Gentoo Council member Michał Górny posted an RFC to the gentoo-dev mailing list in late February about banning "'AI'-backed (LLM/GPT/whatever) contributions" to the Gentoo Linux project. Górny wrote that the spread of the "AI bubble" indicated a need for Gentoo to formally take a stand on AI tools. After a lengthy discussion, the Gentoo Council voted unanimously this week to adopt his proposal and ban contributions generated with AI/ML tools.
Kernel developers, like conscientious developers for many projects, will often include checks in the code for conditions that are never expected to occur, but which would indicate a serious problem should that expectation turn out to be incorrect. For years, developers have been encouraged (to put it politely) to avoid using assertions that crash the machine for such conditions unless there is truly no alternative. Increasingly, though, use of the kernel's WARN_ON() family of macros, which developers were told to use instead, is also being discouraged.
Security updates have been issued by Debian (firefox-esr, jetty9, libdatetime-timezone-perl, tomcat10, and tzdata), Fedora (cockpit, filezilla, and libfilezilla), Red Hat (firefox, gnutls, java-1.8.0-openjdk, java-17-openjdk, kernel, kernel-rt, less, mod_http2, nodejs:18, rhc-worker-script, and shim), Slackware (mozilla), SUSE (kernel), and Ubuntu (apache2, glibc, and linux-xilinx-zynqmp).
Managing to-do lists is something of a universal necessity. While some people handle them mentally or on paper, others resort to a web-based tool or a mobile application. For those preferring the command line, the MIT-licensed Taskwarrior offers a flexible solution with a healthy community and lots of extensions.
Security updates have been issued by Debian (apache2 and cockpit), Fedora (firefox, kernel, mbedtls, python-cbor2, wireshark, and yyjson), Mageia (nghttp2), Red Hat (kernel, kernel-rt, opencryptoki, pcs, shim, squid, and squid:4), Slackware (firefox), SUSE (emacs, firefox, and kernel), and Ubuntu (linux-aws, linux-aws-5.15, linux-aws-6.5, linux-raspi, and linux-iot).
The recent XZ backdoor has sparked a lot of discussion about how the open-source community links and packages software. One possible security improvement being discussed is changing how projects like systemd link to dynamic libraries that are only used for optional functionality: using dlopen() to load those libraries only when required. This could shrink the attack surface exposed by dependencies, but the approach is not without downsides - most prominently, it makes discovering which dynamic libraries a program depends on harder. On April 11, Lennart Poettering proposed one way to eliminate that problem in a systemd RFC on GitHub.
Fedora 40 Beta was released on March 26, and the final release is nearing completion. So far, the release is coming together nicely with major updates for GNOME, KDE Plasma, and the usual cavalcade of smaller updates and enhancements. As part of the release, the project also scuttled DeltaRPMs and OpenSSL 1.1.
The Open Source Security Foundation and the OpenJS Foundation have jointly posted a warning about XZ-like social-engineering attacks after OpenJS was seemingly targeted.
Kumar Kartikeya Dwivedi has been working to add support for exceptions to BPF since mid-2023. In July, Dwivedi posted the first patch set in this effort, which adds support for basic stack unwinding. In February 2024, he posted the second patch set aimed at letting the kernel release resources held by the BPF program when an exception occurs. This makes exceptions usable in many more contexts.
Security updates have been issued by AlmaLinux (bind, bind and dhcp, bind9.16, gnutls, httpd:2.4/mod_http2, squid:4, and unbound), Debian (kernel, trafficserver, and xorg-server), Fedora (chromium, kernel, libopenmpt, and rust-h2), Mageia (apache-mod_jk, golang, indent, openssl, perl-HTTP-Body, php, rear, ruby-rack, squid, varnish, and xfig), Oracle (bind, squid, unbound, and X.Org server), Red Hat (bind and dhcp and unbound), Slackware (less and php), SUSE (gnutls, python-Pillow, webkit2gtk3, xen, xorg-x11-server, and xwayland), and Ubuntu (yard).
The 6.9-rc4 kernel prepatch is out for testing. "Nothing particularly unusual going on this week - some new hw mitigations may stand out, but after a decade of this I can't really call it 'unusual' any more, can I?"
The 6.8.6, 6.6.27, 6.1.86, 5.15.155, 5.10.215, 5.4.274, and 4.19.312 stable kernel updates have all been released; each contains a relatively large number of important fixes.
The kernel project merges dozens of drivers with every development cycle, and almost every one of those drivers is entirely uncontroversial. Occasionally, though, a driver submission raises wider questions, leading to lengthy discussion and, perhaps, opposition. That is currently the case with two separate drivers, both with ties to the networking subsystem. One of them is hung up on questions of whether (and how) all device functionality should be made available to user space, while the other has run into turbulence because it drives a device that is unobtainable outside of a single company.
Security updates have been issued by Debian (chromium), Fedora (rust, trafficserver, and upx), Mageia (postgresql-jdbc and x11-server, x11-server-xwayland, tigervnc), Red Hat (bind, bind9.16, gnutls, httpd:2.4, squid, unbound, and xorg-x11-server), SUSE (perl-Net-CIDR-Lite), and Ubuntu (apache2, maven-shared-utils, and nss).
The Earliest Virtual Deadline First (EEVDF) scheduler was merged as an option for the 6.6 kernel. It represents a major change to how CPU scheduling is done on Linux systems, but the EEVDF front has been relatively quiet since then. Now, though, scheduler developer Peter Zijlstra has returned from a long absence to post a patch series intended to finish the EEVDF work. Beyond some fixes, this work includes a significant behavioral change and a new feature intended to help latency-sensitive tasks.
Security updates have been issued by AlmaLinux (kernel, less, libreoffice, nodejs:18, nodejs:20, rear, thunderbird, and varnish), Debian (pillow), Fedora (dotnet7.0), SUSE (sngrep, texlive-specs-k, tomcat, tomcat10, and xorg-x11-server), and Ubuntu (nss, squid, and util-linux).
The Gentoo Linux project has announced that it is now an Associated Project of Software in the Public Interest (SPI), which will allow it to accept tax deductible donations in the US and reduce its "non-technical workload":
Greg Kroah-Hartman has announced another round of stable kernel updates: 6.8.5, 6.6.26, 6.1.85, and 5.15.154 have all been released; each contains another set of important fixes, including the mitigations for the recently disclosed branch history injection hardware vulnerability.
A recent book by LWN guest author Lee Phillips provides a nice introduction to the Julia programming language. Practical Julia does more than that, however. As its subtitle ("A Hands-On Introduction for Scientific Minds") implies, the book focuses on bringing Julia to scientists, rather than programmers, which gives it something of a different feel from most other books of this sort.
On April 3 security researcher Bartek Nowotarski published the details of a new denial-of-service (DoS) attack, called a "continuation flood", against many HTTP/2-capable web servers. While the attack is not terribly complex, it affects many independent implementations of the HTTP/2 protocol, even though multiple similar vulnerabilities over the years have given implementers plenty of warning.
The mainline kernel has just received a set of commits mitigating the latest x86 hardware vulnerability, known as "branch history injection". From this commit:
On February 20, Linaro held the initial get-together for what is intended to be a regular Linux Kernel Forum for the Arm-focused kernel community. This gathering aims to convene approximately a few weeks prior to the merge window opening and prior to the release of the current kernel version under development. Topics covered in the first gathering include preparing 64-bit Arm kernels for low-end embedded systems, memory errors and Compute Express Link (CXL), devlink objectives, and scheduler integration.
Version 3.3.0 of the OpenSSL SSL/TLS implementation has been released. Changes include a number of additions to its QUIC protocol support, some year-2038 improvements for 32-bit systems, and a lot of cryptographic features with descriptions like "Added a new EVP_DigestSqueeze() API. This allows SHAKE to squeeze multiple times with different output sizes." See the release notes for details.
There are many mechanisms for deferred work in the Linux kernel. One of them, workqueues, has seen increasing use as part of the move away from software interrupts. Alison Chaiken gave a talk at SCALE about how they compare to software interrupts, the new challenges they pose for system administrators, and what tools are available to kernel developers wishing to diagnose problems with workqueues as they become increasingly prevalent.
Security updates have been issued by Debian (expat), Oracle (less and nodejs:20), Slackware (libarchive), SUSE (kubernetes1.23, nghttp2, qt6-base, and util-linux), and Ubuntu (python-django).
Version 4.2.0 of the Rivendell radio automation system has been released. Changes include a new data feed for 'next' data objects, improvements to its podcast system, numerous bug fixes, and more.
Sometimes the smallest patches create the biggest discussions. A case in point would be the process by which the PostgreSQL community - not a group normally prone to extended, strongly worded megathreads - resolved the question of whether to merge a brief patch adding a new configuration parameter. Sometimes, a proposal that looks like a security patch is not, in fact, intended to be a security patch, but getting that point across can be difficult.
Version 2.4.0 of the GNU Stow symbolic-link manager has been released. This marks the first release for GNU Stow since 2019. Maintainer Adam Spiers wrote:
Wayne Davison has announced the release of rsync version 3.3.0, which contains a number of bug fixes and minor enhancements. Davison has also announced a change in maintainers and a move to a new GitHub project:
The nominations have closed and campaigning is underway to see who will be the next Debian Project Leader (DPL). This year, two candidates are campaigning for the position Jonathan Carter has held for four eventful years: Sruthi Chandran and Andreas Tille. Topics that have emerged so far include how the prospective DPLs would spend project money, their opinions on handling controversial topics, and project diversity.
OpenBSD 7.5 has been released. The list of changes and improvements is, as usual, long; it includes the pinsyscalls() functionality covered here in January.
The Eclipse Foundation, the organization behind the Eclipse IDE and many other software projects, announced a collaboration between several different open-source-software foundations to create a specification describing secure software development best practices. This work is motivated by the European Union's Cyber Resilience Act (CRA).
Version 7.0 of the FFmpeg audio/video toolkit is out. "The most noteworthy changes for most users are a native VVC decoder (currently experimental, until more fuzzing is done), IAMF support, or a multi-threaded ffmpeg CLI tool". There's also the usual list of new formats and codecs, and a few deprecated features have been removed.
Security updates have been issued by Debian (cockpit), Mageia (python-pygments), Red Hat (nodejs), Slackware (httpd and nghttp2), SUSE (avahi, gradle, gradle-bootstrap, and squid), and Ubuntu (xorg-server, xwayland).
Among the numerous approaches to funding the development and advancement of open-source software, corporate sponsorship in the form of donations to umbrella organizations is perhaps the most visible. At SCALE21x in Pasadena, California, Duane O'Brien presented a slice of his recent research into the landscape of such sponsorship arrangements, with an overview of the identifiable trends of the past ten years and some initial insights he hopes are valuable for sponsors and community members alike.
Version 6.0 LTS of the Incus container management system has been released. "This is a major milestone for Incus as it marks our first release with extended support, suitable for use in production environments where monthly feature releases aren't suitable." Changes include swap limits for containers, a new shell completion mechanism, support for the creation of VLAN interfaces, improved live migration, and more.
Security updates have been issued by CentOS (firefox and thunderbird), Debian (chromium and gtkwave), Fedora (micropython), Slackware (xorg), SUSE (util-linux and xen), and Ubuntu (firefox).