LWN.net
Link https://lwn.net/
Feed http://lwn.net/headlines/rss
Updated 2025-06-10 04:45
[$] Sidestepping kernel memory management with DMEMFS
One of the kernel's primary jobs is to manage the memory installed in the system. Over the years, though, there have been various reasons for removing a portion of the system's memory from the kernel's view. One of the latest can be seen in a mechanism called DMEMFS, which is being proposed as a way to get around some inefficiency in how the kernel keeps track of RAM.
2019-2020 State of Mozilla
Mozilla has released its annual report: "Every year in the spirit of openness upon which Mozilla was founded, we share publicly the ways we have protected, fought for and helped advance the internet in service of the people who rely on it every day. We outline how our organization is meeting the challenges of online life through an annual report: the State of Mozilla. This year we’ve changed the format of our report to focus on how we are using our organization’s strength and resources on two fronts: Fighting for People and Building for the Future. This report highlights the impact of our work in 2020 and is accompanied by our most recently filed financials which cover 2019. As the State of Mozilla outlines, Mozilla works to make the promise of a better internet a reality. We can’t and we don’t do it alone. There are myriad ways anyone can join this effort through actions big and small, starting with getting better educated on what’s at stake; pushing companies to operate more transparently and in the interest of communities and people, not just profits; testing new products; and choosing technology made by companies who share your vision for a healthier internet."
Bash 5.1 and Readline 8.1 released
Bash 5.1 is out. "This release fixes several outstanding bugs in bash-5.0 and introduces several new features. The most significant change is a return to the bash-4.4 behavior of not performing pathname expansion on a word that contains backslashes but does not contain any unquoted globbing special characters. This comes after a long POSIX discussion that resulted in a change to the standard. There are several changes regarding trap handling while reading from the terminal (e.g, for `read' and `select'.) There are a number of bug fixes, including several bugs that caused the shell to crash." The readline library used in bash 5.1 has also been updated to version 8.1. "There are more improvements in the programming interface and new user-visible variables and bindable commands. There are several new public API functions, but there should be no incompatible changes to existing APIs."
Security updates for Monday
Security updates have been issued by Arch Linux (ceph, gitea, matrix-synapse, musl, mutt, neomutt, opensc, and webkit2gtk), Debian (debian-security-support, openldap, salt, xen, and xorg-server), Fedora (fossil, pdfresurrect, tcpdump, thunderbird, and xorg-x11-server), Gentoo (chromium, firefox, mariadb, pam, postgresql, seamonkey, thunderbird, and xorg-server), Mageia (mutt, pdfresurrect, privoxy, and thunderbird), openSUSE (chromium, java-1_8_0-openjdk, kernel, minidlna, neomutt, opera, pngcheck, python, python-cryptography, python-pip, python-setuptools, python3, rclone, thunderbird, xen, and xorg-x11-server), Red Hat (ksh and net-snmp), and SUSE (crowbar-openstack, grafana, influxdb, python-urllib3, fontforge, mariadb, mutt, postgresql12, python-cryptography, and xen).
Kernel prepatch 5.10-rc7
Linus has released 5.10-rc7 for testing; he seems happy with how it is coming together. "So unless something odd and bad happens next week, we'll have a final 5.10 release next weekend, and then we'll get the bulk of the merge window for 5.11 over and done with before the holiday season starts."
t2 Linux 20.10 released
The 20.10 release of the t2 Linux distribution is available. "After a decade of development we are proud to announce the availability of the new T2 Linux Source and Embedded Linux distribution build kit stable release 20.10." More information about this distribution can be found at t2sde.org: "T2 SDE is not just a regular Linux distribution - it is a flexible Open Source System Development Environment or Distribution Build Kit (others might even name it Meta Distribution). T2 allows the creation of custom distributions with state of the art technology, up-to-date packages and integrated support for cross compilation. Currently the Linux kernel is normally used - but the T2 SDE is being expanded to Minix, Hurd, OpenDarwin, Haiku and OpenBSD - more to come."
