lwn.net

The LWN.net Weekly Edition for September 23, 2021 is available.

Over at the Guix-HPC blog, Ludovic Courtès writes about trying to package the PyTorch machine-learning library for the Guix distribution. Building from source in a user-verifiable manner is part of the philosophy behind Guix, but there were a number of problems that were encountered: The first surprise when starting packaging PyTorch is that, despite being on PyPI, PyTorch is first and foremost a large C++ code base. It does have a setup.py as commonly found in pure Python packages, but that file delegates the bulk of the work to CMake.

The second surprise is that PyTorch bundles (or "vendors", as some would say) source code for no less than 41 dependencies, ranging from small Python and C++ helper libraries to large C++ neural network tools. Like other distributions such as Debian, Guix avoids bundling: we would rather have one Guix package for each of these dependencies. The rationale is manifold, but it boils down to keeping things auditable, reducing resource usage, and making security updates practical.

A few weeks ago, Matthew Wilcox might have guessed that his session at the 2021 Linux Plumbers Conference would be focused rather differently. But, as we reported earlier in September, his folio patch set ran into some, perhaps unexpected, opposition and, ultimately, did not land in the mainline for 5.15. Instead of discussing how to use folios as part of the File Systems microconference, he led a discussion that was, at least in part, on the path forward for them.

The GNOME project has announced the release of GNOME 41. The most notable changes this in release include an improved Software app, new multitasking settings, and enhanced power management features. With these changes, GNOME is smarter, more flexible, and offers a richer and more engaging experience than ever before.

The new release also comes with significant improvements for developers, including a new developer documentation website, a major new version of the Human Interface Guidelines, new features in the Builder IDE, GTK 4 enhancements, and much more.

Craig Kerstiens highlights some of the "little things" featured in the upcoming PostgreSQL 14 release.

And now in PostgreSQL 14 there is this seemingly small update, pipeline mode, which, according to the docs, allows applications to send a query without having to read the result of the previously sent query. Taking advantage of the pipeline mode, a client will wait less for the server, since multiple queries/results can be sent/received in a single network transaction.

The Google security blog provides an overview of what is being done to address memory-safety problems in the Chrome browser.

In parallel, we’ll be exploring whether we can use a memory safe language for parts of Chrome in the future. The leading contender is Rust, invented by our friends at Mozilla. This is (largely) compile-time safe; that is, the Rust compiler spots mistakes with pointers before the code even gets to your device, and thus there’s no performance penalty. Yet there are open questions about whether we can make C++ and Rust work well enough together. Even if we started writing new large components in Rust tomorrow, we’d be unlikely to eliminate a significant proportion of security vulnerabilities for many years.

Stable kernels 5.14.7, 5.10.68, 5.4.148, 4.19.207, 4.14.247, 4.9.283, and 4.4.284 have been released. They all contain important fixes and users should upgrade.

Security updates have been issued by Debian (grilo), Fedora (curl, firefox, mingw-python-pillow, python-pillow, python2-pillow, and webkit2gtk3), openSUSE (chromium, grafana-piechart-panel, kernel, libcroco, php-composer, and xen), Oracle (curl, kernel, and nss and nspr), Red Hat (nodejs:12), Slackware (alpine), SUSE (ghostscript, grafana-piechart-panel, kernel, and xen), and Ubuntu (linux, linux-hwe, linux-hwe-5.11, linux-hwe-5.4, linux-raspi, linux-raspi-5.4, and linux-raspi2).

Alyssa Rosenzweig reports that the open-source Panfrost driver for Mali GPUs has achieved official conformance on Mali-G52 for OpenGL ES 3.1. This important milestone is a step forward for the open source driver, as it now certifies Panfrost for use in commercial products containing Mali G52 and paves the way for further conformance submissions on other Mali GPUs.

Middleboxes are, unfortunately in many ways, a big part of today's internet. While middleboxes inhabit the same physical niche as routers, they are not aimed at packet forwarding; instead they are meant to monitor and manipulate the packets that they see. The effects of those devices on users of the networks they reign over may be unfortunate as well, but the rest of the internet is only affected when trying to communicate with those users—or so it was thought. Based on some recently reported research, it turns out that middleboxes can be abused to inflict denial-of-service (DoS) attacks elsewhere on the net.

