LWN.net

Link https://lwn.net/
Feed http://lwn.net/headlines/rss
Updated 2024-11-21 10:15
[$] LWN.net Weekly Edition for November 21, 2024
The LWN.net Weekly Edition for November 21, 2024 is available.
[$] RVKMS and Rust KMS bindings
At the 2024 X.Org Developers Conference (XDC), Lyude Paul gave a talk on the work she has been doing as part of the Nova project, which is an effort to build an NVIDIA GPU driver in Rust. She wanted to provide an introduction to RVKMS, which is being used to develop Rust kernel mode setting (KMS) bindings; RVKMS is a port of the virtual KMS (VKMS) driver to Rust. In addition, she wanted to give her opinion on Rust, and why she thinks it is a "game-changer for the kernel", noting that the reasons are not related to the oft-mentioned, "headline" feature of the language: memory safety.
Blender 4.3 released
Version 4.3 of the Blender animation system has been released. "Brush assets, faster sculpting, a revolutionized Grease Pencil, and more. Blender 4.3 got you covered."
Plans for CHICKEN 6
CHICKEN Scheme, a portable Scheme compiler, is gearing up for its next major release. Maintainer Felix Winkelmann has shared an article about what changes to expect in version 6 of the language, including better Unicode support and support for the R7RS (small) Scheme standard.
Security updates for Wednesday
Security updates have been issued by Debian (guix, libmodule-scandeps-perl, needrestart, and thunderbird), SUSE (gh), and Ubuntu (kernel, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux, linux-aws, linux-gcp, linux-gcp-6.8, linux-gke, linux-hwe-6.8, linux-ibm, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, linux-oem-6.8, linux-oracle, linux-raspi, linux-iot, linux-lowlatency, linux-lowlatency-hwe-6.8, needrestart, python2.7, python3.10, python3.12, python3.8, and Waitress).
Rocky Linux 9.5 released
Version 9.5 of the Rocky Linux distribution is out. As with the AlmaLinux 9.5 release, Rocky Linux 9.5 tracks the changes in upstream RHEL 9.5. See the release notes for details.
FreeCAD 1.0 released
It took more than 20 years, but the FreeCAD computer-aided design project has just made its 1.0 release.
[$] Book review: Run Your Own Mail Server
The most common piece of advice given to users who ask about running their own mail server is don't. Setting up and securing a mail server in 2024 is not for the faint of heart, nor for anyone without copious spare time. Spammers want to flood inboxes with ads for questionable supplements, attackers want to abuse servers to send spam (or worse), and getting the big providers to accept mail from small servers is a constant uphill battle. Michael W. Lucas, however, encourages users to thumb their nose at the "Email Empire", and declare email independence. His self-published book, Run Your Own Mail Server, provides a manual (and manifesto) for users who are interested in the challenge.
Incus 6.7 released
Version 6.7 of the Incus container-management system (forked from LXD) has been released. "This is another one of those pretty well rounded releases with new features and improvements for everyone". New features include automatic cluster rebalancing, DHCP improvements, and more.
Security updates for Tuesday
Security updates have been issued by AlmaLinux (.NET 9.0, bcc, bluez, bpftrace, bubblewrap, flatpak, buildah, cockpit, containernetworking-plugins, cups, cyrus-imapd, edk2, expat, firefox, fontforge, gnome-shell, gnome-shell-extensions, grafana, grafana-pcp, gtk3, httpd, iperf3, jose, krb5, libgcrypt, libsoup, libvirt, libvpx, lldpd, microcode_ctl, mingw-glib2, mod_auth_openidc, nano, NetworkManager, oci-seccomp-bpf-hook, openexr, osbuild-composer, pcp, podman, poppler, postfix, python-dns, python-jinja2, python-jwcrypto, python3.11, python3.11-PyMySQL, python3.11-urllib3, python3.12, python3.12-PyMySQL, python3.12-urllib3, python3.9, qemu-kvm, runc, skopeo, squid, thunderbird, toolbox, tpm2-tools, vim, webkit2gtk3, xorg-x11-server, and xorg-x11-server-Xwayland), Fedora (lemonldap-ng and mingw-expat), SUSE (bea-stax, xstream, expat, httpcomponents-client, httpcomponents-core, kernel, SUSE Manager Client Tools, SUSE Manager Proxy, Retail Branch Server 4.3, SUSE Manager Salt Bundle, SUSE Manager Server 4.3, and SUSE Manager Server 5.0), and Ubuntu (curl, glib2.0, and webkit2gtk).
