Security updates have been issued by Debian (netty) and Fedora (libssh, nethack, php, samba, and xen).
One of the advantages of the in-kernel BPF virtual machine is that it is
fast. BPF programs are just-in-time compiled and run directly by the CPU,
so there is no interpreter overhead. For many of the intended use cases,
though, "fast" can never be quite fast enough. It is thus unsurprising
that there are currently a
number of patch sets under development that are intended to speed up one
aspect or another of using BPF in the system. A few, in particular, seem
about ready to hit the mainline.
Security updates have been issued by Red Hat (chromium-browser and rh-git218-git) and SUSE (java-1_8_0-ibm and openssl-1_1).
The LWN.net Weekly Edition for January 2, 2020 is available.
Python prides itself on being a newbie-friendly language; its developers
have gone out of their way to try to ensure that easy tasks are
straightforward to program. A recent discussion on the python-ideas
mailing list looked at a use case that is common, but often implemented in an
inefficient, incorrect fashion, with an eye toward making it easier to do
correctly. Finding the first match for a regular expression in a body of
text is where the conversation started, but it went in some other
interesting directions as well.
January 1, 2020 marks the beginning of a new year and a new decade. Many
things will doubtless change over the course of this year in the
free-software community and
beyond, while others will remain the same. One thing that will certainly
hold true is LWN's tradition of starting the new year with some ill-advised
predictions about what may be in store. Your editor has no special vision,
but neither does he fear being proved badly wrong in a public setting —
it's all in a day's work.
Security updates have been issued by Debian (igraph, jhead, libgcrypt20, otrs2, and waitress) and Mageia (clamaw, exiv2, filezilla, hunspell, libidn2, pdfresurrect, roundcubemail, and xpdf).
A proposal to periodically run the fstrim
command on Fedora 32 systems was discussed recently on the Fedora
devel mailing list.
fstrim is used to cause a filesystem to inform the underlying
storage of unused blocks, which can help SSDs and other types of block
devices perform better.
There were a number of questions and concerns raised,
including whether to change the behavior of earlier versions of the
distribution when they get upgraded and if the kernel should be responsible
for handling the whole problem.
Stable kernels 5.4.7
, and 4.14.161
have been released. They all contain
important fixes and users should upgrade.
Security updates have been issued by Debian (intel-microcode and libbsd), openSUSE (chromium, LibreOffice, and spectre-meltdown-checker), and SUSE (mozilla-nspr, mozilla-nss and python-azure-agent).
Security updates have been issued by Debian (debian-lan-config, freeimage, imagemagick, libxml2, mediawiki, openssl1.0, php5, and tomcat8).
The results from the Debian general resolution
on init systems are in; the project's developers chose the option titled "Systemd but we
support exploring alternatives". It makes systemd into the preferred
init system, and allows packages to use systemd-specific features;
packagers are not required to support other init systems, but support for
other systems is encouraged where it is practical.
kernel prepatch is out for
testing. "To absolutely nobody's surprise, last week was very quiet
indeed. It's hardly even worth making an rc release, but there are _some_
fixes in here, so here's the usual weekly Sunday afternoon rc.
Matthew Garrett works out
how to avoid being recorded by "Ring" door cameras in his apartment
building. "The most interesting one here is the deauthentication
frame that access points can use to tell clients that they're no longer
welcome. These can be sent for a variety of reasons, including resource
exhaustion or authentication failure. And, by default, they're entirely
unprotected. Anyone can inject such a frame into your network and cause
clients to believe they're no longer authorised to use the network, at
which point they'll have to go through a new authentication cycle - and
while they're doing that, they're not able to send any other
Security updates have been issued by SUSE (dia, kernel, and libgcrypt).
One of the first uses of the BPF virtual machine
outside of networking was to implement access-control policies
for the seccomp()
system call. Since then, though, the role of BPF in the security area has
not changed much in the mainline kernel, even though BPF has evolved
considerably from the "classic" variant still used with seccomp()
to the "extended" BPF now supported by the kernel. That has not been for a
lack of trying, though. The out-of-tree Landlock security module was covered here
over three years ago. We also looked at
the kernel runtime security
instrumentation (KRSI) patch set in September. KP Singh has posted a new
, so the time seems right for a closer look.
Andrew 'bunnie' Huang has posted a detailed article
why creating trustable hardware is so difficult and describing a project
on to do it anyway. "While open hardware has the opportunity to
empower users to innovate and embody a more correct and transparent design
intent than closed hardware, at the end of the day any hardware of
sufficient complexity is not practical to verify, whether open or
closed. Even if we published the complete mask set for a modern
billion-transistor CPU, this 'source code' is meaningless without a
practical method to verify an equivalence between the mask set and the chip
in your possession down to a near-atomic level without simultaneously
destroying the CPU.
Security updates have been issued by CentOS (firefox, fribidi, nss, nss-softokn, nss-util, openslp, and thunderbird), Debian (opensc), and Mageia (389-ds-base, apache, apache-mod_auth_openidc, kernel, libofx, microcode, php, and ruby).
Security updates have been issued by CentOS (freetype, kernel, nss, nss-softokn, nss-util, and thunderbird), Mageia (ghostpcl, libmirage, and spamassassin), Oracle (fribidi), and SUSE (mariadb-100, shibboleth-sp, and slurm).