Feed lwn LWN.net

Link https://lwn.net/
Feed http://lwn.net/headlines/rss
Updated 2024-12-08 04:45
Abusing Git branch names to compromise a PyPI package
A compromised release was uploaded to PyPI after a project automatically processed a pull request with a flawed script. The GitHub account "OpenIM Robot" (which appears to be controlled by Xinwei Xiong) opened a pull request for the ultralytics Python package. The pull request included a suspicious Git branch name:
A single stable kernel to fix boot problems
Greg Kroah-Hartman released version 6.12.3 of the kernel to fix a regression that can cause some machines to fail to boot on version 6.12.2. The other stable branches are continuing on their normal cadence, with 6.12.4-rc1 and 6.6.64-rc1 starting review today.
[$] Freezing out the page reference count
The page structure sits at the core of the kernel's memory-management subsystem (for now), and a key part of that structure is its reference count, stored in refcount. The page reference count tells the kernel how many users a given page has and when it can be freed. That count is not needed for every page in the system, though. Matthew Wilcox has recently resurrected an old patch set that expands the concept of a "frozen" page - one that lacks a meaningful reference count - to the immediate benefit of the slab allocator but in the service of a longer-term goal as well.
Security updates for Friday
Security updates have been issued by AlmaLinux (firefox, postgresql, postgresql:12, postgresql:13, postgresql:15, postgresql:16, python3:3.6.8, and thunderbird), Debian (clamav), Fedora (pam), Red Hat (firefox, postgresql:13, postgresql:15, python-tornado, redis:7, ruby, ruby:2.5, and ruby:3.1), SUSE (avahi, docker-stable, java-1_8_0-openjdk, libmozjs-128-0, obs-scm-bridge, php8, and teleport), and Ubuntu (ghostscript, needrestart, and shiro).
Apertis v2024 released
Apertis is a Collabora-developed Debian derivative distribution designed to be incorporated into electronic devices; the v2024 release is now available. It is now based on the Bookworm release, and includes support for Podman, ONNXRuntime, OP-TEE, and more.
Let's Encrypt sets date for ending OCSP support
In July, Let's Encrypt announced it was ending support "as soon as possible" for the Online Certificate Status Protocol (OCSP) in favor of Certificate Revocation Lists (CRLs) due to privacy concerns. The organization has now announced that it has set a timeline, and will be turning off its OCSP responders on August 6, 2025. There is additional action required for Let's Encrypt users who use the OCSP Must Staple Extension:
‘Tis the Season for COSMIC Alpha 4! (System76 Blog)
System76 has announced the fourth alpha release of its Rust-based COSMIC desktop. New features in this version include the ability to set default applications, region and language settings, a new Accessibility applet, as well as support for variable refresh rate (VRR) in the cosmic-comp compositor and the display settings tool. See the blog post for a full list of fixes and performance improvements. LWN covered the first alpha release in August.
[$] Debian opens a can of username worms
It has long been said that naming things is one of the hard things to do in computer science. That may be so, but it pales in comparison to the challenge of handling usernames properly in applications. This is especially true when multiple applications are involved, and they are all supposed to agree on what characters are, and are not, allowed. The Debian project is facing that problem right now, as two user-creation utilities disagreed about which names are allowable. A plan is in place to sort this out before the release of Debian 13 ("trixie") sometime next year.
Mozilla's new branding strategy
Mozilla would appear to have concluded that the solution to its problems is an extensive rebranding effort:
Stable kernels 6.12.2, 6.11.11, and 4.19.325
Greg Kroah-Hartman has released the 6.12.2, 6.11.11, and 4.19.325 stable kernels. Note that both 6.11.11 and 4.19.325 are the last kernels in those series, "please move off to a newer kernel version". In the 4.19.325 release notice, he has a rather longer-than-usual message, including:
Security updates for Thursday
Security updates have been issued by Fedora (thunderbird, tuned, and webkitgtk), Mageia (python-aiohttp and qemu), Oracle (container-tools:ol8, firefox, java-1.8.0-openjdk, java-11-openjdk, kernel, kernel:4.18.0, krb5, pam, postgresql:16, python-tornado, python3:3.6.8, thunderbird, tigervnc, tuned, and webkit2gtk3), Red Hat (bzip2, postgresql, postgresql:13, postgresql:15, postgresql:16, python-tornado, and ruby:3.1), Slackware (python3), SUSE (postgresql, postgresql16, postgresql17, postgresql13, postgresql14, postgresql15, python-python-multipart, and python3), and Ubuntu (python-django and recutils).
