Feed lwn LWN.net

Link https://lwn.net/
Feed http://lwn.net/headlines/rss
Updated 2025-11-08 18:45
Types Team Update and Roadmap (Rust Blog)
The Rust Blog is carrying an update on what the Rust Types Team has been up to and its near-future plans.
Security updates for Wednesday
Security updates have been issued by AlmaLinux (git, python3.11, and python3.9), Debian (chromium, emacs, git, linux-5.10, and org-mode), Fedora (libopenmpt, nginx-mod-modsecurity, and thunderbird), Mageia (emacs, python-ansible-core, and python-authlib), Oracle (git, python3.11, and python3.9), Red Hat (kernel, kernel-rt, and samba), and Ubuntu (ansible, cups, google-guest-agent, google-osconfig-agent, libheif, openvpn, roundcube, and salt).
[$] Programming in Unison
Unison is a MIT-licensed programming language, in development since 2013, that explores the ramifications of making code immutable and stored in a database, instead of a set of text files. Unison supports a greatly simplified model for distributed programming - one that describes the configuration of and communication between programs in the same language as the programs themselves. Along the way, it introduces a new approach to interfacing with programming languages, which is tailored to its design.
Darktable 4.8.0 released
Version 4.8.0 of the darktable photo editor has been released. Changes include performance improvements for large collections, addition of more EXIF fields in the image information module, and two new modules for image composition: Enlarge Canvas and Overlay. Enlarge Canvas allows adding areas to an image, while Overlay allows adding new content by overlaying pixels from the current image or another image. LWN last looked at darktable in 2022. Users are "strongly advised" to make a backup of their configuration and library before upgrading, as they will not be compatible with darktable 4.6.
[$] Making containers bootable for fun and profit
Dan Walsh, Stef Walter, and Colin Walters all walk into a presentation and Walter asks, "why would you want to boot your containers?" This isn't the setup for some technology joke, this is part of the trio's keynote at DevConf.cz in Brno, Czech Republic on June 14 about bootable containers (bootc). The talk, which was streamed to YouTube for those of us who didn't attend DevConf.cz in person, provided a solid overview of bootc and the problems it is intended to solve. The idea behind bootc is to make creating operating-system images just as easy as creating application-container images while using the same tools.
RIP Daniel Bristot de Oliveira
We have just received the sad news of the passing of Daniel Bristot de Oliveira at far too young an age. He was a strong contributor to the core kernel and associated realtime infrastructure, and always a joyful presence in person; he will be deeply missed.
Not all "open source" AI models are actually open (Nature)
Nature looks at a recent paper on the openness of "open-source" language models.
Security updates for Tuesday
Security updates have been issued by AlmaLinux (python3.11), Debian (composer), Fedora (thunderbird), Mageia (chromium-browser-stable, python-aiohttp, python-gunicorn, python-werkzeug, and virtualbox), Oracle (libreswan and python3.11), Red Hat (git, kpatch-patch, python3.11, python3.9, and thunderbird), and SUSE (avahi, ghostscript, grafana and mybatis, hdf5, kernel, openssl-1_1-livepatches, python-docker, and wget).
Min: sched_ext: scheduler architecture and interfaces
Changwoo Min has posted an introduction to writing custom schedulers with sched_ext.
[$] The GhostBSD in the machine
GhostBSD is a desktop-oriented operating system based on FreeBSD and the MATE Desktop Environment. The goal of the project is to lower the barrier to entry of using FreeBSD on a desktop or laptop system, and it largely succeeds at this. While it has a few rough edges that make it hard to recommend for the average desktop user, it is a fine choice for users who want a desktop with FreeBSD underpinnings such as the Z File System (ZFS), and the Ports (source) and Packages (binary) software collections.
Security updates for Monday
Security updates have been issued by AlmaLinux (ipa and libreswan), Debian (netty), Fedora (python-PyMySQL, tomcat, and webkitgtk), Gentoo (Flatpak, GLib, JHead, LZ4, and RDoc), Mageia (thunderbird), Oracle (nghttp2 and thunderbird), Red Hat (dnsmasq, libreswan, pki-core, and python3.11), Slackware (emacs), SUSE (gnome-settings-daemon, libarchive, qpdf, vte, and wget), and Ubuntu (libhibernate3-java).
Emacs 29.4 released
Version 29.4 of the Emacs editor has been released. This is "an emergency bugfix release" fixing a vulnerability that can cause the editor to execute arbitrary shell code in Org mode. Anybody who runs Emacs on untrusted files - including those using Gnus or one of the Emacs mail modes - should be looking to update. For those who cannot update, a pair of messages from Russ Allbery and Florian Weimer investigates how to disable the Org-mode evaluation, a task that is seemingly more complicated than it should be.
