At the CPU level, a memory model describes, among other things, the amount of freedom the processor has to reorder memory operations. If low-level code does not take the memory model into account, unpleasant surprises are likely to follow. Naturally, different CPUs offer different memory models, complicating the portability of certain types of concurrent software. To make life easier, some Arm CPUs offer the ability to emulate the x86 memory model, but efforts to make that feature available in the kernel are running into opposition.
Security updates have been issued by Debian (knot-resolver, pdns-recursor, and putty), Fedora (xen), Mageia (editorconfig-core-c, glibc, mbedtls, webkit2, and wireshark), Oracle (buildah), Red Hat (buildah and yajl), Slackware (libarchive), SUSE (dcmtk, openCryptoki, php7, php74, php8, python-gunicorn, python-idna, qemu, and thunderbird), and Ubuntu (cryptojs, freerdp2, nghttp2, and zabbix).
On April 11, Brandt Bucher posted PEP 744 ("JIT Compilation"), which summarizes the current state of Python's new copy-and-patch just-in-time (JIT) compiler. The JIT is currently experimental, but the PEP proposes some criteria for the circumstances under which it should become a non-experimental part of Python. The discussion of the PEP hasn't reached a conclusion, but several members of the community have already raised questions about how the JIT would fit into future iterations of the Python language.
Linux, famously, appears in a wide range of systems. While servers and large data centers get a lot of the attention, and this year will always be the year of the Linux desktop, there is also a great deal of Linux to be found in realtime and embedded applications. Two talks held in the realtime and embedded tracks of the 2024 Open Source Summit North America provided listeners with an update on how Linux is doing in those areas. Work on realtime Linux appears to be nearing completion, while the embedded community is still pushing forward at full speed.
Security updates have been issued by Fedora (curl, filezilla, flatpak, kubernetes, libfilezilla, thunderbird, and xen), Oracle (go-toolset:ol8, kernel, libreswan, shim, and tigervnc), Red Hat (buildah, gnutls, libreswan, tigervnc, and unbound), SUSE (cockpit-wicked, nrpe, and python-idna), and Ubuntu (dnsmasq, freerdp2, linux-azure-6.5, and thunderbird).
BleepingComputer reported on April 20 that some malware was being distributed via GitHub. Uploading files as part of a comment gives them a URL that appears to be associated with a repository, even if the comment is never posted.
Version 9.0 of the QEMU emulator has been released. "This release contains 2700+ commits from 220 authors." The list of improvements is long; see the announcement and the changelog for details.
For several years, contributors to the Rust project have been working to improve support for asynchronous code. The benefits of these efforts are not confined to asynchronous code, however. Members of the Rust community have been working toward adding explicit existential types to Rust since 2017. Existential types are not a common feature of programming languages (something the RFC acknowledges), so the motivation for their inclusion might be somewhat obscure.
The long-running effort to complete the work on stacking (or composing) the Linux security modules (LSMs) recently encountered a barrier, in the form of a "suggestion" from Linus Torvalds to discontinue it. His complaint revolved around the indirect function calls that are used to implement LSMs, but he also did not think much of the effort to switch away from those calls. While it does not appear that a major course-change is in store for LSMs, it is clear that Torvalds is not happy with the direction of that subsystem.
The Fedora 40 distribution has been released. See the "what's new" pages for Fedora Workstation and Fedora KDE to learn more about the desktop spins, along with this LWN article, for more information.
The Rust programming language, it is hoped, will bring a new level of safety to the Linux kernel. At the moment, though, there are still a number of impediments to getting useful Rust code into the kernel. In the Embedded Open Source Summit track of the Open Source Summit North America, Fabien Parent provided an overview of his work aimed at improving the infrastructure needed to write the device drivers needed by embedded systems in Rust; there is still some work to be done.
Security updates have been issued by Debian (glibc and samba), Fedora (chromium, cjson, mingw-python-idna, and pgadmin4), Mageia (kernel, kmod-xtables-addons, kmod-virtualbox, kernel-linus, and perl-Clipboard), Red Hat (go-toolset:rhel8, golang, java-11-openjdk, kpatch-patch, and shim), Slackware (freerdp), SUSE (apache-commons-configuration, glibc, jasper, polkit, and qemu), and Ubuntu (google-guest-agent, google-osconfig-agent, linux-lowlatency-hwe-6.5, pillow, and squid).
