Linux Weekly News

Back in February, LWN reported on the process of gathering requirements for a Git forge system. That process then went relatively quiet until March 28, when the posting of a "CPE Weekly" news summary included, under "other updates", a note that the decision has been made. It appears that the project will be pushed toward a not-fully-free version of the GitLab offering. It is fair to say that this decision — or how it was presented — was not met with universal acclaim in the Fedora community; see this response from Neal Gompa for more.

The Debian community has announced a one-week, online "biohackathon" as a focused effort to improve the available free biomedical tools. "Most tasks do not require any knowledge of biology or medicine, and all types of contributions are welcome: bug triage, testing, documentation, CI, translations, packaging, and code contributions."

Security updates have been issued by Debian (php-horde-form and tika), Fedora (dcraw and libmodsecurity), Gentoo (libidn2 and screen), openSUSE (cloud-init, cni, cni-plugins, conmon, fuse-overlayfs, podman, opera, phpMyAdmin, python-mysql-connector-python, ruby2.5, strongswan, and tor), Oracle (ipmitool), Scientific Linux (ipmitool), SUSE (spamassassin and tomcat), and Ubuntu (twisted and webkit2gtk).

Linus has released the 5.6 kernel.

Some of the headline features in this release include Arm EOPD support, time namespaces, the BPF dispatcher and batched BPF map operations (both described in this article), the openat2() system call, the WireGuard virtual private network implementation, the flow queue PIE packet scheduler, nearly complete year-2038 support, many new io_uring features, the pidfd_getfd() system call, the ZoneFS filesystem, the ability to implement TCP congestion-control algorithms in BPF, the dma-buf heaps subsystem, and the removal of the /dev/random blocking pool.

See the LWN merge-window summaries (part 1 and part 2) and the (under construction) KernelNewbies 5.6 page for more details.

In recent years, the kernel has (finally) upped its game when it comes to hardening. It is rather harder to compromise a running kernel than it used to be. But "rather harder" is relative: attackers still manage to find ways to exploit kernel bugs. One piece of information that can be helpful to attackers is the location of the kernel stack; this patch set from Kees Cook and Elena Reshetova may soon make that information harder to come by and nearly useless in any case.

Security updates have been issued by Debian (bluez and php5), Fedora (chromium, kernel, and PyYAML), Gentoo (adobe-flash, libvpx, php, qtcore, and unzip), openSUSE (chromium, kernel, and mcpp), Oracle (ipmitool and libvncserver), Red Hat (ipmitool and rh-postgresql10-postgresql), Slackware (kernel), and SUSE (ldns and tomcat6).

David Malcolm writes about the static-analysis features that he is working on adding to the GCC compiler. "This issue is, of course, a huge problem to tackle. For this release, I’ve focused on the kinds of problems seen in C code—and, in particular double-free bugs—but with a view toward creating a framework that we can expand on in subsequent releases (when we can add more checks and support languages other than C)."

January 2018 was a sad time in the kernel community. The Meltdown and Spectre vulnerabilities had finally been disclosed, and the required workarounds hurt kernel performance in a number of ways. One of those workarounds — retpolines — continues to cause pain, with developers going out of their way to avoid indirect calls, since they must now be implemented with retpolines. In some cases, though, there may be a way to avoid retpolines and regain much of the lost performance; after a long gestation period, the "static calls" mechanism may finally be nearing the point where it can be merged upstream.

The KDE.News site is carrying an announcement for the Plasma Bigscreen environment, which is meant for large-screen televisions. "Talking of interacting from the couch, voice control provides users with the ultimate comfort when it comes to TV viewing. But most big brands not only do not safeguard the privacy of their customers, but actively harvest their conversations even when they are not sending instructions to their TV sets. We use Mycroft's Open Source voice assistant to solve this problem."

Security updates have been issued by CentOS (firefox, icu, kernel-rt, libvncserver, python-imaging, python-pip, python-virtualenv, thunderbird, tomcat, tomcat6, and zsh), Debian (icu and okular), Fedora (libxslt and php), Gentoo (bluez, chromium, pure-ftpd, samba, tor, weechat, xen, and zsh), Oracle (libvncserver), Red Hat (ipmitool and zsh), and SUSE (python-cffi, python-cryptography and python-cffi, python-cryptography, python-xattr).

The LWN.net Weekly Edition for March 26, 2020 is available.

The effects of the Coronavirus disease 2019 (COVID-19) pandemic are horrific and far-reaching; we really do not yet know just how bad it will get. One far less serious area that has been affected is conferences for and about free and open-source software (FOSS). On the grand scale, these problems are pretty low on the priority list. There are a fair number of non-profit organizations behind the gatherings, however, that have spent considerable sums setting up now-canceled events or depend on the conferences for a big chunk of their budget—or both. A new organization, FOSS Responders, has formed to try to help out.

O'Reilly has announced that it is canceling all of its upcoming in-person conferences and shutting down its conference group permanently. "Without understanding when this global health emergency may come to an end, we can’t plan for or execute on a business that will be forever changed as a result of this crisis. With large technology vendors moving their events completely on-line, we believe the stage is set for a new normal moving forward when it comes to in-person events." There is still no notice to this effect on the OSCON page, but one assumes that is coming.

Stable kernels 5.5.13, 5.5.12, 5.4.28, and 4.19.113 have been released. They all contain important fixes and users should upgrade.

The Django web framework has come a long way since it was first released as open source in 2005. It started with a benevolent dictator for life (BDFL) governance model, like the language it is implemented in, Python, but switched to a different model in 2014. When Python switched away from the BDFL model in 2018, it followed Django's lead to some extent. But now Django is changing yet again, moving from governance based around a "core team" to one that is more inclusive and better reflects the way the project is operating now.

Security updates have been issued by Debian (e2fsprogs, ruby2.1, and weechat), Fedora (java-1.8.0-openjdk and webkit2gtk3), openSUSE (apache2-mod_auth_openidc, glibc, mcpp, nghttp2, and skopeo), Oracle (libvncserver and thunderbird), and SUSE (keepalived).

The Cloudflare blog has an article on the company's work to improve the performance of Linux disk encryption. "As we can see the default Linux disk encryption implementation has a significant impact on our cache latency in worst case scenarios, whereas the patched implementation is indistinguishable from not using encryption at all. In other words the improved encryption implementation does not have any impact at all on our cache response speed, so we basically get it for free!" Patches are available, but they are apparently not in any form to go upstream.

Version 10.0.0 of the LLVM compiler suite is out. New features include support for C++ concepts, Windows control flow guard support, and much more; click below for pointers to a set of language-specific release notes.

The Python Software Foundation blog looks at some changes to pip, the Python Package installer, in the process of developing a new resolver. The new resolver will reduce inconsistency and be stricter, refusing to install two packages with incompatible requirements.

Also, this is a major change to a key part of pip - it's quite possible there will initially be bugs. We would like to make sure that those get caught before people start using the new version in production. [...]

We recognize that everyone's work is being disrupted by the COVID-19 pandemic, and that many data scientists and medical researchers use Python and pip in their work. We want to make the upgrade process as smooth and bug-free as possible for our users; if you can help us, you'll be helping each other.

Security updates have been issued by Debian (tomcat8), Fedora (chromium and okular), openSUSE (texlive-filesystem), Oracle (tomcat6), Scientific Linux (libvncserver, thunderbird, and tomcat6), Slackware (gd), SUSE (cloud-init, postgresql10, python36, and strongswan), and Ubuntu (ibus and vim).