The various system calls and other APIs that the kernel provides for access to files and filesystems have grown increasingly comprehensive over the years. That does not mean, though, that there is no need or room for improvement. Several relatively small additions to the kernel's filesystem-related API are under consideration in the development community; read on for a survey of some of this work.
Over on the Collabora blog, Pekka Paalanen writes about adding color management and high dynamic range (HDR) support to the Wayland display server protocol. X11 already has support for color management tools and workflow, but not HDR, and Wayland currently doesn't support either, but Paalanen and others are working to change that. "As color management is all about color spaces and gamuts, and high dynamic range (HDR) is also very much about color spaces and gamuts plus extended luminance range, Sebastian [Wick] and I decided that Wayland color management extension should cater for both from the beginning. Combining traditional color management and HDR is a fairly new thing as far as I know, and I'm not sure we have much prior art to base upon, so this is an interesting research journey as well. There is a lot of prior art on HDR and color management separately, but they tend to have fundamental differences that makes the combination not obvious."
The GCompris project, which provides a "high quality educational software suite, including a large number of activities for children aged 2 to 10", has announced its 1.0 release, which celebrates the 20th anniversary of the project. It includes more than 100 activities, a new Dataset selection in the Activity Settings menu for more than 50 activities, and four new activities, including an Analog Electricity activity to simulate and learn about circuits. KDE.news covered the release: "We have built the activities to follow the principles of 'nothing succeeds like success' and that children, when learning, should be challenged, but not made to feel threatened. Thus, GCompris congratulates, but does not reprimand; all the characters the child interacts with are friendly and supportive; activities are brightly colored, contain encouraging voices and play upbeat, but soothing music. The hardware requirements for running GCompris are extremely low and it will run fine on older computers or low-powered machines, like the Raspberry Pi. This saves you and your school from having to invest in new and expensive equipment and it is also eco-friendly, as it reduces the amount of technological waste that is produced when you have to renew computers to adapt to more and more power-hungry software. GCompris works on Windows, Android and GNU/Linux computers, and on desktop machines, laptops, tablets and phones."
Almost every filesystem (excepting relics like VFAT) implements the concept of the owner and group of each file; the higher levels of the operating system then use that information to control access to those files. For decades, it has usually sufficed to track a single owner and group for each file, but there is an increasing number of use cases wanting to make that ownership relative to the environment any given process is running in. Developers have been working for a few years to find solutions to this problem; the latest attempt is the ID-mapped mounts patch set from Christian Brauner.
Greg Kroah-Hartman has released the 5.9.9, 5.4.78, 4.19.158, 4.14.207, 4.9.244, and 4.4.244 stable kernels. They all contain important fixes throughout the kernel tree; users of those series should upgrade.
Version 1.48.0 of the Rust language has been released. The biggest change appears to be improvements to the documentation system, but there's more: "The most significant API change is kind of a mouthful: [T; N]: TryFrom<Vec<T>> is now stable. What does this mean? Well, you can use this to try and turn a vector into an array of a given length".
The move to secure most or all of web traffic using HTTPS is generally a good thing; lots of personal information is exchanged via web browsers, after all. Using HTTPS requires web sites to have TLS certificates, however, which has sometimes been an impediment, though Let's Encrypt has generally solved that problem for many. But there are systems out there that may need the HTTPS protection before their owners even have a chance to procure a certificate, IoT devices and home routers, for example. An October discussion among OpenWrt developers explored this problem a bit.
Security updates have been issued by openSUSE (opera and raptor), Oracle (bind, bluez, firefox, microcode_ctl, and thunderbird), Red Hat (firefox, net-snmp, and thunderbird), SUSE (java-11-openjdk and tcpdump), and Ubuntu (firefox, krb5, and libvncserver, vino).
Mozilla has announced that the Adobe Flash era is coming to an end. "Firefox version 84 will be the final version to support Flash. On January 26, 2021 when we release Firefox version 85, it will ship without Flash support, improving our performance and security." One suspects that few people will miss this support.
The block layer of QEMU, the open-source machine emulator and virtualizer, forms the backbone of many storage virtualization features: the QEMU Copy-On-Write (QCOW2) disk-image file format, disk image chains, point-in-time snapshots, backups, and more. At the recently concluded 2020 KVM Forum virtual event, Eric Blake gave a talk on the current work in QEMU and libvirt to make differential backups more powerful. As the name implies, "differential backups" address the efficiency problems of full disk backups: space usage and speed of backup creation.
Security updates have been issued by Debian (libdatetime-timezone-perl, openldap, pacemaker, and restic), Fedora (libmediainfo, mediainfo, mingw-python3, and seamonkey), Gentoo (libexif), openSUSE (raptor), Oracle (kernel and microcode_ctl), Scientific Linux (firefox), SUSE (kernel-firmware, postgresql, postgresql96, postgresql10 and postgresql12, and raptor), and Ubuntu (openldap and postgresql-10, postgresql-12, postgresql-9.5).
Version 83.0 of the Firefox browser is out. Headline features include a new HTTPS-only mode, JavaScript performance improvements, and more; see the release notes for details.
