We have just received thesad news of the passing of Daniel Bristot de Oliveira at far too youngan age. He was a strong contributor to the core kernel and associatedrealtime infrastructure, and always a joyful presence in person; he will bedeeply missed.
Security updates have been issued by AlmaLinux (python3.11), Debian (composer), Fedora (thunderbird), Mageia (chromium-browser-stable, python-aiohttp, python-gunicorn, python-werkzeug, and virtualbox), Oracle (libreswan and python3.11), Red Hat (git, kpatch-patch, python3.11, python3.9, and thunderbird), and SUSE (avahi, ghostscript, grafana and mybatis, hdf5, kernel, openssl-1_1-livepatches, python-docker, and wget).
GhostBSD is adesktop-oriented operating system based on FreeBSD and the MATE Desktop Environment. Thegoal of the project is to lower the barrier to entry of using FreeBSDon a desktop or laptop system, and it largely succeeds at this. While it has a few rough edgesthat make it hard to recommend for the average desktop user, it isa fine choice for users who want a desktop with FreeBSD underpinningssuch as the Z File System (ZFS), and the Ports (source) and Packages (binary) software collections.
Security updates have been issued by AlmaLinux (ipa and libreswan), Debian (netty), Fedora (python-PyMySQL, tomcat, and webkitgtk), Gentoo (Flatpak, GLib, JHead, LZ4, and RDoc), Mageia (thunderbird), Oracle (nghttp2 and thunderbird), Red Hat (dnsmasq, libreswan, pki-core, and python3.11), Slackware (emacs), SUSE (gnome-settings-daemon, libarchive, qpdf, vte, and wget), and Ubuntu (libhibernate3-java).
Version29.4 of the Emacs editor has been released. This is "an emergencybugfix release" fixing a vulnerability that can causethe editor to execute arbitrary shell code in Org mode. Anybody who runs Emacs onuntrusted files - including those using Gnus or one of the Emacs mail modes- should be looking to update. For those who cannot update, a pair ofmessages from RussAllbery and Florian Weimerinvestigates how to disable the Org-mode evaluation, a task that isseemingly more complicated than it should be.
The 6.10-rc5 kernel prepatch is out fortesting. "So far, the 6.10 release cycle has been fairly calm, and rc5continues that trend. Let's hope things stay that way."
The linux-wireless mailing list carries the tersenotice that longtime networking developer Larry Finger passed away onJune21. The LWN KernelSource Database shows that Finger contributed to 94releases inthe (Git era) kernel history, starting with 2.6.16 - 1,464 commits intotal. He will be missed.
At the2024 Linux Storage,Filesystem, Memory Management, and BPF Summit, Wedson Almeida Filho andKent Overstreet led a combined storage and filesystem session on using Rustfor Linux filesystems. Back in December 2023, Almeida had postedan RFC patch set withsome Rust abstractions for filesystems, which resulted in some disagreement over the approach. On thesame mid-May day as the session, he posteda second version of the RFC patches, which he wanted to discuss along withother Rust-related topics.
Security updates have been issued by AlmaLinux (firefox, ghostscript, idm:DL1, and thunderbird), Debian (php8.2 and putty), Mageia (chromium-browser-stable), Oracle (ghostscript and thunderbird), Red Hat (thunderbird), and SUSE (containerd, kernel, php-composer2, podofo, python-cryptography, and rmt-server).
User namespaces in Linux create anenvironment in which all privileges are granted, but their effect iscontained within the namespace; they have become an important tool for theimplementation of containers. They have also become a significant sourceof worries for people who do not like the increased attack surface theycreate for the kernel. Various attempts have been made to restrict thatattack surface over the years; the latest is user namespacecapabilities, posted by Jonathan Calmels.
Arnaldo Carvalho de Melo spoke at the 2024Linux Storage,Filesystem, Memory Management, and BPF Summitabout his work onPoke-a-hole (pahole),a program that has expanded greatly over the years, but which was relevant to theBPF track because it produces BPF Type Format (BTF) information from DWARFdebugging information. He covered some small changes to the program, and thenwent into detail about the new support for data-type profiling. Hisslides includeseveral examples.
Security updates have been issued by AlmaLinux (ghostscript and thunderbird), Debian (chromium, composer, libndp, and sendmail), Fedora (composer), Mageia (flatpak and python-scikit-learn), Red Hat (curl, ghostscript, and thunderbird), SUSE (hdf5 and opencc), and Ubuntu (gdb and php7.4, php8.1, php8.2, php8.3).
Philip Hazel was 51 when he began the Exim message transfer agent (MTA)project in 1995, whichled to the Perl-Compatible RegularExpressions (PCRE) project in 1998. At 80,he's maintained PCRE, and its successor PCRE2, for more than 27years. For those doing the math, that's a year longer than LWN hasbeen in publication. Exim maintenance was handed off around the timeof his retirement in 2007. Now, he is ready to hand off PCRE2 as well,if a successor can be found.
Andrii Nakryiko led a session atthe 2024Linux Storage,Filesystem, Memory Management, and BPF Summit givinga look into the APIs for capturing stack tracesusing BPF, and how the APIs could be made more useful. BPF programs can capture thecurrent stack trace of a running process, including the portion in the kernelduring execution of a system call, which can be useful for diagnosingperformance problems, among other things. But there are substantial problems withthe existing API.
It has been four months since GregKroah-Hartman and MITREannounced that the Linux kernel project had become its own CVE NumberingAuthority (CNA). Since then, the Linux CNA Team has developed workflowsand mechanisms to help manage the various tasks associated with thischallenge. There does however, appear to be a lack of understanding amongcommunity members of the processes and rules the team have been workingwithin. The principal aim of this article, written by a member of theLinux kernel CNA team, is to clarify how the team works and how kernel CVEnumbers are assigned.
Security updates have been issued by AlmaLinux (container-tools, firefox, and flatpak), Debian (composer, roundcube, and thunderbird), Fedora (kitty and webkitgtk), Oracle (container-tools and flatpak), Red Hat (flatpak and java-1.8.0-ibm), SUSE (gdcm, gdk-pixbuf, libarchive, libzypp, zypper, ntfs-3g_ntfsprogs, openssl-1_1, openssl-3, podman, python-Werkzeug, and thunderbird), and Ubuntu (git, linux-hwe-6.5, mariadb, mariadb-10.6, and thunderbird).
One of the big-ticket items for the upcoming Python3.13 release is an experimental just-in-time (JIT) compiler for the language;the other is, of course, the removal of the global interpreter lock (GIL), which is also an experiment. BrandtBucher is a member of the Faster CPython project, which isworking on making the reference implementation of the language faster via avariety of techniques. Last year at PyCon, he gave a talk about the specializing adaptiveinterpreter; at PyCon2024 in Pittsburgh, he described the work he and others have been doingto add a copy-and-patch JIT compiler to CPython.
On the final day of the 2024Linux Storage,Filesystem, Memory Management, and BPF Summit, the BPF trackopened with a series of sessions on improving the performance andflexibility of probes and other performance-monitoring tools, in the kernel and inuser space. Jiri Olsa led two sessions about different aspects of probes:making the API for BPF programs attached to a probe more flexible, and makinguser-space probes more efficient.
Security updates have been issued by Debian (php7.3), Fedora (galera, ghostscript, and mariadb), Mageia (cups, iperf, and libndp), Oracle (firefox and flatpak), Red Hat (container-tools:rhel8, Firefox, firefox, and flatpak), SUSE (booth, bouncycastle, firefox, ghostscript, less, libaom, openssl-1_1, openssl-3, podman, python-Authlib, python-requests, python-Werkzeug, webkit2gtk3, and xdg-desktop-portal), and Ubuntu (ghostscript, ruby-rack, ruby2.7, ruby3.0, ruby3.1, ruby3.2, and sssd).
The kernel has a lot of code paths that are normally disabled: debugging printstatements, tracepoints, etc. To support these efficiently, thereis a common mechanism calledstatic keys that provides a way to enable or disable acode path at run time, with effectively no overhead for disabledbranches. BPF programs have not been able to take advantage of static keys so far,because they aren't compiled into the kernel.Now, it looks like BPF may be getting support for a similar mechanism -and the design could also provide one of the components needed to supportjump tables, another missing feature.Anton Protopovov presented his plans to add static keys to BPF at the 2024Linux Storage,Filesystem, Memory Management, and BPF Summit.
PostmarketOS is an Alpine Linuxderivative distribution aimed at mobile devices; the v24.06release claims support for over 250 devices, though the level of thatsupport varies widely. "This release is geared mainly towards Linuxenthusiasts. We are working hard on stability improvements and automatedtesting, but if you expect Android or iOS levels of polish, then this isnot for you yet." Changes include an upgrade to Alpine Linux 3.20,newer GNOME and KDE versions, and more.
