LWN.net

The LWN.net Weekly Edition for August 31, 2023 is available.

A series of rabbit holes, some of which led to unshavedyaks, recently landed me on a book called Mastering Emacs.Given that I have been using Emacs "professionally" for more than16years-and first looked into it a good ways into the previous century-Ishould probably be pretty well-versed in that editor-cum-operating-system.Sadly, for a variety of reasons, that is not really true, but the book andsome concerted effort have been helping me down a path toward Emacs-ianenlightenment. Mastering Emacs may also help others who arestruggling in the frothy sea that makes up Emacs documentation.

The6.4.13,6.1.50,5.15.129,5.10.193,5.4.255,4.19.293, and4.14.324stable kernels have been released; each contains another set of importantfixes.

Security updates have been issued by Debian (qpdf, ring, and tryton-server), Fedora (mingw-qt5-qtbase and moby-engine), Red Hat (cups, kernel, kernel-rt, kpatch-patch, librsvg2, and virt:rhel and virt-devel:rhel), and Ubuntu (amd64-microcode, firefox, linux, linux-aws, linux-aws-5.15, linux-gcp, linux-gke, linux-gkeop, linux-hwe-5.15, linux-ibm, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-oracle, linux-oracle-5.15, linux, linux-aws, linux-aws-5.4, linux-gcp, linux-hwe-5.4, linux-kvm, linux-oracle, linux-xilinx-zynqmp, linux, linux-aws, linux-aws-6.2, linux-azure, linux-hwe-6.2, linux-ibm, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-6.2, linux-raspi, linux-bluefield, linux-ibm, linux-oem-6.1, and openjdk-lts, openjdk-17).

"Sugar" is, to a certain extent, in the eye of the beholder-at least whenit comes to syntax. Programming languages are often made up of a (mostly)irreducible core, with lots of sugary constructs sprinkled on top-the syntactic sugar. No onewants to be forced to do without the extra syntax-at least not for theirfavorite pieces-but it is worth looking at how a language's constructs canbe built from the core. That is just what Brett Cannon has been doing forPython, on his blog and in talks,including a talk at PyCon back in April (YouTube video).

Security updates have been issued by Debian (flask-security and opendmarc), Fedora (qemu), Oracle (rust and rust-toolset:ol8), Red Hat (cups and libxml2), Scientific Linux (cups), SUSE (ca-certificates-mozilla, chromium, clamav, freetype2, haproxy, nodejs12, procps, and vim), and Ubuntu (faad2, json-c, libqb, linux, linux-aws, linux-lts-xenial, linux-gcp-5.15, linux-gke, linux-gke-5.15, linux-gkeop, linux-gkeop-5.15, and linux-gke, linux-ibm-5.4).

The OpenChain site carries the sad news of thepassing of Satoru Ueda. Your editor first met Ueda San at the 2007 Linux Foundation Japan Symposium, where asmall group of dedicated developers and managers was working hard to bringopen-source development practices to the country. Ueda San was always astrong advocate for this cause and deserves much credit for the success ofLinux and open source in Japan. He was also always a warm and welcomingperson; he will be much missed.

The 6.5 kernel was releasedon August27 after a nine-week development cycle. By that time, some13,561 non-merge changesets had found their way into the mainlinerepository, the lowest number seen since the 5.15 release (12,377changesets) in late 2021. Nonetheless, quite a bit of significant work wasdone in this cycle; read on for a look at where that work came from.

August 26 was the 25th anniversary of the release of the Bugzilla bug tracker as open-source software under the Mozilla Public License (MPL). A blog post for the occasion has some announcements, including several upcoming releases, help wanted, and a new legal entity to house the project:

Security updates have been issued by Debian (chromium, clamav, librsvg, rar, and unrar-nonfree), Fedora (caddy, chromium, and xen), and SUSE (ca-certificates-mozilla, gawk, ghostscript, java-1_8_0-ibm, java-1_8_0-openjdk, php7, qemu, and xen).

Linus has, as expected, released the 6.5kernel.

The6.1.48,5.15.128, and5.10.192stable kernels have been released; each contains another set of importantfixes.Update: 6.1.49 has also beenreleased. "This upgrade is only for all users of the 6.1 series thatuse the x86 platform OR the F2FS file system. If that's not you, feel freeto ignore this release."

The OpenTF Foundation has announced that it is moving forward with its eponymous fork of HashiCorp Terraform, which was recently changed to a non-FOSS license by the company. The organization has applied to become part of the Linux Foundation, "with the end goal of having OpenTF as part of Cloud Native Computing Foundation". There is a GitHub repository for its manifesto, but the code repository for OpenTF is private for now, with plans to open it up in the next week or two. Work has been going on for the last week and more developers are coming on board:

The more one pays attention to the Internet of Things (IoT), the more onelearns to appreciate simple, unconnected devices. Your editor long agoacquired an aversion to products that advertise themselves as "smart"or "WiFi-enabled". There can be advantages, though, to devices thatcontain microprocessors, are Internet connected, and are remotelyaccessible, if they are implemented well. The OpenSprinkler sprinkler timer wouldappear to be a case in point.

Security updates have been issued by Debian (tryton-server), Fedora (youtube-dl), SUSE (clamav and krb5), and Ubuntu (cjose and fastdds).

The kernel's software I/O translation lookaside buffer ("swiotlb") is anobscure corner of the DMA-support layer. The swiotlb was initiallyintroduced to enable DMA for devices with special challenges, and one mighthave expected it to fade away as newer peripherals came along. Instead,though, the swiotlb has turned out to be useful in places outside of itsoriginal use cases. Thispatch set from Petr Tesarik now aims to update the swiotlb with an eyetoward its continuing use indefinitely into the future.

Version1.72.0 of the Rust compiler has been released. Changes includeimproved diagnostics and the removal of a limit on const evaluation:

Security updates have been issued by Debian (w3m), Fedora (libqb), Mageia (docker-containerd, kernel, kernel-linus, microcode, php, redis, and samba), Oracle (kernel, kernel-container, and openssh), Scientific Linux (subscription-manager), SUSE (ca-certificates-mozilla, erlang, gawk, gstreamer-plugins-base, indent, java-1_8_0-ibm, kernel, kernel-firmware, krb5, libcares2, nodejs14, nodejs16, openssl-1_1, openssl-3, poppler, postfix, redis, webkit2gtk3, and xen), and Ubuntu (php8.1).

The LWN.net Weekly Edition for August 24, 2023 is available.

Greg Kroah-Hartman has announced the release of two new stable kernels: 6.4.12 and 6.1.47. Both contain lots of important fixesthroughout the kernel tree.

Over the years, there have been multiple examples of open-source softwarethat, suddenly, was no longer open source; on August10, some furtherexamples were added to the pile. That happened when HashiCorp announcedthat it would be switching the license on its products from the Mozilla PublicLicense2.0 (MPL) to the Business Source License1.1(BSL or BUSL). At least one of the products affected by the change, the Terraform infrastructure-automationtool, has attracted an effort to continue it as an open-source tool in theform of a fork that would be maintained by the nascent OpenTF Foundation. That seems like asensible reaction to the move, but it also helps serve up yet anotherreminder that code which is controlled by a single entity is normallyalways at risk of suchadverse changes.

Security updates have been issued by Debian (mediawiki and qt4-x11), Fedora (java-17-openjdk, linux-firmware, and python-yfinance), Red Hat (kernel, kpatch-patch, and subscription-manager), SUSE (evolution, janino, kernel, nodejs16, nodejs18, postgresql15, qt6-base, and ucode-intel), and Ubuntu (inetutils).

ThePineTime is an inexpensivesmartwatch developed by PINE64 that isdesigned to run open-source operating systems. Despite its low cost, however,it has most of the features expected from more expensive, proprietarysmartwatches. Because it runs open-source software, though, interesteddevelopers can add any other useful features that they dream up.

Security updates have been issued by Debian (intel-microcode, lxc, and zabbix), Fedora (clamav), SUSE (python-configobj), and Ubuntu (clamav).

Making a filesystem implementation robust in the face of maliciouslycreated filesystem images is a challenging task even when theimplementation is actively maintained, which many in the kernel are not. There is a way tomake that task even harder, though: modify that filesystem image behind theimplementation's back while it is mounted. A recent discussion on thelinux-fsdevel list reveals an ongoing disagreement over whether (and how)this threat should be addressed.

The Document Foundationhas announcedthe release of LibreOffice7.6 Community. It is the last releaseusing the existing numbering scheme as the office suite will move to date-basedrelease numbers starting with LibreOffice24.2 inFebruary,2024. Highlights of this release include support fordocument themes, including import and export of them, a new navigationpanel for Impress and Draw, zoom-gesture support, font-handlingimprovements, and lots more; the releasenotes have all the details.

Security updates have been issued by Debian (fastdds, flask, and kernel), Fedora (chromium, dotnet6.0, dotnet7.0, gerbv, java-1.8.0-openjdk, libreswan, procps-ng, and spectre-meltdown-checker), SUSE (chromium, kernel-firmware, krb5, opensuse-welcome, and python-mitmproxy), and Ubuntu (clamav, firefox, and vim).

Linus Torvalds has released the 6.5-rc7 kernelprepatch, which looks to be the final release candidate before the likelyrelease of Linux 6.5 next Sunday. Torvalds released it a little earlierthan usual due to some travel; overall things look to be in good shape:

It is fair to say that the DNF packagemanager is not the favorite tool of many Fedora users. It was broughtin as a replacement for Yum but got off to arather rocky start; DNF hasstabilized over the years, though and the complaints have subsided. That can onlymean one thing: it must be time to throw it away and start over from thebeginning. The replacement, called DNF5, was slated to be a part of theFedora39 release, due in October, but that is not going to happen.

Security updates have been issued by Debian (chromium, rar, and unrar-nonfree), Fedora (microcode_ctl, trafficserver, and webkitgtk), SUSE (ImageMagick, kernel, nodejs16, nodejs18, postgresql12, postgresql15, re2c, and samba), and Ubuntu (ghostscript, haproxy, linux, linux-aws, linux-aws-5.15, linux-gcp, linux-hwe-5.15, linux-ibm, linux-intel-iotg, linux-intel-iotg-5.15, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-oracle, linux-oracle-5.15, linux-raspi, linux-hwe-5.4, linux-xilinx-zynqmp, poppler, and zziplib).

SUSE's long story of corporate ownership is gaining a new chapter; thecompany has announcedthat its majority shareholder (Marcel LUX III SARL) will be acquiring theremaining shares, and will take the company private and off of the stockexchange. "SUSE's Management Board and Supervisory Board support thestrategic opportunity from delisting of the company as it will allow SUSEto focus fully on its operational priorities and execution of its long-termstrategy."

In its default configuration, the Linux kernel will allow processes toallocate more memory than the system can actually provide; this policyenables better utilization of physical memory and works just fine - most ofthe time. On occasions, though, the kernel may find itself unable toprovide memory that processes may think already belongs to them. If thesituation gets bad enough, the only solution (short of rebooting) is todeclare a sort of memory bankruptcy and write off some of the kernel'sdebts by killing one or more processes. Over the years, a great deal ofeffort has gone into heuristics to select the processes that the user isleast likely to miss. This problem is still clearly not solved toeverybody's satisfaction, though, so it was only a matter of time beforesomebody introduced a way to select the out-of-memory (OOM) victim usingBPF.

Security updates have been issued by Debian (open-vm-tools, openjdk-11, and openssh), Fedora (librsvg2, llhttp, opensc, and rust), Oracle (.NET 6.0, .NET 7.0, iperf3, microcode_ctl, postgresql:10, and python-requests), SUSE (openssl-1_0_0, perl-Cpanel-JSON-XS, postgresql12, and postgresql15), and Ubuntu (ceph, haproxy, heat, libpod, and postgresql-12, postgresql-14, postgresql-15).

The LWN.net Weekly Edition for August 17, 2023 is available.

Readers have been pointing us to HashiCorp's announcementthat it is moving to its own "Business Source License" for some of its(formerly) open-source products. Like other companies (example) that have taken this path, HashiCorpis removing the freedom to use its products commercially in ways that itsees as competitive. This is, in a real sense, an old and tiresome story.The lessons to be drawn from this change are old as well. One is to bewareof depending on any platform, free or proprietary, that is controlled by asingle company. It is a rare company that will not try to take advantageof that control at some point.The other is to beware of contributor license agreements. HashiCorp'sagreement usedto read that it existed "to ensure that our projects remain licensedunder Free and Open Source licenses"; the current version doesn't say thatanymore. But both versions give HashiCorp the right to play exactly thiskind of game with any code contributed by outsiders. Developers who werecontributing to a free-software project will now have their code used in arather more proprietary setting. When a company is given the right to takesomebody else's code proprietary, many of them will eventually make use ofthat right.

The call for topics for the LinuxKernelMaintainers Summit went out on August15; one proposed topic hasgenerated some interesting discussion about security-bug reporting for thekernel. A recent patchto the kernel's documentation about how to report security bugs recommendsavoiding posting to the linux-distrosmailing list because its goals and rules do not mesh well with kernelsecurity practices. That led Jiri Kosina to suggesta discussion on security reporting, especially with regard to Linuxdistributions.

The6.4.11,6.1.46,5.15.127,5.10.191,5.4.254,4.19.292, and4.14.323stable kernels have all been released; each contains another set ofimportant fixes.

On August 16, 1993, Ian Murdock announceda new distribution to the comp.os.linux.development Usenet newsgroup:

The Debian project has addedthe LoongArch architecture to its ports collection.

Security updates have been issued by Debian (datatables.js and openssl), Fedora (ghostscript, java-11-openjdk, java-latest-openjdk, microcode_ctl, and xen), Red Hat (redhat-ds:11), SUSE (java-1_8_0-openj9, kernel, krb5, pcre2, and perl-HTTP-Tiny), and Ubuntu (gstreamer1.0, mysql-8.0, tiff, and webkit2gtk).

"Subinterpreters", which are separate Python interpreters running in thesame process that can becreated usingthe C API, have been a part of Python since the previous century(version1.5 in1997), but they are largely unknown and unused.Eric Snow has been on something of a quest, since 2015 or so, to bring better multicore processing to Python byway of subinterpreters (or "multiple interpreters"). He has made it partof the way there, with the adoption of a separate global interpreter lock (GIL) for eachsubinterpreter, whichwas added for Python3.12. Back in April, Snow gave a talk (YouTube video) atPyCon about multiple interpreters, their status, and his plans for thefeature in the future.

Version5.0 ("Daedalus") of the Debian-based Devuan distribution has beenreleased. "This is the result of many months of painstaking work by theTeam and detailed testing by the wider Devuan community." Theannouncement lists a couple of new features but mostly defers to theDebian12 ("bookworm") release notes.

The 2023 Maintainers Summit will be held on November 16 in Richmond, VA,immediately after the Linux PlumbersConference.

Security updates have been issued by Debian (samba), Red Hat (.NET 6.0, .NET 7.0, rh-dotnet60-dotnet, rust, rust-toolset-1.66-rust, and rust-toolset:rhel8), and SUSE (kernel and opensuse-welcome).

For those who find the 6.x kernel intimidating, Seiya Nuta has written a look at the 0.01kernel, which reflects a simpler time.

The Linux fast user-space mutex ("futex") subsystem debuted with the 2.6.0kernel; it provides a mechanism that can be used to implement user-spacelocking. Since futexes avoid calling into the kernel whenever possible,they can indeed be fast, especially in the uncontended case. The API usedto access futexes has never been seen as one of Linux's strongest points,though, so there has long been a desire to improve it. This patchseries from Peter Zijlstra shows what the future of futexes may looklike.

Security updates have been issued by Debian (gst-plugins-ugly1.0, libreoffice, linux-5.10, netatalk, poppler, and sox), Fedora (chromium, ghostscript, java-1.8.0-openjdk-portable, java-11-openjdk, java-11-openjdk-portable, java-17-openjdk-portable, java-latest-openjdk-portable, kernel, linux-firmware, mingw-python-certifi, ntpsec, and php), Oracle (.NET 6.0, .NET 7.0, 15, 18, bind, bind9.16, buildah, cjose, curl, dbus, emacs, firefox, go-toolset and golang, go-toolset:ol8, grafana, iperf3, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, kernel, libcap, libeconf, libssh, libtiff, libxml2, linux-firmware, mod_auth_openidc:2.3, nodejs, nodejs:16, nodejs:18, open-vm-tools, openssh, postgresql:12, postgresql:13, python-requests, python27:2.7, python3, python38:3.8 and python38-devel:3.8, python39:3.9 and python39-devel:3.9, ruby:2.7, samba, sqlite, systemd, thunderbird, virt:ol and virt-devel:rhel, and webkit2gtk3), SUSE (docker, java-1_8_0-openj9, kernel, kernel-firmware, libyajl, nodejs14, openssl-1_0_0, poppler, and webkit2gtk3), and Ubuntu (golang-yaml.v2, intel-microcode, linux, linux-aws, linux-aws-5.4, linux-gcp, linux-gcp-5.4, linux-gkeop, linux-iot, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux, linux-aws, linux-azure, linux-gcp, linux-ibm, linux-kvm, linux-lowlatency, linux-oracle, linux-raspi, linux-oem-6.1, pygments, and pypdf2).

The 6.5-rc6 kernel prepatch is out fortesting.

LWN recently covered a discussion onfile-position locking that demonstrated the hazards that can resultfrom unexpected concurrency. It turns out that this discussion had not yetfully run its course. Since that article was written, additional changesintended to address a performance regression evolved into a core virtualfilesystem (VFS) layer API change to carry out some much-delayed housecleaning.

Greg Kroah-Hartman has announced the release of the6.4.10, 6.1.45, 5.10.190, 5.4.253, 4.19.291, and 4.14.322 stable kernels. Note that 5.15.126was also inthe review process for this batch, but has not (yet) been released. Meanwhile, the rest of the batch all have important fixes throughoutthe kernel tree, as usual.Update: the 5.15.126 announcementhas now gone out as well.