Feed lwn LWN.net

Link https://lwn.net/
Feed http://lwn.net/headlines/rss
Updated 2024-11-24 02:45
[$] MagicMirror: a versatile home information hub
Back in 2014, a Raspberry Pi enthusiast by the name of Michael Teeuw shared his build of a "magic mirror" with the world in a six-part series. The system consisted of a Raspberry Pi and monitor running a web browser in kiosk mode, with a web server that provided a dashboard interface — all stored in a custom-built case with a one-way mirror. Since his post, others around the world have built these devices for their home (including myself), forming both a community and an interesting open-source project. The recent release of MagicMirror (MM2) version 2.12.0 gives us an opportunity to learn more about where the project started and where it is today.
Security updates for Monday
Security updates have been issued by Debian (ark, netty, netty-3.9, qemu, squid3, and xorg-server), Fedora (chromium), Gentoo (dovecot and gnutls), Mageia (ansible, postgresql, and python-rsa), openSUSE (curl, freerdp, libX11, php7, squid, and xorg-x11-server), Oracle (kernel), Red Hat (thunderbird), Slackware (gnutls), and SUSE (firefox, kernel, and thunderbird).
Kernel prepatch 5.9-rc4
The 5.9-rc4 kernel prepatch is out for testing. "So I certainly can't claim that things have calmed down, but hopefully this was pretty much it. Knock wood."
A pair of weekend stable kernels
The 5.8.7 and 5.4.63 stable kernels are out with a relatively small number of important fixes.
FSF: Free Software Award nominations sought
The Free Software Foundation (FSF) has announced that nominations are open, until October 28, for the Free Software Awards. Winners will be announced at the annual LibrePlanet conference. "You might know of a contributor or organization who has done significant and user-empowering work on free software. We invite you to take a moment to show them (and tell us) that you care, by nominating them for an award in one of three categories: the Award for the Advancement of Free Software, the Award for Projects of Social Benefit, or the Award for Outstanding New Free Software Contributor. Don't assume that someone else will nominate them -- too often, everyone assuming someone else will express the appreciation means that it never happens. As taking initiative and speaking up for the community are important parts of free software, why not take the time yourself to make sure your voice is heard?"
Linux from Scratch version 10.0 released
On September 1, the Linux From Scratch (LFS) project announced the release of version 10.0 of LFS along with Beyond Linux From Scratch (BLFS). LFS is "a project that provides you with step-by-step instructions for building your own customized Linux system entirely from source"; BLFS picks up where LFS leaves off. Both books are available online either with or without systemd: LFS System V, LFS systemd, BLFS System V, and BLFS systemd. "The LFS release includes updates to glibc-2.31, and binutils-2.34. A total of 35 packages have been updated. A new package, zstd-1.4.4, has also been added. Changes to text have been made throughout the book. The Linux kernel has also been updated to version 5.5.3. The BLFS version includes approximately 1000 packages beyond the base Linux From Scratch Version 9.1 book. This release has over 840 updates from the previous version in addition to numerous text and formatting changes."
[$] Notes from an online free-software conference
The 2020 Linux Plumbers Conference (LPC) was meant to be held in Halifax, Nova Scotia, Canada at the end of August. As it happens, your editor was on the organizing committee for that event and thus got a close view of what happens when one's hopes for discussing memory-management changes on the Canadian eastern seaboard become one of the many casualties of an ongoing pandemic. Transforming LPC into a successful online experience was a lot of work, but the results more than justified the effort. Read on for some notes and thoughts from the experience of making LPC happen in 2020.
Security updates for Friday
Security updates have been issued by Fedora (curl, dovecot, geary, httpd, lua, mysql-connector-java, and squid), Mageia (lua and lua5.3, sane, and squid), Oracle (dovecot), Scientific Linux (dovecot), SUSE (java-1_7_1-ibm, kernel, php5, and xorg-x11-server), and Ubuntu (firefox).
Bottomley: Lessons from the GNOME Patent Troll Incident
James Bottomley got a copy of the patent-suit settlement between the GNOME Foundation and Leigh Rothschild and has posted an analysis. "Although the agreement achieves its aim, to rid all of Open Source of the Rothschild menace, it also contains several clauses which are suboptimal, but which had to be included to get a speedy resolution. In particular, Clause 10 forbids the GNOME foundation or its affiliates from publishing the agreement, which has caused much angst in open source circles about how watertight the agreement actually was. Secondly Clause 11 prohibits GNOME or its affiliates from pursuing any further invalidity challenges to any Rothschild patents leaving Rothschild free to pursue any non open source targets. Fortunately the effect of clause 10 is now mitigated by me publishing the agreement and the effect of clause 11 by the fact that the Open Invention Network is now pursuing IPR invalidity actions against the Rothschild patents."
GnuPG 2.2.23 released, fixing a critical security flaw
GNU Privacy Guard (GnuPG or GPG) has released version 2.2.23 to fix a critical security bug affecting GnuPG 2.2.21 and 2.2.22, as well as Gpg4win 3.1.12. "Importing an OpenPGP key having a preference list for AEAD algorithms will lead to an array overflow and thus often to a crash or other undefined behaviour. Importing an arbitrary key can often easily be triggered by an attacker and thus triggering this bug. Exploiting the bug aside from crashes is not trivial but likely possible for a dedicated attacker. The major hurdle for an attacker is that only every second byte is under their control with every first byte having a fixed value of 0x04. Software distribution verification should not be affected by this bug because such a system uses a curated list of keys."
[$] Profile-guided optimization for the kernel
One of the many unfortunate consequences of the Covid-19 pandemic was the cancellation of the 2020 GNU Tools Cauldron. That loss turned out to be a gain for the Linux Plumbers Conference, which was able to add a GNU Tools track to host many of the discussions that would have otherwise occurred at Cauldron. In that track, Ian Bearman presented his group's work using profile-guided optimization with the Linux kernel. This technique, which he often referred to as "pogo", is not straightforward to apply to the kernel, but the benefits would appear to justify the effort.
A new crop of stable kernels
Greg Kroah-Hartman has released six new stable kernels: 5.8.6, 5.4.62, 4.19.143, 4.14.196, 4.9.235, and 4.4.235. As usual, they contain fixes throughout the tree and users should upgrade.
Cook: Security things in Linux v5.6
Kees Cook catches up with the security-relevant changes in the 5.6 kernel release. "With my 'attack surface reduction' hat on, I remain personally suspicious of the io_uring() family of APIs, but I can’t deny their utility for certain kinds of workloads. Being able to pipeline reads and writes without the overhead of actually making syscalls is pretty great for performance. Jens Axboe has added the IORING_OP_OPENAT command so that existing io_urings can open files to be added on the fly to the mapping of available read/write targets of a given io_uring. While LSMs are still happily able to intercept these actions, I remain wary of the growing 'syscall multiplexer' that io_uring is becoming."
Security updates for Thursday
Security updates have been issued by Debian (asyncpg and uwsgi), Mageia (cairo), openSUSE (chromium, kernel, and postgresql10), Red Hat (dovecot and squid:4), SUSE (curl, java-1_7_0-ibm, java-1_7_1-ibm, java-1_8_0-ibm, kernel, libX11, php7, squid, and xorg-x11-server), and Ubuntu (apport, libx11, and xorg-server, xorg-server-hwe-16.04, xorg-server-hwe-18.04).
[$] LWN.net Weekly Edition for September 3, 2020
The LWN.net Weekly Edition for September 3, 2020 is available.
[$] The winding road to PHP 8's match expression
New to the forthcoming PHP 8.0 release is a feature called match expressions, which is a construct designed to address several shortcomings in PHP's switch statement. While it took three separate request-for-comment (RFC) proposals in order to be accepted, the new expression eventually received broad support for inclusion.
Security updates for Wednesday
Security updates have been issued by CentOS (firefox), Mageia (mutt and putty), openSUSE (ldb, samba, libqt5-qtbase, opera, and postgresql10), Red Hat (bash, kernel, and libvncserver), SUSE (apache2, curl, and squid), and Ubuntu (ark, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-gcp, linux-gcp-4.15, linux-gke-4.15, linux-kvm, linux-oem, linux-oracle, linux-raspi2, linux-snapdragon, linux, linux-aws, linux-kvm, linux-lts-xenial, linux-raspi2, linux-snapdragon, and linux-hwe, linux-aws-5.3, linux-gke-5.3, linux-raspi2-5.3).
Velikov: Pushing pixels to your Chromebook
Emil Velikov provides a high-level introduction of the Linux graphics stack, how it is used within ChromeOS, and the work being done to improve software rendering. "One of our goals is to be as flexible as possible, while minimising the amount of legacy code required - so in our case we're using OpenGL/GLES and EGL. In particular we are making use of the EGL_MESA_platform_surfaceless extension. It allows us to use OpenGL or GLES and render into a memory area, not requiring integration with the display subsystem."
[$] "Structural pattern matching" for Python, part 2
We left the saga of PEP 622 ("Structural Pattern Matching") at the end of June, but the discussion of a Python "match" statement—superficially similar to a C switch but with extra data-matching features—continued. At this point, the next steps are up to the Python steering council, which will determine the fate of the PEP. But there is lots of discussion to catch up on from the last two months or so.
Security updates for Tuesday
Security updates have been issued by Debian (apache2 and libx11), Fedora (batik, ecj, eclipse, eclipse-cdt, eclipse-ecf, eclipse-emf, eclipse-gef, eclipse-m2e-core, eclipse-mpc, eclipse-mylyn, eclipse-remote, eclipse-webtools, firefox, httpd, jetty, lucene, selinux-policy, and univocity-parsers), Mageia (hylafax+), openSUSE (ark and chromium), Red Hat (virt:8.2 and virt-devel:8.2), SUSE (freeradius-server, freerdp, php7, php72, php74, and xorg-x11-server), and Ubuntu (freerdp2, keystone, net-snmp, python-django, and python-rsa).
LXD 4.5 released
The LXD team has announced the release of LXD 4.5. LXD is a container and VM manager focused on running full Linux distributions. Highlights include virtual networks through OVN, bpf system call interception, a new way to allocate PTS devices, improved cluster remote storage, AppArmor confinement for some side services, and graphical console attach on Windows clients.
[$] Supporting Linux kernel development in Rust
The Rust programming language has long aimed to be a suitable replacement for C in operating-system kernel development. As Rust has matured, many developers have expressed growing interest in using it in the Linux kernel. At the 2020 (virtual) Linux Plumbers Conference, the LLVM microconference track hosted a session on open questions about and obstacles to accepting Rust upstream in the Linux kernel. The interest in this topic can be seen in the fact that this was the single most heavily attended session at the 2020 event.
Security updates for Monday
Security updates have been issued by Debian (bacula, bind9, freerdp, libvncserver, lilypond, mupdf, ndpi, openexr, php-horde, php-horde-core, php-horde-gollem, php-horde-kronolith, ros-actionlib, thunderbird, and xorg-server), Fedora (golang-github-ulikunitz-xz and qt), Gentoo (bind, chrony, ghostscript-gpl, kleopatra, openjdk, and targetcli-fb), Mageia (ark, evolution-data-server, fossil, kernel, kernel-linus, and thunderbird), openSUSE (apache2, graphviz, grub2, inn, librepo, and xorg-x11-server), Oracle (firefox), and Red Hat (git).
Kernel prepatch 5.9-rc3
The third 5.9 kernel prepatch is out for testing. "On the whole it's been pretty calm for being rc3. This is actually one of the smaller rc3's we've had in recent releases."
[$] Software and hardware obsolescence in the kernel
Adding code to the kernel to support new hardware is relatively easy. Removing code that is no longer useful can be harder, mostly because it can be difficult to know when something is truly no longer needed. Arnd Bergmann, who removed support for eight architectures from the kernel in 2018, knows well just how hard this can be. At the 2020 Linux Plumbers Conference, he led two sessions dedicated to the topic of obsolete software and hardware. With a bit of effort, he said, it should be possible to have a better idea of when something can be removed.
[$] Building a Flutter application (part 2)
Our previous article explored the fundamentals of Flutter, a cross-platform open-source user-interface (UI) toolkit. We complete our introduction of Flutter by returning to the simple LWN RSS feed headline viewer that was introduced in part one. We will be adding several new features to that application in part two, including interactive elements to demonstrate some of the UI features of Flutter.
Security updates for Friday
Security updates have been issued by Debian (bind9 and squid), Fedora (libX11 and wireshark), Gentoo (libX11 and redis), Mageia (firefox, libx11, qt4 and qt5base, and x11-server), openSUSE (gettext-runtime, inn, and webkit2gtk3), Oracle (firefox), SUSE (libqt5-qtbase, openvpn, openvpn-openssl1, postgresql10, and targetcli-fb), and Ubuntu (chrony, nss, and squid).
Krisman: Using the Linux kernel's Case-insensitive feature in Ext4
On the Collabora blog, Gabriel Krisman Bertazi writes about a feature he developed: case-insensitive ext4. He describes how to enable the feature in the kernel (>= 5.2), how to create an ext4 filesystem that will support case-insensitive lookups, as well as some gotchas; he starts with some justification for the idea: "A file name is a text string used to uniquely identify a file (in this context, 'directory' is the same as a file) at a specific level of the directory hierarchy. While, from the operating system point of view, it doesn't matter what the file name is, as long as it is unique, meaningful file names are essential for the end user, since it is the main key to locate and retrieve data. In other words, a meaningful file name is what people rely upon to find their valuable documents, pictures and spreadsheets. Traditionally, Linux (and Unix) filesystems have always considered file names as an opaque byte sequence without any special meaning, requiring users to submit the exact match of the file to find it in the filesystem. But that is not how humans operate. When people write titles, 'important report.ods' and 'IMPORTANT REPORT.ods' usually mean the same piece of data, and you don't care how it was written when creating it. We care about the content and the semantics of the words IMPORTANT and REPORT."
Rust 1.46.0
The Rust team has announced the release of Rust 1.46.0. "This release enables quite a lot of new things to appear in const fn, two new standard library APIs, and one feature useful for library authors. See the detailed release notes to learn about other changes not covered by this post."
Stable kernels 5.8.5 and 5.7.19
Greg Kroah-Hartman has released the 5.8.5 and 5.7.19 stable kernels with a relatively small number of fixes. Note that this is the last release for the 5.7.x kernel series, so users should move to 5.8.5 along with those on 5.8.x.
[$] Resource management for the desktop
For as long as we have had desktop systems, there have been concerns about desktop responsiveness and developers have been working to improve things in that area. Over the years, Linux has gained a number of capabilities — control groups in particular — that are applicable to the problem of improving desktop performance, but use of these features has lagged behind their availability. At the 2020 Linux Plumbers Conference, Benjamin Berg outlined some of the work that is being done by the Linux desktop projects to put recent kernel features to work.
Security updates for Thursday
Security updates have been issued by Debian (firefox-esr and nginx), Fedora (firefox, firejail, and lua), Gentoo (chromium, docker, firefox and thunderbird, net-snmp, postgresql, and wireshark), openSUSE (chromium, claws-mail, dovecot23, libreoffice, and python3), Oracle (kernel), Scientific Linux (firefox), SUSE (apache2, graphviz, and libxslt), and Ubuntu (firefox, libmysofa, and squid3).
[$] LWN.net Weekly Edition for August 27, 2020
The LWN.net Weekly Edition for August 27, 2020 is available.
X.Org Server 1.20.9 released
The X.Org project has announced the release of xorg-server version 1.20.9. Among other improvements are numerous fixes to XWayland, including a bug that could cause an infinite loop at startup as well as other potential crash fixes. The release also addresses several security issues that can "lead to local privileges elevation on systems where the X server is running privileged." Users of xorg-server are encouraged to upgrade.
Fuzzing the Linux kernel (x86) entry code (Oracle)
The Oracle blog is putting up a series by Vegard Nossum on fuzzing the kernel's entry code; part 1 and part 2 are available now. "While these fuzzers effectively test the system calls themselves (and the code reachable through system calls), one thing they don't test very well is what happens at the actual transition point between userspace and the kernel. There is more to this boundary than meets the eye; it is written in assembly code and there is a lot of architectural state (CPU state) that must be verified or sanitized before the kernel can safely start executing its C code. This blog post explores how one might go about writing a fuzzer targeting the Linux kernel entry code on x86."
[$] The programmer's CAD: OpenSCAD
OpenSCAD is a GPLv2-licensed 3D computer-aided design (CAD) program best described as a "programmer's CAD"; it is available for Linux, Windows, several flavors of BSD, and macOS. Unlike the majority of 3D-modeling software packages which are point-and-click, the OpenSCAD website describes the project as "something like a 3D compiler", where models are generated using a scripting language. It is a unique way of approaching CAD and has many real-world applications that may be of interest.
A set of stable kernels
Stable kernels 5.8.4, 5.7.18, 5.4.61, 4.19.142, 4.14.195, 4.9.234, and 4.4.234 have been released with important fixes throughout the tree. Users should upgrade.
