LWN.net

Stable kernels 5.8.2, 5.7.16, 5.4.59, and 4.19.140 have been released. There are manyimportant fixes and users should upgrade.

Security updates have been issued by Debian (imagemagick and ruby-websocket-extensions), Fedora (libetpan, LibRaw, and php), Gentoo (nss), Mageia (apache, ark, clamav, claws-mail, dovecot, firefox, firejail, freerdp, golang, jasper, kernel, libssh, libx11, postgresql-jdbc, python-rstlib, radare2, roundcubemail, squid, targetcli, thunderbird, tomcat, and x11-server), Red Hat (rh-mysql80-mysql), SUSE (dovecot22, freerdp, libvirt, and postgresql12), and Ubuntu (curl and linux-hwe, linux-azure-5.3, linux-gke-5.3).

Linus Walleij continueshis exploration of the boot process for the 32-bit Arm kernel."BAM! The MMU is on. The next instruction (which is incidentally aninstruction cache flush) will be executed from virtual memory. We don’tnotice anything at first, but we are executing in virtual memory. When wereturn by jumping to the address passed in r13, we enter__mmap_switched at the virtual memory address of this function,somewhere below PAGE_OFFSET (typically 0xC0nnnnnn). Wecan now facilitate absolute addressing: the kernel is executing asintended."

In this followup to our coverage of therelease of gnuplot 5.4, we look more deeply atone of the new features: voxel plots. We onlybriefly touched on these plots in that article, but they are the most conspicuous addition inthis release ofthe free-software graphing tool.Voxel plotting provides multiple ways to visualize 3D data, so it is worthlooking at this new plot type in more detail.

The Rust blog announcesthe creation of an independent foundation for the language. "Thisfoundation’s first task will be something Rust is already great at: takingownership. This time, the resource is legal, rather than something in aprogram. The various trademarks and domain names associated with Rust,Cargo, and crates.io will move into the foundation, which will also takefinancial responsibility for the costs they incur. We see this firstiteration of the foundation as just the beginning. There’s a lot ofpossibilities for growing the role of the foundation, and we’re excited toexplore those in the future."

Security updates have been issued by Debian (sane-backends), Fedora (kernel, LibRaw, and wob), openSUSE (balsa, hylafax+, postgresql, postgresql96, postgresql10, postgresql12, and postgresql96, postgresql10 and postgresql12), Oracle (.NET Core 3.1), Red Hat (bash and bind), SUSE (dovecot23, firefox, fwupd, postgresql10, postgresql12, python-azure-agent, and zabbix), and Ubuntu (ark, gnome-shell, libonig, linux, linux-aws, linux-kvm, linux-lts-xenial, linux-raspi2, linux-snapdragon, linux-gke-5.0, linux-oem-osp1, and software-properties).

Sourcegraph is a tool forsearching and navigating around large code bases.The tool has various searchmethods, including regular-expression search, and "structural search",which isa relatively new technique that is language-aware.The open-source core ofthe tool comeswith code search, go-to-definition and other "codeintelligence" features, which provide ways for developers to makesense of multi-repository code bases. Sourcegraph's code-searching toolscan show documentation for functions and methods on mouse hover and allow developers toquickly jump to definitions or to find all references to a particularidentifier.

By the time Linus Torvalds released 5.9-rc1and closed the merge window for this cycle, 12,866 non-merge changesets hadbeen pulled into the mainline repository. Nearly 9,000 of those came inafter the first 5.9 merge-window summarywas written. Clearly the kernel-development community remains busy. Muchof what was merged takes the form of cleanups and restructuring, as always,but there was also a substantial set of new features.

Security updates have been issued by Debian (dovecot, htmlunit, jruby, libetpan, lucene-solr, net-snmp, and posgresql-9.6), Fedora (firefox, nss, qt, and thunderbird), Mageia (glib-networking, mumble, webkit2, and znc), openSUSE (balsa, chromium, firejail, hylafax+, libreoffice, libX11, perl-XML-Twig, thunderbird, wireshark, and xrdp), Red Hat (libvncserver), SUSE (libvirt and perl-PlRPC), and Ubuntu (dovecot and salt).

Version20.08 of the Kdenlive video editor is available. "Kdenlive 20.08is out with nifty features like Interface Layouts, Multiple Audio Streamsupport, Cached data management and Zoombars in the Clip Monitor andEffects Panel but one may argue that the highlights of this release arestability and interface improvements".

Linux has released the 5.9-rc1 kernelprepatch and closed the merge window for this development cycle."This merge window felt a lot more normal than 5.8, and all the statsconfirm that it seems to be the usual size." In the end, 12,866non-merge changesets were pulled for 5.9-rc1, as compared to 14,206 for5.8-rc1.

While PHP does not come with a full toolkit for debugging and profiling, an open-source project has existed almost as long as PHP to provide both: Xdebug. Created and maintained by PHP core developer Derick Rethans, it offers remote debugging, stack traces, profiling, and more. It is a project that anyone doing PHP development would benefit from using.

Security updates have been issued by Debian (squid3), Fedora (lilypond and python3), openSUSE (xen), SUSE (libreoffice, libvirt, webkit2gtk3, xen, and xerces-c), and Ubuntu (apache2).

Shortly before the release of the 5.8 kernel, a brief patch to apseudo-random-number generator (PRNG) used by the networking stack was quietlyapplied to the kernel. As is the norm for such things, the changelog gaveno indication that a security vulnerability had been fixed, but that turnsout indeed to be the case. The resulting controversy had little to do withthe original vulnerability, though, and everything to do with howcryptographic security is managed in the kernel. Figuring prominently inthe discussion was the question of whether theoretical security can undermine security in thereal world.

On the Jupyter blog, Chris Holdgraf announces a rewrite of the Jupyter Book project. LWN looked at Jupyter and its interactive notebooks for Python and other languages back in 2018; Jupyter Book extends the notebook idea. "Jupyter Book is an open source project for building beautiful, publication-quality books, websites, and documents from source material that contains computational content. With this post, we’re happy to announce that Jupyter Book has been re-written from the ground up, making it easier to install, faster to use, and able to create more complex publishing content in your books. It is now supported by the Executable Book Project, an open community that builds open source tools for interactive and executable documents in the Jupyter ecosystem and beyond."

For those who are into the details: here is astep-by-step guide through the process of decompressing an Arm kerneland getting ready to boot from Linus Walleij. "Next thedecompression code sets up a page table, if it is possible to fit one overthe whole uncompressed+compressed kernel image. The page table is not forvirtual memory, but for enabling cache, which is then turned on. Thedecompression will for natural reasons be much faster if we can usecache."

Version 5.1.0 ofthe QEMU processor emulator is out. "This release contains 2500+commits from 235 authors." Enhancements consist mostly ofadditional hardware emulation, of course, but it doesn't stop there; see the changelog for lots ofdetails.

Security updates have been issued by Debian (linux-4.19, linux-latest-4.19, and openjdk-8) and Fedora (ark and hylafax+).

The LWN.net Weekly Edition for August 13, 2020 is available.

In this two-part series, we will be implementing a simple RSS reader for LWN using the UI toolkit Flutter. The project recently announced version 1.20 of the toolkit on August 5. Flutter is a BSD-licensed UI development platform written in Dart that is backed by Canonical as a new way to develop desktop applications targeting Linux. Part one will cover some of the basics of the project and Flutter, with part two building on that work to focus on building a full interactive UI for the application.

Security updates have been issued by Debian (dovecot and roundcube), Fedora (python36), Gentoo (chromium), openSUSE (ark, firefox, go1.13, java-11-openjdk, libX11, wireshark, and xen), Red Hat (bind and kernel), SUSE (libreoffice and python36), and Ubuntu (dovecot and software-properties).

The Linux kernel has never lacked for synchronization primitives andlocking mechanisms, so one might justifiably wonder why there might be aneed to add another one. The addition of locallocks to 5.8 provides an answer to that question. These locks,which have their origin in the realtime (PREEMPT_RT) tree, werecreated to solve some realtime-specific problems, but they also bring somemuch-needed structure to a common locking pattern used in non-realtimekernels as well.

Mitchell Baker writesabout changes at Mozilla, headlined by the laying-off of 250 people."Recognizing that the old model where everything was free hasconsequences, means we must explore a range of different businessopportunities and alternate value exchanges. How can we lead towardsbusiness models that honor and protect people while creating opportunitiesfor our business to thrive? How can we, or others who want a betterinternet, or those who feel like a different balance should exist betweensocial and public benefit and private profit offer an alternative?"

Security updates have been issued by Debian (firmware-nonfree, golang-github-seccomp-libseccomp-golang, and ruby-kramdown), Fedora (kernel, libmetalink, and nodejs), openSUSE (go1.13, perl-XML-Twig, and thunderbird), Oracle (kernel, libvncserver, and thunderbird), Red Hat (kernel-rt and python-paunch and openstack-tripleo-heat-templates), SUSE (dpdk, google-compute-engine, libX11, webkit2gtk3, xen, and xorg-x11-libX11), and Ubuntu (nss and samba).

Greg Kroah-Hartman has released the 5.8.1, 5.7.15, 5.4.58, and 4.19.139 stable kernels. As usual, these contain lots of important fixes throughout the tree; users should upgrade.

Version 27.1 of the Emacs editor is out. New features include support forarbitrary-sized integers, HarfBuzz support,improved drawing with Cairo, and the obligatory new JSON parser.

Nick McKeown kicked off the virtual Netdev0x14 conference with a talk on extending the programmability ofnetworking equipment well beyond where it is today. His visionis of an end-to-end system with programmable pieces at every level.Getting there will require collaboration between the developers of thenetworking stacks on endpoint operating systems as well as those ofswitches, routers, and other backbone equipment.The keynote was held on July 28, a little over two weeksbefore the seven daysof talks, workshops, and tutorials for Netdev, which begins on August 13.

Security updates have been issued by Debian (pillow, ruby-kramdown, wpa, and xrdp), Fedora (ark and rpki-client), Gentoo (apache, ark, global, gthumb, and iproute2), openSUSE (chromium, grub2, java-11-openjdk, libX11, and opera), Red Hat (bind, chromium-browser, java-1.7.1-ibm, java-1.8.0-ibm, and libvncserver), SUSE (LibVNCServer, perl-XML-Twig, thunderbird, and xen), and Ubuntu (samba).

For those who are wondering about the state of the proposed Perl 7fork and the role of the newly formed Perl Steering Committee, RicardoSignes has put together a detailed explanation that is worth a read."You should not expect to see a stream of unjustified dictates issuing forthfrom some secret body on high. You should expect to see perl5-portersoperating as it generally did: with proposals coming to the list, gettingdiscussion, and then being thumbed up or down by the project manager. This iswhat has been happening for years, already. Some proposals were alreadydiscussed by the project manager and some were not. If you eliminated anynamed mailing list for doing this, it would still happen. The PSC is a meansto say that there is a default group for such discussions. If you werewondering, its initial membership was formed from 'the people who came to orwere invited to the Perl Core Summit' over the last few years."

As of this writing, just over 3,900 non-merge changesets have been pulledinto the mainline repository for the 5.9 kernel development cycle. Whilethis merge window has just begun, there is already a significant set of newfeatures to point out.

The Free Software Foundation (FSF) has announced that Geoffrey Knauth has been elected president, and free software activist and developer Odile Bénassy has been appointed to the board of directors. Knauth is replacing Richard Stallman who resigned last year. In Knauth's statement, he said: "The FSF board chose me at this moment as a servant leader to help the community focus on our shared dedication to protect and grow software that respects our freedoms. It is also important to protect and grow the diverse membership of the community."

Security updates have been issued by CentOS (firefox, java-1.8.0-openjdk, java-11-openjdk, libvncserver, postgresql-jdbc, and thunderbird), Debian (firejail and gupnp), Fedora (cutter-re, postgresql-jdbc, radare2, and webkit2gtk3), openSUSE (chromium, firefox, kernel, and python-rtslib-fb), Oracle (container-tools:ol8, kernel, and nss and nspr), Scientific Linux (thunderbird), and SUSE (firefox, kernel, postgresql10 and postgresql12, python-ipaddress, and xen).

