LWN.net headlines feed
Site: https://lwn.net/
Feed: http://lwn.net/headlines/rss
Updated 2025-07-05 17:30
[$] Challenges in protecting virtual machines from untrusted entities
As an ever-growing number of workloads are being moved to the cloud, CPU vendors have begun to roll out purpose-built hardware features to isolate virtual machines (VMs) from potentially hostile parties. These processor features, and their extensions, enable the notion of "secure VMs" (or "confidential VMs") — where a VM's "sensitive state" needs to be protected from untrusted entities. Drawing from his experience contributing to the secure VM implementation for the s390 architecture, Janosch Frank described the challenges involved in a talk at the 2020 (virtual) KVM Forum. Though the implementations across CPU vendors may vary, there are many shared problems, which opens up possibilities for collaboration.
Security updates for Tuesday
Security updates have been issued by Debian (libxstream-java, musl, mutt, pdfresurrect, vips, and zsh), Fedora (libuv, nodejs, thunderbird, and xen), openSUSE (libssh2_org, mutt, neomutt, and thunderbird), Oracle (firefox and thunderbird), Red Hat (firefox, rh-nodejs12-nodejs, rh-php73-php, and thunderbird), Scientific Linux (thunderbird), SUSE (libX11, mariadb, mutt, python-pip, python-setuptools, and python36), and Ubuntu (containerd, php-pear, and sniffit).
[$] Scheduling for asymmetric Arm systems
The Arm processor architecture has pushed the boundaries in a number of ways, some of which have required significant kernel changes in response. For example, the big.LITTLE architecture placed fast (but power-hungry) and slower (but more power-efficient) CPUs in the same system-on-chip (SoC); significant scheduler changes were needed for Linux to be able to properly distribute tasks on such systems. For all their quirkiness, big.LITTLE systems still feature CPUs that are in some sense identical: they can all run any task in the system. What is the scheduler to do, though, if confronted with a system where that is no longer true?
pip 20.3 release
The Python Packaging Authority has announced the release of pip 20.3. There is some potential for disruption with this release. "The new resolver is now *on by default*. It is significantly stricter and more consistent when it receives incompatible instructions, and reduces support for certain kinds of constraints files, so some workarounds and workflows may break."
Security updates for Monday
Security updates have been issued by Arch Linux (c-ares, libass, raptor, rclone, and swtpm), Debian (libproxy, qemu, tcpflow, and x11vnc), Fedora (asterisk, c-ares, microcode_ctl, moodle, pam, tcpdump, and webkit2gtk3), Mageia (jruby and webkit2), openSUSE (buildah, c-ares, ceph, fontforge, java-1_8_0-openjdk, kernel, LibVNCServer, mariadb, thunderbird, ucode-intel, and wireshark), Red Hat (firefox, rh-mariadb103-mariadb and rh-mariadb103-galera, and thunderbird), SUSE (binutils, libssh2_org, LibVNCServer, libX11, and nodejs12), and Ubuntu (mysql-8.0 and qemu).
PHP 8.0.0 released
Version 8.0.0 of the PHP language has been released. New features include union types, named arguments, match expressions, a just-in-time compiler, and more; see this article for more information.
Kernel prepatch 5.10-rc6
The 5.10-rc6 kernel prepatch is out. "So I'm feeling pretty good about 5.10, and I hope I won't be proven wrong about that. But please do test."
Security updates for Friday
Security updates have been issued by Arch Linux (go, libxml2, postgresql, and wireshark-cli), Debian (drupal7 and lxml), Fedora (drupal7, java-1.8.0-openjdk-aarch32, libxml2, pacemaker, slurm, and swtpm), openSUSE (c-ares, ceph, chromium, dash, firefox, go1.14, java-1_8_0-openjdk, kernel, krb5, perl-DBI, podman, postgresql10, postgresql12, rclone, slurm, ucode-intel, wireshark, wpa_supplicant, and xen), SUSE (ceph, firefox, kernel, LibVNCServer, and python), and Ubuntu (freerdp, poppler, and xdg-utils).
Thanksgiving security updates
Security updates have been issued by openSUSE (blueman, chromium, firefox, LibVNCServer, postgresql10, postgresql12, thunderbird, and xen), Slackware (bind), SUSE (bluez, kernel, LibVNCServer, thunderbird, and ucode-intel), and Ubuntu (mutt, poppler, thunderbird, and webkit2gtk).
The new rules for Perl governance
The process of adopting a new governance model for the Perl project appears to be reaching an end; the new model is designed to look a lot like the one adopted by the Python project. "So, now Perl has two well-defined bodies involved in its governance: a core team of a few dozen and a steering council of three people. The core team sets the rules of Perl governance, votes on membership of the two groups, and delegates substantial decision making power to the steering council. The steering council has broad authority to make decisions about the development of the Perl language, the interpreter, and all other components, systems and processes that result in new releases of the language interpreter." The full description is available for those looking for the details.
Security updates for Wednesday
Security updates have been issued by Debian (spip and webkit2gtk), Fedora (kernel and libexif), openSUSE (chromium and rclone), Slackware (mutt), SUSE (kernel, mariadb, and slurm), and Ubuntu (igraph).
[$] Mutt releases version 2.0
The venerable email client Mutt has just reached version 2.0. Mutt is different from the type of client that has come to dominate the email landscape—for one thing, it has no graphical interface. It has a long history that is worth a bit of a look, as are its feature set and extensive customizability. Version 2.0 brings several enhancements to Mutt's interface, configurability, and convenience, as well. In this article, readers who are unfamiliar with Mutt will learn about a different way to deal with the daily chore of wrangling their inboxes, while Mutt experts may discover some new sides to an old friend.
A set of stable kernels
Greg Kroah-Hartman has released the 5.9.11, 5.4.80, 4.19.160, 4.14.209, 4.9.246, and 4.4.246 stable kernels. They all contain important fixes and users should upgrade.
Security updates for Tuesday
Security updates have been issued by Fedora (chromium, microcode_ctl, and seamonkey), Mageia (f2fs-tools, italc, python-cryptography, python-pillow, tcpreplay, and vino), Oracle (thunderbird), Red Hat (bind, kernel, microcode_ctl, net-snmp, and Red Hat Virtualization), Scientific Linux (net-snmp and thunderbird), SUSE (kernel and mariadb), and Ubuntu (atftp, libextractor, pdfresurrect, and pulseaudio).
GNU Guix 1.2.0 released
GNU Guix, a functional package manager and associated free software distribution, was introduced eight years ago. The 1.2.0 release celebrates the anniversary. "A major highlight in this release is the ability to authenticate channels, which probably makes Guix one of the safest ways to deliver complete operating systems today. This was the missing link in our “software supply chain” and we’re glad it’s now fixed. The end result is that guix pull and related commands now cryptographically authenticate channel code that they fetch; you cannot, for instance, retrieve unauthorized commits to the official Guix repository."
Huang: Evaluating Precursor’s Hardware Security
For those who are interested in security at the hardware level, this blog post from Andrew 'bunnie' Huang is well worth a read. "Despite any claims you may have heard otherwise, tamper resistance is a largely unsolved problem. Any secrets committed to a non-volatile format are vulnerable to recovery by a sufficiently advanced adversary. The availability of near-atomic level microscopy, along with sophisticated photon and phonon based probing techniques, means that a lab equipped with a few million dollars worth of top-notch gear and well-trained technicians has a good chance of recovering secret key material out of virtually any non-volatile storage media. The hard part is figuring out where the secrets are located on the chip."
Security updates for Monday
Security updates have been issued by Debian (cimg, golang-1.7, golang-1.8, krb5, mediawiki, mupdf, php-pear, samba, thunderbird, and zabbix), Fedora (chromium, krb5, microcode_ctl, pngcheck, and rpki-client), Mageia (librepo, postgresql, python-twisted, raptor2, tcpdump, and thunderbird), openSUSE (blueman, java-11-openjdk, moinmoin-wiki, python, rmt-server, SDL, and tcpdump), Red Hat (chromium-browser and thunderbird), SUSE (c-ares, ceph, dash, firefox, java-1_8_0-openjdk, postgresql10, postgresql12, postgresql96, u-boot, and ucode-intel), and Ubuntu (openldap).
Kernel prepatch 5.10-rc5
The 5.10-rc5 kernel prepatch is out. "The 5.10 release candidates stubbornly keeps staying fairly big, even though by rc5 we really should be seeing things starting to calm down and shrink. There's nothing in here that makes me particularly nervous, but in pure numbers of commits, this is the largest rc5 we've had in the 5.x series."
Some weekend stable kernel updates
The 5.9.10, 5.4.79, 4.19.159, 4.14.208, 4.9.245, and 4.4.245 stable kernel updates are all available. Each contains another set of important fixes, as usual.
[$] epoll_pwait2(), close_range(), and encoded I/O
The various system calls and other APIs that the kernel provides for access to files and filesystems have grown increasingly comprehensive over the years. That does not mean, though, that there is no need or room for improvement. Several relatively small additions to the kernel's filesystem-related API are under consideration in the development community; read on for a survey of some of this work.
Security updates for Friday
Security updates have been issued by CentOS (firefox), Fedora (chromium, microcode_ctl, mingw-libxml2, seamonkey, and xen), openSUSE (slurm_18_08 and tor), Oracle (thunderbird), SUSE (buildah, firefox, go1.14, go1.15, krb5, microcode_ctl, perl-DBI, podman, postgresql12, thunderbird, ucode-intel, wireshark, wpa_supplicant, and xen), and Ubuntu (firefox and phpmyadmin).
Paalanen: Developing Wayland Color Management and High Dynamic Range
Over on the Collabora blog, Pekka Paalanen writes about adding color management and high dynamic range (HDR) support to the Wayland display server protocol. X11 already has support for color management tools and workflow, but not HDR, and Wayland currently doesn't support either, but Paalanen and others are working to change that. "As color management is all about color spaces and gamuts, and high dynamic range (HDR) is also very much about color spaces and gamuts plus extended luminance range, Sebastian [Wick] and I decided that Wayland color management extension should cater for both from the beginning. Combining traditional color management and HDR is a fairly new thing as far as I know, and I'm not sure we have much prior art to base upon, so this is an interesting research journey as well. There is a lot of prior art on HDR and color management separately, but they tend to have fundamental differences that makes the combination not obvious."
GCompris releases version 1.0 to celebrate 20 years
The GCompris project, which provides a "high quality educational software suite, including a large number of activities for children aged 2 to 10", has announced its 1.0 release, which celebrates the 20th anniversary of the project. It includes more than 100 activities, a new Dataset selection in the Activity Settings menu for more than 50 activities, and four new activities, including an Analog Electricity activity to simulate and learn about circuits. KDE.news covered the release: "We have built the activities to follow the principles of 'nothing succeeds like success' and that children, when learning, should be challenged, but not made to feel threatened. Thus, GCompris congratulates, but does not reprimand; all the characters the child interacts with are friendly and supportive; activities are brightly colored, contain encouraging voices and play upbeat, but soothing music. The hardware requirements for running GCompris are extremely low and it will run fine on older computers or low-powered machines, like the Raspberry Pi. This saves you and your school from having to invest in new and expensive equipment and it is also eco-friendly, as it reduces the amount of technological waste that is produced when you have to renew computers to adapt to more and more power-hungry software. GCompris works on Windows, Android and GNU/Linux computers, and on desktop machines, laptops, tablets and phones."
[$] ID mapping for mounted filesystems
Almost every filesystem (excepting relics like VFAT) implements the concept of the owner and group of each file; the higher levels of the operating system then use that information to control access to those files. For decades, it has usually sufficed to track a single owner and group for each file, but there is an increasing number of use cases wanting to make that ownership relative to the environment any given process is running in. Developers have been working for a few years to find solutions to this problem; the latest attempt is the ID-mapped mounts patch set from Christian Brauner.
Six new stable kernels
Greg Kroah-Hartman has released the 5.9.9, 5.4.78, 4.19.158, 4.14.207, 4.9.244, and 4.4.244 stable kernels. They all contain important fixes throughout the kernel tree; users of those series should upgrade.
Rust 1.48.0 released
Version 1.48.0 of the Rust language has been released. The biggest change appears to be improvements to the documentation system, but there's more: "The most significant API change is kind of a mouthful: [T; N]: TryFrom<Vec<T>> is now stable. What does this mean? Well, you can use this to try and turn a vector into an array of a given length".
Security updates for Thursday
Security updates have been issued by Arch Linux (chromium and firefox), CentOS (bind, curl, fence-agents, kernel, librepo, libvirt, microcode_ctl, python, python3, qt and qt5-qtbase, resource-agents, and tomcat), Debian (drupal7, firefox-esr, jupyter-notebook, packer, python3.5, and rclone), Fedora (firefox), Mageia (firefox, nss), openSUSE (gdm, kernel-firmware, and moinmoin-wiki), Oracle (net-snmp), SUSE (libzypp, zypper), and Ubuntu (c-ares).
[$] LWN.net Weekly Edition for November 19, 2020
The LWN.net Weekly Edition for November 19, 2020 is available.
[$] OpenWrt and self-signed certificates
The move to secure most or all of web traffic using HTTPS is generally a good thing; lots of personal information is exchanged via web browsers, after all. Using HTTPS requires web sites to have TLS certificates, however, which has sometimes been an impediment, though Let's Encrypt has generally solved that problem for many. But there are systems out there that may need the HTTPS protection before their owners even have a chance to procure a certificate, IoT devices and home routers, for example. An October discussion among OpenWrt developers explored this problem a bit.
Security updates for Wednesday
Security updates have been issued by openSUSE (opera and raptor), Oracle (bind, bluez, firefox, microcode_ctl, and thunderbird), Red Hat (firefox, net-snmp, and thunderbird), SUSE (java-11-openjdk and tcpdump), and Ubuntu (firefox, krb5, and libvncserver, vino).
No more Flash support in Firefox
Mozilla has announced that the Adobe Flash era is coming to an end. "Firefox version 84 will be the final version to support Flash. On January 26, 2021 when we release Firefox version 85, it will ship without Flash support, improving our performance and security." One suspects that few people will miss this support.
[$] Changed-block tracking and differential backups in QEMU
The block layer of QEMU, the open-source machine emulator and virtualizer, forms the backbone of many storage virtualization features: the QEMU Copy-On-Write (QCOW2) disk-image file format, disk image chains, point-in-time snapshots, backups, and more. At the recently concluded 2020 KVM Forum virtual event, Eric Blake gave a talk on the current work in QEMU and libvirt to make differential backups more powerful. As the name implies, "differential backups" address the efficiency problems of full disk backups: space usage and speed of backup creation.
Security updates for Tuesday
Security updates have been issued by Debian (libdatetime-timezone-perl, openldap, pacemaker, and restic), Fedora (libmediainfo, mediainfo, mingw-python3, and seamonkey), Gentoo (libexif), openSUSE (raptor), Oracle (kernel and microcode_ctl), Scientific Linux (firefox), SUSE (kernel-firmware, postgresql, postgresql96, postgresql10 and postgresql12, and raptor), and Ubuntu (openldap and postgresql-10, postgresql-12, postgresql-9.5).
Firefox 83.0 released
Version 83.0 of the Firefox browser is out. Headline features include a new HTTPS-only mode, JavaScript performance improvements, and more; see the release notes for details.
[$] A realtime developer's checklist
Realtime application development under Linux requires care to make sure that the critical realtime tasks do not suffer interference from other applications and the rest of the system. During the Embedded Linux Conference (ELC) 2020, John Ogness presented a checklist (slides [PDF]) for realtime developers, with practical recipes to follow. There are a lot of tools and features available for realtime developers, even on systems without the RT_PREEMPT patches applied.
Security updates for Monday
Security updates have been issued by Debian (libdatetime-timezone-perl and libvncserver), Fedora (chromium, kernel, kernel-headers, kernel-tools, krb5, libexif, libxml2, and thunderbird), Gentoo (chromium, libmaxminddb, and mit-krb5), Mageia (arpwatch, bluez, chromium-browser-stable, firefox and thunderbird, golang, java-1.8.0-op, kdeconnect-kde, kleopatra, libexif, lilypond, microcode, packagekit, ruby, and tpm2-tss), openSUSE (chromium, firefox, ImageMagick, kernel, openldap2, python-waitress, SDL, u-boot, ucode-intel, and zeromq), Oracle (fence-agents, firefox, freetype, kernel, python, python3, and thunderbird), Red Hat (rh-postgresql10-postgresql, rh-postgresql12-postgresql, and virt:8.2 and virt-devel:8.2), Slackware (seamonkey), and SUSE (firefox, gdm, kernel, and kernel-firmware).
Kernel prepatch 5.10-rc4
The 5.10-rc4 kernel prepatch is out for testing. "All looks good, and nothing makes me go 'uhhuh, 5.10 looks iffy'. So go test, let's get this all solid and calmed down, and this will hopefully be one of those regular boring releases even if it's certainly not been on the smaller side..."
youtube-dl repository restored at GitHub
The GitHub repository for the youtube-dl utility, which is used to download video content from various web sites (including YouTube, thus the name), has been restored. As we reported in last week's edition, GitHub had taken the repository down due to a DMCA notice from the Recording Industry Association of America (RIAA). The only change made to youtube-dl is the removal of some tests that downloaded a few seconds of certain music videos; those videos were specifically targeted by the RIAA in its complaint.
[$] Systemd catches up with bind events
The kernel project has a strong focus on not breaking user-space applications; if something works with a given kernel release, it should continue to work with subsequent releases. So it may be discouraging to read the lengthy exposition on an apparent user-space API break in the announcement for the systemd 247-rc2 release. Changes to udev configuration files will be needed to keep systems working, but the systemd project claims that it "is not [the] fault of systemd or udev, but caused by an incompatible kernel change that happened back in Linux 4.12". It seems like an appropriate time to look at what happened, how administrators need to respond, and whether anything can be done to avoid this kind of thing from happening again.
Security updates for Friday
Security updates have been issued by Debian (libproxy, pacemaker, and thunderbird), Fedora (nss), openSUSE (kernel), Oracle (curl, librepo, qt and qt5-qtbase, and tomcat), Red Hat (firefox), SUSE (firefox, java-1_7_0-openjdk, and openldap2), and Ubuntu (apport, libmaxminddb, openjdk-8, openjdk-lts, and slirp).
[$] iproute2 and libbpf: vendoring on the small scale
LWN's recent article on Kubernetes in Debian discussed the challenges of packaging a massive project with hundreds of dependencies. Many of the issues that arose there, however, are not limited to such projects, as can be seen in the ongoing discussion about whether a copy of the relatively small libbpf library should be shipped with the iproute2 collection of networking tools. Fast-moving projects, it would seem, continue to feel limited by the restrictions imposed by the Linux distribution model.
Security updates for Thursday
Security updates have been issued by Debian (codemirror-js, firefox-esr, and pacemaker), Fedora (firefox, java-latest-openjdk, and xen), openSUSE (sddm), Oracle (bind, curl, fence-agents, kernel, librepo, libvirt, python3, qt and qt5-qtbase, and tomcat), SUSE (firefox), and Ubuntu (intel-microcode, openldap, and raptor2).
[$] LWN.net Weekly Edition for November 12, 2020
The LWN.net Weekly Edition for November 12, 2020 is available.
[$] The RIAA, GitHub, and youtube-dl
Toward the end of October, GitHub removed the repository for the youtube-dl utility, which provides a means to download video content from various streaming sites, such as YouTube. The repository was replaced with a cheery notice that it had been removed due to a DMCA takedown. It will likely come as no surprise that the DMCA action came from the Recording Industry Association of America (RIAA) or that the complaint was that the program circumvented the "technological protection measures" used on the videos by YouTube and other authorized sites.
[$] KVM for Android
A Google project aims to bring the Linux kernel virtualization mechanism, KVM, to Android systems. Will Deacon leads that effort and he (virtually) came to KVM Forum to discuss the project, its goals, and some of the challenges it has faced. Unlike some Android projects of the past, though, "protected KVM" is being worked on in the open, with code going upstream along the way.
Security updates for Wednesday
Security updates have been issued by Arch Linux (chromium, firefox, gdm, linux-hardened, matrix-synapse, salt, sddm, and wordpress), Debian (firefox-esr, libmaxminddb, and moin), Fedora (cifs-utils, firefox, galera, java-latest-openjdk, mariadb, mariadb-connector-c, and wordpress), Gentoo (blueman, chromium, firefox, mariadb, qemu, salt, tmux, and wireshark), openSUSE (sddm), Oracle (kernel), Red Hat (kernel-alt, microcode_ctl, and rh-nodejs12-nodejs), SUSE (kernel, microcode_ctl, openldap2, python-waitress, spice-vdagent, u-boot, and ucode-intel), and Ubuntu (firefox, intel-microcode, linux, linux-aws, linux-azure, linux-gcp, linux-kvm, linux-oracle, linux-raspi, linux, linux-gcp, linux-gcp-4.15, linux-gcp-5.4, linux-gke-4.15, linux-gke-5.3, linux-hwe, linux-hwe-5.4, linux-oem, linux-oem-osp1, linux-oracle, linux-oracle-5.4, and moin).
Yet another set of stable kernel updates
The second set of stable kernel updates in a single day has just come out: 5.9.8, 5.4.77, 4.19.157, 4.14.206, 4.9.243, and 4.4.243 are all available. They all contain a single patch fixing an urgent security issue. Greg Kroah-Hartman says: "Hint, if you are using SGX, then upgrade. And then possibly reconsider the decisions you have recently made that caused you to write special code to use that crazy thing." See this article for information on SGX in the kernel.
Eleven Years of Go
The Go blog celebrates eleven years of Go language development and looks forward to what comes next. "When the pandemic hit, we decided to pause any public announcements or launches in the spring, recognizing that everyone’s attention rightly belonged elsewhere. But we kept working, and one of our team members joined the Apple/Google collaboration on privacy-preserving exposure notifications to support contact tracing efforts all over the world. In May, that group launched the reference backend server, written in Go."
Stable kernel updates
Stable kernels 5.9.7, 5.4.76, 4.19.156, 4.14.205, 4.9.242, and 4.4.242 have been released. They all contain important fixes and users should upgrade.
Security updates for Tuesday
Security updates have been issued by Debian (moin, obfs4proxy, tcpdump, and zeromq3), Fedora (samba), Mageia (lout, openldap, pacemaker, samba, sddm, and spice, spice-gtk), openSUSE (bluez, ImageMagick, java-1_8_0-openj9, otrs, and wireshark), Red Hat (bind, buildah, curl, fence-agents, kernel, kernel-rt, kpatch-patch, librepo, libvirt, podman, python, python3, qt and qt5-qtbase, resource-agents, skopeo, tomcat, and unixODBC), SUSE (gcc10, python3, SDL, and zeromq), and Ubuntu (libexif).