The kernel's timer interface has been around for a long time, and its API shows it. Beyond a lack of conformance with current in-kernel interface patterns, the timer API is not as efficient as it could be and stands in the way of ongoing kernel-hardening efforts. A late addition to the 4.14 kernel paves the way toward a wholesale change of this API to address these problems.
The next election for members of the Linux Foundation's Technical Advisory Board will be held on October 25 at the Kernel Summit in Prague. The call has gone out for candidates to fill the five available seats. "The Linux Foundation Technical Advisory Board (TAB) serves as the interface between the kernel development community and the Foundation. The TAB advises the Foundation on kernel-related matters, helps member companies learn to work with the community, and works to resolve community-related problems before they get out of hand. The board has ten members, one of whom sits on the LF board of directors."
What kind of cell phone would emerge from a concerted effort to design privacy in from the beginning, using free software as much as possible? Some answers are provided by a crowdfunding campaign launched in August by Purism SPC, which has used two such campaigns successfully in the past to build a business around secure laptops. The Librem 5, with a five-inch screen and radio chip for communicating with cell phone companies, represents Purism's hope to bring the same privacy-enhancing vision to the mobile space, which is much more demanding in its threats, technology components, and user experience.
An attacker who seeks to compromise a running kernel by overwriting kernel data structures or forcing a jump to specific kernel code must, in either case, have some idea of where the target objects are in memory. Techniques like kernel address-space layout randomization have been created in the hope of denying that knowledge, but that effort is wasted if the kernel leaks information about where it has been placed in memory. Developers have been plugging pointer leaks for years but, as a recent discussion shows, there is still some disagreement over the best way to prevent attackers from learning about the kernel's address-space layout.
Security updates have been issued by CentOS (kernel and postgresql), Debian (botan1.10, curl, dnsmasq, libxfont, nautilus, qemu, qemu-kvm, sam2p, and tor), Fedora (dnsmasq, libmspack, and samba), Gentoo (file, icu, libpcre2, munin, ocaml, pacemaker, postgresql, rubygems, and sudo), Mageia (clamav, dnsmasq, flightgear, libidn, and x11-server), openSUSE (libvirt), Oracle (kernel), SUSE (portus), and Ubuntu (poppler).
The LWN.net Weekly Edition for October 5, 2017 is available.
The 4.14-rc4 kernel prepatch is out for testing. "So I do have some hope that things are approaching normal. I'd expect that to continue, and things start calming down."
A lot was discussed and presented in the three hours allotted to the Testing and Fuzzing microconference at this year's Linux Plumbers Conference (LPC), but some spilled out of that slot. We have already looked at some discussions on kernel testing that occurred both before and during the microconference. Much of the rest of the discussion is summarized in the article from this week's edition, which subscribers can access from the link below.
The Debian 9.2 point release is available; it includes fixes for a long list of problems. "As a special case for this point release, those using the 'apt-get' tool to perform the upgrade will need to ensure that the 'dist-upgrade' command is used, in order to update to the latest kernel packages."
Odoo is, according to Wikipedia, "the most popular open source ERP system." Thus, any survey of open-source accounting systems must certainly take a look in that direction. This episode in the ongoing search for a suitable accounting system for LWN examines the accounting features of Odoo; unfortunately, it comes up a bit short.
Version 235 of the systemd service manager is out; it includes a long list of new features. See this blog post for a description of the dynamic user feature in particular. "One major benefit of dynamic user IDs is that running a privilege-separated service leaves no artifacts in the system. A system user is allocated and made use of, but it is discarded automatically in a safe and secure way after use, in a fashion that is safe for later recycling. Thus, quickly invoking a short-lived service for processing some job can be protected properly through a user ID without having to pre-allocate it and without this draining the available UID pool any longer than necessary."
Jens Axboe is the maintainer of the block layer of the kernel. In this capacity, he spoke at Kernel Recipes 2017 on what's new in the storage world for Linux, with a particular focus on the new block-multiqueue subsystem: the degree to which it's been adopted, a number of optimizations that have recently been made, and a bit of speculation about how it will further improve in the future.
Subscribers can click below for a report from the Kernel Recipes talk by guest author Tom Yates.
"Jprobes" are an ancient kernel mechanism used to trace entry into kernel functions; they were described in this 2005 LWN article. Recently, the kernel community has come to the conclusion that jprobes have few (if any) remaining users, they have long been superseded by the function tracing (ftrace) mechanism, and they are a maintenance burden. As a result, the jprobe API will likely be disabled in a near-future kernel. If anybody out there is still using jprobes, now would be a good time to either move on or make the case for retaining that feature in the kernel.
While the adoption of OpenPGP by the general population is marginal at best, it is a critical component for the security community and particularly for Linux distributions. For example, every package uploaded into Debian is verified by the central repository using the maintainer's OpenPGP keys and the repository itself is, in turn, signed using a separate key. If upstream packages also use such signatures, this creates a complete trust path from the original upstream developer to users. Beyond that, pull requests for the Linux kernel are verified using signatures as well. Therefore, the stakes are high: a compromise of the release key, or even of a single maintainer's key, could enable devastating attacks against many machines.
Security updates have been issued by Arch Linux (curl, krb5, lib32-curl, lib32-krb5, lib32-libcurl-compat, lib32-libcurl-gnutls, libcurl-compat, and libcurl-gnutls), Debian (golang), Fedora (MySQL-zrm), Mageia (firefox, ghostscript, libgd, libraw, libwpd, open-vm-tools, poppler, and rawtherapee), Oracle (kernel and postgresql), Red Hat (kernel), Scientific Linux (kernel), Slackware (curl, openjpeg, and xorg), and Ubuntu (ruby1.9.1).
Free-software raw photo editor RawTherapee released a major new revision earlier this year, followed by a string of incremental updates. The 5.x series, released at a rapid pace, marks a significant improvement in RawTherapee's development tempo — the project's preceding update had landed in 2014. Regardless of the speed of the releases themselves, however, the improved RawTherapee offers users a lot of added functionality and may shake up the raw-photo-processing workflow for many photographers.
SUSE has announced that SUSE Studio and the Open Build Service (OBS) will be merged into a combined solution, delivered as SUSE Studio Express. "Looking at the feature requests for SUSE Studio on image building and looking at our technologies, we decided to use OBS as the base for our image building service. Since OBS already builds images for various environments, we will first add a new image building GUI to OBS."
As the Internet of Things (IoT) becomes ever more populous, there is no shortage of people warning us that the continual infusion into our lives of hard-to-patch proprietary devices running hard-to-maintain proprietary code is a bit of a problem. It is an act of faith for some, myself included, that open devices running free software (whether IoT devices or not) are easier to maintain than proprietary, closed ones. So it's always of interest when freedom (or something close to it) makes its way into a class of devices that were not previously so blessed.
Subscribers can click below for a look at the NumWorks graphing calculator by guest author Tom Yates.
Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds