lwn.net

LWN.net is a comprehensive source of news and opinions from
and about the Linux community. This is the main LWN.net feed,
listing all articles which are posted to the site front page.
URL: https://lwn.net
Updated: 2 hours 10 minutes ago
[$] LWN.net Weekly Edition for January 28, 2021
The LWN.net Weekly Edition for January 28, 2021 is available.
An unpleasant sudo vulnerability
It would appear that "sudo" has a buffer-overflow vulnerability that allows
any local user to gain root privileges, whether or not they are in the
sudoers file. It has been there since 2011. See this
advisory for details, but perhaps run an update first.
[$] A year of Python in Fedora
Distribution developers do a lot of work to keep a language ecosystem
working well within the distribution. It is relatively thankless work that
normally only becomes visible when there is a problem or complaint. But
Miro Hrončok recently put together a look
back at what the Fedora Python team did during 2020. While it is,
obviously, Fedora-specific, it provides something of a look inside at the
kinds of things that distribution teams work on.
[$] Elastic promises "open"—delivers proprietary
Open-source software is famously able to be used by anyone for any purpose;
those are some of the keystones of the open
source definition.
But some companies that run open-source projects are increasingly unhappy
that others are reaping some of the profits from those projects.
That has led to various
efforts of "license reform" meant to try to capture those profits. So
far, those efforts have just led to non-open-source licenses, thus projects
that are no longer open source. We are seeing
that play out yet again with Elastic's mid-January announcement that
it was changing the license on some of its projects.
Three stable kernels
Security updates for Wednesday
Security updates have been issued by Arch Linux (sudo), CentOS (sudo), Debian (sudo), Fedora (kernel, php-pear, and sudo), Gentoo (cacti, mutt, and sudo), Mageia (sudo), openSUSE (sudo), Oracle (sudo), Red Hat (sudo), Scientific Linux (sudo), Slackware (sudo), SUSE (go1.14, go1.15, nodejs8, and sudo), and Ubuntu (libsndfile and sudo).
Security updates for Tuesday
Security updates have been issued by CentOS (dnsmasq, net-snmp, and xstream), Debian (mutt), Gentoo (cfitsio, f2fs-tools, freeradius, libvirt, mutt, ncurses, openjpeg, PEAR-Archive_Tar, and qtwebengine), openSUSE (chromium, mutt, stunnel, and virtualbox), Red Hat (cryptsetup, gnome-settings-daemon, and net-snmp), Scientific Linux (xstream), SUSE (postgresql, postgresql12, postgresql13 and rubygem-nokogiri), and Ubuntu (mutt).
Firefox 85 released
Version 85 of
the Firefox browser has been released. The headline change appears to
be the isolation of internal caches to defeat the use of "supercookies" to
track users; see this
blog entry for details. "In fact, there are many different
caches trackers can abuse to build supercookies. Firefox 85 partitions all
of the following caches by the top-level site being visited: HTTP cache,
image cache, favicon cache, HSTS cache, OCSP cache, style sheet cache, font
cache, DNS cache, HTTP Authentication cache, Alt-Svc cache, and TLS
certificate cache."
pip 21.0 has now been released
The Python Packaging Authority (PyPA) has announced the release of pip
21.0. This version removes Python 2.7 and 3.5 support, and drops support
for legacy cache entries from pip < 20.0.
[$] The endless browser wars
The term "browser wars" typically refers to Microsoft's attempts to
dominate the World Wide Web with its Internet Explorer browser in the
1990s. That effort was thwarted by antitrust efforts and the rise of the
free browser now known as Firefox;
ever since, the web has been defined by free software. Or so some may have
thought. In the 2020s, the browser wars continue with the growing
dominance of Chrome and, it would seem, the imminent removal of Chromium
from many Linux distributions.
Security updates for Monday
Security updates have been issued by Debian (crmsh, debian-security-support, flatpak, gst-plugins-bad1.0, openvswitch, python-bottle, salt, tomcat9, and vlc), Fedora (chromium, python-pillow, sddm, and xen), Gentoo (chromium, dnsmasq, flatpak, glibc, kdeconnect, openjdk, python, thunderbird, virtualbox, and wireshark), Mageia (blosc, crmsh, glibc, perl-DBI, php-oojs-oojs-ui, python-pip, python-urllib3, and undertow), openSUSE (gdk-pixbuf, hawk2, ImageMagick, opera, python-autobahn, viewvc, wavpack, and xstream), Red Hat (dnsmasq), Slackware (seamonkey), SUSE (hawk2, ImageMagick, mutt, permissions, and stunnel), and Ubuntu (pound).
Kernel prepatch 5.11-rc5
The 5.11-rc5 kernel prepatch is out for
testing. "Nothing particularly stands out. We had a couple of splice()
regressions that came in during the previous release as part of the
'get rid of set_fs()' development, but they were for odd cases that
most people would never notice. I think it's just that 5.10 is now
getting more widely deployed so people see the fallout from that
rather fundamental change in the last release."
Some weekend stable kernel updates
[$] Preserving the mobility of ZONE_MOVABLE
Memory fragmentation has long been a problem for Linux systems, to the
point that, for years, finding even two physically contiguous pages was an
uncertain affair. That said, the situation has improved considerably in
the last decade or so thanks to a number of changes implemented by the
memory-management developers. One of those changes is the creation of
"movable"
memory zones where pages can be relocated if need be. All that work is for
nothing, though, if somebody comes along and pins down a page in one of
these movable zones. This
patch set from Pavel Tatashin seeks to prevent that from happening, but
may risk creating problems elsewhere.
Security updates for Friday
Security updates have been issued by Debian (drupal7), Fedora (dotnet3.1), Gentoo (zabbix), openSUSE (ImageMagick and python-autobahn), and SUSE (hawk2 and wavpack).
This is 2021: what’s coming in free/libre software (Libre Arts)
Libre Arts (formerly Libre Graphics World) has posted a comprehensive
survey of what 2021 might hold for a wide range of free
content-creation software.
The topic of fullscreen color management implementation in Wayland is back, and it’s a kinda frustrating story. In a nutshell:
- people who are now working on this (Collabora developers) seem to have little experience with color management but they appear to be motivated to hack on the code;
- all the while people who have a crapload of experience with color management have had bad experience discussing this before, do not like the approach by the new team, and don’t seem excited to contribute to this new effort (Graeme’s spec proposal is still available).
So we might end up with an implementation that is not suitable for professional work.
Corellium: How we ported Linux to the M1
The Corellium blog is carrying a description of how the Linux
port to the Apple M1 processor was done. "Many components of the
M1 are shared with Apple mobile SoCs, which gave us a good running
start. But when writing Linux drivers, it became very apparent how
non-standard Apple SoCs really are. Our virtual environment is extremely
flexible in terms of models it can accommodate; but on the Linux side, the
64-bit ARM world has largely settled on a well-defined set of building
blocks and firmware interfaces - nearly none of which were used on the
M1."
[$] Avoiding blocking file-name lookups
As a general rule, when one attempts to open a file with a system call like
openat2(),
the expectation is that the call will not return until the job is done.
But there are times where the desire to open the file is conditional on
being able to open it immediately, without blocking. Linux has never
supported that mode well, but that may be about to change with this
patch set from Jens Axboe.
Security updates for Thursday
Security updates have been issued by Debian (mutt), Fedora (libntlm, mingw-python-pillow, python-pillow, and sudo), Mageia (kernel), SUSE (gdk-pixbuf, perl-Convert-ASN1, samba, and yast2-multipath), and Ubuntu (linux, linux-aws, linux-azure, linux-gcp, linux-hwe-5.4, linux-hwe-5.8, linux-oracle).
[$] LWN.net Weekly Edition for January 21, 2021
The LWN.net Weekly Edition for January 21, 2021 is available.