Security updates have been issued by Debian (codemirror-js, firefox-esr, and pacemaker), Fedora (firefox, java-latest-openjdk, and xen), openSUSE (sddm), Oracle (bind, curl, fence-agents, kernel, librepo, libvirt, python3, qt and qt5-qtbase, and tomcat), SUSE (firefox), and Ubuntu (intel-microcode, openldap, and raptor2).
Toward the end of October, GitHub removed the repository for the youtube-dl utility, which provides a means to download video content from various streaming sites, such as YouTube. The repository was replaced with a cheery notice that it had been removed due to a DMCA takedown. It will likely come as no surprise that the DMCA action came from the Recording Industry Association of America (RIAA) or that the complaint was that the program circumvented the "technological protection measures" used on the videos by YouTube and other authorized sites.
A Google project aims to bring the Linux kernel virtualization mechanism, KVM, to Android systems. Will Deacon leads that effort and he (virtually) came to KVM Forum to discuss the project, its goals, and some of the challenges it has faced. Unlike some Android projects of the past, though, "protected KVM" is being worked on in the open, with code going upstream along the way.
The second set of stable kernel updates in a single day has just come out: 5.9.8, 5.4.77, 4.19.157, 4.14.206, 4.9.243, and 4.4.243 are all available. They all contain a single patch fixing an urgent security issue. Greg Kroah-Hartman says: "Hint, if you are using SGX, then upgrade. And then possibly reconsider the decisions you have recently made that caused you to write special code to use that crazy thing." See this article for information on SGX in the kernel.
The Go blog celebrates eleven years of Go language development and looks forward to what comes next. "When the pandemic hit, we decided to pause any public announcements or launches in the spring, recognizing that everyone’s attention rightly belonged elsewhere. But we kept working, and one of our team members joined the Apple/Google collaboration on privacy-preserving exposure notifications to support contact tracing efforts all over the world. In May, that group launched the reference backend server, written in Go."
The realtime developers have been working for many years to create a kernel where the highest-priority task is always able to run without delay. That has meant a long process of finding and fixing situations where high-priority tasks might be blocked from running; one of the persistent problems in this regard has been kernel code that disables preemption. One tool that the realtime developers have reached for is disabling migration (moving a process from one CPU to another) rather than preemption; this approach has not been entirely popular among scheduler developers, though. Even so, the solution would appear to be this migration-disable patch set from scheduler developer Peter Zijlstra.
The 5.10-rc3 kernel prepatch is out for testing. "Things look normal. rc3 is neither particularly small or particularly large - it's pretty much average for an rc3 release for the last couple of years."
Version 2.0 of the Mutt email client is out. "This release was bumped to 2.0, not because of the magnitude of features (which is actually smaller than past releases), but because of a few changes that are backward incompatible". New features include a cd command to change directories, automatic IMAP reconnection, and "MuttLisp", a Lisp-like language for the configuration file. See the release notes for details.
The 2020 editions of Open Source Summit Europe (OSS EU) and Embedded Linux Conference Europe (ELC EU) were held virtually October 26-30, along with some other events (KVM Forum, Linux Security Summit, and more). The videos, Q&A, and presentations from those conferences are now available to all at the event site through the month of November. The videos will also be posted to YouTube during the month so that they will be available for the future. The schedule is available as well.
As described in this Let's Encrypt blog entry, certificates issued by Let's Encrypt will soon be signed solely by that organization's own root certificate, which is accepted by all modern browsers. There is one little catch, though: versions of Android prior to 7.1.1 (released in late 2016) do not recognize that certificate and will start throwing errors. "Currently, 66.2% of Android devices are running version 7.1 or above. The remaining 33.8% of Android devices will eventually start getting certificate errors when users visit sites that have a Let’s Encrypt certificate. In our communications with large integrators, we have found that this represents around 1-5% of traffic to their sites." There appears to be little to be done about this problem other than to encourage owners of older Android devices to install Firefox.
The kmap() interface in the kernel is a bit of a strange beast. It only exists to overcome the virtual addressing limitations of 32-bit CPUs, but it affects code across the kernel and has side effects on 64-bit machines as well. A recent discussion on the handling of preemption within the kernel identified a number of problems in need of attention, one of which was the kmap() API. Now, an extension to this API called kmap_local() is being proposed to address some of the problems; it signals another step in the kernel community's slow move away from supporting 32-bit machines as first-class citizens.
Security updates have been issued by Debian (sddm and wordpress), Fedora (blueman, chromium, pngcheck, and salt), openSUSE (chromium, salt, tiff, tigervnc, tmux, tomcat, transfig, and xen), Oracle (freetype, kernel, libX11, thunderbird, and xorg-x11-server), SUSE (bluez, ImageMagick, java-1_8_0-openjdk, rmt-server, salt, and u-boot), and Ubuntu (dom4j, firefox, netqmail, phpldapadmin, and tmux).
The scp command, which uses the SSH protocol to copy files between machines, is deeply wired into the fingers of many Linux users and developers — doubly so for those of us who still think of it as a more secure replacement for rcp. Many users may be surprised to learn, though, that the resemblance to rcp goes beyond the name; much of the underlying protocol is the same as well. That protocol is showing its age, and the OpenSSH community has considered it deprecated for a while. Replacing scp in a way that keeps users happy may not be an easy task, though.
Four new stable kernels have been released: 5.9.5, 5.4.75, 4.19.155, and 4.14.204. They are fairly large updates with lots of important fixes throughout the kernel tree; users should upgrade. Update: 5.9.6 has been released to fix a build problem with 5.9.5: "if 5.9.5 built properly for you, wonderful, no need to upgrade".
Security updates have been issued by Debian (bouncycastle, gdm3, and libonig), Fedora (arpwatch, thunderbird, and trousers), openSUSE (chromium, gn), Red Hat (freetype, libX11, thunderbird, and xorg-x11-server), and SUSE (ImageMagick, java-11-openjdk, salt, and wireshark).
At this year's (virtual) Open Source Summit Europe, Oleg Fiksel gave an overview talk on the Matrix decentralized, secure communication network project. Matrix has been seeing increasing adoption recently, he said, including by governments (beyond France, which we already reported on in an article on a FOSDEM 2019 talk) and other organizations. It also aims to bridge all of the different chat mechanisms that people are using in order to provide a unified interface for all of them.
Greg Kroah-Hartman has released stable kernel 5.9.4. "This is only a bugfix for the 5.9.3 kernel release which had some problems with some symlinks for the powerpc selftests." If you did not have any issues with 5.9.3 there is no need to upgrade.
Pluto is a new computational notebook for the Julia programming language. Computational notebooks are a way to program inside of a web browser, storing code, annotations, and output, including graphics, in a single place. They became popular with the advent of the Jupyter notebook, which originally targeted Julia, Python, and R—the names got mashed together to make the word "Jupyter".
Kernel.org manager Konstantin Ryabitsev describes the Git signed-push functionality, which is now supported by the kernel.org system. "To help hedge against this problem, git provides developers a way to sign their actual pushes, as a means to attest 'yes, I actually did intend to push these commits into this ref in this repository on this server, and here's my PGP signature to prove it.'" Among other things, these signatures can be preserved in a commit transparency log, which is also now provided by kernel.org.
Alyssa Rosenzweig reports on the progress of the Panfrost driver. "Since our previous update on Panfrost, the open source stack for Arm's Mali Midgard and Bifrost GPUs, we've focused on taking our driver from its reverse-engineered origins on Midgard to a mature stack. We've overhauled both the Gallium driver and the backend compiler, and as a result, Mesa 20.3 -- scheduled for release at the end-of-the-month -- will feature some Bifrost support out-of-the-box."
