LWN.net

The LWN.net Weekly Edition for October 14, 2021 is available.

The syzbotkernel-fuzzing system finds an enormous number of bugs, but, since many of them may seem to be of a relatively low severity, they have a lower prioritywhen contending for the attention of developers. A talkat the recent Linux Security Summit North America reported on some research thatdug further into the bugs that syzbot hasfound; the results are rather worrisome. Rather than a pile ofdifficult- or impossible-to-exploit bugs, there are numerous, more seriousproblems lurking within.

Stable kernels 5.14.12, 5.10.73, 5.4.153, and 4.19.211 have been released with importantfixes. Users of those series should upgrade.

We recently looked atsome of the changes and new features arriving with the upcomingversion 1.7 release of the Julia programming language.The package system provided by the language makes it easier toexplore new language versions, while still preserving multiple versions of various parts of the ecosystem. This flexible systemtakes care of dependency management, both for writing exploratory code in the REPL and fordeveloping projects or libraries.

Security updates have been issued by Debian (flatpak and ruby2.3), Fedora (flatpak, httpd, mediawiki, redis, and xstream), openSUSE (kernel, libaom, libqt5-qtsvg, systemd, and webkit2gtk3), Red Hat (.NET 5.0, 389-ds-base, httpd:2.4, kernel, kernel-rt, libxml2, openssl, and thunderbird), Scientific Linux (389-ds-base, kernel, libxml2, and openssl), SUSE (apache2-mod_auth_openidc, curl, glibc, kernel, libaom, libqt5-qtsvg, systemd, and webkit2gtk3), and Ubuntu (squashfs-tools).

There are many barriers to producing software that is reliable andmaintainable over the long term. One of those is software complexity. Atthe recently concluded 2021 KVMForum, Paolo Bonziniexploredthis topic, using QEMU, the open source emulatorand virtualizer, as a case study. Drawing on his experience asa maintainer of several QEMU subsystems, he made some concretesuggestions on how to defend against undesirable complexity. Bonziniused QEMU as a running example throughout the talk, hoping to make iteasier for future contributors to modify QEMU. However, thelessons he shared are equally applicable to many other projects.

Security updates have been issued by Debian (firefox-esr, hiredis, and icu), Fedora (kernel), Mageia (libreoffice), openSUSE (chromium, firefox, git, go1.16, kernel, mbedtls, mupdf, and nodejs8), Oracle (firefox and kernel), Red Hat (firefox, grafana, kernel, kpatch-patch, and rh-mysql80-mysql), and SUSE (apache2, containerd, docker, runc, curl, firefox, kernel, libqt5-qtsvg, and squid).

A group of researchers at Trinity College in Dublin has released theresults of a study into the data collected by a number of Androidvariants. There are few surprises here, but the picture is stilldiscouraging.

One does not normally expect a lot of controversy around a patch seriesthat makes changes to platform-specific configurations and drivers.The furor over some work on the Samsung Exynos platform may thus besurprising. When one looks into the discussion, things become more clear;it mostly has to do with disagreements over the best ways to get hardwarevendors to cooperate with the kernel development community.

Security updates have been issued by Debian (apache2, mediawiki, neutron, and tiff), Fedora (chromium, dr_libs, firefox, and grafana), Mageia (apache), openSUSE (chromium and rabbitmq-server), Oracle (kernel), Red Hat (firefox and httpd24-httpd), SUSE (rabbitmq-server), and Ubuntu (libntlm).

Jörg Schilling, a longtime free-software developer, has passed on. Mostpeople will remember him from his work on cdrtools and the seemingly endless drama that surrounded thatwork. He was a difficult character to deal with, but he also contributedsome important code that, for a period, almost all of us depended on. Restwell, Jörg.

The 5.15-rc5 kernel prepatch is out fortesting. "So things continue to look quite normal, and it looks likethe rough patch (hah!) we had early in the release is all behind us. Knockwood."

The5.14.11,5.10.72,5.4.152,4.19.210,4.14.250,4.9.286, and4.4.288stable kernel updates have all been released; each contains another set ofimportant fixes.

For the time being, the effort to add the folioconcept to the memory-management subsystem appears to be stalled, but appearances canbe deceiving. The numerous folio discussions have produced a number ofpoints of consensus, though; one of those is that far too much of thekernel has to work with page structures to get its job done. Asan example of how a subsystem might be weaned off of struct pageusage, Matthew Wilcox has split outthe slab allocators in a 62-part patch set. The result may bea foreshadowing of changes to come in the memory-management subsystem.

Security updates have been issued by Fedora (libssh), Mageia (firefox), Slackware (httpd), SUSE (xen), and Ubuntu (firefox and mysql-5.7).

Stable kernels 5.14.10 and 4.4.287 have been released. 5.14.10 is astandard stable release, with fixes throughout the kernel tree, while4.4.287 is fixing a build problem: "You only need this release if youare building for ARM64 and had build failures with 4.4.286."

