Feed lwn LWN.net

Link https://lwn.net/
Feed http://lwn.net/headlines/rss
Updated 2024-12-21 17:30
Stenberg: Dropping hyper
Curl maintainer Daniel Stenberg announces that the curl project will be dropping hyper, its experimental HTTP backend written in Rust, due to lack of developer interest.
Grml 2024.12 released
Version 2024.12 of the Debian-based Grml live Linux system for system administrators has been released. Grml 2024.12 uses packages from the upcoming Debian 13 ("trixie") release. It drops support for 32-bit x86 PCs and gains support for 64-bit ARM CPUs. See the release notes for a full list of changes and new features.
[$] Process creation in io_uring
Back in 2022, Josh Triplett presented a plan to implement a "spawn new process" functionality in the io_uring subsystem. There was a fair amount of interest at the time, but developers got distracted, and the work did not progress. Now, Gabriel Krisman Bertazi has returned with a patch series updating and improving Triplett's work. While interest in this functionality remains, it may still take some time before it is ready for merging into the mainline.
Security updates for Friday
Security updates have been issued by Debian (chromium and gunicorn), Fedora (jupyterlab), Oracle (bluez, containernetworking-plugins, edk2:20220126gitbb1bba3d77, edk2:20240524, gstreamer1-plugins-base, gstreamer1-plugins-good, kernel, libsndfile, libsndfile:1.0.31, mpg123, mpg123:1.32.9, pam, python3.11-urllib3, skopeo, tuned, and unbound:1.16.2), SUSE (avahi, docker, emacs, govulncheck-vulndb, haproxy, kernel, libmozjs-128-0, python-grpcio, python310-xhtml2pdf, sudo, and tailscale), and Ubuntu (dpdk, linux-hwe-5.15, and linux-iot).
A new set of stable kernels
The 6.12.6, 6.6.67, 6.1.121, 5.15.175, 5.10.232, and 5.4.288 stable kernels have been released. As usual, they contain important fixes throughout the kernel tree.
Security updates for Thursday
Security updates have been issued by AlmaLinux (bluez, edk2:20220126gitbb1bba3d77, gstreamer1-plugins-base, gstreamer1-plugins-good, kernel, kernel-rt, mpg123, php:8.2, python3.11-urllib3, and tuned), Fedora (ColPack, glibc, golang-github-chainguard-dev-git-urls, golang-github-task, icecat, python-nbdime, python3.13, and python3.14), Mageia (kernel, kmod-xtables-addons, kmod-virtualbox, dwarves and kernel-linus), Red Hat (gstreamer1-plugins-base and gstreamer1-plugins-good), SUSE (curl, emacs, git-bug, glib2, helm, kernel, and traefik2), and Ubuntu (gst-plugins-base1.0, gst-plugins-good1.0, gstreamer1.0, libvpx, linux-gcp, phpunit, and yara).
[$] FESCo provenpackager sanction causes problems
The Fedora Engineering Steering Council (FESCo) has made a series of missteps in deciding to revoke a longtime Fedora contributor's provenpackager status. FESCo made the decision during a closed session, based on private complaints. It then publicly announced its decision, including the contributor's name, while only supplying a vague account of the contributor's actions. This has left the Fedora community with more questions than answers, and raised a number of complaints about the transparency of FESCo's process. In addition, the sequence of events has sparked discussions about package ownership, as well as when and how it's appropriate to push changes to packages that a developer doesn't own.
Fish shell announces 4.0 beta release
fish is a shell with a custom language and several affordances not available out of the box in other shells, such as directory-sensitive command completion. Although the project does not normally make beta releases, the newly announced 4.0b1 release will have one in order to ensure that no problems were introduced after a major effort to switch the code base from C++ to Rust.
[$] LWN.net Weekly Edition for December 19, 2024
The LWN.net Weekly Edition for December 19, 2024 is available.
[$] Emacs code completion can cause compromise
Emacs has had a few bugs related to accidentally permitting the execution of untrusted code. Unfortunately, it seems as though another bug of that sort has appeared - and may be harder to patch, because the problem comes from the way Emacs handles expansion of Lisp macros in code being analyzed. The vulnerability is only practically exploitable in a non-default configuration, so not every Emacs user has something to worry about. The Emacs developers are reportedly working on a fix, but have not yet shared details about it. In the meantime, every Emacs version since at least 26.1 (released in May 2018) through the current development version is vulnerable.
