Feed lwn LWN.net

Link https://lwn.net/
Feed http://lwn.net/headlines/rss
Updated 2024-04-23 10:45
Security updates for Friday
Security updates have been issued by CentOS (firefox and thunderbird), Debian (gsoap, python-django, and wireshark), Fedora (dotnet7.0 and gifsicle), Mageia (sympa), Oracle (postgresql:10, postgresql:12, thunderbird, and unbound), Red Hat (kpatch-patch, python-pillow, and squid:4), SUSE (nodejs12, nodejs14, nodejs16, nodejs18, and openvswitch3), and Ubuntu (linux-azure, linux-lowlatency, linux-starfive-6.5, php-guzzlehttp-psr7, and php-nyholm-psr7).
NVK is now ready for prime time (Collabora blog)
Over on the Collabora blog, Faith Ekstrand has announced that the NVK Vulkan driver for NVIDIA devices will be part of Mesa 24.1 and is ready for real-world use. It should be appearing in Linux distributions later this year.
[$] A sandbox mode for the kernel
The Linux kernel follows a monolithic design, and that brings a well-known problem: all code in the kernel has access to the entirety of the kernel's address space. As a result, a bug in (for example) an obscure driver may well be exploitable to wreak havoc on core-kernel data structures. Various attempts have been made over the years to increase the degree of isolation within the kernel. The latest of these, "SandBoxMode" proposed by Petr Tesařík, makes it possible for the kernel to run some limited code safely, but it has encountered a bit of a chilly reception.
Security updates for Thursday
Security updates have been issued by Debian (chromium), Fedora (moodle), Red Hat (kernel, kernel-rt, and postgresql:15), Slackware (wpa_supplicant), SUSE (Java and rear27a), and Ubuntu (libcpanel-json-xs-perl, libuv1, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.4, linux-lowlatency, linux-lowlatency-hwe-6.5, linux-oem-6.5, python-openstackclient, and unbound).
[$] LWN.net Weekly Edition for February 29, 2024
The LWN.net Weekly Edition for February 29, 2024 is available.
Tails 6.0 released
Tails 6.0 is now available. Based on Debian, Tails is a portable operating system designed to run from a USB stick and help users avoid surveillance and censorship. This release updates most Tails applications, and includes important security and usability improvements. One major new feature in 6.0 is to provide warnings to users about errors when reading or writing to persistent storage. This release now ignores USB devices plugged in while the screen is locked, and removes some file and disk-wiping features from the Files application that are "not reliable enough" on USB sticks and SSDs to continue offering to users. Users of Tails prior to 6.0~rc1 will need to do a manual upgrade to retain persistent storage. New users can download Tails for USB, or as an ISO to create a DVD or run Tails in a virtual machine.
[$] The KDE desktop gets an overhaul with Plasma 6
It's been nearly 10 years since KDE Plasma 5, which is the last major release of the desktop. On February 28 the project announced its "mega release" of KDE Plasma 6, KDE Frameworks 6, and KDE Gear 24.02, all based on the Qt 6 development framework. This release focuses heavily on migrating to Wayland, and aspires to be a seamless upgrade for the user while improving performance, security, and support for newer hardware. For developers, a lot of work has gone into removing deprecated frameworks and decreasing dependencies to make it easier to write applications targeting KDE.
The Open Collective Foundation is shutting down
The Open Collective Foundation is an organization created to provide legal and financial services for non-profit projects, many of which are associated with free software. Projects hosted there are now beginning to report that the Open Collective Foundation will be shutting down at the end of the year, with an unwinding process over that time.
Security updates for Wednesday
Security updates have been issued by Debian (knot-resolver and wpa), Fedora (chromium, kernel, thunderbird, and yarnpkg), Mageia (c-ares), Oracle (firefox, kernel, opensc, postgresql:13, postgresql:15, and thunderbird), Red Hat (edk2, gimp:2.8, and kernel), SUSE (bind, bluez, container-suseconnect, dnsdist, freerdp, gcc12, gcc7, glib2, gnutls, kernel, kubevirt, virt-api-container, virt-controller-container, virt-exportproxy-container, virt-exportserver-container, virt-handler-container, virt-launcher-container, virt-libguestfs-t, libqt5-qtbase, libqt5-qtsvg, nodejs18, nodejs20, openssl, openssl-1_0_0, poppler, python-crcmod, python-cryptography, python-cryptography-vectors, python-pip, python-requests, python3-requests, python311, python39, rabbitmq-c, samba, sccache, shim, SUSE Manager 4.2, SUSE Manager Server 4.2, the Linux-RT Kernel, and thunderbird), and Ubuntu (less, openssl, php7.0, php7.2, php7.4, and tiff).
