Brief items
Security
Security quote of the week
[...] What if we have a scenario where a third party authenticates the client (by verifying that they have a valid token issued by their ID provider) and then uses that to issue their own token that's much longer lived? Well, now the client has a long-lived token sitting on it. And if anyone copies that token to another device, they can now pretend to be that client.

This is, sadly, depressingly common. A lot of services will verify the user, and then issue an oauth token that'll expire some time around the heat death of the universe. If a client system is compromised and an attacker just copies that token to another system, they can continue to pretend to be the legitimate user until someone notices (which, depending on whether or not the service in question has any sort of audit logs, and whether you're paying any attention to them, may be once screenshots of your data show up on Twitter).

— Matthew Garrett
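As an added example (not part of the quote or of LWN's text), here is a small audit helper that reads the "iat"/"exp" claims of a JWT-style bearer token and flags tokens whose lifetime exceeds a policy limit, or that never expire at all; the token, the one-day policy and the placeholder signature segment are all constructed for the demo, and no signature is verified.

```python
import base64
import json
from typing import Optional

# Added example, not from the article or from Matthew Garrett's post.
# Policy check over the lifetime encoded in a JWT-style bearer token. This is
# an audit aid for token hygiene (how long a copied token would stay usable),
# not an authentication step: the signature segment is never verified here.

MAX_LIFETIME_SECONDS = 24 * 3600  # assumed policy: tokens live at most one day


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_demo_token(iat: int, exp: Optional[int]) -> str:
    """Constructed sample token; the third segment is not a real signature."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": "client-42", "iat": iat}
    if exp is not None:
        claims["exp"] = exp
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.notasignature"


def token_lifetime(token: str) -> Optional[int]:
    """Return exp - iat in seconds, or None when the token carries no expiry."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-segment JWT")
    claims = json.loads(_b64url_decode(parts[1]))
    if "exp" not in claims:
        return None  # no expiry at all: a copied token works indefinitely
    return int(claims["exp"]) - int(claims.get("iat", 0))


def lifetime_verdict(token: str, max_seconds: int = MAX_LIFETIME_SECONDS) -> str:
    """Classify a token as 'ok', 'too-long' or 'no-expiry' against the policy."""
    lifetime = token_lifetime(token)
    if lifetime is None:
        return "no-expiry"
    if lifetime > max_seconds:
        return "too-long"
    return "ok"
```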
Kernel development
Kernel release status
The current development kernel is 5.18-rc1, released on April 3. Linus said: "In fact, at least in pure commits, this has been a bigger merge window than we've had in some time. But let's hope it's all smooth sailing this release." In the end, 13,207 non-merge changesets were merged during this merge window.
Stable updates: 4.14.275, consisting mostly of backports of a set of arm64 Spectre mitigations, was released on April 2.
The first stable updates after the close of the merge window tend to be large, and the next set doesn't disappoint: 5.17.2 (1,126 patches), 5.16.19 (1,017), 5.15.33 (913), and 5.10.110 (599) are due on April 7.
Cook: Security things in Linux v5.10
Kees Cook catches up with the security-related changes in the 5.10 kernel, released at the end of 2020.
With static branches, an if/else choice can be hard-coded, instead of being run-time evaluated every time. Such branches can be updated too (the kernel just rewrites the code to switch around the “branch”). All these principles apply to static calls as well, but they’re for replacing indirect function calls (i.e. a call through a function pointer) with a direct call (i.e. a hard-coded call address). This eliminates the need for Spectre mitigations (e.g. RETPOLINE) for these indirect calls, and avoids a memory lookup for the pointer. For hot-path code (like the scheduler), this has a measurable performance impact. It also serves as a kind of Control Flow Integrity implementation: an indirect call got removed, and the potential destinations have been explicitly identified at compile-time.
An XFS 5.19 roadmap
XFS filesystem users may be interested in this message from Dave Chinner, who has taken back XFS maintainership for the 5.19 development cycle. It contains his plans for that cycle, which include bringing in a number of large patch sets.
I'd really like to try getting the merge bottlenecks we've had recently unstuck, so there are a few patchsets I want to try to get reviewed, tested and merged for 5.19. Hopefully not too many surprises will get in the way, and so some planning to try to minimise surprises might be a good thing.
Quote of the week
The universal deployment of IP networks on Avian Carriers is facing a multi-decade delay. After operators discovered that birds are not real (now confirmed by the US Government), work began to first understand the many quirks of the drones' firmware before proceeding with wider-scale deployment. No clear timelines exist at this point in time.

— RFC 9225
Development
Claws Mail 4.1.0 released
Version 4.1.0 of the Claws Mail email client is out. New features include text zooming in the message view, improvements to a number of preferences, a "keyword warner" plugin to give a warning before sending a message containing any (user-defined) keywords, and more.

Behnel: Cython is 20!

On his blog, Stefan Behnel writes about the 20th anniversary of Cython, which is a compiler for Python extensions written in C, for wrapping C libraries in order to provide Python bindings for them, and for embedding Python into other applications. It is used by NumPy, scikit-learn (and other scikit-* extensions), pandas, and more.

On April 4th, 2002, Greg Ewing published the first release of Pyrex 0.1.

Already at the time, it was invented and designed as a compiler that extended the Python language with C data types to build extension modules for CPython. A design that survived the last 20 years, and that made Pyrex, and then Cython, a major corner stone of the Python data ecosystem. And way beyond that.

Now, on April 4th, 2022, its heir Cython is still very much alive and serves easily hundreds of thousands of developers worldwide, day to day.
Emacs 28.1 released
Version 28.1 of the Emacs editor has been released. The announcement says little about what's in this release, but there are a lot of details in the NEWS file. Significant changes include native compilation of ELisp files, support for running the editor in a seccomp() sandbox, improved emoji support, and much more. Wayland support did not make it into this release, but is already merged for version 29.

Firefox 99.0 released
Version 99.0 of the Firefox browser has been released. "The Linux sandbox has been strengthened: processes exposed to web content no longer have access to the X Window system (X11)".
LXD 5.0 LTS released
Version 5.0 LTS of the LXD container-management system has been released. This is a long-term-support release, which will be supported into 2027. New features include disk and USB hotplug support, the ability to start with degraded networking, and more; see this forum post for more information.

Rust Lang Roadmap for 2024
The Rust language team has put up a blog entry describing the plans for the language over the next couple of years or so.
More precise analyses, less rigamarole: Make the compiler better able to recognize when code is correct via improvements to the borrow checker, type inference, and so forth. Identify and eliminate "boilerplate" patterns like having to copy-and-paste the same set of where clauses everywhere.
Boucher: rustc_codegen_gcc can now bootstrap rustc
On his blog, Antoni Boucher updates the status of rustc_codegen_gcc, which "is a GCC codegen for rustc, meaning that it can be loaded by the existing rustc frontend, but benefits from GCC by having more architectures supported and having access to GCC's optimizations". A significant milestone has been reached: "the GCC codegen has made enough progress to be able to compile rustc itself". For the Rust programming language, rustc is the standard compiler, so this work will eventually allow programs to be built for a number of architectures that are not supported by rustc. He also made progress beyond just building the compiler as he "was able to compile rustc using the GCC codegen and use the resulting rustc to compile a Hello World".
Page editor: Jake Edge