lwn.net

Version 3.4 of the Bison parser generator is out. "A particular focus was put on improving the diagnostics, which are now colored by default, and accurate with multibyte input. Their format was also changed, and is now similar to GCC 9's diagnostics."

By the time Linus Torvalds released the 5.2-rc1 kernel prepatch and closed the merge window for this development cycle, 12,064 non-merge changesets had been pulled into the mainline repository — about 3,700 since our summary of the first "half" was written. Thus, as predicted, the rate of change did slow during the latter part of the merge window. That does not mean that no significant changes have been merged, though; read on for a summary of what else has been merged for 5.2.

Security updates have been issued by Debian (cups-filters, dhcpcd5, faad2, ghostscript, graphicsmagick, jruby, lemonldap-ng, and libspring-security-2.0-java), Fedora (gnome-desktop3, java-1.8.0-openjdk-aarch32, libu2f-host, samba, sqlite, webkit2gtk3, xen, and ytnef), Mageia (docker, flash-player-plugin, freeradius, libsndfile, libxslt, mariadb, netpbm, python-jinja2, tomcat-native, and virtualbox), openSUSE (kernel and ucode-intel), and SUSE (kernel, kvm, libvirt, nmap, and transfig).

Wired looks at the security issues stemming from the complexity of the Bluetooth standard. "Bluetooth has certainly been investigated to a degree, but researchers say that the lack of intense scrutiny historically stems again from just how involved it is to even read the standard, much less understand how it works and all the possible implementations. On the plus side, this has created a sort of security through obscurity, in which attackers have also found it easier to develop attacks against other protocols and systems rather than taking the time to work out how to mess with Bluetooth."

Linus has released the 5.2-rc2 kernel prepatch and closed the merge window for this development cycle. "Nothing particularly odd going on this merge window. I had some travel in the middle of it, but to offset that I had a new faster test-build setup, and most of the pull requests came in early (thank you) so my travels didn't actually end up affecting the merge window all that much."

The ever-increasing complexity of the software stacks we work with has given testing an important role. There was a recent intersection between the automated testing being done by the Yocto Project (YP) and a bug introduced into the Linux kernel that gives some insight into what the future holds and the potential available with this kind of testing.

Six new stable kernels have been released: 5.1.3, 5.0.17, 4.19.44, 4.14.120, 4.9.177, and 4.4.180. As usual, they contain important fixes throughout the kernel tree; users should upgrade.

Security updates have been issued by Debian (jquery), Fedora (kernel-headers, php-typo3-phar-stream-wrapper, and python3), openSUSE (qemu, ucode-intel, and xen), Red Hat (chromium-browser, java-1.8.0-ibm, and rh-python35-python-jinja2), SUSE (containerd, docker, docker-runc, go, go1.11, go1.12, golang-github-docker-libnetwork, evolution, graphviz, kernel, qemu, and systemd), and Ubuntu (libmediainfo, libvirt, and Wireshark).

Over the past four years, LWN has covered the Python Language Summit, but this year the Python Software Foundation (PSF) elected to go in a different direction, with coverage by A. Jesse Jiryu Davis on the PSF blog. Those reports are being gathered on a summit page; as of this writing there are two reports up with plenty more to come. "The Python Language Summit is a small gathering of Python language implementers, both the core developers of CPython and alternative Pythons, held on the first day of PyCon. The summit features short presentations from Python developers and community members, followed by longer discussions. The 2019 summit is the first held since Guido van Rossum stepped down as Benevolent Dictator for Life, replaced by a five-member Steering Council."

Even with radiators and fans, a system's CPUs can overheat. When that happens, the kernel's thermal governor will cap the maximum frequency of that CPU to allow it to cool. The scheduler, however, is not aware that the CPU's capacity has changed; it may schedule more work than optimal in the current conditions, leading to a performance degradation. Recently, Thara Gopinath did some research and posted a patch set to address this problem. The solution adds an interface to inform the scheduler about thermal events so that it can assign tasks better and thus improve the overall system performance.

Greg Kroah-Hartman has announced the release of the 3.18.140 stable kernel. "Note, this is the LAST 3.18.y release that I will be doing on kernel.org. I know it has been marked as End-of-Life for quite some time, but I have kept it alive due to a few million phones out there in the wild that depend on it, and can not move to a new kernel base due to them being stuck with a SoC vendor that does not work upstream. But, this does not mean the tree is dead, oh no, if only it were that easy..." He and others will be updating the kernel in the Android Open Source Project (AOSP) tree.

Security updates have been issued by CentOS (freeradius, kernel, libvirt, and qemu-kvm), Debian (intel-microcode, linux-4.9, and samba), Fedora (kernel, kernel-headers, memcached, microcode_ctl, php-pecl-imagick, and samba), Mageia (kernel, kernel-linus, kernel-tmb, and microcode), openSUSE (389-ds, bzip2, jakarta-commons-fileupload, kernel, and pacemaker), Red Hat (flash-plugin and ruby), Scientific Linux (kernel, libvirt, qemu-kvm, and ruby), Slackware (rdesktop), and Ubuntu (libvirt).

The LWN.net Weekly Edition for May 16, 2019 is available.

Over the past year, Python has moved on from the benevolent dictator for life (BDFL) governance model since Guido van Rossum stepped down from that role. In February, a new steering council was elected based on the governance model that was adopted in December. At PyCon 2019 in Cleveland, Ohio, the five members of the steering council took the stage for a keynote panel that was moderated by Python Software Foundation (PSF) executive director Ewa Jodlowska.

We contemplated putting together an LWN article on the "microarchitectural data sampling" (MDS) vulnerabilities, as we've done for past speculative-execution issues. But the truth of the matter is that it's really more of the same, and there is a lot of material out there on the net already. So, for those who would like to learn more, here's a list of resources.

• This page from the kernel documentation contains a fairly detailed description of the problem and this page has mitigation information.
• ZombieLoadAttack.com describes the ZombieLoad MDS attack and, in particular, contains this paper [PDF] from Michael Schwarz et al. with the details.

• mdsattacks.com holds academic papers on the Fallout [PDF] (Marina Minkin et al.) and RIDL [PDF] (Stephan van Schaik et al.) attacks.
• Jon Masters has written an overview article complete with a three-minute video on the vulnerabilities and their exploits. For those wanting more Masters, there is also a longer video that goes deeper.
• Here is Intel's "deep dive" into the MDS vulnerabilities.
• Cerberus Technology has put up an overview article that discusses some of the possible attacks enabled by the MDS vulnerabilities.

Amir Goldstein led a discussion on things that the two major network filesystems for Linux, Samba and NFS, could cooperate on at the end of day one of the 2019 Linux Storage, Filesystem, and Memory-Management Summit. In particular, are there needs that both filesystems have that the kernel is not currently providing? He had some ideas of areas that might be tackled, but was looking for feedback from the assembled filesystem developers.

Michael Crosby is one of the most influential developers working on Docker containers today, helping to lead development of containerd as well as serving as the Open Container Initiative (OCI) Technical Oversight Chair. At DockerCon 19, Crosby led a standing-room-only session, outlining the past, present and — more importantly — the future of Docker as a container technology. The early history of Docker is closely tied with Linux and, as it turns out, so too is Docker's future.

Security updates have been issued by Debian (drupal7, intel-microcode, kernel, and lemonldap-ng), Red Hat (kernel, kernel-rt, libvirt, qemu-kvm, qemu-kvm-rhev, redhat-virtualization-host, rhvm-appliance, vdsm, virt:rhel, and wget), Scientific Linux (wget), SUSE (containerd, docker, docker-runc, go, go1.11, go1.12, golang-github-docker-libnetwork, kernel, libxslt, microcode_ctl, qemu, ucode-intel, and xen), and Ubuntu (intel-microcode, kernel, linux, linux-aws, linux-azure, linux-gcp, linux-kvm, linux-raspi2, linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon, linux-hwe, linux-azure, linux-hwe, linux-azure, linux-gcp, linux-oracle, linux-lts-trusty, linux-lts-xenial, linux-raspi2, linux-snapdragon, qemu, and samba).

Here's a blog post from "Brent" on how PHP deserves another look. "Today I want to look at the bright side: let's focus on the things that have changed and ways to write clean and maintainable PHP code. I want to ask you to set aside any prejudice for just a few minutes. Afterwards you're free to think exactly the same about PHP as you did before. Though chances are you will be surprised by some of the improvements made to PHP in the last few years."

A new filesystem aimed at sharing host filesystems with KVM guests, virtio-fs, was the topic of a session led by Miklos Szeredi at the 2019 Linux Storage, Filesystem, and Memory-Management Summit. The existing solution, which is based on the 9P filesystem from Plan 9, has some shortcomings, he said. Virtio-fs is a prototype that uses the Filesystem in Userspace (FUSE) interface.