Feed lwn LWN.net

Link https://lwn.net/
Feed http://lwn.net/headlines/rss
Updated 2025-04-22 01:45
[$] Rejuvenating Autoconf
GNU Autoconf, a widely used build tool that shines at compatibility with a variety of Unixes, has accumulated many improvements since its last release in 2012 — and there are patches awaiting review. While many projects have switched to other build systems, interest in Autoconf remains. Now, a small team (disclaimer: including article author Sumana Harihareswara) is rejuvenating it, working through some deferred maintenance and code review. A testable beta is now out, a new stable release is due in early November, and interested parties can build on this momentum to further refresh the rest of the GNU Build System (also known as Autotools).
Security updates for Friday
Security updates have been issued by Gentoo (freetype), openSUSE (mailman), Red Hat (firefox, java-11-openjdk, OpenShift Container Platform 3.11.306 jenkins, and rh-maven35-jackson-databind), SUSE (kernel, mercurial, openldap2, python-pip, and xen), and Ubuntu (firefox, netty-3.9, and python-pip).
Ubuntu 20.10 (Groovy Gorilla) released
The Ubuntu 20.10 release is out. "The Ubuntu kernel has been updated to the 5.8 based Linux kernel, and our default toolchain has moved to gcc 10 with glibc 2.32. Additionally, there is now a desktop variant of the Raspberry Pi image for Raspberry Pi 4 4GB and 8GB. Ubuntu Desktop 20.10 introduces GNOME 3.38, the fastest release yet with significant performance improvements delivering a more responsive Experience". See the release notes for more details.
[$] Constant-action bitmaps for seccomp()
The seccomp() system call allows user space to load one or more (classic) BPF programs to be run whenever the calling process invokes a system call. Those programs can examine (to an extent) the arguments to each call and inform the kernel whether the call should be allowed to proceed or not. This feature is used in a number of containerization solutions (and beyond) as a way of reducing the kernel's attack surface. In some situations, though, using seccomp() can result in a significant performance reduction. There are currently two patch sets in circulation that are aimed at reducing the overhead of seccomp() for one common use case.
Security updates for Thursday
Security updates have been issued by Arch Linux (freetype2), Debian (bluez, firefox-esr, and freetype), Fedora (firefox), openSUSE (chromium), Oracle (kernel), Red Hat (java-11-openjdk), Slackware (kernel), SUSE (freetype2, gnutls, kernel, php7, and tomcat), and Ubuntu (flightgear, italc, libapache2-mod-auth-mellon, libetpan, and php-imagick).
[$] LWN.net Weekly Edition for October 22, 2020
The LWN.net Weekly Edition for October 22, 2020 is available.
[$] What is coming in PHP 8
Recently, PHP 8 release candidate 2 was posted by the project. A lot of changes are coming with this release, including a just-in-time compiler, a good number of backward-compatibility breaks, and new features that developers have been requesting for years. Now that the dust has settled, and the community is focusing on squashing bugs for the general-availability release scheduled for November 26, it's a good time to look at what to expect.
Security updates for Wednesday
Security updates have been issued by Arch Linux (kdeconnect, kernel, kpmcore, lib32-freetype2, linux-hardened, linux-lts, linux-zen, lua, and powerdns-recursor), Debian (mariadb-10.1 and mariadb-10.3), Fedora (thunderbird), Mageia (claw-mail, freetype2, geary, kernel, and tigervnc), Oracle (nodejs:12), Red Hat (python27, rh-postgresql96-postgresql, and rh-python38), Slackware (freetype), SUSE (hunspell, kernel, libvirt, and taglib), and Ubuntu (grunt, quassel, and tomcat9).
Firefox 82.0 and ESR 78.4.0
Firefox 82.0 has been released, with improvements "that make watching videos more delightful" and improved performance. Firefox ESR 78.4.0 is also available with various stability, functionality, and security fixes. See the release notes (82.0, 78.4.0) for details.