Security updates have been issued by Debian (blueman and wordpress), Fedora (fastd, kernel, and samba), Gentoo (bluez, fossil, kpmcore, libssh, and opendmarc), openSUSE (claws-mail and icinga2), and Ubuntu (blueman).
For those who are following along with Linus Walleij's detailed writeup of how the 32-bit Arm bootstrap process works, he has posted two new installments (part 1, part 2) on what happens once virtual memory is enabled. "This init task is task 0. It is not identical to task 1, which will be the init process. That is a completely different task that gets forked in userspace later on. This task is only about providing context for the kernel itself, and a point for the first task (task 1) to fork from. The kernel is very dependent on context as we shall see, and that is why its thread/task information and even the stack pointer for this 'task zero' is hardcoded into the kernel like this. This 'zero task' does not even appear to userspace if you type ps aux, it is hidden inside the kernel."
Overclocking the processor — running it above its specified maximum frequency to increase performance — is a familiar operation for many readers. Sometimes, however, it is necessary to go the other direction and decrease a processor's operating power point by lowering its voltage to avoid overheating. Recently, Jason Donenfeld submitted a short patch removing a warning emitted by the kernel when user space accesses special processor registers that allow this "undervolting" on x86 processors. It caused a long discussion that might result in a kernel interface to allow users to safely control their processor's voltage.
The net today carries the sad news that Dan Kohn has passed away. Among other things, Dan played a huge role in the establishment of the Linux Foundation and a number of its initiatives, including the Cloud Native Computing Foundation and LF Public Health. He will be missed.
The second 5.10 kernel prepatch is out for testing. "Despite the size, I don't get the feeling that there's anything really odd going on, and so far the release seems to be going smoothly. But please test, that's how we find problems."
Linux distributors are in the business of integrating software from multiple sources, packaging the result, and making it available to their users. It has long been true that some projects are easier to package than others. The Debian technical committee (TC) is currently being asked to make a decision in a dispute over how an especially hard-to-package project — Kubernetes — should be handled. Regardless of the eventual outcome, this disagreement clearly shows how the packaging model used by Linux distributors is increasingly mismatched to how software is often developed in the 2020s; what should replace that model is rather less clear, though.
Security updates have been issued by Debian (dompurify.js, libsndfile, and openjdk-8), Fedora (python2), Mageia (tomcat), openSUSE (lout, pagure, php7, singularity, and tensorflow2), SUSE (graphviz, libvirt, pacemaker, python-Jinja2, samba, spice, spice-gtk, thunderbird and mozilla-nspr, xen, and zstd), and Ubuntu (fastd).
The kernel's tracing infrastructure is designed to be fast and to interfere as little as possible with the normal operation of the system. One consequence of this requirement is that the code that runs when a tracepoint is hit cannot sleep; otherwise execution of the tracepoint could add an arbitrary delay to the execution of the real work the kernel should be doing. There are times, though, that the ability to sleep within a tracepoint would be handy, delays notwithstanding. The sleepable tracepoints patch set from Michael Jeanson sets the stage to make it possible for (some) tracepoint handlers to take a nap while performing their tasks — but stops short of completing the job for now.
Greg Kroah-Hartman has announced the release of seven new stable kernels: 5.9.2, 5.8.17, 5.4.73, 4.19.153, 4.14.203, 4.9.241, and 4.4.241. These are extremely large updates, with important fixes throughout the tree. Users of these kernel series should upgrade. Update: 4.19.154 was released later because 4.19.153 did not get all of the patches intended for it, as reported by Pavel Machek.
Security updates have been issued by Debian (linux-4.19), Fedora (tcpreplay, xen, and yubihsm-shell), SUSE (pacemaker), and Ubuntu (gosa and pam-python).
