LWN.net

The Python Packaging Authority (PyPA) has announced the release of pip21.0. This version removes Python 2.7 and 3.5 support, and drops supportfor legacy cache entries from pip < 20.0.

The term "browser wars" typically refers to Microsoft's attempts todominate the World Wide Web with its Internet Explorer browser in the1990s. That effort was thwarted by antitrust efforts and the rise of thefree browser now known as Firefox;ever since, the web has been defined by free software. Or so some may havethought. In the 2020s, the browser wars continue with the growingdominance of Chrome and, it would seem, the imminent removal of Chromiumfrom many Linux distributions.

Security updates have been issued by Debian (crmsh, debian-security-support, flatpak, gst-plugins-bad1.0, openvswitch, python-bottle, salt, tomcat9, and vlc), Fedora (chromium, python-pillow, sddm, and xen), Gentoo (chromium, dnsmasq, flatpak, glibc, kdeconnect, openjdk, python, thunderbird, virtualbox, and wireshark), Mageia (blosc, crmsh, glibc, perl-DBI, php-oojs-oojs-ui, python-pip, python-urllib3, and undertow), openSUSE (gdk-pixbuf, hawk2, ImageMagick, opera, python-autobahn, viewvc, wavpack, and xstream), Red Hat (dnsmasq), Slackware (seamonkey), SUSE (hawk2, ImageMagick, mutt, permissions, and stunnel), and Ubuntu (pound).

The 5.11-rc5 kernel prepatch is out fortesting. "Nothing particularly stands out. We had a couple of splice()regressions that came in during the previous release as part of the'get rid of set_fs()' development, but they were for odd cases thatmost people would never notice. I think it's just that 5.10 is nowgetting more widely deployed so people see the fallout from thatrather fundamental change in the last release."

The next round of stable kernel updates is out:5.10.10,5.4.92,4.19.170,4.14.217,4.9.253, and4.4.253.Each contains another set of important fixes.

Memory fragmentation has long been a problem for Linux systems, to thepoint that, for years, finding even two physically contiguous pages was anuncertain affair. That said, the situation has improved considerably inthe last decade or so thanks to a number of changes implemented by thememory-management developers. One of those changes is the creation of"movable"memory zones where pages can be relocated if need be. All that work is fornothing, though, if somebody comes along and pins down a page in one ofthese movable zones. Thispatch set from Pavel Tatashin seeks to prevent that from happening, butmay risk creating problems elsewhere.

Security updates have been issued by Debian (drupal7), Fedora (dotnet3.1), Gentoo (zabbix), openSUSE (ImageMagick and python-autobahn), and SUSE (hawk2 and wavpack).

Libre Arts (formerly Libre Graphics World) has posted a comprehensivesurvey of what 2021 might hold for a wide range of freecontent-creation software.The topic of fullscreen color management implementation in Wayland is back,and it’s a kinda frustrating story. In a nutshell:

The Corellium blog is carrying a description of how the Linuxport to the Apple M1 processor was done. "Many components of theM1 are shared with Apple mobile SoCs, which gave us a good runningstart. But when writing Linux drivers, it became very apparent hownon-standard Apple SoCs really are. Our virtual environment is extremelyflexible in terms of models it can accommodate; but on the Linux side, the64-bit ARM world has largely settled on a well-defined set of buildingblocks and firmware interfaces - nearly none of which were used on theM1."

As a general rule, when one attempts to open a file with a system call likeopenat2(),the expectation is that the call will not return until the job is done.But there are times where the desire to open the file is conditional onbeing able to open it immediately, without blocking. Linux has neversupported that mode well, but that may be about to change with thispatch set from Jens Axboe.

Security updates have been issued by Debian (mutt), Fedora (libntlm, mingw-python-pillow, python-pillow, and sudo), Mageia (kernel), SUSE (gdk-pixbuf, perl-Convert-ASN1, samba, and yast2-multipath), and Ubuntu (linux, linux-aws, linux-azure, linux-gcp, linux-hwe-5.4, linux-hwe-5.8, linux-oracle).

The LWN.net Weekly Edition for January 21, 2021 is available.

It is an unfortunate fact of life that non-free firmware blobs are requiredto use some hardware, such as network devices (WiFi in particular), audioperipherals, and video cards. Beyond that, those blobs may even berequired in order to install a Linux distribution, so an installation overthe network may need to get non-free firmware directly from the installationmedia. That, as might be guessed, is a bit of a problem for distributionsthat are not willing to officially ship said firmware because of itsnon-free status, as a recent discussion in the Debian community shows.

Back in October, LWN looked at a conversationwithin the Debian project regarding whether it was permissible to shipKubernetes bundled with some 200 dependencies. The Debian technicalcommittee has finally cometo a conclusion on this matter: this bundling is acceptable and themaintainer will not be required to make changes:Our consensus is that Kubernetes ought to be considered special inthe same way that Firefox is considered special -- we treat thepackage differently from most other source packages because (i) itis very large and complex, and (ii) upstream has significantly moreresources to keep all those moving parts up-to-date than Debiandoes.In the end, allowing this vendoring seemed like the only feasible way topackage Kubernetes for Debian.

Shay Banon first announced thatElastic would move its Apache 2.0-licensed source code in Elasticsearch andKibana to be dual licensed under Server Side Public License (SSPL) and theElastic License. "To be clear, our distributions starting with 7.11will be provided only under the Elastic License, which does not have anycopyleft aspects. If you are building Elasticsearch and/or Kibana fromsource, you may choose between SSPL and the Elastic License to govern youruse of the source code."In anotherpost Banon added some clarification. "SSPL, a copyleft licensebased on GPL, aims to provide many of the freedoms of open source, thoughit is not an OSI approved license and is not considered opensource."There is also this articleon why the change was made. "So why the change? AWS and AmazonElasticsearch Service. They have been doing things that we think are just NOT OK since 2015 and it has only gotten worse. If we don’t stand upto them now, as a successful company and leader in the market, whowill?"The FAQ hasadditional information. "While we have chosen to avoid confusion by not using the term open source to refer to these products, we will continue to use the word “Open” and “Free and Open.” These are simple ways to describe the fact that the product is free to use, the source code is available, and also applies to our open and collaborative engagement model in GitHub. We remain committed to the principles of open source - transparency, collaboration, and community."

Security updates have been issued by Fedora (coturn, dovecot, glibc, and sudo), Mageia (openldap and resource-agents), openSUSE (dnsmasq, python-jupyter_notebook, viewvc, and vlc), Oracle (dnsmasq and xstream), SUSE (perl-Convert-ASN1, postgresql, postgresql13, and xstream), and Ubuntu (nvidia-graphics-drivers-418-server, nvidia-graphics-drivers-450-server, pillow, pyxdg, and thunderbird).

Red Hat has announceda new set of options meant to attract current CentOS users who are unhappywith the shift to CentOS Stream."While CentOS Linux provided a no-cost Linux distribution, no-cost RHEL also exists today through the Red Hat Developer program. The program’s terms formerly limited its use to single-machine developers. We recognized this was a challenging limitation.We’re addressing this by expanding the terms of the Red Hat Developer program so that the Individual Developer subscription for RHEL can be used in production for up to 16 systems. That’s exactly what it sounds like: for small production use cases, this is no-cost, self-supported RHEL."

Stable kernels 5.10.9, 5.4.91, and 4.19.169 have been released with importantfixes. Users of those series should upgrade.

SciPy is a collection of Pythonlibraries for scientific and numerical computing. Nearly every serious userof Python for scientific research uses SciPy. Since Python is popular acrossall fields of science, and continues to be a prominent language in someareas of research, such as data science, SciPy has a large userbase. On New Year's Eve, SciPyannouncedversion 1.6 of the scipy library, which is the centralcomponent in the SciPy stack. That release gives us a good opportunity to delveinto this software and givesome examples of its use.

Security updates have been issued by Debian (gst-plugins-bad1.0), Fedora (flatpak), Red Hat (dnsmasq, kernel, kpatch-patch, libpq, linux-firmware, postgresql:10, postgresql:9.6, and thunderbird), SUSE (dnsmasq), and Ubuntu (dnsmasq, htmldoc, log4net, and pillow).

User namespaces provide a number ofinteresting challenges for the kernel. They give a user the illusion ofowning the system, but must still operate within the restrictions thatapply outside of the namespace. Resourcelimits represent one type of restriction that, it seems, is proving too restrictive for some users. Thispatch set from Alexey Gladkov attempts to address the problem by way ofa not-entirely-obvious approach.

Version3.9.0.0 of the GNU Radio software-defined radio system has beenreleased. "All in all, the main breaking change for pure GRC userswill consist in a few changed blocks – an incredible feat, considering theamount of shift under the hood."

Security updates have been issued by Arch Linux (atftp, coturn, gitlab, mdbook, mediawiki, nodejs, nodejs-lts-dubnium, nodejs-lts-erbium, nodejs-lts-fermium, nvidia-utils, opensmtpd, php, python-cairosvg, python-pillow, thunderbird, vivaldi, and wavpack), CentOS (firefox and thunderbird), Debian (chromium and snapd), Fedora (chromium, flatpak, glibc, kernel, kernel-headers, nodejs, php, and python-cairosvg), Mageia (bind, caribou, chromium-browser-stable, dom4j, edk2, opensc, p11-kit, policycoreutils, python-lxml, resteasy, sudo, synergy, and unzip), openSUSE (ceph, crmsh, dovecot23, hawk2, kernel, nodejs10, open-iscsi, openldap2, php7, python-jupyter_notebook, slurm_18_08, tcmu-runner, thunderbird, tomcat, viewvc, and vlc), Oracle (dotnet3.1 and thunderbird), Red Hat (postgresql:10, postgresql:12, postgresql:9.6, and xstream), SUSE (ImageMagick, openldap2, slurm, and tcmu-runner), and Ubuntu (icoutils).

The5.10.8,5.4.90,4.19.168,4.14.216,4.9.252, and4.4.252stable kernel updates have all been released; each contains the usual arrayof important fixes.

The 5.11-rc4 kernel prepatch is outfor testing. "Things continue to look fairly normal for this release:5.11-rc4 is solidly average in size, and nothing particularly scary standsout."

Daniel Stenberg writesabout getting paid to work on curl — 21 years after starting theproject. "I ran curl as a spare time project for decades. Over theyears it became more and more common that users who submitted bug reportsor asked for help about things were actually doing that during their paidwork hours because they used curl in a commercial surrounding – whichsometimes made the situation almost absurd. The ones who actually got paidto work with curl were asking the unpaid developers to help themout."

Security updates have been issued by Debian (flatpak, ruby-redcarpet, and wavpack), Fedora (dia, mingw-openjpeg2, and openjpeg2), Mageia (awstats, bison, cairo, kernel, kernel-linus, krb5, nvidia-current, nvidia390, php, and thunderbird), openSUSE (cobbler, firefox, kernel, libzypp, zypper, nodejs10, nodejs12, and nodejs14), Scientific Linux (thunderbird), Slackware (wavpack), SUSE (kernel, nodejs8, open-iscsi, openldap2, php7, php72, php74, slurm_20_02, and thunderbird), and Ubuntu (ampache and linux, linux-hwe, linux-hwe-5.4, linux-hwe-5.8, linux-lts-xenial).

The Linux 5.10 release included a changethat is expected to significantly increase the performance of the ext4filesystem; it goes by the name "fast commits" and introduces a new,lighter-weight journaling method. Let us look into how the feature works, whocan benefit from it, and when its use may be appropriate.

Since the release of the 5.5 kernel in January 2020, there have been almost87,000 patches from just short of 4,600 developers merged into the mainlinerepository. Reviewing all of those patches would be a tall order for eventhe most prolific of kernel developers, so decisions on patch acceptanceare delegated to a long list of subsystem maintainers, each of whom takespartial or full responsibility for a specific portion of the kernel. Thesemaintainers are documented in a file called, surprisingly, MAINTAINERS.But the MAINTAINERS file, too, must be maintained; how well doesit reflect reality?

Version 6.0 of the WineWindows not-an-emulator has been released. "This release isdedicated to the memory of Ken Thomases, who passed away just beforeChristmas at the age of 51. Ken was an incredibly brilliant developer, andthe mastermind behind the macOS support in Wine. We all miss his skills,his patience, and his dark sense of humor." Significant featuresinclude core modules built as PE executables, an experimental Direct3Drenderer, DirectShow support, a new text console, and more.

Security updates have been issued by Fedora (adplug, audacious-plugins, cpu-x, kernel, kernel-headers, ocp, php, and python-lxml), openSUSE (crmsh, firefox, and hawk2), Oracle (thunderbird), Red Hat (kernel-rt), SUSE (kernel and rubygem-archive-tar-minitar), and Ubuntu (openvswitch and tar).

The LWN.net Weekly Edition for January 14, 2021 is available.

It may be kind of an obvious statement, but licensing terms matter in ourcommunities. Even a misplaced word or three can be fatal for a license,which is part of the motivation for the efforts to reduce licenseproliferation in free-software projects. Over the last few months, variousdistribution projects have been discussing changes made to the license forthe Nmap network scanner; those changesseemed to be adding restrictions that would make the software non-free, thoughthat was not the intent. But the incident does serve to show the importance oflicense clarity.

Tedium is running ahistory of the Linksys WRT54G router. "But the reason the WRT54Gseries has held on for so long, despite using a wireless protocol that waseffectively made obsolete 12 years ago, might come down to a feature thatwas initially undocumented—a feature that got through amid all thecomplications of a big merger. Intentionally or not, the WRT54G was hidingsomething fundamental on the router’s firmware: Software based onLinux."

Alyssa Rosenzweig presentsa progress report on the Panfrost driver for Arm Mali Midgard andBifrost GPUs, which now provides non-conformant OpenGL ES 3.0 on Bifrostand desktop OpenGL 3.1 on Midgard. "Architecturally, Bifrost shares most of its fixed-function data structures with Midgard, but features a brand new instruction set. Our work for bringing up OpenGL ES 3.0 on Bifrost reflects this division. Some fixed-function features, like instancing and transform feedback, worked without any Bifrost-specific changes since we already did bring-up on Midgard. Other shader features, like uniform buffer objects, required "from scratch" implementations in the Bifrost compiler, a task facilitated by the compiler's maturing intermediate representation with first-class builder support. Yet other features like multiple render targets required some Bifrost-specific code while leveraging other code shared with Midgard. All in all, the work progressed much more quickly the second time around, a testament to the power of code sharing. But there is no need to limit sharing to just Panfrost GPUs; open source drivers can share code across vendors."

Arnd Bergmann stirred up a bit of a discussion with his January 8 "bringout your dead" posting, wherein he raised the idea of removing supportfor a long list of seemingly unloved Arm platforms — and a few non-Arm onesas well. Many of these have seen no significant work in at least sixyears. In aJanuary 13 followup, he notes that several of those platforms willbe spared for now due to ongoing interest. Several others, though (efm32,picoxcell, prima2, tango, u300, and zx) remain on the chopping block, andthe status of another handful remains uncertain. Readers who care aboutold Arm platforms may want to have a look at the list now and speak up ifthey still need support for one of the platforms that might otherwise bedeleted.

Security updates have been issued by Debian (coturn, imagemagick, and spice-vdagent), Fedora (roundcubemail and sympa), Gentoo (asterisk and virtualbox), Oracle (kernel and kernel-container), Red Hat (dotnet3.1, dotnet5.0, and thunderbird), SUSE (crmsh, firefox, hawk2, ImageMagick, kernel, libzypp, zypper, nodejs10, nodejs14, openstack-dashboard, release-notes-suse-openstack-cloud, and tcmu-runner), and Ubuntu (coturn).

The problems with "vendoring" in packages—bundling dependencies rather thangetting them from other packages—seems to crop up frequently these days.We looked at Debian's concerns aboutpackaging Kubernetes and its myriad of Godependencies back in October. A more recent discussion in thatdistribution's community looks at another famously dependency-heavyecosystem: JavaScript libraries from the npm repository. Even C-based ecosystemsare not immune to the problem, as we saw withiproute2 and libbpf back in November; the discussion of vendoring seemslikely to recur over the coming years.

Stable kernels 5.10.7, 5.4.89, 4.19.167, 4.14.215, 4.9.251, and 4.4.251 have been released. They all containimportant fixes and users should upgrade.

The Google Project Zero blog is carrying asix-part series exploring, in great detail, a set of sophisticatedexploits discovered in the wild. "These exploit chains are designedfor efficiency & flexibility through their modularity. They arewell-engineered, complex code with a variety of novel exploitation methods,mature logging, sophisticated and calculated post-exploitation techniques,and high volumes of anti-analysis and targeting checks. We believe thatteams of experts have designed and developed these exploit chains. We hopethis blog post series provides others with an in-depth look at exploitationfrom a real world, mature, and presumably well-resourced actor."

Security updates have been issued by openSUSE (chromium), Oracle (firefox), Red Hat (kernel), Scientific Linux (firefox), Slackware (sudo), SUSE (firefox, nodejs10, nodejs12, and nodejs14), and Ubuntu (apt, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-4.15, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-hwe-5.4, linux-hwe-5.8, linux-oem-5.6, linux-oracle, linux-oracle-5.4, nvidia-graphics-drivers-390, nvidia-graphics-drivers-450, nvidia-graphics-drivers-460, python-apt, and xdg-utils).

The kernel project goes out of its way to facilitate building with oldertoolchains. Building a kernel on a new system can be enough of a challengeas it is; being forced to install a custom toolchain first would notimprove the situation. So the kerneldevelopers try to keep it possible to build the kernel with the toolchainsshipped by most distributors. There are costs to this policy though, includingan inability to use newer compiler features. But, as was seen in a recentepisode, building with old compilers can subject developers to old compilerbugs too.

Security updates have been issued by Arch Linux (chromium, firefox, and mbedtls), Debian (coturn), Fedora (firefox, flac, and nodejs), Gentoo (ark, chromium, dovecot, firefox, firejail, ipmitool, nodejs, and pillow), Mageia (alpine, c-client, binutils, busybox, cherokee, firefox, golang, guava, imagemagick, libass, openexr, squirrelmail, tomcat, and xrdp), openSUSE (chromium, cobbler, rpmlint, and tomcat), Oracle (kernel), Red Hat (firefox, libpq, and openssl), SUSE (python-defusedxml, python-freezegun, python-pkgconfig, python-python3-saml, python-xmlsec), and Ubuntu (jasper).

The 5.11-rc3 kernel prepatch is out fortesting. "So in the rc2 announcement notes I thought we might have a slow weekfor rc3 as well due to people just coming back from vacations and ittaking some time for bug reports etc to start tricking in.That turned out to be the incoherent ramblings of a crazy old man."

The5.10.6,5.4.88,4.19.166,4.14.214,4.9.250, and4.4.250stable kernel updates have all been released; each contains a relativelysmall number of important fixes.

The Fedora 34 release is plannedfor April 20 — a plan that may well come to fruition, given that theFedora project appears to have abandoned its tradition of delayedreleases. As part of that schedule, any proposals for system-wide changeswere supposed to be posted by December 29. That has not stopped thearrival of alate proposal to add file signatures to Fedora's RPM packages, though.This proposal, meant to support the use of the integrity measurementarchitecture (IMA) in Fedora, has not been met with universal acclaim.

Security updates have been issued by Debian (firefox-esr and libxstream-java), Fedora (awstats and dia), Mageia (c-ares, dash, and dovecot), openSUSE (dovecot23, gimp, kitty, and python-notebook), Oracle (kernel), SUSE (python-paramiko and tomcat), and Ubuntu (edk2, firefox, ghostscript, and openjpeg2).

A key component of system hardening is restricting access to memory; thisextends to preventing the kernel itself from accessing or modifying much ofthe memory in the system most of the time. Memory that cannot be accessedcannot be read or changed by an attacker. On many systems, though, theserestrictions do not apply to peripheral devices, which can happily usedirect memory access (DMA) on most or all of the available memory. Therecently posted restrictedDMA patch set aims to reduce exposure to buggy or malicious deviceactivity by tightening up control over the memory that DMA operations areallowed to access.

Security updates have been issued by Debian (golang-websocket, nodejs, and pacemaker), Fedora (mingw-binutils and rubygem-em-http-request), and Ubuntu (linux-oem-5.6 and p11-kit).

The LWN.net Weekly Edition for January 7, 2021 is available.