ARM Give a man a fire and he's warm for a day, but set fire to him and he's warm for the rest of his life (Terry Pratchett, Jingo)

LineageOS 17.1 released

([Distributions] Apr 2, 2020 14:21 UTC (Thu) (corbet))

[1]LineageOS 17.1 is out. This release of the Android-based distribution once known as CyanogenMod includes a rebase onto the Android 10 release of the Android Open Source Project, improved theme support, support for on-screen fingerprint sensors, the ability to use biometric sensors to control access to apps, and more. " On the whole, we feel that the 17.1 branch has reached feature and stability parity with 16.0 and is ready for initial release. With 17.1 being the most recent and most actively developed branch, on April 1st, 2020 it will begin receiving nightly builds and 16.0 will be moved to weekly builds. "



[1] https://lineageos.org/Changelog-24/

New 4.0 LTS releases for LXD, LXC and LXCFS

([Development] Apr 1, 2020 17:21 UTC (Wed) (ris))

The LXD system container and virtual manager, LXC container runtime, and LXCFS FUSE filesystem projects have released version 4.0 LTS. LTS versions of these intertwined projects are released every 2 years and receive 5 years of security and bugfix support.

OpenWRT code-execution bug puts millions of devices at risk (Ars Technica)

([Security] Apr 1, 2020 15:06 UTC (Wed) (corbet))

Ars Technica [1]reports on the recently disclosed OpenWrt package verification vulnerability. The headline may be a bit overwrought, though. " These code-execution exploits are limited in their scope because adversaries must either be in a position to conduct a man-in-the-middle attack or tamper with the DNS server that a device uses to find the update on the Internet. That means routers on a network that has no malicious users and using a legitimate DNS server are safe from attack. " It also assumes that people actually update their routers, which seems unlikely in most cases in the real world.



[1] https://arstechnica.com/information-technology/2020/03/openwrt-is-vulnerable-to-attacks-that-execute-malicious-code/

Stable kernel updates

([Kernel] Apr 1, 2020 15:00 UTC (Wed) (ris))

Stable kernels [1]5.6.1 , [2]5.5.14 , and [3]5.4.29 have been released with the usual set of important fixes. Users should upgrade.



[1] https://lwn.net/Articles/816513/

[2] https://lwn.net/Articles/816514/

[3] https://lwn.net/Articles/816515/

Security updates for Wednesday

([Security] Apr 1, 2020 14:55 UTC (Wed) (ris))

Security updates have been issued by Debian (apng2gif, gst-plugins-bad0.10, and libpam-krb5), Fedora (coturn, libarchive, and phpMyAdmin), Mageia (chromium-browser-stable, nghttp2, php, phpmyadmin, sympa, and vim), openSUSE (GraphicsMagick, ldns, phpMyAdmin, python-mysql-connector-python, python-nltk, and tor), Red Hat (advancecomp, avahi, bash, bind, bluez, buildah, chromium-browser, cups, curl, docker, dovecot, doxygen, dpdk, evolution, expat, file, gettext, GNOME, httpd, idm:DL1, ImageMagick, kernel, kernel-rt, lftp, libosinfo, libqb, libreoffice, libsndfile, libxml2, mailman, mariadb, mod_auth_mellon, mutt, nbdkit, net-snmp, nss-softokn, okular, php, podman, polkit, poppler and evince, procps-ng, python, python-twisted-web, python3, qemu-kvm, qemu-kvm-ma, qt, rsyslog, samba, skopeo, squid, systemd, taglib, texlive, unzip, virt:8.1, wireshark, and zziplib), Slackware (gnutls and httpd), and SUSE (glibc, icu, kernel, and mariadb).

Reworking StringIO concatenation in Python

([Development] Apr 1, 2020 22:43 UTC (Wed) (jake))

Python string objects are immutable, so changing the value of a string requires that a new string object be created with the new value. That is fairly well-understood within the community, but there are some "anti-patterns" that arise; it is pretty common for new users to build up a longer string by repeatedly concatenating to the end of the "same" string. The performance penalty for doing that could be avoided by switching to a type that is geared toward incremental updates, but Python 3 has already optimized the penalty away for regular strings. A recent thread on the python-ideas mailing list explored this topic some.

FSF: HACKERS and HOSPITALS

([Development] Mar 31, 2020 23:12 UTC (Tue) (ris))

The Free Software Foundation is [1]focusing on the shortage of medical equipment and using 3D printers to make more. " That's why we're looking into what we can make with our in-office Respects Your Freedom (RYF)-certified 3D printers, and we're talking to the brand new Mass General Brigham Center for COVID Innovation so they can direct our efforts. We're also gathering resources for our "HACKERS and HOSPITALS" plan at the [2]LibrePlanet wiki page , and if you have expertise, 3D printers, or supplies to contribute, please contact Michael via sysadmin@fsf.org. If you do not have the means to produce medical gear and you still want to help, research can be done from anywhere with only a computer and an Internet connection. Add any projects that are freely licensed working towards helping with COVID-19 to the wiki! "



[1] https://www.fsf.org/blogs/community/hackers-and-hospitals-how-you-can-help

[2] https://libreplanet.org/wiki/HACKERS_and_HOSPITALS

[$] Frequency-invariant utilization tracking for x86

([Kernel] Apr 2, 2020 15:45 UTC (Thu) (corbet))

The kernel provides a number of CPU-frequency governors to choose from; by most accounts, the most effective of those is "schedutil", which was [1]merged for the 4.7 kernel in 2016. While schedutil is used on mobile devices, it still doesn't see much use on x86 desktops; the [2]intel_pstate governor is generally seen giving better results on those processors as a result of the secret knowledge embodied therein. A set of patches merged for 5.7, though, gives schedutil a better idea of what the true utilization of x86 processors is and, as a result, greatly improves its effectiveness.



[1] https://git.kernel.org/linus/9bdcb44e391d

[2] https://www.kernel.org/doc/html/v4.12/admin-guide/pm/intel_pstate.html

MOSS launches COVID-19 Solutions Fund

([Development] Mar 31, 2020 18:52 UTC (Tue) (ris))

The Mozilla Open Source Support Program (MOSS) has [1]launched a COVID-19 Solutions Fund, which will provide awards of up to $50,000 each to open source technology projects which are responding to the COVID-19 pandemic in some way. " As part of the COVID-19 Solutions Fund, we will accept applications that are hardware (e.g., an open source ventilator), software (e.g., a platform that connects hospitals with people who have 3D printers who can print parts for that open source ventilator), as well as software that solves for secondary effects of COVID-19 (e.g., a browser plugin that combats COVID related misinformation). "



[1] https://blog.mozilla.org/blog/2020/03/31/moss-launches-covid-19-solutions-fund/

Security updates for Tuesday

([Security] Mar 31, 2020 15:06 UTC (Tue) (ris))

Security updates have been issued by Debian (tinyproxy), Fedora (okular), Gentoo (ffmpeg, libxls, and qemu), openSUSE (GraphicsMagick), Red Hat (qemu-kvm-rhev), SUSE (cloud-init and spamassassin), and Ubuntu (bluez, libpam-krb5, linux, linux-aws, linux-azure, linux-azure-5.3, linux-gcp, linux-gcp-5.3, linux-gke-5.3, linux-hwe, linux-kvm, linux-oracle, linux-oracle-5.3,linux-raspi2, linux-raspi2-5.3, and Timeshift).

Unangst: Rethinking OpenBSD security

([Security] Mar 31, 2020 13:44 UTC (Tue) (corbet))

OpenBSD developer Ted Unangst [1]looks for lessons in a set of recent vulnerabilities in that system. " Even OpenBSD is subject to compromise for the sake of practicality, which is how some legacy designs stick around. So the lesson perhaps is to really stick with the principles that work, and not just when convenient. But not always an easy choice to make. "



[1] https://flak.tedunangst.com/post/rethinking-openbsd-security

[$] 5.7 Merge window part 1

([Kernel] Apr 3, 2020 14:54 UTC (Fri) (corbet))

As of this writing, 7,233 non-merge changesets have been pulled into the mainline repository for the 5.7 kernel development cycle — over the course of about three days. If current world conditions are slowing down kernel development, it would seem that the results are not yet apparent at this level. As usual, these changesets bring no end of fixes, improvements, and new features; read on for a summary of what the first part of the 5.7 merge window has brought in.

A full task-isolation mode for the kernel

([Kernel] Apr 6, 2020 15:13 UTC (Mon) (mrybczyn))

Some applications require guaranteed access to the CPU without even brief interruptions; realtime systems and high-bandwidth networking applications with user-space drivers can fall into the category. While Linux provides some support for CPU isolation (moving everything but the critical task off of one or more CPUs) now, it is an imperfect solution that is still subject to some interruptions. Work has been continuing in the community to improve the kernel's CPU-isolation capabilities, notably with improvements in the nohz (tickless) mode, but it is not finished yet. Recently, Alex Belits [1]submitted a patch set (based on [2]work by Chris Metcalf in 2015 ) that introduces a completely predictable environment for Linux applications — as long as they do not need any kernel services.



[1] https://lwn.net/ml/linux-kernel/aed12dd15ea2981bc9554cfa8b5e273c1342c756.camel@marvell.com/

[2] https://lwn.net/Articles/659490/

Fedora's Git forge decision

([Distributions] Mar 30, 2020 15:56 UTC (Mon) (corbet))

Back in February, LWN [1]reported on the process of gathering requirements for a Git forge system. That process then went relatively quiet until March 28, when the posting of [2]a "CPE Weekly" news summary included, under "other updates", a note that the decision has been made. It appears that the project will be pushed toward a not-fully-free version of the GitLab offering. It is fair to say that this decision — or how it was presented — was not met with universal acclaim in the Fedora community; see [3]this response from Neal Gompa for more.



[1] https://lwn.net/Articles/810776/

[2] https://lwn.net/ml/fedora-devel/CAJqbrbeQdQq1J4VAKKixQB7KSV+18yf647BfWFajaz2=K6R3-w@mail.gmail.com/

[3] https://lwn.net/ml/fedora-devel/CAEg-Je9jnXxr4ocxE966sv+5wBwQ30aXznbR3e+tw7k2F_D0YQ@mail.gmail.com/

Debian @ COVID-19 Biohackathon (April 5-11, 2020)

([Distributions] Mar 30, 2020 15:40 UTC (Mon) (corbet))

The Debian community has announced a one-week, online "biohackathon" as a focused effort to improve the available free biomedical tools. " Most tasks do not require any knowledge of biology or medicine, and all types of contributions are welcome: bug triage, testing, documentation, CI, translations, packaging, and code contributions. "

Security updates for Monday

([Security] Mar 30, 2020 14:57 UTC (Mon) (ris))

Security updates have been issued by Debian (php-horde-form and tika), Fedora (dcraw and libmodsecurity), Gentoo (libidn2 and screen), openSUSE (cloud-init, cni, cni-plugins, conmon, fuse-overlayfs, podman, opera, phpMyAdmin, python-mysql-connector-python, ruby2.5, strongswan, and tor), Oracle (ipmitool), Scientific Linux (ipmitool), SUSE (spamassassin and tomcat), and Ubuntu (twisted and webkit2gtk).

The 5.6 kernel has been released

([Kernel] Mar 29, 2020 23:04 UTC (Sun) (corbet))

Linus has [1]released the 5.6 kernel.



[1] https://lwn.net/Articles/816216/ Some of the headline features in this release include [1]Arm EOPD support , [2]time namespaces , the BPF dispatcher and batched BPF map operations (both described in [3]this article ), the [4]openat2() system call , the [5]WireGuard virtual private network implementation, the [6]flow queue PIE packet scheduler , nearly complete year-2038 support, many [7]new io_uring features , the [8]pidfd_getfd() system call , the [9]ZoneFS filesystem, the [10]ability to implement TCP congestion-control algorithms in BPF, the [11]dma-buf heaps subsystem, and the [12]removal of the /dev/random blocking pool.



[1] https://lwn.net/Articles/804982/

[2] https://lwn.net/Articles/766089/

[3] https://lwn.net/Articles/808503/

[4] https://lwn.net/Articles/796868/

[5] https://lwn.net/Articles/802376/

[6] https://tools.ietf.org/html/rfc8033

[7] https://lwn.net/Articles/810414/

[8] https://lwn.net/Articles/808997/

[9] https://lwn.net/Articles/794364/

[10] https://lwn.net/Articles/811631/

[11] https://lwn.net/Articles/792733/

[12] https://lwn.net/Articles/808575/ See the LWN merge-window summaries ( [1]part 1 and [2]part 2 ) and the (under construction) [3]KernelNewbies 5.6 page for more details.



[1] https://lwn.net/Articles/810780/

[2] https://lwn.net/Articles/811230/

[3] https://kernelnewbies.org/Linux_5.6

Some 5.6 kernel development statistics

([Kernel] Mar 30, 2020 21:19 UTC (Mon) (corbet))

When the 5.6 kernel was [1]released on March 29, 12,665 non-merge changesets had been accepted from 1,712 developers, making this a fairly typical development cycle in a number of ways. As per longstanding LWN tradition, what follows is a look at where those changesets came from and who supported the work that created them. This may have been an ordinary cycle, but there are still a couple of differences worth noting.



[1] https://lwn.net/Articles/816216/

Three candidates vying to be DPL

([Distributions] Apr 1, 2020 16:03 UTC (Wed) (jake))

The annual Debian project leader (DPL) election is well underway at this point; voting begins in early April and the outcome will be known after the polls close on April 18. Outgoing DPL Sam Hartman [1]posted a lengthy "non-platform" in the run-up to the election, which detailed the highs and lows of his term, perhaps providing something of a roadmap, complete with pitfalls, for potential candidates—Hartman is not running again this time. When the nomination period completed, three people [2]put their hats into the ring : Jonathan Carter, Sruthi Chandran, and Brian Gupta. Their platforms have been posted and there have been several threads on the debian-vote mailing list with questions for the candidates; it seems like a good time to look in on the race.



[1] https://lwn.net/ml/debian-vote/tsl5zfjex22.fsf@suchdamage.org/

[2] https://lwn.net/ml/debian-vote/20200315000835.GA4020585@roeckx.be/

Security updates for Friday

([Security] Mar 27, 2020 13:39 UTC (Fri) (jake))

Security updates have been issued by Debian (bluez and php5), Fedora (chromium, kernel, and PyYAML), Gentoo (adobe-flash, libvpx, php, qtcore, and unzip), openSUSE (chromium, kernel, and mcpp), Oracle (ipmitool and libvncserver), Red Hat (ipmitool and rh-postgresql10-postgresql), Slackware (kernel), and SUSE (ldns and tomcat6).
More

Trailing Edge Technologies is pleased to announce the following
TETflame programme:

1) For a negotiated price (no quatloos accepted) one of our flaming
representatives will flame the living shit out of the poster of
your choice. The price is inversely proportional to how much of
an asshole the target it. We cannot be convinced to flame Dennis
Ritchie. Matt Crawford flames are free.

2) For a negotiated price (same arrangement) the TETflame programme
is offering ``flame insurance''. Under this arrangement, if
one of our policy holders is flamed, we will cancel the offending
article and flame the flamer, to a crisp.

3) The TETflame flaming representatives include: Richard Sexton, Oleg
Kisalev, Diane Holt, Trish O'Tauma, Dave Hill, Greg Nowak and our most
recent acquisition, Keith Doyle. But all he will do is put you in his
kill file. Weemba by special arrangement.

-- Richard Sexton