About Tux Machines

Thursday, 27 Jun 19 - Tux Machines is a community-driven public service/news site which has been around for over a decade and primarily focuses on GNU/Linux.

Latest Security FUD

Filed under
Security

Linux Foundation, Kernel, and Linux Plumbers Conference

Filed under
Linux
  • Tech Giants Join Linux Foundation's Connected-Cities Efforts [Ed: Just surveillance capitalism inside Zemlin's PAC. Reminder: the spokesperson of the "Linux" Foundation is the former spokesperson of James Clapper.]
  • Generalized events notification and security policies

    Interfaces for the reporting of events to user space from the kernel have been a recurring topic on the kernel mailing lists for almost as long as the kernel has existed; LWN covered one 15 years ago, for example. Numerous special-purpose event-reporting APIs exist, but there are none that are designed to be a single place to obtain any type of event. David Howells is the latest to attempt to change that situation with a new notification interface that, naturally, uses a ring buffer to transfer events to user space without the need to make system calls. The API itself (which hasn't changed greatly since it was posted in 2018) is not hugely controversial, but the associated security model has inspired a few heated discussions.

  • Detecting and handling split locks

    The Intel architecture allows misaligned memory access in situations where other architectures (such as ARM or RISC-V) do not. One such situation is atomic operations on memory that is split across two cache lines. This feature is largely unknown, but its impact is even less so. It turns out that the performance and security impact can be significant, breaking realtime applications or allowing a rogue application to slow the system as a whole. Recently, Fenghua Yu has been working on detecting and fixing these issues in the split-lock patch set, which is currently on its eighth revision.

    [...]

    With a split lock, the value needs to be kept coherent between different CPUs, which means assuring that the two cache lines change together. As this is an uncommon operation, the hardware design needs to take a special path; as a result, split locks may have important consequences as described in the cover letter of Yu's patch set. Intel's choice was to lock the whole memory bus to solve the coherency problem; the processor locks the bus for the duration of the operation, meaning that no other CPUs or devices can access it. The split lock blocks not only the CPU performing the access, but also all others in the system. Configuring the bus-locking protocol itself also adds significant overhead to the system as a whole.

    On the other hand, if the atomic operation operand fits into a single cache line, the processor will use a less expensive cache lock. This all means that developers may increase performance and avoid split locks by actions like simply correctly aligning their variables.
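As an added example (not code from the LWN article or from Yu's patch set), the C below shows what "correctly aligning their variables" means in practice. It decides whether an operand of a given size at a given address straddles a cache line, which is the condition under which a LOCK-prefixed instruction becomes a split lock, and applies that check to a packed layout that has the problem and to a naturally aligned layout that does not. The 64-byte line size, the struct layouts and all names are assumptions made for illustration.

```c
#include <stdalign.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption for this example: 64-byte cache lines, as on current x86 parts. */
#define CACHE_LINE 64

/* Returns 1 if an access of `size` bytes starting at `addr` touches two cache
 * lines. A LOCK-prefixed instruction on such an operand is a split lock. */
int crosses_cache_line(uintptr_t addr, size_t size)
{
    if (size == 0)
        return 0;
    return (addr / CACHE_LINE) != ((addr + size - 1) / CACHE_LINE);
}

/* Same check for a field inside an object, given the object's base address. */
int field_is_split(const void *base, size_t offset, size_t size)
{
    return crosses_cache_line((uintptr_t)base + offset, size);
}

/* Constructed layout with the problem: packing puts the 8-byte counter at
 * offset 60, so when the struct itself starts on a cache line the counter's
 * bytes 60..67 straddle the boundary at 64. */
struct __attribute__((packed)) bad_layout {
    uint8_t  header[60];
    uint64_t counter;
};

/* Hardened layout: natural alignment moves the counter to offset 64, and the
 * whole struct is placed on a line boundary, so the counter lies in one line. */
struct good_layout {
    uint8_t  header[60];
    _Alignas(8) uint64_t counter;
};

static alignas(CACHE_LINE) struct bad_layout  g_bad;
static alignas(CACHE_LINE) struct good_layout g_good;

int bad_counter_is_split(void)
{
    return field_is_split(&g_bad, offsetof(struct bad_layout, counter),
                          sizeof g_bad.counter);
}

int good_counter_is_split(void)
{
    return field_is_split(&g_good, offsetof(struct good_layout, counter),
                          sizeof g_good.counter);
}

/* Atomic increment on the aligned counter only: the operand fits in a single
 * line, so the CPU can use a cache lock instead of locking the memory bus. */
uint64_t bump_good_counter(void)
{
    return __atomic_add_fetch(&g_good.counter, 1, __ATOMIC_SEQ_CST);
}

int main(void)
{
    printf("packed counter at offset %zu: %s\n",
           offsetof(struct bad_layout, counter),
           bad_counter_is_split() ? "SPLIT LOCK" : "ok");
    printf("aligned counter at offset %zu: %s\n",
           offsetof(struct good_layout, counter),
           good_counter_is_split() ? "SPLIT LOCK" : "ok");
    printf("aligned counter after increment: %llu\n",
           (unsigned long long)bump_good_counter());
    return 0;
}
```

The misaligned layout is never touched atomically here; the code only reports that an atomic on it would split. That is the point of the check: the address arithmetic can run in a unit test or a debug build before the operation ever reaches hardware, whereas detection in the kernel, as in Yu's patch set, only tells you after the bus has already been locked.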

  • Real-Time Microconference Accepted into 2019 Linux Plumbers Conference

    We are pleased to announce that the Real-Time Microconference has been accepted into the 2019 Linux Plumbers Conference! The PREEMPT_RT patch set (aka “The Real-Time Patch”) was created in 2004 in the effort to make Linux into a hard real-time designed operating system. Over the years much of the RT patch has made it into mainline Linux, which includes: mutexes, lockdep, high-resolution timers, Ftrace, RCU_PREEMPT, priority inheritance, threaded interrupts and much more. There’s just a little left to get RT fully into mainline, and the light at the end of the tunnel is finally in view. It is expected that the RT patch will be in mainline within a year, which changes the topics of discussion. Once it is in Linus’s tree, a whole new set of issues must be handled. The focus on this year’s Plumbers events will include:

Renaming openSUSE

Filed under
SUSE

At the 2019 openSUSE Conference, the openSUSE board discussed governance options at length. There will evidently be an official statement on its conclusions in the near future, but that has not been posted as of this writing. It would appear, though, that the board chose a foundation structure over the other options. A German registered association (e. V.) would have been easier to set up than a foundation, but an association has weaker restrictions so it could potentially shift its focus away from the openSUSE mission. Joining another umbrella group seemingly lacked appeal from the beginning, as did the option of doing nothing and leaving things as they are now.

The stated purpose of the foundation is to make it easier for openSUSE to accept donations and manage its own finances — things that are hard for the project to do now. The foundation structure, in particular, allows the project to enshrine its core objectives (such as support for free software) into the DNA of the organization, making it hard to divert the foundation toward some other goal. A foundation also allows openSUSE to retain its current governing board and membership structure.

In the absence of an official statement from the board, details on the decision and the reasoning behind it can be had by watching this YouTube video of a question-and-answer session with the board at the openSUSE Conference.

One motivation for the change that wasn't highlighted in the board session, but which was an undercurrent in the discussions leading up to it, is a desire for more independence from SUSE in general driven by concerns about what the company might do in the future. Such worries are not entirely irrational, even though by all accounts SUSE management is fully supportive of openSUSE now. A company's attitude can change quickly even in the absence of external events like a change of ownership. If SUSE were to be sold yet again, the new owners could take a rather dimmer view of the openSUSE project.

Read more

Security: National Security Agency (NSA) in Coreboot and NSA Back Doors in Microsoft Windows Out of Control

Filed under
Security
  • The NSA Is Looking To Contribute To A New x86 Security Feature To Coreboot

    The US National Security Agency (NSA) has developers contributing to the Coreboot project.

    Eugene Myers of the NSA under the Information Assurance Research, NSA/CSS Research Directorate, has been leading some work on an STM/PE implementation for Coreboot.

  • Coreboot Adds Support For Apollolake-Powered UP-Squared SBC Maker Board

    Coreboot now supports the UP Squared, the new single board computer / maker board based on an Intel Apollo Lake SoC.

    Not to be confused with the $35 Atomic Pi Intel SBC that aims to compete directly with the Raspberry Pi, the UP Squared is a higher-tier ~$150 board with more connectivity and options. The UP Squared offers dual Gigabit Ethernet, HDMI / DP, eMMC, mini-PCIe x1, MIPI CSI, 40-pin header, two USB 3.0 ports, and other options. Both Microsoft Windows and an assortment of Linux distributions are supported.

  • All-In-One Malware ‘Plurox’ Can Hack Your PC In ‘Three Different Ways’ [Ed: When you mean to say Microsoft Windows (with its NSA back doors) but instead you say "PC" as if Microsoft has nothing to do with it]

    The SMB plugin mentioned previously is essentially a repackaged NSA exploit called EternalBlue that was publicly leaked in 2017.

    The plugin allows bad actors to scan local networks and spread the malware to vulnerable workstations via the SMB protocol (running the EternalBlue exploit).

    But that’s not all. UPnP is actually the sneakiest and most nasty plugin among all. It creates port forwarding rules on the local network of a compromised system and uses it to build backdoors into enterprise networks bypassing firewalls and other security measures in place.

  • Windows 10 gets a lot of little fixes – and Microsoft reminds us it’ll start to force updates [Ed: Forced NSA back doors. Gone are the days of controlling our PCs if they contain proprietary software because "for our security/safety" (of course!) remote software modifications will be imposed on us.]

Audiocasts/Shows: TLLTS, FLOSS Weekly and BSD Now

Filed under
Interviews
  • The Linux Link Tech Show Episode 814
  • FLOSS Weekly 534: All Things Open 2019

    All Things Open is a polyglot technology conference focusing on the tools, processes and people making open source possible. Target audience includes designers, developers, decision makers, entrepreneurs and technologists of all types and skill levels.

  • OpenZFS in Ports | BSD Now 303

    The ZFS on FreeBSD project has renamed the userland and kernel ports from zol and zol-kmod to openzfs and openzfs-kmod.
    The new versions from this week are IOCTL compatible with the command line tools in FreeBSD 12.0, so you can use the old userland with the new kernel module (although obviously not the new features).
    With the renaming it is easier to specify which kernel module you want to load in /boot/loader.conf: zfs_load="YES" or openzfs_load="YES", to load the traditional or the newer version of ZFS.

Programming: Firefox Binaries, Python, GCC, Kotlin, C++ and Rust

Filed under
Development
  • Stack Write Traffic In Firefox Binaries

    I became interested in how much CPU memory write traffic corresponds to "stack writes". For x86-64 this roughly corresponds to writes that use RSP or RBP as a base register (including implicitly via PUSH/CALL). I thought I had pretty good intuitions about x86 machine code, but the results surprised me.

  • Louis-Philippe Véronneau: membernator -- validate membership cards

    I currently work part-time for student unions in Montreal and they often have large general assemblies (more than 2000 people). As you can likely figure out by yourself, running through paper lists to validate people's identity is a real PITA and takes quite a long time.

    For example, even if you have 4 people checking names, if validating someone's identity takes 5 seconds on average (that's pretty fast), it takes around 40 minutes to go through 2000 people.

    Introducing membernator, a python program written using pygame that validates membership cards against a CSV database! The idea is to use barcode scanners to scan people's school ID cards and see if they are in our digital lists. Hopefully, it will make our GA process easier for everyone.

  • Developer Toolset 8.1 and GCC 8.3 now available for Red Hat Enterprise Linux 7

    Red Hat Developer Toolset delivers GCC, GDB, and a set of complementary development tools for Red Hat Enterprise Linux via two release trains per year. We are pleased to share that Developer Toolset 8.1 with GCC 8.3 is now available and supported on Red Hat Enterprise Linux 7.

    The Red Hat Developer Toolset 8.1 release includes many enhancements and changes, but here are a few of the highlights...

  • Finished converting all the buildfiles to groovy and downgraded to gradle 4.4.1; week 3+ update

    During the third week I mainly spent my time converting all the buildfiles in the "dist" task graph to groovy from kotlin-dsl.

    I finished converting all the build files from kotlin-dsl to groovy. I then proceeded to build the entire project with only the subprojects required for the dist task so that we can avoid converting all the unneeded subproject buildfiles to groovy. Ran tests on the binary obtained from the newly converted project and compared it to the test result on an original unconverted project. Since the new project only contains the needed subprojects this new project is unable to run all the needed tests. So in order to overcome this we copy the binaries built by our new project and run the tests using the original unaltered projects. The compiler test task we need is "compilerTest"; this is the only applicable test for our build binary from the "dist" task. I have run "distTest" for the unaltered project and uploaded it here; "distTest" task encompasses compilerTest task within it. Here is the log of the "compilerTest" run on the generated binaries.

  • Intel Developing "Data Parallel C++" As Part Of OneAPI Initiative

    Intel announced an interesting development in their oneAPI initiative: they are developing a new programming language/dialect.

    Intel originally began talking about oneAPI last December for optimizing code across CPUs / GPUs / FPGAs and as part of "no transistor left behind." Early details sounded similar to HSA while with time more bits have become known while the big reveal isn't expected until Q4'2019 when it will enter beta.

    We've known OpenCL will take a big role and their LLVM upstreaming effort around their SYCL compiler back-end. The SYCL single-source C++ programming standard from The Khronos Group we've expected Intel to use as their basis for oneAPI while now it seems they are going a bit beyond just targeting SYCL.

  • You can't buy DevOps [Ed: Poor article about mere buzzwords]
  • This Week in Rust 291

Qt Creator 4.10 Beta released

Filed under
KDE

You can “pin” files so they stay open when closing all files. Check the context menu on the document dropdown and the Open Documents pane.

The client for the Language Server Protocol is now better integrated into Locator, shows tooltip information from the server, and has more flexible server settings.
We also moved the plugin out of the experimental state, so it is enabled by default.

Read more

Also: Qt Creator 4.10 Beta Allows Pinning Files, Support For Boost Tests

OpenSUSE/SUSE: Leap 15.1 Update Experience, Btrfs in YaST, SUSECON and SUSE GSI Partner Forum

Filed under
SUSE
  • The openSUSE Leap 15.1 update experience

    My desktop is a HP Pavilion Power 580-146nd. This is a midsize PC with an AMD Ryzen 5 1400 CPU, an AMD Radeon RX 580 GPU, 16 GB of RAM, a 128 GB M.2 SSD and a 1 TB 7200rpm HDD.

    I used the same USB thumbstick. After selecting ‘Update’ from the boot menu, the whole screen went black. And then nothing happened. Since I have installed openSUSE many times before, I quickly realized that this must be a graphics issue. I used ‘nomodeset’ in the past to get around that issue. This causes the installer to go back to the most basic graphics settings but it also means I could finish the update.

    It used to be a lot easier to edit the boot options. However, this is now hidden. This post on Stack Exchange (2) gives a great explanation how to enable nomodeset, both as a one-time option and as a permanent option.

    For the permanent enablement of nomodeset I know an easier way: in YaST look for the module ‘Boot Loader’ and in the Kernel Parameters tab, you can edit the boot command. This was the route that I took to make nomodeset a permanent boot setting.

  • Getting further with Btrfs in YaST

    Since the YaST team rewrote the software stack for managing the storage devices, we have been adding and presenting new capabilities in that area regularly. That includes, among other features, the unpaired ability to format and partition all kind of devices and the possibility of creating and managing Bcache devices. Time has come to present another largely awaited feature that is just landing in openSUSE Tumbleweed: support for multi-device Btrfs file systems.

    As our usual readers surely know, Btrfs is a modern file system for Linux aimed at implementing advanced features that go beyond the scope and capabilities of traditional file systems. Such capabilities include subvolumes (separate internal file system roots), writable and read-only snapshots, efficient incremental backup and our today’s special: support for distributing a single file system over multiple block devices.

  • openSUSE's YaST Now Supports Multi-Device Btrfs Setups

    For those wanting to install openSUSE Tumbleweed on a system where a single Btrfs file-system spans multiple block devices, that's now easily possible with the latest YaST. This includes the abilities for just a simple file-system spanning multiple devices to data duplication to the various RAID levels natively supported by Btrfs.

  • An application a year to an application a week on AWS

    At the recent SUSECON conference in Nashville, Ryan Niksch from AWS discussed how shifting the focus from writing code to deploying applications to production has become more critical as business agility tops the list of customer requirements. He then introduces the benefits of Cloud Foundry in general, and SUSE Cloud Application Platform specifically, including the AWS service broker; its benefits are that it is a containerized distribution of Cloud Foundry that can very quickly and easily be deployed to AWS using a Quick Start template.

  • THE Forum exclusively for GSI Partners!

    This year’s SUSE GSI Partner Forum will feature all these – you won’t want to miss it!

Digging into the new features in OpenZFS post-Linux migration

Filed under
Linux

ZFS on Linux 0.8 (ZoL) brought tons of new features and performance improvements when it was released on May 23. They came after Delphix announced that it was migrating its own product to Linux back in March 2018. We'll go over some of the most exciting May features (like ZFS native encryption) here today.

For the full list—including both new features and performance improvements not covered here—you can visit the ZoL 0.8.0 release on Github. (Note that ZoL 0.8.1 was released last week, but since ZFS on Linux follows semantic versioning, it's a bugfix release only.)

Unfortunately for Ubuntu fans, these new features won't show up in Canonical's repositories for quite some time—October 2019's forthcoming interim release, Eoan Ermine, is still showing 0.7.12 in its repos. We can hope that Ubuntu 20.04 LTS (which has yet to be named) will incorporate the 0.8.x branch, but there's no official word so far; if you're running Ubuntu 18.04 (or later) and absolutely cannot wait, the widely-used Jonathon F PPA has 0.8.1 available. Debian has 0.8.0 in its experimental repo, Arch Linux has 0.8.1 in its zfs-dkms AUR package, and Gentoo has 0.8.1 in testing at sys-fs/zfs. Users of other Linux distributions can find instructions for building packages directly from master at https://zfsonlinux.org/.

Read more

Raspberry Pi pHAT detects indoor pollution, and optionally, outdoors too

Filed under
Hardware

Pimoroni’s $57 “Enviro+” pHAT for the Raspberry Pi can detect indoor air quality, temperature, pressure, humidity, light, and noise. You can hook up an optional “PMS5003 Particulate Matter Sensor” for detecting outdoor pollution.

In 2016, Pimoroni launched a $20 Enviro pHAT board for the Raspberry Pi. The name was a bit misleading, however, since its environmental sensors were limited to a temperature/pressure sensor, light sensor, and whatever you could hook up via the 4-channel analog to digital converter (ADC). Now, the UK-based company has returned with a 45-Pound ($57) Enviro+ pHAT that loses the accelerometer/magnetometer, but adds humidity and analog gas sensors, a MEMS microphone for detecting noise levels, and a 1-inch color LCD screen.

Read more

Kubernetes 1.15

Filed under
Server
OSS
  • Kubernetes 1.15: Extensibility and Continuous Improvement

    The theme of the new developments around CustomResourceDefinitions is data consistency and native behaviour. A user should not notice whether the interaction is with a CustomResource or with a Golang-native resource. With big steps we are working towards a GA release of CRDs and GA of admission webhooks in one of the next releases.

    In this direction, we have rethought our OpenAPI based validation schemas in CRDs and from 1.15 on we check each schema against a restriction called “structural schema”. This basically enforces non-polymorphic and complete typing of each field in a CustomResource. We are going to require structural schemas in the future, especially for all new features including those listed below, and list violations in a NonStructural condition. Non-structural schemas keep working for the time being in the v1beta1 API group. But any serious CRD application is urged to migrate to structural schemas in the foreseeable future.

    Details about what makes a schema structural will be published in a blog post on kubernetes.io later this week, and it is of course documented in the Kubernetes documentation.

  • Kubernetes 1.15 now available from Canonical

    Canonical announces full enterprise support for Kubernetes 1.15 using kubeadm deployments, its Charmed Kubernetes, and MicroK8s, the popular single-node deployment of Kubernetes.

    The MicroK8s community continues to grow and contribute enhancements, with Knative and RBAC support now available through the simple microk8s.enable command. Knative is a great way to experiment with serverless computing, and now you can experiment locally through MicroK8s. With MicroK8s 1.15 you can develop and deploy Kubernetes 1.15 on any Linux desktop, server or VM across 40 Linux distros. Mac and Windows are supported too, with Multipass.

    Existing Charmed Kubernetes users can upgrade smoothly to Kubernetes 1.15, regardless of the underlying hardware or machine virtualisation. Supported deployment targets include AWS, GCE, Azure, Oracle, VMware, OpenStack, LXD, and bare metal.

  • Kubernetes 1.15 Released

    The Kubernetes community has announced the release of Kubernetes 1.15, the second release of 2019. The release focuses on Continuous Improvement and Extensibility. Work on making Kubernetes installation, upgrade and configuration even more robust has been a major focus for this cycle for SIG Cluster Lifecycle. The release comes in time just before KubeCon + CloudNativeCon Shanghai, which will bring the larger cloud-native community together in China. Read more about what's new in Kubernetes 1.15 here.

Librem 5 June Software Update

Filed under
Linux

Several areas of the kernel have seen major improvements, and we are now very close to some important milestones. One such area is forward porting patches so that the images built for the devkit can switch from a 4.18 to a 5.2 kernel, and we’re almost there! You can find a recent image build with the 5.2 kernel here.

With the new kernel, you will be able to long press the power button to turn on the devkit, and use suspend/resume. To help better detect SoC revisions, an RFC patch has been sent to improve this. Working towards improving the power management, we are testing cpufreq and preparing some cpuidle tests.

A lot of effort has been put into debugging the sound on the 5.2 kernel. After many hours of work, we have discovered that ATF was blocking access to the aips regions—and upstream ATF has it fixed now!

Read more

Also: Librem 5 Dev Kit Can At Least Run Quake II Now, Progress On Adopting Linux 5.2

Programming: Lucid Vision Labs, Librem 5, Instana, Python and GNU

Filed under
Development
  • Time-of-Flight camera is powered by Jetson TX2

    Lucid Vision Labs unveiled a MIPI-CSI2 equipped “Helios Embedded” version of its new Helios Time of Flight 3D camera that combines a Jetson TX2 with a Sony DepthSense IMX556PLR ToF sensor with under-5mm accuracy at 0.3 to 1.5 meters.

    Time-of-Flight (ToF) technology spans a range of infrared laser scanners from 3D imaging and navigation systems found on autonomous robots and self-driving cars to the camera flash mechanism inside the Huawei Honor View 20 phone. Most ToF cameras are controlled from a Windows or Linux PC, such as the Basler ToF Camera, the Terabee 3Dcam 80×60, or Lucid Vision Labs’ Helios ToF Camera, which was announced last October and is due to ship later this month. Now Lucid has announced a similar Helios Embedded version of the Helios ToF due in Q4 2019 that can operate autonomously thanks to its Jetson TX2 module.

  • Librem 5 June Software Update

    Hi everyone! The Librem 5 team has been hard at work, and we want to update you all on our software progress.

    Conferences

    A couple of blog posts back, we mentioned that our hardware engineer gave a talk at KiCon—and it is available for watching now!

    Also, recently Tobias Bernard attended the Libre Graphics Meeting, where he had lots of conversation around the future photo viewing application for the Librem 5 phone.

  • Instana Releases Red Hat OpenShift Kubernetes Operator Built on Quarkus

    Red Hat OpenShift introduced Kubernetes (K8s) Operator support with version 3.11. Since that time, the number of Operators created by the OpenShift community has been steadily growing. Instana introduced our Red Hat OpenShift Kubernetes Operator at Red Hat Summit 2019, and will be demonstrating our K8s capabilities at KubeCon Barcelona this week.

  • Book Contest: Creating GUI Applications with wxPython
  • How to Use Python lambda Functions
  • Event - GNU Hackers Meeting (Madrid, Spain)

    Twelve years after its first edition in Orense, the GNU Hackers Meeting (2019-09-04–06) will be held in Spain again. This is an opportunity to meet, hack, and learn with other free software enthusiasts.

Alpine 3.10.0 released

Filed under
GNU
Linux

We are pleased to announce the release of Alpine Linux 3.10.0, the first in the v3.10 stable series.

Read more

Also: Alpine Linux 3.10 Brings Support For Intel's IWD, Better Arm Support

Open Invention Network, the Linux-based patent non-aggression community, exceeds 3,000 licensees

Filed under
Linux
Legal

OIN's mission is to enable Linux, its related software, and its programmers to develop and monetize without being hogtied by patent fights. In Linux's early years, this was a constant threat. Now, thanks largely to the OIN's efforts to get everyone to agree on the basic open-source principle -- that it's better and more profitable to share than to cling to proprietary property -- open-source software has taken off in the marketplace.

The OIN isn't the first to take this concept and apply it to the Unix/Linux operating system family. After Novell bought Unix from AT&T, rather than keep fighting with Berkeley Software Design Inc. (BSDO) over possible Unix IP rights violations in BSD/OS, an early, commercial BSD Unix, Noorda famously declared that he'd rather compete in the marketplace than in court. This Unix case was settled in 1994.

That was a one off. The OIN, which has grown by 50% in the last two years, has turned patent non-aggression into policy for thousands of companies. By agreeing to the OIN license, members gain access to patented inventions worth hundreds of millions of dollars while promoting a favorable environment for Linux and related open source software.

Read more

More in Tux Machines

Fedora Workstation 31, AAC Support

  • Fedora Workstation 31 to come with Wayland support, improved core features of PipeWire, and more

    On Monday, Christian F.K. Schaller, Senior Manager for Desktop at Red Hat, shared a blog post that outlined the various improvements and features coming in Fedora Workstation 31. These include Wayland improvements, more PipeWire functionality, continued improvements around Flatpak, Fleet Commander, and more.

  • Fedora's AAC Support Finally Seeing Audio Quality Improvements

    Fedora's version of the FDK-AAC library that they began shipping in 2017 to finally provide AAC audio support strips out what was patent-encumbered functionality. But that gutting of the code did cause some problems like audio playback glitches that are now being addressed. Fortunately, better AAC support is on the way to Fedora. There is this F30 update pending to provide an updated AAC implementation with quality enhancements.

Mozilla: Firefox's Gecko Media Plugin & EME Architecture, Accessibility, Firefox 68 Beta 10 Testday Results

  • Chris Pearce: Firefox's Gecko Media Plugin & EME Architecture

    For rendering audio and video Firefox typically uses either the operating system's audio/video codecs or bundled software codec libraries, but for DRM video playback (like Netflix, Amazon Prime Video, and the like) and WebRTC video calls using baseline H.264 video, Firefox relies on Gecko Media Plugins, or GMPs for short. This blog post describes the architecture of the Gecko Media Plugin system in Firefox, and the major class/objects involved, as it looked in June 2019. For DRM video Firefox relies upon Google's Widevine Content Decryption Module, a dynamic shared library downloaded at runtime. Although this plugin doesn't conform to the GMP ABI, we provide an adapter to allow it to be run through the GMP system. We use the same Widevine CDM plugin that Chrome uses. For decode and encode of H.264 streams for WebRTC, Firefox uses OpenH264, which is provided by Cisco. This plugin implements the GMP ABI.

  • Hacks.Mozilla.Org: How accessibility trees inform assistive tech

    The web is accessible by default. It was designed with features to make accessibility possible, and these have been part of the platform pretty much from the beginning. In recent times, inspectable accessibility trees have made it easier to see how things work in practice. In this post we’ll look at how “good” client-side code (HTML, CSS and JavaScript) improves the experience of users of assistive technologies, and how we can use accessibility trees to help verify our work on the user experience.

  • QMO: Firefox 68 Beta 10 Testday Results

    As you may already know, Friday June 14th – we held a new Testday event, for Firefox 68 Beta 10.

Security Leftovers/FUD

  • New Linux Worm Attacks IoT Devices [Ed: How to blame "Linux" for default passwords in devices (and some now also blame "Iran", citing a CIA 'proxy' Recorded Future in relation to this because they want war)]

    Silex has 'bricked' more than 2000 Linux-based IoT devices so far.

  • Your server remote login isn't root:password, right? Cool. You can keep your data. Oh sh... your IoT gear, though? [Ed: All this "Silex" 'news' tries to blame Iran for cracking by guessing default passwords; but this is attempted every day by dozens of nations, every minute in a lot of cases. Any political motivation behind this Iran angle?]

    Earlier this week, infosec outfit Recorded Future claimed a Tehran-backed group known as Elfin, or APT33, has been increasingly active in recent months, largely targeting industrial facilities and companies within Saudi Arabia that do business with the US and other Western countries.
  • 'Silex' Malware Renders Internet-of-Things Devices Useless. Here's How to Prevent It [Ed: War lovers' media, e.g. Fortune (see parent) and CBS (through ZDNet) push this whole "Iran" angle, manufactured in part by Recorded Future, which works with the CIA. This is the source of all these "Iran is cracking your gear" stories (every large nation does it all the time, so why the focus on Iran all of a sudden?)]
  • Silex malware targeting IoT devices spotted by security researchers
  • Daily News Roundup: Hackers Broke into Ten Telecom Networks [Ed: Definitely sounds like they used Windows, which executes malware without obstructing the users (who might just open an E-mail or click on a link)]

    Security researchers have revealed hackers spent years burrowing into ten different telecoms. Using a common method of an email with a link leading to malware, the hackers then used sophisticated techniques to target specific individuals. Security researchers at Cybereason revealed details of years-long attempts to break into telecom services (cell phone carriers). Starting in 2017, and possibly before, hackers sent emails to unsuspecting telecom employees with malicious links. The initial payload gave the hackers access to the telecom networks. Once in, the hackers ultimately compromised the network, gaining administrative privileges, and even creating a VPN on the system that let hackers access large amounts of data and empowered them even to shut down the telecom network entirely. The hackers had so much power that Amit Serper, Principal Security Researcher at Cybereason, described them as essentially a “de facto shadow IT department of the company.”

Kernel: LWN's Latest (SACK etc.) and Phoronix on Saitek R440 Force Racing Wheel Support Coming to Linux

  • The TCP SACK panic

    Selective acknowledgment (SACK) is a technique used by TCP to help alleviate congestion that can arise due to the retransmission of dropped packets. It allows the endpoints to describe which pieces of the data they have received, so that only the missing pieces need to be retransmitted. However, a bug was recently found in the Linux implementation of SACK that allows remote attackers to panic the system by sending crafted SACK information. Data sent via TCP is broken up into multiple segments based on the maximum segment size (MSS) specified by the other endpoint—or some other network hardware in the path it traversed. Those segments are transmitted to that endpoint, which acknowledges that it has received them. Originally, those acknowledgments (ACKs) could only indicate that it had received segments up to the first gap; so if one early segment was lost (e.g. dropped due to congestion), the endpoint could only ACK those up to the lost one. The originating endpoint would have to retransmit many segments that had actually been received in order to ensure the data gets there; the status of the later segments is unknown, so they have to be resent. In simplified form, sender A might send segments 20-50, with segments 23 and 37 getting dropped along the way. Receiver B can only ACK segments 20-22, so A must send 23-50 again. As might be guessed, if the link is congested such that segments are being dropped, sending a bunch of potentially redundant traffic is not going to help things.
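    The retransmission arithmetic above, carried through as an added illustration (not code from LWN or the kernel): sender A sends segments 20-50, segments 23 and 37 are lost, and the script compares what a cumulative-ACK-only receiver can report with what a SACK receiver reports. Segment numbers stand in for TCP's byte sequence ranges; the sample is constructed.

```python
"""Why SACK shrinks retransmissions: the LWN example (segments 20-50 sent,
23 and 37 dropped) worked through as a small simulation.  Added here as an
illustration; segment numbers stand in for real TCP byte sequence ranges."""


def cumulative_ack(received, first):
    """Highest segment that is contiguous from `first`: all a pre-SACK
    receiver can acknowledge.  Returns None if `first` itself is missing."""
    n = first
    while n in received:
        n += 1
    return n - 1 if n > first else None


def sack_blocks(received, first):
    """Contiguous runs of received segments lying above the cumulative ACK,
    which is how a SACK receiver describes the out-of-order data it holds
    (real TCP carries byte ranges, a few blocks per option)."""
    ack = cumulative_ack(received, first)
    floor = first if ack is None else ack + 1
    blocks = []
    for seg in sorted(s for s in received if s >= floor):
        if blocks and blocks[-1][1] == seg - 1:
            blocks[-1] = (blocks[-1][0], seg)   # extend the current run
        else:
            blocks.append((seg, seg))           # start a new run
    return blocks


def retransmit_without_sack(sent, received):
    """Without SACK the sender only knows the cumulative ACK, so everything
    after it is presumed lost and resent."""
    ack = cumulative_ack(received, min(sent))
    start = min(sent) if ack is None else ack + 1
    return [s for s in sent if s >= start]


def retransmit_with_sack(sent, received):
    """With SACK only the holes (segments above the cumulative ACK that no
    SACK block covers) need to be resent."""
    first = min(sent)
    ack = cumulative_ack(received, first)
    start = first if ack is None else ack + 1
    covered = {s for lo, hi in sack_blocks(received, first)
               for s in range(lo, hi + 1)}
    return [s for s in sent if s >= start and s not in covered]


# Constructed sample matching the article's description.
SENT = list(range(20, 51))
RECEIVED = set(SENT) - {23, 37}

if __name__ == "__main__":
    print("cumulative ACK:", cumulative_ack(RECEIVED, 20))
    print("SACK blocks:", sack_blocks(RECEIVED, 20))
    print("resent without SACK:", len(retransmit_without_sack(SENT, RECEIVED)))
    print("resent with SACK:", retransmit_with_sack(SENT, RECEIVED))
```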

  • Short waits with umwait

    If a user-space process needs to wait for some event to happen, there is a whole range of mechanisms provided by the kernel to make that easy. But calling into the kernel tends not to work well for the shortest of waits — those measured in small numbers of microseconds. For delays of this magnitude, developers often resort to busy loops, which have a much smaller potential for turning a small delay into a larger one. Needless to say, busy waiting has its own disadvantages, so Intel has come up with a set of instructions to support short delays. A patch set from Fenghua Yu to support these instructions is currently working its way through the review process. The problem with busy waiting, of course, is that it occupies the processor with work that is even more useless than cryptocoin mining. It generates heat and uses power to no useful end. On hyperthreaded CPUs, a busy-waiting process could prevent the sibling thread from running and doing something of actual value. For all of these reasons, it would be a lot nicer to ask the CPU to simply wait for a brief period until something interesting happens. To that end, Intel is providing three new instructions. umonitor provides an address and a size to the CPU, informing it that the currently running application is interested in any writes to that range of memory. A umwait instruction tells the processor to stop executing until such a write occurs; the CPU is free to go into a low-power state or switch to a hyperthreaded sibling during that time. This instruction provides a timeout value in a pair of registers; the CPU will only wait until the timestamp counter (TSC) value exceeds the given timeout value. For code that is only interested in the timeout aspect, the tpause instruction will stop execution without monitoring any addresses.

  • Dueling memory-management performance regressions

    The 2019 Linux Storage, Filesystem, and Memory-Management Summit included a detailed discussion about a memory-management fix that addressed one performance regression while causing another. That fix, which was promptly reverted, is still believed by most memory-management developers to implement the correct behavior, so a patch posted by Andrea Arcangeli in early May has relatively broad support. That patch remains unapplied as of this writing, but the discussion surrounding it has continued at a slow pace over the last month. Memory-management subsystem maintainer Andrew Morton is faced with a choice: which performance regression is more important? The behavior in question relates to the intersection of transparent huge pages and NUMA policy. Ever since this commit from Aneesh Kumar in 2015, the kernel will, for memory areas where madvise(MADV_HUGEPAGE) has been called, attempt to allocate huge pages exclusively on the current NUMA node. It turns out that the kernel will try so hard that it will go into aggressive reclaim and compaction on that node, forcing out other pages, even if free memory exists on other nodes in the system. In essence, enabling transparent huge pages for a range of memory has become an equivalent to binding that memory to a single NUMA node. The result, as observed by many, can be severe swap storms and a dramatic loss of performance. In an attempt to fix this problem, Arcangeli applied a patch in November 2018 that loosened the tight binding to the current node. But, it turned out, some workloads want that binding behavior. Local huge pages will perform better than huge pages on a remote node; even local small pages tend to be better than remote huge pages. For some tasks, the performance penalty for using remote pages is high enough that it is worth going to great lengths — even enduring a swap storm at application startup — to avoid it. No such workload has been publicly posted, but the patch was reverted by David Rientjes in December after a huge discussion.

  • Rebasing and merging in kernel repositories

    What follows is a kernel document I have been working on for the last month in the hope of reducing the number of subsystem maintainers who run into trouble during the merge window. If all goes according to plan, this text will show up in 5.3 as Documentation/maintainer/rebasing-and-merging.txt. On the off chance that some potentially interested readers might not be monitoring additions to the nascent kernel maintainer's handbook, I'm publishing the text here as well. Maintaining a subsystem, as a general rule, requires a familiarity with the Git source-code management system. Git is a powerful tool with a lot of features; as is often the case with such tools, there are right and wrong ways to use those features. This document looks in particular at the use of rebasing and merging. Maintainers often get in trouble when they use those tools incorrectly, but avoiding problems is not actually all that hard. One thing to be aware of in general is that, unlike many other projects, the kernel community is not scared by seeing merge commits in its development history. Indeed, given the scale of the project, avoiding merges would be nearly impossible. Some problems encountered by maintainers result from a desire to avoid merges, while others come from merging a little too often.

  • Years Late But Saitek R440 Force Racing Wheel Support Is On The Way For Linux

    If you happen to have a Saitek R440 Force Wheel or are looking to purchase a cheap and used racing wheel for enjoying the various Linux racing game ports or even the number of games working under Steam Play like F1 2018 and DiRT Rally 2.0, Linux support is on the way. The Saitek R440 Force Wheel can still be found from the likes of eBay for those wanting a cheap/used PC game racing wheel. Now coming soon to the Linux kernel is support for this once popular gaming wheel -- which was originally released back in 2004. The Linux kernel patch originally adding the Saitek R440 was sent last year only to be resent out recently in an attempt for mainline acceptance.