[$] The accelerating adoption of Julia
The Julia programming language has seen a major increase in its use and popularity over the last few years. We last looked at it two years ago, around the time of the Julia 1.0 release. Here, we will look at some of the changes since that release, none of which are major, as well as some newer resources for learning the language, but the main focus of this article is a case study that is meant to help show why the language has been taking off. A follow-up article will introduce a new computational notebook for Julia, called Pluto, that is akin to Jupyter notebooks.
Security updates for Tuesday
Security updates have been issued by Debian (python-flask-cors), Fedora (kleopatra, nextcloud, and phpMyAdmin), Gentoo (ark, libjpeg-turbo, libraw, and libxml2), openSUSE (bind, kernel, php7, and transfig), Red Hat (kernel, kernel-alt, kernel-rt, rh-python36, virt:8.1 and virt-devel:8.1, and virt:8.2 and virt-devel:8.2), and Ubuntu (collabtive, freetype, linux, linux-hwe, linux-hwe-5.4, linux-oem, linux-raspi, linux-raspi-5.4, linux-snapdragon, and linux-oem-osp1, linux-raspi2-5.3).
Combating abuse in Matrix - without backdoors (Matrix blog)
This Matrix blog entry describes a planned reputation-management system that, it is claimed, accomplishes some of the same goals as government backdoors without the need to compromise end-to-end encryption. "Just like the Web, Email or the Internet as a whole, there is literally no way to unilaterally censor or block content in Matrix. But what we can do is provide first-class infrastructure to let users (and room/community moderators and server admins) make up their own mind about who to trust, and what content to allow. This would also provide a means for authorities to publish reputation data about illegal content, providing a privacy-respecting mechanism that admins/mods/users can use to keep illegal content away from their servers/clients."
Git v2.29.0 released
Version 2.29.0 of the Git source-code management system is out. This release includes a long list of smallish improvements; click below for the details. Also present is the code enabling Git to switch to the SHA-256 hash algorithm; this feature is still deemed experimental, though, and interoperability with SHA-1 repositories is not yet available.
[$] Resource management in KDE
Applications that run on the Linux desktop have changed significantly under the hood in recent years; for example, they use more processes than before. Desktop environments need to adapt to this change. During Akademy 2020, KDE developers David Edmundson and Henri Chain delivered a talk (YouTube video) about how KDE, working with other desktop environments, is starting to use advanced kernel features to give users more control over their systems. This talk complements a presentation by GNOME developers that was recently covered here.
Security updates for Monday
Security updates have been issued by Debian (kernel, thunderbird, and yaws), Fedora (createrepo_c, dnf, dnf-plugins-core, dnf-plugins-extras, kata-agent, libdnf, librepo, and wireshark), Gentoo (chromium and firefox), Mageia (brotli, flash-player-plugin, php, phpmyadmin, and wireshark), openSUSE (crmsh, gcc10, nvptx-tools, icingaweb2, kernel, libproxy, pdns-recursor, phpMyAdmin, and rubygem-activesupport-5_1), Red Hat (nodejs:12 and rh-maven35-apache-commons-collections4), and SUSE (gcc10, nvptx-tools and transfig).
A set of weekend stable kernel updates
The 5.9.1, 5.8.16, 5.4.72, 4.19.152, 4.14.202, 4.9.240, and 4.4.240 stable updates have all been released; each contains another set of important fixes.
[$] 5.10 Merge window, part 1
As of this writing, 7,153 non-merge changesets have been pulled into the mainline Git repository for the 5.10 release — over a period of four days. This development cycle is clearly off to a strong start. Read on for an overview of the significant changes merged thus far for the 5.10 kernel release.
Security updates for Friday
Security updates have been issued by Fedora (dnf, kernel, libdnf, python27, and python34), SUSE (blktrace, crmsh, php7, and php72), and Ubuntu (containerd, docker.io, firefox, htmlunit, and newsbeuter).
linux.conf.au 2021 call for sessions and miniconfs
The 2021 edition of linux.conf.au will be held online on January 23-25, 2021; the call for proposals has gone out with a relatively tight deadline of November 6. "Our theme is 'So what's next?'. We all know we're living through unprecedented change and uncertain times. How can open source play a role in creating, helping and adapting to this ongoing change? What new developments in software and coding can we look forward to in 2021 and beyond?" Since there is no travel involved, this is a rare opportunity for those who have not normally been able to participate in LCA.
[$] The Arm64 memory tagging extension in Linux
One of the first features merged for the 5.10 kernel development cycle was support for the Arm v8.5 memory tagging extension [PDF]. By adding a "key" value to pointers, this mechanism enables the automated detection of a wide range of memory-safety issues. The result should be safer and more secure code — once support for the feature shows up in actual hardware.
Security updates for Thursday
Security updates have been issued by Arch Linux (chromium), Debian (httpcomponents-client), Fedora (claws-mail), SUSE (bcm43xx-firmware, crmsh, libqt5-qtimageformats, libqt5-qtsvg, php53, php7, and rubygem-activesupport-4_2), and Ubuntu (php5, php7.0, php7.2, php7.4, python2.7, python3.4, python3.5, python3.6, and vim).
[$] LWN.net Weekly Edition for October 15, 2020
The LWN.net Weekly Edition for October 15, 2020 is available.
[$] Further analysis of PyPI typosquatting
We have looked at the problem of confusingly named packages in repositories such as the Python Package Index (PyPI) before. In general, malicious actors create these packages with names that can be mistaken for those of legitimate packages in the repository in a form of "typosquatting". Since our 2016 article, the problem has not gone away—no surprise—but there has been some recent analysis of it, as well as some efforts to combat it.
[$] A PHP syntax for discardable assignments
Recently, John Bafford revived a years-long conversation on expanding the syntax of the PHP foreach statement to include iterating solely over keys. Bafford, who wrote a patch and request for comments (RFC) on the matter back in 2016, hopes to update his work and convince the community to adopt the abbreviated syntax in PHP 8.1. The community took Bafford's general idea and expanded it into other areas of the language.
BleedingTooth: critical kernel Bluetooth vulnerability
Several flaws in the BlueZ kernel Bluetooth stack prior to Linux 5.9 are being reported by Intel and by Google (GHSA-h637-c88j-47wq, GHSA-7mh3-gq28-gfrq, and GHSA-ccx2-w2r4-x649). They are collectively being called "BleedingTooth", and more information will be forthcoming, though there is already a YouTube video demonstrating remote code execution using BleedingTooth.
A set of stable kernels
Stable kernels 5.8.15, 5.4.71, 4.19.151, 4.14.201, 4.9.239, and 4.4.239 have been released. They all contain important fixes and users should upgrade.
Security updates for Wednesday
Security updates have been issued by Debian (jackson-databind and tomcat8), Fedora (dovecot), Oracle (firefox, spice and spice-gtk, and thunderbird), Red Hat (flash-plugin), SUSE (ansible, crowbar-core, crowbar-openstack, grafana, grafana-natel-discrete-panel, openstack-aodh, openstack-barbican, openstack-cinder, openstack-gnocchi, openstack-heat, openstack-ironic, openstack-magnum, openstack-manila, openstack-monasca-agent, openstack-murano, openstack-neutron, openstack-neutron-vpnaas, openstack-nova, openstack-sahara, python-Pillow, rubygem-crowbar-client, bind, crmsh, kernel, libproxy, php74, rubygem-activesupport-5_1, and tigervnc), and Ubuntu (dom4j, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-hwe-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-gcp, linux-gcp-4.15, linux-gke-4.15, linux-hwe, linux-kvm, linux-oem, linux-oracle, linux-raspi2, linux-snapdragon, linux, linux-aws, linux-kvm, linux-lts-xenial, linux-raspi2, linux-snapdragon, linux, linux-lts-trusty, and linux-hwe, linux-gke-5.0, linux-gke-5.3, linux-oem-osp1, linux-raspi2-5.3).