Greg Kroah-Hartman has released the 5.7.14, 5.4.57, 4.19.138, and 4.14.193 stable kernels. As usual, these contain lots of important fixes throughout the tree; users should upgrade.

PHP 8.0 is on the horizon, and the project has imposed a feature-freeze for the release. There's one exception to the feature-freeze, though: the new attributes syntax. An attribute is syntactical metadata for PHP code, identical to what is called an "annotation" in other languages. Even though attributes have been voted on multiple times by the community, major contributor and creator of XDebug Derick Rethans threw a wrench into the works days before the feature-freeze by challenging the current syntax. The ensuing discussion lead to the fourth attributes proposal for the year, with a special feature-freeze exception being made by release manager Sara Golemon. This exception gives Rethans one more opportunity to convince the community to change how attributes work up to the Beta 3 release, scheduled for September 3.

Version 2.32 of the GNU CLibrary (glibc) has been released. It contains support forUnicode 13.0.0, a new Kurdish/Sorani locale (ckb_IQ), supportfor audit modules listed in ELF sections of the executable, support forSynopsys ARC HS cores, new signalabbreviation and descriptive text functions (sigabbrev_np() andsigdescr_np()), similar functions for errno values(strerrorname_np() and strerrordesc_np()), branchprotection security hardening for arm64, and more. There are also lots ofbug fixes, deprecations, and removals, as well as four security fixes. Moreinformation can be found in the release notes.

Security updates have been issued by Debian (clamav and json-c), Fedora (python2, python36, and python37), Red Hat (thunderbird), Scientific Linux (thunderbird), SUSE (java-11-openjdk, kernel, rubygem-actionview-4_2, wireshark, xen, and xrdp), and Ubuntu (openjdk-8 and ppp).

The LWN.net Weekly Edition for August 6, 2020 is available.

Our look at running a CNC milling machine using open-source software led me to another tool worth looking at: FreeCAD. I wasn't previously familiar with the program, so I decided to check it out. In this article I will walk through my experiences with using FreeCAD for the first time to do a variety of CNC-related tasks I normally would have used a commercial product for. I had varying degrees of success in my endeavors, but in the end came away with a positive opinion.

ThisMozilla Security Blog entry describes the new redirect-trackingprotections soon to be provided by the Firefox browser. "ETP 2.0clears cookies and site data from tracking sites every 24 hours, except forthose you regularly interact with. We’ll be rolling ETP 2.0 out to allFirefox users over the course of the next few weeks."

We last looked at the idea of a Python"match" or "switch" statement back in 2016, but it is something that hasbeen circulating in the Python community both before and since that coverage.In June it was raised again, with a Python Enhancement Proposal (PEP)supporting it: PEP 622("Structural Pattern Matching"). As that title would imply, thematch statement proposed in the PEP is actually a pattern-matchingconstruct with many uses.While it may superficially resemble the C switch statement, aPython match would do far more than simply choose a chunk of codeto execute based on the value of an expression.

Security updates have been issued by Debian (net-snmp), Fedora (mingw-curl), openSUSE (firefox, ghostscript, and opera), Oracle (libvncserver and postgresql-jdbc), Scientific Linux (postgresql-jdbc), SUSE (firefox, kernel, libX11, xen, and xorg-x11-libX11), and Ubuntu (apport, grub2, grub2-signed, libssh, libvirt, mysql-8.0, ppp, tomcat8, and whoopsie).

The5.7.13,5.4.56,4.19.137, and4.14.192stable kernel updates have been released; each contains another set ofimportant fixes.

Version 7.0 of the LibreOffice office suite is out. It brings a long listof new features, including: "support for OpenDocument Format (ODF) 1.3; Skia graphics engine and VulkanGPU-based acceleration for better performance; and carefully improvedcompatibility with DOCX, XLSX and PPTX files". The plan to create adifferentiated "enterprise edition" that was discussed in July has been deferred and is notpart of this release.

Security updates have been issued by Debian (libx11, webkit2gtk, and zabbix), Fedora (webkit2gtk3), openSUSE (claws-mail, ghostscript, and targetcli-fb), Red Hat (dbus, kpatch-patch, postgresql-jdbc, and python-pillow), Scientific Linux (libvncserver and postgresql-jdbc), SUSE (kernel and python-rtslib-fb), and Ubuntu (ghostscript, sqlite3, squid3, and webkit2gtk).

