Linux Weekly News

The 5.5.4, 5.4.20, 4.19.104, 4.14.171, 4.9.214, and 4.4.214 stable kernels have all been released; each contains a relatively large set of important fixes.

Back in November 2019, Mike Rapoport made the case that there is too much address-space sharing in Linux systems. This sharing can be convenient and good for performance, but in an era of advanced attacks and hardware vulnerabilities it also facilitates security problems. At that time, he proposed a number of possible changes in general terms; he has now come back with a patch implementing a couple of address-space isolation options for the memfd mechanism. This work demonstrates the sort of features we may be seeing, but some of the hard work has been left for the future.

Security updates have been issued by Debian (debian-security-support, postgresql-11, and postgresql-9.6), Fedora (cutter-re, firefox, php-horde-Horde-Data, radare2, and texlive-base), openSUSE (docker-runc), Oracle (kernel), Red Hat (sudo), and Ubuntu (firefox).

Stable-kernel updates are, unsurprisingly, supposed to be stable; that is why the first of the rules for stable-kernel patches requires them to be "obviously correct and tested". Even so, for nearly as long as the kernel community has been producing stable update releases, said community has also been complaining about regressions that make their way into those releases. Back in 2016, LWN did some analysis that showed the presence of regressions in stable releases, though at a rate that many saw as being low enough. Since then, the volume of patches showing up in stable releases has grown considerably, so perhaps the time has come to see what the situation with regressions is with current stable kernels.

Security updates have been issued by Arch Linux (dovecot, firefox, ksh, and webkit2gtk), Debian (firefox-esr and openjdk-8), Mageia (exiv2, flash-player-plugin, python-waitress, and vim and neovim), openSUSE (pcp and rubygem-rack), Oracle (kernel), Red Hat (sudo), and Slackware (libarchive).

The LWN.net Weekly Edition for February 13, 2020 is available.

It seems unlikely that anyone on any "side" of the systemd war that has raged in Debian over the last few years thought that the results of the recent general resolution (GR) vote ended the matter. The vote showed a clear preference for moving ahead with systemd as the preferred init system, though it was far from any kind of landslide—there were definitely plenty of voters who would have preferred a different outcome. It was a complicated GR, with a wide spectrum of options, but at this point, the project as a whole has spoken. Actually implementing some of the changes that the GR enabled may not have the smooth path that some might have hoped for, however.

On the Google Project Zero blog, Jann Horn looks at a number of vulnerabilities in a Samsung Android kernel, some of which are caused by the addition of out-of-tree "security" features. "The Samsung kernel on the A50 contains an extra security subsystem (named 'PROCA', short for 'Process Authenticator', with code in security/proca/) to track process identities. By combining several logic issues in this subsystem (which, on their own, can already cause a mismatch between the tracking state and the actual process state) with a brittle code pattern, it is possible to cause memory unsafety by winning a race condition."

Security updates have been issued by CentOS (spice-gtk), Debian (libemail-address-list-perl), openSUSE (chromium, libqt5-qtbase, nginx, systemd, and wicked), Oracle (spice-gtk), Slackware (firefox and thunderbird), and Ubuntu (libexif and Yubico PIV Tool).

Stable kernels 5.5.3, 5.4.19, and 4.19.103 have been released. They all contain many important fixes throughout the tree and users should upgrade.

From a high-level perspective, Lua and Python are similar languages; both are "scripting" languages that are compiled into bytecode instructions that run on a virtual machine. But the focus of Lua has generally been toward embedding the language into some larger application or system, rather than as an alternative for, say, Python, Perl, or Ruby as a general-purpose language. That is not to say that Lua is not capable of handling any of the tasks those other languages do, but that it has not really been the target, seemingly. Some recent discussions in the Lua community have explored possible changes in that regard, particularly around the idea of providing a larger, richer standard library.

Firefox 73.0 has been released. This version includes two features that help users view and read website content more easily; a new global default zoom level setting and a "readability backplate" solution to make websites in High Contrast Mode more readable without disabling background images. See the release notes for details.

Security updates have been issued by Debian (checkstyle), Fedora (poppler), Oracle (kernel), Red Hat (389-ds:1.4, java-1.7.1-ibm, java-1.8.0-ibm, nss-softokn, and spice-gtk), and Scientific Linux (spice-gtk).

Daniel Aleksandersen shows how to sandbox a daemon process using a set of systemd features. "These directives combined would have stopped the specific remote code execution vulnerability that afflicted OpenSMTPD. However, the key takeaway is that you should strive to sandbox long-running and internet-exposed services. There’s no need for your webserver to be able to load a kernel module, your email server to change the hostname, or your DNS server to launch wget and schedule reoccurring tasks with cron."

Linus Torvalds released the 5.6-rc1 prepatch and closed the merge window on February 9; at that point, 10,780 non-merge changesets had been pulled into the mainline repository for 5.6. That is substantially less than recent development cycles (14,350 for 5.5, 14,619 for 5.4), but is similar to what was going on at this time last year (10,843 for 5.0-rc1 in January 2019). About 6,000 of those changes were pulled since the first 5.6 merge-window article was written; read on for what was included in those changes.

Version 9.1 of the GNU debugger is out. There are many improvements; see the announcement and the changelog for details.

Security updates have been issued by Debian (ipmitool, libexif, and ppp), Fedora (glib2, java-1.8.0-openjdk, java-11-openjdk, libasr, libuv, mingw-gdk-pixbuf, mingw-SDL2, nethack, nghttp2, nodejs, nodejs-mixin-deep, nodejs-set-value, nodejs-yarn, opensmtpd, python-feedgen, runc, samba, sox, and texlive-base), Mageia (chromium-browser-stable, mgetty, openslp, qtbase5, spamassassin, sudo, and xmlrpc), openSUSE (ceph and chromium), Oracle (grub2 and kernel), SUSE (docker-runc, LibreOffice, and wicked), and Ubuntu (libxml2 and qtbase-opensource-src).

Linus has released 5.6-rc1 and closed the merge window for this development cycle. "This was actually a slightly smaller merge window than usual, but I think that what happened is simply that the holiday season impacted new development. It impacted the 5.5 rc series less than I had expected, but seems to instead have caused 5.6 to have slightly less development than normal."

One of the more eyebrow-raising features to go into the 5.6 kernel is the ability to load TCP congestion-control algorithms as BPF programs; networking developer Toke Høiland-Jørgensen described it as a continuation of the kernel's "march towards becoming BPF runtime-powered microkernel". On its face, congestion control is a significant new functionality to hand over to BPF, taking it far beyond its existing capabilities. When one looks closer, though, one's eyebrow altitude may well increase further; the implementation of this feature breaks new ground in a couple of areas.

Over on the Ardour forum, Paul Davis wonders whether access to the source code is truly what users these days want or need. There are other closed-source digital audio workstations that are far more customizable than Ardour via a scripting language without needing any access to the source. "But perhaps for applications like Ardour, ones that do not yet exist, there ought to be a different development pathway. I remember once wondering if we should have implemented the entire GUI in PyGTK (i.e. Python). We didn't, and most of my curiosity was about whether it would have helped or hindered our development process. However, had we done so, one of the consequences would have been that many changes to the program would have been made simpler, easier to access and would require no 'rebuild'. I wonder if going forward, large-scale apps like Ardour ought to (as Reaper did relatively early in its life) consider the 'script extension system' to be a vital and critical part of the application infrastructure. This would mean, for example, writing large parts of 'core functionality' using this system, rather than dropping back into C++ to get things done. There are precedents for this: GNU Emacs, for example, is at some level written in C, but almost everything about the program is actually constructed in Emacs Lisp, its own 'scripting extension'. The C core of Emacs is so small and so irrelevant that it almost doesn't matter that it is there: if you want to modify or extend Emacs, you (almost always) write Lisp, not C."