[$] LWN.net Weekly Edition for December 5, 2024
The LWN.net Weekly Edition for December 5, 2024 is available.
Fedora moves towards Forgejo (Fedora Magazine)
Fedora Project Leader Matthew Miller reports that the project's search to replace Pagure as its git forge is almost complete, with the Fedora Council strongly in favor of Forgejo:
Walleij: New ARM32 Security Features in v6.10
Linus Walleij writes about a pair of security features for 32-bit Arm systems; these landed in 6.10, but, he says, have now stabilized to the point that distributors may want to enable them.
[$] The return of RWF_UNCACHED
Linux offers two broad ways of performing I/O to files. Buffered I/O, which is the usual way of accessing a file, stores a copy of the transferred data in the kernel's page cache to speed future accesses. Direct I/O, instead, moves data directly between the storage device and a user-space buffer, avoiding the page cache. Both modes have their advantages and disadvantages. In 2019, Jens Axboe proposed an uncached buffered mode to get some of the advantages of both, but that effort stalled at the time. Now, uncached buffered I/O is back with some impressive performance results behind it.
Hurl 6.0.0 released
Version 6.0.0 of the Hurl command-line tool has been released. Hurl is a curl-powered utility that runs HTTP requests and tests defined in a plain-text Hurl file. Notable features in this release include the ability to generate dynamic values with functions, shorter syntax, and an option to export Hurl files to a list of curl commands. See the release notes for a full list of changes and downloads.
Security updates for Wednesday
Security updates have been issued by Red Hat (go-toolset:rhel8, grafana, kernel, kernel-rt, kernel:4.18.0, pam, pam:1.5.1, pcs, postgresql:12, postgresql:15, postgresql:16, python3:3.6.8, qemu-kvm, rhc, rhc-worker-playbook, and virt:rhel and virt-devel:rhel) and SUSE (ansible-10, ansible-core, avahi, bpftool, python, python3, python36, webkit2gtk3, and xen).
[$] Rust's incremental compiler architecture
The traditional structure of a compiler forms a pipeline - parsing, type-checking, optimization, and code-generation, usually in that order. But modern programming languages have requirements that are ill-suited to such a design. Increasingly, compilers are moving toward other designs in order to support incremental compilation and low-latency responses for uses like integration into IDEs. Rust has, for the last eight years, been pursuing a particularly unusual design; in that time compile times have substantially improved, but there's still more work to be done.
Security updates for Tuesday
Security updates have been issued by AlmaLinux (container-tools:rhel8, kernel, kernel-rt:4.18.0, kernel:4.18.0, pam, pam:1.5.1, perl-App-cpanminus, perl-App-cpanminus:1.7044, python-tornado, tigervnc, tuned, and webkit2gtk3), Debian (needrestart and webkit2gtk), Mageia (firefox, glib2.0, krb5, and thunderbird), Red Hat (firefox, postgresql, postgresql:12, postgresql:13, postgresql:15, postgresql:16, and thunderbird), SUSE (editorconfig-core-c, kernel, php7, php8, python, python-tornado6, python3-virtualenv, python310, python39, thunderbird, wget, and wireshark), and Ubuntu (firefox and haproxy).
