Linux Weekly News

The LWN.net Weekly Edition for October 22, 2020 is available.

Recently, PHP 8 release candidate 2 was posted by the project. A lot of changes are coming with this release, including a just-in-time compiler, a good number of backward-compatibility breaks, and new features that developers have been requesting for years. Now that the dust has settled, and the community is focusing on squashing bugs for the general-availability release scheduled for November 26, it's a good time to look at what to expect.

Security updates have been issued by Arch Linux (kdeconnect, kernel, kpmcore, lib32-freetype2, linux-hardened, linux-lts, linux-zen, lua, and powerdns-recursor), Debian (mariadb-10.1 and mariadb-10.3), Fedora (thunderbird), Mageia (claw-mail, freetype2, geary, kernel, and tigervnc), Oracle (nodejs:12), Red Hat (python27, rh-postgresql96-postgresql, and rh-python38), Slackware (freetype), SUSE (hunspell, kernel, libvirt, and taglib), and Ubuntu (grunt, quassel, and tomcat9).

Firefox 82.0 has been released, with improvements "that make watching videos more delightful" and improved performance. Firefox ESR 78.4.0 is also available with various stability, functionality, and security fixes. See the release notes (82.0, 78.4.0) for details.

The Julia programming language has seen a major increase in its use and popularity over the last few years. We last looked at it two years ago, around the time of the Julia 1.0 release. Here, we will look at some of the changes since that release, none of which are major, as well as some newer resources for learning the language, but the main focus of this article is a case study that is meant to help show why the language has been taking off. A follow-up article will introduce a new computational notebook for Julia, called Pluto, that is akin to Jupyter notebooks.

Security updates have been issued by Debian (python-flask-cors), Fedora (kleopatra, nextcloud, and phpMyAdmin), Gentoo (ark, libjpeg-turbo, libraw, and libxml2), openSUSE (bind, kernel, php7, and transfig), Red Hat (kernel, kernel-alt, kernel-rt, rh-python36, virt:8.1 and virt-devel:8.1, and virt:8.2 and virt-devel:8.2), and Ubuntu (collabtive, freetype, linux, linux-hwe, linux-hwe-5.4, linux-oem, linux-raspi, linux-raspi-5.4, linux-snapdragon, and linux-oem-osp1, linux-raspi2-5.3).

This Matrix blog entry describes a planned reputation-management system that, it is claimed, accomplishes some of the same goals as government backdoors without the need to compromise end-to-end encryption. "Just like the Web, Email or the Internet as a whole, there is literally no way to unilaterally censor or block content in Matrix. But what we can do is provide first-class infrastructure to let users (and room/community moderators and server admins) make up their own mind about who to trust, and what content to allow. This would also provide a means for authorities to publish reputation data about illegal content, providing a privacy-respecting mechanism that admins/mods/users can use to keep illegal content away from their servers/clients."

Version 2.29.0 of the Git source-code management system is out. This release includes a long list of smallish improvements; click below for the details. Also present is the code enabling Git to switch to the SHA-256 hash algorithm; this feature is still deemed experimental, though, and interoperability with SHA-1 repositories is not yet available.

Applications that run on the Linux desktop have changed significantly under the hood in recent years; for example, they use more processes than before. Desktop environments need to adapt to this change. During Akademy 2020, KDE developers David Edmundson and Henri Chain delivered a talk (YouTube video) about how KDE, working with other desktop environments, is starting to use advanced kernel features to give users more control over their systems. This talk complements a presentation by GNOME developers that was recently covered here.

Security updates have been issued by Debian (kernel, thunderbird, and yaws), Fedora (createrepo_c, dnf, dnf-plugins-core, dnf-plugins-extras, kata-agent, libdnf, librepo, and wireshark), Gentoo (chromium and firefox), Mageia (brotli, flash-player-plugin, php, phpmyadmin, and wireshark), openSUSE (crmsh, gcc10, nvptx-tools, icingaweb2, kernel, libproxy, pdns-recursor, phpMyAdmin, and rubygem-activesupport-5_1), Red Hat (nodejs:12 and rh-maven35-apache-commons-collections4), and SUSE (gcc10, nvptx-tools and transfig).

The 5.9.1, 5.8.16, 5.4.72, 4.19.152, 4.14.202, 4.9.240, and 4.4.240 stable updates have all been released; each contains another set of important fixes.

As of this writing, 7,153 non-merge changesets have been pulled into the mainline Git repository for the 5.10 release — over a period of four days. This development cycle is clearly off to a strong start. Read on for an overview of the significant changes merged thus far for the 5.10 kernel release.

Security updates have been issued by Fedora (dnf, kernel, libdnf, python27, and python34), SUSE (blktrace, crmsh, php7, and php72), and Ubuntu (containerd, docker.io, firefox, htmlunit, and newsbeuter).

The 2021 edition of linux.conf.au will be held online on January 23-25, 2021; the call for proposals has gone out with a relatively tight deadline of November 6. "Our theme is 'So what's next?'. We all know we're living through unprecedented change and uncertain times. How can open source play a role in creating, helping and adapting to this ongoing change? What new developments in software and coding can we look forward to in 2021 and beyond?" Since there is no travel involved, this is a rare opportunity for those who have not normally been able to participate in LCA.

One of the first features merged for the 5.10 kernel development cycle was support for the Arm v8.5 memory tagging extension [PDF]. By adding a "key" value to pointers, this mechanism enables the automated detection of a wide range of memory-safety issues. The result should be safer and more secure code — once support for the feature shows up in actual hardware.

Security updates have been issued by Arch Linux (chromium), Debian (httpcomponents-client), Fedora (claws-mail), SUSE (bcm43xx-firmware, crmsh, libqt5-qtimageformats, libqt5-qtsvg, php53, php7, and rubygem-activesupport-4_2), and Ubuntu (php5, php7.0, php7.2, php7.4, python2.7, python3.4, python3.5, python3.6, and vim).

The LWN.net Weekly Edition for October 15, 2020 is available.

We have looked at the problem of confusingly named packages in repositories such as the Python Package Index (PyPI) before. In general, malicious actors create these packages with names that can be mistaken for those of legitimate packages in the repository in a form of "typosquatting". Since our 2016 article, the problem has not gone away—no surprise—but there has been some recent analysis of it, as well as some efforts to combat it.

Recently, John Bafford revived a years-long conversation on expanding the syntax of the PHP foreach statement to include iterating solely over keys. Bafford, who wrote a patch and request for comments (RFC) on the matter back in 2016, hopes to update his work and convince the community to adopt the abbreviated syntax in PHP 8.1. The community took Bafford's general idea and expanded it into other areas of the language.

Several flaws in the BlueZ kernel Bluetooth stack prior to Linux 5.9 are being reported by Intel and by Google (GHSA-h637-c88j-47wq, GHSA-7mh3-gq28-gfrq, and GHSA-ccx2-w2r4-x649). They are collectively being called "BleedingTooth", and more information will be forthcoming, though there is already a YouTube video demonstrating remote code execution using BleedingTooth.