Security updates for Wednesday
Security updates have been issued by AlmaLinux (libsndfile, php:7.4, python3.11, python3.12, and python36:3.6), Debian (dpdk), Mageia (curl and socat), Oracle (firefox and tuned), Red Hat (bluez, containernetworking-plugins, edk2, edk2:20220126gitbb1bba3d77, edk2:20240524, expat, gstreamer1-plugins-base, gstreamer1-plugins-base and gstreamer1-plugins-good, gstreamer1-plugins-good, kernel, libsndfile, libsndfile:1.0.31, mpg123, mpg123:1.32.9, pam, python3.11-urllib3, skopeo, tuned, unbound, and unbound:1.16.2), SUSE (cloudflared, curl, docker, firefox, gstreamer-plugins-good, kernel, libmozjs-115-0, libmozjs-128-0, libmozjs-78-0, libsoup, ovmf, python-urllib3_1, subversion, thunderbird, and traefik), and Ubuntu (editorconfig-core, libspring-java, linux, linux-aws, linux-aws-6.8, linux-gcp, linux-gcp-6.8, linux-gke, linux-gkeop, linux-ibm, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, linux-oem-6.8, linux-oracle, linux-oracle-6.8, linux-raspi, linux, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-ibm, linux-ibm-5.15, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-oracle, linux-oracle-5.15, linux-raspi, linux, linux-gcp, linux-gcp-5.4, linux-hwe-5.4, linux-kvm, linux-raspi, linux, linux-lowlatency, linux-oracle, linux-aws, linux-aws-5.15, linux-aws, linux-aws-5.4, linux-bluefield, linux-oracle, linux-oracle-5.4, and linux-oem-6.11).
Fedora Asahi Remix 41 is now available
Fedora Magazine reports that the Fedora Asahi Remix 41 for Apple Silicon is now available:
[$] WP Engine granted preliminary injunction in WordPress case
Since we last looked at the WordPress dispute, WP Engine has sought a preliminary injunction against Automattic and its founder Matt Mullenweg to restore its access to WordPress.org, and more. The judge in the case granted a preliminary injunction on December 10. The case is, of course, of interest to users and developers working with WordPress - but it may also have implications for other open-source projects well beyond the WordPress community.
Kali Linux 2024.4 released
Version 2024.4 of the Kali Linux penetration-testing distribution has been released. Changes include a switch to Python 3.12, the removal of i386 kernel support, GNOME 47, and more.
Security updates for Tuesday
Security updates have been issued by Debian (gstreamer1.0), Fedora (jupyterlab and python-notebook), Oracle (gimp:2.8.22, gstreamer1-plugins-base, gstreamer1-plugins-good, kernel, php:8.2, postgresql, and python3.11), SUSE (aws-iam-authenticator, firefox, installation-images, kernel, libaom, libyuv, libsoup, libsoup2, python-aiohttp, socat, thunderbird, and vim), and Ubuntu (curl, Docker, imagemagick, and kernel).
A sapling matures: meet sq 1.0
The Sequoia PGP project has announced version 1.0 of the sq command-line tool for managing OpenPGP encryption and signatures. It also provides a decentralized public key infrastructure (PKI), and key management facilities. This is the first stable release since development began on the project in 2017.
[$] Using Guile for Emacs
Emacs is, famously, an editor - perhaps far more - that is extensible using its own variant of the Lisp programming language, Emacs Lisp (or Elisp). This year's edition of EmacsConf, which is an annual "gathering" that has been held online for the past five years, had two separate talks on using a different variant of Lisp, Guile, for Emacs. Both projects would preserve Elisp compatibility, which is a must, but they would use Guile differently. The first talk we will cover was given by Robin Templeton, who described the relaunch of the Guile-Emacs project, which would replace the Elisp in Emacs with a compiler using Guile. A subsequent article will look at the other talk, which is about an Emacs clone written using Guile.
Security updates for Monday
Security updates have been issued by Debian (gst-plugins-base1.0, gstreamer1.0, and libpgjava), Fedora (bpftool, chromium, golang-x-crypto, kernel, kernel-headers, linux-firmware, pytest, python3.10, subversion, and thunderbird), Gentoo (NVIDIA Drivers), Oracle (kernel, perl-App-cpanminus:1.7044, php:7.4, php:8.1, php:8.2, postgresql, python3.11, python3.12, python3.9:3.9.21, python36:3.6, ruby, and ruby:2.5), SUSE (docker-stable, firefox-esr, gstreamer, gstreamer-plugins-base, gstreamer-plugins-good, kernel, python-Django, python312, and socat), and Ubuntu (mpmath).