NixOS 24.11 released
The most recent version of NixOS, 24.11, was released on November 30. It contains GNOME 47, Plasma 6.2, LLVM 19, and lots more:
Security updates for Monday
Security updates have been issued by Debian (dnsmasq, editorconfig-core, lemonldap-ng, proftpd-dfsg, python3.9, simplesamlphp, tgt, and xfpt), Fedora (qbittorrent, webkitgtk, and wireshark), Mageia (libsoup3 & libsoup), Red Hat (buildah, grafana, grafana-pcp, and podman), SUSE (gimp, kernel, postgresql14, python, webkit2gtk3, xen, and zabbix), and Ubuntu (ansible and postgresql-12, postgresql-14, postgresql-16).
[$] The rest of the 6.13 merge window
The 6.13 merge window closed with the release of 6.13-rc1 on December 1. By that time, 11,307 non-merge commits had been pulled into the mainline repository; about 9,500 of those landed after our first-half merge-window summary was written. There was a lot of new material in these patches, including architecture-support improvements, new BPF features, an efficient way to add guard pages to an address space, more Rust support, a vast number of new device drivers, and more.
Kernel prepatch 6.13-rc1
Linus has released 6.13-rc1 and closed the merge window for this release. "And for once - possibly the first time ever - it looks like the release cycle doesn't clash horribly up with the holiday season, and we'll have time both to stabilize this release, _and_ the work for 6.14 won't be starting until well into January."
Rust 1.83.0 released
Version 1.83.0 of the Rust language has been released.
The OpenWrt One router is now shipping
The OpenWrt One router, which was reviewed here recently, is now generally available.
Security updates for Friday
Security updates have been issued by Debian (firefox-esr, redis, twisted, and tzdata), Fedora (firefox, nss, pam, rust-rustls, rust-zlib-rs, thunderbird, tuned, and xen), and SUSE (cobbler, kernel, libjxl-devel, libuv, postgresql12, postgresql14, postgresql15, python-waitress, seamonkey, tomcat, and tomcat10).
Giving thanks for the LWN community
Earlier today, one of our subscribers, anselm, posted the one millionth item in our database during a discussion in the comments about the GPL. One million articles and comments is a big milestone - one representing twenty two years of work by both the editors of LWN and the community. I think reaching this milestone on Thanksgiving is a lovely coincidental reminder of how far LWN has come, and how that wouldn't have been possible without your support. So thank you for reading.
[$] GIMP 3.0 — a milestone for open-source image editing
The long-awaited release of the GNU Image Manipulation Program (GIMP) 3.0 is on the way, marking the first major update since version 2.10 was released in April 2018. It now features a GTK3 user interface and GIMP 3.0 introduces significant changes to the core platform and plugins. This release also brings performance and usability improvements, as well as more compatibility with Wayland and complex input sources.
Security updates for US Thanksgiving (Thursday)
Security updates have been issued by Debian (firefox-esr, netatalk, and thunderbird), Fedora (firefox, libsoup3, mingw-glib2, mingw-libsoup, mingw-python-waitress, mingw-python3, nss, perl-Module-ScanDeps, php, and python-aiohttp), Mageia (dcmtk, golang, iptraf-ng, libsndfile, microcode, php, postgresql15 & postgresql13, rapidjson, tomcat, wget, and zbar), Red Hat (openssl and openssl-fips-provider, toolbox, and webkit2gtk3), SUSE (firefox, frr, glib2, hplip, kernel, neomutt-20241114, ovmf, python-aiohttp, python-virtualenv, python310-tornado6, qemu, webkit2gtk3, and xen), and Ubuntu (mpg123 and vim).
Elementary OS 8 released
Version 8 of the Ubuntu-based elementary OS has been released. This release includes a rewritten Dock, new window-management features, improvements in the installation and initial setup procedures for visually impaired users, as well as a new Secure Session mode:
[$] The kernel's command-line commotion
For the most part, the 6.13 merge window has gone smoothly, with relatively few problems or disagreements - other than this one, of course. There is one other exception, though, relating to the kernel's presentation of a process's command line to interested user-space observers when a relatively new system call is used. A pull request with a simple change to make that information more user-friendly ran afoul of Linus Torvalds, who has his own view of how it should be managed.