[$] The future of 32-bit Linux
The news for processors and system-on-chip (SoC) products these days is all about 64-bit cores powering the latest computers and smartphones, so it's easy to be misled into thinking that all 32-bit technology is obsolete. That quickly leads to the idea of removing support for 32-bit hardware, which would clearly make life easier for kernel developers in a number of ways. At the same time, a majority of embedded systems shipped today do use 32-bit processors, so a valid question is if this will ever change, or if 32-bit will continue to be the best choice for devices that do not require significant resources.
GitHub's report on open-source security
GitHub has released its "2020 State of the Octoverse" report; one piece of that is a report on security [PDF]. There are a number of interesting conclusions there, including that a surprising number of security vulnerabilities are planted deliberately. "Analysis on a random sample of 521 advisories from across our six ecosystems finds that 17% of the advisories are related to explicitly malicious behavior such as backdoor attempts. Of those 17%, the vast majority come from the npm ecosystem. While 17% of malicious attacks will steal the spotlight in security circles, vulnerabilities introduced by mistake can be just as disruptive and are much more likely to impact popular projects. Out of all the alerts GitHub sent developers notifying them of vulnerabilities in their dependencies, only 0.2% were related to explicitly malicious activity. That is, most vulnerabilities were simply those caused by mistakes."
Security updates for Friday
Security updates have been issued by Debian (thunderbird), Fedora (c-ares, pdfresurrect, webkit2gtk3, and xen), openSUSE (python3), SUSE (gdm, python-pip, rpmlint, and xen), and Ubuntu (snapcraft).
[$] XFS, stable kernels, and -rc releases
Ever since the stable-update process was created, there have been questions about which patches are suitable for inclusion in those updates; usually, these discussions are driven by people who think that the criteria should be more restrictive. A regression in the XFS filesystem that found its way into the 5.9.9 stable update briefly rekindled this discussion. In one sense, there was little new ground covered in this iteration, but there was an interesting point raised about the relationship between stable updates and the mainline kernel -rc releases.
Linux Foundation 2020 annual report
The Linux Foundation has published a glossy report of its activities for 2020. "2020 has been a year of challenges for the Linux Foundation ('LF') and our hosted communities. During this pandemic, we’ve all seen our daily lives and those of many of our colleagues, friends, and family around the world completely changed. Too many in our community also grieved over the loss of family and friends. It was uplifting to see LF members join the fight against COVID-19. Our members worldwide contributed technical resources for scientific researchers, offered assistance to struggling families and individuals, contributed to national and international efforts, and some even came together to create open source projects under LF Public Health to help countries deal with the pandemic."
Security updates for Thursday
Security updates have been issued by Mageia (cimg, pngcheck, poppler, tor, and xdg-utils), openSUSE (mariadb), Red Hat (go-toolset-1.14-golang), and Ubuntu (linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-gcp, linux-gcp-4.15, linux-gke-4.15, linux-hwe, linux-kvm, linux-oem, linux-oracle, linux-raspi2, linux-snapdragon).
[$] LWN.net Weekly Edition for December 3, 2020
The LWN.net Weekly Edition for December 3, 2020 is available.
[$] Python structural pattern matching morphs again
A way to specify multiply branched conditionals in the Python language—akin to the C switch statement—has been a longtime feature request. Over the years, various proposals have been mooted, but none has ever crossed the finish line and made it into the language. A highly ambitious proposal that would solve the multi-branch-conditional problem (and quite a bit more) has been discussed—dissected, perhaps—in the Python community over the last six months or so. We have covered some of the discussion in August and September, but the ground has shifted once again so it is time to see where things stand.
Certificates from Let's Encrypt (R3 active)
Let's Encrypt has announced that, as of today, the TLS certificates issued by the Let's Encrypt certificate authority are using a new intermediate certificate. "While LE will start using their new _roots_ next year, the change today is using a _variant_ of their "R3" certificate which is cross-signed from IdenTrust, rather than chaining back to their "ISRG Root X1". This will affect you if you're using DANE, TLSA records in DNS, signed by DNSSEC, to advertise properties of the certificate chain which remote systems should expect to see."
