Linux Weekly News
Three stable kernels
Security updates for Wednesday
Security updates have been issued by Arch Linux (brotli, lib32-brotli, lib32-zeromq, samba, yaws, and zeromq), Debian (php7.0, puma, sane-backends, thunderbird, and tigervnc), Fedora (ghc-cmark-gfm, ghc-hakyll, gitit, pandoc, pandoc-citeproc, and patat), openSUSE (kdeconnect-kde and perl-DBI), Oracle (kernel), Red Hat (chromium-browser and spice and spice-gtk), SUSE (hexchat and nodejs8), and Ubuntu (vino).
[$] Zig heading toward a self-hosting compiler
The Zig programming language is a relatively recent entrant into the
"systems programming" realm; it looks to interoperate with C, while adding
safety features without sacrificing performance. The language has been
gaining some attention of late and has announced progress toward a Zig
compiler written in Zig in September. That change will allow LLVM to become
an optional component, which will be a big step forward for the "maturity
and stability" of Zig.
Security updates for Tuesday
Security updates have been issued by Fedora (chromium, libproxy, mumble, and thunderbird), openSUSE (perl-DBI), Red Hat (qemu-kvm-rhev, rh-mariadb102-mariadb and rh-mariadb102-galera, rh-maven35-jackson-databind, spice and spice-gtk, and unbound), SUSE (gnutls, java-1_7_0-openjdk, openssl1, and perl-DBI), and Ubuntu (brotli, cyrus-imapd, openconnect, opendmarc, python-urllib3, ruby-rack-cors, spice, tika, and yaws).
Python 3.9 released
Version 3.9 of the Python programming language has been released. The changelog, "What's New in Python 3.9" document, and our recent article have lots more information on the release.
"Maintenance releases for the 3.9 series will follow at regular bi-monthly intervals starting in
late November of 2020.
OK, boring! Where is Python 4?
Not so fast! The next release after 3.9 will be 3.10. It will be an incremental improvement over
3.9, just as 3.9 was over 3.8, and so on."
[$] Getting KDE onto commercial hardware
At Akademy 2020, the
annual KDE conference that was held virtually this year, KDE developer Nate
Graham delivered a talk entitled "Visions of the Future" (YouTube video) about the
possible future of KDE on commercial products. Subtitled "Plasma sold on
retail hardware — lots of it", the session concentrated on ways to
make KDE applications (and the Plasma desktop) the default
environment on hardware
sold to the general public. The proposal includes creating an
official KDE distribution with a hardware certification program and
directly paying developers.
U-Boot v2020.10 released
U-Boot (the Universal Boot Loader) v2020.10 is out. "With this release
we have a number of 'please migrate to DM [Driver Model [PDF]]' warnings that are now 1 year
past their warning date, and well past 1 year of those warnings being
printed. It's getting up there on my TODO list to see if removing
features or boards in these cases is easier."
Security updates for Monday
Security updates have been issued by Debian (libvirt, snmptt, squid3, and xen), Fedora (chromium, libproxy, mumble, samba, and xawtv), openSUSE (bcm43xx-firmware, dpdk, grafana, nodejs12, python-pip, xen, and zabbix), Oracle (thunderbird), Red Hat (cockpit-ovirt, imgbased, redhat-release-virtualization-host, redhat-virtualization-host and qemu-kvm-rhev), and SUSE (perl-DBI).
Kernel prepatch 5.9-rc8
The eighth and presumably final 5.9
prepatch is out for testing. "So things have been pretty calm, and rc8 is fairly small. I'm still
waiting for a networking pull with some fixes, so it's not like I
could have made a final 5.9 release even if I had wanted to, but there
was nothing scary going on this past week, and it all feels ready for
a final 5.9 next weekend."
[$] Collabora Online moves out of The Document Foundation
The Document Foundation (TDF) was formed in
2010 as a home for the newly created LibreOffice project; it has just celebrated
its tenth anniversary. As it begins its second decade, though, TDF is
showing some signs of strain. Evidence of this could be seen in the disagreement over a five-year marketing
plan in July. More recently, the TDF membership committee sent an open letter to the board of directors
demanding more transparency and expressing fears of conflicts of interest
within the board. Now the situation has advanced with one of the TDF's
largest contributing companies announcing that it will be moving some of
its work out of the foundation entirely.
Security updates for Friday
Security updates have been issued by Debian (jruby and ruby2.3), Fedora (crun, pdns, and podman), openSUSE (go1.14 and kernel), Oracle (qemu-kvm and virt:ol), Red Hat (qemu-kvm-ma and thunderbird), SUSE (nodejs10, nodejs12, perl-DBI, permissions, and xen), and Ubuntu (ntp).
Conservancy Announces New Strategy for GPL Enforcement and Related Work, Receives Grant from ARDC
The Software Freedom Conservancy has announced that it is embarking on "a new strategy toward improving compliance and the freedom of users of devices that contain Linux-based systems". That includes GPL enforcement, an effort to create alternative firmware for embedded Linux devices, and collaboration with other organizations "to promote copyleft compliance as a feature for consumers to protect their privacy and get more out of their devices". The work is being sponsored by an initial $150,000 grant from Amateur Radio Digital Communications (ARDC). "We take this holistic approach because compliance is not an end in itself, but rather a lever to help people advance technology for themselves and the world. Bradley Kuhn, Conservancy’s Policy Fellow and Hacker-in-Residence remarked: 'GPL enforcement began as merely an education process more than twenty years ago. We all had hoped that industry-wide awareness of copyleft’s essential role in spreading software freedom would yield widespread, spontaneous compliance. We were simply wrong about that. Today, we observe almost universal failure in compliance throughout the (so-called) Internet of Things (IoT) market. Only unrelenting enforcement that holds companies accountable can change this abysmal reality. ARDC, a visionary grant-maker, recognizes the value of systemic enforcement that utilizes the legal system to regain software freedom. That process also catalyzes community-led projects to build liberated firmware for many devices.'"
Edmundson: Plasma and the systemd startup
On his blog, David Edmundson writes about a new optional mechanism for starting up the KDE Plasma desktop using systemd. "Another big motivating factor was the ability for customisation. The root of Plasma's startup is very hardcoded. What if you want to run krunner with a different environment variable set? or have a script run every time plasmashell restarts, or show a UI after kwin is loaded but before plasma shell to perform some user setup? You can edit the code, but that's not easy and you're very much on your own.
Systemd provides that level of customisation; both at a distro or a user level out of the box. From our POV for free."
A new crop of stable kernels
The 5.8.13, 5.4.69, 4.19.149, 4.14.200, and 4.4.238 stable kernels have been released.
Note that 4.9.238 was in the review cycle with the rest of these kernels
but needed a respin due to some test failures, so it will be released on or
after October 3. As usual, all five of the released kernels have fixes
throughout the tree; users should upgrade.
Update: Apparently October 3 came early for Greg Kroah-Hartman because 4.9.238 has now been released.
[$] From O_MAYEXEC to trusted_for()
The ability to execute the contents of a file is controlled by the
execute-permission bits — some of the time. If a given file contains code
that can be executed by an interpreter — such as shell commands or code in a
language like Perl or Python, for example — there are easy ways to run the interpreter on
the file regardless of whether it has execute permission enabled or not.
Mickaël Salaün has been working on tightening up the administrator's
control over execution by interpreters for some time, but has struggled to
find an acceptable home for this feature. His latest attempt takes the
form of a new system call named trusted_for().
Security updates for Thursday
Security updates have been issued by Debian (ruby-json-jwt and ruby-rack-cors), Fedora (xen), SUSE (aspell and tar), and Ubuntu (ruby-gon, ruby-kramdown, and ruby-rack).
[$] LWN.net Weekly Edition for October 1, 2020
The LWN.net Weekly Edition for October 1, 2020 is available.
[$] OpenWrt and SELinux
SELinux is a
security mechanism with a lot of ability to restrict user-space compromises
in various useful ways. It has also generally been considered a
heavyweight option that is not suitable for more resource-restricted
systems like wireless routers. Undeterred by this perception, some OpenWrt developers are adding SELinux as
an option for protecting the distribution, which targets embedded devices.
[$] LVFS tames firmware updates
Keeping device firmware up-to-date can be a challenge for end users. Firmware
updates are often important for correct behavior, and they can have security
implications as well. The Linux Vendor Firmware
Service (LVFS) project is playing an increasing role in making firmware
updates more straightforward for both end users and vendors; LVFS
just announced its 20-millionth firmware download. Since
even a wireless mouse dongle can pose a security threat, the importance
of simple, reliable, and easily applied firmware updates is hard to
overstate.
LWN.net is a comprehensive source of news and opinions from
and about the Linux community. This is the main LWN.net feed,
listing all articles which are posted to the site front page.