Kernel prepatch 6.10-rc5
The 6.10-rc5 kernel prepatch is out for testing. "So far, the 6.10 release cycle has been fairly calm, and rc5 continues that trend. Let's hope things stay that way."
Larry Finger RIP
The linux-wireless mailing list carries the terse notice that longtime networking developer Larry Finger passed away on June 21. The LWN Kernel Source Database shows that Finger contributed to 94 releases in the (Git era) kernel history, starting with 2.6.16 - 1,464 commits in total. He will be missed.
[$] Rust for filesystems
At the 2024 Linux Storage, Filesystem, Memory Management, and BPF Summit, Wedson Almeida Filho and Kent Overstreet led a combined storage and filesystem session on using Rust for Linux filesystems. Back in December 2023, Almeida had posted an RFC patch set with some Rust abstractions for filesystems, which resulted in some disagreement over the approach. On the same mid-May day as the session, he posted a second version of the RFC patches, which he wanted to discuss along with other Rust-related topics.
Four Friday stable kernel updates
The 6.9.6, 6.6.35, 6.1.95, and 5.10.220 stable kernels have all been released; as usual, users are advised to update immediately.
Security updates for Friday
Security updates have been issued by AlmaLinux (firefox, ghostscript, idm:DL1, and thunderbird), Debian (php8.2 and putty), Mageia (chromium-browser-stable), Oracle (ghostscript and thunderbird), Red Hat (thunderbird), and SUSE (containerd, kernel, php-composer2, podofo, python-cryptography, and rmt-server).
Tor Browser 13.5 released
Version 13.5 of the privacy-focused Tor browser has been released.
[$] A capability set for user namespaces
User namespaces in Linux create an environment in which all privileges are granted, but their effect is contained within the namespace; they have become an important tool for the implementation of containers. They have also become a significant source of worries for people who do not like the increased attack surface they create for the kernel. Various attempts have been made to restrict that attack surface over the years; the latest is user namespace capabilities, posted by Jonathan Calmels.
[$] Updates to pahole
Arnaldo Carvalho de Melo spoke at the 2024 Linux Storage, Filesystem, Memory Management, and BPF Summit about his work on Poke-a-hole (pahole), a program that has expanded greatly over the years, but which was relevant to the BPF track because it produces BPF Type Format (BTF) information from DWARF debugging information. He covered some small changes to the program, and then went into detail about the new support for data-type profiling. His slides include several examples.
Security updates for Thursday
Security updates have been issued by AlmaLinux (ghostscript and thunderbird), Debian (chromium, composer, libndp, and sendmail), Fedora (composer), Mageia (flatpak and python-scikit-learn), Red Hat (curl, ghostscript, and thunderbird), SUSE (hdf5 and opencc), and Ubuntu (gdb and php7.4, php8.1, php8.2, php8.3).
[$] LWN.net Weekly Edition for June 20, 2024
The LWN.net Weekly Edition for June 20, 2024 is available.
[$] How free software hijacked Philip Hazel's life
Philip Hazel was 51 when he began the Exim message transfer agent (MTA) project in 1995, which led to the Perl-Compatible Regular Expressions (PCRE) project in 1998. At 80, he's maintained PCRE, and its successor PCRE2, for more than 27 years. For those doing the math, that's a year longer than LWN has been in publication. Exim maintenance was handed off around the time of his retirement in 2007. Now, he is ready to hand off PCRE2 as well, if a successor can be found.
Mate 1.28 released
Version 1.28 of the MATE Desktop has been released.
Libgcrypt 1.11.0 released
Version 1.11.0 of Libgcrypt, a general-purpose library of cryptographic building blocks, has been released by the GnuPG project:
[$] Capturing stack traces asynchronously with BPF
Andrii Nakryiko led a session at the 2024 Linux Storage, Filesystem, Memory Management, and BPF Summit giving a look into the APIs for capturing stack traces using BPF, and how the APIs could be made more useful. BPF programs can capture the current stack trace of a running process, including the portion in the kernel during execution of a system call, which can be useful for diagnosing performance problems, among other things. But there are substantial problems with the existing API.
[$] How kernel CVE numbers are assigned
It has been four months since Greg Kroah-Hartman and MITRE announced that the Linux kernel project had become its own CVE Numbering Authority (CNA). Since then, the Linux CNA Team has developed workflows and mechanisms to help manage the various tasks associated with this challenge. There does, however, appear to be a lack of understanding among community members of the processes and rules the team have been working within. The principal aim of this article, written by a member of the Linux kernel CNA team, is to clarify how the team works and how kernel CVE numbers are assigned.
