Linux Weekly News

[$] Wrangling the typing PEPs

3 years 8 months ago
When last we looked in on the great typing PEP debate for Python, back in August, two PEPs were still being discussed as alternatives for handling annotations in the language. The steering council was considering the issue after deferring on a decision for the Python 3.10 release, but the question has been deferred again for Python 3.11. More study is needed and the council is looking for help from the Python community to guide its decision. In the meantime, though, discussion about the deferral has led to the understanding that annotations are not a general-purpose feature, but are only meant for typing information. In addition, there is a growing realization that typing information is effectively becoming mandatory for Python libraries.
jake

Mold (linker) 1.0 released

3 years 8 months ago
Version 1.0 of the mold linker has been released.

mold 1.0 is the first stable and production-ready release of the high-speed linker. On Linux-based systems, it should "just work" as a faster drop-in replacement for the default GNU linker for most user-land programs. If you are building a large executable which takes a long time to link, mold is worth a try to see if it can shorten your build time.

corbet

Security updates for Wednesday

3 years 8 months ago
Security updates have been issued by Fedora (libopenmpt), openSUSE (icu.691, log4j, nim, postgresql10, and xorg-x11-server), Red Hat (idm:DL1), SUSE (gettext-runtime, icu.691, runc, storm, storm-kit, and xorg-x11-server), and Ubuntu (xorg-server, xorg-server-hwe-18.04, xwayland).
ris

Kdenlive 21.12 released

3 years 8 months ago
Version 21.12 of the Kdenlive video editor is out.

The last and most exciting release of Kdenlive this year is out and brings long awaited features like Multicam Editing and Slip trimming mode, all of which drastically improve your editing workflow. This version also comes with a new deep-learning based tracking algorithm, an auto-magical noise reduction filter and support for multiple Project Bins.

corbet

[$] Adding fs-verity support for Fedora 36?

3 years 8 months ago
Adding fs-verity file-integrity information to RPM packages for Fedora 36 is the topic of a recent discussion on the Fedora devel mailing list. The feature would provide a means to install files from RPM packages as read-only files that cannot be read or otherwise operated on if the data in the files changes at any point. The proposal is mostly about making the plumbing available for use cases that are not particularly clear—which has led to some questions and skepticism among those participating in the thread.
jake

Security updates for Tuesday

3 years 8 months ago
Security updates have been issued by Debian (libsamplerate and raptor2), Fedora (pam-u2f and python-markdown2), openSUSE (chromium, fetchmail, ImageMagick, and postgresql10), Oracle (samba), SUSE (fetchmail, postgresql10, python-pip, python3, and sles12sp2-docker-image), and Ubuntu (apache-log4j2, flatpak, glib, and samba).
ris

[$] Digging into the community's lore with lei

3 years 9 months ago
Email is often seen as a technology with a dim future; it is slow, easily faked, and buried in spam. Kids These Days want nothing to do with it, and email has lost its charm with many others as well. But many development projects are still dependent on it, and even non-developers still cope with large volumes of mail. While development forges show one possible path away from email, they are not the only one. What if new structures could be built on top of email to address some of its worst problems while keeping the good parts that many projects depend on? The "lei" system recently launched by Konstantin Ryabitsev is a hint of how such a future might look.
corbet

Security updates for Monday

3 years 9 months ago
Security updates have been issued by Arch Linux (chromium, firefox, gitlab, grafana, grafana-agent, thunderbird, and vivaldi), Debian (apache-log4j2, privoxy, and wireshark), Fedora (firefox, grub2, mariadb, mod_auth_openidc, rust-drg, rust-tiny_http, and rust-tiny_http0.6), Mageia (chromium-browser-stable, curaengine, fetchmail, firefox, libvirt, log4j, opencontainers-runc, python-django, speex, and thunderbird), openSUSE (clamav, firefox, glib-networking, glibc, gmp, ImageMagick, log4j, nodejs12, nodejs14, php7, python-Babel, python-pip, webkit2gtk3, and wireshark), Red Hat (mailman:2.1 and samba), and SUSE (bcm43xx-firmware, firefox, glib-networking, ImageMagick, kernel-rt, and python-pip).
ris

EFF: Chrome Users Beware: Manifest V3 is Deceitful and Threatening

3 years 9 months ago
The Electronic Frontier Foundation warns against Manifest V3, a set of changes coming to a Chrome browser near you.

Manifest V3, or Mv3 for short, is outright harmful to privacy efforts. It will restrict the capabilities of web extensions – especially those that are designed to monitor, modify, and compute alongside the conversation your browser has with the websites you visit. Under the new specifications, extensions like these – like some privacy-protective tracker blockers – will have greatly reduced capabilities.

corbet

Kernel prepatch 5.16-rc5

3 years 9 months ago
The 5.16-rc5 kernel prepatch is out for testing.

Do give it a good testing - with the holidays coming up, things are probably going to slow down both on the development and testing front, and as a result I expect that I will also extend the rc series by another week not because it's necessarily needed (too early to tell, but doesn't feel that way), but simply because nobody will want to open the next merge window immediately in the new year.

One small change of note in this -rc is that the default limit for the number of pages that can be locked into memory by an unprivileged process has been raised to 8MB; see this article for a summary of the discussions leading up to this change.

corbet

The Log4j mess

3 years 9 months ago
For those who have not yet seen it, this advisory from Apache describes a nasty vulnerability in the widely used Log4j package.

Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default.

Updating this package is, of course, necessary, but that will only help so much; it is bundled into a lot of other deployed products. For more information see this Ars Technica article or, for desperate cases, the Logout4Shell utility.

corbet

Mourning Fredrik "Effbot" Lundh

3 years 9 months ago
Guido van Rossum has posted the sad news that longtime Python contributor Fredrik Lundh has died.

Fredrik was an early Python contributor (e.g. Elementtree and the 're' module) and his enthusiasm for the language and community were inspiring for all who encountered him or his work. He spent countless hours on comp.lang.python answering questions from newbies and advanced users alike.

He also co-founded an early Python startup, Secret Labs AB, which among other software released an IDE named PythonWorks. Fredrik also created the Python Imaging Library (PIL) which is still THE way to interact with images in Python, now most often through its Pillow fork. His effbot.org site was a valuable resource for generations of Python users, especially its Tkinter documentation.

corbet

drgn: How the Linux Kernel Team at Meta Debugs the Kernel at Scale (Meta)

3 years 9 months ago
The "Meta for Developers" blog has an introduction to the drgn kernel debugger.

drgn (pronounced “dragon”) is a debugger that exposes the types and variables in a program for easy, expressive scripting in Python. The Linux kernel team at Meta originally built drgn to make it easier to investigate the kinds of difficult Linux kernel bugs that the team encounters at Meta. The team has since added further use cases for it, like monitoring and userspace memory profiling.

LWN reported on drgn in 2019.

corbet

[$] Stochastic bisection in Git

3 years 9 months ago
Regressions are no fun; among other things, finding the source of a regression among thousands of changes can be a needle-in-the-haystack sort of problem. The git bisect command can help; it is a (relatively) easy way to sift through large numbers of commits to find the one that introduces a regression. When it works well, it can quickly point out the change that causes a specific problem. Bisection is not a perfect tool, though; it can go badly wrong in situations where a bug cannot be reliably reproduced. In an attempt to make bisection more useful in such cases, Jan Kara is proposing to add "stochastic bisection" support to Git.
corbet

Security updates for Friday

3 years 9 months ago
Security updates have been issued by Debian (python-babel), Fedora (golang-github-opencontainers-image-spec and libmysofa), openSUSE (hiredis), Oracle (firefox and thunderbird), Red Hat (thunderbird and virt:8.2 and virt-devel:8.2), Scientific Linux (thunderbird), SUSE (kernel-rt and xen), and Ubuntu (firefox).
jake

Haas: Surviving Without A Superuser - Part One

3 years 9 months ago
PostgreSQL developer Robert Haas has begun a blog series on what would be needed to allow database administrators to safely delegate superuser powers.

Consider, for example, the case of a service provider who would like to support a database with multiple customers as tenants. The customers will naturally want to feel as if they have the powers of a true superuser, with the ability to do things like create new roles, drop old ones, change permissions on objects that they don't own, and generally enjoy the freedom to bypass permission checks at the SQL level which superusers enjoy. The service provider, who is the true superuser, also wants this, but does not want the customers to be able to do the really scary things that a superuser can do, like changing archive_command to rm -rf / or deleting the entire contents of pg_proc so that the system crashes and the database in which the operation was performed is permanently ruined.

corbet

[$] Blocking straight-line speculation — eventually

3 years 9 months ago
The Spectre class of vulnerabilities was given that name because, it was thought, these problems would haunt us for a long time. As the fourth anniversary of the disclosure of Meltdown and Spectre approaches, there is no reason to doubt the accuracy of that name. One of the more recent Spectre variants goes by the name "straight-line speculation"; it was first disclosed in June 2020, but fixes are still trying to find their way into the compilers and the kernel.
corbet

Security updates for Thursday

3 years 9 months ago
Security updates have been issued by Fedora (firefox, libopenmpt, matrix-synapse, vim, and xen), Mageia (gmp, heimdal, libsndfile, nginx/vsftpd, openjdk, sharpziplib/mono-tools, and vim), Red Hat (java-1.8.0-ibm), Scientific Linux (firefox), SUSE (kernel-rt), and Ubuntu (bluez).
jake
LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.