Security updates have been issued by Debian (kernel, libxml-security-java, and openssl), Fedora (fetchmail and python-rsa), openSUSE (grafana-piechart-panel and opera), and Red Hat (nodejs:14).
The third 5.15 kernel prepatch is out for testing. "So after a somewhat rocky merge window and second rc, things are now actually looking pretty normal for rc3. Knock wood".
The 2021 election for the Linux Foundation's Technical Advisory board resulted in all five incumbent members (Greg Kroah-Hartman, Jonathan Corbet, Steven Rostedt, Ted Ts'o, and Sasha Levin) being re-elected. Of the 1,012 developers authorized to vote, 237 actually cast ballots.
It has often been said that the competition between the GCC and LLVM compilers is good for both of them. One place where that competition shows up is in the area of security features; if one compiler adds a way to harden programs, the other is likely to follow suit. Qing Zhao's session at the 2021 Linux Plumbers Conference told the story of how GCC successfully played catch-up for two security-related features that were of special interest to the kernel community.
The GNU Core Utilities (coreutils) has announced the release of version 9.0 of "the basic file, shell and text manipulation utilities" used by the GNU operating system and various Linux distributions. In the year and a half or so since the last major release (8.32), various new features were added, including:
Security updates have been issued by Debian (mupdf), Fedora (ghostscript, gifsicle, and ntfs-3g), openSUSE (kernel and nodejs14), and SUSE (curl, ffmpeg, gd, hivex, kernel, nodejs14, python-reportlab, sqlite3, and xen).
For the second year in a row, the GNU Tools Cauldron (the annual gathering of GNU toolchain developers) has been held as a dedicated track at the online Linux Plumbers Conference. For the 2021 event, that track started with a talk by David Malcolm on his work with the GCC -fanalyzer option, which provides access to a number of static-analysis features. Quite a bit has been happening with -fanalyzer and more is on the way with the upcoming GCC 12 release, including, possibly, a set of checks that have already found at least one vulnerability in the kernel.
Over at the Guix-HPC blog, Ludovic Courtès writes about trying to package the PyTorch machine-learning library for the Guix distribution. Building from source in a user-verifiable manner is part of the philosophy behind Guix, but there were a number of problems that were encountered:
A few weeks ago, Matthew Wilcox might have guessed that his session at the 2021 Linux Plumbers Conference would be focused rather differently. But, as we reported earlier in September, his folio patch set ran into some, perhaps unexpected, opposition and, ultimately, did not land in the mainline for 5.15. Instead of discussing how to use folios as part of the File Systems microconference, he led a discussion that was, at least in part, on the path forward for them.
Stable kernels 5.14.7, 5.10.68, 5.4.148, 4.19.207, 4.14.247, 4.9.283, and 4.4.284 have been released. They all contain important fixes and users should upgrade.
Security updates have been issued by Debian (grilo), Fedora (curl, firefox, mingw-python-pillow, python-pillow, python2-pillow, and webkit2gtk3), openSUSE (chromium, grafana-piechart-panel, kernel, libcroco, php-composer, and xen), Oracle (curl, kernel, and nss and nspr), Red Hat (nodejs:12), Slackware (alpine), SUSE (ghostscript, grafana-piechart-panel, kernel, and xen), and Ubuntu (linux, linux-hwe, linux-hwe-5.11, linux-hwe-5.4, linux-raspi, linux-raspi-5.4, and linux-raspi2).
Middleboxes are, unfortunately in many ways, a big part of today's internet. While middleboxes inhabit the same physical niche as routers, they are not aimed at packet forwarding; instead they are meant to monitor and manipulate the packets that they see. The effects of those devices on users of the networks they reign over may be unfortunate as well, but the rest of the internet is only affected when trying to communicate with those users—or so it was thought. Based on some recently reported research, it turns out that middleboxes can be abused to inflict denial-of-service (DoS) attacks elsewhere on the net.
Security updates have been issued by Debian (webkit2gtk, wpewebkit, and xen), Oracle (kernel), Red Hat (curl, go-toolset:rhel8, krb5, mysql:8.0, nodejs:12, and nss and nspr), and Ubuntu (curl and tiff).
The first day of the Kangrejos (Rust for Linux) conference introduced the project and what it was trying to accomplish; day 2 covered a number of core Rust concepts and their relevance to the kernel. On the third and final day of the conference, Wedson Almeida Filho delved deeper into how Rust can be made to work in the Linux kernel, covered some of the lessons that have been learned so far, and discussed next steps with a number of kernel developers.
Security updates have been issued by Debian (gnutls28, nettle, nextcloud-desktop, and openssl1.0), Fedora (dovecot-fts-xapian, drupal7, ghostscript, haproxy, libtpms, lynx, wordpress, and xen), openSUSE (xen), Red Hat (rh-ruby27-ruby), and SUSE (openssl, openssl1, and xen).
The relatively large 5.14.6, 5.13.19, and 5.10.67 stable kernel updates have been released; each contains another set of important fixes. Note that this is the final update for the 5.13.x series.
The first day of the online Kangrejos conference was focused on introducing the effort to bring the Rust programming language into the Linux kernel. On the second day, conference organizer Miguel Ojeda shifted to presenting the Rust language itself with an emphasis on what Rust can provide for kernel development. The result was a useful resource for anybody who is curious about this project, but who has not yet had the time to become familiar with Rust.
Security updates have been issued by CentOS (firefox and thunderbird), Fedora (haproxy, wordpress, and xen), openSUSE (apache2-mod_auth_openidc, fail2ban, ghostscript, haserl, libcroco, nextcloud, and wireshark), Oracle (kernel and kernel-container), Slackware (httpd), SUSE (crmsh, gtk-vnc, libcroco, Mesa, postgresql12, postgresql13, and transfig), and Ubuntu (libgcrypt20, linux-gcp, linux-gcp-4.15, linux-hwe-5.4, linux-oem-5.13, python3.4, python3.5, and qtbase-opensource-src).
The first ever Rust for Linux conference, known as Kangrejos, got underway on September 13. Organizer Miguel Ojeda used the opening session to give an overview of why there is interest in using Rust in the kernel, where the challenges are, and what the current status is. The talk and following discussion provided a good overview of what is driving this initiative and where some of the sticking points might be.
Security updates have been issued by Debian (sssd), Fedora (libtpms and vim), openSUSE (kernel and php7-pear), Oracle (kernel), Slackware (curl), and Ubuntu (libgcrypt20 and squashfs-tools).
Back in January 2020, we looked at some oddities in Python's handling of Not a Number (NaN) values in its statistics module. The conversation went quiet after that, but it has been revived recently with an eye toward fixing the problems that were reported. As detailed in that earlier article, NaNs are rather strange beasts in the floating-point universe, so figuring out how best to deal with their presence is less straightforward than it might seem.
Security updates have been issued by Arch Linux (chromium, element-desktop, element-web, firefox, ghostscript, and hedgedoc), Fedora (kernel and openssl), openSUSE (ghostscript, htmldoc, and openssl-1_0_0), Oracle (libtirpc), Red Hat (cyrus-imapd, kernel, and kernel-rt), SUSE (ghostscript), and Ubuntu (apport, curl, and squashfs-tools).
The Roundup Issue Tracker is a flexible tool for managing issues via the web or email. However, Roundup is useful for more than web-based bug tracking or help-desk ticketing; it can be used as a simple wiki or to manage tasks with the Getting Things Done (GTD) methodology. The 20th-anniversary edition of Roundup, version 2.1.0, was released in July; it is a maintenance release, but there have been a number of larger improvements in the last year or so. Here we introduce Roundup's features along with the recent developments that have helped make Roundup even more useful for tracking issues to their resolution.
Security updates have been issued by openSUSE (libaom and nextcloud), Oracle (cyrus-imapd, firefox, and thunderbird), Red Hat (kernel and kpatch-patch), Scientific Linux (firefox and thunderbird), and Ubuntu (apport).
Linus Torvalds released 5.15-rc1 and closed the merge window for this release on September 12; at that point, 10,471 non-merge changesets had found their way into the mainline repository. Those changesets contain a lot of significant changes and improvements. Read on for a summary of what came into the mainline in the roughly 7,000 changesets pulled since our first-half summary was written.
Security updates have been issued by Debian (qemu and thunderbird), Fedora (chromium, firefox, and mosquitto), openSUSE (apache2-mod_auth_openidc, gifsicle, openssl-1_1, php7-pear, and wireshark), Oracle (oswatcher), Red Hat (cyrus-imapd, firefox, and thunderbird), SUSE (apache2-mod_auth_openidc, compat-openssl098, php7-pear, and wireshark), and Ubuntu (git and linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-dell300x, linux-hwe, linux-kvm, linux-oracle, linux-snapdragon).
Version 11.1 of the GDB debugger is out. There are a number of new features, and somebody will surely be disappointed to see that support for debugging Arm Symbian programs has been removed.
The Linux Foundation has announced that Software Package Data Exchange (SPDX) has become an international standard (ISO/IEC 5962:2021). SPDX has been used in the kernel and other projects to identify the licenses and attach other metadata to software components.
When we last caught up with the page folio patch set, it appeared to be on track to be pulled into the mainline during the 5.15 merge window. Matthew Wilcox duly sent a pull request in August to make that happen. While it is possible that folios could still end up in 5.15, that has not happened as of this writing and appears increasingly unlikely. What we got instead was a lengthy discussion on the merits of the folio approach.
Security updates have been issued by Debian (firefox-esr, ghostscript, ntfs-3g, and postorius), Fedora (java-1.8.0-openjdk-aarch32, libtpms, and salt), openSUSE (libaom, libtpms, and openssl-1_0_0), Red Hat (openstack-neutron), SUSE (grilo, java-1_7_0-openjdk, libaom, libtpms, mariadb, openssl-1_0_0, openssl-1_1, and php74-pear), and Ubuntu (firefox and ghostscript).