Realtime application development under Linux requires care to make sure that the critical realtime tasks do not suffer interference from other applications and the rest of the system. During the Embedded Linux Conference (ELC) 2020, John Ogness presented a checklist (slides [PDF]) for realtime developers, with practical recipes to follow. There are a lot of tools and features available for realtime developers, even on systems without the RT_PREEMPT patches applied.
The 5.10-rc4 kernel prepatch is out for testing. "All looks good, and nothing makes me go 'uhhuh, 5.10 looks iffy'. So go test, let's get this all solid and calmed down, and this will hopefully be one of those regular boring releases even if it's certainly not been on the smaller side..."
The GitHub repository for the youtube-dl utility, which is used to download video content from various web sites (including YouTube, thus the name), has been restored. As we reported in last week's edition, GitHub had taken the repository down due to a DMCA notice from the Recording Industry Association of America (RIAA). The only change made to youtube-dl is the removal of some tests that downloaded a few seconds of certain music videos; those videos were specifically targeted by the RIAA in its complaint.
The kernel project has a strong focus on not breaking user-space applications; if something works with a given kernel release, it should continue to work with subsequent releases. So it may be discouraging to read the lengthy exposition on an apparent user-space API break in the announcement for the systemd 247-rc2 release. Changes to udev configuration files will be needed to keep systems working, but the systemd project claims that it "is not [the] fault of systemd or udev, but caused by an incompatible kernel change that happened back in Linux 4.12". It seems like an appropriate time to look at what happened, how administrators need to respond, and whether anything can be done to keep this kind of thing from happening again.
Security updates have been issued by Debian (libproxy, pacemaker, and thunderbird), Fedora (nss), openSUSE (kernel), Oracle (curl, librepo, qt and qt5-qtbase, and tomcat), Red Hat (firefox), SUSE (firefox, java-1_7_0-openjdk, and openldap2), and Ubuntu (apport, libmaxminddb, openjdk-8, openjdk-lts, and slirp).
LWN's recent article on Kubernetes in Debian discussed the challenges of packaging a massive project with hundreds of dependencies. Many of the issues that arose there, however, are not limited to such projects, as can be seen in the ongoing discussion about whether a copy of the relatively small libbpf library should be shipped with the iproute2 collection of networking tools. Fast-moving projects, it would seem, continue to feel limited by the restrictions imposed by the Linux distribution model.
Security updates have been issued by Debian (codemirror-js, firefox-esr, and pacemaker), Fedora (firefox, java-latest-openjdk, and xen), openSUSE (sddm), Oracle (bind, curl, fence-agents, kernel, librepo, libvirt, python3, qt and qt5-qtbase, and tomcat), SUSE (firefox), and Ubuntu (intel-microcode, openldap, and raptor2).
Toward the end of October, GitHub removed the repository for the youtube-dl utility, which provides a means to download video content from various streaming sites, such as YouTube. The repository was replaced with a cheery notice that it had been removed due to a DMCA takedown. It will likely come as no surprise that the DMCA action came from the Recording Industry Association of America (RIAA) or that the complaint was that the program circumvented the "technological protection measures" used on the videos by YouTube and other authorized sites.
A Google project aims to bring the Linux kernel virtualization mechanism, KVM, to Android systems. Will Deacon leads that effort and he (virtually) came to KVM Forum to discuss the project, its goals, and some of the challenges it has faced. Unlike some Android projects of the past, though, "protected KVM" is being worked on in the open, with code going upstream along the way.
The second set of stable kernel updates in a single day has just come out: 5.9.8, 5.4.77, 4.19.157, 4.14.206, 4.9.243, and 4.4.243 are all available. They all contain a single patch fixing an urgent security issue. Greg Kroah-Hartman says: "Hint, if you are using SGX, then upgrade. And then possibly reconsider the decisions you have recently made that caused you to write special code to use that crazy thing." See this article for information on SGX in the kernel.
The Go blog celebrates eleven years of Go language development and looks forward to what comes next. "When the pandemic hit, we decided to pause any public announcements or launches in the spring, recognizing that everyone’s attention rightly belonged elsewhere. But we kept working, and one of our team members joined the Apple/Google collaboration on privacy-preserving exposure notifications to support contact tracing efforts all over the world. In May, that group launched the reference backend server, written in Go."
The realtime developers have been working for many years to create a kernel where the highest-priority task is always able to run without delay. That has meant a long process of finding and fixing situations where high-priority tasks might be blocked from running; one of the persistent problems in this regard has been kernel code that disables preemption. One tool that the realtime developers have reached for is disabling migration (moving a process from one CPU to another) rather than preemption; this approach has not been entirely popular among scheduler developers, though. Even so, the solution would appear to be this migration-disable patch set from scheduler developer Peter Zijlstra.
The 5.10-rc3 kernel prepatch is out for testing. "Things look normal. rc3 is neither particularly small or particularly large - it's pretty much average for an rc3 release for the last couple of years."
