LWN.net

Nix andGuix are a pair of unusual package managersbased on the idea of declarative configurations. Their associated Linuxdistributions - NixOS and the Guix System - take the idea further by allowing usersto define a single centralized configuration describing the state of the entiresystem. Both havebeen previously mentioned on LWN, but not covered extensively. They offer different takes onthe central idea of treating packages like immutable values.

Netflix has announcedthe release of a tool called bpftop to help with the performanceoptimization of BPF programs in the kernel:

Security updates have been issued by Debian (engrampa and libgit2), Fedora (libxls, perl-Spreadsheet-ParseXLSX, and wpa_supplicant), Gentoo (PyYAML), Mageia (packages and thunderbird), Red Hat (firefox, kernel, linux-firmware, thunderbird, and unbound), Slackware (openjpeg), SUSE (golang-github-prometheus-prometheus, installation-images, kernel, python-azure-core, python-azure-storage-blob, salt and python-pyzmq, SUSE Manager 4.2.11, SUSE Manager 4.3, SUSE Manager Server 4.2, and wayland), and Ubuntu (dnsmasq, libde265, libxml2, openjdk-17, openjdk-21, openjdk-lts, and postgresql-12, postgresql-14, postgresql-15).

In a recent episode, "Pitchforks for RDSEED",we learned that there was some uncertainty around whether hardware-basedrandom-number generators on x86 CPUs could fail. Since the consequences offailure in some situations (confidential-computing applications inparticular) can be catastrophic, there was some concern about this prospectand what to do about it. Since then, the situation has come a bit moreinto focus, and there would appear to be an agreed-upon plan for changes tobe made to the kernel.

Version 0.6 of Incus, a fork of LXD, has been released. This release includes a number of changes, including a new storage driver called lvmcluster, improvements for Open Virtual Network (OVN) users, improvements to migration tooling, a number of new security features, and storage bucket backup and re-import. See the release announcement for detailed release notes and complete list of changes. The announcement notes that a Long Term Support (LTS) release of Incus is planned in a few months "to coincide with the LTS releases of LXC and LXCFS".

At FOSDEM2024,the "Toolthe docs" devroom hosted several talks about free and open-source toolsfor writing, managing, testing, and rendering documentation. The centralconcept was to treat documentation as code, which makes it possible toincorporate various tools into documentation workflows in order to maintainhigh quality.

Security updates have been issued by Debian (gnutls28, iwd, libjwt, and thunderbird), Fedora (chromium, expat, mingw-expat, mingw-openexr, mingw-python3, mingw-qt5-qt3d, mingw-qt5-qtactiveqt, mingw-qt5-qtbase, mingw-qt5-qtcharts, mingw-qt5-qtdeclarative, mingw-qt5-qtgraphicaleffects, mingw-qt5-qtimageformats, mingw-qt5-qtlocation, mingw-qt5-qtmultimedia, mingw-qt5-qtquickcontrols, mingw-qt5-qtquickcontrols2, mingw-qt5-qtscript, mingw-qt5-qtsensors, mingw-qt5-qtserialport, mingw-qt5-qtsvg, mingw-qt5-qttools, mingw-qt5-qttranslations, mingw-qt5-qtwebchannel, mingw-qt5-qtwebsockets, mingw-qt5-qtwinextras, mingw-qt5-qtxmlpatterns, and thunderbird), Gentoo (btrbk, Glances, and GNU Aspell), Mageia (clamav and xen, qemu and libvirt), Oracle (firefox and postgresql), Red Hat (firefox, opensc, postgresql:10, postgresql:12, postgresql:13, postgresql:15, thunderbird, and unbound), SUSE (firefox, java-1_8_0-ibm, libxml2, and thunderbird), and Ubuntu (binutils, linux, linux-aws, linux-gcp, linux-hwe-6.5, linux-laptop, linux-oracle, linux-raspi, linux-starfive, linux, linux-azure, linux-azure-5.15, linux-azure-fde, linux-gcp, linux-gcp-5.15, linux-gkeop, linux-gkeop-5.15, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-intel-iotg, linux-intel-iotg-5.15, linux-kvm, linux-lowlatency-hwe-5.15, linux-nvidia, linux-oracle, linux-oracle-5.15, linux-raspi, linux-azure, linux-oem-6.1, and roundcube).

Linus has released 6.8-rc6 for testing.

Version 2.44.0 of the Gitsource-code management system has been released. There is a long list ofchanges, including the gitreplay command for faster, server-side rebasing, a number ofcommand-line completion improvements, and more.

The world of open-source "forges" is becoming a little more fragmented. The Forgejo project is a software-development platform that started as a "soft" fork of Gitea in late 2022. On February 16, Forgejo announced its intent to become a "hard fork" of Gitea to help address its mission of community-controlled development and to "liberate software development from the shackles of proprietary tools". In a world where proprietary tools cast a long shadow over open-source development that's a welcome sentiment-if the project can deliver.

Greg Kroah-Hartman has announced the release of seven new stable kernels:6.7.6, 6.6.18, 6.1.79, 5.15.149, 5.10.210, 5.4.269, and 4.19.307. As usual, they contain manyimportant fixes throughout the kernel tree.

Security updates have been issued by Debian (chromium, imagemagick, and iwd), Fedora (chromium, firefox, and pdns-recursor), Mageia (nodejs and yarnpkg), Red Hat (firefox, postgresql, and postgresql:15), and SUSE (bind, mozilla-nss, openssh, php-composer2, python-pycryptodome, python-uamqp, python310, and tiff).

The Curl project has previously had problems withCVEs issued for things that are not security issues. On February 21,Daniel Stenberg wrote about the Curl project's most recent issue with the CVE system, saying:

The Linux kernel uses a number of hardening techniques to try to protectitself against compromise; one of those is kernel address-space layoutrandomization (KASLR). But randomization is of little benefit if thekernel spills the beans on where its code has ended up. As it happens, thekernel has been doing exactly that - since 2007, in a behavior thatpredates the addition of KASLR. Some changes are in theworks to close that hole, but it is illustrative of just how hard somesecrets are to keep.

Security updates have been issued by CentOS (python-pillow), Debian (firefox-esr and imagemagick), Fedora (kernel, mbedtls, rust-asyncgit, rust-bat, rust-cargo-c, rust-eza, rust-git-absorb, rust-git-delta, rust-git2, rust-gitui, rust-libgit2-sys, rust-lsd, rust-pore, rust-pretty-git-prompt, rust-shadow-rs, rust-silver, rust-tokei, and rust-vergen), Gentoo (LibreOffice), Red Hat (kpatch-patch), Slackware (mozilla), SUSE (docker, python-pycryptodome, python3, and qemu), and Ubuntu (firefox and linux, linux-aws, linux-aws-5.4, linux-bluefield, linux-gcp, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-iot, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux-xilinx-zynqmp).

The LWN.net Weekly Edition for February 22, 2024 is available.

Sudo is a ubiquitous tool for runningcommands with the privileges of another user on Unix-like operating systems. Overthe past decade or so, some alternatives havebeen developed; the base system of OpenBSD now comes with doas instead, sudo-rs is a subset ofsudo reimplemented in Rust, and, somewhat surprisingly, Microsoft alsorecently announcedits own Sudo for Windows. Each of these offers a different approach to thetask of providing limited privileges to unprivileged users.

Alexei Starovoitov introduceda patch series for the Linux kernel on February 6 to add bpf_arena, a new typeof shared memory betweenBPFprograms and user space.Starovoitov expects arenas to be useful both for bidirectional communicationbetween user space and BPF programs, and for use as an additional heap for BPFprograms. This will likely be useful to BPF programs that implementcomplex data structures directly, instead of relying on the kernel to supply them.Starovoitov cited Google'sghOSt projectas an example and inspiration for the work.

Version 5.10 of theRawTherapee raw photo editor is out. The list of changes is long, andincludes improved support for many camera-specific formats. (LWN looked at RawTherapee in 2022).

Security updates have been issued by CentOS (linux-firmware and python-reportlab), Debian (unbound), Fedora (freeglut and syncthing), Red Hat (edk2, go-toolset:rhel8, java-1.8.0-ibm, kernel, kernel-rt, mysql:8.0, oniguruma, and python-pillow), Slackware (libuv and mozilla), SUSE (abseil-cpp, grpc, opencensus-proto, protobuf, python- abseil, python-grpcio, re2, bind, dpdk, firefox, hdf5, libssh, libssh2_org, libxml2, mozilla-nss, openssl-1_1, openvswitch, postgresql12, postgresql13, postgresql14, postgresql15, postgresql16, python-aiohttp, python-time-machine, python-pycryptodomex, runc, and webkit2gtk3), and Ubuntu (kernel, libspf2, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, and linux, linux-aws, linux-kvm, linux-lts-xenial).

DNS resolvers (those that handle DNSSEC, at least) are almost uniformlyvulnerable to an exploitthat has been named "KeyTrap". In short, the right type of packet cansend a DNS system into something close to an infinite loop, taking it outof service indefinitely.

Qubes OS is a security-focused desktop Linux distribution built on Fedora Linux and the Xen hypervisor. Qubes uses virtualization to run applications, system services, and devices access via virtual machines called "qubes" that have varying levels of trust and persistence to provide an open-source "reasonably secure" operating system with "serious privacy". The Qubes 4.2.0 release, from December 2023, brings a number of refinements to make Qubes OS easier to manage and use.

