Linux Weekly News

The LWN.net Weekly Edition for March 5, 2020 is available.

By most accounts, the freedesktop.org (fd.o) GitLab instance has been a roaring success; lots of projects are using it, including Mesa, Linux kernel graphics drivers, NetworkManager, PipeWire, and many others. In addition, a great deal of continuous-integration (CI) testing is being done on a variety of projects under the fd.o umbrella. That success has come at a price, however. A recent message from the X.Org Foundation, which merged with fd.o in 2019, has made it clear that the current situation is untenable from a financial perspective. Given its current resources, X.Org cannot continue covering those costs beyond another few months.

Sam Hartman has announced that he will not run for a second term as Debian Project Leader at this time. "TL;DR: Overall, being DPL has been incredibly rewarding. I have enjoyed working with you all, and have enjoyed the opportunity to contribute to the Debian Project. I hope to be DPL again some year, but 2020 is the wrong year for me and for the project. So I will not nominate myself this year, but hope to do so some future year."

Security updates have been issued by Debian (libzypp), Fedora (opensmtpd and thunderbird), openSUSE (nodejs8), Red Hat (http-parser, kpatch-patch, and xerces-c), SUSE (cloud-init, compat-openssl098, kernel, postgresql96, python, and yast2-rmt), and Ubuntu (python-django and rake).

Handling time zones is a pretty messy affair overall, but language runtimes may have even bigger problems. As a recent discussion on the Python discussion forum shows, there are considerations beyond those that an operating system or distribution needs to handle. Adding support for the IANA time zone database to the Python standard library, which would allow using names like "America/Mazatlan" to designate time zones, is more complicated than one might think—especially for a language trying to support multiple platforms.

Security updates have been issued by Debian (linux-4.9, proftpd-dfsg, rrdtool, and zsh), Fedora (kernel), openSUSE (cacti, cacti-spine, mariadb, and ppp), Red Hat (kernel, qemu-kvm, qemu-kvm-ma, and ruby), Slackware (seamonkey), SUSE (kernel, libpng16, ovmf, python-aws-sam-translator, python-boto3, python-botocore, python-cfn-lint, python-jsonschema, python-nose2, python-parameterized, python-pathlib2, python-pytest-cov, python-requests, python-s3transfer, and python36), and Ubuntu (libpam-radius-auth, OpenSMTPD, and ppp).

The kernel development process is based on trust at many levels — trust in developers, but also in the infrastructure that supports the community. In some cases, that trust may not be entirely deserved; most of us have long since learned not to trust much of anything that shows up in email, for example, but developers still generally trust that emailed patches will be what they appear to be. In his ongoing effort to bring more security to kernel development, Konstantin Ryabitsev has proposed a patch attestation scheme that could help subsystem maintainers verify the provenance of the patches showing up in their mailboxes.

Security updates have been issued by Arch Linux (chromium and webkit2gtk), Debian (collabtive, dojo, firebird2.5, gst-plugins-base0.10, libapache2-mod-auth-openidc, openjdk-7, php5, python-bleach, and rrdtool), Fedora (kernel, kernel-headers, kernel-tools, mingw-openjpeg2, and openjpeg2), Mageia (hiredis, kernel, rsync, wireshark, and zsh), openSUSE (cacti, cacti-spine, libexif, proftpd, python-azure-agent, python3, and webkit2gtk3), Oracle (ppp), SUSE (permissions), and Ubuntu (libarchive).

The 5.6-rc4 kernel prepatch has been released. "Fairly reasonably sized rc4, and the diffstat looks nice and flat too (which basically means 'lots of small changes') except for a netfilter ipset fix that ended up being somewhat big and involved due to locking changes."

The Netdev 0x14 conference, scheduled to begin March 17 in Vancouver, has been postponed due to coronavirus concerns; it has been tentatively rescheduled for June 16 to 19 at the same location.

The 5.5.7, 5.4.23, 4.19.107, 4.14.172, 4.9.215, and 4.4.215 stable kernels have all been released; each contains another set of important fixes.

