LWN Headlines

[$] Containers as kernel objects

The kernel has, over the years, gained comprehensive support for containers; that, in turn, has helped to drive the rapid growth of a number of containerization systems. Interestingly, though, the kernel itself has no concept of what a container is; it just provides a number of facilities that can be used in the creation of containers in user space. David Howells is trying to change that state of affairs with a patch set adding containers as a first-class kernel object, but the idea is proving to be a hard sell in the kernel community.

LibreOffice leverages Google’s OSS-Fuzz to improve quality of office suite

The Document Foundation looks at the progress made in improving the quality and reliability of LibreOffice's source code by using Google's OSS-Fuzz. "Developers have used the continuous and automated fuzzing process, which often catches issues just hours after they appear in the upstream code repository, to solve bugs - and potential security issues - before the next binary release. LibreOffice is the first free office suite in the marketplace to leverage Google's OSS-Fuzz. The service, which is associated with other source code scanning tools such as Coverity, has been integrated into LibreOffice's security processes - under Red Hat's leadership - to significantly improve the quality of the source code."

Security updates for Tuesday

Security updates have been issued by Arch Linux (lynis), CentOS (kdelibs, libtirpc, rpcbind, and samba), Debian (miniupnpc), Fedora (chromium, chromium-native_client, and kernel), Oracle (kdelibs and samba), Red Hat (libtirpc and rpcbind), and Scientific Linux (kdelibs, libtirpc, rpcbind, and samba).

Hughes: Updating Logitech Hardware on Linux

Richard Hughes describes his work to address the MouseJack vulnerability in Logitech (and other) receivers. This vulnerability allows an attacker to pair new devices with the receiver with no user interaction or awareness, and, thus, take over the machine. "This makes sitting in a café quite a dangerous thing to do when any affected hardware is inserted, which for the unifying dongle is quite likely as it’s explicitly designed to remain in an empty USB socket."

Logitech has provided firmware updates, but not for "unsupported" platforms like Linux. Hughes has filled that gap by getting documentation and a fixed firmware image from Logitech and adding support for these devices to fwupd. He is now looking for testers to ensure that the whole thing works across all devices. This is important work that is well worth supporting.

GNU Guix & GuixSD 0.13.0 released

GNU Guix and GuixSD 0.13.0 have been released. GNU Guix is a transactional package manager for the GNU system and the Guix System Distribution, GuixSD, is an advanced distribution of the GNU system. A couple of highlights in this version: Guix can now be used on aarch64 systems, and GuixSD now supports Btrfs and adds the LXDE desktop as an option. See the announcement for more information.

FreeBSD quarterly status report

FreeBSD has released its status report for the first quarter of 2017. As usual there are reports from the FreeBSD Core Team, the FreeBSD Foundation, the FreeBSD Ports Collection, and the FreeBSD Release Engineering Team, followed by updates on ongoing projects and other work.

Security updates for Monday

Security updates have been issued by Arch Linux (fop), Debian (dropbear, icu, and openjdk-7), Fedora (chicken, cinnamon-settings-daemon, jbig2dec, libtirpc, sane-backends, and smb4k), Mageia (flash-player-plugin, vlc, and webmin), Oracle (libtirpc and rpcbind), Red Hat (kdelibs, libtirpc, rpcbind, and samba), and SUSE (kernel).

The end of Parsix GNU/Linux

The Debian-based Parsix distribution has announced that it will be shutting down six months after the Debian "Stretch" release. "Parsix GNU/Linux 8.15 (Nev) will be fully supported during this time and users should be able to upgrade their installations to Debian Stretch without any significant issues. We will make all necessary changes, and updates to ensure a smooth transition to Debian Stretch."

Kernel prepatch 4.12-rc2

The 4.12-rc2 kernel prepatch is out. "I'm back on the usual Sunday schedule, and everything else looks fairly normal too. This rc2 is maybe a bit bigger than usual, but the whole merge window was bigger than most, so maybe it's just that. And it's not like it's huge".

[$] Revisiting "too small to fail"

Back in 2014, the revelation that the kernel's memory-management subsystem would not allow relatively small allocation requests to fail created a bit of a stir. The discussion has settled down since then, but the "too small to fail" rule still clearly creates a certain amount of confusion in the kernel community, as is evidenced by a recent discussion inspired by the 4.12 merge window. It would appear that the rule remains in effect, but developers are asked to act as if it did not.

zetcd: running ZooKeeper apps without ZooKeeper

The CoreOS Blog introduces the first beta release, v0.0.1, of zetcd. "Distributed systems commonly rely on a distributed consensus to coordinate work. Usually the systems providing distributed consensus guarantee information is delivered in order and never suffer split-brain conflicts. The usefulness, but rich design space, of such systems is evident by the proliferation of implementations; projects such as chubby, ZooKeeper, etcd, and consul, despite differing in philosophy and protocol, all focus on serving similar basic key-value primitives for distributed consensus. As part of making etcd the most appealing foundation for distributed systems, the etcd team developed a new proxy, zetcd, to serve ZooKeeper requests with an unmodified etcd cluster."

Security updates for Friday

Security updates have been issued by Debian (deluge, jbig2dec, mysql-connector-java, and nss), Fedora (jasper), Mageia (mhonarc and radicale), openSUSE (smb4k), SUSE (kdelibs4 and rpcbind), and Ubuntu (jasper and openjdk-7).

[$] The trouble with SMC-R

Among the many features merged for the 4.11 kernel was the "shared memory communications over RDMA" (SMC-R) protocol from IBM. SMC-R is a high-speed data-center communications protocol that is claimed to be much more efficient than basic TCP sockets. As it turns out, though, the merging of this code was a surprise — and an unpleasant one at that — to a relevant segment of the kernel development community. This issue and the difficulties in resolving it are an indicator of how the increasingly fast-paced kernel development community can go off track.

Security updates for Thursday

Security updates have been issued by Debian (shadow), Fedora (rpcbind), Gentoo (gst-plugins-bad and tomcat), Red Hat (ansible and openshift-ansible, openstack-heat, and Red Hat OpenStack Platform director), and Ubuntu (bash, FreeType, linux-aws, linux-gke, linux-raspi2, linux-snapdragon, and linux-lts-xenial).

What’s New in Android: O Developer Preview 2

The Android Developers blog looks at the latest Android O Developer Preview, which is now in public beta. The developer preview also contains an early version of a project called Android Go, which is built specifically for Android devices that have 1GB or less of memory.

[$] Restricting pathname resolution with AT_NO_JUMPS

On April 29, Al Viro posted a patch on the linux-api mailing list adding a new flag to be used in conjunction with the ...at() family of system calls. The flag is for containing pathname resolution to the same filesystem and subtree as the given starting point. This is a useful feature to have for implementing file I/O in programs that accept pathnames as untrusted user input. The ensuing discussion made it clear that there were multiple use cases for such a feature, especially if the granularity of its restrictions could be increased.

[$] IPv6 segment routing

In November 2016, a new networking feature, IPv6 segment routing (also known as "IPv6 SR" or "SRv6"), was merged into net-next and subsequently included in Linux 4.10. In this article, we explain this new feature, describe key elements of its implementation, and present a few performance measurements.

[$] Vulnerability hoarding and Wcry

A virulent ransomware worm attacked a wide swath of Windows machines worldwide in mid-May. The malware, known as Wcry, Wanna, or WannaCry, infected a number of systems at high-profile organizations as well as striking at critical pieces of the infrastructure—like hospitals, banks, and train stations. While the threat seems to have largely abated—for now—the origin of some of its code, which is apparently the US National Security Agency (NSA), should give one pause.