Security updates have been issued by Fedora (dotnet3.1, kernel, mbedtls, and python35), Mageia (libraw), openSUSE (mumble), SUSE (libsolv, libzypp, and perl-DBI), and Ubuntu (libdbi-perl, libphp-phpmailer, mcabber, ncmpc, openssl, openssl1.0, qemu, samba, storebackup, and util-linux).
As the PHP project nears its 8.0 release, which is currently slated for late November, there are a number of interesting things to report from its development mailing list. For one, the syntax of the attributes feature has finally been settled on after an acrimonious debate largely over the minutiae of the voting process. In addition, some releases were made and a new proposal to add any() and all() as core library functions was discussed.
The pandemic has changed many things in our communities, even though distance has always played a big role in free software development. Annual in-person gatherings for conferences and the like are generally paused at the moment, but even after travel and congregating become reasonable again, face-to-face meetings may be less frequent. There are both positives and negatives to that outcome, of course, but some rethinking will be in order if that comes to pass. The process of key signing is something that may need to change as well; the Debian project, which uses signed keys, has been discussing the subject.
Version 3.38 of the GNOME desktop environment is out. "This release brings a new Welcome tour, improved grouping and reordering of applications in the overview, better fingerprint enrollment, deeper systemd integration, and more." See the release notes for details.
Security updates have been issued by Fedora (libssh, python35, and xen), Oracle (kernel), Red Hat (librepo and mysql:8.0), SUSE (perl-DBI), and Ubuntu (Apache Log4j, Apache XML-RPC, bsdiff, libdbi-perl, luajit, milkytracker, OpenJPEG, ruby-loofah, and ruby-websocket-extensions).
The BPF virtual machine is being used ever more widely in the kernel, but it has not been a target for GCC until recently. BPF is currently generated using the LLVM compiler suite. Jose E. Marchesi gave a pair of presentations as part of the GNU Tools track at the 2020 Linux Plumbers Conference (LPC) that provided attendees with a look at the BPF for GCC project, which started around a year ago. It has made some significant progress, but there is, of course, more to do.
Moment.js, the de facto standard JavaScript library for date and time manipulation, has announced that "we would like to discourage Moment from being used in new projects going forward." The project cited multiple reasons for the recommendation. The first is that moment objects are mutable; another is the unnecessarily large size of the library when compared to other internationalization and time-zone support options available to modern browsers. According to the post, "we now generally consider Moment to be a legacy project in maintenance mode. It is not dead, but it is indeed done." The project offers multiple recommendations of alternative options, including "the evolution of Moment", Luxon, authored by long-time Moment.js contributor Isaac Cambron.
Security updates have been issued by CentOS (dovecot), Debian (gnome-shell and teeworlds), Mageia (libetpan and zeromq), openSUSE (libxml2), Red Hat (chromium-browser and librepo), SUSE (compat-openssl098, firefox, kernel, openssl, and shim), and Ubuntu (gupnp).
Tasklets offer a deferred-execution method in the Linux kernel; they have been available since the 2.3 development series. They allow interrupt handlers to schedule further work to be executed as soon as possible after the handler itself. The tasklet API has its shortcomings, but it has stayed in place while other deferred-execution methods, including workqueues, have been introduced. Recently, Kees Cook posted a security-inspired patch set (also including work from Romain Perier) to improve the tasklet API. This change is uncontroversial, but it provoked a discussion that might lead to the removal of the tasklet API in the (not so distant) future.
The 5.9-rc5 kernel prepatch is out for testing. "So aside from the smoke from the fires, and a performance regression I'm still looking at, things look normal."
In 2018, three former GnuPG developers began work on Sequoia, a new implementation of OpenPGP in Rust. OpenPGP is an open standard for data encryption, often used for secure email; GnuPG is an implementation of that standard. The GPLv2-licensed Sequoia is heading toward version 1.0, with a handful of issues remaining to be addressed. The project's founders believe that there is much to be desired in GnuPG, which is the de facto standard implementation of OpenPGP today. They hope to fix this with a reimplementation of the specification using a language with features that will help protect users from common types of memory bugs.
Security updates have been issued by Debian (python-pip), Fedora (kernel, libX11, and xen), openSUSE (go1.14), Oracle (libcroco, php:7.3, and postgresql:10), Red Hat (chromium-browser and httpd:2.4), and SUSE (gimp, golang-github-prometheus-prometheus, kernel, libxml2, pdsh, slurm_20_02, slurm, slurm_18_08, and tomcat).
In its early days, the Android project experienced a high-profile disconnect with the kernel community. That situation has since improved considerably, but there are still differences between Android kernels and the mainline. As a result, it is not possible to run Android on a vanilla kernel. That situation continues to improve, though; much evidence to that effect was on display during the Android microconference at the 2020 Linux Plumbers Conference. Several sessions there showed the progress that is being made toward unifying the Android and mainline kernels — and the places where there is still some work to be done.
Security updates have been issued by Arch Linux (ark, gnupg, go, opendmarc, and python-django), Debian (libxml2), Gentoo (chromium), Oracle (librepo and thunderbird), Red Hat (dovecot and httpd:2.4), SUSE (avahi, kernel, and openldap2), and Ubuntu (xorg-server).
Unlike many of the previous gatherings of the Linux realtime developers, their microconference at the virtual 2020 Linux Plumbers Conference had a different feel about it. Instead of being about when and how to get the feature into the mainline, the microconference had two sessions that looked at what happens after the realtime patches are upstream. That has not quite happened yet, but is likely for the 5.10 kernel, so the developers were looking to the future of the stable realtime trees and, relatedly, plans for continuous-integration (CI) testing for realtime kernels.
BPF is, of course, the language used for network (and other) customization in the Linux kernel, but some people have been using the Lua language for the networking side of that equation. Two developers from Ring-0 Networks, Lourival Vieira Neto and Victor Nogueira, came to the virtual Netdev 0x14 to present that work. It consists of a framework to allow the injection of Lua scripts into the running kernel as well as two projects aimed at routers, one of which is deployed on 20 million devices.
Security updates have been issued by Debian (grunt), Fedora (ansible and geary), openSUSE (firefox, gettext-runtime, python-Flask-Cors, and thunderbird), Oracle (firefox and thunderbird), Red Hat (.NET Core 3.1), SUSE (kernel and libjpeg-turbo), and Ubuntu (gnutls28 and libx11).
Android 11 has been released with the source pushed to the Android Open Source Project (AOSP). "For developers, Android 11 has a ton of new capabilities. You’ll want to check out conversation notifications, device and media controls, one-time permissions, enhanced 5G support, IME transitions, and so much more. To help you work and develop faster, we also added new tools like compatibility toggles, ADB incremental installs, app exit reasons API, data access auditing API, Kotlin nullability annotations, and many others."
Alyssa Rosenzweig looks at getting the Exposure Notifications System protocol, developed by Apple and Google for facilitating COVID-19 contact tracing on Android and iOS phones, running on GNU/Linux. "All in all, we end up with a Linux implementation of Exposure Notifications functional in Ontario, Canada. What’s next? Perhaps supporting contact tracing systems elsewhere in the world – patches welcome." The source code for liben is available "for any one who dares go near".
The GStreamer team has announced a major feature release of GStreamer. "The 1.18 release series adds new features on top of the previous 1.16 series and is part of the API and ABI-stable 1.x release series of the GStreamer multimedia framework." There is a lengthy list of highlights in the announcement and more details in the release notes.
The kernel does not have just one system call to rename a file; instead, there are three of them: rename(), renameat(), and renameat2(). Each was added when the previous one proved unable to support a new feature. A similar story has played out with a number of system calls: a feature is needed that doesn't fit into the existing interfaces, so a new one is created — again. At the 2020 Linux Plumbers Conference, Christian Brauner and Aleksa Sarai ran a pair of sessions focused on the creation of future-proof system calls that can be extended when the need for new features arises.
Back in 2014, a Raspberry Pi enthusiast by the name of Michael Teeuw shared his build of a "magic mirror" with the world in a six-part series. The system consisted of a Raspberry Pi and monitor running a web browser in kiosk mode, with a web server that provided a dashboard interface — all stored in a custom-built case with a one-way mirror. Since his post, others around the world have built these devices for their home (including myself), forming both a community and an interesting open-source project. The recent release of MagicMirror (MM2) version 2.12.0 gives us an opportunity to learn more about where the project started and where it is today.
