With the releaseof Python 3.9.0b1, the first of four planned betas for the developmentcycle, Python 3.9 is now feature-complete. There is still plenty todo in terms of testing and stabilization before the October finalrelease. The release announcement lists a half-dozen Python EnhancementProposals (PEPs) that were accepted for 3.9. We have looked at someof those PEPs along the way; there are some updates on those. It seemslike a good time to fill in some of the gaps on what will be coming in Python 3.9
Just in case anybody out there is still using qmail: a remote codeexecution vulnerability has just been disclosed. Its CVE number isCVE-2005-1513 because, as it turns out, the problem was reported 15 yearsago but the fix was refused by the maintainer."As a proof of concept, we developed a reliable, local and remote exploitagainst Debian's qmail package in its default configuration. This proofof concept requires 4GB of disk space and 8GB of memory, and allows anattacker to execute arbitrary shell commands as any user, except root(and a few system users who do not own their home directory)."
Developers of safety-critical systems tend to avoid Linux kernels for anumber of fairly obvious reasons; Linux simply was not developed with thatsort of use case in mind. There are increasingly compelling reasons to useLinux in such systems, though, leading to a search for the best way to doso safely. At the 2020 Power Management and Schedulingin the Linux Kernel summit (OSPM), José Martins described Bao, a minimalhypervisor aimed at safety-critical deployments.
Security updates have been issued by Debian (bind9 and clamav), Fedora (kernel, moodle, and transmission), Oracle (kernel), Red Hat (ipmitool, kernel, ksh, and ruby), Slackware (bind and libexif), SUSE (dpdk, openconnect, python, and rpmlint), and Ubuntu (linux, linux-aws, linux-gcp, linux-kvm, linux-oracle, linux-riscv and linux-gke-5.0, linux-oem-osp1).
AWK is a text-processing language with a history spanning more than 40years. It has a POSIXstandard, several conforming implementations, and is still surprisingly relevant in 2020 — both for simple text processing tasks and for wrangling "big data". Therecentreleaseof GNU Awk 5.1 seems like a good reason to survey the AWK landscape, seewhat GNU Awk has been up to, and look at where AWK is being used these days.
CZ.NIC staff member Petr Špaček has a blog post describing a newly disclosed DNS resolver vulnerability called NXNSAttack. It allows attackers to abuse the delegation mechanism to create a denial-of-service condition via packet amplification. "This is so-called glueless delegation, i.e. a delegation which contains only names of authoritative DNS servers (a.iana-servers.net. and b.iana-servers.net.), but does not contain their IP addresses. Obviously DNS resolver cannot send a query to “name”, so the resolver first needs to obtain IPv4 or IPv6 address of authoritative server 'a.iana-servers.net.' or 'b.iana-servers.net.' and only then it can continue resolving the original query 'example.com. A'.This glueless delegation is the basic principle of the NXNSAttack: Attacker simply sends back delegation with fake (random) server names pointing to victim DNS domain, thus forcing the resolver to generate queries towards victim DNS servers (in a futile attempt to resolve fake authoritative server names)." At this time, Ubuntu has updated its BIND package to mitigate the problem; other distributions will no doubt follow soon. More details can also be found in the paper [PDF].
The kernel's CPU scheduler does its best to make the right decisions forjust about any workload; over the years, it has been extended to betterhandle mobile-device scheduling as well. But handset vendors still end upapplying their own patches to the scheduler for the kernels they ship.Shipping out-of-tree code in this way leads to a certain amount ofcriticism from the kernel community but, asVincent Donnefort pointed out in his session at the 2020 Power Management and Schedulingin the Linux Kernel summit (OSPM), those patches are applied for areason. He looked at a set of vendor scheduler patches to see why they arebeing used.
Security updates have been issued by Debian (dpdk and exim4), Fedora (openconnect, perl-Mojolicious, and php), Red Hat (kernel and kpatch-patch), Slackware (sane), and Ubuntu (bind9, dpdk, exim4, linux, linux-aws, linux-aws-hwe, linux-gcp, linux-gke-4.15, linux-hwe, linux-oem, linux-oracle, linux-snapdragon, and linux, linux-aws, linux-lts-xenial, linux-raspi2, linux-snapdragon).
The MMTests benchmarkingsystem is normally associated with its initial use case: testingmemory-management changes. Increasingly, though, MMTests is not limited tomemory management testing; at the 2020 Power Management and Schedulingin the Linux Kernel summit (OSPM), Dario Faggioli talked about how heis using it to evaluate changes to the CPU scheduler, along with adiscussion of the changes he had to make to get useful results for systemshosting virtualized guests.
