Linux Weekly News

Security updates have been issued by Debian (busybox, ldb, openjpeg2, spamassassin, and underscore), Fedora (kernel, kernel-headers, and kernel-tools), Mageia (privoxy, python and python3, and rpm), openSUSE (ovmf, tar, and tomcat), SUSE (curl, firefox, OpenIPMI, and tomcat), and Ubuntu (openexr).

The process of hardening the kernel can benefit in a number of ways from support by the compiler. In recent years, the Kernel Self Protection Project has brought this support from the grsecurity/PaX patch set into the kernel in the form of GCC plugins; LWN looked into that process back in 2017. A recent discussion has highlighted the fact that the use of GCC plugins brings disadvantages as well, and some developers would prefer to see those plugins replaced.

Security updates have been issued by Debian (underscore), Fedora (busybox, linux-firmware, and xmlgraphics-commons), Oracle (kernel and kernel-container), Slackware (curl and seamonkey), SUSE (firefox and opensc), and Ubuntu (spamassassin).

Version 18.1 of LineageOS, the Android-based distribution once known as Cyanogen, is available. "With that said, we have been working extremely hard since Android 11’s release last August to port our features to this new version of Android. Thanks to our hard work adapting to Google’s fairly large changes in Android 10, we were able to rebase our changes onto Android 11 much more efficiently. This led to a lot of time to spend on cool new features!" Some of those features include in improved voice recorder, a new calendar, a built-in backup mechanism, an improved music player, and more.

A company called Xinuos has announced a lawsuit against IBM and Red Hat that has a familiar echo to it. "Xinuos alleges that the IBM and Red Hat conspiracy has harmed the open-source community and specifically Xinuos’ OpenServer 10 product, which is based on FreeBSD, an open-source UNIX-based operating system and alternative to Red Hat’s Linux-based open-source operating system, RHEL. 'By dominating the Unix/Linux server operating system market, competing open-source operating systems, like our FreeBSD-based OpenServer 10, have been pushed out of the market.'" The full text of the suit [PDF] is available for those wanting the details.

The LWN.net Weekly Edition for April 1, 2021 is available.

The HPy project has been around for more than a year now; it is meant to provide an alternate C API for Python that allows extensions to the language to run, and run well, in more environments. It first came to our attention in a report of a talk at the 2020 Python Language Summit (LWN coverage), but it goes back to some discussions that were held at EuroPython 2019. There are a number of ways that the existing C API holds back innovation for Python, but there are also some hugely important extensions (e.g. NumPy) that use it; any change to the API needs to take those into account.

Security updates have been issued by Debian (curl, ldb, leptonlib, and linux-4.19), Fedora (busybox), Gentoo (openssl, redis, salt, and sqlite), Mageia (firefox, fwupd, glib2.0, python-aiohttp, radare2, thunderbird, and zeromq), openSUSE (firefox), SUSE (ovmf, tomcat, and zabbix), and Ubuntu (curl, lxml, and pygments).

A problem reported when attaching GDB to programs that use io_uring has led to a flurry of potential solutions, and one that was merged into Linux 5.12-rc5. The problem stemmed from a change made in the 5.12 merge window to how the threads used by io_uring were created, such that they became associated with the process using io_uring. Those "I/O threads" were treated specially in the kernel, but that led to the problem with GDB (and likely other ptrace()-using programs). The solution is to treat them like other threads because it turned out that trying to make them special caused more problems than it solved.

CloudLinux has announced the availability of a "ready for production workloads" version of AlmaLinux, which is intended to be a replacement for CentOS 8. Also announced is the creation of a foundation to manage the distribution: "The company also announced the formation of a non-profit organization that will take over responsibility for managing the AlmaLinux project going forward. CloudLinux has committed a $1 million dollars annual endowment to support the project. The AlmaLinux project named Jack Aboutboul as community manager of AlmaLinux."

Stable kernels 5.11.11, 5.10.27, 5.4.109, 4.19.184, 4.14.228, 4.9.264, and 4.4.264 have been released. They all contain important fixes and users should update.

Security updates have been issued by Debian (lxml), Fedora (openssl, pdfbox, rpm, and rubygem-kramdown), openSUSE (eclipse), Oracle (flatpak and openssl), Red Hat (curl, kernel, kpatch-patch, mariadb, nss-softokn, openssl, perl, and tomcat), and SUSE (firefox, ovmf, and tar).

So far, this series has covered five common lockless patterns in the Linux kernel; those are probably the five that you will most likely encounter when working on Linux. Throughout this series, some details have been left out and some simplifications were made in the name of clarity. In this final installment, I will sort out some of these loose ends and try to answer what is arguably the most important question of all: when should you use the lockless patterns that have been described here?

John Sullivan, executive director of the Free Software Foundation, has announced his resignation from the organization. "It's been a humbling honor to serve this institution, and to work alongside the FSF's staff, members, and volunteers over the years. The current staff deserve your full confidence and support -- they certainly have mine."

Meanwhile, the FSF has announced the addition of Ian Kelling to its board of directors. "The board and voting members look forward to having the participation of the staff via this designated seat in our future deliberations. This is an important step in the FSF's effort to recognize and support new leadership, to connect that leadership to the community, to improve transparency and accountability, and to build trust. There is still considerable work to be done, and that work will continue."

Security updates have been issued by Arch Linux (awstats, busybox, dotnet-runtime, dotnet-runtime-3.1, dotnet-sdk, dotnet-sdk-3.1, gitlab, godot, groovy, libebml, mkinitcpio-busybox, openssl, python2, vivaldi, webkit2gtk, and wpewebkit), CentOS (firefox and thunderbird), Debian (pygments, spamassassin, thunderbird, and webkit2gtk), Fedora (CGAL, dotnet3.1, dotnet5.0, firefox, kernel, qt, and xen), Mageia (imagemagick, jackson-databind, openscad, redis, and unbound), openSUSE (evolution-data-server, go1.15, and zstd), Oracle (firefox, openssl, and thunderbird), Red Hat (flatpak), Slackware (xterm), and Ubuntu (squid, squid3 and webkit2gtk).

The PHP project has announced that it is moving its PHP repository to GitHub after its own server was compromised. "Yesterday (2021-03-28) two malicious commits were pushed to the php-src repo from the names of Rasmus Lerdorf and myself. We don't yet know how exactly this happened, but everything points towards a compromise of the git.php.net server (rather than a compromise of an individual git account)."

The 5.12-rc5 kernel prepatch is out for testing. "So if rc4 was perhaps a bit smaller than average, it looks like rc5 is a bigger than average. We're not breaking any records, but it certainly isn't tiny, and the rc's aren't shrinking. I'm not overly worried yet, but let's just say that the trend had better not continue, or I'll start feeling like we will need to make this one of those releases that need an rc8."

Version 7.2.0 of the digiKam photo-management application has been released. Changes include better renaming tools, improved album management, a reworked internal database, and more. "The neural network to process face detection have been a huge effort with this release. We use a new data model named Yolo. More faces on same images can be detected with complex shot conditions. The processing speed have been reduced and the older bugs about the wrong memory allocation definitively fixed."

For those wanting more details on the saga of the WireGuard implementation that was almost released in FreeBSD 13 (a story that LWN covered recently), this Ars Technica story digs in deep. "Despite not having any kernel developers on-staff, Ars was able to verify at least some of Donenfeld's claims directly, quickly, and without external assistance. For instance, finding a validation function which simply returned true—and printf statements buried deep in cryptographic loops—required nothing more complicated than grep."

The "Internet of things" (IoT), being the future paradise that awaits us when all of our devices are connected to the net, is a worrisome prospect to just about anybody who has thought about its security and privacy implications. It would be problematic even if the design of all connected devices included security and privacy as absolute requirements — but that is not the way these devices are made. Currently, it is possible to opt out of much of the IoT experience with a bit of attention and discipline. In the near future, though, that situation is likely to change and it is not clear what we can do about it.