4MLinux 23.2 released.
This is a minor (point) release in the 4MLinux STABLE channel, which comes with the Linux kernel 4.9.75 (*). The 4MLinux Server now includes Apache 2.4.29, MariaDB 10.2.11, and PHP 7.0.26 (see this post for more details). Additionally, some popular programs (Audacity, Chromium, VLC) have been updated, too. 4MLinux 23.2 includes bugfixes for VLC (which now plays the "https" network streams correctly) and Chromium (restored good sound quality).
You can update your 4MLinux by executing the "zk update" command in your terminal (fully automatic process).
Security: Currencies, Marcus Hutchins, and Hardware Bugs
-
Lawyers acting for British security researcher Marcus Hutchins have filed a motion seeking additional information on a number of aspects surrounding his arrest in order to prepare for a trial that is expected to take place this year.
-
With the plethora of software security updates coming out over the past few days in the wake of the Meltdown and Spectre disclosure, released by SUSE was a Family 17h "Zen" CPU microcode update that we have yet to see elsewhere... It claims to disable branch prediction, but I've confirmed with AMD that is not actually the case.
AMD did post a processor security notice where they noted their hardware was not vulnerable to variant three / rogue data cache load, that for the "branch target injection" variant there was "near zero risk" of exploiting, and that the bounds check bypass would be resolved by software/OS updates.
-
"Throw it away and buy a new one" is ridiculous security advice, but it's what US-CERT recommends. It is also unworkable. The problem is that there isn't anything to buy that isn't vulnerable. Pretty much every major processor made in the past 20 years is vulnerable to some flavor of these vulnerabilities. Patching against Meltdown can degrade performance by almost a third. And there's no patch for Spectre; the microprocessors have to be redesigned to prevent the attack, and that will take years. (Here's a running list of who's patched what.)
-
On Friday DragonFlyBSD's Matthew Dillon already landed his DragonFly kernel fixes for the Meltdown vulnerability affecting Intel CPUs. But what about the other BSDs?
As outlined in that article yesterday, DragonFlyBSD founder Matthew Dillon quickly worked through better kernel/user separation with their code to address the Intel CPU bug. Similar to Linux, the DragonFlyBSD fix should cause minimal to small CPU performance impact for most workloads while system call heavy / interrupt-heavy workloads (like I/O and databases) could see more significant drops.
-
David Woodhouse of Amazon has sent out the latest quickly-revising patches for introducing the "Retpoline" functionality to the Linux kernel for mitigating the Spectre "variant 2" attack.
Retpoline v5 is the latest as of Saturday morning as the ongoing effort for avoiding speculative indirect calls within the Linux kernel for preventing a branch target injection style attack. These 200+ lines of kernel code paired with the GCC Retpoline patches are able to address vulnerable indirect branches in the Linux kernel.
The Retpoline approach is said to only have up to a ~1.5% performance hit when patched... I hope this weekend to get around to trying these kernel and GCC patches on some of my systems for looking at the performance impact in our commonly benchmarked workloads. The Retpoline work is separate from the KPTI page table isolation work for addressing the Intel CPU Meltdown issue.
-
We have received *no* non-public information. I've seen posts elsewhere by other *BSD people implying that they receive little or no prior warning, so I have no reason to believe this was specific to OpenBSD and/or our philosophy. Personally, I do find it....amusing? that public announcements were moved up after the issue was deduced from development discussions and commits to a different open source OS project. Aren't we all glad that this was under embargo and strongly believe in the future value of embargoes?
Standards/Graphics: Alliance for Open Media (AOM), Vulkan 1.0.67, Mega/RadeonSI
-
iPhone flogger Apple has quietly joined the Alliance for Open Media (AOM), a consortium focused on developing next-generation media formats, codecs and technologies.
-
The Khronos Group has released their first Vulkan graphics/compute programming specification update of 2018.
Vulkan 1.0.67 is the newest specification for this nearly two-year-old standard. It's been over one month since the Vulkan 1.0.66 update but now there's finally v1.0.67 to ring in the new year. While there's been a lot of time, this update mostly consists of documentation fixes and only one new extension.
-
Well known open-source AMD 3D driver developer Marek Olšák has published a set of new patches featuring his latest optimization work: 32-bit GPU pointers.
15 patches sent out this Saturday plumb into RadeonSI/Gallium3D support for 32-bit heaps, a 32-bit virtual memory allocator in the Radeon Winsys, and other changes for supporting 32-bit GPU pointers. These Mesa patches also depend upon two yet-to-be-merged LLVM patches in their AMDGPU back-end.
Latest of LWN (Paywall Expired)
-
The dreaded UnicodeDecodeError exception is one of the signature "features" of Python 3. It is raised when the language encounters a byte sequence that it cannot decode into a string; strictly treating strings differently from arrays of byte values was something that came with Python 3. Two Python Enhancement Proposals (PEPs) bound for Python 3.7 look toward reducing those errors (and the related UnicodeEncodeError) for environments where they are prevalent—and often unexpected.
Two related problems are being addressed by PEP 538 ("Coercing the legacy C locale to a UTF-8 based locale") and PEP 540 ("Add a new UTF-8 Mode"). The problems stem from the fact that locales are often incorrectly specified and that the default locale (the "POSIX" or "C" locale) specifies an ASCII encoding, which is often not what users actually want. Over time, more and more programs and developers are using UTF-8 and are expecting things to "just work".
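The failure the two PEPs target, shown as an added example (not code from the LWN article or from the PEPs themselves): the same UTF-8 bytes decode cleanly under a UTF-8 encoding but raise UnicodeDecodeError under the ASCII encoding implied by the "C" locale, and the "surrogateescape" error handler that Python uses for filesystem names round-trips even bytes that are not valid UTF-8. The sample byte strings are constructed for the demonstration.

```python
# Added example: why an ASCII "C" locale produces UnicodeDecodeError on
# UTF-8 data, and how Python's "surrogateescape" error handler carries
# undecodable bytes through a str without losing them.
from typing import Optional

# Constructed samples: the filename "café" as stored on disk (UTF-8 bytes),
# and a name containing a byte that is not valid in any UTF-8 sequence.
UTF8_NAME = b"caf\xc3\xa9"
INVALID_NAME = b"report\xff.txt"


def try_decode(raw: bytes, encoding: str) -> Optional[str]:
    """Decode strictly; return None where the given codec cannot decode."""
    try:
        return raw.decode(encoding)
    except UnicodeDecodeError:
        return None


def lossless_roundtrip(raw: bytes) -> bool:
    """Decode with surrogateescape (each bad byte becomes a lone surrogate
    U+DC80..U+DCFF), encode again, and confirm the original bytes return."""
    text = raw.decode("utf-8", "surrogateescape")
    return text.encode("utf-8", "surrogateescape") == raw


def demo() -> dict:
    """Collect the four outcomes a C-locale user runs into."""
    return {
        "ascii_strict": try_decode(UTF8_NAME, "ascii"),      # None: C locale fails
        "utf8_strict": try_decode(UTF8_NAME, "utf-8"),       # 'café'
        "invalid_utf8_strict": try_decode(INVALID_NAME, "utf-8"),  # None
        "invalid_roundtrip": lossless_roundtrip(INVALID_NAME),     # True
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```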
-
One of the keys to fitting the Linux kernel into a small system is to remove any code that is not needed. The kernel's configuration system allows that to be done on a large scale, but it still results in the building of a kernel containing many smaller chunks of unused code and data. With a bit of work, though, the compiler and linker can be made to work together to garbage-collect much of that unused code and recover the wasted space for more important uses.
This is the first article of a series discussing various methods of reducing the si
-
At the end of October, the KAISER patch set was unveiled; this work separates the page tables used by the kernel from those belonging to user space in an attempt to address x86 processor bugs that can disclose the layout of the kernel to an attacker. Those patches have seen significant work in the weeks since their debut, but they appear to be approaching a final state. It seems like an appropriate time for another look.
This work has since been renamed to "kernel page-table isolation" or KPTI, but the objective remains the same: split the page tables, which are currently shared between user and kernel space, into two sets of tables, one for each side. This is a fundamental change to how the kernel's memory management works and is the sort of thing that one would ordinarily expect to see debated for years, especially given its associated performance impact. KPTI remains on the fast track, though. A set of preparatory patches was merged into the mainline after the 4.15-rc4 release — when only important fixes would ordinarily be allowed — and the rest seems destined for the 4.16 merge window. Many of the core kernel developers have clearly put a lot of time into this work, and Linus Torvalds is expecting it to be backported to the long-term stable kernels.
KPTI, in other words, has all the markings of a security patch being readied under pressure from a deadline. Just in case there are any smug ARM-based readers out there, it's worth noting that there is an equivalent patch set for arm64 in the works.
-
The Docker (now Moby) project has done a lot to popularize containers in recent years. Along the way, though, it has generated concerns about its concentration of functionality into a single, monolithic system under the control of a single daemon running with root privileges: dockerd. Those concerns were reflected in a talk by Dan Walsh, head of the container team at Red Hat, at KubeCon + CloudNativeCon. Walsh spoke about the work the container team is doing to replace Docker with a set of smaller, interoperable components. His rallying cry is "no big fat daemons" as he finds them to be contrary to the venerated Unix philosophy.
-
As we briefly mentioned in our overview article about KubeCon + CloudNativeCon, there are multiple container "runtimes", which are programs that can create and execute containers that are typically fetched from online images. That space is slowly reaching maturity both in terms of standards and implementation: Docker's containerd 1.0 was released during KubeCon, CRI-O 1.0 was released a few months ago, and rkt is also still in the game. With all of those runtimes, it may be a confusing time for those looking at deploying their own container-based system or Kubernetes cluster from scratch. This article will try to explain what container runtimes are, what they do, how they compare with each other, and how to choose the right one. It also provides a primer on container specifications and standards.
-
By their nature, low-level libraries go mostly unnoticed by users and even some programmers. Usually, they are only noticed when something goes wrong. However, HarfBuzz deserves to be an exception. Not only does the adoption of HarfBuzz mean that free software's ability to convert Unicode characters to a font's specific glyphs is as advanced as any proprietary equivalent, but its increasing use means that professional typography can now be done from the Linux desktop as easily as at a print shop.
"HarfBuzz" is a transliteration of the Persian for "open type." Partly, the name reflects that it is designed for use with OpenType, the dominant format for font files. Equally, though, it reflects the fact that the library's beginnings lie in the wish of Behdad Esfahbod, HarfBuzz's lead developer, to render Persian texts correctly on a computer.
"I grew up in a print shop," Esfahbod explained during a telephone interview. "My father was a printer, and his father was a printer. When I was nine, they got a PC, so my brother and I started learning programming on it." In university, Esfahbod tried to add support for Unicode, the industry standard for encoding text, to Microsoft Explorer 5. "We wanted to support Persian on the web," he said. "But the rendering was so bad, and we couldn't fix that, so we started hacking on Mozilla, which back then was Netscape."
Esfahbod's early interest in rendering Persian was the start of a fifteen-year effort to bring professional typography to every Unicode-supported script (writing system). It was an effort that led through working on the GNOME desktop for Red Hat to working on Firefox development at Mozilla and Chrome development at Google, with Esfahbod always moving on amiably to wherever he could devote the most time to perfecting HarfBuzz. The first general release was reached in 2015, and Esfahbod continues to work on related font technologies to this day.
Mad at KDE 4.4
The KDE 4 developers are now forcing you to use Nepomuk and Akonadi if you want to use KDE 4.4. I have a nicely custom built KDE 4.3.4 tweaked with some gcc compile options and the above items totally disabled. I was able to achieve about 85% the speed of my most excellent KDE 3.5.10 desktop.
I don't need to index my files. I put things in folders called Music, Pictures, Documents, Videos and Downloads where I can find them. I don't need to index my dang Kmail in a database that can be shared. I have emails going back years and they are all cataloged into folders. The search function works just fine.
Why are they forcing this crap on me? I don't want my nimble KDE 4 turning into a CPU hogging Vista Molasses operating system. Please KDE developers listen to your fans and stop this madness now!
RE: Mad at KDE 4.4
I don't need to index my files. I put things in folders called Music, Pictures, Documents, Videos and Downloads where I can find them. I don't need to index my dang Kmail in a database that can be shared. I have emails going back years and they are all cataloged into folders. The search function works just fine.
Why are they forcing this crap on me? I don't want my nimble KDE 4 turning into a CPU hogging Vista Molasses operating system. Please KDE developers listen to your fans and stop this madness now!
Well said...
Andy
re: mad
yeah, I feel the same way too. In fact, if I can find replacement apps, it's time for me to move on.
re: mad
In Gnome/gtk, it's all about third party. I managed to put together a DE I'm satisfied with - the process included purchasing Nero - but I still feel it's not as integrated and harmonious as my old KDE3 desktop. Maybe it's just time painting rose what's gone.
Re: Mad at KDE 4.4
I'm sure you may need to compile these features but I'm on a nightly build of KDE4.5 and even in 4.4 I could disable these features when using the desktop. Maybe openSuSE has some options/patches that aren't mainstream for some reason.
Then again on a laptop these things don't tend to get enabled from my experience (yes you notice however when they do).
Mad at KDE 4.4?
Original comment surprised me. On my *testing* desktop box I'm running Mandriva Cooker (Mandriva's development build), updating 2-3 times a day. Mandriva is tracking KDE 4.4 development (it's now at KDE 4.3.95 or KDE 4.4RC2) and Kernel development (now 2.6.33rc5) fairly closely. I have the option to turn off those features (nepomuk & akonadi, which I do).
With the improved qt4.6.1 toolkit on which KDE is based, I'm getting snappier performance than ever.
Mad at KDE 4.4
With the improved qt4.6.1 toolkit on which KDE is based, I'm getting snappier performance than ever.
KDE developers have removed the kcm module from SystemSettings so you are not updated fully to 4.3.95. In addition KDEpim kmail will not run without akonadi. I was able to disable nepomuk by removing the backend that it needs to start so at least that cpu hogging piece of junk is gone.
Do you have the option?
You're right--upon checking, I have akonadi running, as I do use kmail on this box, but I have nepomuk disabled. I suspect the real CPU/memory hog is with nepomuk and strigi both enabled (they're in the same KDE dialog).
I've dumped KDE 4.4 for the
I've dumped KDE 4.4 for the exact same reasons mentioned above - Akonadi and Nepomuk. I fail to understand, why the fsck do I need to have a MySQL server running on my laptop to merely index and hold my PIM data?? A good blog on this is at: http://lukeplant.me.uk/blog/posts/a-plea-to-kde-developers/ and the comments below it. KDE apps are the best - but their decisions on the overall desktop experience are very very disappointing.
I am pissed off enough to go to GNOME full-time. Evolution as compared to Kontact is relatively less cluttered and doesn't hog your system resources. Tracker as compared to Nepomuk, isn't as full-featured...but can search files just as well. GNOME now looks better with each passing day.
Wait to experience a backlash from everyone once KDE 4.4 is released, and the users will start seeing performance slowdowns because of these dumb-ass technology decisions. KDE 4.4 will be one huge turd if they force the Akonadi and Nepomuk bindings down our collective throats.