lwn.net

LWN.net is a comprehensive source of news and opinions from
and about the Linux community. This is the main LWN.net feed,
listing all articles which are posted to the site front page.
URL: https://lwn.net
Updated: 1 hour 54 minutes ago
t2 Linux 20.10 released
The 20.10 release of the t2 Linux distribution is available. "After
a decade of development we are proud to announce the availability of the
new T2 Linux Source and Embedded Linux distribution build kit stable
release 20.10." More information about this distribution can be
found at t2sde.org: "T2 SDE is not
just a regular Linux distribution - it is a flexible Open Source System
Development Environment or Distribution Build Kit (others might even name
it Meta Distribution). T2 allows the creation of custom distributions with
state of the art technology, up-to-date packages and integrated support for
cross compilation. Currently the Linux kernel is normally used - but the T2
SDE is being expanded to Minix, Hurd, OpenDarwin, Haiku and OpenBSD - more
to come."
[$] The future of 32-bit Linux
The news for processors and system-on-chip (SoC) products these
days is all about 64-bit cores powering the latest computers and
smartphones, so it's easy to be misled into thinking that all 32-bit
technology is obsolete. That quickly leads to the idea of removing support
for 32-bit hardware, which would clearly make life easier for kernel
developers in a number of ways.
At the same time, a majority of embedded systems shipped today do use 32-bit
processors, so a valid question is if this will ever change, or if 32-bit
will continue to be the best choice for devices that do not require
significant resources.
GitHub's report on open-source security
GitHub has released its "2020 State
of the Octoverse" report; one piece of that is a
report on security [PDF]. There are a number of interesting
conclusions there, including that a surprising number of security
vulnerabilities are planted deliberately. "Analysis on a random
sample of 521 advisories from across our six ecosystems finds that 17% of
the advisories are related to explicitly malicious behavior such as
backdoor attempts. Of those 17%, the vast majority come from the npm
ecosystem. While 17% of malicious attacks will steal the spotlight in
security circles, vulnerabilities introduced by mistake can be just as
disruptive and are much more likely to impact popular projects. Out of all
the alerts GitHub sent developers notifying them of vulnerabilities in
their dependencies, only 0.2% were related to explicitly malicious
activity. That is, most vulnerabilities were simply those caused by
mistakes."
Security updates for Friday
Security updates have been issued by Debian (thunderbird), Fedora (c-ares, pdfresurrect, webkit2gtk3, and xen), openSUSE (python3), SUSE (gdm, python-pip, rpmlint, and xen), and Ubuntu (snapcraft).
[$] XFS, stable kernels, and -rc releases
Ever since the stable-update process was created, there have been questions
about which patches are suitable for inclusion in those updates; usually,
these discussions are driven by people who think that the criteria should
be more restrictive. A regression in the XFS filesystem that found its way
into the 5.9.9
stable update briefly rekindled this discussion. In one sense, there was
little new ground covered in this iteration, but there was an interesting
point raised about the relationship between stable updates and the mainline
kernel -rc releases.
Linux Foundation 2020 annual report
The Linux Foundation has published a
glossy report of its activities for 2020. "2020 has been a year
of challenges for the Linux Foundation ('LF') and our hosted
communities. During this pandemic, we’ve all seen our daily lives and those
of many of our colleagues, friends, and family around the world completely
changed. Too many in our community also grieved over the loss of family and
friends.
It was uplifting to see LF members join the fight against COVID-19. Our
members worldwide contributed technical resources for scientific
researchers, offered assistance to struggling families and individuals,
contributed to national and international efforts, and some even came
together to create open source projects under LF Public Health to help
countries deal with the pandemic."
Security updates for Thursday
Security updates have been issued by Mageia (cimg, pngcheck, poppler, tor, and xdg-utils), openSUSE (mariadb), Red Hat (go-toolset-1.14-golang), and Ubuntu (linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-gcp, linux-gcp-4.15, linux-gke-4.15, linux-hwe, linux-kvm, linux-oem, linux-oracle, linux-raspi2, linux-snapdragon).
[$] LWN.net Weekly Edition for December 3, 2020
The LWN.net Weekly Edition for December 3, 2020 is available.
[$] Python structural pattern matching morphs again
A way to specify multiply branched conditionals in the Python language—akin
to the C switch statement—has been
a longtime feature request. Over the years, various proposals have been
mooted, but none has ever crossed the finish line and made it into the
language. A highly ambitious proposal that
would solve the multi-branch-conditional problem (and quite a bit more) has
been discussed—dissected, perhaps—in the Python community over the last six
months or so. We have covered
some of the discussion in August and September, but the ground has shifted once
again so it is time to see where things stand.
Certificates from Let's Encrypt (R3 active)
Let's Encrypt has announced that, as of today, the TLS certificates issued
by the Let's Encrypt certificate authority are using a new intermediate
certificate. "While LE will start using their new _roots_ next year, the change today
is using a _variant_ of their "R3" certificate which is cross-signed
from IdenTrust, rather than chaining back to their "ISRG Root X1".
This will affect you if you're using DANE, TLSA records in DNS, signed
by DNSSEC, to advertise properties of the certificate chain which remote
systems should expect to see."
Stable kernel updates
Security updates for Wednesday
Security updates have been issued by Debian (brotli, jupyter-notebook, and postgresql-9.6), Fedora (perl-Convert-ASN1 and php-pear), openSUSE (go1.15, libqt5-qtbase, mutt, python-setuptools, and xorg-x11-server), Oracle (firefox, kernel, libvirt, and thunderbird), Red Hat (rh-postgresql10-postgresql and rh-postgresql12-postgresql), SUSE (java-1_8_0-openjdk, python, python-cryptography, python-setuptools, python3, and xorg-x11-server), and Ubuntu (linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-hwe-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux, linux-aws, linux-azure, linux-gcp, linux-kvm, linux-oracle, linux-raspi, linux, linux-aws, linux-azure, linux-kvm, linux-lts-trusty, linux-raspi2, linux-snapdragon, python-werkzeug, and xorg-server, xorg-server-hwe-16.04, xorg-server-hwe-18.04).
Popov: Linux kernel heap quarantine versus use-after-free exploits
Alexander Popov describes
his kernel heap-quarantine patches designed to protect the system
against use-after-free vulnerabilities. "In July 2020, I got an idea of how to break this heap spraying technique for UAF exploitation. In August I found some time to try it out. I extracted the slab freelist quarantine from KASAN functionality and called it SLAB_QUARANTINE.
If this feature is enabled, freed allocations are stored in the quarantine queue, where they wait to be actually freed. So there should be no way for them to be instantly reallocated and overwritten by UAF exploits."
xorg-server 1.20.10
Xorg-server 1.20.10 has been released. This version fixes security issues that could lead to privilege
escalation, or other problems.
[$] Challenges in protecting virtual machines from untrusted entities
As an ever-growing number of workloads are being moved to the cloud, CPU
vendors have begun to roll out purpose-built hardware features to isolate
virtual machines (VMs) from potentially hostile parties. These processor
features, and their extensions, enable the notion of "secure VMs" (or
"confidential VMs") — where a VM's "sensitive state" needs to be protected
from untrusted entities. Drawing from his experience
contributing to the secure VM implementation for the s390 architecture, Janosch Frank described
the challenges involved in a talk at the 2020 (virtual) KVM
Forum. Though the implementations across CPU vendors may vary, there are
many shared problems, which opens up possibilities for collaboration.
Security updates for Tuesday
Security updates have been issued by Debian (libxstream-java, musl, mutt, pdfresurrect, vips, and zsh), Fedora (libuv, nodejs, thunderbird, and xen), openSUSE (libssh2_org, mutt, neomutt, and thunderbird), Oracle (firefox and thunderbird), Red Hat (firefox, rh-nodejs12-nodejs, rh-php73-php, and thunderbird), Scientific Linux (thunderbird), SUSE (libX11, mariadb, mutt, python-pip, python-setuptools, and python36), and Ubuntu (containerd, php-pear, and sniffit).
[$] Scheduling for asymmetric Arm systems
The Arm processor architecture has pushed the boundaries in a number of
ways, some of which have required significant kernel changes in response.
For example, the big.LITTLE architecture
placed fast (but power-hungry) and slower (but more power-efficient) CPUs
in the same system-on-chip (SoC); significant scheduler changes were needed
for Linux to be able to properly distribute tasks on such systems. For all
their quirkiness, big.LITTLE systems still feature CPUs that are in some
sense identical: they can all run any task in the system. What is the
scheduler to do, though, if confronted with a system where that is no
longer true?
pip 20.3 release
The Python Packaging Authority has announced the release of pip 20.3. There
is some potential for disruption with this release. "The new resolver is now *on by default*. It is significantly stricter
and more consistent when it receives incompatible instructions, and
reduces support for certain kinds of constraints files, so some
workarounds and workflows may break."
Security updates for Monday
Security updates have been issued by Arch Linux (c-ares, libass, raptor, rclone, and swtpm), Debian (libproxy, qemu, tcpflow, and x11vnc), Fedora (asterisk, c-ares, microcode_ctl, moodle, pam, tcpdump, and webkit2gtk3), Mageia (jruby and webkit2), openSUSE (buildah, c-ares, ceph, fontforge, java-1_8_0-openjdk, kernel, LibVNCServer, mariadb, thunderbird, ucode-intel, and wireshark), Red Hat (firefox, rh-mariadb103-mariadb and rh-mariadb103-galera, and thunderbird), SUSE (binutils, libssh2_org, LibVNCServer, libX11, and nodejs12), and Ubuntu (mysql-8.0 and qemu).
PHP 8.0.0 released
Version 8.0.0 of the PHP language has been released. New features include
union types, named arguments, match expressions, a just-in-time compiler,
and more; see this article for more
information.