News reader

MOSS launches COVID-19 Solutions Fund

5 years 3 months ago
The Mozilla Open Source Support Program (MOSS) has launched a COVID-19 Solutions Fund, which will provide awards of up to $50,000 each to open source technology projects which are responding to the COVID-19 pandemic in some way. "As part of the COVID-19 Solutions Fund, we will accept applications that are hardware (e.g., an open source ventilator), software (e.g., a platform that connects hospitals with people who have 3D printers who can print parts for that open source ventilator), as well as software that solves for secondary effects of COVID-19 (e.g., a browser plugin that combats COVID related misinformation)."
ris

Security updates for Tuesday

5 years 3 months ago
Security updates have been issued by Debian (tinyproxy), Fedora (okular), Gentoo (ffmpeg, libxls, and qemu), openSUSE (GraphicsMagick), Red Hat (qemu-kvm-rhev), SUSE (cloud-init and spamassassin), and Ubuntu (bluez, libpam-krb5, linux, linux-aws, linux-azure, linux-azure-5.3, linux-gcp, linux-gcp-5.3, linux-gke-5.3, linux-hwe, linux-kvm, linux-oracle, linux-oracle-5.3, linux-raspi2, linux-raspi2-5.3, and Timeshift).
ris

Unangst: Rethinking OpenBSD security

5 years 3 months ago
OpenBSD developer Ted Unangst looks for lessons in a set of recent vulnerabilities in that system. "Even OpenBSD is subject to compromise for the sake of practicality, which is how some legacy designs stick around. So the lesson perhaps is to really stick with the principles that work, and not just when convenient. But not always an easy choice to make."
corbet

[$] Some 5.6 kernel development statistics

5 years 3 months ago
When the 5.6 kernel was released on March 29, 12,665 non-merge changesets had been accepted from 1,712 developers, making this a fairly typical development cycle in a number of ways. As per longstanding LWN tradition, what follows is a look at where those changesets came from and who supported the work that created them. This may have been an ordinary cycle, but there are still a couple of differences worth noting.
corbet

Fedora's Git forge decision

5 years 3 months ago
Back in February, LWN reported on the process of gathering requirements for a Git forge system. That process then went relatively quiet until March 28, when the posting of a "CPE Weekly" news summary included, under "other updates", a note that the decision has been made. It appears that the project will be pushed toward a not-fully-free version of the GitLab offering. It is fair to say that this decision — or how it was presented — was not met with universal acclaim in the Fedora community; see this response from Neal Gompa for more.
corbet

Debian @ COVID-19 Biohackathon (April 5-11, 2020)

5 years 3 months ago
The Debian community has announced a one-week, online "biohackathon" as a focused effort to improve the available free biomedical tools. "Most tasks do not require any knowledge of biology or medicine, and all types of contributions are welcome: bug triage, testing, documentation, CI, translations, packaging, and code contributions."
corbet

Security updates for Monday

5 years 3 months ago
Security updates have been issued by Debian (php-horde-form and tika), Fedora (dcraw and libmodsecurity), Gentoo (libidn2 and screen), openSUSE (cloud-init, cni, cni-plugins, conmon, fuse-overlayfs, podman, opera, phpMyAdmin, python-mysql-connector-python, ruby2.5, strongswan, and tor), Oracle (ipmitool), Scientific Linux (ipmitool), SUSE (spamassassin and tomcat), and Ubuntu (twisted and webkit2gtk).
ris

The 5.6 kernel has been released

5 years 3 months ago
Linus has released the 5.6 kernel.

Some of the headline features in this release include Arm EOPD support, time namespaces, the BPF dispatcher and batched BPF map operations (both described in this article), the openat2() system call, the WireGuard virtual private network implementation, the flow queue PIE packet scheduler, nearly complete year-2038 support, many new io_uring features, the pidfd_getfd() system call, the ZoneFS filesystem, the ability to implement TCP congestion-control algorithms in BPF, the dma-buf heaps subsystem, and the removal of the /dev/random blocking pool.

See the LWN merge-window summaries (part 1 and part 2) and the (under construction) KernelNewbies 5.6 page for more details.

corbet

[$] Per-system-call kernel-stack offset randomization

5 years 3 months ago
In recent years, the kernel has (finally) upped its game when it comes to hardening. It is rather harder to compromise a running kernel than it used to be. But "rather harder" is relative: attackers still manage to find ways to exploit kernel bugs. One piece of information that can be helpful to attackers is the location of the kernel stack; this patch set from Kees Cook and Elena Reshetova may soon make that information harder to come by and nearly useless in any case.
corbet

Security updates for Friday

5 years 3 months ago
Security updates have been issued by Debian (bluez and php5), Fedora (chromium, kernel, and PyYAML), Gentoo (adobe-flash, libvpx, php, qtcore, and unzip), openSUSE (chromium, kernel, and mcpp), Oracle (ipmitool and libvncserver), Red Hat (ipmitool and rh-postgresql10-postgresql), Slackware (kernel), and SUSE (ldns and tomcat6).
jake

Malcolm: Static analysis in GCC 10

5 years 3 months ago
David Malcolm writes about the static-analysis features that he is working on adding to the GCC compiler. "This issue is, of course, a huge problem to tackle. For this release, I’ve focused on the kinds of problems seen in C code—and, in particular double-free bugs—but with a view toward creating a framework that we can expand on in subsequent releases (when we can add more checks and support languages other than C)."
corbet

[$] Avoiding retpolines with static calls

5 years 3 months ago
January 2018 was a sad time in the kernel community. The Meltdown and Spectre vulnerabilities had finally been disclosed, and the required workarounds hurt kernel performance in a number of ways. One of those workarounds — retpolines — continues to cause pain, with developers going out of their way to avoid indirect calls, since they must now be implemented with retpolines. In some cases, though, there may be a way to avoid retpolines and regain much of the lost performance; after a long gestation period, the "static calls" mechanism may finally be nearing the point where it can be merged upstream.
corbet

Plasma on TV: Presenting Plasma Bigscreen (KDE.News)

5 years 3 months ago
The KDE.News site is carrying an announcement for the Plasma Bigscreen environment, which is meant for large-screen televisions. "Talking of interacting from the couch, voice control provides users with the ultimate comfort when it comes to TV viewing. But most big brands not only do not safeguard the privacy of their customers, but actively harvest their conversations even when they are not sending instructions to their TV sets. We use Mycroft's Open Source voice assistant to solve this problem."
corbet

Security updates for Thursday

5 years 3 months ago
Security updates have been issued by CentOS (firefox, icu, kernel-rt, libvncserver, python-imaging, python-pip, python-virtualenv, thunderbird, tomcat, tomcat6, and zsh), Debian (icu and okular), Fedora (libxslt and php), Gentoo (bluez, chromium, pure-ftpd, samba, tor, weechat, xen, and zsh), Oracle (libvncserver), Red Hat (ipmitool and zsh), and SUSE (python-cffi, python-cryptography and python-cffi, python-cryptography, python-xattr).
jake

Booting from an FFS2 filesystem

5 years 3 months ago

Developer Otto Moerbeek (otto@) has been working on support to boot from FFS2. He writes in with the below article, to give us a little insight into the challenges he faced while working on this.

FFS2 filesystem support has been in OpenBSD for quite a while. FFS2 has a few advantages above FFS1: large partition support, 64-bit timestamps, faster newfs(8) and faster fsck(8), but it is only used for large (> 1TB) filesystems at the moment. The only drawback is that its meta-data overhead is a bit larger than FFS1 because of 64-bit instead of 32-bit blocknumbers and timestamps.

I decided that it was time to start using FFS2 in as many places as possible, and that includes booting from it. Booting is an area where there are quite large differences between the various platforms OpenBSD supports. The boot code interacts with the platform-specific firmware and the bootstrap process uses different vendor-specific mechanisms.


[$] Helping FOSS conferences in the face of a pandemic

5 years 3 months ago
The effects of the Coronavirus disease 2019 (COVID-19) pandemic are horrific and far-reaching; we really do not yet know just how bad it will get. One far less serious area that has been affected is conferences for and about free and open-source software (FOSS). On the grand scale, these problems are pretty low on the priority list. There are a fair number of non-profit organizations behind the gatherings, however, that have spent considerable sums setting up now-canceled events or depend on the conferences for a big chunk of their budget—or both. A new organization, FOSS Responders, has formed to try to help out.
jake

O'Reilly shutting down its conference group

5 years 3 months ago
O'Reilly has announced that it is canceling all of its upcoming in-person conferences and shutting down its conference group permanently. "Without understanding when this global health emergency may come to an end, we can’t plan for or execute on a business that will be forever changed as a result of this crisis. With large technology vendors moving their events completely on-line, we believe the stage is set for a new normal moving forward when it comes to in-person events." There is still no notice to this effect on the OSCON page, but one assumes that is coming.
corbet