Security updates have been issued by Debian (blueman and wordpress), Fedora (fastd, kernel, and samba), Gentoo (bluez, fossil, kpmcore, libssh, and opendmarc), openSUSE (claws-mail and icinga2), and Ubuntu (blueman).
For those who are following along with Linus Walleij's detailed writeup of how the 32-bit Arm bootstrap process works, he has posted two new installments (part 1, part 2) on what happens once virtual memory is enabled. "This init task is task 0. It is not identical to task 1, which will be the init process. That is a completely different task that gets forked in userspace later on. This task is only about providing context for the kernel itself, and a point for the first task (task 1) to fork from. The kernel is very dependent on context as we shall see, and that is why its thread/task information and even the stack pointer for this 'task zero' is hardcoded into the kernel like this. This 'zero task' does not even appear to userspace if you type ps aux, it is hidden inside the kernel."
Overclocking the processor — running it above its specified maximum frequency to increase performance — is a familiar operation for many readers. Sometimes, however, it is necessary to go the other direction and decrease a processor's operating power point by lowering its voltage to avoid overheating. Recently, Jason Donenfeld submitted a short patch removing a warning emitted by the kernel when user space accesses special processor registers that allow this "undervolting" on x86 processors. It caused a long discussion that might result in a kernel interface to allow users to safely control their processor's voltage.
The net today carries the sad news that Dan Kohn has passed away. Among other things, Dan played a huge role in the establishment of the Linux Foundation and a number of its initiatives, including the Cloud Native Computing Foundation and LF Public Health. He will be missed.
The second 5.10 kernel prepatch is out for testing. "Despite the size, I don't get the feeling that there's anything really odd going on, and so far the release seems to be going smoothly. But please test, that's how we find problems."
Linux distributors are in the business of integrating software from multiple sources, packaging the result, and making it available to their users. It has long been true that some projects are easier to package than others. The Debian technical committee (TC) is currently being asked to make a decision in a dispute over how an especially hard-to-package project — Kubernetes — should be handled. Regardless of the eventual outcome, this disagreement clearly shows how the packaging model used by Linux distributors is increasingly mismatched to how software is often developed in the 2020s; what should replace that model is rather less clear, though.
Security updates have been issued by Debian (dompurify.js, libsndfile, and openjdk-8), Fedora (python2), Mageia (tomcat), openSUSE (lout, pagure, php7, singularity, and tensorflow2), SUSE (graphviz, libvirt, pacemaker, python-Jinja2, samba, spice, spice-gtk, thunderbird and mozilla-nspr, xen, and zstd), and Ubuntu (fastd).
The kernel's tracing infrastructure is designed to be fast and to interfere as little as possible with the normal operation of the system. One consequence of this requirement is that the code that runs when a tracepoint is hit cannot sleep; otherwise execution of the tracepoint could add an arbitrary delay to the execution of the real work the kernel should be doing. There are times, though, that the ability to sleep within a tracepoint would be handy, delays notwithstanding. The sleepable tracepoints patch set from Michael Jeanson sets the stage to make it possible for (some) tracepoint handlers to take a nap while performing their tasks — but stops short of completing the job for now.
Greg Kroah-Hartman has announced the release of seven new stable kernels: 5.9.2, 5.8.17, 5.4.73, 4.19.153, 4.14.203, 4.9.241, and 4.4.241. These are extremely large updates, with important fixes throughout the tree. Users of these kernel series should upgrade. Update: 4.19.154 was released later because 4.19.153 did not get all of the patches intended for it, as reported by Pavel Machek.
Security updates have been issued by Debian (linux-4.19), Fedora (tcpreplay, xen, and yubihsm-shell), SUSE (pacemaker), and Ubuntu (gosa and pam-python).
Python has keyword arguments for functions, which are a useful (and popular) feature; they can make the code clearer to read and eliminate the possibility of passing arguments in the wrong order. Python can also index an object in various ways to refer to a subset or an aspect of the object. Bringing the idea of keywords to indexing would provide a way to get the clarity benefit for indexing operations; doing so has been discussed in Python circles for a long time. Some renewed interest, in the form of lengthy discussions on the python-ideas mailing list and a new Python enhancement proposal (PEP), looks like it just might take keyword indexing over the finish line.
Address-space isolation is the technique of removing a range of memory from one or more address spaces as a way of preventing accidental or malicious access to that memory. Since the disclosure of the Meltdown and Spectre vulnerabilities, the kernel has used one form of address-space isolation to make kernel memory completely inaccessible to user-space processes, for example. There has been a steady level of interest in using similar techniques to protect memory in other contexts; two patches implementing new isolation mechanisms are getting closer to being ready for merging into the mainline kernel.
Security updates have been issued by Debian (thunderbird), Fedora (createrepo_c, dnf-plugins-core, dnf-plugins-extras, librepo, livecd-tools, and pdns-recursor), openSUSE (firefox and mailman), Oracle (firefox), Red Hat (chromium-browser, java-1.8.0-openjdk, and Satellite 6.8), Scientific Linux (java-1.8.0-openjdk), SUSE (libvirt), and Ubuntu (blueman, firefox, mysql-5.7, mysql-8.0, php7.4, and ruby-kramdown).
The Fedora 33 release is now available in a variety of editions, including the newly promoted IoT edition. "No matter what variant of Fedora you use, you’re getting the latest the open source world has to offer. Following our 'First' foundation, we’ve updated key programming language and system library packages, including Python 3.9, Ruby on Rails 6.0, and Perl 5.32. In Fedora KDE, we’ve followed the work in Fedora 32 Workstation and enabled the EarlyOOM service by default to improve the user experience in low-memory situations. To make the default Fedora experience better, we’ve set nano as the default editor." A number of the more significant Fedora 33 changes were covered here in June.
Linus Walleij continues his series of blog posts on the 32-bit Arm kernel with this detailed description about how page tables work. "The Linux kernel will act as if 5 levels of page tables exist. This is of course grossly over-engineered for ARM32 which has 2 or 3 levels of page tables, but we need to cater for the rest of the world. One size fits all. In practice, the code is organized such that these page tables 'fold' and we mostly skip over the intermediate translation steps when possible."
Linus Torvalds released 5.10-rc1 and closed the 5.10 merge window on October 25; by that time, 13,903 non-merge changesets had been pulled into the mainline repository. Of those, over 6,700 were merged since LWN's summary of the first half of the merge window. A fair number of interesting features found their way into the kernel among those commits; read on to catch up with what's coming in 5.10.
Security updates have been issued by Debian (fastd, freetype, openjdk-11, phpmyadmin, and thunderbird), Fedora (ant, firefox, freetype, kde-partitionmanager, kpmcore, mupdf, python-PyMuPDF, singularity, suricata, and zathura-pdf-mupdf), Mageia (claws-mail, nss, firefox, pdns-recursor, and thunderbird), openSUSE (atftp, chromium, firefox, freetype2, gnutls, hunspell, kleopatra, and opera), Oracle (firefox, java-11-openjdk, and kernel), Red Hat (firefox and kpatch-patch), SUSE (bluez, firefox, glibc, libcdio, rmt-server, and SDL), and Ubuntu (freetype, pam-python, and perl).
Linus has released 5.10-rc1 and closed the merge window for this development cycle. "This looks to be a bigger release than I expected, and while the merge window is smaller than the one for 5.8 was, it's not a *lot* smaller. And 5.8 was our biggest release ever."
Version 10.1 of the GDB debugger is out. Changes include support for debugging BPF programs, GDBserver support on the RISC-V architecture, and support for "debuginfod", which is "an HTTP server for distributing ELF/DWARF debugging information as well as source code."
GNU Autoconf, a widely used build tool that shines at compatibility with a variety of Unixes, has accumulated many improvements since its last release in 2012 — and there are patches awaiting review. While many projects have switched to other build systems, interest in Autoconf remains. Now, a small team (disclaimer: including article author Sumana Harihareswara) is rejuvenating it, working through some deferred maintenance and code review. A testable beta is now out, a new stable release is due in early November, and interested parties can build on this momentum to further refresh the rest of the GNU Build System (also known as Autotools).
Security updates have been issued by Gentoo (freetype), openSUSE (mailman), Red Hat (firefox, java-11-openjdk, OpenShift Container Platform 3.11.306 jenkins, and rh-maven35-jackson-databind), SUSE (kernel, mercurial, openldap2, python-pip, and xen), and Ubuntu (firefox, netty-3.9, and python-pip).
The Ubuntu 20.10 release is out. "The Ubuntu kernel has been updated to the 5.8 based Linux kernel, and our default toolchain has moved to gcc 10 with glibc 2.32. Additionally, there is now a desktop variant of the Raspberry Pi image for Raspberry Pi 4 4GB and 8GB. Ubuntu Desktop 20.10 introduces GNOME 3.38, the fastest release yet with significant performance improvements delivering a more responsive Experience". See the release notes for more details.
The seccomp() system call allows user space to load one or more (classic) BPF programs to be run whenever the calling process invokes a system call. Those programs can examine the arguments to each call (only the raw register values; a filter cannot dereference pointers into user memory) and inform the kernel whether the call should be allowed to proceed or not. This feature is used in a number of containerization solutions (and beyond) as a way of reducing the kernel's attack surface. In some situations, though, using seccomp() can result in a significant performance reduction. There are currently two patch sets in circulation that are aimed at reducing the overhead of seccomp() for one common use case.
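As an added illustration of the mechanism the item above describes (example code written for this page, not taken from the article or from either patch set it mentions), the block below builds a classic-BPF seccomp filter that checks the architecture, then the system-call number, then the first argument of socket(2). It also carries a small user-space interpreter for the three instruction forms the filter uses, so the policy can be evaluated against constructed seccomp_data values before it is installed with prctl(). The policy itself, the helper names (run_filter, make_call, decide, install_policy) and the assumption of a little-endian x86-64 or arm64 host are this example's own choices.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <unistd.h>

/* A filter must refuse foreign ABIs: syscall numbers differ between them,
 * so a compat (32-bit) call could otherwise slip past a 64-bit policy.
 * Assumption of this example: an x86-64 or arm64 (little-endian) host. */
#if defined(__x86_64__)
#define OUR_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define OUR_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* constant for this architecture"
#endif

#define SD_OFF(field) ((uint32_t)offsetof(struct seccomp_data, field))
/* Low 32 bits of args[n] on a little-endian host; the high bits are not
 * checked here because socket(2) takes its domain as an int. */
#define ARG_LO(n) (SD_OFF(args) + (n) * 8u)

/* Example policy: every system call is allowed except socket(2), which may
 * only create AF_INET/AF_INET6 sockets; other domains fail with EPERM. */
static struct sock_filter policy[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, SD_OFF(arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, OUR_ARCH, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, SD_OFF(nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_socket, 0, 4), /* not socket(): allow */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, ARG_LO(0)),          /* the domain argument */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AF_INET, 2, 0),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AF_INET6, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};
#define POLICY_LEN (sizeof policy / sizeof policy[0])

/* Minimal interpreter for the three cBPF instruction forms the policy uses,
 * mirroring how the kernel evaluates a filter, so it can be checked offline. */
uint32_t run_filter(const struct sock_filter *prog, size_t len,
                    const struct seccomp_data *sd)
{
    uint32_t acc = 0;
    for (size_t pc = 0; pc < len; pc++) {
        const struct sock_filter *in = &prog[pc];
        switch (in->code) {
        case BPF_LD | BPF_W | BPF_ABS:
            if (in->k % 4 != 0 || in->k > sizeof *sd - sizeof acc)
                return SECCOMP_RET_KILL_PROCESS; /* the kernel rejects such loads */
            memcpy(&acc, (const char *)sd + in->k, sizeof acc);
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:
            pc += (acc == in->k) ? in->jt : in->jf; /* offsets count from pc+1 */
            break;
        case BPF_RET | BPF_K:
            return in->k;
        default:
            return SECCOMP_RET_KILL_PROCESS; /* unsupported opcode: fail closed */
        }
    }
    return SECCOMP_RET_KILL_PROCESS; /* fell off the end: also rejected by the kernel */
}

/* Build the seccomp_data the kernel would hand the filter for one call. */
struct seccomp_data make_call(int nr, uint64_t arg0)
{
    struct seccomp_data sd;
    memset(&sd, 0, sizeof sd);
    sd.nr = nr;
    sd.arch = OUR_ARCH;
    sd.args[0] = arg0;
    return sd;
}

/* Action the policy takes for a call with number nr and first argument arg0. */
uint32_t decide(int nr, uint64_t arg0)
{
    struct seccomp_data sd = make_call(nr, arg0);
    return run_filter(policy, POLICY_LEN, &sd);
}

/* Install the policy for real. PR_SET_NO_NEW_PRIVS is required for an
 * unprivileged caller and stops a setuid binary from running unfiltered. */
int install_policy(void)
{
    struct sock_fprog prog = { .len = (unsigned short)POLICY_LEN, .filter = policy };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

int main(void)
{
    if (install_policy() == -1) { perror("install_policy"); return 1; }
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);   /* blocked: EPERM */
    printf("socket(AF_UNIX): fd=%d errno=%d (%s)\n", fd, errno, strerror(errno));
    fd = socket(AF_INET, SOCK_STREAM, 0);       /* allowed */
    printf("socket(AF_INET): fd=%d\n", fd);
    return 0;
}
```

Two points a practitioner will want from this: the architecture check comes before anything else, because system-call numbers differ between ABIs and a filter without it can be bypassed through the compat entry point, and installation sets PR_SET_NO_NEW_PRIVS so the filter cannot be shed by executing a setuid program. The interpreter covers only the instruction forms this policy uses; a filter with other opcodes needs them added, or can be checked against the kernel's own validator by installing it in a throwaway child process.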
Security updates have been issued by Arch Linux (freetype2), Debian (bluez, firefox-esr, and freetype), Fedora (firefox), openSUSE (chromium), Oracle (kernel), Red Hat (java-11-openjdk), Slackware (kernel), SUSE (freetype2, gnutls, kernel, php7, and tomcat), and Ubuntu (flightgear, italc, libapache2-mod-auth-mellon, libetpan, and php-imagick).
Recently, PHP 8 release candidate 2 was posted by the project. A lot of changes are coming with this release, including a just-in-time compiler, a good number of backward-compatibility breaks, and new features that developers have been requesting for years. Now that the dust has settled, and the community is focusing on squashing bugs for the general-availability release scheduled for November 26, it's a good time to look at what to expect.
Security updates have been issued by Arch Linux (kdeconnect, kernel, kpmcore, lib32-freetype2, linux-hardened, linux-lts, linux-zen, lua, and powerdns-recursor), Debian (mariadb-10.1 and mariadb-10.3), Fedora (thunderbird), Mageia (claw-mail, freetype2, geary, kernel, and tigervnc), Oracle (nodejs:12), Red Hat (python27, rh-postgresql96-postgresql, and rh-python38), Slackware (freetype), SUSE (hunspell, kernel, libvirt, and taglib), and Ubuntu (grunt, quassel, and tomcat9).
Firefox 82.0 has been released, with improvements "that make watching videos more delightful" and improved performance. Firefox ESR 78.4.0 is also available with various stability, functionality, and security fixes. See the release notes (82.0, 78.4.0) for details.
The Julia programming language has seen a major increase in its use and popularity over the last few years. We last looked at it two years ago, around the time of the Julia 1.0 release. Here, we will look at some of the changes since that release, none of which are major, as well as some newer resources for learning the language, but the main focus of this article is a case study that is meant to help show why the language has been taking off. A follow-up article will introduce a new computational notebook for Julia, called Pluto, that is akin to Jupyter notebooks.
Security updates have been issued by Debian (python-flask-cors), Fedora (kleopatra, nextcloud, and phpMyAdmin), Gentoo (ark, libjpeg-turbo, libraw, and libxml2), openSUSE (bind, kernel, php7, and transfig), Red Hat (kernel, kernel-alt, kernel-rt, rh-python36, virt:8.1 and virt-devel:8.1, and virt:8.2 and virt-devel:8.2), and Ubuntu (collabtive, freetype, linux, linux-hwe, linux-hwe-5.4, linux-oem, linux-raspi, linux-raspi-5.4, linux-snapdragon, and linux-oem-osp1, linux-raspi2-5.3).
This Matrix blog entry describes a planned reputation-management system that, it is claimed, accomplishes some of the same goals as government backdoors without the need to compromise end-to-end encryption. "Just like the Web, Email or the Internet as a whole, there is literally no way to unilaterally censor or block content in Matrix. But what we can do is provide first-class infrastructure to let users (and room/community moderators and server admins) make up their own mind about who to trust, and what content to allow. This would also provide a means for authorities to publish reputation data about illegal content, providing a privacy-respecting mechanism that admins/mods/users can use to keep illegal content away from their servers/clients."
Version 2.29.0 of the Git source-code management system is out. This release includes a long list of smallish improvements; click below for the details. Also present is the code enabling Git to switch to the SHA-256 hash algorithm; this feature is still deemed experimental, though, and interoperability with SHA-1 repositories is not yet available.
Applications that run on the Linux desktop have changed significantly under the hood in recent years; for example, they use more processes than before. Desktop environments need to adapt to this change. During Akademy 2020, KDE developers David Edmundson and Henri Chain delivered a talk (YouTube video) about how KDE, working with other desktop environments, is starting to use advanced kernel features to give users more control over their systems. This talk complements a presentation by GNOME developers that was recently covered here.
Security updates have been issued by Debian (kernel, thunderbird, and yaws), Fedora (createrepo_c, dnf, dnf-plugins-core, dnf-plugins-extras, kata-agent, libdnf, librepo, and wireshark), Gentoo (chromium and firefox), Mageia (brotli, flash-player-plugin, php, phpmyadmin, and wireshark), openSUSE (crmsh, gcc10, nvptx-tools, icingaweb2, kernel, libproxy, pdns-recursor, phpMyAdmin, and rubygem-activesupport-5_1), Red Hat (nodejs:12 and rh-maven35-apache-commons-collections4), and SUSE (gcc10, nvptx-tools and transfig).
As of this writing, 7,153 non-merge changesets have been pulled into the mainline Git repository for the 5.10 release — over a period of four days. This development cycle is clearly off to a strong start. Read on for an overview of the significant changes merged thus far for the 5.10 kernel release.
Security updates have been issued by Fedora (dnf, kernel, libdnf, python27, and python34), SUSE (blktrace, crmsh, php7, and php72), and Ubuntu (containerd, docker.io, firefox, htmlunit, and newsbeuter).
The 2021 edition of linux.conf.au will be held online on January 23-25, 2021; the call for proposals has gone out with a relatively tight deadline of November 6. "Our theme is 'So what's next?'. We all know we're living through unprecedented change and uncertain times. How can open source play a role in creating, helping and adapting to this ongoing change? What new developments in software and coding can we look forward to in 2021 and beyond?" Since there is no travel involved, this is a rare opportunity for those who have not normally been able to participate in LCA.
One of the first features merged for the 5.10 kernel development cycle was support for the Arm v8.5 memory tagging extension [PDF]. By adding a "key" value to pointers (a 4-bit tag held in the otherwise unused top byte of the pointer, which the hardware compares on every access against the tag stored for the 16-byte granule of memory being touched), this mechanism enables the automated detection of a wide range of memory-safety issues. The result should be safer and more secure code — once support for the feature shows up in actual hardware.
Security updates have been issued by Arch Linux (chromium), Debian (httpcomponents-client), Fedora (claws-mail), SUSE (bcm43xx-firmware, crmsh, libqt5-qtimageformats, libqt5-qtsvg, php53, php7, and rubygem-activesupport-4_2), and Ubuntu (php5, php7.0, php7.2, php7.4, python2.7, python3.4, python3.5, python3.6, and vim).
We have looked at the problem of confusingly named packages in repositories such as the Python Package Index (PyPI) before. In general, malicious actors create these packages with names that can be mistaken for those of legitimate packages in the repository in a form of "typosquatting". Since our 2016 article, the problem has not gone away—no surprise—but there has been some recent analysis of it, as well as some efforts to combat it.
Recently, John Bafford revived a years-long conversation on expanding the syntax of the PHP foreach statement to include iterating solely over keys. Bafford, who wrote a patch and request for comments (RFC) on the matter back in 2016, hopes to update his work and convince the community to adopt the abbreviated syntax in PHP 8.1. The community took Bafford's general idea and expanded it into other areas of the language.
Several flaws in the BlueZ kernel Bluetooth stack prior to Linux 5.9 are being reported by Intel and by Google (GHSA-h637-c88j-47wq, GHSA-7mh3-gq28-gfrq, and GHSA-ccx2-w2r4-x649). They are collectively being called "BleedingTooth", and more information will be forthcoming, though there is already a YouTube video demonstrating remote code execution using BleedingTooth.