The Debian project leader election results are in and Andreas Tille has been elected. In a fairly competitive vote, Tille beat Sruthi Chandran to fill the position for the coming year. We looked at the election and the candidates a few weeks back.
One of the mainstays of the Linux Foundation's Open Source Summit is the "fireside chat" (sans fire) between Linus Torvalds and Dirk Hohndel to discuss open source and Linux kernel topics of the day. On April 17, at Open Source Summit North America (OSSNA) in Seattle, Washington, they held with tradition and discussed a range of topics including proper whitespace parsing, security, and the current AI craze.
Gregory Price recently posted a patch set that adds support for weighted memory interleaving, allowing a process's memory to be distributed between non-uniform memory access (NUMA) nodes in a more controlled way. According to his performance measurements, the patch set could provide a significant improvement for computers with network-attached memory. The patch set also introduces new system calls and paves the way for future extensions intended to give processes more control over their own memory.
Security updates have been issued by AlmaLinux (gnutls, java-17-openjdk, mod_http2, and squid), Debian (firefox-esr), Fedora (editorconfig, perl-Clipboard, php, rust, and wordpress), Mageia (less, libreswan, puppet, and x11-server, x11-server-xwayland, and tigervnc), Slackware (aaa_glibc), and SUSE (firefox, graphviz, kernel, nodejs12, pgadmin4, tomcat, and wireshark).
Gentoo Council member Michał Górny posted an RFC to the gentoo-dev mailing list in late February about banning "'AI'-backed (LLM/GPT/whatever) contributions" to the Gentoo Linux project. Górny wrote that the spread of the "AI bubble" indicated a need for Gentoo to formally take a stand on AI tools. After a lengthy discussion, the Gentoo Council voted unanimously this week to adopt his proposal and ban contributions generated with AI/ML tools.
Kernel developers, like conscientious developers for many projects, will often include checks in the code for conditions that are never expected to occur, but which would indicate a serious problem should that expectation turn out to be incorrect. For years, developers have been encouraged (to put it politely) to avoid using assertions that crash the machine for such conditions unless there is truly no alternative. Increasingly, though, use of the kernel's WARN_ON() family of macros, which developers were told to use instead, is also being discouraged.
Security updates have been issued by Debian (firefox-esr, jetty9, libdatetime-timezone-perl, tomcat10, and tzdata), Fedora (cockpit, filezilla, and libfilezilla), Red Hat (firefox, gnutls, java-1.8.0-openjdk, java-17-openjdk, kernel, kernel-rt, less, mod_http2, nodejs:18, rhc-worker-script, and shim), Slackware (mozilla), SUSE (kernel), and Ubuntu (apache2, glibc, and linux-xilinx-zynqmp).
Managing to-do lists is something of a universal necessity. While some people handle them mentally or on paper, others resort to a web-based tool or a mobile application. For those preferring the command line, the MIT-licensed Taskwarrior offers a flexible solution with a healthy community and lots of extensions.
Security updates have been issued by Debian (apache2 and cockpit), Fedora (firefox, kernel, mbedtls, python-cbor2, wireshark, and yyjson), Mageia (nghttp2), Red Hat (kernel, kernel-rt, opencryptoki, pcs, shim, squid, and squid:4), Slackware (firefox), SUSE (emacs, firefox, and kernel), and Ubuntu (linux-aws, linux-aws-5.15, linux-aws-6.5, linux-raspi, and linux-iot).
The recent XZ backdoor has sparked a lot of discussion about how the open-source community links and packages software. One possible security improvement being discussed is changing how projects like systemd link to dynamic libraries that are only used for optional functionality: using dlopen() to load those libraries only when required. This could shrink the attack surface exposed by dependencies, but the approach is not without downsides; most prominently, it makes discovering which dynamic libraries a program depends on harder. On April 11, Lennart Poettering proposed one way to eliminate that problem in a systemd RFC on GitHub.
Fedora 40 Beta was released on March 26, and the final release is nearing completion. So far, the release is coming together nicely with major updates for GNOME, KDE Plasma, and the usual cavalcade of smaller updates and enhancements. As part of the release, the project also scuttled DeltaRPMs and OpenSSL 1.1.
The Open Source Security Foundation and the OpenJS Foundation have jointly posted a warning about XZ-like social-engineering attacks after OpenJS was seemingly targeted.
Kumar Kartikeya Dwivedi has been working to add support for exceptions to BPF since mid-2023. In July, Dwivedi posted the first patch set in this effort, which adds support for basic stack unwinding. In February 2024, he posted the second patch set aimed at letting the kernel release resources held by the BPF program when an exception occurs. This makes exceptions usable in many more contexts.
Security updates have been issued by AlmaLinux (bind, bind and dhcp, bind9.16, gnutls, httpd:2.4/mod_http2, squid:4, and unbound), Debian (kernel, trafficserver, and xorg-server), Fedora (chromium, kernel, libopenmpt, and rust-h2), Mageia (apache-mod_jk, golang, indent, openssl, perl-HTTP-Body, php, rear, ruby-rack, squid, varnish, and xfig), Oracle (bind, squid, unbound, and X.Org server), Red Hat (bind and dhcp and unbound), Slackware (less and php), SUSE (gnutls, python-Pillow, webkit2gtk3, xen, xorg-x11-server, and xwayland), and Ubuntu (yard).
The 6.9-rc4 kernel prepatch is out for testing. "Nothing particularly unusual going on this week - some new hw mitigations may stand out, but after a decade of this I can't really call it 'unusual' any more, can I?"
The 6.8.6, 6.6.27, 6.1.86, 5.15.155, 5.10.215, 5.4.274, and 4.19.312 stable kernel updates have all been released; each contains a relatively large number of important fixes.
The kernel project merges dozens of drivers with every development cycle, and almost every one of those drivers is entirely uncontroversial. Occasionally, though, a driver submission raises wider questions, leading to lengthy discussion and, perhaps, opposition. That is currently the case with two separate drivers, both with ties to the networking subsystem. One of them is hung up on questions of whether (and how) all device functionality should be made available to user space, while the other has run into turbulence because it drives a device that is unobtainable outside of a single company.
Security updates have been issued by Debian (chromium), Fedora (rust, trafficserver, and upx), Mageia (postgresql-jdbc and x11-server, x11-server-xwayland, tigervnc), Red Hat (bind, bind9.16, gnutls, httpd:2.4, squid, unbound, and xorg-x11-server), SUSE (perl-Net-CIDR-Lite), and Ubuntu (apache2, maven-shared-utils, and nss).
The Earliest Eligible Virtual Deadline First (EEVDF) scheduler was merged as an option for the 6.6 kernel. It represents a major change to how CPU scheduling is done on Linux systems, but the EEVDF front has been relatively quiet since then. Now, though, scheduler developer Peter Zijlstra has returned from a long absence to post a patch series intended to finish the EEVDF work. Beyond some fixes, this work includes a significant behavioral change and a new feature intended to help latency-sensitive tasks.
Security updates have been issued by AlmaLinux (kernel, less, libreoffice, nodejs:18, nodejs:20, rear, thunderbird, and varnish), Debian (pillow), Fedora (dotnet7.0), SUSE (sngrep, texlive-specs-k, tomcat, tomcat10, and xorg-x11-server), and Ubuntu (nss, squid, and util-linux).
The Gentoo Linux project has announced that it is now an Associated Project of Software in the Public Interest (SPI), which will allow it to accept tax deductible donations in the US and reduce its "non-technical workload":
Greg Kroah-Hartman has announced another round of stable kernel updates: 6.8.5, 6.6.26, 6.1.85, and 5.15.154 have all been released; each contains another set of important fixes, including the mitigations for the recently disclosed branch history injection hardware vulnerability.
A recent book by LWN guest author Lee Phillips provides a nice introduction to the Julia programming language. Practical Julia does more than that, however. As its subtitle ("A Hands-On Introduction for Scientific Minds") implies, the book focuses on bringing Julia to scientists, rather than programmers, which gives it something of a different feel from most other books of this sort.
On April 3 security researcher Bartek Nowotarski published the details of a new denial-of-service (DoS) attack, called a "continuation flood", against many HTTP/2-capable web servers. While the attack is not terribly complex, it affects many independent implementations of the HTTP/2 protocol, even though multiple similar vulnerabilities over the years have given implementers plenty of warning.