Many home-automation devices come with their own mobile app or cloudservice. However, using multiple apps or services isinconvenient, so it's (purposely) tempting to only buy devices from the samevendor, but this can lead to lock-in. One project that letsusers manage home-automation devices from various vendors without lock-inis Home Assistant. Over itsten-year existence, it has developed into a user-friendly home-automationplatform that caters to both technically inclined and less tech-savvypeople.
Version119.0 of the Firefox browser has been released. The list of changesincludes improvements to FirefoxView, some PDF-editing improvements, better cookie protection, encryptedclient hello support, and more.
The 2023 election for members of the Linux Foundation Technical AdvisoryBoard will be held during the upcoming LinuxPlumbers Conference. The callfor nominees has been posted.
It is probably fair to say that most Linux users spend little time thinkingabout the troff typesetting program, despite that application'sgroundbreaking role in computing history. Troff (along with nroff) isstill with us, though, even if they are called groff these days, and everynow and then they make their presence known. A recent groff change createda bit of a tempest within the Debian community, and has effectively beenreverted there. It all comes down to the question of what, exactly, is thecharacter used to mark command-line options on Unix systems?
Jeff Xu recently proposedthe addition of a new system call, named mseal(), that would allowapplications to prevent modifications to selected memory mappings. Itwould enable the hardening of user-space applications against certain typesof attacks; some other operating systems have this type of feature already.There is support for adding this type of mechanism to the Linux kernel aswell, but it has become clear that mseal() will not land in themainline in anything resembling its current form. Instead, it has becomean example of how not to do kernel development at a number of levels.
When considering the interface provided by the GNU C Library (glibc),thoughts naturally turn to the programming interface as specified by POSIX,along with numerous extensions added over the years. But glibc alsoprovides a "tunables" interface to control how the library operates; ratherthan being managed by a C API, tunables are set with theGLIBC_TUNABLES environmentvariable. Glibc tunables have been a part of a few security problemsinvolving setuid binaries, most recently the "LooneyTunables" bug disclosed at the beginning of October. The glibcdevelopers are now considering significant changes to tunable handling inthe hope of avoiding such problems in the future.
Open-source hardware (or open hardware) refers to hardware that isdeveloped in a manner similar to open-source software. There's a widelyaccepted definition of open-source hardware, but it is probably not as wellknown as its open-source-software counterpart. In addition, there is a popularcertification program that hardware makers can use to indicate which oftheir devices meets that criteria. But there are some vendors that areshowing more enthusiasm than others in participating in the process-or inproducing open hardware at all.
Security updates have been issued by Debian (slurm-wlm), Fedora (icecat and python-configobj), Oracle (dotnet6.0, kernel-container, nginx, nginx:1.20, nginx:1.22, and python3.9), Red Hat (bind9.16, curl, dotnet6.0, kernel-rt, kpatch-patch, nghttp2, nodejs, python-reportlab, and virt:rhel), Slackware (util), SUSE (buildah, conmon, erlang, glibc, kernel, nghttp2, opensc, python-urllib3, samba, slurm, and suse-module-tools), and Ubuntu (frr, linux-azure, and pmix).
The Linux kernel has supported restartablesequences (sometimes referred to as "RSEQ") since 2018, but it remainsa bit of a niche feature, mostly useful to performance-oriented developerswho do not mind writing assembly code. According to Mathieu Desnoyers, the developerbehind the kernel's implementation of restartable sequences, this featurecan be applicable to a much wider range of performance-sensitive code withproper library support. He came to the 2023 GNU Tools Cauldron topresent the case for use of restartable sequences within the GNU C Library(glibc).
Security updates have been issued by Debian (axis, nghttp2, node-babel7, and tomcat9), Fedora (curl and ghostscript), Oracle (bind, kernel-container, mariadb:10.5, and python3.11), Red Hat (.NET 7.0, go-toolset, golang, and go-toolset:rhel8), SUSE (kernel, libcue, libxml2, python-Django, and python-gevent), and Ubuntu (curl, ghostscript, iperf3, libcue, python2.7, quagga, and samba).
OpenBSD 7.4 is out. Changes include a new kqueue1() system callthat allows close-on-exec behavior, support for better arm64 control-flowintegrity, support for TCP segmentation offloading, and much more.
Following up from last year's first Image-BasedLinux Summit), a second meeting was held in Berlin on September 12th,2023, the day before All Systems Go!2023, at the Microsoft office. The goal of these summits is to findcommon ground among stakeholders from various engineering groups around thetopic of image-based Linux distributions, communicate progress, and attemptto build a strategy to tackle shared problems together. The organizers -Luca Boccassi, Lennart Poettering, and Christian Brauner - welcomedparticipants from the UAPI Group,which draws developers from a long list of companies with an interest inthis area, and spent the full day discussing a variety of topics. Fullminutes have been published on the UAPI Group's web site.
Security updates have been issued by Debian (batik, poppler, and tomcat9), Fedora (chromium, composer, curl, emacs, ghostscript, libwebp, libXpm, netatalk, nghttp2, python-asgiref, python-django, and webkitgtk), Mageia (curl and libX11), Oracle (bind, busybox, firefox, and kernel), Red Hat (curl, dotnet6.0, dotnet7.0, and nginx), SUSE (chromium, cni, cni-plugins, grub2, netatalk, opensc, opera, and wireshark), and Ubuntu (iperf3).
The 6.6-rc6 kernel prepatch is out fortesting. "So the previous week has been pretty calm, and a lot of thediscussion has been about future changes as so often happens late in therelease cycle."
The primary job of a compiler is to translate source code into a binaryform that can be run by a computer. Increasingly, though, developers wantmore from their tools, compilers included. Since the compiler mustunderstand the code it is being asked to translate, it is in a goodposition to provide information about how that code will execute - andwhere things might go wrong. At the 2023 GNU Tools Cauldron,David Malcolm talked about recent work to improve the diagnostic outputfrom the GCC compiler.
Version23.10 of the Ubuntu distribution is out. Changes include support forhardware-backed full-disk encryption, tighter control over user namespaces,a new App Center application, and more.
Version23.05.0 of the OpenWrt distribution has been released: "OpenWrt23.05 supports over 1790 devices. Support for over 200 new devices wasadded in addition to the device support by OpenWrt 22.03". Along withnew device support, this release features a switch to the mbedtlscryptographic library, the ability to include utilities written in Rust, anupdated toolchain, and more.
Security updates have been issued by Debian (chromium, tomcat9, and webkit2gtk), Fedora (cacti, cacti-spine, grafana-pcp, libcue, mbedtls, samba, and vim), Oracle (kernel, libvpx, and thunderbird), Red Hat (bind and galera, mariadb), SUSE (exiv2, go1.20, go1.21, and kernel), and Ubuntu (ffmpeg).
The Civil Infrastructure Platform project has announcedthat it will be maintaining the 6.1 kernel for a minimum of ten years pastits initial release (and, thus, through 2032).
Programs running in the BPF machine can, depending on how they areattached, perform a number of privileged operations; the ability to loadand run those programs, thus, must be a privileged operation in its ownright. Almost since the beginning of the extended-BPF era, developers havestruggled to find a way to allow users to run the programs they needwithout giving away more privilege than is necessary. Earlier this year,the idea of a BPF token ran into someopposition from security-oriented developers. Andrii Nakryiko has sincereturned with anupdated patch set that significantly increases the granularity of theprivileges that can be conferred with a BPF token.
While the vulnerability itself is pretty run-of-the-mill, the recently disclosedGNOME vulnerability has a number of interesting facets. The problem liesin a library that reads files in a fairly obscure format, but it turns outthat files in that format are routinely-automatically-processed by GNOME ifthey are downloaded to the local system. That turns a vulnerability in alargely unknown library into a one-click remote-code-execution flaw forthe GNOME desktop.
Version8.4.0 of the curl data-transfer tool has been released, mostly inresponse to a relatively severe security vulnerability that can betriggered when a SOCKS5 proxy server is in use. See thisblog post for details on what went wrong. "In hindsight, shipping aheap overflow in code installed in over twenty billion instances is not anexperience I would recommend."
