Yocto Project, a system to build embedded Linux distributions, releasedversion 3.3 "Hardknott". In this version all OE-Core recipes buildreproducibly regardless of host distro/build location except golang recipesand ruby's docs package. There are many more new features, upgrades, andbug fixes. The releasenotes have more details.
A filesystem's role is to store information and retrieve it in its originalform on request. But filesystems are also expected to prevent theretrieval of information by people who should not see it. That requirementextends to data that has been deleted; users expect that data to be trulygone and will not welcome its reappearance in surprising places. Some workbeing done with ext4 shows the kind of measures that are required to liveup to that expectation.
Security updates have been issued by Debian (gst-libav1.0, gst-plugins-bad1.0, gst-plugins-base1.0, and gst-plugins-ugly1.0), Fedora (kernel, kernel-headers, kernel-tools, and rust), openSUSE (firefox), Oracle (firefox, mariadb:10.3 and mariadb-devel:10.3, thunderbird, and xstream), Red Hat (kernel, kernel-alt, kpatch-patch, nss, and openldap), Scientific Linux (firefox, thunderbird, and xstream), SUSE (firefox), and Ubuntu (file-roller, firefox, and ruby2.7).
The Fedora 34release is now available. "This release features GNOME 40, thenext step in focused, distraction-free computing. GNOME 40 bringsimprovements to navigation whether you use a trackpad, a keyboard, or amouse. The app grid and settings have been redesigned to make interactionmore intuitive." LWN recently reviewed the Fedora 34 Workstationrelease.
Version 11.1 of the GCC compiler suite is out."This release switches the default debugging format to DWARF 5 on mosttargets and switches the default C++ language version to -std=gnu++17.It makes great progress in the C++20 language support, both on the compilerand library sides, adds experimental C++23 support, some C2X enhancements,various optimization enhancements and bug fixes, several new hardwareenablement changes and enhancements to the compiler back-ends and many otherchanges."
The Register reportson the death of security researcher Dan Kaminsky. "Though Kaminsky rose to fame in 2008 for identifying a critical design weakness in the internet's infrastructure – and worked in secret with software developers to mitigate the issue before it could be easily exploited – he had worked behind the scenes in the infosec world for at least the past two decades."
By the time the 5.12kernel was finally released, some 13,015 non-merge changesets had been pulled into the mainlinerepository for this development cycle. That makes 5.12 the slowestdevelopment cycle since 5.6, which was released at the end of March 2020.Still, there was plenty of work done for 5.12. Read on for our traditionallook at where that work came from and how it got into the kernel.
Linus Torvalds has released the 5.12kernel. "Thanks to everybody who made last week very calm indeed, which justmakes me feel much happier about the final 5.12 release."Headline features in 5.12 includethe removal of a number of obsolete, (mostly) 32-bit Arm subarchitectures,atomicinstructions for BPF,conditional file lookups with LOOKUP_CACHED,support for zoned block devices in the Btrfsfilesystem, threaded NAPI polling in the network stack,filesystem ID mapping,support for building the kernel with Clang link-timeoptimization,the KFENCEkernel-debugging tool, and more. See the LWN merge-window summaries(part 1, part 2) and the (in-progress) KernelNewbies 5.12 page formore information.
The University of Minnesota researchers who have stirred up the kernel community with varioustypes of bad patches have sentan open letter to the linux-kernel list. "This current incidenthas caused a great deal of anger in the Linux community toward us, theresearch group, and the University of Minnesota. We apologizeunconditionally for what we now recognize was a breach of the shared trustin the open source community and seek forgiveness for our missteps."
Many of us think that we operate busy web servers; LWN's server, forexample, sweats hard when keeping up with the comment stream thataccompanies any article mentioning the Rust programming language. But someorganizations run truly busy servers and have to take someextraordinary measures to keep up with levels of traffic that even languageadvocates cannot create. The SO_REUSEPORT socket option is one ofmany features that have been added to the network stack to help these usecases. SO_REUSEPORT suffers from an implementation problem that cancause connections to fail, though. Kuniyuki Iwashima has posted a patchset addressing this problem, but there is some doubt as to whether ittakes the right approach.
Security updates have been issued by Debian (firefox-esr, openjdk-8, and wpa), openSUSE (irssi, jhead, opera, and python-django-registration), SUSE (firefox and qemu), and Ubuntu (dnsmasq and shibboleth-sp).
Speaking for the Linux Foundation Technical Advisory Board, Kees Cook hasposted a brief statement on the controversyover patches submitted from the University of Minnesota.
The Ubuntu21.04 distribution release is available. "Today, Canonicalreleased Ubuntu 21.04 with native Microsoft Active Directory integration,Wayland graphics by default, and a Flutter application developmentSDK. Separately, Canonical and Microsoft announced performance optimizationand joint support for Microsoft SQL Server on Ubuntu."
The kernel's BPF virtual machine is versatile;it is possible to load BPF programs into the kernel to carry outa large (and growing) set of tasks. The growing body of BPF code canreasonably bethought of as kernel code in its own right. But, while the kernel cancheck signatures on loadable modules and prevent the loading of modulesthat are not properly signed, there is no such mechanism for BPF programs;any sufficiently privileged process can load any program that will pass theverifier. One might think that adding this checking for BPF would bestraightforward, but that subsystem has some unique characteristics thatmake things more challenging than one might expect. There may be asolution in the works, though; fittingly, it works by loading yet another BPFprogram.
Security updates have been issued by Debian (thunderbird and wordpress), Fedora (curl, firefox, mediawiki, mingw-binutils, os-autoinst, and rpm-ostree), Oracle (java-1.8.0-openjdk and java-11-openjdk), SUSE (kernel, pcp, and tomcat6), and Ubuntu (linux, linux-aws, linux-gke-5.3, linux-hwe, linux-kvm, linux-lts-xenial, linux-oem-5.6, linux-raspi2-5.3, linux-snapdragon).
A buggy patchposted to the linux-kernel mailing list in early April was apparently thelast straw for Greg Kroah-Hartman as it led to the planned reversion of a whole slew ofcommits with one thing in common: their origin at the University ofMinnesota (UMN). The patch to the NFSv4 authorization mechanism was dulyquestioned by two NFS developers, but it is not an honest mistake; according to Kroah-Hartman, there has been an attackof sorts underway as part of some academic research at the university. Inorder to be sure that these intentional bugs, many with securityimplications, do not continue to haunt Linux, he is workingon reverting commits that came from email addresses with theumn.edu domain.
Security updates have been issued by Debian (firefox-esr, php-pear, wordpress, and zabbix), Oracle (java-1.8.0-openjdk and java-11-openjdk), Red Hat (java-1.8.0-openjdk, java-11-openjdk, kernel, and kpatch-patch), Scientific Linux (java-1.8.0-openjdk and java-11-openjdk), Slackware (seamonkey), SUSE (apache-commons-io, ImageMagick, kvm, ruby2.5, and sudo), and Ubuntu (edk2, libcaca, ntp, and ruby2.3, ruby2.5, ruby2.7).
In a lengthymessage to the linux-kernel mailing list, Miguel Ojeda "introduced" theRust for Linux project. Itwas likely not the first time that most kernel developers had heard of theeffort; there was an extensive discussionof the project at the 2020 Linux PlumbersConference, for example. It has also been raisedbefore on the list. Now, the project is looking for feedback fromthe kernel community about its plans, thus the RFC posting on April 14.
Linux.com has published aninterview with Thomas Gleixner with a focus on the realtime preemptionwork. "The approach to funding these kinds of projects reminds me of the Mikado Game, which is popular in Europe, where the first player who picks up the stick and disturbs the pile often is the one who loses.That’s puzzling to me, especially as many companies build key productsdepending on these technologies and seem to take the availability andsustainability for granted up to the point where such a project fails, orpeople stop working on it due to lack of funding. Such companies shouldseriously consider supporting the funding of the Real-Time project."
Security updates have been issued by Debian (xorg-server), Fedora (CImg, gmic, leptonica, mingw-binutils, mingw-glib2, mingw-leptonica, mingw-python3, nodejs, and seamonkey), openSUSE (irssi, kernel, nextcloud-desktop, python-django-registration, and thunderbird), Red Hat (389-ds:1.4, kernel, kernel-rt, perl, and pki-core:10.6), SUSE (kernel, sudo, and xen), and Ubuntu (clamav and openslp-dfsg).
Zonedblock devices have some unfamiliar characteristics that result fromcompromises made in the name of higher storage density. They are dividedinto zones, some or all of which do not support random access for writeoperations. Instead, these "sequential" zones can only be written inorder, from the first block to the last. This constraint poses a newchallenge for filesystems, which are normally designed with the assumptionthat storage blocks can be written in any order. It is thus not surprisingthat zoned-device support in mainstream filesystems in Linux has been slowin coming; that is changing, though, with the additionof support for zoned block devices to Btrfs in Linux 5.12.
OpenSSH 8.6 is now available. The "ssh-rsa" signature scheme, which usesthe SHA-1 hash algorithm, will be disabled by default in the nearfuture. "Note that the deactivation of "ssh-rsa" signatures does notnecessarily require cessation of use for RSA keys. In the SSH protocol,keys may be capable of signing using multiple algorithms. In particular,"ssh-rsa" keys are capable of signing using "rsa-sha2-256" (RSA/SHA256),"rsa-sha2-512" (RSA/SHA512) and "ssh-rsa" (RSA/SHA1). Only the last ofthese is being turned off by default."
Firefox 88 has been released. Newfeatures include support for PDF forms with embedded JavaScript and smoothpinch-zooming using a touchpad, and better protection against cross-siteprivacy leaks. See thisarticle for more information on how Firefox 88 combats window.nameprivacy abuses. Firefox 78.10 ESR containsvarious fixes for stability, functionality, and security.
Security updates have been issued by CentOS (nettle, squid, and thunderbird), Debian (libebml, python-bleach, and python2.7), Fedora (batik, gnuchess, kernel-headers, kernel-tools, ruby, singularity, and xorg-x11-server), Mageia (clamav, kernel, kernel-linus, and python3), openSUSE (chromium, fluidsynth, opensc, python-bleach, and wpa_supplicant), Oracle (gnutls and nettle), Red Hat (dpdk, gnutls and nettle, mariadb:10.3 and mariadb-devel:10.3, and redhat-ds:11), and SUSE (kernel, qemu, and xen).
In the end, Linus decided to hold the 5.12 release for one more week andput out 5.12-rc8 instead. "Ok, so it's been _fairly_ calm this past week, but it hasn't been thekind of dead calm I would have taken to mean 'no rc8 necessary'.So here we are, with an extra rc to make sure things are all settleddown."
Version 12.0.0 of the LLVM compiler suite is out. This appears to be arelease with a lot of incremental improvements rather than large headlinefeatures; see the various sets of release notes in the announcement fordetails.
The Debian project has voted strongly toretain Jonathan Carter as the project leader. On that other littlenagging issue, the project has voted not toissue a statement regarding Richard Stallman's return to the FreeSoftware Foundation board of directors. This, too, was a relatively strongresult over the other options. Details can be found on the specific pagesfor the projectleader and generalresolution ballots.
Today's crop of stable kernels includes the following: 4.4.267, 4.9.267, 4.14.231, 4.19.188, 5.4.113, 5.10.31, and 5.11.15. As usual. they contain importantfixes throughout the tree; users of those series should upgrade.
One of the key resources that defines a process is its address space — theset of mappings that determines what any specific memory address meanswithin that process. An address space is normally privateto the process it belongs to, but there are situations where one processneeds to make changes to another process's memory; an interactive debuggerwould be one case in point. The ptrace()system call makes such changes possible, but it is slow and not always easyto use, so there has been a longstanding quest for better alternatives.One possibility, process_vm_exec()from Andrei Vagin, was recently posted for review.
A new organization for maintainers and contributors to GNU tools, the GNU Assembly, has announced its existence."We’re excited to kick off the GNU Assembly and its web site! This place intends to be a collaboration platform for the developers of GNU packages who are all 'hacking for user freedom' and who share a vision for the umbrella project." It is an outgrowth of discussions on changes to GNU governance from a few years back, but its origins are even older than that. The organization is working on its governance model and invites those interested to its Assembly mailing list.
The Fedora project may have managed to shake off its reputation for delayedreleases in recent years, but that hasn't stopped the release date forFedora 34 from slippingone week to April 27. Modulo ahandful of bugs, though, this release is in its final form, so a lookat what is coming is warranted. Distribution releases, especially thosefor fast-moving community distributions, are a good point at which to catchup with the state of many free-software projects and where Linux is headedin general. Fedora 34 includes a lot of changes, including the GNOME 40 release but, for the mostpart, it looks like an exercise in continuity.
Security updates have been issued by Debian (xorg-server), Fedora (kernel), openSUSE (clamav, fluidsynth, python-bleach, spamassassin, and xorg-x11-server), Red Hat (gnutls and nettle, libldb, and thunderbird), Scientific Linux (thunderbird), SUSE (clamav, util-linux, and xorg-x11-server), and Ubuntu (network-manager and underscore).
The Google security blog has adetailed article on what a device driver written in Rust looks like."That is, we use Rust's ownership discipline when interacting with Ccode by handing the C portion ownership of a Rust object, allowing it tocall functions implemented in Rust, then eventually giving ownershipback. So as long as the C code is correct, the lifetime of Rust fileobjects work seamlessly as well, with the compiler enforcing correctlifetime management on the Rust side, for example: open cannot returnstack-allocated pointers or heap-allocated objects containing pointers tothe stack, ioctl/read/write cannot free (ormodify without synchronization) the contents of the object stored in filp->private_data, etc."
In early April, Fedora program manager Ben Cotton posteda proposal to use the distribution'sdebuginfodservers by default in Fedora 35. This feature would help developerswho are trying to debug or trace their programs using various tools, but who arelacking the source code and debugging symbols needed. The serverscan provide that data directly to the tools as needed, but there are somesecurity and privacy concerns to work through before turning the feature onby default.
The OpenStack cloud-infrastructure project has made its 23rd release, Wallaby. "The Wallaby release strengthens open infrastructure for cloud native applications with enhanced security and integration with other open source technologies. More than 17,000 code changes authored by over 800 contributors from 140 different organizations and 45 countries were merged into the release.In addition to delivering a wide range of improvements to the stable and reliable OpenStack core and its highly flexible project integration capabilities, Wallaby delivers security enhancements including fallback permissions and RBAC improvements in Ironic [bare-metal provisioning service], Glance [image service] and Manila [shared filesystems], and the community focused this cycle on migrating the RBAC policy format from JSON to YAML. Additionally, the Ironic project has extended functionality for UEFI (Unified Extensible Firmware Interface), including secure erase for NVME."
The FreeBSD 13 release is out. It includes a lot of updated software, theremoval of a number of GNU tools (including the toolchain), and more, butnot WireGuard. See the releasenotes for the details.
There are times when developers and system administrators need to diagnoseproblems in running code. The program to be examined can be a user-spaceprocess, the kernel, or both. Two of the major tools available on Linux toperform this sort of analysis areSystemTap andbpftrace. SystemTap has been availablesince 2005, while bpftrace is a more recent contender that, to some,may appear tohave made SystemTap obsolete. However, SystemTap is still the preferredtool forsome real-world use cases.
Security updates have been issued by Debian (libpano13), Fedora (mosquitto and perl-Net-CIDR-Lite), Mageia (curl, mongodb, pdfbox, python-jinja2, rygel, spamassassin, tor, velocity, webkit2, and wireshark), openSUSE (umoci), Oracle (389-ds:1.4, kernel, and virt:ol and virt-devel:rhel), Red Hat (kernel and kpatch-patch), Slackware (dnsmasq and irssi), and SUSE (cifs-utils, rubygem-actionpack-4_2, and spamassassin).
While some parts of the core kernel reached a relatively stable "done"state years ago, others never really seem to be finished. One of thelatter variety is undoubtedly the kernel's implementation of spinlocks,which arbitrate access to data at the lowest levels of the kernel. Lockperformance can have a significant effect on the performance of the systemas a whole, so optimization work can pay back big dividends. Lest onethink that this work is finally done, the NUMA-awareqspinlock patch set shows how some more performance can be squeezed outof the kernel's spinlock implementation.
The Free Software Foundation has finally issueda statement on why the decision to return Richard Stallman to theorganization's board of directors was taken.
Security updates have been issued by CentOS (kernel and libldb), Debian (mediawiki, qemu, ruby-kramdown, and xen), Fedora (grub2, libldb, libopenmpt, python-pikepdf, python39, samba, squid, and webkit2gtk3), openSUSE (bcc, ceph, gssproxy, hostapd, isync, kernel, openexr, openSUSE KMPs, and tpm2-tss-engine), SUSE (fwupdate and wpa_supplicant), and Ubuntu (spamassassin).
The 5.12-rc7 kernel prepatch is out; it'srather larger than Linus would have liked."End result: I'm still waffling about the final 5.12 release. The factthat we have a big rc7 does make me think that I'll probably do an rc8this time around. But it ends up depending a bit on how the upcomingweek goes, and if things are deathly quiet, I may end up deciding thatan rc8 doesn't really make sense."
There is another set of stable kernel updates out:5.11.13,5.10.29,5.4.111,4.19.186,4.14.230,4.9.266, and4.4.266.Each contains another set of important fixes.
LWN.net