LWN.net

The PHP project has announcedthat it is moving its PHP repository to GitHub after its own server wascompromised. "Yesterday (2021-03-28) two malicious commits werepushed to the php-src repo from the names of Rasmus Lerdorf and myself. Wedon't yet know how exactly this happened, but everything points towards acompromise of the git.php.net server (rather than a compromise of anindividual git account)."

The 5.12-rc5 kernel prepatch is out fortesting. "So if rc4 was perhaps a bit smaller than average, it looks like rc5 isa bigger than average. We're not breaking any records, but itcertainly isn't tiny, and the rc's aren't shrinking.I'm not overly worried yet, but let's just say that the trend hadbetter not continue, or I'll start feeling like we will need to makethis one of those releases that need an rc8."

Version7.2.0 of the digiKam photo-management application has been released.Changes include better renaming tools, improved album management, areworked internal database, and more. "The neural network to process face detection have been a huge effort with this release.We use a new data model named Yolo. More faces on same images can bedetected with complex shot conditions. The processing speed have beenreduced and the older bugs about the wrong memory allocation definitivelyfixed."

For those wanting more details on the saga of the WireGuard implementationthat was almost released in FreeBSD 13 (a story that LWN covered recently), thisArs Technica story digs in deep. "Despite not having any kerneldevelopers on-staff, Ars was able to verify at least some of Donenfeld'sclaims directly, quickly, and without external assistance. For instance,finding a validation function which simply returned true—and printfstatements buried deep in cryptographic loops—required nothing morecomplicated than grep."

The "Internet of things" (IoT), being the future paradise that awaits uswhen all of our devices are connected to the net, is a worrisome prospectto just about anybody who has thought about its security and privacyimplications. It would be problematic even if the design of all connecteddevices included security and privacy as absolute requirements — but thatis not the way these devices are made. Currently, it is possible to optout of much of the IoT experience with a bit of attention and discipline.In the near future, though, that situation is likely to change and it isnot clear what we can do about it.

Security updates have been issued by Debian (firefox-esr, jquery, openssl, and thunderbird), openSUSE (openssl-1_1 and tor), Oracle (firefox and thunderbird), Scientific Linux (firefox and thunderbird), SUSE (libzypp, zypper and openssl-1_1), and Ubuntu (firefox, ldb, openssl, and ruby2.0).

Technology review coversthe controversy that has resulted from Google's disclosureand fixing of a number of security vulnerabilities being exploited byWestern intelligence agencies. "Instead of focusing on who wasbehind and targeted by a specific operation, Google decided to take broaderaction for everyone. The justification was that even if a Westerngovernment was the one exploiting those vulnerabilities today, it willeventually be used by others, and so the right choice is always to fix theflaw today."

Part 1 of this series described thecopy-on-write (COW) mechanism used to avoid unnecessary copying of pages inmemory, then went into the details of a bug in that mechanism thatcould result in the disclosure of sensitive data. A patch written by LinusTorvalds and merged for the 5.8 kernel appeared to fix that problem withoutunfortunate side effects elsewhere in the system. But COW is a complicatedbeast and surprises are not uncommon; this particular story was nowherenear as close to an end as had been thought.

The Free Software Foundation has announcedchanges in how its board of directors is selected. "We will adopt atransparent, formal process for identifying candidates and appointing newboard members who are wise, capable, and committed to the FSF's mission. Wewill establish ways for our supporters to contribute to the discussion. Wewill require all existing board members to go through this process as soonas possible, in stages, to decide which of them remain on theboard."Meanwhile, numerous community members have posted an open letter calling forthe resignation of the entire Free Software Foundation board of directorsafter the announcement that Richard Stallman would be returning. The FreeSoftware Foundation Europe has made itsdisapproval known, as has the ElectronicFrontier Foundation. The Debian project has starteddiscussing a general resolution affirming its support for the openletter. Various other organizations have expressed concern as well.For those who feel differently, there is also an open letter in supportof Stallman's return to the FSF.

Greg Kroah-Hartman has announced the release of 5.10.26—delayed from the large batch on March 24—with the usualimportant fixes throughout the kernel tree, and 5.11.10, which just contains some relativelyminor fixes: "This is a 'quick revert' of some 5.11.9 commits thatcaused noisy warnings to show up in the kernel log of some systems. If you do not have this issue, orare not bothered by these messages, no need to upgrade."

Security updates have been issued by Debian (firefox-esr and lxml), Fedora (jasper), openSUSE (gnutls, hawk2, ldb, libass, nghttp2, and ruby2.5), Oracle (pki-core:10.6), Red Hat (firefox and thunderbird), SUSE (evolution-data-server, ldb, python3, and zstd), and Ubuntu (ldb, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-dell300x, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux-signed, linux-snapdragon, and linux, linux-lts-xenial).

Open Collective has put out anannouncement describing its "Funds for Open Source" initiative, whichis aimed at making it easy for corporations to fund the work of individualdevelopers. "Big companies call the process for paying for stuff'procurement'. It’s often pretty involved, with contracts, invoices,purchasing order numbers, and bureaucracy—a painful thing to go throughrepeatedly for small amounts. It's practically a blocker. It is so muchsimpler and more practical to ask corporations to make one large payment,to one vendor. Make it easy and companies will invest more."

The LWN.net Weekly Edition for March 25, 2021 is available.

Enumerated types or "enums" are a feature of many languages, includingPython; enums provide a convenient way to collect up a bunch of relatedsymbols that (typically) evaluate to integer values. The canonical examplewould seem to be for colors, at least for demonstration purposes, but there areothers, especially for handling "magic" constants from source likes POSIXor the host operating system. A recent thread on the python-ideas mailing list discussesdifferent ways to add a new feature to enums—seven years after they wereadded to the standard library as part ofPython 3.4.

The WireGuard VPN tunnel is afast and easy-to-use solution for those who need or want a secure tunnelfor their traffic. The project has been around since 2016, but it has had asomewhat circuitous route into Linux; it was merged for the 5.6kernel, which was released in March 2020. Getting into Linux requiredWireGuard developer Jason A. Donenfeld to acquiesce to having WireGuard use some of theexisting kernel crypto primitives, rather than merging his Zinc crypto library. Some of the sametensions that were seen in that process seem to be cropping up again in the morerecent efforts to add WireGuard support to several BSD kernels.

The GNOME 40 release is out. "It brings new design for the Activities overview and improved support forinput with Compose sequences and keyboard shortcuts, among many otherthings.Improvements to core GNOME applications include a redesigned Weatherapplication, information popups in Maps, better tabs in Web, and manymore." See the GNOME 40 pageand the releasenotes for details.

Stable kernels 5.11.9, 5.4.108, 4.19.183, 4.14.227, 4.9.263, and 4.4.263 have been released. They all containimportant fixes and users should upgrade.

Security updates have been issued by Debian (imagemagick and squid), Fedora (jasper and kernel), Red Hat (pki-core), SUSE (gnutls, go1.15, go1.16, hawk2, jetty-minimal, libass, nghttp2, openssl, ruby2.5, sudo, and wavpack), and Ubuntu (linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-gke-5.3, linux-gke-5.4, linux-gkeop, linux-gkeop-5.4, linux-hwe, linux-hwe-5.4, linux-hwe-5.8, linux-kvm, linux-oem-5.10, linux-oem-5.6, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux-raspi2-5.3).

Firefox 87 has beenreleased. This version introduces SmartBlock, "a new intelligent tracker blocking mechanism for Firefox Private Browsing and Strict Mode."Firefox ESR 78.9 has also beenreleased with the usual set of fixes.

Security updates have been issued by Debian (dnsmasq, libmediainfo, and mariadb-10.1), Fedora (dotnet5.0, moodle, and radare2), Mageia (kernel and kernel-linus), Oracle (python27:2.7, python36:3.6, and python38:3.8), Red Hat (pki-core:10.6), and Ubuntu (privoxy).

The kernel's memory-management subsystem is built upon many concepts, oneof which is called "copy on write", or "COW".The idea behind COW is conceptually simple, but itsdetails are tricky and its past is troublesome. Any change to itsimplementation can have unexpected consequences and cause subtle breakagefor existing workloads. So it is somewhat surprising that last year we sawtwo major changes the kernel's COW code; less surprising is the fact that,both times, these changes had unexpected consequences and broke things. Some of the resulting problems are still not fixedtoday, almost ten months after the first change, while the original reasonfor the changes — a security vulnerability — is also not fully fixed. Readon for a description of COW, the vulnerability, and the initial fix; theconcluding article in the series will describe the complications that arosethereafter.

Security updates have been issued by Arch Linux (chromium, ffmpeg, flatpak, git, gnutls, minio, openssh, opera, and wireshark-qt), Debian (cloud-init, pygments, and xterm), Fedora (flatpak, glib2, kernel, kernel-headers, kernel-tools, pki-core, and upx), Mageia (glibc, htmlunit, koji, and python-cairosvg), openSUSE (chromium, connman, froxlor, grub2, libmysofa, netty, privoxy, python-markdown2, tor, and velocity), Oracle (ipa), SUSE (evolution-data-server, glib2, openssl, python3, python36, and wavpack), and Ubuntu (linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-raspi2, linux-snapdragon, linux-oem-5.10, and pygments).

At the LibrePlanet conferenceover the weekend, Richard Stallman announced that he has returned to theFree Software Foundation's board of directors. Video of the announcement isavailable, but there is little information beyond that.

The fourth 5.12 kernel prepatch is out fortesting. "So I'll just tempt the fates and say that everything lookspretty normal and this release seems to look good despite the rc1hiccup."

