The 1.0 version of the LibrePCB "free, cross-platform, easy-to-use electronic design automation suite to draw schematics and design printed circuit boards". As noted in a blog post back in May, a grant has helped spur development of the tool. The focus for the release has been in adding features that were needed so that "there should be no show stopper anymore which prevents you from using LibrePCB for more complex PCB [printed circuit board] designs". New features include a 3D viewer and export format for working with designs in a mechanical computer aided design (CAD) tool, support for manufacturer part number (MFN) management, and lots of board editor features such as thermal relief pads in planes, blind & buried vias,keepout zones, and more. [Thanks to Alphonse Ogulla.]
The last year or so has seen the posting of a few new filesystem types thatare aimed at supporting container workloads. PuzzleFS, presented at the2023 Kangrejos gathering by ArielMiculas, is another contender in this area, but it has some features of itsown, including a novel compression mechanism and an implementation writtenin Rust.
The6.5.5,6.1.55,5.15.133,5.10.197,5.4.257,4.19.295, and4.14.326stable kernel updates have all been released; each contains another set ofimportant fixes.
Back in May, Andre Almeida presented somework toward the creation of user-space spinlocks using adaptivespinning. At that time, the work was stalled because there is, in Linux,currently no way to quickly determine whether a given thread is actuallyexecuting on a CPU. Some progress has since been made on that front; atthe 2023Open Source Summit Europe, Almeida returned to discuss how thatdifficulty might be overcome.
Security updates have been issued by Debian (gsl), Fedora (dotnet6.0 and dotnet7.0), Oracle (libwebp), Slackware (bind, cups, and seamonkey), SUSE (kernel and rust, rust1.72), and Ubuntu (cups, flac, gnome-shell, imagemagick, and python3.5).
All that Ankur Arora seemingly wanted to do with thispatch set was to make the process of clearing huge pages on x86systems go a little faster. What resulted was an extensive discussion onthe difficulties of managing preemption correctly in the kernel. It may bethat some changes will come to the plethora of preemption models that thekernel currently offers.
Security updates have been issued by Debian (mutt, netatalk, and python2.7), Fedora (chromium, golang-github-prometheus-exporter-toolkit, golang-github-xhit-str2duration, and golang-gopkg-alecthomas-kingpin-2), Oracle (dmidecode, frr, libwebp, open-vm-tools, and thunderbird), Red Hat (libwebp and open-vm-tools), SUSE (cups, frr, mariadb, openvswitch3, python39, qemu, redis7, rubygem-rails-html-sanitizer, and skopeo), and Ubuntu (bind9, cups, and libppd).
The "limited" C API for CPython extensions has been around for well over adecade at this point, but it has not seen much uptake. It is meant to giveextensions an API that will allow binaries built with it to be used formultiple versions of CPython, because those binaries will only access the stableABI that will not change when CPython does. Victor Stinner has beenworking on better definition for the API; as part of that work, he suggested that some of the C extensions in thestandard library start using it in an effort for CPython to "eat itsown dog food". The resulting discussion showed that there is still a fairamount of confusion about this API-and the thrust of Stinner's overall plan.
JDK 21, the reference implementation of the Java 21 language specification,hasbeen released. "This release includes fifteen JEPs [1], includingthe final versions of Record Patterns (440), Pattern Matching for switch(441), and Virtual Threads (444)".
The security of digital products has become a topic of regulationin recent years. Currently, the European Union is moving forwardwith another new law, which, if it comes into effect in a formclose to the current draft, will affect software developers worldwide.This new proposal, called the "CyberResilience Act" (CRA), brings mandatory security requirements on alldigital products, both softwareand hardware, that are available in Europe. While it aims at a worthy goal, theproposal is causing a stir among open-source communities.
Security updates have been issued by Debian (chromium, flac, gnome-shell, libwebp, openjdk-11, and xrdp), Fedora (giflib), Oracle (kernel), Red Hat (busybox, dbus, firefox, frr, kpatch-patch, libwebp, open-vm-tools, and thunderbird), Slackware (netatalk), SUSE (flac, gcc12, kernel, libeconf, libwebp, libxml2, and thunderbird), and Ubuntu (binutils, c-ares, libraw, linux-intel-iotg, nodejs, python-django, and vsftpd).
Processes in a Linux system run within their own virtual address spaces.Their virtual addresses map to physical pages provided by the hardware, butthe kernel takes pains to hide the physical addresses of those pages;processes normally have no way of knowing (and no need to know) where theirmemory is located in physical memory. As a result, the system calls formemory management also deal in virtual addresses. Gregory Price iscurrently trying to create an exception to this rule with aproposal for a new system call that would operate on memory using physicaladdresses.
Much of the kernel's performance is dependent on caching - keeping usefulinformation around for future use to avoid the cost of looking it up again.The kernel aggressively caches pages of file data, directory entries,inodes, slab objects, and much more. Without active measures, though,caches will tend to grow without bounds, leading to memory exhaustion. Thekernel's "shrinker" mechanism exists to be that active measure, butshrinkers have some performance difficulties of their own. Thispatch series from Qi Zheng seeks to address one of the worst of thoseby removing some locking overhead.
Security updates have been issued by Debian (c-ares and samba), Fedora (borgbackup, firefox, and libwebp), Oracle (.NET 6.0 and kernel), Slackware (libwebp), SUSE (chromium and firefox), and Ubuntu (atftp, dbus, gawk, libssh2, libwebp, modsecurity-apache, and mutt).
The Software Freedom Conservancy(SFC) has announcedthe availability of videos from thefirst-ever Free and Open Source Yearly(FOSSY) conference, which was held in July in Portland, Oregon in the US.
The fstat()system call retrieves some of the metadata - owner, size, protections,timestamps, and so on - associated with an open file descriptor. One mightnot think of it as a performance-critical system call, but there areworkloads that make a lot of fstat() calls; it is not somethingthat should be slowed unnecessarily. As it turns out, though, the GNU CLibrary (glibc) has been doing exactly that, but a fix is in the works.
Security updates have been issued by Debian (firefox-esr, libwebp, ruby-loofah, and ruby-rails-html-sanitizer), Fedora (open-vm-tools and salt), Oracle (.NET 7.0, dmidecode, flac, gcc, httpd:2.4, keylime, libcap, librsvg2, and qemu-kvm), Red Hat (.NET 6.0 and .NET 7.0), Slackware (libarchive and mozilla), SUSE (chromium and kernel), and Ubuntu (curl, firefox, ghostscript, open-vm-tools, postgresql-9.5, and thunderbird).
The "Common Vulnerabilities andExposures" (CVE) system was launched late in the previous century (September1999) to track vulnerabilities insoftware. Over the years since, it has had a somewhat checkeredreputation, along with some some attempts toreplace it, but CVE numbers are still the only effective way to trackvulnerabilities. While that can certainly be useful, theCVE-assignment (and severity scoring) process is not without its problems.The prominence of CVE numbers, and the consequent increase in "reputation" for a reporter, have combined to create a system that canbe-and is-actively gamed. Meanwhile, the organizations that oversee thesystem are ultimately not doing a particularly stellar job.
The6.5.3,6.4.16, and6.1.53stable kernel updates have been released; each contains a large number ofimportant fixes. Note that the 6.4.x line ends with 6.4.16.
Security updates have been issued by Debian (e2guardian), Fedora (libeconf), Red Hat (dmidecode, kernel, kernel-rt, keylime, kpatch-patch, libcap, librsvg2, linux-firmware, and qemu-kvm), Slackware (mozilla), SUSE (chromium and shadow), and Ubuntu (cups, dotnet6, dotnet7, file, flac, and ruby-redcloth).
The GCC stack-protector feature detects stack-based buffer overruns byputting a canary value on the stack and noticing if that value is changed.Itturns out, though, that dynamically allocated local variables (such asvariable-length arrays and space obtained with alloca()) areplaced beyond the canary, so overflows of those variables will not bedetected. As a result, arm64 binaries built with vulnerable versions ofGCC are not as protected as they should be and need to be rebuilt.
Arduino has emerged as one of theprime success stories of the open-hardware movement. In recent years, thecompany has shifted its focus toward Internet of Things (IoT)applications. As part of this transformation, it has completely redesignedits open-source integrated development environment (IDE), adding a moreprofessional feature set for its hobbyist target audience. If you haveexperimented with Arduino in the past, but have lost track of itsprogress, now might be a good time to give it another try.
Ars Technica reports on a credential-stealing Trojan horse that would infect only some of those who installed the "Free Download Manager". The article is based on a Kaspersky report that details the malicious payload offered up at that site from 2020 to 2022.
Security updates have been issued by Debian (node-cookiejar and orthanc), Oracle (firefox, kernel, and kernel-container), Red Hat (flac and httpd:2.4), Slackware (vim), SUSE (python-Django, terraform-provider-aws, terraform-provider-helm, and terraform-provider-null), and Ubuntu (c-ares, curl, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15, linux-raspi, and linux-ibm, linux-ibm-5.4).
Linus Torvalds released6.6-rc1 and closed the 6.6 merge window on September10. At thatpoint, 12,230 non-merge changesets had been pulled into the mainlinerepository, which is exactly 500 more than were pulled for 6.5 at this stagein the cycle. Over 7,000 of those changes were pulled after our first-half summary was written; theybrought a fair amount of new functionality with them. Read on for anoverview of those changes.
In a series of posts on his blog, Oscar Benjamin looks at SymPy, which is a Python-based symbolic-mathematics library. In the first article, he outlines the "big changes for SymPy with particular focus on speed". The second covers polynomial handling; subsequent articles will examine other pieces of the puzzle.
The work to add support for large anonymousfolios to the kernel has been underway for some time, but this featurehas not yet landed in the mainline. The author of this work, Ryan Roberts,has been trying to get a handle on what the remaining obstacles are so hecan address them. On September6, an online meeting ofmemory-management developers discussed that topic and made some progress;there is still some work to do, though, before large anonymous folios cango upstream.
Security updates have been issued by Debian (chromium, libssh2, memcached, and python-django), Fedora (netconsd), Oracle (firefox and thunderbird), Scientific Linux (firefox), SUSE (open-vm-tools), and Ubuntu (grub2-signed, grub2-unsigned, shim, and shim-signed, plib, and python2.7, python3.5).
The Ubuntu blog has adetailed article on plans to add full-disk encryption, with the keystored in the system's trusted platform module (TPM), to the desktopdistribution.
OpenSUSE Leap is a hybriddistribution; it is based on SUSE's enterprise distribution (SLE), whichfollows the "slow and stable" approach, but adds a number of newer packageson top. Leap is intended to be a desktop-oriented distribution with a stableand reliable base. As SUSE transitions away from its traditionalenterprise distribution toward its "AdaptableLinux Platform" (ALP), though, the stable base upon which openSUSE Leapis built is going away. The openSUSE community is currently discussing howthe project should respond.
Security updates have been issued by Fedora (erofs-utils, htmltest, indent, libeconf, netconsd, php-phpmailer6, tinyexr, and vim), Red Hat (firefox), and Ubuntu (linux-aws, linux-aws-5.15, linux-ibm-5.15, linux-oracle, linux-oracle-5.15, linux-azure, linux-azure-fde-5.15, linux-gke, linux-gkeop, linux-intel-iotg-5.15, linux-raspi, linux-oem-6.1, linux-raspi, linux-raspi-5.4, shiro, and sox).
A recent discussion on the Python forum looked at a way toprotect module objects (and users) from mistaken attribute assignment anddeletion. There are ways to get the same effect today, but the mechanism that would be used causes aperformance penalty for an unrelated, and heavily used, action: attributelookup on modules. Back in2017, PEP562 ("Module __getattr__and __dir__") set the stage for adding magic methods to module objects; nowa new proposal would extend that idea to add __setattr__() and__delattr__() to them.