[$] LWN.net Weekly Edition for September 30, 2021
The LWN.net Weekly Edition for September 30, 2021 is available.

(Comment on this)

[$] Taming the BPF superpowers
Work toward the signing of BPF programs has
been finding its way into recent mainline kernel releases; it is intended
to improve security by limiting the BPF programs that can be successfully
loaded into the kernel. As John Fastabend described in his "Watching
the super powers" session at the 2021 Linux Plumbers Conference,
this new feature has the potential to completely break his tools. But
rather than just complain, he decided to investigate solutions; the result
is an outline for an auditing mechanism that brings greater flexibility to
the problem of controlling which programs can be run.

(Comment on this)

Security updates for Wednesday
Security updates have been issued by Fedora (iaito, libssh, radare2, and squashfs-tools), openSUSE (hivex, shibboleth-sp, and transfig), SUSE (python-urllib3 and shibboleth-sp), and Ubuntu (apache2, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-dell300x, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux-snapdragon, and linux-hwe-5.11, linux-azure, linux-azure-5.11, linux-oracle-5.11).

(Comment on this)

[$] A fork for the time-zone database?
A controversy about the handling of the Time Zone Database (tzdb) has
been brewing since May, but has come to a head in recent weeks.
Changes that were proposed to simplify the main database file have some
consequences in terms of time-zone history and changes to the
representation of some zones. Those changes have upset a number of users
of the database—to the point where some have called for a fork. A
September 25 release of tzdb with some, but not
all, of the changes seems unlikely to resolve the conflict.

(Comment on this)

FSFE: Youth Hacking 4 Freedom
The Free Software Foundation Europe (FSFE) is organizing the coding
competition "Youth Hacking 4 Freedom" (YH4F) for European teenagers
(14-18). Six winners will receive a cash prize and a trip to Brussels.
There will be an opening event October 10 and registration will remain open
until October 31.

On Monday 1 November 2021, a five-month coding phase starts and the participants focus on coding until March 2022. Participants may bring all their imagination to the competition; they may code any type of software they want, as long as it is Free Software. The software project can be a stand-alone program written from scratch, or you can modify or combine existing programs. Everything is welcome! The participants will have the chance to briefly follow each other’s work and exchange ideas.

(Comment on this)

Security updates for Tuesday
Security updates have been issued by CentOS (kernel), openSUSE (gd, grilo, nodejs14, and transfig), Oracle (nodejs:14 and squid), Red Hat (kernel and shim and fwupd), SUSE (apache2, atftp, gd, and python-Pillow), and Ubuntu (apache2, linux, linux-aws, linux-aws-5.11, linux-gcp, linux-kvm, linux-oracle, linux-raspi, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-gke, linux-gke-5.4, linux-gkeop, linux-gkeop-5.4, linux-hwe-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, and vim).

(Comment on this)

[$] The 2021 Kernel Maintainers Summit
The Kernel Maintainers Summit is an invitation-only gathering of top-level kernel subsystem maintainers; it is concerned mostly with process-oriented issues that are not easily worked out on the mailing lists. There was no maintainers summit in 2020; plans had been made to hold it in an electronic form, but there turned out to be a lack of things to talk about. In 2021, though, a number of interesting topics turned up, so an online gathering was held on September 24 as part of the Linux Plumbers Conference.

Read on for a summary of the discussions held at this year's Summit.

(Comment on this)

Security updates for Monday
Security updates have been issued by Debian (kernel, libxml-security-java, and openssl), Fedora (fetchmail and python-rsa), openSUSE (grafana-piechart-panel and opera), and Red Hat (nodejs:14).

(Comment on this)

Kernel prepatch 5.15-rc3
The third 5.15 kernel prepatch is out for
testing. "So after a somewhat rocky merge window and second rc,
things are now actually looking pretty normal for rc3. Knock wood".

(Comment on this)

Weekend stable kernel updates
The
5.14.8,
5.10.69,
5.4.149,
4.19.208,
4.14.248,
4.9.284, and
4.4.285
stable kernels have all been released; each contains another set of
important fixes.

(Comment on this)

Results from the 2021 Linux Foundation Technical Advisory Board election
The 2021 election for the Linux Foundation's Technical Advisory board
resulted in all five incumbent members (Greg Kroah-Hartman, Jonathan
Corbet, Steven Rostedt, Ted Ts'o, and Sasha Levin) being re-elected. Of the
1,012 developers authorized to vote, 237 actually cast ballots.

(Comment on this)

[$] Two security improvements for GCC
It has often been said that the competition between the GCC and LLVM
compilers is good for both of them. One place where that competition
shows up is in the area of security features; if one compiler adds a way to
harden programs, the other is likely to follow suit. Qing
Zhao's session at the 2021
Linux Plumbers Conference told the story of how GCC successfully played
catch-up for two security-related features that were of special interest to
the kernel community.

(Comment on this)

coreutils-9.0 released
The GNU Core Utilities (coreutils) has announced the release of version 9.0 of "the basic file, shell and text manipulation utilities" used by the GNU operating system and various Linux distributions. In the year and a half or so since the last major release (8.32), various new features were added, including:

cp has changed how it handles data

• enables CoW [copy on write] by default (through FICLONE ioctl),
  
• uses copy offload where available (through copy_file_range),
  
• detects holes differently (though SEEK_HOLE)
  
• This also applies to mv and install.
  

(Comment on this)

Security updates for Friday
Security updates have been issued by Debian (mupdf), Fedora (ghostscript, gifsicle, and ntfs-3g), openSUSE (kernel and nodejs14), and SUSE (curl, ffmpeg, gd, hivex, kernel, nodejs14, python-reportlab, sqlite3, and xen).

(Comment on this)

Poettering: Authenticated Boot and Disk Encryption on Linux
Here's a lengthy missive from Lennart Poettering taking Linux distributors to task for inadequately protecting systems from physical attacks.

So, does the scheme so far implemented by generic Linux distributions protect us against the latter two scenarios? Unfortunately not at all. Because distributions set up disk encryption the way they do, and only bind it to a user password, an attacker can easily duplicate the disk, and then attempt to brute force your password. What's worse: since code authentication ends at the kernel — and the initrd is not authenticated anymore —, backdooring is trivially easy: an attacker can change the initrd any way they want, without having to fight any kind of protections.

The article contains a lot of suggestions for how to do things better.

(Comment on this)

Security updates for Thursday
Security updates have been issued by Debian (ruby-kaminari and tomcat8), Mageia (389-ds-base, ansible, apache, apr, cpio, curl, firefox, ghostscript, gifsicle, gpac, libarchive, libgd, libssh, lynx, nextcloud-client, openssl, postgresql, proftpd, python3, thunderbird, tor, and vim), openSUSE (chromium, ffmpeg, grilo, hivex, linuxptp, and samba), Oracle (go-toolset:ol8, kernel, kernel-container, krb5, mysql:8.0, and nodejs:12), SUSE (ffmpeg, firefox, grilo, hivex, kernel, linuxptp, nodejs14, and samba), and Ubuntu (ca-certificates, edk2, sqlparse, and webkit2gtk).

(Comment on this)

[$] Improvements to GCC's -fanalyzer option
For the second year in a row, the GNU Tools Cauldron (the annual gathering
of GNU toolchain developers) has been held as a dedicated track at the
online Linux Plumbers
Conference. For the 2021 event, that track started with a talk by
David Malcolm on his work with the GCC -fanalyzer option, which
provides access to a number of static-analysis features. Quite a bit has
been happening with -fanalyzer and more is on the way with the
upcoming GCC 12 release, including, possibly, a set of checks that
have already found at least one vulnerability in the kernel.

(Comment on this)

[$] LWN.net Weekly Edition for September 23, 2021
The LWN.net Weekly Edition for September 23, 2021 is available.

(Comment on this)

Courtès: What's in a package
Over at the Guix-HPC blog, Ludovic Courtès writes about trying to package the PyTorch machine-learning library for the Guix distribution. Building from source in a user-verifiable manner is part of the philosophy behind Guix, but there were a number of problems that were encountered:

The first surprise when starting packaging PyTorch is that, despite being on PyPI, PyTorch is first and foremost a large C++ code base. It does have a setup.py as commonly found in pure Python packages, but that file delegates the bulk of the work to CMake.

The second surprise is that PyTorch bundles (or "vendors", as some would say) source code for no less than 41 dependencies, ranging from small Python and C++ helper libraries to large C++ neural network tools. Like other distributions such as Debian, Guix avoids bundling: we would rather have one Guix package for each of these dependencies. The rationale is manifold, but it boils down to keeping things auditable, reducing resource usage, and making security updates practical.

(Comment on this)

[$] A discussion on folios
A few weeks ago, Matthew Wilcox might have guessed that his session
at the 2021 Linux
Plumbers Conference would be focused rather differently. But, as we reported earlier in September, his folio patch set ran into some, perhaps
unexpected, opposition and, ultimately, did not land in the mainline for
5.15. Instead of discussing how to use folios as part
of the File
Systems microconference, he led a discussion that was, at least in part, on the
path forward for them.

(Comment on this)