Linux Weekly News

Version 1.1 of the Inkscape vector image editor has been released. "Among the highlights in Inkscape 1.1 are a Welcome dialog, a Command Palette, a revamped Dialog Docking System, and searchable preference options, along with new formats for exporting your work."

The multi-generational LRU patch set is a significant reworking of the kernel's memory-management subsystem that promises better performance for a number of workloads; it was covered here in April. Since then, two new versions of that work have been released by developer Yu Zhao, with version 3 being posted on May 20. Some significant changes have been made since the original post, so another look is in order.

Security updates have been issued by Debian (libx11, prosody, and ring), Fedora (ceph, glibc, kernel, libxml2, python-pip, slurm, and tpm2-tss), Mageia (bind, libx11, mediawiki, openjpeg2, postgresql, and thunderbird), openSUSE (Botan, cacti, cacti-spine, chromium, djvulibre, fribidi, graphviz, java-1_8_0-openj9, kernel, libass, libxml2, lz4, and python-httplib2), and Slackware (expat).

The third 5.13 kernel prepatch is out for testing. "It's been a very calm rc3 week, and at least in pure number of commits this is the smallest rc3 we've had in the 5.x series. Considering that the merge window was not in any way small, this is a bit surprising, but I suspect it's one of those 'not everybody sent in fixes this week' things that will rectify itself next week." This prepatch does include reverts and fixes for a long series of broken patches identified in the TAB report on the UMN mess.

The 5.12.6, 5.10.39, 5.4.121, 4.19.191, 4.14.233, 4.9.269, and 4.4.269 stable kernels have all been released; each contains yet another set of important fixes.

In 2018, LWN covered a talk by Gernot Heiser about the seL4 project, which has developed an open-source operating system for safety-critical applications and gone to the trouble of proving its correctness. Much of that work has been done at CSIRO in Australia. Heiser has announced via Twitter that CSIRO's support for this project is being shut down, with the staff being redirected to artificial-intelligence projects. Hopefully the seL4 Foundation, established in 2020, will be able to carry on this interesting work.

Version 5.34.0 of the Perl language has been released. "Perl 5.34.0 represents approximately 11 months of development since Perl 5.32.0 and contains approximately 280,000 lines of changes across 2,100 files from 78 authors." See this page for a list of changes; they include a new try/catch syntax, a new octal syntax, and many improvements to various modules.

Among the many changes merged for the 5.13 kernel is support for the LLVM control-flow integrity (CFI) mechanism. CFI defends against exploits by ensuring that indirect function calls have not been redirected by an attacker. Quite a bit of work was needed to make this feature work well for the kernel, but the result appears to be production-ready and able to defend Linux systems from a range of attacks.

Security updates have been issued by Arch Linux (ceph, chromium, firefox, gitlab, hedgedoc, keycloak, libx11, mariadb, opendmarc, prosody, python-babel, python-flask-security-too, redmine, squid, and vivaldi), Debian (lz4), Fedora (ceph and python-pydantic), and openSUSE (cacti, cacti-spine).

The RISC-V CPU architecture has been gaining prominence for some years; its relatively open nature makes it an attractive platform on which a number of companies have built products. Linux supports RISC-V well, but there is one gaping hole: there is no support for virtualization with KVM, despite the fact that a high-quality implementation exists. A recent attempt to add that support is shining some light on a part of the ecosystem that, it seems, does not work quite as well as one would like.

Security updates have been issued by Fedora (cacti, cacti-spine, exif, firefox, kernel, mariadb, and thunderbird), Mageia (kernel, kernel-linus, and libxml2), openSUSE (exim and jhead), Oracle (slapi-nis and xorg-x11-server), Scientific Linux (slapi-nis and xorg-x11-server), Slackware (libX11), SUSE (djvulibre, fribidi, graphviz, grub2, libass, libxml2, lz4, python-httplib2, redis, rubygem-actionpack-4_2, and xen), and Ubuntu (pillow and python-babel).

The LWN.net Weekly Edition for May 20, 2021 is available.

May 11 marked a new major release for the Python-based Flask web microframework project, but Flask 2.0 was only part of the story. While the framework may be the most visible piece, it is one of a small handful of cooperating libraries that provide solutions for various web-development tasks; all are incorporated into the Pallets projects organization. For the first time, all six libraries that make up Pallets were released at the same time and each had a new major version number. In part, that new major version indicated that Python 2 support was being left behind, but there is plenty more that went into the coordinated release.

Stable kernels 5.12.5, 5.11.22, 5.10.38, and 5.4.120 have been released. This is the last 5.11.y kernel and users should move to 5.12.y at this time.

Security updates have been issued by Fedora (cacti, cacti-spine, exif, and hivex), Red Hat (bash, bind, bluez, brotli, container-tools:rhel8, cpio, curl, dotnet3.1, dotnet5.0, dovecot, evolution, exiv2, freerdp, ghostscript, glibc, GNOME, go-toolset:rhel8, grafana, gssdp and gupnp, httpd:2.4, idm:DL1, idm:DL1 and idm:client, ipa, kernel, kernel-rt, krb5, libdb, libvncserver, libxml2, linux-firmware, mailman:2.1, mingw packages, NetworkManager and libnma, opensc, p11-kit, pandoc, perl, pki-core:10.6 and pki-deps:10.6, poppler and evince, python-cryptography, python-lxml, python-urllib3, python27:2.7, python3, python38:3.8, qt5-qtbase, raptor2, redis:6, rh-mariadb103-mariadb and rh-mariadb103-galera, rust-toolset:rhel8, samba, sane-backends, shim, slapi-nis, spice, spice-vdagent, sqlite, squid:4, sudo, systemd, tigervnc, trousers, unbound, userspace graphics, xorg-x11, and mesa, virt:rhel and virt-devel:rhel, wpa_supplicant, and xorg-x11-server), SUSE (kernel), and Ubuntu (djvulibre, gst-plugins-base1.0, linux-raspi, linux-raspi-5.4, python-pip, and runc).

Several readers have alerted us to some serious problems at freenode, which runs an IRC network that is popular in the free-software world. Evidently there has been a change of control within the volunteer-run organization that has led to the resignations of multiple different volunteers, at least in part due to a concern about the personal information of freenode users under the new management. "The freenode resignation FAQ" has collected a bunch of information (and links to even more resignation letters) that may help shed some light on this mess. From the FAQ: "Freenode staff have stepped down. The network that runs at freenode.org/net/com should now be assumed to be under control of a malicious party." In the meantime, many of the volunteers who resigned have formed Libera.Chat to continue the legacy of freenode. LWN will be keeping an eye on the situation, stay tuned ...

Control groups (cgroups) are meant to limit access to a shared resource among processes in the system. One such resource is the values used to specify an encrypted-memory region for a virtual machine, such as the address-space identifiers (ASIDs) used by the AMD Secure Encrypted Virtualization (SEV) feature. Vipin Sharma set out to add a control group for these ASIDs back in September; based on the feedback, though, he expanded the idea into a controller to track and limit any countable resource. The patch set became the controller for the misc control group and has been merged for Linux 5.13.

The Mozilla Security Blog announces that there is a new site-isolation mechanism available for testing in the Firefox browser. It's a defense against Meltdown and Spectre exploits.

This fundamental redesign of Firefox's Security architecture extends current security mechanisms by creating operating system process-level boundaries for all sites loaded in Firefox for Desktop. Isolating each site into a separate operating system process makes it even harder for malicious sites to read another site’s secret or private data.

Security updates have been issued by Debian (chromium, curl, prosody, and ruby-rack-cors), Fedora (dotnet3.1 and dotnet5.0), openSUSE (ibsim and prosody), SUSE (kernel and python3), and Ubuntu (caribou and djvulibre).

There have been many disagreements over the years in the kernel community concerning the exporting of internal kernel symbols to loadable modules. Exporting a symbol often exposes implementation decisions to outside code, makes it possible to use (or abuse) kernel functionality in unintended ways, and makes future changes harder. That said, there is no authority overseeing the exporting of symbols and no process for approving exports; discussions only tend to arise when somebody notices a change that they don't like. But it is not particularly hard to detect changes in symbol exports from one kernel version to the next, and doing so can give some insights into the kinds of changes that are happening under the hood.