Feed lwn LWN.net


Link https://lwn.net/
Feed http://lwn.net/headlines/rss
Updated 2024-11-22 00:15
[$] High-performance computing with Ubuntu
Jason Nucciarone and Felipe Reyes gave back-to-back talks about high-performance computing (HPC) using Ubuntu at SCALE this year. Nucciarone talked about ongoing work packaging Open OnDemand - a web-based HPC cluster interface - to make high-performance-computing clusters more user friendly. Reyes presented on using OpenStack - a cloud-computing platform - to pass the performance benefits of one's hardware through to virtual machines (VMs) running on a cluster.
Security updates for Wednesday
Security updates have been issued by Debian (composer and nodejs), Fedora (w3m), Mageia (tomcat), Oracle (expat, firefox, go-toolset:ol8, grafana, grafana-pcp, nodejs:18, and thunderbird), Red Hat (dnsmasq, expat, kernel, kernel-rt, libreoffice, and squid), and SUSE (firefox, krb5, libvirt, and shadow).
Eight new stable kernels
Sasha Levin has announced the release of the 6.8.2, 6.7.11, 6.6.23, 6.1.83, 5.15.153, 5.10.214, 5.4.273, and 4.19.311 stable kernels. Each contains a long list of important fixes throughout the kernel tree.
[$] GNOME 46 puts Flatpaks front and center
The GNOME project announced GNOME 46 (code-named "Kathmandu") on March 20. The release has quite a few updates and improvements across user applications, developer tools, and under the hood. One thing stood out while looking over this release - a major emphasis on Flatpaks as the way to acquire and update GNOME software.
Security updates for Tuesday
Security updates have been issued by CentOS (kernel), Debian (firefox-esr), Fedora (webkitgtk), Mageia (curaengine & blender and gnutls), Red Hat (firefox, grafana, grafana-pcp, libreoffice, nodejs:18, and thunderbird), SUSE (glade), and Ubuntu (crmsh, debian-goodies, linux-aws, linux-aws-6.5, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-oracle, linux-azure, linux-azure-5.4, linux-oracle, linux-oracle-5.15, pam, and thunderbird).
[$] Nix at SCALE
The first-ever NixCon in North America was co-located with SCALE this year. The event drew a mix of experienced Nix users and people new to the project. I attended talks that covered using Nix to build Docker images, upcoming changes to how NixOS performs early booting, and ideas for making the set of services provided in nixpkgs more useful for self hosting. (LWN covered the relationship between Nix, NixOS, and nixpkgs in a recent article.) Near the end of the conference, a collection of Nix contributors gave a "State of the Union" about the growth of the project, highlighting areas of concern.
[$] The rest of the 6.9 merge window
The 6.9-rc1 kernel prepatch was released on March 24, closing the merge window for this development cycle. By that time, 12,435 non-merge changesets had been merged into the mainline, making for a less-busy merge window than the last couple of kernel releases (but similar to the 12,492 seen for 6.5). Well over 7,000 of those changes were merged after the first-half merge-window summary was written, meaning that the latter part of the merge window brought many more interesting changes.
Security updates for Monday
Security updates have been issued by Debian (cacti, firefox-esr, freeipa, gross, libnet-cidr-lite-perl, python2.7, python3.7, samba, and thunderbird), Fedora (amavis, chromium, clojure, firefox, gnutls, kubernetes, and tcpreplay), Mageia (freeimage, libreswan, nodejs-hawk, and python, python3), Oracle (golang, nodejs, nodejs:16, and postgresql-jdbc), Slackware (emacs and mozilla), SUSE (dav1d, ghostscript, go1.22, indent, kernel, openvswitch, PackageKit, python-uamqp, rubygem-rack-1_4, shadow, ucode-intel, xen, and zziplib), and Ubuntu (firefox, graphviz, libnet-cidr-lite-perl, and qpdf).
