Hírolvasó

On the surface, the kernel's internal timer mechanism would not appear to have changed much in a long time; the core API looks quite similar to the one present in the 1.0 release. Underneath the API, naturally, quite a bit of complexity has been added over the years. The implementation of this API looks to become even more complex — but faster — if and when this patch set from Anna-Maria Behnsen finds its way into the mainline.

Security updates have been issued by Debian (ffmpeg, libxml2, python-django, python-scciclient, and xen), Fedora (ghc-cmark-gfm, java-latest-openjdk, and vim), Mageia (expat, ntfs-3g, and wkhtmltopdf), Oracle (kernel), Slackware (sudo), and SUSE (expat, libxml2, rubygem-loofah, and xmlbeans).

The 6.1-rc4 kernel prepatch is out for testing. "So as hoped for (and expected), things seem to be starting to calm down, and rc4 is a pretty normal size for this stage in the process".

A few years ago, I posted on the challenges of maintaining low weight as one ages.  I have managed to  stay near my target weight, with the occasional excursion in either direction, though admittedly more often up than down.  My suspicion that maintaining weight would prove 90% as difficult as losing it has proven to be all too well founded.  As has the observation that exercise is inherently damaging to muscles (see for example here), especially as one's body's ability to repair itself decreases inexorably with age.

It can be helpful to refer back to those old college physics courses.  One helpful formula is the well-worn Newtonian formula for kinetic energy, which is equal to half your mass times the square of your velocity.  Now, the human body does not maintain precisely the same speed while moving (that is after all what bicycles are for), and the faster you are going, the more energy your body must absorb when decreasing your velocity by a set amount on each footfall.  In fact, this amount of energy increases linearly with your average velocity.  So you can reduce the energy absorption (and thus the muscle and joint damage) by decreasing your speed.  And here you were wondering why old people often move much more slowly than do young people!

But moving more slowly decreases the quality of the exercise, for example, requiring more time to gain the same cardiovascular benefits.  One approach is to switch from (say) running to hiking uphill, thus decreasing velocity while increasing exertion.  This works quite well, at least until it comes time to hike back down the hill.

At this point, another formula comes into play, that for potential energy.  The energy released by lowering your elevation is your mass times the force of gravity time the difference in elevation.  With each step you take downhill, your body must dissipate this amount of energy.  Alternatively, you can transfer the potential energy into kinetic energy, but please see the previous discussion.  And again, this is what bicycles are for, at least for those retaining sufficiently fast reflexes to operate them safely under those conditions.  (Not me!!!)

The potential energy can be dissipated by your joints or by your muscles, with muscular dissipation normally being less damaging.  In other words, bend your knee and hip before, during, and after the time that your foot strikes the ground.  This gives your leg muscles more time to dissipate that step's worth of potential energy.  Walking backwards helps by bringing your ankle joint into play and also by increasing the extent to which your hip and knee can flex.  Just be careful to watch where you are going, as falling backwards down a hill is not normally what you want to be doing.  (Me, I walk backwards down the steepest slopes, which allow me to see behind myself just by looking down.  It is also helpful to have someone else watching out for you.)

Also, take small steps.  This reduces the difference in elevation, thus reducing the amount of energy that must be dissipated per step.

But wait!  This also increases the number of steps, so that the effect of reducing your stride cancels out, right?

Wrong.

First, longer stride tends to result in higher velocity, the damaging effects of which were described above.  Second, the damage your muscles incur while dissipating energy is non-linear with both the force that your muscles are exerting and the energy per unit time (also known as "power") that they are dissipating.  To see this, recall that a certain level of force/power will cause your muscle to rupture completely, so that a (say) 10x reduction in force/power results in much greater than a 10x reduction in damage.

These approaches allow you to get good exercise with minimal damage to your body.  Other strategies include the aforementioned bicycling as well as swimming.  Although I am fond of swimming, I recognize that it is my exercise endgame, and that I will therefore need to learn to like it.  But not just yet.

To circle back to the subject of the earlier blog post, one common term in the formulas for both kinetic and potential energy is one's mass.  And I do find hiking easier than it was when I weighed 30 pounds more than I do now.  Should I lose more weight?  On this, I defer to my wife, who is a dietitian.  She assures me that 180 pounds is my target weight.

