Feed lwn LWN.net

Link https://lwn.net/
Feed http://lwn.net/headlines/rss
Updated 2024-11-24 04:30
Using syzkaller, part 4: Driver fuzzing
Ricardo Cañuelo Navarro describes the challenges associated with fuzzing complex device drivers with Syzkaller — and some solutions. "V4L2, however, is only supported in the sense that the involved system calls (including the myriad V4L2 ioctls) and data structures are described. This is already useful and, equipped with those descriptions, Syzkaller has been able to find many V4L2 bugs. But the fuzzing process contains a lot of randomness and, while that's a good thing in many cases when it comes to fuzzing, due to the complexity of the V4L2 API, simply randomizing the system calls and its inputs may not be enough to reach most of the code in some drivers, especially in drivers with complicated interfaces such as those based on the Request API, including stateless drivers."
[$] Managing tasks with todo.txt and Taskwarrior
One quote from Douglas Adams has always stayed with me: "I love deadlines. I like the whooshing sound they make as they fly by". We all lead busy lives and few ever see the bottom of our long to-do lists. One of the oldest items on my list, ironically, is to find a better system to manage all my tasks. Can task-management systems make us more productive while, at the same time, reducing the stress caused by the sheer number of outstanding tasks? This article, from guest author Martin Michlmayr, looks at todo.txt and Taskwarrior.
Security updates for Friday
Security updates have been issued by Debian (alpine), Fedora (fwupd, microcode_ctl, mingw-libjpeg-turbo, mingw-sane-backends, suricata, and thunderbird), openSUSE (uftpd), Red Hat (nghttp2), SUSE (ceph, curl, mutt, squid, tigervnc, and unbound), and Ubuntu (linux kernel and nvidia-graphics-drivers-390, nvidia-graphics-drivers-440).
Four new stable kernels
Greg Kroah-Hartman has announced the release of the 5.7.6, 5.4.49, 4.19.130, and 4.14.186 stable kernels. These all contain a rather large number of fixes all over the kernel tree; users of those series should upgrade.
[$] Emulating Windows system calls in Linux
The idea of handling system calls differently depending on the origin of each call in the process's address space is not entirely new. OpenBSD, for example, disallows system calls entirely if they are not made from the system's C library as a security-enhancing mechanism. At the end of May, Gabriel Krisman Bertazi proposed a similar mechanism for Linux, but the objective was not security at all; instead, he is working to make Windows games run better under Wine. That involves detecting and emulating Windows system calls; this can be done through origin-based filtering, but that may not be the solution that is merged in the end.
Security updates for Thursday
Security updates have been issued by Fedora (libexif, php-horde-horde, and tcpreplay), openSUSE (rubygem-bundler), Oracle (docker-cli docker-engine, kernel, and ntp), Slackware (curl and libjpeg), and Ubuntu (mutt).
[$] LWN.net Weekly Edition for June 25, 2020
The LWN.net Weekly Edition for June 25, 2020 is available.
[$] More alternatives to Google Analytics
Last week, we introduced the privacy concerns with using Google Analytics (GA) and presented two lightweight open-source options: GoatCounter and Plausible. Those tools are useful for site owners who need relatively basic metrics. In this second article, we present several heavier-weight GA replacements for those who need more detailed analytics. We also look at some tools that produce analytics data based on web-server-access logs, GoAccess, in particular.
[$] Open-source contact tracing, part 1
One of the responses to the COVID-19 pandemic consists of identifying contacts of infected people so they can be informed about the risk; that will allow them to search for medical care, if needed. This is laborious work if it is done manually, so a number of applications have been developed to help with contact tracing. But they are causing debates about their effectiveness and privacy impacts. Many of the applications were released under open-source licenses. Here, we look at the principles of these applications and the software frameworks used to build them; part two will look into some applications in more detail, along with the controversies (especially related to privacy) around these tools.
Perl 7 launches
The Perl project has announced the upcoming release of Perl 7. Unlike Perl 6, though, this is not a radical departure, yet at least: "Perl 7.0 is going to be v5.32 but with different, saner, more modern defaults. You won’t have to enable most of the things you are already doing because they are enabled for you. The major version jump sets the boundary between how we have been doing things and what we can do in the future." The plan is to have a Perl 7 release "within the next year".
Security updates for Wednesday
Security updates have been issued by CentOS (kernel, ntp, and unbound), Fedora (php-horde-horde and tcpreplay), openSUSE (chromium, java-1_8_0-openj9, mozilla-nspr, mozilla-nss, and opera), Oracle (gnutls, grafana, thunderbird, and unbound), Red Hat (candlepin and satellite, docker, microcode_ctl, openstack-keystone, openstack-manila and openstack-manila, and qemu-kvm-rhev), Scientific Linux (kernel and ntp), Slackware (ntp), SUSE (curl, libreoffice, libssh2_org, and php5), and Ubuntu (curl).
[$] PHP releases and support
PHP is used extensively on the web. How new features, security fixes, and bug fixes make their way into a release is important to understand. Likewise, understanding what can be expected in community support for previous releases is even more important. Since PHP-based sites are typically exposed to the Internet, keeping up-to-date is not something a security-minded administrator can afford to ignore.
FOSS Contributor Survey
The Linux Foundation's Core Infrastructure Initiative (CII) and the Laboratory for Innovation Science at Harvard (LISH) have developed a survey for contributors to free and open-source software (FOSS) projects. The aim is "to identify how to improve security, including the sustainability of the FOSS ecosystem, especially the FOSS systems heavily relied upon by organizations worldwide."
Security updates for Tuesday
Security updates have been issued by CentOS (thunderbird), Debian (wordpress), Fedora (ca-certificates, kernel, libexif, and tomcat), openSUSE (chromium, containerd, docker, docker-runc, golang-github-docker-libnetwork, fwupd, osc, perl, php7, and xmlgraphics-batik), Oracle (unbound), Red Hat (containernetworking-plugins, dpdk, grafana, kernel, kernel-rt, kpatch-patch, libexif, microcode_ctl, ntp, pcs, and skopeo), Scientific Linux (unbound), SUSE (kernel, mariadb, mercurial, and xawtv), and Ubuntu (mutt and nfs-utils).
Stable kernel updates
Stable kernels 5.7.5, 5.4.48, 4.19.129, 4.14.185, 4.9.228, and 4.4.228 have been released. They all contain important fixes and users should upgrade.
Security updates for Monday
Security updates have been issued by Debian (lynis, mutt, neomutt, ngircd, and rails), Mageia (gnutls), Oracle (thunderbird), Red Hat (chromium-browser, gnutls, grafana, thunderbird, and unbound), Scientific Linux (thunderbird and unbound), and SUSE (bind, java-1_8_0-openjdk, kernel, libgxps, and osc).
Kernel prepatch 5.8-rc2
The second 5.8 kernel prepatch is out for testing. "So rc2 isn't particularly big or scary, and falls right in the normal range".
Linux Plumbers Conference virtual town hall
Mark your calendars: the Linux Plumbers Conference has scheduled an online town hall for June 25 at 15:00 GMT. "The first purpose is to test our remote conference set up. This is the first time we are holding Linux Plumbers virtually and while we can run simulated tests, it’s much more effective to test our setup with actual participants with differing hardware set ups around the world. The second purpose is to present on our planning and give everyone a little bit of an idea of what to expect when we hold Plumbers at the end of August. We plan to have time for questions." Testing the scalability of the conference system requires a lot of participants; the LPC organizers would appreciate it if a lot of people can find a moment to connect and help out.
[$] Updating the Git protocol for SHA-256
The Git source-code management system has for years been moving toward abandoning the Secure Hash Algorithm 1 (SHA-1) in favor of the more secure SHA-256 algorithm. Recently, the project moved a step closer to that goal with contributors implementing new Git protocol capabilities to enable the transition.
Security updates for Friday
Security updates have been issued by Debian (drupal7), Fedora (dbus, kernel, microcode_ctl, mingw-glib-networking, moby-engine, and roundcubemail), Mageia (libjpeg), openSUSE (chromium and rmt-server), Oracle (kernel and microcode_ctl), Red Hat (rh-nodejs8-nodejs and thunderbird), Slackware (bind), and SUSE (adns, containerd, docker, docker-runc, golang-github-docker-libnetwork, dbus-1, fwupd, gegl, gnuplot, guile, java-1_7_1-ibm, java-1_8_0-ibm, kernel, mozilla-nspr, mozilla-nss, perl, and php7).
[$] Rethinking the futex API
The Linux futex() system call is a bit of a strange beast. It is widely used to provide low-level synchronization support in user space, but there is no wrapper for it in the GNU C Library. Its implementation was meant to be simple, but kernel developers have despaired at the complex beast that it has become, and few dare to venture into that code. Recently, though, a new effort has begun to rework futexes; it is limited to a new system-call interface for now, but the plans go far beyond that.
Stable kernel 5.7.4
The 5.7.4 stable kernel has been released. It contains a single fix for a problem introduced in the rework of the VDSO clock code that affects paravirtualized guests. Users should upgrade.
[$] Simple IoT Devices using ESPHome
ESPHome is a project that brings together two recent subjects at LWN: The open-source smart hub Home Assistant, and the Espressif ESP8266 microcontroller. With this project, smart home devices can be created and integrated quickly — without needing to write a single line of code.
Krita 4.3.0 released
Version 4.3.0 of the Krita painting application is out. "There’s a whole new set of brush presets that evoke watercolor painting. There’s a color mode in the gradient map filter and a brand new palettize filter and a high pass filter. The scripting API has been extended. It’s now possible to adjust the opacity and lightness on colored brush tips separately. You can now create animated brush tips that select brush along multiple dimensions. We’ve made it possible to put the canvas area in a window of its own, so on a multi monitor setup, you can have all the controls on one monitor, and your images on the other. The color selector has had a big update. There’s a new snapshot docker that stores states of your image, and you can switch between those. There’s a brand new magnetic selection tool. Gradients can now be painting as spirals."
Security updates for Thursday
Security updates have been issued by Debian (drupal7 and python-django), Fedora (glib-networking, kernel, kernel-headers, and nghttp2), openSUSE (adns, chromium, file-roller, and libEMF), SUSE (java-1_7_1-ibm), and Ubuntu (bind9 and nss).
[$] LWN.net Weekly Edition for June 18, 2020
The LWN.net Weekly Edition for June 18, 2020 is available.
[$] Lightweight alternatives to Google Analytics
More and more web-site owners are concerned about the "all-seeing Google" tracking users as they browse around the web. Google Analytics (GA) is a full-featured web-analytics system that is available for free and, despite the privacy concerns, has become the de facto analytics tool for small and large web sites alike. However, in recent years, a growing number of alternatives are helping break Google's dominance. In this article we'll look at two of the lightweight open-source options, namely GoatCounter and Plausible. In a subsequent article, we'll look at a few of the larger tools.
Stable kernel updates
Stable kernels 5.7.3, 5.6.19, and 5.4.47 have been released with important fixes throughout the tree. This is the last 5.6.y release and users should move to 5.7.y.
[$] Loaded terms in free software
Arguments about terminology are not rare in our community; words are powerful tools, so we want to be sure that we are using them in the correct way. But, naturally, opinions on what is "correct" may (and do) differ. Discussions on the use of loaded terms like "master" and "slave" have been ongoing in the community for some time, but recent world events have given them a new urgency. Some projects have made changes in the past, but the current wave of changes seems likely to be far larger.
Security updates for Wednesday
Security updates have been issued by Arch Linux (dbus and intel-ucode), CentOS (libexif), Debian (vlc), SUSE (xen), and Ubuntu (dbus, libexif, and nss).
Prokopov: Computers as I used to love them
Nikita Prokopov reviews Syncthing (a file-synchronization system) and, seemingly, rediscovers free software: "Syncthing is everything I used to love about computers. It’s amazing how great computer products can be when they don’t need to deal with corporate bullshit, don’t have to promote a brand or to sell its users. Frankly, I almost ceased to believe it’s still possible. But it is."
[$] Tools to improve English text
Open-source developers put a lot of emphasis on quality and have created many tools to improve source code, such as linters and code formatters. Documentation, on the other hand, doesn't receive the attention it deserves. LWN reviewed several grammar and style-checking tools back in 2016. It seems like a good time to evaluate progress in this area.
Security updates for Tuesday
Security updates have been issued by Fedora (galera, grafana, libjcat, libvirt, mariadb-connector-c, and perl), Gentoo (asterisk, bubblewrap, cyrus-imapd, faad2, json-c, openconnect, openjdk-bin, pcre2, PEAR-Archive_Tar, thunderbird, and tomcat), Mageia (mbedtls and scapy), openSUSE (libntlm, libupnp, prboom-plus, varnish, and xen), Oracle (libexif), Red Hat (kpatch-patch), Scientific Linux (libexif), SUSE (mariadb, nodejs6, and poppler), and Ubuntu (apport).
[$] A look at the ESP8266 for IoT
The Internet of Things (IoT) world is filled with countless microprocessors. One option we have covered in various ways before is the Arduino ecosystem. In the same vein, we now will look at another interesting segment of that community: The WiFi-enabled Espressif ESP8266 chip.
Security updates for Monday
Security updates have been issued by Debian (intel-microcode, libexif, mysql-connector-java, and thunderbird), Fedora (gnutls, grafana, kernel, kernel-headers, mingw-gnutls, mod_auth_openidc, NetworkManager, and pdns-recursor), Gentoo (adobe-flash, ansible, chromium, firefox, glibc, mailutils, nokogiri, readline, ssvnc, and webkit-gtk), Mageia (axel, bind, dbus, flash-player-plugin, libreoffice, networkmanager, and roundcubemail), openSUSE (java-1_8_0-openjdk, kernel, nodejs8, rubygem-bundler, texlive-filesystem, and thunderbird), Oracle (libexif and tomcat6), Red Hat (chromium-browser, flash-plugin, and libexif), Scientific Linux (tomcat6), SUSE (libEMF), and Ubuntu (fwupd).
