Feed lwn LWN.net

Link https://lwn.net/
Feed http://lwn.net/headlines/rss
Updated 2025-04-08 22:00
Coker: The CUPS vulnerability
Debian Developer Russell Coker has written up an analysis of the remote exploit of CUPS announced in September:
Open Source Initiative announces Open Source AI Definition 1.0
The Open Source Initiative (OSI) has announced the release of version 1.0 of the Open Source AI Definition:
[$] The performance of the Rust compiler
Sparrow Li presented virtually at RustConf 2024 about the current state of and future plans for the Rust compiler's performance. The compiler is relatively slow to compile large programs, although it has been getting better over time. The next big performance improvement to come will be parallelizing the compiler's parsing, type-checking, and related operations, but even after that, the project has several avenues left to explore.
[$] AutoFDO and Propeller
Rong Xu and Han Shen described the kernel-optimization techniques that Google uses in the toolchains track at the 2024 Linux Plumbers Conference. They talked about automatic feedback-directed optimization (AutoFDO), which can be used with the Propeller optimizer to produce kernels with better performance using profile information gathered from real workloads. There is a fair amount of overlap between these tools and the BOLT post-link optimizer, which was the subject of a talk that directly preceded this session.
Security updates for Monday
Security updates have been issued by AlmaLinux (kernel, python3.12, and python3.9), Debian (activemq, chromium, libheif, nss, and twisted), Fedora (chromium, dnsdist, dotnet8.0, edk2, glibc, libdigidocpp, mbedtls3.6, NetworkManager-libreswan, oath-toolkit, podman-tui, prometheus-podman-exporter, python-fastapi, python-openapi-core, python-platformio, python-rpyc, python-starlette, rust-pyo3, rust-pyo3-build-config, rust-pyo3-ffi, rust-pyo3-macros, rust-pyo3-macros-backend, suricata, thunderbird, and yarnpkg), Mageia (cpanminus, libgsf, mozjs78, redis, and thunderbird), Oracle (firefox, python3.12, python3.9, and python39:3.9 and python39-devel:3.9), Red Hat (edk2, grafana, httpd, httpd:2.4, and mod_jk), and SUSE (nodejs-electron, python3, python310, and python39).
Kernel prepatch 6.12-rc5
Linus has released 6.12-rc5 for testing.
[$] OSI readies controversial Open AI definition
The Open Source Initiative (OSI) has been working on defining Open Source AI - that is what constitutes an AI system that can be used, studied, modified, and shared for any purpose - for almost two years. Its board will be voting on the Open Source AI Definition (OSAID) on Sunday, October 27, with the 1.0 version slated to be published on October 28. It is never possible to please everyone in such an endeavor, and it would be folly to make that a goal. However, a number of prominent figures in the open-source community have voiced concerns that OSI is setting the bar too low with the OSAID - which will undo decades of community work to cajole vendors into adhering to or respecting the original Open Source Definition (OSD).
[$] Kernel optimization with BOLT
A pair of talks in the toolchains track at the 2024 Linux Plumbers Conference covered different tools that can be used to optimize the kernel. First up was Maksim Panchenko to describe the binary optimization and layout tool (BOLT) that Meta uses on its production kernels. It optimizes the kernel binary by rearranging it to improve its code locality for better performance. A subsequent article will cover the second talk, which looked at automatic feedback-directed optimization (AutoFDO) and other related techniques that are used to optimize Google's kernels.
Security updates for Friday
Security updates have been issued by Debian (distro-info-data), Fedora (libtiff), Mageia (firefox and oath-toolkit), Red Hat (krb5), and SUSE (openssl-1_1).
[$] realloc() and the oversize importance of zero-size objects
Small objects can lead to large email threads. In this case, the GNU C Library (glibc) community has been having an extensive debate over the handling of zero-byte allocations. Specifically, what should happen when a program calls realloc() specifying a size of zero? This is, it seems, a topic about which some people, at least, have strong feelings.
Security updates for Thursday
Security updates have been issued by AlmaLinux (grafana, NetworkManager-libreswan, python3.11, and python39:3.9 and python39-devel:3.9), Fedora (dotnet6.0, koji, python-fastapi, python-openapi-core, python-platformio, python-starlette, rust-pyo3, rust-pyo3-build-config, rust-pyo3-ffi, rust-pyo3-macros, rust-pyo3-macros-backend, and yarnpkg), Oracle (grafana, kernel, linux-firmware, NetworkManager-libreswan, and python3.11), Slackware (php81), and SUSE (apache2, buildah, cups-filters, go1.21-openssl, podman, postgresql16, python-pyOpenSSL, and webkit2gtk3).
[$] LWN.net Weekly Edition for October 24, 2024
The LWN.net Weekly Edition for October 24, 2024 is available.
[$] Toward safe transmutation in Rust
Currently in Rust, there is no efficient and safe way to turn an array of bytes into a structure that corresponds to the array. Changing that was the topic of Jack Wrenn's talk this year at RustConf: "Safety Goggles for Alchemists". The goal is to be able to "transmute" - Rust's name for this kind of conversion - values into arbitrary user-defined types in a safer way. Wrenn justified the approach that the project has taken to accomplish this, and spoke about the future work required to stabilize it.
Tor Browser 14.0 released
Version 14.0 of the privacy-focused Tor browser has been released.
Kadlčík: Copr Modularity, the End of an Era
Jakub Kadlčík announced on his blog that Fedora's Copr build system will be dropping support for building modules (groups of RPM packages that are built, installed, and shipped together) soon:
[$] Free-software foundations face fundraising problems
In July, at the GNOME annual general meeting (AGM), held at GUADEC 2024, the message from the GNOME Foundation board was that all was well, financially speaking. Not great, but the foundation was on a break-even budget and expected to go into its next fiscal year with a similar budget and headcount. On October 7, however, the board announced that it had had to make some cuts, including reducing its staff by two people. This is not, however, strictly a GNOME problem: similar organizations, such as the Python Software Foundation (PSF), KDE e.V., and the Free Software Foundation Europe (FSFE) are seeing declines in fundraising while also being affected by inflation.
Security updates for Wednesday
Security updates have been issued by Debian (dmitry, libheif, and python-sql), Fedora (suricata and wireshark), SUSE (cargo-c, libeverest, protobuf, and qemu), and Ubuntu (golang-1.22, libheif, unbound, and webkit2gtk).
Several Russian developers lose kernel maintainership status
Perhaps one of the more surprising changes in the 6.12-rc4 development kernel was the removal of several entries from the kernel's MAINTAINERS file. The patch performing the removal was sent (by Greg Kroah-Hartman) only to the patches@lists.linux.dev mailing list; the change was included in a char-misc drivers pull request with no particular mention. The explanation for the removal is simply "various compliance requirements". Given that the developers involved all appear to be of Russian origin, it is not too hard to imagine what sort of compliance is involved here. There has, however, been no public posting of the policy that required the removal of these entries. Update: Linus Torvalds has since publicly supported this action and said that it will not be reverted.
[$] A report from the 2024 Image-Based Linux Summit
The Image-Based Linux Summit has by now established itself as a yearly event. Following on from last year's edition, the third edition was held in Berlin on September 24, the day before All Systems Go! 2024 (ASG). The purpose of this event is to gather stakeholders from various engineering groups and hold friendly but lively discussions around the topic of image-based Linux - that is, Linux distributions based around immutable images, instead of mutable root filesystems.
Introducing AlmaLinux OS Kitten (AlmaLinux Blog)
The AlmaLinux project has introduced a new edition called "Kitten", which will serve as "the direct upstream for AlmaLinux OS and is the primary point for the AlmaLinux community to engage and influence the future of AlmaLinux OS". Not intended for production use, the first release is based on CentOS Stream 10 source, which will eventually be the basis for Red Hat Enterprise Linux (RHEL) 10:
Another five stable kernels
The 6.11.5, 6.6.58, 6.1.114, 5.15.169, and 5.10.228 stable kernels have all been released; each contains another set of important fixes.
OpenSSL 3.4.0 released
Version 3.4.0 of the OpenSSL SSL/TLS library has been released. It adds a number of new encryption algorithms, support for "directly fetched composite signature algorithms such as RSA-SHA2-256", and more. See the release notes for details.