A task's "nice" value describes its priority within the completely fairscheduler; its semantics have roots in ancient Unix tradition. LastAugust, a "latencynice" parameter was proposed to provide similar control over a task'sresponse-time requirements. At the 2020 Power Management and Schedulingin the Linux Kernel summit (OSPM), Parth Shah, Chris Hyser, and DietmarEggemann ran a discussion about the latency nice proposal; it seems thateverybody agrees that it would be a useful feature to have, but there is awide variety of opinions about what it should actually do.
Security updates have been issued by Debian (apache-log4j1.2, exim4, libexif, and openconnect), Fedora (chromium, condor, java-1.8.0-openjdk, java-1.8.0-openjdk-aarch32, mingw-ilmbase, mingw-OpenEXR, sleuthkit, and squid), Mageia (jbig2dec, libreswan, netkit-telnet, ntp, and suricata), openSUSE (mailman and nextcloud), SUSE (autoyast2, file, git, gstreamer-plugins-base, libbsd, libvirt, libvpx, libxml2, mailman, and openexr), and Ubuntu (dovecot and json-c).
Linus has released the 5.7-rc6 kernelprepatch, which contains a bit more churn than he would like."That said, there's nothing particularly scary in here, and it's notlike this rc6 is outrageously big or out of control. I was just hoping forless."
Over the years, the kernel's CPU scheduler has become increasingly aware ofhow much load every task is putting on the system; this information is usedto make smarter task placement decisions. Sometimes, though, this logiccan go wrong, leading to a situation that Valentin Schneider describes as"utilization inversion". At the 2020 Power Management and Schedulingin the Linux Kernel summit (OSPM), he described the problem and someapproaches that are being considered to address it.
Linux is not heavily used in safety-critical systems — yet. There is anincreasing level of interest in such deployments, though, and that isdriving a number of initiatives to determine how Linux can be made suitablefor safety-critical environments. At the 2020 Power Management and Schedulingin the Linux Kernel summit (OSPM), Michal Sojka shone a light on onecorner of this work: testing the thermal characteristics of Linux systemswith an eye toward deployment in avionics systems.
Security updates have been issued by Debian (apt, inetutils, and log4net), Fedora (kernel, mailman, and viewvc), Gentoo (chromium, freerdp, libmicrodns, live, openslp, python, vlc, and xen), Oracle (.NET Core, container-tools:1.0, and kernel), Red Hat (kernel-rt), Scientific Linux (kernel), SUSE (kernel, libvirt, python-PyYAML, and syslog-ng), and Ubuntu (json-c).
It seems that the Rust programming language hasonly been around for five years. "With all that's going on inthe world you'd be forgiven for forgetting that as of today, it has beenfive years since we released 1.0 in 2015! Rust has changed a lot these pastfive years, so we wanted reflect back on all of our contributors' worksince the stabilization of the language."
Libre Graphics World is running anextensive interview with several Inkscape developers."I'd say we're at the point of supporting SVG as much as possible,but we've mostly given up trying to add editing features to the SVGspecification. As the W3C is dominated by web browsers who don't need multipage or connectors.I dare not say much more about W3C-specific things. I know that I'mpersonally disappointed that Inkscape's considerable importance in the SVGcreation space does not lend itself to getting the feature we intend tobuild into Inkscape into the actual SVG specification. This does lead tothe problem that going forwards we're likely to have browserincompatibilities."
Life gets complicated for the kernel when there is nothing for the systemto do. The obvious response is to put the CPU into an idle state tosave power, but which one? CPUs offer a wide range of sleep states withdifferent power-usage and latency characteristics. Picking too shallow astate will waste energy, while going too deep hurts latency and can impactthe performance of the system as a whole. The timer-events-oriented (TEO) cpuidle governoris a relatively new attempt to improve the kernel's choice of sleep states;at the 2020 Power Management and Scheduling in the Linux Kernel Summit,Pratik Sampat presented avariant of the TEO governor that tries to improve its choices further.
Security updates have been issued by Debian (apt and libreswan), Fedora (glpi, grafana, java-latest-openjdk, mailman, and oddjob), Oracle (container-tools:2.0, container-tools:ol8, kernel, libreswan, squid:4, and thunderbird), SUSE (apache2, grafana, and python-paramiko), and Ubuntu (apt and libexif).
