泰晓资讯 September / Issue 3 / 2019: News Collection
unicornx opened this issue · 5 comments
LWN.net Weekly Edition for September 5, 2019
- Maintaining the kernel's web of trust: the public key servers aren't working anymore, so the kernel community takes web-of-trust management into its own hands.
- Bias and ethical issues in machine-learning models: a pair of conference sessions on machine-learning bias.
- Kernel runtime security instrumentation: a proposed Linux security module for attack detection and response.
- Change IDs for kernel patches: an attempt to improve the connection between Git commits and the discussions that lead up to them.
- Examining exFAT: the legal obstacles to merging the exFAT filesystem module may have gone away, but technical and procedural issues remain.
- CHAOSS project bringing order to open-source metrics: how does one objectively measure the health of a project?
- Change IDs for kernel patches: an attempt to improve the connection between Git commits and the discussions that lead up to them.
For all its faults, email has long proved to be an effective communication mechanism for kernel development. Similarly, Git is an effective tool for source-code management. But there is no real connection between the two, meaning that there is no straightforward way to connect a Git commit with the email discussions that led to its acceptance. Once a patch enters a repository, it transitions into a new form of existence and leaves its past life behind. Doug Anderson recently went to the ksummit-discuss list with a proposal to add Gerrit-style change IDs as a way of connecting the two lives of a kernel patch; the end result may not be quite what he was asking for.
For all its faults, email has long been the main channel of communication in Linux kernel development, and Git is likewise the main tool for managing the code. The two are essentially unconnected, though: there is no direct way to tie a Git commit to the email discussion that produced it, and a patch carries none of that discussion with it when it is merged into a repository. Doug Anderson recently proposed on the ksummit-discuss list adopting Gerrit-style change IDs to link these two very different "lives" of a kernel patch. The community offered plenty of opinions but clearly reached no consensus, since this is very much a matter of personal workflow; for a topic like this, "just show me the code" may be the best answer.
Kernel runtime security instrumentation: a proposed Linux security module for attack detection and response.
Finding ways to make it easier and faster to mitigate an ongoing attack against a Linux system at runtime is part of the motivation behind the kernel runtime security instrumentation (KRSI) project. Its developer, KP Singh, gave a presentation about the project at the 2019 Linux Security Summit North America (LSS-NA), which was held in late August in San Diego. A prototype of KRSI is implemented as a Linux security module (LSM) that allows eBPF programs to be attached to the kernel's security hooks.
KRSI stands for Kernel Runtime Security Instrumentation; the project's main aim is to make it easier to reduce the risk that attacks pose to a running Linux system. Its developer, KP Singh, presented it at the 2019 Linux Security Summit North America (LSS-NA), held in San Diego in late August. The KRSI prototype is implemented as a Linux security module (LSM) that allows eBPF programs to be attached to the kernel's security hooks.
On the motivation for KRSI, Singh sees security management of a system as having two sides: detecting anomalous activity on the system (which he calls signals) and taking corrective action once such activity is detected (mitigations). The kernel currently has no unified mechanism that ties the two closely together, and that is exactly the capability KRSI sets out to provide.
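The signal/mitigation split is easiest to see in code. What follows is an added example, not KRSI's code and not a BPF program: a small user-space model in C of the dispatch KRSI proposes, with one exec hook (named after the LSM hook bprm_check_security, an assumption) carrying two attached programs, an audit program that records each attempt (a signal) and a policy program that denies execs whose environment carries LD_PRELOAD (a mitigation; the policy is a sample, not one the page describes). The hook returns the first non-zero program result, as the kernel's call_int_hook() does, so attach order decides whether a denied action is still recorded.

```c
/* Added example, not KRSI's or the kernel's code: a user-space model in C of
 * the dispatch KRSI proposes, where one security hook carries several attached
 * programs, some emitting "signals" (audit records) and some applying
 * "mitigations" (denials). Hook name, audit record and the LD_PRELOAD policy
 * are illustrative assumptions. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define MAX_PROGS  8
#define MAX_EVENTS 16

/* Context handed to each program on the exec hook: a cut-down version of what
 * an LSM sees in bprm_check_security(). */
struct exec_ctx {
    const char *filename;
    const char **envp;              /* NULL-terminated, as execve(2) passes it */
};

typedef int (*hook_prog_t)(const struct exec_ctx *ctx);

struct hook {
    const char *name;
    hook_prog_t progs[MAX_PROGS];
    int nprogs;
};

static struct hook exec_hook = { .name = "bprm_check_security" };

/* Attach a program; programs run in attach order. */
int hook_attach(struct hook *h, hook_prog_t prog) {
    if (h->nprogs >= MAX_PROGS) return -ENOSPC;
    h->progs[h->nprogs++] = prog;
    return 0;
}

/* Same convention as the kernel's call_int_hook(): the first non-zero return
 * stops the chain and becomes the verdict for the whole action. */
int hook_run(const struct hook *h, const struct exec_ctx *ctx) {
    for (int i = 0; i < h->nprogs; i++) {
        int rc = h->progs[i](ctx);
        if (rc) return rc;
    }
    return 0;
}

static int env_has_ld_preload(const char **envp) {
    for (; envp && *envp; envp++)
        if (strncmp(*envp, "LD_PRELOAD=", 11) == 0) return 1;
    return 0;
}

/* Signal: record each exec attempt and whether LD_PRELOAD was present.
 * An observing program never blocks, so it always returns 0. */
struct audit_event { char filename[64]; int ld_preload; };
static struct audit_event events[MAX_EVENTS];
static int nevents;

static int audit_exec(const struct exec_ctx *ctx) {
    if (nevents < MAX_EVENTS) {
        struct audit_event *e = &events[nevents++];
        snprintf(e->filename, sizeof e->filename, "%s", ctx->filename);
        e->ld_preload = env_has_ld_preload(ctx->envp);
    }
    return 0;
}

/* Mitigation: refuse any exec whose environment carries LD_PRELOAD. */
static int deny_ld_preload(const struct exec_ctx *ctx) {
    return env_has_ld_preload(ctx->envp) ? -EPERM : 0;
}

int audit_event_count(void) { return nevents; }
int audit_last_flagged(void) { return nevents ? events[nevents - 1].ld_preload : -1; }

/* Runs one constructed exec request through the hook. On first use it attaches
 * the signal program ahead of the mitigation, so a denied exec is still
 * recorded. Returns the hook's verdict: 0 or -EPERM. */
int demo_verdict(int with_ld_preload) {
    static int attached;
    if (!attached) {
        hook_attach(&exec_hook, audit_exec);
        hook_attach(&exec_hook, deny_ld_preload);
        attached = 1;
    }
    const char *clean[]   = { "PATH=/usr/bin", NULL };                       /* sample env */
    const char *preload[] = { "PATH=/usr/bin", "LD_PRELOAD=/tmp/evil.so", NULL };
    struct exec_ctx ctx = { "/usr/bin/id", with_ld_preload ? preload : clean };
    return hook_run(&exec_hook, &ctx);
}

int main(void) {
    printf("clean exec   -> %d\n", demo_verdict(0));   /* 0 */
    printf("preload exec -> %d\n", demo_verdict(1));   /* -1, i.e. -EPERM */
    printf("audit events -> %d (last flagged: %d)\n", audit_event_count(), audit_last_flagged());
    return 0;
}
```

Running it reports 0 for the clean exec, -1 (-EPERM) for the one carrying LD_PRELOAD, and two audit records with the second one flagged. If the two programs were attached in the opposite order, the denial would fire first and the audit program would never see the blocked exec; any chain of programs sharing one hook has to settle that ordering question.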
Maintaining the kernel's web of trust: the public key servers aren't working anymore, so the kernel community takes web-of-trust management into its own hands.
A typical kernel development cycle involves pulling patches from over 100 repositories into the mainline. Any of those pulls could conceivably bring with it malicious code, leaving the kernel (and its users) open to compromise. The kernel's web of trust helps maintainers to ensure that pull requests are legitimate, but that web has become difficult to maintain in the wake of the recent attacks on key servers and other problems. So now the kernel community is taking management of its web of trust into its own hands.
A typical kernel development cycle involves merging patches from more than 100 repositories into the mainline. Any one of those merges could introduce malicious code, putting the kernel (and its users) at risk.
Back in 2011 there was no mature mechanism for kernel maintainers to verify that a pull request they received came from a legitimate source: if the email carrying the request "looked" legitimate and the proposed changes "looked" sensible, the pull went ahead. That left room for malicious pull requests such as impersonated or tampered submissions. With the recent attacks on the key servers and other problems, the issue has become more pressing. The kernel community is now working to build a sound mechanism for collaboration and trust instead of relying, as it does today, on simple, primitive email signatures.
Linux kernel 5.3 officially released
https://kernelnewbies.org/Linux_5.3
Linus Torvalds, the father of Linux, announced the Linux 5.3 kernel today. This major release introduces several new features, dozens of improvements and updated drivers. Development of Linux 5.3 took a little over two months and went through eight release candidates, improving hardware support and overall performance.
Highlights of the Linux 5.3 series include support for Intel Speed Select, which makes power tuning easier on certain Xeon servers; support for AMD Radeon Navi graphics cards, such as the AMD Radeon RX 5700, in the AMDGPU driver; support for Zhaoxin x86 processors; and support for the utilization clamping mechanism on asymmetric CPUs.
Linux 5.3 also introduces a new pidfd_open(2) system call, which should help service managers deal with PID reuse; support for the umwait x86 instruction for a more power-efficient user space; support for the lightweight and flexible ACRN embedded hypervisor; and support for 16 million new IPv4 addresses in the 0.0.0.0/8 range.
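The PID-reuse problem that pidfd_open(2) addresses: a PID is an integer the kernel recycles as soon as the process is reaped, so a service manager that stores a PID and later calls kill() can hit an unrelated process. A pidfd is a file descriptor that refers to exactly one process for as long as it is held. The following added example (not from the page, the kernel sources or any service manager) forks a child, waits for its exit by polling the pidfd, reaps it, and then shows that signalling through the pidfd fails with ESRCH rather than reaching whatever might have reused the PID. It calls the syscalls through syscall() with the x86-64/arm64 numbers, assumed only where the headers predate 5.3, and needs a 5.3 or newer kernel.

```c
/* Added example, not from the page, the kernel sources or any service manager:
 * using pidfd_open(2), new in Linux 5.3, to hold a stable handle to a child so
 * that a signal sent later cannot land on an unrelated process that reused the
 * PID. Needs a 5.3+ kernel; the syscall numbers are the x86-64/arm64 values,
 * assumed only where the system headers predate them. */
#include <errno.h>
#include <poll.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef SYS_pidfd_open
#define SYS_pidfd_open 434
#endif
#ifndef SYS_pidfd_send_signal
#define SYS_pidfd_send_signal 424
#endif

/* Thin wrappers; glibc only gained its own in 2.36. */
static int pidfd_open_(pid_t pid) { return (int)syscall(SYS_pidfd_open, pid, 0); }
static int pidfd_send_signal_(int pidfd, int sig) {
    return (int)syscall(SYS_pidfd_send_signal, pidfd, sig, NULL, 0);
}

/* Forks a short-lived child, waits for it through the pidfd, reaps it, then
 * signals it through the pidfd. Returns 0 when that last call fails with
 * ESRCH, which is the point: once the original process is gone the handle is
 * dead, whereas kill(pid, sig) would reach whatever process now owns pid.
 * Returns -1 on a setup error (e.g. a kernel without pidfd support). */
int pidfd_reuse_demo(void) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) _exit(0);                       /* child: exit at once */

    int pidfd = pidfd_open_(pid);
    if (pidfd < 0) { waitpid(pid, NULL, 0); return -1; }

    /* Since 5.3 a pidfd becomes readable when its process exits, so a service
     * manager can watch it with poll/epoll like any other descriptor. */
    struct pollfd pfd = { .fd = pidfd, .events = POLLIN };
    int ready = poll(&pfd, 1, 5000);
    if (waitpid(pid, NULL, 0) != pid || ready != 1) { close(pidfd); return -1; }

    /* pid is now free for reuse, but the pidfd still names the dead child. */
    int rc = pidfd_send_signal_(pidfd, 0);        /* sig 0: existence check only */
    int err = errno;
    close(pidfd);
    return (rc == -1 && err == ESRCH) ? 0 : -1;
}

int main(void) {
    int r = pidfd_reuse_demo();
    printf("signal via pidfd after reap: %s\n",
           r == 0 ? "ESRCH, the handle is dead (safe)" : "unexpected result");
    return r == 0 ? 0 : 1;
}
```

The contrast to keep in mind is that a plain kill(pid, 0) at the same point would report success if any new process had been handed the recycled PID, which is exactly the race a service manager cannot otherwise rule out.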
JDK 13, the latest version of the Java programming language, released: Loongson among the top 5 contributors worldwide
On September 17, 2019 the OpenJDK open-source community released OpenJDK 13, the latest version of the Java programming language environment. At the same time, Loongson Technology (龙芯中科) released a Java environment for the Loongson platform based on OpenJDK 13.
Over the past two years the Loongson Java team has been deeply involved in developing the latest OpenJDK releases and has made many innovative contributions. According to the statistics in the JDK 13 release announcement (see note [1]), Loongson's contribution to JDK 13 ranks fifth in the world, after Oracle, Red Hat, SAP and Google.
Java is one of the most popular programming languages in the world. Starting with Java 9 in 2017, the Java platform moved from a feature-based release model to a time-based one: a new version is released every six months, in March and September, which makes it predictable for developers to keep adopting new features. On September 17, 2019 Java 13 arrived on schedule.