Emacs 29.3 released
Version 29.3 of the Emacs editor has been released:
Kernel prepatch 6.9-rc1
The 6.9-rc1 kernel prepatch is out for testing. Linus Torvalds described some rather large updates to the core kernel code that are coming for 6.9:
Security updates for Friday
Security updates have been issued by Debian (firefox-esr, pillow, and thunderbird), Fedora (apptainer, chromium, ovn, and webkitgtk), Mageia (apache-mod_auth_openidc, ffmpeg, fontforge, libuv, and nodejs-tough-cookie), Oracle (kernel, libreoffice, postgresql-jdbc, ruby:3.1, squid, and squid:4), Red Hat (go-toolset:rhel8 and libreoffice), SUSE (firefox, jbcrypt, trilead-ssh2, jsch-agent-proxy, kernel, tiff, and zziplib), and Ubuntu (linux-aws and openssl1.0).
[$] Hardening the kernel against heap-spraying attacks
While a programming error in the kernel may be subject to direct exploitation, usually a more roundabout approach is required to take advantage of a security bug. One popular approach for those wishing to take advantage of vulnerabilities is heap spraying, and it has often been employed to compromise the kernel. In the future, though, heap-spraying attacks may be a bit harder to pull off, thanks to the "dedicated bucket allocator" proposed by Kees Cook.
Security updates for Thursday
Security updates have been issued by Debian (pdns-recursor and php-dompdf-svg-lib), Fedora (grub2, libreswan, rubygem-yard, and thunderbird), Mageia (libtiff and python-scipy), Red Hat (golang, nodejs, and nodejs:16), Slackware (python3), and Ubuntu (linux, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-gkeop-5.15, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux, linux-azure, linux-gcp, linux-gcp-6.5, linux-hwe-6.5, linux-lowlatency, linux-lowlatency-hwe-6.5, linux-oem-6.5, linux-oracle, linux-oracle-6.5, linux-raspi, linux-starfive, linux-starfive-6.5, linux-aws, linux-aws-5.15, linux-aws, linux-aws-5.4, linux-gcp-5.4, linux-raspi, linux-raspi-5.4, linux-xilinx-zynqmp, linux-gcp, linux-gcp-4.15, linux-kvm, linux-laptop, linux-oem-6.1, and linux-raspi).
Rust 1.77.0 released
Version 1.77.0 of the Rust language has been released. Changes include support for NUL-terminated C-string literals, the ability for async functions to call themselves recursively, the stabilization of the offset_of!() macro, and more.
Perl 5.39.9 released
Version 5.39.9 of the Perl language has been released. Changes this time include a new "medium-precedence" logical exclusive-or operator, a number of updated modules, and more; see this page for details.
Redis is no longer free software
The Redis in-memory database system has had its license changed to either the Redis Source Available License or the Server Side Public License (covered here in 2018); neither license qualifies as free software.
The "Nova" driver for NVIDIA chipsets
Danilo Krummrich has announced the existence of the "Nova" project within Red Hat.
[$] LWN.net Weekly Edition for March 21, 2024
The LWN.net Weekly Edition for March 21, 2024 is available.
GNOME 46 released
Version 46 of the GNOME desktop has been released. "GNOME 46 is code-named 'Kathmandu', in recognition of the amazing work done by the organizers of GNOME.Asia 2023." Significant changes include a new global search feature, enhancements to the Files app, improved remote login support, and more.
[$] Managing Linux servers with Cockpit
Cockpit is an interesting project for web-based Linux administration that has received relatively little attention over the years. Part of that may be due to the project's strategy of minor releases roughly every two weeks, rather than larger releases with many new features. While the strategy has done little to garner headlines, it has delivered a useful and extensible tool to observe, manage, and troubleshoot Linux servers.
Python announces first security releases since becoming a CNA
The Python project has announced three security releases, 3.10.14, 3.9.19, and 3.8.19. In addition to the security fixes, these releases are notable for two reasons: they are the first to make use of GitHub Actions to perform public builds instead of building artifacts "on a local computer of one of the release managers", and the first since Python became a CVE Numbering Authority (CNA). Python release team member Łukasz Langa said that being a CNA means Python is able to "ensure the quality of the vulnerability reports is high, and that the severity estimates are accurate." It also allows Python to coordinate CVE announcements with the patched versions of Python, as it has with two CVEs addressed in these releases. CVE-2024-0450 describes a flaw in CPython's zipfile module that made it vulnerable to a zip-bomb exploit. CVE-2023-6597 is an issue with Python's tempfile.TemporaryDirectory class which could be exploited to modify permissions of files referenced by symbolic links. Users of affected versions should upgrade soon.
Security updates for Wednesday
Security updates have been issued by Debian (fontforge and imagemagick), Fedora (firefox), Mageia (cherrytree, python-django, qpdf, and sqlite3), Red Hat (bind, cups, emacs, fwupd, gmp, kernel, libreoffice, libX11, nodejs, opencryptoki, postgresql-jdbc, postgresql:10, postgresql:13, and ruby:3.1), Slackware (gnutls and mozilla), and Ubuntu (firefox, linux, linux-bluefield, linux-gcp, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-iot, linux-kvm, linux-oracle, linux-oracle-5.4, linux-aws, linux-aws-5.4, linux-aws, linux-aws-6.5, and linux-oracle, linux-oracle-5.15).
[$] "Real" anonymous functions for Python
There are a number of different language-enhancement ideas that crop up with some regularity in the Python community; many of them have been debated and shot down multiple times over the years. When one inevitably arises anew, it can sometimes be difficult to tamp it down, even if it is unlikely that the idea will go any further than the last N times it cropped up. A recent discussion about "real" anonymous functions follows a somewhat predictable path, but there are still reasons to participate in vetting these "new" ideas, despite the tiresome, repetitive nature of the exercise - examples of recurring feature ideas that were eventually adopted definitely exist.
Firefox 124.0 released
Version 124.0 of the Firefox browser is out. Changes include support for "caret browsing mode" in the PDF viewer and the ability to control the sorting of tabs in the Firefox View screen.
Security updates for Tuesday
Security updates have been issued by Debian (cacti, postgresql-11, and zfs-linux), Fedora (freeimage, mingw-expat, and mingw-freeimage), Mageia (apache-mod_security-crs, expat, and multipath-tools), Oracle (.NET 7.0 and kernel), Red Hat (kernel, kernel-rt, and kpatch-patch), and Ubuntu (bash, kernel, linux, linux-aws, linux-hwe, linux-kvm, linux-oracle, linux, linux-aws, linux-kvm, linux-lts-xenial, and vim).
Man Yue Mo: Gaining kernel code execution on an MTE-enabled Pixel 8
Man Yue Mo explains how to compromise a Pixel 8 phone even when the Arm memory-tagging extension is in use, by taking advantage of the Mali GPU.
[$] Toward a real "too small to fail" rule
Kernel developers have long been told that any attempt to allocate memory might fail, so their code must be prepared for memory to be unavailable. Informally, though, the kernel's memory-management subsystem implements a policy whereby requests below a certain size will not fail (in process context, at least), regardless of how tight memory may be. A recent discussion on the linux-mm list has looked at the idea of making the "too small to fail" rule a policy that developers can rely on.
Security updates for Monday
Security updates have been issued by Debian (curl, spip, and unadf), Fedora (chromium, iwd, opensc, openvswitch, python3.6, shim, shim-unsigned-aarch64, and shim-unsigned-x64), Mageia (batik, imagemagick, irssi, jackson-databind, jupyter-notebook, ncurses, and yajl), Oracle (.NET 7.0, .NET 8.0, and dnsmasq), Red Hat (postgresql:10), SUSE (chromium, kernel, openvswitch, python-rpyc, and tiff), and Ubuntu (openjdk-8).
[$] Cranelift code generation comes to Rust
Cranelift is an Apache-2.0-licensed code-generation backend being developed as part of the Wasmtime runtime for WebAssembly. In October 2023, the Rust project made Cranelift available as an optional component in its nightly toolchain. Users can now use Cranelift as the code-generation backend for debug builds of projects written in Rust, making it an opportune time to look at what makes Cranelift different. Cranelift is designed to compete with existing compilers by generating code more quickly than they can, thanks to a stripped-down design that prioritizes only the most important optimizations.
Mitchell: Today we launched Flox 1.0
Zach Mitchell has announced the 1.0 release of Flox, a tool that lets its users install packages from nixpkgs inside portable virtual environments, and share those virtual environments with others as an alternative to Docker-style containers. Flox is based on Nix but allows users to skip learning how to work with the Nix language:
Eight stable kernel updates for the weekend
Sasha Levin has announced the release of the 6.8.1, 6.7.10, 6.6.22, 6.1.82, 5.15.152, 5.10.213, 5.4.272, and 4.19.310 stable kernels. As always, they contain important fixes throughout the tree. Users of those kernels should upgrade.
Security updates for Friday
Security updates have been issued by Debian (composer and node-xml2js), Fedora (baresip), Mageia (fonttools, libgit2, mplayer, open-vm-tools, and packages), Red Hat (dnsmasq, gimp:2.8, and kernel-rt), and SUSE (389-ds, gdb, kernel, python-Django, python3, python36-pip, spectre-meltdown-checker, sudo, and thunderbird).
[$] The first half of the 6.9 merge window
As of this writing, just over 4,900 non-merge changesets have been pulled into the mainline for the 6.9 release. This work includes the usual array of changes all over the kernel tree; read on for a summary of the most significant work merged during the first part of the 6.9 merge window.
Security updates for Thursday
Security updates have been issued by Debian (chromium and openvswitch), Fedora (chromium, python-multipart, thunderbird, and xen), Mageia (java-17-openjdk and screen), Red Hat (.NET 7.0, .NET 8.0, kernel-rt, kpatch-patch, postgresql:13, and postgresql:15), Slackware (expat), SUSE (glibc, python-Django, python-Django1, sudo, and vim), and Ubuntu (expat, linux-ibm, linux-ibm-5.4, linux-oracle, linux-oracle-5.4, linux-lowlatency, linux-raspi, python-cryptography, texlive-bin, and xorg-server).
[$] LWN.net Weekly Edition for March 14, 2024
The LWN.net Weekly Edition for March 14, 2024 is available.
[$] Questions about machine-learning models for Fedora
Kaitlyn Abdo of Fedora's AI/ML SIG opened an issue with the Fedora Engineering Steering Committee (FESCo) recently that carried a few tricky questions about packaging machine-learning (ML) models for Fedora. Specifically, the SIG is looking for guidance on whether pre-trained weights for PyTorch constitute code or content. And, if the models are released under a license approved by the Open Source Initiative (OSI), does it matter what data the models were trained on? The issue was quickly tossed over to Fedora's legal mailing list and sparked an interesting discussion about how to handle these items, and a temporary path forward.
Security updates for Wednesday
Security updates have been issued by Fedora (edk2, freeipa, kernel, and liblas), Oracle (kernel), Red Hat (docker, edk2, kernel, kernel-rt, and kpatch-patch), SUSE (axis, fontforge, gnutls, java-1_8_0-openjdk, kernel, python3, sudo, and zabbix), and Ubuntu (dotnet7, dotnet8, libgoogle-gson-java, openssl, and ovn).
[$] A new filesystem for pidfds
The pidfd abstraction is a Linux-specific way of referring to processes that avoids the race conditions inherent in Unix process ID numbers. Since a pidfd is a file descriptor, it needs a filesystem to implement the usual operations performed on files. As the use of pidfds has grown, they have stressed the limits of the simple filesystem that was created for them. Christian Brauner has created a new filesystem for pidfds that seems likely to debut in the 6.9 kernel, but it ran into a little bump along the way, demonstrating that things you cannot see can still hurt you.
Today's hardware vulnerability: register file data sampling
The mainline kernel has just received a set of commits addressing the "register file data sampling" hardware vulnerability.
Herb Sutter on increasing safety in C++
Herb Sutter, chair of the ISO C++ standards committee, writes about the current problems with writing secure C++, and his personal opinion on next steps to address this while maintaining backward compatibility.
[$] Insecurity and Python pickles
Serialization is the process of transforming Python objects into a sequence of bytes which can be used to recreate a copy of the object later - or on another machine. pickle is Python's native serialization module. It can store complex Python objects, making it an appealing prospect for moving data without having to write custom serialization code. For example, pickle is an integral component of several file formats used for machine learning. However, using pickle to deserialize untrusted files is a major security risk, because doing so can invoke arbitrary Python functions. Consequently, the machine-learning community is working to address the security issues caused by widespread use of pickle.
Security updates for Tuesday
Security updates have been issued by Debian (qemu), Mageia (libtiff and thunderbird), Red Hat (kernel, kpatch-patch, postgresql, and rhc-worker-script), SUSE (compat-openssl098, openssl, openssl1, python-Django, python-Django1, and wpa_supplicant), and Ubuntu (accountsservice, libxml2, linux-bluefield, linux-raspi-5.4, linux-xilinx-zynqmp, linux-oem-6.1, openvswitch, postgresql-9.5, and ruby-rack).
Huston: KeyTrap!
Geoff Huston digs into the details of the KeyTrap DNS vulnerability, which was disclosed in February.
[$] Development statistics for 6.8
The 6.8 kernel was released on March 10 after a typical, nine-week development cycle. Over this time, 1,938 developers contributed 14,405 non-merge changesets, making 6.8 into a slower cycle than 6.7 (but busier than 6.6), with the lowest number of developers participating since the 6.5 release. Still, there was a lot going on during this cycle; read on for some of the details.
Security updates for Monday
Security updates have been issued by Debian (libuv1, nss, squid, tar, tiff, and wordpress), Fedora (chromium, exercism, grub2, qpdf, and wpa_supplicant), Oracle (edk2 and opencryptoki), and SUSE (cpio, openssl-1_0_0, openssl-1_1, openssl-3, sudo, tomcat, and xen).
The 6.8 kernel has been released
Linus has released the 6.8 kernel.
Huang: IRIS (Infra-Red, in situ) Project Updates
Andrew 'bunnie' Huang provides an update on his IRIS infrared chip-scanning project as the starting point for a detailed summary on how chip customers can detect forgeries and modifications in general.
[$] Untangling the Open Collectives
Name collisions aren't just a problem for software development - organizations, projects, and software that have the same or similar names can cause serious confusion. That was certainly the case on February 28 when the Open Collective Foundation (OCF) began to notify its hosted projects that it would be shutting down by the end of 2024. The announcement surprised projects hosted with OCF, as one might expect. It also worried and confused users of the Open Collective software platform from Open Collective, Inc. (OCI), as well as organizations hosted by the Open Source Collective (OSC) and Open Collective Europe (OC Europe). There is enough confusion about the names, relationships between the organizations, and impact on projects like Flatpak, Homebrew, and htop hosted by OCF, that a deeper look is warranted.
[$] Better linked-list traversal in BPF
Before loading a BPF program, the kernel must verify that the program is safe to run; among other things, that verification includes ensuring that the program will terminate within a bounded time. That requirement has long made writing loops in BPF a challenging task. The situation has improved over the years for some types of loops, but others - including linked-list traversal - are still awkward in BPF programs. A new set of BPF primitives aims to make life easier for this use case through the installation of what can be seen as a sort of circuit breaker.
Security updates for Friday
Security updates have been issued by Debian (fontforge), Fedora (chromium, iwd, libell, and thunderbird), Oracle (buildah, kernel, skopeo, and tomcat), Red Hat (opencryptoki), Slackware (ghostscript), SUSE (go1.21, go1.22, google-oauth-java-client, jetty-minimal, openssl-1_0_0, python310, sudo, wpa_supplicant, and xmlgraphics-batik), and Ubuntu (libhtmlcleaner-java, linux, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-gkeop-5.15, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-lowlatency-hwe-5.15, linux-nvidia, linux-azure, linux-azure-6.5, linux-hwe-6.5, mqtt-client, ncurses, and puma).