LWN.net

The Rust project has developed aset of goals for the latter half of 2024.

Security updates have been issued by AlmaLinux (httpd:2.4), Fedora (chromium, firefox, frr, neatvnc, nss, python-setuptools, and python3.13), Gentoo (AFLplusplus, Bundler, dpkg, GnuPG, GPAC, libde265, matio, MuPDF, PHP, protobuf, protobuf-python, protobuf-c, rsyslog, Ruby on Rails, and runc), Red Hat (389-ds-base, container-tools:rhel8, and httpd:2.4), SUSE (bind and ca-certificates-mozilla), and Ubuntu (linux-azure).

Linus has released 6.11-rc3 right onschedule. "Nothing particularly strange or interesting going on, thingslook normal".

The6.10.4,6.6.45, and6.1.104stable kernel updates have been released; each contains another set ofimportant updates as usual.

It is something of a DebConf tradition that members of the Debian TechnicalCommittee (TC) take the stage to talk about the work that the committeedoes-and more. DebConf24 inBusan, South Korea was no exception, as TC chair Sean Whitton, whowill complete his term at the end of the year, and oneof its newest members, Stefano Rivera, described the constitutionalunderpinnings of the TC, how it tries to make decisions when it needs to,and the constant process of recruiting new members. After that, they tooka few questions from the audience. The session provided a nice overview ofthe TC and its role in Debian, but it may well be of interest further afield.

The Canonical Kernel Team has announceda new policy regarding the version of the kernel that will ship with eachUbuntu release; the result will generally be the shipping of newerreleases.

Sometimes, the smallest changes create the longest discussions. As a casein point, a proposal to make a one-line change in an informational textfile on systems running the Debian unstable distribution has blown up intoan interminable and sometimes unfriendly debate. At its core, though, thisdiscussion comes down to a seemingly simple question: should a program beable to determine whether it is running on a Debian testing or unstablesystem?

Researchers from Graz University of Technology havepublished details of a new attackon the Linux kernel called SLUBStick. The attack uses timing information to turn an ability to trigger use-after-free or double-free bugs into the ability to overwrite page tables, and thence into the ability to read and write arbitrary areas of memory. The good news is that this attack does require an existing bug to be usable; the bad news is that the kernel regularly sees bugs of this kind.

Security updates have been issued by AlmaLinux (httpd, kernel, kernel-rt, and libtiff), Debian (postgresql-13, postgresql-15, and thunderbird), Fedora (frr, thunderbird, vim, and xrdp), Gentoo (Librsvg, Nautilus, ncurses, Percona XtraBackup, QEMU, and re2c), Red Hat (httpd, kernel, kernel-rt, openssl, and python-setuptools), SUSE (bind, ffmpeg-4, kubernetes1.23, kubernetes1.24, python-Django, and python3-Twisted), and Ubuntu (linux, linux-aws, linux-aws-5.4, linux-gcp, linux-gcp-5.4, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-iot, linux-kvm, linux-raspi, linux-xilinx-zynqmp, linux, linux-aws, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-intel-iotg, linux-intel-iotg-5.15, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux, linux-aws, linux-gcp, linux-gke, linux-ibm, linux-nvidia, linux-nvidia-6.8, linux-oem-6.8, linux-nvidia-lowlatency, linux-oracle, linux-oracle, linux-oracle-5.4, and salt).

The Oligo Security blog disclosesa web-browser vulnerability that has been named "0.0.0.0 day". In short,browsers will allow JavaScript code to open connections to the all-zeroesIPv4 address; the result is that any port that is open on the local hostcan be accessed by a remote site. "When services use localhost, theyassume a constrained environment. This assumption, which can (as in thecase of this vulnerability) be faulty, results in insecure serverimplementations."

Endless OS is a Linux distribution with a focus on improving access toeducational tools by providing a simple-to-manage, full-featured desktop foreducators and students - one that works offline, with minimal maintenance. Thedistribution also aims to be suitable for older devices, in order to promote access tocomputers by ensuring those systems remain usable.In pursuit of those goals, it makes some unusual technicalchoices. But what makes the distribution really shine is its curated collectionof software and educational resources.

Security updates have been issued by AlmaLinux (freeradius and freeradius:3.0), Debian (chromium, odoo, and roundcube), Fedora (microcode_ctl, mingw-qt5-qtbase, mingw-qt6-qtbase, opentofu, orc, python-setuptools, and vim), Gentoo (Nokogiri), Oracle (kernel), Red Hat (go-toolset:rhel8, golang, kernel, krb5, libtiff, python-setuptools, and python39:3.9 and python39-devel:3.9), SUSE (python-Django), and Ubuntu (krb5).

The LWN.net Weekly Edition for August 8, 2024 is available.

Mozilla has announced that Puppeteer, a browser automation and testing library, now has first-class support for Firefox using theWebDriver BiDi protocol. Puppeteer can be used to drive headless browser instances, and is commonly used for automated end-to-end web-site tests.

The desire for the ability to checkpoint a process - to record its state ina form that can be restarted at a future time - on Linux is almost as old asLinux itself. See, for example, this announcement of a checkpointproject that appeared in LWN in 1998. While working solutions exist, theycan be somewhat fragile and difficult to use; it is not surprising thatsome people are interested in finding a better alternative. A currenteffort goes by the name CRIB,for Checkpoint/Restore in (naturally) BPF. It is far from clear that CRIBwill replace the existing solutions, but it is an interesting look at adifferent way of solving the problem.

There are lots of places in the kernel where an EINVAL can bereturned to user space, but it is often unclear what the actual underlyingproblem is because the errnoerror codes are too generic. That is the problem that Miklos Szerediwanted to discuss in a filesystem session that he led remotely at the 2024 Linux Storage,Filesystem, Memory Management, and BPF Summit. He would like to helpthose who are trying to debug problems trace where in the kernel aparticular error code is being generated.

Security updates have been issued by Debian (firefox-esr, openjdk-17, and wpa), Gentoo (aiohttp, Bitcoin, Cairo, Go, json-c, Levenshtein, libXpm, nghttp2, PostgreSQL, and Redis), Red Hat (kernel, kernel-rt, python-setuptools, python-urllib3, python3.11-setuptools, and wget), Slackware (mozilla), SUSE (bind, curl, docker, ffmpeg, ffmpeg-4, kernel, kernel-firmware, libnbd, patch, shadow, and thunderbird), and Ubuntu (python-django and wpa).

CircuitPython is an open-sourceimplementation of the Python programming language for microcontrollerboards. The project, which is sponsored by Adafruit Industries, is designed withnew programmers in mind, but it also has many features that may be ofinterest to more-experienced developers. The recent 9.1.0releaseadds a few minor features, but it follows just a few months after CircuitPython9.0.0,which brings some more significant changes, including improved graphics andUSB support.

Version129.0 of the Firefox browser has been released. Changes include someimprovements to the reader mode, tab previews, and use of HTTPS by default.

Security updates have been issued by Debian (libreoffice), Gentoo (containerd and firefox), Red Hat (httpd), SUSE (ca-certificates-mozilla, ksh, openssl-3-livepatches, podman, python-Twisted, and skopeo), and Ubuntu (imagemagick).

David Howells wanted to discuss changing the way filesystem code handlesthe ability to interrupt or kill operations, in order to fix somelongstanding problems with network (and other) filesystems, in a session atthe 2024 LinuxStorage, Filesystem, Memory Management, and BPF Summit. As noted inhis sessionproposal, some filesystems may be expecting to not be interruptible,but are calling code can take locks and mutexes that are interruptible (orkillable), which are effectivelychanging the state of the task incorrectly.He would like to find a solution for that problem.

The BusinessSource License (BUSL) is a source-available license that "converts"to an open-source license after a period of time. In theory, thismeans that a few years after a version of a product is released underthe BUSL, it becomes open source and is fair game for Linuxdistributions to package along with regular open-source projects. Inpractice, the license throws a few curveballs that require specialconsideration and caution, as the Fedora Project recently discussed.

Version 2.43 of the GNU Binutils package is out. Changes include someimprovements to the assembler and the linker, better support for hardwareevent counters in the Gprofng profiler, and more.

Security updates have been issued by Debian (openjdk-11), Fedora (bind, bind-dyndb-ldap, chromium, ffmpeg, hostapd, trafficserver, and wpa_supplicant), and Ubuntu (curl and linux-oem-6.5).

Linus has released 6.11-rc2 for testing."Hopefully we've gotten rid of the bulk of the silly noise here in rc2,and not added too much new noise, so that we can get on with the process offinding more meaningful issues."

The 6.10.3, 6.6.44, and 6.1.103 stable kernel updates have all been released. As usual, theycontain important fixes throughout the tree. Users of those kernelsshould upgrade.

There is ongoing discussion about the ethics and effectiveness oftelemetry following some recent LWN articles that touched onThunderbird's use of opt-outtelemetry and planned metrics in Fedora. TheInternet Security Research Group (ISRG), the nonprofit behindLet's Encrypt, has a potential solution to the problem of how to collect andaggregate telemetry without violating users' privacy. The scheme is based on adraftprotocol being standardized with the Internet Engineering Task Force (IETF),and has anopen-source implementationavailable.

Security updates have been issued by Fedora (chromium), SUSE (docker and patch), and Ubuntu (bind9, gross, linux-azure, linux-azure-4.15, linux-lowlatency-hwe-6.5, and tomcat8, tomcat9).

The Sovereign Tech Fund (STF) has announceda fellowship program to support "the dedicated individuals who keepour digital infrastructure running":

Like many projects written in C, the kernel makes extensive use of the Cpreprocessor; indeed, the kernel's use is rather more extensive than most.The preprocessor famously has a number of sharp edges associated with it.One might not normally think of increased compilation time as one of them,though. It turns out that some changes to a couple of conceptually simplepreprocessor macros - min() and max() - led to some trulypathological, but hidden, behavior where those macros were used.

We have received thesad news that Dr. Mel Chua has passed away. Mel was probably bestknown in the free-software community as a contributor to the FedoraProject in its early days. The Fedora Community blog honoredMel recently after she had moved to hospice care with tributesfrom several Fedorans. Stephen Jacobs wrote:

Security updates have been issued by Debian (chromium), Fedora (kernel, obs-cef, and xen), Mageia (emacs), Oracle (freeradius, freeradius:3.0, and kernel), Red Hat (emacs, httpd, and kpatch-patch-4_18_0-305_120_1), Slackware (curl), SUSE (apache2, cockpit-wicked, glibc, gnutls, gvfs, less, nghttp2, opensc, python-idna, python-requests, qemu, rpm, tpm2-0-tss, tpm2.0-tools, and unbound), and Ubuntu (clickhouse, exim4, libcommons-collections3-java, linux, linux-aws, linux-kvm, linux-lts-xenial, mysql-8.0, openssl, php-cas, prometheus-alertmanager, and snapd).

The LWN.net Weekly Edition for August 1, 2024 is available.

Arnd Bergmann has posted adetailed timeline for the deprecation of support for old Arm CPUs inboth the kernel and the compiler toolchain. Anybody who is working withthat hardware will likely want to review this list and let the relevantdevelopers know if any of that support is still needed.

Version 2.0 of the Vanilla OS image-based Linux distribution hasbeen released. Dubbed"Orchid", Vanilla OS is now based on Debian Sid (prior versions were Ubuntu-based),allows creationof customized Linux environments, support for running Androidapplications using Waydroid, and many other improvements.

A few years ago, PyGObject-the Pythonpackage that provides bindings for GTK and GNOME applications-was notfaring particularly well. Several maintainers had left the project and itsdevelopment was not keeping pace with changes in GTK. At this year'sGUADEC, Dan Yeaw presented a talkabout the project's decline, improvements in the last year, and hisexperience getting involved in an undermaintained project.

Version 8.0 of the Forgejosoftware-development platform has been released. Notablechanges include the removalof non-free software found in the codebase, improved stability, and areductionin "seemingly random User Interface changes":

A bootstrappable build is one that builds existingsoftware from scratch - for example, building GCC without relying on an existingcopy of GCC. In 2023, the Guix projectannounced that the project had reduced the sizeof the binary bootstrap seed needed to build its operating system to just 357-bytes -not counting the Linux kernel required to run the build process. Now, thelive-bootstrap projecthas gone a step further and removed the need for an existing kernel at all.

Security updates have been issued by Fedora (xdg-desktop-portal-hyprland), Red Hat (freeradius, freeradius:3.0, git-lfs, httpd, kernel, openssh, and varnish:6), SUSE (cdi-apiserver-container, cdi-cloner-container, cdi- controller-container, cdi-importer-container, cdi-operator-container, cdi- uploadproxy-container, cdi-uploadserver-container, cont, git, gtk2, gtk3, kubevirt, virt-api-container, virt-controller-container, virt-exportproxy-container, virt-exportserver-container, virt-handler-container, virt-launcher-container, virt-libguestfs-t, orc, postgresql14, python-dnspython, python-urllib3, shadow, and xen), and Ubuntu (openjdk-17, openjdk-21, openjdk-8, openjdk-lts, and python3.10, python3.8).

At the 2024 LinuxStorage, Filesystem, Memory Management, and BPF Summit, John Groves leda session on famfs, which is a filesystem he has developed that uses thekernel's direct-access (DAX)mechanism to access memory that is shareable between hosts. The discussionwas aimed at whether a different approach should be taken and, inparticular, whether FUSE should be used instead of implementing as anin-kernel filesystem. As noted in the thread about hisproposal for an LSFMM+BPF session, and the mailing-list discussions on the first and secondversion of his patch set, there is some skepticism that a new in-kernelfilesystem is warranted for the use case.

Daniel Robbins, founder of the Gentoo Linux distribution and itsspinoff Funtoo Linux, hasannouncedthat he has decided to end the Funtoo project:

At GUADECin Denver, Colorado on July21, the GNOME Foundation held its annualgeneral meeting (AGM) to provide updates from the foundation's board and committees.Topics included work accomplished in the past year, challengesfacing the GNOME Foundation-including fundraising and finding a newexecutive director-and some insight into plans for the next year. Andlast, but not least, the awarding of the Pants of Thanks.

Security updates have been issued by Fedora (curl), Mageia (virtualbox), Oracle (squid), Red Hat (kernel), SUSE (apache2, bind, cdi-apiserver-container, cdi-cloner-container, cdi- controller-container, cdi-importer-container, cdi-operator-container, cdi- uploadproxy-container, cdi-uploadserver-container, devscripts, espeak-ng, freerdp, ghostscript, gnome-shell, gtk2, gtk3, java-11-openjdk, java-17-openjdk, kubevirt, libgit2, openssl-3, orc, p7zip, python-dnspython, and shadow), and Ubuntu (kernel, linux, linux-aws, linux-aws-hwe, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux, linux-aws, linux-gcp, linux-gke, linux-ibm, linux-nvidia, linux-oem-6.8, linux-raspi, linux, linux-azure, linux-azure-5.4, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-iot, linux-kvm, linux-raspi, linux-xilinx-zynqmp, linux-aws, linux-aws-5.4, linux-aws-5.15, linux-ibm, linux-ibm-5.15, linux-raspi, linux-gcp-5.15, and linux-lowlatency).

Version 2.46.0 of the Gitsource-code management system has been released. This release seems toconsist of a long list of interface and performance improvements ratherthan big new features; see the announcement for the details.

The release of 6.11-rc1marked the end of the 6.11 merge window on July28. By that time,12,102 non-merge changesets had been pulled into the mainline repository;about 8,000 of those came in after thefirst-half summary was written. Quite a few significant changes wereto be found in those changesets; there is also one big change that did notmake it.

Security updates have been issued by AlmaLinux (java-11-openjdk), Debian (bind9), Fedora (darkhttpd, mod_http2, and python-scrapy), Red Hat (python3.11, rhc-worker-script, and thunderbird), SUSE (assimp, gh, opera, python-Django, and python-nltk), and Ubuntu (edk2, linux, linux-aws, linux-gcp, linux-gke, linux-gkeop, linux-gkeop-5.15, linux-hwe-5.15, linux-intel-iotg, linux-intel-iotg-5.15, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-oracle, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15, linux-nvidia-6.5, linux-oracle, linux-raspi, and lua5.4).

Linus Torvalds has released 6.11-rc1 and closed themerge window for this development cycle. "The merge window felt prettynormal, and the stats all look pretty normal too. I was expecting things tobe quieter because of summer vacations, but that (still) doesn't actuallyseem to have been the case."Note that the extensible scheduler class("sched_ext") was not merged, even though Torvalds had said he would back in June. Sched_ext, itseems, will need another development cycle out of tree.

The6.10.2,6.9.12,6.6.43,6.1.102,5.15.164,5.10.223,5.4.281, and4.19.319stable kernel updates have all been released; each contains a relativelysmall set of important fixes, atleast one of which appears to close a minor security hole.

One of the simplest hardening concepts to understand is that memory shouldnever be both writable and executable, otherwise an attacker can use it toload and run arbitrary code. That rule is generally followed in Linuxsystems, but there is a glaring loophole that is exploitable from userspace to inject code into a running process. Attackers have duly exploitedit. A new effort to close the hole ran into trouble early in the mergewindow, but a solution may yet be found in time for the 6.11 kernelrelease.

Security updates have been issued by AlmaLinux (linux-firmware and squid), Debian (bind9), Fedora (kubernetes, thunderbird, and tinyproxy), Oracle (containernetworking-plugins, cups, edk2, httpd, httpd:2.4, kernel, kernel-container, libreoffice, libuv, libvirt, python3, and runc), Red Hat (freeradius:3.0, httpd, and squid), and SUSE (giflib and python-dnspython).