Stable kernel updates
Stable kernels 5.9.12, 5.4.81, 4.19.161, 4.14.210, 4.9.247, and 4.4.247 have been released with important fixes. Users should upgrade.
Security updates for Wednesday
Security updates have been issued by Debian (brotli, jupyter-notebook, and postgresql-9.6), Fedora (perl-Convert-ASN1 and php-pear), openSUSE (go1.15, libqt5-qtbase, mutt, python-setuptools, and xorg-x11-server), Oracle (firefox, kernel, libvirt, and thunderbird), Red Hat (rh-postgresql10-postgresql and rh-postgresql12-postgresql), SUSE (java-1_8_0-openjdk, python, python-cryptography, python-setuptools, python3, and xorg-x11-server), and Ubuntu (linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-hwe-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux, linux-aws, linux-azure, linux-gcp, linux-kvm, linux-oracle, linux-raspi, linux, linux-aws, linux-azure, linux-kvm, linux-lts-trusty, linux-raspi2, linux-snapdragon, python-werkzeug, and xorg-server, xorg-server-hwe-16.04, xorg-server-hwe-18.04).
Popov: Linux kernel heap quarantine versus use-after-free exploits
Alexander Popov describes his kernel heap-quarantine patches designed to protect the system against use-after-free vulnerabilities. "In July 2020, I got an idea of how to break this heap spraying technique for UAF exploitation. In August I found some time to try it out. I extracted the slab freelist quarantine from KASAN functionality and called it SLAB_QUARANTINE. If this feature is enabled, freed allocations are stored in the quarantine queue, where they wait to be actually freed. So there should be no way for them to be instantly reallocated and overwritten by UAF exploits."
xorg-server 1.20.10
Xorg-server 1.20.10 has been released. This version fixes security issues that could lead to privilege escalation, or other problems.
[$] Challenges in protecting virtual machines from untrusted entities
As an ever-growing number of workloads are being moved to the cloud, CPU vendors have begun to roll out purpose-built hardware features to isolate virtual machines (VMs) from potentially hostile parties. These processor features, and their extensions, enable the notion of "secure VMs" (or "confidential VMs") — where a VM's "sensitive state" needs to be protected from untrusted entities. Drawing from his experience contributing to the secure VM implementation for the s390 architecture, Janosch Frank described the challenges involved in a talk at the 2020 (virtual) KVM Forum. Though the implementations across CPU vendors may vary, there are many shared problems, which opens up possibilities for collaboration.
Security updates for Tuesday
Security updates have been issued by Debian (libxstream-java, musl, mutt, pdfresurrect, vips, and zsh), Fedora (libuv, nodejs, thunderbird, and xen), openSUSE (libssh2_org, mutt, neomutt, and thunderbird), Oracle (firefox and thunderbird), Red Hat (firefox, rh-nodejs12-nodejs, rh-php73-php, and thunderbird), Scientific Linux (thunderbird), SUSE (libX11, mariadb, mutt, python-pip, python-setuptools, and python36), and Ubuntu (containerd, php-pear, and sniffit).
[$] Scheduling for asymmetric Arm systems
The Arm processor architecture has pushed the boundaries in a number of ways, some of which have required significant kernel changes in response. For example, the big.LITTLE architecture placed fast (but power-hungry) and slower (but more power-efficient) CPUs in the same system-on-chip (SoC); significant scheduler changes were needed for Linux to be able to properly distribute tasks on such systems. For all their quirkiness, big.LITTLE systems still feature CPUs that are in some sense identical: they can all run any task in the system. What is the scheduler to do, though, if confronted with a system where that is no longer true?
pip 20.3 release
The Python Packaging Authority has announced the release of pip 20.3. There is some potential for disruption with this release. "The new resolver is now *on by default*. It is significantly stricter and more consistent when it receives incompatible instructions, and reduces support for certain kinds of constraints files, so some workarounds and workflows may break."
