Security updates have been issued by Debian (chromium, containerd, kernel, ntfs-3g, and vlc), Fedora (buildah and logrotate), Red Hat (xz), and SUSE (google-gson, netty3, rubygem-sinatra, and u-boot).
Modern language environments make it easy to discover and incorporate externally written libraries into a program. These same mechanisms can also make it easy to inadvertently incorporate security vulnerabilities or overtly malicious code, which is rather less gratifying. The stream of resulting vulnerabilities seems like it will never end, and it afflicts relatively safe languages like Rust just as much as any other language. In an effort to avoid the embarrassment that comes with shipping vulnerabilities (or worse) by way of its dependencies, the Mozilla project has come up with a new supply-chain management tool known as "cargo vet".
Security updates have been issued by Debian (python-bottle), Fedora (grub2 and kernel), Mageia (python-pypdf2, python-ujson, and vim), and SUSE (fribidi, grub2, mozilla-nss, and webkit2gtk3).
Stable kernels 5.18.3, 5.17.14, 5.15.46, and 5.10.121 have been released. Typically, the stable kernels released right after the merge window closes contain a large number of changes and these updates certainly fit the bill.
Linux distributors are famously averse to shipping packages with bundled libraries; they would rather ship a single version of each library to be shared by all packages that need it. Many upstream projects, instead, are fond of bundling (or "vendoring") libraries; this leads to tension that has been covered here numerous times in the past (examples: 1, 2, 3, 4, 5, ...). The recent Fedora discussion on bundling libraries with its Java implementation would look like just another in a long series, but it also shines a light on the unique challenges of shipping Java in a fast-moving community distribution.
Security updates have been issued by Debian (mailman and python-bottle), Red Hat (java-1.7.1-ibm, java-1.8.0-ibm, subversion:1.14, and xz), Scientific Linux (python-twisted-web), Slackware (httpd), and Ubuntu (ca-certificates, ffmpeg, ghostscript, and varnish).
In a combined storage and filesystem session at the 2022 Linux Storage, Filesystem, Memory-management and BPF Summit (LSFMM), Luis Chamberlain and James Bottomley led a discussion about the use of ioctl() as a mechanism for configuration. There are plenty of downsides to the use of ioctl() commands, and alternatives exist, but in general kernel developers have chosen to continue using this multiplexing system call. While there is interest in changing things, at least in some quarters, the discussion did not seem to indicate major changes on the horizon.
Version 15.4 of the openSUSE Leap distribution has been released. "Leap 15.4 is a feature release version and provides a significant amount of updates from previous Leap 15.x versions along with new offerings". Changes include the addition of openSUSE Leap Micro, improved codec support, KDE Plasma 5.24, and more. This release also deprecates Python 2 support.
As a followup to a session on testing challenges earlier in the day, Josef Bacik led a discussion on best practices for testing in a combined storage and filesystem session at the 2022 Linux Storage, Filesystem, Memory-management and BPF Summit (LSFMM). There are a number of ways that developers can collaborate on improving the testing landscape using fstests and blktests, starting with gathering and sharing information about which tests are expected to pass and fail. That information depends on a lot of different factors, including kernel version and configuration, fstest options, and more.
The Fedora 34 distribution release has gone out of the supported mode: "No further updates, including security updates, will be available for Fedora 34". Users should update to the Fedora 35 or 36 release.
Security updates have been issued by Debian (glib2.0, librecad, and php-horde-mime-viewer), Fedora (vim), and Ubuntu (freerdp2, ruby2.3, ruby2.5, ruby2.7, ruby3.0, and vim).
The 5.19 merge window was closed with the 5.19-rc1 release on June 5 after the addition of 13,124 non-merge changesets to the mainline kernel. That makes this merge window another busy one, essentially matching the 13,204 changesets seen for 5.18. The approximately 8,500 changesets merged since our first 5.19 merge-window summary contain quite a bit of new functionality; read on for a summary of the most interesting changes that were pulled during the second half of this merge window.
Version 5.1 of the Tor-oriented Tails distribution has been released. It includes some improvements to the Tor connection assistant and to handling of captive portals, but the most significant change is arguably the delayed fix to a severe security vulnerability that had sparked suggestions that some users, at least, should stop using Tails temporarily.
Greg Kroah-Hartman has announced the release of the 5.18.2, 5.17.13, 5.15.45, 5.10.120, 5.4.197, 4.19.246, 4.14.282, and 4.9.317 stable kernels. Each contains a set of important fixes, as usual; users of those series should upgrade.
In something of a grab-bag session, Josef Bacik led a discussion about various challenges that Linux kernel maintainers face, some of which lead to burnout. The session was originally going to be led by Darrick Wong, but he was unable to come to LSFMM, so Bacik gathered some of Wong's concerns and combined them with his own in a joint storage and filesystem session at the 2022 Linux Storage, Filesystem, Memory-management and BPF Summit (LSFMM). As part of the discussion, Bacik presented his view on what the role of a kernel maintainer should be, which seemed to resonate with those present.
Security updates have been issued by Debian (clamav, firefox-esr, pidgin, and thunderbird), Fedora (dotnet3.1, firefox, kernel, vim, and webkit2gtk3), Mageia (firefox/nss/nspr, gimp, logrotate, mariadb, thunderbird, trojita, webkit2, and webmin), Oracle (thunderbird), Red Hat (compat-openssl11, postgresql:10, postgresql:12, and thunderbird), Slackware (pidgin), and SUSE (openvpn).
Linus has released 5.19-rc1 and closed the merge window for this cycle. "Judging by the merge window, this release is going to be on the bigger side, but certainly not breaking any records, and nothing looks particularly odd or crazy."
Version 22.05 of the NixOS distribution is out. "NixOS is already known as the most up to date distribution and is the distribution with the most packages. This release saw 9345 new packages and 10666 updated packages". Significant changes include an update to version 2.8.0 of the Nix package manager with experimental support for flakes, GNOME 42, and many new services; see the release notes for details.
Opinions differ on the best way to disclose security vulnerabilities, but there is a general consensus in our community that vulnerabilities should, indeed, be made public at some point. What happens between the discovery of a vulnerability and its disclosure can be more controversial. A recent discussion on the handling of kernel vulnerabilities has led to change in the policies of the linux-distros mailing list — all based on the question of what constitutes "disclosure".
Security updates have been issued by Debian (cifs-utils, debian-security-support, and pypdf2), Fedora (fapolicyd, mariadb, openssl, and qt5-qtbase), Oracle (firefox, maven:3.5, maven:3.6, postgresql:10, postgresql:12, and postgresql:13), Red Hat (.NET 6.0, firefox, gzip, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, pcs, rsync, subversion, thunderbird, and zlib), Scientific Linux (thunderbird), Slackware (mozilla), SUSE (firefox, hdf5, suse-hpc, kernel-firmware, libarchive, patch, php8, and redis), and Ubuntu (cifs-utils and vim).
The kernel tries hard to keep memory available for its present and future needs. Should that effort fail, though, the tool of last resort is the dreaded out-of-memory (OOM) killer, which is tasked with killing processes on the system to free their memory and alleviate the problem. The results of invoking the OOM killer are never going to be good, but they can be distinctly worse if the wrong processes are chosen for an untimely end. As one might expect, the effort to properly choose the right processes is an ongoing effort. Most recently, Christian König has proposed a new mechanism to address a blind spot in the OOM killer's deliberations.
Security updates have been issued by Debian (firefox-esr), Fedora (thunderbird and vim), Red Hat (firefox, postgresql:10, postgresql:12, and postgresql:13), Scientific Linux (firefox and rsyslog), SUSE (hdf5, hdf5, suse-hpc, postgresql14, rubygem-yajl-ruby, and udisks2), and Ubuntu (imagemagick and influxdb).
Adding support for an in-kernel TLS handshake was the topic of a combined storage and filesystem session at the 2022 Linux Storage, Filesystem, Memory-management and BPF Summit (LSFMM). Chuck Lever and Hannes Reinecke led the discussion on ways to add that support; they are interested in order to provide TLS for network storage and filesystems. But there are likely other features, such as QUIC support, that could use an in-kernel TLS implementation.
The challenges of testing filesystems and the block layer were the topic of a combined storage and filesystem session led by Luis Chamberlain at the 2022 Linux Storage, Filesystem, Memory-management and BPF Summit (LSFMM). His goal is to reduce the amount of time it takes to test new features in those areas, but one of the problems that he has encountered is a lack of determinism in the test results. It is sometimes hard to distinguish problems in the kernel code from problems in the tests themselves.
If you are running Fedora 34, the time has come to move on; that distribution will reach the end of its support life on June 7. Users of Ubuntu 21.10 have a little longer, but that release loses support on July 14 and users should update to 22.04.
Security updates have been issued by Debian (libjpeg-turbo, webkit2gtk, and wpewebkit), Fedora (golang-github-opencontainers-runc, mingw-pcre2, python-jwt, python-ujson, and weechat), Oracle (nodejs:16 and rsyslog), Red Hat (container-tools:3.0, expat, fapolicyd, kernel, kernel-rt, kpatch-patch, mariadb:10.3, postgresql:12, rsyslog and rsyslog7, and zlib), Slackware (mozilla), SUSE (bind, dpdk, fribidi, hdf5, librelp, php74, postgresql12, and postgresql13), and Ubuntu (cups, linux-gcp-5.13, linux-oracle, linux-oracle-5.13, linux-gcp-5.4, linux-gkeop, linux-gkeop-5.4, linux-ibm-5.4, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, and webkit2gtk).
In a filesystem session at the 2022 Linux Storage, Filesystem, Memory-management and BPF Summit (LSFMM), Amir Goldstein led a discussion about the stable kernel trees. Those trees, and especially the long-term support (LTS) versions, are used as a basis for a variety of Linux-based products, but the kind of testing that is being done on them for filesystems is lacking. Part of the problem is that the tests target filesystem developers so they are not easily used by downstream consumers of the stable kernel trees.
Security updates have been issued by Debian (haproxy, libdbi-perl, pjproject, spip, and trafficserver), Oracle (firefox, kernel, kernel-container, libvirt libvirt-python, and thunderbird), Red Hat (maven:3.5, maven:3.6, nodejs:16, postgresql, postgresql:10, and rsyslog), SUSE (gimp, helm-mirror, ImageMagick, mailman, openstack-neutron, pcmanfm, pcre2, postgresql10, and tiff), and Ubuntu (dpkg and freetype).
The ID-mapped mounts feature was added to Linux in 5.12, but the general idea behind it goes back a fair bit further. There are a number of different situations where the user and group IDs for files on disk do not match the current human (or process) user of those files, so ID-mapped mounts provide a way to resolve that problem—without changing the files on disk. The developer of the feature, Christian Brauner, led a discussion at the 2022 Linux Storage, Filesystem, Memory-management and BPF Summit (LSFMM) on ID-mapped mounts.
Our introduction to Linux audio and MIDI plugin APIs ended with a mention of the Clever Audio Plugin (CLAP) but did not get into the details. CLAP is an MIT-licensed API for developing audio and MIDI plugins that, its developers feel, has the potential to improve the audio-software situation on Linux. The time has now come to get to those details and look at the state of CLAP and where it is headed.
The 5.18.1, 5.17.12, 5.15.44, and 5.10.119 stable kernels have been released. As usual, they contain important fixes; users of those series should upgrade.
Version 5.36.0 of the Perl language is out. "Perl 5.36.0 represents approximately a year of development since Perl 5.34.0 and contains approximately 250,000 lines of changes across 2,000 files from 82 authors." Changes include the enabling of function signatures, Unicode 14.0 support, experimental iteration over multiple values, and a lot more; see the release notes for the full list.
Security updates have been issued by Debian (modsecurity-apache, pngcheck, rsyslog, and smarty3), Fedora (firefox, golang-github-opencontainers-runc, gron, kernel, kernel-headers, kernel-tools, logrotate, mingw-pcre2, and rubygem-git), Mageia (admesh, chromium-browser-stable, golang, kernel, kernel-linus, and pidgin), Red Hat (firefox, openvswitch2.13, openvswitch2.15, openvswitch2.16, rsyslog, and thunderbird), SUSE (bind, curl, opera, pcp, postgresql12, and postgresql14), and Ubuntu (gnupg2 and ntfs-3g).
Paul McKenney writes about why read-copy-update coverage is not universal in the kernel, the hazards that can result from that, and what is being done to improve the situation.
As of this writing, just under 4,600 non-merge changesets have been pulled into the mainline repository for the 5.19 development cycle. The 5.19 merge window is clearly well underway. The changes pulled so far cover a number of areas, including the core kernel, architecture support, networking, security, and virtualization; read on for highlights from the first part of this merge window.
Security updates have been issued by Debian (atftp, cups, neutron, and zipios++), Fedora (clash, moodle, python-jwt, and thunderbird), Red Hat (thunderbird), Slackware (cups), SUSE (go1.17, libredwg, opera, seamonkey, and varnish), and Ubuntu (libxv, ncurses, openssl, and subversion).
The normal rule of kernel development is that the creation of user-space regressions is not allowed; a patch that breaks a previously working application must be either fixed or reverted. There are exceptions, though, including a 5.10 patch that has been turning up regressions ever since. The story that emerges here shows what can happen when the goals of stability, avoiding security problems, and code cleanup run into conflict.
Security updates have been issued by Debian (chromium, dpkg, filezilla, irssi, puma, and python-django), Fedora (firefox, ignition, and pcre2), Mageia (cockpit, firefox/thunderbird, openldap, supertux, unrar, and vim), Oracle (firefox and thunderbird), Red Hat (rh-varnish6-varnish), SUSE (cups, fribidi, kernel-firmware, redis, and wpa_supplicant), and Ubuntu (dpkg, logrotate, and subversion).
Right on the heels of his previous filesystem session at the 2022 Linux Storage, Filesystem, Memory-management and BPF Summit (LSFMM), Steve French led a session on temporary files and their interaction with network filesystems. The problem is that creating temporary files is not always atomic, so he was proposing changing that, which would eliminate a possible race condition and be more efficient for network filesystems. Since the temporary-file discussion did not fill the 30-minute slot, however, French took the opportunity to discuss some attributes he would like to see get added for the statx() system call.
Steve French led a discussion on change notifications for network filesystems in a session at the 2022 Linux Storage, Filesystem, Memory-management and BPF Summit (LSFMM). He is part of the Samba team and noted that both Windows and macOS clients get notified of new and changed files in a shared directory immediately, while on Linux that does not happen. He wanted to explore what it would take to add that functionality.