On July 30, Al Viro sent a patch set to the linux-fsdevel mailing list with a comprehensive cover letter explaining his recent work on ensuring that the kernel's internal representation of file descriptors is used correctly in the kernel. File descriptors are ubiquitous; many system calls need to handle them. Viro's review identified a few existing bugs, and may prevent more in the future. He also had suggestions for ways to keep uses consistent throughout the kernel.
Linux installers receive a disproportionate amount of attention compared to the amount of time that most users spend with them. Ideally, a user spends only a few minutes using the installer, versus years using the distribution after it is installed. Yet, the installer sets the first impression, and if it fails to do its job, little else matters. Installers also have to continually evolve to keep pace with new hardware, changes in distribution packaging (such as image-based Linux distributions), and so forth. Along those lines, the SUSE team that maintains the venerable YaST installer has decided it's time to start (almost) fresh with a new Linux installer project, called Agama, for new projects. YaST is not going away as an administration tool, but it is likely to be relieved of installer duties at some point.
Security updates have been issued by Debian (aom, cinder, dovecot, glance, and nova), Fedora (mysql8.0), Oracle (curl and libreoffice), SUSE (oniguruma, openssl-1_0_0, openssl1, and xen), and Ubuntu (cacti, curl, exfatprogs, firefox, and vim).
At PyCon 2024 in Pittsburgh, Pennsylvania, Anthony Shaw looked at the various kinds of parallelism available to Python programs. There have been two major developments on the parallel-execution front over the last few years, with the effort to provide subinterpreters, each with its own global interpreter lock (GIL), along with the work to remove the GIL entirely. In the talk, he explored the two approaches to try to give attendees a sense of how to make the right choice for their applications.
Version 0.3.0 of the uv Python package and project manager has been released. Introduced in February, uv is written in Rust and aims to be "Cargo for Python". Notable changes in this release include the addition of interfaces for managing projects, installing Python, and running scripts, along with adding new documentation. See the accompanying blog post for more information.
One tactic often used by attackers set on compromising a system is heap spraying; in short, the attacker fills as much of the heap as possible with crafted data in the hope of getting the target system to use that data in a bad way. If heap spraying can be blocked, attackers will lose an important tool. The kernel has some heap-spraying defenses now, including the dedicated bucket allocator merged for the upcoming 6.11 release, but its author, Kees Cook, thinks that more can be done.
The FreeBSD Project is, for the second time this year, engaging in a long-running discussion about the possibility of including Rust in its base system. The sequel to the first discussion included some work by Alan Somers to show what it might look like to use Rust code in the base tree. Support for Rust code does not appear much closer to being included in FreeBSD's base system, but the conversation has been enlightening.
Today's crop of new stable kernels consists of seven new versions: 6.10.6, 6.6.47, 6.1.106, 5.15.165, 5.10.224, 5.4.282, and 4.19.320. As usual, each contains important fixes throughout the kernel tree.
The Rust code being added to the kernel is documented using the usual rustdoc conventions; that documentation is now available on kernel.org in formatted form. There is also the linux-next version of the documentation for Rust code that will land in the kernel soon.
Python has had formatted string literals (f-strings), a syntactic shorthand for building strings, since 2015. Recently, Jim Baker, Guido van Rossum, and Paul Everitt have proposed PEP 750 ("Tag Strings For Writing Domain-Specific Languages") which would generalize and expand that mechanism to provide Python library writers with additional flexibility. Reactions to the proposed change were somewhat positive, although there was a good deal of discussion of (and opposition to) the PEP's inclusion of lazy evaluation of template parameters.
The kernel's memory-management developers have been busy in recent times; it can be hard to keep up with all that has been happening in this core area. In an attempt to catch up, here is a look at recent work affecting tiered-memory systems, underutilized huge pages, and duplicated file data in the Enhanced Read-Only Filesystem (EROFS).
Security updates have been issued by AlmaLinux (container-tools:rhel8), Debian (flatpak), Fedora (389-ds-base, dotnet8.0, and roundcubemail), Red Hat (bind9.16, firefox, python-setuptools, and thunderbird), Slackware (dovecot), SUSE (389-ds, curl, kernel, kernel-firmware, kubernetes1.25, openssl-1_1, openssl-3, python-Pillow, and zziplib), and Ubuntu (busybox, linux-azure, and ruby-rmagick).
Rust is intended to let programmers write safer code. But compilers are not omniscient, and writing Rust code that interfaces with hardware (or that works with memory outside of Rust's lifetime paradigm) requires, at some point, the programmer's assurance that some operations are permissible. Benno Lossin suggested adding some more documentation to the Rust-for-Linux project clarifying the standards for commenting uses of unsafe in kernel code. There's general agreement that such standards are necessary, but less agreement on exactly when it is appropriate to use unsafe.
Markdown editors are a dime a dozen. Cheaper than that, actually, since many of them are open source software. Despite the sheer number of options, finding an editor that has all of the features that one might want can be tricky. For some users, Zettlr might be the right tool. It is a What You See is What You Mean (WYSIWYM) editor that stores its work locally as plain Markdown files. The project is billed as a "one-stop publication workbench", and is suitable for writing anything from blog posts to academic papers, maintaining a personal journal, or keeping notes in a Zettlekasten. It is simple to get started with, but rewards deeper exploration and customization.
The PostgreSQL project has released beta versions of PostgreSQL 17 containing several interesting security and usability improvements, alongside the usual performance improvements and bug fixes. If the release proceeds according to the usual timeline, the full release of version 17 is expected in September or October. The most important changes are in what PostgreSQL does when a database supervisor has their credentials revoked, and added support for incremental database backups.
Lix, the fork of Nix that LWN covered in July, has made its second release since forking. This one includes substantial changes to the backend code, including removing a dependency on Bison, and getting a change to the Nix language back upstream.
Security updates have been issued by Debian (kernel and roundcube), Fedora (microcode_ctl, pypy, python2.7, and python3.6), Oracle (389-ds-base, httpd, kernel, kernel-container, and linux-firmware), Red Hat (kernel-rt), SUSE (firefox, kubernetes1.23, libqt5-qtbase, openssl-1_1, python-gunicorn, python-Twisted, python-urllib3, and qt6-base), and Ubuntu (linux-aws-5.15, linux-gkeop-5.15, linux-ibm, linux-ibm-5.15, linux-raspi, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15, linux-oem-6.8, linux-oracle-5.15, and qemu).
Linux hardware vendor System76 started promoting its work on a Rust-based, Wayland desktop environment for its Pop!_OS Ubuntu-derivative distribution almost two years ago. On August 8, the company released an alpha version of the COSMIC desktop environment for users to test out. While it has rough edges and missing features, it is stable enough to get a good feel for what the finished product has in store - and the initial results are promising.
Version 4.0 of the Magit text-based Git user interface for Emacs has been released. Changes since the 3.3.0 release include the addition of context menus, a makeover for the menu-bar menu, new menu commands, and many other new features and bug fixes. See the release notes for full details.
Security updates have been issued by AlmaLinux (httpd:2.4), Fedora (chromium, firefox, frr, neatvnc, nss, python-setuptools, and python3.13), Gentoo (AFLplusplus, Bundler, dpkg, GnuPG, GPAC, libde265, matio, MuPDF, PHP, protobuf, protobuf-python, protobuf-c, rsyslog, Ruby on Rails, and runc), Red Hat (389-ds-base, container-tools:rhel8, and httpd:2.4), SUSE (bind and ca-certificates-mozilla), and Ubuntu (linux-azure).
It is something of a DebConf tradition that members of the Debian Technical Committee (TC) take the stage to talk about the work that the committee does - and more. DebConf24 in Busan, South Korea was no exception, as TC chair Sean Whitton, who will complete his term at the end of the year, and one of its newest members, Stefano Rivera, described the constitutional underpinnings of the TC, how it tries to make decisions when it needs to, and the constant process of recruiting new members. After that, they took a few questions from the audience. The session provided a nice overview of the TC and its role in Debian, but it may well be of interest further afield.
The Canonical Kernel Team has announced a new policy regarding the version of the kernel that will ship with each Ubuntu release; the result will generally be the shipping of newer releases.
Sometimes, the smallest changes create the longest discussions. As a case in point, a proposal to make a one-line change in an informational text file on systems running the Debian unstable distribution has blown up into an interminable and sometimes unfriendly debate. At its core, though, this discussion comes down to a seemingly simple question: should a program be able to determine whether it is running on a Debian testing or unstable system?
Researchers from Graz University of Technology have published details of a new attack on the Linux kernel called SLUBStick. The attack uses timing information to turn an ability to trigger use-after-free or double-free bugs into the ability to overwrite page tables, and thence into the ability to read and write arbitrary areas of memory. The good news is that this attack does require an existing bug to be usable; the bad news is that the kernel regularly sees bugs of this kind.
The Oligo Security blog discloses a web-browser vulnerability that has been named "0.0.0.0 day". In short, browsers will allow JavaScript code to open connections to the all-zeroes IPv4 address; the result is that any port that is open on the local host can be accessed by a remote site. "When services use localhost, they assume a constrained environment. This assumption, which can (as in the case of this vulnerability) be faulty, results in insecure server implementations."
Endless OS is a Linux distribution with a focus on improving access to educational tools by providing a simple-to-manage, full-featured desktop for educators and students - one that works offline, with minimal maintenance. The distribution also aims to be suitable for older devices, in order to promote access to computers by ensuring those systems remain usable. In pursuit of those goals, it makes some unusual technical choices. But what makes the distribution really shine is its curated collection of software and educational resources.
Security updates have been issued by AlmaLinux (freeradius and freeradius:3.0), Debian (chromium, odoo, and roundcube), Fedora (microcode_ctl, mingw-qt5-qtbase, mingw-qt6-qtbase, opentofu, orc, python-setuptools, and vim), Gentoo (Nokogiri), Oracle (kernel), Red Hat (go-toolset:rhel8, golang, kernel, krb5, libtiff, python-setuptools, and python39:3.9 and python39-devel:3.9), SUSE (python-Django), and Ubuntu (krb5).
Mozilla has announced that Puppeteer, a browser automation and testing library, now has first-class support for Firefox using the WebDriver BiDi protocol. Puppeteer can be used to drive headless browser instances, and is commonly used for automated end-to-end web-site tests.
The desire for the ability to checkpoint a process - to record its state in a form that can be restarted at a future time - on Linux is almost as old as Linux itself. See, for example, this announcement of a checkpoint project that appeared in LWN in 1998. While working solutions exist, they can be somewhat fragile and difficult to use; it is not surprising that some people are interested in finding a better alternative. A current effort goes by the name CRIB, for Checkpoint/Restore in (naturally) BPF. It is far from clear that CRIB will replace the existing solutions, but it is an interesting look at a different way of solving the problem.
There are lots of places in the kernel where an EINVAL can be returned to user space, but it is often unclear what the actual underlying problem is because the errno error codes are too generic. That is the problem that Miklos Szeredi wanted to discuss in a filesystem session that he led remotely at the 2024 Linux Storage, Filesystem, Memory Management, and BPF Summit. He would like to help those who are trying to debug problems trace where in the kernel a particular error code is being generated.
Security updates have been issued by Debian (firefox-esr, openjdk-17, and wpa), Gentoo (aiohttp, Bitcoin, Cairo, Go, json-c, Levenshtein, libXpm, nghttp2, PostgreSQL, and Redis), Red Hat (kernel, kernel-rt, python-setuptools, python-urllib3, python3.11-setuptools, and wget), Slackware (mozilla), SUSE (bind, curl, docker, ffmpeg, ffmpeg-4, kernel, kernel-firmware, libnbd, patch, shadow, and thunderbird), and Ubuntu (python-django and wpa).