[$] A look at Nix and Guix
Nix and Guix are a pair of unusual package managers based on the idea of declarative configurations. Their associated Linux distributions, NixOS and the Guix System, take the idea further by allowing users to define a single centralized configuration describing the state of the entire system. Both have been previously mentioned on LWN, but not covered extensively. They offer different takes on the central idea of treating packages like immutable values.
The bpftop tool
Netflix has announced the release of a tool called bpftop to help with the performance optimization of BPF programs in the kernel:
Security updates for Tuesday
Security updates have been issued by Debian (engrampa and libgit2), Fedora (libxls, perl-Spreadsheet-ParseXLSX, and wpa_supplicant), Gentoo (PyYAML), Mageia (packages and thunderbird), Red Hat (firefox, kernel, linux-firmware, thunderbird, and unbound), Slackware (openjpeg), SUSE (golang-github-prometheus-prometheus, installation-images, kernel, python-azure-core, python-azure-storage-blob, salt and python-pyzmq, SUSE Manager 4.2.11, SUSE Manager 4.3, SUSE Manager Server 4.2, and wayland), and Ubuntu (dnsmasq, libde265, libxml2, openjdk-17, openjdk-21, openjdk-lts, and postgresql-12, postgresql-14, postgresql-15).
[$] A RDRAND followup
In a recent episode, "Pitchforks for RDSEED", we learned that there was some uncertainty around whether hardware-based random-number generators on x86 CPUs could fail. Since the consequences of failure in some situations (confidential-computing applications in particular) can be catastrophic, there was some concern about this prospect and what to do about it. Since then, the situation has come a bit more into focus, and there would appear to be an agreed-upon plan for changes to be made to the kernel.
Incus 0.6 released
Version 0.6 of Incus, a fork of LXD, has been released. This release includes a number of changes, including a new storage driver called lvmcluster, improvements for Open Virtual Network (OVN) users, improvements to migration tooling, a number of new security features, and storage bucket backup and re-import. See the release announcement for detailed release notes and complete list of changes. The announcement notes that a Long Term Support (LTS) release of Incus is planned in a few months "to coincide with the LTS releases of LXC and LXCFS".
[$] Treating documentation as code
At FOSDEM 2024, the "Tool the docs" devroom hosted several talks about free and open-source tools for writing, managing, testing, and rendering documentation. The central concept was to treat documentation as code, which makes it possible to incorporate various tools into documentation workflows in order to maintain high quality.
Security updates for Monday
Security updates have been issued by Debian (gnutls28, iwd, libjwt, and thunderbird), Fedora (chromium, expat, mingw-expat, mingw-openexr, mingw-python3, mingw-qt5-qt3d, mingw-qt5-qtactiveqt, mingw-qt5-qtbase, mingw-qt5-qtcharts, mingw-qt5-qtdeclarative, mingw-qt5-qtgraphicaleffects, mingw-qt5-qtimageformats, mingw-qt5-qtlocation, mingw-qt5-qtmultimedia, mingw-qt5-qtquickcontrols, mingw-qt5-qtquickcontrols2, mingw-qt5-qtscript, mingw-qt5-qtsensors, mingw-qt5-qtserialport, mingw-qt5-qtsvg, mingw-qt5-qttools, mingw-qt5-qttranslations, mingw-qt5-qtwebchannel, mingw-qt5-qtwebsockets, mingw-qt5-qtwinextras, mingw-qt5-qtxmlpatterns, and thunderbird), Gentoo (btrbk, Glances, and GNU Aspell), Mageia (clamav and xen, qemu and libvirt), Oracle (firefox and postgresql), Red Hat (firefox, opensc, postgresql:10, postgresql:12, postgresql:13, postgresql:15, thunderbird, and unbound), SUSE (firefox, java-1_8_0-ibm, libxml2, and thunderbird), and Ubuntu (binutils, linux, linux-aws, linux-gcp, linux-hwe-6.5, linux-laptop, linux-oracle, linux-raspi, linux-starfive, linux, linux-azure, linux-azure-5.15, linux-azure-fde, linux-gcp, linux-gcp-5.15, linux-gkeop, linux-gkeop-5.15, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-intel-iotg, linux-intel-iotg-5.15, linux-kvm, linux-lowlatency-hwe-5.15, linux-nvidia, linux-oracle, linux-oracle-5.15, linux-raspi, linux-azure, linux-oem-6.1, and roundcube).
Kernel prepatch 6.8-rc6
Linus has released 6.8-rc6 for testing.
Git 2.44.0 released
Version 2.44.0 of the Git source-code management system has been released. There is a long list of changes, including the git replay command for faster, server-side rebasing, a number of command-line completion improvements, and more.
[$] Forgejo makes a full break from Gitea
The world of open-source "forges" is becoming a little more fragmented. The Forgejo project is a software-development platform that started as a "soft" fork of Gitea in late 2022. On February 16, Forgejo announced its intent to become a "hard fork" of Gitea to help address its mission of community-controlled development and to "liberate software development from the shackles of proprietary tools". In a world where proprietary tools cast a long shadow over open-source development that's a welcome sentiment, if the project can deliver.
Lots of new stable kernels
Greg Kroah-Hartman has announced the release of seven new stable kernels: 6.7.6, 6.6.18, 6.1.79, 5.15.149, 5.10.210, 5.4.269, and 4.19.307. As usual, they contain many important fixes throughout the kernel tree.
Security updates for Friday
Security updates have been issued by Debian (chromium, imagemagick, and iwd), Fedora (chromium, firefox, and pdns-recursor), Mageia (nodejs and yarnpkg), Red Hat (firefox, postgresql, and postgresql:15), and SUSE (bind, mozilla-nss, openssh, php-composer2, python-pycryptodome, python-uamqp, python310, and tiff).
Stenberg: DISPUTED, not REJECTED
The Curl project has previously had problems with CVEs issued for things that are not security issues. On February 21, Daniel Stenberg wrote about the Curl project's most recent issue with the CVE system, saying:
[$] When ELF notes reveal too much
The Linux kernel uses a number of hardening techniques to try to protect itself against compromise; one of those is kernel address-space layout randomization (KASLR). But randomization is of little benefit if the kernel spills the beans on where its code has ended up. As it happens, the kernel has been doing exactly that, since 2007, in a behavior that predates the addition of KASLR. Some changes are in the works to close that hole, but it is illustrative of just how hard some secrets are to keep.
Security updates for Thursday
Security updates have been issued by CentOS (python-pillow), Debian (firefox-esr and imagemagick), Fedora (kernel, mbedtls, rust-asyncgit, rust-bat, rust-cargo-c, rust-eza, rust-git-absorb, rust-git-delta, rust-git2, rust-gitui, rust-libgit2-sys, rust-lsd, rust-pore, rust-pretty-git-prompt, rust-shadow-rs, rust-silver, rust-tokei, and rust-vergen), Gentoo (LibreOffice), Red Hat (kpatch-patch), Slackware (mozilla), SUSE (docker, python-pycryptodome, python3, and qemu), and Ubuntu (firefox and linux, linux-aws, linux-aws-5.4, linux-bluefield, linux-gcp, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-iot, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux-xilinx-zynqmp).
[$] LWN.net Weekly Edition for February 22, 2024
The LWN.net Weekly Edition for February 22, 2024 is available.
[$] Sudo and its alternatives
Sudo is a ubiquitous tool for running commands with the privileges of another user on Unix-like operating systems. Over the past decade or so, some alternatives have been developed; the base system of OpenBSD now comes with doas instead, sudo-rs is a subset of sudo reimplemented in Rust, and, somewhat surprisingly, Microsoft also recently announced its own Sudo for Windows. Each of these offers a different approach to the task of providing limited privileges to unprivileged users.
[$] A proposal for shared memory in BPF programs
Alexei Starovoitov introduced a patch series for the Linux kernel on February 6 to add bpf_arena, a new type of shared memory between BPF programs and user space. Starovoitov expects arenas to be useful both for bidirectional communication between user space and BPF programs, and for use as an additional heap for BPF programs. This will likely be useful to BPF programs that implement complex data structures directly, instead of relying on the kernel to supply them. Starovoitov cited Google's ghOSt project as an example and inspiration for the work.
RawTherapee 5.10 released
Version 5.10 of the RawTherapee raw photo editor is out. The list of changes is long, and includes improved support for many camera-specific formats. (LWN looked at RawTherapee in 2022.)
Security updates for Wednesday
Security updates have been issued by CentOS (linux-firmware and python-reportlab), Debian (unbound), Fedora (freeglut and syncthing), Red Hat (edk2, go-toolset:rhel8, java-1.8.0-ibm, kernel, kernel-rt, mysql:8.0, oniguruma, and python-pillow), Slackware (libuv and mozilla), SUSE (abseil-cpp, grpc, opencensus-proto, protobuf, python-abseil, python-grpcio, re2, bind, dpdk, firefox, hdf5, libssh, libssh2_org, libxml2, mozilla-nss, openssl-1_1, openvswitch, postgresql12, postgresql13, postgresql14, postgresql15, postgresql16, python-aiohttp, python-time-machine, python-pycryptodomex, runc, and webkit2gtk3), and Ubuntu (kernel, libspf2, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, and linux, linux-aws, linux-kvm, linux-lts-xenial).
The "KeyTrap" DNS vulnerability
DNS resolvers (those that handle DNSSEC, at least) are almost uniformly vulnerable to an exploit that has been named "KeyTrap". In short, the right type of packet can send a DNS system into something close to an infinite loop, taking it out of service indefinitely.
[$] A modest update to Qubes OS
Qubes OS is a security-focused desktop Linux distribution built on Fedora Linux and the Xen hypervisor. Qubes uses virtualization to run applications, system services, and device access via virtual machines called "qubes" that have varying levels of trust and persistence to provide an open-source "reasonably secure" operating system with "serious privacy". The Qubes 4.2.0 release, from December 2023, brings a number of refinements to make Qubes OS easier to manage and use.
Righi: Writing a scheduler for Linux in Rust that runs in user-space
Andrea Righi has started a blog series on writing a user-space CPU scheduler with the BPF-based extensible scheduler class:
Hare programming language 0.24.0 released
Drew DeVault announced the first numbered release of the Hare programming language on February 16.
Security updates for Tuesday
Security updates have been issued by Fedora (freeglut, hugin, libmodsecurity, qemu, rust-asyncgit, rust-bat, rust-cargo-c, rust-eza, rust-git-absorb, rust-git-delta, rust-git2, rust-gitui, rust-libgit2-sys, rust-lsd, rust-pore, rust-pretty-git-prompt, rust-shadow-rs, rust-silver, rust-tokei, and rust-vergen), Mageia (packages, radare2, ruby-rack, and wireshark), Oracle (.NET 8.0 and python-pillow), Red Hat (gimp:2.8, java-1.8.0-ibm, and kpatch-patch), SUSE (dpdk and opera), and Ubuntu (bind9, curl, linux-raspi, linux-raspi-5.4, node-ip, and tiff).
[$] A Spritely distributed-computing library
Spritely is a project seeking to build a platform for sovereign distributed applications, applications where users run their own nodes in order to control their own data, as the basis of a new social internet. While there are many such existing projects, Spritely takes an unusual approach based on a new interoperable protocol for efficient, secure remote procedure calls (RPC). The project is in its early stages, with many additional features planned, but it is already possible to play around with Goblins, the distributed actor library that Spritely intends to build on.
Security updates for Monday
Security updates have been issued by Debian (engrampa, openvswitch, pdns-recursor, and runc), Fedora (caddy, expat, freerdp, libgit2, libgit2_1.6, mbedtls, python-cryptography, qt5-qtbase, and sudo), Gentoo (Apache Log4j, Chromium, Google Chrome, Microsoft Edge, CUPS, e2fsprogs, Exim, firefox, Glade, GNU Tar, intel-microcode, libcaca, QtNetwork, QtWebEngine, Samba, Seamonkey, TACACS+, Thunar, and thunderbird), Mageia (dnsmasq, unbound, and vim), Oracle (container-tools:4.0, container-tools:ol8, dotnet6.0, dotnet7.0, kernel, nss, openssh, and sudo), Red Hat (python-pillow), and SUSE (bitcoin, dpdk, libssh, openvswitch, postgresql12, and postgresql13).
Kernel prepatch 6.8-rc5
The 6.8-rc5 kernel prepatch is out for testing. "Absolutely nothing stands out here, although I do wish things should have calmed down a bit more at this point in the release process."
Exploring Agama's 2024 roadmap (openSUSE News)
The openSUSE News blog looks at the roadmap for Agama (a new installer from the YaST development team) with releases planned for April and July:
Stable kernels 6.7.5, 6.6.17, and 6.1.78
Greg Kroah-Hartman has announced the release of the 6.7.5, 6.6.17, and 6.1.78 stable kernels. As is the norm, they contain important fixes throughout the kernel tree. So far, there are no new CVEs reported on the linux-cve-announce mailing list, which means that the new kernel CVE numbering authority (CNA) powers have not yet been used.
[$] Windows NT synchronization primitives for Linux
The futex mechanism provided by the kernel allows for the creation of efficient and flexible locking primitives in user space. Futexes work well for many applications, but not all. One of the exceptions, it seems, is that perennially difficult-to-support use case: Windows games. With this patch series, Elizabeth Figura seeks to provide the sort of locking that those games need, by way of a special-purpose virtual device.
Security updates for Friday
Security updates have been issued by Mageia (bind), Red Hat (.NET 8.0 and kpatch-patch), SUSE (golang-github-prometheus-alertmanager, java-1_8_0-openj9, kernel, libaom, openssl-3, postgresql15, salt, SUSE Manager Client Tools, SUSE Manager Server 4.3, and webkit2gtk3), and Ubuntu (shadow).
[$] Open-source AI at FOSDEM
At FOSDEM 2024 in Brussels, the AI and Machine Learning devroom hosted several talks about open-source AI models. With talks about a definition of open-source AI, "ethical" restrictions in licenses, and the importance of open data sets, in particular for non-English languages, the devroom provided an overview of the current state of the domain.
Security updates for Thursday
Security updates have been issued by Debian (edk2, postgresql-13, and postgresql-15), Fedora (engrampa, vim, and xen), Mageia (mbedtls and quictls), Oracle (nss, openssh, and tcpdump), Red Hat (.NET 8.0), SUSE (hugin, kernel, pdns-recursor, python3, tomcat, and tomcat10), and Ubuntu (clamav, edk2, linux-gcp-6.2, linux-intel-iotg-5.15, linux-oem-6.1, and ujson).
[$] LWN.net Weekly Edition for February 15, 2024
The LWN.net Weekly Edition for February 15, 2024 is available.
LineageOS 21 released
Version 21 of LineageOS,an Android-based distribution, has been released.
The Ubuntu community mourns the loss of Gunnar Hjalmarsson
The Ubuntu Weekly Newsletter carries the sad news that long-time contributor Gunnar Hjalmarsson has passed away.
[$] KDE Plasma X11 support gets a reprieve for Fedora 40
The Fedora Project is working toward the release of Fedora Linux 40, and (as with each release) that means changes to the way the project works and the software included in its repositories. Most of the changes set for Fedora 40 are uncontroversial, but one change is causing quite a stir. The KDE Special Interest Group (SIG) proposed adopting KDE Plasma 6 with only Wayland session support, which it interpreted as a mandate to block any X11 packages for Plasma. Others saw it as overreach by the SIG, and an attempt to block users and contributors from maintaining software they needed.
[$] A turning point for CVE numbers
The Common Vulnerabilities and Exposures (CVE) system was set up in 1999 as a way to refer unambiguously to known vulnerabilities in software. That system has found itself under increasing strain over the years, and numerous projects have responded by trying to assert greater control over how CVE numbers are assigned for their code. On February 13, though, a big shoe dropped when the Linux kernel project announced that it, too, was taking control of CVE-number assignments. As is often the case, though, the kernel developers are taking a different approach to vulnerabilities, with possible implications for the CVE system as a whole.
Security updates for Wednesday
Security updates have been issued by Debian (bind9 and unbound), Fedora (clamav, firecracker, libkrun, rust-event-manager, rust-kvm-bindings, rust-kvm-ioctls, rust-linux-loader, rust-userfaultfd, rust-versionize, rust-vhost, rust-vhost-user-backend, rust-virtio-queue, rust-vm-memory, rust-vm-superio, rust-vmm-sys-util, and virtiofsd), Red Hat (.NET 6.0, dotnet6.0, and dotnet7.0), Slackware (bind and dnsmasq), and Ubuntu (dotnet6, dotnet7, dotnet8, linux-lowlatency, linux-raspi, linux-nvidia-6.2, and ujson).
The kernel becomes its own CNA
Greg Kroah-Hartman has announced that the kernel project has been accepted as a CVE numbering authority (CNA). The way that CVE numbers will be handled by the kernel is described in this documentation patch: