Linux Weekly News

Version 4.16.0 of the RPM package manager has been released. "This turned out to be a much bigger release than anticipated with several groundbreaking new features, despite finally being back to annual cycle almost to date." Highlights include new database backends, macro and %if expressions including ternary operator and native version comparison, optional MIME type based file classification, new version parsing and comparison API in C and Python, license clarification, and more. The release notes have more details.

Security updates have been issued by Arch Linux (chromium, firefox, libvirt, and podman), Debian (firefox-esr and nss), Gentoo (bitcoind, chromium, cifs-utils, gpsd, libuv, and xen), Mageia (firefox, gnutls, mediawiki, samba, and Thunderbird), openSUSE (brotli and cifs-utils), Red Hat (audiofile, bluez, cloud-init, cpio, cups, curl, dbus, dnsmasq, e2fsprogs, evince and poppler, exiv2, expat, firefox, fontforge, freeradius, freerdp, glib2 and ibus, glibc, httpd, hunspell, ipa, kernel, kernel-rt, libcroco, libexif, libmspack, libpng, librabbitmq, libsndfile, libsrtp, libssh2, libtiff, libvirt, libvpx, libwmf, libxml2, libxslt, mariadb, mod_auth_openidc, NetworkManager, nss and nspr, okular, OpenEXR, openldap, openwsman, pcp, python, python-pillow, python3, qemu-kvm, qemu-kvm-ma, qt5-qtbase, samba, SDL, spamassassin, squid, subversion, systemd, tigervnc, tomcat, unoconv, and webkitgtk4), SUSE (bcm43xx-firmware, nodejs8, pdns, python-pip, and xen), and Ubuntu (libapreq2, netqmail, samba, and tomcat6).

Fish (the "friendly interactive shell") has the explicit goal of being more user-friendly than other shells. It features a modern command-line interface with syntax highlighting, tab completion, and auto-suggestions out of the box (all with no configuration required). Unlike many of its competitors, it doesn't care about being POSIX-compliant but attempts to blaze its own path. Since our last look at the project, way back in 2013, it has seen lots of new releases with features, bug fixes, and refinements aimed at appealing to a wide range of users. Some of the biggest additions landed in the 3.0 release, but we will also describe some other notable changes from version 2.1 up through latest version.

Security updates have been issued by Debian (firefox-esr and mediawiki), openSUSE (firefox, libqt5-qtbase, and rubygem-actionpack-5_1), Red Hat (qemu-kvm, qemu-kvm-ma, and virt:rhel), SUSE (dpdk, firefox, and go1.15), and Ubuntu (dpdk, imagemagick, italc, libpgf, libuv1, pam-python, squid3, ssvnc, and teeworlds).

Recently, the Mercurial project has been discussing its plans to migrate away from the compromised SHA-1 hashing algorithm in favor of a more secure alternative. So far, the discussion is in the planning stages of algorithm selection and migration strategy, with a general transition plan for users. The project, for the moment, is favoring the BLAKE2 hashing algorithm.

OpenSSH 8.4 is out. The SHA-1 algorithm is deprecated and the "ssh-rsa" public key signature algorithm will be disabled by default "in a near-future release." They note that it is possible to perform chosen-prefix attacks against the SHA-1 algorithm for less than USD$50K.

Security updates have been issued by Debian (curl, libdbi-perl, linux-4.19, lua5.3, mediawiki, nfdump, openssl1.0, qt4-x11, qtbase-opensource-src, ruby-gon, and yaws), Fedora (grub2, libxml2, perl-DBI, singularity, and xawtv), Mageia (cifs-utils, kio-extras, libproxy, mbedtls, nodejs, novnc, and pdns), openSUSE (bcm43xx-firmware, chromium, conmon, fuse-overlayfs, libcontainers-common, podman, firefox, libqt4, libqt5-qtbase, openldap2, ovmf, pdns, rubygem-actionpack-5_1, and tiff), SUSE (firefox, go1.14, ImageMagick, and libqt5-qtbase), and Ubuntu (firefox, gnuplot, libquicktime, miniupnpd, ruby-sanitize, and sudo).

The 5.9-rc7 kernel prepatch is out for testing. "But while I do now know of any remaining gating issues any more, the fixes came in fairly late. So unless I feel insanely optimistic and/or a burning bush tells me that everything is bug-free, my plan right now is that I'll do another rc next Sunday rather than the final 5.9 release. And btw, please no more burning bushes. We're kind of sensitive about those on the West coast right now."

