Linux Weekly News

Linus Torvalds has sent out a note telling people not to install the recent 5.12-rc1 development kernel; this is especially true for anybody running with swap files. "But I want everybody to be aware of because _if_ it bites you, it bites you hard, and you can end up with a filesystem that is essentially overwritten by random swap data. This is what we in the industry call 'double ungood'." Additionally, he is asking maintainers to not start branches from 5.12-rc1 to avoid future situations where people land in the buggy code while bisecting problems.

Greg Kroah-Hartman has released the 5.11.3, 5.10.20, 5.4.102, 4.19.178, 4.14.223, 4.9.259, and 4.4.259 stable kernels. These are generally enormous updates, with important changes throughout the kernel tree; users should upgrade.

Security updates have been issued by Fedora (389-ds-base, dogtag-pki, freeipa, isync, pki-core, and screen), Mageia (firefox, kernel, kernel-linus, libtiff, nonfree-firmware, and thunderbird), Red Hat (bind and java-1.8.0-ibm), Scientific Linux (grub2), and SUSE (kernel-firmware, openldap2, postgresql12, and python-cryptography).

The LWN.net Weekly Edition for March 4, 2021 is available.

The Python lambda keyword, which can be used to create small, anonymous functions, comes from the world of functional programming, but is perhaps not the most beloved of Python features. In part, that may be because it is somewhat clunky to use, especially in comparison to the shorthand notation offered by other languages, such as JavaScript. That has led to some discussions on possible changes to lambda in Python mailing lists since mid-February.

OpenSSH 8.5 has been released. It includes fixes for a couple of potential security problems (one of which only applies to Solaris hosts); it also enables UpdateHostKeys by default, allowing hosts with insecure keys to upgrade them without creating scary warnings for users. There are a lot of other small changes; see the announcement for details.

Security updates have been issued by CentOS (bind), Debian (adminer, grub2, spip, and wpa), Mageia (openjpeg2, wpa_supplicant, and xterm), openSUSE (avahi, bind, firefox, ImageMagick, java-1_8_0-openjdk, nodejs10, and webkit2gtk3), Red Hat (container-tools:1.0, container-tools:2.0, grub2, and virt:rhel and virt-devel:rhel), SUSE (bind, gnome-autoar, grub2, and nodejs8), and Ubuntu (python2.7 and wpa).

For more than a decade, PulseAudio has been serving the Linux desktop as its predominant audio mixing and routing daemon — and its audio API. Unfortunately, PulseAudio's internal architecture does not fit the growing sandboxed-applications use case, even though there have been attempts to amend that. PipeWire, a new daemon created (in part) out of these attempts, will replace PulseAudio in the upcoming Fedora 34 release. It is a coming transition that deserves a look.

Security updates have been issued by Arch Linux (bind, intel-ucode, ipmitool, isync, openssl, python, python-cryptography, python-httplib2, salt, tar, and thrift), Fedora (ansible, salt, webkit2gtk3, and wpa_supplicant), Oracle (bind), Red Hat (bind, kernel, and kpatch-patch), Scientific Linux (bind), SUSE (firefox, gnome-autoar, java-1_8_0-ibm, java-1_8_0-openjdk, nodejs10, open-iscsi, perl-XML-Twig, python-cryptography, and thunderbird), and Ubuntu (bind9).

The 5.12 merge window closed with the release of 5.12-rc1 on February 28; this released followed the normal schedule despite the fact that Linus Torvalds had been without power for the first six days after 5.11 came out. At that point, 10,886 non-merge changesets had found their way into the mainline repository; about 2,000 of those showed up after the first-half merge-window summary was written. The pace of merging obviously slowed down, but there were still a number of interesting features to be found in those patches.

Security updates have been issued by CentOS (firefox, ImageMagick, libexif, thunderbird, and xorg-x11-server), Debian (docker.io, python-aiohttp, and thunderbird), Fedora (chromium, firefox, kernel, and rygel), Mageia (nodejs, pix, and subversion), openSUSE (glibc, gnuplot, nodejs12, nodejs14, pcp, python-cryptography, qemu, and salt), Red Hat (bind and podman), and SUSE (csync2, glibc, java-1_8_0-ibm, nodejs12, nodejs14, python-Jinja2, and rpmlint).