A project that has been floating around in the Python world for a number ofyears is now working its way toward inclusion into the language—or not."Subinterpreters", which are separate Python interpreters that cancurrently be created via the C API for extensions, are seen by some as away to get a more Go-like concurrency model for Python. The first steptoward that goal is to expose that API in the standard library. But thereare questions about whether subinterpreters are actually a desirablefeature for Python at all, as well as whether the hoped-for concurrencyimprovements will materialize.
Core scheduling is a proposed modificationto the kernel's CPU scheduler that allows system administrators to controlwhich processes can be running simultaneously on the same processor core.It was originally proposed as a security mechanism, but other use cases have shown up over time aswell. At the 2020 PowerManagement and Scheduling in the Linux Kernel summit (OSPM), a group ofsome 50 developers gathered online to discuss the current state of the core-scheduling patches and what is needed to get them intothe mainline kernel.
Security updates have been issued by Fedora (java-1.8.0-openjdk and seamonkey), Gentoo (firefox, lrzip, qemu, squid, and thunderbird), Oracle (thunderbird), Red Hat (buildah, kernel, kernel-alt, kernel-rt, kpatch-patch, podman, python-pip, python-virtualenv, and qemu-kvm), Scientific Linux (kernel), Slackware (mariadb), SUSE (openconnect), and Ubuntu (file, firefox, iproute2, pulseaudio, and squid, squid3).
Go 1.15, the 16th major version of the Goprogramming language, is due out on August 1. It will be a release with fewer changes than usual, but many ofthe major changes are behind-the-scenes or in the tooling: for example,there is anew linker, which will speed up build times and reduce the size ofbinaries.In addition, there are performance improvements to the language's runtime,changes to the architectures supported, and some updates to the standard library. Overall, it should be a solidupgrade for the language.
Security updates have been issued by Arch Linux (a2ps and qutebrowser), openSUSE (cacti, cacti-spine, ghostscript, and python-markdown2), Oracle (kernel), Red Hat (chromium-browser, libreswan, and qemu-kvm-ma), Scientific Linux (thunderbird), and SUSE (kernel and libvirt).
Shuveb Hussain has posted an extensiveintroduction to io_uring, complete with examples and a reference guide."Because of the shared ring buffers between the kernel and userspace, io_uring can be a zero-copy system. Copying bytes around becomesnecessary when there are system calls that transfer data between kernel anduser space are involved. But since the bulk of the communication inio_uring is via buffers shared between the kernel and user space, this hugeperformance overhead is completely avoided."
Normally, when a kernel developer shows up with a proposed option thatdoesn't do anything, a skeptical response can be expected. But there areexceptions. Mickaël Salaün is proposingthe addition of a new flag (O_MAYEXEC) for the openat2() system call that, by default, will change nothing. But it doesopen a path toward tighter security in some situations.
Security updates have been issued by Arch Linux (chromium and firefox), Debian (libntlm, squid, thunderbird, and wordpress), Fedora (chromium, community-mysql, crawl, roundcubemail, and xen), Mageia (chromium-browser-stable), openSUSE (chromium, firefox, LibVNCServer, openldap2, opera, ovmf, php7, python-PyYAML, rpmlint, rubygem-actionview-5_1, slirp4netns, sqliteodbc, squid, thunderbird, and webkit2gtk3), Oracle (firefox, git, gnutls, kernel, libvirt, squid, and targetcli), Red Hat (thunderbird), SUSE (firefox, squid, and thunderbird), and Ubuntu (mailman).
The 5.7-rc5 kernel prepatch is out fortesting. "We'll see what the next few weeks bring, but at least for now it allfeels normal, and like the 5.7 release is tracking well.So please keep testing, and if you haven't dared a 5.7 pre-releasekernel yet, we're well into the 'things look calm and safe to test'time."
The userfaultfd()system call is a bit of a strange beast; it allows user space to takeresponsibility for the handling of page faults, which is normally aquintessential kernel task. It is thus perhaps not surprising that it hasturned out to have some utility for those who would attack the kernel'ssecurity as well. A recent patchset from Daniel Colascione is small, but it makes a significant changethat can help block at least one sort of attack usinguserfaultfd().
Security updates have been issued by Debian (firefox-esr, salt, and webkit2gtk), Fedora (firefox, mingw-gnutls, nss, and teeworlds), Mageia (firefox, libvncserver, matio, qt4, roundcubemail, samba, thunderbird, and vlc), Oracle (firefox and squid), SUSE (firefox, ghostscript, openldap2, rmt-server, syslog-ng, and webkit2gtk3), and Ubuntu (firefox).
