20 Mar 2018

feedLXer Linux News

How to install Chevereto Image Hosting on Ubuntu 16.04

Chevereto is a free, open source and easy to use image hosting script written in PHP that allows you to create your own image hosting website. In this tutorial, we will learn how to install and configure Chevereto using Apache, PHP and MariaDB on an Ubuntu 16.04 server.

20 Mar 2018 1:19pm GMT

Dry – An Interactive CLI Manager For Docker Containers

2DayGeek: A command line Docker manager & monitoring tool for Linux.

20 Mar 2018 12:10pm GMT


Behind the scenes with the Bitwarden password manager

opensource.com: Developer Kyle Spearrin explains why he created Bitwarden and how it improves upon commercial password managers like LastPass and 1Password.

20 Mar 2018 12:00pm GMT

6 common questions about agile development practices for teams

"Any questions?" You've probably heard a speaker ask this question at the end of their presentation. This is the most important part of the presentation. After all, you didn't attend just to hear a lecture but to participate in a conversation and a community.

20 Mar 2018 11:02am GMT


How to install Ansible AWX with Docker on CentOS 7

Ansible AWX is the open source version of Ansible Tower.

20 Mar 2018 11:00am GMT

96Boards.org spins AI format tapped by new Arrow, HiSilicon, Rockchip, and Avnet SBCs

Linaro and 96Boards.org unveiled a "96Boards.ai" initiative along with several Linux-based hacker boards that comply with it: Arrow's DragonBoard 820C, HiSilicon's Hikey970, Rockchip's Rock960, Avnet's Ultra96, and an upcoming Socionext board. At Linaro Connect in Hong Kong, Linaro announced yet another variation on its open source 96Boards spec called 96Boards.ai. The Linux-supported platform is designed […]

20 Mar 2018 9:53am GMT

OpenPower Foundation Aims to Power Server Acceleration Beyond Moore's Law

At the OpenPower Summit, execs reveal that initial enthusiasm by vendors to build their own silicon has been replaced by efforts to build accelerators.

20 Mar 2018 8:45am GMT

Sony Xperia XA1, XA1 Plus, and XA1 Ultra Users Rejoice, Android 8.0 Oreo Is Here

If you own a Sony Xperia XA1, Sony Xperia XA1 Plus or Sony Xperia XA1 Ultra smartphone, chances are you can now update your devices to the Android 8.0 Oreo software update.

20 Mar 2018 7:36am GMT

Tails Security Update, Companies Team Up to Cure Open Source License Noncompliance, LG Expanding webOS and More

News briefs for March 19, 2018.

20 Mar 2018 6:27am GMT


Easily Fund Open Source Projects With These Platforms

itsFOSS: We list out some funding platforms you can use to financially support open source projects.

20 Mar 2018 6:00am GMT

Linux tricks, advice for advanced developers, Raspberry Pi, Ansible, Bitwarden, and more must-reads

Last week we celebrated Pi week with nine new Raspberry Pi articles. Also, advice for advanced developers from A. Jesse (staff engineer at MongoDB) created lots of conversation on HackerNews. Here's the list of reader favorites from March 12-18.

20 Mar 2018 5:19am GMT

Canonical Officially Announces Mozilla's Firefox as a Snap App for Ubuntu Linux

Canonical, the company behind the popular Ubuntu operating system, informed Softpedia today about the official availability of Mozilla's Firefox web browser as a Snap package for Ubuntu Linux and other Snap-enabled GNU/Linux distributions.

20 Mar 2018 4:10am GMT

Linux Foundation LFCS: Ahmed Alkabary

The Linux Foundation offers many resources for Linux and open source developers, users, and administrators. One of the most important offerings is its Linux Certification Program, which is designed to give you a way to differentiate yourself in a job market that's hungry for your skills.

20 Mar 2018 3:01am GMT


Booting Raspberry Pi From USB

The standard way of using a Raspberry Pi is to run the OS from a micro sd card.

20 Mar 2018 2:00am GMT

How To Manage Disk Partitions Using Parted Command

2DayGeek: Parted allows users to create a partition when the disk size is larger than 2TB, which fdisk doesn't allow.

20 Mar 2018 1:53am GMT

How to install Ansible AWX with Docker on CentOS 7

Ansible AWX is the open source version of Ansible Tower. AWX provides a web-based user interface, REST API, and task engine built on top of Ansible. In this tutorial, I will show you how to install and configure AWX using Docker.

20 Mar 2018 12:44am GMT

19 Mar 2018

You Can Now Transform Your Raspberry Pi 3 Model B+ into a Home Theatre System

OSMC (Open Source Media Center), the free and open-source media player operating system based on the Linux kernel and designed for single-board computers received March 2018's update with dozens of changes, including support for the latest Raspberry Pi model.

19 Mar 2018 11:36pm GMT

diff -u: Intel Design Flaw Fallout

For weeks, the world's been talking about severe Intel design flaws affecting many CPUs and forcing operating systems to look for sometimes costly workarounds.

19 Mar 2018 10:27pm GMT


How To Manage Disk Partitions Using Parted Command

2DayGeek: Parted allows users to create a partition when the disk size is larger than 2TB, which fdisk doesn't allow.

19 Mar 2018 10:00pm GMT

Linux md5sum Command Tutorial for Beginners (5 Examples)

While we have already discussed the cksum command line utility, there's another tool that you can use in scenarios where, say, you need to verify the integrity of files during transfers. The tool we're talking about here is md5sum. In this tutorial, we will discuss the basics of this command using some easy to understand examples.

19 Mar 2018 9:18pm GMT


How to Send Email from PHP

LinuxHint: You can send email using PHP by using PHP mail function or by using a PHP library named PHPMailer.

19 Mar 2018 9:00pm GMT

Booting A Raspberry Pi From A USB

The standard way of using a Raspberry Pi is to run the OS from a micro sd card. The problem with this is that the SD Card has limited read and writes, which will cause the SD to fail in a short period of time, especially if you write to files frequently.

19 Mar 2018 8:10pm GMT


How to Randomly Display ASCII Art on Linux Terminal

ASCII-Art-Splash-Screen is a utility that consists of a Python script and a collection of ASCII art to be displayed every time you open a terminal window in Linux.

19 Mar 2018 8:00pm GMT

How to Install Turtl Server Evernote Alternative on CentOS 7

HowToForge: Turtl is a secure and encrypted Evernote alternative.

19 Mar 2018 7:00pm GMT

Hackers Can Abuse Plugins for Popular Unix Text Editors to Escalate Privileges

Advanced Unix text editors offer extensibility by allowing users to install third-party plugins for ease of use and to enhance functionality.

19 Mar 2018 6:00pm GMT

15 Mar 2018

feedKernel Planet

Pete Zaitcev: The more you tighten your grip

Seen at the webpage for RancherOS:

Everything in RancherOS is a Docker container. We accomplish this by launching two instances of Docker. One is what we call System Docker, the first process on the system. All other system services, like ntpd, syslog, and console, are running in Docker containers. System Docker replaces traditional init systems like systemd, and can be used to launch additional system services.

15 Mar 2018 10:33pm GMT

13 Mar 2018

Pete Zaitcev: You Are Not Uber: Only Uber Are Uber

Remember how FAA shut down the business of NavWorx, with heavy monetary and loss-of-use consequences for its customers? Imagine receiving a letter from U.S. Government telling you that your car is not compatible with roads, and therefore you are prohibited from continuing to drive it. Someone sure forgot that the power to regulate is the power to destroy. This week, we have this report by IEEE Spectrum:

IEEE Spectrum can reveal that the SpaceBees are almost certainly the first spacecraft from a Silicon Valley startup called Swarm Technologies, currently still in stealth mode. Swarm was founded in 2016 by one engineer who developed a spacecraft concept for Google and another who sold his previous company to Apple. The SpaceBees were built as technology demonstrators for a new space-based Internet of Things communications network.

The only problem is, the Federal Communications Commission (FCC) had dismissed Swarm's application for its experimental satellites a month earlier, on safety grounds.

On Wednesday, the FCC sent Swarm a letter revoking its authorization for a follow-up mission with four more satellites, due to launch next month. A pending application for a large market trial of Swarm's system with two Fortune 100 companies could also be in jeopardy.

Swarm Technologies, based in Menlo Park, Calif., is the brainchild of two talented young aerospace engineers. Sara Spangelo, its CEO, is a Canadian who worked at NASA's Jet Propulsion Laboratory, before moving to Google in 2016. Spangelo's astronaut candidate profile at the Canadian Space Agency says that while at Google, she led a team developing a spacecraft concept for its moonshot X division, including both technical and market analyses.

Swarm CFO Benjamin Longmier has an equally impressive resume. In 2015, he sold his near-space balloon company Aether Industries to Apple, before taking a teaching post at the University of Michigan. He is also co-founder of Apollo Fusion, a company producing an innovative electric propulsion system for satellites.

Although a leading supplier in its market, NavWorx was a bit player at the government level. Not that many people have small private airplanes anymore. But Swarm operates at a different level, and may be able to grease enough palms in Washington, D.C., to survive this debacle. Or, they may reconstitute as a notionally new company, then claim a clean start. Again unlike NavWorx, there's no installed base.

13 Mar 2018 3:45pm GMT

11 Mar 2018

Greg Kroah-Hartman: My affidavit in the Geniatech vs. McHardy case

As many people know, last week there was a court hearing in the Geniatech vs. McHardy case. This was a case brought claiming a license violation of the Linux kernel in Geniatech devices in the German court of OLG Cologne.

Harald Welte has written up a wonderful summary of the hearing, I strongly recommend that everyone go read that first.

In Harald's summary, he refers to an affidavit that I provided to the court. Because the case was withdrawn by McHardy, my affidavit was not entered into the public record. I had always assumed that my affidavit would be made public, and since I have had a number of people ask me about what it contained, I figured it was good to just publish it for everyone to be able to see it.

There are some minor edits from what was exactly submitted to the court such as the side-by-side German translation of the English text, and some reformatting around some footnotes in the text, because I don't know how to do that directly here, and they really were not all that relevant for anyone who reads this blog. Exhibit A is also not reproduced as it's just a huge list of all of the kernel releases in which I felt that there was no evidence of any contribution by Patrick McHardy.


I, the undersigned, Greg Kroah-Hartman,
declare in lieu of an oath and in the
knowledge that a wrong declaration in
lieu of an oath is punishable, to be
submitted before the Court:

I. With regard to me personally:

1. I have been an active contributor to
   the Linux Kernel since 1999.

2. Since February 1, 2012 I have been a
   Linux Foundation Fellow.  I am currently
   one of five Linux Foundation Fellows
   devoted to full time maintenance and
   advancement of Linux. In particular, I am
   the current Linux stable Kernel maintainer
   and manage the stable Kernel releases. I
   am also the maintainer for a variety of
   different subsystems that include USB,
   staging, driver core, tty, and sysfs,
   among others.

3. I have been a member of the Linux
   Technical Advisory Board since 2005.

4. I have authored two books on Linux Kernel
   development including Linux Kernel in a
   Nutshell (2006) and Linux Device Drivers
   (co-authored Third Edition in 2009.)

5. I have been a contributing editor to Linux
   Journal from 2003 - 2006.

6. I am a co-author of every Linux Kernel
   Development Report. The first report was
   based on my Ottawa Linux Symposium keynote
   in 2006, and the report has been published
   every few years since then. I have been
   one of the co-authors on all of them. This
   report includes a periodic in-depth
   analysis of who is currently contributing
   to Linux. Because of this work, I have an
   in-depth knowledge of the various records
   of contributions that have been maintained
   over the course of the Linux Kernel

   For many years, Linus Torvalds compiled a
   list of contributors to the Linux kernel
   with each release. There are also usenet
   and email records of contributions made
   prior to 2005. In April of 2005, Linus
   Torvalds created a program now known as
   "Git" which is a version control system
   for tracking changes in computer files and
   coordinating work on those files among
   multiple people. Every Git directory on
   every computer contains an accurate
   repository with complete history and full
   version tracking abilities.  Every Git
   directory captures the identity of
   contributors.  Development of the Linux
   kernel has been tracked and managed using
   Git since April of 2005.

   One of the findings in the report is that
   since the 2.6.11 release in 2005, a total
   of 15,637 developers have contributed to
   the Linux Kernel.

7. I have been an advisor on the Cregit
   project and compared its results to other
   methods that have been used to identify
   contributors and contributions to the
   Linux Kernel, such as a tool known as "git
   blame" that is used by developers to
   identify contributions to a git repository
   such as the repositories used by the Linux
   Kernel project.

8. I have been shown documents related to
   court actions by Patrick McHardy to
   enforce copyright claims regarding the
   Linux Kernel. I have heard many people
   familiar with the court actions discuss
   the cases and the threats of injunction
   McHardy leverages to obtain financial
   settlements. I have not otherwise been
   involved in any of the previous court

II. With regard to the facts:

1. The Linux Kernel project started in 1991
   with a release of code authored entirely
   by Linus Torvalds (who is also currently a
   Linux Foundation Fellow).  Since that time
   there have been a variety of ways in which
   contributions and contributors to the
   Linux Kernel have been tracked and
   identified. I am familiar with these

2. The first record of any contribution
   explicitly attributed to Patrick McHardy
   to the Linux kernel is April 23, 2002.
   McHardy's last contribution to the Linux
   Kernel was made on November 24, 2015.

3. The Linux Kernel 2.5.12 was released by
   Linus Torvalds on April 30, 2002.

4. After review of the relevant records, I
   conclude that there is no evidence in the
   records that the Kernel community relies
   upon to identify contributions and
   contributors that Patrick McHardy made any
   code contributions to versions of the
   Linux Kernel earlier than 2.4.18 and
   2.5.12. Attached as Exhibit A is a list of
   Kernel releases which have no evidence in
   the relevant records of any contribution
   by Patrick McHardy.

11 Mar 2018 1:51am GMT

07 Mar 2018

Dave Airlie (blogspot): radv - Vulkan 1.1 conformant on launch day

Vulkan 1.1 was officially released today, and thanks to a big effort by Bas and a lot of shared work from the Intel anv developers, radv is a launch day conformant implementation.


is a link to the conformance results. This is also radv's first time to be officially conformant on Vega GPUs.

is the patch series, it requires a bunch of common anv patches to land first. This stuff should all be landing in Mesa shortly or most likely already will have by the time you read this.

In order to advertise 1.1 you need at least a 4.15 Linux kernel.

Thanks to all involved in making this happen, including the behind the scenes effort to allow radv to participate in the launch day!

07 Mar 2018 7:13pm GMT

04 Mar 2018

Pete Zaitcev: MITM in Ireland

I'm just back from OpenStack PTG (Project Technical Gathering) in Dublin, Ireland and while I was there, Firefox reported wrong TLS certificates for some obscure websites, although not others. Example: zaitcev.us retains old certificate, as does wrk.ru. But sealion.club goes bad. I presume that Irish authorities and/or ISPs deemed it proper to MITM these sites. The question is, why such a strange choice of targets?

The sealion.club is a free speech and discussion site, named, as much as I can tell, after an old (possibly classic or memetic) Wondermark cartoon. Maybe the Irish just hate the free speech.

Or, they do not MITM sites that have TLS settings that are too easy to break... and Gmail.

04 Mar 2018 7:14am GMT

21 Feb 2018

Paul E. McKenney: Exit Libris

I have only so many bookshelves, and I have not yet bought into ereaders, so from time to time books must leave. Here is the current batch:

It is a bit sad to abandon some old friends, but such is life with physical books!

21 Feb 2018 5:06am GMT

18 Feb 2018

Linux Plumbers Conference: Summary of Survey Results – Thanks to all those who responded

Thank you to everyone who participated in the survey after Linux Plumbers in 2017, we had 134 responses to it which, given the total number of conference participants of around 354, has provided confidence in the feedback trends.

Overall - 85% of respondents were positive about the event, with only 2% actually saying they were dissatisfied. Co-locating with Open Source Summit did not provide as much benefit as locating with the Kernel Summit in the past, so we will be co-locating with Kernel Summit in 2018. This preference was also echoed in the write-in comments. Conference participation was down from 2016, but adding back the Kernel Summit colocation should address this.

On a positive note, the wireless woes of 2016 were resolved, and survey feedback indicated satisfaction in this area. Also, folks have let us know that they were able to hear better in the rooms this time and follow the conversations - the throwable microphones were helpful here. 53% felt the conference size was about right, with 45% wanting more to be able to attend.

Communication - People generally approved of the communication from the committee (we didn't spam you too much), and you were able to find the talks you wanted to attend. The authors and miniconf leads that responded, followed the trend.

Venue - From the feedback, we got the clear signal, that smaller venues like Santa Fe are preferred. For 2018, Plumbers will be held in Vancouver, Canada, where we'll have a floor dedicated to us. From your feedback, we got wireless, power plug access, hacking space areas right this year, but had problems with on-site catering taking the break beverages and snacks away too soon. The use of meal cards continues to be very popular, and the catering at the off-site events was well received and appreciated.

Events - The Closing Plenary was generally well received. Some individuals didn't find the lightning summaries at the closing that useful, but overall the survey feedback for those responding was either neutral or positive (less than 5% negative), similar to 2016. We're looking into the feasibility of some of the suggestions from the written comments to try to improve the closing summary further. There were several compliments that came through on our evening events, and again the overall feedback provided was very positive.

Location - Respondents were very positive about the convenience of having the hotel as the conference site, and were able to use the negotiated rates. They were more neutral about the choice of LA for the event (some liking it, some not).

Sessions - Of the sessions, the hallway track continues to remain the most popular and well attended. There was a very positive response to most of the miniconfs and talks; the refereed track running in parallel was popular. Our experiment of using part of the time for an unconference was generally well received by those participating, but the write-in comments have some good suggestions for improving this. Similarly making the schedule visible before the early registration closes is something that attendees want to see. Keeping the focus on solving problems rather than presenting status is something we have improved on, and will continue to emphasize for next year.

There were lots of great suggestions in the "what one thing would you like to see changed", and the program committee has been studying them to see what is possible to implement this year. Thank you again to the participants for their input and help on making the Linux Plumbers Conference better in 2018 and the future.

18 Feb 2018 8:07pm GMT

16 Feb 2018

Pete Zaitcev: ARM servers apparently exist at last

Check out what I found at Pogo Linux (h/t Bryan Lunduke):

ARM R150-T62
2 x Cavium® ThunderX™ 48 Core ARM processors
16 x DDR4 DIMM slots
3 x 40GbE QSFP+ LAN ports
4 x 10GbE SFP+ LAN ports
4 x 3.5" hot-swappable HDD/SSD bays
650W 80 PLUS Platinum redundant PSU

The prices are ridiculous, but at least it's a server with CentOS.

16 Feb 2018 6:42am GMT

Dave Airlie (blogspot): virgl caps - oops I messed.up

When I designed virgl I added a capability system to pass some info about the host GL to the guest driver along the lines of gallium caps. The design was at the virtio GPU level you have a number of capsets each of which has a max version and max size.

The virgl capset is capset 1 with max version 1 and size 308 bytes.

Until now we've happily been using version 1 at 308 bytes. Recently we decided we wanted to have a v2 at 380 bytes, and the world fell apart.

It turned out there is a bug in the guest kernel driver: it asks the host for a list of capsets and allows guest userspace to retrieve from it. The guest userspace has its own copy of the struct.

The flow is:
Guest mesa driver gives kernel a caps struct to fill out for capset 1.
Kernel driver asks the host over virtio for latest capset 1 info, max size, version.
Host gives it the max_size, version for capset 1.
Kernel driver asks host to fill out malloced memory of the max_size with the caps struct.
Kernel driver copies the returned caps struct to userspace, using the size of the returned host struct.

The bug is the last line, it uses the size of the returned host struct which ends up corrupting the guest in the scenario where the host has a capset 1 v2, size 380, but the host is still running old userspace which understands capset v1, size 308.

The 380 bytes gets memcpy over the 308 byte struct and boom.

Now we can fix the kernel to not do this, but we can't upgrade every kernel in an existing VM. So if we allow the virglrenderer process to expose a v2 all older sw will explode unless it is also upgraded which isn't really something you want in a VM world.

I came up with some virglrenderer workarounds, but due to another bug where qemu doesn't reset virglrenderer when it should, there was no way to make it reliable, and things like kexec old kernel from new kernel would blow up.

I decided in the end to bite the bullet and just make capset 2 be a repaired one. Unfortunately this needs patches in all 4 components before it can be used.

1) virglrenderer needs to expose capset 2 with the new version/size to qemu.
2) qemu needs to allow the virtio-gpu to transfer capset 2 as a virgl capset to the host.
3) The kernel on the host needs fixing to make sure we copy the minimum of the host caps and the guest caps into the guest userspace driver, then it needs to provide a way that guest userspace knows the fixed version is in place.
4) The guest userspace needs to check if the guest kernel has the fix, and then query capset 2 first, and fallback to querying capset 1.

After talking to a few other devs in virgl land, they pointed out we could probably just never add a new version of capset 2, and grow the struct endlessly.

The guest driver would fill out the struct it wants to use with its copy of default minimum values.
It would then call the kernel ioctl to copy over the host caps. The kernel ioctl would copy the minimum size of the host caps and the guest caps.

In this case if the host has a 400 byte capset 2, and the guest still only has 380 byte capset 2, the new fields from the host won't get copied into the guest struct and it will be fine.

If the guest has the 400 byte capset 2, but the host only has the 380 byte capset 2, the guest would preinit the extra 20 bytes with its default values (0 or whatever) and the kernel would only copy 380 bytes into the start of the 400 bytes and leave the extra bytes alone.

Now I just have to go write the patches and confirm it all.

Thanks to Stephane at google for creating the patch that showed how broken it was, and to others in the virgl community who noticed how badly it broke old guests! Now to go write the patches...

16 Feb 2018 12:11am GMT
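The copy described in the virgl post above, next to the "copy the minimum of both sizes" repair, as an added example that is not code from the post, virglrenderer, qemu or the kernel driver. It is a userspace simulation: the function names, the guard-byte arena and the fill values are assumptions made for illustration, while the 308, 380 and 400 byte sizes are the ones the post uses.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ARENA_SIZE   512   /* guest struct plus guard area, so the overrun stays in bounds */
#define GUARD_BYTE   0xA5  /* marks memory that does not belong to the caps struct */
#define HOST_BYTE    0x11  /* constructed host caps contents */
#define DEFAULT_BYTE 0x00  /* guest's preinitialised default values */

/* Copy as described in the post: the length comes from the host's struct only. */
static size_t copy_caps_host_size(uint8_t *guest, size_t guest_size,
                                  const uint8_t *host, size_t host_size)
{
    (void)guest_size;               /* the defect: the guest size is never consulted */
    memcpy(guest, host, host_size);
    return host_size;
}

/* Repaired copy: never more than either side's struct. */
static size_t copy_caps_min(uint8_t *guest, size_t guest_size,
                            const uint8_t *host, size_t host_size)
{
    size_t n = host_size < guest_size ? host_size : guest_size;
    memcpy(guest, host, n);
    return n;
}

struct result {
    size_t copied;        /* bytes written by the copy */
    size_t clobbered;     /* guard bytes past the guest struct that changed */
    size_t defaults_kept; /* guest struct bytes still holding DEFAULT_BYTE */
};

typedef size_t (*copy_fn)(uint8_t *, size_t, const uint8_t *, size_t);

/* Lay a guest struct of guest_size at the start of a guarded arena, run one
 * copy of a host struct of host_size into it, and measure the damage. */
static struct result run_scenario(copy_fn copy, size_t host_size, size_t guest_size)
{
    uint8_t arena[ARENA_SIZE];
    uint8_t host[ARENA_SIZE];
    struct result r = {0, 0, 0};
    size_t i;

    if (host_size > ARENA_SIZE || guest_size > ARENA_SIZE)
        return r;                   /* keep the simulation itself in bounds */

    memset(host, HOST_BYTE, sizeof(host));
    memset(arena, GUARD_BYTE, sizeof(arena));
    memset(arena, DEFAULT_BYTE, guest_size);   /* guest preinit with defaults */

    r.copied = copy(arena, guest_size, host, host_size);

    for (i = guest_size; i < ARENA_SIZE; i++)
        if (arena[i] != GUARD_BYTE)
            r.clobbered++;
    for (i = 0; i < guest_size; i++)
        if (arena[i] == DEFAULT_BYTE)
            r.defaults_kept++;
    return r;
}

static void report(const char *label, struct result r)
{
    printf("%-34s copied=%zu clobbered=%zu defaults_kept=%zu\n",
           label, r.copied, r.clobbered, r.defaults_kept);
}

int main(void)
{
    /* 380-byte host struct into a 308-byte userspace struct */
    report("host-size copy, host 380/guest 308",
           run_scenario(copy_caps_host_size, 380, 308));
    report("min copy, host 380/guest 308",
           run_scenario(copy_caps_min, 380, 308));
    /* The two capset 2 growth cases from the post */
    report("min copy, host 400/guest 380",
           run_scenario(copy_caps_min, 400, 380));
    report("min copy, host 380/guest 400",
           run_scenario(copy_caps_min, 380, 400));
    return 0;
}
```

The guard area stands in for whatever memory follows the userspace struct; in a real guest those 72 bytes belong to something else, which is the corruption the post describes.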

14 Feb 2018

Pete Zaitcev: More system administration in the age of SystemD

I'm tinkering with OpenStack TripleO in a simulated environment. It uses a dedicated non-privileged user, "stack", which can do things such as list VMs with "virsh list". So, yesterday I stopped the undercloud VM, and went to sleep. Today, I want to restart it... but virsh says:

error: failed to connect to the hypervisor
error: Cannot create user runtime directory '/run/user/1000/libvirt': Permission denied

What seems to happen is that when one logs into the stack@ user over ssh, systemd-logind mounts that /run/user/UID thing, but if I log as zaitcev@ and then do "su - stack", this fails to occur.

I have no idea what to do about this. It's probably trivial for someone more knowledgeable to throw the right pam_systemd line into /etc/pam.d/su. But su-l includes system-auth, which invokes pam_systemd.so, and yet... Oh well.

14 Feb 2018 11:23pm GMT

06 Feb 2018

Eric Sandeen: LEAF battery replacement update

New LEAF battery

Just a quick note here - the LEAF battery did finally go under warranty on Sept 24, 2017, and I got it replaced with minimal hassle back in great shape on October 3. The LeafSPY stats on the new battery actually dropped fairly quickly after I got it which was worrisome, but now (in the very cold weather) it's holding steady at about 97% state of health, with 62.3Ahr and 90.35Hx.

The stats when it finally dropped the 9th bar were:

Miles: 40623
Ahr: 43.51
Hx: 45.25

I've definitely needed that fresh capacity for this harsh winter, it's been fine, but frigid mornings still show the Guess-o-Meter at as low as 50-60 miles at times.

06 Feb 2018 8:25pm GMT

05 Feb 2018

Greg Kroah-Hartman: Linux Kernel Release Model


This post is based on a whitepaper I wrote at the beginning of 2016 to be used to help many different companies understand the Linux kernel release model and encourage them to start taking the LTS stable updates more often. I then used it as a basis of a presentation I gave at the Linux Recipes conference in September 2017 which can be seen here.

With the recent craziness of Meltdown and Spectre, I've seen lots of things written about how Linux is released and how we handle security patches that are totally incorrect, so I figured it is time to dust off the text, update it in a few places, and publish this here for everyone to benefit from.

I would like to thank the reviewers who helped shape the original whitepaper, which has helped many companies understand that they need to stop "cherry picking" random patches into their device kernels. Without their help, this post would be a total mess. All problems and mistakes in here are, of course, all mine. If you notice any, or have any questions about this, please let me know.


This post describes how the Linux kernel development model works, what a long term supported kernel is, how the kernel developers approach security bugs, and why all systems that use Linux should be using all of the stable releases and not attempting to pick and choose random patches.

Linux Kernel development model

The Linux kernel is the largest collaborative software project ever. In 2017, over 4,300 different developers from over 530 different companies contributed to the project. There were 5 different releases in 2017, with each release containing between 12,000 and 14,500 different changes. On average, 8.5 changes are accepted into the Linux kernel every hour, every hour of the day. A non-scientific study (i.e. Greg's mailbox) shows that each change needs to be submitted 2-3 times before it is accepted into the kernel source tree due to the rigorous review and testing process that all kernel changes are put through, so the engineering effort happening is much larger than the 8 changes per hour.

At the end of 2017 the size of the Linux kernel was just over 61 thousand files consisting of 25 million lines of code, build scripts, and documentation (kernel release 4.14). The Linux kernel contains the code for all of the different chip architectures and hardware drivers that it supports. Because of this, an individual system only runs a fraction of the whole codebase. An average laptop uses around 2 million lines of kernel code from 5 thousand files to function properly, while the Pixel phone uses 3.2 million lines of kernel code from 6 thousand files due to the increased complexity of a SoC.

Kernel release model

With the release of the 2.6 kernel in December of 2003, the kernel developer community switched from the previous model of having a separate development and stable kernel branch, and moved to a "stable only" branch model. A new release happened every 2 to 3 months, and that release was declared "stable" and recommended for all users to run. This change in development model was due to the very long release cycle prior to the 2.6 kernel (almost 3 years), and the struggle to maintain two different branches of the codebase at the same time.

The numbering of the kernel releases started out being 2.6.x, where x was an incrementing number that changed on every release. The value of the number has no meaning, other than it is newer than the previous kernel release. In July 2011, Linus Torvalds changed the version number to 3.x after the 2.6.39 kernel was released. This was done because the higher numbers were starting to cause confusion among users, and because Greg Kroah-Hartman, the stable kernel maintainer, was getting tired of the large numbers and bribed Linus with a fine bottle of Japanese whisky.

The change to the 3.x numbering series did not mean anything other than a change of the major release number, and this happened again in April 2015 with the movement from the 3.19 release to the 4.0 release number. It is not remembered if any whisky exchanged hands when this happened. At the current kernel release rate, the number will change to 5.x sometime in 2018.

Stable kernel releases

The Linux kernel stable release model started in 2005, when the existing development model of the kernel (a new release every 2-3 months) was determined to not be meeting the needs of most users. Users wanted bugfixes that were made during those 2-3 months, and the Linux distributions were getting tired of trying to keep their kernels up to date without any feedback from the kernel community. Trying to keep individual kernels secure and with the latest bugfixes was a large and confusing effort by lots of different individuals.

Because of this, the stable kernel releases were started. These releases are based directly on Linus's releases, and are released every week or so, depending on various external factors (time of year, available patches, maintainer workload, etc.)

The numbering of the stable releases starts with the number of the kernel release, and an additional number is added to the end of it.

For example, the 4.9 kernel is released by Linus, and then the stable kernel releases based on this kernel are numbered 4.9.1, 4.9.2, 4.9.3, and so on. This sequence is usually shortened with the number "4.9.y" when referring to a stable kernel release tree. Each stable kernel release tree is maintained by a single kernel developer, who is responsible for picking the needed patches for the release, and doing the review/release process. Where these changes are found is described below.

Stable kernels are maintained for as long as the current development cycle is happening. After Linus releases a new kernel, the previous stable kernel release tree is stopped and users must move to the newer released kernel.

Long-Term Stable kernels

After a year of this new stable release process, it was determined that many different users of Linux wanted a kernel to be supported for longer than just a few months. Because of this, the Long Term Supported (LTS) kernel release came about. The first LTS kernel was 2.6.16, released in 2006. Since then, a new LTS kernel has been picked once a year. That kernel will be maintained by the kernel community for at least 2 years. See the next section for how a kernel is chosen to be a LTS release.

Currently the LTS kernels are the 4.4.y, 4.9.y, and 4.14.y releases, and a new kernel is released, on average, once a week. Along with these three kernel releases, a few older kernels are still being maintained by some kernel developers at a slower release cycle due to the needs of some users and distributions.

Information about all long-term stable kernels, who is in charge of them, and how long they will be maintained, can be found on the kernel.org release page.

LTS kernel releases average 9-10 patches accepted per day, while the normal stable kernel releases contain 10-15 patches per day. The number of patches fluctuates per release given the current time of the corresponding development kernel release, and other external variables. The older a LTS kernel is, the fewer patches are applicable to it, because many recent bugfixes are not relevant to older kernels. However, the older a kernel is, the harder it is to backport the changes that are needed to be applied, due to the changes in the codebase. So while there might be a lower number of overall patches being applied, the effort involved in maintaining a LTS kernel is greater than maintaining the normal stable kernel.

Choosing the LTS kernel

The method of picking which kernel the LTS release will be, and who will maintain it, has changed over the years from a semi-random method, to something that is hopefully more reliable.

Originally it was merely based on what kernel the stable maintainer's employer was using for their product (2.6.16.y and 2.6.27.y) in order to make the effort of maintaining that kernel easier. Other distribution maintainers saw the benefit of this model and got together and colluded to get their companies to all release a product based on the same kernel version without realizing it (2.6.32.y). After that was very successful, and allowed developers to share work across companies, those companies decided to not do that anymore, so future LTS kernels were picked on an individual distribution's needs and maintained by different developers (3.0.y, 3.2.y, 3.12.y, 3.16.y, and 3.18.y) creating more work and confusion for everyone involved.

This ad-hoc method of catering to only specific Linux distributions was not beneficial to the millions of devices that used Linux in an embedded system and were not based on a traditional Linux distribution. Because of this, Greg Kroah-Hartman decided that the choice of the LTS kernel needed to change to a method in which companies can plan on using the LTS kernel in their products. The rule became "one kernel will be picked each year, and will be maintained for two years." With that rule, the 3.4.y, 3.10.y, and 3.14.y kernels were picked.

Due to a large number of different LTS kernels being released all in the same year, causing lots of confusion for vendors and users, the rule of no new LTS kernels being based on an individual distribution's needs was created. This was agreed upon at the annual Linux kernel summit and started with the 4.1.y LTS choice.

During this process, the LTS kernel would only be announced after the release happened, making it hard for companies to plan ahead of time what to use in their new product, causing lots of guessing and misinformation to be spread around. This was done on purpose as previously, when companies and kernel developers knew ahead of time what the next LTS kernel was going to be, they relaxed their normal stringent review process and allowed lots of untested code to be merged (2.6.32.y). The fallout of that mess took many months to unwind and stabilize the kernel to a proper level.

The kernel community discussed this issue at its annual meeting and decided to mark the 4.4.y kernel as a LTS kernel release, much to the surprise of everyone involved, with the goal that the next LTS kernel would be planned ahead of time to be based on the last kernel release of 2016 in order to provide enough time for companies to release products based on it in the next holiday season (2017). This is how the 4.9.y and 4.14.y kernels were picked as the LTS kernel releases.

This process seems to have worked out well, without many problems being reported against the 4.9.y tree, despite it containing over 16,000 changes, making it the largest kernel to ever be released.

Future LTS kernels should be planned based on this release cycle (the last kernel of the year). This should allow SoC vendors to plan ahead on their development cycle to not release new chipsets based on older, and soon to be obsolete, LTS kernel versions.

Stable kernel patch rules

The rules for what can be added to a stable kernel release have remained almost identical for the past 12 years. The full list of the rules for patches to be accepted into a stable kernel release can be found in the Documentation/process/stable_kernel_rules.rst kernel file and are summarized here. A stable kernel change:

The last rule, "a change must be in Linus's tree", prevents the kernel community from losing fixes. The community never wants a fix to go into a stable kernel release that is not already in Linus's tree so that anyone who upgrades should never see a regression. This prevents many problems that other projects who maintain a stable and development branch can have.

Kernel Updates

The Linux kernel community has promised its userbase that no upgrade will ever break anything that is currently working in a previous release. That promise was made in 2007 at the annual Kernel developer summit in Cambridge, England, and still holds true today. Regressions do happen, but those are the highest priority bugs and are either quickly fixed, or the change that caused the regression is quickly reverted from the Linux kernel tree.

This promise holds true for both the incremental stable kernel updates, as well as the larger "major" updates that happen every three months.

The kernel community can only make this promise for the code that is merged into the Linux kernel tree. Any code that is merged into a device's kernel that is not in the kernel.org releases is unknown and interactions with it can never be planned for, or even considered. Devices based on Linux that have large patchsets can have major issues when updating to newer kernels, because of the huge number of changes between each release. SoC patchsets are especially known to have issues with updating to newer kernels due to their large size and heavy modification of architecture specific, and sometimes core, kernel code.

Most SoC vendors do want to get their code merged upstream before their chips are released, but the reality of project-planning cycles and ultimately the business priorities of these companies prevent them from dedicating sufficient resources to the task. This, combined with the historical difficulty of pushing updates to embedded devices, results in almost all of them being stuck on a specific kernel release for the entire lifespan of the device.

Because of the large out-of-tree patchsets, most SoC vendors are starting to standardize on using the LTS releases for their devices. This allows devices to receive bug and security updates directly from the Linux kernel community, without having to rely on the SoC vendor's backporting efforts, which traditionally are very slow to respond to problems.

It is encouraging to see that the Android project has standardized on the LTS kernels as a "minimum kernel version requirement". Hopefully that will allow the SoC vendors to continue to update their device kernels in order to provide more secure devices for their users.


When doing kernel releases, the Linux kernel community almost never declares specific changes as "security fixes". This is due to the basic problem of the difficulty in determining if a bugfix is a security fix or not at the time of creation. Also, many bugfixes are only determined to be security related after much time has passed, so to keep users from getting a false sense of security by not taking patches, the kernel community strongly recommends always taking all bugfixes that are released.

Linus summarized the reasoning behind this behavior in an email to the Linux Kernel mailing list in 2008:

On Wed, 16 Jul 2008, pageexec@freemail.hu wrote:
> you should check out the last few -stable releases then and see how
> the announcement doesn't ever mention the word 'security' while fixing
> security bugs

Umm. What part of "they are just normal bugs" did you have issues with?

I expressly told you that security bugs should not be marked as such,
because bugs are bugs.

> in other words, it's all the more reason to have the commit say it's
> fixing a security issue.


> > I'm just saying that why mark things, when the marking have no meaning?
> > People who believe in them are just _wrong_.
> what is wrong in particular?

You have two cases:

 - people think the marking is somehow trustworthy.

   People are WRONG, and are misled by the partial markings, thinking that
   unmarked bugfixes are "less important". They aren't.

 - People don't think it matters

   People are right, and the marking is pointless.

In either case it's just stupid to mark them. I don't want to do it,
because I don't want to perpetuate the myth of "security fixes" as a
separate thing from "plain regular bug fixes".

They're all fixes. They're all important. As are new features, for that

> when you know that you're about to commit a patch that fixes a security
> bug, why is it wrong to say so in the commit?

It's pointless and wrong because it makes people think that other bugs
aren't potential security fixes.

What was unclear about that?


This email can be found here, and the whole thread is recommended reading for anyone who is curious about this topic.

When security problems are reported to the kernel community, they are fixed as soon as possible and pushed out publicly to the development tree and the stable releases. As described above, the changes are almost never described as a "security fix", but rather look like any other bugfix for the kernel. This is done to allow affected parties the ability to update their systems before the reporter of the problem announces it.

Linus describes this method of development in the same email thread:

On Wed, 16 Jul 2008, pageexec@freemail.hu wrote:
> we went through this and you yourself said that security bugs are *not*
> treated as normal bugs because you do omit relevant information from such
> commits

Actually, we disagree on one fundamental thing. We disagree on
that single word: "relevant".

I do not think it's helpful _or_ relevant to explicitly point out how to
trigger a bug. It's very helpful and relevant when we're trying to chase
the bug down, but once it is fixed, it becomes irrelevant.

You think that explicitly pointing something out as a security issue is
really important, so you think it's always "relevant". And I take mostly
the opposite view. I think pointing it out is actually likely to be

For example, the way I prefer to work is to have people send me and the
kernel list a patch for a fix, and then in the very next email send (in
private) an example exploit of the problem to the security mailing list
(and that one goes to the private security list just because we don't want
all the people at universities rushing in to test it). THAT is how things
should work.

Should I document the exploit in the commit message? Hell no. It's
private for a reason, even if it's real information. It was real
information for the developers to explain why a patch is needed, but once
explained, it shouldn't be spread around unnecessarily.


Full details of how security bugs can be reported to the kernel community in order to get them resolved and fixed as soon as possible can be found in the kernel file Documentation/admin-guide/security-bugs.rst

Because security bugs are not announced to the public by the kernel team, CVE numbers for Linux kernel-related issues are usually released weeks, months, and sometimes years after the fix was merged into the stable and development branches, if at all.

Keeping a secure system

When deploying a device that uses Linux, it is strongly recommended that all LTS kernel updates be taken by the manufacturer and pushed out to their users after proper testing shows the update works well. As was described above, it is not wise to try to pick and choose various patches from the LTS releases because:

Note, this author has audited many SoC kernel trees that attempt to cherry-pick random patches from the upstream LTS releases. In every case, severe security fixes have been ignored and not applied.

As proof of this, I demoed at the Kernel Recipes talk referenced above how trivial it was to crash all of the latest flagship Android phones on the market with a tiny userspace program. The fix for this issue was released 6 months prior in the LTS kernel that the devices were based on, however none of the devices had upgraded or fixed their kernels for this problem. As of this writing (5 months later) only two devices have fixed their kernel and are now not vulnerable to that specific bug.
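The stable numbering scheme and the "take every LTS update" advice above can be turned into a simple fleet check. The following is an added example, not code from the article or from the kernel project: it maps `uname -r` style strings (including vendor suffixes and the older four-part 2.6 numbering) to their stable tree and reports how many point releases a device is behind. The point-release numbers, device names and sample releases are constructed; in practice the table would be filled from the kernel.org release page.

```python
import re

# Constructed sample table: newest point release of each long-term tree.
# Tree names come from the article; the point-release numbers are
# placeholders, not real kernel.org data.
LATEST_LTS = {"4.4.y": 120, "4.9.y": 85, "4.14.y": 25}

_VERSION = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:\.(\d+))?")


def parse_release(release):
    """Split a `uname -r` style string into (stable tree, point release).

    3.x and later: A.B[.C]   -> tree "A.B.y",   point C (0 if absent)
    2.6 series:    2.6.B[.C] -> tree "2.6.B.y", point C (0 if absent)
    Vendor suffixes such as "-perf+" or "-g1a2b3c4" are ignored.
    """
    m = _VERSION.match(release.strip())
    if not m:
        raise ValueError("unrecognised kernel release: %r" % release)
    major, minor = int(m.group(1)), int(m.group(2))
    third = int(m.group(3)) if m.group(3) is not None else None
    fourth = int(m.group(4)) if m.group(4) is not None else None
    if (major, minor) == (2, 6):
        if third is None:
            raise ValueError("incomplete 2.6 release: %r" % release)
        return "2.6.%d.y" % third, fourth or 0
    return "%d.%d.y" % (major, minor), third or 0


def audit(release, latest=LATEST_LTS):
    """Compare one kernel release against the table of long-term trees."""
    tree, point = parse_release(release)
    if tree not in latest:
        # Not a tree in the supplied table: no upstream point releases to
        # compare against, so the device needs a move to a listed tree.
        return {"tree": tree, "point": point, "status": "unlisted", "behind": None}
    behind = max(latest[tree] - point, 0)
    status = "behind" if behind else "current"
    return {"tree": tree, "point": point, "status": status, "behind": behind}


# Constructed fleet inventory (hypothetical device names and releases).
FLEET = {
    "phone-a": "4.9.65-perf+",
    "phone-b": "4.14.25",
    "router-c": "3.18.31-g1a2b3c4",
    "appliance-d": "2.6.32.71",
}


def report(fleet=FLEET, latest=LATEST_LTS):
    """Return one summary line per device, sorted by device name."""
    lines = []
    for device, release in sorted(fleet.items()):
        r = audit(release, latest)
        detail = r["status"]
        if r["status"] == "behind":
            detail = "behind by %d point releases" % r["behind"]
        lines.append("%-12s %-20s %-9s %s" % (device, release, r["tree"], detail))
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

A device reported as "current" here has only matched the upstream version number; out-of-tree patches and cherry-picked subsets are not visible in the release string.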

05 Feb 2018 5:13pm GMT

04 Feb 2018

feedKernel Planet

Pete Zaitcev: Farewell Nexus 7, Hello Huawei M3

Flying a photoshoot of the Carlson, I stuffed my Nexus 7 under my thighs and cracked the screen. In my defense, I did it several times before, because I hate leaving it on the cockpit floor. I had to fly uncoordinated for the photoshoot, which causes anything that's not fixed in place to slide around, and I'm paranoid about a controls interference. Anyway, the cracked screen caused a significant dead zone where touch didn't register anymore, and that made the tablet useless. I had to replace it.

In the years since I had the Nexus (apparently since 2014), the industry stopped making good 7-inch tablets. Well, you can still buy $100 tablets in that size. But because the Garmin Pilot was getting spec-hungry recently, I had no choice but to step up. Sad, really. Naturally, I'm having trouble fitting the M3 into pockets where Nexus lived comfortably before. {It's a full-size iPad in the picture, not a Mini.}

The most annoying problem that I encountered was Chrome not liking the SSL certificate of www.zaitcev.us. It bails with ERR_SSL_SERVER_CERT_BAD_FORMAT. I have my own fake CA, so I install my CA certificate on clients and I sign my hosts. I accept the consequences and inconvenience. The annoyance arises because Chrome does not tell what it does not like about the certificate. Firefox works fine with it, as do other applications (like IMAP clients). Chrome in the Nexus worked fine. A cursory web search suggests that Chrome may want alternative names keyed with "DNS.1" instead of "DNS". Dunno what it means and if it is true.

UPDATE: "Top FBI, CIA, and NSA officials all agree: Stay away from Huawei phones"

04 Feb 2018 5:17am GMT

02 Feb 2018

feedKernel Planet

Michael Kerrisk (manpages): man-pages-4.15 is released

I've released man-pages-4.15. The release tarball is available on kernel.org. The browsable online pages can be found on man7.org. The Git repository for man-pages is available on kernel.org.

This release resulted from patches, bug reports, reviews, and comments from 26 contributors. Just over 200 commits changed around 75 pages. In addition, 3 new manual pages were added.

Among the more significant changes in man-pages-4.15 are the following:

02 Feb 2018 3:21pm GMT

Daniel Vetter: LCA Sydney: Burning Down the Castle

I've done a talk about the kernel community. It's a hot take, but with the feedback I've received thus far I think it was on the spot, and started a lot of uncomfortable, but necessary discussion. I don't think it's time yet to give up on this project, even if it will take years.

Without further ado, the recording of my talk "Burning Down the Castle" is on YouTube. For those who prefer reading, LWN has you covered with "Too many lords, not enough stewards". I think Jake Edge and Jon Corbet have done an excellent job in capturing my talk in a balanced fashion.

Further Discussion

For understanding abuse dynamics I can't recommend "Why Does He Do That?: Inside the Minds of Angry and Controlling Men" by Lundy Bancroft enough. All the examples are derived from a few decades of working with abusers in personal relationships, but the patterns and archetypes that Lundy Bancroft extracts transfer extremely well to any other kind of relationship, whether that's work, family or open source communities.

There's endless amounts of stellar talks about building better communities. I'd like to highlight just two: "Life is better with Rust's community automation" by Emily Dunham and "Have It Your Way: Maximizing Drive-Thru Contribution" by VM Brasseur. For learning more there's lots of great community topic tracks at various conferences, but also dedicated ones - often as unconferences: Community Leadership Summit, including its various offsprings and maintainerati are two I've been at and learned a lot.

Finally there's the fun of trying to change a huge existing organization with lots of inertia. "Leading Change" by John Kotter has some good insights and frameworks to approach this challenge.

Despite what it might look like I'm not quitting kernel hacking nor the X.org community, and I'm happy to discuss my talk over mail and in upcoming hallway tracks.

02 Feb 2018 12:00am GMT

23 Jan 2018

feedKernel Planet

Pete Zaitcev: 400 gigabits, every second

I keep waiting for RJ-45 to fail to keep the pace with the gigabits, for many years. And it always catches up. But maybe not anymore. Here's what the connector looks like for QSFP-DD, a standard module connector for 400GbE:

Two rows, baby, same as on USB3.

These speeds are mostly used between leaf and spine switches, but I'm sure we'll see them in the upstream routers, too.

23 Jan 2018 7:43pm GMT