The Linux Foundation has announcedthe formation of the Open Source Security Foundation (OpenSSF). Thefoundation aims to improve the security of open source software. "The OpenSSF brings together the industry’s most important open source security initiatives and the individuals and companies that support them. The Linux Foundation’s Core Infrastructure Initiative (CII), founded in response to the 2014 Heartbleed bug, and the Open Source Security Coalition, founded by the GitHub Security Lab, are just a couple of the projects that will be brought together under the new OpenSSF. The Foundation’s governance, technical community and its decisions will be transparent, and any specifications and projects developed will be vendor agnostic. The OpenSSF is committed to collaboration and working both upstream and with existing communities to advance open source security for all."

Linus Torvalds releasedthe 5.8 kernel on August 2, concluding another nine-weekdevelopment cycle. By the time the work was done, 16,306 non-mergechangesets had been pulled into the mainline repository for this release.That happens to be a record, beating the previous record holder (4.9,released in December 2016) by 92 changesets. It was, in other words,a busy development cycle. It's time for our traditional look into wherethat work came from to see what might be learned.

Version 1.5 of the Julia programming language has been released. On the Julia blog, Jeff Bezanson and Stefan Karpinski describe the highlights of the release, which includes struct layout improvements for decreasing heap allocations, stabilization of the multithreading API, faster random numbers, changes to the scoping rules in the read-eval-print loop (REPL), and more. "Julia excels at simulations, so random numbers are important to a lot of users of the language. For this release Rafael Fourquet, one of the primary architects of the Random standard library and a prolific contributor in general, implemented some impressive algorithmic improvements for some popular cases. The first is a major improvement when generating normally-distributed double-precision floats. Calling randn(1000) is nearly twice as fast in Julia 1.5 compared with Julia 1.4. Generating random booleans also got much faster: rand(Bool, 1000) is nearly 6x faster. Finally, sampling from discrete collections has also gotten faster: rand(1:100, 1000) got 25% faster." LWN looked at Julia (part 1, part 2) back in 2018, shortly after the release of Julia 1.0.

Debian 10 "buster" received a fifth update. In addition to the usualsecurity and bug fixes, this point release addresses Debian SecurityAdvisory: DSA-4735-1grub2. This security update covers multiple CVE issues regardingthe GRUB2 UEFI SecureBoot 'BootHole' vulnerability.

Security updates have been issued by Arch Linux (ffmpeg, libjcat, mbedtls, tcpreplay, and wireshark-cli), Debian (ark, evolution-data-server, libjpeg-turbo, libopenmpt, libpam-radius-auth, libphp-phpmailer, libssh, ruby-zip, thunderbird, and transmission), Fedora (chromium, clamav, claws-mail, evolution-data-server, freerdp, glibc, java-latest-openjdk, nspr, and nss), Gentoo (libsndfile, pycrypto, python, snmptt, thunderbird, and webkit-gtk), Mageia (botan2, chocolate-doom, cloud-init, dnsmasq, freerdp/remmina, gssdp/gupnp, java-1.8.0-openjdk, matio, microcode, nasm, openjpeg2, pcre2, php-phpmailer, redis, roundcubemail, ruby-rack, thunderbird, virtualbox, and xerces-c), openSUSE (claws-mail, ldb, and libraw), Oracle (firefox), Red Hat (bind, grub2, kernel-rt, libvncserver, nss and nspr, and qemu-kvm-rhev), Scientific Linux (firefox), Slackware (thunderbird), and SUSE (firefox, kernel, and targetcli-fb).

Linus has released the 5.8 kernel."So I considered making an rc8 all the way to the last minute, butdecided it's not just worth waiting another week when there aren't any biglooming worries around." Headline features in this release include:branch target identification and shadow callstacks for the arm64 architecture,the BPF iterator mechanism,inline encryption support in the blocklayer,the CAP_PERFMON and CAP_BPF capabilities,a generalized kernel event-notificationsubsystem,the KCSAN data-race detector, and more.As always, see theKernelNewbies 5.8 page for more information.