Security updates for Monday
Security updates have been issued by Arch Linux (c-ares, libass, raptor, rclone, and swtpm), Debian (libproxy, qemu, tcpflow, and x11vnc), Fedora (asterisk, c-ares, microcode_ctl, moodle, pam, tcpdump, and webkit2gtk3), Mageia (jruby and webkit2), openSUSE (buildah, c-ares, ceph, fontforge, java-1_8_0-openjdk, kernel, LibVNCServer, mariadb, thunderbird, ucode-intel, and wireshark), Red Hat (firefox, rh-mariadb103-mariadb and rh-mariadb103-galera, and thunderbird), SUSE (binutils, libssh2_org, LibVNCServer, libX11, and nodejs12), and Ubuntu (mysql-8.0 and qemu).
PHP 8.0.0 released
Version 8.0.0 of the PHP language has been released. New features include union types, named arguments, match expressions, a just-in-time compiler, and more; see this article for more information.
Kernel prepatch 5.10-rc6
The 5.10-rc6 kernel prepatch is out. "So I'm feeling pretty good about 5.10, and I hope I won't be proven wrong about that. But please do test."
Security updates for Friday
Security updates have been issued by Arch Linux (go, libxml2, postgresql, and wireshark-cli), Debian (drupal7 and lxml), Fedora (drupal7, java-1.8.0-openjdk-aarch32, libxml2, pacemaker, slurm, and swtpm), openSUSE (c-ares, ceph, chromium, dash, firefox, go1.14, java-1_8_0-openjdk, kernel, krb5, perl-DBI, podman, postgresql10, postgresql12, rclone, slurm, ucode-intel, wireshark, wpa_supplicant, and xen), SUSE (ceph, firefox, kernel, LibVNCServer, and python), and Ubuntu (freerdp, poppler, and xdg-utils).
Thanksgiving security updates
Security updates have been issued by openSUSE (blueman, chromium, firefox, LibVNCServer, postgresql10, postgresql12, thunderbird, and xen), Slackware (bind), SUSE (bluez, kernel, LibVNCServer, thunderbird, and ucode-intel), and Ubuntu (mutt, poppler, thunderbird, and webkit2gtk).
The new rules for Perl governance
The process of adopting a new governance model for the Perl project appears to be reaching an end; the new model is designed to look a lot like the one adopted by the Python project. "So, now Perl has two well-defined bodies involved in its governance: a core team of a few dozen and a steering council of three people. The core team sets the rules of Perl governance, votes on membership of the two groups, and delegates substantial decision making power to the steering council. The steering council has broad authority to make decisions about the development of the Perl language, the interpreter, and all other components, systems and processes that result in new releases of the language interpreter." The full description is available for those looking for the details.
Security updates for Wednesday
Security updates have been issued by Debian (spip and webkit2gtk), Fedora (kernel and libexif), openSUSE (chromium and rclone), Slackware (mutt), SUSE (kernel, mariadb, and slurm), and Ubuntu (igraph).
[$] Mutt releases version 2.0
The venerable email client Mutt has just reached version 2.0. Mutt is different from the type of client that has come to dominate the email landscape—for one thing, it has no graphical interface. It has a long history that is worth a bit of a look, as are its feature set and extensive customizability. Version 2.0 brings several enhancements to Mutt's interface, configurability, and convenience, as well. In this article, readers who are unfamiliar with Mutt will learn about a different way to deal with the daily chore of wrangling their inboxes, while Mutt experts may discover some new sides to an old friend.
A set of stable kernels
Greg Kroah-Hartman has released the 5.9.11, 5.4.80, 4.19.160, 4.14.209, 4.9.246, and 4.4.246 stable kernels. They all contain important fixes and users should upgrade.
Security updates for Tuesday
Security updates have been issued by Fedora (chromium, microcode_ctl, and seamonkey), Mageia (f2fs-tools, italc, python-cryptography, python-pillow, tcpreplay, and vino), Oracle (thunderbird), Red Hat (bind, kernel, microcode_ctl, net-snmp, and Red Hat Virtualization), Scientific Linux (net-snmp and thunderbird), SUSE (kernel and mariadb), and Ubuntu (atftp, libextractor, pdfresurrect, and pulseaudio).
