Brief items
Security
Security quote of the week
Spectre and Meltdown aren't anomalies. They represent a new area to look for vulnerabilities and a new avenue of attack. They're the future of security -- and it doesn't look good for the defenders.
Kernel development
Kernel release status
The 4.15 kernel was released on January 28. In the announcement, Linus noted that: "After a release cycle that was unusual in so many (bad) ways, this last week was really pleasant. Quiet and small, and no last-minute panics, just small fixes for various issues. I never got a feeling that I'd need to extend things by yet another week, and 4.15 looks fine to me."
Some of the more significant features in this release include: the long-awaited CPU controller for the version-2 control-group interface, significant live-patching improvements, initial support for the RISC-V architecture, support for AMD's secure encrypted virtualization feature, and the MAP_SYNC mechanism for working with nonvolatile memory. See the KernelNewbies 4.15 page for a much more detailed summary.
This release also, of course, includes mitigations for the Meltdown and Spectre variant-2 vulnerabilities, though, as Linus points out in the announcement, the work of dealing with these issues is not yet done.
Stable updates: 4.14.16, 4.9.79, 4.4.114, and 3.18.93 were released on January 31.
Quotes of the week
Distributions
CopperheadOS: Security features, installing apps, and more (opensource.com)
Here's an opensource.com article on the virtues of CopperheadOS. "Unlike other custom ROMs that strive to add lots of new functionality, Copperhead runs a pretty vanilla version of AOSP. Also, while the first thing you usually do when playing with a custom ROM is to add root access to the device, not only does Copperhead prevent that, it also requires that you have a device that has verified boot, so there's no unlocking the bootloader. This is to prevent malicious code from getting access to the handset."
Are the BSDs dying? Some security researchers think so (CSO)
Here's a 34c3 conference report in CSO suggesting that the BSDs are losing developers. "von Sprundel says he easily found around 115 kernel bugs across the three BSDs, including 30 for FreeBSD, 25 for OpenBSD, and 60 for NetBSD. Many of these bugs he called 'low-hanging fruit.' He promptly reported all the bugs, but six months later, at the time of his talk, many remained unpatched. 'By and large, most security flaws in the Linux kernel don't have a long lifetime. They get found pretty fast,' von Sprundel says. 'On the BSD side, that isn't always true. I found a bunch of bugs that have been around a very long time.' Many of them have been present in code for a decade or more."
Distribution quote of the week
Yet someone needs to take care of it. A large part of the technical community considers Linux distributions in general, and LTS releases in particular, as "too old to care for". As if our elders, once they passed a certain age, should just be rolled out to the nearest dumpster or just left rotting on the curb.
Development
GCC 7.3 released
GCC 7.3 is out. This is mainly a bug-fix release, but it does also contain the "retpoline" support needed to build the kernel (and perhaps other code) with resistance to the Spectre variant-2 vulnerability.
GDB 8.1 released
Version 8.1 of the GDB debugger is out. Changes include better support for the Rust language and various other improvements to make debugging easier; see the announcement and the news file for the full list.
The Git community mourns Shawn Pearce
Shawn Pearce, a longtime contributor to the Git community (and beyond), has passed away. The thread on the Git mailing list makes it clear that he will be missed by many people.
LibreOffice 6.0 released
The LibreOffice 6.0 release is available. Changes include a new help system, a better spelling checker, OpenPGP support, better document interoperability, improvements to LibreOffice Online, and more. "LibreOffice 6.0 represents the bleeding edge in term of features for open source office suites, and as such is targeted at technology enthusiasts, early adopters and power users."
Haas: DO or UNDO - there is no VACUUM
PostgreSQL developer Robert Haas describes a new storage module that is under development. "We are working to build a new table storage format for PostgreSQL, which we’re calling zheap. In a zheap, whenever possible, we handle an UPDATE by moving the old row version to an undo log, and putting the new row version in the place previously occupied by the old one. If the transaction aborts, we retrieve the old row version from undo and put it back in the original location; if a concurrent transaction needs to see the old row version, it can find it in undo. [...] This means that there is no need for VACUUM, or any similar process, to scan the table looking for dead rows."
