Security updates for Thursday
Security updates have been issued by AlmaLinux (dotnet6.0, dotnet8.0, fence-agents, and virt:rhel and virt-devel:rhel), Debian (exim4 and firefox-esr), Fedora (dotnet8.0, firefox, onnx, qt6-qtbase, squid, and wordpress), Mageia (golang, netatalk, php, and poppler), Red Hat (ghostscript, httpd, openssh, python3, and ruby), Slackware (mozilla), SUSE (kernel and openssh), and Ubuntu (linux-aws-5.4, linux-azure, linux-ibm-5.15, and python3.5, python3.6, python3.7, python3.8, python3.9, python3.10, python3.11, python3.12).
[$] Improving pseudo filesystems
The eventfs filesystem provides an interface to the tracepoints that are available
to be used by various Linux tracing tools (e.g. ftrace, perf, uprobes,
etc.); it is meant to be a version of the tracefs filesystem that
dynamically allocates its entries as needed. The goal is to reduce the memory
required for multiple instances of tracefs, as Steven Rostedt described in
a session at the 2022
Linux Storage,
Filesystem, Memory Management, and BPF Summit. He returned to the 2024
edition of the summit to talk further about how to make pseudo (or virtual)
filesystems, such as tracefs/eventfs, more like regular Linux filesystems,
where the directory entries (dentries) and inodes are only created (and
cached) as needed.
[$] Sxmo: a text-centric mobile user interface
Sxmo, short for "Simple X Mobile", is described on its web site as "a minimalist environment for Linux mobile devices"; it offers a menu-driven interface that is controlled with the phone's hardware buttons. Sxmo enables the user to send SMS messages from a text editor and is entirely customizable with shell scripts. This peculiar mobile user interface significantly differs from the prevailing approach, but it works.
[$] A new API for tree-in-dcache filesystems
There are a number of kernel filesystems that store their directory entries
directly in the directory-entry cache (dcache) without having any permanent
storage for those objects. It started out as a "neat hack" for ramfs,
Al Viro said, at the start of his filesystem-track session at
the
2024 Linux Storage,
Filesystem, Memory Management, and BPF Summit. Unfortunately, as the use
of this technique has grown into other filesystems, there has been a lot of
scope creep that has gotten out of control. He wanted to discuss some new
infrastructure that he is working on to try to clean some of that up.
Esfahbod: State of Text Rendering 2024
On his blog, Behdad Esfahbod has published a lengthy and detailed look at the state of open-source text rendering. It looks at the libraries available, application support, future directions, and gives a summary analysis of the ecosystem.
In broad strokes, OpenType added support for color fonts, variable fonts, and the Universal Shaping Engine. The Free & Open Source stack supports all of these advances at the lower level, but application UI support has been slower to arrive. The Open Source text stack also gained enormous market-share when Android and Google Chrome fully embraced it. Looking forward, there is a Rust migration of the text stack underway, which will unify font compilation and consumption under a safe programming language. Incremental Font Transfer will enable streaming fonts to web browsers. And my proposed Wasm-fonts will enable more expressive fonts.
Security updates for Monday
Security updates have been issued by AlmaLinux (openssh), Debian (krb5), Fedora (yt-dlp), Gentoo (firefox, KDE Plasma Workspaces, Stellarium, thunderbird, and X.Org X11 library), Mageia (python-js2py and znc), Oracle (389-ds, c-ares, container-tools, cups, go-toolset, httpd:2.4/httpd, iperf3, kernel, less, libreoffice, libuv, nghttp2, openldap, openssh, python-idna, python-jinja2, python-pillow, python3, python3.11-PyMySQL, and xmlrpc-c), Red Hat (kernel, kernel-rt, openssh, and virt:rhel and virt-devel:rhel modules), and SUSE (go1.21, go1.22, krb5, kubevirt, virt-api-container, virt-controller-container, virt-exportproxy-container, virt-exportserver-container, virt-handler-container, virt-launcher-container, virt-libguestfs-t, netty3, opera, and python-urllib3).
Security updates for Thursday
Security updates have been issued by AlmaLinux (389-ds, c-ares, container-tools, cups, fontforge, go-toolset, iperf3, less, libreoffice, libuv, nghttp2, openldap, python-idna, python-jinja2, python-pillow, python3, python3.11-PyMySQL, qemu-kvm, and xmlrpc-c), Debian (znc), Fedora (firmitas and libnbd), Mageia (dcmtk, krb5, libcdio, and openssh), Oracle (golang, openssh, pki-core, and qemu-kvm), Red Hat (openssh), SUSE (apache2-mod_auth_openidc, emacs, go1.21, go1.22, krb5, openCryptoki, and openssh), and Ubuntu (linux, linux-aws, linux-aws-hwe, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux, linux-aws, linux-azure, linux-azure-5.4, linux-bluefield, linux-gcp, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-iot, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux-xilinx-zynqmp, linux, linux-aws, linux-kvm, linux-lts-xenial, linux, linux-gcp, linux-gcp-6.5, linux-laptop, linux-nvidia-6.5, linux-raspi, linux, linux-gcp, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-xilinx-zynqmp, linux, linux-ibm, linux-lowlatency, linux-nvidia, linux-raspi, linux-aws, linux-aws-6.5, linux-oem-6.5, linux-oracle, linux-oracle-6.5, linux-starfive, linux-aws, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15, linux-gke, linux-gkeop, linux-gkeop-5.15, linux-ibm, linux-intel-iotg, linux-intel-iotg-5.15, linux-kvm, linux-oracle, linux-oracle-5.15, linux-azure, linux-azure, linux-azure-6.5, linux-bluefield, linux-iot, linux-gcp, linux-intel, linux-hwe-5.15, and php7.0 and php7.2).
[$] Mount notifications
There are a handful of extensions to the "new" mount API that Christian
Brauner wanted to discuss as part of a filesystem session at
the
2024 Linux Storage,
Filesystem, Memory Management, and BPF Summit. In the session, though,
the only one that he got to was a followup to last year's discussion on mount-operation monitoring.
There is a need for user-space programs to be able to follow mount
operations (e.g. mount and unmount) that happen in the system, especially
for tools like container
managers or systemd.
[$] PostmarketOS: Linux for phones and more
In 2016, Oliver Smith reached a point of frustration with the short
lifespan of updates for his Android phone. Taking matters into his own
hands, he began developing postmarketOS, a Linux distribution for
mobile phones. Eight years later, the core team and
trusted contributors have grown to twenty individuals, while the latest
release, v24.06,
now shows support for over 250 devices. Although postmarketOS isn't
usable as a day-to-day phone operating system on all of them, it can also be used to repurpose devices into compact servers or kiosk machines.
[$] Finishing the conversion to the "new" mount API
Eric Sandeen led a filesystem-track session at
the
2024 Linux Storage,
Filesystem, Memory Management, and BPF Summit on completing the
conversion of the existing kernel filesystems to use the mount API that was added for the 5.2 kernel in 2019. That API is
invariably called the "new" API, which it is when compared to the
venerable mount()
system call, but it has been available for five years or so at this point
without really pushing its predecessor aside. Sandeen wanted to discuss
the status of the conversion process and some other questions surrounding
the new API.
Security updates for Monday
Security updates have been issued by AlmaLinux (ipa and libreswan), Debian (netty), Fedora (python-PyMySQL, tomcat, and webkitgtk), Gentoo (Flatpak, GLib, JHead, LZ4, and RDoc), Mageia (thunderbird), Oracle (nghttp2 and thunderbird), Red Hat (dnsmasq, libreswan, pki-core, and python3.11), Slackware (emacs), SUSE (gnome-settings-daemon, libarchive, qpdf, vte, and wget), and Ubuntu (libhibernate3-java).
[$] Rust for filesystems
At the
2024 Linux Storage,
Filesystem, Memory Management, and BPF Summit, Wedson Almeida Filho and
Kent Overstreet led a combined storage and filesystem session on using Rust
for Linux filesystems. Back in December 2023, Almeida had posted
an RFC patch set with
some Rust abstractions for filesystems, which resulted in some disagreement over the approach. On the
same mid-May day as the session, he posted
a second version of the RFC patches, which he wanted to discuss along with
other Rust-related topics.
Security updates for Thursday
Security updates have been issued by AlmaLinux (ghostscript and thunderbird), Debian (chromium, composer, libndp, and sendmail), Fedora (composer), Mageia (flatpak and python-scikit-learn), Red Hat (curl, ghostscript, and thunderbird), SUSE (hdf5 and opencc), and Ubuntu (gdb and php7.4, php8.1, php8.2, php8.3).
[$] Adding a JIT compiler to CPython
One of the big-ticket items for the upcoming Python 3.13 release is an experimental just-in-time (JIT) compiler for the language;
the other is, of course, the removal of the
global interpreter lock (GIL), which is also an experiment. Brandt
Bucher is a member of the Faster CPython project, which is
working on making the reference implementation of the language faster via a
variety of techniques. Last year at PyCon, he gave a talk about the specializing adaptive
interpreter; at PyCon 2024 in Pittsburgh, he described the work he and others have been doing
to add a copy-and-patch JIT compiler to CPython.
Security updates for Monday
Security updates have been issued by AlmaLinux (389-ds-base, buildah, c-ares, cockpit, containernetworking-plugins, fence-agents, gdk-pixbuf2, gvisor-tap-vsock, libreoffice, podman, python-idna, rpm-ostree, and ruby), Debian (atril, chromium, ffmpeg, libndp, libvpx, nano, plasma-workspace, pymongo, roundcube, sendmail, and thunderbird), Fedora (booth and thunderbird), Mageia (aom, atril, libvpx, nano, nss, firefox, and vte), Red Hat (linux-firmware), SUSE (bind, booth, mariadb, openssl-1_1, php7, php8, and webkit2gtk3), and Ubuntu (linux-azure, linux-azure-fde, linux-azure, linux-gke, and linux-nvidia-6.5).
[$] Improving control-flow integrity for Linux on RISC-V
Redirecting execution flow is a common malware
technique that can be used to compromise operating systems. To protect against such attacks,
the chip makers of leading architectures like x86 and arm64 have implemented
control-flow-integrity (CFI) extensions, though they need system
software support to function. At the Linux
Security Summit North America, RISC-V kernel developer Deepak Gupta described the CFI
protections for that architecture and invited community input on the
kernel support for them.
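The two checks that hardware CFI extensions enforce, as an added example that is not from the LWN article, the RISC-V kernel patches or any real CFI implementation: on RISC-V the forward edge is covered by landing pads (an indirect call or jump may only land on a marked instruction) and the backward edge by a shadow stack (a return must match the address the hardware saved separately). This pure-software model replaces the marked instruction with a registry of allowed function pointers and the hardware shadow stack with an explicit array; the handler table, the "corrupted" entry and the integer return addresses are constructed for the demonstration.

```c
/* Added example: a software model of forward-edge (landing pad) and
 * backward-edge (shadow stack) control-flow integrity. Not the kernel's
 * code; the registry and the shadow-stack array stand in for what the
 * RISC-V extensions do in hardware. All inputs below are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

typedef int (*handler_fn)(int);

/* Forward edge: only functions registered here may be reached indirectly
 * (the software stand-in for a landing-pad instruction at function entry). */
#define MAX_LANDING_PADS 8
static handler_fn landing_pads[MAX_LANDING_PADS];
static size_t n_landing_pads;

static void register_landing_pad(handler_fn fn)
{
    if (n_landing_pads < MAX_LANDING_PADS)
        landing_pads[n_landing_pads++] = fn;
}

/* 1 if fn is a registered indirect-call target, 0 otherwise. */
static int is_landing_pad(handler_fn fn)
{
    for (size_t i = 0; i < n_landing_pads; i++)
        if (landing_pads[i] == fn)
            return 1;
    return 0;
}

/* Checked indirect call: returns -1 without calling if fn is not a valid
 * target (hardware would fault here), else calls it and returns 0. */
static int cfi_indirect_call(handler_fn fn, int arg, int *out)
{
    if (!is_landing_pad(fn))
        return -1;
    *out = fn(arg);
    return 0;
}

/* Backward edge: return addresses (modelled as integers) pushed on call. */
#define SHADOW_DEPTH 64
static uintptr_t shadow_stack[SHADOW_DEPTH];
static size_t shadow_top;

static int shadow_push(uintptr_t ret)
{
    if (shadow_top >= SHADOW_DEPTH)
        return -1;                 /* overflow: refuse rather than wrap */
    shadow_stack[shadow_top++] = ret;
    return 0;
}

/* 0 if the return address found on the ordinary stack matches the shadow
 * copy, -1 on mismatch or underflow (what hardware raises as a fault). */
static int shadow_check_return(uintptr_t ret_on_stack)
{
    if (shadow_top == 0)
        return -1;
    uintptr_t expected = shadow_stack[--shadow_top];
    return expected == ret_on_stack ? 0 : -1;
}

/* Two legitimate handlers, and one function that is never meant to be
 * reached through a function pointer (the kind of target a hijacked
 * pointer would be aimed at). */
static int double_it(int x) { return 2 * x; }
static int negate(int x) { return -x; }
static int privileged_helper(int x) { return 0x1337 + x; }

/* Scenario: a handler table whose second entry has been overwritten
 * (constructed corruption, not a real vulnerability). Returns 0 when the
 * legitimate call succeeds and the redirected one is rejected. */
static int demo_forward_edge(void)
{
    register_landing_pad(double_it);
    register_landing_pad(negate);
    handler_fn table[2] = { double_it, negate };
    int out = 0;

    if (cfi_indirect_call(table[0], 21, &out) != 0 || out != 42)
        return -1;
    table[1] = privileged_helper;  /* constructed pointer corruption */
    if (cfi_indirect_call(table[1], 1, &out) == 0)
        return -2;                 /* should have been refused */
    return 0;
}

int main(void)
{
    printf("forward edge: %s\n", demo_forward_edge() == 0 ? "ok" : "FAIL");
    shadow_push(0x1000);
    printf("clean return: %s\n",
           shadow_check_return(0x1000) == 0 ? "ok" : "FAIL");
    shadow_push(0x1000);           /* ordinary stack then "overwritten" */
    printf("hijacked return: %s\n",
           shadow_check_return(0x2000) == -1 ? "detected" : "MISSED");
    return 0;
}
```

The point the model makes visible is why the article says the extensions need system-software support: the registry (landing pads) must be populated for every legitimate indirect target, and the shadow stack must be allocated, switched on context switch and unwound correctly on signal delivery or longjmp, none of which the hardware can do by itself.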
Security updates for Thursday
Security updates have been issued by Debian (firefox-esr), Fedora (nginx-mod-modsecurity, php, and tomcat), Mageia (strongswan), Oracle (389-ds-base, buildah, c-ares, cockpit, containernetworking-plugins, fence-agents, firefox, gdk-pixbuf2, idm:DL1, ipa, kernel, libreoffice, podman, rpm-ostree, and thunderbird), Red Hat (dnsmasq and nghttp2), Slackware (mozilla), SUSE (curl, firefox, kernel, kernel-firmware-nvidia-gspx-G06, nvidia-open-driver-G06-signed, openssl-3, and python-Pillow), and Ubuntu (libmatio, libndp, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux-xilinx-zynqmp, linux-oem-6.5, and virtuoso-opensource).
[$] Dropping the page cache for filesystems
VFS maintainer Christian Brauner led a discussion about the possibility of
selectively dropping the contents of the page cache for a filesystem in a
session at the
2024 Linux Storage,
Filesystem, Memory Management, and BPF Summit. As he described in his
topic
proposal, the use case that started him down this path comes from
GNOME, which wants to be able to safely suspend access to an encrypted home
directory. While it is known to kernel
developers, it is surprising to others that reads from encrypted
filesystems that have been suspended will succeed if the data to be read
still exists in the
page cache.