lwn.net

DNF, the Fedora package manager, is going to be significantly rewritten; it seems it is truly "development not finished" for now. "We've managed to drop a lot of redundant code across the whole DNF stack in the past years, but we have reached a point when it's nearly impossible to consolidate the code any further without breaking the API/ABI. Especially with PackageKit being dead, we can't move with the old 'libhif' API in libdnf, because making any bigger changes to PackageKit is clearly out of scope."

System calls on Linux are relatively cheap, though the mitigations for speculative-execution vulnerabilities have made them more expensive than they once were. But even cheap system calls add up if one has to make a large number of them. Thus, developers have been working on ways to avoid system calls for a long time. Currently under discussion is a pair of ways to reduce the number of system calls required to read a file's contents, one of which is rather simpler than the other.

Security updates have been issued by Arch Linux (chromium, opensc, opensmtpd, and weechat), Debian (jackson-databind and pdfresurrect), Fedora (sudo), openSUSE (openfortivpn and squid), Red Hat (virt:8.1 and virt-devel:8.1), Scientific Linux (http-parser and xerces-c), and SUSE (gd, kernel, postgresql10, and tomcat).

Over on the Collabora blog, Julian Bouzas writes about PipeWire, which is a relatively new multimedia server for the Linux desktop and beyond. "PipeWire was originally created to only handle access to video resources and co-exist with PulseAudio. Earlier versions have already been shipping in Fedora for a while, allowing Flatpak applications to access video cameras and to implement screen sharing on Wayland. Eventually, PipeWire has ended up handling any kind of media, to the point of planning to completely replace PulseAudio in the future. The new 0.3 version is marked as a preview for audio support. But why replace PulseAudio? Although PulseAudio already provides a working intermediate layer to access audio devices, PipeWire has to offer more features that PulseAudio was not designed to deliver, starting with a better security model, which allows isolation between applications and secure access from within containers. Another interesting feature of PipeWire is that it unifies the two audio systems used on the desktop, JACK for low-latency professional audio and PulseAudio for normal desktop use-cases. PipeWire was designed to be able to accommodate both use cases, delivering very low latency, while at the same time not wasting CPU resources. This design also makes PipeWire a much more efficient solution than PulseAudio in general, making it a perfect fit for embedded use cases too."

The Positive Technologies blog is reporting on an unfixable flaw the company has found in Intel x86 hardware that has the potential to subvert the hardware root of trust for a variety of processors. "The EPID [Enhanced Privacy ID] issue is not too bad for the time being because the Chipset Key is stored inside the platform in the One-Time Programmable (OTP) Memory, and is encrypted. To fully compromise EPID, hackers would need to extract the hardware key used to encrypt the Chipset Key, which resides in Secure Key Storage (SKS). However, this key is not platform-specific. A single key is used for an entire generation of Intel chipsets. And since the ROM vulnerability allows seizing control of code execution before the hardware key generation mechanism in the SKS is locked, and the ROM vulnerability cannot be fixed, we believe that extracting this key is only a matter of time. When this happens, utter chaos will reign. Hardware IDs will be forged, digital content will be extracted, and data from encrypted hard disks will be decrypted." Intel has said that it is aware of the problem (CVE-2019-0090), but since it cannot be fixed in the ROM, Intel is "trying to block all possible exploitation vectors"; the fix for CVE-2019-0090 only blocks one such vector, according to the blog post.

Greg Kroah-Hartman has announced the release of the 5.5.8, 5.4.24, and 4.19.108 stable kernels. There are fixes throughout the tree, as usual; users should upgrade.

Like many larger free-software projects, openSUSE has an elected board that is charged with handling various non-technical tasks: organizing events, dealing with conduct issues, managing the project's money, etc. Sitting on such a board is usually a relatively low-profile activity; development communities tend to pay more attention to technical contributions than other types of service. Every now and then, though, board-related issues burst into prominence; that is the case now in the openSUSE project, which will be holding a special election after the abrupt resignation of one-third of its board.

KubeCon + CloudNativeCon Europe 2020, which was originally scheduled for March 30-April 2 in Amsterdam, has been postponed until July or August due to COVID-19 concerns. In addition, KubeCon + CloudNativeCon China 2020, scheduled for July in Shanghai, has been canceled "due to the uncertainty around travel to China and our ability to assemble the speakers, sponsors, and attendees necessary for a successful event". It seems likely that these are not the last conferences that will be affected in our communities.

Security updates have been issued by CentOS (http-parser and xerces-c), Debian (tomcat7), Fedora (opensmtpd), openSUSE (openfortivpn and permissions), Red Hat (http-parser, openstack-octavia, python-waitress, and sudo), Slackware (ppp), and SUSE (kernel).

The LWN.net Weekly Edition for March 5, 2020 is available.

By most accounts, the freedesktop.org (fd.o) GitLab instance has been a roaring success; lots of projects are using it, including Mesa, Linux kernel graphics drivers, NetworkManager, PipeWire, and many others. In addition, a great deal of continuous-integration (CI) testing is being done on a variety of projects under the fd.o umbrella. That success has come at a price, however. A recent message from the X.Org Foundation, which merged with fd.o in 2019, has made it clear that the current situation is untenable from a financial perspective. Given its current resources, X.Org cannot continue covering those costs beyond another few months.

Sam Hartman has announced that he will not run for a second term as Debian Project Leader at this time. "TL;DR: Overall, being DPL has been incredibly rewarding. I have enjoyed working with you all, and have enjoyed the opportunity to contribute to the Debian Project. I hope to be DPL again some year, but 2020 is the wrong year for me and for the project. So I will not nominate myself this year, but hope to do so some future year."

Security updates have been issued by Debian (libzypp), Fedora (opensmtpd and thunderbird), openSUSE (nodejs8), Red Hat (http-parser, kpatch-patch, and xerces-c), SUSE (cloud-init, compat-openssl098, kernel, postgresql96, python, and yast2-rmt), and Ubuntu (python-django and rake).

Handling time zones is a pretty messy affair overall, but language runtimes may have even bigger problems. As a recent discussion on the Python discussion forum shows, there are considerations beyond those that an operating system or distribution needs to handle. Adding support for the IANA time zone database to the Python standard library, which would allow using names like "America/Mazatlan" to designate time zones, is more complicated than one might think—especially for a language trying to support multiple platforms.

Security updates have been issued by Debian (linux-4.9, proftpd-dfsg, rrdtool, and zsh), Fedora (kernel), openSUSE (cacti, cacti-spine, mariadb, and ppp), Red Hat (kernel, qemu-kvm, qemu-kvm-ma, and ruby), Slackware (seamonkey), SUSE (kernel, libpng16, ovmf, python-aws-sam-translator, python-boto3, python-botocore, python-cfn-lint, python-jsonschema, python-nose2, python-parameterized, python-pathlib2, python-pytest-cov, python-requests, python-s3transfer, and python36), and Ubuntu (libpam-radius-auth, OpenSMTPD, and ppp).

The kernel development process is based on trust at many levels — trust in developers, but also in the infrastructure that supports the community. In some cases, that trust may not be entirely deserved; most of us have long since learned not to trust much of anything that shows up in email, for example, but developers still generally trust that emailed patches will be what they appear to be. In his ongoing effort to bring more security to kernel development, Konstantin Ryabitsev has proposed a patch attestation scheme that could help subsystem maintainers verify the provenance of the patches showing up in their mailboxes.

Security updates have been issued by Arch Linux (chromium and webkit2gtk), Debian (collabtive, dojo, firebird2.5, gst-plugins-base0.10, libapache2-mod-auth-openidc, openjdk-7, php5, python-bleach, and rrdtool), Fedora (kernel, kernel-headers, kernel-tools, mingw-openjpeg2, and openjpeg2), Mageia (hiredis, kernel, rsync, wireshark, and zsh), openSUSE (cacti, cacti-spine, libexif, proftpd, python-azure-agent, python3, and webkit2gtk3), Oracle (ppp), SUSE (permissions), and Ubuntu (libarchive).

The 5.6-rc4 kernel prepatch has been released. "Fairly reasonably sized rc4, and the diffstat looks nice and flat too (which basically means 'lots of small changes') except for a netfilter ipset fix that ended up being somewhat big and involved due to locking changes."

The Netdev 0x14 conference, scheduled to begin March 17 in Vancouver, has been postponed due to coronavirus concerns; it has been tentatively rescheduled for June 16 to 19 at the same location.

The 5.5.7, 5.4.23, 4.19.107, 4.14.172, 4.9.215, and 4.4.215 stable kernels have all been released; each contains another set of important fixes.