Feed lwn LWN.net


Link https://lwn.net/
Feed http://lwn.net/headlines/rss
Updated 2024-11-22 22:45
Two stable kernels — and maybe a third
The 6.1.12 and 5.15.94 stable kernel updates have been released, each with the usual set of important fixes. There is also a 5.10.168 release in the works, but it ran into some snags in the review process; it can be expected shortly. Another set of updates, containing the mitigations for the just-disclosed cross-thread return-address prediction vulnerability (yet another Spectre variant that affects AMD processors), can be expected soon.
Security updates for Tuesday
Security updates have been issued by Debian (imagemagick), Fedora (xml-security-c), Red Hat (grub2), SUSE (chromium, freerdp, libbpf, and python-setuptools), and Ubuntu (fig2dev and python-django).
Linux kernel Podcast - season 2 episode 2
A new installment of the rejuvenated kernel podcast has been posted.
[$] A proposed threat model for confidential computing
The field of confidential computing is still in its infancy, to the point where it lacks a clear, agreed, and established problem description. Elena Reshetova and Andi Kleen from Intel recently started the conversation by sharing their view of a potential threat model in the form of this document, which is specific to the Intel Trust Domain Extension (TDX) on Linux, but which is intended to be applicable to other confidential-computing solutions as well. The resulting conversation showed that there is some ground to be covered to achieve a consensus on the model in the community.
Security updates for Monday
Security updates have been issued by Debian (libde265 and snort), Fedora (chromium, openssl, php-symfony4, qt5-qtbase, qt6-qtbase, tigervnc, vim, wireshark, xorg-x11-server, and xorg-x11-server-Xwayland), Slackware (gnutls), SUSE (apr-util, grafana, java-1_8_0-ibm, kernel, less, libksba, opera, postgresql12, postgresql13, postgresql14, postgresql15, python-py, webkit2gtk3, wireshark, and xrdp), and Ubuntu (nova and webkit2gtk).
Kernel prepatch 6.2-rc8
The eighth and presumably final 6.2 kernel prepatch has been released.
A GCC COBOL status report
For those who have been anxiously awaiting the release of a GCC-based compiler for the COBOL language, James K. Lowden has a status report with some good news:
[$] The extensible scheduler class
It was only a matter of time before somebody tried to bring BPF to the kernel's CPU scheduler. At the end of January, Tejun Heo posted the second revision of a 30-part patch series, co-written with David Vernet, Josh Don, and Barret Rhoden, that does just that. There are clearly interesting things that could be done by deferring scheduling decisions to a BPF program, but it may take some work to sell this idea to the development community as a whole.
Security updates for Friday
Security updates have been issued by Debian (postgresql-11 and sox), Fedora (opusfile), SUSE (bind, jasper, libapr-util1, pkgconf, tiff, and xrdp), and Ubuntu (cinder, imagemagick, less, linux, linux-aws, linux-azure, linux-azure-5.4, linux-gkeop, linux-kvm, linux-oracle, linux-raspi, linux-raspi-5.4, linux, linux-aws, linux-gcp, linux-ibm, linux-kvm, linux-lowlatency, linux-oracle, linux-raspi, linux, linux-aws, linux-gcp-4.15, linux-kvm, linux-oracle, linux-raspi2, linux, linux-azure, linux-azure-5.15, linux-gkeop, linux-hwe-5.15, linux-ibm, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-oracle, linux-oracle-5.15, linux-raspi, linux-azure, linux-azure-4.15, linux-dell300x, linux-gke, linux-oem-5.14, linux-oem-5.17, linux-oem-6.0, linux-oem-6.1, linux-snapdragon, nova, and swift).
A pair of stable kernels
The 6.1.11 and 5.15.93 stable kernel updates have been released; each contains another set of important fixes.
The future of Thunderbird
The Thunderbird email client blog has a plan for where the project is going.
[$] Free software and fiduciary duty
Serial litigant Craig Wright recently won a procedural ruling in a London court that allows a multi-billion-dollar Bitcoin-related lawsuit to proceed. This case has raised a fair amount of concern within the free-software community, where it is seen as threatening the "no warranty" language included in almost every free-software license. As it happens, this case does not actually involve that language, but it has some potentially worrisome implications anyway.