Kernel prepatch 6.13-rc3
Linus has released 6.13-rc3 for testing. "Earlier this week it felt to me like things might have already started to quiet down in prep for the holidays, but doing the statistics on rc3 that doesn't actually seem to be the case - this looks very regular both in number of commits and in diff size".
Xfce 4.20 released
Version 4.20 of the Xfce desktop environment has been released. "The major focus during this development cycle was the preparation of the codebase to be ready for Wayland". See the Xfce 4.20 tour for an overview of the changes in this release.
A pile of stable kernel updates
The 6.12.5, 6.6.66, 6.1.120, 5.15.174, 5.10.231, and 5.4.287 stable kernels have all been released; each contains a relatively large set of important fixes.
[$] Facing the Git commit-ID collision catastrophe
Commits in the Git source-code management system are identified by the SHA-1 hash of their contents - though the specific hash may change someday. The full hash is a 160-bit quantity, normally written as a 40-character hexadecimal string. While those strings are convenient for computers to work with, humans find them to be a bit unwieldy, so it is common to abbreviate the hash values to shorter strings. Geert Uytterhoeven recently proposed increasing the length of those abbreviated hashes as used in the kernel community, but the problem he was working to solve may not be as urgent as it seems.
[$] Providing precise time over the network
Handling time in a networked environment is never easy. The Network Time Protocol (NTP) has been used to synchronize clocks across the internet for almost 40 years - but, as computers and networks get faster, the degree of synchronization it offers is not sufficient for some use cases. The Precision Time Protocol (PTP) attempts to provide more precise time synchronization, at the expense of requiring dedicated kernel and hardware support. The Linux kernel has supported PTP since 2011, but the protocol has recently seen increasing use in data centers. As PTP becomes more widespread, it may be useful to have an idea how it compares to NTP.
CentOS Stream 10 and EPEL 10 released
The CentOS Project has announced the general availability of CentOS Stream 10. See the release notes for information on new features, changes, and removed software. The Extra Packages for Enterprise Linux (EPEL) 10 repository is also available, and will be adding minor version repositories:
Security updates for Friday
Security updates have been issued by Debian (chromium, pgpool2, and smarty4), Fedora (chromium, linux-firmware, matrix-synapse, open62541, and thunderbird), Red Hat (kernel, kernel-rt, python3.11, python3.12, python3.9:3.9.18, python3.9:3.9.21, and ruby:2.5), SUSE (buildah, chromium, govulncheck-vulndb, java-1_8_0-ibm, libsvn_auth_gnome_keyring-1-0, python310-Django, qemu, and radare2), and Ubuntu (linux, linux-aws, linux-aws-6.8, linux-gcp, linux-gcp-6.8, linux-gke, linux-ibm, linux-lowlatency, linux-lowlatency-hwe-6.8, linux-oem-6.8, linux-oracle, linux-oracle-6.8, linux-raspi, linux, linux-gcp, linux-gcp-5.4, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-raspi, linux-xilinx-zynqmp, linux-gkeop, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, php7.0, php7.2, python-asyncssh, and smarty3).
Kubernetes v1.32 released
Version 1.32 (dubbed "Penelope") of Kubernetes has been released with 13 major features graduating to Stable status, 12 entering Beta, and 19 entering Alpha.
Supply-chain attack analysis: Ultralytics (PyPI Blog)
The Python Package Index (PyPI) Blog has an analysis of the compromise of the ultralytics project, and what PyPI has learned from this event:
[$] A last look at the 4.19 stable series
The release of the 4.19.325 stable kernel update on December 5 marked the end of an era of sorts. This kernel had been supported for just over six years since its initial release in October 2018; over that time, 325 updates were released, adding 30,109 fixes. Few Linux kernels receive public support for so long; it is worth taking a look at this kernel's history to see how it played out.
Security updates for Thursday
Security updates have been issued by Debian (libsoup2.4, python-aiohttp, and upx-ucl), Fedora (iaito, python3.11, python3.9, and radare2), Red Hat (ruby, ruby:2.5, and ruby:3.1), Slackware (mozilla-thunderbird), SUSE (govulncheck-vulndb, nodejs18, nodejs20, and socat), and Ubuntu (ofono and python-tornado).
[$] LWN.net Weekly Edition for December 12, 2024
The LWN.net Weekly Edition for December 12, 2024 is available.
[$] A look at CentOS Stream 10
The Red Hat Enterprise Linux (RHEL) 10 beta was released in mid-November and, if all goes according to plan, CentOS Stream 10 should be released before the end of the year. While nothing is etched in stone just yet, it is a good time for anyone using or targeting RHEL (and its clones) to start taking a look at how Stream 10, and the corresponding EPEL repository, is shaping up. This is not only important to RHEL and Stream users, but anyone deploying and supporting software on enterprise Linux (EL) derivatives like AlmaLinux, Oracle Linux, and Rocky Linux as well.
Stable kernel 6.6.65 fixes two regressions
Greg Kroah-Hartman has released version 6.6.65 of the kernel:
[$] Auto-tuning the kernel
The Linux kernel has many tunable parameters. While there is much advice available on the internet about how to set them, few people have the time to weed through the (often contradictory) explanations and choose appropriate values. One possible way to address this is a project called bpftune, a program that uses BPF to track various metrics about a running system and adjust the sysctl knobs appropriately. The program is developed by Oracle, and is available under a GPLv2 license. Bpftune is currently mostly focused on optimizing network settings, but the authors hope that the system is flexible enough to be extended to cover other settings.
Security updates for Wednesday
Security updates have been issued by Debian (proftpd-dfsg and smarty3), Fedora (python3.14), Gentoo (Distrobox, eza, idna, libvirt, and OpenSC), Red Hat (container-tools:rhel8 and edk2), SUSE (avahi, curl, libsoup2, lxd, nodejs20, python-Django, python310-Django4, python312, squid, and webkit2gtk3), and Ubuntu (expat, intel-microcode, linux, linux-aws, linux-kvm, linux-lts-xenial, and shiro).
Systemd 257 released
Systemd 257 has been released. As usual, the list of changes is long; it includes support for multipath TCP in socket units, the ability to run processes as init in their own PID namespace, a new tool for signing EFI binaries for secure boot, and a superhero emoji in the run0 shell prompt, among many other things. Also, support for version-1 control groups has been disabled and requires an elaborate dance to re-enable; it will be removed entirely in the next release, along with support for System V service scripts.
A change of hats! (Fedora Magazine)
Fedora Project Leader (FPL) Matthew Miller writes that he will soon be hanging up the FPL hat:
[$] A Zephyr-based camera trap for seagrass monitoring
In a session at Open Source Summit Europe (OSSEU) back in September, Alex Bucknall gave an overview of a camera "trap" - a device to capture images in a non-intrusive way - that he helped develop which is being used to monitor seagrass. He works for the Arribada Initiative, which is a non-profit organization focused on creating open-source technology for studying wildlife and ecosystems. The camera system uses the Zephyr realtime operating system (RTOS) on an open platform that is designed to be inexpensive and usable for multiple applications.
GNU Shepherd 1.0.0 released
Version 1.0.0 of the GNU Shepherd service manager has been released after a mere 21 years of development.
Security updates for Tuesday
Security updates have been issued by AlmaLinux (postgresql:15, postgresql:16, and ruby:3.1), Debian (jinja2), Fedora (python-multipart, python-python-multipart, python3.12, retsnoop, rust-rbspy, rust-rustls, and zabbix), Oracle (kernel, libsoup, postgresql:12, postgresql:13, postgresql:15, postgresql:16, redis:7, and ruby:3.1), SUSE (nodejs18, pam, qt6-webengine, and radare2), and Ubuntu (dogtag-pki, linux-intel-iotg, linux-intel-iotg-5.15, ofono, rabbitmq-server, and webkit2gtk).
Fedora Steering Council election interviews
When the Fedora Engineering Steering Council (FESCo) is up for election, the project posts interviews of the candidates in order to help Fedora contributors make an informed choice. This year, the candidates are Zbigniew Jędrzejewski-Szmek, Tomáš Hrčka, Josh Stone, David Cantrell, Fabio Alessandro Locati, and Kevin Fenzi. All of them except for Locati are current members of the steering council. Voting is open until December 20.
[$] Finally continuing the discussion over continue in finally
In 2019, the Python community had a lengthy discussion about changing the rules (that some find counterintuitive) on using break, continue, or return statements in finally blocks. These are all ways of jumping out of a finally block, which can interrupt the handling of a raised exception. At the time, the Python developers chose not to change things, because the consensus was that the existing behavior was not a problem. Now, after a report put together by Irit Katriel, the project is once again considering changing the language.
A vulnerability in the OpenWrt attended sysupgrade server
The OpenWrt project has issued an advisory regarding a vulnerability found in its Attended Sysupgrade Server that could allow compromised packages to be installed on a router by an attacker. No official OpenWrt images were affected, and the vulnerability is not known to be exploited, but users who have installed images created with an instance of this server are recommended to reinstall. For a detailed description of how the exploit works, see this blog post.
Two new stable kernels
The 6.12.4 and 6.6.64 stable kernels have been released, each with a set of important fixes throughout the kernel tree, as usual.
Kernel prepatch 6.13-rc2
The 6.13-rc2 kernel prepatch is out for testing. "The diffstat looks a bit unusual with 80%+ drivers, and a lot of it one-liners, but that's actually just because of a couple of automated scripts that got run after -rc1 for some cleanups. Nothing particularly interesting, but it makes for a lot of noise in the diff." One of those scripts was the EXPORT_SYMBOL_NS() change (to make it use a quoted string for the namespace name) described in this article.
Security updates for Monday
Security updates have been issued by AlmaLinux (redis:7, ruby, ruby:2.5, and ruby:3.1), Debian (avahi, ceph, chromium, gsl, jinja2, php7.4, renderdoc, ruby-doorkeeper, and zabbix), Fedora (chromium, python3.11, and uv), Gentoo (Asterisk, Cacti, Chromium, Google Chrome, Microsoft Edge. Opera, Dnsmasq, firefox, HashiCorp Consul, icinga2, OATH Toolkit, OpenJDK, PostgreSQL, R, Salt, Spidermonkey, and thunderbird), Mageia (kubernetes), Red Hat (grafana, grafana-pcp, osbuild-composer, and postgresql), SUSE (ansible-core, firefox, glib2, java-1_8_0-ibm, kernel-firmware, nanopb, netty, python310-django-ckeditor, python310-jupyter-ydoc, radare2, skopeo, and webkit2gtk3), and Ubuntu (tinyproxy).
Abusing Git branch names to compromise a PyPI package
A compromised release was uploaded to PyPI after a project automatically processed a pull request with a flawed script. The GitHub account "OpenIM Robot" (which appears to be controlled by Xinwei Xiong) opened a pull request for the ultralytics Python package. The pull request included a suspicious Git branch name:
A single stable kernel to fix boot problems
Greg Kroah-Hartman released version 6.12.3 of the kernel to fix a regression that can cause some machines to fail to boot on version 6.12.2. The other stable branches are continuing on their normal cadence, with 6.12.4-rc1 and 6.6.64-rc1 starting review today.
[$] Freezing out the page reference count
The page structure sits at the core of the kernel's memory-management subsystem (for now), and a key part of that structure is its reference count, stored in refcount. The page reference count tells the kernel how many users a given page has and when it can be freed. That count is not needed for every page in the system, though. Matthew Wilcox has recently resurrected an old patch set that expands the concept of a "frozen" page - one that lacks a meaningful reference count - to the immediate benefit of the slab allocator but in the service of a longer-term goal as well.
Security updates for Friday
Security updates have been issued by AlmaLinux (firefox, postgresql, postgresql:12, postgresql:13, postgresql:15, postgresql:16, python3:3.6.8, and thunderbird), Debian (clamav), Fedora (pam), Red Hat (firefox, postgresql:13, postgresql:15, python-tornado, redis:7, ruby, ruby:2.5, and ruby:3.1), SUSE (avahi, docker-stable, java-1_8_0-openjdk, libmozjs-128-0, obs-scm-bridge, php8, and teleport), and Ubuntu (ghostscript, needrestart, and shiro).
Apertis v2024 released
Apertis is a Collabora-developed Debian derivative distribution designed to be incorporated into electronic devices; the v2024 release is now available. It is now based on the Bookworm release, and includes support for Podman, ONNX Runtime, OP-TEE, and more.