LWN.net

Stable kernels 5.10.71, 5.4.151, 4.19.209, 4.14.249, 4.9.285, and 4.4.286 have been released. They all containimportant fixes and users should upgrade.Note that 5.14.10has been through more than the usual number of release candidates and isnot yet out; it should show up in the next day or so.

Security updates have been issued by Fedora (cryptopp), Mageia (apache), Slackware (httpd), and Ubuntu (squid, squid3).

Two Google engineers came to OpenSource Summit North America 2021 to talk about a project to change theway the company creates and maintains the kernel it runs in its datacenters on its productionsystems. Andrew Delgadillo and Dylan Hatch described the current productionkernel (Prodkernel) and the problems that occur because it is so far fromthe mainline. Project Icebreaker is an effort to change that and toprovide a near-mainline kernel for development and testing within Google;the talk looked at the project, its risks, its current status, and its plans.

The Asahi Linux project has a progressreport on its goal of running Linux on Mac M1 hardware.

The AlmaLinux Foundation has openedmembership to everyone.

Firefox 93.0 has been released. With this version Firefox supports the newAVIF image format, which is based on the modern and royalty free AV1 videocodec. The PDF viewer supports filling more forms, such as XFA-based formsused by multiple governments and banks. Downloads that rely on insecureconnections are blocked, protecting against potentially malicious or unsafedownloads. Details on these features and more can be found in the release notes.

Version 13.0.0 of the LLVM compiler suite is out.There is a long list of changes, as always; see the numerous sets ofrelease notes below for details.

Security updates have been issued by Fedora (cryptopp), Mageia (kernel, kernel-linus, and sqlite), openSUSE (rabbitmq-server), Red Hat (kernel and samba), SUSE (glibc and webkit2gtk3), and Ubuntu (containerd, docker.io, imlib2, ledgersmb, mercurial, mongodb, and node-bl).

Version 3.10.0 of the Python language has been released. There are a lotof significant changes in this release, including the much-discussedstructural pattern-matching feature. Seethis article for an overview of what's in 3.10.

Julia is an open-source programminglanguage and ecosystem for high-performance scientific computing; itsdevelopment team has made the first release candidate for version 1.7available for testing on Linux, BSD, macOS, and Windows. Back in May, we looked at the increased performance thatarrived with Julia 1.6, its last major release. In this article we describe some ofthe changes and new features in the language and its libraries that arecoming in 1.7.

Developers working in languages like C or C++ have access totwo competing compilers — GCC and LLVM — either of which can usually getthe job done. Rust developers, though, are currently limited to theLLVM-based rustc compiler. While rustc works well, thereare legitimate reasons for developers to wish for an alternative. As itturns out, there are two different ways to compile Rust using GCC underdevelopment, though neither is ready at the moment. Developers of bothapproaches came to the 2021 LinuxPlumbers Conference to present the status of their work.

Security updates have been issued by Debian (apache2, fig2dev, mediawiki, plib, and qemu), Fedora (chromium, curl, kernel, kernel-headers, kernel-tools, openssh, rust-addr2line, rust-backtrace, rust-cranelift-bforest, rust-cranelift-codegen, rust-cranelift-codegen-meta, rust-cranelift-codegen-shared, rust-cranelift-entity, rust-cranelift-frontend, rust-cranelift-native, rust-cranelift-wasm, rust-gimli, rust-object, rust-wasmparser, rust-wasmtime-cache, rust-wasmtime-environ, rust-wasmtime-fiber, rust-wasmtime-types, rust-wast, rust-wat, and webkit2gtk3), Mageia (apache-mod_auth_openidc, c-ares, chromium-browser-stable, icu, libspf2, perl-DBI, python, and python-rsa), openSUSE (haproxy and opera), Oracle (kernel), SUSE (firefox and libvirt), and Ubuntu (python3.8).

The 5.15-rc4 kernel prepatch is out fortesting.

Paul McKenney has started a blog series on Rust for the Linux kernel. He has posted six of a planned 11 articles, though several are labeled as "under construction".

Much of the free-software development world has adopted Git forges (such asGitHub, GitLab, or sourcehut) with enthusiasm. The kernel community hasnot. Reasons for that reticence vary, but one that is often heard is thatthese forges simply don't work well at the scale needed for the kernelproject. At aKernel-Summit session during the 2021 Linux Plumbers conference, Donald Zickus and Prarit Bhargava sought toshow how Red Hat has put GitLab to good use to support its kernel team.Not only can these forges work for kernel development, they said, butmoving to a forge can bring a number of advantages.

Security updates have been issued by Debian (curl, krb5, openssl1.0, and taglib), Fedora (cifs-utils), SUSE (libqt5-qtbase and rubygem-activerecord-4_2), and Ubuntu (linux-raspi, linux-raspi-5.4 and linux-raspi2).

Adrian Ratiu writeson the Collabora blogabout the challenges that face developers trying to build the GNU CLibrary with the LLVM compiler.

James Bottomley explainshow the integration of Matrix and BigBlueButton was done for thejust-concluded Linux Plumbers Conference.

The term "interrupt" brings to mind a signal that originates in thehardware and which is handled in the kernel; even software interrupts are akernel concept. But there is, it seems, a use case for enabling user-spaceprocesses to send interrupts directly to each other. An upcoming Intelprocessor generation includes support for this capability; at the 2021 Linux Plumbers Conference,Sohil Mehta ran aKernel-Summit session on how Linux might support that feature.

Stable kernels 5.14.9, 5.10.70, and 5.4.150 have been released with the usual setof important fixes. Users of those series should upgrade.

Security updates have been issued by Debian (libxstream-java, uwsgi, and weechat), Fedora (libspf2, libvirt, mingw-python3, mono-tools, python-flask-restx, and sharpziplib), Mageia (gstreamer, libgcrypt, libgd, mosquitto, php, python-pillow, qtwebengine5, and webkit2), openSUSE (postgresql12 and postgresql13), SUSE (haproxy, postgresql12, postgresql13, and rabbitmq-server), and Ubuntu (commons-io and linux-oem-5.13).

Version 14 of the PostgreSQL relational database manager is out.

The LWN.net Weekly Edition for September 30, 2021 is available.

Work toward the signing of BPF programs hasbeen finding its way into recent mainline kernel releases; it is intendedto improve security by limiting the BPF programs that can be successfullyloaded into the kernel. As John Fastabend described in his "Watchingthe super powers" session at the 2021 Linux Plumbers Conference,this new feature has the potential to completely break his tools. Butrather than just complain, he decided to investigate solutions; the resultis an outline for an auditing mechanism that brings greater flexibility tothe problem of controlling which programs can be run.

Security updates have been issued by Fedora (iaito, libssh, radare2, and squashfs-tools), openSUSE (hivex, shibboleth-sp, and transfig), SUSE (python-urllib3 and shibboleth-sp), and Ubuntu (apache2, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-dell300x, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux-snapdragon, and linux-hwe-5.11, linux-azure, linux-azure-5.11, linux-oracle-5.11).

A controversy about the handling of the Time Zone Database (tzdb) hasbeen brewing since May, but has come to a head in recent weeks. Changes that were proposed to simplify the main database file have someconsequences in terms of time-zone history and changes to therepresentation of some zones. Those changes have upset a number of usersof the database—to the point where some have called for a fork. A September 25 release of tzdb with some, but notall, of the changes seems unlikely to resolve the conflict.

The Free Software Foundation Europe (FSFE) is organizing the codingcompetition "Youth Hacking 4 Freedom" (YH4F) for European teenagers(14-18). Six winners will receive a cash prize and a trip to Brussels.There will be an opening event October 10 and registration will remain openuntil October 31.

Security updates have been issued by CentOS (kernel), openSUSE (gd, grilo, nodejs14, and transfig), Oracle (nodejs:14 and squid), Red Hat (kernel and shim and fwupd), SUSE (apache2, atftp, gd, and python-Pillow), and Ubuntu (apache2, linux, linux-aws, linux-aws-5.11, linux-gcp, linux-kvm, linux-oracle, linux-raspi, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-gke, linux-gke-5.4, linux-gkeop, linux-gkeop-5.4, linux-hwe-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, and vim).

The Kernel Maintainers Summit is an invitation-only gathering of top-levelkernel subsystem maintainers; it is concerned mostly with process-orientedissues that are not easily worked out on the mailing lists. There was nomaintainers summit in 2020; plans had been made to hold it in an electronicform, but there turned out to be a lack of things to talk about. In 2021,though, a number of interesting topics turned up, so an online gatheringwas held on September 24 as part of the Linux Plumbers Conference.Read on for a summary of the discussions held at this year's Summit.

Security updates have been issued by Debian (kernel, libxml-security-java, and openssl), Fedora (fetchmail and python-rsa), openSUSE (grafana-piechart-panel and opera), and Red Hat (nodejs:14).

The third 5.15 kernel prepatch is out fortesting. "So after a somewhat rocky merge window and second rc,things are now actually looking pretty normal for rc3. Knock wood".

The5.14.8,5.10.69,5.4.149,4.19.208,4.14.248,4.9.284, and4.4.285stable kernels have all been released; each contains another set ofimportant fixes.

The 2021 election for the Linux Foundation's Technical Advisory boardresulted in all five incumbent members (Greg Kroah-Hartman, JonathanCorbet, Steven Rostedt, Ted Ts'o, and Sasha Levin) being re-elected. Of the1,012 developers authorized to vote, 237 actually cast ballots.

It has often been said that the competition between the GCC and LLVMcompilers is good for both of them. One place where that competition shows up is in the area of security features; if one compiler adds a way toharden programs, the other is likely to follow suit. QingZhao's session at the 2021Linux Plumbers Conference told the story of how GCC successfully playedcatch-up for two security-related features that were of special interest tothe kernel community.

The GNU Core Utilities (coreutils) has announced the release of version 9.0 of "the basic file, shell and text manipulation utilities" used by the GNU operating system and various Linux distributions. In the year and a half or so since the last major release (8.32), various new features were added, including:

Security updates have been issued by Debian (mupdf), Fedora (ghostscript, gifsicle, and ntfs-3g), openSUSE (kernel and nodejs14), and SUSE (curl, ffmpeg, gd, hivex, kernel, nodejs14, python-reportlab, sqlite3, and xen).

Here's alengthy missive from Lennart Poettering taking Linux distributors totask for inadequately protecting systems from physical attacks.

For the second year in a row, the GNU Tools Cauldron (the annual gatheringof GNU toolchain developers) has been held as a dedicated track at theonline Linux PlumbersConference. For the 2021 event, that track started with a talk byDavid Malcolm on his work with the GCC -fanalyzer option, whichprovides access to a number of static-analysis features. Quite a bit hasbeen happening with -fanalyzer and more is on the way with theupcoming GCC 12 release, including, possibly, a set of checks thathave already found at least one vulnerability in the kernel.

Security updates have been issued by Debian (ruby-kaminari and tomcat8), Mageia (389-ds-base, ansible, apache, apr, cpio, curl, firefox, ghostscript, gifsicle, gpac, libarchive, libgd, libssh, lynx, nextcloud-client, openssl, postgresql, proftpd, python3, thunderbird, tor, and vim), openSUSE (chromium, ffmpeg, grilo, hivex, linuxptp, and samba), Oracle (go-toolset:ol8, kernel, kernel-container, krb5, mysql:8.0, and nodejs:12), SUSE (ffmpeg, firefox, grilo, hivex, kernel, linuxptp, nodejs14, and samba), and Ubuntu (ca-certificates, edk2, sqlparse, and webkit2gtk).

The LWN.net Weekly Edition for September 23, 2021 is available.

Over at the Guix-HPC blog, Ludovic Courtès writes about trying to package the PyTorch machine-learning library for the Guix distribution. Building from source in a user-verifiable manner is part of the philosophy behind Guix, but there were a number of problems that were encountered:

A few weeks ago, Matthew Wilcox might have guessed that his sessionat the 2021 LinuxPlumbers Conference would be focused rather differently. But, as we reported earlier in September, his folio patch set ran into some, perhapsunexpected, opposition and, ultimately, did not land in the mainline for5.15. Instead of discussing how to use folios as partof the FileSystems microconference, he led a discussion that was, at least in part, on thepath forward for them.

The GNOME project has announced therelease of GNOME 41.

Craig Kerstiens highlightssome of the "little things" featured in the upcoming PostgreSQL 14release.

The Google security blog providesan overview of what is being done to address memory-safety problems inthe Chrome browser.

Stable kernels 5.14.7, 5.10.68, 5.4.148, 4.19.207, 4.14.247, 4.9.283, and 4.4.284 have been released. They all containimportant fixes and users should upgrade.

Security updates have been issued by Debian (grilo), Fedora (curl, firefox, mingw-python-pillow, python-pillow, python2-pillow, and webkit2gtk3), openSUSE (chromium, grafana-piechart-panel, kernel, libcroco, php-composer, and xen), Oracle (curl, kernel, and nss and nspr), Red Hat (nodejs:12), Slackware (alpine), SUSE (ghostscript, grafana-piechart-panel, kernel, and xen), and Ubuntu (linux, linux-hwe, linux-hwe-5.11, linux-hwe-5.4, linux-raspi, linux-raspi-5.4, and linux-raspi2).

Alyssa Rosenzweig reportsthat the open-source Panfrost driver for Mali GPUs has achieved officialconformance on Mali-G52 for OpenGL ES 3.1.

Middleboxes are,unfortunately in many ways, a big part of today's internet. While middleboxesinhabit the same physical niche as routers, they are not aimed at packet forwarding;instead they are meant to monitor and manipulate the packets that theysee. The effects of those devices on users of the networks they reign over may beunfortunate as well, but the rest of the internet is only affected whentrying to communicate with those users—or so it was thought. Based on somerecently reported research, it turns out that middleboxes can be abused to inflict denial-of-service (DoS) attacks elsewhere on the net.

Security updates have been issued by Debian (webkit2gtk, wpewebkit, and xen), Oracle (kernel), Red Hat (curl, go-toolset:rhel8, krb5, mysql:8.0, nodejs:12, and nss and nspr), and Ubuntu (curl and tiff).