Linux Weekly News

Security updates have been issued by Debian (haproxy, libdbi-perl, pjproject, spip, and trafficserver), Oracle (firefox, kernel, kernel-container, libvirt libvirt-python, and thunderbird), Red Hat (maven:3.5, maven:3.6, nodejs:16, postgresql, postgresql:10, and rsyslog), SUSE (gimp, helm-mirror, ImageMagick, mailman, openstack-neutron, pcmanfm, pcre2, postgresql10, and tiff), and Ubuntu (dpkg and freetype).

The ID-mapped mounts feature was added to Linux in 5.12, but the general idea behind it goes back a fair bit further. There are a number of different situations where the user and group IDs for files on disk do not match the current human (or process) user of those files, so ID-mapped mounts provide a way to resolve that problem—without changing the files on disk. The developer of the feature, Christian Brauner, led a discussion at the 2022 Linux Storage, Filesystem, Memory-management and BPF Summit (LSFMM) on ID-mapped mounts.

Our introduction to Linux audio and MIDI plugin APIs ended with a mention of the Clever Audio Plugin (CLAP) but did not get into the details. CLAP is an MIT-licensed API for developing audio and MIDI plugins that, its developers feel, has the potential to improve the audio-software situation on Linux. The time has now come to get to those details and look at the state of CLAP and where it is headed.

The 5.18.1, 5.17.12, 5.15.44, and 5.10.119 stable kernels have been released. As usual, they contain important fixes; users of those series should upgrade.

Version 5.36.0 of the Perl language is out. "Perl 5.36.0 represents approximately a year of development since Perl 5.34.0 and contains approximately 250,000 lines of changes across 2,000 files from 82 authors." Changes include the enabling of function signatures, Unicode 14.0 support, experimental iteration over multiple values, and a lot more; see the release notes for the full list.

Security updates have been issued by Debian (modsecurity-apache, pngcheck, rsyslog, and smarty3), Fedora (firefox, golang-github-opencontainers-runc, gron, kernel, kernel-headers, kernel-tools, logrotate, mingw-pcre2, and rubygem-git), Mageia (admesh, chromium-browser-stable, golang, kernel, kernel-linus, and pidgin), Red Hat (firefox, openvswitch2.13, openvswitch2.15, openvswitch2.16, rsyslog, and thunderbird), SUSE (bind, curl, opera, pcp, postgresql12, and postgresql14), and Ubuntu (gnupg2 and ntfs-3g).

Paul McKenney writes about why read-copy-update coverage is not universal in the kernel, the hazards that can result from that, and what is being done to improve the situation.

Unfortunately, an eternally watchful RCU is impractical in the Linux kernel due to energy-efficiency considerations. The problem is that if RCU watches an idle CPU, RCU needs that CPU to execute instructions. And making an idle CPU unnecessarily execute instructions (for a rather broad definition of the word “unnecessary”) will terminally annoy a great many people in the battery-powered embedded world. And for good reason: Making RCU avoid watching idle CPUs can provide 30-40% increases in battery lifetime.

As of this writing, just under 4,600 non-merge changesets have been pulled into the mainline repository for the 5.19 development cycle. The 5.19 merge window is clearly well underway. The changes pulled so far cover a number of areas, including the core kernel, architecture support, networking, security, and virtualization; read on for highlights from the first part of this merge window.

Security updates have been issued by Debian (atftp, cups, neutron, and zipios++), Fedora (clash, moodle, python-jwt, and thunderbird), Red Hat (thunderbird), Slackware (cups), SUSE (go1.17, libredwg, opera, seamonkey, and varnish), and Ubuntu (libxv, ncurses, openssl, and subversion).

AlmaLinux 9, based on RHEL 9, has been released. Four architectures are supported, so ISO files are available for x86_64, Arm64, PowerPC, and IBM Z. AlmaLinux OS 9.0 is based on upstream kernel version 5.14 and contains enhancements around cloud and container development and improvements to the web console (cockpit). This release also delivers enhancements for security and compliance, including additional security profiles, greatly improved SELinux performance and user authentication logs. Other various updates include Python 3.9, GCC 11 and the latest versions of LLVM, Rust and Go compilers to make modernizing the applications faster and easier. You can read more about it by checking out the Release Notes.

[...] The AlmaLinux OS Foundation would like to thank all those involved in the CentOS Stream 9 efforts, CentOS SIGs and others that made this release possible. Thank you to the Fedora and RHEL teams, as well as upstream projects and contributors everywhere. You Rock!

The normal rule of kernel development is that the creation of user-space regressions is not allowed; a patch that breaks a previously working application must be either fixed or reverted. There are exceptions, though, including a 5.10 patch that has been turning up regressions ever since. The story that emerges here shows what can happen when the goals of stability, avoiding security problems, and code cleanup run into conflict.

The Perl Steering Council has posted a blog entry on its plans for the language and when Perl 7 might be released.

For now, our plan is to continue introducing new features and to resolve all existing experimental features, so they're either dropped, or become non-experimental features (and so are included in the version bundle). The downside with this is that people often can't remember which version of Perl introduced which feature(s). At some point in the future, the PSC may decide that the set of features, taken together, represent a big enough step forward to justify a new baseline for Perl. If that happens, then the version will be bumped to 7.0.

Security updates have been issued by Debian (chromium, dpkg, filezilla, irssi, puma, and python-django), Fedora (firefox, ignition, and pcre2), Mageia (cockpit, firefox/thunderbird, openldap, supertux, unrar, and vim), Oracle (firefox and thunderbird), Red Hat (rh-varnish6-varnish), SUSE (cups, fribidi, kernel-firmware, redis, and wpa_supplicant), and Ubuntu (dpkg, logrotate, and subversion).

The LWN.net Weekly Edition for May 26, 2022 is available.

Right on the heels of his previous filesystem session at the 2022 Linux Storage, Filesystem, Memory-management and BPF Summit (LSFMM), Steve French led a session on temporary files and their interaction with network filesystems. The problem is that creating temporary files is not always atomic, so he was proposing changing that, which would eliminate a possible race condition and be more efficient for network filesystems. Since the temporary-file discussion did not fill the 30-minute slot, however, French took the opportunity to discuss some attributes he would like to see get added for the statx() system call.

Steve French led a discussion on change notifications for network filesystems in a session at the 2022 Linux Storage, Filesystem, Memory-management and BPF Summit (LSFMM). He is part of the Samba team and noted that both Windows and macOS clients get notified of new and changed files in a shared directory immediately, while on Linux that does not happen. He wanted to explore what it would take to add that functionality.

The Linux Foundation has posted an "Open Source Software Security Mobilization Plan" that aims to address a number of perceived security problems with the expenditure of nearly $140 million over two years.

While there are considerable ongoing efforts to secure the OSS supply chain, to achieve acceptable levels of resilience and risk, a more comprehensive series of investments to shift security from a largely reactive exercise to a proactive approach is required. Our objective is to evolve the systems and processes used to ensure a higher degree of security assurance and trust in the OSS supply chain.

This paper suggests a comprehensive portfolio of 10 initiatives which can start immediately to address three fundamental goals for hardening the software supply chain. Vulnerabilities and weaknesses in widely deployed software present systemic threats to the security and stability of modern society as government services, infrastructure providers, nonprofits and the vast majority of private businesses rely on software in order to function.

Here's an update from F-Droid regarding upcoming changes to its build and distribution infrastructure.

If you have an app on f-droid.org, you might have noticed that all builds happen on a 5 year old Debian release: stretch. We are in the midst of a big effort to upgrade to the latest bullseye release right now. This is not just a simple apt-get upgrade, we are also taking this opportunity to overhaul the build process so that app builds work with a relatively plain Debian install as the base OS. We have to provide a platform to build thousands of apps, so we cannot just upgrade the base image as often as we like.

The 5.17.10, 5.15.42, 5.10.118, 5.4.196, 4.19.245, 4.14.281, and 4.9.316 stable kernel updates have all been released; each contains another set of important fixes.

Update: the 5.17.11 and 5.15.43 updates followed immediately thereafter with a single MPTCP networking fix.

Security updates have been issued by Debian (lrzip and puma), Fedora (plantuml and plib), Oracle (kernel and kernel-container), Red Hat (firefox, kernel, kpatch-patch, subversion:1.14, and thunderbird), Scientific Linux (firefox and thunderbird), SUSE (kernel-firmware, libxml2, pcre2, and postgresql13), and Ubuntu (accountsservice, postgresql-10, postgresql-12, postgresql-13, postgresql-14, and rsyslog).