Welcome to LWN.net
LWN.net is a reader-supported news site dedicated to producing the best coverage from within the Linux and free software development communities. See the LWN FAQ for more information, and please consider subscribing to gain full access and support our activities.
[$] A survey of free CAD systems
Computer-aided design (CAD) software is expensive to develop, which is a good reason to appreciate the existing free and open-source alternatives to some of the big names in the industry. This article takes a bird's-eye view of free and open-source software for 2D drafting and 3D parametric solid modeling, its progress over the years, as well as wins and ongoing challenges.
[$] Constant-time instructions and processor optimizations
Of all the attacks on cryptographic code, timing attacks may be among the most insidious. An algorithm that appears to be coded correctly, perhaps even with a formal proof of its correctness, may be undermined by information leaked as the result of data-dependent timing differences. Both Arm and Intel have introduced modes that are intended to help defend against timing attacks, but the extent to which those modes should be used in the kernel is still under discussion.
[$] Git archive generation meets Hyrum's law
On January 30, the GitHub blog carried a brief notice that the checksums of archives (such as tarballs) generated by the site had just changed. GitHub's engineers were seemingly unaware of the consequences of such a change — consequences that were immediately evident to anybody familiar with either packaging systems or Hyrum's law. Those checksums were widely depended on by build systems, which immediately broke when the change went live; the resulting impact of jawbones hitting the floor was observed by seismographs worldwide. The change has been reverted for now, but it is worth looking at how GitHub managed to casually break vast numbers of build systems — and why this sort of change will almost certainly happen again.
[$] LWN.net Weekly Edition for February 2, 2023
Posted Feb 2, 2023 1:38 UTC (Thu)
The LWN.net Weekly Edition for February 2, 2023 is available.
Inside this week's LWN.net Weekly Edition
- Front: Pip and conda convergence; BPF ABI stability; GFP flags; Linux SVSM; Using low-cost wireless sensors.
- Briefs: RCU definition; C flexible arrays; Elementary OS 7; TrenchBoot for Qubes OS; Yocto; Go 1.20; Rust 1.67; ...
- Announcements: Newsletters, conferences, security updates, patches, and more.
[$] Convergence in the pip and conda worlds?
The discussions about the world of Python packaging and the problems caused by its disparate tools and incompatible ecosystems are still ongoing. Last week, we looked at the beginnings of the conversation in mid-November, as the discussion turned toward a possible convergence between two of the major package-management players: pip and conda. There are numerous barriers to bringing the two closer together, inertia not least, but the advantages for users of both, as well as new users to come, could be substantial.
[$] Using low-cost wireless sensors in the unlicensed bands
When it comes to home automation, people often end up with devices supporting the Zigbee or Z-Wave protocols, but those devices are relatively expensive. When I was looking for a way to keep an eye on the temperature at home a few years ago, I bought a bunch of cheap temperature and humidity sensors emitting radio signals in the unlicensed ISM (Industrial, Scientific, and Medical) frequency bands instead. Thanks to rtl_433 and, more recently, rtl_433_ESP and OpenMQTTGateway, I was able to integrate their measurements easily into my home-automation system.
[$] The Linux SVSM project
If legacy networks are like individual homes with a few doors where a handful of people have the key, then cloud-based environments are like apartment complexes that offer both higher density and greater flexibility, but which include more key holders and potential entry points. The importance of protecting virtual machines (VMs) running in these environments — from both the host and other tenants — has become increasingly clear. The Linux Secure VM Service Module (SVSM) is a new, Rust-based, open-source project that aims to help preserve the confidentiality and integrity of VMs on AMD hardware.
[$] GFP flags and the end of __GFP_ATOMIC
Memory allocation within the kernel is a complex business. The amount of physical memory available on any given system will be strictly limited, meaning that an allocation request can often only be satisfied by taking memory from somebody else, but some of the options for reclaiming memory may not be available when a request is made. Additionally, some allocation requests have requirements dictating where that memory can be placed or how quickly the allocation must be made. The kernel's memory-allocation functions have long supported a set of "GFP flags" used to describe the requirements of each specific request. Those flags will probably undergo some changes soon as the result of this patch set posted by Mel Gorman; that provides an opportunity to look at those flags in some detail.
[$] Reconsidering BPF ABI stability
The BPF subsystem exposes many aspects of the kernel's internal algorithms and data structures; this naturally leads to concerns about maintaining interface stability as the kernel changes. The longstanding position that BPF offers no interface-stability guarantees to user space has always seemed a little questionable; kernel developers have, in the past, found themselves having to maintain interfaces that were not intended to be stable. Now the BPF community is starting to think about what it might mean to provide explicit stability promises for at least some of its interfaces.
LWN.net Weekly Edition for January 26, 2023
Posted Jan 26, 2023 2:37 UTC (Thu)
The LWN.net Weekly Edition for January 26, 2023 is available.
Inside this week's LWN.net Weekly Edition
- Front: Python packaging (again); X11 byte swapping; Removing kernel code; /proc/self/exe; nolibc.
- Briefs: Git security audit; Linux kernel podcast; Leap 15.3 EOL; FFmpeg history; Mozilla's 25th; Pandoc 3; Wine 8; FSF governance; Quotes; ...
- Announcements: Newsletters, conferences, security updates, patches, and more.
Six new stable kernels
The most recent batch of stable kernels has been released: 6.1.10, 5.15.92, 5.10.167, 5.4.231, 4.19.272, and 4.14.305. Those updates contain a relatively small number of important fixes throughout the kernel tree.
Security updates for Monday
Security updates have been issued by Debian (libhtml-stripscripts-perl), Fedora (binwalk, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-latest-openjdk, kernel, sudo, and syncthing), SUSE (syslog-ng), and Ubuntu (editorconfig-core, firefox, pam, and thunderbird).
Kernel prepatch 6.2-rc7
The 6.2-rc7 kernel prepatch is out for testing.
So the 6.2 rc releases are continuing to be fairly small and controlled, to the point where normally I'd just say that this is the last rc. But since I've stated multiple times that I'll do an rc8 due to the holiday start of the release, that's what I'll do.
Security updates for Friday
Security updates have been issued by Fedora (chromium and vim), Slackware (openssh), and Ubuntu (lrzip and tiff).
The Document Foundation announces LibreOffice 7.5 Community
Version 7.5 of the LibreOffice Community edition is now available. LibreOffice is, of course, the FOSS desktop office suite; version 7.5 brings new features to multiple parts of the tool, including major improvements to dark mode, better PDF exports, improved bookmarks in Writer, data tables for charts in Calc, better interoperability with Microsoft Office, and lots more. Check out the release notes for further information.
LibreOffice 7.5 Community's new features have been developed by 144 contributors: 63% of code commits are from the 47 developers employed by three companies sitting in TDF's Advisory Board - Collabora, Red Hat and allotropia - or other organizations, 12% are from 6 developers at The Document Foundation, and the remaining 25% are from 91 individual volunteers. Other 112 volunteers - representing hundreds of other people providing translations - have committed localizations in 158 languages. LibreOffice 7.5 Community is released in 120 different language versions, more than any other free or proprietary software, and as such can be used in the native language (L1) by over 5.4 billion people worldwide. In addition, over 2.3 billion people speak one of those 120 languages as their second language (L2).
Ekstrand: Exploring Rust for Vulkan drivers, part 1
Faith Ekstrand begins an exploration of using the Rust language to write Vulkan graphics drivers.
Whenever a Vulkan object is created or destroyed, the parent object is passed to both the create and destroy functions. This ensures that the lifetime of the child object is contained within the lifetime of the parent object. In Rust terms, this means it's safe for the child object to contain a non-mutable reference to the parent object. Vulkan also defines which entrypoint parameters must be externally synchronized by the client. Externally synchronized objects follow the same rules as mutable references in Rust.
OpenSSH 9.2 released
OpenSSH 9.2 has been released. It includes a number of security fixes, including one for a pre-authentication double-free vulnerability that the project does not believe is exploitable. Other new features include support for channel-inactivity timeouts, better control over sftp protocol parameters, and more.
GNU C Library 2.37 released
Version 2.37 of the GNU C Library has been released. This looks like a relatively low-key release, with the one "major new feature" described as:
The getent tool now supports the --no-addrconfig option. The output of getent with --no-addrconfig may contain addresses of families not configured on the current host i.e. as-if you had not passed AI_ADDRCONFIG to getaddrinfo calls.
There is also a security fix for CVE-2022-39046:
When the syslog function is passed a crafted input string larger than 1024 bytes, it reads uninitialized memory from the heap and prints it to the target log file, potentially revealing a portion of the contents of the heap.
There is more information in the release notes.
Security updates for Thursday
Security updates have been issued by Debian (cinder, glance, nova, openjdk-17, and python-django), Fedora (caddy, git-credential-oauth, mingw-opusfile, and pgadmin4), Slackware (apr and mozilla), and Ubuntu (apache2 and python-django).
Go 1.20 released
Version 1.20 of the Go language has been released.
We’re particularly excited to launch a preview of profile-guided optimization (PGO), which enables the compiler to perform application- and workload-specific optimizations based on run-time profile information. Providing a profile to go build enables the compiler to speed up typical applications by around 3–4%, and we expect future releases to benefit even more from PGO. Since this is a preview release of PGO support, we encourage folks to try it out, but there are still rough edges which may preclude production use. Go 1.20 also includes a handful of language changes, many improvements to tooling and the library, and better overall performance.
