[$] Persistent memory for transient data
1 day ago, lwn

Arguably, the most notable characteristic of persistent memory is that it is persistent: it retains its contents over power cycles. One other important aspect of these persistent-memory arrays that, we are told, will soon be everywhere, is their sheer size and low cost; persistent memory is a relatively inexpensive way to attach large amounts of memory to a system. Large, cheap memory arrays seem likely to be attractive to users who may not care about persistence and who can live with slower ...

Kernel prepatch 5.0-rc3
1 day ago, lwn

The 5.0-rc3 kernel prepatch has been released. "This rc is a bit bigger than usual. Partly because I missed a networking pull request for rc2, and as a result rc3 now contains _two_ networking pull updates. But part of it may also just be that it took a while for people to find and then fix bugs after the holiday season."...

[$] A proposed API for full-memory encryption
4 days ago, lwn

Hardware memory encryption is, or will soon be, available on multiple generic CPUs. In its absence, data is stored — and passes between the memory chips and the processor — in the clear. Attackers may be able to access it by using hardware probes or by directly accessing the chips, which is especially problematic with persistent memory. One new memory-encryption offering is Intel's Multi-Key Total Memory Encryption (MKTME) [PDF]; AMD's equivalent is called Secure Encrypted Virtualization (SEV)...

[$] Defending against page-cache attacks
5 days ago, lwn

The kernel's page cache works to improve performance by minimizing disk I/O and increasing the sharing of physical memory. But, like other performance-enhancing techniques that involve resources shared across security boundaries, the page cache can be abused as a way to extract information that should be kept secret. A recent paper [PDF] by Daniel Gruss and colleagues showed how the page cache can be targeted for a number of different attacks, leading to an abrupt change in how the mincore() s...

[$] LWN.net Weekly Edition for January 17, 2019
6 days ago, lwn

The LWN.net Weekly Edition for January 17, 2019 is available....

[$] Adiantum: encryption for the low end
6 days ago, lwn

Low-end devices bound for developing countries, such as those running the Android Go edition, lack encryption support because the hardware doesn't provide any cryptographic acceleration. That means users in developing countries have no protection for the data on their phones. Google would like to change that situation. The company worked on adding the Speck cipher to the kernel, but decided against using it because of opposition due to Speck's origins at the US National Security Agency (NSA)...

[$] Ringing in a new asynchronous I/O API
1 week ago, lwn

While the kernel has had support for asynchronous I/O (AIO) since the 2.5 development cycle, it has also had people complaining about AIO for about that long. The current interface is seen as difficult to use and inefficient; additionally, some types of I/O are better supported than others. That situation may be about to change with the introduction of a proposed new interface from Jens Axboe called "io_uring". As might be expected from the name, io_uring introduces just what the kernel nee...

Google Summer of Code mentor projects sought
1 week ago, lwn

It is that time of year again: Google is looking for mentor projects for the 2019 Summer of Code. "GSoC is a global program that draws university student developers from around the world to contribute to open source. Each student spends three months working on a coding project, with the support of volunteer mentors, for participating open source organizations from late May to August. Last year 1,264 students worked with 206 open source organizations." The application deadline is February 6....

[$] Fedora, UUIDs, and user tracking
1 week ago, lwn

"User tracking" is generally contentious in free-software communities—even if the "tracking" is not really intended to do so. It is often distributions that have the most interest in counting their users, but Linux users tend to be more privacy conscious than users of more mainstream desktop operating systems. The Fedora project recently discussed how to count its users and ways to preserve their privacy while doing so. ...

An ancient OpenSSH vulnerability
1 week ago, lwn

An advisory from Harry Sintonen describes several vulnerabilities in the scp clients shipped with OpenSSH, PuTTY, and others. "Many scp clients fail to verify if the objects returned by the scp server match those it asked for. This issue dates back to 1983 and rcp, on which scp is based. A separate flaw in the client allows the target directory attributes to be changed arbitrarily. Finally, two vulnerabilities in clients may allow server to spoof the client output." The outcome is that a host...

Kernel prepatch 5.0-rc2
1 week ago, lwn

The second 5.0 prepatch is out for testing. "So the merge window had somewhat unusual timing with the holidays, and I was afraid that would affect stragglers in rc2, but honestly, that doesn't seem to have happened much. rc2 looks pretty normal."...

[$] Approaching the kernel year-2038 end game
1 week ago, lwn

In January 2038, the 32-bit time_t value used on many Unix-like systems will run out of bits and be unable to represent the current time. This may seem like a distant problem, but, as Tom Scott recently observed, the year-2038 apocalypse is now closer to the present than the year-2000 problem. The fact that systems being deployed now will still be operating in 2038 adds urgency to the issue as well. The good news is that work has been underway for years to prepare Linux for this date, so ther...

Metasploit 5.0 released
1 week ago, lwn

Version 5.0 of the Metasploit penetration-testing framework is out. "Metasploit 5.0 offers a new data service, introduces fresh evasion capabilities, supports multiple languages, and builds upon the Framework’s ever-growing repository of world-class offensive security content. We’re able to continue innovating and expanding in no small part thanks to the many open source users and developers who make it a priority to share their knowledge with the community. You have our gratitude."...

[$] A slow start to OpenSUSE's board election
1 week ago, lwn

What if you announced a board election and nobody ran? That is the quandary the openSUSE project faced as recently as January 4, when the nomination deadline loomed and no candidates for the three open seats had come forward. The situation has since changed, and openSUSE members will have a wide slate of candidates to choose from. But the seeming reticence to come forward may well be a reflection of some unresolved tensions that exploded into a flame war several months ago....

[$] A slow start to openSUSE's board election
1 week ago, lwn

What if you announced a board election and nobody ran? That is the quandary the openSUSE project faced as recently as January 4, when the nomination deadline loomed and no candidates for the three open seats had come forward. The situation has since changed, and openSUSE members will have a wide slate of candidates to choose from. But the seeming reticence to come forward may well be a reflection of some unresolved tensions that exploded into a flame war several months ago....

A set of systemd-journald exploits
1 week ago, lwn

Qualys has sent out a security advisory describing three stack-overrun vulnerabilities in systemd-journald. "We developed an exploit for CVE-2018-16865 and CVE-2018-16866 that obtains a local root shell in 10 minutes on i386 and 70 minutes on amd64, on average. We will publish our exploit in the near future. To the best of our knowledge, all systemd-based Linux distributions are vulnerable, but SUSE Linux Enterprise 15, openSUSE Leap 15.0, and Fedora 28 and 29 are not exploitable because their...

[$] LWN.net Weekly Edition for January 10, 2019
1 week ago, lwn

The LWN.net Weekly Edition for January 10, 2019 is available....

[$] What should be in the Python standard library?
1 week ago, lwn

Python has always touted itself as a "batteries included" language; its standard library contains lots of useful modules, often more than enough to solve many types of problems quickly. From time to time, though, some have started to rethink that philosophy, to reduce or restructure the standard library, for a variety of reasons. A discussion at the end of November on the python-dev mailing list revived that debate to some extent....

[$] A new free-software forge: sr.ht
2 weeks ago, lwn

Many projects have adopted the "GitHub style" of development over the last few years, though, of course, there are some high-profile exceptions that still use patches and mailing lists. Many projects are leery of putting all of their project metadata into a proprietary service, with limited means of usefully retrieving it should that be necessary, which is why GitLab (which is at least "open core") has been gaining some traction. A recently announced effort looks to kind of bridge the gap; D...

Bash 5.0 released
2 weeks ago, lwn

Version 5.0 of the Bash shell has been released. "The most notable new features are several new shell variables: BASH_ARGV0, EPOCHSECONDS, and EPOCHREALTIME. The `history' builtin can remove ranges of history entries and understands negative arguments as offsets from the end of the history list. There is an option to allow local variables to inherit the value of a variable with the same name at a preceding scope. There is a new shell option that, when enabled, causes the shell to attempt to expa...

Next