5 years 7 months ago
The "kernel runtime security instrumentation" (or KRSI) patch set enables
the attachment of BPF programs to every security hook in the kernel; LWN
covered this work in December. That article
focused on ABI issues, but it deferred another potential problem to
our 2020 predictions: the possibility that
vendors could start shipping proprietary BPF programs for use with
frameworks like KRSI. Other developers
did pick up on the possibility that KRSI could be abused this way, though,
leading to a discussion on whether
KRSI should continue to allow the loading of BPF programs that do not carry
a GPL-compatible license.
corbet
5 years 7 months ago
Fedora Magazine reports that the Fedora CoreOS distribution is now deemed ready for use.
"Fedora CoreOS is a new Fedora Edition built specifically for running
containerized workloads securely and at scale. It’s the successor to both
Fedora Atomic Host and CoreOS Container Linux and is part of our effort to
explore new ways of assembling and updating an OS. Fedora CoreOS combines
the provisioning tools and automatic update model of Container Linux with
the packaging technology, OCI support, and SELinux security of Atomic
Host."
corbet
5 years 7 months ago
Security updates have been issued by Arch Linux (chromium), Fedora (gnulib, ImageMagick, jetty, ocsinventory-agent, phpMyAdmin, python-django, rubygem-rmagick, thunderbird, and xar), Mageia (e2fsprogs, kernel, and libjpeg), openSUSE (icingaweb2), Oracle (git, java-11-openjdk, and thunderbird), Red Hat (.NET Core), Scientific Linux (git, java-11-openjdk, and thunderbird), SUSE (fontforge and LibreOffice), and Ubuntu (kamailio and thunderbird).
ris
5 years 7 months ago
Android users make heavy use of the displays on their devices for almost
all of their interaction; good display performance is thus critical for a
satisfactory user experience. Achieving that performance is not always
easy; there are a lot of pieces that need to work together, and the kernel
does not always support this collaboration as well as one might like. The
Android team is currently considering a number of combinations of existing
kernel features and possible enhancements in its efforts to provide the
best display experience possible.
corbet
5 years 7 months ago
Version 3.0.0 of the Guile implementation of the Scheme programming
language has been released. There's a lot of work here, including a new,
lower-level byte code implementation, interleaved internal definitions, a
new exception implementation, and much more. "Guile programs now run up to 4 times faster, relative to Guile 2.2,
thanks to just-in-time (JIT) native code generation. Notably, this
brings the performance of 'eval' as written in Scheme back to the level
of 'eval' written in C, as in the days of Guile 1.8."
corbet
5 years 7 months ago
Security updates have been issued by Debian (debian-lan-config and phpmyadmin), openSUSE (openssl-1_1), Oracle (firefox and kernel), Red Hat (.NET Core, git, java-11-openjdk, and thunderbird), SUSE (Mesa, python3, shibboleth-sp, slurm, and tigervnc), and Ubuntu (libpcap and nginx).
ris
5 years 7 months ago
The LWN.net Weekly Edition for January 16, 2020 is available.
corbet
5 years 7 months ago
Everyone has expertise in some things, which is normally seen as a good
thing to have. But Dr. Sean Brady gave some examples of ways that our
expertise can lead us astray, and actually cause us to make worse decisions,
in a keynote at the 2020
linux.conf.au. Brady is a forensic
engineer who specializes in analyzing engineering
failures to try to discover the root causes behind them. The talk gave
real-world examples of expertise gone wrong, as well as looking at some of the
psychological research that demonstrates the problem. It was an
interesting view into the ways that our brains work—and fail to work—in
situations where our expertise may be sending our thoughts down the wrong path.
jake
5 years 7 months ago
The CentOS Project has announced the release of CentOS 8-1911, derived
from Red Hat Enterprise Linux 8.1. See the release notes for details.
ris
5 years 7 months ago
Security updates have been issued by Arch Linux (thunderbird), CentOS (firefox), openSUSE (chromium, firefox, GraphicsMagick, log4j, nodejs8, phpMyAdmin, singularity, and virglrenderer), Oracle (kernel), Red Hat (firefox), SUSE (man, nodejs10, openssl-1_1, and php7), and Ubuntu (php5, php7.0, php7.2, php7.3 and spamassassin).
ris
5 years 7 months ago
The intersection of games with free and open-source software (FOSS) was the
topic of a miniconf on the first day of this year's linux.conf.au, which was held January
13-17 in Gold Coast, Australia. As part of the miniconf, Bradley M. Kuhn
gave a talk that was well outside of his normal conference-talk fare:
the game of poker and its relationship to FOSS. It turns out that he did
some side work on a FOSS-based poker site along the way, which failed by
most measures, but there was also an element of success to the project.
The time for a successful FOSS poker project likely has passed at this
point, but there are some lessons to be learned from the journey.
jake
5 years 7 months ago
ris
5 years 7 months ago
Supporting network protocols at high speeds in pure software is getting
increasingly difficult, with 25-100Gb/s interfaces available now and
200-400Gb/s starting to show up. Packet processing at 100Gb/s
must happen in 200 cycles or less, which does
not leave much room for processing at the operating-system
level. Fortunately some operations can be performed by hardware,
including checksum verification and offloading parts of the packet send and
receive paths.
As modern hardware adds more functionality, new options are
becoming available. The 5.3 kernel includes a patch set from Pablo Neira
Ayuso that added
support for offloading some packet filtering with netfilter. This patch
set not only adds the offload support, but also performs a refactoring of
the existing offload paths in the generic code and the network card
drivers. More work came in the following kernel releases. This seems like a
good moment to review the recent advancements in offloading in the network
stack.
corbet
5 years 7 months ago
Security updates have been issued by Debian (wordpress and xen), Mageia (graphicsmagick, kernel, makepasswd, and unbound), openSUSE (containerd, docker, docker-runc, dia, ffmpeg-4, libgcrypt, php7-imagick, proftpd, rubygem-excon, shibboleth-sp, tomcat, trousers, and xen), Oracle (firefox), Red Hat (kernel), Scientific Linux (firefox), SUSE (e2fsprogs, kernel, and libsolv, libzypp, zypper), and Ubuntu (libgcrypt20, libvirt, nginx, sdl-image1.2, and spamassassin).
ris
5 years 7 months ago
Ars Technica reports on the "Cable Haunt" vulnerability that afflicts a large number of
cable modems. "The first and most straightforward way is to serve malicious JavaScript that causes the browser to connect to the modem. Normally, a mechanism called cross-origin resource sharing prevents a Web application from one origin (such as malicious.example.com) from working on a different origin (such as 192.168.100.1, the address used by most or all of the vulnerable modems).
Websockets, however, aren't protected by CORS, as the mechanism is usually
called. As a result, the modems will accept the remote JavaScript, thereby
allowing attackers to reach the endpoint and serve it code." Thus
far, there doesn't seem to be any information out there on whether routers
running OpenWrt are vulnerable.
corbet
5 years 7 months ago
Git 2.25 has been released. This blog post looks at "partial clone support" and "sparse checkouts" as these
features mature. "A clone of a Git repository copies all of its data: every version of every file in the history. For very large repositories, the cost of network transfer and local storage can make this awkward or even impossible, even if you're only interested in a subset of the files. In the past several versions, Git learned the ability to execute a "partial" clone, which means that it can now clone and work with repositories without having all of their contents.
Partial clones are still considered an experimental feature from Git's point of view. For instance, many providers (such as GitHub) don't support this feature yet, and it's continually changing and evolving within Git from release to release."
ris
5 years 7 months ago
Here is a longish blog entry from Mercurial maintainer Gregory Szorc on the
painful process of converting Mercurial to Python 3. "I
anticipate a long tail of random bugs in Mercurial on Python 3. While the
tests may pass, our code coverage is not 100%. And even if it were, Python
is a dynamic language and there are tons of invariants that aren't caught
at compile time and can only be discovered at run time. These invariants
cannot all be detected by tests, no matter how good your test coverage
is. This is a feature/limitation of dynamic languages. Our users will
likely be finding a long tail of miscellaneous bugs on Python 3 for
years."
corbet
5 years 7 months ago
Security updates have been issued by Arch Linux (file and firefox), Debian (apache-log4j1.2), Fedora (chromium, dovecot, GraphicsMagick, kubernetes, libvpx, makepasswd, matio, and slurm), Mageia (libtomcrypt, ming, oniguruma, opencv, pcsc-lite, phpmyadmin, and thunderbird), openSUSE (chromium, chromium, re2, and mozilla-nspr, mozilla-nss), Red Hat (chromium-browser, firefox, and rabbitmq-server), Slackware (mozilla), and SUSE (crowbar-core, crowbar-openstack, openstack-horizon-plugin-monasca-ui, openstack-monasca-api, openstack-monasca-log-api, openstack-neutron, rubygem-puma, rubygem-rest-client, firefox, libzypp, and openssl-1_1).
ris
5 years 7 months ago
The 5.5-rc6 kernel prepatch is out for
testing. "Let's see how things go. I do suspect that this ends up
being one of those 'rc8' releases, not because things look particularly bad
right now, but simply because the holiday season has meant that both the
testing side and the development side have been quiet. But who
knows?"
On the stable side, 5.4.11, 4.19.95, 4.14.164, 4.9.209, and 4.4.209
have all been released with another set of important fixes.
corbet
5 years 7 months ago
The 5.2 kernel saw the addition of an extensive new API for the mounting
(and remounting) of filesystems; this article covered an early version of
that API. Since then, work in this
area has mostly focused on enabling filesystems to support this API fully.
James Bottomley has taken a look at this API as part of the job of
redesigning his shiftfs filesystem and found it to be incomplete. What has
followed is a significant set of
changes that promise to simplify the mount API — though it turns out that
"simple" is often in the eye of the beholder.
corbet
LWN.net is a comprehensive source of news and opinions from
and about the Linux community. This is the main LWN.net feed,
listing all articles which are posted to the site front page.