Linux Weekly News
Security updates for Thursday
Security updates have been issued by Debian (graphicsmagick, opensmtpd, webkit2gtk, wget, and zlib), openSUSE (apt-cacher-ng, GraphicsMagick, java-1_8_0-openjdk, mailman, mumble, rubygem-excon, sarg, and shadowsocks-libev), Oracle (libarchive and openjpeg2), Red Hat (firefox, fribidi, openjpeg2, SDL, and thunderbird), Scientific Linux (openjpeg2), SUSE (glibc, java-1_8_0-openjdk, and rmt-server), and Ubuntu (Apache Solr and webkit2gtk).
[$] LWN.net Weekly Edition for January 30, 2020
The LWN.net Weekly Edition for January 30, 2020 is available.
[$] Fedora gathering requirements for a Git forge
Fedora currently uses Pagure to host
many of its Git repositories and to handle things like documentation and
bug tracking. But Pagure is maintained by the Red Hat Community Platform
Engineering (CPE) team, which is currently straining under the load of
managing the infrastructure and tools for Fedora and CentOS, while also maintaining
the tools used by the Red Hat Enterprise Linux (RHEL) team. That has led
to a discussion about identifying the requirements for a "Git forge" and
possibly moving away from Pagure.
Unpleasant vulnerability in OpenSMTPD
Qualys has put out an advisory regarding a vulnerability in OpenBSD's
OpenSMTPD mail server. It "allows an attacker to execute arbitrary shell
commands, as root: either locally, in OpenSMTPD's default configuration (which listens on
the loopback interface and only accepts mail from localhost);
or locally and remotely, in OpenSMTPD's 'uncommented' default
configuration (which listens on all interfaces and accepts external
mail)." OpenBSD users would be well advised to update quickly.
Security updates for Wednesday
Security updates have been issued by CentOS (apache-commons-beanutils, java-1.8.0-openjdk, libarchive, openjpeg2, openslp, python-reportlab, and sqlite), Debian (hiredis, otrs2, and unzip), openSUSE (apt-cacher-ng, git, samba, sarg, and storeBackup), Oracle (openjpeg2), Red Hat (libarchive, openjpeg2, sqlite, and virt:rhel), SUSE (aws-cli and python-reportlab), and Ubuntu (libgcrypt11, linux-aws-5.0, linux-gcp, linux-gke-5.0, linux-oracle-5.0, linux-hwe, linux-hwe, linux-aws-hwe, linux-lts-xenial, linux-aws, and openjdk-8, openjdk-lts).
LibreOffice 6.4 released
Version
6.4 of the LibreOffice productivity suite is out. It is said to be
"a new major release providing better performance, especially when
opening and saving spreadsheets and presentations, and excellent
compatibility with DOCX, XLSX and PPTX files."
Thunderbird spun out to a separate corporation
The Thunderbird email client has been moved
into a separate company called "MZLA Technologies Corporation", which
remains wholly owned by the Mozilla Foundation. "Moving to MZLA Technologies Corporation will not only allow the Thunderbird project more flexibility and agility, but will also allow us to explore offering our users products and services that were not possible under the Mozilla Foundation. The move will allow the project to collect revenue through partnerships and non-charitable donations, which in turn can be used to cover the costs of new products and services.
Thunderbird’s focus isn’t going to change. We remain committed to creating
amazing, open source technology focused on open standards, user privacy,
and productive communication."
[$] Cryptography and elections
Transparent and verifiable electronic elections are technically feasible,
but for a variety of reasons, the techniques used are not actually viable for
running most elections—and definitely not for remote voting. That was one of the
main takeaways from a keynote at this year's linux.conf.au given by University of
Melbourne Associate
Professor Vanessa Teague. She is a cryptographer who, along with her
colleagues, has investigated
several kinds of e-voting software; as is
probably not all that much of a surprise, what they found is buggy
implementations. She described some of that work in a
talk that was a mix of math with software-company and government missteps; the latter may
directly impact many of the Australian locals who were in attendance.
Security updates for Tuesday
Security updates have been issued by Debian (iperf3, openjpeg2, and tomcat7), Mageia (ansible, c3p0, fontforge, glpi, gthumb, libbsd, libmediainfo, libmp4v2, libqb, libsass, mbedtls, opencontainers-runc, php, python-pip, python-reportlab, python3, samba, sysstat, tomcat, virtualbox, and webkit2), openSUSE (java-11-openjdk, libredwg, and sarg), Oracle (sqlite), Red Hat (libarchive, nss, and openjpeg2), Scientific Linux (sqlite), SUSE (nodejs6), and Ubuntu (cyrus-sasl2, linux, linux-aws, linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon, linux, linux-aws, linux-oem, mysql-5.7, mysql-8.0, tcpdump, and tomcat8).
[$] Some 5.5 kernel development statistics
The 5.5 kernel was released on
January 26. Over the course of this development cycle, it was
occasionally said that the holidays were slowing contributions. At the
end, though, 5.5 saw the merging of 14,350 non-merge changesets from 1,885
developers — not exactly a slow-moving cycle. Indeed, 5.5 just barely
edged out 5.4 as the kernel with the most developers ever. Read on for our
traditional look at where the contributions to 5.5 came from, along with a
digression into the stable-update process.
Qt offering changes 2020
The Qt blog has announced some
changes in how the Qt toolkit is offered to consumers. Notably,
installation of Qt binaries will require a Qt Account and
long-term-supported (LTS) releases and the offline installer will become
available to commercial licensees only. "From February onward, everyone, including open-source Qt users, will require valid Qt accounts to download Qt binary packages. We changed this because we think that a Qt account lets you make the best use of our services and contribute to Qt as an open-source user.
We want open-source users to help improve Qt in one form or another, be that through bug reports, forums, code reviews, or similar. These are currently only accessible from a Qt account, which is why having one will become mandatory."
Two more stable kernels
Stable kernel 5.4.15
Stable kernel 5.4.15 has been released with
important fixes throughout the tree. Users should upgrade.
Security updates for Monday
Security updates have been issued by Debian (jsoup and slirp), Fedora (community-mysql, elog, fontforge, libuv, libvpx, mingw-podofo, nodejs, opensc, podofo, thunderbird-enigmail, transfig, and xfig), openSUSE (arc, libssh, and libvpx), Red Hat (git, java-1.8.0-openjdk, java-11-openjdk, python-reportlab, and sqlite), Slackware (thunderbird), and SUSE (java-1_8_0-openjdk, python, and samba).
The 5.5 kernel is out
In the end, Linus decided to release the 5.5
kernel rather than going for another prepatch. "So despite the
slight worry that the holidays might have affected the schedule, 5.5 ended
up with the regular rc cadence and is out now." Some of the significant
features in this release are
iopl() emulation,
many new io_uring commands,
live-patch
state tracking,
type checking for BPF tracepoint programs,
a new CPU
load-balancing algorithm,
the KUnit unit-testing framework,
airtime queue limits for WiFi,
and much more. See the
KernelNewbies 5.5 changelog for more information.
Librem 5 phone hands-on—Open source phone shows the cost of being different (Ars Technica)
Ars Technica reviews the Purism Librem 5 smartphone, which is made from open-source software and (mostly) open hardware. It is clearly not there yet as a replacement for the phone in our pockets, but it would seem to be on the right path. "The thing to keep in mind here is that Purism has taken on an absolutely gargantuan task. It somehow scraped together a new supply chain of mostly open source components, it came up with a smartphone design from scratch, and it is building its own smartphone distribution of Linux. Two years is not enough time to do this. The OS and app package is not nearly finished, and it lacks basic smartphone functionality. The hardware is nearly finished, but you'll have a hard time taking advantage of it right now since the power management isn't really implemented, and support for things like the cameras are non-existent. If you really want open source smartphones to be a thing, though, this is where you need to start. The Librem 5 is a proof of concept."
When Computer Crimes Are Used To Silence Journalists: Why EFF Stands Against the Prosecution of Glenn Greenwald
The Electronic Frontier Foundation (EFF) has put out a statement in support of journalist Glenn Greenwald whose "prosecution is an attempt to use computer crime law to silence an investigative reporter who exposed deep-seated government corruption". Greenwald is being charged in Brazil, where he reported on corruption within the government of that country. While the EFF said that it has seen "no actions detailed in the criminal complaint that violate Brazilian law", its main concern is the use of ill-defined "cybercrime" laws.
"Around the world, cybercrime laws are notoriously hazy. This is in part because it’s challenging to write good cybercrime laws: technology evolves quickly, our language for describing certain digital actions may be imprecise, and lawmakers may not always imagine how laws will later be interpreted. And while the laws are hazy, the penalties are often severe, which makes them a dangerously big stick in the hands of prosecutors. Prosecutors can and do take advantage of this disconnection, abusing laws designed to target criminals who break into computers for extortion or theft to prosecute those engaged in harmless activities, or research—or, in this case, journalists communicating with their sources."
[$] The rapid growth of io_uring
One year ago, the io_uring subsystem did
not exist in the mainline kernel; it showed up in the 5.1 release in May
2019. At its core, io_uring is a mechanism for performing asynchronous
I/O, but it has been steadily growing beyond that use case and adding new
capabilities. Herein we catch up with the current state of io_uring, where
it is headed, and an interesting question or two that will come up along
the way.
Security updates for Friday
Security updates have been issued by Debian (git and python-apt), Oracle (openslp), Red Hat (chromium-browser and ghostscript), SUSE (samba, slurm, and tomcat), and Ubuntu (clamav, gnutls28, and python-apt).
LWN.net is a comprehensive source of news and opinions from
and about the Linux community. This is the main LWN.net feed,
listing all articles which are posted to the site front page.