Brief items
Security
OpenSSH 8.5 released
OpenSSH 8.5 has been released. It includes fixes for a couple of potential security problems (one of which only applies to Solaris hosts); it also enables UpdateHostKeys by default, allowing hosts with insecure keys to upgrade them without creating scary warnings for users. There are a lot of other small changes; see the announcement for details.
West: Post-Spectre web development
Mike West has posted a detailed exploration of what is really required to protect sensitive information in web applications from speculative-execution exploits. "Spectre-like side-channel attacks inexorably lead to a model in which active web content (JavaScript, WASM, probably CSS if we tried hard enough, and so on) can read any and all data which has entered the address space of the process which hosts it. While this has deep implications for user agent implementations' internal hardening strategies (stack canaries, ASLR, etc), here we’ll remain focused on the core implication at the web platform level, which is both simple and profound: any data which flows into a process hosting a given origin is legible to that origin. We must design accordingly."
Woodruff: Weird architectures weren't supported to begin with
William Woodruff has posted a rant of sorts on the adoption of Rust by the Python Cryptography project, which was covered here in February.
What’s the point of this spiel? It’s precisely what happened to pyca/cryptography: nobody asked them whether it was a good idea to try to run their code on HPPA, much less System/390; some packagers just went ahead and did it, and are frustrated that it no longer works. People just assumed that it would, because there is still a norm that everything flows from C, and that any host with a halfway-functional C compiler should have the entire open source ecosystem at its disposal.
Security quotes of the week
It's not difficult to see the path this is likely to head down, and it's bad. A few countries force Google/Facebook to pay these old school publishers. Then, basically everyone else on the web notices this and says "hey, how come they get to link to me for free? Shouldn't they be paying me too?!?" And then, one by one, we'll just hear of every failed and flopped industry demanding free money from the companies that actually innovated. The music industry must be so excited. Book publishing? Absolutely. What about boxed software providers (hi, Microsoft!).
Basically, every industry that failed to adapt and innovate online is likely to go running to government demanding payment. And the very nature of the open internet ceases to exist the way it has for the past three decades. It's a terrible, terrible idea, and it was ridiculous that it went ahead in Australia. But Microsoft is an actual tech company, which should know better, but its trollish obsession with Google beating Microsoft in the market means it's willing to toss out the open internet if it thinks it will harm Google.
It's shameful and disgusting.
— Mike Masnick
There is no good reason to underspend on security other than to save money — especially when your clients include government agencies around the world and when the technology experts that you pay to advise you are telling you to do more.
As the economics writer Matt Stoller has suggested, cybersecurity is a natural area for a technology company to cut costs because its customers won’t notice unless they are hacked – and if they are, they will have already paid for the product. In other words, the risk of a cyberattack can be transferred to the customers. Doesn’t this strategy jeopardize the possibility of long-term, repeat customers? Sure, there’s a danger there – but investors are so focused on short-term gains that they’re too often willing to take that risk.
The market loves to reward corporations for risk-taking when those risks are largely borne by other parties, like taxpayers. This is known as “privatizing profits and socializing losses.” Standard examples include companies that are deemed “too big to fail,” which means that society as a whole pays for their bad luck or poor business decisions. When national security is compromised by high-flying technology companies that fob off cybersecurity risks onto their customers, something similar is at work.
— Bruce Schneier
Kernel development
Kernel release status
The current development kernel is 5.12-rc1, released on schedule (on February 28) despite getting a late start. Linus said:
So I was actually without electricity for six days of the merge window, and was seriously considering just extending the merge window to get everything done. As you can tell, I didn't do that. To a large part because people were actually very good about sending in their pull requests, so by the time I finally got power back, everything was nicely lined up and I got things merged up ok. But partly this is also because 5.12 is a smaller release than some previous ones.
Stable updates: 5.11.2, 5.10.19, and 5.4.101 were released on February 26. The 5.11.3, 5.10.20, 5.4.102, 4.19.178, and 4.14.223 updates are in the review process. These updates are due anytime; they are also massive and have been through a couple of revisions during review.
Quote of the week
Imagine you have the following:
    void baz(void);
    void bar(void) { baz(); ... }
    void foo(void) { bar(); ... }
So foo() calls bar() calls baz() (and tail calls don't apply). The question being asked in this specific case (and a few other threads) is "why isn't the call to bar() being inlined into foo()?" Again, totally fair question to ask. (In this analogy, bar() is get_smp_config()/early_get_smp_config(), foo() is their caller(s, plural potentially)).
The answer lies in the direction that inlining occurs. If you're doing "top down" inlining, then when looking at the edge between foo() and bar(), inlining looks totally reasonable. Inline substitution is performed. Then you get to the edge that existed between bar() and baz() and decide perhaps that baz() is too big, has too many callers, etc. and don't inline baz() into foo().
But if you're doing "bottom up" inlining, then you start by analyzing the edge between baz() and bar(), perhaps you decide to inline baz() into bar(), but now the size of bar() is just over the threshold to inline into foo(), or there's too many callers of bar() to inline into every caller without excessive code bloat, or trips the threshold for any number of concerns that go into the inlining cost model. These cost models are insanely complex (and don't fully generalize), because you need to distill a great deal many inputs into a single yes/no signal: "should I inline?"
— Nick Desaulniers (worth a read for anybody interested in compiler inlining decisions)
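The two traversal orders described in the quote above can be replayed on the foo()/bar()/baz() chain with a toy cost model. This is an added example, not code from the quoted mail or from any compiler; the single size budget and the body sizes are assumptions chosen to reproduce both outcomes.

```c
#include <stdio.h>
#include <string.h>

/* Assumed toy cost model: inline only while the caller, after absorbing the
 * callee's body, stays within BUDGET. Real cost models weigh far more inputs. */
#define BUDGET 60

struct fn {
    const char *name;
    int size;            /* constructed body size, arbitrary units */
    struct fn *callee;   /* the single call this function makes, or NULL */
};

/* Inline caller's callee if the budget allows; the caller then inherits
 * whatever call the callee itself still made. Returns 1 if inlined. */
static int try_inline(struct fn *caller) {
    struct fn *c = caller->callee;
    if (!c || caller->size + c->size > BUDGET)
        return 0;
    caller->size += c->size;
    caller->callee = c->callee;
    return 1;
}

/* Both helpers return the name of the function foo() still calls. */
static const char *top_down(int foo_sz, int bar_sz, int baz_sz) {
    struct fn baz = { "baz", baz_sz, NULL };
    struct fn bar = { "bar", bar_sz, &baz };
    struct fn foo = { "foo", foo_sz, &bar };
    while (try_inline(&foo))   /* foo->bar first, then the inherited foo->baz */
        ;
    return foo.callee ? foo.callee->name : "none";
}

static const char *bottom_up(int foo_sz, int bar_sz, int baz_sz) {
    struct fn baz = { "baz", baz_sz, NULL };
    struct fn bar = { "bar", bar_sz, &baz };
    struct fn foo = { "foo", foo_sz, &bar };
    try_inline(&bar);          /* leaf edge bar->baz first, bar may grow */
    try_inline(&foo);          /* then foo->bar, judged on the grown bar */
    return foo.callee ? foo.callee->name : "none";
}

int main(void) {
    printf("top-down:  foo() still calls %s\n", top_down(10, 30, 25));
    printf("bottom-up: foo() still calls %s\n", bottom_up(10, 30, 25));
    return 0;
}
```

With the same three bodies and the same budget, top-down leaves a call to baz() in foo(), while bottom-up leaves the call to bar() that the quoted question asks about.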
Distributions
Mageia 8 has been released
The Mageia distribution has announced the release of Mageia 8. It comes with the usual array of new packages, including a 5.10.16 kernel, Plasma 5.20.4, GNOME 3.38, Firefox 78, Chromium 88, LibreOffice 7.0.4.2, and more. "ARM support has continued to develop, with both AArch64 and ARMv7 now having all packages built and being close to primary architectures now. Support for Wi-Fi installation in the classical installer using WPA2 encryption has been added, as well as improved support for newer filesystems allowing installations on F2FS. Support for NILFS, XFS, exFAT and Windows 10 NTFS has been improved to allow for better partition management. The Live installer has also had significant development. Boot times have been greatly reduced with the use of Zstd compression and improved hardware detection and the support for installing updates as a final step of the installation has been added. Zstd compression has also been applied to the rescue mode, allowing for faster startup, support for encrypted LVM/LUKS has also been added."
Development
Fish shell 3.2.0 released
Version 3.2.0 of the fish shell has been released. New features include undo and redo support (for command-line editing, not commands!) and a long list of incremental improvements; see the announcement for details. LWN last looked at the fish shell in September.
GNU poke 1.0 released
Version 1.0 of GNU poke is out. "GNU poke (http://www.jemarch.net/poke) is an interactive, extensible editor for binary data. Not limited to editing basic entities such as bits and bytes, it provides a full-fledged procedural, interactive programming language designed to describe data structures and to operate on them."
Page editor: Jake Edge