Security updates for Thursday
Security updates have been issued by Debian (chromium, libsdl2, and wireshark), Fedora (pesign, tpm2-tss, and webkitgtk), Oracle (hsqldb, krb5, libksba, tigervnc, and tigervnc and xorg-x11-server), Red Hat (openvswitch2.13, openvswitch2.15, openvswitch2.16, openvswitch2.17, rh-varnish6-varnish, tigervnc, and tigervnc and xorg-x11-server), Scientific Linux (tigervnc and xorg-x11-server), and SUSE (apache2, apache2-mod_security2, apr-util, netatalk, podman, python-swift3, rubygem-globalid, syslog-ng, and thunderbird).
[$] LWN.net Weekly Edition for February 9, 2023
The LWN.net Weekly Edition for February 9, 2023 is available.
The Atlantic Council on open-source policy
The Atlantic Council (described by Wikipedia as "an American think tank in the field of international affairs") has published a lengthy report on the problem of security in open-source software and what might be done about it.
[$] Users and Python packaging
A lot of digital ink has been expended in recounting the ongoing Python packaging saga, which is now in its fourth installment (earlier articles: landscape survey, visions and unification, and pip-conda convergence). Most of that covered conversations that took place in November and the discussion largely settled down over the holidays, but it picked up again with a packaging-strategy thread that started in early January. That thread was based on the results of a user survey about packaging that was meant to help guide the Python Packaging Authority (PyPA) and other interested developers, but the guidance provided was somewhat ambiguous—leading to lots more discussion.
Rustproofing Linux (nccgroup)
The nccgroup blog is carrying a four-part series by Domen Puncer Kugler on how vulnerabilities can make their way into device drivers written in Rust.
Security updates for Wednesday
Security updates have been issued by Debian (heimdal, openssl, shim, and xorg-server), Oracle (kernel and thunderbird), Red Hat (git, libksba, samba, and tigervnc), Scientific Linux (thunderbird), Slackware (openssl and xorg), SUSE (EternalTerminal, openssl-1_0_0, openssl-1_1, openssl-3, openssl1, polkit, and sssd), and Ubuntu (git, grunt, heimdal, openssl, openssl1.0, and xorg-server, xorg-server-hwe-18.04, xwayland).
[$] Fedora packages versus upstream Flatpaks
The Flatpak package format promises to bring "the future of apps on Linux", but a Linux distribution like Fedora already provides packages in its native format—and built to its specifications. Flatpaks that come from upstream projects may or may not follow the packaging guidelines, philosophy, and practices, so they exist in their own world, separate from the packages that come directly from Fedora. But those worlds have collided to a certain extent over the past year or two. Recently, a packager announced their plans to stop packaging the Bottles tool, used for running Windows programs in Wine-based containers on Linux, in favor of recommending that Fedora users install the upstream Flatpak.
Security updates for Tuesday
Security updates have been issued by Debian (graphite-web, openjdk-11, webkit2gtk, wpewebkit, and xorg-server), Mageia (advancecomp, apache, dojo, git, java/timezone, libtiff, libxpm, netatalk, nodejs-minimist, opusfile, python-django, python-future, python-mechanize, ruby-sinatra, sofia-sip, thunderbird, and tigervnc), Oracle (git and thunderbird), Red Hat (git, libksba, rh-git227-git, rh-nodejs14-nodejs and rh-nodejs14-nodejs-nodemon, and thunderbird), SUSE (apache2, nginx, php8-pear, redis, rubygem-activesupport-5_1, rubygem-rack, sssd, xorg-x11-server, and xwayland), and Ubuntu (tmux).
Six new stable kernels
The most recent batch of stable kernels has been released: 6.1.10, 5.15.92, 5.10.167, 5.4.231, 4.19.272, and 4.14.305. Those updates contain a relatively small number of important fixes throughout the kernel tree.
[$] A survey of free CAD systems
Computer-aided design (CAD) software is expensive to develop, which is a good reason to appreciate the existing free and open-source alternatives to some of the big names in the industry. This article takes a bird's-eye view at free and open-source software for 2D drafting and 3D parametric solid modeling, its progress over the years, as well as wins and ongoing challenges.
Security updates for Monday
Security updates have been issued by Debian (libhtml-stripscripts-perl), Fedora (binwalk, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-latest-openjdk, kernel, sudo, and syncthing), SUSE (syslog-ng), and Ubuntu (editorconfig-core, firefox, pam, and thunderbird).
Kernel prepatch 6.2-rc7
The 6.2-rc7 kernel prepatch is out for testing.
