Linux Weekly News

Security updates have been issued by Oracle (java-1.7.0-openjdk and java-1.8.0-openjdk), Red Hat (git, java-1.8.0-openjdk, java-11-openjdk, and kernel), Scientific Linux (kernel), Slackware (git), SUSE (openssl-1_1 and puppet), and Ubuntu (binutils and thunderbird).

Matthew Garrett has posted an overview of the kernel lockdown capability merged in 5.4. "If you verify your boot chain but allow root to modify that kernel, the benefits of the verified boot chain are significantly reduced. Even if root can't modify the on-disk kernel, root can just hot-patch the kernel and then make this persistent by dropping a binary that repeats the process on system boot. Lockdown is intended as a mechanism to avoid that, by providing an optional policy that closes off interfaces that allow root to modify the kernel."

Many applications benefit significantly from the use of huge pages. However, huge-page allocations often incur a high latency or even fail under fragmented memory conditions. Proactive compaction may provide an effective solution to these problems by doing memory compaction in the background. With guest author Nitin Gupta's proposed proactive compaction implementation, typical huge-page allocation latencies are reduced by a factor of 70-80 while incurring minimal CPU overhead.

Subscribers can read on for the full story from the upcoming weekly edition.

Stable kernels 5.6.6, 5.5.19, 5.4.34, and 4.19.117 have been released. This is the last 5.5.y kernel and users should move to 5.6.y at this time. Users of the other series should upgrade to get the latest fixes.

Security updates have been issued by Arch Linux (webkit2gtk), Debian (awl, git, and openssl), Red Hat (chromium-browser, git, http-parser, java-1.7.0-openjdk, java-1.8.0-openjdk, java-11-openjdk, qemu-kvm-ma, rh-git218-git, and rh-maven35-jackson-databind), Scientific Linux (advancecomp, avahi, bash, bind, bluez, cups, curl, dovecot, doxygen, evolution, expat, file, firefox, gettext, git, GNOME, httpd, ImageMagick, java-1.7.0-openjdk, java-1.8.0-openjdk, java-11-openjdk, kernel, lftp, libosinfo, libqb, libreoffice, libsndfile, libxml2, mailman, mariadb, mod_auth_mellon, mutt, nbdkit, net-snmp, okular, php, polkit, poppler and evince, python, python-twisted-web, python3, qemu-kvm, qt, rsyslog, samba, squid, taglib, telnet, texlive, thunderbird, unzip, wireshark, and zziplib), SUSE (apache2), and Ubuntu (git and python2.7, python3.4, python3.5, python3.6, python3.7).

Back in February, the kernel community discussed the removal of a couple of functions that could be used by loadable modules to gain access to symbols (functions and data structures) that were not meant to be available to them. That change was merged during the 5.7 merge window. This change will break a number of external modules that depended on the removed functions; since many of those modules are proprietary, this fact does not cause a great deal of anguish in the kernel community. But there are a few out-of-tree modules with GPL-compatible licenses that are also affected by this change; one of those is LTTng. Fixing LTTng may not be entirely straightforward.

Python 2.7.18 is out. This is the last release and end of support for Python 2. "Python 2.7 has been under active development since the release of Python 2.6, more than 11 years ago. Over all those years, CPython's core developers and contributors sedulously applied bug fixes to the 2.7 branch, no small task as the Python 2 and 3 branches diverged. There were large changes midway through Python 2.7's life such as PEP 466's feature backports to the ssl module and hash randomization. Traditionally, these features would never have been added to a branch in maintenance mode, but exceptions were made to keep Python 2 users secure. Thank you to CPython's community for such dedication."

Security updates have been issued by Arch Linux (openvpn), Debian (awl, file-roller, jackson-databind, and shiro), Fedora (chromium, git, and libssh), Mageia (php, python-bleach, and webkit2), openSUSE (chromium, gstreamer-rtsp-server, and mp3gain), Oracle (thunderbird and tigervnc), SUSE (thunderbird), and Ubuntu (file-roller and webkit2gtk).

The results are in from this year's Debian project leader election; the winner is Jonathan Carter.

The 5.7-rc2 kernel prepatch is out for testing. "Everything continues to look fairly normal, with commit counts right in the middle of what you'd expect for rc2. And most of the changes are tiny and don't look scary at all."

Greg Kroah-Hartman has released the 5.6.5, 5.5.18, 5.4.33, and 4.19.116 stable kernels. They contain a seemingly larger-than-usual collection of fixes throughout the kernel tree; users of those series should upgrade.

Much of the free software we run every day was developed over email, and the developers of that software, who may have been using email for decades, tend to be somewhat attached to it. The newer generation of developers that came later, though, has proved remarkably resistant to the charms of email-based communication. That has led to an ongoing push to replace email with other forms of communication; often the "other form" of choice is a web-based system called Discourse. Moving to Discourse tends to be controversial; LWN covered related discussions in the Fedora and Python projects in 2018. Now it is Debian's turn to confront this question.

On the FSF blog, Zoe Kooyman describes how the LibrePlanet 2020 conference was converted to a virtual conference in a week's time—using free software, naturally. "In 2016, we gained some livestreaming experience when we interviewed Edward Snowden live from Moscow. To minimize the risk of failed recordings due to overly complex or error-prone software systems, we made it a priority to achieve a pipeline with low latency, good image quality, and low CPU usage. The application we used then was Jitsi Meet, and the tech info and scripts we used for streaming from 2016 are available for your information and inspiration. Naturally, for this year, with no time for researching other applications, we opted to build on our experience with Jitsi Meet. We hosted our own instance for remote speakers to connect to and enter a video call with the conference organizers. A screen capture of this call was then simultaneously recorded by the FSF tech team, and streamed out to the world via Gstreamer and Icecast."

Security updates have been issued by Arch Linux (apache and chromium), Debian (webkit2gtk), Fedora (firefox, nss, and thunderbird), Mageia (chromium-browser-stable and git), openSUSE (gnuhealth), Oracle (thunderbird), Red Hat (kernel-alt, thunderbird, and tigervnc), Scientific Linux (thunderbird), Slackware (openvpn), and SUSE (freeradius-server and libqt4).

There are many ways to try to keep a system secure. One of those, often employed in embedded or other dedicated-purpose systems, is to try to ensure that only code that has been approved (by whoever holds that power over the system in question) can be executed. The secure boot mechanism, which is intended to keep a computer from booting anything but a trusted kernel, is one piece of this puzzle, but its protection only extends through the process of booting the kernel itself. Various mechanisms exist for protecting a system after it boots; a new option for this stage is the Integrity Policy Enforcement (IPE) security module, posted by Deven Bowers.

Security updates have been issued by Arch Linux (git), Fedora (cacti, cacti-spine, chromium, golang-github-buger-jsonparser, kernel, kernel-headers, and kernel-tools), openSUSE (ansible, git, and mp3gain), Oracle (container-tools:ol8, nodejs:10, and virt:ol), Red Hat (chromium-browser, ipmitool, and thunderbird), Slackware (bind), SUSE (quartz), and Ubuntu (php5, php7.0, php7.2, php7.3).

The LWN.net Weekly Edition for April 16, 2020 is available.

We last looked in on the question of a Git forge for Fedora at the end of January—which seems like nearly a lifetime ago, but is, in truth, only around two-and-a-half months back. At that time, requirements were being gathered for an open decision-making process that would seemingly play out with lots of community participation. That is not at all what transpired, however, and much of the Fedora community feels that its needs have not been taken into consideration. There are a number of lessons that can be learned from all of this.

Version 1.1.0 of the GNU Guix transactional package manager and system distribution has been released. "It’s been 11 months since the previous release, during which 201 people contributed code and packages. This is a long time for a release, which is in part due to the fact that bug fixes and new features are continuously delivered to our users via guix pull. However, a number of improvements, in particular in the installer, will greatly improve the experience of first-time users."

Security updates have been issued by Debian (git, graphicsmagick, php-horde-data, and php-horde-trean), Mageia (apache, gnutls, golang, krb5-appl, libssh, libvncserver, mediawiki, thunderbird, tor, and wireshark), openSUSE (chromium, nagios, and thunderbird), Oracle (kernel and krb5-appl), Red Hat (elfutils, kernel, nss-softokn, ntp, procps-ng, and python), Scientific Linux (firefox), Slackware (git), SUSE (git and ruby2.5), and Ubuntu (git).