The 5.8.12, 5.4.68, and 4.19.148 stable kernels have been released; each contains another set of important fixes.

It has only been a few months since the Emacs community went through an extended discussion on how to make the Emacs editor "popular again". As the community gears up for the Emacs 28 development cycle, (after the Emacs 27.1 release in August) that discussion has returned with a vengeance. The themes of this discussion differ somewhat from the last; developers are concerned about making Emacs — an editor with decades of history — seem "modern" to attract new users.

Version 5.0 of the Calibre electronic-book manager has been released. "There has been a lot of work on the calibre E-book viewer. It now supports Highlighting. The highlights can be colors, underlines, strikethrough, etc. and have added notes. All highlights can be both stored in EPUB files for easy sharing and centrally in the calibre library for easy browsing. Additionally, the E-book viewer now supports both vertical and right-to-left text." Another significant change is a port to Python 3; that was a necessary change but it means that there are a number of plugins that have not yet been ported and thus won't work. The status of many plugins can be found on this page.

Security updates have been issued by Debian (rails), openSUSE (chromium, jasper, ovmf, roundcubemail, samba, and singularity), Oracle (firefox), SUSE (bcm43xx-firmware, firefox, libqt5-qtbase, qemu, and tiff), and Ubuntu (aptdaemon, atftp, awl, packagekit, and spip).

The set_fs() function dates back to the earliest days of the Linux kernel; it is a key part of the machinery that keeps user-space and kernel-space memory separated from each other. It is also easy to misuse and has been the source of various security problems over the years; kernel developers have long wanted to be rid of it. They won't completely get their wish in the 5.10 kernel but, as the result of work that has been quietly progressing for several months, the end of set_fs() will be easily visible at that point.

Version 13 of the PostgreSQL database management system is out. "PostgreSQL 13 includes significant improvements to its indexing and lookup system that benefit large databases, including space savings and performance gains for indexes, faster response times for queries that use aggregates or partitions, better query planning when using enhanced statistics, and more. Along with highly requested features like parallelized vacuuming and incremental sorting, PostgreSQL 13 provides a better data management experience for workloads big and small, with optimizations for daily administration, more conveniences for application developers, and security enhancements."

Security updates have been issued by Fedora (firefox, libproxy, mbedtls, samba, and zeromq), openSUSE (chromium and virtualbox), Red Hat (firefox and kernel), SUSE (cifs-utils, conmon, fuse-overlayfs, libcontainers-common, podman, libcdio, python-pip, samba, and wavpack), and Ubuntu (rdflib).

The LWN.net Weekly Edition for September 24, 2020 is available.

It is a pretty rare event to see a nearly 21-year-old bug be addressed—many projects are nowhere near that old for one thing—but that is just what has occurred for the Mozilla Thunderbird email application. An enhancement request filed at the end of 1999 asked for a plugin to support email encryption, but it has mostly languished since. The Enigmail plugin did come along to fill the gap by providing OpenPGP support using GNU Privacy Guard (GnuPG or GPG), but was never part of Thunderbird. As part of Thunderbird 78, though, OpenPGP is now fully supported within the mail user agent (MUA).

Stable kernels 5.8.11, 5.4.67, 4.19.147, 4.14.199, 4.9.237, and 4.4.237 have been released with important fixes. Users should upgrade.

Disabling SELinux is, perhaps sadly in some ways, a time-honored tradition for users of Fedora, RHEL, and other distributions that feature the security mechanism. Over the years, SELinux has gotten easier to tolerate due to the hard work of its developers and the distributions, but there are still third-party packages that recommend or require disabling SELinux in order to function. Up until fairly recently, the kernel has supported disabling SELinux at run time, but that mechanism has been deprecated—in part due to another kernel security feature. Now Fedora is planning to eliminate the ability to disable SELinux at run time in Fedora 34, which sparked some discussion in its devel mailing list.

Security updates have been issued by openSUSE (libetpan, libqt4, lilypond, otrs, and perl-DBI), Red Hat (kernel-rt), Slackware (seamonkey), SUSE (grafana, libmspack, openldap2, ovmf, pdns, rubygem-actionpack-5_1, and samba), and Ubuntu (debian-lan-config, ldm, libdbi-perl, and netty-3.9).