[$] Constant-time instructions and processor optimizations
Of all the attacks on cryptographic code, timing attacks may be among the most insidious. An algorithm that appears to be coded correctly, perhaps even with a formal proof of its correctness, may be undermined by information leaked as the result of data-dependent timing differences. Both Arm and Intel have introduced modes that are intended to help defend against timing attacks, but the extent to which those modes should be used in the kernel is still under discussion.
Security updates for Friday
Security updates have been issued by Fedora (chromium and vim), Slackware (openssh), and Ubuntu (lrzip and tiff).
The Document Foundation announces LibreOffice 7.5 Community
Version 7.5 of the LibreOffice Community edition is now available. LibreOffice is, of course, the FOSS desktop office suite; version 7.5 brings new features to multiple parts of the tool, including major improvements to dark mode, better PDF exports, improved bookmarks in Writer, data tables for charts in Calc, better interoperability with Microsoft Office, and lots more. Check out the release notes for further information.
Ekstrand: Exploring Rust for Vulkan drivers, part 1
Faith Ekstrand begins an exploration of using the Rust language to write Vulkan graphics drivers.
OpenSSH 9.2 released
OpenSSH 9.2 has been released. It includes a number of security fixes, including one for a pre-authentication double-free vulnerability that the project does not believe is exploitable. Other new features include support for channel-inactivity timeouts, better control over sftp protocol parameters, and more.
GNU C Library 2.37 released
Version 2.37 of the GNU C Library has been released. This looks like a relatively low-key release, with the one "major new feature" described as:
[$] Git archive generation meets Hyrum's law
On January 30, the GitHub blog carried a brief notice that the checksums of archives (such as tarballs) generated by the site had just changed. GitHub's engineers were seemingly unaware of the consequences of such a change — consequences that were immediately evident to anybody familiar with either packaging systems or Hyrum's law. Those checksums were widely depended on by build systems, which immediately broke when the change went live; the resulting impact of jawbones hitting the floor was observed by seismographs worldwide. The change has been reverted for now, but it is worth looking at how GitHub managed to casually break vast numbers of build systems — and why this sort of change will almost certainly happen again.
Security updates for Thursday
Security updates have been issued by Debian (cinder, glance, nova, openjdk-17, and python-django), Fedora (caddy, git-credential-oauth, mingw-opusfile, and pgadmin4), Slackware (apr and mozilla), and Ubuntu (apache2 and python-django).
[$] LWN.net Weekly Edition for February 2, 2023
The LWN.net Weekly Edition for February 2, 2023 is available.
Go 1.20 released
Version 1.20 of the Go language has been released.
[$] Convergence in the pip and conda worlds?
The discussions about the world of Python packaging and the problems caused by its disparate tools and incompatible ecosystems are still ongoing. Last week, we looked at the beginnings of the conversation in mid-November, as the discussion turned toward a possible convergence between two of the major package-management players: pip and conda. There are numerous barriers to bringing the two closer together, inertia not least, but the advantages for users of both, as well as new users to come, could be substantial.
TrenchBoot Anti Evil Maid for Qubes OS
The Qubes OS news site has a detailed article on work being done to ensure the integrity of the system at boot time.
Elementary OS 7 released
Version 7 of the Ubuntu-based elementary OS distribution has been released.
Three stable kernel updates
The 6.1.9, 5.15.91, and 5.10.166 stable kernel updates have been released; each contains another set of important fixes.
Security updates for Wednesday
Security updates have been issued by Debian (fig2dev and libstb), Fedora (seamonkey), SUSE (ctags, python-setuptools, samba, tmux, and xterm), and Ubuntu (advancecomp, apache2, python-django, slurm-llnl, and vim).
Cook: Bounded flexible arrays in C
Kees Cook has posted a detailed document describing the work to improve safety of flexible-length arrays in the kernel.
[$] Using low-cost wireless sensors in the unlicensed bands
When it comes to home automation, people often end up with devices supporting the Zigbee or Z-Wave protocols, but those devices are relatively expensive. When I was looking for a way to keep an eye on the temperature at home a few years ago, I bought a bunch of cheap temperature and humidity sensors emitting radio signals in the unlicensed ISM (Industrial, Scientific, and Medical) frequency bands instead. Thanks to rtl_433 and, more recently, rtl_433_ESP and OpenMQTTGateway, I was able to integrate their measurements easily into my home-automation system.
