The 5.11-rc4 kernel prepatch is out for testing. "Things continue to look fairly normal for this release: 5.11-rc4 is solidly average in size, and nothing particularly scary stands out."
Daniel Stenberg writes about getting paid to work on curl — 21 years after starting the project. "I ran curl as a spare time project for decades. Over the years it became more and more common that users who submitted bug reports or asked for help about things were actually doing that during their paid work hours because they used curl in a commercial surrounding – which sometimes made the situation almost absurd. The ones who actually got paid to work with curl were asking the unpaid developers to help them out."
The Linux 5.10 release included a change that is expected to significantly increase the performance of the ext4 filesystem; it goes by the name "fast commits" and introduces a new, lighter-weight journaling method. Let us look into how the feature works, who can benefit from it, and when its use may be appropriate.
Since the release of the 5.5 kernel in January 2020, there have been almost 87,000 patches from just short of 4,600 developers merged into the mainline repository. Reviewing all of those patches would be a tall order for even the most prolific of kernel developers, so decisions on patch acceptance are delegated to a long list of subsystem maintainers, each of whom takes partial or full responsibility for a specific portion of the kernel. These maintainers are documented in a file called, surprisingly, MAINTAINERS. But the MAINTAINERS file, too, must be maintained; how well does it reflect reality?
Version 6.0 of the Wine Windows not-an-emulator has been released. "This release is dedicated to the memory of Ken Thomases, who passed away just before Christmas at the age of 51. Ken was an incredibly brilliant developer, and the mastermind behind the macOS support in Wine. We all miss his skills, his patience, and his dark sense of humor." Significant features include core modules built as PE executables, an experimental Direct3D renderer, DirectShow support, a new text console, and more.
Security updates have been issued by Fedora (adplug, audacious-plugins, cpu-x, kernel, kernel-headers, ocp, php, and python-lxml), openSUSE (crmsh, firefox, and hawk2), Oracle (thunderbird), Red Hat (kernel-rt), SUSE (kernel and rubygem-archive-tar-minitar), and Ubuntu (openvswitch and tar).
It may be kind of an obvious statement, but licensing terms matter in our communities. Even a misplaced word or three can be fatal for a license, which is part of the motivation for the efforts to reduce license proliferation in free-software projects. Over the last few months, various distribution projects have been discussing changes made to the license for the Nmap network scanner; those changes seemed to be adding restrictions that would make the software non-free, though that was not the intent. But the incident does serve to show the importance of license clarity.
Tedium is running a history of the Linksys WRT54G router. "But the reason the WRT54G series has held on for so long, despite using a wireless protocol that was effectively made obsolete 12 years ago, might come down to a feature that was initially undocumented—a feature that got through amid all the complications of a big merger. Intentionally or not, the WRT54G was hiding something fundamental on the router’s firmware: Software based on Linux."
Alyssa Rosenzweig presents a progress report on the Panfrost driver for Arm Mali Midgard and Bifrost GPUs, which now provides non-conformant OpenGL ES 3.0 on Bifrost and desktop OpenGL 3.1 on Midgard. "Architecturally, Bifrost shares most of its fixed-function data structures with Midgard, but features a brand new instruction set. Our work for bringing up OpenGL ES 3.0 on Bifrost reflects this division. Some fixed-function features, like instancing and transform feedback, worked without any Bifrost-specific changes since we already did bring-up on Midgard. Other shader features, like uniform buffer objects, required "from scratch" implementations in the Bifrost compiler, a task facilitated by the compiler's maturing intermediate representation with first-class builder support. Yet other features like multiple render targets required some Bifrost-specific code while leveraging other code shared with Midgard. All in all, the work progressed much more quickly the second time around, a testament to the power of code sharing. But there is no need to limit sharing to just Panfrost GPUs; open source drivers can share code across vendors."
Arnd Bergmann stirred up a bit of a discussion with his January 8 "bring out your dead" posting, wherein he raised the idea of removing support for a long list of seemingly unloved Arm platforms — and a few non-Arm ones as well. Many of these have seen no significant work in at least six years. In a January 13 followup, he notes that several of those platforms will be spared for now due to ongoing interest. Several others, though (efm32, picoxcell, prima2, tango, u300, and zx) remain on the chopping block, and the status of another handful remains uncertain. Readers who care about old Arm platforms may want to have a look at the list now and speak up if they still need support for one of the platforms that might otherwise be deleted.
Security updates have been issued by Debian (coturn, imagemagick, and spice-vdagent), Fedora (roundcubemail and sympa), Gentoo (asterisk and virtualbox), Oracle (kernel and kernel-container), Red Hat (dotnet3.1, dotnet5.0, and thunderbird), SUSE (crmsh, firefox, hawk2, ImageMagick, kernel, libzypp, zypper, nodejs10, nodejs14, openstack-dashboard, release-notes-suse-openstack-cloud, and tcmu-runner), and Ubuntu (coturn).
The problems with "vendoring" in packages—bundling dependencies rather than getting them from other packages—seem to crop up frequently these days. We looked at Debian's concerns about packaging Kubernetes and its myriad of Go dependencies back in October. A more recent discussion in that distribution's community looks at another famously dependency-heavy ecosystem: JavaScript libraries from the npm repository. Even C-based ecosystems are not immune to the problem, as we saw with iproute2 and libbpf back in November; the discussion of vendoring seems likely to recur over the coming years.
The Google Project Zero blog is carrying a six-part series exploring, in great detail, a set of sophisticated exploits discovered in the wild. "These exploit chains are designed for efficiency & flexibility through their modularity. They are well-engineered, complex code with a variety of novel exploitation methods, mature logging, sophisticated and calculated post-exploitation techniques, and high volumes of anti-analysis and targeting checks. We believe that teams of experts have designed and developed these exploit chains. We hope this blog post series provides others with an in-depth look at exploitation from a real world, mature, and presumably well-resourced actor."
The kernel project goes out of its way to facilitate building with older toolchains. Building a kernel on a new system can be enough of a challenge as it is; being forced to install a custom toolchain first would not improve the situation. So the kernel developers try to keep it possible to build the kernel with the toolchains shipped by most distributors. There are costs to this policy though, including an inability to use newer compiler features. But, as was seen in a recent episode, building with old compilers can subject developers to old compiler bugs too.
The 5.11-rc3 kernel prepatch is out for testing. "So in the rc2 announcement notes I thought we might have a slow week for rc3 as well due to people just coming back from vacations and it taking some time for bug reports etc to start trickling in. That turned out to be the incoherent ramblings of a crazy old man."
The 5.10.6, 5.4.88, 4.19.166, 4.14.214, 4.9.250, and 4.4.250 stable kernel updates have all been released; each contains a relatively small number of important fixes.
The Fedora 34 release is planned for April 20 — a plan that may well come to fruition, given that the Fedora project appears to have abandoned its tradition of delayed releases. As part of that schedule, any proposals for system-wide changes were supposed to be posted by December 29. That has not stopped the arrival of a late proposal to add file signatures to Fedora's RPM packages, though. This proposal, meant to support the use of the integrity measurement architecture (IMA) in Fedora, has not been met with universal acclaim.
Security updates have been issued by Debian (firefox-esr and libxstream-java), Fedora (awstats and dia), Mageia (c-ares, dash, and dovecot), openSUSE (dovecot23, gimp, kitty, and python-notebook), Oracle (kernel), SUSE (python-paramiko and tomcat), and Ubuntu (edk2, firefox, ghostscript, and openjpeg2).
A key component of system hardening is restricting access to memory; this extends to preventing the kernel itself from accessing or modifying much of the memory in the system most of the time. Memory that cannot be accessed cannot be read or changed by an attacker. On many systems, though, these restrictions do not apply to peripheral devices, which can happily use direct memory access (DMA) on most or all of the available memory. The recently posted restricted DMA patch set aims to reduce exposure to buggy or malicious device activity by tightening up control over the memory that DMA operations are allowed to access.
Security updates have been issued by Debian (golang-websocket, nodejs, and pacemaker), Fedora (mingw-binutils and rubygem-em-http-request), and Ubuntu (linux-oem-5.6 and p11-kit).
The idea of Reproducible Builds—being able to recreate bit-for-bit identical binaries using the same source code—has gained momentum over the last few years. Reproducible builds provide some safeguards against bad actors in the software supply chain. But building software depends on the tools used to construct the binary, including compilers and build-automation tools, many of which depend on pre-existing binaries. Minimizing the reliance on opaque binaries for building our software ecosystem is the goal of the Bootstrappable Builds project.
Just because something is traditional does not imply that it is necessarily a good idea. As a case in point, consider LWN's tradition of starting the year with some predictions for what is to come; some may be obvious while others are implausible, but none of them are reliable. Nonetheless, we've been doing this since 2002 so we can't stop now. Read on for our wild guesses as to what might transpire in 2021.
TuxMake is an open-source project from Linaro that began in May 2020 and is designed to make building Linux kernels easier. It provides a command-line interface and a Python library, along with a full set of curated portable build environments distributed as container images. With TuxMake, a developer can build any supported combination of target architecture, toolchain, kernel configuration, and make targets.
