Version 3.4.0 of the OpenSSL SSL/TLS library has been released. It adds a number of new encryption algorithms, support for "directly fetched composite signature algorithms such as RSA-SHA2-256", and more. See the release notes for details.
Security updates have been issued by Debian (ffmpeg, ghostscript, libsepol, openjdk-11, openjdk-17, perl, and python-sql), Oracle (389-ds-base, buildah, containernetworking-plugins, edk2, httpd, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-21-openjdk, kernel, python-setuptools, skopeo, and webkit2gtk3), Red Hat (buildah), Slackware (openssl), SUSE (apache2, firefox, libopenssl-3-devel, podman, and python310-starlette), and Ubuntu (cups-browsed, firefox, libgsf, and linux-gke).
Sasha Levin has announced a new tree that is intended to perform continuous-integration tests of pull requests aimed at the mainline. The plan is for this tree to hold more finished work than sometimes ends up in linux-next; in a name that seems destined to create typographical confusion, it is called "linus-next".
Version 1.1.0 of the bootc utility for performing transactional, in-place operating system updates using Open Container Initiative (OCI) images, has been released. This release "officially stabilizes all APIs" for bootc and includes a number of bug fixes. LWN covered bootc in June.
Sigstore is a project that is meant to simplify and improve the process of signing, verifying, and protecting software. It is a relatively new project, declared "generally available" in 2022. Python is an early adopter of sigstore; it started providing signatures for CPython artifacts with Python 3.11 in 2022. This is in addition to the OpenPGP signatures it has been providing since at least 2001. Now, Seth Michael Larson, the Python Software Foundation (PSF) security developer-in-residence, would like to deprecate the PGP signature and move to sigstore exclusively by next year. If that happens, it will involve some changes in the way that Linux distributions verify Python releases, since none of the major distributions have processes for working with sigstore.
The Guix project has disclosed a security vulnerability in the build daemon that the distribution uses to build and install software locally. The vulnerability allows an existing unprivileged user to get access to a setuid binary, and from there potentially interfere with any other software built or installed on the computer. The project recommends upgrading the guix daemon now, to avoid the issue.
Linus has released 6.12-rc4 for testing. "I'm not happy with how big this is - it's probably far from the biggest rc4 ever, but it _is_ the biggest rc4 we've had in the 6.x series at least in number of commits."
The kernel's CPU scheduler currently offers several preemption modes that implement a range of tradeoffs between system throughput and response time. Back in September 2023, a discussion on scheduling led to the concept of "lazy preemption", which could simplify scheduling in the kernel while providing better results. Things went quiet for a while, but lazy preemption has returned in the form of this patch series from Peter Zijlstra. While the concept appears to work well, there is still a fair amount of work to be done.
Security updates have been issued by AlmaLinux (java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-21-openjdk, and webkit2gtk3), Debian (apache2), Red Hat (expat), SUSE (cups-filters, jetty-minimal, OpenIPMI, and python-starlette), and Ubuntu (linux-azure, linux-azure, linux-azure-5.15, linux-azure, linux-azure-5.4, and oath-toolkit).
Version 1.82.0 of the Rust language has been released. There are a lot of new features this time, including a cargo info command, tier-1 support for 64-bit Apple Arm systems, a new native syntax (&raw) to create raw pointers, changes to unsafe extern, unsafe attributes, standardized rules around the handling of floating-point not-a-number values, and more.
Email has become somewhat unfashionable as a collaboration tool for open-source projects, but there are still a number of projects, such as PostgreSQL and the Linux kernel, that expect contributors to send and review patches via email. The aerc mail client is aimed at developers looking for a text-based, efficient, and extensible client that is meant to be used for working with Git and email. It uses Vim-style keybindings by default, and has an interface inspired by tmux that lets users manage multiple accounts, mails, and embedded terminals at once.
Greg Kroah-Hartman has announced the release of the 6.11.4, 6.6.57, 6.1.113, 5.15.168, and 5.10.227 stable kernels. As usual, this set of updates contains a long list of important fixes throughout the kernel tree.
Version 9.0 of the Forgejo software forge system has been released. Changes include a switch to the GPLv3 license, the beginning of a quota system, the removal of go-git support, and a lot of fixes. (LWN looked at Forgejo in February).
Rust, like C, has its own memory model describing how concurrent access to the same data by multiple threads can behave. The Linux kernel, however, has its own ideas. The Linux kernel memory model (LKMM) is subtly different from both the standard C memory model and Rust's model. At Kangrejos, Boqun Feng gave a presentation about the need to reconcile the memory models used by Rust and the kernel, including a few potential avenues for doing so. While no consensus was reached, it is an area of active discussion.