AlmaLinux 9.5 released
Version 9.5 of the AlmaLinux enterprise-oriented distribution has been released.
FreeBSD Foundation releases Bhyve and Capsicum security audit
The FreeBSD Foundation has announced the release of a security audit report conducted by security firm Synacktiv. The audit uncovered a number of vulnerabilities:
[$] Development statistics for 6.12
Linus Torvalds released the 6.12 kernel on November 17, as expected. This development cycle, the last for 2024, brought 13,344 non-merge changesets into the mainline kernel; that made it a relatively slow cycle from this perspective, but 6.12 includes a long list of significant new features. The time has come to look at where those changes came from, and to look at the year-long LTS cycle as well.
Security updates for Monday
Security updates have been issued by AlmaLinux (binutils, libsoup, squid:4, tigervnc, and webkit2gtk3), Debian (icinga2, postgresql-13, postgresql-15, smarty3, symfony, thunderbird, and waitress), Fedora (dotnet9.0, ghostscript, microcode_ctl, php-bartlett-PHP-CompatInfo, python-waitress, and webkitgtk), Gentoo (Perl, Pillow, and X.Org X server, XWayland), Oracle (binutils, cups-filters, giflib, squid, and webkit2gtk3), Red Hat (webkit2gtk3), SUSE (ansible-core, apache2, gio-branding-upstream, icinga2, kernel-devel, libnghttp2-14, libsoup-2_4-1, libsoup-3_0-0, libvirt, nodejs-electron, postgresql13, postgresql16, python39, rclone, thunderbird, ucode-intel-20241112, and wget), and Ubuntu (python-asyncssh and tomcat9).
The 6.12 kernel has been released
Linus has released the 6.12 kernel. "No strange surprises this last week, so we're sticking to the regular release schedule, and that obviously means that the merge window opens tomorrow." Headline features in this release include: support for the Arm permission overlay extension, better compile-time control over which Spectre mitigations to employ, the last pieces of realtime preemption support, the realtime deadline server mechanism, more EEVDF scheduler development, the extensible scheduler class, the device memory TCP work, use of static calls in the security-module subsystem, the integrity policy enforcement security module, the ability to handle devices with a block size larger than the system page size in the XFS filesystem, and more. See the LWN merge-window summaries (part 1, part 2) and the KernelNewbies 6.12 page for more details.
Seven stable kernel updates
The 6.11.9, 6.6.62, 6.1.118, 5.15.173, 5.10.230, 5.4.286, and 4.19.324 stable kernels have all been released; each contains another set of important fixes.
A new package manager for OpenWrt
The OpenWrt router-oriented distribution has long used its own opkg package manager. The project has just announced, though, that future releases will use the apk package manager from Alpine Linux instead. "This new package manager offers a number of advantages over the older opkg system and is a significant milestone in the development of the OpenWrt platform. The older opkg package manager has been deprecated and is no longer part of OpenWrt." There is some more information on this page.
[$] Two approaches to tightening restrictions on loadable modules
The kernel's loadable-module facility allows code to be loaded into (and sometimes removed from) a running kernel. Among other things, loadable modules make it possible to run a kernel with only the subsystems needed for the system's hardware and workload. Loadable modules can also make it easy for out-of-tree code to access parts of the kernel that developers would prefer to keep private; this has led to many discussions in the past. The topic has returned to the kernel's mailing lists with two different patch sets aimed at further tightening the restrictions applied to loadable modules.
[$] Fedora KDE gets a promotion
The Fedora Project is set to welcome a second desktop edition to its lineup after months (or years, depending when one starts the clock) of discussions. The project recently decided to allow a new working group to move forward with a KDE Plasma Desktop edition that will sit alongside the existing GNOME-based Fedora Workstation edition. This puts KDE on a more equal footing within the project, which, it is hoped, will bring more contributors and users interested in KDE to adopt Fedora as their Linux distribution of choice.
