LWN

LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.

[$] Strict memcpy() bounds checking for the kernel

Friday 30th of July 2021 02:49:18 PM
The C programming language is famously prone to memory-safety problems that lead to buffer overflows and a seemingly endless stream of security vulnerabilities. But, even in C, it is possible to improve the situation in many cases. One of those is the memcpy() family of functions, which are used to efficiently copy or overwrite blocks of memory; with a bit of help from the compiler, those functions can be prevented from writing past the end of the destination object they are passed. Enforcing that condition in the kernel is harder than one might expect, though, as this massive patch set from Kees Cook shows.

Security updates for Friday

Friday 30th of July 2021 02:12:14 PM
Security updates have been issued by Debian (libsndfile and openjdk-11), Fedora (php-pear and seamonkey), openSUSE (fastjar and php7), SUSE (php72, qemu, and sqlite3), and Ubuntu (libsndfile, php-pear, and qpdf).

The GNU C Library copyright-assignment policy changes

Thursday 29th of July 2021 10:22:30 PM
The change in copyright-assignment policy proposed in June for the GNU C Library project has now been adopted:

The changes to accept patches with or without FSF copyright assignment will be effective after August 2nd, and will apply to all open branches. Code shared with other GNU packages via Gnulib will continue to require assignment to the FSF.

The library will continue to be licensed under the GNU Lesser Public License v2.1 or later.

FSF-funded call for white papers on philosophical and legal questions around Copilot

Thursday 29th of July 2021 09:36:37 PM
On its blog, the Free Software Foundation (FSF) has announced a call for white papers about GitHub Copilot and the questions surrounding it. The FSF will pay $500 for papers that it publishes because they "help elucidate the problem":

We can see that Copilot's use of freely licensed software has many implications for an incredibly large portion of the free software community. Developers want to know whether training a neural network on their software can really be considered fair use. Others who may be interested in using Copilot wonder if the code snippets and other elements copied from GitHub-hosted repositories could result in copyright infringement. And even if everything might be legally copacetic, activists wonder if there isn't something fundamentally unfair about a proprietary software company building a service off their work.

[$] Hole punching races against page-cache filling

Thursday 29th of July 2021 02:07:07 PM
Filesystem developers tend to disagree with each other about many things, but they are nearly unanimous in their dislike for the truncate() system call, which chops data off the end of a file. Implementing truncate() tends to be full of traps for the unwary — the kind of traps that can lead to lost data. But it turns out that a similar operation, called "hole punching", may be worse. This operation has been subject to difficult-to-hit but real race conditions in many filesystems for years; this patch set from Jan Kara may finally be at a point where it can fill the hole in hole punching.

Security updates for Thursday

Thursday 29th of July 2021 01:14:20 PM
Security updates have been issued by Debian (webkit2gtk), Fedora (ruby and webkit2gtk3), Mageia (aspell and varnish), openSUSE (git), SUSE (ardana-cobbler, cassandra, cassandra-kit, crowbar-core, crowbar-openstack, documentation-suse-openstack-cloud, grafana, kibana, openstack-heat-templates, openstack-monasca-installer, openstack-nova, python-Django, python-elementpath, python-eventlet, python-py, python-pysaml2, python-six, python-xmlschema and git), and Ubuntu (libsndfile, mariadb-10.3, and webkit2gtk).

[$] LWN.net Weekly Edition for July 29, 2021

Thursday 29th of July 2021 01:44:10 AM
The LWN.net Weekly Edition for July 29, 2021 is available.

[$] Python gets a "Developer-in-Residence"

Wednesday 28th of July 2021 08:18:26 PM
Backlogs in bug triage, code review, and other elements of the development process are nothing new for free-software projects; there is clearly a lot more interest in creating new features (and the bugs that go with them, of course) than in taking on the less-satisfying bits. For a large project like CPython, though, the backlog can seriously impede progress—potentially chasing off contributors whose work falls through the cracks. In order to address that, the Python Software Foundation (PSF) has raised some funds to hire Łukasz Langa as the CPython "Developer-in-Residence". Langa will be working to help clear the backlog, while also looking into other areas of interest to the PSF and the Python steering council.

A set of stable kernels

Wednesday 28th of July 2021 02:59:49 PM
Stable kernels 5.13.6, 5.10.54, 5.4.136, 4.19.199, 4.14.241, 4.9.277, and 4.4.277 have been released. They all contain important fixes and users should upgrade.

Security updates for Wednesday

Wednesday 28th of July 2021 02:47:39 PM
Security updates have been issued by Fedora (golang), Mageia (curl, filezilla, jdom/jdom2, netty, pdfbox, perl-Mojolicious, perl-Net-CIDR-Lite, perl-Net-Netmask, python-urllib3, python3, quassel, transfig, and virtualbox), openSUSE (umoci), Red Hat (rh-nodejs12-nodejs and rh-nodejs12-nodejs-nodemon and rh-nodejs14-nodejs and rh-nodejs14-nodejs-nodemon), and SUSE (firefox, glibc, libsndfile, linuxptp, qemu, and umoci).

[$] A look forward to Linux Plumbers 2021

Tuesday 27th of July 2021 07:49:41 PM
The annual Linux Plumbers Conference (LPC) is a gathering of a relatively small subset of the developers working on the low-level (plumbing) details of Linux systems. It covers topics from below the kernel through the user-space components that underlie the interfaces and applications that most Linux users interact with. This year's event will be held virtually September 20‑24; it is shaping up to be another great edition of one of the premier open-registration Linux technical conferences on the calendar.

Security updates for Tuesday

Tuesday 27th of July 2021 03:14:50 PM
Security updates have been issued by Debian (drupal7), Fedora (linux-firmware), openSUSE (qemu), Oracle (kernel and thunderbird), Red Hat (thunderbird), Scientific Linux (java-1.8.0-openjdk, java-11-openjdk, kernel, and thunderbird), SUSE (dbus-1, libvirt, linuxptp, qemu, and slurm), and Ubuntu (aspell and mysql-5.7, mysql-8.0).

[$] Hastening process cleanup with process_mrelease()

Monday 26th of July 2021 07:25:29 PM
One of the fundamental invariants of computing is that, regardless of how much memory is installed in a system, it is never enough. This is especially true of systems with tight performance constraints, where every page of memory is allocated and in use, making it difficult to find more when it is badly needed. One way to make more memory available is to kill one or more processes, freeing their resources for other users. But that often does not work as quickly or reliably as users would like. In an attempt to improve the situation, Suren Baghdasaryan has proposed the addition of a system call named process_mrelease().

Security updates for Monday

Monday 26th of July 2021 03:13:36 PM
Security updates have been issued by Debian (aspell, intel-microcode, krb5, rabbitmq-server, and ruby-actionpack-page-caching), Fedora (chromium, containernetworking-plugins, containers-common, crun, fossil, podman, skopeo, varnish-modules, and vmod-uuid), Gentoo (leptonica, libsdl2, and libyang), Mageia (golang, lib3mf, nodejs, python-pip, redis, and xstream), openSUSE (containerd, crmsh, curl, icinga2, and systemd), Oracle (containerd), and Red Hat (thunderbird).

Kernel prepatch 5.14-rc3

Sunday 25th of July 2021 11:16:13 PM
The third 5.14 kernel prepatch is out for testing.

Here we are, a week later. After a relatively big rc2, things seem to have calmed down and rc3 looks pretty normal. Most of the fixes here are small, and the diffstat looks largely flat. And there's not an undue amount of stuff.

Some weekend stable kernels

Sunday 25th of July 2021 08:01:49 PM
The 5.13.5, 5.10.53, and 5.4.135 stable kernels have been released; each contains another set of important fixes.

K-9 5.800 released

Saturday 24th of July 2021 05:53:34 PM
After a long pause, the K-9 Android mail client project has released version 5.800. "The user interface has been redesigned. Some of you will love it, some will hate it. You’re welcome and we're sorry." There are also a number of improvements to make background operation work better on current Android systems.

[$] Using DAMON for proactive reclaim

Friday 23rd of July 2021 05:09:15 PM
The DAMON patch set was first covered here in early 2020; this work, now in its 34th revision, enables the efficient collection of information about memory-usage patterns on Linux systems. That data can then be used to influence the kernel's memory-management subsystem; one possible way to do that is to more aggressively reclaim memory that is not being used. To that end, DAMON author SeongJae Park is proposing a DAMON-based mechanism to perform user-controllable proactive reclaim.

Security updates for Friday

Friday 23rd of July 2021 02:21:44 PM
Security updates have been issued by Arch Linux (chromium, curl, impacket, jdk11-openjdk, jre-openjdk, jre-openjdk-headless, jre11-openjdk-headless, kernel, lib32-curl, lib32-libcurl-compat, lib32-libcurl-gnutls, libcurl-compat, libcurl-gnutls, libpano13, linux-hardened, linux-lts, linux-zen, nvidia-utils, opera, systemd, and virtualbox), CentOS (java-11-openjdk and kernel), Debian (lemonldap-ng), Fedora (curl and podman), Gentoo (icedtea-web and velocity), openSUSE (bluez, go1.15, go1.16, kernel, thunderbird, transfig, and wireshark), Oracle (java-1.8.0-openjdk, java-11-openjdk, kernel, and kernel-container), SUSE (bluez, curl, kernel, qemu, thunderbird, transfig, and wireshark), and Ubuntu (curl).

[$] The core of the -stable debate

Thursday 22nd of July 2021 04:44:58 PM
Disagreements over which patches should find their way into stable updates are not new — or uncommon. So when the topic came up again recently, there was little reason to expect anything but more of the same. And, for the most part, that is what ensued but, in this exchange, we were also able to see the core issue that drives these discussions. There are, in the end, two fundamentally different views of what the stable tree should be.

More in Tux Machines

Lutris 0.5.9 Beta Released With Epic Games Store Support, DXVK-NVAPI/DLSS, Gamescope

The Lutris 0.5.9 beta delivers on initial support for the Epic Games Store, support for DXVK-NVAPI and DLSS, FidelityFX Super Resolution is now an exposed option for compatible Wine versions, Valve's Gamescope Wayland game compositor is now an option, Esync usage is now enabled by default, the Dolphin emulator is now available as a game source, improved process monitoring, and other enhancements. It's quite a hearty update for this game manager.

today's leftovers

Audiocasts/Shows: Missing OBS Features On Arch Linux, Going Linux, and GNU World Order

Proprietary Software and Security Issues

  • SolarWinds [Attack] Reached 27 U.S. Attorneys’ Offices, Justice Says

    The attack compromised Microsoft 365 accounts of at least 80% of the department’s employees working in offices located in the Eastern, Northern, Southern and Western Districts of New York. Also affected to a lesser degree were employees in U.S. Attorneys’ offices in 14 other states, including California, Florida, Maryland, Texas and Virginia, as well as the District of Columbia.

  • Safari isn't protecting the web, it's killing it

    There's been a lot of discussion recently about how "Safari is the new IE" (1, 2, 3, 4, 5).

    I don't want to rehash the basics of that, but I have seen some interesting rebuttals, most commonly: Safari is actually protecting the web, by resisting adding unnecessary and experimental features that create security/privacy/bloat problems.

    That is worth further discussion, because it's widespread, and wrong.

    More specifically, Safari's approach isn't protecting the web from bloat & evil Google influence, because: [...]

  • Hasta la Vista Gmail

    I’ve been a Gmail user pretty much since day 1, when it was still an invite-only service in 2004. Not anymore. Over the past month I’ve migrated most of my email to Fastmail and I’m extremely happy with the result.

    Why bother? Well, I guess it won’t come to you as a shock that I’ve felt progressively more uncomfortable with how Google (and the like) are handling my personal data. I’ve also been getting quite frustrated with attempts to make email/my inbox “smarter”. I never needed a “priority inbox”, auto-categorization of email, etc. Simple is good. Just put the newest emails on the top and I’ll sort it out from there.

  • Google dodges regulation, hits advertisers with “regulatory” charges: What’s the Scam?

    We are not familiar with what draconian regulatory schemes exist for Google in Austria and Turkey, but here in Australia we know what it is – which is not much at all. And they paid no tax on their 2020 revenue of $5.2 billion.

  • Storing Encrypted Photos in Google’s Cloud

    Cloud photo services are widely used for persistent, convenient, and often free photo storage, which is especially useful for mobile devices. As users store more and more photos in the cloud, significant privacy concerns arise because even a single compromise of a user’s credentials give attackers unfettered access to all of the user’s photos. We have created Easy Secure Photos (ESP) to enable users to protect their photos on cloud photo services such as Google Photos. [...]

  • Spyware revelations are a crucial moment for Indian democracy
  • Joint Open Letter: States Must Implement Moratorium on Surveillance Technology - PEN America

    We the undersigned civil society organizations and independent experts are alarmed at the media revelations that NSO Group’s spyware has been used to facilitate human rights violations around the world on a massive scale. These revelations are a result of the Pegasus Project and are based on the leak of 50,000 phone numbers of potential surveillance targets. The project is a collaboration of more than 80 journalists from 16 media organizations in 10 countries coordinated by Forbidden Stories, a Paris-based media non-profit, with the technical support of Amnesty International, who conducted forensic tests on mobile phones to identify traces of the Pegasus spyware.

  • Canonicalization Attacks Against MACs and Signatures

    Canonicalization Attacks occur when a protocol that feeds data into a hash function used in a Message Authentication Code (MAC) or Digital Signature calculation fails to ensure some property that’s expected of the overall protocol.

    The textbook example of a canonicalization attack is the length-extension attack against hash functions such as MD5, which famously broke the security of Flickr’s API signatures.

    But there’s a more interesting attack to think about, which affects the design of security token/envelope formats (PASETO, DSSE, etc.) and comes up often when folks try to extend basic notions of authenticated encryption (AE) to include additional authenticated (but unencrypted) data (thus yielding an AEAD mode).