Linux Weekly News

Security updates have been issued by Debian (ledgersmb, tnef, and tor), Fedora (nodejs-underscore and tor), openSUSE (aws-cli, python-boto3, python-botocore,, fetchmail, firefox, and isync), SUSE (aws-cli, python-boto3, python-botocore, python-service_identity, python-trustme, python-urllib3 and python-PyYAML), and Ubuntu (linux-aws-5.8, linux-azure-5.8, linux-gcp-5.8, linux-oracle-5.8).

The first installment in this two-part series looked at the difficulties that arise when Btrfs filesystems containing subvolumes are exported via NFS. Btrfs has a couple of quirks that complicate life in this situation: the use of separate device numbers for subvolumes and the lack of unique inode numbers across the filesystem as a whole. Recently, Neil Brown set off on an effort to try to solve these problems, only to discover that the situation was even more difficult than expected and that many attempts would be required.

Security updates have been issued by Debian (ffmpeg, ircii, and scrollz), Fedora (kernel, krb5, libX11, and rust-actix-http), Mageia (kernel and kernel-linus), openSUSE (aspell, chromium, dbus-1, isync, java-1_8_0-openjdk, krb5, libass, libhts, libvirt, prosody, systemd, and tor), SUSE (cpio, dbus-1, libvirt, php7, qemu, and systemd), and Ubuntu (inetutils).

The 5.14-rc7 kernel prepatch has been released. "So things continue to look normal, and unless there is any last-minute panic this upcoming week, this is likely the last rc before a final 5.14."

OpenSSH 8.7 has been released. Changes include steps toward deprecating scp and using the SFTP protocol for file transfers instead, changes to remote-to-remote copies (they go through the local host by default now), a stricter configuration-file parser, and more.

Unix-like systems — and their users — tend to expect all filesystems to behave in the same way. But those users are also often interested in fancy new filesystems offering features that were never envisioned by the developers of the Unix filesystem model; that has led to a number of interesting incompatibilities over time. Btrfs is certainly one of those filesystems; it provides a long list of features that are found in few other systems, and some of those features interact poorly with the traditional view of how filesystems work. Recently, Neil Brown has been trying to resolve a specific source of confusion relating to how Btrfs handles inode numbers.

Luis Villa writes about increasing demands on open-source maintainers on opensource.com.

Second, these new and increasingly specialized requirements primarily benefit a specific class of open source users—large enterprises. That isn't necessarily a bad thing—big enterprises are essential in many ways, and indeed, the risks to them deserve to be taken seriously.

But in a world where hundreds of billions of dollars in enterprise value have been created by open source, and where small educational/hobby projects (and even many small companies) don't really benefit from these new unfunded mandates, developers will likely focus on other things, since few of them got into open source primarily to benefit the Fortune 500.

Security updates have been issued by Fedora (libtpms and mingw-exiv2), openSUSE (389-ds, aspell, c-ares, fetchmail, firefox, go1.15, go1.16, haproxy, java-1_8_0-openjdk, krb5, libass, libmspack, libsndfile, openexr, php7, qemu, and tor), Oracle (compat-exiv2-023 and compat-exiv2-026), and SUSE (389-ds, aspell, djvulibre, fetchmail, firefox, go1.15, go1.16, java-1_8_0-openjdk, krb5, libass, libmspack, nodejs8, openexr, postgresql10, qemu, and spice-vdagent).

Unix-like systems abound with ways to confuse new users, many of which have been present since long before Linux entered the scene. One consistent source of befuddlement is the "text file is busy" (ETXTBSY) error message that is delivered in response to an attempt to overwrite an executable image file. Linux is far less likely to deliver ETXTBSY results than it once was, but they do still happen on occasion. Recent work to simplify the mechanism behind ETXTBSY has raised a more fundamental question: does this error check have any value at all?

The Document Foundation has announced the latest release of LibreOffice: LibreOffice 7.2 Community, the new major release of the volunteer-supported free office suite for desktop productivity, is available from https://www.libreoffice.org/download. Based on the LibreOffice Technology platform for personal productivity on desktop, mobile and cloud, it provides a large number of interoperability improvements with Microsoft’s proprietary file formats. In addition, LibreOffice 7.2 Community offers numerous performance improvements in handling large files, opening certain DOCX and XLSX files, managing font caching, and opening presentations and drawings that contain large images. There are also drawing speed improvements when using the Skia back-end that was introduced with LibreOffice 7.1.

[...] LibreOffice 7.2 Community’s new features have been developed by 171 contributors: 70% of code commits are from 51 developers employed by three companies sitting in TDF’s Advisory Board – Collabora, Red Hat and allotropia – or other organizations (including The Document Foundation), and 30% are from 120 individual volunteers.

See the release notes for more information on the changes and new features in the LibreOffice 7.2.

Security updates have been issued by CentOS (exiv2, firefox, and thunderbird), Fedora (libsndfile, python-docx, and xscreensaver), openSUSE (haproxy), and SUSE (haproxy).

The LWN.net Weekly Edition for August 19, 2021 is available.

As part of the ramp-up to the 2021 Linux Plumbers Conference, LWN editor Jonathan Corbet will be presenting a version of "The kernel report" at 9:00AM US/Mountain time (15:00 UTC) on Thursday, August 26. Registration for LPC is not required; all are welcome for an update on the state of kernel development and a perspective on 30 years of the Linux kernel. Please come for an interesting discussion and to help the LPC crew stress-test the 2021 infrastructure.

The talk will be happening at meet.lpc.events; the more the merrier.

Back in June, we looked at a change to Python annotations, which provide a way to associate metadata, such as type information, with functions. That change was planned for the upcoming Python 3.10 release, but was deferred due to questions about it and its impact on run-time uses of the feature. The Python steering council felt that more time was needed to consider all of the different aspects of the problem before deciding on the right approach; the feature freeze for Python 3.10 was only around two weeks off when the decision was announced on April 20. But now, there is most of a year before another feature freeze, which gives the council (and the greater Python development community) some time to discuss it at a more leisurely pace.

Stable kernels 5.13.12, 5.10.60, 5.4.142 have been released. As usual, there are important fixes and users should upgrade.

Security updates have been issued by Debian (haproxy), Fedora (c-ares, hivex, kernel, libtpms, newsflash, python-django, rust-gettext-rs, and rust-gettext-sys), openSUSE (c-ares and libsndfile), Scientific Linux (cloud-init, edk2, exiv2, firefox, kernel, kpatch-patch, microcode_ctl, sssd, and thunderbird), SUSE (c-ares, fetchmail, haproxy, kernel, libmspack, libsndfile, rubygem-puma, spice-vdagent, and webkit2gtk3), and Ubuntu (exiv2, haproxy, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-gke, linux-gke-5.4, linux-gkeop, linux-gkeop-5.4, linux-hwe-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux-raspi2, linux-snapdragon, and linux, linux-aws, linux-azure, linux-gcp, linux-hwe-5.11, linux-oracle, linux-raspi).

The use of Transport Layer Security (TLS) encryption is ubiquitous on today's internet, though that has largely happened over the last 20 years or so; the first public version of its predecessor, Secure Sockets Layer (SSL), appeared in 1995. Before then, internet protocols were generally not encrypted, thus providing fertile ground for various types of "meddler-in-the-middle" (MitM) attacks. Later on, the STARTTLS command was added to some protocols as a backward-compatible way to add TLS support, but the mechanism has suffered from a number of flaws and vulnerabilities over the years. Some recent research, going by the name "NO STARTTLS", describes more, similar vulnerabilities and concludes that it is probably time to avoid using STARTTLS altogether.

These releases of Firefox 91.0.1 and Firefox ESR 91.0.1 fix two issues; one caused buttons on the tab bar to be resized and the other caused tabs from private windows to be visible in non-private windows. There is also a fix for a header splitting attack, and fixes for various stability issues.

Security updates have been issued by Fedora (firefox), openSUSE (cpio and rpm), Oracle (compat-exiv2-026, exiv2, firefox, kernel, kernel-container, qemu, sssd, and thunderbird), Red Hat (cloud-init, edk2, kernel, kpatch-patch, microcode_ctl, and sssd), and SUSE (cpio, firefox, and libcares2).

Version 2.33.0 of the Git source-code management system has been released.

As can be seen here, it turns out that this release does not have many end-user facing changes and new features, but a lot of fixes and internal improvements went into the codebase during this cycle. Also, preparation for a new merge strategy backend (can be used with "git merge -sort" today) is on its final stretch and we are hoping that it can become the default in the next release.