LWN.net

John Stawinski IV describes,in detail, how he and a partner were able to compromise the security of theheavily used PyTorch project.

As the Rust-for-Linux projectadvances, the kernel is gradually accumulating abstraction layers that enable Rust code to interface with theexisting C code. As the discussion around the set of filesystemabstractions posted by Wedson Almeida Filho in December shows, though,there is some tension between two approaches to the design of thoseabstractions. The approach favored by most of the kernel's C programmerslooks set to win out, but this is a discussion that is likely to return asthe use of Rust in the kernel grows.

Security updates have been issued by CentOS (bind, cups, curl, firefox, ipa, iperf3, java-1.8.0-openjdk, java-11-openjdk, kernel, libssh2, linux-firmware, open-vm-tools, openssh, postgresql, python, python3, squid, thunderbird, tigervnc, and xorg-x11-server), Fedora (chromium, python-flask-security-too, and tkimg), Gentoo (libgit2, Opera, QPDF, and zlib), Mageia (chromium-browser-stable, gnutls, openssh, packages, and vlc), Oracle (.NET 6.0, fence-agents, frr, ipa, kernel, nss, pixman, and tomcat), and SUSE (gstreamer-plugins-bad).

The 5.10.207 stable kernel update has beenreleased; it consists entirely of a handful of reverts of SCSI patches.

The Linux Mint distribution has announced the release of Linux Mint 21.3, which is codenamed "Virginia". It has the Cinnamon 6.0 desktop, "comes with full support for SecureBoot and compatibility with a wider variety of BIOS and EFI implementation", has added new features to the Hypnotix TV-viewer application, and more. See the release notes for even more information about it.

The 6.8 merge window has gotten off to a relatively slow start; reasons forthat include a significant scheduler performance regression that LinusTorvalds stumbledinto and has spent time tracking down. Even so, 4,282 non-mergechangesets have found their way into the mainline repository for the 6.8release as of this writing. These commits have brought a number ofsignificant changes and new features.

Users of SourceHut will have noticed that the site has been unreachable;Drew DeVault has now posted a report onwhat is happening (it's a distributed denial-of-service attack) andwhat is being done to recover.

Security updates have been issued by Debian (kernel, linux-5.10, php-phpseclib, php-phpseclib3, and phpseclib), Fedora (openssh and tinyxml), Gentoo (FreeRDP and Prometheus SNMP Exporter), Mageia (packages), Red Hat (openssl), SUSE (gstreamer-plugins-rs and python-django-grappelli), and Ubuntu (dotnet6, dotnet7, dotnet8, openssh, and xerces-c).

For those of you still using DSA keys with SSH: the project has announcedits plans to remove support for that algorithm around the beginning of2025.

The data structure known as a "closure" first found its way into themainline kernel with the addition of bcache in the 3.10 developmentcycle. With the advent of bcachefs in6.7, though, it acquired a second user and was moved to the kernel'slib directory, making it available to other kernel users as well.The documentation of closures in the source is better than that of manythings in the kernel, but there is still room for a gentler introduction.

Security updates have been issued by Debian (chromium), Fedora (chromium, python-paramiko, tigervnc, and xorg-x11-server), Oracle (ipa, libxml2, python-urllib3, python3, and squid), Red Hat (.NET 6.0, .NET 7.0, .NET 8.0, container-tools:4.0, fence-agents, frr, gnutls, idm:DL1, ipa, kernel, kernel-rt, libarchive, libxml2, nss, openssl, pixman, python-urllib3, python3, tigervnc, tomcat, and virt:rhel and virt-devel:rhel modules), SUSE (gstreamer-plugins-bad), and Ubuntu (firefox, Go, linux-aws, linux-gcp-5.15, linux-intel-iotg-5.15, linux-iot, linux-oem-6.1, and twisted).

The LWN.net Weekly Edition for January 11, 2024 is available.

As part of my quest to master Emacs, whichis sort of a sub-quest on the way toward learning more about Lisp, I havespent a fair amount of time discovering various corners of the Emacsworld. One of those is the famous "Orgmode" that is used for a wide variety of organizational tasks withinthe editor-and not just Emacs, but for Vim and others too.Org mode can be used for to-do lists, notes with interconnections between them, literateprogramming, web sites, and more. Now my quests are growing quests oftheir own and digging into Org mode is one of those.

