LWN.net News from the source
LWN.net is a reader-supported news site dedicated to producing the best coverage from within the Linux and free software development communities. See the LWN FAQ for more information, and please consider subscribing to gain full access and support our activities.
In January 2038, the 32-bit time_t value used on many Unix-like systems will run out of bits and be unable to represent the current time. This may seem like a distant problem, but, as Tom Scott recently observed, the year-2038 apocalypse is now closer to the present than the year-2000 problem. The fact that systems being deployed now will still be operating in 2038 adds urgency to the issue as well. The good news is that work has been underway for years to prepare Linux for this date, so there should be no need to call developers out of retirement in 2037 in a last-minute panic. Some of the final steps in this transition for the core kernel have been posted, and seem likely to be merged for 5.1.
Version 5.0 of the Metasploit penetration-testing framework is out. "Metasploit 5.0 offers a new data service, introduces fresh evasion capabilities, supports multiple languages, and builds upon the Framework’s ever-growing repository of world-class offensive security content. We’re able to continue innovating and expanding in no small part thanks to the many open source users and developers who make it a priority to share their knowledge with the community. You have our gratitude."
What if you announced a board election and nobody ran? That is the quandary the openSUSE project faced as recently as January 4, when the nomination deadline loomed and no candidates for the three open seats had come forward. The situation has since changed, and openSUSE members will have a wide slate of candidates to choose from. But the seeming reticence to come forward may well be a reflection of some unresolved tensions that exploded into a flame war several months ago.
Security updates have been issued by Arch Linux (systemd and wireshark-cli), Debian (libsndfile and tmpreaper), Fedora (beep, electrum, gnutls, haproxy, krb5, mupdf, php-horde-Horde-Image, python-django, and wget), Mageia (libarchive and terminology), openSUSE (libraw, polkit, and singularity), SUSE (haproxy, java-1_8_0-openjdk, LibVNCServer, and webkit2gtk3), and Ubuntu (exiv2, gnupg2, and webkit2gtk).
The LWN.net Weekly Edition for January 10, 2019 is available.
Inside this week's LWN.net Weekly Edition
Qualys has sent out a security advisory describing three stack-overrun vulnerabilities in systemd-journald. "We developed an exploit for CVE-2018-16865 and CVE-2018-16866 that obtains a local root shell in 10 minutes on i386 and 70 minutes on amd64, on average. We will publish our exploit in the near future. To the best of our knowledge, all systemd-based Linux distributions are vulnerable, but SUSE Linux Enterprise 15, openSUSE Leap 15.0, and Fedora 28 and 29 are not exploitable because their user space is compiled with GCC's -fstack-clash-protection."
Python has always touted itself as a "batteries included" language; its standard library contains lots of useful modules, often more than enough to solve many types of problems quickly. From time to time, though, some have started to rethink that philosophy, to reduce or restructure the standard library, for a variety of reasons. A discussion at the end of November on the python-dev mailing list revived that debate to some extent.
Security updates have been issued by Debian (libcaca), Fedora (beep and libgxps), Mageia (krb5, live, ffmpeg, mplayer, and vlc, and mbedtls), SUSE (helm-mirror, java-1_7_0-openjdk, and systemd), and Ubuntu (nss and python-django).
Many projects have adopted the "GitHub style" of development over the last few years, though, of course, there are some high-profile exceptions that still use patches and mailing lists. Many projects are leery of putting all of their project metadata into a proprietary service, with limited means of usefully retrieving it should that be necessary, which is why GitLab (which is at least "open core") has been gaining some traction. A recently announced effort looks to kind of bridge the gap; Drew DeVault's sr.ht ("the hacker's forge") combines elements of both styles of development in a "100% free and open source software forge". It looks to be an ambitious project, but it may also suffer from a lack of "social network" effects, which is part of what sustains GitHub as the forge of choice today, it seems.
Linus Torvalds released 5.0-rc1 on January 6, closing the merge window for this development cycle and confirming that the next release will indeed be called "5.0". At that point, 10,843 non-merge change sets had been pulled into the mainline, about 2,100 since last week's summary was written. Those 2,100 patches included a number of significant changes, though, including some new system-call semantics that may yet prove to create problems for existing user-space code.
Security updates have been issued by Arch Linux (elfutils, polkit, and tar), Debian (python-django and ruby-loofah), and Mageia (ansible, avidemux, coreutils, discount, nettle, openafs, opensc, and qtbase5).
One of the useful features added during the 4.20 development cycle was the availability of pressure-stall information, which provides visibility into how resource-constrained the system is. Interest in using this information has spread beyond the data-center environment where it was first implemented, but it turns out that there some shortcomings in the current interface that affect other use cases. Suren Baghdasaryan has posted a patch set aimed at making pressure-stall information more useful for the Android use case — and, most likely, for many other use cases as well.
Version 5.0 of the Bash shell has been released. "The most notable new features are several new shell variables: BASH_ARGV0, EPOCHSECONDS, and EPOCHREALTIME. The `history' builtin can remove ranges of history entries and understands negative arguments as offsets from the end of the history list. There is an option to allow local variables to inherit the value of a variable with the same name at a preceding scope. There is a new shell option that, when enabled, causes the shell to attempt to expand associative array subscripts only once (this is an issue when they are used in arithmetic expressions). The `globasciiranges' shell option is now enabled by default; it can be set to off by default at configuration time."
The fs-verity mechanism, created to protect files on Android devices from hostile modification by attackers, seemed to be on track for inclusion into the mainline kernel during the current merge window when the patch set was posted at the beginning of November. Indeed, it wasn't until mid-December that some other developers started to raise objections. The resulting conversation has revealed a deep difference of opinion regarding what makes a good filesystem-related API and may have implications for how similar features are implemented in the future.
Security updates have been issued by Debian (libav), Fedora (krb5), Red Hat (source-to-image), and SUSE (gpg2, libgit2, and libsoup).
The LWN.net Weekly Edition for January 3, 2019 is available.
Inside this week's LWN.net Weekly Edition
On the Red Hat community blog, Dave Neary writes about community governance and, in particular, how to choose who gets a vote, who can run, and how to decide a winner when electing a leader or council. He summarizes a number of different options that he has encountered with an eye toward avoiding the deep rat-hole conversations that picking a way to run elections can engender. "Defining the activity metric and minimum bar for what qualifies as participation can become contentious, mainly because where you draw the line will be arbitrary, and will omit people who you want to include, or include people who you want to omit. For example, if you set the bar at the minimum contribution level of one commit to the project, you omit all whose contributions are significant but not code related. The typical fear is ballot stuffing or cohort effects — where large companies will dominate the representative bodies by having a large voting bloc, or where friends of candidates (or people with a certain agenda) will pass the low bar to become voters just to vote for their candidate."
The January 3 LWN.net Weekly Edition will be our first for 2019, marking our return after an all-too-short holiday period. Years ago, we made the ill-considered decision to post some predictions at the beginning of the year and, like many mistakes, that decision has persisted and become an annual tradition. We fully expect 2019 to be an event-filled year, with both ups and downs; read on for some wild guesses as to what some of those events may look like.
Security updates have been issued by CentOS (keepalived), Debian (python-django), Fedora (tcpreplay), Mageia (apache-commons-compress, aubio, dcraw, freerdp, imagemagick, ldb, talloc, samba, libao, libextractor, libgxps, libpgf, openjpeg2, pdns, pdns-recursor, php-phpmailer, plexus-archiver, units, wget, and xmlrpc), Oracle (keepalived and kernel), and SUSE (polkit and xen).
Copyright © 2019, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds