Feed lwn LWN.net

Link https://lwn.net/
Feed http://lwn.net/headlines/rss
Updated 2025-12-15 15:15
[$] May the FOLL_FORCE not be with you
One of the simplest hardening concepts to understand is that memory should never be both writable and executable, otherwise an attacker can use it to load and run arbitrary code. That rule is generally followed in Linux systems, but there is a glaring loophole that is exploitable from user space to inject code into a running process. Attackers have duly exploited it. A new effort to close the hole ran into trouble early in the merge window, but a solution may yet be found in time for the 6.11 kernel release.
Security updates for Friday
Security updates have been issued by AlmaLinux (linux-firmware and squid), Debian (bind9), Fedora (kubernetes, thunderbird, and tinyproxy), Oracle (containernetworking-plugins, cups, edk2, httpd, httpd:2.4, kernel, kernel-container, libreoffice, libuv, libvirt, python3, and runc), Red Hat (freeradius:3.0, httpd, and squid), and SUSE (giflib and python-dnspython).
[$] What became of getrandom() in the vDSO
In the previous episode of the vgetrandom() story, Jason Donenfeld had put together a version of the getrandom() system call that ran in user space, significantly improving performance for applications that need a lot of random data while retaining all of the guarantees provided by the system call. At that time, it seemed that a consensus had built around the implementation and that it was headed toward the mainline in that form. A few milliseconds after that article was posted, though, a Linus-Torvalds-shaped obstacle appeared in its path. That obstacle has been overcome and this work has now been merged for the 6.11 kernel, but its form has changed somewhat.
[$] More informative kernel panics for Fedora
On July 12, Jocelyn Falempe proposed a change to the configuration options that Fedora sets for its kernels, in order to make kernel panics easier to report. Falempe would like to enable the kernel's recently added DRM-panic feature, which adds a graphical crash screen that is reminiscent of the infamous Windows "blue screen of death" for kernel panics. The feature introduces a few tradeoffs, including currently limited driver support, so the proposal spawned a good deal of discussion.
Rust 1.80.0 released
Version 1.80.0 of the Rust language has been released. Changes include the new LazyCell and LazyLock types (which delay data initialization until the first access), the stabilization of the exclusive-range syntax for match patterns, and more.
Three new stable kernels
The 6.9.11, 6.6.42, and 6.1.101 stable kernels have been released. As usual, they contain important fixes throughout the tree.
Security updates for Thursday
Security updates have been issued by AlmaLinux (containernetworking-plugins, cups, edk2, httpd, httpd:2.4, libreoffice, libuv, libvirt, python3, and runc), Fedora (exim, python-zipp, xdg-desktop-portal-hyprland, and xmedcon), Red Hat (cups, fence-agents, freeradius, freeradius:3.0, httpd:2.4, kernel, kernel-rt, nodejs:18, podman, and resource-agents), Slackware (htdig and libxml2), SUSE (exim), and Ubuntu (ocsinventory-server, php-cas, and poppler).
Linux Mint 22 "Wilma" released
Linux Mint has announced version 22 of the distribution in three editions: Cinnamon, MATE, and Xfce. Mint 22 is based on Ubuntu 24.04 and uses kernel version 6.8.0:
[$] LWN.net Weekly Edition for July 25, 2024
The LWN.net Weekly Edition for July 25, 2024 is available.
Stable kernel update 6.10.1
Greg Kroah-Hartman has released the 6.10.1 stable kernel update. This release contains a small number of seemingly urgent regression fixes. Users of this kernel series are advised to upgrade.
OpenMandriva ROME 24.07 released
Updated installation images for the OpenMandriva ROME rolling release Linux distribution are now available. Notable features in the 24.07 snapshot include KDE Plasma 6 as the default desktop, the addition of Proton and Proton experimental packages for playing Windows games on Linux, as well as GNOME 46.3 and LXQt 2.0.0 spins.
OpenSSL announces new governance structure
OpenSSL has announced that it has adopted a new governance framework:
[$] Large folios, swap, and FS-Cache
David Howells wanted to discuss swap handling in light of multi-page folios in a combined storage, filesystem, and memory-management session at the 2024 Linux Storage, Filesystem, Memory Management, and BPF Summit. Swapping has always been done with a one-to-one mapping of memory pages to swap slots, he said, but swapping multi-page folios breaks that assumption. He wondered if it would make sense to use filesystem techniques to track swapped-out folios.
[$] Lessons from the death and rebirth of Thunderbird
Ryan Sipes told the audience during his keynote at GUADEC 2024 in Denver, Colorado that the Thunderbird mail client "probably shouldn't still be alive". Thunderbird, however, is not only alive - it is arguably in better shape than ever before. According to Sipes, the project's turnaround is a result of governance, storytelling, and learning to be comfortable asking users for money. He would also like it quite a bit if Linux distributions stopped turning off telemetry.
Let's Encrypt plans to drop support for OCSP
Let's Encrypt has announced that it intends to end support "as soon as possible" for the Online Certificate Status Protocol (OCSP) over privacy concerns. OCSP was developed as a lighter-weight alternative to Certificate Revocation Lists (CRLs) that did not involve downloading the entire CRL in order to check whether a certificate was valid. Let's Encrypt will continue supporting OCSP as long as it is a requirement for Microsoft's Trusted Root Program, but hopes to discontinue it soon:
Security updates for Wednesday
Security updates have been issued by Fedora (ghostscript and xmedcon), Gentoo (Dmidecode, ExifTool, and Freenet), Red Hat (containernetworking-plugins, cups, edk2, httpd, httpd:2.4, kernel, kernel-rt, krb5, libreoffice, libuv, libvirt, linux-firmware, nghttp2, nodejs, openssh, python3, runc, thunderbird, and tpm2-tss), Slackware (aaa_glibc, bind, and mozilla), SUSE (postgresql14, python-sentry-sdk, and shadow), and Ubuntu (activemq, bind9, haproxy, nova, provd, python-zipp, squid, squid3, and tomcat).
[$] Imitation, not artificial, intelligence
Simon Willison, co-creator of the popular Django web framework for Python, gave a keynote presentation at PyCon 2024 on a topic that is unrelated to that work: large language models (LLMs). The topic grew out of some other work that he is doing on Datasette, which is a Python-based "tool for exploring and publishing data". The talk was a look beyond the hype to try to discover what useful things you can actually do today using these models. Unsurprisingly, there were some cautionary notes from Willison, as well.
Improvements to the PSF Grants program
The Python Software Foundation (PSF) board has announced improvements to its grants program that have been enacted as a response to "concerns and frustrations" with the program:
Zuckerberg: Open Source AI Is the Path Forward
Mark Zuckerberg has posted an article announcing some new releases of the Llama large language model and going on at length about why open-source models are important:
[$] A look inside the BPF verifier
LWN has covered BPF since its initial introduction to Linux, usually through the lens of the newest developments; this can make it hard to view the whole picture. BPF provides a way to extend a running kernel, without having to recompile and reboot. It does this in a safe way, so that malicious BPF programs cannot crash a running kernel, thanks to the BPF verifier. So how does the verifier actually work, what are its limits, and how has it changed since the early days of BPF?
GNU C Library 2.40 released
Version 2.40 of the GNU C Library has been released. Changes include partial support for the ISO C23 standard, a new tunable for the testing of setuid programs, improved 64-bit Arm vector support, and a handful of security fixes. See the release notes for details.
Security updates for Tuesday
Security updates have been issued by Fedora (gtk3 and jpegxl), Red Hat (kpatch-patch and thunderbird), SUSE (apache2, git, gnome-shell, java-11-openjdk, java-21-openjdk, kernel, kernel-firmware, kernel-firmware-nvidia-gspx-G06, libgit2, mozilla-nss, nodejs20, python-Django, and python312), and Ubuntu (linux-aws, linux-aws, linux-aws-5.4, linux-iot, linux-aws-5.15, pymongo, and ruby-rack).
[$] "Opt-in" metrics planned for Fedora Workstation 42
Red Hat, through members of the Fedora Workstation Working Group, has taken another swing at persuading the Fedora Project to allow metrics related to the real-world use of the Workstation edition to be collected. The first proposal, aimed for Fedora 40, was withdrawn to be reworked based on feedback. This time around, the proponents have shifted from asking for opt-out telemetry to opt-in metrics, with more detail about what would be collected and the policies that would govern data collection. The change seems to be on its way to approval by the Fedora Engineering Steering Council (FESCo) and is set to take effect for Fedora 42.
Security updates for Monday
Security updates have been issued by Fedora (botan2, chromium, ffmpeg, fluent-bit, gtk3, httpd, suricata, tcpreplay, and thunderbird), Mageia (apache, chromium-browser-stable, libfm & libfm-qt, and thunderbird), Oracle (firefox, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-21-openjdk, kernel, libndp, qt5-qtbase, ruby, skopeo, thunderbird, and virt:ol and virt-devel:rhel), Red Hat (containernetworking-plugins, firefox, libndp, qt5-qtbase, and thunderbird), SUSE (caddy, chromium, emacs, global, mockito, snakeyaml, testng, and opera), and Ubuntu (thunderbird).
NGI project may lose funding
The Next Generation Internet (NGI) project, an initiative of the EU's European Commission (EC), provides funding in the form of grants for a wide variety of open-source software, including Redox, Briar, SourceHut, and many more. But the NGI project is not among those that would be funded under the current draft budget for 2025, as The Register reports. More than 60 organizations have signed on to an open letter asking the EC to reconsider:
[$] A new major version of NumPy
The NumPy project released version 2.0.0 on June 16, the first major release of the widely used Python-based numeric-computing library since 2006. The release has been planned for some time, as an opportunity to clean up NumPy's API. As with most NumPy updates, there are performance improvements to several individual functions. There are only a few new features, but several backward-incompatible changes, including a change to NumPy's numeric-promotion rules. Changes to the Python API require relatively minor changes to Python code using the library, but the changes to the C API may be more difficult to adapt to. In both cases, the official migration guide describes what needs to be adapted to the new version.
[$] Restricting execution of scripts — the third approach
The kernel will not consent to execute just any file that happens to be sitting in a filesystem; there are formalities, such as the checking of execute permission and consulting security policies, to get through first. On some systems, security policies have been established to limit execution to specifically approved programs. But there are files that are not executed directly by the kernel; these include scripts fed to language interpreters like Python, Perl, or a shell. An attacker who is able to get an interpreter to execute a file may be able to bypass a system's security policies. Mickael Salaun has been working on closing this hole for years; the latest attempt takes the form of a new flag to the execveat() system call.
Security updates for Friday
Security updates have been issued by AlmaLinux (firefox, java-1.8.0-openjdk, java-17-openjdk, java-21-openjdk, libndp, openssh, qt5-qtbase, ruby, skopeo, and thunderbird), Debian (thunderbird), Fedora (dotnet6.0, httpd, python-django, python-django4.2, qt6-qtbase, rapidjson, and ruby), Red Hat (389-ds-base, firefox, java-1.8.0-openjdk, java-11-openjdk, libndp, qt5-qtbase, and thunderbird), Slackware (httpd), SUSE (apache2, chromium, and kernel), and Ubuntu (apache2, linux-aws, linux-azure-fde, linux-azure-fde-5.15, linux-hwe-5.15, linux-aws-6.5, linux-lowlatency-hwe-6.5, linux-oracle-6.5, linux-starfive-6.5, and linux-raspi, linux-raspi-5.4).
Peter de Schrijver RIP
The sad news that Peter de Schrijver has passed away has just reached us. An obituary in Dutch relates that he passed in a Helsinki hospital on July 12. Mind Software Consulting, which he founded, has a message of condolences as well. De Schrijver was a Debian Developer and a Linux kernel contributor; he will be missed.
