News reader

[$] Python and deprecations redux

3 years 6 months ago
The problem of how to deprecate pieces of the Python language in a minimally disruptive way has cropped up in various guises over the last few years—in truth, it has been wrangled with throughout much of the language's 30-year history. The scars of the biggest deprecation, that of Python 2, are still rather fresh, both for users and the core developers, so no one wants (or plans) a monumental change of that sort. But the language community does want to continue evolving Python, which means leaving some "baggage" behind; how to do so without leaving further scars is a delicate balancing act, as yet another discussion highlights.
jake

Kasper: a tool for finding speculative-execution vulnerabilities

3 years 6 months ago
The Systems and Network Security Group at Vrije Universiteit Amsterdam has announced a tool called Kasper that is able to scan the kernel source and locate speculative-execution vulnerabilities:

Namely, it models an attacker capable of controlling data (e.g., via memory massaging or value injection a la LVI), accessing secrets (e.g., via out-of-bounds or use-after-free accesses), and leaking these secrets (e.g., via cache-based, MDS-based, or port contention-based covert channels). As a result, Kasper discovered 1,379 previously unknown gadgets in the heavily-hardened Linux kernel.

The page includes a discussion of a vulnerability in the kernel's linked-list implementation as well as links to the code and the full paper. (Thanks to Paul Wise).

corbet

Security updates for Tuesday

3 years 6 months ago
Security updates have been issued by Debian (ipython), Fedora (kernel and usbview), Gentoo (webkit-gtk), Oracle (java-1.8.0-openjdk), Red Hat (kpatch-patch and samba), Scientific Linux (samba), Slackware (kernel), SUSE (kernel and samba), and Ubuntu (samba).
corbet

[$] Restartable sequences in glibc

3 years 6 months ago
"Restartable sequences" are small segments of user-space code designed to access per-CPU data structures without the need for heavyweight locking. It is a relatively obscure feature, despite having been supported by the Linux kernel since the 4.18 release. Among other things, there is no support in the GNU C Library (glibc) for this feature. That is about to change with the upcoming glibc 2.35 release, though, so a look at the user-space API for this feature is warranted.
corbet

Debian tweaks its resolution process

3 years 6 months ago
The vote has concluded in the Debian project on a general resolution affecting the way such resolutions are discussed in the future. The changes, as proposed by Russ Allbery, have been adopted with the required three-to-one supermajority, though the overall level of voting was low. The new process is mostly as described in this article from October with a few changes. The end result may be to shorten the discussion period for controversial issues and make the end of that period more predictable.
corbet

Nitrux 2.0.0 released

3 years 6 months ago
Version 2.0.0 of the Debian-based Nitrux distribution is available. "This new version brings together the latest software updates, bug fixes, performance improvements, and ready-to-use hardware support."
corbet

Security updates for Monday

3 years 6 months ago
Security updates have been issued by Debian (apache-log4j1.2, expat, libraw, prosody, and python-nbxmpp), Fedora (chromium, hiredis, java-11-openjdk, java-latest-openjdk, lua, rust-afterburn, rust-ammonia, rust-askalono-cli, rust-below, rust-cargo-c, rust-cargo-insta, rust-fd-find, rust-insta, rust-lsd, rust-oxipng, rust-python-launcher, rust-ripgrep, rust-ron, rust-ron0.6, rust-similar, rust-similar-asserts, rust-skim, rust-thread_local, rust-tokei, vim, wpa_supplicant, and zola), Gentoo (chromium, chrome), openSUSE (log4j12), Oracle (log4j and polkit), Scientific Linux (java-1.8.0-openjdk), SUSE (log4j12), and Ubuntu (ldns).
jake

Kernel prepatch 5.17-rc2

3 years 6 months ago
The 5.17-rc2 kernel prepatch is out for testing.

Nothing hugely surprising here - it's a bit on the bigger side for being an rc2, but maybe part of that is that there's a NFS client merge-window pull request that got merged late due to it having been marked as spam.

corbet

[$] Handling argc==0 in the kernel

3 years 6 months ago
By now, most readers are likely to be familiar with the Polkit vulnerability known as CVE-2021-4034. The fix for Polkit is relatively straightforward and is being rolled out across the net. The root of this problem, though, lies in a misunderstanding about how programs are run on Unix-like systems. This problem is highly likely to exist in other programs, so it would be nice to find a more general solution. The best place to address this issue may be in the kernel, but properly working around this misunderstanding without causing regressions is not an easy task.
corbet

Security updates for Friday

3 years 6 months ago
Security updates have been issued by CentOS (java-1.8.0-openjdk), Debian (graphicsmagick), Fedora (grafana), Mageia (aom and roundcubemail), openSUSE (log4j and qemu), Oracle (parfait:0.5), Red Hat (java-1.7.1-ibm and java-1.8.0-openjdk), Slackware (expat), SUSE (containerd, docker, log4j, and strongswan), and Ubuntu (cpio, shadow, and webkit2gtk).
jake

Rosenzweig: Writing an open source GPU driver – without the hardware

3 years 6 months ago
Here's a war story from Alyssa Rosenzweig on the process of writing a free driver for Arm's "Valhall" GPUs without having the hardware to test it on.

In 2021, there were no Valhall devices running mainline Linux. While a lack of devices poses an obvious obstacle to device driver development, there is no better time to write drivers than before hardware reaches end-users. Developing and distributing production-quality drivers takes time, and we don’t want users to be reliant on closed source blobs. If development doesn’t start until a device hits shelves, that device could reach “end-of-life” by the time there are mature open drivers. But with a head start, we can have drivers ready by the time devices reach end users.

corbet

LSFMM 2022 call for proposals

3 years 6 months ago
The Linux Storage, Filesystem, Memory-Management, and BPF Summit is scheduled for May 2 to 4 in Palm Springs, California; with luck it will actually happen this year. As usual, it is an invitation-only event, with a preference for those who bring interesting topics to discuss. The call for proposals is out now, with a request for proposals to arrive before March 1.
corbet

GNU poke 2.0 released

3 years 6 months ago
Version 2.0 of GNU Poke, a binary-data editor, has been released. "A lot of things have changed and improved with respect to the 1.x series; we have fixed many bugs and added quite a lot of new exciting and useful features." Look below for an extensive list of changes.
corbet

[$] An attic for LibreOffice Online

3 years 6 months ago
In mid-December, Thorsten Behrens, a board member for the Document Foundation (TDF), posted a seemingly simple proposal for an "attic" that would become the home of abandoned projects. No specific projects were named as the first intended residents of the attic, but the proposal clearly related to the LibreOffice Online (LOOL) project. The following discussion made it clear that the unhappiness around LOOL has yet to fade away, and that the Foundation still has some work to do when it comes to defining its relationship with its corporate members.
corbet

Security updates for Thursday

3 years 6 months ago
Security updates have been issued by CentOS (polkit), Debian (uriparser), Fedora (cryptsetup, flatpak, flatpak-builder, and polkit), Gentoo (polkit), Mageia (virtualbox), Red Hat (httpd24-httpd, httpd:2.4, and parfait:0.5), SUSE (clamav, log4j, python-numpy, and strongswan), and Ubuntu (vim).
jake

[$] Goodbye FLoC, hello Topics

3 years 6 months ago
Back in May, we looked at a Google proposal to replace third-party cookies with something called the "Federated Learning of Cohorts" (FLoC). Third-party cookies were once used to track users all over the web so that advertisers could, supposedly, target their ads better, but, of the major browsers, only Google's Chrome browser fails to block them today. Google took a fair amount of flak for FLoC, since it was not perceived to be much of a win for users' privacy—and was mostly a sop to the (Google-dominated) web-advertising industry. Now the company is back with a different proposal that could, eventually, replace third-party cookies in Chrome: Topics.
jake