
Security updates for Tuesday

([Security] Nov 17, 2020 16:00 UTC (Tue) (ris))

Security updates have been issued by Debian (libdatetime-timezone-perl, openldap, pacemaker, and restic), Fedora (libmediainfo, mediainfo, mingw-python3, and seamonkey), Gentoo (libexif), openSUSE (raptor), Oracle (kernel and microcode_ctl), Scientific Linux (firefox), SUSE (kernel-firmware, postgresql, postgresql96, postgresql10 and postgresql12, and raptor), and Ubuntu (openldap and postgresql-10, postgresql-12, postgresql-9.5).

Firefox 83.0 released

([Development] Nov 17, 2020 15:36 UTC (Tue) (corbet))

Version 83.0 of the Firefox browser is out. Headline features include a new [1]HTTPS-only mode, JavaScript performance improvements, and more; see [2]the release notes for details.



[1] https://blog.mozilla.org/security/2020/11/17/firefox-83-introduces-https-only-mode/

[2] https://www.mozilla.org/en-US/firefox/83.0/releasenotes/

OpenWrt and self-signed certificates

([Distributions] Nov 18, 2020 21:58 UTC (Wed) (jake))

The move to secure most or all of web traffic using HTTPS is generally a good thing; lots of personal information is exchanged via web browsers, after all. Using HTTPS requires web sites to have TLS certificates, however, which has sometimes been an impediment, though [1]Let's Encrypt has generally solved that problem for many. But there are systems out there that may need the HTTPS protection before their owners even have a chance to procure a certificate, IoT devices and home routers, for example. An October discussion among [2]OpenWrt developers explored this problem a bit.



[1] https://letsencrypt.org/

[2] https://openwrt.org/

Security updates for Monday

([Security] Nov 16, 2020 16:41 UTC (Mon) (ris))

Security updates have been issued by Debian (libdatetime-timezone-perl and libvncserver), Fedora (chromium, kernel, kernel-headers, kernel-tools, krb5, libexif, libxml2, and thunderbird), Gentoo (chromium, libmaxminddb, and mit-krb5), Mageia (arpwatch, bluez, chromium-browser-stable, firefox and thunderbird, golang, java-1.8.0-op, kdeconnect-kde, kleopatra, libexif, lilypond, microcode, packagekit, ruby, and tpm2-tss), openSUSE (chromium, firefox, ImageMagick, kernel, openldap2, python-waitress, SDL, u-boot, ucode-intel, and zeromq), Oracle (fence-agents, firefox, freetype, kernel, python, python3, and thunderbird), Red Hat (rh-postgresql10-postgresql, rh-postgresql12-postgresql, and virt:8.2 and virt-devel:8.2), Slackware (seamonkey), and SUSE (firefox, gdm, kernel, and kernel-firmware).

Kernel prepatch 5.10-rc4

([Kernel] Nov 16, 2020 15:32 UTC (Mon) (corbet))

The [1]5.10-rc4 kernel prepatch is out for testing. "All looks good, and nothing makes me go 'uhhuh, 5.10 looks iffy'. So go test, let's get this all solid and calmed down, and this will hopefully be one of those regular boring releases even if it's certainly not been on the smaller side..."



[1] https://lwn.net/Articles/837346/

youtube-dl repository restored at GitHub

([Development] Nov 16, 2020 14:58 UTC (Mon) (jake))

The GitHub [1]repository for the [2]youtube-dl utility, which is used to download video content from various web sites (including YouTube, thus the name), has been restored. As we [3]reported in last week's edition, GitHub had taken the repository down due to a [4]DMCA notice from the Recording Industry Association of America (RIAA). The only [5]change made to youtube-dl is the removal of some tests that downloaded a few seconds of certain music videos; those videos were specifically targeted by the RIAA in its complaint.



[1] https://github.com/ytdl-org/youtube-dl

[2] https://yt-dl.org/

[3] https://lwn.net/SubscriberLink/836830/5c84e77f5090d3e7/

[4] https://github.com/github/dmca/blob/master/2020/10/2020-10-23-RIAA.md

[5] https://github.com/ytdl-org/youtube-dl/commit/1fb034d029c8b7feafe45f64e6a0808663ad315e

Security updates for Friday

([Security] Nov 13, 2020 14:04 UTC (Fri) (jake))

Security updates have been issued by Debian (libproxy, pacemaker, and thunderbird), Fedora (nss), openSUSE (kernel), Oracle (curl, librepo, qt and qt5-qtbase, and tomcat), Red Hat (firefox), SUSE (firefox, java-1_7_0-openjdk, and openldap2), and Ubuntu (apport, libmaxminddb, openjdk-8, openjdk-lts, and slirp).

Changed-block tracking and differential backups in QEMU

([Kernel] Nov 17, 2020 16:33 UTC (Tue) (kashyap))

The block layer of [1]QEMU, the open-source machine emulator and virtualizer, forms the backbone of many [2]storage virtualization features: the QEMU Copy-On-Write (QCOW2) disk-image file format, disk image chains, point-in-time snapshots, backups, and more. At the recently concluded 2020 [3]KVM Forum virtual event, Eric Blake gave a [4]talk on the current work in QEMU and [5]libvirt to make differential backups more powerful. As the name implies, "differential backups" address the efficiency problems of full disk backups: space usage and speed of backup creation.



[1] https://qemu.org/

[2] https://www.qemu.org/2020/09/14/qemu-storage-overview/

[3] https://events.linuxfoundation.org/kvm-forum/

[4] https://kvmforum2020.sched.com/event/eE3o/bitmaps-and-nbd-building-blocks-of-change-block-tracking-eric-blake-red-hat

[5] https://libvirt.org

[$] Systemd catches up with bind events

([Kernel] Nov 13, 2020 19:37 UTC (Fri) (corbet))

The kernel project has a strong focus on not breaking user-space applications; if something works with a given kernel release, it should continue to work with subsequent releases. So it may be discouraging to read the lengthy exposition on an apparent user-space API break in [1]the announcement for the systemd 247-rc2 release. Changes to udev configuration files will be needed to keep systems working, but the systemd project claims that it "is not [the] fault of systemd or udev, but caused by an incompatible kernel change that happened back in Linux 4.12". It seems like an appropriate time to look at what happened, how administrators need to respond, and whether anything can be done to keep this kind of thing from happening again.



[1] https://lwn.net/Articles/837034/

[$] A realtime developer's checklist

([Development] Nov 16, 2020 20:12 UTC (Mon) (mrybczyn))

Realtime application development under Linux requires care to make sure that the critical realtime tasks do not suffer interference from other applications and the rest of the system. During the [1]Embedded Linux Conference (ELC) 2020, John Ogness presented a checklist ([2]slides [PDF]) for realtime developers, with practical recipes to follow. There are a lot of tools and features available for realtime developers, even on systems without the RT_PREEMPT patches applied.



[1] https://events.linuxfoundation.org/embedded-linux-conference-europe/

[2] https://ogness.net/ese2020/ese2020_johnogness_rtchecklist.pdf

LWN.net Weekly Edition for November 19, 2020



Security updates for Thursday

([Security] Nov 12, 2020 14:19 UTC (Thu) (jake))

Security updates have been issued by Debian (codemirror-js, firefox-esr, and pacemaker), Fedora (firefox, java-latest-openjdk, and xen), openSUSE (sddm), Oracle (bind, curl, fence-agents, kernel, librepo, libvirt, python3, qt and qt5-qtbase, and tomcat), SUSE (firefox), and Ubuntu (intel-microcode, openldap, and raptor2).

[$] iproute2 and libbpf: vendoring on the small scale

([Kernel] Nov 12, 2020 18:30 UTC (Thu) (corbet))

LWN's recent [1]article on Kubernetes in Debian discussed the challenges of packaging a massive project with hundreds of dependencies. Many of the issues that arose there, however, are not limited to such projects, as can be seen in the ongoing discussion about whether a copy of the relatively small [2]libbpf library should be shipped with the [3]iproute2 collection of networking tools. Fast-moving projects, it would seem, continue to feel limited by the restrictions imposed by the Linux distribution model.



[1] https://lwn.net/Articles/835599/

[2] https://github.com/libbpf/libbpf

[3] https://wiki.linuxfoundation.org/networking/iproute2

Security updates for Wednesday

([Security] Nov 11, 2020 15:36 UTC (Wed) (ris))

Security updates have been issued by Arch Linux (chromium, firefox, gdm, linux-hardened, matrix-synapse, salt, sddm, and wordpress), Debian (firefox-esr, libmaxminddb, and moin), Fedora (cifs-utils, firefox, galera, java-latest-openjdk, mariadb, mariadb-connector-c, and wordpress), Gentoo (blueman, chromium, firefox, mariadb, qemu, salt, tmux, and wireshark), openSUSE (sddm), Oracle (kernel), Red Hat (kernel-alt, microcode_ctl, and rh-nodejs12-nodejs), SUSE (kernel, microcode_ctl, openldap2, python-waitress, spice-vdagent, u-boot, and ucode-intel), and Ubuntu (firefox, intel-microcode, linux, linux-aws, linux-azure, linux-gcp, linux-kvm, linux-oracle, linux-raspi, linux, linux-gcp, linux-gcp-4.15, linux-gcp-5.4, linux-gke-4.15, linux-gke-5.3, linux-hwe, linux-hwe-5.4, linux-oem, linux-oem-osp1, linux-oracle, linux-oracle-5.4, and moin).

The RIAA, GitHub, and youtube-dl

([Front] Nov 11, 2020 22:26 UTC (Wed) (jake))

Toward the end of October, GitHub removed the repository for the [1]youtube-dl utility, which provides a means to download video content from various streaming sites, such as YouTube. The repository was replaced with a [2]cheery notice that it had been removed due to a [3]DMCA takedown. It will likely come as no surprise that the DMCA action came from the Recording Industry Association of America (RIAA) or that the complaint was that the program circumvented the "technological protection measures" used on the videos by YouTube and other authorized sites.



[1] https://yt-dl.org/

[2] https://github.com/ytdl-org/youtube-dl

[3] https://github.com/github/dmca/blob/master/2020/10/2020-10-23-RIAA.md

Yet another set of stable kernel updates

([Kernel] Nov 10, 2020 21:08 UTC (Tue) (corbet))

The second set of stable kernel updates in a single day has just come out: [1]5.9.8, [2]5.4.77, [3]4.19.157, [4]4.14.206, [5]4.9.243, and [6]4.4.243 are all available. They all contain a single patch fixing [7]an urgent security issue. Greg Kroah-Hartman says: "Hint, if you are using SGX, then upgrade. And then possibly reconsider the decisions you have recently made that caused you to write special code to use that crazy thing." See [8]this article for information on SGX in the kernel.



[1] https://lwn.net/Articles/836794/

[2] https://lwn.net/Articles/836795/

[3] https://lwn.net/Articles/836796/

[4] https://lwn.net/Articles/836797/

[5] https://lwn.net/Articles/836798/

[6] https://lwn.net/Articles/836799/

[7] https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00389.html

[8] https://lwn.net/Articles/786487/

Eleven Years of Go

([Development] Nov 10, 2020 17:36 UTC (Tue) (corbet))

The Go blog [1]celebrates eleven years of Go language development and looks forward to what comes next. "When the pandemic hit, we decided to pause any public announcements or launches in the spring, recognizing that everyone’s attention rightly belonged elsewhere. But we kept working, and one of our team members joined the Apple/Google collaboration on privacy-preserving exposure notifications to support contact tracing efforts all over the world. In May, that group launched the reference backend server, written in Go."



[1] https://blog.golang.org/11years

Stable kernel updates

([Kernel] Nov 10, 2020 16:14 UTC (Tue) (ris))

Stable kernels [1]5.9.7, [2]5.4.76, [3]4.19.156, [4]4.14.205, [5]4.9.242, and [6]4.4.242 have been released. They all contain important fixes and users should upgrade.



[1] https://lwn.net/Articles/836772/

[2] https://lwn.net/Articles/836773/

[3] https://lwn.net/Articles/836774/

[4] https://lwn.net/Articles/836775/

[5] https://lwn.net/Articles/836776/

[6] https://lwn.net/Articles/836777/

Security updates for Tuesday

([Security] Nov 10, 2020 16:01 UTC (Tue) (ris))

Security updates have been issued by Debian (moin, obfs4proxy, tcpdump, and zeromq3), Fedora (samba), Mageia (lout, openldap, pacemaker, samba, sddm, and spice, spice-gtk), openSUSE (bluez, ImageMagick, java-1_8_0-openj9, otrs, and wireshark), Red Hat (bind, buildah, curl, fence-agents, kernel, kernel-rt, kpatch-patch, librepo, libvirt, podman, python, python3, qt and qt5-qtbase, resource-agents, skopeo, tomcat, and unixODBC), SUSE (gcc10, python3, SDL, and zeromq), and Ubuntu (libexif).

KVM for Android

([Kernel] Nov 11, 2020 18:12 UTC (Wed) (jake))

A Google project aims to bring the Linux kernel virtualization mechanism, KVM, to Android systems. Will Deacon leads that effort and he (virtually) came to [1]KVM Forum to discuss the project, its goals, and some of the challenges it has faced. Unlike some Android projects of the past, though, "protected KVM" is being worked on in the open, with code going upstream along the way.



[1] https://events.linuxfoundation.org/kvm-forum/