Security updates for Wednesday
Security updates have been issued by Debian (mpg123 and php8.2), Fedora (libsndfile, mingw-glib2, mingw-libsoup, mingw-python3, and qbittorrent), Oracle (pam:1.5.1 and perl-App-cpanminus), Red Hat (firefox, thunderbird, and webkit2gtk3), Slackware (mozilla), SUSE (firefox, rclone, tomcat, tomcat10, and xen), and Ubuntu (gh, libsoup2.4, libsoup3, pygments, TinyGLTF, and twisted).
[$] Arch Linux finally starts licensing PKGBUILDs
Arch Linux is popular as a base for other Linux distributions; examples of Arch-derivatives include EndeavourOS, Manjaro, Parabola, and SteamOS. There's one small problem: the control files used to describe how to build packages for Arch Linux have no stated license. That creates a bit of uncertainty about the rights and responsibilities for the downstream derivatives. So far, that doesn't seem to have been a problem, nor has it stopped other projects from assuming that reuse is allowed. However, the Arch project is looking to add some clarity by explicitly assigning a liberal license to its package sources. Currently the project is in the process of reaching out to contributors to see if they have any objections.
Firefox version 133.0 is now available
Mozilla has announced the release of Firefox 133.0. Notable in this release is the addition of a new anti-tracking feature, Bounce Tracking Protection, which detects trackers based on redirect behavior and automatically purges their cookies and site data to thwart tracking. The release also includes various security fixes and more.
Security updates for Tuesday
Security updates have been issued by Debian (pypy3), Fedora (chromium, cobbler, and libsoup3), Oracle (kernel), SUSE (glib2, govulncheck-vulndb, javapackages-tools, xmlgraphics-batik, xmlgraphics-commons, xmlgraphics-fop, libblkid-devel, opentofu, php8, postgresql, postgresql16, postgresql17, thunderbird, traefik, and ucode-intel), and Ubuntu (needrestart and rapidjson).
Security updates for Monday
Security updates have been issued by Debian (ansible, chromium, ghostscript, glib2.0, intel-microcode, and kernel), Fedora (dotnet9.0, needrestart, php, and python3.6), Oracle (cups, kernel, osbuild-composer, podman, python3.12-urllib3, squid, and xerces-c), Red Hat (buildah, edk2, gnome-shell, haproxy, kernel, kernel-rt, libvpx, pam, python3.11-urllib3, python3.12-urllib3, qemu-kvm, rhc-worker-script, squid:4, and tigervnc), Slackware (php), SUSE (chromedriver, chromium, dcmtk, govulncheck-vulndb, iptraf-ng, and traefik2), and Ubuntu (linux-oracle and openjdk-23).
A kernel code of conduct enforcement action
The Linux Foundation Technical Advisory Board (TAB) has decided to "restrict Kent Overstreet's participation in the kernel development process during the Linux 6.13 kernel development cycle" based on a recommendation from the Code of Conduct committee. In particular, the scope of the restriction will be to "decline all pull requests from Kent Overstreet" during the development cycle. Overstreet is the creator and maintainer of the bcachefs filesystem. This action stems from a message Overstreet posted back in early September that was abusive toward another kernel developer; there is a fair amount of back-and-forth about the incident and the committee's attempts to extract a public apology from Overstreet in that thread. Overstreet has published a lengthy blog post describing his side of the story.
[$] NonStop discussion around adding Rust to Git
The Linux kernel community's discussions about including Rust have gotten a lot of attention, but the kernel is not the only project wrestling with the question of whether to allow Rust. The Git project discussed the prospect in January, and then again at the Git Contributor's Summit in September. Complicating the discussion is the Git project's lack of a policy on platform support, and the fact that it does already have tools written in other languages. While the project has not committed to using or avoiding Rust, it seems like only a matter of time until maintainers will have to make a decision.
Four Friday stable kernel updates
The 6.12.1, 6.11.10, 6.6.63, and 6.1.119 stable kernel updates have been released. As always, they contain important fixes.
