The 5.2.12, 4.19.70, 4.14.142, 4.9.191, and 4.4.191 stable kernels have been released with another set of important fixes. Milliseconds thereafter, 5.2.13 and 4.19.71 were released to fix a regression with the elantech mouse driver.

Google has a long and interesting history contributing to the upstream Linux kernel. With Chrome OS, Google has tried to learn from some of the mistakes of its past and is now working with the upstream Linux kernel as much as it can. In a session at the 2019 Open Source Summit North America, Google software engineer Doug Anderson detailed how and why Chrome OS developers work upstream. It is an effort intended to help the Linux community as well as Google.

Security updates have been issued by Debian (exim4 and firefox-esr), Fedora (lxc, lxcfs, pdfresurrect, python3-lxc, rdesktop, and seamonkey), Oracle (kernel), and SUSE (nginx, python-Werkzeug, SUSE Manager Client Tools, and util-linux and shadow).

The staging tree was added to the kernel in 2008 for the 2.6.28 development cycle as a way to ease the process of getting substandard device drivers into shape and merged into the mainline. It has been followed by controversy for just about as long. The recent disagreements over the EROFS and exFAT filesystems have reignited many of the arguments over whether the staging tree is beneficial to the kernel community or not. LWN cannot answer that question, but we can look into what has transpired in the staging tree in its first eleven years to see if there are any conclusions to be drawn there. A lot of code has gone into the staging tree over the years; what happened to it thereafter?

Security updates have been issued by Debian (webkit2gtk), Fedora (systemd), openSUSE (go1.11, python-Twisted, SDL2_image, SDL_image, and wavpack), Oracle (kdelibs and kde-settings, kernel, and qemu-kvm), Red Hat (chromium-browser and firefox), Slackware (seamonkey), SUSE (java-1_8_0-ibm, kernel, and python-urllib3), and Ubuntu (firefox and npm/fstream).

Google has announced the release of a new library for applications using differential privacy techniques. "Differentially-private data analysis is a principled approach that enables organizations to learn from the majority of their data while simultaneously ensuring that those results do not allow any individual's data to be distinguished or re-identified. This type of analysis can be implemented in a wide variety of ways and for many different purposes. For example, if you are a health researcher, you may want to compare the average amount of time patients remain admitted across various hospitals in order to determine if there are differences in care. Differential privacy is a high-assurance, analytic means of ensuring that use cases like this are addressed in a privacy-preserving manner."

The LWN.net Weekly Edition for September 5, 2019 is available.

The Linux Plumbers Conference has filled up and has closed its waiting list. "All of the spots available have been allocated, so anyone who is not registered at this point will have to wait for next year. There will be no on-site registration. We regret that we could not accommodate everyone. The good news is that all of the microconferences, refereed talks, Kernel summit track, and Networking track will be recorded on video and made available as soon as possible after the conference. Anyone who could not make it to Lisbon this year will at least be able to catch up with what went on. Hopefully those who wanted to come will make it to a future LPC." LPC will be held in Lisbon, Portugal, September 9-11.

Finding ways to make it easier and faster to mitigate an ongoing attack against a Linux system at runtime is part of the motivation behind the kernel runtime security instrumentation (KRSI) project. Its developer, KP Singh, gave a presentation about the project at the 2019 Linux Security Summit North America (LSS-NA), which was held in late August in San Diego. A prototype of KRSI is implemented as a Linux security module (LSM) that allows eBPF programs to be attached to the kernel's security hooks.

Security updates have been issued by Arch Linux (grafana, irssi, and jenkins), Debian (freetype, samba, and varnish), Fedora (community-mysql, kernel, kernel-headers, kernel-tools, and python-mitogen), openSUSE (postgresql10 and python-SQLAlchemy), Oracle (kdelibs and kde-settings and squid:4), Red Hat (kdelibs and kde-settings, kernel, kernel-rt, openstack-nova, qemu-kvm, and redis), Scientific Linux (kdelibs and kde-settings, kernel, and qemu-kvm), SUSE (ansible, java-1_7_1-ibm, libosinfo, php53, and qemu), and Ubuntu (irssi, samba, and systemd).

A typical kernel development cycle involves pulling patches from over 100 repositories into the mainline. Any of those pulls could conceivably bring with it malicious code, leaving the kernel (and its users) open to compromise. The kernel's web of trust helps maintainers to ensure that pull requests are legitimate, but that web has become difficult to maintain in the wake of the recent attacks on key servers and other problems. So now the kernel community is taking management of its web of trust into its own hands.

This grsecurity blog entry looks at how an ineffective Spectre fix found its way into the stable kernel releases. If one looks past the advertising, it's a good summary of how the kernel processes can produce the wrong result. "Despite this warning, this code was merged into Thomas Gleixner's x86/tip tree verbatim, as can be seen here. Prior to merging the fix for 5.3-rc1, Linus Torvalds noticed the warning as seen on the LKML mailing list here and fixed it correctly. However, when the actual merge of the tree was performed, no mention was made of the correction to the fix, and with no specific commit mentioning the correction and fixing it alone, everyone else's processes that depended on cherry-picking specific commits ended up grabbing the bad warning-inducing change. As a further failure, instead of looking at Linus' correct fix (observable by checking out the master tree at the time), the approach seems to have been to naively silence the warning by simply swapping the order of the two lines."

Providing meaningful metrics for open-source projects has long been a challenge, as simply measuring downloads, commits, or GitHub stars typically doesn't say much about the health or diversity of a project. It's a challenge the Linux Foundation's Community Health Analytics Open Source Software (CHAOSS) project is looking to help solve. At the 2019 Open Source Summit North America (OSSNA), Matt Germonprez, one of the founding members of CHAOSS, outlined what the group is currently doing and why its initial efforts didn't work out as expected.

Google has announced the release of Android 10, the free parts of which are available from the Android Open Source Project now. "Privacy is a central focus in Android 10, from stronger protections in the platform to new features designed with privacy in mind. Building on previous releases, Android 10 includes extensive changes to protect privacy and give users control, with improved system UI, stricter permissions, and restrictions on what data apps can use."

Firefox 69.0 has been released. This release enables on-by-default Enhanced Tracking Protection for all users and gives more control over blocking playback of videos which start playing automatically. See the release notes for details.

Security updates have been issued by Debian (qemu), Fedora (ansible and wavpack), openSUSE (apache-commons-beanutils, apache2, go1.12, httpie, libreoffice, qemu, and slurm), Oracle (ghostscript), Scientific Linux (ghostscript), SUSE (ardana-ansible, ardana-barbican, ardana-cinder, ardana-cluster, ardana-cobbler, ardana-db, ardana-designate, ardana-extensions-nsx, ardana-glance, ardana-heat, ardana-horizon, ardana-input-model, ardana-installer-ui, ardana-ironic, ardana-keystone, ardana-logging, ardana-magnum, ardana-monasca, ardana-mq, ardana-neutron, ardana-nova, ardana-octavia, ardana-opsconsole, ardana-opsconsole-ui, ardana-osconfig, ardana-service, ardana-ses, ardana-swift, ardana-tempest, crowbar-core, crowbar-ha, crowbar-openstack, crowbar-ui, java-monasca-common, java-monasca-common-kit, openstack-ceilometer, openstack-cinder, openstack-designate, openstack-heat, openstack-horizon-plugin-neutron-fwaas-ui, openstack-horizon-plugin-neutron-lbaas-ui, openstack-horizon-plugin-neutron-vpnaas-ui, openstack-ironic, openstack-ironic-python-agent, openstack-keystone, openstack-magnum, openstack-manila, openstack-monasca-notification, openstack-monasca-persister, openstack -monasca-persister-java, openstack-monasca-persister-java-kit, openstack-neutron, openstack-neutron-gbp, openstack-neutron-lbaas, openstack-nova, openstack-octavia, openstack-tempest, python-ardana-configurationprocessor, python-cinder-tempest-plugin, python-ironicclient, python-keystonemiddleware, python-monasca-tempest-plugin, python-openstackclient, python-openstacksdk, python-proliantutils, python-python-engineio, python-swiftlm, python-vmware-nsx, python-vmware-nsxlib, yast2-crowbar, pacemaker, and php72), and Ubuntu (linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon, linux-aws, linux-oracle, linux-raspi2, linux-raspi2, linux-snapdragon, and policykit-1).

The success stories that have gathered around data analytics drive broader adoption of the newest artificial-intelligence-based techniques—but risks come along with these techniques. The large numbers of freshly anointed data scientists piling into industry and the sensitivity of the areas given over to machine-learning models—hiring, loans, even sentencing for crime—means there is a danger of misapplied models, which is earning the attention of the public. Two sessions at the recent MinneBOS 2019 conference focused on maintaining ethics and addressing bias in machine-learning applications.

The 5.3-rc7 kernel prepatch is out for testing, one day later than usual. The final 5.3 release may also be delayed a week to accommodate Linus's travel schedule: "So I do suspect that with my timing (and a number of other developers are probably going to be traveling for LPC and KS too) I'll just make an rc8 even if it turns this Labor Day week ends up being very quiet and there might not be any _technical_ reason to delay the release."

Security updates have been issued by Debian (gosa, libav, libextractor, nghttp2, pump, and python2.7), Fedora (dovecot, mod_http2, and pango), Gentoo (dovecot, gnome-desktop, libofx, and nautilus), Mageia (ansible, ghostscript, graphicsmagick, memcached, mpg123, pango, vlc, wavpack, webmin, wireshark, and wpa_supplicant, hostapd), openSUSE (flatpak, libmirage, podman, slirp4netns and libcontainers-common, python-SQLAlchemy, and qemu), Red Hat (ghostscript, java-1.8.0-ibm, and squid:4), and SUSE (kernel, libsolv, libzypp, zypper, NetworkManager, nodejs10, nodejs8, perl, python-Django, and python-SQLAlchemy).

Linux kernel developers like to get support for new features — such as filesystem types — merged quickly. In the case of the exFAT filesystem, that didn't happen; exFAT was created by Microsoft in 2006 for use in larger flash-storage cards, but there has never been support in the kernel for this filesystem. Microsoft's recent announcement that it wanted to get exFAT support into the mainline kernel would appear to have removed the largest obstacle to Linux exFAT support. But, as is so often the case, it seems that some challenges remain.