Feed: LWN.net
Link: https://lwn.net/
Feed URL: http://lwn.net/headlines/rss
Updated: 2025-06-07 03:00
[$] Securing Git repositories with gittuf
The so-called software supply chain starts with source code. But most security measures and tooling don't kick in until source is turned into an artifact: a source tarball, binary build, container image, or other method of delivering a release to users. The gittuf project is an attempt to provide a security layer for Git that can handle key management, enforce security policies for repositories, and guard against attacks at the version-control layer. At Open Source Summit North America (OSSNA), Aditya Sirish A Yelgundhalli and Billy Lynch presented an introduction to gittuf with an overview of its goals and status.
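The kind of version-control-layer check gittuf is after, as an added example written for this page (it is not gittuf's code and does not use its policy or metadata format): a constructed commit graph, a policy that maps ref patterns to the key IDs allowed to update them, and a verifier that rejects a ref update when the attesting signer is unauthorized, when the update rewrites history (is not a fast-forward), or when any commit it introduces was signed by a key the rule does not allow. The key IDs, commit IDs, the path.Match rule syntax and the first-match rule order are all this example's own assumptions.

```go
package main

import (
	"fmt"
	"path"
	"sort"
)

// Constructed types for this example; nothing here reads a real repository.
type (
	Commit    struct{ Parents []string; Signer string }          // keyed by commit ID in Repo.Commits
	Rule      struct{ Pattern string; Keys map[string]bool }     // keys allowed to update refs matching Pattern (path.Match syntax)
	RefUpdate struct{ Ref, Old, New, Signer string }             // ref moved Old -> New, attested by Signer; Old == "" creates the ref
	Repo      struct{ Commits map[string]Commit; Policy []Rule } // first matching rule applies (this example's convention)
)

func (r *Repo) ruleFor(ref string) (Rule, bool) {
	for _, rule := range r.Policy {
		if ok, _ := path.Match(rule.Pattern, ref); ok {
			return rule, true
		}
	}
	return Rule{}, false
}

// ancestors returns every commit ID reachable from start (start included); ancestors("") is empty.
func (r *Repo) ancestors(start string) map[string]bool {
	seen := map[string]bool{}
	for stack := []string{start}; len(stack) > 0; {
		id := stack[len(stack)-1]
		stack = stack[:len(stack)-1]
		if id == "" || seen[id] {
			continue
		}
		seen[id] = true
		stack = append(stack, r.Commits[id].Parents...)
	}
	return seen
}

// Verify accepts an update only if the attesting signer is authorized for the
// ref, the move is a fast-forward (no history rewrite) and every commit it
// introduces is itself signed by an authorized key. Unprotected refs pass.
func (r *Repo) Verify(u RefUpdate) error {
	rule, protected := r.ruleFor(u.Ref)
	if !protected {
		return nil
	}
	if !rule.Keys[u.Signer] {
		return fmt.Errorf("%s: signer %q not authorized by rule %q", u.Ref, u.Signer, rule.Pattern)
	}
	newSide, oldSide := r.ancestors(u.New), r.ancestors(u.Old)
	if u.Old != "" && !newSide[u.Old] {
		return fmt.Errorf("%s: %s -> %s is not a fast-forward (history rewrite)", u.Ref, u.Old, u.New)
	}
	var introduced []string
	for id := range newSide {
		if !oldSide[id] {
			introduced = append(introduced, id)
		}
	}
	sort.Strings(introduced) // report violations in a deterministic order
	for _, id := range introduced {
		if c, ok := r.Commits[id]; !ok || !rule.Keys[c.Signer] {
			return fmt.Errorf("%s: commit %s missing or signed by unauthorized key %q", u.Ref, id, c.Signer)
		}
	}
	return nil
}

// SampleRepo builds the constructed history A <- B <- C (signed by alice,
// alice, bob) plus a competing A <- D signed by "mallory", and a two-rule policy.
func SampleRepo() *Repo {
	return &Repo{
		Commits: map[string]Commit{
			"A": {Signer: "alice"},
			"B": {Parents: []string{"A"}, Signer: "alice"},
			"C": {Parents: []string{"B"}, Signer: "bob"},
			"D": {Parents: []string{"A"}, Signer: "mallory"},
		},
		Policy: []Rule{
			{"refs/heads/release/*", map[string]bool{"alice": true}},
			{"refs/heads/main", map[string]bool{"alice": true, "bob": true}},
		},
	}
}

func main() {
	r := SampleRepo()
	for _, u := range []RefUpdate{
		{"refs/heads/main", "A", "C", "bob"},         // accepted
		{"refs/heads/main", "C", "D", "bob"},         // rejected: history rewrite
		{"refs/heads/main", "C", "C", "mallory"},     // rejected: unauthorized signer
		{"refs/heads/release/1.0", "", "C", "alice"}, // rejected: C was signed by bob
		{"refs/heads/feature/x", "", "D", "mallory"}, // accepted: unprotected ref
	} {
		fmt.Println(u.Ref, u.Old, "->", u.New, "=>", r.Verify(u))
	}
}
```

The last loop in Verify fails closed on purpose: a commit that is missing from the object store is treated like one signed by an unauthorized key. gittuf itself verifies real signatures over Git objects and keeps its policy metadata inside the repository; this example only models the decision logic a server-side or client-side hook would apply.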
Fedora Asahi Remix 40 is now available
Fedora Magazine reports that the Fedora Asahi Remix for Apple Arm hardware, based on Fedora 40, is now available:
Security updates for Wednesday
Security updates have been issued by Debian (glib2.0 and php7.3), Gentoo (Commons-BeanUtils, Epiphany, glibc, MariaDB, Node.js, NVIDIA Drivers, qtsvg, rsync, U-Boot tools, and ytnef), Oracle (kernel), Red Hat (git-lfs and kernel), SUSE (flatpak, less, python311, rpm, and sssd), and Ubuntu (libde265, libvirt, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-iot, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux-xilinx-zynqmp, linux, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-gkeop-5.15, linux-ibm, linux-ibm-5.15, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-oracle, linux-oracle-5.15, linux-oem-6.5, and nghttp2).
[$] A proposal to switch Fedora Workstation's desktop
A proposal to switch the default desktop for Fedora Workstation from GNOME to KDE Plasma largely went over like the proverbial lead balloon, unsurprisingly. But the conversation about the proposal did surface some areas where the distribution could perhaps be more inclusive with regard to the other desktop choices available. The project believes that it benefits from being opinionated and not requiring users to make multiple decisions before they can even install the distribution, but there is a balance to be found.
[$] Systemd heads for a big round-number release
The systemd project is preparing for a new release. Version 256-rc1 was released on April 25 with a large number of changes and new features. Most of the changes relate to security, easier configuration, unprivileged access to system resources, or all three of these. Users of systemd will find setting up containers, even without root access, much simpler and more secure.
GCC 14.1 released
Version 14.1 of the GCC compiler suite has been released. The list of changes is long; it includes support for more C++26 features, preparation for Fortran 2023 support, a new -fhardened flag to enable security-hardening features, vectorizer improvements, and a number of static-analyzer improvements. The -fhardened flag is a bundle of existing options (among them -D_FORTIFY_SOURCE=3, -fstack-protector-strong, -fstack-clash-protection, PIE and full RELRO) rather than a new mitigation, and it does not override options given explicitly on the command line, so a build that also passes, say, -fno-stack-protector keeps that weaker setting. See the release notes for details.
Secure Randomness in Go 1.22 (Go Blog)
The Go Blog has a detailed article on the new, more secure random-number generator implemented for the 1.22 release.
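One reason a securely seeded generator matters, as an added example that is not taken from the Go blog post: a token minted from math/rand seeded with the clock, the way code commonly did before Go seeded the generator automatically, can be reproduced by anyone who knows roughly when it was issued, because the generator is a deterministic function of a seed with only a few thousand plausible values. The crypto/rand token beside it has no seed to recover. The one-hour attacker window and the four-word token length are this example's assumptions.

```go
package main

import (
	"crypto/rand"
	"encoding/binary"
	"fmt"
	mrand "math/rand"
	"time"
)

// weakToken reproduces the old idiom rand.Seed(time.Now().Unix()) plus a few
// draws: the token is a pure function of a seed with very little entropy.
func weakToken(seed int64, words int) []uint32 {
	rng := mrand.New(mrand.NewSource(seed)) // deterministic, non-cryptographic generator
	out := make([]uint32, words)
	for i := range out {
		out[i] = rng.Uint32()
	}
	return out
}

// recoverSeed plays the attacker: knowing only the token and roughly when it
// was issued, try every second in [lo, hi] until one reproduces it. Once the
// seed is known, every later draw from the same generator is known too.
func recoverSeed(token []uint32, lo, hi int64) (int64, bool) {
	for s := lo; s <= hi; s++ {
		rng := mrand.New(mrand.NewSource(s))
		match := true
		for _, want := range token {
			if rng.Uint32() != want {
				match = false
				break
			}
		}
		if match {
			return s, true
		}
	}
	return 0, false
}

// strongToken draws from the operating system's CSPRNG via crypto/rand; there
// is no seed to recover and no relation between successive tokens.
func strongToken(words int) ([]uint32, error) {
	buf := make([]byte, 4*words)
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	out := make([]uint32, words)
	for i := range out {
		out[i] = binary.LittleEndian.Uint32(buf[4*i:])
	}
	return out, nil
}

func main() {
	issued := time.Now().Unix()
	tok := weakToken(issued, 4)
	// Attacker's knowledge: the token, and that it was minted within the last hour.
	if seed, ok := recoverSeed(tok, issued-3600, issued); ok {
		fmt.Printf("weak token %08x: seed %d recovered, next draw will be %08x\n",
			tok, seed, weakToken(seed, 5)[4])
	}
	if st, err := strongToken(4); err == nil {
		fmt.Printf("strong token %08x: nothing to brute-force\n", st)
	}
}
```

The brute force is a few thousand generator constructions and finishes instantly; widening the window to a day or a year only makes it take seconds. The same lesson applies to any non-cryptographic generator whose state is reachable from its outputs, which is why the blog post steers secret material toward crypto/rand regardless of how math/rand is seeded.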
Security updates for Tuesday
Security updates have been issued by Debian (kernel), Gentoo (libjpeg-turbo, xar, and Xpdf), Red Hat (bind, dhcp and glibc), and SUSE (bouncycastle, curl, flatpak, less, and xen).
2023 PSF annual impact report
The Python Software Foundation (PSF) has announced its annual impact report for 2023. The report includes updates from PSF staff as well as summaries of the foundation's activities, financials, and infrastructure. The PSF celebrated the 20th anniversary of PyCon US, distributed more than $370,000 in grants, and enjoyed impressive traffic on PyPI:
Stenberg: I survived curl up 2024
Daniel Stenberg has posted a report about the recent curl up conference about curl development. It was held over two days in Stockholm. The report has short summaries of the talks with links to the recordings.
[$] Modernizing accessibility for desktop Linux
In some aspects, such as in gaming, the Linux desktop has made enormous strides in the past few years. In others, such as accessibility, things have stagnated. At Open Source Summit North America (OSSNA), Matt Campbell spoke about the need for, and an approach to, modernizing accessibility for desktop Linux. This included a discussion of Newton, a fledgling project that may greatly improve accessibility on the Linux desktop.
The 2023 FSF Free Software Awards
The Free Software Foundation has announced the recipients of its 2023 Free Software Awards: Bruno Haible for work on gnulib, Nick Logozzo as the "outstanding new free software contributor", and code.gouv.fr for projects of social benefit.
Security updates for Monday
Security updates have been issued by Debian (glibc, intel-microcode, less, libkf5ksieve, and ruby3.1), Fedora (chromium, gdcm, httpd, and stalld), Gentoo (Apache Commons BCEL, borgmatic, Dalli, firefox, HTMLDOC, ImageMagick, MediaInfo, MediaInfoLib, MIT krb5, MPlayer, mujs, Pillow, Python, PyPy3, QtWebEngine, Setuptools, strongSwan, and systemd), Oracle (grub2 and shim), Red Hat (git-lfs, kpatch-patch, unbound, and varnish), and SUSE (avahi, grafana and mybatis, java-11-openjdk, java-17-openjdk, skopeo, SUSE Manager Client Tools, SUSE Manager Salt Bundle, and SUSE Manager Server 4.3).
Kernel prepatch 6.9-rc7
The 6.9-rc7 kernel prepatch is out for testing. "The stats for 6.9 continue to look very normal, and nothing looks particularly alarming."
[$] The file_operations structure gets smaller
Kernel developers are encouraged to send their changes in small batches as a way of making life easier for reviewers. So when a longtime developer and maintainer hits the list with a 437-patch series touching 859 files, eyebrows are certain to head skyward. Specifically, this series from Jens Axboe is cleaning up one of the core abstractions that has been part of the Linux kernel almost since the beginning; authors of device drivers (among others) will have to take note.
Security updates for Friday
Security updates have been issued by Fedora (chromium, grub2, httpd, kernel, libcoap, matrix-synapse, python-pip, and rust-pythonize), Red Hat (kernel and libxml2), SUSE (kernel), and Ubuntu (eglibc, glibc and php7.4, php8.1, php8.2).
A new set of stable kernels
Greg Kroah-Hartman has announced the release of the 6.8.9, 6.6.30, 6.1.90, 5.15.158, 5.10.216, 5.4.275, and 4.19.313 stable kernels. As is the norm, they contain lots of important fixes throughout the kernel tree.
[$] Inheritable credentials for directory file descriptors
In Unix-like systems, an open file descriptor carries the right to access the opened object in specific ways. As a general rule, that file descriptor does not enable access to any other objects. The recently merged BPF token feature runs counter to this practice by creating file descriptors that carry specific BPF-related access rights. A similar but different approach to capability-carrying file descriptors, in the form of directory file descriptors that include their own credentials, is currently under consideration in the kernel community.
Rust 1.78.0 released
Version 1.78.0 of the Rust language has been released. Changes include a new mechanism for diagnostic attributes, changes to how assertions around unsafe blocks are handled, and more.
Security updates for Thursday
Security updates have been issued by Debian (chromium and distro-info-data), Fedora (et, php-tcpdf, python-aiohttp, python-openapi-core, thunderbird, tpm2-tools, and tpm2-tss), Red Hat (nodejs:16 and podman), and Ubuntu (firefox).
[$] LWN.net Weekly Edition for May 2, 2024
The LWN.net Weekly Edition for May 2, 2024 is available.
GNU nano 8.0 released
Version 8.0 of the terminal text editor GNU nano has been released. This update includes several changes to keybindings to be more newcomer-friendly, such as remapping Ctrl-F to forward-search and adding an option for modern bindings:
[$] A look at Ubuntu Desktop LTS 24.04
Ubuntu 24.04 LTS, code-named "Noble Numbat", was released on April 25. This release includes GNOME 46, installer updates, security enhancements, a lot of updated packages, and a new App Center that puts a heavy emphasis on using Snaps to install software. It is not an ambitious release, but it brings enough to the table that it's a worthwhile update.
Eelco Dolstra steps down from NixOS Foundation board
The NixOS Foundation board announced on April 30 that Eelco Dolstra is stepping down from the board following the recent calls for his resignation.
Security updates for Wednesday
Security updates have been issued by Debian (nghttp2 and qtbase-opensource-src), Mageia (cjson, freerdp, guava, krb5, libarchive, and mediawiki), Oracle (container-tools:4.0 and container-tools:ol8), Red Hat (bind, buildah, container-tools:3.0, container-tools:rhel8, expat, gnutls, golang, grafana, kernel, kernel-rt, libreswan, libvirt, linux-firmware, mod_http2, pcp, pcs, podman, python-jwcrypto, rhc-worker-script, shadow-utils, skopeo, sssd, tigervnc, unbound, and yajl), SUSE (kernel and python311), and Ubuntu (gerbv and node-json5).
[$] Security patterns and anti-patterns in embedded development
When it comes to security, telling developers to do (or not do) something can be ineffective. Helping them understand the why behind instructions, by illustrating good and bad practices using stories, can be much more effective. With several such stories Marta Rybczyńska fashioned an interesting talk about patterns and anti-patterns in embedded Linux security at the Embedded Open Source Summit (EOSS), co-located with Open Source Summit North America (OSSNA), on April 16 in Seattle, Washington.
Yocto Project 5.0 released
Version 5.0 of the Yocto Project distribution builder has been released. The list of new features is long; see the release notes for the details.
"run0" as a sudo replacement
This Mastodon stream from Lennart Poettering describes a sudo replacement, called run0, that will be part of the upcoming systemd 256 release. It takes a rather different approach to the execution of privileged commands, avoiding the use of setuid (which he calls "SUID") permissions entirely: rather than a privileged binary inheriting the caller's environment, run0 asks the service manager, after polkit authorization, to start the command in a fresh execution context, so the invoking process never controls the environment in which the privileged code runs.
Git 2.45.0 released
Version 2.45.0 of the Git source-code management system has been released. Changes include a new list command for git reflog, a couple of new configuration variables for git diff, the ability to drop redundant commits while cherry-picking, a number of performance improvements, and more.
Security updates for Tuesday
Security updates have been issued by Debian (org-mode), Oracle (shim and tigervnc), Red Hat (ansible-core, avahi, buildah, container-tools:4.0, containernetworking-plugins, edk2, exfatprogs, fence-agents, file, freeglut, freerdp, frr, grub2, gstreamer1-plugins-bad-free, gstreamer1-plugins-base, gstreamer1-plugins-good, harfbuzz, httpd, ipa, kernel, libjpeg-turbo, libnbd, LibRaw, libsndfile, libssh, libtiff, libvirt, libX11, libXpm, mingw components, mingw-glib2, mingw-pixman, mod_http2, mod_jk and mod_proxy_cluster, motif, mutt, openssl and openssl-fips-provider, osbuild and osbuild-composer, pam, pcp, pcs, perl, pmix, podman, python-jinja2, python3.11, python3.11-cryptography, python3.11-urllib3, qemu-kvm, qt5-qtbase, runc, skopeo, squashfs-tools, systemd, tcpdump, tigervnc, toolbox, traceroute, webkit2gtk3, wpa_supplicant, xorg-x11-server, xorg-x11-server-Xwayland, and zziplib), SUSE (docker, ffmpeg, ffmpeg-4, frr, and kernel), and Ubuntu (anope, freerdp3, and php7.0, php7.2, php7.4, php8.1).
Amarok 3.0 "Castaway" released
The Amarok music player project has announced the release of version 3.0, which is codenamed "Castaway". It is the first stable version using Qt 5 and KDE Frameworks 5, and the first stable release since the final Qt-4-based 2.9.0 in 2018.
[$] A leadership crisis in the Nix community
On April 21, a group of anonymous authors and non-anonymous signatories published a lengthy open letter to the Nix community and Nix founder Eelco Dolstra calling for his resignation from the project. They claimed ongoing problems with the project's leadership, primarily focusing on the way his actions have allegedly undermined people nominally empowered to perform various moderation and governance tasks. Since its release, the letter has gained more than 100 signatures.
Security updates for Monday
Security updates have been issued by AlmaLinux (buildah, go-toolset:rhel8, golang, java-11-openjdk, java-21-openjdk, libreswan, thunderbird, and tigervnc), Debian (chromium, emacs, frr, mediawiki, ruby-rack, trafficserver, and zabbix), Fedora (chromium, grub2, python-idna, and python-reportlab), Mageia (chromium-browser-stable, firefox, opencryptoki, and thunderbird), Red Hat (container-tools:4.0, container-tools:rhel8, git-lfs, and shim), SUSE (frr, java-11-openjdk, java-1_8_0-openjdk, kernel, pdns-recursor, and shim), and Ubuntu (apache2, cpio, curl, glibc, gnutls28, less, libvirt, and pillow).
McQueen: Update from the GNOME board
Robert McQueen has posted a message from the GNOME Foundation board describing the current financial situation, plans to improve it, and an increase in the size of the board.
Kernel prepatch 6.9-rc6
The 6.9-rc6 kernel prepatch is out for testing.
Four weekend stable kernel releases
The 6.8.8, 6.6.29, 6.1.88, and 5.15.157 stable kernels have been released; each contains another set of important fixes. Update: 6.1.89 was released two days later to fix a build problem in 6.1.88.
[$] Giving Rust a chance for in-kernel codecs
Video playback is undeniably one of the most important features in modern consumer devices. Yet, surprisingly, users are by and large unaware of the intricate engineering involved in the compression and decompression of video data, with codecs being left to find a delicate balance between image quality, bandwidth, and power consumption. In response to constant performance pressure, video codecs have become complex and hardware implementations are now common, but programming these devices is becoming increasingly difficult and fraught with opportunities for exploitation. I hope to convey how Rust can help fix this problem.
[$] Support for the TSO memory model on Arm CPUs
At the CPU level, a memory model describes, among other things, the amount of freedom the processor has to reorder memory operations. If low-level code does not take the memory model into account, unpleasant surprises are likely to follow. Naturally, different CPUs offer different memory models, complicating the portability of certain types of concurrent software. To make life easier, some Arm CPUs offer the ability to emulate the x86 memory model, but efforts to make that feature available in the kernel are running into opposition.
Security updates for Friday
Security updates have been issued by Debian (knot-resolver, pdns-recursor, and putty), Fedora (xen), Mageia (editorconfig-core-c, glibc, mbedtls, webkit2, and wireshark), Oracle (buildah), Red Hat (buildah and yajl), Slackware (libarchive), SUSE (dcmtk, openCryptoki, php7, php74, php8, python-gunicorn, python-idna, qemu, and thunderbird), and Ubuntu (cryptojs, freerdp2, nghttp2, and zabbix).
[$] Python JIT stabilization
On April 11, Brandt Bucher posted PEP 744 ("JIT Compilation"), which summarizes the current state of Python's new copy-and-patch just-in-time (JIT) compiler. The JIT is currently experimental, but the PEP proposes some criteria for the circumstances under which it should become a non-experimental part of Python. The discussion of the PEP hasn't reached a conclusion, but several members of the community have already raised questions about how the JIT would fit into future iterations of the Python language.
Ubuntu 24.04 LTS (Noble Numbat) released
Version 24.04 LTS of the Ubuntu distribution is out.
[$] The state of realtime and embedded Linux
Linux, famously, appears in a wide range of systems. While servers and large data centers get a lot of the attention, and this year will always be the year of the Linux desktop, there is also a great deal of Linux to be found in realtime and embedded applications. Two talks held in the realtime and embedded tracks of the 2024 Open Source Summit North America provided listeners with an update on how Linux is doing in those areas. Work on realtime Linux appears to be nearing completion, while the embedded community is still pushing forward at full speed.
Security updates for Thursday
Security updates have been issued by Fedora (curl, filezilla, flatpak, kubernetes, libfilezilla, thunderbird, and xen), Oracle (go-toolset:ol8, kernel, libreswan, shim, and tigervnc), Red Hat (buildah, gnutls, libreswan, tigervnc, and unbound), SUSE (cockpit-wicked, nrpe, and python-idna), and Ubuntu (dnsmasq, freerdp2, linux-azure-6.5, and thunderbird).
[$] LWN.net Weekly Edition for April 25, 2024
The LWN.net Weekly Edition for April 25, 2024 is available.
GitHub comments used to distribute malware (BleepingComputer)
BleepingComputer reported on April 20 that some malware was being distributed via GitHub. Uploading files as part of a comment gives them a URL that appears to be associated with a repository, even if the comment is never posted. The practical consequence is that a download link sitting under a well-known project's repository path is not, by itself, evidence that the project published the file.
A new crash reporter for Firefox
On April 23, Mozilla announced that Firefox's crash reporter has been rewritten in Rust, allowing the project to address a backlog of issues.
QEMU 9.0 released
Version 9.0 of the QEMU emulator has been released. "This release contains 2700+ commits from 220 authors." The list of improvements is long; see the announcement and the changelog for details.
[$] Existential types in Rust
For several years, contributors to the Rust project have been working to improve support for asynchronous code. The benefits of these efforts are not confined to asynchronous code, however. Members of the Rust community have been working toward adding explicit existential types to Rust since 2017. Existential types are not a common feature of programming languages (something the RFC acknowledges), so the motivation for their inclusion might be somewhat obscure.
Security updates for Wednesday
Security updates have been issued by Fedora (abseil-cpp, chromium, filezilla, libfilezilla, and xorg-x11-server-Xwayland), Oracle (firefox, gnutls, golang, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-21-openjdk, kernel, libreswan, mod_http2, owO: thunderbird, and thunderbird), Red Hat (container-tools:rhel8, gnutls, grub2, kernel, kernel-rt, less, linux-firmware, opencryptoki, pcs, postgresql-jdbc, and thunderbird), Slackware (ruby), SUSE (kubernetes1.23, kubernetes1.24, and opensc), and Ubuntu (firefox, linux-azure, linux-lowlatency, linux-nvidia, and ruby-sanitize).
[$] A change in direction for security-module stacking?
The long-running effort to complete the work on stacking (or composing) the Linux security modules (LSMs) recently encountered a barrier in the form of a "suggestion" to discontinue it from Linus Torvalds. His complaint revolved around the indirect function calls that are used to implement LSMs, but he also did not think much of the effort to switch away from those calls. While it does not appear that a major course-change is in store for LSMs, it is clear that Torvalds is not happy with the direction of that subsystem.