It's been a little over one year since we last covered Debian's reproducible builds project. The effort has not stopped in the interim; progress continues to be made, the message has sharpened up, and word is spreading. Chris Lamb, speaking about this at FLOSS UK in a talk called "You may think you're not a target: a tale of three developers", hinted that the end may be starting to come into sight.
Security updates have been issued by CentOS (plexus-archiver), Fedora (chromium, kernel, and plexus-archiver), Mageia (firefox, gifsicle, jasper, leptonica, patch, perl-DBD-mysql, qt3, and scummvm), openSUSE (opencv), Oracle (kernel), Red Hat (kernel), Scientific Linux (kernel), SUSE (gpg2, nautilus, and postgresql96), and Ubuntu (gnupg2 and linux-raspi2).
Kees Cook describes the security-oriented changes included in the 4.17 kernel release. "It was possible that old memory contents would live in a new process’s kernel stack. While normally not visible, “uninitialized” memory read flaws or read overflows could expose these contents (especially stuff “deeper” in the stack that may never get overwritten for the life of the process). To avoid this, I made sure that new stacks were always zeroed. Oddly, this “priming” of the cache appeared to actually improve performance, though it was mostly in the noise."
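The failure mode Cook describes is easier to see in code than in prose. The following is an added example, not kernel code and not from Cook's post: it models one reused stack region as a small constructed buffer, lets a "first process" leave a secret in its frame, and then has a "second process" with a read-overflow bug report its whole local buffer even though it only initialised part of it. The `zero_new_stack` flag stands in for the 4.17 change of always zeroing a freshly allocated stack; the process bodies, the 16-byte secret and the frame layout are all made up for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a single physical stack page that two successive
 * processes are handed in turn. Nothing here is real kernel code. */
#define STACK_SIZE 64
static uint8_t stack_pool[STACK_SIZE];

/* A made-up stack frame: a local buffer plus a count of valid bytes. */
struct frame {
    uint8_t  buf[16];
    uint32_t count;
};

/* First process: writes a secret into a local, then exits. The stack
 * memory goes back to the pool untouched, exactly like the "old memory
 * contents" in the quote. */
void first_process(void)
{
    struct frame *f = (struct frame *)stack_pool;
    memcpy(f->buf, "hunter2-password", 16);   /* constructed secret */
    f->count = 16;
}

/* Hand out a stack for a new process. zero_new_stack == 0 mimics the
 * pre-4.17 behaviour (reuse as-is); 1 mimics the fix (zero it first). */
static struct frame *alloc_stack(int zero_new_stack)
{
    if (zero_new_stack)
        memset(stack_pool, 0, sizeof stack_pool);
    return (struct frame *)stack_pool;
}

/* Second process: fills only 4 bytes of buf but copies all 16 out, a
 * read-overflow style bug. Returns how many bytes beyond the 4 it wrote
 * are non-zero in out, i.e. how much of the previous occupant leaked. */
size_t second_process(int zero_new_stack, uint8_t out[16])
{
    struct frame *f = alloc_stack(zero_new_stack);
    size_t leaked = 0;

    memcpy(f->buf, "ok!!", 4);       /* partial initialisation only */
    f->count = 4;
    memcpy(out, f->buf, 16);         /* bug: ignores count, copies everything */

    for (size_t i = 4; i < 16; i++)
        if (out[i] != 0)
            leaked++;
    return leaked;
}

int main(void)
{
    uint8_t out[16];

    first_process();
    printf("reused stack, no zeroing: %zu leaked bytes -> \"%.12s\"\n",
           second_process(0, out), out + 4);

    first_process();
    printf("reused stack, zeroed    : %zu leaked bytes\n",
           second_process(1, out));
    return 0;
}
```

The first run shows twelve bytes of the earlier frame ("er2-password") surviving into the new process's buffer; the second run, with the zeroing step that the quote describes, shows none. The point generalises beyond this toy: any copy that trusts a buffer's size rather than its initialised length turns stale stack contents into an information leak, and zeroing at allocation removes the stale contents rather than the bug.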
Ars Technica has the story of a set of Docker images containing cryptocurrency miners that persisted on Docker Hub for the better part of a year — after being discovered. "Neither the Docker Hub account nor the malicious images it submitted were taken down. Over the coming months, the account went on to submit 14 more malicious images. The submissions were publicly called out two more times, once in January by security firm Sysdig and again in May by security company Fortinet. Eight days after last month's report, Docker Hub finally removed the images."
Security updates have been issued by Arch Linux (chromium and gnupg), Debian (spip), Fedora (pdns-recursor), Gentoo (adobe-flash, burp, quassel, and wget), openSUSE (bouncycastle and taglib), Oracle (kernel), SUSE (java-1_7_0-openjdk, java-1_8_0-openjdk, poppler, and samba), and Ubuntu (file, perl, and ruby1.9.1, ruby2.0, ruby2.3).
The LWN.net Weekly Edition for June 14, 2018 is available.
Inside this week's LWN.net Weekly Edition
In a short session at the 2018 Python Language Summit, Steve Dower brought up the shortcomings of Python virtual environments, which are meant to create isolated installations of the language and its modules. He said his presentation was "co-written with Twitter" and, indeed, most of his slides were of tweets. At the end, he also slipped in an announcement of his plans for hosting a core development sprint in September.
The XArray data structure was the topic of the final filesystem track session at the 2018 Linux Storage, Filesystem, and Memory-Management Summit (LSFMM). XArray is a new API for the kernel's radix-tree data structure; the session was led by Matthew Wilcox, who created XArray. When asked by Dave Chinner if the session was intended to be a live review of the patches, Wilcox admitted with a grin that it might be "the only way to get a review on this damn patch set".
While the 2018 Linux Storage, Filesystem, and Memory-Management Summit (LSFMM) filesystem track session was advertised as being a filesystem test suite "bakeoff", it actually focused on how to make the existing test suites more accessible. Kent Overstreet said that he has learned over the years that various filesystem developers have their own scripts for testing using QEMU and other tools. He and Ted Ts'o put the session together to try to share some of that information (and code) more widely.
Stable kernels 4.9.108, 4.4.137, and 3.18.113 have been released. As usual, they all contain important fixes and users should upgrade.
In the filesystem track at the 2018 Linux Storage, Filesystem, and Memory-Management Summit (LSFMM), Al Viro discussed some problems he has recently spotted in the implementation of rmdir(). He covered some of the history of that implementation and how things got to where they are now. He also described areas that needed to be checked because the problem may be present in different places in multiple filesystems.
Security updates have been issued by Debian (plexus-archiver), Oracle (plexus-archiver), Red Hat (plexus-archiver and rh-maven33-plexus-archiver and rh-maven35-plexus-archiver), Scientific Linux (plexus-archiver), SUSE (pdns, poppler, ucode-intel, wpa_supplicant, and xen), and Ubuntu (bind9, firefox, and linux-azure).
One of the larger features added to Python over the last few releases is support for static typing in the language. Static type-checking and tools to support it show up frequently as topics at the Python Language Summit (PLS) and this year was no exception. Mypy developers Jukka Lehtosalo and Ivan Levkivskyi gave an update on static typing at PLS 2018.
One of the many longstanding — though unwritten — rules of kernel development is that infrastructure is not merged until at least one user for that infrastructure exists. That helps developers evaluate potential interfaces and be sure that the proposed addition is truly needed. A big exception to this rule was made when the heterogeneous memory management (HMM) code was merged, though. One of the reasons for the lack of users in this case turns out to be that many of the use cases are proprietary; that has led to some disagreements over the GPL-only status of an exported kernel symbol.
Stable kernels 4.17.1, 4.16.15, and 4.14.49 have been released. They all contain important fixes and users should upgrade.
Security updates have been issued by Debian (perl), Red Hat (kernel), SUSE (slurm), and Ubuntu (gnupg, gnupg2, imagemagick, kernel, libvirt, linux, linux-aws, linux-gcp, linux-kvm, linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon, linux, linux-raspi2, linux-azure, linux-hwe, linux-gcp, linux-oem, linux-lts-trusty, linux-lts-xenial, linux-aws, and qemu).
The kernel's handling of I/O errors was the topic of a discussion led by Matthew Wilcox at the 2018 Linux Storage, Filesystem, and Memory-Management Summit (LSFMM) in a combined storage and filesystem track session. At the start, he asked: "how is our error handling and what do we plan to do about it?" That led to a discussion between the developers present on the kinds of errors that can occur and on ways to handle them.
LWN reviewed CopperheadOS, a security-enhanced Android distribution, in 2016. Unfortunately, the company behind CopperheadOS appears to have run into internal trouble; we don't dare venture a guess as to the specifics, even after watching the situation for a few days, beyond the fact that there is clearly a dispute between the founders. This Reddit post is apparently a letter to co-founder Daniel Micay essentially kicking him out of the company. Users of CopperheadOS may want to consider alternatives.
Coverage is available from this year's Netconf, the Linux kernel networking development conference, which was held in Boston, MA, May 31-June 1.
Day 1 looks at the following sessions:
Day 2 covers:
Python 2.7 will reach its end of life in less than two years—at least for the core development team. Linux distributions need to figure out how to handle the transition given that many of their users are still using that version of the language—and may still be using it well beyond the end-of-life date. Petr Viktorin and Matthias Klose led a session at the 2018 Python Language Summit to discuss distributions' approaches to deprecating Python 2.
Copyright © 2018, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds