
[$] LWN.net Weekly Edition for December 17, 2020



Security updates for Thursday

([Security] Dec 10, 2020 14:40 UTC (Thu) (jake))

Security updates have been issued by Arch Linux (ant, cimg, containerd, libproxy, libproxy-mozjs, libproxy-webkit, libslirp, python-lxml, tomcat8, tomcat9, and xorg-server), CentOS (firefox and thunderbird), Debian (apt, linux-4.19, python-apt, and sqlite3), Fedora (ceph, chromium, containerd, matrix-synapse, mingw-openjpeg2, openjpeg2, python-authlib, python-canonicaljson, and spice-gtk), Mageia (chromium-browser-stable), openSUSE (chromium and pngcheck), Slackware (curl), SUSE (clamav, curl, openssh, openssl-1_0_0, openssl-1_1, openssl1, python-pip, python-scripttest, python-urllib3, and xen), and Ubuntu (apt, curl, and python-apt).

[$] Changing CentOS in mid-stream

([Distributions] Dec 10, 2020 16:47 UTC (Thu) (corbet))

For years, the [1]CentOS distribution has been a reliable resource for anybody wanting to deploy systems with a stable, maintained Linux base that "just works". At one point, it was [2]reported to be the platform on which 30% of all web servers were run. CentOS has had its ups and downs over the years; for many, the December 8 [3]announcement that CentOS will be "shifting focus" will qualify as the final "down". Regardless of whether this change turns out to be a good thing, it certainly marks the end of an era that began in 2004.



[1] https://centos.org/

[2] https://w3techs.com/blog/entry/highlights_of_web_technology_surveys_july_2010

[3] https://blog.centos.org/2020/12/future-is-centos-stream/

Security updates for Wednesday

([Security] Dec 9, 2020 15:57 UTC (Wed) (ris))

Security updates have been issued by Debian (golang-golang-x-net-dev, python-certbot, and xorg-server), Fedora (resteasy, scap-security-guide, and vips), openSUSE (chromium, python, and rpmlint), SUSE (kernel), and Ubuntu (aptdaemon, curl, gdk-pixbuf, lxml, and openssl, openssl1.0).

The future for general-purpose computing

([Security] Dec 9, 2020 23:01 UTC (Wed) (jake))

There can be no doubt that general-purpose computing has been a boon to the world. The ability to run different kinds of programs, from various sources, including bought from companies, written from scratch, and, well, built from source, is something that we take for granted on many—most—of the computing devices that we own. But that model seems to be increasingly disappearing in many kinds of devices, including personal computers, as a recent kerfuffle in the Apple world helps to demonstrate.

GNU Autoconf 2.70 released

([Development] Dec 8, 2020 23:01 UTC (Tue) (ris))

GNU Autoconf 2.70 is out. "Noteworthy changes include support for the 2011 revisions of the C and C++ standards, support for reproducible builds, improved support for cross-compilation, improved compatibility with current compilers and shell utilities, more efficient generated shell code, and many bug fixes." See [1]this article for more information on what has been happening with Autoconf.



[1] https://lwn.net/Articles/834682/

Four stable kernels

([Kernel] Dec 8, 2020 17:22 UTC (Tue) (ris))

Stable kernels [1]5.9.13, [2]5.4.82, [3]4.19.162, and [4]4.14.211 have been released. They contain important fixes and users should upgrade.



[1] https://lwn.net/Articles/839326/

[2] https://lwn.net/Articles/839327/

[3] https://lwn.net/Articles/839328/

[4] https://lwn.net/Articles/839329/

Security updates for Tuesday

([Security] Dec 8, 2020 16:35 UTC (Tue) (ris))

Security updates have been issued by Debian (minidlna, openssl, and trafficserver), Mageia (oniguruma, php-pear, python, python3, and x11vnc), openSUSE (minidlna), Oracle (kernel and net-snmp), Red Hat (kernel, mariadb-galera, microcode_ctl, and net-snmp), Slackware (seamonkey), SUSE (thunderbird and xen), and Ubuntu (xorg-server).