A loop device is a kernel abstraction that allows a file to be presented asif it were a physical block device. The typical use for a loop device is to mount afilesystem image stored in a file. Loop devices are global and shared betweenusers, which causes a number of problems for container workloads where theinstances are expected to be isolated from each other. Christian Braunerhas been working on this problem; he has posted a patchset solving it by adding a small virtual filesystem called loopfs.
The GCC project has announced therelease of GCC 10.1. "A year has lapsed away since the release of last majorGCC release, more than 33 years passed since the firstpublic GCC release and the GCC developers survivedrepository conversion from SVN to GIT earlier this year.Today, we are glad to announce another major GCC release, 10.1.This release makes great progress in the C++20 language support,both on the compiler and library sides, some C2X enhancements,various optimization enhancements and bug fixes, several newhardware enablement changes and enhancements to the compiler back-endsand many other changes. There is even a new experimentalstatic analysis pass." More information can be found in the release notes.
Security updates have been issued by Debian (firefox-esr, keystone, mailman, and tomcat9), Fedora (ceph, firefox, java-1.8.0-openjdk, libldb, nss, samba, seamonkey, and suricata), Oracle (kernel), Scientific Linux (firefox and squid), SUSE (libvirt, php7, slirp4netns, and webkit2gtk3), and Ubuntu (linux-firmware and openldap).
The Emacs editor predatesLinux, and was once far more popular, but it has fallen into relative obscurity over the years.In a mega-thread on the emacs-devel mailing list, participants discussedvarious ideas for making Emacs more "attractive", in both aestheticand in "appealing to more users" senses of that term. Any improvementsto Emacs in that regard have numerous hurdles to overcome, however. Thereare technical questions and, naturally, licensing considerations, butthere is also the philosophical question of what it is, exactly, that stopsthe venerable text editor from being more popular.
Firefox 76.0 has been released. This version features a number ofimprovements to password management, Picture-in-Picture allows a smallvideo window to follow you around as you work, and support for AudioWorklets has been added, allowing more complex audio processing. Thereleasenotes have more details.
Drew DeVault has just released a (mostly complete) book on the Wayland display-serverprotocol under the Creative Commons CC-SA license. "This bookwill help you establish a firm understanding of the concepts, design, andimplementation of Wayland, and equip you with the tools to build your ownWayland client and server applications. Over the course of your reading,we'll build a mental model of Wayland and establish the rationale that wentinto its design. Within these pages you should find many 'aha!' moments asthe intuitive design choices of Wayland become clear, which should help tokeep the pages turning." For those who would rather peruse (orcontribute to) the Markdown source, it's available here.
Security updates have been issued by Debian (ansible, ntp, and roundcube), Fedora (libldb and samba), Mageia (chromium-browser-stable, crawl, dolphin-emu, exiv2, fortune-mod, gnuchess, kernel, libsndfile, openexr, openldap, openvpn, qtbase5, ruby-json, squid, teeworlds, and webkit2), Red Hat (sqlite), and SUSE (icu, mailman, nginx, rmt-server, rpmlint, and rubygem-actionview-5_1).
The end of April saw the posting of acomplex patch set called "Popcorn Linux distributed thread execution". It is the first appearance on thekernel mailing lists of an academic project (naturally called PopcornLinux) that has been underway since 2013 or so. This project has,among other goals, the objective of turning a tightly networked set ofcomputers into something that looks like a single system — a sort of NUMAmachine with even larger than usual inter-node costs. The posted code,which is a portion of the larger project, is focused on process migrationand memory sharing across machines. It is an interesting proof of concept,but one should not expect to see it merged in anything close to its currentform.
This year PHP turned 25 and, as with all things, the hope is that with age comeswisdom and maturity. Often derided as a great way to write bad (andinsecure) code, PHP is hard to ignore completely when it is used in nearlyeight out of tenwebsites. With PHP 7.4.5 released inApril, it's worthwhile to take a look at modern PHP, how it has evolved to address the criticisms of thepast, and what lies ahead in its future.
Version1.0 of the Inkscape drawing editor has been released. "One ofthe first things users will notice is a reorganized tool box, with a morelogical order. There are many new and improved Live Path Effect (LPE)features. The new searchable LPE selection dialog now features a verypolished interface, descriptions and even the possibility of markingfavorite LPEs. Performance improvements are most noticeable when editingnode-heavy objects, using the Objects dialog, and whengrouping/ungrouping."
LWN.net