Security updates for Friday
Security updates have been issued by Debian (postgresql-13, postgresql-15, and webkit2gtk), Fedora (libsndfile, microcode_ctl, and trafficserver), Mageia (kanboard, kernel, kmod-xtables-addons, kmod-virtualbox, and bluez, kernel-linus, opendmarc, and radare2), Oracle (.NET 9.0, bubblewrap and flatpak, buildah, expat, firefox, grafana, grafana-pcp, kernel, krb5, libsoup, libvpx, NetworkManager-libreswan, openexr, pcp, python3.11, python3.11-urllib3, python3.12, python3.9, squid, thunderbird, tigervnc, and webkit2gtk3), Red Hat (.NET 9.0, binutils, expat, grafana-pcp, kernel, libsoup, NetworkManager-libreswan, openexr, python3.11, python3.12, python39:3.9, squid, tigervnc, and webkit2gtk3), SUSE (chromedriver, cobbler, govulncheck-vulndb, and icinga2), and Ubuntu (linux-lowlatency, linux-lowlatency-hwe-6.8, python2.7, and zbar).
PHP 8.4.1 released
Version 8.4.1 of the PHP language has been released. See this page for details on the new features in this release. "PHP 8.4 is a major update of the PHP language. It contains many new features, such as property hooks, asymmetric visibility, an updated DOM API, performance improvements, bug fixes, and general cleanup."
[$] The beginning of the 6.13 merge window
As of this writing, just over 1,800 non-merge changesets have been pulled into the mainline kernel for the 6.13 release. That number may seem small, given that a typical merge window brings in at least 12,000 commits, but the early pulls this time around have focused on significant core changes, and there are quite a few of them. The time has come to summarize the changes pulled so far, including lazy preemption, multi-grained timestamps, new extended-attribute system calls, and more.
Security updates for Thursday
Security updates have been issued by AlmaLinux (kernel, NetworkManager-libreswan, and openssl), Fedora (chromium and llvm-test-suite), Mageia (thunderbird), and Ubuntu (linux-aws-6.8, linux-azure, linux-azure-6.8, linux-oracle-6.8, linux-azure, and ruby2.7).
[$] LWN.net Weekly Edition for November 21, 2024
The LWN.net Weekly Edition for November 21, 2024 is available.
[$] RVKMS and Rust KMS bindings
At the 2024 X.Org Developers Conference (XDC), Lyude Paul gave a talk on the work she has been doing as part of the Nova project, which is an effort to build an NVIDIA GPU driver in Rust. She wanted to provide an introduction to RVKMS, which is being used to develop Rust kernel mode setting (KMS) bindings; RVKMS is a port of the virtual KMS (VKMS) driver to Rust. In addition, she wanted to give her opinion on Rust, and why she thinks it is a "game-changer for the kernel", noting that the reasons are not related to the oft-mentioned, "headline" feature of the language: memory safety.
Blender 4.3 released
Version 4.3 of the Blender animation system has been released. "Brush assets, faster sculpting, a revolutionized Grease Pencil, and more. Blender 4.3 got you covered."
Plans for CHICKEN 6
CHICKEN Scheme, a portable Scheme compiler, is gearing up for its next major release. Maintainer Felix Winkelmann has shared an article about what changes to expect in version 6 of the language, including better Unicode support and support for the R7RS (small) Scheme standard.
Security updates for Wednesday
Security updates have been issued by Debian (guix, libmodule-scandeps-perl, needrestart, and thunderbird), SUSE (gh), and Ubuntu (kernel, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux, linux-aws, linux-gcp, linux-gcp-6.8, linux-gke, linux-hwe-6.8, linux-ibm, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, linux-oem-6.8, linux-oracle, linux-raspi, linux-iot, linux-lowlatency, linux-lowlatency-hwe-6.8, needrestart, python2.7, python3.10, python3.12, python3.8, and Waitress).
Rocky Linux 9.5 released
Version 9.5 of the Rocky Linux distribution is out. As with the AlmaLinux 9.5 release, Rocky Linux 9.5 tracks the changes in upstream RHEL 9.5. See the release notes for details.
FreeCAD 1.0 released
It took more than 20 years, but the FreeCAD computer-aided design project has just made its 1.0 release.