Security updates for Wednesday
Security updates have been issued by Debian (firefox-esr, ghostscript, php7.0, and proftpd-dfsg), Fedora (mod_http2 and thunderbird), Red Hat (chromium-browser and firefox), and SUSE (apache2, grub2, samba, and xorg-x11-server).
[$] Fuzzing in Go
Fuzzing is a testing technique with randomized inputs that is used to find problematic edge cases or security problems in code that accepts user input. Go package developers can use Dmitry Vyukov's popular go-fuzz tool for fuzz testing their code; it has found hundreds of obscure bugs in the Go standard library as well as in third-party packages. However, this tool is not built in, and is not as simple to use as it could be; to address this, Go team member Katie Hockman recently published a draft design that proposes adding fuzz testing as a first-class feature of the standard go test command.
Security updates for Tuesday
Security updates have been issued by Debian (icingaweb2 and mongodb), Fedora (nss), Gentoo (chromium and shadow), Mageia (ghostscript, kdepim-runtime, kmail-account-wizard, luajit, mysql-connector-python, and python-ipaddress), openSUSE (python, python3, and webkit2gtk3), Red Hat (kernel and kernel-alt), Slackware (firefox), SUSE (squid3), and Ubuntu (bind9, ghostscript, net-snmp, postgresql-10, postgresql-12, postgresql-9.5, and sane-backends).
[$] CAELinux 2020: Linux for engineering
CAELinux is a distribution focused on computer-aided engineering (CAE) maintained by Joël Cugnoni. Designed with students and academics in mind, the distribution is loaded with open-source software that can be used to model everything from pig livers to airfoils. Cugnoni's latest release, CAELinux 2020, was made on August 11; readers with engineering interests may want to take a look.
Security updates for Monday
Security updates have been issued by Debian (firejail, icingaweb2, inetutils, libjackson-json-java, proftpd-dfsg, python2.7, software-properties, and sqlite3), Fedora (chrony), Mageia (chrony), openSUSE (dovecot23, postgresql12, and python), Slackware (bind), SUSE (gettext-runtime and SUSE Manager Server 3.2), and Ubuntu (bind9).
Kernel prepatch 5.9-rc2
The 5.9-rc2 kernel prepatch is out for testing. "Nothing in particular stands out, there's a random collection of fixes and updates in here."
[$] Rethinking fsinfo()
The proposed fsinfo() system call, which returns extended information about mounted filesystems, was first covered here just over one year ago. The form of fsinfo() has not changed much in that year, but the debate over merging it continues. To some, fsinfo() is needed to efficiently obtain information about filesystems; to others, it is an unnecessary and over-engineered mechanism. Changes will probably be necessary if this feature is ever to make it into the mainline kernel.
Seven new stable kernels
The 5.8.3, 5.7.17, 5.4.60, 4.19.141, 4.14.194, 4.9.233, and 4.4.233 stable kernels have been released. As usual, they contain lots of fixes all over the kernel tree. Users of those kernel series should upgrade.
Security updates for Friday
Security updates have been issued by Debian (ghostscript), Fedora (curl and mod_http2), Mageia (ngircd), openSUSE (kernel), SUSE (libreoffice), and Ubuntu (curl).
[$] Fedora IoT becomes an edition
The Fedora 33 release is currently scheduled for late October; as part of the process of designing this release, the deadline for system-wide change proposals was set for June 30. This release already has a substantial number of big changes in the works, so one might be forgiven for being surprised by a system-wide change proposal that appeared on August 4, which looks to be pre-approved. Not only that, but this proposal expands the small set of official Fedora "editions" by adding the relatively obscure Fedora Internet of Things Edition.
Security updates for Thursday
Security updates have been issued by Fedora (ansible, libmetalink, roundcubemail, rubygem-kramdown, sqlite, and swtpm), Slackware (curl), SUSE (python and python3), and Ubuntu (qemu).
[$] LWN.net Weekly Edition for August 20, 2020
The LWN.net Weekly Edition for August 20, 2020 is available.
[$] Exploring LibreOffice 7.0
The Document Foundation (TDF) has announced the release of LibreOffice 7.0. This major release is a significant upgrade from version 6.4.6, focusing on interoperability with Microsoft Office, general performance, and support for OpenDocument Format (ODF) version 1.3. A complete list of new features and bug fixes can be found in the release notes.