Security updates for Tuesday
Security updates have been issued by CentOS (bind, firefox, java-1.8.0-openjdk, java-11-openjdk, kernel, libXpm, pki-core, sssd, sudo, thunderbird, tigervnc, and xorg-x11-server), Debian (cinder, glance, libarchive, libhtml-stripscripts-perl, modsecurity-crs, node-moment, node-qs, nova, ruby-git, ruby-rack, and tiff), Fedora (java-17-openjdk, rust-bat, rust-cargo-c, rust-git-delta, rust-gitui, rust-pore, rust-silver, rust-tokei, and seamonkey), Oracle (libksba), Red Hat (kernel, kernel-rt, kpatch-patch, libksba, and pcs), Scientific Linux (libksba), SUSE (apache2-mod_auth_openidc, ghostscript, libarchive, nginx, python, vim, and xen), and Ubuntu (cinder, glance, linux-raspi, nova, python-future, and sudo).
Maintainer confidential: Opportunities and challenges of the ubiquitous but under-resourced Yocto Project (Linux.com)
Over at Linux.com, Yocto Project architect Richard Purdie writes about various kinds of problems that the project is experiencing, some of which stem from its success and growth. It is a story that will likely resonate with other open-source projects.
[$] The Linux SVSM project
If legacy networks are like individual homes with a few doors where a handful of people have the key, then cloud-based environments are like apartment complexes that offer both higher density and greater flexibility, but which include more key holders and potential entry points. The importance of protecting virtual machines (VMs) running in these environments — from both the host and other tenants — has become increasingly clear. The Linux Secure VM Service Module (SVSM) is a new, Rust-based, open-source project that aims to help preserve the confidentiality and integrity of VMs on AMD hardware.
Security updates for Monday
Security updates have been issued by Debian (curl, dojo, git, lemonldap-ng, libapache-session-browseable-perl, libapache-session-ldap-perl, libzen, node-object-path, openjdk-11, sofia-sip, tiff, tor, and varnish), Fedora (libgit2, open62541, pgadmin4, rubygem-git, rust-bat, rust-cargo-c, rust-git-delta, rust-gitui, rust-libgit2-sys, rust-libgit2-sys0.12, rust-pore, rust-pretty-git-prompt, rust-rd-agent, rust-rd-hashd, rust-resctl-bench, rust-resctl-demo, rust-silver, and rust-tokei), Scientific Linux (thunderbird), SUSE (ffmpeg, krb5, nginx, python39-setuptools, sssd, systemd, tiff, and virtualbox), and Ubuntu (linux-azure, linux-azure-5.4, linux-raspi2, linux-azure-fde, and mysql-5.7, mysql-8.0).
Kernel prepatch 6.2-rc6
The 6.2-rc6 kernel prepatch is out for testing.
Rust 1.67.0 released
Version 1.67.0 of the Rust language has been released. The list of new features is relatively short; it includes support for #[must_use] on async functions and a new multi-producer, single-consumer channel implementation.
[$] GFP flags and the end of __GFP_ATOMIC
Memory allocation within the kernel is a complex business. The amount of physical memory available on any given system will be strictly limited, meaning that an allocation request can often only be satisfied by taking memory from somebody else, but some of the options for reclaiming memory may not be available when a request is made. Additionally, some allocation requests have requirements dictating where that memory can be placed or how quickly the allocation must be made. The kernel's memory-allocation functions have long supported a set of "GFP flags" used to describe the requirements of each specific request. Those flags will probably undergo some changes soon as the result of this patch set posted by Mel Gorman; that provides an opportunity to look at those flags in some detail.
Security updates for Friday
Security updates have been issued by Debian (bind9, chromium, and modsecurity-apache), Fedora (libgit2, mediawiki, and redis), Oracle (go-toolset:ol8, java-1.8.0-openjdk, systemd, and thunderbird), Red Hat (java-1.8.0-openjdk and redhat-ds:12), SUSE (apache2, bluez, chromium, ffmpeg-4, glib2, haproxy, kernel, libXpm, podman, python-py, python-setuptools, samba, xen, xrdp, and xterm), and Ubuntu (samba).
[$] Reconsidering BPF ABI stability
The BPF subsystem exposes many aspects of the kernel's internal algorithms and data structures; this naturally leads to concerns about maintaining interface stability as the kernel changes. The longstanding position that BPF offers no interface-stability guarantees to user space has always seemed a little questionable; kernel developers have, in the past, found themselves having to maintain interfaces that were not intended to be stable. Now the BPF community is starting to think about what it might mean to provide explicit stability promises for at least some of its interfaces.