lwn.net

Security updates have been issued by Debian (sudo and xtrlock), openSUSE (sudo), Red Hat (Single Sign-On), Slackware (sudo), SUSE (binutils, dhcp, ffmpeg, kernel, kubernetes-salt, sudo, and tcpdump), and Ubuntu (sudo).

The KDE project has announced the release of version 5.17 of the Plasma desktop environment. "Night Color, the color-grading system that relaxes your eyes when the sun sets, has landed for X11. Your Plasma desktop also recognizes when you are giving a presentation, and stops messages popping up in the middle of your slideshow. If you are using Wayland, Plasma now comes with fractional scaling, which means that you can adjust the size of all your desktop elements, windows, fonts and panels perfectly to your HiDPI monitor."

Version 3.8.0 of the Python language has been released. New features include the controversial assignment expressions, positional-only arguments, the Vectorcall mechanism, and more; see the what's new in Python 3.8 document for more information.

Version 7.2 of PyPy, an implementation of the Python language, is out. With this release, Python 3.6 support is deemed ready: "This release removes the 'beta' tag from PyPy3.6. While there may still be some small corner-case incompatibilities (around the exact error messages in exceptions and the handling of faulty codec errorhandlers) we are happy with the quality of the 3.6 series and are looking forward to working on a Python 3.7 interpreter."

Race conditions can be some of the trickiest bugs to find. The resulting problems can be subtle, and reproducing the problem in order to track it down can be difficult or impossible; often code inserted to narrow down a race condition will cause it to stop manifesting entirely. A tool that can find race conditions automatically would thus be a valuable thing for the kernel community to have. In late September, Marco Elver announced a tool called KCSAN (the Kernel Concurrency Sanitizer) that does exactly that — and which has already found a number of real problems.

Security updates have been issued by Arch Linux (chromium, sdl, and unbound), Debian (clamav, libdatetime-timezone-perl, openssl, tcpdump, and tzdata), Fedora (cutter-re, jackson-annotations, jackson-bom, jackson-core, jackson-databind, jackson-parent, libapreq2, ming, opendmarc, radare2, and thunderbird), openSUSE (chromium), Oracle (kernel), and SUSE (axis, jakarta-commons-fileupload, kernel, sles12sp3-docker-image, sles12sp4-image, system-user-root, and webkit2gtk3).

The 5.4-rc3 kernel prepatch is out for testing. "Things continue to look fairly normal, with rc3 being larger than rc2, as people are starting to find more regressions, but 5.4 so far remains on the smaller side of recent releases."

The 5.3.6, 4.19.79, and 4.14.149 stable kernel updates have been released; each contains another set of important updates.

As noted earlier, when compiling Linux-kernel code that does a plain C-language load or store, as in "a=b", the C standard grants the compiler the right to assume that the affected variables are neither accessed nor modified by any other thread at the time of that load or store. The compiler is therefore permitted to carry out a surprisingly large number of optimizations, any number of which might ruin your concurrent code's day. Given that current compilers usually do not emit diagnostics warning of potential ruined days, it would be good to have other tools take on this task.

Security updates have been issued by Debian (lucene-solr and ruby-openid), Fedora (krb5 and SDL2), openSUSE (kernel and libopenmpt), and Ubuntu (python2.7, python3.4).

The Google Open Source Blog has an announcement of the release of the SchedViz tool that is used internally at the company "to discover many opportunities for better scheduling choices and to root-cause many latency issues". SchedViz provides a GUI to explore kernel traces: "The SchedViz UI displays collections in several ways. A zoomable and pannable heatmap shows system cores on the y-axis, and the trace duration on the x-axis. Each core in the system has a swim-lane, and each swim-lane shows CPU utilization (when that CPU is being kept busy) and wait-queue depth (how many threads are waiting to run on that CPU.) The UI also includes a thread list that displays which threads were active in the heatmap, along with how long they ran, waited to run, and blocked on some event, and how many times they woke up or migrated between cores. Individual threads can be selected to show their behavior over time, or expanded to see their details."

It is no secret that much of the work on the in-kernel BPF virtual machine and associated user-space support code is being done at Facebook. But less is known about how Facebook is actually using BPF. At Kernel Recipes 2019, BPF developer Alexei Starovoitov described a bit of that work, though even he admitted that he didn't know what most of the BPF programs running there were doing. He also summarized recent developments with BPF and some near-future work.

Security updates have been issued by Debian (clamav, libtomcrypt, and rsyslog), Fedora (suricata), SUSE (libopenmpt and python-requests), and Ubuntu (libsoup2.4 and octavia).

The LWN.net Weekly Edition for October 10, 2019 is available.

The input stack for Linux is an essential part of interacting with our systems, but it is also an area that is lacking in terms of developers. There has been progress over the last few years, however; Peter Hutterer from Red Hat came to the 2019 X.Org Developers Conference to talk about some of the work that has been done. He gave a status report on the input stack that covered development work that is going on now as well as things that have been completed in the last two years or so. Overall, things are looking pretty good for input on Linux, though the "bus factor" for the stack is alarmingly low.

Richard Stallman has issued a brief statement saying that there will not be any radical changes in the GNU Project's goals, principles and policies. "I would like to make incremental changes in how some decisions are made, because I won't be here forever and we need to ready others to make GNU Project decisions when I can no longer do so. But these won't lead to unbounded or radical changes."

A talk at the recent X.Org Developers Conference in Montréal, Canada looked at support for "XR" in free software. XR is an umbrella term that includes both virtual reality (VR) and augmented reality (AR). In the talk, Joey Ferwerda and Christoph Haag from Collabora gave an overview of XR and the Monado project that provides support for those types of applications.

Security updates have been issued by Fedora (chromium), openSUSE (rust and sqlite3), SUSE (dnsmasq, firefox, and kubernetes, patchinfo), and Ubuntu (python2.7, python3.5, python3.6, python3.7).

OpenSSH 8.1 is out. It includes some security fixes, including the encryption of keys at rest to defend them against speculative-execution attacks. There is also an experimental new signature and verification mechanism for public keys.

Stable kernels 5.3.5, 5.2.20, 4.19.78, 4.14.148, 4.9.196, and 4.4.196 have been released. They all contain the usual set of important fixes. This is the last 5.2 kernel and users should move to the 5.3.y kernel series now.