The Asahi Linux project, which is working to build a distribution for M1-based Apple systems, has published a progress report for January and February. "Apple Silicon Macs boot in a completely different way from PCs. The way they work is more akin to embedded platforms (like Android phones, or, of course, iOS devices), but with quite a few bespoke mechanisms thrown in. However, Apple has taken a few steps to make this boot process feel closer to that of an Intel Mac, so there has been a lot of confusion around how things actually work. For example, did you know that Apple Silicon Macs cannot boot from external storage at all, in the traditional sense? Or that the bootloader on Apple Silicon Macs cannot show a graphical user interface at all, and that the “Boot Picker” is in fact a full-screen macOS app, not part of the bootloader?"
The 5.11.6, 5.10.23, 5.4.105, 4.19.180, 4.14.225, 4.9.261, and 4.4.261 stable kernels have all been released, one day earlier than might have been expected. Each contains yet another set of important fixes.
Many developers use SSH to access their systems, so it is not surprising that SSH servers are widely attacked. During the FOSDEM 2021 conference, Sanja Bonic and Janos Pasztor reported on their experiment using containers as a way to easily create SSH honeypots — fake servers that allow administrators to observe the actions of attackers without risking a production system. The conversational-style talk walked the audience through the process of setting up an SSH server to play the role of the honeypot, showed what SSH attacks look like, and gave a number of suggestions on how to improve the security of SSH servers.
A potentially nasty vulnerability in the Git distributed revision-control system was disclosed on March 9. There are enough qualifiers in the description of the vulnerability that it may appear to be fairly narrowly focused—and it is. That may make it less worrisome, but it is not entirely clear. As with most vulnerabilities, it all depends on how the software is being used and the environment in which it is running.
Exceptions in Python are a mechanism used to report errors (of an exceptional variety); programs can be and are written to expect and handle certain types of exceptions using try and except. But exceptions were originally meant to report a single error event and, these days, things are a tad more complicated than that. A recent Python Enhancement Proposal (PEP) targets adding exception groups, as well as new syntax to catch and handle the groups.
Security updates have been issued by Debian (kernel and privoxy), Fedora (libtpms, privoxy, and x11vnc), openSUSE (chromium), Red Hat (.NET 5.0, .NET Core, .NET Core 2.1, .NET Core 3.1, dotnet, and dotnet3.1), SUSE (git, kernel, openssl-1_1, and wpa_supplicant), and Ubuntu (git and openssh).
The Linux Foundation has announced a project called sigstore; its purpose is to protect against supply-chain attacks by signing (and verifying) release artifacts. "Very few open source projects cryptographically sign software release artifacts. This is largely due to the challenges software maintainers face on key management, key compromise / revocation and the distribution of public keys and artifact digests. In turn, users are left to seek out which keys to trust and learn steps needed to validate signing. Further problems exist in how digests and public keys are distributed, often stored on websites susceptible to hacks or a README file situated on a public git repository. sigstore seeks to solve these issues by utilization of short lived ephemeral keys with a trust root leveraged from an open and auditable public transparency logs."
Several new versions of the Git source-code management system have been released; they fix a vulnerability that could allow a hostile remote repository to execute code locally during a clone operation. Only users with case-insensitive filesystems are affected, reducing the set of possible targets considerably, but an update still seems like a good idea.
Linaro Ltd has announced the first GNU Toolchain integration build. "Every six months, Arm releases the official GNU Toolchain release for Arm architectures for the purpose of production. Linaro will bridge the gap between the official releases by delivering monthly integration builds which offer users a snapshot of the upstream build. Although not supported, having access to these builds will allow developers to test features from a pre-built binary as soon as it lands upstream. The builds will also enable companies to check their BSP (Board Support Package) release will work with newer toolchains without having to wait for an official release."