Security updates for Tuesday
Security updates have been issued by Debian (ffmpeg, ghostscript, libsepol, openjdk-11, openjdk-17, perl, and python-sql), Oracle (389-ds-base, buildah, containernetworking-plugins, edk2, httpd, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-21-openjdk, kernel, python-setuptools, skopeo, and webkit2gtk3), Red Hat (buildah), Slackware (openssl), SUSE (apache2, firefox, libopenssl-3-devel, podman, and python310-starlette), and Ubuntu (cups-browsed, firefox, libgsf, and linux-gke).
A new kernel testing tree
Sasha Levin has announced a new tree that is intended to perform continuous-integration tests of pull requests aimed at the mainline. The plan is for this tree to hold more finished work than sometimes ends up in linux-next; in a name that seems destined to create typographical confusion, it is called "linus-next".
Bootc 1.1.0 released
Version 1.1.0 of the bootc utility for performing transactional, in-place operating system updates using Open Container Initiative (OCI) images, has been released. This release "officially stabilizes all APIs" for bootc and includes a number of bug fixes. LWN covered bootc in June.
[$] Python PGP proposal poses packaging puzzles
Sigstore is a project that is meant to simplify and improve the process of signing, verifying, and protecting software. It is a relatively new project, declared "generally available" in 2022. Python is an early adopter of sigstore; it started providing signatures for CPython artifacts with Python 3.11 in 2022. This is in addition to the OpenPGP signatures it has been providing since at least 2001. Now, Seth Michael Larson - the Python Software Foundation (PSF) security developer-in-residence - would like to deprecate the PGP signature and move to sigstore exclusively by next year. If that happens, it will involve some changes in the way that Linux distributions verify Python releases, since none of the major distributions have processes for working with sigstore.
Security updates for Monday
Security updates have been issued by Debian (asterisk, chromium, php-horde-mime-viewer, and php-horde-turba), Fedora (apache-commons-io, buildah, chromium, containers-common, libarchive, libdigidocpp, oath-toolkit, podman, rust-hyper-rustls, rust-reqwest, rust-rustls-native-certs, rust-rustls-native-certs0.7, rust-tonic, rust-tonic-build, rust-tonic-types, rust-tower, rust-tower-http, rust-tower-http0.5, rust-tower0.4, thunderbird, and unbound), SUSE (buildah, chromedriver, chromium, element-desktop, element-web, jetty-annotations, nodejs-electron, php7, php74, php8, podman, python3-virtualbox, qemu, thunderbird, and valkey), and Ubuntu (amd64-microcode).
A vulnerability in the Guix build system
The Guix project has disclosed a security vulnerability in the build daemon that the distribution uses to build and install software locally. The vulnerability allows an existing unprivileged user to get access to a setuid binary, and from there potentially interfere with any other software built or installed on the computer. The project recommends upgrading the guix daemon now, to avoid the issue.
Kernel prepatch 6.12-rc4
Linus has released 6.12-rc4 for testing. "I'm not happy with how big this is - it's probably far from the biggest rc4 ever, but it _is_ the biggest rc4 we've had in the 6.x series at least in number of commits."
[$] The long road to lazy preemption
The kernel's CPU scheduler currently offers several preemption modes that implement a range of tradeoffs between system throughput and response time. Back in September 2023, a discussion on scheduling led to the concept of "lazy preemption", which could simplify scheduling in the kernel while providing better results. Things went quiet for a while, but lazy preemption has returned in the form of this patch series from Peter Zijlstra. While the concept appears to work well, there is still a fair amount of work to be done.
Security updates for Friday
Security updates have been issued by AlmaLinux (java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-21-openjdk, and webkit2gtk3), Debian (apache2), Red Hat (expat), SUSE (cups-filters, jetty-minimal, OpenIPMI, and python-starlette), and Ubuntu (linux-azure, linux-azure, linux-azure-5.15, linux-azure, linux-azure-5.4, and oath-toolkit).
Rust 1.82.0 released
Version 1.82.0 of the Rust language has been released. There are a lot of new features this time, including a cargo info command, tier-1 support for 64-bit Apple Arm systems, a new native syntax (&raw) to create raw pointers, changes to unsafe extern, unsafe attributes, standardized rules around the handling of floating-point not-a-number values, and more.