Krita 4.4.0 released
Version 4.4.0 of the Krita painting application has been released. "With a whole slew of new fill layer types, including the really versatile SeExpr based scriptable fill layer type, exciting new options for Krita’s brushes like the gradient map mode for brushes, lightness and gradient modes for brush textures, support for dynamic use of colors in gradients, webm export for animations, new scripting features — and of course, hundreds of bug fixes that make this version of Krita better than ever." See the release notes for details.
[$] Some 5.9 kernel development statistics
The 5.9 kernel was released on October 11, at the end of a ten-week development cycle — the first release to take more than nine weeks since 5.4 at the end of 2019. While this cycle was not as busy as 5.8, which broke some records, it was still one of the busier ones we have seen in some time, featuring 14,858 non-merge changesets contributed by 1,914 developers. Read on for our traditional look at what those developers were up to while creating the 5.9 release.
[$] Python and the infinite
A recent proposal on the python-ideas mailing list would add a new way to represent floating-point infinity in the language. Cade Brown suggested the change; he cited a few different reasons for it, including fixing an inconsistency in the way the string representation of infinity is handled in the language. The discussion that followed branched in a few directions, including adding a constant for "not a number" (NaN) and a more general discussion of the inconsistent way that Python handles expressions that evaluate to infinity.
Security updates for Tuesday
Security updates have been issued by Mageia (mariadb), openSUSE (qemu and tigervnc), Oracle (kernel), Red Hat (chromium-browser and kernel), and SUSE (php5).
An open letter to Apache OpenOffice
On the 20th anniversary of the open-sourcing of the OpenOffice.org suite, the LibreOffice project has sent an open letter to the Apache OpenOffice project suggesting that it is time for the latter to recognize that the game is over. "If Apache OpenOffice wants to still maintain its old 4.1 branch from 2014, sure, that’s important for legacy users. But the most responsible thing to do in 2020 is: help new users. Make them aware that there’s a much more modern, up-to-date, professionally supported suite, based on OpenOffice, with many extra features that people need."
Plausible relicenses to AGPL
Plausible, a web-analytics package that was reviewed here in June, has announced a move from the MIT license to the Affero GPL, version 3. "This change makes no difference to any of you who subscribe to Plausible Cloud or who self-host Plausible, but it may upset a few corporations who tried to use our software to directly compete with us without contributing back."
The Open Invention Network's expanded Linux System Definition
The Open Invention Network, which offers patent protection for a wide range of open-source software, has expanded its Linux System Definition — the set of software covered by the OIN patent non-aggression agreement. In particular, the new definition includes the exFAT filesystem (once the subject of a lot of patent worries), the KDE Frameworks, the Robot Operating System, and version 10 of the Android Open Source Project.
Plasma 5.20 released
Version 5.20 of the Plasma KDE desktop is out. "A massive release, containing improvements to dozens of components, widgets, and the desktop behavior in general. Everyday utilities and tools, such as the Panels, Task Manager, Notifications and System Settings, have all been overhauled to make them more usable, efficient, and friendlier." There are also significant improvements in Plasma's Wayland support.
Security updates for Monday
Security updates have been issued by Debian (eclipse-wtp, httpcomponents-client, rails, and spice), Fedora (crun, oniguruma, and podman), openSUSE (grafana, kdeconnect-kde, kernel, nextcloud, nodejs10, nodejs8, and permissions), Oracle (kernel), and SUSE (tigervnc).
LLVM 11.0.0 released
Version 11.0.0 of the LLVM compiler suite is out. Significant changes include the addition of a Fortran frontend and a lot more; see the collection of release-note sets in the announcement for details.
Wishing David Miller well
David Miller is the long-time maintainer of the kernel's networking subsystem. On October 10, he wrote this to his Twitter feed: "I had a stroke on Tuesday and have been recovering since please pray for me". We at LWN wish David a fast and complete recovery. (Thanks to Harald Welte for the heads-up).
