Security updates have been issued by Fedora (adplug, audacious-plugins, cpu-x, kernel, kernel-headers, ocp, php, and python-lxml), openSUSE (crmsh, firefox, and hawk2), Oracle (thunderbird), Red Hat (kernel-rt), SUSE (kernel and rubygem-archive-tar-minitar), and Ubuntu (openvswitch and tar).
It may be kind of an obvious statement, but licensing terms matter in our communities. Even a misplaced word or three can be fatal for a license, which is part of the motivation for the efforts to reduce license proliferation in free-software projects. Over the last few months, various distribution projects have been discussing changes made to the license for the Nmap network scanner; those changes seemed to be adding restrictions that would make the software non-free, though that was not the intent. But the incident does serve to show the importance of license clarity.
Tedium is running a history of the Linksys WRT54G router. "But the reason the WRT54G series has held on for so long, despite using a wireless protocol that was effectively made obsolete 12 years ago, might come down to a feature that was initially undocumented—a feature that got through amid all the complications of a big merger. Intentionally or not, the WRT54G was hiding something fundamental on the router’s firmware: Software based on Linux."
Alyssa Rosenzweig presents a progress report on the Panfrost driver for Arm Mali Midgard and Bifrost GPUs, which now provides non-conformant OpenGL ES 3.0 on Bifrost and desktop OpenGL 3.1 on Midgard. "Architecturally, Bifrost shares most of its fixed-function data structures with Midgard, but features a brand new instruction set. Our work for bringing up OpenGL ES 3.0 on Bifrost reflects this division. Some fixed-function features, like instancing and transform feedback, worked without any Bifrost-specific changes since we already did bring-up on Midgard. Other shader features, like uniform buffer objects, required "from scratch" implementations in the Bifrost compiler, a task facilitated by the compiler's maturing intermediate representation with first-class builder support. Yet other features like multiple render targets required some Bifrost-specific code while leveraging other code shared with Midgard. All in all, the work progressed much more quickly the second time around, a testament to the power of code sharing. But there is no need to limit sharing to just Panfrost GPUs; open source drivers can share code across vendors."
Arnd Bergmann stirred up a bit of a discussion with his January 8 "bring out your dead" posting, wherein he raised the idea of removing support for a long list of seemingly unloved Arm platforms — and a few non-Arm ones as well. Many of these have seen no significant work in at least six years. In a January 13 followup, he notes that several of those platforms will be spared for now due to ongoing interest. Several others, though (efm32, picoxcell, prima2, tango, u300, and zx) remain on the chopping block, and the status of another handful remains uncertain. Readers who care about old Arm platforms may want to have a look at the list now and speak up if they still need support for one of the platforms that might otherwise be deleted.
Security updates have been issued by Debian (coturn, imagemagick, and spice-vdagent), Fedora (roundcubemail and sympa), Gentoo (asterisk and virtualbox), Oracle (kernel and kernel-container), Red Hat (dotnet3.1, dotnet5.0, and thunderbird), SUSE (crmsh, firefox, hawk2, ImageMagick, kernel, libzypp, zypper, nodejs10, nodejs14, openstack-dashboard, release-notes-suse-openstack-cloud, and tcmu-runner), and Ubuntu (coturn).
The problems with "vendoring" in packages—bundling dependencies rather than getting them from other packages—seem to crop up frequently these days. We looked at Debian's concerns about packaging Kubernetes and its myriad of Go dependencies back in October. A more recent discussion in that distribution's community looks at another famously dependency-heavy ecosystem: JavaScript libraries from the npm repository. Even C-based ecosystems are not immune to the problem, as we saw with iproute2 and libbpf back in November; the discussion of vendoring seems likely to recur over the coming years.
The Google Project Zero blog is carrying a six-part series exploring, in great detail, a set of sophisticated exploits discovered in the wild. "These exploit chains are designed for efficiency & flexibility through their modularity. They are well-engineered, complex code with a variety of novel exploitation methods, mature logging, sophisticated and calculated post-exploitation techniques, and high volumes of anti-analysis and targeting checks. We believe that teams of experts have designed and developed these exploit chains. We hope this blog post series provides others with an in-depth look at exploitation from a real world, mature, and presumably well-resourced actor."
The kernel project goes out of its way to facilitate building with older toolchains. Building a kernel on a new system can be enough of a challenge as it is; being forced to install a custom toolchain first would not improve the situation. So the kernel developers try to keep it possible to build the kernel with the toolchains shipped by most distributors. There are costs to this policy though, including an inability to use newer compiler features. But, as was seen in a recent episode, building with old compilers can subject developers to old compiler bugs too.
The 5.11-rc3 kernel prepatch is out for testing. "So in the rc2 announcement notes I thought we might have a slow week for rc3 as well due to people just coming back from vacations and it taking some time for bug reports etc to start trickling in. That turned out to be the incoherent ramblings of a crazy old man."