William Woodruff has posted a rant of sorts on the adoption of Rust by the Python Cryptography project, which was covered here in February.

What’s the point of this spiel? It’s precisely what happened to pyca/cryptography: nobody asked them whether it was a good idea to try to run their code on HPPA, much less System/390; some packagers just went ahead and did it, and are frustrated that it no longer works. People just assumed that it would, because there is still a norm that everything flows from C, and that any host with a halfway-functional C compiler should have the entire open source ecosystem at its disposal.

Version 3.2.0 of the fish shell has been released. New features include undo and redo support (for command-line editing, not commands!) and a long list of incremental improvements; see the announcement for details. LWN last looked at the fish shell in September.

Linus Torvalds has released 5.12-rc1 (codename now "Frozen wasteland") and closed the merge window despite getting a late start due to bad weather:

So I was actually without electricity for six days of the merge window, and was seriously considering just extending the merge window to get everything done. As you can tell, I didn't do that. To a large part because people were actually very good about sending in their pull requests, so by the time I finally got power back, everything was nicely lined up and I got things merged up ok. But partly this is also because 5.12 is a smaller release than some previous ones.

The Mageia distribution has announced the release of Mageia 8. It comes with the usual array of new packages, including a 5.10.16 kernel, Plasma 5.20.4, GNOME 3.38, Firefox 78, Chromium 88, LibreOffice 7.0.4.2, and more. "ARM support has continued to develop, with both AArch64 and ARMv7 now having all packages built and being close to primary architectures now. Support for Wi-Fi installation in the classical installer using WPA2 encryption has been added, as well as improved support for newer filesystems allowing installations on F2FS. Support for NILFS, XFS, exFAT and Windows 10 NTFS has been improved to allow for better partition management. The Live installer has also had significant development. Boot times have been greatly reduced with the use of Zstd compression and improved hardware detection and the support for installing updates as a final step of the installation has been added. Zstd compression has also been applied to the rescue mode, allowing for faster startup, support for encrypted LVM/LUKS has also been added."

Mike West has posted a detailed exploration of what is really required to protect sensitive information in web applications from speculative-execution exploits. "Spectre-like side-channel attacks inexorably lead to a model in which active web content (JavaScript, WASM, probably CSS if we tried hard enough, and so on) can read any and all data which has entered the address space of the process which hosts it. While this has deep implications for user agent implementations' internal hardening strategies (stack canaries, ASLR, etc), here we’ll remain focused on the core implication at the web platform level, which is both simple and profound: any data which flows into a process hosting a given origin is legible to that origin. We must design accordingly."

The first article in this series provided an introduction to lockless algorithms and the happens before relationship that allows us to reason about them. The next step is to look at the concept of a "data race" and the primitives that exist to prevent data races. We continue in that direction with a look at relaxed accesses, memory barriers, and how they can be used to implement the kernel's seqcount mechanism.

Greg Kroah-Hartman has released the 5.11.2, 5.10.19, and 5.4.101 stable kernels. These all contain a relatively small pile of important fixes; as usual, users should upgrade.

Version 1.0 of GNU poke is out. "GNU poke (http://www.jemarch.net/poke) is an interactive, extensible editor for binary data. Not limited to editing basic entities such as bits and bytes, it provides a full-fledged procedural, interactive programming language designed to describe data structures and to operate on them."

Security updates have been issued by Debian (python-pysaml2 and redis), Fedora (buildah, containernetworking-plugins, containers-common, libmysofa, libpq, podman, postgresql, skopeo, xen, and xterm), openSUSE (nghttp2), Oracle (firefox and thunderbird), SUSE (glibc, ImageMagick, python-Jinja2, and salt), and Ubuntu (python2.7, python2.7, python3.4, python3.5, python3.6, python3.8, and tiff).