Linux Weekly News

The kernel-development community is a busy place, with thousands of emails flying by every day and many different projects under development at any given time. Much of that work ends up inspiring articles at LWN, but there is no way to ever cover all of it, or even all of the most interesting parts. What follows is a first attempt at what may become a semi-regular LWN feature: a quick look at some of the work that your editor is tracking that may or may not show up as the topic of a full article in the future. The first set of topics includes memory folios, task isolation, and a lightweight threading framework from Google.

Version 2.34 of the GNU C library has been released. Significant changes include the folding of libpthread, libdl, libutil, and libanl into the main library, support for 64-bit (year-2038 safe) times on 32-bit systems, support for the close_range() system call, a handful of security fixes, and many other changes.

Stable kernels 5.13.7, 5.10.55, 5.4.137, and 4.19.200 have been released. As usual, there are important fixes and users should upgrade.

Security updates have been issued by Arch Linux (389-ds-base, consul, containerd, geckodriver, powerdns, vivaldi, webkit2gtk, and wpewebkit), Debian (aspell, condor, libsndfile, linuxptp, and lrzip), and Fedora (bluez, buildah, java-1.8.0-openjdk, java-11-openjdk, java-latest-openjdk, kernel, kernel-tools, mbedtls, mingw-exiv2, mingw-python-pillow, mrxvt, python-pillow, python2-pillow, redis, and seamonkey).

The 5.14-rc4 kernel prepatch is out for testing. "Nothing to see here, entirely normal rc4".

The C programming language is famously prone to memory-safety problems that lead to buffer overflows and a seemingly endless stream of security vulnerabilities. But, even in C, it is possible to improve the situation in many cases. One of those is the memcpy() family of functions, which are used to efficiently copy or overwrite blocks of memory; with a bit of help from the compiler, those functions can be prevented from writing past the end of the destination object they are passed. Enforcing that condition in the kernel is harder than one might expect, though, as this massive patch set from Kees Cook shows.

Security updates have been issued by Debian (libsndfile and openjdk-11), Fedora (php-pear and seamonkey), openSUSE (fastjar and php7), SUSE (php72, qemu, and sqlite3), and Ubuntu (libsndfile, php-pear, and qpdf).

The change in copyright-assignment policy proposed in June for the GNU C Library project has now been adopted:

The changes to accept patches with or without FSF copyright assignment will be effective after August 2nd, and will apply to all open branches. Code shared with other GNU packages via Gnulib will continue to require assignment to the FSF.

The library will continue to be licensed under the GNU Lesser Public License v2.1 or later.

On its blog, the Free Software Foundation (FSF) has announced a call for white papers about GitHub Copilot and the questions surrounding it. The FSF will pay $500 for papers that it publishes because they "help elucidate the problem": We can see that Copilot's use of freely licensed software has many implications for an incredibly large portion of the free software community. Developers want to know whether training a neural network on their software can really be considered fair use. Others who may be interested in using Copilot wonder if the code snippets and other elements copied from GitHub-hosted repositories could result in copyright infringement. And even if everything might be legally copacetic, activists wonder if there isn't something fundamentally unfair about a proprietary software company building a service off their work.

Filesystem developers tend to disagree with each other about many things, but they are nearly unanimous in their dislike for the truncate() system call, which chops data off the end of a file. Implementing truncate() tends to be full of traps for the unwary — the kind of traps that can lead to lost data. But it turns out that a similar operation, called "hole punching", may be worse. This operation has been subject to difficult-to-hit but real race conditions in many filesystems for years; this patch set from Jan Kara may finally be at a point where it can fill the hole in hole punching.

Security updates have been issued by Debian (webkit2gtk), Fedora (ruby and webkit2gtk3), Mageia (aspell and varnish), openSUSE (git), SUSE (ardana-cobbler, cassandra, cassandra-kit, crowbar-core, crowbar-openstack, documentation-suse-openstack-cloud, grafana, kibana, openstack-heat-templates, openstack-monasca-installer, openstack-nova, python-Django, python-elementpath, python-eventlet, python-py, python-pysaml2, python-six, python-xmlschema and git), and Ubuntu (libsndfile, mariadb-10.3, and webkit2gtk).

The LWN.net Weekly Edition for July 29, 2021 is available.

Backlogs in bug triage, code review, and other elements of the development process are nothing new for free-software projects; there is clearly a lot more interest in creating new features (and the bugs that go with them, of course) than in taking on the less-satisfying bits. For a large project like CPython, though, the backlog can seriously impede progress—potentially chasing off contributors whose work falls through the cracks. In order to address that, the Python Software Foundation (PSF) has raised some funds to hire Łukasz Langa as the CPython "Developer-in-Residence". Langa will be working to help clear the backlog, while also looking into other areas of interest to the PSF and the Python steering council.

Stable kernels 5.13.6, 5.10.54, 5.4.136, 4.19.199, 4.14.241, 4.9.277, and 4.4.277 have been released. They all contain important fixes and users should upgrade.

Security updates have been issued by Fedora (golang), Mageia (curl, filezilla, jdom/jdom2, netty, pdfbox, perl-Mojolicious, perl-Net-CIDR-Lite, perl-Net-Netmask, python-urllib3, python3, quassel, transfig, and virtualbox), openSUSE (umoci), Red Hat (rh-nodejs12-nodejs and rh-nodejs12-nodejs-nodemon and rh-nodejs14-nodejs and rh-nodejs14-nodejs-nodemon), and SUSE (firefox, glibc, libsndfile, linuxptp, qemu, and umoci).

The annual Linux Plumbers Conference (LPC) is a gathering of a relatively small subset of the developers working on the low-level (plumbing) details of Linux systems. It covers topics from below the kernel through the user-space components that underlie the interfaces and applications that most Linux users interact with. This year's event will be held virtually September 20‑24; it is shaping up to be another great edition of one of the premier open-registration Linux technical conferences on the calendar.

Security updates have been issued by Debian (drupal7), Fedora (linux-firmware), openSUSE (qemu), Oracle (kernel and thunderbird), Red Hat (thunderbird), Scientific Linux (java-1.8.0-openjdk, java-11-openjdk, kernel, and thunderbird), SUSE (dbus-1, libvirt, linuxptp, qemu, and slurm), and Ubuntu (aspell and mysql-5.7, mysql-8.0).

One of the fundamental invariants of computing is that, regardless of how much memory is installed in a system, it is never enough. This is especially true of systems with tight performance constraints, where every page of memory is allocated and in use, making it difficult to find more when it is badly needed. One way to make more memory available is to kill one or more processes, freeing their resources for other users. But that often does not work as quickly or reliably as users would like. In an attempt to improve the situation, Suren Baghdasaryan has proposed the addition of a system call named process_mrelease().

Security updates have been issued by Debian (aspell, intel-microcode, krb5, rabbitmq-server, and ruby-actionpack-page-caching), Fedora (chromium, containernetworking-plugins, containers-common, crun, fossil, podman, skopeo, varnish-modules, and vmod-uuid), Gentoo (leptonica, libsdl2, and libyang), Mageia (golang, lib3mf, nodejs, python-pip, redis, and xstream), openSUSE (containerd, crmsh, curl, icinga2, and systemd), Oracle (containerd), and Red Hat (thunderbird).

The third 5.14 kernel prepatch is out for testing.

Here we are, a week later. After a relatively big rc2, things seem to have calmed down and rc3 looks pretty normal. Most of the fixes here are small, and the diffstat looks largely flat. And there's not an undue amount of stuff.