Feed lwn LWN.net


Link https://lwn.net/
Feed http://lwn.net/headlines/rss
Updated 2024-11-24 06:15
[$] Per-system-call kernel-stack offset randomization
In recent years, the kernel has (finally) upped its game when it comes to hardening. It is rather harder to compromise a running kernel than it used to be. But "rather harder" is relative: attackers still manage to find ways to exploit kernel bugs. One piece of information that can be helpful to attackers is the location of the kernel stack; this patch set from Kees Cook and Elena Reshetova may soon make that information harder to come by and nearly useless in any case.
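As an added illustration of the mechanism (this is not code from the patch set or from LWN): the patch set's approach is to extend the stack by a random amount at system-call entry, so that the handler's frame lands at an unpredictable depth on every call and a leaked stack address from one call says little about the next. The userspace C below mimics that with an alloca() of a caller-chosen size before calling a stand-in handler, and measures how far the handler's frame moved. The names handler_frame_addr, dispatch_with_offset and frame_shift are made up for this example, the rand()-based offset is a stand-in for the kernel's entropy source, and a downward-growing stack (x86, arm64) is assumed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for the system-call handler: report where its frame landed.
 * noinline so it really gets its own frame below the caller's. */
__attribute__((noinline)) static uintptr_t handler_frame_addr(void)
{
    volatile char marker = 0;          /* a local that lives in this frame */
    return (uintptr_t)&marker;
}

/* Mimics the patch set's idea in userspace: before dispatching the "syscall",
 * move the stack pointer down by a per-call offset with alloca, then pin the
 * allocation with an empty asm so the compiler can neither drop it nor turn
 * the handler call into a tail call. Everything the handler pushes afterwards
 * lands below that gap. */
__attribute__((noinline)) static uintptr_t dispatch_with_offset(size_t offset)
{
    char *gap = __builtin_alloca(offset);
    uintptr_t where = handler_frame_addr();
    __asm__ __volatile__("" : : "r"(gap) : "memory");
    return where;
}

/* Distance (bytes) between the handler's frame with no offset and with the
 * given offset. On a downward-growing stack this tracks the offset, rounded
 * up to the ABI's stack alignment. */
size_t frame_shift(size_t offset)
{
    uintptr_t base = dispatch_with_offset(0);
    uintptr_t moved = dispatch_with_offset(offset);
    return (size_t)(base - moved);
}

int main(void)
{
    /* Stand-in for the kernel's entropy source: a few random bits, masked to
     * a bounded, 16-byte-aligned range so the gap never grows large. */
    srand(1);
    for (int i = 0; i < 4; i++) {
        size_t off = ((size_t)rand() & 0x3ff) & ~(size_t)0xf;   /* 0..1008 */
        printf("offset %4zu -> handler frame shifted by %zu bytes\n",
               off, frame_shift(off));
    }
    return 0;
}
```

The point to take from running it: the handler's locals, spilled registers and saved return addresses all move with the gap, so an attacker who learned the stack layout during one call cannot assume it for the next one; the cost per call is one subtraction from the stack pointer.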
Security updates for Friday
Security updates have been issued by Debian (bluez and php5), Fedora (chromium, kernel, and PyYAML), Gentoo (adobe-flash, libvpx, php, qtcore, and unzip), openSUSE (chromium, kernel, and mcpp), Oracle (ipmitool and libvncserver), Red Hat (ipmitool and rh-postgresql10-postgresql), Slackware (kernel), and SUSE (ldns and tomcat6).
Malcolm: Static analysis in GCC 10
David Malcolm writes about the static-analysis features that he is working on adding to the GCC compiler. "This issue is, of course, a huge problem to tackle. For this release, I’ve focused on the kinds of problems seen in C code—and, in particular double-free bugs—but with a view toward creating a framework that we can expand on in subsequent releases (when we can add more checks and support languages other than C)."
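An added example of the kind of bug Malcolm's post singles out (this code is not from the post or from GCC): a buffer freed on an error path and then freed again by a shared cleanup label, beside the corrected shape. Compiling the file with GCC 10's -fanalyzer (for example `gcc -fanalyzer -c parse.c`) reports the first function under -Wanalyzer-double-free. The function names and the dup_str helper are made up for this example; strdup() is avoided because it is POSIX rather than ISO C.

```c
#include <stdlib.h>
#include <string.h>

/* Copy a C string into fresh heap storage. */
static char *dup_str(const char *s)
{
    size_t n = strlen(s) + 1;
    char *copy = malloc(n);
    if (copy)
        memcpy(copy, s, n);
    return copy;
}

/* The "before" case: the buffer is released on the error path and then
 * released again by the common cleanup label. This is exactly the path
 * -fanalyzer walks: malloc -> free -> free on the same pointer. Kept only
 * to show the bug; nothing calls it. */
int parse_int_buggy(const char *text, int *out)
{
    char *copy = dup_str(text);
    char *end;
    long v;

    if (!copy)
        return -1;
    v = strtol(copy, &end, 10);
    if (*end != '\0') {
        free(copy);           /* first free, on the error path ... */
        goto fail;
    }
    *out = (int)v;
    free(copy);
    return 0;
fail:
    free(copy);               /* ... and the same pointer freed again here */
    return -1;
}

/* The corrected shape: one owner, one exit path, the pointer freed exactly
 * once. Every path the analyzer explores now sees malloc -> free and it
 * stays quiet. The empty-string case (end == copy) is rejected as well. */
int parse_int(const char *text, int *out)
{
    char *copy = dup_str(text);
    char *end;
    long v;
    int rc = -1;

    if (!copy)
        return -1;
    v = strtol(copy, &end, 10);
    if (end != copy && *end == '\0') {
        *out = (int)v;
        rc = 0;
    }
    free(copy);
    return rc;
}

/* Convenience wrapper so the result is a plain return value: the parsed
 * number, or dflt when text is not a complete decimal integer. */
int parse_int_or(const char *text, int dflt)
{
    int v;
    return parse_int(text, &v) == 0 ? v : dflt;
}
```

The practical check is to build with and without the flag: the corrected function compiles cleanly under -fanalyzer, while the buggy one produces a diagnostic that walks through both free() calls with the event numbers the analyzer prints, which is what makes the report actionable rather than a bare warning.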
[$] Avoiding retpolines with static calls
January 2018 was a sad time in the kernel community. The Meltdown and Spectre vulnerabilities had finally been disclosed, and the required workarounds hurt kernel performance in a number of ways. One of those workarounds — retpolines — continues to cause pain, with developers going out of their way to avoid indirect calls, since they must now be implemented with retpolines. In some cases, though, there may be a way to avoid retpolines and regain much of the lost performance; after a long gestation period, the "static calls" mechanism may finally be nearing the point where it can be merged upstream.
Plasma on TV: Presenting Plasma Bigscreen (KDE.News)
The KDE.News site is carrying an announcement for the Plasma Bigscreen environment, which is meant for large-screen televisions. "Talking of interacting from the couch, voice control provides users with the ultimate comfort when it comes to TV viewing. But most big brands not only do not safeguard the privacy of their customers, but actively harvest their conversations even when they are not sending instructions to their TV sets. We use Mycroft's Open Source voice assistant to solve this problem."
Security updates for Thursday
Security updates have been issued by CentOS (firefox, icu, kernel-rt, libvncserver, python-imaging, python-pip, python-virtualenv, thunderbird, tomcat, tomcat6, and zsh), Debian (icu and okular), Fedora (libxslt and php), Gentoo (bluez, chromium, pure-ftpd, samba, tor, weechat, xen, and zsh), Oracle (libvncserver), Red Hat (ipmitool and zsh), and SUSE (python-cffi, python-cryptography and python-cffi, python-cryptography, python-xattr).
[$] LWN.net Weekly Edition for March 26, 2020
The LWN.net Weekly Edition for March 26, 2020 is available.
[$] Helping FOSS conferences in the face of a pandemic
The effects of the Coronavirus disease 2019 (COVID-19) pandemic are horrific and far-reaching; we really do not yet know just how bad it will get. One far less serious area that has been affected is conferences for and about free and open-source software (FOSS). On the grand scale, these problems are pretty low on the priority list. There are a fair number of non-profit organizations behind the gatherings, however, that have spent considerable sums setting up now-canceled events or depend on the conferences for a big chunk of their budget—or both. A new organization, FOSS Responders, has formed to try to help out.
O'Reilly shutting down its conference group
O'Reilly has announced that it is canceling all of its upcoming in-person conferences and shutting down its conference group permanently. "Without understanding when this global health emergency may come to an end, we can’t plan for or execute on a business that will be forever changed as a result of this crisis. With large technology vendors moving their events completely on-line, we believe the stage is set for a new normal moving forward when it comes to in-person events." There is still no notice to this effect on the OSCON page, but one assumes that is coming.
Some stable kernels
Stable kernels 5.5.13, 5.5.12, 5.4.28, and 4.19.113 have been released. They all contain important fixes and users should upgrade.
[$] Django changes its governance
The Django web framework has come a long way since it was first released as open source in 2005. It started with a benevolent dictator for life (BDFL) governance model, like the language it is implemented in, Python, but switched to a different model in 2014. When Python switched away from the BDFL model in 2018, it followed Django's lead to some extent. But now Django is changing yet again, moving from governance based around a "core team" to one that is more inclusive and better reflects the way the project is operating now.
Security updates for Wednesday
Security updates have been issued by Debian (e2fsprogs, ruby2.1, and weechat), Fedora (java-1.8.0-openjdk and webkit2gtk3), openSUSE (apache2-mod_auth_openidc, glibc, mcpp, nghttp2, and skopeo), Oracle (libvncserver and thunderbird), and SUSE (keepalived).
Speeding up Linux disk encryption (Cloudflare)
The Cloudflare blog has an article on the company's work to improve the performance of Linux disk encryption. "As we can see the default Linux disk encryption implementation has a significant impact on our cache latency in worst case scenarios, whereas the patched implementation is indistinguishable from not using encryption at all. In other words the improved encryption implementation does not have any impact at all on our cache response speed, so we basically get it for free!" Patches are available, but they are apparently not in any form to go upstream.
LLVM 10.0.0 released
Version 10.0.0 of the LLVM compiler suite is out. New features include support for C++ concepts, Windows control flow guard support, and much more; click below for pointers to a set of language-specific release notes.
PSF: New pip resolver to roll out this year
The Python Software Foundation blog looks at some changes to pip, the Python Package installer, in the process of developing a new resolver. The new resolver will reduce inconsistency and be stricter, refusing to install two packages with incompatible requirements. Also, this is a major change to a key part of pip - it's quite possible there will initially be bugs. We would like to make sure that those get caught before people start using the new version in production. [...] We recognize that everyone's work is being disrupted by the COVID-19 pandemic, and that many data scientists and medical researchers use Python and pip in their work. We want to make the upgrade process as smooth and bug-free as possible for our users; if you can help us, you'll be helping each other.
Security updates for Tuesday
Security updates have been issued by Debian (tomcat8), Fedora (chromium and okular), openSUSE (texlive-filesystem), Oracle (tomcat6), Scientific Linux (libvncserver, thunderbird, and tomcat6), Slackware (gd), SUSE (cloud-init, postgresql10, python36, and strongswan), and Ubuntu (ibus and vim).
[$] Video conferencing with Jitsi
Spring is coming to the northern hemisphere, and one's thoughts naturally turn to ... being locked up inside the house and not allowed to go anywhere. That has, in turn, led to an increasing interest in alternative mechanisms for keeping up with family and coworkers, especially video conferencing. There are a number of proprietary video-conferencing services out there; your editor decided to look into what solutions exist in the free-software realm. It turns out that there are a few; the first to be looked at is Jitsi.
Announcing Season of Docs 2020
Google Open Source has announced the 2020 edition of Season of Docs, a program to connect open source projects with technical writers to improve documentation. Open source organizations may apply from April 14-May 4. Once mentoring organizations and technical writers are connected, there will be a month long community bonding period, beginning August 11. Writers will then work with mentors to complete documentation projects by the December 6 deadline.
MythTV 31
For those stuck at home looking for something to do, version 31 of the MythTV DVR and home media center hub has been released. Features include significant changes to video decoding and playback, improved channel scanning, and Python 3 support. See the release notes for more information.
Parrot OS 4.8 released
Parrot OS is a security and privacy focused distribution, with tools for cyber security operations. Parrot 4.8 follows Debian testing and has many updates from the Debian repositories. Parrot Docker containers allow you to use Parrot tools on docker-supported operating systems. Since the previous release last September the Parrot team has put some effort into reorganizing its internal structure, from the operations and workflow of developers, up to the infrastructure. "After such a huge work, we have finally moved to the new workflow, and Parrot 4.8 is the proof of how hard we wanted such changes to take place in the project and how smooth development and cooperation became after achieving this goal."
Security updates for Monday
Security updates have been issued by Debian (amd64-microcode, chromium, graphicsmagick, jackson-databind, phpmyadmin, python-bleach, and tor), Gentoo (exim and nodejs), openSUSE (chromium and thunderbird), Oracle (tomcat), Red Hat (devtoolset-8-gcc, libvncserver, runc, samba, thunderbird, and tomcat6), and SUSE (ruby2.5).
Git v2.26.0 released
Version 2.26.0 of the Git source-code management system is out. Significant changes include a reimplementation of the "rebase" mechanism, improvements to sparse checkouts, performance improvements, and more. See this GitHub blog entry for more information.
Kernel prepatch 5.6-rc7
The 5.6-rc7 kernel prepatch is out for testing; this may be the last one before the final release. "The world around us may be going through strange times, but at least so far kernel development looks normal."
Six new stable kernels for the weekend
A new batch of stable kernels has just been released: 5.5.11, 5.4.27, 4.19.112, 4.14.174, 4.9.217, and 4.4.217. As usual, these contain important fixes throughout the kernel tree; users should upgrade.
[$] Automatic buffer selection for io_uring
The io_uring subsystem has, in the last year, redefined how asynchronous I/O is done on Linux systems. As this subsystem grows in both capability and users, though, it starts to run into limitations in the types of operations that can be expressed. That is driving a number of changes in how operations are programmed for io_uring. One example is the set of mechanisms considered for carrying a file descriptor between operations, which was covered here in early March. Another has to do with how I/O buffers are chosen for operations.
LMDE 4 “Debbie” released
The Linux Mint Debian Edition (LMDE) 4 has been released. "LMDE is a Linux Mint project which stands for 'Linux Mint Debian Edition'. Its goal is to ensure Linux Mint would be able to continue to deliver the same user experience, and how much work would be involved, if Ubuntu was ever to disappear. LMDE is also one of our development targets, to guarantee the software we develop is compatible outside of Ubuntu. LMDE aims to be as similar as possible to Linux Mint, but without using Ubuntu. The package base is provided by Debian instead." It is based on Debian 10 ("Buster") with lots of new features, including many improvements from Linux Mint 19.3. More information can be found in the release notes.
Security updates for Friday
Security updates have been issued by Arch Linux (bluez and chromium), Debian (icu, rails, thunderbird, and twisted), Fedora (chromium and webkit2gtk3), Gentoo (bsdiff, cacti, clamav, fribidi, libgit2, pecl-imagick, phpmyadmin, pyyaml, and tomcat), openSUSE (wireshark), Oracle (firefox, icu, python-imaging, thunderbird, and zsh), Scientific Linux (thunderbird), SUSE (firefox, nghttp2, thunderbird, and tomcat), and Ubuntu (twisted).
Hacking the planet with Notcurses
Author Nick Black has written an extensive book on the creation of textual user interfaces using the notcurses library; it's available under the Apache license [PDF]. "Many people asked how such a thing was useful. My usual response was that numerous devices don’t present a bitmap interface, that X11 GUIs run remotely over SSH are effectively unusable, that plenty of machines don’t have a GUI environment installed, that there are obvious applications for large outdoor displays, and that Sixel isn’t well-supported across different terminal emulators. It seems impossible in an age of gigatransistor graphics cards, but the text environment still presents perceivably less latency than most GUI toolkits."
[$] Working-set protection for anonymous pages
The kernel's memory-management subsystem goes to great lengths to keep the pages that are actually in use in memory. But sometimes it gets things wrong, leading to reduced performance or, in the worst cases, flat-out thrashing. We may be about to see a significant improvement, though, thanks to a patch set from Joonsoo Kim changing how anonymous pages (those containing data not backed by files on disk) are managed. As it turns out, all that had to be done was to make use of some work that already exists in related parts of the memory-management code.
Qubes Architecture Next Steps: The GUI Domain
Here's a detailed blog post on how the Qubes distribution is working to isolate the graphical interface from the rest of the system. "The upcoming 4.1 release changes this protocol to a more flexible form. It will no longer use direct memory addresses, but an abstract mechanism in which the qube has to explicitly allow access to a particular memory page. In our current implementation — under Xen — we use the grant tables mechanism, which provides a separate memory allocation API and allows working on grants and not directly on memory pages. Other implementations will also be possible: whether for another hypervisor (e.g. KVM) or for a completely different architecture not based on shared memory (e.g. directly sending frames to another machine)."
Security updates for Thursday
Security updates have been issued by Debian (gdal), Fedora (nethack), Mageia (okular, sleuthkit, and webkit2), openSUSE (salt), Oracle (icu, kernel, python-pip, python-virtualenv, and zsh), Red Hat (icu, python-imaging, thunderbird, and zsh), Scientific Linux (icu, python-imaging, and zsh), SUSE (postgresql10), and Ubuntu (apache2).
[$] LWN.net Weekly Edition for March 19, 2020
The LWN.net Weekly Edition for March 19, 2020 is available.
[$] Improving pretty-printing in Python
The python-ideas mailing list is typically used to discuss new features or enhancements for the language; ideas that gain traction will get turned into Python Enhancement Proposals (PEPs) and eventually make their way to python-dev for wider consideration. Steve Jorgensen recently started a discussion of just that sort; he was looking for a way to add customization to the "pretty-print" module (pprint) so that objects could change the way they are displayed. The subsequent thread went in a few different directions that reflect the nature of the mailing list—and the idea itself.
Ryabitsev: Introducing b4 and patch attestation
Konstantin Ryabitsev introduces the "b4" tool for kernel development. Developers and LWN readers will be familiar with b4 under its previous name: get-lore-mbox. "On top of that, b4 also introduces support for cryptographic patch attestation, which makes it possible to verify that patches (and their metadata) weren't modified in transit between developers. This is still an experimental feature, but initial tests have been pretty encouraging." See this article for early coverage of the attestation feature.
DeVault: The reckless, infinite scope of web browsers
Drew DeVault complains about the complexity of the web and the browsers that work with it. "The major projects are open source, and usually when an open-source project misbehaves, we’re able to fork them to offer an alternative. But even this is an impossible task where web browsers are concerned. The number of W3C specifications grows at an average rate of 200 new specs per year, or about 4 million words, or about one POSIX every 4 to 6 months. How can a new team possibly keep up with this on top of implementing the outrageous scope web browsers already have now?"
[$] Bringing encryption restrictions in through the back door
Legislation recently proposed in the US Senate is ostensibly meant to combat "child sexual abuse material" (CSAM), but it does not actually do much to combat that horrible problem. Its target, instead, is the encryption of user communications, which the legislation—tellingly—never mentions. The Eliminating Abusive and Rampant Neglect of Interactive Technologies Act of 2020, EARN IT for short, is an attempt to force online service providers (e.g. Facebook, Google, etc.) to follow a set of "best practices" determined by a commission, to combat the scourge of CSAM; the composition of that commission makes it clear that end-to-end encryption will not be one of those practices, but companies that do not follow the best practices will lose liability protection for their users' actions. It is, in brief, an attempt to force providers to either abandon true end-to-end encryption or face ruinous lawsuits—all without "seeming" to be about encryption at all.
Stable kernel updates
Stable kernels 5.5.10, 5.4.26, and 4.19.111 have been released with important fixes. Users of those series should upgrade.
Security updates for Wednesday
Security updates have been issued by Debian (libvncserver and twisted), Fedora (libxslt), Red Hat (kernel, kernel-rt, python-flask, python-pip, python-virtualenv, slirp4netns, tomcat, and zsh), Scientific Linux (kernel, python-pip, python-virtualenv, tomcat, and zsh), SUSE (apache2-mod_auth_openidc and skopeo), and Ubuntu (apport and dino-im).
Security updates for Tuesday
Security updates have been issued by Arch Linux (okular, thunderbird, and webkit2gtk), Debian (webkit2gtk), Fedora (php-horde-Horde-Form), Gentoo (libvorbis, nss, and proftpd), Oracle (firefox and kernel), Red Hat (kernel), Scientific Linux (firefox), SUSE (cni, cni-plugins, conmon, fuse-overlayfs, podman, librsvg, and ovmf), and Ubuntu (ceph, icu, linux, linux-aws, linux-kvm, linux-aws-5.0, linux-gcp, linux-gke-5.0, linux-oracle-5.0, linux-kvm, linux-oracle, linux-raspi2, linux-raspi2-5.3, linux-kvm, linux-raspi2, linux-snapdragon, and linux-lts-xenial, linux-aws).
[$] Filesystem-oriented flags: sad, messy and not going away
Over the last decade, the addition of a "flags" argument to all new system calls, even if no flags are actually needed at the outset, has been widely adopted as a best practice. The result has certainly been greater API extensibility, but we have also seen a proliferation of various types of flags for related system calls. For calls related to files and filesystems, in particular, the available flags have reached a point where some calls will need as many as three arguments for them rather than just one.
FSF: 2019 Free Software Awards
The Free Software Foundation has announced the recipients of the 2019 Free Software Awards. A new category was added this year; the Award for Outstanding New Free Software Contributor went to Clarissa Lima Borges, "a talented young Brazilian software engineering student whose Outreachy internship work focused on usability testing for various GNOME applications". The Project of social benefit award went to Let's Encrypt, and the Award for the Advancement of Free Software was given to Jim Meyering, "a prolific free software programmer, maintainer, and writer".
Stable kernel 4.19.110
Stable kernel 4.19.110 has been released. "This fixes a problem in 4.19.109 in the KVM subsystem. If you use KVM, you are strongly encouraged to upgrade. If not, no big deal, you can ignore this release."
Security updates for Monday
Security updates have been issued by Debian (graphicsmagick, qemu, and slurm-llnl), Fedora (ansible, couchdb, mediawiki, and python3-typed_ast), Gentoo (atftp, curl, file, gdb, git, gst-plugins-base, icu, libarchive, libgcrypt, libjpeg-turbo, libssh, libvirt, musl, nfdump, ppp, python, ruby-openid, runc, sqlite, squid, sudo, SVG Salamander, systemd, thunderbird, tiff, and webkit-gtk), Mageia (firefox, kernel, and thunderbird), openSUSE (firefox, librsvg, php7, and tomcat), Red Hat (firefox), Slackware (thunderbird), and SUSE (firefox, kernel, salt, and wireshark).
Tails 4.4 released
Version 4.4 of The Amnesic Incognito Live System (or Tails) has been released. It has fixed a bunch of security vulnerabilities in Tails 4.3; users are advised to "upgrade as soon as possible". Tails 4.4 brings new versions of the Tor Browser (9.0.6), Thunderbird (68.5.0), and the Linux kernel (5.4.19). It also fixes some problems with WiFi. Tails is a Linux distribution that runs from removable media; it is focused on privacy, security, and anonymity.
Kernel prepatch 5.6-rc6
The 5.6-rc6 kernel prepatch has been released. "Diffstat looks normal, and the number of commits is right in the middle of the usual range too. And I don't think any of the commits look all that strange either - it's all pretty small."
[$] A QUIC look at HTTP/3
The Hypertext Transfer Protocol (HTTP) is a core component of the world-wide web. Over its evolution it has added features, including encryption, but time has revealed its limitations and those of the whole protocol stack. At FOSDEM 2020, Daniel Stenberg delivered a talk about a new version of the protocol called HTTP/3. It is under development and includes some big changes under the hood. There is no more TCP, for example; a new transport protocol called QUIC is expected to improve performance and allow new features.
Data Sharing and Open Source Software Help Combat Covid-19 (Wired)
Wired has an article on an open-source tool that is being used to track strains of Covid-19 throughout the world. "In the case of the Seattle area teenager, genetic data about his strain of Covid-19 was uploaded to Gisaid, a platform for sharing genomic data. Then researchers at Nextstrain made the connection with the earlier patient. Nextstrain is an open source application that tracks the evolution of viruses and bacteria, including Covid-19, Ebola, and lesser-known outbreaks such as Enterovirus D68 using data sourced largely from Gisaid. Hodcroft and other researchers involved with the project analyze the data shared on Gisaid for mutations and visualize the results. That’s how the team was able to spot the connection between the two Covid-19 cases in Washington."
Varrazzo: Thinking psycopg3
Psycopg is the database adapter used by most Python programs needing to work with the PostgreSQL database manager. In this blog post, psycopg maintainer Daniele Varrazzo looks forward to the next major version. "There is a chance now to rethink how thick the C libpq wrapper should be. We can reduce the C implementation to a minimal wrapper around the libpq (replaceable by a CFFI Python wrapper if compiling C is not available on the client), using it as a foundation to build a familiar DBAPI blocking interface. A blocking behaviour is not bad in itself: it allows to write most of the programs, the ones which don't need crazy concurrency, in a simple and familiar paradigm; the async layer would be available under the hood to squeeze the best performance in programs who have embraced an asynchronous pattern and framework."
Security updates for Friday
Security updates have been issued by Arch Linux (firefox, golang-golang-x-crypto, kernel, mbedtls, ppp, and python-django), Debian (slirp and yubikey-val), Fedora (firefox, java-1.8.0-openjdk-aarch32, mbedtls, monit, seamonkey, sympa, and zsh), Gentoo (chromium, e2fsprogs, firefox, groovy, postgresql, rabbitmq-c, ruby, and vim), Mageia (ppp), openSUSE (kernel), and SUSE (glibc, kernel, openstack-manila, php5, and squid).
Stable kernels for everyone
As expected, the 5.5.9, 5.4.25, 4.19.109, 4.14.173, 4.9.216, and 4.4.216 stable kernels have all been released; each contains another set of important fixes.