Stable kernels 5.14.16, 5.10.77, 5.4.157, 4.19.215, 4.14.254, 4.9.289, and 4.4.291 have been released. They contain important fixes and users should upgrade.
Firefox 94.0 has been released. Linux users should see improved WebGL performance and reduced power consumption for many workloads. The about:unloads page shows the user information about open tabs and allows them to release system resources by unloading tabs without closing them. Site Isolation provides better protection against side-channel attacks. See the announcement for more new features in this release. Firefox ESR 91.3 is also available, with various stability, functionality, and security fixes.
Security updates have been issued by Debian (asterisk, bind9, glusterfs, and openjdk-11), Fedora (ansible and CuraEngine), openSUSE (mailman and opera), Oracle (binutils and flatpak), Red Hat (curl, flatpak, java-1.8.0-ibm, kernel, kernel-rt, libsolv, python3, samba, and webkit2gtk3), Scientific Linux (binutils and flatpak), SUSE (binutils and transfig), and Ubuntu (ceph and mailman).
The long-running and sometimes acrimonious discussion on the memory folio patch set has come to an end: the folio patches were the first thing pulled into the mainline repository for the 5.16 development cycle. Now the developers involved just have to do all of the other work identified as necessary to clean up the memory-management subsystem and isolate it from other parts of the kernel.
The 5.15 kernel was released on October 31, with the code name appropriately changed to "Trick or Treat". By that time, 12,377 non-merge changesets had been merged into the mainline, adding a net total of 332,000 lines of code. Read on for a look at where the contributions to the 5.15 kernel came from.
The latest branded and trademarked vulnerability type is called "Trojan Source". By playing tricks with Unicode bidirectional support, an attacker can create malicious code that appears to be benign to reviewers. "The attack is to use control characters embedded in comments and strings to reorder source code characters in a way that changes its logic." Various releases, including Rust 1.56.1, are being made to address this problem.
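The practical defence against this class of problem is to refuse or flag any source file containing Unicode bidirectional control characters, which is what the compiler and tooling releases mentioned above do. The scanner below is an added example, not code from the original page or from any project named there; the sample source text it scans is constructed for illustration.

```python
"""Scan source text for Unicode bidirectional control characters, the
vector behind the "Trojan Source" technique. Added example code; the
SAMPLE text below is constructed, not taken from any real project."""

# Bidi formatting characters: embeddings/overrides (terminated by PDF)
# and isolates (terminated by PDI). Their presence in source is almost
# always a red flag, and an unterminated one on a line is worse.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO",
    "\u202e": "RLO", "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI",
    "\u2069": "PDI",
}
CLOSER_FOR = {"LRE": "PDF", "RLE": "PDF", "LRO": "PDF", "RLO": "PDF",
              "LRI": "PDI", "RLI": "PDI", "FSI": "PDI"}

def find_bidi_controls(source: str):
    """Return (line, column, name) for every bidi control in `source`.
    Lines and columns are 1-based; columns count code points, not bytes."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if ch in BIDI_CONTROLS:
                findings.append((lineno, col, BIDI_CONTROLS[ch]))
    return findings

def unterminated_lines(source: str):
    """Return numbers of lines that open an embedding, override or isolate
    and never close it before end of line. A stray closer is ignored, as
    the bidi algorithm itself would ignore it."""
    bad = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        stack = []  # expected closers, innermost last
        for ch in line:
            name = BIDI_CONTROLS.get(ch)
            if name is None:
                continue
            if name in CLOSER_FOR:
                stack.append(CLOSER_FOR[name])
            elif stack and stack[-1] == name:
                stack.pop()
        if stack:
            bad.append(lineno)
    return bad

# Constructed sample: an RLO and an LRI hidden inside a comment, neither
# terminated on the line.
SAMPLE = "x = 1\n# ok \u202e comment text \u2066 more\nreturn x\n"

if __name__ == "__main__":
    for lineno, col, name in find_bidi_controls(SAMPLE):
        print(f"line {lineno} col {col}: {name}")
    print("unterminated on lines:", unterminated_lines(SAMPLE))
```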
Version 3.4 of The Yocto Project has been released. Yocto provides a system for building embedded Linux distributions. This release comes with "Linux kernel 5.14, glibc 2.34 and ~280 other recipe upgrades", support for building and cross-compiling Rust code, tons of new recipes, a way to create a SPDX bill of materials (BoM), overlayfs and seccomp support, optimizations, bug fixes, and more. The full release notes have further information.
For all of you youngsters out there, the Internet has always been omnipresent, computers are something you carry in your pocket, the Unix wars are about as relevant as the War of 1812, and the term "NIS" doesn't ring a bell. But, for a certain class of Unix old-timer, NIS has a distinct place in history — and, perhaps, in still-deployed systems. So the suggestion that Fedora might drop support for NIS has proved to be a bit of a wake-up call for some.
Security updates have been issued by Debian (bind9, gpsd, jbig2dec, libdatetime-timezone-perl, tzdata, webkit2gtk, and wpewebkit), Fedora (flatpak, java-1.8.0-openjdk, java-11-openjdk, and php), SUSE (qemu), and Ubuntu (bind9).
Software Freedom Conservancy has had several exemptions granted that it requested to the Digital Millennium Copyright Act (DMCA) by the US Library of Congress for activities of interest to free-software developers:
One does not normally expect to see a great deal of angst over a one-page shell script, even on the Internet. But Debian is special, so it has been having an extended discussion over the fate of the which command that has been escalated to the Debian Technical Committee. The amount of attention that has been given to a small, nonstandard utility shines a light on Debian's governance processes and the interaction of tradition with standards.
The oss-security mailing list is specifically set up for reports and discussion of security flaws in open-source software after their embargo, if any, has expired. But the response to a recent report of the fix for a security flaw in the Linux kernel went in a different direction than usual. The report did not break the two-week embargo period, instead it was "late", which has highlighted some problems in the management of flaws of this nature.
Stable kernels 5.14.15, 5.10.76, 5.4.156, 4.19.214, 4.14.253, 4.9.288, and 4.4.290 have been released. They all contain important fixes and users should upgrade.
For those of you still using the X.org display server, version 21.1 is out. It includes "fully mature" meson build support, Glamor support in Xvfb, variable refresh rate support, touchpad gestures, and more.
Security updates have been issued by Debian (mosquitto and php7.0), Fedora (python-django-filter and qt), Mageia (fossil, opencryptoki, and qtbase5), openSUSE (apache2, busybox, dnsmasq, ffmpeg, pcre, and wireguard-tools), Red Hat (kpatch-patch), SUSE (apache2, busybox, dnsmasq, ffmpeg, java-11-openjdk, libvirt, open-lldp, pcre, python, qemu, util-linux, and wireguard-tools), and Ubuntu (apport and libslirp).
Uniquely identifying users so that they can be tracked as they go about their business on the internet is, sadly, a major goal for advertisers and others today. Web browser cookies provide a fairly well-known avenue for tracking users as they traverse various web sites, but mobile apps are not browsers, so that mechanism is not available. As it turns out, though, there are ways to "fingerprint" Android devices—and likely those of other mobile platforms—so that the device owners can be tracked as they hop between their apps.
Security updates have been issued by Debian (php7.3 and php7.4), Mageia (kernel and kernel-linus), openSUSE (chromium and virtualbox), Oracle (xstream), Red Hat (kernel, rh-ruby30-ruby, and samba), and Ubuntu (binutils and mysql-5.7).
Memory management is a balancing act in a number of ways. The kernel must balance the needs of current users of memory with anticipated future needs, for example. The kernel must also balance the act of reclaiming memory for other uses, which can involve writing data to permanent storage, with the rate of data that the underlying storage devices are able to accept. For years, the memory-management subsystem has used storage-device congestion as a signal that it should slow down reclaim. Unfortunately, that mechanism, which was a bit questionable from the beginning, has not worked in a long time. Mel Gorman is now trying to fix this problem with a patch set that moves the kernel away from the idea of waiting on congestion.
Security updates have been issued by Debian (faad2 and mailman), Fedora (java-11-openjdk, libzapojit, nodejs, python-reportlab, vim, and watchdog), Mageia (ansible, docker-containerd, flatpak, tomcat, and virtualbox), openSUSE (containerd, docker, runc), Oracle (firefox and thunderbird), Red Hat (xstream), Scientific Linux (xstream), SUSE (cairo and containerd, docker, runc), and Ubuntu (apport and mysql-5.7, mysql-8.0).
Since the early days, Unix-like systems have implemented the concept of process priorities, where higher-priority processes are given more CPU time to get their work done. Implementations have changed, and alternatives (such as deadline scheduling) are available for specialized situations, but the core priority (or, in an inverted sense, "niceness") concept remains essentially the same. What should happen, though, in a world where increasing amounts of computing work is done outside of the CPU? Tvrtko Ursulin has put together a patch set showing how the nice mechanism can be extended to GPUs as well.
Security updates have been issued by Arch Linux (apache, chromium, nodejs, nodejs-lts-erbium, nodejs-lts-fermium, and virtualbox), Fedora (vsftpd and watchdog), Oracle (java-1.8.0-openjdk, java-11-openjdk, and redis:6), and Ubuntu (libcaca, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gke, linux-gke-5.4, linux-gkeop, linux-gkeop-5.4, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux-azure-5.8, and mailman).
For those who are curious about where the development of Git is headed: Johannes Schindelin has posted an extensive set of notes from the just-concluded Git Contributors' Summit.
While the BPF virtual machine has been supported by Linux for most of the kernel's existence, its role for much of that time was limited to, as its full name (Berkeley packet filter) would suggest, filtering packets. That began to change in 2012 with the introduction of seccomp() filtering, and the pace picked up in 2014 with the arrival of the extended BPF virtual machine. At this point, BPF hooks have found their way into many kernel subsystems. One area that has remained BPF-free, though, is the CPU scheduler; that could change if some version of this patch set from Roman Gushchin finds its way into the mainline.
Security updates have been issued by Debian (python-babel, squashfs-tools, and uwsgi), Fedora (gfbgraph and rust-coreos-installer), Mageia (aom, libslirp, redis, and vim), openSUSE (fetchmail, go1.16, go1.17, mbedtls, ncurses, python, squid, and ssh-audit), Red Hat (java-1.8.0-openjdk and java-11-openjdk), Scientific Linux (java-1.8.0-openjdk and java-11-openjdk), SUSE (fetchmail, git, go1.16, go1.17, ncurses, postgresql10, python, python36, and squid), and Ubuntu (linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-dell300x, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-raspi2, linux-snapdragon, linux, linux-bluefield, linux-gcp-5.4, linux-hwe-5.4, linux-kvm, linux-oem-5.10, and linux-oem-5.13).
A new style of GPL-enforcement lawsuit was filed on October 19 by Software Freedom Conservancy (SFC) against television maker Vizio. Unlike previous GPL-enforcement suits, which have been pursued on behalf of the developers and copyright holders of GPL-licensed code, this suit has been filed on behalf of owners of the TVs in question. The idea that owners of devices that contain code under the GPL have the right to access that code seems clearly embodied in the license, but it remains to be seen if the courts will decide that those owners have the legal standing to sue for relief.
Stable kernels 5.14.14, 5.10.75, 5.4.155, 4.19.213, and 4.14.252 have been released. They all contain important fixes and users of those series should upgrade.
Security updates have been issued by Debian (ffmpeg, smarty3, and strongswan), Fedora (udisks2), openSUSE (flatpak, strongswan, util-linux, and xstream), Oracle (redis:5), Red Hat (java-1.8.0-openjdk, java-11-openjdk, openvswitch2.11, redis:5, redis:6, and rh-redis5-redis), SUSE (flatpak, python-Pygments, python3, strongswan, util-linux, and xstream), and Ubuntu (linux, linux-aws, linux-aws-5.11, linux-azure, linux-azure-5.11, linux-gcp, linux-gcp-5.11, linux-hwe-5.11, linux-kvm, linux-raspi and strongswan).
Over at the Project Zero blog, Jann Horn has a lengthy post on a kernel bug, ways to exploit it, and various ideas on mitigation. While the exploitation analysis is highly detailed, more than half of the post looks at various defenses to this kind of bug.
On October 11, the first release candidate for Qubes OS version 4.1 was announced. Qubes OS is a security-oriented desktop operating system that uses multiple virtual machines (VMs or "qubes") to isolate various types of functionality. The idea is to compartmentalize different applications and operating-system subsystems to protect them from each other and to limit access to the user's data if an application is compromised. Version 4.1 will bring several important enhancements to help Qubes OS continue to live up to its motto: "A reasonably secure operating system".
Software Freedom Conservancy has announced that it filed suit against TV maker Vizio over "repeated failures to fulfill even the basic requirements of the General Public License (GPL)". The organization raised the problems with Vizio in August 2018, but the company stopped responding in January 2020, according to the announcement.
Security updates have been issued by Debian (redmine and strongswan), Fedora (containerd, fail2ban, grafana, moby-engine, and thunderbird), openSUSE (curl, firefox, glibc, kernel, libqt5-qtsvg, rpm, ssh-audit, systemd, and webkit2gtk3), Red Hat (389-ds:1.4, curl, kernel, kernel-rt, redis:5, and systemd), SUSE (util-linux), and Ubuntu (ardour, linux-azure, linux-azure-5.11, and strongswan).
Differences of opinion over which kernel symbols should be exported to loadable modules have been anything but uncommon over the years. Often, these disagreements relate to which kernel capabilities should be available to proprietary modules. Sometimes, though, it hinges on the disagreements over the best way to solve a problem. The recent discussion around the removal of an export for a core kernel function is a case in point.
The 5.15-rc6 kernel prepatch is out. "I'd love to say that it's all looking average, but rc6 is actually bigger than rc5 was, and larger than normal for this time in the release cycle. It's not _enormously_ larger than normal, and it's not the largest rc6 we've had, but it's still slightly worrisome."
Greg Kroah-Hartman has released the 5.14.13, 5.10.74, 5.4.154, 4.19.212, 4.14.251, 4.9.287, and 4.4.289 stable kernel updates. Each contains another set of important fixes.
The name Debian brings to mind a Linux distribution, but the Debian project is far more than that; it is an ongoing experiment in democratic project governance. Debian's processes can result in a lot of public squabbling; one should not lose track, though, of the fact that those processes have enabled a large community to maintain and grow a complex distribution for decades without the benefit of an overseeing corporate overlord. Processes can be improved, though; a recent proposal from Russ Allbery gives an interesting picture of where the pain points are and what can be made better.
Security updates have been issued by Debian (squashfs-tools, tomcat9, and wordpress), Fedora (openssh), openSUSE (kernel, mbedtls, and rpm), Oracle (httpd, kernel, and kernel-container), SUSE (firefox, kernel, and rpm), and Ubuntu (linux-azure, linux-azure-5.4).
The latest release of the Ubuntu Linux distribution is out: Ubuntu 21.10, code named "Impish Indri". The release notes fill in all of the details for the new features in this version, but the announcement lists some as well:
Version 4.0 of the Devuan distribution has been released; it is code-named Chimaera. This release is based on Debian Bullseye, has improved desktop support, and benefits from more accessibility work. See the release notes for details.
Concerns over the performance of programs written in Python are often overstated — for some use cases, at least. But there is no getting around the problem imposed by the infamous global interpreter lock (GIL), which severely limits the concurrency of multi-threaded Python code. Various efforts to remove the GIL have been made over the years, but none have come anywhere near the point where they would be considered for inclusion into the CPython interpreter. Now, though, Sam Gross has entered the arena with a proof-of-concept implementation that may solve the problem for real.