Among the many new features pulled into the mainline during the 5.15 mergewindow is the ksmbdnetwork filesystem server. Ksmbd implements the SMB protocol(also known as CIFS, though that name has gone out of favor) that isheavily used in the Windows world. The creation of an in-kernel SMB serveris a bit surprising, given that Linux has benefited greatly from theuser-space Samba solution sinceshortly after thebeginning. There are reasons for this move but, in the short term atleast, they risk being overshadowed by a worrisome stream ofsecurity-related problems in ksmbd.

Security updates have been issued by Debian (firefox-esr), Mageia (cockpit, fail2ban, libcryptopp, libss7, nodejs, opendmarc, and weechat), openSUSE (curl, ffmpeg, git, glibc, go1.16, libcryptopp, and nodejs8), SUSE (apache2, curl, ffmpeg, git, glibc, go1.16, grilo, libcryptopp, nodejs8, transfig, and webkit2gtk3), and Ubuntu (linux-oem-5.10 and python-bottle).

The LWN.net Weekly Edition for October 7, 2021 is available.

Sasha Levin, one of the maintainers of the stable kernels, gave apresentation atOpenSource Summit North America 2021 on a proposal for a different way tohandle the stable tree. He noted that throughout most of the kernel's history,version numbers did not really mean anything, but that the versioningscheme suggests that they do, which leads to a disconnect between how thekernels are seen versus how they are actually maintained. He proposedmaking a "rolling stable" release that provides users what they need—timely fixes to their kernel—without forcingthem to choose to switch to a new version number.

Stable kernels 5.10.71, 5.4.151, 4.19.209, 4.14.249, 4.9.285, and 4.4.286 have been released. They all containimportant fixes and users should upgrade.Note that 5.14.10has been through more than the usual number of release candidates and isnot yet out; it should show up in the next day or so.

Security updates have been issued by Fedora (cryptopp), Mageia (apache), Slackware (httpd), and Ubuntu (squid, squid3).

Two Google engineers came to OpenSource Summit North America 2021 to talk about a project to change theway the company creates and maintains the kernel it runs in its datacenters on its productionsystems. Andrew Delgadillo and Dylan Hatch described the current productionkernel (Prodkernel) and the problems that occur because it is so far fromthe mainline. Project Icebreaker is an effort to change that and toprovide a near-mainline kernel for development and testing within Google;the talk looked at the project, its risks, its current status, and its plans.

The Asahi Linux project has a progressreport on its goal of running Linux on Mac M1 hardware.

The AlmaLinux Foundation has openedmembership to everyone.

Firefox 93.0 has been released. With this version Firefox supports the newAVIF image format, which is based on the modern and royalty free AV1 videocodec. The PDF viewer supports filling more forms, such as XFA-based formsused by multiple governments and banks. Downloads that rely on insecureconnections are blocked, protecting against potentially malicious or unsafedownloads. Details on these features and more can be found in the release notes.

Version 13.0.0 of the LLVM compiler suite is out.There is a long list of changes, as always; see the numerous sets ofrelease notes below for details.

Security updates have been issued by Fedora (cryptopp), Mageia (kernel, kernel-linus, and sqlite), openSUSE (rabbitmq-server), Red Hat (kernel and samba), SUSE (glibc and webkit2gtk3), and Ubuntu (containerd, docker.io, imlib2, ledgersmb, mercurial, mongodb, and node-bl).

Version 3.10.0 of the Python language has been released. There are a lotof significant changes in this release, including the much-discussedstructural pattern-matching feature. Seethis article for an overview of what's in 3.10.

Julia is an open-source programminglanguage and ecosystem for high-performance scientific computing; itsdevelopment team has made the first release candidate for version 1.7available for testing on Linux, BSD, macOS, and Windows. Back in May, we looked at the increased performance thatarrived with Julia 1.6, its last major release. In this article we describe some ofthe changes and new features in the language and its libraries that arecoming in 1.7.

Developers working in languages like C or C++ have access totwo competing compilers — GCC and LLVM — either of which can usually getthe job done. Rust developers, though, are currently limited to theLLVM-based rustc compiler. While rustc works well, thereare legitimate reasons for developers to wish for an alternative. As itturns out, there are two different ways to compile Rust using GCC underdevelopment, though neither is ready at the moment. Developers of bothapproaches came to the 2021 LinuxPlumbers Conference to present the status of their work.

Security updates have been issued by Debian (apache2, fig2dev, mediawiki, plib, and qemu), Fedora (chromium, curl, kernel, kernel-headers, kernel-tools, openssh, rust-addr2line, rust-backtrace, rust-cranelift-bforest, rust-cranelift-codegen, rust-cranelift-codegen-meta, rust-cranelift-codegen-shared, rust-cranelift-entity, rust-cranelift-frontend, rust-cranelift-native, rust-cranelift-wasm, rust-gimli, rust-object, rust-wasmparser, rust-wasmtime-cache, rust-wasmtime-environ, rust-wasmtime-fiber, rust-wasmtime-types, rust-wast, rust-wat, and webkit2gtk3), Mageia (apache-mod_auth_openidc, c-ares, chromium-browser-stable, icu, libspf2, perl-DBI, python, and python-rsa), openSUSE (haproxy and opera), Oracle (kernel), SUSE (firefox and libvirt), and Ubuntu (python3.8).

