Linux Weekly News

One of the advantages of the in-kernel BPF virtual machine is that it is fast. BPF programs are just-in-time compiled and run directly by the CPU, so there is no interpreter overhead. For many of the intended use cases, though, "fast" can never be quite fast enough. It is thus unsurprising that there are currently a number of patch sets under development that are intended to speed up one aspect or another of using BPF in the system. A few, in particular, seem about ready to hit the mainline.

Over the holiday week, we missed the announcement of Ruby 2.7 on December 25. It is the most recent release of the Ruby programming language and was more than a year in development. There are quite a few new features including experimental pattern matching for case statements (more information can be found in these slides), a new compaction garbage collector for the heap, support for separating positional and keyword arguments, and plenty more.

Security updates have been issued by Red Hat (chromium-browser and rh-git218-git) and SUSE (java-1_8_0-ibm and openssl-1_1).

The LWN.net Weekly Edition for January 2, 2020 is available.

Python prides itself on being a newbie-friendly language; its developers have gone out of their way to try to ensure that easy tasks are straightforward to program. A recent discussion on the python-ideas mailing list looked at a use case that is common, but often implemented in an inefficient, incorrect fashion, with an eye toward making it easier to do correctly. Finding the first match for a regular expression in a body of text is where the conversation started, but it went in some other interesting directions as well.

January 1, 2020 marks the beginning of a new year and a new decade. Many things will doubtless change over the course of this year in the free-software community and beyond, while others will remain the same. One thing that will certainly hold true is LWN's tradition of starting the new year with some ill-advised predictions about what may be in store. Your editor has no special vision, but neither does he fear being proved badly wrong in a public setting — it's all in a day's work.

Security updates have been issued by Debian (igraph, jhead, libgcrypt20, otrs2, and waitress) and Mageia (clamaw, exiv2, filezilla, hunspell, libidn2, pdfresurrect, roundcubemail, and xpdf).

A proposal to periodically run the fstrim command on Fedora 32 systems was discussed recently on the Fedora devel mailing list. fstrim is used to cause a filesystem to inform the underlying storage of unused blocks, which can help SSDs and other types of block devices perform better. There were a number of questions and concerns raised, including whether to change the behavior of earlier versions of the distribution when they get upgraded and if the kernel should be responsible for handling the whole problem.

Stable kernels 5.4.7, 4.19.92, and 4.14.161 have been released. They all contain important fixes and users should upgrade.

Security updates have been issued by Debian (intel-microcode and libbsd), openSUSE (chromium, LibreOffice, and spectre-meltdown-checker), and SUSE (mozilla-nspr, mozilla-nss and python-azure-agent).

Security updates have been issued by Debian (debian-lan-config, freeimage, imagemagick, libxml2, mediawiki, openssl1.0, php5, and tomcat8).

The results from the Debian general resolution vote on init systems are in; the project's developers chose the option titled "Systemd but we support exploring alternatives". It makes systemd into the preferred init system, and allows packages to use systemd-specific features; packagers are not required to support other init systems, but support for other systems is encouraged where it is practical.

The 5.5-rc4 kernel prepatch is out for testing. "To absolutely nobody's surprise, last week was very quiet indeed. It's hardly even worth making an rc release, but there are _some_ fixes in here, so here's the usual weekly Sunday afternoon rc."

Matthew Garrett works out how to avoid being recorded by "Ring" door cameras in his apartment building. "The most interesting one here is the deauthentication frame that access points can use to tell clients that they're no longer welcome. These can be sent for a variety of reasons, including resource exhaustion or authentication failure. And, by default, they're entirely unprotected. Anyone can inject such a frame into your network and cause clients to believe they're no longer authorised to use the network, at which point they'll have to go through a new authentication cycle - and while they're doing that, they're not able to send any other packets."

Security updates have been issued by SUSE (dia, kernel, and libgcrypt).

One of the first uses of the BPF virtual machine outside of networking was to implement access-control policies for the seccomp() system call. Since then, though, the role of BPF in the security area has not changed much in the mainline kernel, even though BPF has evolved considerably from the "classic" variant still used with seccomp() to the "extended" BPF now supported by the kernel. That has not been for a lack of trying, though. The out-of-tree Landlock security module was covered here over three years ago. We also looked at the kernel runtime security instrumentation (KRSI) patch set in September. KP Singh has posted a new KRSI series, so the time seems right for a closer look.

Andrew 'bunnie' Huang has posted a detailed article on why creating trustable hardware is so difficult and describing a project he's working on to do it anyway. "While open hardware has the opportunity to empower users to innovate and embody a more correct and transparent design intent than closed hardware, at the end of the day any hardware of sufficient complexity is not practical to verify, whether open or closed. Even if we published the complete mask set for a modern billion-transistor CPU, this 'source code' is meaningless without a practical method to verify an equivalence between the mask set and the chip in your possession down to a near-atomic level without simultaneously destroying the CPU."

Security updates have been issued by CentOS (firefox, fribidi, nss, nss-softokn, nss-util, openslp, and thunderbird), Debian (opensc), and Mageia (389-ds-base, apache, apache-mod_auth_openidc, kernel, libofx, microcode, php, and ruby).

Security updates have been issued by CentOS (freetype, kernel, nss, nss-softokn, nss-util, and thunderbird), Mageia (ghostpcl, libmirage, and spamassassin), Oracle (fribidi), and SUSE (mariadb-100, shibboleth-sp, and slurm).

Security updates have been issued by Debian (cups, cyrus-sasl2, tightvnc, and x2goclient), Fedora (cacti and cacti-spine), openSUSE (mariadb and samba), Oracle (fribidi, git, and python), Red Hat (fribidi, libyang, and qemu-kvm-rhev), Slackware (openssl and tigervnc), and SUSE (firefox, nspr, nss and kernel).