Feed lwn LWN.net

Link https://lwn.net/
Feed http://lwn.net/headlines/rss
Updated 2024-11-22 00:15
Stable kernels 6.7.3, 6.6.15, and 6.1.76
The 6.7.3, 6.6.15, and 6.1.76 stable kernels have been released. These contain a large number of important fixes throughout the tree, as is the norm.
Security updates for Thursday
Security updates have been issued by Debian (debian-security-support, firefox-esr, openjdk-11, and python-asyncssh), Fedora (glibc, python-templated-dictionary, thunderbird, and xorg-x11-server-Xwayland), Gentoo (Chromium, Google Chrome, Microsoft Edge and WebKitGTK+), Red Hat (firefox, gnutls, libssh, thunderbird, and tigervnc), SUSE (mbedtls, rear116, rear1172a, runc, squid, and tinyssh), and Ubuntu (glibc and runc).
[$] LWN.net Weekly Edition for February 1, 2024
The LWN.net Weekly Edition for February 1, 2024 is available.
GNU C Library 2.39 released
Version 2.39 of the GNU C Library has been released. Changes include integration with the x86 shadow-stack mechanism, a couple of new posix_spawn() variants for working with control groups, pidfd_spawn() and pidfd_spawnp(), the C2X stdbit.h header, the removal of the libcrypt library, and more. See the release notes for details.
LibreOffice 24.2 Community released
Version 24.2 of the LibreOffice office suite is available. Changes include AutoRecovery enabled by default, styling of comments, better floating-table support, improved accessibility, and more. See the release notes for details.
[$] OpenBSD system-call pinning
Return-oriented programming (ROP) attacks are hard to defend against. Partial mitigations such as address-space layout randomization, stack canaries, and other techniques are commonly deployed to try and frustrate ROP attacks. Now, OpenBSD is experimenting with a new mitigation that makes it harder for attackers to make system calls, although some security researchers have expressed doubt that it will prove effective at stopping real-world attacks. In his announcement message, Theo de Raadt said that this work "makes some specific low-level attack methods unfeasible on OpenBSD, which will force the use of other methods."
A locally exploitable glibc vulnerability
Qualys has disclosed a vulnerability in the GNU C Library that can be exploited by a local attacker for root access. It was introduced in the 2.37 release, and also backported to 2.36.
Security updates for Wednesday
Security updates have been issued by Debian (bind9 and glibc), Fedora (ncurses), Gentoo (containerd, libaom, and xorg-server, xwayland), Mageia (python-pillow and zlib), Oracle (grub2 and tomcat), Red Hat (avahi, c-ares, container-tools:3.0, curl, firefox, frr, kernel, kernel-rt, kpatch-patch, libfastjson, libmicrohttpd, linux-firmware, oniguruma, openssh, perl-HTTP-Tiny, python-pip, python-urllib3, python3, rpm, samba, sqlite, tcpdump, thunderbird, tigervnc, and virt:rhel and virt-devel:rhel modules), SUSE (python-Pillow, slurm, slurm_20_02, slurm_20_11, slurm_22_05, slurm_23_02, and xen), and Ubuntu (libde265, linux-nvidia, mysql-8.0, openldap, pillow, postfix, and xorg-server, xwayland).
[$] Looking ahead to Emacs 30
EmacsConf 2023 was, like its recent predecessors, an online conference with lots of talks about various aspects of the Emacs editor - though, of course, it is way more than just an editor. Last year's edition was held in early December. One of the talks that looked interesting was on Emacs development, which was given live by John Wiegley. In it, he briefly described some of the biggest features coming in Emacs 30, which is the next major version coming for the tool.
The state of eBPF
The eBPF Foundation has published a glossy document called The State of eBPF; it seems mostly concerned with how a small number of large companies are using and developing this technology.
Security updates for Tuesday
Security updates have been issued by Debian (pillow, postfix, and redis), Fedora (python-templated-dictionary and selinux-policy), Red Hat (gnutls, kpatch-patch, libssh, and tomcat), and Ubuntu (amanda, ceph, linux-azure, linux-azure-4.15, linux-kvm, and tinyxml).
[$] Defining the Rust 2024 edition
In December, the Rust project released a call for proposals for inclusion in the 2024 edition. Rust handles backward incompatible changes by using Editions, which permit projects to specify a single stable edition for their code and allow libraries written in different editions to be linked together. Proposals for Rust 2024 are now in, and have until the end of February to be debated and decided on. Once the proposals are accepted, they have until May to be implemented in time for the 2024 edition to be released in the second half of the year.
Security updates for Monday
Security updates have been issued by CentOS (gstreamer-plugins-bad-free, java-1.8.0-openjdk, java-11-openjdk, kernel, LibRaw, python-pillow, and xorg-x11-server), Debian (gst-plugins-bad1.0, libspreadsheet-parsexlsx-perl, mariadb-10.3, and slurm-wlm), Fedora (atril, dotnet8.0, gnutls, prometheus-podman-exporter, python-jinja2, sudo, and vips), Oracle (frr, kernel, php:8.1, python-urllib3, python3.9, rpm, sqlite, and tomcat), Slackware (pam), SUSE (cpio, rear23a, rear27a, sevctl, and xorg-x11-server), and Ubuntu (exim4 and firefox).
Kernel prepatch 6.8-rc2
Linus has released 6.8-rc2 for testing. "So go out and test. It's safe now. You trust me, right?"
[$] Better handling of integer wraparound in the kernel
While the mathematical realm of numbers is infinite, computers are only able to represent a finite subset of them. That can lead to problems when arithmetic operations would create numbers that the computer is unable to store as the intended type. This condition, called "overflow" or "wraparound" depending on the context, can be the source of bugs, including unpleasant security vulnerabilities, so it is worth avoiding. This patch series from Kees Cook is intended to improve the kernel's handling of these situations, but it is running into a bit of resistance.
Security updates for Friday
Security updates have been issued by Debian (xorg-server), Fedora (chromium, dotnet8.0, firefox, freeipa, and thunderbird), Red Hat (avahi, c-ares, curl, edk2, expat, freetype, frr, git, gnutls, grub2, kernel, kernel-rt, libcap, libfastjson, libssh, libtasn1, libxml2, linux-firmware, ncurses, oniguruma, openssh, openssl, perl-HTTP-Tiny, protobuf-c, python-urllib3, python3, python3.9, rpm, samba, shadow-utils, sqlite, tcpdump, tomcat, and virt:rhel and virt-devel:rhel modules), SUSE (cpio, jasper, rear23a, thunderbird, and xorg-x11-server), and Ubuntu (jinja2, kernel, linux, linux-aws, linux-aws-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-gkeop-5.15, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-kvm, linux-lowlatency-hwe-5.15, linux-raspi, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-iot, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux-xilinx-zynqmp, linux, linux-aws, linux-aws-6.2, linux-azure, linux-azure-6.2, linux-azure-fde-6.2, linux-gcp, linux-hwe-6.5, linux-laptop, linux-lowlatency, linux-lowlatency-hwe-6.5, linux-oem-6.5, linux-oracle, linux-raspi, linux-starfive, linux, linux-aws, linux-aws-hwe, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux, linux-aws, linux-kvm, linux-lts-xenial, linux-aws, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15, linux-oem-6.1, and mariadb, mariadb-10.3, mariadb-10.6).
Seven new stable kernels
Greg Kroah-Hartman has announced the release of the 6.7.2, 6.6.14, 6.1.75, 5.15.148, 5.10.209, 5.4.268, and 4.19.306 stable kernels. As usual, they contain a long list of fixes throughout the kernel tree.
[$] The things nobody wants to pay for
The free-software community has managed to build a body of software that is worth, by most estimates, many billions of dollars; all of this code is freely available to anybody who wants to use or modify it. It is an unparalleled example of independent actors working cooperatively on a common resource. Free software is certainly a success story, but all is not perfect. One of the community's greatest strengths - convincing companies to contribute to this common resource - is also part of one of its biggest weaknesses.
GCC security features from AdaCore
The AdaCore blog describes some hardening features contributed to GCC for the GCC 14 release.
Security updates for Thursday
Security updates have been issued by Debian (chromium, firefox-esr, php-phpseclib, phpseclib, thunderbird, and zabbix), Fedora (dotnet7.0, firefox, fonttools, and python-jinja2), Mageia (avahi and chromium-browser-stable), Oracle (java-1.8.0-openjdk, java-11-openjdk, LibRaw, openssl, and python-pillow), Red Hat (gnutls, kpatch-patch, php:8.1, and squid:4), SUSE (apache-parent, apache-sshd, bluez, cacti, cacti-spine, erlang, firefox, java-11-openjdk, opera, python-Pillow, tomcat, tomcat10, and xwayland), and Ubuntu (paramiko and puma).
[$] LWN.net Weekly Edition for January 25, 2024
The LWN.net Weekly Edition for January 25, 2024 is available.
[$] Python, packaging, and pip—again
Python packaging discussions seem like they often just go around and around, ending up where they started and recapitulating many of the points that have come up before. A recent discussion revolves around the pip package installer, as they often do. The central role that is occupied by pip has both good points and bad. There is a clear need for something that can install from the Python Package Index (PyPI) immediately after Python itself is installed. Whether there should be additional features, including project management, that come "inside the box", as well, is much less clear - not unlike the question of which project management "style" should be chosen.
Security updates for Wednesday
Security updates have been issued by Debian (jinja2, openjdk-11, ruby-httparty, and xorg-server), Fedora (ansible-core and mingw-jasper), Gentoo (GOCR, Ruby, and sudo), Oracle (gstreamer-plugins-bad-free, java-17-openjdk, java-21-openjdk, python-cryptography, and xorg-x11-server), Red Hat (kernel, kernel-rt, kpatch-patch, LibRaw, python-pillow, and python-pip), Slackware (mozilla), SUSE (python-Pillow, rear118a, and redis7), and Ubuntu (libapache-session-ldap-perl and pycryptodome).
[$] Microdot: a web framework for microcontrollers
There are many different Python web frameworks, from nano-frameworks all the way up to the full-stack variety. One that recently caught my eye is Microdot, the "impossibly small web framework for Python and MicroPython"; since it targets MicroPython, it is plausible for running the user interface of an "internet of things" (IoT) device, for example. Beyond that, it is Flask-inspired, which should make it reasonably familiar to many potential web developers.
Firefox 122.0 released
Version 122.0 of the Firefox browser is out. Changes include improved search suggestions, improvements to the in-browser translation feature, better line-breaking compatibility, and a shiny new .deb package.
Security updates for Tuesday
Security updates have been issued by Debian (kodi and squid), Fedora (ansible-core, java-latest-openjdk, mingw-python-jinja2, openssh, and pgadmin4), Gentoo (Apache XML-RPC), Red Hat (gnutls and xorg-x11-server), Slackware (postfix), SUSE (bluez and openssl-3), and Ubuntu (gnutls28, libssh, and squid).
[$] The rest of the 6.8 merge window
Linus Torvalds was able to release 6.8-rc1 and close the 6.8 merge window on time despite losing power to his home for most of a week. He noted that this merge window is "maybe a bit smaller than usual", but 12,239 non-merge changesets found their way into the mainline, so it's not that small. About 8,000 of those changes were merged since the first-half summary was written; the second half saw a lot of device-driver updates, but there were other interesting changes as well.
Security updates for Monday
Security updates have been issued by Debian (keystone and subunit), Fedora (dotnet6.0, golang, kernel, sos, and tigervnc), Mageia (erlang), Red Hat (openssl), SUSE (bluez, python-aiohttp, and seamonkey), and Ubuntu (postfix and xorg-server).
Kernel prepatch 6.8-rc1
The 6.8-rc1 kernel prepatch is out for testing.
Some weekend stable kernel updates
The 6.7.1, 6.6.13, and 6.1.74 stable kernel updates have been released; each contains another set of important fixes.
SourceHut outage post-mortem
SourceHut has published a post-mortem of its outage earlier this month. The post-mortem covers the causes of the outage and what steps SourceHut took to mitigate it, ending by saying:
[$] Jujutsu: a new, Git-compatible version control system
Jujutsu is a Git-compatible distributed version control system originally started as a hobby project by Martin von Zweigbergk in 2019. It is intended to be a simpler, more performant Git replacement. Jujutsu boasts a radically simplified user interface and integrates ideas from patch-based version control systems for a novel take on resolving merge conflicts. It is written in Rust and available under an Apache 2.0 license.
Dave Mills RIP
Internet pioneer and Network Time Protocol (NTP) inventor Dave Mills has died, as reported by Vint Cerf:
[$] mseal() gets closer
The proposed mseal() system call stirred up some controversy when it was first posted in October 2023. Since then, it has been evolving in a quieter fashion, and seems to have reached a point where the relevant commenters are willing to accept it. Should mseal() be merged in a future development cycle, it will look rather different than it did at the outset.
Clarifying Misunderstandings of Slowroll (openSUSE News)
The openSUSE News site has put up a brief article on how Slowroll fits into the spectrum of openSUSE distributions.
Security updates for Friday
Security updates have been issued by Fedora (chromium, golang-github-facebook-time, podman, and xorg-x11-server-Xwayland), Oracle (.NET 6.0, java-1.8.0-openjdk, java-11-openjdk, and python3.11-cryptography), Red Hat (java-11-openjdk, python-requests, and python-urllib3), SUSE (chromium, kernel, libcryptopp, libuev, perl-Spreadsheet-ParseExcel, suse-module-tools, and xwayland), and Ubuntu (filezilla and xerces-c).
Villa: Will the new judicial ruling in the Vizio lawsuit strengthen the GPL?
Luis Villa writes about the recent ruling in the Software Freedom Conservancy's GPL-violation lawsuit against Vizio, wherein the judge refused to agree that the SFC lacks standing to sue.
[$] Improved code generation in the CPython JIT
Ken Jin from the Faster CPython project has been working on taking Python's recently-added just-in-time (JIT) compiler further by adding support for a peephole optimizer that rewrites the JIT's intermediate representation to introduce constant folding, type specialization, and other optimizations. Those techniques should provide significant benefits for the performance of many different types of code running on CPython.
Security updates for Thursday
Security updates have been issued by CentOS (ImageMagick), Debian (chromium), Fedora (golang-x-crypto, golang-x-mod, golang-x-net, golang-x-text, gtkwave, redis, and zbar), Mageia (tinyxml), Oracle (.NET 7.0, .NET 8.0, java-1.8.0-openjdk, java-11-openjdk, python3, and sqlite), Red Hat (gstreamer-plugins-bad-free, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, and java-21-openjdk), SUSE (kernel, libqt5-qtbase, libssh, pam, rear23a, and rear27a), and Ubuntu (pam and zookeeper).
[$] LWN.net Weekly Edition for January 18, 2024
The LWN.net Weekly Edition for January 18, 2024 is available.
[$] Growing pains for typing in Python
Python's static-typing feature has come a long way since it was introduced in 2014. Adding type information to functions has always been - and will remain - optional, but typing still remains somewhat contentious. There are multiple kinds of consumers of the information, each with their own needs and wishes, as well as users of the feature with expectations of their own. That has led to the formation of a Python typing council to govern the type system for the language, though, as might be guessed, there are still grumblings from various quarters.
Please welcome Daroc Alden
When, at the beginning of November, we posted an open position at LWN, we were only so hopeful; experience has shown that finding writers who are both capable of and interested in writing our sort of material is a challenging task. This time, though, hope was justified: we got a surprising number of applications from highly qualified applicants. The hardest part of the task has, instead, been narrowing down the choice to a hiring decision. We are pleased to announce that Daroc Alden has just joined LWN's staff. Daroc is a programmer from New England, where they live with their spouse and their cat. They graduated with a Master's degree in Computer Science from the University of New Hampshire. In their spare time, they enjoy fiction writing and musicals. They are especially interested in programming language theory and implementation. Daroc will be taking on some of the load of keeping LWN interesting while helping us to expand our content mix in the areas that our readers are interested in. Please give them your support as they come up to speed within our operation. We are looking forward to having Daroc as part of a reinforced and more energetic LWN going forward.
Kicinski: netdev in 2023
Networking maintainer Jakub Kicinski (along with several collaborators) has put up a summary of what happened in the kernel's network stack during 2023.
Security updates for Wednesday
Security updates have been issued by Fedora (zabbix), Gentoo (OpenJDK), Red Hat (kernel), Slackware (gnutls and xorg), SUSE (cloud-init, kernel, xorg-x11-server, and xwayland), and Ubuntu (freeimage, postgresql-10, and xorg-server, xwayland).
[$] Julia v1.10: Performance, a new parser, and more
The new year arrived bearing a new version of Julia, a general-purpose, open-source programming language with a focus on high-performance scientific computing. Some of Julia's unusual features are Lisp-inspired metaprogramming, the ability to examine compiled representations of code in the REPL or in a "reactive notebook", an advanced type and dispatch system, and a sophisticated, built-in package manager. Version 1.10 brings big increases in speed and developer convenience, especially improvements in code precompilation and loading times. It also features a new parser written in Julia.
Wine 9.0 released
Version 9.0 of the Wine Windows-compatibility system has been released. "This release represents a year of development effort and over 7,000 individual changes. It contains a large number of improvements that are listed below. The main highlights are the new WoW64 architecture and the experimental Wayland driver."
A glitch in the merge window
On January 13, Linus Torvalds let it be known that he had lost power due to the bad weather in the US Pacific Northwest. As of this writing, he has not yet resurfaced, so the 6.8 merge window has ground to a halt.
Security updates for Tuesday
Security updates have been issued by Gentoo (KTextEditor, libspf2, libuv, and Nettle), Mageia (hplip), Oracle (container-tools:4.0, gnutls, idm:DL1, squid, squid34, and virt:ol, virt-devel:rhel), Red Hat (.NET 6.0, krb5, python3, rsync, and sqlite), SUSE (chromium, perl-Spreadsheet-ParseXLSX, postgresql, postgresql15, postgresql16, and rubygem-actionpack-5_1), and Ubuntu (binutils, libspf2, libssh2, mysql-5.7, w3m, webkit2gtk, and xerces-c).
A new crop of stable kernels
The 6.6.12, 6.1.73, 5.15.147, 5.10.208, 5.4.267, and 4.19.305 stable kernels have been released. They contain a relatively small number of important fixes.
OpenSUSE Leap 16 is coming
The openSUSE project has confirmed that there will be a successor to openSUSE Leap 15, but is not sharing a lot of details at this point.