Linux Weekly News

Open-source software is famously able to be used by anyone for any purpose; those are some of the keystones of the open source definition. But some companies that run open-source projects are increasingly unhappy that others are reaping some of the profits from those projects. That has led to various efforts of "license reform" meant to try to capture those profits. So far, those efforts have just led to non-open-source licenses, thus projects that are no longer open source. We are seeing that play out yet again with Elastic's mid-January announcement that it was changing the license on some of its projects.

Stable kernels 5.10.11, 5.4.93, and 4.19.171 have been released. They contain important fixes and users should upgrade.

Security updates have been issued by Arch Linux (sudo), CentOS (sudo), Debian (sudo), Fedora (kernel, php-pear, and sudo), Gentoo (cacti, mutt, and sudo), Mageia (sudo), openSUSE (sudo), Oracle (sudo), Red Hat (sudo), Scientific Linux (sudo), Slackware (sudo), SUSE (go1.14, go1.15, nodejs8, and sudo), and Ubuntu (libsndfile and sudo).

Security updates have been issued by CentOS (dnsmasq, net-snmp, and xstream), Debian (mutt), Gentoo (cfitsio, f2fs-tools, freeradius, libvirt, mutt, ncurses, openjpeg, PEAR-Archive_Tar, and qtwebengine), openSUSE (chromium, mutt, stunnel, and virtualbox), Red Hat (cryptsetup, gnome-settings-daemon, and net-snmp), Scientific Linux (xstream), SUSE (postgresql, postgresql12, postgresql13 and rubygem-nokogiri), and Ubuntu (mutt).

Version 85 of the Firefox browser has been released. The headline change appears to be the isolation of internal caches to defeat the use of "supercookies" to track users; see this blog entry for details. "In fact, there are many different caches trackers can abuse to build supercookies. Firefox 85 partitions all of the following caches by the top-level site being visited: HTTP cache, image cache, favicon cache, HSTS cache, OCSP cache, style sheet cache, font cache, DNS cache, HTTP Authentication cache, Alt-Svc cache, and TLS certificate cache."

The Python Packaging Authority (PyPA) has announced the release of pip 21.0. This version removes Python 2.7 and 3.5 support, and drops support for legacy cache entries from pip < 20.0.

The term "browser wars" typically refers to Microsoft's attempts to dominate the World Wide Web with its Internet Explorer browser in the 1990s. That effort was thwarted by antitrust efforts and the rise of the free browser now known as Firefox; ever since, the web has been defined by free software. Or so some may have thought. In the 2020s, the browser wars continue with the growing dominance of Chrome and, it would seem, the imminent removal of Chromium from many Linux distributions.

Security updates have been issued by Debian (crmsh, debian-security-support, flatpak, gst-plugins-bad1.0, openvswitch, python-bottle, salt, tomcat9, and vlc), Fedora (chromium, python-pillow, sddm, and xen), Gentoo (chromium, dnsmasq, flatpak, glibc, kdeconnect, openjdk, python, thunderbird, virtualbox, and wireshark), Mageia (blosc, crmsh, glibc, perl-DBI, php-oojs-oojs-ui, python-pip, python-urllib3, and undertow), openSUSE (gdk-pixbuf, hawk2, ImageMagick, opera, python-autobahn, viewvc, wavpack, and xstream), Red Hat (dnsmasq), Slackware (seamonkey), SUSE (hawk2, ImageMagick, mutt, permissions, and stunnel), and Ubuntu (pound).

The 5.11-rc5 kernel prepatch is out for testing. "Nothing particularly stands out. We had a couple of splice() regressions that came in during the previous release as part of the 'get rid of set_fs()' development, but they were for odd cases that most people would never notice. I think it's just that 5.10 is now getting more widely deployed so people see the fallout from that rather fundamental change in the last release."

The next round of stable kernel updates is out: 5.10.10, 5.4.92, 4.19.170, 4.14.217, 4.9.253, and 4.4.253. Each contains another set of important fixes.

Memory fragmentation has long been a problem for Linux systems, to the point that, for years, finding even two physically contiguous pages was an uncertain affair. That said, the situation has improved considerably in the last decade or so thanks to a number of changes implemented by the memory-management developers. One of those changes is the creation of "movable" memory zones where pages can be relocated if need be. All that work is for nothing, though, if somebody comes along and pins down a page in one of these movable zones. This patch set from Pavel Tatashin seeks to prevent that from happening, but may risk creating problems elsewhere.

Security updates have been issued by Debian (drupal7), Fedora (dotnet3.1), Gentoo (zabbix), openSUSE (ImageMagick and python-autobahn), and SUSE (hawk2 and wavpack).

Libre Arts (formerly Libre Graphics World) has posted a comprehensive survey of what 2021 might hold for a wide range of free content-creation software.

The topic of fullscreen color management implementation in Wayland is back, and it’s a kinda frustrating story. In a nutshell:

• people who are now working on this (Collabora developers) seem to have little experience with color management but they appear to be motivated to hack on the code;
• all the while people who have a crapload of experience with color management have had bad experience discussing this before, do not like the approach by the new team, and don’t seem excited to contribute to this new effort (Graeme’s spec proposal is still available).

So we might end up with an implementation that is not suitable for professional work.

The Corellium blog is carrying a description of how the Linux port to the Apple M1 processor was done. "Many components of the M1 are shared with Apple mobile SoCs, which gave us a good running start. But when writing Linux drivers, it became very apparent how non-standard Apple SoCs really are. Our virtual environment is extremely flexible in terms of models it can accommodate; but on the Linux side, the 64-bit ARM world has largely settled on a well-defined set of building blocks and firmware interfaces - nearly none of which were used on the M1."

As a general rule, when one attempts to open a file with a system call like openat2(), the expectation is that the call will not return until the job is done. But there are times where the desire to open the file is conditional on being able to open it immediately, without blocking. Linux has never supported that mode well, but that may be about to change with this patch set from Jens Axboe.

Security updates have been issued by Debian (mutt), Fedora (libntlm, mingw-python-pillow, python-pillow, and sudo), Mageia (kernel), SUSE (gdk-pixbuf, perl-Convert-ASN1, samba, and yast2-multipath), and Ubuntu (linux, linux-aws, linux-azure, linux-gcp, linux-hwe-5.4, linux-hwe-5.8, linux-oracle).

The LWN.net Weekly Edition for January 21, 2021 is available.

It is an unfortunate fact of life that non-free firmware blobs are required to use some hardware, such as network devices (WiFi in particular), audio peripherals, and video cards. Beyond that, those blobs may even be required in order to install a Linux distribution, so an installation over the network may need to get non-free firmware directly from the installation media. That, as might be guessed, is a bit of a problem for distributions that are not willing to officially ship said firmware because of its non-free status, as a recent discussion in the Debian community shows.

Back in October, LWN looked at a conversation within the Debian project regarding whether it was permissible to ship Kubernetes bundled with some 200 dependencies. The Debian technical committee has finally come to a conclusion on this matter: this bundling is acceptable and the maintainer will not be required to make changes:

Our consensus is that Kubernetes ought to be considered special in the same way that Firefox is considered special -- we treat the package differently from most other source packages because (i) it is very large and complex, and (ii) upstream has significantly more resources to keep all those moving parts up-to-date than Debian does.

In the end, allowing this vendoring seemed like the only feasible way to package Kubernetes for Debian.

Shay Banon first announced that Elastic would move its Apache 2.0-licensed source code in Elasticsearch and Kibana to be dual licensed under Server Side Public License (SSPL) and the Elastic License. "To be clear, our distributions starting with 7.11 will be provided only under the Elastic License, which does not have any copyleft aspects. If you are building Elasticsearch and/or Kibana from source, you may choose between SSPL and the Elastic License to govern your use of the source code."

In another post Banon added some clarification. "SSPL, a copyleft license based on GPL, aims to provide many of the freedoms of open source, though it is not an OSI approved license and is not considered open source."

There is also this article on why the change was made. "So why the change? AWS and Amazon Elasticsearch Service. They have been doing things that we think are just NOT OK since 2015 and it has only gotten worse. If we don’t stand up to them now, as a successful company and leader in the market, who will?"

The FAQ has additional information. "While we have chosen to avoid confusion by not using the term open source to refer to these products, we will continue to use the word “Open” and “Free and Open.” These are simple ways to describe the fact that the product is free to use, the source code is available, and also applies to our open and collaborative engagement model in GitHub. We remain committed to the principles of open source - transparency, collaboration, and community."