[$] 5.8 Merge window, part 2
By the time Linus Torvalds released 5.8-rc1 and closed the merge window for this development cycle, 14,206 non-merge changesets had been pulled into the repository for 5.8. That is more work than was pulled for the entire 5.7 cycle; clearly development work on the kernel has not (yet) slowed down in response to events in the wider world. The nearly 6,700 changes pulled since the previous summary include huge numbers of fixes and internal cleanups, but there were a number of significant features added as well.
Kernel prepatch 5.8-rc1
Linus has released 5.8-rc1 and closed the merge window for this release. By the end, 14,206 non-merge changesets found their way into the mainline repository, making this one of the busiest development cycles ever. "So in the 5.8 merge window we have modified about 20% of all the files in the kernel source repository. That's really a fairly big percentage, and while some of it _is_ scripted, on the whole it's really just the same pattern: 5.8 has simply seen a lot of development. IOW, 5.8 looks big. Really big."
PsychOS: A Crazy Cool Distro That Pushes Linux Limits (TechNewsWorld)
Over at TechNewsWorld, Jack M. Germain reviews the rather ... different ... distribution, PsychOS Linux. Just taking a peek at the home page may be enough to cause flashbacks to a misspent youth, or perhaps that of one's parents at this point. Bucking the trend for modern distributions, PsychOS is only built for 32-bit systems; the main focus seems to be DOS-oriented: "Retro comes alive in PsychOS and is the main driving point in its development. The distro creator still uses DOS software, which is launched easily from the applications menu via emulators such as DOSBox. Anyone with PsychOS 3.4.6 and higher who uses RetroGrab to install older software can do the same, noted the developer. The corresponding emulators must be installed first. PsychOS lets you run more than one DOS program at a time, too. Other programming influences include BASIC and BBC BASIC, due to shortcomings that helped the PsychOS developer learn more about Python. Other BASIC flavors are FreeBASIC, QB45, and QB64."
[$] Rethinking bpfilter and user-mode helpers
The bpfilter subsystem, along with its "user-mode blobs" infrastructure, attracted a lot of attention when it was merged for the 4.18 kernel in 2018. Since then, however, development in this effort has been, to put it charitably, subdued. Now, two years after its merging, bpfilter may be in danger of being removed from the kernel as a failed experiment.
Security updates for Friday
Security updates have been issued by CentOS (tomcat), Debian (intel-microcode, libphp-phpmailer, mysql-connector-java, python-django, thunderbird, and xawtv), Fedora (kernel and thunderbird), Gentoo (perl), openSUSE (libexif and vim), Oracle (dotnet, kernel, microcode_ctl, and tomcat), Red Hat (net-snmp), Scientific Linux (libexif and tomcat), Slackware (kernel), and SUSE (adns, audiofile, ed, kvm, nodejs12, and xen).
[$] DMA-BUF cache handling: Off the DMA API map (part 2)
Part 1 of this series covered some background on ION, DMA-BUF heaps, the DMA API, and the concept of "ownership" when it comes to handling CPU-cache maintenance, finally ending on a conventional DMA API view of how DMA-BUF cache handling should be done. The article concluded with a discussion of why the traditional DMA APIs can perform poorly on contemporary systems. This article completes the series with an exploration of some of the approaches that DMA-BUF exporters can use to avoid unnecessary cache operations along with some rough proposals for how we might improve things.
Seven new stable kernels
Greg Kroah-Hartman has announced the release of the 5.7.2, 5.6.18, 5.4.46, 4.19.128, 4.14.184, 4.9.227, and 4.4.227 stable kernels. These contain mitigations for the special register buffer data sampling (SRBDS) hardware vulnerability, as well as other fixes elsewhere in the trees. Users of those series should upgrade.
Security updates for Thursday
Security updates have been issued by CentOS (kernel and microcode_ctl), Debian (roundcube), Mageia (coturn, cups, libarchive, libvirt, libzypp, nghttp2, nrpe, openconnect, perl, python-typed-ast, ruby-rack, ruby-RubyGems, sudo, vino, wpa_supplicant, and xawtv), openSUSE (firefox, gnutls, GraphicsMagick, ucode-intel, and xawtv), Oracle (dotnet3.1 and kernel), Red Hat (curl, expat, file, gettext, kernel, kpatch-patch, libexif, pcs, python, tomcat, tomcat6, and unzip), Scientific Linux (kernel and microcode_ctl), SUSE (kernel), and Ubuntu (intel-microcode and sqlite3).
[$] LWN.net Weekly Edition for June 11, 2020
The LWN.net Weekly Edition for June 11, 2020 is available.
[$] Home Assistant, the Python IoT Hub
The Internet of Things (IoT) push continues to expand as tens of thousands of different internet-enabled devices from light bulbs to dishwashers reach consumers' homes. Home Assistant is an open-source project to make the most of all of those devices, potentially with no data being shared with third parties.
[$] Seccomp and deep argument inspection
Kees Cook has been doing some thinking about plans for new seccomp features to work on soon. There were four separate areas that he was interested in, which he detailed in a lengthy mid-May message on the linux-kernel mailing list. One of those features, deep argument inspection, has been covered here before, but it would seem that we are getting closer to a resolution on how that all will work.
Security updates for Wednesday
Security updates have been issued by Arch Linux (chromium, firefox, gnutls, python-django, thunderbird, tomcat7, tomcat8, and tomcat9), CentOS (unbound), Debian (bluez, firefox-esr, kernel, and linux-4.9), Oracle (kernel), Red Hat (.NET Core, .NET Core 3.1, kernel, kernel-rt, libexif, microcode_ctl, pcs, and virt:rhel), SUSE (gnutls, java-1_7_0-ibm, kernel, microcode_ctl, nodejs10, nodejs8, rubygem-bundler, texlive, texlive-filesystem, thunderbird, and ucode-intel), and Ubuntu (intel-microcode, kernel, libjpeg-turbo, linux, linux-aws, linux-aws-5.3, linux-azure, linux-azure-5.3, linux-gcp, linux-gcp-5.3, linux-gke-5.3, linux-hwe, linux-kvm, linux-oracle, linux-oracle-5.3, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-gcp, linux-gke-4.15, linux-hwe, linux-kvm, linux-oem, linux-oracle, linux, linux-aws, linux-azure, linux-gcp, linux-kvm, linux-oracle, linux, linux-aws, linux-kvm, linux, linux-lts-trusty, and linux-gke-5.0, linux-oem-osp1).
Second Debian Med COVID-19 hackathon
The Debian Med team joined a COVID-19 Biohackathon last April and is planning on doing it again on June 15-21. A recently shared pre-publication draft paper highlights which software tools are considered useful "to Accelerate SARS-CoV-2 and Coronavirus Research". Many of these tools would benefit from being packaged in Debian and all the advantages that Debian brings for both users and upstream alike. As in the first sprint most tasks do not require any knowledge of biology or medicine, and all types of contributions are welcome: bug triage, testing, documentation, CI, translations, packaging, and code contributions.
The "special register buffer data sampling" hardware vulnerability
We have not had a new CPU vulnerability for a little while — a situation that was clearly too good to last. The mainline kernel has just merged mitigations for the "special register buffer data sampling" vulnerability which, in short, allows an attacker to spy on the random numbers obtained by others. In particular, the results of the RDRAND instruction can be obtained via a speculative attack. The mitigation involves more flushing and the serialization of RDRAND. That means a RDRAND instruction will take longer to run, but it also means that RDRAND requires locking across the system, which will slow things considerably if it is executed frequently. There are ways to turn the mitigations off, of course. See this new kernel document for more information. These fixes are currently queued to be part of the 5.7.2, 5.6.18, 5.4.46, 4.19.128, 4.14.184, 4.9.227, 4.4.227, and 3.16.85 stable updates.
'The world is really changing': Why Linux on desktop is taking a sudden leap forward (TechRepublic)
TechRepublic interviewed Lenovo's general manager and executive director of the Workstation & Client AI Group Rob Herman about the company's plans to begin optionally pre-loading enterprise versions of the Red Hat and Ubuntu Linux distributions across its P Series ThinkPad and ThinkStation products, putting Linux on parity with Microsoft Windows for those product lines. "'Around the workstation and what I would call the performance computing world, the world is really changing [...] We're starting to see a lot more use of data science and AI workloads on performance client products like workstations, [and] we're seeing software development need the ability for more customization and flexibility.' This is where Linux and the power of open source come into the picture, says Herman. This is particularly crucial in artificial intelligence data science and content creation applications, areas Lenovo is eager to tap. 'Overall, we see content creators looking for an edge, looking for a new way, a new platform to develop on,' says Herman. 'The number of Linux users is increasing year on year, so from a market standpoint, we see it's the right time to do it.'"