Linux Weekly News

Security updates have been issued by Debian (firefox-esr, jquery, openssl, and thunderbird), openSUSE (openssl-1_1 and tor), Oracle (firefox and thunderbird), Scientific Linux (firefox and thunderbird), SUSE (libzypp, zypper and openssl-1_1), and Ubuntu (firefox, ldb, openssl, and ruby2.0).

Technology review covers the controversy that has resulted from Google's disclosure and fixing of a number of security vulnerabilities being exploited by Western intelligence agencies. "Instead of focusing on who was behind and targeted by a specific operation, Google decided to take broader action for everyone. The justification was that even if a Western government was the one exploiting those vulnerabilities today, it will eventually be used by others, and so the right choice is always to fix the flaw today."

Part 1 of this series described the copy-on-write (COW) mechanism used to avoid unnecessary copying of pages in memory, then went into the details of a bug in that mechanism that could result in the disclosure of sensitive data. A patch written by Linus Torvalds and merged for the 5.8 kernel appeared to fix that problem without unfortunate side effects elsewhere in the system. But COW is a complicated beast and surprises are not uncommon; this particular story was nowhere near as close to an end as had been thought.

The Free Software Foundation has announced changes in how its board of directors is selected. "We will adopt a transparent, formal process for identifying candidates and appointing new board members who are wise, capable, and committed to the FSF's mission. We will establish ways for our supporters to contribute to the discussion. We will require all existing board members to go through this process as soon as possible, in stages, to decide which of them remain on the board."

Meanwhile, numerous community members have posted an open letter calling for the resignation of the entire Free Software Foundation board of directors after the announcement that Richard Stallman would be returning. The Free Software Foundation Europe has made its disapproval known, as has the Electronic Frontier Foundation. The Debian project has started discussing a general resolution affirming its support for the open letter. Various other organizations have expressed concern as well.

For those who feel differently, there is also an open letter in support of Stallman's return to the FSF.

Greg Kroah-Hartman has announced the release of 5.10.26—delayed from the large batch on March 24—with the usual important fixes throughout the kernel tree, and 5.11.10, which just contains some relatively minor fixes: "This is a 'quick revert' of some 5.11.9 commits that caused noisy warnings to show up in the kernel log of some systems. If you do not have this issue, or are not bothered by these messages, no need to upgrade."

Security updates have been issued by Debian (firefox-esr and lxml), Fedora (jasper), openSUSE (gnutls, hawk2, ldb, libass, nghttp2, and ruby2.5), Oracle (pki-core:10.6), Red Hat (firefox and thunderbird), SUSE (evolution-data-server, ldb, python3, and zstd), and Ubuntu (ldb, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-dell300x, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux-signed, linux-snapdragon, and linux, linux-lts-xenial).

Open Collective has put out an announcement describing its "Funds for Open Source" initiative, which is aimed at making it easy for corporations to fund the work of individual developers. "Big companies call the process for paying for stuff 'procurement'. It’s often pretty involved, with contracts, invoices, purchasing order numbers, and bureaucracy—a painful thing to go through repeatedly for small amounts. It's practically a blocker. It is so much simpler and more practical to ask corporations to make one large payment, to one vendor. Make it easy and companies will invest more."

The LWN.net Weekly Edition for March 25, 2021 is available.

Enumerated types or "enums" are a feature of many languages, including Python; enums provide a convenient way to collect up a bunch of related symbols that (typically) evaluate to integer values. The canonical example would seem to be for colors, at least for demonstration purposes, but there are others, especially for handling "magic" constants from source likes POSIX or the host operating system. A recent thread on the python-ideas mailing list discusses different ways to add a new feature to enums—seven years after they were added to the standard library as part of Python 3.4.

The WireGuard VPN tunnel is a fast and easy-to-use solution for those who need or want a secure tunnel for their traffic. The project has been around since 2016, but it has had a somewhat circuitous route into Linux; it was merged for the 5.6 kernel, which was released in March 2020. Getting into Linux required WireGuard developer Jason A. Donenfeld to acquiesce to having WireGuard use some of the existing kernel crypto primitives, rather than merging his Zinc crypto library. Some of the same tensions that were seen in that process seem to be cropping up again in the more recent efforts to add WireGuard support to several BSD kernels.

The GNOME 40 release is out. "It brings new design for the Activities overview and improved support for input with Compose sequences and keyboard shortcuts, among many other things. Improvements to core GNOME applications include a redesigned Weather application, information popups in Maps, better tabs in Web, and many more." See the GNOME 40 page and the release notes for details.

Stable kernels 5.11.9, 5.4.108, 4.19.183, 4.14.227, 4.9.263, and 4.4.263 have been released. They all contain important fixes and users should upgrade.

Security updates have been issued by Debian (imagemagick and squid), Fedora (jasper and kernel), Red Hat (pki-core), SUSE (gnutls, go1.15, go1.16, hawk2, jetty-minimal, libass, nghttp2, openssl, ruby2.5, sudo, and wavpack), and Ubuntu (linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-gke-5.3, linux-gke-5.4, linux-gkeop, linux-gkeop-5.4, linux-hwe, linux-hwe-5.4, linux-hwe-5.8, linux-kvm, linux-oem-5.10, linux-oem-5.6, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux-raspi2-5.3).

Firefox 87 has been released. This version introduces SmartBlock, "a new intelligent tracker blocking mechanism for Firefox Private Browsing and Strict Mode."

Firefox ESR 78.9 has also been released with the usual set of fixes.

Security updates have been issued by Debian (dnsmasq, libmediainfo, and mariadb-10.1), Fedora (dotnet5.0, moodle, and radare2), Mageia (kernel and kernel-linus), Oracle (python27:2.7, python36:3.6, and python38:3.8), Red Hat (pki-core:10.6), and Ubuntu (privoxy).

The kernel's memory-management subsystem is built upon many concepts, one of which is called "copy on write", or "COW". The idea behind COW is conceptually simple, but its details are tricky and its past is troublesome. Any change to its implementation can have unexpected consequences and cause subtle breakage for existing workloads. So it is somewhat surprising that last year we saw two major changes the kernel's COW code; less surprising is the fact that, both times, these changes had unexpected consequences and broke things. Some of the resulting problems are still not fixed today, almost ten months after the first change, while the original reason for the changes — a security vulnerability — is also not fully fixed. Read on for a description of COW, the vulnerability, and the initial fix; the concluding article in the series will describe the complications that arose thereafter.

Security updates have been issued by Arch Linux (chromium, ffmpeg, flatpak, git, gnutls, minio, openssh, opera, and wireshark-qt), Debian (cloud-init, pygments, and xterm), Fedora (flatpak, glib2, kernel, kernel-headers, kernel-tools, pki-core, and upx), Mageia (glibc, htmlunit, koji, and python-cairosvg), openSUSE (chromium, connman, froxlor, grub2, libmysofa, netty, privoxy, python-markdown2, tor, and velocity), Oracle (ipa), SUSE (evolution-data-server, glib2, openssl, python3, python36, and wavpack), and Ubuntu (linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-raspi2, linux-snapdragon, linux-oem-5.10, and pygments).

At the LibrePlanet conference over the weekend, Richard Stallman announced that he has returned to the Free Software Foundation's board of directors. Video of the announcement is available, but there is little information beyond that.

The fourth 5.12 kernel prepatch is out for testing. "So I'll just tempt the fates and say that everything looks pretty normal and this release seems to look good despite the rc1 hiccup."

The Free Software Foundation has announced the recipients of its 2021 Free Software Awards. Alyssa Rosenzweig received the award for outstanding new free-software contributor, the CiviCRM project won the award for social benefit, and Bradley Kuhn received the award for the advancement of free software.