The 5.10.6, 5.4.88, 4.19.166, 4.14.214, 4.9.250, and 4.4.250 stable kernel updates have all been released; each contains a relatively small number of important fixes.
The Fedora 34 release is planned for April 20 — a plan that may well come to fruition, given that the Fedora project appears to have abandoned its tradition of delayed releases. As part of that schedule, any proposals for system-wide changes were supposed to be posted by December 29. That has not stopped the arrival of a late proposal to add file signatures to Fedora's RPM packages, though. This proposal, meant to support the use of the integrity measurement architecture (IMA) in Fedora, has not been met with universal acclaim.
Security updates have been issued by Debian (firefox-esr and libxstream-java), Fedora (awstats and dia), Mageia (c-ares, dash, and dovecot), openSUSE (dovecot23, gimp, kitty, and python-notebook), Oracle (kernel), SUSE (python-paramiko and tomcat), and Ubuntu (edk2, firefox, ghostscript, and openjpeg2).
A key component of system hardening is restricting access to memory; this extends to preventing the kernel itself from accessing or modifying much of the memory in the system most of the time. Memory that cannot be accessed cannot be read or changed by an attacker. On many systems, though, these restrictions do not apply to peripheral devices, which can happily use direct memory access (DMA) on most or all of the available memory. The recently posted restricted DMA patch set aims to reduce exposure to buggy or malicious device activity by tightening up control over the memory that DMA operations are allowed to access.
Security updates have been issued by Debian (golang-websocket, nodejs, and pacemaker), Fedora (mingw-binutils and rubygem-em-http-request), and Ubuntu (linux-oem-5.6 and p11-kit).
The idea of Reproducible Builds—being able to recreate bit-for-bit identical binaries using the same source code—has gained momentum over the last few years. Reproducible builds provide some safeguards against bad actors in the software supply chain. But building software depends on the tools used to construct the binary, including compilers and build-automation tools, many of which depend on pre-existing binaries. Minimizing the reliance on opaque binaries for building our software ecosystem is the goal of the Bootstrappable Builds project.
Just because something is traditional does not imply that it is necessarily a good idea. As a case in point, consider LWN's tradition of starting the year with some predictions for what is to come; some may be obvious while others are implausible, but none of them are reliable. Nonetheless, we've been doing this since 2002 so we can't stop now. Read on for our wild guesses as to what might transpire in 2021.
TuxMake is an open-source project from Linaro that began in May 2020 and is designed to make building Linux kernels easier. It provides a command-line interface and a Python library, along with a full set of curated portable build environments distributed as container images. With TuxMake, a developer can build any supported combination of target architecture, toolchain, kernel configuration, and make targets.
Security updates have been issued by Arch Linux (dovecot, poppler, roundcubemail, and rsync), Debian (csync2 and gssproxy), Fedora (grafana, perl-Convert-ASN1, and python-py), openSUSE (privoxy), Oracle (kernel), Red Hat (ImageMagick and kernel), SUSE (ceph, dovecot22, flac, java-1_7_1-ibm, openssh, and python), and Ubuntu (dovecot, horizon, openexr, and python-apt).
The LibreSSL project has been developing a fork of the OpenSSL package since 2014; it is supported as part of OpenBSD. Adoption of LibreSSL on the Linux side has been slow from the start, though, and it would appear that the situation is about to get worse. LibreSSL is starting to look like an idea whose time may never come in the Linux world.
Security updates have been issued by Debian (chromium, dovecot, flac, influxdb, libhibernate3-java, and p11-kit), Fedora (ceph and guacamole-server), Mageia (audacity, gdm, libxml2, rawtherapee, and vlc), openSUSE (jetty-minimal and privoxy), Red Hat (kernel and kernel-rt), SUSE (gimp), and Ubuntu (libproxy).
The second 5.11 kernel prepatch is out for testing. "People have (rightly) mostly been offline since, presumably over-eating and doing all the other traditional holiday things. And just generally not being hugely active. That very much shows in a tiny rc2 release."
James Bottomley has posted a detailed description of what it takes to get an encrypted image running securely with AMD's SEV mechanism. "In this post I’ll discuss how you actually bring up a confidential VM from an encrypted image while preserving secrecy. However, first a warning: This post represents the state of the art and includes patches that are certainly not deployed in distributions and may not even be upstream, so if you want to follow along at home you’ll need to patch things like qemu, grub and OVMF."
