lwn.net

The 5.13.11, 5.10.59, 5.4.141, 4.19.204, 4.14.244, 4.9.280, and 4.4.281 stable kernel updates have been released; each contains a relatively small number of important fixes.

Debian 11, codenamed "bullseye", has been released after just over two years of development. It has lots of updates, including to half a dozen different desktop environments, lots of tools and programming languages, and, of course, more. It is available for nine different architectures. This release contains over 11,294 new packages for a total count of 59,551 packages, along with a significant reduction of over 9,519 packages which were marked as "obsolete" and removed. 42,821 packages were updated and 5,434 packages remained unchanged.

"bullseye" becomes our first release to provide a Linux kernel with support for the exFAT filesystem and defaults to using it for mount exFAT filesystems. Consequently it is no longer required to use the filesystem-in-userspace implementation provided via the exfat-fuse package. Tools for creating and checking an exFAT filesystem are provided in the exfatprogs package.

The KDE project has announced the release of KDE Gear 21.08, which updates the over 200 apps that are part of the project. The announcement highlights updates in many of the desktop tools that KDE Plasma users are accustomed to, including the Okular document viewer, the Dolphin file manager, Elisa music player, and Gwenview image viewer. The Konsole terminal application got updated as well: Text terminals are intimidating to people who are new to Linux. But knowing just a bit about how to use them (no, you don’t need to know how to program) gives you a level of control over your machine difficult to achieve any other way.

This is doubly true when using Konsole, KDE’s very powerful spin on the classic text terminal. In fact, calling Konsole a “terminal emulator” and leaving it at that is not fair. Take Konsole’s preview feature, for example, type white, red, blue or salmon at the command line, hover the cursor over the word, and a box will appear displaying the color. You can also use HTML color codes, like #1d99f3 and get a preview of the KDE blue color.

Previews extend to images and folders: hover the cursor over an image filename in a list in Konsole and a thumbnail will pop up showing you a preview. Hovering over a folder will show you a preview of its contents. This is very useful when you want to make sure you are copying, moving, or erasing the right thing.

Device drivers, along with the hardware they control, have long been considered to be a trusted part of the system. This faith has been under assault for some time, though, and it fails entirely in some situations, including virtual machines that do not trust the host system they are running under. The recently covered virtio-hardening work is one response to this situation, but that only addresses a small portion of the drivers built into a typical kernel. What is to be done about the rest? The driver-filter patch from Kuppuswamy Sathyanarayanan demonstrates one possible approach: disable them altogether.

Security updates have been issued by Debian (commons-io, curl, and firefox-esr), Fedora (perl-Encode), openSUSE (golang-github-prometheus-prometheus, grafana, and python-reportlab), Oracle (.NET Core 2.1, 389-ds:1.4, cloud-init, go-toolset:ol8, nodejs:12, nodejs:14, and rust-toolset:ol8), SUSE (aspell, firefox, kernel, and rpm), and Ubuntu (linux, linux-aws, linux-kvm, linux-lts-xenial and postgresql-10, postgresql-12, postgresql-13).

The Linux Foundation has announced the formation of the eBPF Foundation: Founding members include Facebook, Google, Isovalent, Microsoft and Netflix. This comes in advance of the eBPF Summit, a free and virtual event taking place August 18-19, 2021.

eBPF allows developers to safely and efficiently embed programs in any piece of software, including the operating system kernel. As a result, eBPF is quickly becoming the method of choice for achieving a wide range of infrastructure use cases, delivering significant efficiency and performance gains and dramatically reducing the complexity of the system. For example, Facebook is using eBPF as the primary software-defined load balancer in its data centers, and Google is using Cilium to bring eBPF-based networking and security to the managed Kubernetes offerings GKE and Anthos.

[...] The eBPF Foundation will expand the significant level of contributions being made to extend the powerful capabilities of eBPF and grow beyond Linux. It will be the home for open source eBPF projects and technologies and nurture the community through a variety of activities, including summits and other collaboration events in order to further drive the growth and adoption of the eBPF ecosystem.

While it may seem like the number of developers would be the limiting factor in a free-software project, the truth of the matter is that, for all but the smallest of project, the scarcest resource is reviewer time. Lots of people like to crank out code; rather fewer can find the time to take a close look at somebody else's patches. Free-software projects have taken a number of different approaches to address the review problem; the PostgreSQL developer community is currently struggling with its review load and considering changes to its commitfest process in response.

Greg Kroah-Hartman has announced the release of the 5.13.10, 5.10.58, 5.4.140, and 4.19.203 stable kernels. As usual, they all contain important fixes throughout the kernel tree; users of those series should upgrade.

Security updates have been issued by CentOS (java-1.8.0-openjdk), Debian (firefox-esr, libspf2, and openjdk-11-jre-dcevm), Fedora (bluez, fetchmail, and prosody), Oracle (edk2, glib2, kernel, and libuv), Red Hat (.NET Core 3.1), SUSE (cpio), and Ubuntu (firefox and openssh).

The LWN.net Weekly Edition for August 12, 2021 is available.

Child pornography and other types of sexual abuse of children are unquestionably heinous crimes; those who participate in them should be caught and severely punished. But some recent efforts to combat these scourges have gone a good ways down the path toward a kind of AI-driven digital panopticon that will invade the privacy of everyone in order to try to catch people who are violating laws prohibiting those activities. It is thus no surprise that privacy advocates are up in arms about an Apple plan to scan iPhone messages and an EU measure to allow companies to scan private messages, both looking for "child sexual abuse material" (CSAM). As with many things of this nature, there are concerns about the collateral damage that these efforts will cause—not to mention the slippery slope that is being created.

David A. Wheeler lists some of the security-related projects he is overseeing at the Linux Foundation. For example:

Ariadne Conill is improving Alpine Linux security, including significant improvements to its vulnerability processing and making it reproducible. For example, as noted in the July 2021 report, this resulted in Alpine 3.14 being released with the lowest open vulnerability count in the final release in a long time. Alpine Linux’s security is important because many containers use it.

Security updates have been issued by Debian (ceph), Fedora (buildah, containernetworking-plugins, and podman), openSUSE (chromium, kernel, php7, python-CairoSVG, python-Pillow, seamonkey, and transfig), Red Hat (microcode_ctl), SUSE (kernel and libcares2), and Ubuntu (c-ares).

Version 6 of the elementry OS distribution is now available. "It’s been a long road to elementary OS 6—what with a whole global pandemic dropped on us in the middle of development—but it’s finally here. elementary OS 6 Odin is available to download now. And it’s the biggest update to the platform yet!" Headline changes include a new dark-mode theme, a switch to Flatpak for application packaging, a rewritten email client, and more.

Linux Mint 20.2 "Uma" was released in Cinnamon, MATE, and Xfce editions on July 8. This new version of the popular desktop-oriented distribution has several improvements, including changes to the Update Manager, a new "Sticky Notes" app, a bulk file-renaming tool, improved file search, and better memory management in Cinnamon. Mint 20.2 is a long-term support (LTS) release that will receive security updates until 2025.

The 4.4.280 stable kernel update is available; it contains a small set of fixes, mostly focused on the futex subsystem.

The Firefox 91 release is available. Changes include stronger tracking-cookie protection, use of HTTPS within anonymous windows whenever possible, and more.

Security updates have been issued by CentOS (flatpak and microcode_ctl), Debian (c-ares, lynx, openjdk-8, and tomcat9), Fedora (kernel), openSUSE (apache-commons-compress, aria2, djvulibre, fastjar, kernel, libvirt, linuxptp, mysql-connector-java, nodejs8, virtualbox, webkit2gtk3, and wireshark), Oracle (kernel, kernel-container, and microcode_ctl), Red Hat (glib2, kernel, kernel-rt, kpatch-patch, and rust-toolset-1.52 and rust-toolset-1.52-rust), Scientific Linux (microcode_ctl), SUSE (kernel), and Ubuntu (c-ares, gpsd, and perl).

Traditionally, in virtualized environments, the host is trusted by its guests, and must protect itself from potentially malicious guests. With initiatives like confidential computing, this rule is extended in the other direction: the guest no longer trusts the host. This change of paradigm requires adding boundary defenses in places where there have been none before. Recently, Andi Kleen submitted a patch set attempting to add the needed protections in virtio. The discussion that resulted from this patch set highlighted the need to secure virtio for a wider range of use cases.

Security updates have been issued by Debian (ansible and bluez), Fedora (curl, kernel, mod_auth_openidc, rust-rav1e, and webkit2gtk3), Mageia (kernel and kernel-linus), openSUSE (php7 and python-reportlab), Oracle (ruby:2.7), Red Hat (microcode_ctl), SUSE (fastjar, kvm, mariadb, php7, php72, php74, and python-Pillow), and Ubuntu (docker.io).