The 5.9 kernel has been released
Linus has released the 5.9 kernel. "Ok, so I'll be honest - I had hoped for quite a bit fewer changes this last week, but at the same time there doesn't really seem to be anything particularly scary in here. It's just more commits and more lines changed than I would have wished for." Some of the significant features in this release are: x86 FSGSBASE support, capacity awareness in the deadline scheduler, the close_range() system call, proactive compaction in the memory-management subsystem, the rationalization of kernel-thread priorities, and more. See the KernelNewbies 5.9 page for more details.
[$] NAPI polling in kernel threads
Systems that manage large amounts of network traffic end up dedicating a significant part of their available CPU time to the network stack itself. Much of this work is done in software-interrupt context, which can be problematic in a number of ways. That may be about to change, though, once this patch series posted by Wei Wang is merged into the mainline.
Security updates for Friday
Security updates have been issued by Oracle (bind, kernel, libcroco, nss and nspr, qemu-kvm, spice and spice-gtk, and squid) and SUSE (kernel).
[$] The ABI status of filesystem formats
One of the key rules of Linux kernel development is that the ABI between the kernel and user space cannot be broken; any change that breaks previously working programs will, outside of exceptional circumstances, be reverted. The rule seems clear, but there are ambiguities when it comes to determining just what constitutes the kernel ABI; tracepoints are a perennial example of this. A recent discussion has brought another one of those ambiguities to light: the on-disk format of Linux filesystems.
Security updates for Thursday
Security updates have been issued by Debian (activemq, golang-go.crypto, packagekit, and sympa), Fedora (php and xen), Red Hat (bind, kernel, and qemu-kvm), SUSE (qemu), and Ubuntu (golang-github-seccomp-libseccomp-golang and spice).
[$] LWN.net Weekly Edition for October 8, 2020
The LWN.net Weekly Edition for October 8, 2020 is available.
[$] Fixing our broken internet
In unusually stark terms, Mozilla is trying to rally the troops to take back the internet from the forces of evil—or at least "misinformation, corruption and greed"—that have overtaken it. In a September 30 blog post, the organization behind the Firefox web browser warned that "the internet needs our love". While there is lots to celebrate about the internet, it is increasingly under threat from various types of bad actors, so Mozilla is starting a campaign to try to push back against those threats.
[$] Ruby 3.0 brings new type checking and concurrency features
The first preview of Ruby version 3.0 was released on September 25. It includes better support for type checking, additional language features, and two new experimental features: a parallel execution mechanism called Ractor, and Scheduler, which provides concurrency improvements.
Three stable kernels
Stable kernels 5.8.14, 5.4.70, and 4.19.150 have been released with some important fixes. Users should upgrade.
Security updates for Wednesday
Security updates have been issued by Arch Linux (brotli, lib32-brotli, lib32-zeromq, samba, yaws, and zeromq), Debian (php7.0, puma, sane-backends, thunderbird, and tigervnc), Fedora (ghc-cmark-gfm, ghc-hakyll, gitit, pandoc, pandoc-citeproc, and patat), openSUSE (kdeconnect-kde and perl-DBI), Oracle (kernel), Red Hat (chromium-browser and spice and spice-gtk), SUSE (hexchat and nodejs8), and Ubuntu (vino).
[$] Zig heading toward a self-hosting compiler
The Zig programming language is a relatively recent entrant into the "systems programming" realm; it looks to interoperate with C, while adding safety features without sacrificing performance. The language has been gaining some attention of late and has announced progress toward a Zig compiler written in Zig in September. That change will allow LLVM to become an optional component, which will be a big step forward for the "maturity and stability" of Zig.
Security updates for Tuesday
Security updates have been issued by Fedora (chromium, libproxy, mumble, and thunderbird), openSUSE (perl-DBI), Red Hat (qemu-kvm-rhev, rh-mariadb102-mariadb and rh-mariadb102-galera, rh-maven35-jackson-databind, spice and spice-gtk, and unbound), SUSE (gnutls, java-1_7_0-openjdk, openssl1, and perl-DBI), and Ubuntu (brotli, cyrus-imapd, openconnect, opendmarc, python-urllib3, ruby-rack-cors, spice, tika, and yaws).