On this last day of 2020, the Rust project has announced the release of version 1.49.0 of the programming language. It establishes the arm64 Linux target as a Tier 1 platform, which is the highest level of support; "Tier 1 platforms can be thought of as 'guaranteed to work'". Also, arm64 macOS and Windows have risen to Tier 2 status, which means they are guaranteed to build and are likely to work just fine, but the automated tests are not run. Beyond that, the test framework now captures output from multiple threads and some library changes were made. See the detailed release notes for more information. "Rust 1.49.0 promotes the aarch64-unknown-linux-gnu target to Tier 1 support, bringing our highest guarantees to users of 64-bit ARM systems running Linux! We expect this change to benefit workloads spanning from embedded to desktops and servers. This is an important milestone for the project, since it's the first time a non-x86 target has reached Tier 1 support: we hope this will pave the way for more targets to reach our highest tier in the future. Note that Android is not affected by this change as it uses a different Tier 2 target."
Security updates have been issued by Debian (libdatetime-timezone-perl and tzdata), openSUSE (kdeconnect-kde and opera), and SUSE (gimp, squid3, and xen).
Security updates have been issued by Mageia (flac, graphicsmagick, jackit, kdeconnect-kde, libmaxminddb, libvirt, openjpeg2, pngcheck, python3, roundcubemail, and spice-vdagent), openSUSE (gimp), and SUSE (containerd, docker, docker-runc, golang-github-docker-libnetwork, cyrus-sasl, and gimp).
Linus Torvalds released the 5.11-rc1 prepatch and closed the 5.11 merge window on December 27. By that time, 12,498 non-merge changesets had been pulled into the mainline; nearly 2,500 of those wandered in after the first merge-window summary was written. Activity slowed down in the second week, as expected, but there were still a number of interesting features that found their way into the mainline.
Linus has released 5.11-rc1 and closed the merge window for this development cycle. "Two weeks have passed, Christmas is over, and so is the merge window. I want to thank all the maintainers who sent in their pull requests early: we all wanted to get things done before the holidays really hit, and mostly it seemed to work quite well."
Ruby 3.0.0 has been released. "From 2015 we developed hard toward Ruby 3, whose goal is performance, concurrency, and Typing. [...] With Optcarrot benchmark, which measures single thread performance based on NES’s game emulation workload, it achieved 3x faster performance than Ruby 2.0!"
Its existence may come as a bit of a surprise to some, but the GnuCOBOL project has released version 3.1.2 as a successor to GnuCOBOL 2.2 after three years of improvements. "GnuCOBOL is a free, modern COBOL compiler. It translates COBOL into intermediate C and compiles the code using a native C compiler (preferably GCC, but not limited to it). [...] some of the highlights: Huge improvements for compatibility to different COBOL dialects, better error handling and adjustable exceptions per COBOL 2002; more modern format for diagnostic messages (especially useful when used in an integrated development environment possible in Emacs, Vim, VSCodium and others) and improved source-level debugging." More information about the new features in the release can be found in the NEWS file, which is attached to the release announcement below.
The Tor project is mourning Karsten Loesing, who died on December 18. "Karsten was part of the Tor community for 13 years and an amazing, smart, thoughtful, and gentle person who has touched us all. Over the course of these years we saw him not only grow as a colleague at Tor but as a father to his family. His positive, attentive, and kind presence helped us grow as people as well. Dr. Karsten Loesing joined Tor in 2007 as a Google Summer of Code student to work on Distributed Tor Directory, and earned his PhD in Computer Science at Germany’s University of Bamberg in 2009 on a Tor-related topic, 'Distributed Storage for Tor Hidden Service Descriptors [PDF]'."
After more than a year's work, Xfce has announced the 4.16 release of the desktop. Highlights include window manager improvements, a new status tray panel plugin, fractional scaling, settings manager improvements, and lots more. "One of the corner-stones of the non-code changes concerns our migration to GitLab, which is a change in development workflow and a huge step forward in terms of becoming more contributor-friendly and welcoming. In parts, the humungous changelog of Xfce 4.16 can be attributed to new contributors proposing merge requests (288 merge requests were merged or closed against our core components alone!)."
Security updates have been issued by Debian (spip and sympa), Gentoo (c-ares, cherokee, curl, dbus, firefox, gdk-pixbuf, haproxy, libass, nss, openssl, pdns, pdns-recursor, php, samba, tomcat, and webkit-gtk), and SUSE (java-1_8_0-ibm, openexr, and python3).
A recent blog post from Purism—the company that developed PureOS to run on its security-focused hardware—celebrates three years of FSF endorsement of the Linux distribution. While this endorsement is an achievement that is not as highly valued by our communities as one might think, the work done to obtain and maintain that endorsement is useful even to those who disdain the FSF or disagree with its definition of what makes a distribution "free". While Purism and PureOS have been on our radar for a few years now, it seems worth a look at where things have gone with the distribution—and the company behind it.
Security updates have been issued by Debian (awstats and mediawiki), Fedora (mbedtls and pngcheck), openSUSE (firefox and thunderbird), Oracle (gnutls, go-toolset:ol8, pacemaker, postgresql:10, postgresql:12, and postgresql:9.6), and SUSE (clamav, groovy, jetty-minimal, and xen).