Security updates for Wednesday
Security updates have been issued by AlmaLinux (container-tools, firefox, and flatpak), Debian (composer, roundcube, and thunderbird), Fedora (kitty and webkitgtk), Oracle (container-tools and flatpak), Red Hat (flatpak and java-1.8.0-ibm), SUSE (gdcm, gdk-pixbuf, libarchive, libzypp, zypper, ntfs-3g_ntfsprogs, openssl-1_1, openssl-3, podman, python-Werkzeug, and thunderbird), and Ubuntu (git, linux-hwe-6.5, mariadb, mariadb-10.6, and thunderbird).
[$] Adding a JIT compiler to CPython
One of the big-ticket items for the upcoming Python 3.13 release is an experimental just-in-time (JIT) compiler for the language; the other is, of course, the removal of the global interpreter lock (GIL), which is also an experiment. Brandt Bucher is a member of the Faster CPython project, which is working on making the reference implementation of the language faster via a variety of techniques. Last year at PyCon, he gave a talk about the specializing adaptive interpreter; at PyCon 2024 in Pittsburgh, he described the work he and others have been doing to add a copy-and-patch JIT compiler to CPython.
[$] BPF tracing performance
On the final day of the 2024 Linux Storage, Filesystem, Memory Management, and BPF Summit, the BPF track opened with a series of sessions on improving the performance and flexibility of probes and other performance-monitoring tools, in the kernel and in user space. Jiri Olsa led two sessions about different aspects of probes: making the API for BPF programs attached to a probe more flexible, and making user-space probes more efficient.
Plasma 6.1 released
Version 6.1 of the Plasma desktop environment has been released.
Security updates for Tuesday
Security updates have been issued by Debian (php7.3), Fedora (galera, ghostscript, and mariadb), Mageia (cups, iperf, and libndp), Oracle (firefox and flatpak), Red Hat (container-tools:rhel8, Firefox, firefox, and flatpak), SUSE (booth, bouncycastle, firefox, ghostscript, less, libaom, openssl-1_1, openssl-3, podman, python-Authlib, python-requests, python-Werkzeug, webkit2gtk3, and xdg-desktop-portal), and Ubuntu (ghostscript, ruby-rack, ruby2.7, ruby3.0, ruby3.1, ruby3.2, and sssd).
[$] Static keys for BPF
The kernel has a lot of code paths that are normally disabled: debugging print statements, tracepoints, etc. To support these efficiently, there is a common mechanism called static keys that provides a way to enable or disable a code path at run time, with effectively no overhead for disabled branches. BPF programs have not been able to take advantage of static keys so far, because they aren't compiled into the kernel. Now, it looks like BPF may be getting support for a similar mechanism - and the design could also provide one of the components needed to support jump tables, another missing feature. Anton Protopopov presented his plans to add static keys to BPF at the 2024 Linux Storage, Filesystem, Memory Management, and BPF Summit.
PostmarketOS v24.06 released
PostmarketOS is an Alpine Linux derivative distribution aimed at mobile devices; the v24.06 release claims support for over 250 devices, though the level of that support varies widely. "This release is geared mainly towards Linux enthusiasts. We are working hard on stability improvements and automated testing, but if you expect Android or iOS levels of polish, then this is not for you yet." Changes include an upgrade to Alpine Linux 3.20, newer GNOME and KDE versions, and more.
[$] Nested bottom-half locking for realtime kernels
Software-interrupt handlers (also called "bottom halves") have a long history in the Linux kernel; for much of that history, developers have wished that they could go away. One of their unfortunate characteristics is that they can add unexpected latency to the execution of unrelated processes; this problem is felt especially acutely in the realtime-preemption community. The solution adopted there has created problems of its own, though; in response Sebastian Andrzej Siewior is proposing a new locking mechanism for realtime builds of the kernel that may have benefits for non-realtime users as well.
Security updates for Monday
Security updates have been issued by AlmaLinux (389-ds-base, buildah, c-ares, cockpit, containernetworking-plugins, fence-agents, gdk-pixbuf2, gvisor-tap-vsock, libreoffice, podman, python-idna, rpm-ostree, and ruby), Debian (atril, chromium, ffmpeg, libndp, libvpx, nano, plasma-workspace, pymongo, roundcube, sendmail, and thunderbird), Fedora (booth and thunderbird), Mageia (aom, atril, libvpx, nano, nss, firefox, and vte), Red Hat (linux-firmware), SUSE (bind, booth, mariadb, openssl-1_1, php7, php8, and webkit2gtk3), and Ubuntu (linux-azure, linux-azure-fde, linux-azure, linux-gke, and linux-nvidia-6.5).