GNU Guix 1.2.0 released
GNU Guix, a functional package manager and associated free software distribution, was introduced eight years ago. The 1.2.0 release celebrates the anniversary. "A major highlight in this release is the ability to authenticate channels, which probably makes Guix one of the safest ways to deliver complete operating systems today. This was the missing link in our “software supply chain” and we’re glad it’s now fixed. The end result is that guix pull and related commands now cryptographically authenticate channel code that they fetch; you cannot, for instance, retrieve unauthorized commits to the official Guix repository."
Huang: Evaluating Precursor’s Hardware Security
For those who are interested in security at the hardware level, this blog post from Andrew 'bunnie' Huang is well worth a read. "Despite any claims you may have heard otherwise, tamper resistance is a largely unsolved problem. Any secrets committed to a non-volatile format are vulnerable to recovery by a sufficiently advanced adversary. The availability of near-atomic level microscopy, along with sophisticated photon and phonon based probing techniques, means that a lab equipped with a few million dollars worth of top-notch gear and well-trained technicians has a good chance of recovering secret key material out of virtually any non-volatile storage media. The hard part is figuring out where the secrets are located on the chip."
Security updates for Monday
Security updates have been issued by Debian (cimg, golang-1.7, golang-1.8, krb5, mediawiki, mupdf, php-pear, samba, thunderbird, and zabbix), Fedora (chromium, krb5, microcode_ctl, pngcheck, and rpki-client), Mageia (librepo, postgresql, python-twisted, raptor2, tcpdump, and thunderbird), openSUSE (blueman, java-11-openjdk, moinmoin-wiki, python, rmt-server, SDL, and tcpdump), Red Hat (chromium-browser and thunderbird), SUSE (c-ares, ceph, dash, firefox, java-1_8_0-openjdk, postgresql10, postgresql12, postgresql96, u-boot, and ucode-intel), and Ubuntu (openldap).
Kernel prepatch 5.10-rc5
The 5.10-rc5 kernel prepatch is out. "The 5.10 release candidates stubbornly keeps staying fairly big, even though by rc5 we really should be seeing things starting to calm down and shrink. There's nothing in here that makes me particularly nervous, but in pure numbers of commits, this is the largest rc5 we've had in the 5.x series."
Some weekend stable kernel updates
The 5.9.10, 5.4.79, 4.19.159, 4.14.208, 4.9.245, and 4.4.245 stable kernel updates are all available. Each contains another set of important fixes, as usual.
[$] epoll_pwait2(), close_range(), and encoded I/O
The various system calls and other APIs that the kernel provides for access to files and filesystems have grown increasingly comprehensive over the years. That does not mean, though, that there is no need or room for improvement. Several relatively small additions to the kernel's filesystem-related API are under consideration in the development community; read on for a survey of some of this work.
Security updates for Friday
Security updates have been issued by CentOS (firefox), Fedora (chromium, microcode_ctl, mingw-libxml2, seamonkey, and xen), openSUSE (slurm_18_08 and tor), Oracle (thunderbird), SUSE (buildah, firefox, go1.14, go1.15, krb5, microcode_ctl, perl-DBI, podman, postgresql12, thunderbird, ucode-intel, wireshark, wpa_supplicant, and xen), and Ubuntu (firefox and phpmyadmin).
Paalanen: Developing Wayland Color Management and High Dynamic Range
Over on the Collabora blog, Pekka Paalanen writes about adding color management and high dynamic range (HDR) support to the Wayland display server protocol. X11 already has support for color management tools and workflow, but not HDR, and Wayland currently doesn't support either, but Paalanen and others are working to change that. "As color management is all about color spaces and gamuts, and high dynamic range (HDR) is also very much about color spaces and gamuts plus extended luminance range, Sebastian [Wick] and I decided that Wayland color management extension should cater for both from the beginning. Combining traditional color management and HDR is a fairly new thing as far as I know, and I'm not sure we have much prior art to base upon, so this is an interesting research journey as well. There is a lot of prior art on HDR and color management separately, but they tend to have fundamental differences that make the combination not obvious."
GCompris releases version 1.0 to celebrate 20 years
The GCompris project, which provides a "high quality educational software suite, including a large number of activities for children aged 2 to 10", has announced its 1.0 release, which celebrates the 20th anniversary of the project. It includes more than 100 activities, a new Dataset selection in the Activity Settings menu for more than 50 activities, and four new activities, including an Analog Electricity activity to simulate and learn about circuits. KDE.news covered the release: "We have built the activities to follow the principles of 'nothing succeeds like success' and that children, when learning, should be challenged, but not made to feel threatened. Thus, GCompris congratulates, but does not reprimand; all the characters the child interacts with are friendly and supportive; activities are brightly colored, contain encouraging voices and play upbeat, but soothing music. The hardware requirements for running GCompris are extremely low and it will run fine on older computers or low-powered machines, like the Raspberry Pi. This saves you and your school from having to invest in new and expensive equipment and it is also eco-friendly, as it reduces the amount of technological waste that is produced when you have to renew computers to adapt to more and more power-hungry software. GCompris works on Windows, Android and GNU/Linux computers, and on desktop machines, laptops, tablets and phones."
[$] ID mapping for mounted filesystems
Almost every filesystem (excepting relics like VFAT) implements the concept of the owner and group of each file; the higher levels of the operating system then use that information to control access to those files. For decades, it has usually sufficed to track a single owner and group for each file, but there is an increasing number of use cases wanting to make that ownership relative to the environment any given process is running in. Developers have been working for a few years to find solutions to this problem; the latest attempt is the ID-mapped mounts patch set from Christian Brauner.
Six new stable kernels
Greg Kroah-Hartman has released the 5.9.9, 5.4.78, 4.19.158, 4.14.207, 4.9.244, and 4.4.244 stable kernels. They all contain important fixes throughout the kernel tree; users of those series should upgrade.
Rust 1.48.0 released
Version 1.48.0 of the Rust language has been released. The biggest change appears to be improvements to the documentation system, but there's more: "The most significant API change is kind of a mouthful: [T; N]: TryFrom<Vec<T>> is now stable. What does this mean? Well, you can use this to try and turn a vector into an array of a given length".
Security updates for Thursday
Security updates have been issued by Arch Linux (chromium and firefox), CentOS (bind, curl, fence-agents, kernel, librepo, libvirt, microcode_ctl, python, python3, qt and qt5-qtbase, resource-agents, and tomcat), Debian (drupal7, firefox-esr, jupyter-notebook, packer, python3.5, and rclone), Fedora (firefox), Mageia (firefox, nss), openSUSE (gdm, kernel-firmware, and moinmoin-wiki), Oracle (net-snmp), SUSE (libzypp, zypper), and Ubuntu (c-ares).
[$] LWN.net Weekly Edition for November 19, 2020
The LWN.net Weekly Edition for November 19, 2020 is available.
[$] OpenWrt and self-signed certificates
The move to secure most or all of web traffic using HTTPS is generally a good thing; lots of personal information is exchanged via web browsers, after all. Using HTTPS requires web sites to have TLS certificates, however, which has sometimes been an impediment, though Let's Encrypt has generally solved that problem for many. But there are systems out there that may need the HTTPS protection before their owners even have a chance to procure a certificate, IoT devices and home routers, for example. An October discussion among OpenWrt developers explored this problem a bit.
Security updates for Wednesday
Security updates have been issued by openSUSE (opera and raptor), Oracle (bind, bluez, firefox, microcode_ctl, and thunderbird), Red Hat (firefox, net-snmp, and thunderbird), SUSE (java-11-openjdk and tcpdump), and Ubuntu (firefox, krb5, and libvncserver, vino).
No more Flash support in Firefox
Mozilla has announced that the Adobe Flash era is coming to an end. "Firefox version 84 will be the final version to support Flash. On January 26, 2021 when we release Firefox version 85, it will ship without Flash support, improving our performance and security." One suspects that few people will miss this support.