As of this writing, just over 4,900 non-merge changesets have been pulledinto the mainline for the 6.9 release. This work includes the usual arrayof changes all over the kernel tree; read on for a summary of the mostsignificant work merged during the first part of the 6.9 merge window.
Security updates have been issued by Debian (chromium and openvswitch), Fedora (chromium, python-multipart, thunderbird, and xen), Mageia (java-17-openjdk and screen), Red Hat (.NET 7.0, .NET 8.0, kernel-rt, kpatch-patch, postgresql:13, and postgresql:15), Slackware (expat), SUSE (glibc, python-Django, python-Django1, sudo, and vim), and Ubuntu (expat, linux-ibm, linux-ibm-5.4, linux-oracle, linux-oracle-5.4, linux-lowlatency, linux-raspi, python-cryptography, texlive-bin, and xorg-server).
Kaitlyn Abdo of Fedora's AI/MLSIG opened an issue with theFedora Engineering Steering Committee (FESCo) recently that carried a few trickyquestions about packaging machine-learning (ML) models for Fedora. Specifically, the SIG is looking for guidance on whether pre-trained weights forPyTorch constitute code or content. And, if the models are released under alicense approved by theOpen Source Initiative (OSI),does it matter what data the models were trained on? The issue was quicklytossed over to Fedora's legalmailing list and sparked an interesting discussion about how tohandle these items, and a temporary path forward.
Security updates have been issued by Fedora (edk2, freeipa, kernel, and liblas), Oracle (kernel), Red Hat (docker, edk2, kernel, kernel-rt, and kpatch-patch), SUSE (axis, fontforge, gnutls, java-1_8_0-openjdk, kernel, python3, sudo, and zabbix), and Ubuntu (dotnet7, dotnet8, libgoogle-gson-java, openssl, and ovn).
The pidfd abstraction is a Linux-specificway of referring to processes that avoids the race conditions inherent inUnix process ID numbers. Since a pidfd is a file descriptor, it needs afilesystem to implement the usual operations performed on files. As theuse of pidfds has grown, they have stressed the limits of the simplefilesystem that was created for them. Christian Brauner has createda new filesystem for pidfds that seems likely to debut in the 6.9kernel, but it ran into a little bump along the way, demonstrating thatthings you cannot see can still hurt you.
Herb Sutter, chair of the ISO C++ standards committee,writes about the current problems with writing secure C++,and his personal opinion on next steps to address this while maintainingbackward compatibility.
Serialization is the process of transforming Python objects into a sequence ofbytes which can be used to recreate a copy of the object later - or on anothermachine.pickle is Python's native serialization module. It can store complex Pythonobjects,making it an appealing prospect for moving data without having to writecustom serialization code. For example, pickle is an integral component ofseveral fileformats used for machine learning. However, using pickle to deserializeuntrusted files is a major security risk, because doing so can invoke arbitraryPython functions. Consequently, the machine-learning community is working to address thesecurity issues caused by widespread use of pickle.
Security updates have been issued by Debian (qemu), Mageia (libtiff and thunderbird), Red Hat (kernel, kpatch-patch, postgresql, and rhc-worker-script), SUSE (compat-openssl098, openssl, openssl1, python-Django, python-Django1, and wpa_supplicant), and Ubuntu (accountsservice, libxml2, linux-bluefield, linux-raspi-5.4, linux-xilinx-zynqmp, linux-oem-6.1, openvswitch, postgresql-9.5, and ruby-rack).
The 6.8 kernel was released on March 10after a typical, nine-week development cycle. Over this time, 1,938developers contributed 14,405 non-merge changesets, making 6.8 into aslower cycle than 6.7 (but busier than 6.6), with the lowest number ofdevelopers participating since the 6.5 release. Still, there wasa lot going on during this cycle; read on for some of the details.
Security updates have been issued by Debian (libuv1, nss, squid, tar, tiff, and wordpress), Fedora (chromium, exercism, grub2, qpdf, and wpa_supplicant), Oracle (edk2 and opencryptoki), and SUSE (cpio, openssl-1_0_0, openssl-1_1, openssl-3, sudo, tomcat, and xen).
Andrew 'bunnie' Huang provides an update onhis IRIS infrared chip-scanning project as the starting point for adetailed summary on how chip customers can detect forgeries andmodifications in general.
Name collisions aren't just a problem for softwaredevelopment-organizations, projects, and software that have thesame or similar names can cause serious confusion. That was certainlythe case on February28 when the Open CollectiveFoundation (OCF) began to notify its hosted projects that it wouldbe shutting down by the end of2024. The announcement surprisedprojects hosted with OCF, as one might expect. It also worried andconfused users of the Open Collective software platform from Open Collective, Inc. (OCI), aswell as organizations hosted by the Open SourceCollective (OSC) and Open CollectiveEurope (OC Europe). There is enough confusion about the names,relationships between the organizations, and impact on projects likeFlatpak, Homebrew, and htop hosted by OCF, that adeeper look is warranted.