The Free Software Foundation has announcedthe recipients of its 2021 Free Software Awards. Alyssa Rosenzweigreceived the award for outstanding new free-software contributor,the CiviCRM project won the award for social benefit, and Bradley Kuhnreceived the award for the advancement of free software.

The5.11.8,5.10.25,5.4.107,and 4.19.182stable kernels have been released; each contains another set of importantfixes.

Last week's installment in this series on lockless patterns took a first lookat the compare-and-swap (CAS) operation. CAS is a powerful tool that canbe used to implement a number of lockless primitives. The next step is tolook at other atomic read-modify-write operations that canbe implemented on top of compare-and-swap.

Followers of the linux-next integration tree may have noticed a significantaddition: initial support for writing device drivers in the Rust language.There is some documentation in Documentation/rust,while the code itself is in the rusttop-level directory. Appearance in linux-next generally implies readinessfor the upcoming merge window, but it is not clear if that is the casehere; this code has not seen a lot of wider review yet. It is, regardless,an important step toward the ability to write drivers in a safer language.

Security updates have been issued by CentOS (kernel and pki-core), Debian (shibboleth-sp, shibboleth-sp2, and squid3), openSUSE (libmysofa and privoxy), Oracle (bind), and Ubuntu (ruby2.3, ruby2.5, ruby2.7).

Memory management generally works at the level of pages, which typicallycontain 4,096 bytes but may be larger. The kernel, though, has extendedthe concept of pages to include compound pages, which are groups ofcontiguous single pages. That, in turn, has made the definition ofwhat a "page" is a bit fuzzy. Matthew Wilcox has been working since lastyear on a concept called "page folios" which is meant to bring the pictureback into focus; whether the memory-management community will accept itremains unclear, though.

Security updates have been issued by Debian (velocity-tools), Fedora (switchboard-plug-bluetooth), Mageia (discover, flatpak, and xmlgraphics-commons), openSUSE (chromium and python), Oracle (kernel, kernel-container, and pki-core), Red Hat (openvswitch2.11 and ovn2.11, python-django, qemu-kvm-rhev, and rubygem-em-http-request), and SUSE (crmsh, openssl1, and php53).

The LWN.net Weekly Edition for March 18, 2021 is available.

A number of different attacks against Linux systems rely on brute-forcetechniques using the fork()system call, so a new Linux security module (LSM), called "Brute", has been created todetect and thwart such attacks.Repeated fork() calls can be used for various types ofattacks, such as exploiting the StackClash vulnerability or Heartbleed-style flaws.Version 6 of the Brute patch set was recentlypostedand looks like it might be heading toward the mainline.

Stable kernels 5.11.7, 5.10.24, 5.4.106, 4.19.181, 4.14.226, 4.9.262, and 4.4.262 have been released. There areimportant fixes throughout the tree and users should upgrade.

Open-source projects have many non-technical needs as they grow. But,running a FOSS non-profit organization for supporting these projects is alot of work, as anyone involved in such an organization will attest. Thesedays, some software platforms, such as LFX from the Linux Foundationand Open Collective, are indevelopment to provide important services, such as crowdfunding, toprojects and other organizations. These platforms have the potential toimprove both the quality and range of services available to projects.

Security updates have been issued by Debian (shadow, tor, and velocity), Fedora (gsoap, qt5-qtsvg, and switchboard-plug-bluetooth), Mageia (batik, chromium-browser-stable, glibc, ksh, and microcode), openSUSE (389-ds, connman, freeradius-server, froxlor, openssl-1_0_0, openssl-1_1, postgresql12, and python-markdown2), Red Hat (bind, curl, kernel, nss and nss-softokn, perl, python, and tomcat), Scientific Linux (ipa, kernel, and pki-core), SUSE (glib2 and velocity), and Ubuntu (containerd).

Christian Schaller looksforward to the Fedora 34 release with a detailed write-up of thedesktop-oriented changes. "The big ticket item we have wanted toclose off on was Wayland, because while Wayland has been production readyfor most of us for a while, there was still some cases it didn’t cover aswell as X.org. The biggest of this was of course the lack of acceleratedXWayland support with the binary NVidia driver."

Security updates have been issued by Debian (tomcat8), Fedora (git), openSUSE (opera), Oracle (python), Red Hat (ipa, kernel, kernel-rt, kpatch-patch, and pki-core), SUSE (compat-openssl098 and python), and Ubuntu (glib2.0, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-gke-5.4, linux-gkeop, linux-gkeop-5.4, linux-hwe-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-dell300x, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux-raspi2, linux-snapdragon, linux, linux-aws, linux-azure, linux-gcp, linux-hwe-5.8, linux-kvm, linux-oracle, linux-raspi, linux, linux-aws, linux-kvm, linux-lts-xenial, linux-raspi2, linux-snapdragon, and openjpeg2).