Security updates have been issued by Debian (ark, netty, netty-3.9, qemu, squid3, and xorg-server), Fedora (chromium), Gentoo (dovecot and gnutls), Mageia (ansible, postgresql, and python-rsa), openSUSE (curl, freerdp, libX11, php7, squid, and xorg-x11-server), Oracle (kernel), Red Hat (thunderbird), Slackware (gnutls), and SUSE (firefox, kernel, and thunderbird).
The 5.9-rc4 kernel prepatch is out for testing. "So I certainly can't claim that things have calmed down, but hopefully this was pretty much it. Knock wood."
The Free Software Foundation (FSF) has announced that nominations are open, until October 28, for the Free Software Awards. Winners will be announced at the annual LibrePlanet conference. "You might know of a contributor or organization who has done significant and user-empowering work on free software. We invite you to take a moment to show them (and tell us) that you care, by nominating them for an award in one of three categories: the Award for the Advancement of Free Software, the Award for Projects of Social Benefit, or the Award for Outstanding New Free Software Contributor. Don't assume that someone else will nominate them -- too often, everyone assuming someone else will express the appreciation means that it never happens. As taking initiative and speaking up for the community are important parts of free software, why not take the time yourself to make sure your voice is heard?"
On September 1, the Linux From Scratch (LFS) project announced the release of version 10.0 of LFS along with Beyond Linux From Scratch (BLFS). LFS is "a project that provides you with step-by-step instructions for building your own customized Linux system entirely from source"; BLFS picks up where LFS leaves off. Both books are available online either with or without systemd: LFS System V, LFS systemd, BLFS System V, and BLFS systemd. "The LFS release includes updates to glibc-2.31, and binutils-2.34. A total of 35 packages have been updated. A new package, zstd-1.4.4, has also been added. Changes to text have been made throughout the book. The Linux kernel has also been updated to version 5.5.3. The BLFS version includes approximately 1000 packages beyond the base Linux From Scratch Version 9.1 book. This release has over 840 updates from the previous version in addition to numerous text and formatting changes."
The 2020 Linux Plumbers Conference (LPC) was meant to be held in Halifax, Nova Scotia, Canada at the end of August. As it happens, your editor was on the organizing committee for that event and thus got a close view of what happens when one's hopes for discussing memory-management changes on the Canadian eastern seaboard become one of the many casualties of an ongoing pandemic. Transforming LPC into a successful online experience was a lot of work, but the results more than justified the effort. Read on for some notes and thoughts from the experience of making LPC happen in 2020.
Security updates have been issued by Fedora (curl, dovecot, geary, httpd, lua, mysql-connector-java, and squid), Mageia (lua and lua5.3, sane, and squid), Oracle (dovecot), Scientific Linux (dovecot), SUSE (java-1_7_1-ibm, kernel, php5, and xorg-x11-server), and Ubuntu (firefox).
James Bottomley got a copy of the patent-suit settlement between the GNOME Foundation and Leigh Rothschild and has posted an analysis. "Although the agreement achieves its aim, to rid all of Open Source of the Rothschild menace, it also contains several clauses which are suboptimal, but which had to be included to get a speedy resolution. In particular, Clause 10 forbids the GNOME foundation or its affiliates from publishing the agreement, which has caused much angst in open source circles about how watertight the agreement actually was. Secondly Clause 11 prohibits GNOME or its affiliates from pursuing any further invalidity challenges to any Rothschild patents leaving Rothschild free to pursue any non open source targets. Fortunately the effect of clause 10 is now mitigated by me publishing the agreement and the effect of clause 11 by the fact that the Open Invention Network is now pursuing IPR invalidity actions against the Rothschild patents."
GNU Privacy Guard (GnuPG or GPG) has released version 2.2.23 to fix a critical security bug affecting GnuPG 2.2.21 and 2.2.22, as well as Gpg4win 3.1.12. "Importing an OpenPGP key having a preference list for AEAD algorithms will lead to an array overflow and thus often to a crash or other undefined behaviour. Importing an arbitrary key can often easily be triggered by an attacker and thus triggering this bug. Exploiting the bug aside from crashes is not trivial but likely possible for a dedicated attacker. The major hurdle for an attacker is that only every second byte is under their control with every first byte having a fixed value of 0x04. Software distribution verification should not be affected by this bug because such a system uses a curated list of keys."
One of the many unfortunate consequences of the Covid-19 pandemic was the cancellation of the 2020 GNU Tools Cauldron. That loss turned out to be a gain for the Linux Plumbers Conference, which was able to add a GNU Tools track to host many of the discussions that would have otherwise occurred at Cauldron. In that track, Ian Bearman presented his group's work using profile-guided optimization with the Linux kernel. This technique, which he often referred to as "pogo", is not straightforward to apply to the kernel, but the benefits would appear to justify the effort.
Greg Kroah-Hartman has released six new stable kernels: 5.8.6, 5.4.62, 4.19.143, 4.14.196, 4.9.235, and 4.4.235. As usual, they contain fixes throughout the tree and users should upgrade.
Kees Cook catches up with the security-relevant changes in the 5.6 kernel release. "With my 'attack surface reduction' hat on, I remain personally suspicious of the io_uring() family of APIs, but I can’t deny their utility for certain kinds of workloads. Being able to pipeline reads and writes without the overhead of actually making syscalls is pretty great for performance. Jens Axboe has added the IORING_OP_OPENAT command so that existing io_urings can open files to be added on the fly to the mapping of available read/write targets of a given io_uring. While LSMs are still happily able to intercept these actions, I remain wary of the growing 'syscall multiplexer' that io_uring is becoming."
Security updates have been issued by Debian (asyncpg and uwsgi), Mageia (cairo), openSUSE (chromium, kernel, and postgresql10), Red Hat (dovecot and squid:4), SUSE (curl, java-1_7_0-ibm, java-1_7_1-ibm, java-1_8_0-ibm, kernel, libX11, php7, squid, and xorg-x11-server), and Ubuntu (apport, libx11, and xorg-server, xorg-server-hwe-16.04, xorg-server-hwe-18.04).
New to the forthcoming PHP 8.0 release is a feature called match expressions, which is a construct designed to address several shortcomings in PHP's switch statement. While it took three separate request-for-comment (RFC) proposals in order to be accepted, the new expression eventually received broad support for inclusion.
Emil Velikov provides a high-level introduction of the Linux graphics stack, how it is used within ChromeOS, and the work being done to improve software rendering. "One of our goals is to be as flexible as possible, while minimising the amount of legacy code required - so in our case we're using OpenGL/GLES and EGL. In particular we are making use of the EGL_MESA_platform_surfaceless extension. It allows us to use OpenGL or GLES and render into a memory area, not requiring integration with the display subsystem."
We left the saga of PEP 622 ("Structural Pattern Matching") at the end of June, but the discussion of a Python "match" statement—superficially similar to a C switch but with extra data-matching features—continued. At this point, the next steps are up to the Python steering council, which will determine the fate of the PEP. But there is lots of discussion to catch up on from the last two months or so.
Security updates have been issued by Debian (apache2 and libx11), Fedora (batik, ecj, eclipse, eclipse-cdt, eclipse-ecf, eclipse-emf, eclipse-gef, eclipse-m2e-core, eclipse-mpc, eclipse-mylyn, eclipse-remote, eclipse-webtools, firefox, httpd, jetty, lucene, selinux-policy, and univocity-parsers), Mageia (hylafax+), openSUSE (ark and chromium), Red Hat (virt:8.2 and virt-devel:8.2), SUSE (freeradius-server, freerdp, php7, php72, php74, and xorg-x11-server), and Ubuntu (freerdp2, keystone, net-snmp, python-django, and python-rsa).
The LXD team has announced the release of LXD 4.5. LXD is a container and VM manager focused on running full Linux distributions. Highlights include virtual networks through OVN, bpf system call interception, a new way to allocate PTS devices, improved cluster remote storage, AppArmor confinement for some side services, and graphical console attach on Windows clients.
The Rust programming language has long aimed to be a suitable replacement for C in operating-system kernel development. As Rust has matured, many developers have expressed growing interest in using it in the Linux kernel. At the 2020 (virtual) Linux Plumbers Conference, the LLVM microconference track hosted a session on open questions about and obstacles to accepting Rust upstream in the Linux kernel. The interest in this topic can be seen in the fact that this was the single most heavily attended session at the 2020 event.