A seemingly straightforward question aimed at candidates for the in-progressFedoraelections led to a discussion on the Fedora devel mailing list thatbranched into a few different directions. The question was related to astruggle that the distribution has had before: whether using non-free Gitforges is appropriate. One of thedifferences this time, though, is that the focus is on where source-git (or src-git)repositories will be hosted, which is a separate question from where the dist-git repositorylives.
The Software Freedom Conservancy providesan update on its suit against Vizio forcopyleft license violations. Vizio's response was not to release thesource code:
Stable kernels 5.15.6, 5.10.83, 5.4.163, and 4.19.219 have been released. They all containimportant fixes throughout the tree. Users of those series should upgrade.
Version1.7 of the Julia programming language has been released. The list ofnew features is long; see the release announcement and this LWN article for the details.
While there are few rules on the names of variables, classes, functions,and so on (i.e. identifiers) in the Python language, there are someguidelines on how those things should be named. But, of course, thoseguidelines were not always followed in the standard library, especially in the early years of the project. Asuggestion to add aliases to the standard library foridentifiers that do not follow the guidelines seems highly unlikely to goanywhere, but it led to an interesting discussion on the python-ideas mailing list.
Security updates have been issued by Debian (samba), Fedora (kernel), openSUSE (netcdf and tor), SUSE (netcdf and python-Pygments), and Ubuntu (imagemagick).
One of the key features of the extended BPF virtual machine is the verifierbuilt into the kernel that ensures that all BPF programs are safe to run.BPF developers often see the verifier as a bit of a mixed blessing, though;while it can catch a lot of problems before they happen, it can also behard to please. Comparisons with a well-meaning but rule-bound and pickybureaucracy would not be entirely misplaced. The bpf_loop()proposal from Joanne Koong is an attempt to make pleasing the BPFbureaucrats a bit easier for one type of loop construct.
Security updates have been issued by Debian (bluez, icu, libntlm, libvorbis, libvpx, opensc, roundcube, and tar), Fedora (kernel, kernel-headers, kernel-tools, puppet, slurm, stargz-snapshotter, and suricata), openSUSE (netcdf), Oracle (bluez, kernel, kernel-container, krb5, mailman:2.1, openssh, python3, and rpm), Red Hat (samba), and SUSE (xen).
The 5.16-rc3 kernel prepatch is out fortesting. "So rc3 is usually a bit larger than rc2 just because people had sometime to start finding things.So too this time, although it's not like this is a particularly bigrc3."
Version8.1.0 of the PHP language has been released. This release includes anumber of new features, including enumerations,read-onlyproperties,fibers, and more.Meanwhile, anew foundation has been created to support development of PHP:
Greg Kroah-Hartman has announced the release of six new stable kernels: 5.10.82, 5.4.162, 4.19.218, 4.14.256, 4.9.291, and 4.4.293. These kernels contain lots ofimportant fixes throughout the tree; users of those series should upgrade.
Security updates have been issued by Fedora (freerdp, gnome-boxes, gnome-connections, gnome-remote-desktop, guacamole-server, hydra, java-1.8.0-openjdk-aarch32, medusa, mingw-gstreamer1, mingw-gstreamer1-plugins-bad-free, mingw-gstreamer1-plugins-base, mingw-gstreamer1-plugins-good, php, pidgin-sipe, remmina, vinagre, and weston), openSUSE (kernel and netcdf), and SUSE (kernel and netcdf).
Security updates have been issued by Fedora (busybox, getdata, and php), Mageia (couchdb, freerdp, openexr, postgresql, python-reportlab, and rsh), openSUSE (bind, java-1_8_0-openjdk, and kernel), SUSE (java-1_7_0-openjdk), and Ubuntu (icu).
Security updates have been issued by Debian (openjdk-17), Fedora (libxls, roundcubemail, and vim), openSUSE (bind, java-1_8_0-openjdk, and redis), Red Hat (kernel, kernel-rt, kpatch-patch, krb5, mailman:2.1, openssh, and rpm), Scientific Linux (kernel, krb5, openssh, and rpm), SUSE (bind, java-1_8_0-openjdk, redis, and webkit2gtk3), and Ubuntu (bluez).
The second 5.16 kernel prepatch is out fortesting. "Nothing especially noteworthy stands out for the lastweek, it all felt pretty normal for a rc2 week".
The5.15.4,5.14.21,5.10.81, and5.4.161 stable kernels have been released.Each contains another set of important updates, but it's worthnoting that 5.4.161hasn't been through the usual review process due to an amusing bit ofscripting confusion.
One does not normally expect a lot of disagreement over a 13-line patchthat effectively tweaks a single line of code. Occasionally, though, sucha patch can expose a disagreement over how the behavior of the kernelshould be managed. This patchfrom Drew DeVault, who is evidently taking a break from stirring upthe npm community, is a case in point. It brings to light the questionof how the kernel community should pick default values for configurableparameters like resource limits.
Security updates have been issued by Arch Linux (chromium, grafana, kubectl-ingress-nginx, and opera), Debian (netkit-rsh and salt), Fedora (freeipa and samba), Mageia (opensc, python-django-filter, qt4, tinyxml, and transfig), openSUSE (opera and transfig), Red Hat (devtoolset-11-annobin, devtoolset-11-binutils, and llvm-toolset:rhel8), SUSE (php72 and php74), and Ubuntu (mailman and thunderbird).
The kernel provides a number of macros internally to allow code to generatewarnings when something goes wrong. It does not, however, provide a lot ofguidance regarding what should happen when a warning is issued. AlexanderPopov recently posted apatch series adding an option for the system's response to warnings;that series seems unlikely to be applied in anything close to its currentform, but it did succeed in provoking a discussion on how warnings shouldbe handled.
Greg Kroah-Hartman has released two more stable kernels. 5.14.20 reverts three patches from the5.14.19 release, while 5.10.80 is one of themassive updates mentioned yesterday. Theother massive release mentioned, 5.15.3, is still underreview and can be expected in the next day or two. As usual, thekernels released contain important fixes and users should upgrade.Update: 5.15.3 was also released.
Security updates have been issued by CentOS (binutils, firefox, flatpak, freerdp, httpd, java-1.8.0-openjdk, java-11-openjdk, kernel, openssl, and thunderbird), Fedora (python-sport-activities-features, rpki-client, and vim), and Red Hat (devtoolset-10-annobin and devtoolset-10-binutils).
Even encrypted data sent on the internet leaves some footprints—metadataabout where packets originate, where they are bound, and when they are sent. Mix networks aremeant to hide that metadata by routing packets through various intermediatenodes to try to thwart the traffic analysis used by nation-state-leveladversaries to identify "opponents" of various kinds. Tor is perhaps thebest-known mix network, but there are others that make differenttradeoffs to increase the security of their users. Rollercoasteris a recently announced mechanism that extends the functionality of mixnetworks in order to more efficiently communicate among groups.
Security updates have been issued by CentOS (389-ds-base and libxml2), Debian (atftp, axis, and ntfs-3g), Fedora (digikam, freerdp, guacamole-server, and remmina), openSUSE (java-11-openjdk, kernel, samba, and tomcat), SUSE (firefox, java-11-openjdk, kernel, libarchive, samba, and tomcat), and Ubuntu (accountsservice, hivex, and openexr).
The 5.14.19 and 5.4.160 stable kernels have been released;these updates contain a huge number of important fixes. The equallymassive 5.15.3and 5.10.80updates were also intended for release but, as the result of some problemsthat turned up in testing, they will be going through onemore round of review first.
The Trojan Source vulnerabilities have beenrippling through various developmentcommunities since their disclosure on November 1. The oddities that can arise when handling Unicode, andbidirectional Unicode in particular, in a programming language have led Rust, forexample, to check forthe problematic code points in strings and comments and, by default,refuse to compile if they are present. Python has chosen a different path,but work is underway to help inform programmers of the kinds of pitfalls thatTrojan Source has highlighted.
Security updates have been issued by Debian (libxml-security-java), Fedora (botan2), openSUSE (drbd-utils, kernel, and samba), Red Hat (kernel and webkit2gtk3), SUSE (drbd-utils and samba), and Ubuntu (vim).
Version 2.34.0 of the Git source-code management system is out."It is comprised of 834 non-merge commits sincev2.33.0, contributed by 109 people, 29 of which are new faces". SeethisGitHub blog post for a look at some of the more significant changes inthis release:
Linus Torvalds released5.16-rc1 and ended the 5.16 merge window on November 14, asexpected. At that point, 12,321 non-merge changesets had been pulled intothe mainline; about 5,500 since our summary ofthe first half of the merge window was written. As is usually the case,the patch mix in the latter part of the merge window tended more towardfixes, but there were a number other changes as well.
Security updates have been issued by Debian (ffmpeg and tomcat9), Fedora (et and kernel), openSUSE (binutils, rubygem-activerecord-5_1, samba, and tinyxml), Oracle (freerdp and httpd:2.4), Red Hat (devtoolset-11-gcc, gcc-toolset-10-binutils, kernel, kernel-rt, and kpatch-patch), and Scientific Linux (freerdp).
Over on the Google Security blog, Jonathan Metzman announced the release of ClusterFuzzLite, which is "a continuous fuzzing solution that runs as part of CI/CD workflows to find vulnerabilities faster than ever before". ClusterFuzzLite is a descendant of OSS-Fuzz, which we looked at in 2017.
The memory-management subsystem remains one of the most complex parts ofthe kernel, with an ongoing reliance on various heuristics forperformance. It is thus not surprising that developers continue to try toimprove its functionality. A number of memory-management patches arecurrently in circulation; read on for a look at the freeing of page-tablepages, kvmalloc() flags, memory clearing, and NUMA "home nodes".
Greg Kroah-Hartman has announced the release of eight stable kernels: 5.15.2, 5.14.18, 5.10.79, 5.4.159, 4.19.217, 4.14.255, 4.9.290, and 4.4.292. They contain a relatively small setof important fixes, but, as usual, users should upgrade.
Security updates have been issued by Debian (node-tar, postgresql-11, postgresql-13, and postgresql-9.6), Fedora (autotrace, botan2, chafa, converseen, digikam, dmtx-utils, dvdauthor, eom, kxstitch, pfstools, php-pecl-imagick, psiconv, q, R-magick, radeontop, rss-glx, rubygem-rmagick, synfig, synfigstudio, vdr-scraper2vdr, vdr-skinelchihd, vdr-skinnopacity, vdr-tvguide, and WindowMaker), Mageia (kernel, kernel-linus, and openafs), openSUSE (kernel), Red Hat (freerdp), SUSE (bind and kernel), and Ubuntu (openexr, postgresql-10, postgresql-12, postgresql-13, and samba).
While the "Trojan Source" vulnerabilitieshave, thus far, generated far more publicity than examples of actualexploits, addressing the problem still seems like a good thing to do.There are several places where defenses could be put into place; texteditors, being the place where developers look at a lot of code, are oneobvious example. The discussion of how to enhance Emacs in this regard hasmade it clear, though, that there are multiple opinions about how an editorshould flag potential attacks.
On November 10, the Go programming language community celebrated the 12th anniversary of its release as open-source software. The post covers a number of different topics, including the consolidation of web sites at go.dev, releases and their features over the last year, as well as a look to the future:
Security updates have been issued by Debian (icinga2, libxstream-java, ruby-kaminari, and salt), Fedora (awscli, cacti, cacti-spine, python-boto3, python-botocore, radeontop, and rust), Mageia (firefox, libesmtp, libzapojit, sssd, and thunderbird), openSUSE (samba and samba and ldb), SUSE (firefox, pcre, qemu, samba, and samba and ldb), and Ubuntu (firejail, linux-bluefield, linux-gke-5.4, linux-oracle, linux-oracle-5.4, linux-oem-5.10, linux-oem-5.14, and python-py).
Python supports default values for arguments to functions, but thosedefaults are evaluated at function-definition time. A proposal to adddefaults that are evaluated when the function is called has been discussedat some length on the python-ideas mailing list. The idea came about, in part,due to yet another resurrection of the proposalfor None-aware operators in Python. Late-bound defaults would helpwith one use case for those operators, but there are other, strongerreasons to consider their addition to the language.
There is a set of new Samba releases out there. They fix a long andintimidating list of security issues and seem worth upgrading to for anybut the most protected of Samba servers.
The Julia programming language hasits roots in high-performance scientific computing, so it is no surprisethat it has facilities for concurrent processing. Those features are notwell-known outside of the Julia community, though, so it is interesting tosee the different types of parallel and concurrent computation that thelanguage supports. In addition, the upcoming release of Juliaversion 1.7 brings an improvement to the language'sconcurrent-computation palette, in the form of "task migration".
LWN.net