While programmers are used to having tools to check their code for stylistic problems, writers often limit automatic checks of their texts to spelling and, sometimes, grammar, because there are not a lot of options for further checking. If that is the case, Vale, an open-source, command-line tool to enforce editorial-style guidelines, would make a useful addition to their toolbox. The recent release of Vale 3.0 warrants a look at this versatile tool, which assists writers by identifying common errors and helping them maintain a consistent voice in their prose.
The Fedora Project switched to MariaDB as the default implementation of MySQL in Fedora 19 in 2013. Once a drop-in replacement for MySQL, MariaDB has diverged enough that this is no longer the case - and, despite concerns about Oracle and optimism that MariaDB would supplant MySQL, the reality is that MySQL and MariaDB seem to be here to stay. With that in mind, Fedora developer Michal Schorm proposed that the project revise the way MySQL and MariaDB are packaged in Fedora starting with Fedora 40.
The postmarketOS project, which produces a Linux distribution for phones and mobile devices, has announced that it is in the early stages of adding systemd to make it easier to support GNOME and KDE. Users who prefer the OpenRC init system are assured they will still have that option when building their own images "as long as OpenRC is in Alpine Linux (on which postmarketOS is based)":
QUIC is a UDP-based transport protocol that forms the foundation of HTTP/3. It was initially developed at Google in 2012, and became an IETF standard in 2021. Work on the protocol did not stop with its standardization, however. The QUIC Working Group published several follow-up standards. Now, it is working on four more extensions to QUIC intended to patch over various shortcomings in the current protocol - although progress has not been quick.
Greg Kroah-Hartman has announced another round of stable kernel updates: 6.7.9, 6.6.21, 6.1.81, 5.15.151, 5.10.212, 5.4.271, and 4.19.309 have all been released. Each contains a set of important fixes.
The kernel's memory-management subsystem is built on the concept of "zones", which were initially added to describe the physical characteristics of the memory pages contained within them. Over time, zones have taken on more of a policy-related role as well. With a patch set called THP allocator optimizations, Yu Zhao has set out to better define the role of policy-related zones on the path toward adding two more of them, with the ultimate purpose of improving the kernel's support for transparent huge pages (THPs).
Security updates have been issued by Debian (yard), Oracle (buildah and kernel), Red Hat (389-ds:1.4, edk2, frr, gnutls, haproxy, libfastjson, libX11, postgresql:12, sqlite, squid, squid:4, tcpdump, and tomcat), SUSE (apache2-mod_auth_openidc and glibc), and Ubuntu (linux-gke, python-cryptography, and python-django).
It has long been possible to run multiple Python interpreters in the same process - via the C API, but not within the language itself. Eric Snow has been working to make this ability available in the language for many years. Now, Snow has published PEP 734 ("Multiple Interpreters in the Stdlib"), the latest work in his quest, and submitted it to the Python steering council for a decision. If the PEP is approved, users will have an additional option for writing performant parallel Python code.
Security updates have been issued by Debian (firefox-esr and thunderbird), Fedora (dotnet6.0, dotnet8.0, and mod_auth_openidc), Gentoo (Blender, Tox, and UltraJSON), Oracle (kernel), Red Hat (edk2), SUSE (sendmail and zabbix), and Ubuntu (nodejs and thunderbird).
The 6.7.8 and 6.6.20 stable kernel updates have been released. They contain a single patch addressing an ntfs3 filesystem build error introduced in the previous round of updates.
One of the outcomes of the (extremely) lengthy discussion about using Common Lisp features in Emacs Lisp (Elisp), which we looked at back in November, was an effort to start removing some of those uses from Emacs. The rewrite of some of the Elisp in Emacs that uses the Common Lisp library (cl-lib) was started by Richard Stallman as a way to reduce the cognitive load needed for maintaining Emacs itself. Since then, he has broadened his efforts to simplify Elisp by adding a new pattern-matching conditional that would be a competitor to pcase, which is a longstanding macro that he finds overly complex.
On February 29, the musl project announced release 1.2.5, including support for loongarch64 and riscv32. This release also contains support for the statx(), preadv2(), and pwritev2() system calls.
Greg Kroah-Hartman has announced the release of seven new stable kernels: 6.7.7, 6.6.19, 6.1.80, 5.15.150, 5.10.211, 5.4.270, and 4.19.308. As usual, they contain many important fixes throughout the kernel tree.
Security updates have been issued by CentOS (firefox and thunderbird), Debian (gsoap, python-django, and wireshark), Fedora (dotnet7.0 and gifsicle), Mageia (sympa), Oracle (postgresql:10, postgresql:12, thunderbird, and unbound), Red Hat (kpatch-patch, python-pillow, and squid:4), SUSE (nodejs12, nodejs14, nodejs16, nodejs18, and openvswitch3), and Ubuntu (linux-azure, linux-lowlatency, linux-starfive-6.5, php-guzzlehttp-psr7, and php-nyholm-psr7).
Over on the Collabora blog, Faith Ekstrand has announced that the NVK Vulkan driver for NVIDIA devices will be part of Mesa 24.1 and is ready for real-world use. It should be appearing in Linux distributions later this year.
The Linux kernel follows a monolithic design, and that brings a well-known problem: all code in the kernel has access to the entirety of the kernel's address space. As a result, a bug in (for example) an obscure driver may well be exploitable to wreak havoc on core-kernel data structures. Various attempts have been made over the years to increase the degree of isolation within the kernel. The latest of these, "SandBox Mode" proposed by Petr Tesařík, makes it possible for the kernel to run some limited code safely, but it has encountered a bit of a chilly reception.
Security updates have been issued by Debian (chromium), Fedora (moodle), Red Hat (kernel, kernel-rt, and postgresql:15), Slackware (wpa_supplicant), SUSE (Java and rear27a), and Ubuntu (libcpanel-json-xs-perl, libuv1, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.4, linux-lowlatency, linux-lowlatency-hwe-6.5, linux-oem-6.5, python-openstackclient, and unbound).
Tails 6.0 is now available. Based on Debian, Tails is a portable operating system designed to run from a USB stick and help users avoid surveillance and censorship. This release updates most Tails applications, and includes important security and usability improvements. One major new feature in 6.0 is to provide warnings to users about errors when reading or writing to persistent storage. This release now ignores USB devices plugged in while the screen is locked, and removes some file and disk-wiping features from the Files application that are "not reliable enough" on USB sticks and SSDs to continue offering to users. Users of Tails prior to 6.0~rc1 will need to do a manual upgrade to retain persistent storage. New users can download Tails for USB, or as an ISO to create a DVD or run Tails in a virtual machine.
It's been nearly 10 years since KDE Plasma 5, which is the last major release of the desktop. On February 28 the project announced its "mega release" of KDE Plasma 6, KDE Frameworks 6, and KDE Gear 24.02 - all based on the Qt 6 development framework. This release focuses heavily on migrating to Wayland, and aspires to be a seamless upgrade for the user while improving performance, security, and support for newer hardware. For developers, a lot of work has gone into removing deprecated frameworks and decreasing dependencies to make it easier to write applications targeting KDE.
The Open Collective Foundation is an organization created to provide legal and financial services for non-profit projects, many of which are associated with free software. Projects hosted there are now beginning to report that the Open Collective Foundation will be shutting down at the end of the year, with an unwinding process over that time.
Nix and Guix are a pair of unusual package managers based on the idea of declarative configurations. Their associated Linux distributions - NixOS and the Guix System - take the idea further by allowing users to define a single centralized configuration describing the state of the entire system. Both have been previously mentioned on LWN, but not covered extensively. They offer different takes on the central idea of treating packages like immutable values.
Security updates have been issued by Debian (engrampa and libgit2), Fedora (libxls, perl-Spreadsheet-ParseXLSX, and wpa_supplicant), Gentoo (PyYAML), Mageia (packages and thunderbird), Red Hat (firefox, kernel, linux-firmware, thunderbird, and unbound), Slackware (openjpeg), SUSE (golang-github-prometheus-prometheus, installation-images, kernel, python-azure-core, python-azure-storage-blob, salt and python-pyzmq, SUSE Manager 4.2.11, SUSE Manager 4.3, SUSE Manager Server 4.2, and wayland), and Ubuntu (dnsmasq, libde265, libxml2, openjdk-17, openjdk-21, openjdk-lts, and postgresql-12, postgresql-14, postgresql-15).
In a recent episode, "Pitchforks for RDSEED", we learned that there was some uncertainty around whether hardware-based random-number generators on x86 CPUs could fail. Since the consequences of failure in some situations (confidential-computing applications in particular) can be catastrophic, there was some concern about this prospect and what to do about it. Since then, the situation has come a bit more into focus, and there would appear to be an agreed-upon plan for changes to be made to the kernel.
Version 0.6 of Incus, a fork of LXD, has been released. This release includes a number of changes, including a new storage driver called lvmcluster, improvements for Open Virtual Network (OVN) users, improvements to migration tooling, a number of new security features, and storage bucket backup and re-import. See the release announcement for detailed release notes and complete list of changes. The announcement notes that a Long Term Support (LTS) release of Incus is planned in a few months "to coincide with the LTS releases of LXC and LXCFS".
At FOSDEM 2024, the "Tool the docs" devroom hosted several talks about free and open-source tools for writing, managing, testing, and rendering documentation. The central concept was to treat documentation as code, which makes it possible to incorporate various tools into documentation workflows in order to maintain high quality.
Version 2.44.0 of the Git source-code management system has been released. There is a long list of changes, including the git replay command for faster, server-side rebasing, a number of command-line completion improvements, and more.
The world of open-source "forges" is becoming a little more fragmented. The Forgejo project is a software-development platform that started as a "soft" fork of Gitea in late 2022. On February 16, Forgejo announced its intent to become a "hard fork" of Gitea to help address its mission of community-controlled development and to "liberate software development from the shackles of proprietary tools". In a world where proprietary tools cast a long shadow over open-source development that's a welcome sentiment - if the project can deliver.
Greg Kroah-Hartman has announced the release of seven new stable kernels: 6.7.6, 6.6.18, 6.1.79, 5.15.149, 5.10.210, 5.4.269, and 4.19.307. As usual, they contain many important fixes throughout the kernel tree.
Security updates have been issued by Debian (chromium, imagemagick, and iwd), Fedora (chromium, firefox, and pdns-recursor), Mageia (nodejs and yarnpkg), Red Hat (firefox, postgresql, and postgresql:15), and SUSE (bind, mozilla-nss, openssh, php-composer2, python-pycryptodome, python-uamqp, python310, and tiff).
The Curl project has previously had problems with CVEs issued for things that are not security issues. On February 21, Daniel Stenberg wrote about the Curl project's most recent issue with the CVE system, saying:
The Linux kernel uses a number of hardening techniques to try to protect itself against compromise; one of those is kernel address-space layout randomization (KASLR). But randomization is of little benefit if the kernel spills the beans on where its code has ended up. As it happens, the kernel has been doing exactly that - since 2007, in a behavior that predates the addition of KASLR. Some changes are in the works to close that hole, but it is illustrative of just how hard some secrets are to keep.
Sudo is a ubiquitous tool for running commands with the privileges of another user on Unix-like operating systems. Over the past decade or so, some alternatives have been developed; the base system of OpenBSD now comes with doas instead, sudo-rs is a subset of sudo reimplemented in Rust, and, somewhat surprisingly, Microsoft also recently announced its own Sudo for Windows. Each of these offers a different approach to the task of providing limited privileges to unprivileged users.
Alexei Starovoitov introduced a patch series for the Linux kernel on February 6 to add bpf_arena, a new type of shared memory between BPF programs and user space. Starovoitov expects arenas to be useful both for bidirectional communication between user space and BPF programs, and for use as an additional heap for BPF programs. This will likely be useful to BPF programs that implement complex data structures directly, instead of relying on the kernel to supply them. Starovoitov cited Google's ghOSt project as an example and inspiration for the work.
Version 5.10 of the RawTherapee raw photo editor is out. The list of changes is long, and includes improved support for many camera-specific formats. (LWN looked at RawTherapee in 2022).
DNS resolvers (those that handle DNSSEC, at least) are almost uniformly vulnerable to an exploit that has been named "KeyTrap". In short, the right type of packet can send a DNS system into something close to an infinite loop, taking it out of service indefinitely.
Qubes OS is a security-focused desktop Linux distribution built on Fedora Linux and the Xen hypervisor. Qubes uses virtualization to run applications, system services, and device access via virtual machines called "qubes" that have varying levels of trust and persistence to provide an open-source "reasonably secure" operating system with "serious privacy". The Qubes 4.2.0 release, from December 2023, brings a number of refinements to make Qubes OS easier to manage and use.