The 5.15-rc4 kernel prepatch is out fortesting.

Paul McKenney has started a blog series on Rust for the Linux kernel. He has posted six of a planned 11 articles, though several are labeled as "under construction".

Much of the free-software development world has adopted Git forges (such asGitHub, GitLab, or sourcehut) with enthusiasm. The kernel community hasnot. Reasons for that reticence vary, but one that is often heard is thatthese forges simply don't work well at the scale needed for the kernelproject. At aKernel-Summit session during the 2021 Linux Plumbers conference, Donald Zickus and Prarit Bhargava sought toshow how Red Hat has put GitLab to good use to support its kernel team.Not only can these forges work for kernel development, they said, butmoving to a forge can bring a number of advantages.

Security updates have been issued by Debian (curl, krb5, openssl1.0, and taglib), Fedora (cifs-utils), SUSE (libqt5-qtbase and rubygem-activerecord-4_2), and Ubuntu (linux-raspi, linux-raspi-5.4 and linux-raspi2).

Adrian Ratiu writeson the Collabora blogabout the challenges that face developers trying to build the GNU CLibrary with the LLVM compiler.

James Bottomley explainshow the integration of Matrix and BigBlueButton was done for thejust-concluded Linux Plumbers Conference.

The term "interrupt" brings to mind a signal that originates in thehardware and which is handled in the kernel; even software interrupts are akernel concept. But there is, it seems, a use case for enabling user-spaceprocesses to send interrupts directly to each other. An upcoming Intelprocessor generation includes support for this capability; at the 2021 Linux Plumbers Conference,Sohil Mehta ran aKernel-Summit session on how Linux might support that feature.

Stable kernels 5.14.9, 5.10.70, and 5.4.150 have been released with the usual setof important fixes. Users of those series should upgrade.

Security updates have been issued by Debian (libxstream-java, uwsgi, and weechat), Fedora (libspf2, libvirt, mingw-python3, mono-tools, python-flask-restx, and sharpziplib), Mageia (gstreamer, libgcrypt, libgd, mosquitto, php, python-pillow, qtwebengine5, and webkit2), openSUSE (postgresql12 and postgresql13), SUSE (haproxy, postgresql12, postgresql13, and rabbitmq-server), and Ubuntu (commons-io and linux-oem-5.13).

Version 14 of the PostgreSQL relational database manager is out.

The LWN.net Weekly Edition for September 30, 2021 is available.

Work toward the signing of BPF programs hasbeen finding its way into recent mainline kernel releases; it is intendedto improve security by limiting the BPF programs that can be successfullyloaded into the kernel. As John Fastabend described in his "Watchingthe super powers" session at the 2021 Linux Plumbers Conference,this new feature has the potential to completely break his tools. Butrather than just complain, he decided to investigate solutions; the resultis an outline for an auditing mechanism that brings greater flexibility tothe problem of controlling which programs can be run.

Security updates have been issued by Fedora (iaito, libssh, radare2, and squashfs-tools), openSUSE (hivex, shibboleth-sp, and transfig), SUSE (python-urllib3 and shibboleth-sp), and Ubuntu (apache2, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-dell300x, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux-snapdragon, and linux-hwe-5.11, linux-azure, linux-azure-5.11, linux-oracle-5.11).

A controversy about the handling of the Time Zone Database (tzdb) hasbeen brewing since May, but has come to a head in recent weeks. Changes that were proposed to simplify the main database file have someconsequences in terms of time-zone history and changes to therepresentation of some zones. Those changes have upset a number of usersof the database—to the point where some have called for a fork. A September 25 release of tzdb with some, but notall, of the changes seems unlikely to resolve the conflict.

The Free Software Foundation Europe (FSFE) is organizing the codingcompetition "Youth Hacking 4 Freedom" (YH4F) for European teenagers(14-18). Six winners will receive a cash prize and a trip to Brussels.There will be an opening event October 10 and registration will remain openuntil October 31.

Security updates have been issued by CentOS (kernel), openSUSE (gd, grilo, nodejs14, and transfig), Oracle (nodejs:14 and squid), Red Hat (kernel and shim and fwupd), SUSE (apache2, atftp, gd, and python-Pillow), and Ubuntu (apache2, linux, linux-aws, linux-aws-5.11, linux-gcp, linux-kvm, linux-oracle, linux-raspi, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-gke, linux-gke-5.4, linux-gkeop, linux-gkeop-5.4, linux-hwe-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, and vim).

The Kernel Maintainers Summit is an invitation-only gathering of top-levelkernel subsystem maintainers; it is concerned mostly with process-orientedissues that are not easily worked out on the mailing lists. There was nomaintainers summit in 2020; plans had been made to hold it in an electronicform, but there turned out to be a lack of things to talk about. In 2021,though, a number of interesting topics turned up, so an online gatheringwas held on September 24 as part of the Linux Plumbers Conference.Read on for a summary of the discussions held at this year's Summit.

Security updates have been issued by Debian (kernel, libxml-security-java, and openssl), Fedora (fetchmail and python-rsa), openSUSE (grafana-piechart-panel and opera), and Red Hat (nodejs:14).