So here I am!  And here I will endeavor to stay, despite my body's continued fear of the food-free winter that it has never directly experienced.

Version 4.8 of the SystemTap tracing tool is out. "Enhancements to this release include: kernel runtime improvements on multi-CPU systems, python3 tapset support through python3.11, tapset and template script for cve livepatching, bpf backend embedded-code assembler improvements".

The search for better performance from the kernel never ends. Recently there has been a stream of smaller patches that promise incremental performance gains, at least for some types of applications. Read on for an overview of two of those patches, which make changes to the epoll system calls and to NUMA balancing. This work shows where developers are looking for performance improvements — and that not everybody measures performance the same way.

Security updates have been issued by Debian (clickhouse, distro-info-data, and ntfs-3g), Fedora (firefox), Oracle (kernel), Slackware (mozilla), and SUSE (python-Flask-Security-Too).

Version 0.78 of Game of Trees has been released (and the port updated):

* got 0.78; 2022-11-03 - gotsh.1: Use Sx for referencing EXAMPLES (patch by Josiah Frentsos) - change got_pack_parse_offset_delta tslen argument to size_t (op) - fix regression test failures with Git 2.30.5 / 2.38.1 or later installed - fix gotd(8) usage() string (patch by Josiah Frentsos) - regress/rebase.sh: remove accidentally included absolute path to "got" (naddy) - fix off_t type mismatches in printf format string arguments (naddy, op) - fix spelling of "FastCGI" (patch by Josiah Frentsos) - add missing `goto done;' on error path of read_raw_delta_data() (op) - add bounds check when reading a delta offset from a packed object (op) - check size before calling mmap(2) (op) - sort getopt() option lists and switch statements (patch by Josiah Frentsos) - make got.conf(5) warn about remotes configured in locally-shared repositories - add missing check for errors from got_gotconfig_read() in open_worktree() - plug a memory leak on error in got_gotconfig_read() - convert pack filesize variables to off_t for large packs on 32-bit arch (op) - remove sendfd pledge promise from gotd repo_read and repo_write processes - add gotctl(8); initially supported commands are 'info' and 'stop' - respect umask when creating or changing files and directories (op) - fix typo which caused a double-free in gotd repo_write_shutdown() - got-fetch-pack: fix wrong memmove length leading to dubious checksum failures - avoid incomplete writes of pack file data in gotsh and got-send-pack - add a test suite for gotd(8); check basic clone and send functionality - require space between commit author name and email, for Git compatibility - gotwebd: avoid 500 error code if erroring out in plaintext mode (landry) - gotwebd: add respect_exportok flag, defaulting to off (landry) - respect open files resource limit when sizing pack cache; regression from 0.71 - provide a diff of changes in a temp file while editing a commit log message - fix memory and file descriptor leak for raw objects (regression from 0.77) - remove casts which made older gcc versions unhappy - fix free of wrong address on error in gotweb's parse.y

This release sees the introduction of gotctl(8), a utility for controlling gotd(8).

Brent Cook (bcook@) has announced the release of LibreSSL verion 3.6.1:

We have released LibreSSL 3.6.1, which will be arriving in the LibreSSL directory of your local OpenBSD mirror soon. This is the first stable portable LibreSSL release from the OpenBSD 7.2 branch. It includes the following fixes from LibreSSL 3.6.0: - Custom verification callbacks could cause the X.509 verifier to fail to store errors resulting from leaf certificate verification. Reported by Ilya Shipitsin. - Unbreak ASN.1 indefinite length encoding. Reported by Niklas Hallqvist. - Fix endian detection on macOS Reported by jiegec on Github For the changes from LibreSSL 3.5.x, see the 3.6.0 release notes here: https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.6.0-relnotes.txt The LibreSSL project continues improvement of the codebase to reflect modern, safe programming practices. We welcome feedback and improvements from the broader community. Thanks to all of the contributors who helped make this release possible.

Security updates have been issued by Debian (pypy3), Fedora (drupal7, git, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, and php), Oracle (kernel, lua, openssl, pcs, php-pear, pki-core, python3.9, and zlib), Red Hat (kernel, kernel-rt, kpatch-patch, lua, openssl-container, pcs, php-pear, pki-core, python3.9, and zlib), Scientific Linux (kernel, pcs, and php-pear), SUSE (EternalTerminal, hsqldb, ntfs-3g_ntfsprogs, privoxy, rubygem-actionview-4_2, sqlite3, and xorg-x11-server), and Ubuntu (ntfs-3g, python3.10, and sqlite3).

The first Image-Based Linux Summit was held in Berlin on October 5 and 6, 2022. The main goal of this summit was to agree on common concepts and tooling for how to build, deploy, and run modern, secure, image-based Linux distributions — a project that that the organizers, Christian Brauner, Luca Boccassi, and Lennart Poettering, have been working on for some time. The result was a more refined vision of how Linux systems can be built and deployed securely.

Greg Kroah-Hartman has announced the release of the 6.0.7, 5.15.77, 5.10.153, 5.4.223, 4.19.264, 4.14.298, and 4.9.332 stable kernels. As usual, they contain important fixes throughout the kernel tree.

Version 1.65.0 of the Rust language has been released. Improvements include generic associated types, a new let...else statement, and the ability to break from labeled blocks:

Plain block expressions can now be labeled as a break target, terminating that block early. This may sound a little like a goto statement, but it's not an arbitrary jump, only from within a block to its end. This was already possible with loop blocks, and you may have seen people write loops that always execute only once, just to get a labeled break.

The LWN.net Weekly Edition for November 3, 2022 is available.

It is not often that you see a Fedora change proposal for a version of the distribution that will not be available for 18 months or so, but that is exactly what was recently posted to the mailing list. The change targets the C source code in the myriad of packages that the distribution ships; it would fix code that uses some ancient compatibility features that were removed by the C99 standard but are still supported by GCC. As might be guessed from the long runway proposed, there is quite a bit of work to do to get there.

Phylum has posted an article with a detailed look at a set of malicious packages discovered by an automated system they have developed.

Similar to this attacker’s previous attempts, this particular attack starts by copying existing popular libraries and simply injecting a malicious __import__ statement into an otherwise healthy codebase. The benefit this attacker gained from copying an existing legitimate package, is that because the PyPI landing page for the package is generated from the setup.py and the README.md, they immediately have a real looking landing page with mostly working links and the whole bit. Unless thoroughly inspected, a brief glance might lead one to believe this is also a legitimate package.

Security updates have been issued by Debian (ffmpeg and linux-5.10), Fedora (libksba, openssl, and php), Gentoo (openssl), Mageia (curl, gdk-pixbuf2.0, libksba, nbd, php, and virglrenderer), Red Hat (kernel, kernel-rt, libksba, and openssl), SUSE (gnome-desktop, hdf5, hsqldb, kernel, nodejs10, openssl-3, php7, podofo, python-Flask-Security, python-lxml, and xorg-x11-server), and Ubuntu (backport-iwlwifi-dkms, firefox, ntfs-3g, and openssl).

The 5.4.222, 4.19.263, and 4.14.297 stable kernel updates have been released. The first two contain a single patch for a Clang compilation error; 4.14.297, instead, has a number of fixes and speculative-execution mitigations.

At the recently concluded Netdev 0x16 conference, which was held both in Lisbon, Portugal and virtually, Stanford professor John Ousterhout gave his personal views on where networking in data centers needs to be headed. To solve the problems that he sees, he suggested some "fairly significant changes" to those environments, including leaving behind the venerable—ubiquitous—TCP transport protocol. While LWN was unable to attend the conference itself, due to scheduling and time-zone conflicts, we were able to view the video of Ousterhout's keynote talk to bring you this report.

The much-anticipated OpenSSL 3.0.7 release, which fixes some high-risk security problems, is available. The release notes list two vulnerabilities (CVE-2022-3786 and CVE-2022-3602) that have not yet been documented on the OpenSSL vulnerabilities page. LWN commenter mat2 has provided the relevant information, though. It is worth updating quickly, but many sites do not appear to be at immediate risk.

Update: the associated security advisory is now available.