Security researcher Simone Margaritelli has reported a new vulnerability in CUPS, the software that many Linux systems use to manage printers and print jobs. Margaritelli describes the impact of the attack by saying:
Danilo Krummrich gave a talk at Kangrejos 2024 focusing on the question of howthe Rust-for-Linux project could improve at getting device and driverabstractions upstream. As a case study, he used some of his recent work thatattempts to make it possible to write a PCI driver entirely in Rust. Therewasn't time to go into as much detail as he would have liked, but he diddemonstrate that it is possible to interface with the kernel's module loader ina way that is much harder toscrew up than the current standard approach in C.
The extensible scheduler class (sched_ext)enables the implementation of CPU schedulers as a set of BPF programsloaded from user space; it first hit the mailing lists in late 2022.Sched_ext has engendered its share of controversy since, but is currentlyslated to be part of the 6.12 kernel release. At the 2024 Linux Plumbers Conference, the growingsched_ext community held one of its first public gatherings; sched_extwould appear to have launched a new burst of creativity in schedulerdesign.
Here's apost on the Google Security Blog on how switching to a memory-safelanguage can quickly reduce vulnerabilities in a project, even if a largebody of older code persists.
The Vanilla OS project haspublished ablog post to answer questions that users have raised since the release of Vanilla OS 2. The post has information about the update strategy for the distribution,an enterpriseversion with support, and plans for an experimental version calledVanilla OS Vision.
In March, Danilo Krummrich announced the newNova GPU driver - a successor to Nouveau for controlling NVIDIA GPUs.At Kangrejos 2024, Krummrich gave apresentation about what it is, why it's needed, and where it'sgoing next. Hearing about the needs of the driver provoked extended discussionon related topics, including what level of safety is reasonable to expect fromdrivers, given that they must interact with the hardware.
The "Linus and Dirk show" has been a fixture at Open Source Summit for aslong as the conference has existed; it started back when the conference wascalled LinuxCon. Since Linus Torvalds famously does not like to givetalks, as he said during this year's edition at Open Source Summit Europe(OSSEU) in Vienna, Austria, he and Dirk Hohndel have been sitting down for aninformal chat on a wide range of topics as a keynote session. That way,Torvalds does not need to prepare, but also does not know what topicswill be brought up, which makes it "so much more fun for one of us", Hohndelsaid with a grin. The topics this time ranged from the just-released6.11kernel and the upcoming Linux6.12, through Rust for the kernel, to the recurring topic of succession andthe graying of Linux maintainers.
Security updates have been issued by Debian (booth), Gentoo (Xpdf), Oracle (go-toolset:ol8, golang, grafana, grafana-pcp, kernel, libnbd, openssl, pcp, and ruby:3.3), Red Hat (container-tools:rhel8, go-toolset:rhel8, golang, kernel, and kernel-rt), SUSE (apr, cargo-audit, chromium, obs-service-cargo, python311, python36, quagga, traefik, and xen), and Ubuntu (intel-microcode, linux-azure-fde-5.15, and puma).
Almost a decade ago KDEe.V.,the non-profit organization that supports KDE, started a process forselecting goals to help the community unite behind a common vision for where theproject should go in the near future. KDErecently wrapped up its 2022-2024 cycle and announced the goals for 2024-2026 at Akademy on September7, in Wurzburg,Germany. This time around, KDE will be looking to streamline itsapplication-development experience, improve support for input devices,and bring in new contributors.
Version10.0.0 of the HarfBuzztext-shaping engine has been released. Notable changes in this releaseinclude Unicode16.0.0 support, adding Cairo script as an output format forhb-view, and a number of bug fixes.
The project to enable the writing of kernel code in Rust has been underwayfor several years, and each kernel release includes more Rust code. Evenso, some developers have expressed frustration at the time it takes to getnew functionality merged, and an air of uncertainty still hangs overthe project. At the 2024 Maintainers Summit, Miguel Ojeda led a discussionon the status of Rust in the kernel and whether the time had come to stopconsidering it an experimental project. There were not answers to all of thequestions, but it seems clear that Rust in the kernel will continuesteaming ahead.
Version 1.0.0 of Hy, a Lisp dialect that is embedded in Python, has been releasedafter nearly 12 years in development. This is the first stable release of the project:
Dirk Behme led a second session, back-to-back withhis session on error handling atKangrejos 2024, discussing providing better guidance for users of the kernel'sRust abstractions. Just after that,Carlos Bilbao and Miguel Ojeda had their own time slot dedicated to collectingresources that could be of use to someone trying to come up to speedon kernel development inRust. The attendees provided a lot of guidance in both sessions, anddiscussed what they could do to make things easier for people comingfrom non-Rust backgrounds.
Konstantin Ryabitsev started a session on development tooling at the 2024Maintainers Summit by saying that he does not want to be a "wrecking ball".If a given workflow is working for people, he does not want to try to forceany sort of change. That said, he has ideas for how he can continue hiswork on providing better tooling for the development community.
As of this writing, 6,778 non-merge changesets have been pulled into themainline kernel for the 6.12 release - over half of the work that had beenstaged in linux-next prior to the opening of the merge window. There hasbeen a lot of refactoring and cleanup work this time around, but also somesignificant changes. Read on for a summary of the first half of the 6.12merge window.
The OpenSSH project has released version 9.9. This version includes support for the new post-quantum cryptography standard from NIST.The release also includesthe next step in the deprecation of DSA keys - they are now disabled by default at compile time,and are expected to be removed entirely in early 2025. The release also contains the normal mixture of bug fixes and small usability improvements.
The kernel normally sits firmly between user space and the system'speripheral devices, and provides a standard interface to those devices. Attimes, though, a more direct interface to a device is desired - but suchinterfaces can be controversial. At the 2024 Maintainers Summit, theassembled developers considered a specific case - the proposed fwctl subsystem - as well as the role of suchdrivers in general.
Security updates have been issued by Debian (chromium), Fedora (bluez, chromium, frr, iwd, libell, python3.11, python3.8, python3.9, and ruby), Mageia (kernel, kmod-xtables-addons, and kmod-virtualbox and kernel-linus), Red Hat (kernel), SUSE (kernel, kubernetes1.23, kubernetes1.24, kubernetes1.25, libmfx, and python-azure-identity), and Ubuntu (emacs, emacs24, emacs25, libreoffice, postgresql-9.5, python2.7, python3.5, and tgt).
On September 19, Thomas Gleixner delivered the pull request for therealtime preemption enablement patches to Linus Torvalds - in printed form,wrapped in gold, with a ribbon, as Torvalds had requested. It was asignificant milestone, marking the completion of a project that required20years of effort. Congratulations are due to everybody involved.Torvalds acted onthe pull request the following morning.
Dirk Behme led a session discussing the use of Rust's question-mark operator inthe kernel at Kangrejos 2024. He was particularly concerned with the concept of"silent" errors that don't print any messages to the console.Other attendees were less convinced that this was a problem, but his presentationsparked a lot of discussion about whether the Rust-for-Linux project couldimprove error handling in kernel Rust code.
The RPM Package Manager (RPM) project isnearing the release of RPM4.20, the last major planned update for the RPM 4.xseries. It has few user-facing changes, butseveral additions and enhancements for developers-as well assome small incompatibilities that will likely require RPM packagers torevise their specfiles. 4.20 will be rolling out to many users soon, inFedora41, which is scheduled for October. RPM6.0 isalready in the works, with a new package format and opening the doorto enabling C++ use in the RPM codebase.
Tracking of regressions seems like an important task for any project; thereis no other way to ensure that known problems are fixed. At the 2024Maintainers Summit, though, Thorsten Leemhuis, who has been doing that workfor the kernel, expressed some doubts about whether it is worth continuing.The result was an energetic session on how regression tracking should bedone better, and how this work should be supported.
Version 47 of the GNOME desktophas been released. Changes include configurable accent colors, bettersmall-screen support, some performance improvements, new file open and savedialogs, and more.
The 6.10.11, 6.6.52, and 6.1.111 stable kernel updates have allbeen released. As usual, they contain important fixes throughout thetree. Users of those kernels should upgrade.
Version6.0 of the Swift programming language has been released. Notablechanges include new low-level programming features,expanded Linux support, and a preview release of the EmbeddedSwift language subset for embedded software development with atoolchain for Arm and RISC-V targets. See the CHANGELOGfor full details of changes in 6.0.
VersionR1/beta5 for the Haikuproject, an open-source "spiritual successor to BeOS", has been released. Notablechanges in this release include a TUN/TAP network driver, basicsupport for USB audio devices, TCP throughput improvements, arewritten driver for the FAT filesystem, read-only support forUnix File System 2 (UFS2), as well as hundreds of bug fixes andperformance improvements since the last release inDecember 2022. Thanks to Paul Wise for the tip.
A Linux system is made up of a large number of interdependent components,all of which must support each other well. It can thus be surprising that,it seems, the developers working on those components do not often speakwith each other. In the hope of improving that situation, efforts havebeen made in recent years to attract toolchain developers to thekernel-heavy Linux Plumbers Conference. This year, though, the oppositehappened as well: the 2024GNU Tools Cauldron hosted a discussion where kernel developers wereinvited to discuss their needs.
Security updates have been issued by AlmaLinux (pcs), Debian (expat, galera-4, libreoffice, mariadb-10.5, and php-twig), Fedora (chromium), Red Hat (ghostscript and git), SUSE (gstreamer-plugins-bad, gstreamer-plugins-bad, libvpl, python-dnspython, python3, and python36), and Ubuntu (expat, frr, libxmltok, linux-xilinx-zynqmp, openssl, and quagga).
Kangrejos 2024 started off with a talk from Benno Lossin about hisrecent workto establish a standard for safety documentation in Rust kernel code. Lossinbegan his talk by giving a brief review of what safety documentation is, andwhy it's needed, before moving on to the current status of his work. Safetydocumentation is easier to read and write when there's a shared vocabulary fordiscussing common requirements; Lossin wants to establish that shared vocabularyfor Rust code in the Linux kernel.
Vanilla OS, an immutable desktopLinux distribution designed for developers and advanced users, hasrecently published its 2.0"Orchid" release. Previously based on Ubuntu, Vanilla OS has nowshifted to Debian unstable ("sid"). The release has made it easier toinstall software from other distributions' package repositories, and itis now theoretically possible to install and run Android applications as well.
Four researchers have published a formal proof that Linux's new deterministic random bit generator (DRBG) is secure in a particular sense - specifically, that the number of queries that would need to be made to it to uncover its internal state depends on the quality of the entropy it can collect from different sources. As long as it can gather enough entropy, it produces secure random numbers.
The generation of binary code for the kernel's BPF virtual machine has beenlimited to the Clang compiler since the beginning; even developers whouse GCC to build kernels must use Clang to compile to BPF. Work hasbeen underway for some years on adding a BPF backend to GCC as well; thedevelopers involved ran a session at the 2024 GNU Tools Cauldron toprovide an update on that project. It would seem that the BPF backend isclose to being ready for production use.
Security updates have been issued by Debian (php-twig and pymongo), Fedora (linux-firmware, microcode_ctl, and python3.13), Mageia (clamav, microcode, postgresql13 and postgresql15, python3-webob, suricata, tcpreplay, tgt, and wireshark), Oracle (httpd, kernel, and linux-kernel), Red Hat (firefox, kernel, kernel-rt, pcs, and thunderbird), SUSE (389-ds, chromium, golang-github-prometheus-prometheus, htmldoc, kernel, SUSE Manager Client Tools, and wireshark), and Ubuntu (clamav, curl, dcmtk, dovecot, nginx, openssh, and python3.10, python3.12, python3.8).
The Linux Foundation has announcedthe creation of the OpenSearch SoftwareFoundation as a vendorneutral home for the OpenSearch search and observabilitysoftware:
The FedoraEngineering Steering Committee (FESCo) has voted toimmediately remove the WolfSSL package from all of Fedora'srepositories due to its maintainer failing to gain approval to packagea new cryptography library for Fedora. Its brief travels throughFedora's package system highlights gaps in documentation, as well asin the packagereview process. The good news is that this may stirFedora to improve its documentation and revive a formal securityteam.
Version 8.0.0 ofthe Valkey open-source in-memory datastore is now available. This is the first major release of Valkeysince the project forked from Redis in March of this year:
The 6.11 kernel was releasedon September15 after a typical nine-week development cycle. Thisrelease integrates 13,890 non-merge changesets, so it was a moderately busycycle, slightly more so that 6.10 was. With a new release comes a new roundof development statistics; read on for the details.
Security updates have been issued by Debian (git, nodejs, and ring), Fedora (apr, bubblewrap, chromium, clamav, flatpak, mingw-expat, python3-docs, python3.12, and thunderbird), Mageia (assimp, botan2, python-tqdm, and radare2), Slackware (libarchive), and SUSE (curl).
Linus has released the 6.11 kernel."I'm once again on the road and not in my normal timezone, but it'sSunday afternoon here in Vienna, and 6.11 is out."Significant changes in this release includenew io_uring operations for bind() and listen(),the nested bottom-half locking patches,the ability to write to busy executablefiles,support for writing block drivers in Rust,support for atomic write operations in theblock layer,the dedicated bucket slab allocator,the vDSO implementation of getrandom(),and more. See the LWN merge-window summaries(part1,part2) for more information.
LWN.net