Version 2.0 of the Mutt email client is out. "This release was bumped to 2.0, not because of the magnitude of features (which is actually smaller than past releases), but because of a few changes that are backward incompatible". New features include a cd command to change directories, automatic IMAP reconnection, and "MuttLisp", a Lisp-like language for the configuration file. See the release notes for details.
The 2020 editions of Open Source Summit Europe (OSS EU) and Embedded Linux Conference Europe (ELC EU) were held virtually October 26-30, along with some other events (KVM Forum, Linux Security Summit, and more). The videos, Q&A, and presentations from those conferences are now available to all at the event site through the month of November. The videos will also be posted to YouTube during the month so that they will be available for the future. The schedule is available as well.
As described in this Let's Encrypt blog entry, certificates issued by Let's Encrypt will soon be signed solely by that organization's own root certificate, which is accepted by all modern browsers. There is one little catch, though: versions of Android prior to 7.1.1 (released in late 2016) do not recognize that certificate and will start throwing errors. "Currently, 66.2% of Android devices are running version 7.1 or above. The remaining 33.8% of Android devices will eventually start getting certificate errors when users visit sites that have a Let’s Encrypt certificate. In our communications with large integrators, we have found that this represents around 1-5% of traffic to their sites." There appears to be little to be done about this problem other than to encourage owners of older Android devices to install Firefox.
The kmap() interface in the kernel is a bit of a strange beast. It only exists to overcome the virtual addressing limitations of 32-bit CPUs, but it affects code across the kernel and has side effects on 64-bit machines as well. A recent discussion on the handling of preemption within the kernel identified a number of problems in need of attention, one of which was the kmap() API. Now, an extension to this API called kmap_local() is being proposed to address some of the problems; it signals another step in the kernel community's slow move away from supporting 32-bit machines as first-class citizens.
Security updates have been issued by Debian (sddm and wordpress), Fedora (blueman, chromium, pngcheck, and salt), openSUSE (chromium, salt, tiff, tigervnc, tmux, tomcat, transfig, and xen), Oracle (freetype, kernel, libX11, thunderbird, and xorg-x11-server), SUSE (bluez, ImageMagick, java-1_8_0-openjdk, rmt-server, salt, and u-boot), and Ubuntu (dom4j, firefox, netqmail, phpldapadmin, and tmux).
The scp command, which uses the SSH protocol to copy files between machines, is deeply wired into the fingers of many Linux users and developers — doubly so for those of us who still think of it as a more secure replacement for rcp. Many users may be surprised to learn, though, that the resemblance to rcp goes beyond the name; much of the underlying protocol is the same as well. That protocol is showing its age, and the OpenSSH community has considered it deprecated for a while. Replacing scp in a way that keeps users happy may not be an easy task, though.
Four new stable kernels have been released: 5.9.5, 5.4.75, 4.19.155, and 4.14.204. They are fairly large updates with lots of important fixes throughout the kernel tree; users should upgrade. Update: 5.9.6 has been released to fix a build problem with 5.9.5: "if 5.9.5 built properly for you, wonderful, no need to upgrade".
Security updates have been issued by Debian (bouncycastle, gdm3, and libonig), Fedora (arpwatch, thunderbird, and trousers), openSUSE (chromium, gn), Red Hat (freetype, libX11, thunderbird, and xorg-x11-server), and SUSE (ImageMagick, java-11-openjdk, salt, and wireshark).
At this year's (virtual) Open Source Summit Europe, Oleg Fiksel gave an overview talk on the Matrix decentralized, secure communication network project. Matrix has been seeing increasing adoption recently, he said, including by governments (beyond France, which we already reported on in an article on a FOSDEM 2019 talk) and other organizations. It also aims to bridge all of the different chat mechanisms that people are using in order to provide a unified interface for all of them.
Greg Kroah-Hartman has released stable kernel 5.9.4. "This is only a bugfix for the 5.9.3 kernel release which had some problems with some symlinks for the powerpc selftests." If you did not have any issues with 5.9.3 there is no need to upgrade.
Pluto is a new computational notebook for the Julia programming language. Computational notebooks are a way to program inside of a web browser, storing code, annotations, and output, including graphics, in a single place. They became popular with the advent of the Jupyter notebook, which originally targeted Julia, Python, and R—the names got mashed together to make the word "Jupyter".
Kernel.org manager Konstantin Ryabitsev describes the Git signed-push functionality, which is now supported by the kernel.org system. "To help hedge against this problem, git provides developers a way to sign their actual pushes, as a means to attest 'yes, I actually did intend to push these commits into this ref in this repository on this server, and here's my PGP signature to prove it.'" Among other things, these signatures can be preserved in a commit transparency log, which is also now provided by kernel.org.
Alyssa Rosenzweig reports on the progress of the Panfrost driver. "Since our previous update on Panfrost, the open source stack for Arm's Mali Midgard and Bifrost GPUs, we've focused on taking our driver from its reverse-engineered origins on Midgard to a mature stack. We've overhauled both the Gallium driver and the backend compiler, and as a result, Mesa 20.3 -- scheduled for release at the end-of-the-month -- will feature some Bifrost support out-of-the-box."