[$] A look at the aerc mail client
Email has become somewhat unfashionable as a collaboration tool for open-source projects, but there are still a number of projects - such as PostgreSQL and the Linux kernel - that expect contributors to send and review patches via email. The aerc mail client is aimed at developers looking for a text-based, efficient, and extensible client that is meant to be used for working with Git and email. It uses Vim-style keybindings by default, and has an interface inspired by tmux that lets users manage multiple accounts, mails, and embedded terminals at once.
Five new stable kernels
Greg Kroah-Hartman has announced the release of the 6.11.4, 6.6.57, 6.1.113, 5.15.168, and 5.10.227 stable kernels. As usual, this set of updates contains a long list of important fixes throughout the kernel tree.
Security updates for Thursday
Security updates have been issued by Debian (python-cryptography), Fedora (dnsdist and python-virtualenv), Red Hat (java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, and java-21-openjdk), Slackware (libssh2 and mozilla), SUSE (haproxy, keepalived, libarchive, libnss_slurm2, php8, and python310-pytest-html), and Ubuntu (linux, linux-aws, linux-aws-5.15, linux-gcp, linux-gcp-5.15, linux-gkeop, linux-gkeop-5.15, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-intel-iotg, linux-intel-iotg-5.15, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-oracle, linux-oracle-5.15, linux-raspi, linux-xilinx-zynqmp, linux, linux-aws, linux-aws-5.4, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux-xilinx-zynqmp, and linux, linux-aws, linux-aws-6.8, linux-gcp, linux-gcp-6.8, linux-hwe-6.8, linux-ibm, linux-lowlatency, linux-lowlatency-hwe-6.8, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, linux-oem-6.8, linux-oracle, linux-oracle-6.8, linux-raspi).
[$] LWN.net Weekly Edition for October 17, 2024
The LWN.net Weekly Edition for October 17, 2024 is available.
Forgejo 9.0 released
Version 9.0 of the Forgejo software forge system has been released. Changes include a switch to the GPLv3 license, the beginning of a quota system, the removal of go-git support, and a lot of fixes. (LWN looked at Forgejo in February).
[$] Using LKMM atomics in Rust
Rust, like C, has its own memory model describing how concurrent access to the same data by multiple threads can behave. The Linux kernel, however, has its own ideas. The Linux kernel memory model (LKMM) is subtly different from both the standard C memory model and Rust's model. At Kangrejos, Boqun Feng gave a presentation about the need to reconcile the memory models used by Rust and the kernel, including a few potential avenues for doing so. While no consensus was reached, it is an area of active discussion.
[$] Two pidfd tweaks: PIDFD_GET_INFO and PIDFD_SELF
The pidfd mechanism, which uses file descriptors to refer to processes in an unambiguous and race-free way, was first introduced in 2018. Since then, the interface has gained a number of new features, but development has slowed over time as the interface has matured. There are, however, a couple of patches in circulation that are meant to make working with pidfds simpler in some situations.
Security updates for Wednesday
Security updates have been issued by AlmaLinux (buildah, containernetworking-plugins, and skopeo), Fedora (pdns-recursor and valkey), Mageia (unbound), Red Hat (fence-agents, firefox, java-11-openjdk, python-setuptools, python3-setuptools, resource-agents, and thunderbird), SUSE (etcd-for-k8s, libsonivox3, rubygem-puma, and unbound), and Ubuntu (apr, libarchive, linux, linux-aws, linux-aws-hwe, linux-azure-4.15, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, nano, and vim).
LibreSSL 4.0.0 released
Version 4.0.0 of the LibreSSL TLS/cryptography stack has been released. Changes include a cleanup of the MD4 and MD5 implementations, removal of unused DSA methods, changes in libtls protocol parsing to ignore unsupported TLSv1.1 and TLSv1.0 protocols, and many more internal changes and bug fixes.
Security updates for Tuesday
Security updates have been issued by AlmaLinux (container-tools:rhel8, firefox, OpenIPMI, podman, and thunderbird), Debian (libapache-mod-jk, php7.4, and webkit2gtk), Fedora (edk2, koji, libgsf, rust-hyper-rustls, rust-reqwest, rust-rustls-native-certs, rust-rustls-native-certs0.7, rust-tonic, rust-tonic-build, rust-tonic-types, rust-tower, rust-tower-http, rust-tower-http0.5, and rust-tower0.4), Mageia (firefox, firefox-l10n, and thunderbird), Oracle (bind, container-tools:ol8, kernel, kernel-container, OpenIPMI, podman, and thunderbird), Red Hat (container-tools:rhel8, containernetworking-plugins, podman, and skopeo), SUSE (argocd-cli, bsdtar, keepalived, kernel, kyverno, libmozjs-115-0, libmozjs-128-0, libmozjs-78-0, OpenIPMI, opensc, php8, thunderbird, and xen), and Ubuntu (configobj, haproxy, imagemagick, nginx, and postgresql-10, postgresql-9.3).
[$] Zapping pointers out of thin air
Paul McKenney gave a presentation at Kangrejos this year that wasn't (directly) related to Rust. Instead, he spoke about the work he has been doing in concert with many other contributors on improving the handling of subtle concurrency problems in C++. Although he cautioned that his talk was only an overview, and not a substitute for reading the relevant papers, he hoped that the things the C++ community is working on would be of interest to the Rust developers present as well, and potentially inform future work on the language. McKenney's talk was, as is his style, full of subtle examples of weird multithreaded behavior. Interested readers may wish to refer to his slides in an attempt to follow along.
Inkscape 1.4 released
Version 1.4 of the Inkscape open-source vector-graphics editor has been released. Highlights of this release include a filter gallery, import for Affinity Designer files, internal links in exported PDFs, and more. See the release notes for all of the new features. LWN previewed the 1.4 release in early October.
[$] WordPress retaliation impacts community
It is too early to say what the outcome will be in the ongoing fight between Automattic and WP Engine, but the WordPress community at large is already the loser. Automattic founder and CEO Matt Mullenweg has been using his control of the project, and the WordPress.org infrastructure, to punish WP Engine and remove some dissenting contributors from discussion channels. Most recently, Mullenweg has instituted a hostile fork of a WP Engine plugin and the forked plugin is replacing the original via WordPress updates.
[$] Debian's "secret" sauce
While Debian's "sauce" is not actually all that secret, it is not particularly well-known either, Samuel Henrique said at the start of his DebConf24 talk. There is a lot of software-engineering effort that has been put in place by the distribution in order to create and maintain its releases, but "loads of people are not aware" of it. That may be due to the fact that all of that is not really documented anywhere in a central location that he can just point someone to. Recognizing that is what led him to give the talk; hopefully it will be a "first step toward" helping solve the problem.
Security updates for Monday
Security updates have been issued by Debian (docker.io, libreoffice, node-dompurify, python-reportlab, and thunderbird), Fedora (buildah, chromium, kernel, kernel-headers, libgsf, mosquitto, p7zip, podman, python-cramjam, python-virtualenv, redis, rust-async-compression, rust-brotli, rust-brotli-decompressor, rust-libcramjam, rust-libcramjam0.2, rust-nu-command, rust-nu-protocol, rust-redlib, rust-tower-http, thunderbird, and webkit2gtk4.0), Oracle (.NET 6.0, .NET 8.0, e2fsprogs, firefox, golang, openssl, python3-setuptools, systemd, and thunderbird), SUSE (chromium, firefox, java-jwt, libmozjs-128-0, libwireshark18, ntpd-rs, OpenIPMI, thunderbird, and wireshark), and Ubuntu (firefox, python2.7, python3.5, thunderbird, and ubuntu-advantage-desktop-daemon).
Kernel prepatch 6.12-rc3
The 6.12-rc3 kernel prepatch is out for testing.
[$] FFI type mismatches in Rust for Linux
At Kangrejos, Gary Guo wanted to discuss three problems with the way Rust and C code in the kernel interact: mismatched types, too many type casts, and the overhead of helper functions. To fix the first two problems, Guo proposed changing the way the kernel maps C types into Rust types. The last problem was a bit trickier, but he has a clever workaround for that, based on tricking the compiler into inlining the helper functions across language boundaries.
Security updates for Friday
Security updates have been issued by AlmaLinux (.NET 6.0, .NET 8.0, and openssl), Debian (firefox-esr), Fedora (firefox), Mageia (php, quictls, and vim), Red Hat (buildah, container-tools:rhel8, containernetworking-plugins, firefox, podman, skopeo, and tomcat), Slackware (mozilla), SUSE (apache-commons-io, kernel, and xen), and Ubuntu (golang-1.17, libgsf, and linux-aws-6.8, linux-oracle-6.8).