Feed lwn LWN.net

Link https://lwn.net/
Feed http://lwn.net/headlines/rss
Updated 2025-04-22 07:00
Security updates for Tuesday
Security updates have been issued by Debian (firmware-nonfree, golang-github-seccomp-libseccomp-golang, and ruby-kramdown), Fedora (kernel, libmetalink, and nodejs), openSUSE (go1.13, perl-XML-Twig, and thunderbird), Oracle (kernel, libvncserver, and thunderbird), Red Hat (kernel-rt and python-paunch and openstack-tripleo-heat-templates), SUSE (dpdk, google-compute-engine, libX11, webkit2gtk3, xen, and xorg-x11-libX11), and Ubuntu (nss and samba).
Stable kernels 5.8.1, 5.7.15, 5.4.58, and 4.19.139
Greg Kroah-Hartman has released the 5.8.1, 5.7.15, 5.4.58, and 4.19.139 stable kernels. As usual, these contain lots of important fixes throughout the tree; users should upgrade.
Emacs 27.1 released
Version 27.1 of the Emacs editor is out. New features include support for arbitrary-sized integers, HarfBuzz support, improved drawing with Cairo, and the obligatory new JSON parser.
[$] End-to-end network programmability
Nick McKeown kicked off the virtual Netdev 0x14 conference with a talk on extending the programmability of networking equipment well beyond where it is today. His vision is of an end-to-end system with programmable pieces at every level. Getting there will require collaboration between the developers of the networking stacks on endpoint operating systems as well as those of switches, routers, and other backbone equipment. The keynote was held on July 28, a little over two weeks before the seven days of talks, workshops, and tutorials for Netdev, which begins on August 13.
Security updates for Monday
Security updates have been issued by Debian (pillow, ruby-kramdown, wpa, and xrdp), Fedora (ark and rpki-client), Gentoo (apache, ark, global, gthumb, and iproute2), openSUSE (chromium, grub2, java-11-openjdk, libX11, and opera), Red Hat (bind, chromium-browser, java-1.7.1-ibm, java-1.8.0-ibm, and libvncserver), SUSE (LibVNCServer, perl-XML-Twig, thunderbird, and xen), and Ubuntu (samba).
On Perl 7 and the Perl Steering Committee
For those who are wondering about the state of the proposed Perl 7 fork and the role of the newly formed Perl Steering Committee, Ricardo Signes has put together a detailed explanation that is worth a read. "You should not expect to see a stream of unjustified dictates issuing forth from some secret body on high. You should expect to see perl5-porters operating as it generally did: with proposals coming to the list, getting discussion, and then being thumbed up or down by the project manager. This is what has been happening for years, already. Some proposals were already discussed by the project manager and some were not. If you eliminated any named mailing list for doing this, it would still happen. The PSC is a means to say that there is a default group for such discussions. If you were wondering, its initial membership was formed from 'the people who came to or were invited to the Perl Core Summit' over the last few years."
[$] 5.9 Merge window, part 1
As of this writing, just over 3,900 non-merge changesets have been pulled into the mainline repository for the 5.9 kernel development cycle. While this merge window has just begun, there is already a significant set of new features to point out.
Knauth elected Free Software Foundation president; Bénassy joins board
The Free Software Foundation (FSF) has announced that Geoffrey Knauth has been elected president, and free software activist and developer Odile Bénassy has been appointed to the board of directors. Knauth is replacing Richard Stallman who resigned last year. In Knauth's statement, he said: "The FSF board chose me at this moment as a servant leader to help the community focus on our shared dedication to protect and grow software that respects our freedoms. It is also important to protect and grow the diverse membership of the community."
Security updates for Friday
Security updates have been issued by CentOS (firefox, java-1.8.0-openjdk, java-11-openjdk, libvncserver, postgresql-jdbc, and thunderbird), Debian (firejail and gupnp), Fedora (cutter-re, postgresql-jdbc, radare2, and webkit2gtk3), openSUSE (chromium, firefox, kernel, and python-rtslib-fb), Oracle (container-tools:ol8, kernel, and nss and nspr), Scientific Linux (thunderbird), and SUSE (firefox, kernel, postgresql10 and postgresql12, python-ipaddress, and xen).
Stable kernels 5.7.14, 5.4.57, 4.19.138, and 4.14.193
Greg Kroah-Hartman has released the 5.7.14, 5.4.57, 4.19.138, and 4.14.193 stable kernels. As usual, these contain lots of important fixes throughout the tree; users should upgrade.
[$] PHP struggles with attributes syntax
PHP 8.0 is on the horizon, and the project has imposed a feature-freeze for the release. There's one exception to the feature-freeze, though: the new attributes syntax. An attribute is syntactical metadata for PHP code, identical to what is called an "annotation" in other languages. Even though attributes have been voted on multiple times by the community, major contributor and creator of XDebug Derick Rethans threw a wrench into the works days before the feature-freeze by challenging the current syntax. The ensuing discussion led to the fourth attributes proposal for the year, with a special feature-freeze exception being made by release manager Sara Golemon. This exception gives Rethans one more opportunity to convince the community to change how attributes work up to the Beta 3 release, scheduled for September 3.
The GNU C Library version 2.32 is now available
Version 2.32 of the GNU C Library (glibc) has been released. It contains support for Unicode 13.0.0, a new Kurdish/Sorani locale (ckb_IQ), support for audit modules listed in ELF sections of the executable, support for Synopsys ARC HS cores, new signal abbreviation and descriptive text functions (sigabbrev_np() and sigdescr_np()), similar functions for errno values (strerrorname_np() and strerrordesc_np()), branch protection security hardening for arm64, and more. There are also lots of bug fixes, deprecations, and removals, as well as four security fixes. More information can be found in the release notes.
Security updates for Thursday
Security updates have been issued by Debian (clamav and json-c), Fedora (python2, python36, and python37), Red Hat (thunderbird), Scientific Linux (thunderbird), SUSE (java-11-openjdk, kernel, rubygem-actionview-4_2, wireshark, xen, and xrdp), and Ubuntu (openjdk-8 and ppp).
[$] LWN.net Weekly Edition for August 6, 2020
The LWN.net Weekly Edition for August 6, 2020 is available.
[$] Checking out FreeCAD
Our look at running a CNC milling machine using open-source software led me to another tool worth looking at: FreeCAD. I wasn't previously familiar with the program, so I decided to check it out. In this article I will walk through my experiences with using FreeCAD for the first time to do a variety of CNC-related tasks I normally would have used a commercial product for. I had varying degrees of success in my endeavors, but in the end came away with a positive opinion.
Firefox extended tracking protection
This Mozilla Security Blog entry describes the new redirect-tracking protections soon to be provided by the Firefox browser. "ETP 2.0 clears cookies and site data from tracking sites every 24 hours, except for those you regularly interact with. We’ll be rolling ETP 2.0 out to all Firefox users over the course of the next few weeks."
[$] "Structural pattern matching" for Python, part 1
We last looked at the idea of a Python "match" or "switch" statement back in 2016, but it is something that has been circulating in the Python community both before and since that coverage. In June it was raised again, with a Python Enhancement Proposal (PEP) supporting it: PEP 622 ("Structural Pattern Matching"). As that title would imply, the match statement proposed in the PEP is actually a pattern-matching construct with many uses. While it may superficially resemble the C switch statement, a Python match would do far more than simply choose a chunk of code to execute based on the value of an expression.
Security updates for Wednesday
Security updates have been issued by Debian (net-snmp), Fedora (mingw-curl), openSUSE (firefox, ghostscript, and opera), Oracle (libvncserver and postgresql-jdbc), Scientific Linux (postgresql-jdbc), SUSE (firefox, kernel, libX11, xen, and xorg-x11-libX11), and Ubuntu (apport, grub2, grub2-signed, libssh, libvirt, mysql-8.0, ppp, tomcat8, and whoopsie).
Another set of stable kernels
The 5.7.13, 5.4.56, 4.19.137, and 4.14.192 stable kernel updates have been released; each contains another set of important fixes.
LibreOffice 7.0 released
Version 7.0 of the LibreOffice office suite is out. It brings a long list of new features, including: "support for OpenDocument Format (ODF) 1.3; Skia graphics engine and Vulkan GPU-based acceleration for better performance; and carefully improved compatibility with DOCX, XLSX and PPTX files". The plan to create a differentiated "enterprise edition" that was discussed in July has been deferred and is not part of this release.
Security updates for Tuesday
Security updates have been issued by Debian (libx11, webkit2gtk, and zabbix), Fedora (webkit2gtk3), openSUSE (claws-mail, ghostscript, and targetcli-fb), Red Hat (dbus, kpatch-patch, postgresql-jdbc, and python-pillow), Scientific Linux (libvncserver and postgresql-jdbc), SUSE (kernel and python-rtslib-fb), and Ubuntu (ghostscript, sqlite3, squid3, and webkit2gtk).
Linux Foundation announces Open Source Security Foundation
The Linux Foundation has announced the formation of the Open Source Security Foundation (OpenSSF). The foundation aims to improve the security of open source software. "The OpenSSF brings together the industry’s most important open source security initiatives and the individuals and companies that support them. The Linux Foundation’s Core Infrastructure Initiative (CII), founded in response to the 2014 Heartbleed bug, and the Open Source Security Coalition, founded by the GitHub Security Lab, are just a couple of the projects that will be brought together under the new OpenSSF. The Foundation’s governance, technical community and its decisions will be transparent, and any specifications and projects developed will be vendor agnostic. The OpenSSF is committed to collaboration and working both upstream and with existing communities to advance open source security for all."
[$] Some statistics from the 5.8 kernel cycle
Linus Torvalds released the 5.8 kernel on August 2, concluding another nine-week development cycle. By the time the work was done, 16,306 non-merge changesets had been pulled into the mainline repository for this release. That happens to be a record, beating the previous record holder (4.9, released in December 2016) by 92 changesets. It was, in other words, a busy development cycle. It's time for our traditional look into where that work came from to see what might be learned.
Julia 1.5 has been released
Version 1.5 of the Julia programming language has been released. On the Julia blog, Jeff Bezanson and Stefan Karpinski describe the highlights of the release, which includes struct layout improvements for decreasing heap allocations, stabilization of the multithreading API, faster random numbers, changes to the scoping rules in the read-eval-print loop (REPL), and more. "Julia excels at simulations, so random numbers are important to a lot of users of the language. For this release Rafael Fourquet, one of the primary architects of the Random standard library and a prolific contributor in general, implemented some impressive algorithmic improvements for some popular cases. The first is a major improvement when generating normally-distributed double-precision floats. Calling randn(1000) is nearly twice as fast in Julia 1.5 compared with Julia 1.4. Generating random booleans also got much faster: rand(Bool, 1000) is nearly 6x faster. Finally, sampling from discrete collections has also gotten faster: rand(1:100, 1000) got 25% faster." LWN looked at Julia (part 1, part 2) back in 2018, shortly after the release of Julia 1.0.
Debian 10.5 released
Debian 10 "buster" received a fifth update. In addition to the usual security and bug fixes, this point release addresses Debian Security Advisory: DSA-4735-1 grub2. This security update covers multiple CVE issues regarding the GRUB2 UEFI SecureBoot 'BootHole' vulnerability.
Security updates for Monday
Security updates have been issued by Arch Linux (ffmpeg, libjcat, mbedtls, tcpreplay, and wireshark-cli), Debian (ark, evolution-data-server, libjpeg-turbo, libopenmpt, libpam-radius-auth, libphp-phpmailer, libssh, ruby-zip, thunderbird, and transmission), Fedora (chromium, clamav, claws-mail, evolution-data-server, freerdp, glibc, java-latest-openjdk, nspr, and nss), Gentoo (libsndfile, pycrypto, python, snmptt, thunderbird, and webkit-gtk), Mageia (botan2, chocolate-doom, cloud-init, dnsmasq, freerdp/remmina, gssdp/gupnp, java-1.8.0-openjdk, matio, microcode, nasm, openjpeg2, pcre2, php-phpmailer, redis, roundcubemail, ruby-rack, thunderbird, virtualbox, and xerces-c), openSUSE (claws-mail, ldb, and libraw), Oracle (firefox), Red Hat (bind, grub2, kernel-rt, libvncserver, nss and nspr, and qemu-kvm-rhev), Scientific Linux (firefox), Slackware (thunderbird), and SUSE (firefox, kernel, and targetcli-fb).
The 5.8 kernel is out
Linus has released the 5.8 kernel. "So I considered making an rc8 all the way to the last minute, but decided it's not just worth waiting another week when there aren't any big looming worries around." Headline features in this release include: branch target identification and shadow call stacks for the arm64 architecture, the BPF iterator mechanism, inline encryption support in the block layer, the CAP_PERFMON and CAP_BPF capabilities, a generalized kernel event-notification subsystem, the KCSAN data-race detector, and more. As always, see the KernelNewbies 5.8 page for more information.
[$] Netgpu and the hazards of proprietary kernel modules
On its face, the netgpu patch set appears to add a useful feature: the ability to copy network data directly between a network adapter and a GPU without moving it through the host CPU. This patch set has quickly become an example of how not to get work into the kernel, though; it has no chance of being merged in anything like its current form and has created a backlash designed to keep modules like it from ever working in mainline kernels. It all comes down to one fundamental mistake: basing kernel work on a proprietary kernel module.
Stable kernels 5.7.12, 5.4.55, 4.19.136, 4.14.191, 4.9.232, and 4.4.232
Greg Kroah-Hartman has released the 5.7.12, 5.4.55, 4.19.136, 4.14.191, 4.9.232, and 4.4.232 stable kernels. As usual, these contain lots of important fixes throughout the tree; users should upgrade.
X.org security fixes address potential ASLR bypass, heap corruption
The X.Org project has announced two security advisories that impact Xserver and libX11. The first advisory for X server is regarding uninitialized memory in AllocatePixmap() that could lead to address space layout randomization bypass. The second, impacting libX11, is a heap corruption caused by integer overflows and signed/unsigned comparisons.
Security updates for Friday
Security updates have been issued by Debian (grub2 and mercurial), Fedora (chromium, firefox, and freerdp), Oracle (firefox and kernel), Red Hat (firefox), Scientific Linux (firefox, grub2, and kernel), and SUSE (ghostscript and targetcli-fb).
systemd 246 released
Systemd 246 has been released. There is an incredibly long list of new features, many of which have to do with support for encrypted and signed disk volumes. "Various command line parameters and configuration file settings that configure key or certificate files now optionally take paths to AF_UNIX sockets in the file system. If configured that way a stream connection is made to the socket and the required data read from it. This is a simple and natural extension to the existing regular file logic, and permits other software to provide keys or certificates via simple IPC services, for example when unencrypted storage on disk is not desired."
[$] Go filesystems and file embedding
The Go team has recently published several draft designs that propose changes to the language, standard library, and tooling: we covered the one on generics back in June. Last week, the Go team published two draft designs related to files: one for a new read-only filesystem interface, which specifies a minimal interface for filesystems, and a second design that proposes a standard way to embed files into Go binaries (by building on the filesystem interface). Embedding files into Go binaries is intended to simplify deployments by including all of a program's resources in a single binary; the filesystem interface design was drafted primarily as a building block for that. There has been a lot of discussion on the draft designs, which has been generally positive, but there are some significant concerns.
Security updates for Thursday
Security updates have been issued by Arch Linux (webkit2gtk), CentOS (GNOME, grub2, and kernel), Debian (firefox-esr, grub2, json-c, kdepim-runtime, libapache2-mod-auth-openidc, net-snmp, and xrdp), Gentoo (chromium and firefox), Mageia (podofo), openSUSE (knot and tomcat), Oracle (grub2, kernel, postgresql-jdbc, and python-pillow), Red Hat (firefox, grub2, kernel, and kernel-rt), SUSE (grub2), and Ubuntu (firefox, grub2, grub2-signed, and librsvg).
Grub2 updates for Red Hat systems are making some unbootable
As reported in the comments on the Grub2 secure-boot vulnerabilities report, the updates for grub2 for RHEL 8 and CentOS 8 are making some systems unbootable. The boot problems are seemingly unrelated to whether the system has secure boot enabled. It may be worth waiting a bit for that to shake out.
[$] LWN.net Weekly Edition for July 30, 2020
The LWN.net Weekly Edition for July 30, 2020 is available.
[$] Open-source CNCing
Last year Sienci Labs finished its Kickstarter campaign for the open-source LongMill Benchtop CNC Router — its second successful open-source CNC machine Kickstarter campaign. CNC routers allow users to mill things (like parts) from raw materials (like a block of aluminum) based on a 3D-model. The LongMill is a significant improvement over the original sold-out Mill One and makes professional-quality machining based entirely on open-source technology a reality. As an owner of a LongMill, I will walk through the various open-source technologies that make this tool a cornerstone of my home workshop.
A long list of GRUB2 secure-boot holes
Several vulnerabilities have been disclosed in the GRUB2 bootloader; they enable the circumvention of the UEFI secure boot mechanism and the persistent installation of hostile software. Fixing the problem is not just a matter of getting a new GRUB2 installation, unfortunately. "It is important to note that updating the exploitable binaries does not in fact mitigate the CVE, since an attacker could bring an old, exploitable, signed copy of a grub binary onto a system with whatever kernel they wished to load. In order to mitigate, the UEFI Revocation List (dbx) must be updated on a system. Once the UEFI Revocation List is updated on a system, it will no longer boot binaries that pre-date these fixes. This includes old install media."
Four stable kernels
Stable kernels 5.7.11, 5.4.54, 4.19.135, and 4.14.190 have been released. They all contain important fixes and users should upgrade.
[$] A look at Dart
Dart is a BSD-licensed programming language from Google with a mature open-source community supporting the project. It works with multiple architectures, is capable of producing native machine-code binaries, and can also produce JavaScript versions of its applications. Dart version 1.0 was released in 2013, with the most recent version, 2.8, released on June 3 (2.9 is currently in public beta). Among the open-source projects using Dart is the cross-device user-interface (UI) toolkit Flutter. We recently covered the Canonical investment in Flutter to help drive more applications to the Linux desktop, and Dart is central to that story.
Security updates for Wednesday
Security updates have been issued by Debian (curl, firefox-esr, luajit, and salt), Fedora (clamav, java-1.8.0-openjdk, and java-11-openjdk), Gentoo (claws-mail, dropbear, ffmpeg, libetpan, mujs, mutt, and rsync), openSUSE (qemu), Red Hat (openstack-tripleo-heat-templates), SUSE (freerdp, ldb, rubygem-puma, samba, and webkit2gtk3), and Ubuntu (mysql-5.7, mysql-8.0 and sympa).
GNU nano 5.0 released
Version 5.0 of the GNU nano text editor is out; it contains a number of improvements to the editing experience. "With --indicator (or -q or 'set indicator') nano will show a kind of scrollbar on the righthand side of the screen to indicate where in the buffer the viewport is located and how much it covers."
[$] Lockless algorithms for mere mortals
Time, as some have said, is nature's way of keeping everything from happening at once. In today's highly concurrent computers, though, time turns out not to be enough to keep events in order; that task falls to an extensive set of locking primitives and, below those, the formalized view of memory known as the Linux kernel memory model. It takes a special kind of mind to really understand the memory model, though; kernel developers lacking that particular superpower are likely to make mistakes when working in areas where the memory model comes into play. Working at that level is increasingly necessary for performance purposes, though; a recent conversation points out ways in which the kernel could make that kind of work easier for ordinary kernel developers.
Firefox 79.0
Firefox 79.0 has been released. This version has improved accessibility for people using screen readers. See the release notes for more details.
[$] TLS gets a boost from Arduino for IoT devices
Arduino devices are a favorite among do-it-yourself (DIY) enthusiasts to create, among other things, Internet of Things (IoT) devices. We have previously covered the Espressif ESP8266 family of devices that can be programmed using the Arduino SDK, but the Arduino project itself also provides WiFi-enabled devices such as the Arduino MKR WiFi 1010 board. Recently, the Arduino Security Team raised the problem of security shortcomings of IoT devices in a post, and how the Arduino project is working to make improvements. We will take the opportunity to share some interesting things from that, and also look at the overall state of TLS support in the Arduino and Espressif SDK projects.
Historical programming-language groups disappearing from Google
As Alex McDonald notes in this support request, Google has recently banned the old Usenet groups comp.lang.forth and comp.lang.lisp from the Google Groups system. "Of specific concern is the archive. These are some of the oldest groups on Usenet, and the depth & breadth of the historical material that has just disappeared from the internet, on two seminal programming languages, is huge and highly damaging. These are the history and collective memories of two communities that are being expunged, and it's not great, since there is no other comprehensive archive after Google's purchase of Dejanews around 20 years ago." Perhaps Google can be convinced to restore the content, but it also seems that some of this material could benefit from a more stable archive.
Security updates for Tuesday
Security updates have been issued by openSUSE (cacti, cacti-spine, go1.13, SUSE Manager Client Tools, and tomcat), Red Hat (postgresql-jdbc and python-pillow), Slackware (mozilla), SUSE (python-Django and python-Pillow), and Ubuntu (clamav, librsvg, libslirp, linux-gke-5.0, linux-oem-osp1, linux-hwe, linux-azure-5.3, linux-gcp-5.3, linux-gke-5.3, linux-hwe, linux-oracle-5.3, and sqlite3).
Git v2.28.0
Version 2.28.0 of the git version control system has been released. "It is smaller than the releases in our recent past, mostly due to the development cycle was near the shorter end of the spectrum (our cycles last 8-12 weeks and this was a rare 8-week cycle)." See this GitHub Blog post for details on the new features in this release.
Security updates for Monday
Security updates have been issued by Debian (e2fsprogs, ffmpeg, milkytracker, mupdf, openjdk-11, and qemu), Fedora (bashtop), Gentoo (ant, arpwatch, awstats, cacti, chromium, curl, dbus, djvu, filezilla, firefox, freexl, fuseiso, fwupd, glib-networking, haml, hylafaxplus, icinga, jhead, lha, libexif, libreswan, netqmail, nss, ntfs3g, ntp, ocaml, okular, ossec-hids, qtgui, qtnetwork, re2c, reportlab, samba, sarg, sqlite, thunderbird, transmission, tre, twisted, webkit-gtk, wireshark, and xen), openSUSE (cacti, cacti-spine, chromium, freerdp, go1.13, kernel, knot, libraw, LibVNCServer, perl-YAML-LibYAML, salt, tomcat, vino, and webkit2gtk3), and SUSE (mailman, rubygem-excon, rust, rust-cbindgen, samba, and tomcat).
Kernel prepatch 5.8-rc7
The 5.8-rc7 kernel prepatch is out for testing; Linus is unsure about whether things are slowing down enough or not. "But it *might* mean that an rc8 is called for. It's not like rc7 is *big* big. We've had bigger rc7's. Both 5.3 and 5.5 had bigger rc7's, but only 5.3 ended up with an rc8. Put another way: it could still go either way. We'll see how this upcoming week goes."