Security updates have been issued by Debian (curl, mediawiki, tomcat10, and tomcat9), Fedora (libcaca, oneVPL, oneVPL-intel-gpu, and tracker-miners), Gentoo (curl), Mageia (cups and firefox, thunderbird), Red Hat (curl, kernel, kernel-rt, kpatch-patch, libqb, libssh2, linux-firmware, python-reportlab, tar, and the virt:rhel module), Slackware (curl, libcue, libnotify, nghttp2, and samba), SUSE (conmon, curl, glibc, kernel, php-composer2, python-reportlab, samba, and shadow), and Ubuntu (curl, dotnet6, dotnet7, firefox, libx11, samba, tiff, and webkit2gtk).
The6.5.7,6.1.57,5.15.135,5.10.198,5.4.258,4.19.296, and4.14.327stable kernel updates have all been released; each contains another set ofimportant fixes.
Back at the end of July, the Python steering council announcedits intention to approve the proposal to make the global interpreter lock(GIL) optional over the next few Python releases. The details of thatacceptance are still being decided on, but work on the feature isproceeding-in discussion form at least. Beyond that, though, there areefforts underway to solve that hardest of problems in computerscience, naming, for the no-GIL version.
The GitHub blog describesa vulnerability in the libcue library (which is used by the GNOMEdesktop) that can be exploited by a remote attacker to run code on adesktop system if the target can be convinced to click on a malicious link.
Security updates have been issued by Fedora (chromium, firefox, and kernel), Gentoo (less and libcue), Red Hat (bind, libvpx, nodejs, and python3), Scientific Linux (firefox and thunderbird), SUSE (conmon, go1.20, go1.21, shadow, and thunderbird), and Ubuntu (libcue, ring, and ruby-kramdown).
The Linux Containers project hasannouncedthe release version0.1 of the Incus system container andvirtual-machine manager, which is a community-led fork of Canonical's LXD. Incus 0.1 "is roughlyequivalent to LXD 5.18 but with a number of breaking changes on top of theobvious rename". There have been some changes made in the two monthssince the fork:
One of the significant features added to the mainline kernel during the 6.6merge window was multi-grain timestamps, which allow the kernel toselectively store file modification times with higher resolution withouthurting performance. Unfortunately, this feature also caused somesurprising regressions, and was quickly ushered back out of the kernel as aresult. It is instructive to look at how this feature went wrong, and howthe developers involved plan to move forward from here.
Red Hat has announcedthat its longstanding "rhsa-announce" mailing list will be shut down onOctober10. That is the list that receives security advisories forRed Hat Enterprise Linux and a whole slew of related products. Anybody whowas counting on that list for Red Hat security advisories will need to findan alternative; a few options are listed in the announcement.
The latest round of stable kernels, 6.5.6,6.1.56, and 5.15.134, have been released. Each contains afairly large collection of important fixes throughout the kernel tree.
On its surface, the BPF virtual machine resembles many other computerarchitectures; it has registers and instructions to perform the usualoperations. But there is a key difference: BPF programs must pass thekernel's verifier before they can be run. The verifier imposes a long listof additional restrictions so that it can prove to itself that any givenprogram is safe to run; getting past those checks can be a source offrustration for BPF developers. At the 2023 GNU Tools Cauldron,Jose Marchesi looked at the problem of compiling for verified architecturesand how the compiler can generate code that will pass verification.
Security updates have been issued by Debian (grub2, libvpx, libx11, libxpm, and qemu), Fedora (firefox, matrix-synapse, tacacs, thunderbird, and xrdp), Oracle (glibc), Red Hat (bind, bind9.16, firefox, frr, ghostscript, glibc, ImageMagick, libeconf, python3.11, python3.9, and thunderbird), Scientific Linux (ImageMagick), SUSE (kernel, libX11, and tomcat), and Ubuntu (linux-hwe-5.15, linux-oracle-5.15).
Hardening the Linux kernel is an endless task, with work required onmultiple fronts. Sometimes, that work is not done in the kernel itself;other tools, including compilers, can have a significant role to play. At the 2023 GNU ToolsCauldron, Qing Zhao covered some of the work that has been done in theGCC compiler to help with the hardening of the kernel - along with workthat still needs to be done.
LWN.net