LWN.net

Richard Stallman's return to the FreeSoftware Foundation's board of directors has provoked a flurry of responses, and many organizations inthe free-software community have expressed their unhappiness with thatappointment. In almost every case, the process leading up to thatexpression has been carried out behind closed doors. The Debian project,instead, is deciding what to do in a classic Debian way — holding a publicvote on a general resolution with a wide range of possible outcomes.

Security updates have been issued by Fedora (chromium, libldb, rpm, samba, and seamonkey), openSUSE (isync), Oracle (kernel), Red Hat (openssl and squid), SUSE (ceph, flatpak, libostree, xdg-desktop-portal, xdg-desktop-portal-gtk, fwupd, fwupdate, and openexr), and Ubuntu (curl, linux-lts-trusty, and lxml).

The LWN.net Weekly Edition for April 8, 2021 is available.

Five years ago, we looked at an effort toassist in the assignment of CommonVulnerabilities and Exposures (CVE) IDs, especially for open-sourceprojects.Developers in the free-software world have often found it difficult toobtain CVE IDs for the vulnerabilities that they find.The Distributed WeaknessFiling (DWF) project was meant to reduce the friction in theCVE-assignment process, but it never really got off the ground. In a blogpost, Josh Bressers said that DWF was hampered by trying to follow therules for CVEs. That has led to a plan to restart DWF, but this time without the"yoke of legacy CVE".

Projects, even of the open-source variety, sometimes have secrets that needto be maintained. They can range from things like signing keys, which are(or should be) securely stored away from the project's code, to credentialsand tokens for access to various web-based services, such as cloud-hosting services or thePython Package Index (PyPI). These credentialsare sometimesneeded by instances of the running code, and some others benefit from beingstored "near" the code, but these types of credentials are not meant tobe distributed outside of the project.They can sometimes mistakenly be added to a public repository, however, which isa slip that attackers are most definitely on the lookout for.The big repository-hosting services like GitHuband GitLab are well-placed to scan for these kinds of secrets beingcommitted to project repositories—and they do.

Stable kernels 5.11.12, 5.10.28, 5.4.110, 4.19.185, 4.14.229, 4.9.265, and 4.4.265 have been released with the usual setof important fixes. Users should upgrade.

Security updates have been issued by openSUSE (chromium), Oracle (flatpak and kernel), Red Hat (virt:8.3 and virt-devel:8.3), and SUSE (gssproxy and xen).

The Mozilla Hacks site has areport on the use of ThreadSanitizer to detect and fix data races inthe Firefox browser. "While benign data races do exist, we foundthat data races arevery easily misclassified as benign. The reasons for this are clear: It ishard to reason about what compilers can and will optimize, and confirmationfor certain 'benign' data races requires you to look at the assembler codethat the compiler finally produces. Needless to say, this procedure isoften much more time consuming than fixing the actual data race and alsonot future-proof. As a result, we decided that the ultimate goal should bea 'no data races' policy that declares even benign data races asundesirable due to their risk of misclassification, the required time forinvestigation and the potential risk from future compilers (with betteroptimizations) or future platforms (e.g. ARM)."

Security updates have been issued by Debian (chromium, netty, python-bleach, and python3.5), Fedora (libmediainfo, libzen, and mediainfo), Mageia (openssl), openSUSE (chromium), Red Hat (389-ds:1.4, flatpak, kernel, kernel-rt, kpatch-patch, libldb, and virt:rhel and virt-devel:rhel), and Ubuntu (python-django and ruby-rack).

Kees Cook has posted along list of security-related improvements that made it into the 5.9kernel release. "Sasha Levin, Andy Lutomirski, Chang S. Bae, AndiKleen, Tony Luck, Thomas Gleixner, and others landed the long-awaitedFSGSBASE series. This provides task switching performance improvementswhile keeping the kernel safe from modules accidentally (or maliciously)trying to use the features directly (which exposed an unprivileged directkernel access hole)."

Version3.2 of the Django web framework is out; it has been designated as along-term-support release. New features include automatic AppConfigdiscovery, functional indexes, pymemcache support, and more; see therelease notes for details.

The recent proposalfrom David Hildenbrand to remove support for the /dev/kmem specialfile has not sparked a lot of discussion. Perhaps that is because today'syoungsters, lacking an understanding of history, may be wonderingwhat that file is in the first place and, thus, be unclear on why it maymatter. Chances are that /dev/kmem will not be missed, but inpassing it takes away a venerable part of the Unix kernel interface.

Security updates have been issued by Debian (libxstream-java, php-nette, and smarty3), Fedora (curl, openssl, spamassassin, and webkit2gtk3), Mageia (ant, batik, kernel, kernel-linus, nodejs-chownr, nodejs-yargs-parser, python-bottle, and ruby-em-http-request), openSUSE (curl and OpenIPMI), and Red Hat (openssl).

The long saga of Oracle's copyright-infringement against Google, whichcopied much of the Java API for use in Android, has come to an end with thisruling [PDF] in favor of Google. "Google’s purpose was to create adifferent task-related system for a different computing environment(smartphones) and to create a platform—the Android platform—that would helpachieve and popularize that objective. The record demonstrates numerousways in which reimplementing an interface can further the development ofcomputer programs. Google’s purpose was therefore consistent with thatcreative progress that is the basic constitutional objective of copyrightitself."

The 5.12-rc6 kernel prepatch is out fortesting. "Well, if rc5 was bigger than usual, and I worried about what thatmeant for this release, rc6 is positively tiny.So I think it was just due to the usual random timing fluctuations,probably mainly networking updates (which were in rc5, but not inrc6). Which means that unless things change in the next two weeks, theschedule for this release is going to be the usual one."

One of the key tasks assigned to the memory-management subsystem is tooptimize the system's use of the available memory; that means pushing outpages containing unused data so that they can be put to better useelsewhere. Predicting which pages will be accessed in the near future is atricky task, and the kernel has evolved a number of mechanisms designed toimprove its chances of guessing right. But the kernel not only often getsit wrong, it also can expend a lot of CPU time to make the incorrectchoice. The multi-generationalLRU patch set posted by Yu Zhao is an attempt to improve thatsituation.

Security updates have been issued by Debian (busybox, ldb, openjpeg2, spamassassin, and underscore), Fedora (kernel, kernel-headers, and kernel-tools), Mageia (privoxy, python and python3, and rpm), openSUSE (ovmf, tar, and tomcat), SUSE (curl, firefox, OpenIPMI, and tomcat), and Ubuntu (openexr).

The process of hardening the kernel can benefit in a number of ways fromsupport by the compiler. In recent years, the Kernel Self Protection Project has broughtthis support from the grsecurity/PaXpatch set into the kernel in the form of GCCplugins; LWN looked into that process backin 2017. A recent discussion has highlighted the fact that the use ofGCC plugins brings disadvantages as well, and some developers would prefer to see those plugins replaced.

Security updates have been issued by Debian (underscore), Fedora (busybox, linux-firmware, and xmlgraphics-commons), Oracle (kernel and kernel-container), Slackware (curl and seamonkey), SUSE (firefox and opensc), and Ubuntu (spamassassin).

Version 18.1 ofLineageOS, the Android-based distribution once known as Cyanogen, isavailable. "With that said, we have been working extremely hardsince Android 11’s release last August to port our features to this newversion of Android. Thanks to our hard work adapting to Google’s fairlylarge changes in Android 10, we were able to rebase our changes ontoAndroid 11 much more efficiently. This led to a lot of time to spend oncool new features!" Some of those features include in improvedvoice recorder, a new calendar, a built-in backup mechanism, an improvedmusic player, and more.

A company called Xinuos has announced alawsuit against IBM and Red Hat that has a familiar echo to it."Xinuos alleges that the IBM and Red Hat conspiracy has harmed theopen-source community and specifically Xinuos’ OpenServer 10 product, whichis based on FreeBSD, an open-source UNIX-based operating system andalternative to Red Hat’s Linux-based open-source operating system,RHEL. 'By dominating the Unix/Linux server operating system market,competing open-source operating systems, like our FreeBSD-based OpenServer10, have been pushed out of the market.'" The fulltext of the suit [PDF] is available for those wanting the details.

The LWN.net Weekly Edition for April 1, 2021 is available.

The HPy project has beenaround for more than a year now; it is meant to provide an alternate C APIfor Python that allows extensions to the language to run, and run well, in moreenvironments. It first came to our attention in a reportof a talk at the 2020Python Language Summit (LWN coverage), but it goes back to some discussions that wereheld at EuroPython 2019. Thereare a number of ways that the existing C API holds back innovation forPython, but there are also some hugely important extensions (e.g. NumPy) that use it; any change to the APIneeds to take those into account.

Security updates have been issued by Debian (curl, ldb, leptonlib, and linux-4.19), Fedora (busybox), Gentoo (openssl, redis, salt, and sqlite), Mageia (firefox, fwupd, glib2.0, python-aiohttp, radare2, thunderbird, and zeromq), openSUSE (firefox), SUSE (ovmf, tomcat, and zabbix), and Ubuntu (curl, lxml, and pygments).

A problem reported when attaching GDB to programs that use io_uring has led to a flurry of potentialsolutions, and one that was merged into Linux 5.12-rc5. The problemstemmed from a change made in the 5.12merge window tohow the threads used by io_uring were created, such that they became associatedwith the process using io_uring. Those "I/O threads" were treatedspecially in the kernel, but that led to the problem with GDB (and likely other ptrace()-usingprograms). The solution is to treat them like other threads because itturned out that trying to makethem special caused more problems than it solved.

CloudLinux has announced the availability of a "ready for productionworkloads" version of AlmaLinux, which is intended to be areplacement for CentOS 8. Also announced is the creation of afoundation to manage the distribution: "The company also announced the formation of a non-profit organization thatwill take over responsibility for managing the AlmaLinux project goingforward. CloudLinux has committed a $1 million dollars annual endowment tosupport the project. The AlmaLinux project named Jack Aboutboul as communitymanager of AlmaLinux."

Stable kernels 5.11.11, 5.10.27, 5.4.109, 4.19.184, 4.14.228, 4.9.264, and 4.4.264 have been released. They all containimportant fixes and users should update.

Security updates have been issued by Debian (lxml), Fedora (openssl, pdfbox, rpm, and rubygem-kramdown), openSUSE (eclipse), Oracle (flatpak and openssl), Red Hat (curl, kernel, kpatch-patch, mariadb, nss-softokn, openssl, perl, and tomcat), and SUSE (firefox, ovmf, and tar).

So far, this series has covered five common lockless patterns in the Linuxkernel; those are probably the five that you will most likely encounterwhen working on Linux. Throughout this series, some details have been left out and somesimplifications were made in the name of clarity. In this finalinstallment, I will sort out some of these loose ends and try to answerwhat is arguably themost important question of all: when should you use the locklesspatterns that have been described here?

John Sullivan, executive director of the Free Software Foundation, has announced hisresignation from the organization. "It's been a humbling honorto serve this institution, and to work alongside the FSF's staff, members,and volunteers over the years. The current staff deserve your fullconfidence and support -- they certainly have mine."Meanwhile, the FSF has announcedthe addition of Ian Kelling to its board of directors. "The boardand voting members look forward to having the participation of the staffvia this designated seat in our future deliberations. This is an importantstep in the FSF's effort to recognize and support new leadership, toconnect that leadership to the community, to improve transparency andaccountability, and to build trust. There is still considerable work to bedone, and that work will continue."

Security updates have been issued by Arch Linux (awstats, busybox, dotnet-runtime, dotnet-runtime-3.1, dotnet-sdk, dotnet-sdk-3.1, gitlab, godot, groovy, libebml, mkinitcpio-busybox, openssl, python2, vivaldi, webkit2gtk, and wpewebkit), CentOS (firefox and thunderbird), Debian (pygments, spamassassin, thunderbird, and webkit2gtk), Fedora (CGAL, dotnet3.1, dotnet5.0, firefox, kernel, qt, and xen), Mageia (imagemagick, jackson-databind, openscad, redis, and unbound), openSUSE (evolution-data-server, go1.15, and zstd), Oracle (firefox, openssl, and thunderbird), Red Hat (flatpak), Slackware (xterm), and Ubuntu (squid, squid3 and webkit2gtk).

The PHP project has announcedthat it is moving its PHP repository to GitHub after its own server wascompromised. "Yesterday (2021-03-28) two malicious commits werepushed to the php-src repo from the names of Rasmus Lerdorf and myself. Wedon't yet know how exactly this happened, but everything points towards acompromise of the git.php.net server (rather than a compromise of anindividual git account)."

The 5.12-rc5 kernel prepatch is out fortesting. "So if rc4 was perhaps a bit smaller than average, it looks like rc5 isa bigger than average. We're not breaking any records, but itcertainly isn't tiny, and the rc's aren't shrinking.I'm not overly worried yet, but let's just say that the trend hadbetter not continue, or I'll start feeling like we will need to makethis one of those releases that need an rc8."

Version7.2.0 of the digiKam photo-management application has been released.Changes include better renaming tools, improved album management, areworked internal database, and more. "The neural network to process face detection have been a huge effort with this release.We use a new data model named Yolo. More faces on same images can bedetected with complex shot conditions. The processing speed have beenreduced and the older bugs about the wrong memory allocation definitivelyfixed."

For those wanting more details on the saga of the WireGuard implementationthat was almost released in FreeBSD 13 (a story that LWN covered recently), thisArs Technica story digs in deep. "Despite not having any kerneldevelopers on-staff, Ars was able to verify at least some of Donenfeld'sclaims directly, quickly, and without external assistance. For instance,finding a validation function which simply returned true—and printfstatements buried deep in cryptographic loops—required nothing morecomplicated than grep."

The "Internet of things" (IoT), being the future paradise that awaits uswhen all of our devices are connected to the net, is a worrisome prospectto just about anybody who has thought about its security and privacyimplications. It would be problematic even if the design of all connecteddevices included security and privacy as absolute requirements — but thatis not the way these devices are made. Currently, it is possible to optout of much of the IoT experience with a bit of attention and discipline.In the near future, though, that situation is likely to change and it isnot clear what we can do about it.

Security updates have been issued by Debian (firefox-esr, jquery, openssl, and thunderbird), openSUSE (openssl-1_1 and tor), Oracle (firefox and thunderbird), Scientific Linux (firefox and thunderbird), SUSE (libzypp, zypper and openssl-1_1), and Ubuntu (firefox, ldb, openssl, and ruby2.0).

Technology review coversthe controversy that has resulted from Google's disclosureand fixing of a number of security vulnerabilities being exploited byWestern intelligence agencies. "Instead of focusing on who wasbehind and targeted by a specific operation, Google decided to take broaderaction for everyone. The justification was that even if a Westerngovernment was the one exploiting those vulnerabilities today, it willeventually be used by others, and so the right choice is always to fix theflaw today."

Part 1 of this series described thecopy-on-write (COW) mechanism used to avoid unnecessary copying of pages inmemory, then went into the details of a bug in that mechanism thatcould result in the disclosure of sensitive data. A patch written by LinusTorvalds and merged for the 5.8 kernel appeared to fix that problem withoutunfortunate side effects elsewhere in the system. But COW is a complicatedbeast and surprises are not uncommon; this particular story was nowherenear as close to an end as had been thought.

The Free Software Foundation has announcedchanges in how its board of directors is selected. "We will adopt atransparent, formal process for identifying candidates and appointing newboard members who are wise, capable, and committed to the FSF's mission. Wewill establish ways for our supporters to contribute to the discussion. Wewill require all existing board members to go through this process as soonas possible, in stages, to decide which of them remain on theboard."Meanwhile, numerous community members have posted an open letter calling forthe resignation of the entire Free Software Foundation board of directorsafter the announcement that Richard Stallman would be returning. The FreeSoftware Foundation Europe has made itsdisapproval known, as has the ElectronicFrontier Foundation. The Debian project has starteddiscussing a general resolution affirming its support for the openletter. Various other organizations have expressed concern as well.For those who feel differently, there is also an open letter in supportof Stallman's return to the FSF.

Greg Kroah-Hartman has announced the release of 5.10.26—delayed from the large batch on March 24—with the usualimportant fixes throughout the kernel tree, and 5.11.10, which just contains some relativelyminor fixes: "This is a 'quick revert' of some 5.11.9 commits thatcaused noisy warnings to show up in the kernel log of some systems. If you do not have this issue, orare not bothered by these messages, no need to upgrade."

Security updates have been issued by Debian (firefox-esr and lxml), Fedora (jasper), openSUSE (gnutls, hawk2, ldb, libass, nghttp2, and ruby2.5), Oracle (pki-core:10.6), Red Hat (firefox and thunderbird), SUSE (evolution-data-server, ldb, python3, and zstd), and Ubuntu (ldb, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-dell300x, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux-signed, linux-snapdragon, and linux, linux-lts-xenial).

Open Collective has put out anannouncement describing its "Funds for Open Source" initiative, whichis aimed at making it easy for corporations to fund the work of individualdevelopers. "Big companies call the process for paying for stuff'procurement'. It’s often pretty involved, with contracts, invoices,purchasing order numbers, and bureaucracy—a painful thing to go throughrepeatedly for small amounts. It's practically a blocker. It is so muchsimpler and more practical to ask corporations to make one large payment,to one vendor. Make it easy and companies will invest more."

The LWN.net Weekly Edition for March 25, 2021 is available.

Enumerated types or "enums" are a feature of many languages, includingPython; enums provide a convenient way to collect up a bunch of relatedsymbols that (typically) evaluate to integer values. The canonical examplewould seem to be for colors, at least for demonstration purposes, but there areothers, especially for handling "magic" constants from source likes POSIXor the host operating system. A recent thread on the python-ideas mailing list discussesdifferent ways to add a new feature to enums—seven years after they wereadded to the standard library as part ofPython 3.4.

The WireGuard VPN tunnel is afast and easy-to-use solution for those who need or want a secure tunnelfor their traffic. The project has been around since 2016, but it has had asomewhat circuitous route into Linux; it was merged for the 5.6kernel, which was released in March 2020. Getting into Linux requiredWireGuard developer Jason A. Donenfeld to acquiesce to having WireGuard use some of theexisting kernel crypto primitives, rather than merging his Zinc crypto library. Some of the sametensions that were seen in that process seem to be cropping up again in the morerecent efforts to add WireGuard support to several BSD kernels.

The GNOME 40 release is out. "It brings new design for the Activities overview and improved support forinput with Compose sequences and keyboard shortcuts, among many otherthings.Improvements to core GNOME applications include a redesigned Weatherapplication, information popups in Maps, better tabs in Web, and manymore." See the GNOME 40 pageand the releasenotes for details.

Stable kernels 5.11.9, 5.4.108, 4.19.183, 4.14.227, 4.9.263, and 4.4.263 have been released. They all containimportant fixes and users should upgrade.

Security updates have been issued by Debian (imagemagick and squid), Fedora (jasper and kernel), Red Hat (pki-core), SUSE (gnutls, go1.15, go1.16, hawk2, jetty-minimal, libass, nghttp2, openssl, ruby2.5, sudo, and wavpack), and Ubuntu (linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-gke-5.3, linux-gke-5.4, linux-gkeop, linux-gkeop-5.4, linux-hwe, linux-hwe-5.4, linux-hwe-5.8, linux-kvm, linux-oem-5.10, linux-oem-5.6, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux-raspi2-5.3).

Firefox 87 has beenreleased. This version introduces SmartBlock, "a new intelligent tracker blocking mechanism for Firefox Private Browsing and Strict Mode."Firefox ESR 78.9 has also beenreleased with the usual set of fixes.