Andrea Righi has starteda blog series on writing a user-space CPU scheduler with the BPF-basedextensible scheduler class:

Drew DeVault announced the first numbered release of the Hare programming language on February 16.

Security updates have been issued by Fedora (freeglut, hugin, libmodsecurity, qemu, rust-asyncgit, rust-bat, rust-cargo-c, rust-eza, rust-git-absorb, rust-git-delta, rust-git2, rust-gitui, rust-libgit2-sys, rust-lsd, rust-pore, rust-pretty-git-prompt, rust-shadow-rs, rust-silver, rust-tokei, and rust-vergen), Mageia (packages, radare2, ruby-rack, and wireshark), Oracle (.NET 8.0 and python-pillow), Red Hat (gimp:2.8, java-1.8.0-ibm, and kpatch-patch), SUSE (dpdk and opera), and Ubuntu (bind9, curl, linux-raspi, linux-raspi-5.4, node-ip, and tiff).

Spritely is a project seeking tobuild a platform for sovereign distributed applications - applications whereusers run their own nodes in order to control their own data - as the basis of anew social internet.While there are many such existingprojects, Spritely takes an unusual approach based on a newinteroperable protocol forefficient, secure remote procedure calls (RPC). The project is in its early stages,with many additional features planned, but it is already possible to play aroundwith Goblins, the distributedactor library that Spritely intends to build on.

Security updates have been issued by Debian (engrampa, openvswitch, pdns-recursor, and runc), Fedora (caddy, expat, freerdp, libgit2, libgit2_1.6, mbedtls, python-cryptography, qt5-qtbase, and sudo), Gentoo (Apache Log4j, Chromium, Google Chrome, Microsoft Edge, CUPS, e2fsprogs, Exim, firefox, Glade, GNU Tar, intel-microcode, libcaca, QtNetwork, QtWebEngine, Samba, Seamonkey, TACACS+, Thunar, and thunderbird), Mageia (dnsmasq, unbound, and vim), Oracle (container-tools:4.0, container-tools:ol8, dotnet6.0, dotnet7.0, kernel, nss, openssh, and sudo), Red Hat (python-pillow), and SUSE (bitcoin, dpdk, libssh, openvswitch, postgresql12, and postgresql13).

The 6.8-rc5 kernel prepatch is out fortesting. "Absolutely nothing stands out here, although I do wishthings should have calmed down a bit more at this point in the releaseprocess."

The openSUSE News blog looks at the roadmap for Agama (a new installer from the YaST development team) with releases planned for April and July:

Greg Kroah-Hartman has announced the release of the 6.7.5, 6.6.17,and 6.1.78 stable kernels. As is the norm,they contain important fixes throughout the kernel tree. So far, there are nonew CVEs reported onthe linux-cve-announce mailing list, which means that the new kernel CVE numbering authority (CNA)powers have not yet been used.

The futexmechanism provided by the kernel allows for the creation of efficient andflexible locking primitives in user space. Futexes work well for manyapplications, but not all. One of the exceptions, it seems, is thatperennially difficult-to-support use case: Windows games. With thispatch series, Elizabeth Figura seeks to provide the sort of lockingthat those games need, by way of a special-purpose virtual device.

Security updates have been issued by Mageia (bind), Red Hat (.NET 8.0 and kpatch-patch), SUSE (golang-github-prometheus-alertmanager, java-1_8_0-openj9, kernel, libaom, openssl-3, postgresql15, salt, SUSE Manager Client Tools, SUSE Manager Server 4.3, and webkit2gtk3), and Ubuntu (shadow).

At FOSDEM2024 in Brussels, theAI and MachineLearning devroom hosted several talks about open-source AI models. Withtalks about a definition of open-source AI, "ethical" restrictions inlicenses, and the importance of open data sets, in particular fornon-English languages, the devroom provided an overview of the current stateof the domain.

Security updates have been issued by Debian (edk2, postgresql-13, and postgresql-15), Fedora (engrampa, vim, and xen), Mageia (mbedtls and quictls), Oracle (nss, openssh, and tcpdump), Red Hat (.NET 8.0), SUSE (hugin, kernel, pdns-recursor, python3, tomcat, and tomcat10), and Ubuntu (clamav, edk2, linux-gcp-6.2, linux-intel-iotg-5.15, linux-oem-6.1, and ujson).

The LWN.net Weekly Edition for February 15, 2024 is available.

Version 21 of LineageOS,an Android-based distribution, has been released.

The Ubuntu Weekly Newsletter carries the sad news that long-time contributor Gunnar Hjalmarsson has passed away.

The Fedora Project is working toward the releaseof Fedora Linux 40, and (as with each release) that means changesto the way the project works and the software included in its repositories. Mostof the changesset for Fedora 40 are uncontroversial, but one change is causing quitea stir. The KDE Special Interest Group's (SIG) proposal to adopt KDE Plasma 6 with only Wayland session support, which it interpreted as a mandate to block any X11 packages for Plasma. Others saw it as overreach by the SIG, and an attempt to block users and contributors from maintaining software they needed.