Security updates have been issued by Fedora (firefox, kernel, kernel-headers, kernel-tools, libebml, and wpa_supplicant), openSUSE (mbedtls), Oracle (kernel, kernel-container, and screen), Red Hat (curl, kernel, kernel-rt, kpatch-patch, nss-softokn, python, and virt:rhel and virt-devel:rhel), Scientific Linux (screen), SUSE (389-ds, crmsh, openldap2, openssl-1_0_0, and wpa_supplicant), and Ubuntu (glib2.0, gnome-autoar, golang-1.10, golang-1.14, and libzstd).
The -rc kernels released by Linus Torvalds exist for a reason: after 10,000 or so changes flow into the kernel over a two-week merge window, there will surely be some bugs in need of squashing. The -rc kernels provide an opportunity for wider testing after all those patches have been integrated. Most of the time, -rc kernels (even the initial -rc1 releases) are surprisingly safe to run. Occasionally, though, something goes wrong, giving early testers reason to reconsider their life choices. The 5.12-rc1 kernel, as it turns out, was one of those.
Security updates have been issued by Debian (activemq, libcaca, libupnp, mqtt-client, and xcftools), Fedora (ceph, mupdf, nagios, python-PyMuPDF, and zathura-pdf-mupdf), Mageia (cups, kernel, pngcheck, and python-pygments), openSUSE (bind, chromium, gnome-autoar, kernel, mbedtls, nodejs8, and thunderbird), and Red Hat (nodejs:10, nodejs:12, nodejs:14, screen, and virt:8.2 and virt-devel:8.2).
The NGI POINTER organization, which is funded by the European Commission, has put out its second open call for providing development/research funding; the first open call was in April 2020. This time around, the organization is looking for individuals or projects that are working on "changing the Internet and Web with European Values at its core". The goal is to "support promising bottom-up projects that are able to build, on top of state-of-the-art research, scalable protocols and tools to assist in the practical transition or migration to new or updated technologies, whilst keeping European Values at the core". Those interested may want to look at some of the previously funded projects; more information can also be found in the Work Programme [PDF].
Linus has released 5.12-rc2 a little sooner than would normally be expected due to the problems with 5.12-rc1. "Other than that it all looks pretty normal".
The first two articles in this series introduced four ways to order memory accesses: load-acquire and store-release operations in the first installment, read and write memory barriers in the second. The series continues with an exploration of full memory barriers, why they are more expensive, and how they are used in the kernel.
Security updates have been issued by Fedora (389-ds-base, dogtag-pki, dpdk, freeipa, isync, openvswitch, pki-core, and screen), Mageia (bind, chromium-browser-stable, gnome-autoar, jasper, openldap, openssl and compat-openssl10, screen, webkit2, and xpdf), Oracle (grub2), Red Hat (java-1.7.1-ibm, java-1.8.0-ibm, nodejs:10, and nodejs:12), SUSE (freeradius-server), and Ubuntu (wpa).
Over the last couple of years, a lot of development effort has gone into two kernel subsystems: BPF and io_uring. The BPF virtual machine allows programs from user space to be safely run within the context of the kernel, while io_uring addresses the longstanding problem of running system calls asynchronously. As the two subsystems expand, it was inevitable that the two would eventually meet; the first encounter happened in mid-February with this patchset from Pavel Begunkov adding the ability to run BPF programs from within io_uring.
Linus Torvalds has sent out a note telling people not to install the recent 5.12-rc1 development kernel; this is especially true for anybody running with swap files. "But I want everybody to be aware of because _if_ it bites you, it bites you hard, and you can end up with a filesystem that is essentially overwritten by random swap data. This is what we in the industry call 'double ungood'." Additionally, he is asking maintainers to not start branches from 5.12-rc1 to avoid future situations where people land in the buggy code while bisecting problems.
Greg Kroah-Hartman has released the 5.11.3, 5.10.20, 5.4.102, 4.19.178, 4.14.223, 4.9.259, and 4.4.259 stable kernels. These are generally enormous updates, with important changes throughout the kernel tree; users should upgrade.
