Hírolvasó

The 5.8.7 and 5.4.63 stable kernels are out with a relatively small number of important fixes.

The Free Software Foundation (FSF) has announced that nominations are open, until October 28, for the Free Software Awards. Winners will be announced at the annual LibrePlanet conference. "You might know of a contributor or organization who has done significant and user-empowering work on free software. We invite you to take a moment to show them (and tell us) that you care, by nominating them for an award in one of three categories: the Award for the Advancement of Free Software, the Award for Projects of Social Benefit, or the Award for Outstanding New Free Software Contributor. Don't assume that someone else will nominate them -- too often, everyone assuming someone else will express the appreciation means that it never happens. As taking initiative and speaking up for the community are important parts of free software, why not take the time yourself to make sure your voice is heard?"

On September 1, the Linux From Scratch (LFS) project announced the release of version 10.0 of LFS along with Beyond Linux From Scratch (BLFS). LFS is "a project that provides you with step-by-step instructions for building your own customized Linux system entirely from source"; BLFS picks up where LFS leaves off. Both books are available online either with or without systemd: LFS System V, LFS systemd, BLFS System V, and BLFS systemd. "The LFS release includes updates to glibc-2.31, and binutils-2.34. A total of 35 packages have been updated. A new package, zstd-1.4.4, has also been added. Changes to text have been made throughout the book. The Linux kernel has also been updated to version 5.5.3. The BLFS version includes approximately 1000 packages beyond the base Linux From Scratch Version 9.1 book. This release has over 840 updates from the previous version in addition to numerous text and formatting changes."

The 2020 Linux Plumbers Conference (LPC) was meant to be held in Halifax, Nova Scotia, Canada at the end of August. As it happens, your editor was on the organizing committee for that event and thus got a close view of what happens when one's hopes for discussing memory-management changes on the Canadian eastern seaboard become one of the many casualties of an ongoing pandemic. Transforming LPC into a successful online experience was a lot of work, but the results more than justified the effort. Read on for some notes and thoughts from the experience of making LPC happen in 2020.

Security updates have been issued by Fedora (curl, dovecot, geary, httpd, lua, mysql-connector-java, and squid), Mageia (lua and lua5.3, sane, and squid), Oracle (dovecot), Scientific Linux (dovecot), SUSE (java-1_7_1-ibm, kernel, php5, and xorg-x11-server), and Ubuntu (firefox).

James Bottomley got a copy of the patent-suit settlement between the GNOME Foundation and Leigh Rothschild and has posted an analysis. "Although the agreement achieves its aim, to rid all of Open Source of the Rothschild menace, it also contains several clauses which are suboptimal, but which had to be included to get a speedy resolution. In particular, Clause 10 forbids the GNOME foundation or its affiliates from publishing the agreement, which has caused much angst in open source circles about how watertight the agreement actually was. Secondly Clause 11 prohibits GNOME or its affiliates from pursuing any further invalidity challenges to any Rothschild patents leaving Rothschild free to pursue any non open source targets. Fortunately the effect of clause 10 is now mitigated by me publishing the agreement and the effect of clause 11 by the fact that the Open Invention Network is now pursuing IPR invalidity actions against the Rothschild patents."

GNU Privacy Guard (GnuPG or GPG) has released version 2.2.23 to fix a critical security bug affecting GnuPG 2.2.21 and 2.2.22, as well as Gpg4win 3.1.12. "Importing an OpenPGP key having a preference list for AEAD algorithms will lead to an array overflow and thus often to a crash or other undefined behaviour. Importing an arbitrary key can often easily be triggered by an attacker and thus triggering this bug. Exploiting the bug aside from crashes is not trivial but likely possible for a dedicated attacker. The major hurdle for an attacker is that only every second byte is under their control with every first byte having a fixed value of 0x04. Software distribution verification should not be affected by this bug because such a system uses a curated list of keys."

One of the many unfortunate consequences of the Covid-19 pandemic was the cancellation of the 2020 GNU Tools Cauldron. That loss turned out to be a gain for the Linux Plumbers Conference, which was able to add a GNU Tools track to host many of the discussions that would have otherwise occurred at Cauldron. In that track, Ian Bearman presented his group's work using profile-guided optimization with the Linux kernel. This technique, which he often referred to as "pogo", is not straightforward to apply to the kernel, but the benefits would appear to justify the effort.

Greg Kroah-Hartman has released six new stable kernels: 5.8.6, 5.4.62, 4.19.143, 4.14.196, 4.9.235, and 4.4.235. As usual, they contain fixes throughout the tree and users should upgrade.

Kees Cook catches up with the security-relevant changes in the 5.6 kernel release. "With my 'attack surface reduction' hat on, I remain personally suspicious of the io_uring() family of APIs, but I can’t deny their utility for certain kinds of workloads. Being able to pipeline reads and writes without the overhead of actually making syscalls is pretty great for performance. Jens Axboe has added the IORING_OP_OPENAT command so that existing io_urings can open files to be added on the fly to the mapping of available read/write targets of a given io_uring. While LSMs are still happily able to intercept these actions, I remain wary of the growing 'syscall multiplexer' that io_uring is becoming."

Security updates have been issued by Debian (asyncpg and uwsgi), Mageia (cairo), openSUSE (chromium, kernel, and postgresql10), Red Hat (dovecot and squid:4), SUSE (curl, java-1_7_0-ibm, java-1_7_1-ibm, java-1_8_0-ibm, kernel, libX11, php7, squid, and xorg-x11-server), and Ubuntu (apport, libx11, and xorg-server, xorg-server-hwe-16.04, xorg-server-hwe-18.04).

The LWN.net Weekly Edition for September 3, 2020 is available.

New to the forthcoming PHP 8.0 release is a feature called match expressions, which is a construct designed to address several shortcomings in PHP's switch statement. While it took three separate request-for-comment (RFC) proposals in order to be accepted, the new expression eventually received broad support for inclusion.

Security updates have been issued by CentOS (firefox), Mageia (mutt and putty), openSUSE (ldb, samba, libqt5-qtbase, opera, and postgresql10), Red Hat (bash, kernel, and libvncserver), SUSE (apache2, curl, and squid), and Ubuntu (ark, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-gcp, linux-gcp-4.15, linux-gke-4.15, linux-kvm, linux-oem, linux-oracle, linux-raspi2, linux-snapdragon, linux, linux-aws, linux-kvm, linux-lts-xenial, linux-raspi2, linux-snapdragon, and linux-hwe, linux-aws-5.3, linux-gke-5.3, linux-raspi2-5.3).

Emil Velikov provides a high-level introduction of the Linux graphics stack, how it is used within ChromeOS, and the work being done to improve software rendering. "One of our goals is to be as flexible as possible, while minimising the amount of legacy code required - so in our case we're using OpenGL/GLES and EGL. In particular we are making use of the EGL_MESA_platform_surfaceless extension. It allows us to use OpenGL or GLES and render into a memory area, not requiring integration with the display subsystem."

We left the saga of PEP 622 ("Structural Pattern Matching") at the end of June, but the discussion of a Python "match" statement—superficially similar to a C switch but with extra data-matching features—continued. At this point, the next steps are up to the Python steering council, which will determine the fate of the PEP. But there is lots of discussion to catch up on from the last two months or so.

Security updates have been issued by Debian (apache2 and libx11), Fedora (batik, ecj, eclipse, eclipse-cdt, eclipse-ecf, eclipse-emf, eclipse-gef, eclipse-m2e-core, eclipse-mpc, eclipse-mylyn, eclipse-remote, eclipse-webtools, firefox, httpd, jetty, lucene, selinux-policy, and univocity-parsers), Mageia (hylafax+), openSUSE (ark and chromium), Red Hat (virt:8.2 and virt-devel:8.2), SUSE (freeradius-server, freerdp, php7, php72, php74, and xorg-x11-server), and Ubuntu (freerdp2, keystone, net-snmp, python-django, and python-rsa).

Theo (deraadt@) has just committed the crank to 6.8-beta to CVS

From: Theo de Raadt Date: Mon, 31 Aug 2020 10:08:28 -0600 (MDT) To: source-changes@openbsd.org Subject: CVS: cvs.openbsd.org: src CVSROOT: /cvs Module name: src Changes by: deraadt@cvs.openbsd.org 2020/08/31 10:08:28 Modified files: sys/conf : newvers.sh sys/sys : param.h usr.bin/signify: signify.1 etc/root : root.mail share/mk : sys.mk sys/arch/macppc/stand/tbxidata: bsd.tbxi Log message: crank to 6.8-beta

You know what this means: time to test snapshots and report any issues you find, both in the base systems as in the supplied packages, so that the upcoming 6.8 release will not surprise you in unfortunate ways!