The Common Vulnerabilities andExposures (CVE) system was set up in 1999 as a way to referunambiguously to known vulnerabilities in software. That system has founditself under increasing strain over the years, and numerous projects haveresponded by trying to assert greater control over how CVE numbers areassigned for their code. On February 13, though, a big shoe dropped whenthe Linux kernel project announcedthat it, too, was taking control of CVE-number assignments. As is oftenthe case, though, the kernel developers are taking a different approach tovulnerabilities, with possible implications for the CVE system as a whole.

Security updates have been issued by Debian (bind9 and unbound), Fedora (clamav, firecracker, libkrun, rust-event-manager, rust-kvm-bindings, rust-kvm-ioctls, rust-linux-loader, rust-userfaultfd, rust-versionize, rust-vhost, rust-vhost-user-backend, rust-virtio-queue, rust-vm-memory, rust-vm-superio, rust-vmm-sys-util, and virtiofsd), Red Hat (.NET 6.0, dotnet6.0, and dotnet7.0), Slackware (bind and dnsmasq), and Ubuntu (dotnet6, dotnet7, dotnet8, linux-lowlatency, linux-raspi, linux-nvidia-6.2, and ujson).

Greg Kroah-Hartman has announcedthat the kernel project has been accepted as a CVE numbering authority(CNA). The way that CVE numbers will be handled by the kernel is describedin thisdocumentation patch:

The dynamic linker is a critical component of modern Linux systems, beingresponsible for setting up the address space of most processes. While staticallylinked binaries have become more popular over time as the tradeoffs thatoriginally led to dynamic linking become less relevant, dynamic linking is stillthe default. This article looks at what steps the dynamic linker takes toprepare a program for execution.

Security updates have been issued by Fedora (clamav and virtiofsd), Oracle (gimp), Red Hat (gnutls and nss), SUSE (kubevirt, virt-api-container, virt-controller-container, virt-exportproxy-container, virt-exportserver-container, virt-handler-container, virt-launcher-container, virt-libguestfs-t and squid), and Ubuntu (openssl).

The FreeBSD Project has announced that it intends to deprecate 32-bit platforms "over the next couple of major releases".

Once again, runc-a toolfor spawning and running OCI containers-is drawing attention due to a highseverity container breakout attack. This vulnerability is interesting forseveral reasons: its potential for widespread impact, the continued difficultyin actually containing containers, the dangers of running containersas a privileged user, and the fact that this vulnerability is made possiblein part by a response to a previouscontainer breakout flaw in runc.

Security updates have been issued by Debian (libgit2), Fedora (chromium, firecracker, libkrun, openssh, python-nikola, runc, rust-event-manager, rust-kvm-bindings, rust-kvm-ioctls, rust-linux-loader, rust-userfaultfd, rust-versionize, rust-vhost, rust-vhost-user-backend, rust-virtio-queue, rust-vm-memory, rust-vm-superio, rust-vmm-sys-util, virtiofsd, webkitgtk, and wireshark), Mageia (filezilla and xpdf), Oracle (gimp), Red Hat (libmaxminddb, linux-firmware, squid:4, and tcpdump), Slackware (xpdf), SUSE (cdi-apiserver-container, cdi-cloner-container, cdi- controller-container, cdi-importer-container, cdi-operator-container, cdi- uploadproxy-container, cdi-uploadserver-container, cont and suse-build-key), and Ubuntu (python-glance-store and webkit2gtk).

The 6.8-rc4 kernel prepatch is out fortesting. "Commit counts and contents look normal for this phase of therelease, nothing here really stands out."

Fedora Magazine has announced the creation of Fedora Atomic Desktops: a way of branding Fedora's growing set of rpm-ostree spins. Joseph Gayso wrote "we've seen more of our mainline Fedora Linux spins make the jump to offer a version that implements rpm-ostree. It's reached the point where it can be hard to talk about all of them at the same time. Therefore we've introduced a new brand that will serve to simplify how we discuss rpm-ostree and how we name future atomic spins." LWN covered Project Bluefin, which is based on Fedora's rpm-ostree work, in December 2023.

Over on the Collabora blog, Helen Koike writesabout the DRM-CI project for running automated continuous integration (CI)tests on multiple graphics devices in several different labs. It uses theIGT GPUtools for testing, though there are plans to expand:

Gnuplot6.0 was released inDecember2023, bringing a host of significant improvements and newcapabilities to the open-source graphing tool. Here we survey the majornew features, including filled contours in 3D, adaptive plotting resolution, watchpoints, clippingof surfaces, sector plots for making things like pie charts, and newsyntax for conditionals in gnuplot's scripting language. In addition, therearedetailed examples of the features described.