Python's keyword arguments for functions are a useful (and popular) feature; they can make code more readable and eliminate the possibility of passing arguments in the wrong order. Python can also index an object in various ways to refer to a subset or an aspect of the object. Bringing the idea of keywords to indexing would provide a way to get the clarity benefit for indexing operations; doing so has been discussed in Python circles for a long time. Some renewed interest, in the form of lengthy discussions on the python-ideas mailing list and a new Python enhancement proposal (PEP), looks like it just might take keyword indexing over the finish line.
Address-space isolation is the technique of removing a range of memory from one or more address spaces as a way of preventing accidental or malicious access to that memory. Since the disclosure of the Meltdown and Spectre vulnerabilities, the kernel has used one form of address-space isolation to make kernel memory completely inaccessible to user-space processes, for example. There has been a steady level of interest in using similar techniques to protect memory in other contexts; two patches implementing new isolation mechanisms are getting closer to being ready for merging into the mainline kernel.
Security updates have been issued by Debian (thunderbird), Fedora (createrepo_c, dnf-plugins-core, dnf-plugins-extras, librepo, livecd-tools, and pdns-recursor), openSUSE (firefox and mailman), Oracle (firefox), Red Hat (chromium-browser, java-1.8.0-openjdk, and Satellite 6.8), Scientific Linux (java-1.8.0-openjdk), SUSE (libvirt), and Ubuntu (blueman, firefox, mysql-5.7, mysql-8.0, php7.4, and ruby-kramdown).
The Fedora 33 release is now available in a variety of editions, including the newly promoted IoT edition. "No matter what variant of Fedora you use, you’re getting the latest the open source world has to offer. Following our 'First' foundation, we’ve updated key programming language and system library packages, including Python 3.9, Ruby on Rails 6.0, and Perl 5.32. In Fedora KDE, we’ve followed the work in Fedora 32 Workstation and enabled the EarlyOOM service by default to improve the user experience in low-memory situations. To make the default Fedora experience better, we’ve set nano as the default editor." A number of the more significant Fedora 33 changes were covered here in June.
Linus Walleij continues his series of blog posts on the 32-bit Arm kernel with this detailed description about how page tables work. "The Linux kernel will act as if 5 levels of page tables exist. This is of course grossly over-engineered for ARM32 which has 2 or 3 levels of page tables, but we need to cater for the rest of the world. One size fits all. In practice, the code is organized such that these page tables 'fold' and we mostly skip over the intermediate translation steps when possible."
Linus Torvalds released 5.10-rc1 and closed the 5.10 merge window on October 25; by that time, 13,903 non-merge changesets had been pulled into the mainline repository. Of those, over 6,700 were merged since LWN's summary of the first half of the merge window. A fair number of interesting features found their way into the kernel among those commits; read on to catch up with what's coming in 5.10.
Security updates have been issued by Debian (fastd, freetype, openjdk-11, phpmyadmin, and thunderbird), Fedora (ant, firefox, freetype, kde-partitionmanager, kpmcore, mupdf, python-PyMuPDF, singularity, suricata, and zathura-pdf-mupdf), Mageia (claws-mail, nss, firefox, pdns-recursor, and thunderbird), openSUSE (atftp, chromium, firefox, freetype2, gnutls, hunspell, kleopatra, and opera), Oracle (firefox, java-11-openjdk, and kernel), Red Hat (firefox and kpatch-patch), SUSE (bluez, firefox, glibc, libcdio, rmt-server, and SDL), and Ubuntu (freetype, pam-python, and perl).
Linus has released 5.10-rc1 and closed the merge window for this development cycle. "This looks to be a bigger release than I expected, and while the merge window is smaller than the one for 5.8 was, it's not a *lot* smaller. And 5.8 was our biggest release ever."
Version 10.1 of the GDB debugger is out. Changes include support for debugging BPF programs, GDBserver support on the RISC-V architecture, and support for "debuginfod", which is "an HTTP server for distributing ELF/DWARF debugging information as well as source code."