The pidfd mechanism, which uses file descriptors to refer to processes in an unambiguous and race-free way, was first introduced in 2018. Since then, the interface has gained a number of new features, but development has slowed over time as the interface has matured. There are, however, a couple of patches in circulation that are meant to make working with pidfds simpler in some situations.
Security updates have been issued by AlmaLinux (buildah, containernetworking-plugins, and skopeo), Fedora (pdns-recursor and valkey), Mageia (unbound), Red Hat (fence-agents, firefox, java-11-openjdk, python-setuptools, python3-setuptools, resource-agents, and thunderbird), SUSE (etcd-for-k8s, libsonivox3, rubygem-puma, and unbound), and Ubuntu (apr, libarchive, linux, linux-aws, linux-aws-hwe, linux-azure-4.15, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, nano, and vim).
Version 4.0.0 of the LibreSSL TLS/cryptography stack has been released. Changes include a cleanup of the MD4 and MD5 implementations, removal of unused DSA methods, changes in libtls protocol parsing to ignore unsupported TLSv1.1 and TLSv1.0 protocols, and many more internal changes and bug fixes.
Paul McKenney gave a presentation at Kangrejos this year that wasn't (directly) related to Rust. Instead, he spoke about the work he has been doing in concert with many other contributors on improving the handling of subtle concurrency problems in C++. Although he cautioned that his talk was only an overview, and not a substitute for reading the relevant papers, he hoped that the things the C++ community is working on would be of interest to the Rust developers present as well, and potentially inform future work on the language. McKenney's talk was, as is his style, full of subtle examples of weird multithreaded behavior. Interested readers may wish to refer to his slides in an attempt to follow along.
Version 1.4 of the Inkscape open-source vector-graphics editor has been released. Highlights of this release include a filter gallery, import for Affinity Designer files, internal links in exported PDFs, and more. See the release notes for all of the new features. LWN previewed the 1.4 release in early October.
It is too early to say what the outcome will be in the ongoing fight between Automattic and WPEngine, but the WordPress community at large is already the loser. Automattic founder and CEO Matt Mullenweg has been using his control of the project, and the WordPress.org infrastructure, to punish WPEngine and remove some dissenting contributors from discussion channels. Most recently, Mullenweg has instituted a hostile fork of a WPEngine plugin and the forked plugin is replacing the original via WordPress updates.
While Debian's "sauce" is not actually all that secret, it is not particularly well-known either, Samuel Henrique said at the start of his DebConf24 talk. There is a lot of software-engineering effort that has been put in place by the distribution in order to create and maintain its releases, but "loads of people are not aware" of it. That may be due to the fact that all of that is not really documented anywhere in a central location that he can just point someone to. Recognizing that is what led him to give the talk; hopefully it will be a "first step toward" helping solve the problem.
At Kangrejos, Gary Guo wanted to discuss three problems with the way Rust and C code in the kernel interact: mismatched types, too many type casts, and the overhead of helper functions. To fix the first two problems, Guo proposed changing the way the kernel maps C types into Rust types. The last problem was a bit trickier, but he has a clever workaround for that, based on tricking the compiler into inlining the helper functions across language boundaries.
Security updates have been issued by AlmaLinux (.NET 6.0, .NET 8.0, and openssl), Debian (firefox-esr), Fedora (firefox), Mageia (php, quictls, and vim), Red Hat (buildah, container-tools:rhel8, containernetworking-plugins, firefox, podman, skopeo, and tomcat), Slackware (mozilla), SUSE (apache-commons-io, kernel, and xen), and Ubuntu (golang-1.17, libgsf, and linux-aws-6.8, linux-oracle-6.8).
Version 24.10 of the Ubuntu distribution is out. This release includes GNOME 47, Linux 6.11, security enhancements for managing Personal Package Archives (PPAs), experimental security controls for Snap packages, and more.
At the recently concluded Maintainers Summit, it was generally agreed that the Rust experiment would continue, and that the path was clear for more Rust code to enter the kernel. But the high-level view taken at such gatherings cannot always account for the difficult details that will inevitably arise as the Rust work proceeds. A recent discussion on the nouveau mailing list may have escaped the notice of many, but it highlights some of the problems that will have to be worked out as important functionality written in Rust heads toward the mainline.
Mozilla has released Firefox versions 131.0.2, ESR 128.3.1, and ESR 115.16.1. These updates address a severe, remotely exploitable code-execution vulnerability that is evidently already being exploited. Updating to a fixed release seems like a wise thing to do.