Kernel prepatch 6.10-rc4
Linus has released 6.10-rc4 for testing. "Apart from a rather unusual spike in the diffstat due to a parisc fix, things look normal and pretty small."
Some weekend stable kernel updates
The 6.9.5, 6.6.34, 6.1.94, 5.15.161, 5.10.219, 5.4.278, and 4.19.316 stable kernels have all been released; each contains another set of important fixes.
Reports from the Python Language Summit
The Python Software Foundation has published a set of reports from the 2024 Python Language summit. Topics covered include version numbering, the limited C API, a new default read-eval-print loop, and Python's security model in light of the XZ backdoor:
Schaller: Fedora Workstation development update – AI edition
Christian Schaller writes about AI and GPU-related features that are in flight and planned for Fedora 41.
New Human Interface Guidelines for KDE
KDE developer Nate Graham has announced a new set of KDE Human Interface Guidelines (HIG) for the KDE project. Graham says that the goals for the new HIGs were to reflect how KDE designs software today, make the content 100% actionable, improve navigation, and to improve the guidelines so people feel comfortable contributing:
[$] Aeon: openSUSE for lazy developers
The openSUSE project recently announced the second release candidate (RC2) of its Aeon Desktop, formerly known as MicroOS Desktop GNOME. Aside from the new coat of naming paint, Aeon breaks ground in a few other ways by dabbling with technologies not found in other openSUSE releases. The goal for Aeon is to provide automated system updates using snapshots that can be applied atomically, removing the burden of system maintenance for "lazy developers" who want to focus on their work rather than desktop administration. System-tinkerers need not apply.
Driving forward in Android drivers (Project Zero)
This Project Zero article looks at the exploitation of a few Android driver bugs in great detail.
Security updates for Friday
Security updates have been issued by CentOS (389-ds-base, bind, bind-dyndb-ldap, and dhcp, firefox, glibc, ipa, less, libreoffice, and thunderbird), Debian (cups), Fedora (chromium and cyrus-imapd), Mageia (golang and poppler), Oracle (bind, bind-dyndb-ldap, and dhcp, gvisor-tap-vsock, python-idna, and ruby), Red Hat (dnsmasq and expat), SUSE (libaom, php8, podman, python-pymongo, python-scikit-learn, and tiff), and Ubuntu (h2database and vte2.91).
[$] Simplifying the BPF verifier
The BPF verifier is a complex program. This has the unfortunate effect of making it simultaneously more difficult for contributors to work on, and more likely to harbor unknown bugs. Shung-Hsi Yu had two concrete proposals for how to simplify the verifier to make it easier to maintain that he presented at the 2024 Linux Storage, Filesystem, Memory Management, and BPF Summit. Yu proposed changing how the verifier tracks partially known values and cleaning up the interface to hide the details of the value-tracker's internal representation.
[$] Improving control-flow integrity for Linux on RISC-V
Redirecting execution flow is a common malware technique that can be used to compromise operating systems. To protect from such attacks, the chip makers of leading architectures like x86 and arm64 have implemented control-flow-integrity (CFI) extensions, though they need system software support to function. At the Linux Security Summit North America, RISC-V kernel developer Deepak Gupta described the CFI protections for that architecture and invited community input on the kernel support for them.
Rust 1.79.0 released
Version 1.79.0 of the Rust language has been released. Changes this time include inline const expressions, the "associated item bounds syntax", and more.
Security updates for Thursday
Security updates have been issued by Debian (firefox-esr), Fedora (nginx-mod-modsecurity, php, and tomcat), Mageia (strongswan), Oracle (389-ds-base, buildah, c-ares, cockpit, containernetworking-plugins, fence-agents, firefox, gdk-pixbuf2, idm:DL1, ipa, kernel, libreoffice, podman, rpm-ostree, and thunderbird), Red Hat (dnsmasq and nghttp2), Slackware (mozilla), SUSE (curl, firefox, kernel, kernel-firmware-nvidia-gspx-G06, nvidia-open-driver-G06-signed, openssl-3, and python-Pillow), and Ubuntu (libmatio, libndp, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux-xilinx-zynqmp, linux-oem-6.5, and virtuoso-opensource).
[$] LWN.net Weekly Edition for June 13, 2024
The LWN.net Weekly Edition for June 13, 2024 is available.
Cockpit project releases Cockpit Files plugin
The Cockpit project has announced the first release of Cockpit Files, a plugin for Cockpit that allows file management on your server via a web browser: