Feed lwn LWN.net

Link https://lwn.net/
Feed http://lwn.net/headlines/rss
Updated 2024-11-24 09:30
Security updates for Tuesday
Security updates have been issued by Arch Linux (salt), CentOS (git), Debian (qtbase-opensource-src), Fedora (java-11-openjdk), Mageia (kernel and openjpeg2), openSUSE (mailman, python-reportlab, ucl, and upx), Oracle (git), Red Hat (container-tools:rhel8, go-toolset:rhel8, grub2, kernel, kernel-rt, php:7.2, and sudo), SUSE (crowbar-core, crowbar-openstack, openstack-neutron-fwaas, rubygem-crowbar-client and python36), and Ubuntu (python-django).
[$] A new hash algorithm for Git
The Git source-code management system is famously built on the SHA‑1 hashing algorithm, which has become an increasingly weak foundation over the years. SHA‑1 is now considered to be broken and, despite the fact that it does not yet seem to be so broken that it could be used to compromise Git repositories, users are increasingly worried about its security. The good news is that work on moving Git past SHA‑1 has been underway for some time, and is slowly coming to fruition; there is a version of the code that can be looked at now.
Security updates for Monday
Security updates have been issued by Arch Linux (opensmtpd), Debian (firefox-esr, libidn2, libjackson-json-java, prosody-modules, qemu, qtbase-opensource-src, spamassassin, and sudo), Fedora (e2fsprogs, java-1.8.0-openjdk, mingw-openjpeg2, openjpeg2, samba, sox, upx, webkit2gtk3, and xar), Red Hat (git), Scientific Linux (git), Slackware (sudo), SUSE (ceph and rmt-server), and Ubuntu (sudo).
GNU C Library 2.31 released
The GNU libc 2.31 release is out. Significant changes include some initial C2X standard support, some DNS stub resolver changes, a new pthread_clockjoin_np() POSIX threads extension, a number of changes to time-related functions, and more.
Some weekend stable kernel updates
The 5.5.1, 5.4.17, and 4.19.101 stable kernel updates have been released; each contains another set of important fixes.
The Yocto Project mourns Scott Rifenbark
The longtime tech writer for the Yocto Project, Scott Rifenbark, has died after a battle with cancer. Project architect Richard Purdie announced the sad news on the yocto mailing list; he also reflected on Rifenbark and his impact: "I remember interviewing Scott over 10 years ago when forming a team at Intel to work on what became the Yocto Project, he was with it from the start. He warned me he wasn't an entirely traditional tech writer but I warned we weren't aiming to be a traditional project either. It was a great match. He stayed with the project ever since in one way or another, he enjoyed working on the project and we enjoyed working with him. The concept of having a tech writer as part of the team was a decision I'm proud of and it shows in the material supporting the project today but that success belongs to Scott and his approach to it. Someone else put that best, 'He would first try the procedure or instructions before documenting it, I was really impressed'. He was hands on and wanted things to be understandable and correct, a huge challenge with some of the complexities we deal with."
[$] Accelerating netfilter with hardware offload, part 2
As network interfaces get faster, the amount of CPU time available to process each packet becomes correspondingly smaller. The good news is that many tasks, including packet filtering, can be offloaded to the hardware itself. The bad news is that the Linux kernel required quite a bit of work to be able to take advantage of that capability. The first article in this series provided an overview of how hardware-based packet filtering can work and the support for this feature that already existed in the kernel. This series now concludes with a detailed look at how offloaded packet filtering works in the netfilter subsystem and how administrators can make use of it.
Security updates for Friday
Security updates have been issued by Debian (libsolv, libxmlrpc3-java, openjpeg2, qemu, and suricata), Fedora (ansible, chromium, java-latest-openjdk, links, mingw-openjpeg2, nss, openjpeg2, python-pillow, thunderbird, webkit2gtk3, and xen), Mageia (gdal, java-1.8.0-openjdk, mariadb, openjpeg2, and sqlite3), Oracle (kernel), Red Hat (rh-java-common-xmlrpc), SUSE (e2fsprogs, ImageMagick, php72, tigervnc, and wicked), and Ubuntu (keystone).
[$] The 5.6 merge window opens
As of this writing, 4,726 non-merge changesets have been pulled into the mainline repository for the 5.6 development cycle. That is a relatively slow start by contemporary kernel standards, but it still is enough to bring a number of new features, some of which have been pending for years, into the mainline. Read on for a summary of the changes pulled in the early part of the 5.6 merge window.
Lars Kurth RIP
Ian Jackson posted a note to the xen-announce mailing list with the sad news that Xen community manager and project advisory board member Lars Kurth has died. "I'm very sad to inform you that Lars Kurth passed away earlier this week. Many of us regarded Lars as a personal friend, and his loss is a great loss to the Xen Project. We plan to have a tribute to Lars on the XenProject blog in the near future. Those who are attending FOSDEM may wish to attend the short tribute we plan for Sunday morning: https://fosdem.org/2020/schedule/event/vai_memory_of_lars_kurth/"
A new stable kernel crop
Five new stable kernels have been released: 5.4.16, 4.19.100, 4.14.169, 4.9.212, and 4.4.212. As usual, each contains important fixes throughout the kernel tree. Users should upgrade.
Security updates for Thursday
Security updates have been issued by Debian (graphicsmagick, opensmtpd, webkit2gtk, wget, and zlib), openSUSE (apt-cacher-ng, GraphicsMagick, java-1_8_0-openjdk, mailman, mumble, rubygem-excon, sarg, and shadowsocks-libev), Oracle (libarchive and openjpeg2), Red Hat (firefox, fribidi, openjpeg2, SDL, and thunderbird), Scientific Linux (openjpeg2), SUSE (glibc, java-1_8_0-openjdk, and rmt-server), and Ubuntu (Apache Solr and webkit2gtk).
[$] LWN.net Weekly Edition for January 30, 2020
The LWN.net Weekly Edition for January 30, 2020 is available.
[$] Fedora gathering requirements for a Git forge
Fedora currently uses Pagure to host many of its Git repositories and to handle things like documentation and bug tracking. But Pagure is maintained by the Red Hat Community Platform Engineering (CPE) team, which is currently straining under the load of managing the infrastructure and tools for Fedora and CentOS, while also maintaining the tools used by the Red Hat Enterprise Linux (RHEL) team. That has led to a discussion about identifying the requirements for a "Git forge" and possibly moving away from Pagure.
Unpleasant vulnerability in OpenSMTPD
Qualys has put out an advisory regarding a vulnerability in OpenBSD's OpenSMTPD mail server. It "allows an attacker to execute arbitrary shell commands, as root: either locally, in OpenSMTPD's default configuration (which listens on the loopback interface and only accepts mail from localhost); or locally and remotely, in OpenSMTPD's 'uncommented' default configuration (which listens on all interfaces and accepts external mail)." OpenBSD users would be well advised to update quickly.
Security updates for Wednesday
Security updates have been issued by CentOS (apache-commons-beanutils, java-1.8.0-openjdk, libarchive, openjpeg2, openslp, python-reportlab, and sqlite), Debian (hiredis, otrs2, and unzip), openSUSE (apt-cacher-ng, git, samba, sarg, and storeBackup), Oracle (openjpeg2), Red Hat (libarchive, openjpeg2, sqlite, and virt:rhel), SUSE (aws-cli and python-reportlab), and Ubuntu (libgcrypt11, linux-aws-5.0, linux-gcp, linux-gke-5.0, linux-oracle-5.0, linux-hwe, linux-hwe, linux-aws-hwe, linux-lts-xenial, linux-aws, and openjdk-8, openjdk-lts).
LibreOffice 6.4 released
Version 6.4 of the LibreOffice productivity suite is out. It is said to be "a new major release providing better performance, especially when opening and saving spreadsheets and presentations, and excellent compatibility with DOCX, XLSX and PPTX files."
Thunderbird spun out to a separate corporation
The Thunderbird email client has been moved into a separate company called "MZLA Technologies Corporation", which remains wholly owned by the Mozilla Foundation. "Moving to MZLA Technologies Corporation will not only allow the Thunderbird project more flexibility and agility, but will also allow us to explore offering our users products and services that were not possible under the Mozilla Foundation. The move will allow the project to collect revenue through partnerships and non-charitable donations, which in turn can be used to cover the costs of new products and services. Thunderbird’s focus isn’t going to change. We remain committed to creating amazing, open source technology focused on open standards, user privacy, and productive communication."
[$] Cryptography and elections
Transparent and verifiable electronic elections are technically feasible, but for a variety of reasons, the techniques used are not actually viable for running most elections—and definitely not for remote voting. That was one of the main takeaways from a keynote at this year's linux.conf.au given by University of Melbourne Associate Professor Vanessa Teague. She is a cryptographer who, along with her colleagues, has investigated several kinds of e-voting software; as is probably not all that much of a surprise, what they found is buggy implementations. She described some of that work in a talk that was a mix of math with software-company and government missteps; the latter may directly impact many of the Australian locals who were in attendance.
Security updates for Tuesday
Security updates have been issued by Debian (iperf3, openjpeg2, and tomcat7), Mageia (ansible, c3p0, fontforge, glpi, gthumb, libbsd, libmediainfo, libmp4v2, libqb, libsass, mbedtls, opencontainers-runc, php, python-pip, python-reportlab, python3, samba, sysstat, tomcat, virtualbox, and webkit2), openSUSE (java-11-openjdk, libredwg, and sarg), Oracle (sqlite), Red Hat (libarchive, nss, and openjpeg2), Scientific Linux (sqlite), SUSE (nodejs6), and Ubuntu (cyrus-sasl2, linux, linux-aws, linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon, linux, linux-aws, linux-oem, mysql-5.7, mysql-8.0, tcpdump, and tomcat8).
[$] Some 5.5 kernel development statistics
The 5.5 kernel was released on January 26. Over the course of this development cycle, it was occasionally said that the holidays were slowing contributions. At the end, though, 5.5 saw the merging of 14,350 non-merge changesets from 1,885 developers — not exactly a slow-moving cycle. Indeed, 5.5 just barely edged out 5.4 as the kernel with the most developers ever. Read on for our traditional look at where the contributions to 5.5 came from, along with a digression into the stable-update process.
Qt offering changes 2020
The Qt blog has announced some changes in how the Qt toolkit is offered to consumers. Notably, installation of Qt binaries will require a Qt Account and long-term-supported (LTS) releases and the offline installer will become available to commercial licensees only. "From February onward, everyone, including open-source Qt users, will require valid Qt accounts to download Qt binary packages. We changed this because we think that a Qt account lets you make the best use of our services and contribute to Qt as an open-source user. We want open-source users to help improve Qt in one form or another, be that through bug reports, forums, code reviews, or similar. These are currently only accessible from a Qt account, which is why having one will become mandatory."
Two more stable kernels
Stable kernels 4.19.99 and 4.14.168. As usual, there are important fixes and users should upgrade.
Stable kernel 5.4.15
Stable kernel 5.4.15 has been released with important fixes throughout the tree. Users should upgrade.
Security updates for Monday
Security updates have been issued by Debian (jsoup and slirp), Fedora (community-mysql, elog, fontforge, libuv, libvpx, mingw-podofo, nodejs, opensc, podofo, thunderbird-enigmail, transfig, and xfig), openSUSE (arc, libssh, and libvpx), Red Hat (git, java-1.8.0-openjdk, java-11-openjdk, python-reportlab, and sqlite), Slackware (thunderbird), and SUSE (java-1_8_0-openjdk, python, and samba).
The 5.5 kernel is out
In the end, Linus decided to release the 5.5 kernel rather than going for another prepatch. "So despite the slight worry that the holidays might have affected the schedule, 5.5 ended up with the regular rc cadence and is out now." Some of the significant features in this release are iopl() emulation, many new io_uring commands, live-patch state tracking, type checking for BPF tracepoint programs, a new CPU load-balancing algorithm, the KUnit unit-testing framework, airtime queue limits for WiFi, and much more. See the KernelNewbies 5.5 changelog for more information.
Librem 5 phone hands-on—Open source phone shows the cost of being different (Ars Technica)
Ars Technica reviews the Purism Librem 5 smartphone, which is made from open-source software and (mostly) open hardware. It is clearly not there yet as a replacement for the phone in our pockets, but it would seem to be on the right path. "The thing to keep in mind here is that Purism has taken on an absolutely gargantuan task. It somehow scraped together a new supply chain of mostly open source components, it came up with a smartphone design from scratch, and it is building its own smartphone distribution of Linux. Two years is not enough time to do this. The OS and app package is not nearly finished, and it lacks basic smartphone functionality. The hardware is nearly finished, but you'll have a hard time taking advantage of it right now since the power management isn't really implemented, and support for things like the cameras are non-existent. If you really want open source smartphones to be a thing, though, this is where you need to start. The Librem 5 is a proof of concept."
When Computer Crimes Are Used To Silence Journalists: Why EFF Stands Against the Prosecution of Glenn Greenwald
The Electronic Frontier Foundation (EFF) has put out a statement in support of journalist Glenn Greenwald whose "prosecution is an attempt to use computer crime law to silence an investigative reporter who exposed deep-seated government corruption". Greenwald is being charged in Brazil, where he reported on corruption within the government of that country. While the EFF said that it has seen "no actions detailed in the criminal complaint that violate Brazilian law", its main concern is the use of ill-defined "cybercrime" laws. "Around the world, cybercrime laws are notoriously hazy. This is in part because it’s challenging to write good cybercrime laws: technology evolves quickly, our language for describing certain digital actions may be imprecise, and lawmakers may not always imagine how laws will later be interpreted. And while the laws are hazy, the penalties are often severe, which makes them a dangerously big stick in the hands of prosecutors. Prosecutors can and do take advantage of this disconnection, abusing laws designed to target criminals who break into computers for extortion or theft to prosecute those engaged in harmless activities, or research—or, in this case, journalists communicating with their sources."
[$] The rapid growth of io_uring
One year ago, the io_uring subsystem did not exist in the mainline kernel; it showed up in the 5.1 release in May 2019. At its core, io_uring is a mechanism for performing asynchronous I/O, but it has been steadily growing beyond that use case and adding new capabilities. Herein we catch up with the current state of io_uring, where it is headed, and an interesting question or two that will come up along the way.
Security updates for Friday
Security updates have been issued by Debian (git and python-apt), Oracle (openslp), Red Hat (chromium-browser and ghostscript), SUSE (samba, slurm, and tomcat), and Ubuntu (clamav, gnutls28, and python-apt).
[$] How to contribute to kernel documentation
Some years back, I was caught in a weak moment and somehow became the kernel documentation maintainer. More recently, I've given a few talks on the state of kernel documentation and the sort of work that needs to be done to make things better. A key part of getting that work done is communicating to potential contributors the tasks that they might helpfully take on — a list that was, naturally, entirely undocumented. To that end, a version of the following document is currently under review and headed for the mainline. Read on to see how you, too, can help to make the kernel's documentation better.
Five new stable kernels
Greg Kroah-Hartman has announced the release of the 4.4.211, 4.9.211, 4.14.167, 4.19.98, and 5.4.14 stable kernels. As usual, these contain important fixes throughout the kernel tree; users should upgrade.
Security updates for Thursday
Security updates have been issued by openSUSE (chromium, libredwg, and thunderbird), Oracle (apache-commons-beanutils, java-1.8.0-openjdk, libarchive, and python-reportlab), Red Hat (kernel), Scientific Linux (apache-commons-beanutils, libarchive, and openslp), SUSE (java-11-openjdk), and Ubuntu (e2fsprogs, graphicsmagick, python-apt, and zlib).
[$] LWN.net Weekly Edition for January 23, 2020
The LWN.net Weekly Edition for January 23, 2020 is available.
[$] A tiny Python called Snek
Keith Packard is no stranger to the linux.conf.au stage; he has spoken on a wide variety of topics since he started going to the conference in 2004 (which was held in Adelaide, where organizers apparently had a lot of ice cream for attendees). One of his talks at this year's conference was on an education-focused project that he has been working on for around a year: a version of Python called "Snek" targeting embedded processors. He gave a look at some of the history of his work with 10-12 year-old students that led to the development of Snek as well as some plans for the language—and hardware to run it on—moving forward.
Security updates for Wednesday
Security updates have been issued by Debian (tiff and transfig), Fedora (thunderbird-enigmail), Mageia (ffmpeg and sox), openSUSE (fontforge, python3, and tigervnc), Oracle (python-reportlab), Red Hat (apache-commons-beanutils, java-1.8.0-openjdk, kernel, kernel-alt, libarchive, openslp, openvswitch2.11, openvswitch2.12, and python-reportlab), Scientific Linux (java-1.8.0-openjdk and python-reportlab), SUSE (samba and tigervnc), and Ubuntu (python-pysaml2).
[$] Control-flow integrity for the kernel
Control-flow integrity (CFI) is a technique used to reduce the ability to redirect the execution of a program's code in attacker-specified ways. The Clang compiler has some features that can assist in maintaining control-flow integrity, which have been applied to the Android kernel. Kees Cook gave a talk about CFI for the Linux kernel at the recently concluded linux.conf.au in Gold Coast, Australia.
Wine 5.0 released
Wine 5.0 has been released. The main highlights are builtin modules in PE format, multi-monitor support, XAudio2 reimplementation, and Vulkan 1.1 support. Wine is capable of running Windows applications on Linux and other POSIX-compliant systems.
Roose: PHP in 2020
Brent Roose argues that it is time to take another look at PHP. "In this post, I want to look at this bright side of PHP development. I want to show you that, despite its many shortcomings, PHP is a worthwhile language to learn. I want you to know that the PHP 5 era is coming to an end. That, if you want to, you can write modern and clean PHP code, and leave behind much of the mess it was 10 years ago."
Security updates for Tuesday
Security updates have been issued by Debian (openconnect), Fedora (e2fsprogs, glibc, kernel, and nss), openSUSE (Mesa, php7, and slurm), Oracle (.NET Core, java-1.8.0-openjdk, java-11-openjdk, and thunderbird), Red Hat (java-1.8.0-openjdk, openvswitch, and openvswitch2.11), Scientific Linux (java-1.8.0-openjdk), SUSE (java-11-openjdk, libssh, libvpx, Mesa, and thunderbird), and Ubuntu (libbsd and samba).
[$] process_madvise(), pidfd capabilities, and the revenge of the PIDs
Once upon a time, there were few ways for one process to operate upon another after its creation; sending signals and ptrace() were about it. In recent years, interest in providing ways for processes to control others has been on the increase, and the kernel's process-management API has been expanded accordingly. Along these lines, the process_madvise() system call has been proposed as a way for one process to influence how memory management is done in another. There is a new process_madvise() series which is interesting in its own right, but this series has also raised a couple of questions about how process management should be improved in general.
GNU make 4.3 released
GNU make 4.3 is out. New features include explicit grouped targets, a new .EXTRA_PREREQS variable, the ability to specify parallel builds in the makefile itself, and more. There are also a couple of backward-incompatible changes; see the announcement for details.
Security updates for Monday
Security updates have been issued by CentOS (git, java-11-openjdk, and thunderbird), Debian (cacti, chromium, gpac, kernel, openjdk-11, ruby-excon, and thunderbird), Fedora (chromium and rubygem-rack), Mageia (suricata, tigervnc, and wireshark), openSUSE (glusterfs, libredwg, and uftpd), and Ubuntu (linux-hwe and sysstat).
Kernel prepatch 5.5-rc7
The 5.5-rc7 kernel prepatch is out. Linus is still unsure whether the final 5.5 release will come out next week or not: "if it looks like there's pent-up fixes pending next week, I'll make another rc".
Three stable kernels
Stable kernels 5.4.13, 4.19.97, and 4.14.166 have been released. They all contain important fixes and users should upgrade.
[$] KRSI and proprietary BPF programs
The "kernel runtime security instrumentation" (or KRSI) patch set enables the attachment of BPF programs to every security hook in the kernel; LWN covered this work in December. That article focused on ABI issues, but it deferred another potential problem to our 2020 predictions: the possibility that vendors could start shipping proprietary BPF programs for use with frameworks like KRSI. Other developers did pick up on the possibility that KRSI could be abused this way, though, leading to a discussion on whether KRSI should continue to allow the loading of BPF programs that do not carry a GPL-compatible license.
Fedora CoreOS out of preview (Fedora Magazine)
Fedora Magazine reports that the Fedora CoreOS distribution is now deemed ready for use. "Fedora CoreOS is a new Fedora Edition built specifically for running containerized workloads securely and at scale. It’s the successor to both Fedora Atomic Host and CoreOS Container Linux and is part of our effort to explore new ways of assembling and updating an OS. Fedora CoreOS combines the provisioning tools and automatic update model of Container Linux with the packaging technology, OCI support, and SELinux security of Atomic Host."
Security updates for Friday
Security updates have been issued by Arch Linux (chromium), Fedora (gnulib, ImageMagick, jetty, ocsinventory-agent, phpMyAdmin, python-django, rubygem-rmagick, thunderbird, and xar), Mageia (e2fsprogs, kernel, and libjpeg), openSUSE (icingaweb2), Oracle (git, java-11-openjdk, and thunderbird), Red Hat (.NET Core), Scientific Linux (git, java-11-openjdk, and thunderbird), SUSE (fontforge and LibreOffice), and Ubuntu (kamailio and thunderbird).
[$] Scheduling for the Android display pipeline
Android users make heavy use of the displays on their devices for almost all of their interaction; good display performance is thus critical for a satisfactory user experience. Achieving that performance is not always easy; there are a lot of pieces that need to work together, and the kernel does not always support this collaboration as well as one might like. The Android team is currently considering a number of combinations of existing kernel features and possible enhancements in its efforts to provide the best display experience possible.
GNU Guile 3.0.0 released
Version 3.0.0 of the Guile implementation of the Scheme programming language has been released. There's a lot of work here, including a new, lower-level byte code implementation, interleaved internal definitions, a new exception implementation, and much more. "Guile programs now run up to 4 times faster, relative to Guile 2.2, thanks to just-in-time (JIT) native code generation. Notably, this brings the performance of "eval" as written in Scheme back to the level of 'eval' written in C, as in the days of Guile 1.8."