Feed lwn LWN.net

Link https://lwn.net/
Feed http://lwn.net/headlines/rss
Updated 2025-06-03 11:15
Security updates for Tuesday
Security updates have been issued by AlmaLinux (gstreamer1-plugins-base), Debian (chromium, ghostscript, libarchive, mpg123, ruby-saml, and symfony), Fedora (buildah and podman), Red Hat (buildah, containernetworking-plugins, podman, skopeo, and xorg-x11-server-Xwayland), Slackware (wget), SUSE (pcp), and Ubuntu (linux, linux-aws-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-gkeop-5.15, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-oracle, linux-oracle-5.15, linux-raspi, linux-xilinx-zynqmp and mysql-8.0).
[$] The top open-source security events in 2024
What have been the most significant security-related incidents for the open-source community in 2024 (so far)? Marta Rybczyska recently ran a poll and got some interesting results. At the 2024 Open Source Summit Japan, she presented those results along with some commentary of her own. The events in question are unlikely to be a surprise to LWN readers, but the overall picture that was presented was worth a look.
RIP Jérémy Bobbio (Lunar)
Longtime Debian and Tor developer Jérémy Bobbio - perhaps better known as "Lunar" - died on November 8. Lunar was one of the founders of the reproducible builds movement and more recently had been working with Software Heritage. More information and tributes in French can be found at this site. They will be missed.
Security updates for Monday
Security updates have been issued by AlmaLinux (podman), Debian (guix, libarchive, and nss), Fedora (expat, iaito, opendmarc, python-werkzeug, radare2, squid, and xorg-x11-server), Mageia (htmldoc, libheif, nspr, nss, firefox & rust, python-urllib3, python-werkzeug, quictls, ruby-webrick, and thunderbird), Oracle (firefox and NetworkManager-libreswan), SUSE (apache2, chromedriver, chromium, coredns, expat, govulncheck-vulndb, httpcomponents-client, java-17-openjdk, java-21-openjdk, libheif, python-wxPython, python311, python312, qbittorrent, ruby3.3-rubygem-actionmailer, ruby3.3-rubygem-actiontext, ruby3.3-rubygem-puma, ruby3.3-rubygem-rails, and virtualbox), and Ubuntu (openjdk-17, openjdk-21, openjdk-8, openjdk-lts, and qemu).
Kernel prepatch 6.12-rc7
Linus has released 6.12-rc7 for testing. "No big surprises, and I think everything is on track for a final 6.12 release next weekend."
[$] Back In Time back from the dead
Back In Time is a GPL-2.0-licensed backup tool based on rsync and written in Python. It has both graphical and command-line interfaces, and supports backups to local disks or over SSH. Back In Time was originally written by Oprea Dan and released in 2009. The tool has been through some rough patches over the years, and is currently on its third set of maintainers. Christian Buhtz, one of the current maintainers, explained to me how he and his co-maintainers had revived the project, as well as why he thought Back In Time stood out from all of the existing backup solutions.
Seven more stable kernel updates
Greg Kroah-Hartman has shared another seven stable kernel updates: 6.6.60, 6.11.7, 6.1.116, 5.15.171, 5.10.229, 5.4.285, and 4.19.323.
[$] Pondering systemd-homed for Fedora
Fedora Linux, as a rule, handles version upgrades reasonably well. However, there are times when users may want to do a fresh installation rather than an upgrade but preserve existing users and data under /home. This is a scenario that the Fedora installer, currently, does not address. Users can maintain a separate /home partition, of course, but the installer does not incorporate existing users into the new install - that is an exercise left to the user to handle. One solution might be to use systemd-homed, a systemd service for managing users and home directories. However, a discussion proposing the use of systemd-homed as part of Fedora installation uncovered some hurdles, such as trying to blend its approach to managing users with tools that centralize user management.
Cohen: gccrs: An alternative compiler for Rust
Arthur Cohen has posted a detailed introduction to the gccrs project on the Rust Blog, seemingly with the goal of convincing the Rust community about the value of the project.
Security updates for Friday
Security updates have been issued by AlmaLinux (edk2), Debian (webkit2gtk), Fedora (thunderbird), Oracle (bzip2, container-tools:ol8, edk2, go-toolset:ol8, libtiff, python-idna, python3.11, and python3.12), Slackware (expat), and SUSE (apache2, govulncheck-vulndb, grub2, java-1_8_0-openjdk, python3, python39, qemu, xorg-x11-server, and xwayland).
[$] The trouble with struct sockaddr's fake flexible array
Flexible arrays - arrays that are declared as the final member of a structure and which have a size determined at run time - have long drawn the attention of developers seeking to harden the kernel against buffer-overflow vulnerabilities. These arrays have reliably been a source of bugs, so anything that can be done to ensure that operations on them stay within bounds is a welcome improvement. While many improvements, including the recent counted-by work, have been made, one of the most difficult cases remains. Now, however, developers who are interested in using recent compiler bounds-checking features are trying to get a handle on struct sockaddr.
Security updates for Thursday
Security updates have been issued by AlmaLinux (bcc, bpftrace, bzip2, container-tools:rhel8, grafana-pcp, haproxy, kernel, kernel-rt, krb5, libtiff, python-gevent, python3.11, python3.11-urllib3, python3.12, python3.12-urllib3, xmlrpc-c, and xorg-x11-server and xorg-x11-server-Xwayland), Debian (puma and pypy3), Fedora (firefox), Gentoo (libgit2), Mageia (libarchive), SUSE (ghostscript, go1.22-openssl, go1.23-openssl, htmldoc, kmail-account-wizard, libarchive, libgsf, libmozjs-128-0, openssl-3, python-jupyterlab, python-mysql-connector-python, python36, and ruby2.1), and Ubuntu (cinder, linux-aws, linux-aws-6.8, linux-oracle, linux-oracle-6.8, linux-aws, linux-azure-5.4, linux-kvm, linux-oracle, linux-xilinx-zynqmp, and linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency).
[$] LWN.net Weekly Edition for November 7, 2024
The LWN.net Weekly Edition for November 7, 2024 is available.
[$] Building secure images with NixOS
Image-based Linux distributions have seen increasing popularity recently. They promise reliability and security, but pose packaging problems for existing distributions. Ryan Lahfa and Niklas Sturm spoke about the work that NixOS has done to enable an image-based workflow at this year's All Systems Go! conference in Berlin. Unfortunately, LWN was not able to cover the conference for scheduling reasons, but the videos of the event are available for anyone interested in watching the talks. Lahfa and Sturm explained that it is currently possible to create a NixOS system that cryptographically verifies the kernel, initrd, and Nix store on boot - although doing so still has some rough edges. Making an image-based NixOS installation is similarly possible.
Funding restored for man-page maintenance
Man pages maintainer Alejandro Colomar announced in September that he was suspending his work due to a lack of support. He has now let it be known that funding has been found for the next year at least:
Security updates for Wednesday
Security updates have been issued by AlmaLinux (libtiff), Debian (context, libheif, and thunderbird), Fedora (php-tcpdf, syncthing, and thunderbird), Gentoo (EditorConfig core C library, Flatpak, Neat VNC, and Ubiquiti UniFi), Oracle (bcc, bpftrace, grafana-pcp, haproxy, kernel, krb5, libtiff, python-gevent, python3.11-urllib3, python3.12-urllib3, and xmlrpc-c), Red Hat (python3.11-urllib3), SUSE (audacity, curl, govulncheck-vulndb, gradle, htmldoc, libgsf, python310, and qbittorrent), and Ubuntu (linux-aws-5.4, linux-oracle-5.4, mpg123, and python-werkzeug).
LXQt 2.1.0 released
Version 2.1.0 of the LXQt lightweight Qt desktop environment has been released. The highlight of this release is support for multiple Wayland compositors:
[$] Safety in an unsafe world
Joshua Liebow-Feeser took to the stage at RustConf to describe the methodology that his team uses to encode arbitrary constraints in the Rust type system when working on the Fuchsia operating system (slides). The technique is not unknown to the Rust community, but Liebow-Feeser did a good job of both explaining the method and making a case for why it should be used more widely.
The BPF instruction set architecture is now RFC 9669
After a couple of years of effort, the BPF instruction set architecture has been accepted as RFC 9669, giving it a standard outside of the in-kernel implementation. This message from David Vernet (who also contributed an article on the standardization process last year) describes the process and why it is important:
Security updates for Tuesday
Security updates have been issued by AlmaLinux (firefox, openexr, and thunderbird), Fedora (llama-cpp and python-quart), Oracle (firefox, openexr, thunderbird, and xorg-x11-server and xorg-x11-server-Xwayland), SUSE (chromium, govulncheck-vulndb, openssl-1_1, python311, and python312), and Ubuntu (linux-azure, linux-bluefield, linux-azure, linux-gcp, linux-ibm, openjpeg2, and ruby3.0, ruby3.2, ruby3.3).
[$] The OpenWrt One system
OpenWrt is, despite its relatively low profile, one of our community's most important distributions; it runs untold numbers of network routers and has served as the base on which a lot of network-oriented development (including the bufferbloat-reduction work) has been done. At the beginning of 2024, a few members of the project announced a plan to design and produce a router device specifically designed to run OpenWrt. This device, dubbed the "OpenWrt One", is now becoming available; the kind folks at the Software Freedom Conservancy were kind enough to ship one to LWN, where the desire to play with a new toy is never lacking.
Security updates for Monday
Security updates have been issued by AlmaLinux (firefox, grafana, kernel, and mod_http2), Debian (chromium, openssl, and thunderbird), Fedora (chromium, krb5, mysql8.0, polkit, python-single-version, and webkitgtk), Mageia (bind, buildah, podman, skopeo, kernel, kmod-xtables-addons, kmod-virtualbox, kernel-firmware & kernel-firmware-nonfree radeon-firmware, and kernel-linus), SUSE (apache2, chromedriver, cups-filters, docker-stable, firefox, gama, govulncheck-vulndb, java-11-openjdk, java-17-openjdk, java-23-openjdk, libnss_slurm2, openssl-1_1, openssl-3, python-waitress, python3, python310-waitress, ruby2.5, rubygem-actionmailer-5_1, rubygem-actionpack-5_1, rubygem-bundler, webkit2gtk3, and xorg-x11-server), and Ubuntu (linux-azure-6.8).
Kernel prepatch 6.12-rc6
The 6.12-rc6 kernel prepatch is out for testing. Linus says: "Another week, another rc. Nothing odd or special seems to be going on - this may be a bit on the bigger side for an rc6, but not hugely so, and nothing stands out."
[$] OSI board AMA at All Things Open
Members of the Open Source Initiative (OSI) board sat down for a 45-minute "Ask Me Anything" (AMA) session at All Things Open in Raleigh, NC on October 29. Though the floor was open to any topic the audience might want to ask of the OSI board, many of the questions were focused on the Open Source AI Definition (OSAID), which was announced the day before. The new definition has been somewhat controversial, and the board spent a lot of time addressing concerns about it during the session, as well as questions on open washing, and a need for more education about open source in general.
Four Friday stable kernel updates
Greg Kroah-Hartman has released another four stable Linux kernel updates: 6.11.6, 6.6.59, 6.1.115, and 5.15.170.
Security updates for Friday
Security updates have been issued by Debian (firefox-esr), Fedora (xorg-x11-server-Xwayland), Oracle (buildah, e2fsprogs, grafana, kernel, and mod_http2), Red Hat (buildah, container-tools:rhel8, firefox, grafana, grafana:7.3.6, podman, and thunderbird), SUSE (alloy, cargo-audit-advisory-db-20241030, chromedriver, corepack22, netty, openvpn, python310-Werkzeug, thunderbird, uwsgi, and xsd), and Ubuntu (linux, linux-azure-6.8, linux-gcp-6.8, linux-hwe-6.8 and linux, linux-gcp, linux-gcp-5.4, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4).
October project goals update (Rust Blog)
The Rust blog has an update on its progress on some of its project goals. One of the project's flagship goals is to resolve the biggest blockers to Linux building on stable Rust:
[$] The Overture open-mapping project
OpenStreetMap tends to dominate the space for open mapping data, but it is not the only project working in this area. At the 2024 Open Source Summit Japan, Marc Prioleau presented the Overture Maps Foundation, which is building and distributing a set of worldwide maps under open licenses. Overture may have a similar goal to OpenStreetMap, but its approach and intended uses are significantly different.
Security updates for Thursday
Security updates have been issued by Debian (firefox-esr and openssl), Fedora (firefox, libarchive, micropython, NetworkManager-libreswan, and xorg-x11-server-Xwayland), Red Hat (nano), Slackware (mozilla-firefox, mozilla-thunderbird, tigervnc, and xorg), SUSE (389-ds, Botan, go1.21-openssl, govulncheck-vulndb, java-11-openjdk, lxc, python-Werkzeug, and uwsgi), and Ubuntu (firefox, libarchive, linux-azure-fde, linux-azure-fde-5.15, python-pip, and xorg-server, xorg-server-hwe-16.04, xorg-server-hwe-18.04).
[$] LWN.net Weekly Edition for October 31, 2024
The LWN.net Weekly Edition for October 31, 2024 is available.
Ravier: What's new for Fedora Atomic Desktops in Fedora 41
Timothee Ravier has written a blog post about changes in the Fedora Atomic Desktops for Fedora Linux 41. Some of the notable new features for Atomic Desktops include bootloader updates enabled by default for UEFI systems, first steps towards using bootable containers, and more.
A new release of Raspberry Pi OS
The Raspberry Pi project has announced a new version of Raspberry Pi OS. It includes a number of significant changes, the most notable of which is that the Raspberry Pi Desktop now uses Wayland by default for all Pi models using the labwc compositor:
[$] An update on Apple M1/M2 GPU drivers
The kernel graphics driver for the Apple M1 and M2 GPUs is, rather famously, written in Rust, but it has achieved conformance with various graphics standards, which is also noteworthy. At the X.Org Developers Conference (XDC) 2024, Alyssa Rosenzweig gave an update on the status of the driver, along with some news about the kinds of games it can support (YouTube video, slides). There has been lots of progress since her talk at XDC last year (YouTube video), with, of course, still more to come.
Thunderbird for Android now available
The first stable release of the Thunderbird mail client for Android is now available:
Security updates for Wednesday
Security updates have been issued by AlmaLinux (buildah), Debian (python-git, texlive-bin, and xorg-server), Mageia (chromium-browser-stable), Red Hat (kernel), SUSE (Botan, go1.22-openssl, go1.23-openssl, grafana, libgsf, pcp, pgadmin4, python310-pytest-html, python313, xorg-x11-server, and xwayland), and Ubuntu (nano, python-urllib3, and xorg-server, xwayland).
Firefox version 132.0 is now available
Mozilla has announced the release of a new version of Firefox. This version has the usual mix of security fixes and new features, as well as a handful of deprecations. The release removes support for HTTP/2 Push, but adds hardware acceleration for SVGs, support for wide color gamuts on more platforms, and restores support for remote debugging via USB.
Fedora 41 released
Fedora Linux 41 has been released. See the "what's new" pages for Fedora Workstation and Fedora KDE, to learn more about the latest in those editions. There is also a new Fedora Miracle Window Manager Spin that offers the Miracle tiling window manager for Wayland.
[$] A new approach to validating test suites
The first program that Martin Pool ever wrote, he said, had bugs; the ones he's writing now most likely have bugs too. The talk Pool gave at RustConf this year was about a way to try to write programs with fewer bugs. He has developed a tool called cargo-mutants that highlights gaps in test coverage by identifying functions that can be broken without causing any tests to fail. This can be a valuable complement to other testing techniques, he explained.
Security updates for Tuesday
Security updates have been issued by Debian (exim4) and SUSE (chromium, openssl-1_1, and openssl-3).
Flock: a Flutter fork
A project called Flock has announced its existence. Flock is a fork of the Flutter user-interface toolkit project, motivated by frustration with the resources that Google is putting into Flutter.
Coker: The CUPS vulnerability
Debian Developer Russell Coker has written up an analysis of the remote exploit of CUPS announced in September:
Open Source Initiative announces Open Source AI Definition 1.0
The Open Source Initiative (OSI) has announced the release of version 1.0 of the Open Source AI Definition:
[$] The performance of the Rust compiler
Sparrow Li presented virtually at RustConf 2024 about the current state of and future plans for the Rust compiler's performance. The compiler is relatively slow to compile large programs, although it has been getting better over time. The next big performance improvement to come will be parallelizing the compiler's parsing, type-checking, and related operations, but even after that, the project has several avenues left to explore.
[$] AutoFDO and Propeller
Rong Xu and Han Shen described the kernel-optimization techniques that Google uses in the toolchains track at the 2024 Linux Plumbers Conference. They talked about automatic feedback-directed optimization (AutoFDO), which can be used with the Propeller optimizer to produce kernels with better performance using profile information gathered from real workloads. There is a fair amount of overlap between these tools and the BOLT post-link optimizer, which was the subject of a talk that directly preceded this session.
Security updates for Monday
Security updates have been issued by AlmaLinux (kernel, python3.12, and python3.9), Debian (activemq, chromium, libheif, nss, and twisted), Fedora (chromium, dnsdist, dotnet8.0, edk2, glibc, libdigidocpp, mbedtls3.6, NetworkManager-libreswan, oath-toolkit, podman-tui, prometheus-podman-exporter, python-fastapi, python-openapi-core, python-platformio, python-rpyc, python-starlette, rust-pyo3, rust-pyo3-build-config, rust-pyo3-ffi, rust-pyo3-macros, rust-pyo3-macros-backend, suricata, thunderbird, and yarnpkg), Mageia (cpanminus, libgsf, mozjs78, redis, and thunderbird), Oracle (firefox, python3.12, python3.9, and python39:3.9 and python39-devel:3.9), Red Hat (edk2, grafana, httpd, httpd:2.4, and mod_jk), and SUSE (nodejs-electron, python3, python310, and python39).
Kernel prepatch 6.12-rc5
Linus has released 6.12-rc5 for testing.
[$] OSI readies controversial Open AI definition
The Open Source Initiative (OSI) has been working on defining Open Source AI - that is what constitutes an AI system that can be used, studied, modified, and shared for any purpose - for almost two years. Its board will be voting on the Open Source AI Definition (OSAID) on Sunday, October 27, with the 1.0 version slated to be published on October 28. It is never possible to please everyone in such an endeavor, and it would be folly to make that a goal. However, a number of prominent figures in the open-source community have voiced concerns that OSI is setting the bar too low with the OSAID - which will undo decades of community work to cajole vendors into adhering to or respecting the original Open Source Definition (OSD).
[$] Kernel optimization with BOLT
A pair of talks in the toolchains track at the 2024 Linux Plumbers Conference covered different tools that can be used to optimize the kernel. First up was Maksim Panchenko to describe the binary optimization and layout tool (BOLT) that Meta uses on its production kernels. It optimizes the kernel binary by rearranging it to improve its code locality for better performance. A subsequent article will cover the second talk, which looked at automatic feedback-directed optimization (AutoFDO) and other related techniques that are used to optimize Google's kernels.
Security updates for Friday
Security updates have been issued by Debian (distro-info-data), Fedora (libtiff), Mageia (firefox and oath-toolkit), Red Hat (krb5), and SUSE (openssl-1_1).
[$] realloc() and the oversize importance of zero-size objects
Small objects can lead to large email threads. In this case, the GNU C Library (glibc) community has been having an extensive debate over the handling of zero-byte allocations. Specifically, what should happen when a program calls realloc() specifying a size of zero? This is, it seems, a topic about which some people, at least, have strong feelings.