Welcome to LWN.net
LWN.net is a reader-supported news site dedicated to producing the best coverage from within the Linux and free software development communities. See the LWN FAQ for more information, and please consider subscribing to gain full access and support our activities.
[$] Another try for getrandom() in the vDSO
Random numbers, it seems, can never be random enough, and they cannot be generated quickly enough. The kernel's getrandom() system call might, after years of discussion, be seen as sufficiently secure by most users, but it is still a system call. Linux system calls are relatively fast, but they are necessarily slower than calling a function directly. In an attempt to speed the provision of secure random data to user space, Jason Donenfeld has put together an implementation of getrandom() that lives in the virtual dynamic shared object (vDSO) area.
[$] LWN.net Weekly Edition for July 4, 2024
Posted Jul 4, 2024 2:32 UTC (Thu)The LWN.net Weekly Edition for July 4, 2024 is available.
Inside this week's LWN.net Weekly Edition
- Front: Tag2upload; Python in the App Store; PostmarketOS; Device TCP; Arithmetic overflow; Security modules; Mount notifications; Redox; FreeDOS; Daniel Bristot de Oliveira.
- Briefs: OpenSSH 9.8; FreeBSD Developer Summit; Scientific Linux 7 EOL; Universal Blue updates; GNU findutils 4.10.0; FSF board; Quotes; ...
- Announcements: Newsletters, conferences, security updates, patches, and more.
[$] Mount notifications
There are a handful of extensions to the "new" mount API that Christian Brauner wanted to discuss as part of a filesystem session at the 2024 Linux Storage, Filesystem, Memory Management, and BPF Summit. In the session, though, the only one that he got to was a followup to last year's discussion on mount-operation monitoring. There is a need for user-space programs to be able to follow mount operations (e.g. mount and unmount) that happen in the system, especially for tools like container managers or systemd.
[$] Debian debate over tag2upload reaches compromise
Debian's proposed tag2upload service would be worthy of an article even if it wasn't so contentious; tag2upload promises a streamlined way for Debian developers using Git to upload packages to the Debian Archive. But tag2upload has been in limbo for years due to disagreement and a communication breakdown between the team behind tag2upload and the ftpmasters team. It took the threat of a General Resolution (GR), weeks of discussion, and more than 1,000 emails to finally move forward.
[$] PostmarketOS: Linux for phones and more
In 2016, Oliver Smith reached a point of frustration with the short lifespan of updates for his Android phone. Taking matters into his own hands, he began developing postmarketOS, a Linux distribution for mobile phones. Eight years later, the core team and trusted contributors have grown to twenty individuals, while the latest release, v24.06, now shows support for over 250 devices. Although postmarketOS isn't usable as a day-to-day phone operating system on all of them, it can also enable repurposing devices into compact servers or kiosk machines.
[$] Eliminating indirect calls for security modules
Like many kernel subsystems, the Linux security module (LSM) subsystem makes extensive use of indirect function calls. Those calls, however, are increasingly problematic, and the pressure to remove them has been growing. The good news is that there is a patch series from KP Singh that accomplishes that goal. Its progress into the mainline has been slow — this change was first proposed by Brendan Jackman and Paul Renauld in 2020 — and this work has been caught up in some wider controversies along the way, but it should be close to being ready.
[$] Arithmetic overflow mitigation in the kernel
On May 7, Kees Cook sent a proposal to the linux-kernel mailing list, asking for the kernel developers to start working on a way to mitigate unintentional arithmetic overflow, which has been a source of many bugs. This is not the first time Cook has made a request along these lines; he sent a related patch set in January 2024. Several core developers objected to the plan for different reasons. After receiving their feedback, Cook modified his approach to tackle the problem in a series of smaller steps.
[$] FreeDOS turns 30
FreeDOS is an open-source operating system designed to be compatible with the now-defunct MS-DOS. Three decades have now passed since the FreeDOS project was first announced, and it is still alive and well with a small community of developers and users committed to running legacy DOS software, classic DOS games, and developing modern applications that extend its functionality well beyond the original MS-DOS. It may well be around in another 30 years.