Security updates for Friday
Security updates have been issued by Debian (curl and unbound), Fedora (krb5 and microcode_ctl), Red Hat (kernel and kernel-rt), SUSE (glib2, python3-wxPython, and ucode-intel), and Ubuntu (golang-1.17, golang-1.18, libgd2, linux, linux-aws, linux-kvm, linux-lts-xenial, linux-gke, linux-raspi, linux-raspi, linux-raspi-5.4, and php7.0, php7.2).
PyPI now supports digital attestations
The Python Package Index (PyPI) has announced that it has finalized support for PEP 740 ("Index support for digital attestations"). Trail of Bits, which performed much of the development work for the implementation, has an in-depth blog post about the work and its adoption, as well as what is left undone:
[$] Dancing the DMA two-step
Direct memory access (DMA) I/O is simple in concept: a peripheral device moves data directly to or from memory while the CPU is busy doing other things. As is so often the case, DMA is rather more complicated in practice, and the kernel has developed a complicated internal API to support it. It turns out that the DMA API, as it exists now, can affect the performance of some high-bandwidth devices. In an effort to address that problem, Leon Romanovsky is making the API even more complex with this patch series adding a new two-step mapping API.
Stable kernels 6.11.8, 6.6.61, 6.1.117, and 5.15.172
A new batch of stable kernels has just been released: 6.11.8, 6.6.61, 6.1.117, and 5.15.172. As usual, they contain important fixes throughout the kernel tree.
Security updates for Thursday
Security updates have been issued by Fedora (llama-cpp, mingw-expat, python3.6, webkit2gtk4.0, and xorg-x11-server-Xwayland), Mageia (java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-21-openjdk & java-latest-openjdk and libarchive), Oracle (expat, gstreamer1-plugins-base, kernel, libsoup, podman, and tigervnc), SUSE (buildah, java-1_8_0-openjdk, and switchboard-plug-bluetooth), and Ubuntu (zlib).
[$] LWN.net Weekly Edition for November 14, 2024
The LWN.net Weekly Edition for November 14, 2024 is available.
[$] Truly portable C applications
Programming language polyglots are files that are valid programs in multiple languages, and do different things in each. While polyglots are normally nothing more than a curiosity, the Cosmopolitan Libc project has been trying to put them to a novel use: producing native, multi-platform binaries that run directly on several operating systems and architectures. There are still some rough edges with the project's approach, but it is generally possible to build C programs into a polyglot format with minimal tweaking.
Security updates for Wednesday
Security updates have been issued by AlmaLinux (expat), Fedora (chromium and golang-github-nvidia-container-toolkit), Mageia (curl, expat, mpg123, networkmanager-libreswan, openssl, php-tcpdf, qbittorrent, and x11-server, x11-server-xwayland, and tigervnc), Red Hat (kernel and libsoup), Slackware (mozilla), SUSE (firefox, kernel, python-PyPDF2, and xen), and Ubuntu (dotnet9, ghostscript, linux-aws, linux-oem-6.8, and pydantic).
[$] Progress on toolchain security features
Over the years, there has been steady progress in adding security features to compilers and other tools to assist with hardening the Linux kernel (and, of course, other programs). In something of a tradition in the toolchains track at the Linux Plumbers Conference, Kees Cook and Qing Zhao have led a session on that progress and further plans; this year, they were joined by Justin Stitt (YouTube video).
Anaconda’s new "Web UI" (Fedora Magazine)
Garrett LeSage has written an in-depth article for Fedora Magazine about a new web-based user interface (UI) for Fedora's Anaconda installer, planned to ship with Fedora 42. The article looks at the rationale for moving from GTK3 to a web-based UI, provides a number of screenshots and demo screencasts, as well as instructions on trying out the new installer with Fedora Rawhide.
Security updates for Tuesday
Security updates have been issued by AlmaLinux (gstreamer1-plugins-base), Debian (chromium, ghostscript, libarchive, mpg123, ruby-saml, and symfony), Fedora (buildah and podman), Red Hat (buildah, containernetworking-plugins, podman, skopeo, and xorg-x11-server-Xwayland), Slackware (wget), SUSE (pcp), and Ubuntu (linux, linux-aws-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-gkeop-5.15, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-oracle, linux-oracle-5.15, linux-raspi, linux-xilinx-zynqmp and mysql-8.0).
[$] The top open-source security events in 2024
What have been the most significant security-related incidents for the open-source community in 2024 (so far)? Marta Rybczyńska recently ran a poll and got some interesting results. At the 2024 Open Source Summit Japan, she presented those results along with some commentary of her own. The events in question are unlikely to be a surprise to LWN readers, but the overall picture that was presented was worth a look.
RIP Jérémy Bobbio (Lunar)
Longtime Debian and Tor developer Jérémy Bobbio, perhaps better known as "Lunar", died on November 8. Lunar was one of the founders of the reproducible builds movement and more recently had been working with Software Heritage. More information and tributes in French can be found at this site. They will be missed.
Security updates for Monday
Security updates have been issued by AlmaLinux (podman), Debian (guix, libarchive, and nss), Fedora (expat, iaito, opendmarc, python-werkzeug, radare2, squid, and xorg-x11-server), Mageia (htmldoc, libheif, nspr, nss, firefox & rust, python-urllib3, python-werkzeug, quictls, ruby-webrick, and thunderbird), Oracle (firefox and NetworkManager-libreswan), SUSE (apache2, chromedriver, chromium, coredns, expat, govulncheck-vulndb, httpcomponents-client, java-17-openjdk, java-21-openjdk, libheif, python-wxPython, python311, python312, qbittorrent, ruby3.3-rubygem-actionmailer, ruby3.3-rubygem-actiontext, ruby3.3-rubygem-puma, ruby3.3-rubygem-rails, and virtualbox), and Ubuntu (openjdk-17, openjdk-21, openjdk-8, openjdk-lts, and qemu).
Kernel prepatch 6.12-rc7
Linus has released 6.12-rc7 for testing. "No big surprises, and I think everything is on track for a final 6.12 release next weekend."
[$] Back In Time back from the dead
Back In Time is a GPL-2.0-licensed backup tool based on rsync and written in Python. It has both graphical and command-line interfaces, and supports backups to local disks or over SSH. Back In Time was originally written by Oprea Dan and released in 2009. The tool has been through some rough patches over the years, and is currently on its third set of maintainers. Christian Buhtz, one of the current maintainers, explained to me how he and his co-maintainers had revived the project, as well as why he thought Back In Time stood out from all of the existing backup solutions.
Seven more stable kernel updates
Greg Kroah-Hartman has shared another seven stable kernel updates: 6.6.60, 6.11.7, 6.1.116, 5.15.171, 5.10.229, 5.4.285, and 4.19.323.
[$] Pondering systemd-homed for Fedora
Fedora Linux, as a rule, handles version upgrades reasonably well. However, there are times when users may want to do a fresh installation rather than an upgrade but preserve existing users and data under /home. This is a scenario that the Fedora installer, currently, does not address. Users can maintain a separate /home partition, of course, but the installer does not incorporate existing users into the new install; that is an exercise left to the user to handle. One solution might be to use systemd-homed, a systemd service for managing users and home directories. However, a discussion proposing the use of systemd-homed as part of Fedora installation uncovered some hurdles, such as trying to blend its approach to managing users with tools that centralize user management.
Cohen: gccrs: An alternative compiler for Rust
Arthur Cohen has posted a detailed introduction to the gccrs project on the Rust Blog, seemingly with the goal of convincing the Rust community about the value of the project.
Security updates for Friday
Security updates have been issued by AlmaLinux (edk2), Debian (webkit2gtk), Fedora (thunderbird), Oracle (bzip2, container-tools:ol8, edk2, go-toolset:ol8, libtiff, python-idna, python3.11, and python3.12), Slackware (expat), and SUSE (apache2, govulncheck-vulndb, grub2, java-1_8_0-openjdk, python3, python39, qemu, xorg-x11-server, and xwayland).
[$] The trouble with struct sockaddr's fake flexible array
Flexible arrays - arrays that are declared as the final member of a structure and which have a size determined at run time - have long drawn the attention of developers seeking to harden the kernel against buffer-overflow vulnerabilities. These arrays have reliably been a source of bugs, so anything that can be done to ensure that operations on them stay within bounds is a welcome improvement. While many improvements, including the recent counted-by work, have been made, one of the most difficult cases remains. Now, however, developers who are interested in using recent compiler bounds-checking features are trying to get a handle on struct sockaddr.
Security updates for Thursday
Security updates have been issued by AlmaLinux (bcc, bpftrace, bzip2, container-tools:rhel8, grafana-pcp, haproxy, kernel, kernel-rt, krb5, libtiff, python-gevent, python3.11, python3.11-urllib3, python3.12, python3.12-urllib3, xmlrpc-c, and xorg-x11-server and xorg-x11-server-Xwayland), Debian (puma and pypy3), Fedora (firefox), Gentoo (libgit2), Mageia (libarchive), SUSE (ghostscript, go1.22-openssl, go1.23-openssl, htmldoc, kmail-account-wizard, libarchive, libgsf, libmozjs-128-0, openssl-3, python-jupyterlab, python-mysql-connector-python, python36, and ruby2.1), and Ubuntu (cinder, linux-aws, linux-aws-6.8, linux-oracle, linux-oracle-6.8, linux-aws, linux-azure-5.4, linux-kvm, linux-oracle, linux-xilinx-zynqmp, and linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency).
[$] LWN.net Weekly Edition for November 7, 2024
The LWN.net Weekly Edition for November 7, 2024 is available.
[$] Building secure images with NixOS
Image-based Linux distributions have seen increasing popularity, recently. They promise reliability and security, but pose packaging problems for existing distributions. Ryan Lahfa and Niklas Sturm spoke about the work that NixOS has done to enable an image-based workflow at this year's All Systems Go! conference in Berlin. Unfortunately, LWN was not able to cover the conference for scheduling reasons, but the videos of the event are available for anyone interested in watching the talks. Lahfa and Sturm explained that it is currently possible to create a NixOS system that cryptographically verifies the kernel, initrd, and Nix store on boot - although doing so still has some rough edges. Making an image-based NixOS installation is similarly possible.
Funding restored for man-page maintenance
Man pages maintainer Alejandro Colomar announced in September that he was suspending his work due to a lack of support. He has now let it be known that funding has been found for the next year at least:
Security updates for Wednesday
Security updates have been issued by AlmaLinux (libtiff), Debian (context, libheif, and thunderbird), Fedora (php-tcpdf, syncthing, and thunderbird), Gentoo (EditorConfig core C library, Flatpak, Neat VNC, and Ubiquiti UniFi), Oracle (bcc, bpftrace, grafana-pcp, haproxy, kernel, krb5, libtiff, python-gevent, python3.11-urllib3, python3.12-urllib3, and xmlrpc-c), Red Hat (python3.11-urllib3), SUSE (audacity, curl, govulncheck-vulndb, gradle, htmldoc, libgsf, python310, and qbittorrent), and Ubuntu (linux-aws-5.4, linux-oracle-5.4, mpg123, and python-werkzeug).
LXQt 2.1.0 released
Version 2.1.0 of the LXQt lightweight Qt desktop environment has been released. The highlight of this release is support for multiple Wayland compositors:
[$] Safety in an unsafe world
Joshua Liebow-Feeser took to the stage at RustConf to describe the methodology that his team uses to encode arbitrary constraints in the Rust type system when working on the Fuchsia operating system (slides). The technique is not unknown to the Rust community, but Liebow-Feeser did a good job of both explaining the method and making a case for why it should be used more widely.
The BPF instruction set architecture is now RFC 9669
After a couple of years of effort, the BPF instruction set architecture has been accepted as RFC 9669, giving it a standard outside of the in-kernel implementation. This message from David Vernet (who also contributed an article on the standardization process last year) describes the process and why it is important:
Security updates for Tuesday
Security updates have been issued by AlmaLinux (firefox, openexr, and thunderbird), Fedora (llama-cpp and python-quart), Oracle (firefox, openexr, thunderbird, and xorg-x11-server and xorg-x11-server-Xwayland), SUSE (chromium, govulncheck-vulndb, openssl-1_1, python311, and python312), and Ubuntu (linux-azure, linux-bluefield, linux-azure, linux-gcp, linux-ibm, openjpeg2, and ruby3.0, ruby3.2, ruby3.3).
[$] The OpenWrt One system
OpenWrt is, despite its relatively low profile, one of our community's most important distributions; it runs untold numbers of network routers and has served as the base on which a lot of network-oriented development (including the bufferbloat-reduction work) has been done. At the beginning of 2024, a few members of the project announced a plan to design and produce a router device specifically designed to run OpenWrt. This device, dubbed the "OpenWrt One", is now becoming available; the kind folks at the Software Freedom Conservancy were kind enough to ship one to LWN, where the desire to play with a new toy is never lacking.