LWN.net is a comprehensive source of news and opinions from
and about the Linux community. This is the main LWN.net feed,
listing all articles which are posted to the site front page.
Posodobljeno: 4 min 14 sec nazaj
Čet, 04/14/2022 - 19:42
Support for developing in the
Rust
language is
headed toward the kernel, though just when it
will land in the mainline is yet to be determined. The Rust patches are
progressing, though, and beginning to attract attention from beyond the
kernel community. When two languages — and two different development
communities — come together, the result can be a sort of cultural clash.
Some early signs of that are appearing with regard to Rust in the kernel;
if the resulting impedance mismatches can be worked out, the result could
be a better development environment for everybody involved.
Čet, 04/14/2022 - 13:39
Security updates have been issued by Debian (lrzip), Fedora (community-mysql, expat, firefox, kernel, mingw-openjpeg2, nss, and openjpeg2), Mageia (ceph, subversion, and webkit2), openSUSE (chromium), Oracle (httpd:2.4), Red Hat (kpatch-patch), Slackware (ruby), SUSE (kernel and netatalk), and Ubuntu (gzip and xz-utils).
Čet, 04/14/2022 - 11:08
SUSE has
begun to
discuss its plans for the next version of SUSE Linux Enterprise on the
openSUSE lists. It appears that there will be some significant changes.
Intending to do radical changes (regarding technology-
but also design-wise) we choose "Adaptable Linux Platform" or short
"ALP" as codename for that next generation. This indicates already
that some things will be quite different than a "mere "SLE 15++
would be ;) [...]
Another important point is that we intend to split what was a more
generic, everything is closely intertwined into two parts: One
smaller hardware enabling piece, a kind of "host OS", and the and
the layer providing and supporting applications, which will be
container (and VM) based.
Čet, 04/14/2022 - 01:13
The LWN.net Weekly Edition for April 14, 2022 is available.
Sre, 04/13/2022 - 22:01
Using strings with contents that are supplied by users can be fraught with
peril; SQL injection is a well-known technique for attacking applications
that stems from that, for example. Generally, database frameworks and
libraries provide mechanisms that seek to lead programmers toward doing The
Right Thing, with parameterized queries and the like, but they cannot
enforce that—inventive developers will seemingly always find ways to inject
user input into places it should not go. A recently adopted Python
Enhancement Proposal (PEP) provides a way to enforce the use of
strings that are untainted by user input, but it uses the optional typing features
of the language to do so; those wanting to take advantage of it will need
to be running a type-checking program.
Sre, 04/13/2022 - 21:11
The
5.17.3,
5.16.20,
5.15.34, and
5.10.111 stable kernel updates have been
released after a relatively quick review cycle. Each contains a relatively
large set of important fixes. Note that 5.16.20 is the final update in the
5.16.x series.
Sre, 04/13/2022 - 14:46
Security updates have been issued by Arch Linux (gzip, python-django, and xz), Debian (chromium, subversion, and zabbix), Red Hat (expat, kernel, and thunderbird), SUSE (go1.16, go1.17, kernel, libexif, libsolv, libzypp, zypper, opensc, subversion, thunderbird, and xz), and Ubuntu (git, linux-bluefield, nginx, and subversion).
Sre, 04/13/2022 - 08:45
Version 6.3 of the Qt
graphics library has been released. "Qt 6.3 also comes with a decent
set of new functionality. A total of 250 user stories and tasks
implementing new functionality have been completed for 6.3. Those are of
course too many to list individually, and if you want to have all the
details, have a look at our
new
features page and our
Release Notes."
Sre, 04/13/2022 - 04:56
Git maintainer Junio C Hamano has
announced the
release of v2.35.2, along with multiple other Git versions
("v2.30.3, v2.31.2, v2.32.1, v2.33.2, and
v2.34.2"), to fix a security problem that can happen on multi-user
machines (
CVE-2022-24765).
This GitHub
blog
post has more details, though the GitHub service itself is not
vulnerable. The description in the announcement seems a bit
Windows-centric, but Linux multi-user systems are apparently vulnerable as well:
On multi-user machines, Git users might find themselves
unexpectedly in a Git worktree, e.g. when another user created a
repository in `C:\.git`, in a mounted network drive or in a
scratch space. Merely having a Git-aware prompt that runs `git
status` (or `git diff`) and navigating to a directory which is
supposedly not a Git worktree, or opening such a directory in an
editor or IDE such as VS Code or Atom, will potentially run
commands defined by that other user.
Tor, 04/12/2022 - 21:06
When last we
looked in on the proposed
trusted_for() system call, which would allow user-space interpreters
and other tools to ask the kernel whether a file is "trusted" for execution, it
looked like it was on-track for the mainline. That was back in
October 2020; the patch has been updated multiple times since then,
made its way into linux-next, and a
pull
request was made by Mickaël Salaün for the 5.18 merge window. But
it seems that there will be more to the story of getting this functionality
into the kernel, as Linus Torvalds declined to pull trusted_for(),
at least partly because he did not like the name, but there were other
reasons as well. While he is not opposed
to the functionality it would provide, he also had strong feelings that a
new system call
was not the right approach.
Tor, 04/12/2022 - 14:25
David Malcolm has posted
an
update on the state of static analysis in GCC 12.
Some other languages, such as Perl, can track input and flag any
variable that should not be trusted because it was read from an
outside source such as a web form. Flagging variables in this
manner is called tainting. After a program runs the variable
through a check, the variable can be untainted, a process called
sanitization.
Our GCC analyzer's taint mode is activated by
-fanalyzer-checker=taint (which should be specified in
addition to -fanalyzer). Taint mode attempts to track
attacker-controlled values entering the program and to warn if they
are used without sanitization.
Tor, 04/12/2022 - 11:10
The
4.9.310 stable kernel update has been
released; the changes consist mostly of backported Spectre mitigation patches.
Tor, 04/12/2022 - 11:02
Security updates have been issued by Debian (thunderbird and usbguard), Fedora (containerd, firefox, golang-github-containerd-imgcrypt, nss, and vim), Oracle (firefox, kernel, kernel-container, and thunderbird), Red Hat (thunderbird), Scientific Linux (thunderbird), SUSE (libexif, mozilla-nss, mysql-connector-java, and qemu), and Ubuntu (libarchive and python-django).
Pon, 04/11/2022 - 17:59
Filesystems and the virtual filesystem layer are in the business of
managing files that actually exist, but the Linux "dentry cache", which
remembers the results of file-name lookups, also keeps track of files that
don't exist. This cache of "negative dentries" plays an important
role in the overall performance of the system but, if it is allowed to grow
too large, its role can become negative in its own right. As the 2022
Linux Storage, Filesystem,
and Memory-Management Summit (LSFMM) approaches, the subject of negative
dentries has come up yet again; whether one can be positive about the
prospects for a resolution this time around remains unclear.
Pon, 04/11/2022 - 14:32
The
second 5.18 kernel prepatch is out for
testing. "Things look fairly normal here, although it's early in the
release cycle so it's a bit hard to say for sure. But at least it's not
looking particularly odd, and we have fixes all over."
Pon, 04/11/2022 - 14:15
Security updates have been issued by Debian (gzip, libxml2, minidlna, openjpeg2, thunderbird, webkit2gtk, wpewebkit, xen, and xz-utils), Fedora (crun, unrealircd, and vim), Mageia (389-ds-base, busybox, flatpak, fribidi, gdal, python-paramiko, and usbredir), openSUSE (opera and seamonkey), Oracle (kernel and kernel-container), Red Hat (firefox), Scientific Linux (firefox), Slackware (libarchive), SUSE (389-ds, libsolv, libzypp, zypper, and python), and Ubuntu (python-django and tcpdump).
Pet, 04/08/2022 - 16:11
OpenSSH 9.0 has been released. It is claimed to be primarily a bug-fix
release, but it also switches to a new, quantum-computer-proof key-exchange
protocol by default and includes a number of sftp changes, some of
which may create some compatibility issues (described in the announcement)
with scp.
We consider the removal of the need for double-quoting shell
characters in file names to be a benefit and do not intend to
introduce bug-compatibility for legacy scp/rcp in scp(1) when using
the SFTP protocol.
Pet, 04/08/2022 - 14:49
The readahead code in the Linux kernel is nominally responsible for
reading data that has not yet been explicitly requested from storage,
with the idea that it might be needed soon. The code is stable, functional, widely
used, and uncontroversial, so it is reasonable to expect the code to be of
high quality, and largely this is true. Recently, I found the need to
document this code, which naturally shone a rather different light on
it. This work revealed minor problems with functionality and significant
problems with naming.
Pet, 04/08/2022 - 14:18
The
5.17.2,
5.16.19,
5.15.33, and
5.10.110 stable kernels have been released.
These post-merge-window updates have a larger than usual set of
fixes, throughout the tree. Users of those series should upgrade.
Pet, 04/08/2022 - 14:08
Security updates have been issued by Arch Linux (libtiff), Debian (chromium), Fedora (buildah and chromium), openSUSE (firefox), SUSE (firefox, libsolv, libzypp, and openjpeg2), and Ubuntu (firefox and python-oslo.utils).