The 4.14.336 stable kernel update has beenreleased with a small handful of fixes; this is the end of the line for the4.14 stable series:

Security updates have been issued by Fedora (libssh), Gentoo (FAAD2 and RedCloth), Red Hat (kpatch-patch and nss), SUSE (hawk2, LibreOffice, opera, and tar), and Ubuntu (glibc, golang-1.13, golang-1.16, linux-azure, linux-gkeop, monit, and postgresql-9.5).

A new releasefor any project with a fix for a12-year old CVE is going to standout pretty obviously; a recent release has a fix of that nature, but the trail of CVE-2012-5639 israther elusive. The ApacheOpenOffice project made its 4.1.15release with fixes for four CVEs, including one forCVE-2012-5639 ("Loading internal / external resources withoutwarning"), on December22. But nearly everything about that CVEseems rather murky, and it is difficult to get a clear picture of what,exactly, was done in OpenOffice to address the problem.

The Vcc compiler has beenannounced.

OpenWrt developer John Crispin says:"In 2024 the OpenWrt project turns 20 years! Let's celebrate thisanniversary by launching our own first and fully upstream supportedhardware design." The rest of the message describes the proposedOpenWrt-native network-routing system, based on Banana Pi boards; the project isbeing organized through the Software Freedom Conservancy. (Thanks to DaveTaht).

Thorsten Leemhuis writesabout his plans for improving the kernel's regression handling in thecoming year.

Anthony Shaw describesthe new copy-and-patch JIT that has been proposed for Python 3.13.

Version 4.5("Resilience") of the Solus distribution has been released. "Thisrelease brings updated applications and kernels, refreshed software stacks,a new installer, and a new ISO edition featuring the XFCE desktopenvironment."

Security updates have been issued by Debian (squid), Fedora (podman), Mageia (dropbear), SUSE (eclipse-jgit, jsch, gcc13, helm3, opusfile, qt6-base, thunderbird, and wireshark), and Ubuntu (clamav, libclamunrar, and qemu).

The 6.7 kernel was releasedon January7 after a ten-week development cycle. This was, as itturns out, the busiest cycle ever with regard to the number of changesetsmerged. The time has come for our usual look at where all those changesetscame from, with a side trip into how long kernel developers tend to stickaround.

Greg Kroah-Hartman has announced the release of the 5.4.266, 4.19.304, and 4.14.335 stable kernels. They containimportant fixes throughout the kernel tree.

Security updates have been issued by Debian (exim4), Fedora (chromium, perl-Spreadsheet-ParseExcel, python-aiohttp, python-pysqueezebox, and tinyxml), Gentoo (Apache Batik, Eclipse Mosquitto, firefox, R, Synapse, and util-linux), Mageia (libssh2 and putty), Red Hat (squid), SUSE (libxkbcommon), and Ubuntu (gnutls28).

Linus has released the 6.7 kernel.

Kernel developers often go out of their way to reduce the memory used bythe kernel itself; that memory is not available for the workloads thatpeople are actually interested in running on their systems. Lower memoryusage also tends to lead to better performance overall. But there aretimes when the expenditure of some extra memory can make the system faster.The replication of the kernel's text (executable code) and read-only dataacross a NUMA system may be a case in point; patch sets have been postedadding that capability to two architectures.

The 6.6.10, 6.1.71, 5.15.146, and 5.10.206 stable kernels have been released.They contain numerous important fixes, as usual.

Security updates have been issued by Debian (asterisk, chromium, exim4, netatalk, and tomcat9), Fedora (chromium), Gentoo (BlueZ, c-ares, CUPS filters, RDoc, and WebKitGTK+), Oracle (firefox, squid:4, thunderbird, and tigervnc), SUSE (python-aiohttp and python-paramiko), and Ubuntu (linux-intel-iotg).

The saga of the None-aware (or null-coalescing) operators for Pythoncontinues. We last looked in on the topica little over a year ago and noted that either adoption or a clearrejection of the idea might help tamp down its regular recurrence. Thathas not happened, so, predictably, it was raised again-and does not lookany closer to resolution this time around.

ITWire coversthe passing of Niklaus Wirth.

Security updates have been issued by Oracle (firefox, gstreamer1-plugins-bad-free, thunderbird, tigervnc, and xorg-x11-server), Red Hat (squid:4), SUSE (exim, libcryptopp, and proftpd), and Ubuntu (openssh and sqlite3).

The LWN.net Weekly Edition for January 4, 2024 is available.

Normally, when a new vulnerability is discovered and releases arecoordinated with those affected, the announcement is done ata convenient time-not generally right before the end-of-year holidays, forexample. The SMTPSmuggling vulnerability has taken a different path, however, with itsannouncement landing on December18. That may well have beenunpleasant for some administrators that had not yet updated, but it wasparticularly problematic for some projects that had not been made aware of the vulnerability atall-though it was known to affect several open-source mailers.

On his blog, Luc Lenotre introducesMaestro, "a Unix-like kernel and operating system written fromscratch in Rust". Maestro is intended to be"lightweight and compatible-enough with Linux to be usable in everydaylife". The project began, in C, back in 2018, but switched over toRust after a year-and-a-half. The current status:

Version 9.1 of theVim editor has been released. "This release is dedicated to BramMoolenaar, Vim's lead developer for more than 30 years, who passed away halfa year ago. The Vim project wouldn't exist without his work". Changesinclude new support for classes and objects in the scripting language,smooth scrolling support, an EditorConfig plugin, and more.

Security updates have been issued by Debian (kernel), Fedora (slurm), Oracle (kernel and postgresql:15), Red Hat (firefox, gstreamer1-plugins-bad-free, thunderbird, tigervnc, and xorg-x11-server), SUSE (polkit, postfix, putty, w3m, and webkit2gtk3), and Ubuntu (nodejs).

The calendar has flipped over into 2024 - another year has begun. Here atLWN, we do not have a better idea of what this year will bring than anybodyelse does, but that doesn't keep us from going out on a shaky limb andmaking predictions anyway. Here, for the curious, are a few things that wethink may be in store for 2024.

Security updates have been issued by Gentoo (Joblib), Red Hat (firefox and thunderbird), SUSE (gstreamer-plugins-bad, libssh2_org, and webkit2gtk3), and Ubuntu (firefox and thunderbird).

Greg Kroah-Hartman has announced the release of the 6.6.9 and 6.1.70 stable kernels. As usual, they containimportant fixes throughout the kernel tree.

One might not think that much could be said about a simple macro defining aconstant integer value. But the kernel is special, it seems. A change tothe definition of MAX_ORDER has had a number of follow-on effects,and the task of cleaning up after this change is not done yet. So perhapsa look at MAX_ORDER is in order.

Version 1.6.0 of the Scribusdesktop-publishing application has been released. Thelist of new features is rather long and includes a user interface overhaul,improvements for HiDPI screens, new scripting commands, lots oftypographical improvements and features, a new picture browser forgraphical asset management, support for more gradient types, and much more.

Security updates have been issued by Debian (ansible, asterisk, cjson, firefox-esr, kernel, libde265, libreoffice, libspreadsheet-parseexcel-perl, php-guzzlehttp-psr7, thunderbird, tinyxml, and xerces-c), Fedora (podman-tui, proftpd, python-asyncssh, squid, and xerces-c), Mageia (libssh and proftpd), and SUSE (deepin-compressor, gnutls, gstreamer, libreoffice, opera, proftpd, and python-pip).

Linus has released 6.7-rc8 for testing.

The Julia programming language project has released Juliav1.10. It is mainly a performance release, with only two new language features mentioned in the release notes: "JuliaSyntax.jl is now used as the default parser, providing better diagnostics and faster parsing." and the addition of two Unicode symbols for use as binary operators: "(U+297A, \leftarrowsubset) and (U+2977, \leftarrowless)". Package-loading time has been improved further and the mark phase of garbage collection has been parallelized, among other improvements.

Version 6.0 of the Gnuplot plotting systemhas been released.

Gentoo Linux is the prototypical source-based distribution, but there isnow abinary installation option available as well.

Version1.75.0 of the Rust language has been released. Notable changes include"asyncfn and -> impl Trait in traits", a pointer byte-offsetAPI, some compiler performance improvements, and a number of stabilized APIs.

Displaying an application's graphical output onto the screen requirescompositing and mode setting that are correctly synchronized among the various pieces,with low overhead.In this second and final article in the series, we will look atthose pieces of the Linux graphics stack. In the first installment, we followed the path of graphics from the application, through Mesa, whileusing the memory-management features of the kernel's DirectRendering Manager (DRM) subsystem.We ended up with an application's graphics data stored in an output buffer,so nowit's time to display the image to the user.

Security updates have been issued by Debian (haproxy, libssh, and nodejs), Fedora (filezilla and minizip-ng), Gentoo (Git, libssh, and OpenSSH), and SUSE (gstreamer, postfix, webkit2gtk3, and zabbix).