The Stockfish project, which distributes a chess engine under GPLv3, has announced the filing of a GPL-enforcement lawsuit against ChessBase, which has been (and evidently still is) distributing proprietary versions of the Stockfish code.
The 5.13.4, 5.12.19, 5.10.52, 5.4.134, 4.19.198, 4.14.240, 4.9.276, and 4.4.276 stable updates have all been released. These are relatively large updates once again, and they include the fix for the just-disclosed local root vulnerability. Note that the 5.12.x series ends with the 5.12.19 release.
Commit 8cae8cd89f05 went into the mainline kernel repository on July 19; it puts a limit on the size of buffers allocated in the seq_file mechanism and mentions "int overflow pitfalls". For more information, look to this Qualys advisory describing the vulnerability:
The lowly file descriptor is one of the fundamental objects in Linux systems. A file descriptor, which is a simple integer value, can refer to an open file — or to a network connection, a running process, a loaded BPF program, or a namespace. Over the years, the use of file descriptors to refer to transient objects has grown to the point that it can be difficult to justify an API that uses anything else. Interestingly, though, the io_uring subsystem looks as if it is moving toward its own number space separate from file descriptors.
As an example of what a "real" device driver in Rust would look like, Wedson Almeida Filho has posted a translation of the PL061 GPIO driver alongside the original. For ease of reading, the resulting HTML has been reformatted a bit and placed below; viewing in a wide window is recommended.
Security updates have been issued by Arch Linux (chromium, firefox, mbedtls, nextcloud, python-pillow, ruby, ruby2.6, ruby2.7, systemd, thunderbird, varnish, and vivaldi), Debian (thunderbird), Fedora (chromium, firefox, and linux-firmware), Gentoo (apache, commons-fileupload, dovecot, and mediawiki), openSUSE (firefox, fossil, go1.16, and icinga2), Oracle (firefox, kernel, and kernel-container), Red Hat (nettle), and SUSE (firefox and go1.16).
Non-uniform memory access (NUMA) systems have an architecture that attaches memory to "nodes" within the system. CPUs, too, belong to nodes; memory that is attached to the same node as a CPU will be faster to access (from that CPU) than memory on other nodes. This aspect of performance has important implications for programs running on NUMA systems, and the kernel offers a number of ways for user space to optimize their behavior. The NUMA abstraction is now being extended, though, and that is driving a need for new ways of influencing memory allocation; the multi-preference memory policy patch set is an attempt to meet that need.
Security updates have been issued by CentOS (firefox), Debian (firefox-esr), Fedora (linuxptp), Gentoo (commons-collections), Mageia (aom, firefox, python-django, thunderbird, and tpm2-tools), openSUSE (claws-mail, kernel, nodejs10, and nodejs14), Red Hat (nettle), Scientific Linux (firefox), SUSE (firefox, kernel, nodejs10, and nodejs14), and Ubuntu (libslirp and qemu).
Your editor has worked in the computing field for rather longer than he cares to admit; for all of that time it has been said that a day will come when all that tedious programming work will no longer be necessary. Instead, we'll just say what we want and the computer will figure it out. Arguably, the announcement of GitHub Copilot takes us another step in that direction. On the way, though, it raises some interesting questions about copyright and free-software licensing.
Security updates have been issued by Debian (firefox-esr and php7.0), Fedora (firefox, mingw-djvulibre, and seamonkey), Gentoo (fluidsynth, openscad, and urllib3), openSUSE (ffmpeg, nodejs12, and sqlite3), Red Hat (firefox), and SUSE (ffmpeg, kernel, nodejs10, nodejs12, nodejs14, and sqlite3).
For those who appreciate detailed descriptions of how to exploit a kernel vulnerability, this report on a netfilter bug by Andy Nguyen should certainly satisfy.
CentOS 8 is reaching its end of life (EOL) at the end of 2021, though it was originally slated to be supported until 2029. That change was announced last December, but it may still come as a surprise to some, perhaps many, of the users of the distribution. While the systems running CentOS 8 will continue to do so, early next year they will stop getting security (and other) updates. The CentOS project sees CentOS Stream as a viable alternative, but users may not agree—should the project simply leave CentOS 8 systems as ticking time bombs in 2022 and beyond?
Security updates have been issued by CentOS (xstream), Debian (linuxptp), Fedora (glibc and krb5), Gentoo (pillow and thrift), Mageia (ffmpeg and libsolv), openSUSE (kernel and qemu), SUSE (kernel), and Ubuntu (php5, php7.0).
The Linux kernel is, as a whole, licensed under the GPLv2, but various parts and pieces are licensed under other compatible licenses and/or dual-licensed. That picture was much murkier only a few years back, before the SPDX in the kernel project cleaned up the licensing information in most of the kernel source by specifying the licenses, by name rather than boilerplate text, directly in the files. A recent move to add yet another license into the mix is encountering some headwinds, but the license in question was already being used in a few kernel files, and has been for four years at this point.
Version 90 of the Firefox browser is out. The headline feature this time around, beyond working links in PDF output, is a new version of the SmartBlock feature which appears to have been designed with a specific goal in mind: "Third-party Facebook scripts are blocked to prevent you from being tracked, but are now automatically loaded 'just in time' if you decide to 'Log in with Facebook' on any website."
Tails is a privacy-focused distribution and Tails 4.20 "completely changes how to connect to the Tor network from Tails" with the new Tor Connection assistant.
Security updates have been issued by Debian (sogo), Fedora (libvirt), Gentoo (polkit), Mageia (binutils, freeradius, guile1.8, kernel, kernel-linus, libgrss, mediawiki, mosquitto, php-phpmailer, and webmin), openSUSE (bluez and jdom2), Oracle (kernel and xstream), Scientific Linux (xstream), and SUSE (kernel and python-pip).
The 5.14 merge window closed with the 5.14-rc1 release on July 11. By that time, some 12,981 non-merge changesets had been pulled into the mainline repository; nearly 8,000 of those arrived after the first LWN 5.14 merge-window summary was written. This merge window has thus seen fewer commits than its predecessor, which saw 14,231 changesets before the 5.13-rc1 release. That said, there is still a lot of interesting work that has found its way into the kernel this time around.
Version 4.3 of the Solus "home computing" distribution has been released. "This release delivers new desktop environment updates, software stacks, and hardware enablement."
The 5.12.16, 5.10.49, 5.4.131, 4.19.197, 4.14.239, 4.9.275, and 4.4.275 stable kernels have been released. Each contains a relatively small set of important fixes.
The Tor project, which provides tools for internet privacy and anonymity, has announced a rewrite of the Tor protocols in Rust, called Arti. It is not ready for prime time, yet, but based on a grant from Zcash Open Major Grants (ZOMG), significant work is ongoing; the plan is "to try bring Arti to a production-quality client implementation over the next year and a half". The C implementation is not going away anytime soon, but the idea is that Arti will eventually supplant it. The project sees a number of benefits from using Rust, including:
Computing devices are wonderful; they surely must be, since so many of us have so many of them. The proliferation of computers leads directly to a familiar problem, though: the files we want are always on the wrong machine. One solution is synchronization services that keep a set of files up to date across a multitude of machines; a number of companies have created successful commercial offerings based on such services. Some of us, though, are stubbornly resistant to the idea of placing our data in the hands of corporations and their proprietary systems. For those of us who would rather stay in control of our data, systems like Syncthing offer a possible solution.
Security updates have been issued by Debian (apache2 and scilab), Fedora (chromium and perl-Mojolicious), Gentoo (inspircd, redis, and wireshark), and Mageia (fluidsynth, glib2.0, gnome-shell, grub2, gupnp, hivex, libupnp, redis, and zstd).
While it has often been said that there is no such thing as bad publicity, the new owners of the Audacity audio-editor project may beg to differ. The project has only recently weathered the controversies around its acquisition by the Muse Group, proposed telemetry features, and imposition of a new license agreement on its contributors. Now, the posting of a new privacy policy has set off a new round of criticism, with some accusing the project of planning to ship spyware. The situation with Audacity is not remotely as bad as it has been portrayed, but it is a lesson on what can happen when a project loses the trust of its user community.
Security updates have been issued by CentOS (linuxptp), Fedora (kernel and php), Gentoo (bladeenc, blktrace, jinja, mechanize, privoxy, and rclone), Oracle (linuxptp, ruby:2.6, and ruby:2.7), Red Hat (kernel and kpatch-patch), SUSE (kubevirt), and Ubuntu (avahi).
On July 4, the Rust for Linux project posted another version of its patch set adding support for the language to the kernel. It would seem that the project feels that it is ready to be considered for merging into the mainline. Perhaps a bigger question lingers, though: is the kernel development community ready for Rust? That part still seems to be up in the air.
Sasha Levin has released stable kernels 5.13.1, 5.12.15, 5.10.48, and 5.4.130. They all contain a small set of important fixes and users should upgrade.
Security updates have been issued by Fedora (glibc), Gentoo (doas, firefox, glib, schismtracker, and tpm2-tss), Mageia (httpcomponents-client), openSUSE (virtualbox), Red Hat (linuxptp), Scientific Linux (linuxptp), and Ubuntu (libuv1 and php7.2, php7.4).
A discussion on the python-ideas mailing list touched on a number of interesting topics, from the problems with misspelled attribute names through the design of security-sensitive interfaces and to the use of the __slots__ attribute of objects. The latter may not be all that well-known (or well-documented), but could potentially fix the problem at hand, though not in a backward-compatible way. The conversation revolves around the ssl module in the standard library, which has been targeted for upgrades, more than once, over the years—with luck, the maintainers may find time for some upgrades relatively soon.
The Virtuozzo team has announced the release of VzLinux 8.4, its fork of RHEL. "Thanks for noticing that we are fixing bugs so quickly (24 hours) and that you think VzLinux is stable and enterprise ready. To those who have asked if we will be following a similar path as CentOS, shifting its focus to Stream, the answer is: there are no plans for us to go this route, VzLinux will remain free to download, use and distribute." See the release notes for details.
Security updates have been issued by Arch Linux (python-django), Debian (libuv1, libxstream-java, and php7.3), Fedora (rabbitmq-server), Gentoo (glibc, google-chrome, libxml2, and postsrsd), openSUSE (libqt5-qtwebengine and roundcubemail), SUSE (python-rsa), and Ubuntu (djvulibre).
The addition of system calls to the Linux kernel is a routine affair; it happens during almost every merge window. The removal of system calls, instead, is much more uncommon. That appears likely to happen soon, though, as discussions proceed on the removal of bdflush(). Read on for a look at the purpose and history of this obscure system call and to learn whether you will miss it (you won't).
Security updates have been issued by Arch Linux (electron11, electron12, istio, jenkins, libtpms, mediawiki, mruby, opera, puppet, and python-fastapi), Debian (djvulibre and openexr), Fedora (dovecot, libtpms, nginx, and php-league-flysystem), Gentoo (corosync, freeimage, graphviz, and libqb), Mageia (busybox, file-roller, live, networkmanager, and php), openSUSE (clamav-database, lua53, and roundcubemail), Oracle (389-ds:1.4, kernel, libxml2, python38:3.8 and python38-devel:3.8, and ruby:2.5), and SUSE (crmsh, djvulibre, python-py, and python-rsa).
Version 3.6 of the Darktable raw photo editor has been released. "The darktable team is proud to announce our second summer feature release, darktable 3.6. Merry (summer) Christmas! This is the first of two releases this year and, from here on, we intend to issue two new feature releases each year, around the summer and winter solstices." The list of new features is long, including a new color-balance module, a "censorize" module for partial pixelization of images, a new demosaic algorithm, and more.
As of this writing, just under 5,000 non-merge changesets have been pulled into the mainline repository for the 5.14 development cycle. That is less than half of the patches that have been queued up in linux-next, so it is fair to say that this merge window is getting off to a bit of a slow start. Nonetheless, a fair number of significant changes have been merged.
Security updates have been issued by Fedora (ansible and seamonkey), openSUSE (go1.15 and opera), Oracle (kernel and microcode_ctl), and Red Hat (go-toolset-1.15 and go-toolset-1.15-golang).
The core scheduling feature has been under discussion for over three years. For those who need it, the wait is over at last; core scheduling was merged for the 5.14 kernel release. Now that this work has reached a (presumably) final form, a look at why this feature makes sense and how it works is warranted. Core scheduling is not for everybody, but it may prove to be quite useful for some user communities.
Security updates have been issued by Debian (htmldoc, ipmitool, and node-bl), Fedora (libgcrypt and libtpms), Mageia (dhcp, glibc, p7zip, sqlite3, systemd, and thunar), openSUSE (arpwatch, go1.15, and kernel), SUSE (curl, dbus-1, go1.15, and qemu), and Ubuntu (xorg-server).
A new project from Mozilla, which is meant to help researchers collect browsing data, but only with the informed consent of the browser user, is taking a lot of heat, perhaps in part because the company can never seem to do anything right, at least in the eyes of some. Mozilla Rally was announced on June 25 as a joint venture between the company and researchers at Princeton University "to enable crowdsourced science for public good". The idea is that users can volunteer to give academic studies access to the same kinds of browser data that are being tracked in some browsers today. Whether the privacy safeguards are strong enough—and if there is sufficient reason for users to sign up—remains to be seen.