Brief items
Security
Security quotes of the week
This suggests a missing factor in machine-learning research: manners. We’ve evolved manners to signal to others that our intent is not hostile, and to negotiate the many little transactions that in a hostile environment might lead to a tussle for dominance. Yet these are hard for robots. Food-delivery robots can become unpopular for obstructing and harassing other pavement users; and one of the show-stoppers for automated driving is the difficulty that self-driving cars have in crossing traffic, or otherwise negotiating precedence with other road users. And even in the military, manners have a role – from the chivalry codes of medieval knights to the more modern protocols whereby warships and warplanes warn other craft before opening fire. If we let loose swarms of killer drones with no manners, conflict will be more likely.
— Ross Anderson
Traditionally, Rowhammer was understood to operate at a distance of one row: when a DRAM row is accessed repeatedly (the “aggressor”), bit flips were found only in the two adjacent rows (the “victims”). However, with Half-Double, we have observed Rowhammer effects propagating to rows beyond adjacent neighbors, albeit at a reduced strength. Given three consecutive rows A, B, and C, we were able to attack C by directing a very large number of accesses to A, along with just a handful (~dozens) to B. [...] This is likely an indication that the electrical coupling responsible for Rowhammer is a property of distance, effectively becoming stronger and longer-ranged as cell geometries shrink down. Distances greater than two are conceivable.
— Salman Qazi, Yoongu Kim, Nicolas Boichat, Eric Shiu & Mattias Nissler report on their discovery of Half-Double (Thanks to Paul Wise.)
When the floodgates open, democratic speech is in danger of drowning beneath a tide of fake letters and comments, tweets and Facebook posts. The danger isn’t just that fake support can be generated for unpopular positions, as happened with net neutrality. It is that public commentary will be completely discredited. This would be bad news for specialist AstroTurf companies, which would have no business model if there isn’t a public that they can pretend to be representing. But it would empower still further other kinds of lobbyists, who at least can prove that they are who they say they are.
We may have a brief window to shore up the flood walls. The most effective response would be to regulate what UCLA sociologist Edward Walker has described as the “grassroots for hire” industry. Organizations that deliberately fabricate citizen voices shouldn’t just be subject to civil fines, but to criminal penalties. Businesses that hire these organizations should be held liable for failures of oversight. [...]
— Bruce Schneier and Henry Farrell
Kernel development
Kernel release status
The current development kernel is 5.13-rc3, released on May 23. "It's been a very calm rc3 week, and at least in pure number of commits this is the smallest rc3 we've had in the 5.x series. Considering that the merge window was not in any way small, this is a bit surprising, but I suspect it's one of those 'not everybody sent in fixes this week' things that will rectify itself next week."
Smallness notwithstanding, there are a couple of interesting things in 5.13-rc3, the first of which is a big set of reverts and fixes for a long series of broken patches identified in the TAB report on the UMN mess.
The other notable change in 5.13-rc3 is that the quotactl_path() system call, which was added during the 5.13 merge window, has been disabled. The commit turning it off notes that the concerns about this call were first raised in the LWN comment stream — good work everybody!
Stable updates: 5.12.6, 5.10.39, 5.4.121, 4.19.191, 4.14.233, 4.9.269, and 4.4.269 were released on May 22, followed by 5.12.7, 5.10.40, 5.4.122, 4.19.192, 4.14.234, 4.9.270, and 4.4.270 on May 26.
Quotes of the week
It matters because over time the Standard and the common compilers have made C an unsuitable language for developing a range of applications, from memory allocators, to cryptography applications, to threading libraries and, especially operating systems. We have the absurd situation that C, specifically constructed to write the UNIX kernel, cannot be used to write operating systems. In fact, Linux and other operating systems are written in an unstable dialect of C that is produced by using a number of special flags that turn off compiler transformations based on undefined behavior (with no guarantees about future “optimizations”). The Postgres database also needs some of these flags as does the libsodium encryption library and even the machine learning tensor-flow package.
— Victor Yodaiken
If [RISC-V] vendors want to make sure their hardware is supported then the best way to do that is to make sure specifications get ratified in a timely fashion that describe the behavior required from their products. That way we have an agreed upon interface that vendors can implement and software can rely on. I understand that a lot of people are frustrated with the pace of that process when it comes to the H [virtualization] extension, but circumventing that process doesn't fix the fundamental problem. If there really are products out there that people can't build because the H extension isn't upstream then we need to have a serious discussion about those, but without something specific to discuss this is just going to devolve into speculation which isn't a good use of time.
— Palmer Dabbelt
Please describe the runtime effects of this bug. Please always include this information when fixing bugs. And when adding them.
— Andrew Morton
Distributions
CSIRO's seL4 project shut down
In 2018, LWN covered a talk by Gernot Heiser about the seL4 project, which has developed an open-source operating system for safety-critical applications and gone to the trouble of proving its correctness. Much of that work has been done at CSIRO in Australia. Heiser has announced via Twitter that CSIRO's support for this project is being shut down, with the staff being redirected to artificial-intelligence projects. Hopefully the seL4 Foundation, established in 2020, will be able to carry on this interesting work.
Distribution quote of the week
Modern (>2010) networked printers JustWork(tm), without need for local drivers. CUPS-shared printers JustWork(tm), also without local drivers. Folks with smartphones can print to most CUPS-attached printers, again, no drivers.
We have a standard _lossless_ raster image format that all printers must accept. We have a native PDF-based print flow, enabling far more consistent rendering behavior than pure postscript, as well as a much richer set of capabilities.
We have end-to-end colorspace awareness, with automatic colorspace conversion if the appropriate profiles are installed. We have sane auto-scaling/cropping modes that generally do the right thing in the face of aspect ratio mismatches.
We're closer than ever to a universal printing system that is not tied to any specific OS or client, and that behaves identically no matter where or how the printer is attached. Underpinning all of this are formally standardized protocols (and equally importantly, well-defined behaviors), Free Software reference implementations and conformance tests.
Of course we also have bugs galore, because it's software.
— Solomon Peachy
Linux distributions on smartphones are here to stay!
— postmarketOS blog
Development
Inkscape 1.1 released
Version 1.1 of the Inkscape vector image editor has been released. "Among the highlights in Inkscape 1.1 are a Welcome dialog, a Command Palette, a revamped Dialog Docking System, and searchable preference options, along with new formats for exporting your work."
Magit 3.0 released
Version 3.0 of Magit, a Git interface that runs inside Emacs, has been released. "The big change are the completely reworked menus used to select arguments and invoke suffix commands. Magit now uses the Transient package to implement these menus." See the release notes for more details.
Perl 5.34.0 released
Version 5.34.0 of the Perl language has been released. "Perl 5.34.0 represents approximately 11 months of development since Perl 5.32.0 and contains approximately 280,000 lines of changes across 2,100 files from 78 authors." See this page for a list of changes; they include a new try/catch syntax, a new octal syntax, and many improvements to various modules.
Development quote of the week
One morning recently, I was staring at a git tree when the realisation slapped me in the face that in a git workflow the primary / master / main branches reflected a consensus point in that workflow.
Consensus: Decisions are reached in a dialogue between equals
That realisation settled it pretty hard for me, consensus not only accurately reflected the point in the workflow but was also the most correct English word for what that branch represented.
— Craige McWhirter
Page editor: Jake Edge
