lwn.net

Security updates have been issued by Mageia (mysql-connector-java), openSUSE (chromium, curl, libqt4, and singularity), Red Hat (bash and kernel), SUSE (python-pip and python3), and Ubuntu (busybox, ceph, freeimage, libofx, libpam-tacplus, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-gcp, linux-gcp-4.15, linux-gke-4.15, linux-hwe, linux-oem, linux-oracle, linux-raspi2, linux-snapdragon, linux, linux-azure, linux-gcp, linux-oracle, novnc, and tnef).

Kees Cook catches up with the security-related changes in the 5.7 kernel. "The kernel’s Linux Security Module (LSM) API provide a way to write security modules that have traditionally implemented various Mandatory Access Control (MAC) systems like SELinux, AppArmor, etc. The LSM hooks are numerous and no one LSM uses them all, as some hooks are much more specialized (like those used by IMA, Yama, LoadPin, etc). There was not, however, any way to externally attach to these hooks (not even through a regular loadable kernel module) nor build fully dynamic security policy, until KP Singh landed the API for building LSM policy using BPF. With this, it is possible (for a privileged process) to write kernel LSM hooks in BPF, allowing for totally custom security policy (and reporting)."

Security updates have been issued by Debian (inspircd and modsecurity), Fedora (chromium, cryptsetup, gnutls, mingw-libxml2, and seamonkey), openSUSE (ark, chromium, claws-mail, docker-distribution, fossil, hylafax+, inn, knot, libetpan, libjpeg-turbo, libqt4, librepo, libvirt, libxml2, lilypond, mumble, openldap2, otrs, pdns-recursor, perl-DBI, python-Flask-Cors, singularity, slurm_18_08, and virtualbox), SUSE (jasper, less, ovmf, and rubygem-actionview-4_2), and Ubuntu (sa-exim).

The 5.9-rc6 kernel prepatch is out. "The one thing that does show up in the diffstat is the softscroll removal (both fbcon and vgacon), and there are people who want to save that, but we'll see if some maintainer steps up. I'm not willing to resurrect it in the broken form it was in, so I doubt that will happen in 5.9, but we'll see what happens."

Andrew "bunnie" Huang has announced a new project called "Precursor"; it is meant to be a platform for makers to create interesting new devices. "Precursor is unique in the open source electronics space in that it’s designed from the ground-up to be carried around in your pocket. It’s not just a naked circuit board with connectors hanging off at random locations: it comes fully integrated—with a rechargeable battery, a display, and a keyboard—in a sleek, 7.2 mm (quarter-inch) aluminum case." You can't get one yet, but the crowdfunding push starts soon.

The discussion started out as a straightforward patch set from Thomas Gleixner making a minor change to how preemption counting is handled. The resulting discussion quickly spread out to cover a number of issues relevant to core-kernel development in surprisingly few messages; each of those topics merits a quick look, starting with how the preemption counter itself works. Sometimes a simple count turns out to not be as simple as it seems.

James Bottomley has put together a detailed recounting of what it took to get IPv6 fully working on his network. "One of the things you’d think from the above is that IPv6 always auto configures and, while it is true that if you simply plug your laptop into the ethernet port of a cable modem it will just automatically configure, most people have a more complex home setup involving a router, which needs some special coaxing before it will work. That means you need to obtain additional features from your ISP using special DHCPv6 requests."

Security updates have been issued by Arch Linux (chromium and netbeans), Oracle (mysql:8.0 and thunderbird), SUSE (rubygem-rack and samba), and Ubuntu (apng2gif, gnupg2, libemail-address-list-perl, libproxy, pulseaudio, pure-ftpd, samba, and xawtv).

Greg Kroah-Hartman has announced the release of the 5.8.10, 5.4.66, and 4.19.146 stable kernels. They contain important fixes throughout the tree and users should upgraded.

The GNOME Project has announced a change to its version-numbering scheme; the next release will be "GNOME 40". "After nearly 10 years of 3.x releases, the minor version number is getting unwieldy. It is also exceedingly clear that we're not going to bump the major version because of technological changes in the core platform, like we did for GNOME 2 and 3, and then piling on a major UX change on top of that. Radical technological and design changes are too disruptive for maintainers, users, and developers; we have become pretty good at iterating design and technologies, to the point that the current GNOME platform, UI, and UX are fairly different from what was released with GNOME 3.0, while still following the same design tenets."

The kernel contains a wide variety of locking primitives; it can be hard to stay on top of all of them. So even veteran kernel developers might be forgiven for being unaware of the "seqcount latch" lock type or its use. While this lock type has existed in the kernel for several years, it is only being formalized with a proper type declaration in 5.10. So this seems like a good time to look at what these locks are and how they work.

Security updates have been issued by Fedora (dotnet3.1, kernel, mbedtls, and python35), Mageia (libraw), openSUSE (mumble), SUSE (libsolv, libzypp, and perl-DBI), and Ubuntu (libdbi-perl, libphp-phpmailer, mcabber, ncmpc, openssl, openssl1.0, qemu, samba, storebackup, and util-linux).

The LWN.net Weekly Edition for September 17, 2020 is available.

As the PHP project nears its 8.0 release, which is currently slated for late November, there are a number of interesting things to report from its development mailing list. For one, the syntax of the attributes feature has finally been settled on after an acrimonious debate largely over the minutiae of the voting process. In addition, some releases were made and a new proposal to add any() and all() as core library functions was discussed.

The pandemic has changed many things in our communities, even though distance has always played a big role in free software development. Annual in-person gatherings for conferences and the like are generally paused at the moment, but even after travel and congregating become reasonable again, face-to-face meetings may be less frequent. There are both positives and negatives to that outcome, of course, but some rethinking will be in order if that comes to pass. The process of key signing is something that may need to change as well; the Debian project, which uses signed keys, has been discussing the subject.

Version 3.38 of the GNOME desktop environment is out. "This release brings a new Welcome tour, improved grouping and reordering of applications in the overview, better fingerprint enrollment, deeper systemd integration, and more." See the release notes for details.

Security updates have been issued by Fedora (libssh, python35, and xen), Oracle (kernel), Red Hat (librepo and mysql:8.0), SUSE (perl-DBI), and Ubuntu (Apache Log4j, Apache XML-RPC, bsdiff, libdbi-perl, luajit, milkytracker, OpenJPEG, ruby-loofah, and ruby-websocket-extensions).

The BPF virtual machine is being used ever more widely in the kernel, but it has not been a target for GCC until recently. BPF is currently generated using the LLVM compiler suite. Jose E. Marchesi gave a pair of presentations as part of the GNU Tools track at the 2020 Linux Plumbers Conference (LPC) that provided attendees with a look at the BPF for GCC project, which started around a year ago. It has made some significant progress, but there is, of course, more to do.

Moment.js, the de facto standard JavaScript library for date and time manipulation, has announced that "we would like to discourage Moment from being used in new projects going forward." The project cited multiple reasons for the recommendation. The first is that moment objects are mutable; another is the unnecessarily large size of the library when compared to other internationalization and time-zone support options available to modern browsers. According to the post, "we now generally consider Moment to be a legacy project in maintenance mode. It is not dead, but it is indeed done." The project offers multiple recommendations of alternative options, including "the evolution of Moment", Luxon, authored by long-time Moment.js contributor Isaac Cambron.

Security updates have been issued by CentOS (dovecot), Debian (gnome-shell and teeworlds), Mageia (libetpan and zeromq), openSUSE (libxml2), Red Hat (chromium-browser and librepo), SUSE (compat-openssl098, firefox, kernel, openssl, and shim), and Ubuntu (gupnp).