Hírolvasó

Security updates have been issued by Mageia (apache-mod_auth_openidc, bind, bluez, cifs-utils, ffmpeg, gnome-autoar, guacd, kernel, kernel-linus, qtwebsockets5, slic3r, tunnel, wavpack, wireshark, and xscreensaver), openSUSE (apache2, cryptctl, go1.15, libnettle, python-rsa, salt, thunderbird, wireshark, libvirt, sbc, libqt5-qtmultimedia, xstream, and xterm), and SUSE (cryptctl, freeradius-server, libnettle, and libsolv).

The LWN.net Weekly Edition for June 24, 2021 is available.

There is an ongoing effort to "modernize" the kernel-development process; so far, the focus has been on providing better tools that can streamline the usual email-based workflow. But that "email-based" part has proven to be problematic for some potential contributors, especially those who might want to simply submit a small bug fix and are not interested in getting set up with that workflow. The project-hosting "forge" sites, like GitHub and GitLab, provide a nearly frictionless path for these kinds of one-off contributions, but they do not mesh well—at all, really—with most of mainline kernel development. There is some ongoing work that may change all of that, however.

At the behest of the Linux Foundation, a security-oriented review of the kernel project's release-signing and key-management practices was done; the report from this work has now been published.

This review resulted in seven recommendations that can help improve the robustness of the security and use of the signing keys for the Linux Kernel. Additionally, Trail of Bits suggested that more comprehensive and up to date documentation on the current procedures and policies are needed to help organizations around the world to best understand the current stratagem.

See the full report for the details.

For those wanting lots of grungy details about how the PipeWire system works, this blog entry from Patrick Louis should be of interest.

The session manager is the piece of software that is responsible for the policy: to find and configure devices, attach them appropriately to the graph, set and restore their properties if needed, route streams to the right device, set their volume, and more. It can create it’s own objects in the PipeWire graph related to session management such as endpoints and links between them, a sort of abstraction on top of PipeWire nodes. There are currently two implementations of the session manager: pipewire-media session and WirePlumber.

SUSE Linux Enterprise (SLE) 15 SP3 has been released.

With the release of SLES 15 SP3 we now have 100% binary compatibility with openSUSE Leap 15.3 (our developer platform). That means that you can smoothly move workloads from development to production environments that run SLE 15 SP3 – and back again – with assured application compatibility.

See the release notes for additional information.

Stable kernels 5.12.13, 5.10.46, and 5.4.128 have been released with the usual set of important fixes. Users should upgrade.

Note that 5.12.13 and 5.10.46 contain a fix for a significant Spectre vulnerability; stay tuned to LWN for details.

Security updates have been issued by Debian (kernel and linux-4.19), Fedora (tor), Oracle (rh-postgresql10-postgresql), Red Hat (kernel), SUSE (ansible, apache2, dovecot23, OpenEXR, ovmf, and wireshark), and Ubuntu (linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-gke, linux-gke-5.4, linux-gkeop, linux-gkeop-5.4, linux-hwe-5.4, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux, linux-aws, linux-aws-5.8, linux-azure, linux-azure-5.8, linux-gcp, linux-gcp-5.8, linux-hwe-5.8, linux-kvm, linux-oracle, linux-oracle-5.8, linux-raspi, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-dell300x, linux-gcp, linux-gcp-4.15, linux-hwe, linux-oracle, linux-raspi2, linux-snapdragon, linux, linux-aws, linux-azure, linux-gcp, linux-oracle, linux-raspi, linux-hwe, linux-gke-5.3, linux-raspi2-5.3, linux-oem-5.10, and thunderbird).

Python 3.10 is proceeding apace; everything looks to be on track for the final release, which is expected on October 4. The beta releases started in early May, with the first of those marking the feature-freeze for this version of the language. There are a number of interesting changes that are coming with Python 3.10, including what is perhaps the "headline feature": structural pattern matching.

Security updates have been issued by Fedora (audacity), openSUSE (chromium), Oracle (glib2), SUSE (Salt and salt), and Ubuntu (apache2 and openexr).

Alex Colomar and I have released released man-pages-5.12. The release tarball is available on kernel.org. The browsable online pages can be found on man7.org. The Git repository for man-pages is available on kernel.org.

This release resulted from patches, bug reports, reviews, and comments from around 40 contributors. The release includes more than 300 commits that changed around 180 manual pages.

The most notable of the changes in man-pages-5.12 are the following:

• A very large number of global edits by Alex Colomar to the SYNOPSIS section of many manual pages. These include changes to the way the system calls that have no wrapper function in glibc are documented, as well more precise information about which header files are needed, and why, by various APIs.
  
• A new seccomp_unotify(2) page, written by me (with help from Tycho Andersen, Jann Horn, Kees Cook, Christian Brauner, and Sargun Dhillon), that documents the seccomp user-space notification feature.
• Alex Colomar wrote a new MAX(3) manual page documenting the MAX() and MIN() functions provided by glibc.
  
• Alex Colomar added a documentation of a number of further types to the system_data_types(7) page.

Special thanks to Alex, who was once again the largest contributor in this release!

We are pleased to announce that the Toolchains and Kernel Microconference has been accepted into the 2021 Linux Plumbers Conference. Toolchains are the main part of any development, as they create the executables from the code a developer writes. In order to run efficiently on the operating system, there needs to be a strong understanding of the interface between the application and the kernel it runs on. This microconference is focused on the integration of toolchains and the Linux kernel.

Since last year’s meet up, the following has been accomplished:

• Linux-toolchains mailing list and archive created.
• Rust-for-linux Github org established. Patches move from out of tree module building, to in tree module building.
• CI for kernel builds with LLVM moved to tuxbuild after an unexpected “no more free lunch” from TravisCI.
• LTO support landed in mainline.
• PGO patches sent upstream.
• At least one bugfix sent found via clang-tidy/clang-analyzer, discussions around driving tree wide cleanups via clang-tidy.
• GCC implemented support for asm goto with outputs
• Support for auto-initialized automatics in GCC is being worked out in GCC upstream. This is one of the security features that were deemed as desirable by the kernel last year. Work on the other missing desired security features is WIP.

This year’s topics to be discussed include:

• Upstreaming Rust Support
• Using Clang’s locking annotations
• Memory ordering progress in the C/C++ standards committees
• Toolchain security feature requests
• Post Link Optimization of the kernel with Binary Optimization and Layout Tool (BOLT)
• Objtool on arm64[4]
• DWARF, CTF and BTF
• BPF/BTF/CORE support in the GNU Toolchain
• Using BTF for ABI analysis

Come and join us in the discussion of making the toolchains work better with the Linux kernel.

We hope to see you there.

Rocky Linux is a community enterprise operating system, created by Gregory Kurtzer, founder of the CentOS project. Rocky Linux 8.4 has been released for x86-64 and aarch64. "Sufficient testing has been performed such that we have confidence in its stability for production systems."

The kernel-development community has long had a tense relationship with companies that create and ship proprietary loadable kernel modules. In the view of many developers, such modules are a violation of the GPL and should simply be disallowed. That has never happened, though; instead, the community has pursued a policy of legal ambiguity and technical inconvenience to discourage proprietary modules. A "technical-inconvenience" patch that was merged nearly one year ago has begun to show up in stable kernel releases, leading at least one developer to complain that things have gone a little too far.

Security updates have been issued by Arch Linux (connman, go, and grub), Debian (nettle, prosody, and tor), Fedora (iaito, mingw-ilmbase, mingw-openexr, mingw-python-urllib3, mosquitto, nettle, polkit, and radare2), Mageia (puddletag, python-babel, python-eventlet, and python-pikepdf), openSUSE (htmldoc), SUSE (go1.15, go1.16, gupnp, and libgcrypt), and Ubuntu (apache2 and dovecot).

The 5.13-rc7 kernel prepatch is out for testing. "So there's not a huge number of patches in here, and most of the patches are pretty small too. A fair number of one-liners and 'few-liners'. Which is just how I like it."

For reasons that have not been disclosed on the list, the codename for this release has been changed to "Opossums on Parade".

Since our previous report, there has been significant progress on support for riscv64:

• There's now a web page for the platform, with details of (broadened) hardware support (for those lucky/deserving enough to have hardware, of course).
• Following some commits from Dale Rahn (drahn@), install sets now include xenocara.

As always, thanks to those involved!

We are pleased to announce that the Tracing Microconference has been accepted into the 2021 Linux Plumbers Conference. Tracing in the Linux kernel is constantly improving. Tracing was officially added to Linux in 2008. Since then, more tooling has been constantly added to help out with visibility. The work is still ongoing, with Perf, ftrace, Lttng, and eBPF. User space tooling is expanding and as the kernel gets more complex, so does the need for facilitating seeing what is going on under the hood.

Since the last tracing meetup at Linux Plumbers in 2019, a few accomplishments have come out of it:

• The final design of bootconfig came out, which enables kernel command lines be attached to the init ramdisk.
• Discussion on how to simplify the interface to ftrace histograms from user-space resulted in a SQL like utility (still being worked on, but almost finished). This came from the help of the database folks.
• After several rounds of trying to have perf share PMUs (beyond the hardware limit), another approach was taken to use a BPF based solution that does not need any kernel changes. Now perf can use BPF to aggregate counters.
• Work to natively incorporate ftrace into the babeltrace library has moved forward, although more still needs to be done for it to be completed.

This year’s topics to be discussed include:

• Tracepoints that allow faults. It may be necessary to read user space address, but currently because tracepoints disable preemption, it can not sleep, nor fault. And then there’s the possibilities of causing locking issues.
• Function parameter parsing. Now that on x86 function tracing has full access to the arguments of a function, it is possible to record them as they are being traced. But knowing how to read the parameters may be difficult, because it is necessary to know the prototype of the function to do so. Having some kind of mapping between functions and how to read their parameters would be useful. Using BTF is a likely candidate.
• Consolidating tracing of return of a function. Currently there’s three use cases that hook to the return of a function, and they all do it differently. kretprobes, function graph tracer, and eBPF.
• User space libraries. Now that libtraceevent, libtracefs, and libtracecmd have been released, what tooling can be built around them. Also, improving the libtraceevent API to be more intuitive.
• Improving the libtracefs API to handle kprobes and uprobes easier.
• Python interface. Working on getting the libraries a python interface to allow full tracing from within python scripts.
• Tracing containers. What would be useful to expose on creating and running containers.

Come and join us and not only learn but help direct the future progress of tracing inside the Linux kernel and beyond!

We hope to see you there!

The 5.12.12, 5.10.45, and 5.4.127 stable kernels have been released. They contain important fixes, as usual, so users should upgrade.

Memory ordering issues are, as Linus Torvalds recently observed, "the rocket science of CS". Understanding memory ordering is increasingly necessary to write scalable code, so kernel developers often find themselves having to become rocket scientists. The subtleties associated with control dependencies turn out to be an especially tricky sort of rocket. A recent discussion about how to force control dependencies to be observed shows the sorts of difficulties that arise in this area.