LWN.net

At the recently concluded Maintainers Summit, it was generally agreed that the Rust experiment wouldcontinue, and that the path was clear for more Rust code to enter thekernel. But the high-level view taken at such gatherings cannot alwaysaccount for the difficult details that will inevitably arise as the Rustwork proceeds. A recent discussion on the nouveau mailing list may haveescaped the notice of many, but it highlights some of the problems thatwill have to be worked out as important functionality written in Rust headstoward the mainline.

Mozilla has released Firefox versions 131.0.2, ESR 128.3.1, and ESR115.16.1. These updates address asevere, remotely exploitable code-execution vulnerability that isevidently already being exploited. Updating to a fixed release seems likea wise thing to do.

Greg Kroah-Hartman has announced the release of the 6.11.3, 6.10.14, 6.6.55, and 6.6.56 stable kernels. The 6.6.56 releasefixes a problem with building perf in 6.6.55; "If you do not use theperf tool in the 6.6.y tree, there is no need to upgrade.". Meanwhile,6.10.14 is the last of the 6.10.y series, so users should now be moving to6.11.y. Other than 6.6.56, they contain the usual long list of importantfixes throughout the kernel tree.

Security updates have been issued by Debian (chromium), Fedora (firefox, koji, unbound, webkit2gtk4.0, and xen), Red Hat (glibc, net-snmp, and tomcat), Slackware (mozilla), SUSE (apache-commons-io, buildah, cups-filters, liboath-devel, libreoffice, libunbound8, podman, and redis), and Ubuntu (cups-browsed, cups-filters, edk2, linux-raspi-5.4, and oath-toolkit).

The LWN.net Weekly Edition for October 10, 2024 is available.

Bindgen is a widely used tool that automatically generates Rust bindings from Cheaders. TheRust-for-Linux project uses it to create some ofthe bindings between Rust code and the rest of the kernel. John Baublitzpresented at Kangrejos about the improvements that he has made to the tool inorder to make the generated bindings easier to use, including improved supportfor macros, bitfields, and enums.

The Julia project hasreleased version 1.11.0. A separateblog post covers some of the highlights. The release includes a number of helpful features.

Security updates have been issued by AlmaLinux (firefox, mod_jk, and thunderbird), Debian (apache2 and firefox-esr), Fedora (crosswords, logiops, p7zip, and perl-App-cpanminus), Red Hat (.NET 6.0, firefox, git, kernel, kernel-rt, openssl, and thunderbird), SUSE (buildah, json-lib, kernel, Mesa, mozjs78, pgadmin4, podman, podofo, qatlib, redis7, roundcubemail, rusty_v8, and seamonkey), and Ubuntu (dotnet6, dotnet8, nginx, and ruby-webrick).

In the early days of open source, it was a struggle to get companiesto accept the concept and trust its development model.Now, companies have few qualms about using it, but do tend to take open source andthose who maintain it for granted. The struggle now is to find waysto compensate producers of the software, sustain the opensourcecommons, and avoid burning out maintainers. The Open Source Pledge project isan effort to persuade companies to pay maintainers by making it a socialnorm. On October8, the project is launching a marketing campaign to raiseawareness and try to get a larger conversation started around payingmaintainers.

Alice Ryhl has been working to enabletracepoints - which are widely usedthroughout the kernel - to be seamlessly placed in Rust code as well. She spokeabout her approach at Kangrejos. Herpatch setenables efficient use of statictracepoints, but supporting dynamic tracepoints will take some additional effort.

Security updates have been issued by Debian (kernel), Fedora (webkitgtk), Mageia (cups), Oracle (e2fsprogs, kernel, and kernel-container), Red Hat (buildah, container-tools:rhel8, containernetworking-plugins, git-lfs, go-toolset:rhel8, golang, grafana-pcp, podman, and skopeo), SUSE (Mesa, mozjs115, podofo, and redis7), and Ubuntu (cups and cups-filters).

OpenBSD7.6 has been released. Notable newfeatures include work to improve suspend/resume on modern hardware,support for the arm64 Qualcomm Snapdragon X Elite laptops, as well as manyimprovements in hardware support and driver bug fixes.

The recent WordPresscontroversy is not the first time there's been tension between theWordPress community, the interests of Automattic as a business, and MattMullenweg's leadership as WordPress's benevolent dictator forlife (BDFL). In particular, Mullenweg's focus on pushing WordPress to use a new"editing experience" called Gutenberg caused significantfriction-and led to the ClassicPress fork. Users whowant to preserve the "classic" WordPress experience without strayingtoo far from the WordPress fold may want to look into ClassicPress.

Version 3.13 of the Python programming language has been released. The"What's NewIn Python 3.13" page has a summary of all the new features andchanges. Highlights of the release include a basic JIT compiler,experimental support for free-threading, and muchmore. See the changelogfor even more details.

The core of the Android operating system, as represented by the Android Open Source Project (AOSP),can only be considered one of the most successful open-source initiativesever created; its user count is measured in the billions. But few wouldconsider it to be a truly community-oriented project. At the 2024 Linux Plumbers Conference, Chris Simmondsasked why the AOSP community is so hard to find, and what might be doneabout the situation.

Version 2.47.0 of the Gitsource-code management system has been released. The changes include along list of incremental improvements; see the announcement and thisGitHub blog post for details.

Version 4.20 ofthe RPM Package Manager (RPM) has been released. Major changes in thisrelease include a new plugin to prevent filesystem and network accessby scriptlets, the BuildSystem directive for declaring thebuild system to be used by packaged software, and more. LWN covered the development ofRPM 4.20 in September.

Security updates have been issued by AlmaLinux (go-toolset:rhel8 and linux-firmware), Arch Linux (oath-toolkit), Debian (e2fsprogs, firefox-esr, libgsf, mediawiki, and oath-toolkit), Fedora (aws, chromium, firefox, p7zip, pgadmin4, python-gcsfs, unbound, webkitgtk, znc, znc-clientbuffer, and znc-push), Mageia (ghostscript and rootcerts nss firefox firefox-l10n), Oracle (kernel, oVirt 4.4 ovirt-engine, and thunderbird), SUSE (chromedriver, chromium, cups-filters, ffmpeg-7, frr, Mesa, openssl-3, openvpn, pcp, and redis), and Ubuntu (firefox and ruby-webrick).

Linus has released 6.12-rc2 for testing.

Akamaireleased a report pointing out that therecently-reported CUPS vulnerability(original disclosure)could be used to drive distributed denial-of-service (DDoS) attacks as well. Even if an attacker cannot gain remote control over a computer, they can still cause it to fetch a URL of their choice - potentially getting free DDoS amplification.

Rust has a plethora of smart-pointer types, including reference-countedpointers, which have special support in the compiler to make themeasier to use. The Rust-for-Linux project would like to reap those same benefitsfor its smart pointers, which need to be written by hand to conform totheLinux kernelmemory model. Xiangfei Dingpresented at Kangrejos about the work to enable customsmart pointers to function the same as built-in smart pointers.

The6.11.2,6.10.13,and6.6.54 stable kernels have been released.They contain important fixes, and upgrading is, as always, recommended.

The SUSE Security Team Blog has a detailedreport on its discovery of a privilege escalation in theoath-toolkit,which provides libraries and utilities for managing one-time password(OTP) authentication.

Security updates have been issued by AlmaLinux (firefox, golang, linux-firmware, and thunderbird), Debian (kernel and zabbix), Fedora (firefox, pgadmin4, and php), Mageia (chromium-browser-stable, cjson, hostapd and wpa_supplicant, and openjpeg2), Oracle (firefox, flatpak, and go-toolset:ol8), Red Hat (cups-filters, firefox, grafana, linux-firmware, python3, python3.11, and python3.9), SUSE (expat, firefox, libpcap, and opensc), and Ubuntu (freeradius, imagemagick, and unzip).

Cameras were never the simplest of devices for Linux to support; they havea wide range of operating parameters and can generate high rates of data.In recent years, though, they have become increasingly complex, stressingthe ability of the kernel's mediasubsystem to manage them. At the 2024 Linux Plumbers Conference, developers fromthat subsystem and beyond gathered to discuss the state of affairs and howcomplex camera devices should be supported in the future.

Security updates have been issued by AlmaLinux (cups-filters), Debian (chromium and php8.2), Fedora (firefox), Oracle (cups-filters, flatpak, kernel, krb5, oVirt 4.5 ovirt-engine, and python-urllib3), Red Hat (cups-filters, firefox, go-toolset:rhel8, golang, and thunderbird), SUSE (postgresql16), and Ubuntu (gnome-shell and linux-azure-fde-5.15).

The LWN.net Weekly Edition for October 3, 2024 is available.

The open-source vector-graphics editor, Inkscape, is expected to release version1.4in October. The release represents an evolutionary step for the program, whichbrings new features, user-interface improvements, new and improvedfile-format support, and important changes to the code base. The changes inthis release should improve the user experience for both casual andprofessional designers, and make Inkscape more compatible with proprietaryvector-graphics software, including Adobe Illustrator and AffinityDesigner.

BPF Type Format (BTF),BPF's debugging information format, has undergone rapid evolution to matchthe evolving needs of BPF programs. Jose Marchesi spoke at Kangrejos about someof that work - and how it could impact Rust, specifically. He discussed debuginformation, kernel-specific relocations, and the planned changes to kernelstack unwinding. Each of these will require some amount of work to fullysupport in Rust, but preliminary signs look promising.

Version24.1 of the Arch-based Manjarodistribution is now available with the 6.10 Linux kernel,GNOME46.5, KDEPlasma6.1 and KDEGear24.08:

Security updates have been issued by AlmaLinux (grafana), Fedora (cjson and php), Oracle (389-ds-base, freeradius, grafana, kernel, and krb5), Slackware (cryfs, cups, and mozilla), SUSE (OpenIPMI, openssl-3, openvpn, thunderbird, and tomcat), and Ubuntu (cups, cups-filters, knot-resolver, linux-raspi, linux-raspi-5.4, orc, php7.4, php8.1, php8.3, python-asyncssh, ruby-devise-two-factor, and vim).

Version 7.1 ofthe FFmpeg audio/video toolkit has been released. Important changes inthis release include the VVC decoder reaching stable status, andinclusion of support for MV-HEVC decoding (which is generated byrecent phones and VR headsets), as well as support for Vulkan encodingwith H264 and HEVC. See the announcement and changelogfor full details.

Version131.0 of the Firefox browser has been released. Changes include theability to temporarily grant permissions to sites and a preview that popsup when hovering over tabs.

One concern that has often been expressed about the Rust language is thatthere is only one compiler for it. That makes it hard to say what thestandard version of the language is and restricts the architectures thatcan be targeted by Rust code to those that the available compiler supports.Adding a Rust frontend to GCC would do much to address those concerns; atthe 2024 GNU ToolsCauldron, Pierre-Emmanuel Patry gave an update on the state of thatwork and what its objectives are.

Security updates have been issued by Debian (debian-security-support, nghttp2, and sqlite3), Oracle (cups-filters, kernel, and osbuild-composer), SUSE (openssl-3), and Ubuntu (bubblewrap, flatpak and python2.7, python3.5).

Tathagata Roy has been working to make theCoccinelle tool that is used (among other things)to automate the refactoring of C code work on Rustcode as well. Roy gave apresentation at Kangrejos about that work,including the creative approaches necessary to work with Rust's more complicatedcontrol flow and syntax.

Linus Torvalds released6.12-rc1 and closed the 6.12 merge window on September29; at thatpoint, 11,260 non-merge change sets had been pulled into the mainline forthe 6.12 release. That is the lowest number of merge-window changes since5.17-rc1 in January 2022, which brought in 11,068 changesets. Nonetheless,6.12 brings a number of interesting changes, many of which were included inthe roughly 4,500 changes merged since thesummary of the first half of the 6.12 merge window was written.

WordPress is the world's mostpopular opensource blogging and contentmanagement platform. In its20plus years of existence, WordPress has been something of a posterchild for open source, similar to Linux and Firefox. It introduced theconcept of open source to millions of bloggers, smallbusiness owners,and others who have deployed WordPress to support their webpublishingneeds. Unfortunately, it is now in the spotlight due to an increasinglyugly dispute between two companies, Automattic and WPEngine, that has spilled over intothe WordPress community.

The 6.11.1, 6.10.12, 6.6.53, and 6.1.112 stable kernels have been released.Each contains important fixes and users of those series should upgrade.

The most recent major release of the Tcl/Tk language and graphical-user-interface toolkit, Tcl/Tk 9.0, has been released, a mere 27 years after the 8.0 major release in 1997. There have been plenty of releases in the interim, though, as can be seen in the Tcl chronology. The 9.0 release brings 64-bit data values, better Unicode support, the ability to use zip files as filesystems, a switch to use epoll() or kqueue() where they are available, SVG support in Tk, access to notifications and other desktop-platform services in Tk, and lots more. For more information, see the release notes for Tcl and Tk that can be downloaded as Markdown files from the announcement page. (Thanks to Matt Bradley.)

Security updates have been issued by AlmaLinux (cups-filters, net-snmp, and osbuild-composer), Debian (booth, cups, cups-filters, python-asyncssh, ruby-httparty, ruby-loofah, ruby-rails-html-sanitizer, tryton-server, unbound, and wireshark), Fedora (chromium, cjson, cups, cups-browsed, libcupsfilters, and libppd), Gentoo (Apache HTTPD, Docker, HashiCorp Consul, IcedTea, nginx, tmux, and yt-dlp), Mageia (java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, & java-latest-openjdk and libreoffice), Red Hat (git-lfs, grafana, and osbuild-composer), and SUSE (chromedriver, chromium, coredns, json-java-20240303, kernel, libmozjs-128-0, maven-archetype, python3, python312, and quagga).

The Arch Linux project has announced that Valve will be helping thedistribution with a couple of important initiatives:

Linus has released 6.12-rc1 and closed themerge window for this release.

Micha Gorny describesthe challenges involved in transitioning Gentoo to year-2038-safe timerepresentations:

In the wake of the XZbackdoor, the Debian project has revisited some of thepatches included in its OpenSSHpackages to improve security. The outcome of this is that the projectwill be splitting out support for Kerberos key exchange into aseparate set of packages, though not until after the Debian13("trixie") release expected next year. The impact on Debian usersshould be minimal, but it is an interesting look into the changesLinux distributions make to upstream software as well as some of thelong-term consequences of those choices.

Security updates have been issued by Debian (chromium and trafficserver), Fedora (chromium), Mageia (apache-mod_jk, gnome-shell, kernel, kmod-xtables-addons, and kmod-virtualbox, kernel-linus, and python3), Oracle (container-tools:ol8, dovecot, emacs, expat, firefox, git-lfs, gtk3, kernel, nano, net-snmp, osbuild-composer, python3, python3.11, python3.12, ruby:3.3, and virt:ol and virt-devel:rhel), Slackware (boost), SUSE (kernel), and Ubuntu (configobj, cups, cups-browsed, cups-filters, libcupsfilters, and libppd).

Security researcher Simone Margaritelli has reported a new vulnerability in CUPS, the software that many Linux systems use to manage printers and print jobs. Margaritelli describes the impact of the attack by saying:

Danilo Krummrich gave a talk at Kangrejos 2024 focusing on the question of howthe Rust-for-Linux project could improve at getting device and driverabstractions upstream. As a case study, he used some of his recent work thatattempts to make it possible to write a PCI driver entirely in Rust. Therewasn't time to go into as much detail as he would have liked, but he diddemonstrate that it is possible to interface with the kernel's module loader ina way that is much harder toscrew up than the current standard approach in C.

Version17 of the PostgreSQL database has been released.

The online-privacy-focused Torproject has announcedthat it has "joined forces and merged operations" with the Tails OS Linux distribution.