Software-interrupt handlers (also called "bottom halves") have a longhistory in the Linux kernel; for much of that history, developers havewished that they could go away. One of their unfortunate characteristicsis that they can add unexpected latency to the execution of unrelatedprocesses; this problem is felt especially acutely in therealtime-preemption community. The solution adopted there has createdproblems of its own, though; in response Sebastian Andrzej Siewior is proposinga new locking mechanism for realtime builds of the kernel that may havebenefits for non-realtime users as well.
The Python Software Foundation has published aset of reports from the 2024 Python Language summit. Topics coveredinclude version numbering, the limited C API, a new default read-eval-printloop, and Python's security model in light of the XZ backdoor:
KDE developer Nate Graham has announceda new set of KDE HumanInterface Guidelines (HIG) for the KDE project. Graham says that the goalsfor the new HIGs were to reflect how KDE designs software today, makethe content 100% actionable, improve navigation, and to improve theguidelines so people feel comfortable contributing:
The openSUSE project recently announcedthe second release candidate (RC2) of its Aeon Desktop, formerly knownas MicroOS Desktop GNOME. Aside from the new coat of naming paint,Aeon breaks ground in a few other ways by dabbling with technologies not found in other openSUSE releases. The goal for Aeon is to provideautomated system updates using snapshots that can be appliedatomically, removing the burden of system maintenance for"lazy developers" who want to focus on their work rather than desktopadministration. System-tinkerers need not apply.
Security updates have been issued by CentOS (389-ds-base, bind, bind-dyndb-ldap, and dhcp, firefox, glibc, ipa, less, libreoffice, and thunderbird), Debian (cups), Fedora (chromium and cyrus-imapd), Mageia (golang and poppler), Oracle (bind, bind-dyndb-ldap, and dhcp, gvisor-tap-vsock, python-idna, and ruby), Red Hat (dnsmasq and expat), SUSE (libaom, php8, podman, python-pymongo, python-scikit-learn, and tiff), and Ubuntu (h2database and vte2.91).
The BPF verifier is a complex program. This has the unfortunate effect of makingit simultaneously more difficult for contributors to work on, and more likelyto harbor unknown bugs. Shung-Hsi Yu had two concrete proposals for how tosimplify the verifier to make it easier to maintain that he presented at the 2024Linux Storage,Filesystem, Memory Management, and BPF Summit. Yu proposed changing how theverifier tracks partially known values and cleaning up the interface tohide the details of the value-tracker's internal representation.
Redirecting execution flow is a common malwaretechnique that can be used to compromise operating systems. To protect from such attacks,the chip makers of leading architectures like x86 and arm64 have implementedcontrol-flow-integrity (CFI) extensions, though they need systemsoftware support to function. At the LinuxSecurity Summit North America, RISC-V kernel developer Deepak Gupta described the CFIprotections for that architecture and invited community input on thekernel support for them.
CentOS Linux7 was firstreleased in July2014, and is due to go end-of-life (EOL) on June30.By now, anyone who pays attention to such things is aware that Red Hat pulled the plug onCentOSLinux in late2020 to be replaced by CentOS Streaminstead. CentOSLinux8support was wounddown at the end of 2021 rather than in 2029 as originally stated.CentOS Linux7 was allowed to serve out itsfull lifespan-but that EOL is approaching rapidly andthere's no direct upgrade path. Users and organizations looking for a lifeline might want to considerAlmaLinux's ELevateutility, which allows CentOS users to migrate to alternate enterpriseLinux (EL) operating systems.
The mseal() system call allows aprocess to prevent any future changes to portions of its address space(thus "sealing" them); it was patterned after the mimmutable() system call in OpenBSD.mseal() generated a lot of discussion, but it was finally mergedfor the upcoming 6.10 kernel release. While mseal() was initiallyaimed at securing the Chrome browser, the hope was that it would be usefulelsewhere; as a step toward realizing that hope, Adhemerval Zanella hasposted apatch series adding support for - and use of - mseal() to theGNU C library (glibc).
Greg Kroah-Hartman has announced another round of stable kernelupdates: 6.9.4, 6.6.33, and 6.1.93 have been released. Each containsanother set of important fixes, users of these kernels are advised toupgrade right away.
LWN.net