Schaller: An update on Pipewire – the multimedia revolution
Christian Schaller provides us with an update on the state of the new PipeWire multimedia system. "So as you probably noticed one thing we didn’t mention above is how to deal with PulseAudio applications. Handling this usecase is still on the todo list and the plan is to at least initially just keep PulseAudio running on the system outputting its sound through PipeWire. That said we are a bit unsure how many applications would actually be using this path because as mentioned above all GStreamer applications for instance would be PipeWire native automatically through the PipeWire GStreamer plugins."
Development quote of the week
This is often undervalued, but shouldn't be! Moore's Law doesn't apply to humans, and you can't effectively or cost efficiently scale up by throwing more bodies at a project. Python is one of the best languages (and ecosystems!) that make the development experience fun, high quality, and very efficient.
Miscellaneous
LinuxBoot: a new Linux Foundation project for boot firmware
The Linux Foundation has announced a new project, called LinuxBoot, that is working on replacements for much of the firmware used to boot our systems. The project is based on work by Google and others to use Linux (and Go programs) to replace most of the UEFI boot firmware. "Firmware has always had a simple purpose: to boot the OS. Achieving that has become much more difficult due to increasing complexity of both hardware and deployment. Firmware often must set up many components in the system, interface with more varieties of boot media, including high-speed storage and networking interfaces, and support advanced protocols and security features. LinuxBoot addresses the often slow, often error-prone, obscured code that executes these steps with a Linux kernel. The result is a system that boots in a fraction of the time of a typical system, and with greater reliability."
Yaghmour: Ten Days in Shenzhen
On his blog, embedded developer Karim Yaghmour has written about his ten-day trip to Shenzhen, China, which is known as the "Silicon Valley of hardware". His lengthy trip report covers much that would be of use to others who are thinking of making the trip, but also serves as an interesting travelogue even for those who are likely to never go. "The map didn't disappoint and I was able to find a large number of kiosks selling some of the items I was interested in. Obviously many kiosks also had items that I had seen on Amazon or elsewhere as well. I was mostly focusing on things I hadn't seen before. After a few hours of walking floors upon floors of shops, I was ready to start focusing on other aspects of my research: hard to source and/or evaluate components, tools and expanding my knowledge of what was available in the hardware space. Hint: TEGES' [The Essential Guide to Electronics in Shenzhen] advice about having comfortable shoes and comfortable clothing is completely warranted. Finding tools was relatively easy. TEGES indicates the building and floor to go to, and you'll find most anything you can think of from rework stations, to pick-and-place machines, and including things like oscilloscopes, stereo microscopes, multimeters, screwdrivers, etc. In the process I saw some tools which I couldn't immediately figure out the purpose for, but later found out their uses on some other visits. Satisfied with a first glance at the tools, I set out to look for one specific component I was having a hard time with. That proved a lot more difficult than anticipated. Actually I should qualify that. It was trivial to find tons of it, just not something that matched exactly what I needed. I used TEGES to identify one part of the market that seemed most likely to have what I was looking for, but again, I could find lots of it, just not what I needed."
Chiariglione: A crisis, the causes and a solution
Worth a read: this blog posting from Leonardo Chiariglione, the founder and chair of MPEG, on how (in his view) the group is being destroyed by free codecs and patent trolls. "Good stories have an end, so the MPEG business model could not last forever. Over the years proprietary and 'royalty free' products have emerged but have not been able to dent the success of MPEG standards. More importantly IP holders – often companies not interested in exploiting MPEG standards, so called Non Practicing Entities (NPE) – have become more and more aggressive in extracting value from their IP." (Thanks to Paul Wise).
Page editor: Jake Edge