All posts by corbet

The Debian tech committee allows Kubernetes vendoring

Post Syndicated from corbet original

Back in October, LWN looked at a conversation
within the Debian project
regarding whether it was permissible to ship
Kubernetes bundled with some 200 dependencies. The Debian technical
committee has finally come
to a conclusion
on this matter: this bundling is acceptable and the
maintainer will not be required to make changes:

Our consensus is that Kubernetes ought to be considered special in
the same way that Firefox is considered special — we treat the
package differently from most other source packages because (i) it
is very large and complex, and (ii) upstream has significantly more
resources to keep all those moving parts up-to-date than Debian

In the end, allowing this vendoring seemed like the only feasible way to
package Kubernetes for Debian.

Red Hat expands no-cost RHEL options

Red Hat has announced
a new set of options meant to attract current CentOS users who are unhappy
with the shift to CentOS Stream.

“While CentOS Linux provided a no-cost Linux distribution, no-cost RHEL also exists today through the Red Hat Developer program. The program’s terms formerly limited its use to single-machine developers. We recognized this was a challenging limitation.

We’re addressing this by expanding the terms of the Red Hat Developer program so that the Individual Developer subscription for RHEL can be used in production for up to 16 systems. That’s exactly what it sounds like: for small production use cases, this is no-cost, self-supported RHEL.”

[$] Resource limits in user namespaces

User namespaces provide a number of
interesting challenges for the kernel. They give a user the illusion of
owning the system, but must still operate within the restrictions that
apply outside of the namespace. Resource limits represent one type of
restriction that, it seems, is proving too restrictive for some users. This
patch set
from Alexey Gladkov attempts to address the problem by way of
a not-entirely-obvious approach.

Stenberg: Food on the table while giving away code

Daniel Stenberg writes
about getting paid to work on curl
— 21 years after starting the
project. “I ran curl as a spare time project for decades. Over the
years it became more and more common that users who submitted bug reports
or asked for help about things were actually doing that during their paid
work hours because they used curl in a commercial surrounding – which
sometimes made the situation almost absurd. The ones who actually got paid
to work with curl were asking the unpaid developers to help them

[$] MAINTAINERS truth and fiction

Since the release of the 5.5 kernel in January 2020, there have been almost
87,000 patches from just short of 4,600 developers merged into the mainline
repository. Reviewing all of those patches would be a tall order for even
the most prolific of kernel developers, so decisions on patch acceptance
are delegated to a long list of subsystem maintainers, each of whom takes
partial or full responsibility for a specific portion of the kernel. These
maintainers are documented in a file called, surprisingly, MAINTAINERS.
But the MAINTAINERS file, too, must be maintained; how well does
it reflect reality?

Wine 6.0 released

Version 6.0 of the Wine
Windows not-an-emulator has been released. “This release is
dedicated to the memory of Ken Thomases, who passed away just before
Christmas at the age of 51. Ken was an incredibly brilliant developer, and
the mastermind behind the macOS support in Wine. We all miss his skills,
his patience, and his dark sense of humor.” Significant features
include core modules built as PE executables, an experimental Direct3D
renderer, DirectShow support, a new text console, and more.

The Default Router (Tedium)

Tedium is running a history of the Linksys WRT54G router. “But the reason the WRT54G
series has held on for so long, despite using a wireless protocol that was
effectively made obsolete 12 years ago, might come down to a feature that
was initially undocumented—a feature that got through amid all the
complications of a big merger. Intentionally or not, the WRT54G was hiding
something fundamental on the router’s firmware: Software based on

Final days for some Arm platforms

Arnd Bergmann stirred up a bit of a discussion with his January 8 “bring
out your dead” posting, wherein he raised the idea of removing support
for a long list of seemingly unloved Arm platforms — and a few non-Arm ones
as well. Many of these have seen no significant work in at least six
years. In a January 13 followup, he notes that several of those platforms will
be spared for now due to ongoing interest. Several others, though (efm32,
picoxcell, prima2, tango, u300, and zx) remain on the chopping block, and
the status of another handful remains uncertain. Readers who care about
old Arm platforms may want to have a look at the list now and speak up if
they still need support for one of the platforms that might otherwise be

Google series on in-the-wild exploits

The Google Project Zero blog is carrying a
six-part series
exploring, in great detail, a set of sophisticated
exploits discovered in the wild. “These exploit chains are designed
for efficiency & flexibility through their modularity. They are
well-engineered, complex code with a variety of novel exploitation methods,
mature logging, sophisticated and calculated post-exploitation techniques,
and high volumes of anti-analysis and targeting checks. We believe that
teams of experts have designed and developed these exploit chains. We hope
this blog post series provides others with an in-depth look at exploitation
from a real world, mature, and presumably well-resourced actor.

[$] Old compilers and old bugs

The kernel project goes out of its way to facilitate building with older
toolchains. Building a kernel on a new system can be enough of a challenge
as it is; being forced to install a custom toolchain first would not
improve the situation. So the kernel
developers try to keep it possible to build the kernel with the toolchains
shipped by most distributors. There are costs to this policy, though, including
an inability to use newer compiler features. But, as was seen in a recent
episode, building with old compilers can subject developers to old compiler
bugs too.

[$] A possible step toward integrity measurement for Fedora

The Fedora 34 release is planned
for April 20 — a plan that may well come to fruition, given that the
Fedora project appears to have abandoned its tradition of delayed
releases. As part of that schedule, any proposals for system-wide changes
were supposed to be posted by December 29. That has not stopped the
arrival of a
late proposal
to add file signatures to Fedora’s RPM packages, though.
This proposal, meant to support the use of the integrity measurement
architecture (IMA) in Fedora, has not been met with universal acclaim.

[$] Restricted DMA

A key component of system hardening is restricting access to memory; this
extends to preventing the kernel itself from accessing or modifying much of
the memory in the system most of the time. Memory that cannot be accessed
cannot be read or changed by an attacker. On many systems, though, these
restrictions do not apply to peripheral devices, which can happily use
direct memory access (DMA) on most or all of the available memory. The
recently posted restricted
DMA patch set
aims to reduce exposure to buggy or malicious device
activity by tightening up control over the memory that DMA operations are
allowed to access.