CentOS is dead, long live CentOS Stream

([Distributions] Dec 8, 2020 15:29 UTC (Tue) (corbet))

Red Hat has [1]announced an end to the CentOS distribution as we know it. CentOS will be replaced by "CentOS Stream", which looks like a sort of beta test for changes going into Red Hat Enterprise Linux. Support for CentOS 7 will continue as scheduled, but support for CentOS 8 will go away at the end of 2021. "When CentOS Linux 8 (the rebuild of RHEL8) ends, your best option will be to migrate to CentOS Stream 8, which is a small delta from CentOS Linux 8, and has regular updates like traditional CentOS Linux releases. If you are using CentOS Linux 8 in a production environment, and are concerned that CentOS Stream will not meet your needs, we encourage you to contact Red Hat about options."



[1] https://blog.centos.org/2020/12/future-is-centos-stream/

More information can be found in [1]this FAQ. "CentOS Stream will be getting fixes and features ahead of RHEL. Generally speaking, we expect CentOS Stream to have fewer bugs and more runtime features than RHEL until those packages make it into the RHEL release."



[1] https://centos.org/distro-faq/

Update: see also [1]this blog post from Chris Wright.



[1] https://www.redhat.com/en/blog/centos-stream-building-innovative-future-enterprise-linux

Qt 6.0 released

([Development] Dec 8, 2020 15:16 UTC (Tue) (corbet))

[1]Version 6.0 of the Qt interface framework is available. "Qt 6.0 is a starting point for the next generation of Qt. It is not yet as feature-complete as 5.15, but we will fill the gaps within the months to come. We've done a lot of important work in laying out the foundations of the next version of Qt. Many of those changes might not be immediately visible, but I firmly believe they will help keep Qt competitive in the years to come." Changes include moving to C++17, the completion of the Unicode transition, a move away from OpenGL to a new internal rendering interface, additional 3D capabilities, and more.



[1] https://www.qt.io/blog/qt-6.0-released

2019-2020 State of Mozilla

([Development] Dec 7, 2020 22:39 UTC (Mon) (jake))

Mozilla has [1]released its [2]annual report: "Every year in the spirit of openness upon which Mozilla was founded, we share publicly the ways we have protected, fought for and helped advance the internet in service of the people who rely on it every day. We outline how our organization is meeting the challenges of online life through an annual report: the State of Mozilla. This year we’ve changed the format of our report to focus on how we are using our organization’s strength and resources on two fronts: Fighting for People and Building for the Future. This report highlights the impact of our work in 2020 and is accompanied by our most recently filed financials which cover 2019. As the State of Mozilla outlines, Mozilla works to make the promise of a better internet a reality. We can’t and we don’t do it alone. There are myriad ways anyone can join this effort through actions big and small, starting with getting better educated on what’s at stake; pushing companies to operate more transparently and in the interest of communities and people, not just profits; testing new products; and choosing technology made by companies who share your vision for a healthier internet."



[1] https://blog.mozilla.org/blog/2020/12/07/state-of-mozilla-2019-annual-report/

[2] https://www.mozilla.org/en-US/foundation/annualreport/2019/

Sidestepping kernel memory management with DMEMFS

([Kernel] Dec 7, 2020 23:52 UTC (Mon) (corbet))

One of the kernel's primary jobs is to manage the memory installed in the system. Over the years, though, there have been various reasons for removing a portion of the system's memory from the kernel's view. One of the latest can be seen in a mechanism called [1]DMEMFS, which is being proposed as a way to get around some inefficiency in how the kernel keeps track of RAM.



[1] https://lwn.net/ml/linux-kernel/cover.1607332046.git.yuleixzhang@tencent.com/

Fedora and its editions

([Distributions] Dec 8, 2020 22:18 UTC (Tue) (jake))

Fedora has long had [1]Workstation and [2]Server editions and, back in August, [3]added an edition for [4]Internet of Things (IoT) devices. Those editions target different use cases for the distribution, as does the [5]CoreOS "spin" (or "emerging edition"), which targets cloud and Kubernetes deployments. A [6]proposal to elevate Fedora CoreOS to a full edition as part of Fedora 34 was recently discussed on the Fedora devel mailing list. As part of that, what it means for a distribution to be part of Fedora was discussed as well.



[1] https://getfedora.org/en/workstation/

[2] https://getfedora.org/en/server/

[3] https://lwn.net/Articles/828966/

[4] https://getfedora.org/en/iot/

[5] https://getfedora.org/en/coreos

[6] https://fedoraproject.org/wiki/Changes/FedoraCoreOS

Bash 5.1 and Readline 8.1 released

([Development] Dec 7, 2020 17:50 UTC (Mon) (ris))

Bash 5.1 is out. "This release fixes several outstanding bugs in bash-5.0 and introduces several new features. The most significant change is a return to the bash-4.4 behavior of not performing pathname expansion on a word that contains backslashes but does not contain any unquoted globbing special characters. This comes after a long POSIX discussion that resulted in a change to the standard. There are several changes regarding trap handling while reading from the terminal (e.g., for `read' and `select'.) There are a number of bug fixes, including several bugs that caused the shell to crash." The readline library used in bash 5.1 has also been [1]updated to version 8.1. "There are more improvements in the programming interface and new user-visible variables and bindable commands. There are several new public API functions, but there should be no incompatible changes to existing APIs."



[1] https://lwn.net/Articles/839213/

Security updates for Monday

([Security] Dec 7, 2020 15:56 UTC (Mon) (ris))

Security updates have been issued by Arch Linux (ceph, gitea, matrix-synapse, musl, mutt, neomutt, opensc, and webkit2gtk), Debian (debian-security-support, openldap, salt, xen, and xorg-server), Fedora (fossil, pdfresurrect, tcpdump, thunderbird, and xorg-x11-server), Gentoo (chromium, firefox, mariadb, pam, postgresql, seamonkey, thunderbird, and xorg-server), Mageia (mutt, pdfresurrect, privoxy, and thunderbird), openSUSE (chromium, java-1_8_0-openjdk, kernel, minidlna, neomutt, opera, pngcheck, python, python-cryptography, python-pip, python-setuptools, python3, rclone, thunderbird, xen, and xorg-x11-server), Red Hat (ksh and net-snmp), and SUSE (crowbar-openstack, grafana, influxdb, python-urllib3, fontforge, mariadb, mutt, postgresql12, python-cryptography, and xen).

Kernel prepatch 5.10-rc7

([Kernel] Dec 7, 2020 0:48 UTC (Mon) (corbet))

Linus has released [1]5.10-rc7 for testing; he seems happy with how it is coming together. "So unless something odd and bad happens next week, we'll have a final 5.10 release next weekend, and then we'll get the bulk of the merge window for 5.11 over and done with before the holiday season starts."



[1] https://lwn.net/Articles/839084/

t2 Linux 20.10 released

([Distributions] Dec 4, 2020 21:31 UTC (Fri) (corbet))

The 20.10 release of the t2 Linux distribution is available. "After a decade of development we are proud to announce the availability of the new T2 Linux Source and Embedded Linux distribution build kit stable release 20.10." More information about this distribution can be found at [1]t2sde.org: "T2 SDE is not just a regular Linux distribution - it is a flexible Open Source System Development Environment or Distribution Build Kit (others might even name it Meta Distribution). T2 allows the creation of custom distributions with state of the art technology, up-to-date packages and integrated support for cross compilation. Currently the Linux kernel is normally used - but the T2 SDE is being expanded to Minix, Hurd, OpenDarwin, Haiku and OpenBSD - more to come."



[1] https://t2sde.org/

GitHub's report on open-source security

([Security] Dec 4, 2020 15:40 UTC (Fri) (corbet))

GitHub has released its [1]"2020 State of the Octoverse" report; one piece of that is [2]a report on security [PDF]. There are a number of interesting conclusions there, including that a surprising number of security vulnerabilities are planted deliberately. "Analysis on a random sample of 521 advisories from across our six ecosystems finds that 17% of the advisories are related to explicitly malicious behavior such as backdoor attempts. Of those 17%, the vast majority come from the npm ecosystem. While 17% of malicious attacks will steal the spotlight in security circles, vulnerabilities introduced by mistake can be just as disruptive and are much more likely to impact popular projects. Out of all the alerts GitHub sent developers notifying them of vulnerabilities in their dependencies, only 0.2% were related to explicitly malicious activity. That is, most vulnerabilities were simply those caused by mistakes."



[1] https://octoverse.github.com/

[2] https://octoverse.github.com/static/2020-security-report.pdf

Security updates for Friday

([Security] Dec 4, 2020 14:08 UTC (Fri) (jake))

Security updates have been issued by Debian (thunderbird), Fedora (c-ares, pdfresurrect, webkit2gtk3, and xen), openSUSE (python3), SUSE (gdm, python-pip, rpmlint, and xen), and Ubuntu (snapcraft).

LWN.net Weekly Edition for December 10, 2020


