Security updates have been issued by Mageia (sssd and tcpdump), Red Hat (.NET 7.0, .NET 8.0, expat, kernel, and kernel-rt), Slackware (mozilla), SUSE (kernel, postgresql15, postgresql16, python-arcomplete, python-Fabric, python-PyGithub, python-antlr4-python3-runtime, python-avro, python-chardet, python-distro, python-docker, python-fakeredis, python-fixedint, pyth, and python3), and Ubuntu (linux-bluefield).
Version 24.0 of the Arch-based Manjaro distribution is now available with the 6.9 kernel, GNOME 46, Xfce 4.18, and an update to the Pamac package installer. This is also the project's first release with KDE Plasma 6:
Large language models (LLMs) have been the subject of much discussion and scrutiny recently. Of particular interest to open-source enthusiasts are the problems with running LLMs on one's own hardware - especially when doing so requires NVIDIA's proprietary CUDA toolkit, which remains unavailable in many environments. Mozilla has developed llamafile as a potential solution to these problems. Llamafile can compile LLM weights into portable, native executables for easy integration, archival, or distribution. These executables can take advantage of supported GPUs when present, but do not require them.
The 6.9 kernel was released on May 12 after a typical nine-week development cycle. Once again, this is a major release containing a lot of changes and new features. Our merge-window summaries (part 1, part 2) covered those changes; now that the development cycle is complete, the time has come to look at where all that work came from - and to introduce a new and experimental LWN feature for readers interested in this kind of information.
Maintainers of open-source projects sometimes have disagreements with contributors over how contributions are reviewed, modified, merged, and credited. A written policy describing how contributions are handled can help maintainers set reasonable expectations for potential contributors. In turn, that can make the maintainer's job easier because it can help reduce a source of friction in the project. A guide to help create this kind of policy for a project has recently been developed.
Security updates have been issued by AlmaLinux (nodejs:18 and shim), Debian (atril and chromium), Fedora (chromium, glib2, gnome-shell, mediawiki, php-wikimedia-cdb, php-wikimedia-utfnormal, stb, and tcpdump), Gentoo (Kubelet, PoDoFo, Rebar3, and thunderbird), Mageia (glibc and libnbd), Oracle (kernel), Red Hat (bind and dhcp and varnish), and SUSE (chromium, cpio, freerdp, giflib, gnutls, opera, python-Pillow, python-Werkzeug, tinyproxy, and tpm2-0-tss).
Linus has released the 6.9 kernel. "So 6.9 is now out, and last week has looked quite stable (and the whole release has felt pretty normal)." Significant changes in this release include the ability to create pidfds for individual threads, the BPF arena subsystem, the BPF token security mechanism, truncate() support in io_uring, support for the Rust language on 64-bit Arm systems, weighted interleaving in the memory-management subsystem, the device-mapper virtual data optimizer target, initial FUSE passthrough support, and more. See the LWN merge-window summaries (part 1, part 2) for more information.
In April, the Gentoo Linux project banned the use of generative AI/ML tools due to copyright, ethical, and quality concerns. This means contributors cannot use tools like ChatGPT or GitHub Copilot to create content for the distribution such as code, documentation, bug reports, and forum posts. A proposal for Debian to adopt a similar policy revealed a distinct lack of love for those kinds of tools, though it would also seem few contributors support banning them outright.
Security updates have been issued by AlmaLinux (container-tools:4.0, container-tools:rhel8, git-lfs, glibc, libxml2, nodejs:18, and nodejs:20), Debian (dav1d and libpgjava), Fedora (kernel and pypy), Red Hat (glibc and nodejs:16), SUSE (ffmpeg, ffmpeg-4, ghostscript, go1.21, go1.22, less, python-python-jose, python-Werkzeug, and sssd), and Ubuntu (fossil, glib2.0, and libspreadsheet-parsexlsx-perl).
The extensible scheduler class (or "sched_ext") is a comprehensive framework that enables the implementation of CPU schedulers as a set of BPF programs that can be loaded at run time. Despite having attracted a fair amount of interest from the development community, sched_ext has run into considerable opposition and seems far from acceptance into the mainline. The posting by Tejun Heo of a new version of the sched_ext series at the beginning of May has restarted this long-running discussion, but it is not clear what the end result will be.
The so-called software supply chain starts with source code. But most security measures and tooling don't kick in until source is turned into an artifact - a source tarball, binary build, container image, or other method of delivering a release to users. The gittuf project is an attempt to provide a security layer for Git that can handle key management, enforce security policies for repositories, and guard against attacks at the version-control layer. At Open Source Summit North America (OSSNA), Aditya Sirish A Yelgundhalli and Billy Lynch presented an introduction to gittuf with an overview of its goals and status.
A proposal to switch the default desktop for Fedora Workstation from GNOME to KDE Plasma largely went over like the proverbial lead balloon - unsurprisingly. But the conversation about the proposal did surface some areas where the distribution could perhaps be more inclusive with regard to the other desktop choices available. The project believes that it benefits from being opinionated and not requiring users to make multiple decisions before they can even install the distribution, but there is a balance to be found.
The systemd project is preparing for a new release. Version 256-rc1 was released on April 25 with a large number of changes and new features. Most of the changes relate to security, easier configuration, unprivileged access to system resources, or all three of these. Users of systemd will find setting up containers - even without root access - much simpler and more secure.
Version 14.1 of the GCC compiler suite has been released. The list of changes is long; it includes support for more C++26 features, preparation for Fortran 2023 support, a new -fhardened flag to enable security-hardening features, vectorizer improvements, and a number of static-analyzer improvements. See the release notes for details.
Security updates have been issued by Debian (kernel), Gentoo (libjpeg-turbo, xar, and Xpdf), Red Hat (bind, dhcp and glibc), and SUSE (bouncycastle, curl, flatpak, less, and xen).
The Python Software Foundation (PSF) has announced its annual impact report for 2023. The report includes updates from PSF staff as well as summaries of the foundation's activities, financials, and infrastructure. The PSF celebrated the 20th anniversary of PyCon US, distributed more than $370,000 in grants, and enjoyed impressive traffic on PyPI:
Daniel Stenberg has posted a report about the recent curl up conference about curl development. It was held over two days in Stockholm. The report has short summaries of the talks with links to the recordings.
In some aspects, such as in gaming, the Linux desktop has made enormous strides in the past few years. In others, such as accessibility, things have stagnated. At Open Source Summit North America (OSSNA), Matt Campbell spoke about the need for, and an approach to, modernizing accessibility for desktop Linux. This included a discussion of Newton, a fledgling project that may greatly improve accessibility on the Linux desktop.
The Free Software Foundation has announced the recipients of its 2023 Free Software Awards: Bruno Haible for work on gnulib, Nick Logozzo as the "outstanding new free software contributor", and code.gouv.fr for projects of social benefit.
Security updates have been issued by Debian (glibc, intel-microcode, less, libkf5ksieve, and ruby3.1), Fedora (chromium, gdcm, httpd, and stalld), Gentoo (Apache Commons BCEL, borgmatic, Dalli, firefox, HTMLDOC, ImageMagick, MediaInfo, MediaInfoLib, MIT krb5, MPlayer, mujs, Pillow, Python, PyPy3, QtWebEngine, Setuptools, strongSwan, and systemd), Oracle (grub2 and shim), Red Hat (git-lfs, kpatch-patch, unbound, and varnish), and SUSE (avahi, grafana and mybatis, java-11-openjdk, java-17-openjdk, skopeo, SUSE Manager Client Tools, SUSE Manager Salt Bundle, and SUSE Manager Server 4.3).
Kernel developers are encouraged to send their changes in small batches as a way of making life easier for reviewers. So when a longtime developer and maintainer hits the list with a 437-patch series touching 859 files, eyebrows are certain to head skyward. Specifically, this series from Jens Axboe is cleaning up one of the core abstractions that has been part of the Linux kernel almost since the beginning; authors of device drivers (among others) will have to take note.
Security updates have been issued by Fedora (chromium, grub2, httpd, kernel, libcoap, matrix-synapse, python-pip, and rust-pythonize), Red Hat (kernel and libxml2), SUSE (kernel), and Ubuntu (eglibc, glibc and php7.4, php8.1, php8.2).
Greg Kroah-Hartman has announced the release of the 6.8.9, 6.6.30, 6.1.90, 5.15.158, 5.10.216, 5.4.275, and 4.19.313 stable kernels. As is the norm, they contain lots of important fixes throughout the kernel tree.
In Unix-like systems, an open file descriptor carries the right to access the opened object in specific ways. As a general rule, that file descriptor does not enable access to any other objects. The recently merged BPF token feature runs counter to this practice by creating file descriptors that carry specific BPF-related access rights. A similar but different approach to capability-carrying file descriptors, in the form of directory file descriptors that include their own credentials, is currently under consideration in the kernel community.
Version 1.78.0 of the Rust language has been released. Changes include a new mechanism for diagnostic attributes, changes to how assertions around unsafe blocks are handled, and more.
Security updates have been issued by Debian (chromium and distro-info-data), Fedora (et, php-tcpdf, python-aiohttp, python-openapi-core, thunderbird, tpm2-tools, and tpm2-tss), Red Hat (nodejs:16 and podman), and Ubuntu (firefox).
Version 8.0 of the terminal text editor GNU nano has been released. This update includes several changes to keybindings to be more newcomer-friendly, such as remapping Ctrl-F to forward-search and adding an option for modern bindings:
Ubuntu 24.04 LTS, code-named "Noble Numbat", was released on April 25. This release includes GNOME 46, installer updates, security enhancements, a lot of updated packages, and a new App Center that puts a heavy emphasis on using Snaps to install software. It is not an ambitious release, but it brings enough to the table that it's a worthwhile update.
Security updates have been issued by Debian (nghttp2 and qtbase-opensource-src), Mageia (cjson, freerdp, guava, krb5, libarchive, and mediawiki), Oracle (container-tools:4.0 and container-tools:ol8), Red Hat (bind, buildah, container-tools:3.0, container-tools:rhel8, expat, gnutls, golang, grafana, kernel, kernel-rt, libreswan, libvirt, linux-firmware, mod_http2, pcp, pcs, podman, python-jwcrypto, rhc-worker-script, shadow-utils, skopeo, sssd, tigervnc, unbound, and yajl), SUSE (kernel and python311), and Ubuntu (gerbv and node-json5).
When it comes to security, telling developers to do (or not do) something can be ineffective. Helping them understand the why behind instructions, by illustrating good and bad practices using stories, can be much more effective. With several such stories Marta Rybczyńska fashioned an interesting talk about patterns and anti-patterns in embedded Linux security at the Embedded Open Source Summit (EOSS), co-located with Open Source Summit North America (OSSNA), on April 16 in Seattle, Washington.
This Mastodon stream from Lennart Poettering describes a sudo replacement - called run0 - that will be part of the upcoming systemd 256 release. It takes a rather different approach to the execution of privileged commands, avoiding the use of setuid (which he calls "SUID") permissions entirely.
Version 2.45.0 of the Git source-code management system has been released. Changes include a new list command for git reflog, a couple of new configuration variables for git diff, the ability to drop redundant commits while cherry-picking, a number of performance improvements, and more.
The Amarok music player project has announced the release of version 3.0, which is codenamed "Castaway". It is the first stable version using Qt 5 and KDE Frameworks 5, and the first stable release since the final Qt-4-based 2.9.0 in 2018.
On April 21, a group of anonymous authors and non-anonymous signatories published a lengthy open letter to the Nix community and Nix founder Eelco Dolstra calling for his resignation from the project. They claimed ongoing problems with the project's leadership, primarily focusing on the way his actions have allegedly undermined people nominally empowered to perform various moderation and governance tasks. Since its release, the letter has gained more than 100 signatures.
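The security-relevant point of run0 is that it is not a setuid binary: sudo's design places a privilege boundary inside a setuid-root executable that runs with the caller's environment, whereas run0 asks a privileged service to spawn the command. The practitioner's first question on a host is therefore how many such setuid/setgid executables exist. The following POSIX shell audit is an added example, not code from the LWN item or from the systemd project; the default scan path /usr/bin is an assumption for illustration, and only standard find, ls and awk are used.

```shell
#!/bin/sh
# Added example (not from LWN or systemd): enumerate setuid/setgid
# executables under a directory tree. These are the binaries a sudo-style
# design depends on and a run0-style design (no setuid bit, privileges
# granted by a service) does without. /usr/bin is an assumed default.

# list_setuid DIR: print every regular file under DIR with the setuid
# (04000) or setgid (02000) bit set, one path per line, sorted so the
# output is stable enough to diff against a previous run.
list_setuid() {
    dir="${1:-/usr/bin}"
    find "$dir" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# count_setuid DIR: number of such files, a simple hardening metric
# (a missing directory yields 0 rather than an error).
count_setuid() {
    list_setuid "$1" | wc -l | tr -d ' '
}

# setuid_report DIR: mode, owner, group and path for each hit, so a
# reviewer can pick out setuid-root binaries, the ones to audit first.
setuid_report() {
    list_setuid "$1" | while IFS= read -r path; do
        ls -ld "$path" | awk -v p="$path" '{ print $1, $3, $4, p }'
    done
}

# Stand-alone run: report on the default (or given) tree.
setuid_report "${1:-/usr/bin}"
```

Run it before and after removing sudo-style tooling to see the setuid surface shrink; a `nosuid` mount does not clear the bit, so the listing still reports files whose bit the kernel would ignore.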
Security updates have been issued by AlmaLinux (buildah, go-toolset:rhel8, golang, java-11-openjdk, java-21-openjdk, libreswan, thunderbird, and tigervnc), Debian (chromium, emacs, frr, mediawiki, ruby-rack, trafficserver, and zabbix), Fedora (chromium, grub2, python-idna, and python-reportlab), Mageia (chromium-browser-stable, firefox, opencryptoki, and thunderbird), Red Hat (container-tools:4.0, container-tools:rhel8, git-lfs, and shim), SUSE (frr, java-11-openjdk, java-1_8_0-openjdk, kernel, pdns-recursor, and shim), and Ubuntu (apache2, cpio, curl, glibc, gnutls28, less, libvirt, and pillow).
Robert McQueen has posted a message from the GNOME Foundation board describing the current financial situation, plans to improve it, and an increase in the size of the board.
The 6.8.8, 6.6.29, 6.1.88, and 5.15.157 stable kernels have been released; each contains another set of important fixes. Update: 6.1.89 was released two days later to fix a build problem in 6.1.88.
Video playback is undeniably one of the most important features in modern consumer devices. Yet, surprisingly, users are by and large unaware of the intricate engineering involved in the compression and decompression of video data, with codecs being left to find a delicate balance between image quality, bandwidth, and power consumption. In response to constant performance pressure, video codecs have become complex and hardware implementations are now common, but programming these devices is becoming increasingly difficult and fraught with opportunities for exploitation. I hope to convey how Rust can help fix this problem.