Security updates have been issued by Fedora (389-ds-base, dogtag-pki, freeipa, isync, pki-core, and screen), Mageia (firefox, kernel, kernel-linus, libtiff, nonfree-firmware, and thunderbird), Red Hat (bind and java-1.8.0-ibm), Scientific Linux (grub2), and SUSE (kernel-firmware, openldap2, postgresql12, and python-cryptography).
The Python lambda keyword, which can be used to create small, anonymous functions, comes from the world of functional programming, but is perhaps not the most beloved of Python features. In part, that may be because it is somewhat clunky to use, especially in comparison to the shorthand notation offered by other languages, such as JavaScript. That has led to some discussions on possible changes to lambda in Python mailing lists since mid-February.
OpenSSH 8.5 has been released. It includes fixes for a couple of potential security problems (one of which only applies to Solaris hosts); it also enables UpdateHostKeys by default, allowing hosts with insecure keys to upgrade them without creating scary warnings for users. There are a lot of other small changes; see the announcement for details.
Security updates have been issued by CentOS (bind), Debian (adminer, grub2, spip, and wpa), Mageia (openjpeg2, wpa_supplicant, and xterm), openSUSE (avahi, bind, firefox, ImageMagick, java-1_8_0-openjdk, nodejs10, and webkit2gtk3), Red Hat (container-tools:1.0, container-tools:2.0, grub2, and virt:rhel and virt-devel:rhel), SUSE (bind, gnome-autoar, grub2, and nodejs8), and Ubuntu (python2.7 and wpa).
For more than a decade, PulseAudio has been serving the Linux desktop as its predominant audio mixing and routing daemon — and its audio API. Unfortunately, PulseAudio's internal architecture does not fit the growing sandboxed-applications use case, even though there have been attempts to amend that. PipeWire, a new daemon created (in part) out of these attempts, will replace PulseAudio in the upcoming Fedora 34 release. It is a coming transition that deserves a look.
Security updates have been issued by Arch Linux (bind, intel-ucode, ipmitool, isync, openssl, python, python-cryptography, python-httplib2, salt, tar, and thrift), Fedora (ansible, salt, webkit2gtk3, and wpa_supplicant), Oracle (bind), Red Hat (bind, kernel, and kpatch-patch), Scientific Linux (bind), SUSE (firefox, gnome-autoar, java-1_8_0-ibm, java-1_8_0-openjdk, nodejs10, open-iscsi, perl-XML-Twig, python-cryptography, and thunderbird), and Ubuntu (bind9).
The 5.12 merge window closed with the release of 5.12-rc1 on February 28; this release followed the normal schedule despite the fact that Linus Torvalds had been without power for the first six days after 5.11 came out. At that point, 10,886 non-merge changesets had found their way into the mainline repository; about 2,000 of those showed up after the first-half merge-window summary was written. The pace of merging obviously slowed down, but there were still a number of interesting features to be found in those patches.
Security updates have been issued by CentOS (firefox, ImageMagick, libexif, thunderbird, and xorg-x11-server), Debian (docker.io, python-aiohttp, and thunderbird), Fedora (chromium, firefox, kernel, and rygel), Mageia (nodejs, pix, and subversion), openSUSE (glibc, gnuplot, nodejs12, nodejs14, pcp, python-cryptography, qemu, and salt), Red Hat (bind and podman), and SUSE (csync2, glibc, java-1_8_0-ibm, nodejs12, nodejs14, python-Jinja2, and rpmlint).
Version 3.2.0 of the fish shell has been released. New features include undo and redo support (for command-line editing, not commands!) and a long list of incremental improvements; see the announcement for details. LWN last looked at the fish shell in September.
The Mageia distribution has announced the release of Mageia 8. It comes with the usual array of new packages, including a 5.10.16 kernel, Plasma 5.20.4, GNOME 3.38, Firefox 78, Chromium 88, LibreOffice 7.0.4.2, and more. "ARM support has continued to develop, with both AArch64 and ARMv7 now having all packages built and being close to primary architectures now. Support for Wi-Fi installation in the classical installer using WPA2 encryption has been added, as well as improved support for newer filesystems allowing installations on F2FS. Support for NILFS, XFS, exFAT and Windows 10 NTFS has been improved to allow for better partition management. The Live installer has also had significant development. Boot times have been greatly reduced with the use of Zstd compression and improved hardware detection and the support for installing updates as a final step of the installation has been added. Zstd compression has also been applied to the rescue mode, allowing for faster startup, support for encrypted LVM/LUKS has also been added."