There is a newmailing-list server running under the auspices of kernel.org that ismeant, over time, to address the problems that have been plaguingvger.kernel.org in recent times.

It is probably fair to say that most Linux developers never end up using chroot()in an application. This system call puts the calling process into a newview of the filesystem, with the passed-in directory as the rootdirectory. It can be used to isolate a process from the bulk of thefilesystem, though its security benefits are somewhat limited. Callingchroot() is a privileged operation but, if Mickaël Salaün has hisway with this patchset, that will not be true for much longer, in some situations atleast.

Security updates have been issued by Debian (ca-certificates, flatpak, golang-1.7, golang-1.8, mupdf, pygments, and tiff), Fedora (containerd, golang-github-containerd-cri, mingw-gdk-pixbuf, mingw-glib2, mingw-jasper, mingw-python-jinja2, mingw-python-pillow, mingw-python3, python-django, python-pillow, and python2-pillow), Mageia (git, mediainfo, netty, python-django, and quartz), openSUSE (crmsh, git, glib2, kernel-firmware, openldap2, stunnel, and wpa_supplicant), Oracle (qemu), Red Hat (openvswitch2.11, openvswitch2.13, pki-core, rh-nodejs10-nodejs, rh-nodejs12-nodejs, rh-nodejs14-nodejs, and wpa_supplicant), Slackware (kernel), SUSE (apache2, crmsh, glib2, s390-tools, and slurm_20_11 and pdsh), and Ubuntu (python2.7, python3.7, python3.8).

The third 5.12 kernel prepatch is out fortesting. "So rc3 is pretty big this time around, but that's entirelyartificial, and due to how I released rc2 early. So I'm not going to readanything more into this, 5.12 still seems to actually be on the smallerside overall."

In the first part of this series, I showed you the theory behindconcurrent memory models and how that theory can be applied tosimple loads and stores. However, loads and stores alone are nota practical tool for the building of higher-level synchronization primitivessuch as spinlocks, mutexes, and condition variables.Even though it is possible to synchronize two threads using thefull memory-barrier pattern that was introduced last week (Dekker'salgorithm), modern processors provide a way that iseasier, more generic, and faster—yes, all three of them—thecompare-and-swap operation.

Security updates have been issued by Debian (mupdf and pygments), Fedora (arm-none-eabi-newlib, nodejs, python3.10, and suricata), Mageia (ansible, ceph, firejail, glib2.0, gnuplot, libcaca, mumble, openssh, postgresql, python-cryptography, python-httplib2, python-yaml, roundcubemail, and ruby-mechanize), Scientific Linux (wpa_supplicant), Slackware (git), SUSE (crmsh, libsolv, libzypp, yast2-installation, zypper, openssl-1_0_0, python, and stunnel), and Ubuntu (pillow).

The Asahi Linux project, which is working to build a distribution forM1-based Apple systems, has published aprogress report for January and February. "Apple Silicon Macsboot in a completely different way from PCs. The way they work is more akinto embedded platforms (like Android phones, or, of course, iOS devices),but with quite a few bespoke mechanisms thrown in. However, Apple has takena few steps to make this boot process feel closer to that of an Intel Mac,so there has been a lot of confusion around how things actually work. Forexample, did you know that Apple Silicon Macs cannot boot from externalstorage at all, in the traditional sense? Or that the bootloader on AppleSilicon Macs cannot show a graphical user interface at all, and that the“Boot Picker” is in fact a full-screen macOS app, not part of thebootloader?"

The5.11.6,5.10.23,5.4.105,4.19.180,4.14.225,4.9.261, and4.4.261 stable kernels have all beenreleased, one day earlier than might have been expected. Each contains yetanother set of important fixes.

Many developers use SSH to access their systems, so it is not surprisingthat SSH servers are widely attacked. During the FOSDEM 2021 conference,Sanja Bonic and Janos Pasztor reported on their experiment using containers as a way to easily createSSH honeypots — fake servers that allow administrators to observe the actions ofattackers without risking a production system. Theconversational-style talk walked the audience through the process ofsetting up an SSH server to play the role of the honeypot, showed whatSSH attacks look like, and gave a number of suggestions on how toimprove the security of SSH servers.

Security updates have been issued by Debian (zeromq3), Oracle (dotnet, dotnet3.1, python3, and wpa_supplicant), and Red Hat (wpa_supplicant).

The LWN.net Weekly Edition for March 11, 2021 is available.

A potentially nasty vulnerability in the Gitdistributed revision-control system was disclosed on March 9. There are enoughqualifiers in the description of the vulnerability that it may appear to befairly narrowly focused—and it is. That may make it less worrisome, butit is not entirely clear. As with most vulnerabilities, it all depends on howthe software is being used and the environment in which it is running.