Security updates have been issued by Debian (webkit2gtk, wpewebkit, and xen), Oracle (kernel), Red Hat (curl, go-toolset:rhel8, krb5, mysql:8.0, nodejs:12, and nss and nspr), and Ubuntu (curl and tiff).

Ben Hoyt has published a critical overview of the Python 3.10 pattern-matching feature.

As shown above, there are cases where match really shines. But they are few and far between, mostly when handling syntax trees and writing parsers. A lot of code does have if ... elif chains, but these are often either plain switch-on-value, where elif works almost as well, or the conditions they’re testing are a more complex combination of tests that don’t fit into case patterns (unless you use awkward case _ if cond clauses, but that’s strictly worse than elif).

(Pattern matching has been covered here as well).

The first day of the Kangrejos (Rust for Linux) conference introduced the project and what it was trying to accomplish; day 2 covered a number of core Rust concepts and their relevance to the kernel. On the third and final day of the conference, Wedson Almeida Filho delved deeper into how Rust can be made to work in the Linux kernel, covered some of the lessons that have been learned so far, and discussed next steps with a number of kernel developers.

Security updates have been issued by Debian (gnutls28, nettle, nextcloud-desktop, and openssl1.0), Fedora (dovecot-fts-xapian, drupal7, ghostscript, haproxy, libtpms, lynx, wordpress, and xen), openSUSE (xen), Red Hat (rh-ruby27-ruby), and SUSE (openssl, openssl1, and xen).

The 5.15-rc2 kernel prepatch is out for testing.

So I've spent a fair amount of this week trying to sort out all the odd warnings, and I want to particularly thank Guenter Roeck for his work on tracking where the build failures due to -Werror come from.

Is it done? No. But on the whole I'm feeling fairly good about this all, even if it has meant that I've been looking at some really odd and grotty code. Who knew I'd still worry about some odd EISA driver on alpha, after all these years? A slight change of pace ;)

The relatively large 5.14.6, 5.13.19, and 5.10.67 stable kernel updates have been released; each contains another set of important fixes. Note that this is the final update for the 5.13.x series.

Here's a post from Christian Schaller describing a number of the desktop-oriented improvements that can be expected in the Fedora 35 release.

And I know some people will wonder why we spent so much time working with NVidia around their binary driver, but the reality is that NVidia is the market leader, especially in the professional Linux workstation space, and there are lot of people who either would end up not using Linux or using Linux with X without it, including a lot of Red Hat customers and Fedora users. And that is what I and my team are here for at the end of the day, to make sure Red Hat customers are able to get their job done using their Linux systems.

Ariadne Conill looks at the difficulties caused by the OpenSSL 3 transition in the context of Alpine Linux.

For distributions, however, the story is different: cryptography moved to using Rust, because they wanted to leverage all of the static analysis capabilities built into the language. This, too, is a reasonable decision, from a development perspective. From the ecosystem perspective, however, it is problematic, as the Rust ecosystem is still rapidly evolving, and so we cannot support a single branch of the Rust compiler for an entire 2 year lifecycle, which means it exists in community. Our solution, historically, has been to hold cryptography at the latest version that did not require Rust to build. However, that version is not compatible with OpenSSL 3, and so it will eventually need to be upgraded to a new version which is. And so, since cryptography has to move to community, so does paramiko and Ansible.

The first day of the online Kangrejos conference was focused on introducing the effort to bring the Rust programming language into the Linux kernel. On the second day, conference organizer Miguel Ojeda shifted to presenting the Rust language itself with an emphasis on what Rust can provide for kernel development. The result was a useful resource for anybody who is curious about this project, but who has not yet had the time to become familiar with Rust.

Security updates have been issued by CentOS (firefox and thunderbird), Fedora (haproxy, wordpress, and xen), openSUSE (apache2-mod_auth_openidc, fail2ban, ghostscript, haserl, libcroco, nextcloud, and wireshark), Oracle (kernel and kernel-container), Slackware (httpd), SUSE (crmsh, gtk-vnc, libcroco, Mesa, postgresql12, postgresql13, and transfig), and Ubuntu (libgcrypt20, linux-gcp, linux-gcp-4.15, linux-hwe-5.4, linux-oem-5.13, python3.4, python3.5, and qtbase-opensource-src).