Evolving the ASF Brand (Apache Software Foundation blog)
The Apache Software Foundation (ASF) has announced that it will be changing its logo to remove the feather that has been part of its brand since 1997. ASF members will have input on the rebranding process and be able to vote on the new logo, which will be unveiled at the Community Over Code conference in October.
A bunch of new stable kernels
Greg Kroah-Hartman has released seven new stable kernels: 6.9.10, 6.6.41, 6.1.100, 5.15.163, 5.10.222, 5.4.280, and 4.19.318. As usual, each contains important fixes throughout the kernel tree.
[$] Filesystem testing for stable kernels
Leah Rumancik led a filesystem-track session at the 2024 Linux Storage, Filesystem, Memory Management, and BPF Summit on the testing needed to qualify XFS patches for the stable kernels. At last year's summit, Rumancik, Amir Goldstein, and Chandan Babu Rajendra presented on their efforts to test and backport fixes for the XFS filesystem to three separate stable kernels. There has been some longstanding unhappiness in the XFS-development community with the stable-kernel process, which led to backports ceasing for that filesystem until Goldstein started working on XFS testing for the stable trees a few years ago. In this year's session, Rumancik updated attendees on how things had gone over the last year and wanted to discuss some remaining pain points for the process.
[$] The first half of the 6.11 merge window
The merge window for the 6.11 kernel release opened on July 14; as of this writing, 4,072 non-merge changesets have been pulled into the mainline repository since then. This merge window, in other words, is just now beginning. Still, there has been enough time for a number of interesting changes to land for the next kernel release; read on for a summary of what has been merged so far.
Security updates for Thursday
Security updates have been issued by Debian (chromium), Fedora (freeradius), Red Hat (firefox, java-1.8.0-openjdk, and java-17-openjdk), Slackware (openssl), SUSE (ghostscript, gnutls, podman, and python-Django), and Ubuntu (linux-hwe-6.5, linux-ibm-5.15, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-oracle-5.15, linux-oracle, linux-xilinx-zynqmp, and stunnel).
[$] LWN.net Weekly Edition for July 18, 2024
The LWN.net Weekly Edition for July 18, 2024 is available.
Blender 4.2 LTS released
Version 4.2 LTS of the Blender open-source 3D creation suite has been released. Major improvements include a rewrite of the EEVEE render engine, faster rendering, and much more. See the showcase reel for examples of work created by the Blender community with this release. See the text release notes for even more about 4.2 LTS, which will be maintained until July 2026.
[$] Changing the filesystem-maintenance model
Maintenance of the kernel is a difficult, often thankless, task; how it is being handled, the role of maintainers, burnout, and so on are recurring topics at kernel-related conferences. At the 2024 Linux Storage, Filesystem, Memory Management, and BPF Summit, Josef Bacik and Christian Brauner led a session to discuss possible changes to the way filesystems are maintained, though Bacik took the lead role (and the podium). There are a number of interrelated topics, including merging new filesystems, removing old ones, making and testing changes throughout the filesystem tree, and more.
digiKam 8.4.0 released
Version 8.4.0 of the digiKam photo editing and management application has been released. This release includes an update of the LibRaw RAW decoder which brings support for many new cameras, a new version of the LensFun toolkit, a feature for automatic translation of image tags, GMIC-Qt 3.4.0, and many bug fixes. See the announcement for full details.
Silva: How to use the new counted_by attribute in C (and Linux)
Gustavo A. R. Silva describes the path to safer flexible arrays in the kernel, thanks to the counted_by attribute supported by Clang 18 and GCC 15.
Security updates for Wednesday
Security updates have been issued by Debian (kernel), Fedora (golang and krb5), Red Hat (cups, firefox, git, java-21-openjdk, kernel, linux-firmware, nghttp2, nodejs, and podman), SUSE (libndp, nodejs18, nodejs20, tomcat, and xen), and Ubuntu (gtk+2.0, gtk+3.0 and linux-hwe-5.4, linux-oracle-5.4).
[$] SUSE asks openSUSE to consider name change
SUSE has, in a somewhat clumsy fashion, asked openSUSE to consider rebranding to clear up confusion over the relationship between SUSE the company and openSUSE as a community project. That, in turn, has opened conversations about revising openSUSE governance and more. So far, there is no concrete proposal to consider, no timeline, or even a process for the community and company to follow to make any decisions.
[$] Hierarchical storage management, fanotify, FUSE, and more
Amir Goldstein led a filesystem-track session at the 2024 Linux Storage, Filesystem, Memory Management, and BPF Summit on his project to build a hierarchical storage management (HSM) system using fanotify. The idea is to monitor file access in order to determine when to retrieve content from non-local storage (e.g. the cloud). The session was a follow-up to last year's introduction to the project, which covered some of the problems he had encountered; this year, he was updating attendees on its status and progress, along with some other problem areas that he wanted to discuss.
Redox to implement POSIX signals in user space
Redox has received a grant to work on implementing POSIX-compatible signals. The draft design calls for them to be implemented nearly completely in user space.
Security updates for Tuesday
Security updates have been issued by Debian (kernel), Fedora (erlang-jose, mingw-python-certifi, and yt-dlp), Mageia (firefox, nss, libreoffice, sendmail, and tomcat), Red Hat (firefox, ghostscript, git-lfs, kernel, kernel-rt, ruby, and skopeo), SUSE (Botan, cockpit, kernel, nodejs18, p7zip, python3, and tomcat), and Ubuntu (ghostscript, linux, linux-azure, linux-azure-5.15, linux-gcp, linux-gke, linux-gkeop, linux-gkeop-5.15, linux-ibm, linux-intel-iotg, linux-intel-iotg-5.15, linux-kvm, linux-nvidia, linux-oracle, linux-azure-6.5, linux-gcp-6.5, and linux-gke, linux-nvidia).
[$] A hash table by any other name
On June 25, Matthew Wilcox posted a second version of a patch set introducing a new data structure called rosebush, which "is a resizing, scalable, cache-aware, RCU optimised hash table." The kernel already has generic hash tables, though, including rhashtable. Wilcox believes that the design of rhashtable is not the best choice for performance, and has written rosebush as an alternative for use in the directory-entry cache (dcache) - the filesystem cache used to speed up file-name lookup.
[$] Development statistics for the 6.10 kernel
The 6.10 kernel was released on July 14 after a nine-week development cycle. This time around, 13,312 non-merge changesets were pulled into the mainline repository - the lowest changeset count since 5.17 in early 2022. Longstanding tradition says that it is time for LWN to gather some statistics on where the new code for 6.10 came from and how it got to the mainline; read on for the details.
Stable kernels 6.6.40 and 6.1.99
Greg Kroah-Hartman has released the 6.6.40 and 6.1.99 stable kernels. Both contain a fix for the USB subsystem; anyone who uses those kernel series and "the XHCI USB host controller driver (i.e. USB 3) must upgrade".
Security updates for Monday
Security updates have been issued by Fedora (cups, krb5, pgadmin4, python3.6, and yarnpkg), Mageia (freeradius, kernel, kmod-xtables-addons, kmod-virtualbox, and dwarves, kernel-linus, and squid), Red Hat (ghostscript, kernel, and less), SUSE (avahi, c-ares, cairo, cups, fdo-client, gdk-pixbuf, git, libarchive, openvswitch3, podman, polkit, python-black, python-Jinja2, python-urllib3, skopeo, squashfs, tiff, traceroute, and wget), and Ubuntu (linux, linux-azure, linux-azure-5.4, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-gkeop, linux-ibm, linux-ibm-5.4, linux-kvm).
The 6.10 kernel has been released
Linus has released the 6.10 kernel.
GNOME Foundation Announces Transition of Executive Director
The GNOME Foundation has announced that executive director Holly Million is stepping down at the end of July, and will be replaced by Richard Littauer as interim executive director: