Linux Weekly News

As part of the response to last year's UMN fiasco, Kees Cook and a group of collaborators have put together a set of guidelines for researchers who are studying how the kernel-development community (or any development community, really) works. That document has just been merged into the mainline as part of the 5.18 merge window.

This document seeks to clarify what the Linux kernel community considers acceptable and non-acceptable practices when conducting such research. At the very least, such research and related activities should follow standard research ethics rules.

The Open Source Initiative has announced the results of its 2022 board election.

Congratulations to the elected directors: Pamela Chestek, Carlo Piana, Josh Berkus and Amanda Brock. Pamela Chestek has been confirmed and is joined by Carlo Piana as the directors elected by the Affiliate organizations. Josh Berkus and Amanda Brock collected the votes of the Individual members.

MIT Technology Review has taken a brief look at open-source projects that have added changes protesting the war in Ukraine and drawn some questionable conclusions:

No tech firm has gone that far, but around two dozen open-source software projects have been spotted adding code protesting the war, according to observers tracking the protestware movement. Open-source software is software that anyone can modify and inspect, making it more transparent—and, in this case at least, more open to sabotage.

Security updates have been issued by Debian (apache2 and thunderbird), Fedora (abcm2ps, containerd, dotnet6.0, expat, ghc-cmark-gfm, moodle, openssl, and zabbix), Mageia (389-ds-base, apache, bind, chromium-browser-stable, nodejs-tar, python-django/python-asgiref, and stunnel), openSUSE (icingaweb2, lapack, SUSE:SLE-15-SP4:Update (security), and thunderbird), Oracle (openssl), Slackware (bind), SUSE (apache2, bind, glibc, kernel-firmware, lapack, net-snmp, and thunderbird), and Ubuntu (binutils, linux, linux-aws, linux-aws-5.13, linux-gcp, linux-hwe-5.13, linux-kvm, linux-raspi, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gke, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, and linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-dell300x, linux-hwe, linux-gcp-4.15, linux-kvm, linux-oracle, linux-snapdragon).

The just-completed, online LibrePlanet conference was the venue for awarding this year's Free Software Awards: SecuRepairs was this year's winner of the Award for Projects of Social Benefit, which is presented to a project or team responsible for applying free software, or the ideas of the free software movement, to intentionally and significantly benefit society. This award stresses the use of free software in service to humanity. SecuRepairs is an association of professionals working in the information security industry, who have the common cause of supporting the "right to repair" devices and software.

[...] The 2021 Award for Outstanding New Free Software Contributor went to Protesilaos "Prot" Stavrou, who in a few short years has become a mainstay of the GNU Emacs community through his blog posts, livestreams, conference talks, and code contributions.

[...] Paul Eggert was this year's honoree for the Award for the Advancement of Free Software, an award given to an individual who has made a great contribution to the progress and development of free software through activities that accord with the spirit of free software. Eggert has been a contributor to the GNU operating system for over thirty years, including contributions to components like GNU Compiler Collection (GCC), and is the current maintainer of the Time Zone Database (tz), which provides accurate information on the world's time zones.

At the conclusion of the 5.17 development cycle, 13038 non-merge changesets had found their way into the mainline repository. That is a lower level of activity than was seen for 5.16 (14,190 changesets) but well above 5.15 (12,337). In other words, this was a fairly typical kernel release. That is true in terms of where the work that made up the release came from as well.

Aria Beingessner points out a set of problems with Rust's conception of unsafe pointers and proposes some fixes in this highly detailed post.

Rust currently says this code is totally cool and fine:

// Masking off a tag someone packed into a pointer: let mut addr = my_ptr as usize; addr = addr & !0x1; let new_ptr = addr as *mut T; *new_ptr += 10;

This is some pretty bog-standard code for messing with tagged pointers, what’s wrong with that? [...]

For this to possibly work with Pointer Provenance and Alias Analysis, that stuff must pervasively infect all integers on the assumption that they might be pointers. This is a huge pain in the neck for people who are trying to actually formally define Rust’s memory model, and for people who are trying to build sanitizers for Rust that catch UB. And I assure you it’s just as much a headache for all the LLVM and C(++) people too.

Security updates have been issued by Debian (bind9, chromium, libgit2, libpano13, paramiko, usbredir, and wordpress), Fedora (expat, kernel, openexr, thunderbird, and wordpress), openSUSE (chromium, frr, and weechat), Red Hat (java-1.7.1-ibm and java-1.8.0-ibm), SUSE (frr), and Ubuntu (imagemagick).

Linus has released the 5.17 kernel.

So we had an extra week of at the end of this release cycle, and I'm happy to report that it was very calm indeed. We could probably have skipped it with not a lot of downside, but we did get a few last-minute reverts and fixes in and avoid some brown-paper bugs that would otherwise have been stable fodder, so it's all good

Some of the significant features in this release include KCSAN support for the arm64 architecture, the bpf_loop() helper, improved ID-mapped filesystem mounts, the reference-count tracking infrastructure, a switch to BLAKE2s for the random-number generator, a rewritten network filesystem caching layer, straight-line speculation mitigation, and more. See the LWN merge-window summaries (part 1, part 2) and the KernelNewbies 5.17 page for more details.

The first alpha release of Asahi Linux, a distribution for Apple M1 silicon, has been released.

Keep in mind that this is still a very early, alpha release. It is intended for developers and power users; if you decide to install it, we hope you will be able to help us out by filing detailed bug reports and helping debug issues. That said, we welcome everyone to give it a try - just expect things to be a bit rough.

The 5.16.16, 5.15.30, 5.10.107, and 5.4.186 stable kernel updates have been released; each contains another set of important fixes.

Over on the Software Freedom Conservancy blog, Bradley M. Kuhn considers the question of the interaction between copyleft and the "ethical source" effort that seeks to use copyleft-like licensing to bring about additional changes, beyond just software freedom; the Hippocratic License is an example of such a license. In his view, copyleft and ethical software are not really compatible, even though many in free-software world (including Kuhn) are highly sympathetic to the goals, especially in light of the recent invasion of Ukraine by Russia. I suspect activists will continue to disagree about whether we have a moral imperative to change FOSS licenses themselves to contractually forbid Putin to copy, modify, redistribute and reinstall the FOSS he already has (or surreptitiously downloaded by circumventing sanctions). However, these horrendous events in Ukraine offer real world examples to consider the viability of expanding copyleft term expansion beyond software, and consider how it might work. My analysis is that such changes would only give us the false sense of having "done something". Ultimately enforcement of such licensing changes would either be impossible or pointless. The very entities (such as the varied international courts and treaty organizations) that could enforce such terms will also have plenty of other war crimes and sanctions violations to bring against Putin and his cronies anyway. The penalties for the actions of war that Putin took will be much stronger than Putin's contractual breach or copyright infringement claim that could be brought under a modified copyleft license and/or the Hippocratic License.

Jason Donenfeld has published a lengthy look at the changes to the Linux random-number generator (RNG) for Linux 5.17 and the upcoming 5.18 kernel. It covers his efforts "to modernize both the code and the cryptography used" and also peers into the future for changes that may be coming. random.c was introduced back in 1.3.30, steadily grew features, and was a pretty impressive driver for its time, but after some decades of tweaks, the general organization of the file, as well as some coding style aspects were showing some age. The documentation comments were also out of date in several places. That’s only natural for a driver this old, no matter how innovative it was. So a significant amount of work has gone into general code readability and maintainability, as well as updating the documentation. I consider these types of very unsexy improvements to be as important if not more than the various fancy modern cryptographic improvements. My hope is that this will encourage more people to read the code, find bugs, and help improve it. And it should make the task of academics studying and modeling the code a little bit easier.

The kernel community has a number of excuses for the relative paucity of regression-test coverage in the project, some of which hold more water than others. One of the more convincing reasons is that a great deal of kernel code is hardware-specific, and nobody can ever hope to put together a testing system with even a small fraction of all the hardware that the kernel supports. A new driver-testing framework called roadtest, posted by Vincent Whitchurch, may make that excuse harder to sustain, though, at least for certain kinds of hardware.

Security updates have been issued by Debian (python-treq), Fedora (openvpn, pesign, rust-regex, and thunderbird), Oracle (expat), Red Hat (kpatch-patch-4_18_0-147_58_1), Slackware (bind and openssl), SUSE (python-lxml), and Ubuntu (apache2).

The Open Source Initiative reports on a ruling in the US Court of Appeals reaffirming the meaning of "open source" in a software license.

The court only confirmed what we already know – that “open source” is a term of art for software that has been licensed under a specific type of license, and whether a license is an OSI-approved license is a critically important factor in user adoption of the software. Had the defendants’ desire to license its software as AGPLv3-only been permissible, its claims of “100% open source” wouldn’t have been false and there would have been no false advertising. But adding the non-free Commons Clause created a different license such that the software could not be characterized as “open source” and doing so in these circumstances was unlawful false advertising.

CPU scheduling can be a challenging task; the scheduler must ensure that every process gets a fair share of the available CPU time while, at the same time, respecting CPU affinities, avoiding the migration of processes away from their cached memory contents, and keeping all CPUs in the system busy. Even then, users can become grumpy if specific processes do not get their CPU share quickly; from that comes years of debates over desktop responsiveness, for example. The latency-nice priority proposal recently resurrected by Vincent Guittot aims to provide a new tool to help latency-sensitive applications get their CPU time more quickly.

Security updates have been issued by Debian (flac, openssl, and openssl1.0), Fedora (nbd, pesign, and rust-regex), openSUSE (ansible, java-1_8_0-openjdk, libreoffice, and stunnel), Oracle (expat, glibc, and virt:ol and virt-devel:rhel), Red Hat (expat, redhat-ds:11.3, and virt:av and virt-devel:av), SUSE (atftp, java-1_8_0-openjdk, libreoffice, python3, and stunnel), and Ubuntu (apache2, bind9, firefox, fuse, and man-db).

The LWN.net Weekly Edition for March 17, 2022 is available.

Python has often been touted as a "batteries included" language because of its rich standard library that provides access to numerous utility modules and is distributed with the language itself. But those libraries need maintenance, of course, and that is provided by the Python core development team. Over the years, it has become clear that some of the modules are not really being maintained any longer and they probably are not really needed by most Python users—either because better alternatives exist or because they address extremely niche use cases. A long-running project to start the removal of those modules has recently been approved.