Mike West has posted a detailed exploration of what is really required to protect sensitive information in web applications from speculative-execution exploits. "Spectre-like side-channel attacks inexorably lead to a model in which active web content (JavaScript, WASM, probably CSS if we tried hard enough, and so on) can read any and all data which has entered the address space of the process which hosts it. While this has deep implications for user agent implementations' internal hardening strategies (stack canaries, ASLR, etc), here we’ll remain focused on the core implication at the web platform level, which is both simple and profound: any data which flows into a process hosting a given origin is legible to that origin. We must design accordingly."
The first article in this series provided an introduction to lockless algorithms and the happens-before relationship that allows us to reason about them. The next step is to look at the concept of a "data race" and the primitives that exist to prevent data races. We continue in that direction with a look at relaxed accesses, memory barriers, and how they can be used to implement the kernel's seqcount mechanism.
Greg Kroah-Hartman has released the 5.11.2, 5.10.19, and 5.4.101 stable kernels. These all contain a relatively small pile of important fixes; as usual, users should upgrade.
Version 1.0 of GNU poke is out. "GNU poke (http://www.jemarch.net/poke) is an interactive, extensible editor for binary data. Not limited to editing basic entities such as bits and bytes, it provides a full-fledged procedural, interactive programming language designed to describe data structures and to operate on them."
Security updates have been issued by Debian (python-pysaml2 and redis), Fedora (buildah, containernetworking-plugins, containers-common, libmysofa, libpq, podman, postgresql, skopeo, xen, and xterm), openSUSE (nghttp2), Oracle (firefox and thunderbird), SUSE (glibc, ImageMagick, python-Jinja2, and salt), and Ubuntu (python2.7, python2.7, python3.4, python3.5, python3.6, python3.8, and tiff).
One of the under-the-hood changes in the Fedora 33 release was a switch to systemd-resolved for the handling of DNS queries. This change should be invisible to most users unless they start using one of the new features provided by systemd-resolved. Recently, though, the Fedora project changed its default configuration for that service to eliminate fallback DNS servers — a change which is indeed visible to some users who have found themselves without domain-name resolution as a result.
Two separate vulnerabilities led to the fast-tracked release of Python 3.9.2 and 3.8.8 on February 19, though source-only releases of 3.7.10 and 3.6.13 came a few days earlier. The vulnerabilities may be problematic for some Python users and workloads; one could potentially lead to remote code execution. The other is, arguably, not exactly a flaw in the Python standard library—it simply also follows an older standard—but it can lead to web cache poisoning attacks.
Sergio Durigan Junior has announced the availability of a debuginfod server for Debian systems. "In a nutshell, by using a debuginfod service you will not need to install debuginfo (a.k.a. dbgsym) files anymore; the symbols will be served to GDB (or any other debuginfo consumer that supports debuginfod) over the network. Ultimately, this makes the debugging experience much smoother (I myself never remember the full URL of our debuginfo repository when I need it)."
Security updates have been issued by openSUSE (firefox and tor), Oracle (stunnel and xterm), Red Hat (virt:8.2 and virt-devel:8.2 and xterm), SUSE (avahi, gnuplot, java-1_7_0-ibm, and pcp), and Ubuntu (openssl).
NumPy is a Python library that adds an array data type to the language, along with providing operators appropriate to working on arrays and matrices. By wrapping fast Fortran and C numerical routines, NumPy allows Python programmers to write performant code in what is normally a relatively slow language. NumPy 1.20.0 was announced on January 30, in what its developers describe as the largest release in the history of the project. That makes for a good opportunity to show a little bit about what NumPy is, how to use it, and to describe what's new in the release.