Greg Kroah-Hartman has announced the release of the 6.11.3, 6.10.14, 6.6.55, and 6.6.56 stable kernels. The 6.6.56 release fixes a problem with building perf in 6.6.55; "If you do not use the perf tool in the 6.6.y tree, there is no need to upgrade." Meanwhile, 6.10.14 is the last of the 6.10.y series, so users should now be moving to 6.11.y. Other than 6.6.56, they contain the usual long list of important fixes throughout the kernel tree.
Security updates have been issued by Debian (chromium), Fedora (firefox, koji, unbound, webkit2gtk4.0, and xen), Red Hat (glibc, net-snmp, and tomcat), Slackware (mozilla), SUSE (apache-commons-io, buildah, cups-filters, liboath-devel, libreoffice, libunbound8, podman, and redis), and Ubuntu (cups-browsed, cups-filters, edk2, linux-raspi-5.4, and oath-toolkit).
Bindgen is a widely used tool that automatically generates Rust bindings from C headers. The Rust-for-Linux project uses it to create some of the bindings between Rust code and the rest of the kernel. John Baublitz presented at Kangrejos about the improvements that he has made to the tool in order to make the generated bindings easier to use, including improved support for macros, bitfields, and enums.
Security updates have been issued by AlmaLinux (firefox, mod_jk, and thunderbird), Debian (apache2 and firefox-esr), Fedora (crosswords, logiops, p7zip, and perl-App-cpanminus), Red Hat (.NET 6.0, firefox, git, kernel, kernel-rt, openssl, and thunderbird), SUSE (buildah, json-lib, kernel, Mesa, mozjs78, pgadmin4, podman, podofo, qatlib, redis7, roundcubemail, rusty_v8, and seamonkey), and Ubuntu (dotnet6, dotnet8, nginx, and ruby-webrick).
In the early days of open source, it was a struggle to get companies to accept the concept and trust its development model. Now, companies have few qualms about using it, but do tend to take open source and those who maintain it for granted. The struggle now is to find ways to compensate producers of the software, sustain the open source commons, and avoid burning out maintainers. The Open Source Pledge project is an effort to persuade companies to pay maintainers by making it a social norm. On October 8, the project is launching a marketing campaign to raise awareness and try to get a larger conversation started around paying maintainers.
Alice Ryhl has been working to enable tracepoints - which are widely used throughout the kernel - to be seamlessly placed in Rust code as well. She spoke about her approach at Kangrejos. Her patch set enables efficient use of static tracepoints, but supporting dynamic tracepoints will take some additional effort.
Security updates have been issued by Debian (kernel), Fedora (webkitgtk), Mageia (cups), Oracle (e2fsprogs, kernel, and kernel-container), Red Hat (buildah, container-tools:rhel8, containernetworking-plugins, git-lfs, go-toolset:rhel8, golang, grafana-pcp, podman, and skopeo), SUSE (Mesa, mozjs115, podofo, and redis7), and Ubuntu (cups and cups-filters).
OpenBSD 7.6 has been released. Notable new features include work to improve suspend/resume on modern hardware, support for the arm64 Qualcomm Snapdragon X Elite laptops, as well as many improvements in hardware support and driver bug fixes.
The recent WordPress controversy is not the first time there's been tension between the WordPress community, the interests of Automattic as a business, and Matt Mullenweg's leadership as WordPress's benevolent dictator for life (BDFL). In particular, Mullenweg's focus on pushing WordPress to use a new "editing experience" called Gutenberg caused significant friction, and led to the ClassicPress fork. Users who want to preserve the "classic" WordPress experience without straying too far from the WordPress fold may want to look into ClassicPress.
Version 3.13 of the Python programming language has been released. The "What's New In Python 3.13" page has a summary of all the new features and changes. Highlights of the release include a basic JIT compiler, experimental support for free-threading, and much more. See the changelog for even more details.
The core of the Android operating system, as represented by the Android Open Source Project (AOSP), can only be considered one of the most successful open-source initiatives ever created; its user count is measured in the billions. But few would consider it to be a truly community-oriented project. At the 2024 Linux Plumbers Conference, Chris Simmonds asked why the AOSP community is so hard to find, and what might be done about the situation.
Version 2.47.0 of the Git source-code management system has been released. The changes include a long list of incremental improvements; see the announcement and this GitHub blog post for details.
Version 4.20 of the RPM Package Manager (RPM) has been released. Major changes in this release include a new plugin to prevent filesystem and network access by scriptlets, the BuildSystem directive for declaring the build system to be used by packaged software, and more. LWN covered the development of RPM 4.20 in September.
Akamai released a report pointing out that the recently-reported CUPS vulnerability (original disclosure) could be used to drive distributed denial-of-service (DDoS) attacks as well. Even if an attacker cannot gain remote control over a computer, they can still cause it to fetch a URL of their choice - potentially getting free DDoS amplification.