Before loading a BPF program, the kernel must verify that the program issafe to run; among other things, that verification includes ensuring thatthe program will terminate within a bounded time. That requirement haslong made writing loops in BPF a challenging task. The situation hasimproved over the years for some types of loops, but others - includinglinked-list traversal - are still awkward in BPF programs. A new set ofBPF primitives aims to make life easier for this use case through theinstallation of what can be seen as a sort of circuit breaker.
While programmers are used to having tools to check their code forstylistic problems, writers often limit automatic checks of their texts tospelling and, sometimes, grammar, because there are not a lot of optionsfor further checking. If that is the case, Vale, an open-source, command-line tool to enforce editorial-style guidelines, wouldmake auseful addition to their toolbox. The recent release ofVale3.0 warrants a look at this versatile tool, which assists writers byidentifying common errors and helping them maintain a consistent voice in theirprose.
The Fedora Project switchedto MariaDB as the default implementation of MySQL in Fedora19 in 2013. Once a drop-inreplacement for MySQL, MariaDB has diverged enough that this is no longerthe case-and, despite concerns about Oracleand optimism that MariaDB would supplant MySQL, the reality is that MySQLand MariaDB seem to be here to stay. With that in mind, Fedora developerMichal Schormproposed that the project revise the way MySQL and MariaDBare packaged in Fedora starting with Fedora40.
The postmarketOS project, which producesa Linux distribution for phones and mobile devices,has announcedthat it is in the early stages of adding systemd to make it easier to support GNOME and KDE.Users who prefer the OpenRCinit system are assured they will still have that option when building their ownimages "as long as OpenRC is in Alpine Linux (on which postmarketOS is based)":
QUIC is a UDP-based transport protocol that forms the foundation ofHTTP/3.It was initially developed at Google in 2012, and became anIETF standard in2021. Work on the protocol did not stop with its standardization, however. TheQUIC Working Grouppublished several follow-up standards. Now, it is working onfour more extensions to QUIC intended to patch over various shortcomings in thecurrent protocol - although progress has not been quick.
Greg Kroah-Hartman has announced another round of stable kernel updates:6.7.9, 6.6.21,6.1.81, 5.15.151,5.10.212, 5.4.271,and 4.19.309 have all beenreleased. Each contains a set of important fixes.
The kernel's memory-management subsystem is built on the concept of"zones", which were initially added to describe the physicalcharacteristics of the memory pages contained within them. Over time,zones have taken on more of a policy-related role as well. With a patchset called THPallocator optimizations, Yu Zhao has set out to better define the roleof policy-related zones on the path toward adding two more of them, withthe ultimate purpose of improving the kernel's support for transparent hugepages (THPs).
Security updates have been issued by Debian (yard), Oracle (buildah and kernel), Red Hat (389-ds:1.4, edk2, frr, gnutls, haproxy, libfastjson, libX11, postgresql:12, sqlite, squid, squid:4, tcpdump, and tomcat), SUSE (apache2-mod_auth_openidc and glibc), and Ubuntu (linux-gke, python-cryptography, and python-django).
It has long been possible to run multiple Python interpreters in the sameprocess - via the C API, but not within the language itself.Eric Snow has been working to make this abilityavailable in the language for many years.Now, Snow has publishedPEP 734 ("Multiple Interpretersin the Stdlib"), the latest work in hisquest, andsubmittedit to the Python steering council for a decision.If the PEP is approved, users will havean additional option for writing performant parallel Python code.
Security updates have been issued by Debian (firefox-esr and thunderbird), Fedora (dotnet6.0, dotnet8.0, and mod_auth_openidc), Gentoo (Blender, Tox, and UltraJSON), Oracle (kernel), Red Hat (edk2), SUSE (sendmail and zabbix), and Ubuntu (nodejs and thunderbird).
The6.7.8 and6.6.20stable kernel updates have been released. They contain a single patchaddressing an ntfs3 filesystem build error introduced in the previousround of updates.
One of the outcomes of the (extremely) lengthy discussion about usingCommon Lisp features in Emacs Lisp (Elisp), which we looked at back in November, was an effort tostart removing some of those uses from Emacs. The rewrite of some of theElisp in Emacs that uses the Common Lisp library (cl-lib) was started byRichard Stallman as a way to reduce the cognitive load needed formaintaining Emacs itself. Since then, he has broadened his efforts tosimplify Elisp by adding a new pattern-matchingconditional that would be a competitor to pcase,which is a longstanding macro that he finds overly complex.
On February 29, the musl projectannounced release1.2.5, including support for loongarch64 and riscv32. Thisrelease also contains support for thestatx(),preadv2(),and pwritev2() system calls.
Greg Kroah-Hartman has announced the release of seven new stable kernels:6.7.7,6.6.19,6.1.80,5.15.150,5.10.211,5.4.270, and4.19.308.As usual, they contain many important fixes throughout the kernel tree.
Security updates have been issued by CentOS (firefox and thunderbird), Debian (gsoap, python-django, and wireshark), Fedora (dotnet7.0 and gifsicle), Mageia (sympa), Oracle (postgresql:10, postgresql:12, thunderbird, and unbound), Red Hat (kpatch-patch, python-pillow, and squid:4), SUSE (nodejs12, nodejs14, nodejs16, nodejs18, and openvswitch3), and Ubuntu (linux-azure, linux-lowlatency, linux-starfive-6.5, php-guzzlehttp-psr7, and php-nyholm-psr7).
Over on the Collabora blog, Faith Ekstrand has announced that the NVK Vulkan driver for NVIDIA devices will be part of Mesa 24.1 and is ready for real-world use. It should be appearing in Linux distributions later this year.
The Linux kernel follows a monolithic design, and that brings a well-knownproblem: all code in the kernel has access to the entirety of the kernel'saddress space. As a result, a bug in (for example) an obscure driver maywell be exploitable to wreak havoc on core-kernel data structures. Variousattempts have been made over the years to increase the degree of isolationwithin the kernel. The latest of these, "SandBoxMode" proposed by Petr Tesaik, makes it possible for the kernel to runsome limited code safely, but it has encountered a bit of a chilly reception.
Security updates have been issued by Debian (chromium), Fedora (moodle), Red Hat (kernel, kernel-rt, and postgresql:15), Slackware (wpa_supplicant), SUSE (Java and rear27a), and Ubuntu (libcpanel-json-xs-perl, libuv1, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.4, linux-lowlatency, linux-lowlatency-hwe-6.5, linux-oem-6.5, python-openstackclient, and unbound).
Tails 6.0 is now available. Based on Debian, Tails is a portable operating system designed to run from a USB stick and help users avoid surveillance and censorship. This release updates most Tails applications, and includes important security and usability improvements.One major new feature in 6.0 is to provide warnings to users about errors when reading orwriting to persistent storage. This release now ignores USB devices plugged in while the screen is locked, and removes some file and disk-wiping features from the Files application that are "not reliable enough" on USB sticks and SSDs to continue offering to users.Users of Tails prior to 6.0~rc1 will need to do a manualupgrade to retain persistent storage. New users can download Tails forUSB, or asan ISOto create a DVD or run Tails in a virtual machine.
It's been nearly 10 years sinceKDEPlasma5,which is the last major release of the desktop.On February28 the project announced its "mega release" of KDEPlasma6, KDE Frameworks 6, and KDE Gear24.02 - all based on the Qt6 development framework. Thisrelease focuses heavily on migrating to Wayland, and aspires to be a seamlessupgrade for the user while improving performance, security, and supportfor newer hardware. For developers, a lot of work has gone into removingdeprecated frameworks and decreasing dependencies to make it easier to writeapplications targeting KDE.
The Open CollectiveFoundation is an organization created to provide legal and financialservices for non-profit projects, many of which are associated with freesoftware. Projects hosted there are now beginningto report that the Open Collective Foundation will be shutting down atthe end of the year, with an unwinding process over that time.
Nix andGuix are a pair of unusual package managersbased on the idea of declarative configurations. Their associated Linuxdistributions - NixOS and the Guix System - take the idea further by allowing usersto define a single centralized configuration describing the state of the entiresystem. Both havebeen previously mentioned on LWN, but not covered extensively. They offer different takes onthe central idea of treating packages like immutable values.
Security updates have been issued by Debian (engrampa and libgit2), Fedora (libxls, perl-Spreadsheet-ParseXLSX, and wpa_supplicant), Gentoo (PyYAML), Mageia (packages and thunderbird), Red Hat (firefox, kernel, linux-firmware, thunderbird, and unbound), Slackware (openjpeg), SUSE (golang-github-prometheus-prometheus, installation-images, kernel, python-azure-core, python-azure-storage-blob, salt and python-pyzmq, SUSE Manager 4.2.11, SUSE Manager 4.3, SUSE Manager Server 4.2, and wayland), and Ubuntu (dnsmasq, libde265, libxml2, openjdk-17, openjdk-21, openjdk-lts, and postgresql-12, postgresql-14, postgresql-15).
In a recent episode, "Pitchforks for RDSEED",we learned that there was some uncertainty around whether hardware-basedrandom-number generators on x86 CPUs could fail. Since the consequences offailure in some situations (confidential-computing applications inparticular) can be catastrophic, there was some concern about this prospectand what to do about it. Since then, the situation has come a bit moreinto focus, and there would appear to be an agreed-upon plan for changes tobe made to the kernel.
Version 0.6 of Incus, a fork of LXD, has been released. This release includes a number of changes, including a new storage driver called lvmcluster, improvements for Open Virtual Network (OVN) users, improvements to migration tooling, a number of new security features, and storage bucket backup and re-import. See the release announcement for detailed release notes and complete list of changes. The announcement notes that a Long Term Support (LTS) release of Incus is planned in a few months "to coincide with the LTS releases of LXC and LXCFS".
At FOSDEM2024,the "Toolthe docs" devroom hosted several talks about free and open-source toolsfor writing, managing, testing, and rendering documentation. The centralconcept was to treat documentation as code, which makes it possible toincorporate various tools into documentation workflows in order to maintainhigh quality.
LWN.net