[$] Redox: An operating system in Rust
With the Rust-for-Linux project starting to gain some ground, it is worth looking at other operating systems that use Rust in their kernels. There are many attempts to use Rust for operating system development, but Redox may be the most complete. Redox is an MIT-licensed microkernel and corresponding user space, designed around concepts taken from Plan 9. While nowhere near being usable as a replacement for Linux, it already provides a graphical user interface and the ability to run many POSIX programs.
Mourning Daniel Bristot de Oliveira
The academic and the Linux real-time and scheduling community mourns the premature death of Daniel Bristot de Oliveira. Daniel died at the age of 37 on Monday, June 24, 2024. Juri Lelli, Tommaso Cucinotta, Steve Rostedt, Kate Stewart, and Thomas Gleixner have come together to share their thoughts on his life and what he has left behind
Security updates for Thursday
Security updates have been issued by AlmaLinux (389-ds, c-ares, container-tools, cups, fontforge, go-toolset, iperf3, less, libreoffice, libuv, nghttp2, openldap, python-idna, python-jinja2, python-pillow, python3, python3.11-PyMySQL, qemu-kvm, and xmlrpc-c), Debian (znc), Fedora (firmitas and libnbd), Mageia (dcmtk, krb5, libcdio, and openssh), Oracle (golang, openssh, pki-core, and qemu-kvm), Red Hat (openssh), SUSE (apache2-mod_auth_openidc, emacs, go1.21, go1.22, krb5, openCryptoki, and openssh), and Ubuntu (linux, linux-aws, linux-aws-hwe, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux, linux-aws, linux-azure, linux-azure-5.4, linux-bluefield, linux-gcp, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-iot, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux-xilinx-zynqmp, linux, linux-aws, linux-kvm, linux-lts-xenial, linux, linux-gcp, linux-gcp-6.5, linux-laptop, linux-nvidia-6.5, linux-raspi, linux, linux-gcp, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-xilinx-zynqmp, linux, linux-ibm, linux-lowlatency, linux-nvidia, linux-raspi, linux-aws, linux-aws-6.5, linux-oem-6.5, linux-oracle, linux-oracle-6.5, linux-starfive, linux-aws, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15, linux-gke, linux-gkeop, linux-gkeop-5.15, linux-ibm, linux-intel-iotg, linux-intel-iotg-5.15, linux-kvm, linux-oracle, linux-oracle-5.15, linux-azure, linux-azure, linux-azure-6.5, linux-bluefield, linux-iot, linux-gcp, linux-intel, linux-hwe-5.15, and php7.0 and php7.2).
Universal Blue images need manual intervention for updates
The Universal Blue project, which produces operating system images based on Fedora's Atomic Desktops, has issued an announcement that manual steps are required to continue receiving updates. Jorge Castro wrote:
If you use Bazzite, Bluefin, Aurora, or any other Universal Blue image (including our toolboxes) then you need to follow the instructions in this announcement in order to ensure that your device is getting updates. We were rotating our cosign keypairs this morning, which is the method that we use to sign our images.
During this process I made a critical error which has resulted in forcing you to take manual steps to migrate to our newly signed images.
This applies to all Universal Blue images released before July 2, 2024. See the full announcement for instructions. LWN covered Bluefin in December, 2023.
GNU findutils 4.10.0 released
Version 4.10.0 of GNU findutils has been released. Notable changes include allowing find -name / as a valid pattern, and accepting larger UIDs/GIDs for find -user and find -group. It is also once again possible to build findutils on systems with musl-libc.
Rosenthal: X Window System At 40
David Rosenthal looks back at 40 years of the X Window System:
A major reason for Sun's early success was that they in effect open-sourced the Network File System. X11 was open source under the MIT license. I, and some of the other Sun engineers, understood that NeWS could not displace X11 as the Unix standard window system without being equally open source. But Sun's management looked at NeWS and saw superior technology, an extension of the PostScript that Adobe was selling, and couldn't bring themselves to give it away.
Security updates for Wednesday
Security updates have been issued by AlmaLinux (golang and kernel), Fedora (ghostscript and openssh), Mageia (espeak-ng), Red Hat (389-ds, c-ares, container-tools, cups, fontforge, go-toolset, iperf3, less, libreoffice, libuv, linux-firmware, nghttp2, openldap, pki-core, python-idna, python-jinja2, python-pillow, python3, python3.11-PyMySQL, qemu-kvm, and xmlrpc-c), SUSE (ghostscript, git, libndp, libxml2, openssh, pgadmin4, podman, podofo, postgresql14, postgresql15, postgresql16, python39, squid, and wireshark), and Ubuntu (firefox and openvpn).
Security updates for Tuesday
Security updates have been issued by AlmaLinux (httpd:2.4/httpd), Arch Linux (openssh), Fedora (cups, emacs, and python-urllib3), Gentoo (OpenSSH), Mageia (ffmpeg, gdb, openssl, python-idna, and python-imageio), Red Hat (golang and kernel), SUSE (booth, libreoffice, openssl-1_1-livepatches, podman, python-arcomplete, python-Fabric, python-PyGithub, python- antlr4-python3-runtime, python-avro, python-chardet, python-distro, python- docker, python-fakeredis, python-fixedint, pyth, python-Js2Py, python310, python39, and squid), and Ubuntu (cups and netplan.io).
Scientific Linux 7 reaches end of life
While the end of support for CentOS 7, which happened on June 30, is significant, it is also worth taking a moment to reflect on the end of Scientific Linux 7, which has also just occurred. Scientific Linux was once a popular RHEL rebuild supported by Fermilab, CERN, DESY, and ETH Zurich. Development of Scientific Linux stopped with SL7, with the labs switching to CentOS thereafter, but the SL7 release was supported through to the bitter end. Thanks are due to all who built and supported Scientific Linux; you provided a useful and stable platform for many years.
Security updates for Monday
Security updates have been issued by Debian (dcmtk, edk2, emacs, glibc, gunicorn, libmojolicious-perl, openssh, org-mode, pdns-recursor, tryton-client, and tryton-server), Fedora (freeipa, kitty, libreswan, mingw-gstreamer1, mingw-gstreamer1-plugins-bad-free, mingw-gstreamer1-plugins-base, mingw-gstreamer1-plugins-good, mingw-poppler, and mingw-python-urllib3), Gentoo (cpio, cryptography, GNU Emacs, Org Mode, GStreamer, GStreamer Plugins, Liferea, Pixman, SDL_ttf, SSSD, and Zsh), Oracle (pki-core), Red Hat (httpd:2.4, libreswan, and pki-core), SUSE (glib2 and kubevirt, virt-api-container, virt-controller-container, virt-exportproxy-container, virt-exportserver-container, virt-handler-container, virt-launcher-container, virt-libguestfs-t), and Ubuntu (espeak-ng, libcdio, and openssh).
Serious vulnerability fixed with OpenSSH 9.8
OpenSSH 9.8 has been released, fixing an ugly vulnerability:
Successful exploitation has been demonstrated on 32-bit Linux/glibc systems with ASLR. Under lab conditions, the attack requires on average 6-8 hours of continuous connections up to the maximum the server will accept. Exploitation on 64-bit systems is believed to be possible but has not been demonstrated at this time. It's likely that these attacks will be improved upon.Exploitation on non-glibc systems is conceivable but has not been examined.
There is a configuration workaround for systems that cannot be updated, though it has its own problems. See this Qualys advisory for more details.
Kernel prepatch 6.10-rc6
Linus has released 6.10-rc6 for testing.
"This release continues to be fairly calm, and rc6 looks pretty small.
It's also entirely just random small fixes spread all over, with no bigger
pattern.
"