Linux Weekly News

Security updates have been issued by Debian (gdal), Fedora (nethack), Mageia (okular, sleuthkit, and webkit2), openSUSE (salt), Oracle (icu, kernel, python-pip, python-virtualenv, and zsh), Red Hat (icu, python-imaging, thunderbird, and zsh), Scientific Linux (icu, python-imaging, and zsh), SUSE (postgresql10), and Ubuntu (apache2).

The LWN.net Weekly Edition for March 19, 2020 is available.

The python-ideas mailing list is typically used to discuss new features or enhancements for the language; ideas that gain traction will get turned into Python Enhancement Proposals (PEPs) and eventually make their way to python-dev for wider consideration. Steve Jorgensen recently started a discussion of just that sort; he was looking for a way to add customization to the "pretty-print" module (pprint) so that objects could change the way they are displayed. The subsequent thread went in a few different directions that reflect the nature of the mailing list—and the idea itself.

Konstantin Ryabitsev introduces the "b4" tool for kernel development. Developers and LWN readers will be familiar with b4 under its previous name: get-lore-mbox. "On top of that, b4 also introduces support for cryptographic patch attestation, which makes it possible to verify that patches (and their metadata) weren't modified in transit between developers. This is still an experimental feature, but initial tests have been pretty encouraging." See this article for early coverage of the attestation feature.

Drew DeVault complains about the complexity of the web and the browsers that work with it. "The major projects are open source, and usually when an open-source project misbehaves, we’re able to to fork them to offer an alternative. But even this is an impossible task where web browsers are concerned. The number of W3C specifications grows at an average rate of 200 new specs per year, or about 4 million words, or about one POSIX every 4 to 6 months. How can a new team possibly keep up with this on top of implementing the outrageous scope web browsers already have now?"

Legislation recently proposed in the US Senate is ostensibly meant to combat "child sexual abuse material" (CSAM), but it does not actually do much to combat that horrible problem. Its target, instead, is the encryption of user communications, which the legislation—tellingly—never mentions. The Eliminating Abusive and Rampant Neglect of Interactive Technologies Act of 2020, EARN IT for short, is an attempt to force online service providers (e.g. Facebook, Google, etc.) to follow a set of "best practices" determined by a commission, to combat the scourge of CSAM; the composition of that commission makes it clear that end-to-end encryption will not be one of those practices, but companies that do not follow the best practices will lose liability protection for their users' actions. It is, in brief, an attempt to force providers to either abandon true end-to-end encryption or face ruinous lawsuits—all without "seeming" to be about encryption at all.

Stable kernels 5.5.10, 5.4.26, and 4.19.111 have been released with important fixes. Users of those series should upgrade.

Security updates have been issued by Debian (libvncserver and twisted), Fedora (libxslt), Red Hat (kernel, kernel-rt, python-flask, python-pip, python-virtualenv, slirp4netns, tomcat, and zsh), Scientific Linux (kernel, python-pip, python-virtualenv, tomcat, and zsh), SUSE (apache2-mod_auth_openidc and skopeo), and Ubuntu (apport and dino-im).

Security updates have been issued by Arch Linux (okular, thunderbird, and webkit2gtk), Debian (webkit2gtk), Fedora (php-horde-Horde-Form), Gentoo (libvorbis, nss, and proftpd), Oracle (firefox and kernel), Red Hat (kernel), Scientific Linux (firefox), SUSE (cni, cni-plugins, conmon, fuse-overlayfs, podman, librsvg, and ovmf), and Ubuntu (ceph, icu, linux, linux-aws, linux-kvm, linux-aws-5.0, linux-gcp, linux-gke-5.0, linux-oracle-5.0, linux-kvm, linux-oracle, linux-raspi2, linux-raspi2-5.3, linux-kvm, linux-raspi2, linux-snapdragon, and linux-lts-xenial, linux-aws).

Over the last decade, the addition of a "flags" argument to all new system calls, even if no flags are actually needed at the outset, has been widely adopted as a best practice. The result has certainly been greater API extensibility, but we have also seen a proliferation of various types of flags for related system calls. For calls related to files and filesystems, in particular, the available flags have reached a point where some calls will need as many as three arguments for them rather than just one.

The Free Software Foundation has announced the recipients of the 2019 Free Software Awards. A new category was added this year; the Award for Outstanding New Free Software Contributor went to Clarissa Lima Borges, "a talented young Brazilian software engineering student whose Outreachy internship work focused on usability testing for various GNOME applications". The Project of social benefit award went to Let's Encrypt, and the Award for the Advancement of Free Software was given to Jim Meyering, "a prolific free software programmer, maintainer, and writer".

Stable kernel 4.19.110 has been released. "This fixes a problem in 4.19.109 in the KVM subsystem. If you use KVM, you are strongly encouraged to upgrade. If not, no big deal, you can ignore this release."

Security updates have been issued by Debian (graphicsmagick, qemu, and slurm-llnl), Fedora (ansible, couchdb, mediawiki, and python3-typed_ast), Gentoo (atftp, curl, file, gdb, git, gst-plugins-base, icu, libarchive, libgcrypt, libjpeg-turbo, libssh, libvirt, musl, nfdump, ppp, python, ruby-openid, runc, sqlite, squid, sudo, SVG Salamander, systemd, thunderbird, tiff, and webkit-gtk), Mageia (firefox, kernel, and thunderbird), openSUSE (firefox, librsvg, php7, and tomcat), Red Hat (firefox), Slackware (thunderbird), and SUSE (firefox, kernel, salt, and wireshark).

Version 4.4 of The Amnesic Incognito Live System (or Tails) has been released. It has fixed a bunch of security vulnerabilities in Tails 4.3; users are advised to "upgrade as soon as possible". Tails 4.4 brings new versions of the Tor Browser (9.0.6), Thunderbird (68.5.0), and the Linux kernel (5.4.19). It also fixes some problems with WiFi. Tails is a Linux distribution that runs from removable media; it is focused on privacy, security, and anonymity.

The 5.6-rc6 kernel prepatch has been released. "Diffstat looks normal, and the number of commits is right in the middle of the usual range too. And I don't think any of the commits look all that strange either - it's all pretty small."

The Hypertext Transfer Protocol (HTTP) is a core component of the world-wide web. Over its evolution it has added features, including encryption, but time has revealed its limitations and those of the whole protocol stack. At FOSDEM 2020, Daniel Stenberg delivered a talk about a new version of the protocol called HTTP/3. It is under development and includes some big changes under the hood. There is no more TCP, for example; a new transport protocol called QUIC is expected to improve performance and allow new features.

Wired has an article on an open-source tool that is being used to track strains of Covid-19 throughout the world. "In the case of the Seattle area teenager, genetic data about his strain of Covid-19 was uploaded to Gisaid, a platform for sharing genomic data. Then researchers at Nextstrain made the connection with the earlier patient. Nextstrain is an open source application that tracks the evolution of viruses and bacteria, including Covid-19, Ebola, and lesser-known outbreaks such as Enterovirus D68 using data sourced largely from Gisaid. Hodcroft and other researchers involved with the project analyze the data shared on Gisaid for mutations and visualize the results. That’s how the team was able to spot the connection between the two Covid-19 cases in Washington."

Psycopg is the database adapter used by most Python programs needing to work with the PostgreSQL database manager. In this blog post, psycopg maintainer Daniele Varrazzo looks forward to the next major version. "There is a chance now to rethink how thick the C libpq wrapper should be. We can reduce the C implementation to a minimal wrapper around the libpq (replaceable by a CFFI Python wrapper if compiling C is not available on the client), using it as a foundation to build a familiar DBAPI blocking interface. A blocking behaviour is not bad in itself: it allows to write most of the programs, the ones which don't need crazy concurrency, in a simple and familiar paradigm; the async layer would be available under the hood to squeeze the best performance in programs who have embraced an asynchronous pattern and framework."

Security updates have been issued by Arch Linux (firefox, golang-golang-x-crypto, kernel, mbedtls, ppp, and python-django), Debian (slirp and yubikey-val), Fedora (firefox, java-1.8.0-openjdk-aarch32, mbedtls, monit, seamonkey, sympa, and zsh), Gentoo (chromium, e2fsprogs, firefox, groovy, postgresql, rabbitmq-c, ruby, and vim), Mageia (ppp), openSUSE (kernel), and SUSE (glibc, kernel, openstack-manila, php5, and squid).

As expected, the 5.5.9, 5.4.25, 4.19.109, 4.14.173, 4.9.216, and 4.4.216 stable kernels have all been released; each contains another set of important fixes.