Hírolvasó

Linux Plumbers Conference 2022 is pleased to host the Containers and Checkpoint/Restore Microconference

The Containers and Checkpoint/Restore Microconference focuses on both userspace and kernel related work. The micro-conference targets the wider container ecosystem ideally with participants from all major container runtimes as well as init system developers.

Potential discussion topcis include :

• User namespace improvements
• System call interception
• LSM improvements and LSM namespacing
• CGroup2 transition, emulation and future extensions
• Memory isolation
• CRIU and hardware security features
• Restartable sequences (rseq()) support
• Support for C/R of GPU and other directly accessed hardware
• Checkpoint/Restore standardization effort (driven by HPC)
• Kubernetes and container migration

Please come and join the discussion centered on what holds “The Cloud” together.

We hope to see you there!

The LWN.net Weekly Edition for May 26, 2022 is available.

Right on the heels of his previous filesystem session at the 2022 Linux Storage, Filesystem, Memory-management and BPF Summit (LSFMM), Steve French led a session on temporary files and their interaction with network filesystems. The problem is that creating temporary files is not always atomic, so he was proposing changing that, which would eliminate a possible race condition and be more efficient for network filesystems. Since the temporary-file discussion did not fill the 30-minute slot, however, French took the opportunity to discuss some attributes he would like to see get added for the statx() system call.

Steve French led a discussion on change notifications for network filesystems in a session at the 2022 Linux Storage, Filesystem, Memory-management and BPF Summit (LSFMM). He is part of the Samba team and noted that both Windows and macOS clients get notified of new and changed files in a shared directory immediately, while on Linux that does not happen. He wanted to explore what it would take to add that functionality.

The Linux Foundation has posted an "Open Source Software Security Mobilization Plan" that aims to address a number of perceived security problems with the expenditure of nearly $140 million over two years.

While there are considerable ongoing efforts to secure the OSS supply chain, to achieve acceptable levels of resilience and risk, a more comprehensive series of investments to shift security from a largely reactive exercise to a proactive approach is required. Our objective is to evolve the systems and processes used to ensure a higher degree of security assurance and trust in the OSS supply chain.

This paper suggests a comprehensive portfolio of 10 initiatives which can start immediately to address three fundamental goals for hardening the software supply chain. Vulnerabilities and weaknesses in widely deployed software present systemic threats to the security and stability of modern society as government services, infrastructure providers, nonprofits and the vast majority of private businesses rely on software in order to function.

Here's an update from F-Droid regarding upcoming changes to its build and distribution infrastructure.

If you have an app on f-droid.org, you might have noticed that all builds happen on a 5 year old Debian release: stretch. We are in the midst of a big effort to upgrade to the latest bullseye release right now. This is not just a simple apt-get upgrade, we are also taking this opportunity to overhaul the build process so that app builds work with a relatively plain Debian install as the base OS. We have to provide a platform to build thousands of apps, so we cannot just upgrade the base image as often as we like.

The 5.17.10, 5.15.42, 5.10.118, 5.4.196, 4.19.245, 4.14.281, and 4.9.316 stable kernel updates have all been released; each contains another set of important fixes.

Update: the 5.17.11 and 5.15.43 updates followed immediately thereafter with a single MPTCP networking fix.

Security updates have been issued by Debian (lrzip and puma), Fedora (plantuml and plib), Oracle (kernel and kernel-container), Red Hat (firefox, kernel, kpatch-patch, subversion:1.14, and thunderbird), Scientific Linux (firefox and thunderbird), SUSE (kernel-firmware, libxml2, pcre2, and postgresql13), and Ubuntu (accountsservice, postgresql-10, postgresql-12, postgresql-13, postgresql-14, and rsyslog).

On the second day of the 2022 Linux Storage, Filesystem, Memory-management and BPF Summit (LSFMM), Goldwyn Rodrigues led a combined filesystem and memory-management session on saving memory when reading files that share extents. That kind of sharing can occur with copy-on-write (COW) filesystems, reflinks, snapshots, and other features of that sort. When reading those files, memory is wasted because multiple copies of the same data is stored in the page cache, so he wanted to explore adding a cache specifically to handle that.

This Google blog entry looks at some zero-day Android exploits that were detected and makes it clear what the stakes are.

We assess with high confidence that these exploits were packaged by a single commercial surveillance company, Cytrox, and sold to different government-backed actors who used them in at least the three campaigns discussed below. Consistent with findings from CitizenLab, we assess likely government-backed actors purchasing these exploits are operating (at least) in Egypt, Armenia, Greece, Madagascar, Côte d’Ivoire, Serbia, Spain and Indonesia.

In a fast-paced talk at PyCon 2022 in Salt Lake City, Utah, Pablo Galindo Salgado described some changes he and others have made to the error reporting for CPython 3.10. He painted a picture of a rather baffling set of syntax errors reported by earlier interpreter versions and how they have improved. This work is not done by any means, he said, and encouraged attendees to get involved in making error reporting even better in future Python versions.

Security updates have been issued by Debian (firefox-esr and openldap), Fedora (curl), Oracle (kernel and kernel-container), Red Hat (maven:3.5), SUSE (cacti, cacti-spine, firefox, go1.18, openldap2, python-requests, rsyslog, and slurm_20_11), and Ubuntu (firefox, htmldoc, libpng, libxfixes, libxrender, thunderbird, and vim).

Version 3.16.0 of the Alpine Linux distribution has been released. Significant changes include a switch to tmpfs for the /tmp directory, the splitting out of a number of NetworkManager plugins into separate packages, the removal of Python 2, and a lot of updated packages; see the release notes for more information.

The 5.18 kernel was released on May 22 after a nine-week development cycle. That can only mean that the time has come to look at some of the statistics behind this release, which was one of the busiest in a while. Read on for a look at the 5.18 kernel, where the code in this release came from, and how it found its way into the mainline.

Systemd 251 is out. The list of changes includes an increase of the minimum kernel version to 4.15, use of C11 to build the program, increased use of filesystem ID mapping, and many other things; see the announcement for all the details.

Security updates have been issued by Debian (admesh, condor, firefox-esr, libpgjava, libxml2, rsyslog, and thunderbird), Fedora (dotnet6.0, libarchive, php-openpsa-universalfeedcreator, thunderbird, and vim), Mageia (ffmpeg, kernel, kernel-linus, microcode, netatalk, nvidia-current, nvidia390, opencontainers-runc, postgresql, and ruby-nokogiri), Slackware (mariadb and mozilla), and SUSE (curl, firefox, libarchive, librecad, libxls, openldap2, php7, and postgresql10).

Linux Plumbers Conference 2022 is pleased to host the Kernel Testing & Dependability Microconference

The Kernel Testing & Dependability Microconference focuses on advancing the state of testing of the Linux kernel and testing on Linux in general. The main purpose is to improve software quality and dependability for applications that require predictability and trust. The microconference aims to create connections between folks working on similar projects, and help individual projects make progress

This microconference is a merge of Testing and Fuzzing and the Kernel Dependability and Assurance microconferences into a single session. There was a lot of overlap in topics and attendees of these MCs and and combining the two tracks will promote collaboration between all the interested communities and people.

The Microconference is open to all topics related to testing on Linux, not necessarily in the kernel space.

• Potential testing and dependability topics include:
• KernelCI: Improving user experience and new web dashboard
• Growing KCIDB, integrating more sources
• Better sanitizers: KFENCE, improving KCSAN
• Using Clang for better testing coverage
• How to spread KUnit throughout the kernel?
• Building and testing in-kernel Rust code.
• Identify missing features that will provide assurance in safety critical systems.
• Which test coverage infrastructures are most effective to provide evidence for kernel quality assurance? How should it be measured?
• Explore ways to improve testing framework and tests in the kernel with a specific goal to increase traceability and code coverage.
• Regression Testing for safety: Prioritize configurations and tests critical and important for quality and dependability.
• Transitioning to test-driven kernel release cycles for mainline and stable: How to start relying on passing tests before releasing a new version?
• Explore how do SBOMs figure into dependability?

Please come and join us in the discussion on how we can assure that Linux becomes the most trusted and dependable software in the world!

We hope to see you there!

Linus has released the 5.18 kernel. "No unexpected nasty surprises this last week, so here we go with the 5.18 release right on schedule." Some of the headline changes in this release include the DAMOS memory-management interface, a number of random-number-generator improvements, the Intel software-defined silicon driver, strict memcpy() bounds checking, a switch to the C11 standard, and more. Also, the Reiserfs filesystem has been deprecated and the last vestiges of a.out support have been removed. See the LWN merge-window summaries (part 1, part 2) and the KernelNewbies 5.18 page for more details.

LibreSSL 3.5.3 was released on May 18th, 2022.

The release notes may be found here:
https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.5.3-relnotes.txt

However, given the release notes are rather brief, they are quoted here in their entirety:

We have released LibreSSL 3.5.3, which will be arriving in the LibreSSL directory of your local OpenBSD mirror soon. It includes the following reliability fix: * Fix d2i_ASN1_OBJECT(). A confusion of two CBS resulted in advancing the passed *der_in pointer incorrectly. Thanks to Aram Sargsyan for reporting the issue and testing the fix. The LibreSSL project continues improvement of the codebase to reflect modern, safe programming practices. We welcome feedback and improvements from the broader community. Thanks to all of the contributors who helped make this release possible.

For readers who want to follow our article stream on Mastodon, LWN now (finally) has a presence in the Fosstodon community; you can find us at @LWN@fosstodon.org.