Security updates have been issued by Arch Linux (dovecot, poppler, roundcubemail, and rsync), Debian (csync2 and gssproxy), Fedora (grafana, perl-Convert-ASN1, and python-py), openSUSE (privoxy), Oracle (kernel), Red Hat (ImageMagick and kernel), SUSE (ceph, dovecot22, flac, java-1_7_1-ibm, openssh, and python), and Ubuntu (dovecot, horizon, openexr, and python-apt).
The LibreSSL project has been developing a fork of the OpenSSL package since 2014; it is supported as part of OpenBSD. Adoption of LibreSSL on the Linux side has been slow from the start, though, and it would appear that the situation is about to get worse. LibreSSL is starting to look like an idea whose time may never come in the Linux world.
Security updates have been issued by Debian (chromium, dovecot, flac, influxdb, libhibernate3-java, and p11-kit), Fedora (ceph and guacamole-server), Mageia (audacity, gdm, libxml2, rawtherapee, and vlc), openSUSE (jetty-minimal and privoxy), Red Hat (kernel and kernel-rt), SUSE (gimp), and Ubuntu (libproxy).
The second 5.11 kernel prepatch is out for testing. "People have (rightly) mostly been offline since, presumably over-eating and doing all the other traditional holiday things. And just generally not being hugely active. That very much shows in a tiny rc2 release."
James Bottomley has posted a detailed description of what it takes to get an encrypted image running securely with AMD's SEV mechanism. "In this post I’ll discuss how you actually bring up a confidential VM from an encrypted image while preserving secrecy. However, first a warning: This post represents the state of the art and includes patches that are certainly not deployed in distributions and may not even be upstream, so if you want to follow along at home you’ll need to patch things like qemu, grub and OVMF."
On this last day of 2020, the Rust project has announced the release of version 1.49.0 of the programming language. It establishes the arm64 Linux target as a Tier 1 platform, which is the highest level of support; "Tier 1 platforms can be thought of as 'guaranteed to work'". Also, arm64 macOS and Windows have risen to Tier 2 status, which means they are guaranteed to build and are likely to work just fine, but the automated tests are not run. Beyond that, the test framework now captures output from multiple threads and some library changes were made. See the detailed release notes for more information. "Rust 1.49.0 promotes the aarch64-unknown-linux-gnu target to Tier 1 support, bringing our highest guarantees to users of 64-bit ARM systems running Linux! We expect this change to benefit workloads spanning from embedded to desktops and servers. This is an important milestone for the project, since it's the first time a non-x86 target has reached Tier 1 support: we hope this will pave the way for more targets to reach our highest tier in the future. Note that Android is not affected by this change as it uses a different Tier 2 target."
Security updates have been issued by Debian (libdatetime-timezone-perl and tzdata), openSUSE (kdeconnect-kde and opera), and SUSE (gimp, squid3, and xen).
Security updates have been issued by Mageia (flac, graphicsmagick, jackit, kdeconnect-kde, libmaxminddb, libvirt, openjpeg2, pngcheck, python3, roundcubemail, and spice-vdagent), openSUSE (gimp), and SUSE (containerd, docker, docker-runc, golang-github-docker-libnetwork, cyrus-sasl, and gimp).
Linus Torvalds released the 5.11-rc1 prepatch and closed the 5.11 merge window on December 27. By that time, 12,498 non-merge changesets had been pulled into the mainline; nearly 2,500 of those wandered in after the first merge-window summary was written. Activity slowed down in the second week, as expected, but there were still a number of interesting features that found their way into the mainline.
Linus has released 5.11-rc1 and closed the merge window for this development cycle. "Two weeks have passed, Christmas is over, and so is the merge window. I want to thank all the maintainers who sent in their pull requests early: we all wanted to get things done before the holidays really hit, and mostly it seemed to work quite well."
Ruby 3.0.0 has been released. "From 2015 we developed hard toward Ruby 3, whose goal is performance, concurrency, and Typing. [...] With Optcarrot benchmark, which measures single thread performance based on NES’s game emulation workload, it achieved 3x faster performance than Ruby 2.0!"
Its existence may come as a bit of a surprise to some, but the GnuCOBOL project has released version 3.1.2 as a successor to GnuCOBOL 2.2 after three years of improvements. "GnuCOBOL is a free, modern COBOL compiler. It translates COBOL into intermediate C and compiles the code using a native C compiler (preferably GCC, but not limited to it). [...] some of the highlights: Huge improvements for compatibility to different COBOL dialects, better error handling and adjustable exceptions per COBOL 2002; more modern format for diagnostic messages (especially useful when used in an integrated development environment possible in Emacs, Vim, VSCodium and others) and improved source-level debugging." More information about the new features in the release can be found in the NEWS file, which is attached to the release announcement below.