One of the basic rules of kernel-module development is that modules can only access symbols (functions and data structures) that have been explicitly exported. Even then, many symbols are restricted so that only modules with a GPL-compatible license can access them. It turns out, though, that there is a readily available workaround that makes it easy for a module to access any symbol it wants. That workaround seems likely to be removed soon despite some possible inconvenience for some out-of-tree users; the reason why that is happening turns out to be relatively interesting.

Security updates have been issued by CentOS (java-1.7.0-openjdk and ppp), Debian (libimobiledevice, libusbmuxd, and pure-ftpd), Fedora (caddy, firejail, golang-github-gorilla-websocket, golang-vitess, hugo, mingw-libpng, php, and proftpd), openSUSE (chromium, enigmail, ipmitool, libsolv, libzypp, zypper, weechat, and yast2-rmt), Oracle (java-1.7.0-openjdk and ppp), Red Hat (java-1.7.0-openjdk and ppp), Scientific Linux (java-1.7.0-openjdk and ppp), and SUSE (java-1_8_0-ibm, kernel, mariadb, mariadb-100, openssl, php5, python, rsyslog, and texlive-filesystem).

This patch from Johannes Weiner seemed like a straightforward way to improve memory-reclaim performance; without it, the virtual filesystem layer throws away memory that the memory-management subsystem thinks is still worth keeping. But that patch quickly ran afoul of a feature (or "misfeature" depending on who one asks) from the distant past, one which goes by the name of "high memory". Now, more than 20 years after its addition, high memory may be brought down low, as developers consider whether it should be deprecated and eventually removed from the kernel altogether.

Security updates have been issued by CentOS (kernel, ksh, python-pillow, and thunderbird), Debian (opensmtpd, proftpd-dfsg, and rake), Fedora (NetworkManager-ssh), openSUSE (chromium), and SUSE (libexif, mariadb, ovmf, python3, and squid).

The LWN.net Weekly Edition for February 27, 2020 is available.

The "kernel runtime security instrumentation" (KRSI) patch set has been making the rounds over the past few months; the idea is to use the Linux security module (LSM) hooks as a way to detect, and potentially deflect, active attacks against a running system. It does so by allowing BPF programs to be attached to the LSM hooks. That has caused some concern in the past about exposing the security hooks as external kernel APIs, which makes them potentially subject to the "don't break user space" edict. But there has been no real objection to the goals of KRSI. The fourth version of the patch set was posted by KP Singh on February 20; the concerns raised this time are about its impact on the LSM infrastructure.

Security updates have been issued by Debian (python-pysaml2), Mageia (clamav, graphicsmagick, opencontainers-runc, squid, and xmlsec1), Oracle (kernel, ksh, python-pillow, systemd, and thunderbird), Red Hat (rh-nodejs12-nodejs), Scientific Linux (ksh, python-pillow, and thunderbird), and SUSE (nodejs6, openssl, ppp, and squid).

BPF has exploded within the Linux world over the last few years, growing from its networking roots into the go-to tool for running custom in-kernel programs. Its role seems to expand with every kernel release into diverse areas such as security and device control. But none of that is the focus of a relatively new book from Brendan Gregg, BPF Performance Tools; it looks, instead, at how BPF provides visibility into the guts of the kernel. Finding performance bottlenecks of various sorts on (generally large) production systems is an area where BPF and the tool set that has grown up around it can excel; Gregg's book describes that landscape in great depth.

Version 19 of the Arch-based Manjaro distribution is out. "The Xfce edition remains our flagship offering and has received the attention it deserves. Only a few can claim to offer such a polished, integrated and leading-edge Xfce experience. With this release we ship Xfce 4.14 and have mostly focused on polishing the user experience with the desktop and window manager. Also we have switched to a new theme called Matcha. A new feature Display-Profiles allows you to store one or more profiles for your preferred display configuration. We also have implemented auto-application of profiles when new displays are connected."