The Asahi Linux project, which is working to create a Linux distribution for Apple hardware, has announced that its new "flagship" distribution will be based on Fedora Linux.
Security updates have been issued by Debian (bouncycastle), Fedora (firefox), Red Hat (cjose, curl, iperf3, kernel, kernel-rt, kpatch-patch, libeconf, libxml2, mod_auth_openidc:2.3, openssh, and python-requests), SUSE (firefox, jtidy, libredwg, openssl, salt, SUSE Manager Client Tools, and SUSE Manager Salt Bundle), and Ubuntu (firefox).
Kernel testing is a perennial topic at Linux-related conferences and the KernelCI project is one of the larger testing players. It does its own testing but also coordinates with various other testing systems and aggregates their results. At the 2023 Embedded Open Source Summit (EOSS), KernelCI developer Nikolai Kondrashov gave a presentation on the testing framework, its database, and how others can get involved in the project. He also had some thoughts on where KernelCI is falling short of its goals and potential, along with some ideas of ways to improve it.
Version 2.38 of the GNU C Library has been released. This release consists mostly of relatively small changes, including improved support for working with binary integer constants, some new printf() formatting options, libmvec support for 64-bit Arm systems, the strlcpy() and strlcat() string functions, and more. See the release notes for the details.
Security updates have been issued by Debian (tiff), Fedora (curl), Red Hat (bind, ghostscript, iperf3, java-1.8.0-ibm, nodejs, nodejs:18, openssh, postgresql:15, and samba), Scientific Linux (iperf3), Slackware (mozilla and seamonkey), SUSE (compat-openssl098, gnuplot, guava, openssl-1_0_0, pipewire, python-requests, qemu, samba, and xmltooling), and Ubuntu (librsvg, openjdk-8, openjdk-lts, openjdk-17, openssh, rabbitmq-server, and webkit2gtk).
Version 29.1 of the Emacs editor has been released. There is a long list of changes, including integration with the Tree-sitter incremental parsing library, the ability to access SQLite databases, "pure GTK" display support (which enables Wayland support), and a lot more; see the NEWS file for all the details.
Version 3.2 of the GNU COBOL compiler is out. "The amount of features are too much to note, but you can skip over the attached NEWS file to investigate them." These new features include improved support for COBOL dialects, performance improvements, better GDB debugging support, and more.
It is well understood that concurrency makes programming problems harder; the high level of concurrency inherent in kernel development is one of the reasons why kernel work can be challenging. Things can get even worse, though, if concurrent access happens in places where the code is not expecting it. The long story accompanying this short patch from Christian Brauner is illustrative of the kind of problem that can arise when assumptions about concurrency prove to be incorrect.
The Python Steering Council has announced its intent to accept PEP 703 (Making the Global Interpreter Lock Optional in CPython), with initial support possibly showing up in the 3.13 release. There are still some details to work out, though.
For those who are interested in the gory details of how the StackRot vulnerability works, Ruihan Li has posted a detailed writeup of the bug and how it can be exploited.
One of the longstanding strengths of Linux, and a key to its early success, is its ability to interoperate with other systems. That interoperability includes filesystems; Linux supports a wide range of filesystem types, allowing it to mount filesystems created by many other operating systems. Some of those filesystem implementations, though, are better maintained than others; developers at both the kernel and distribution levels are currently considering, again, how to minimize the security risks presented by the others.
Systemd 254 has been released. As usual, there is a long list of changes, including a new list-paths command for systemctl, the ability to send POSIX signals to services, a "soft reboot" feature that restarts user space while leaving the kernel in place, improved support for "confidential virtual machines", and a lot more. The announcement also notes the support for split-/usr systems will be removed in the next release, and support for version-one control groups and for System V service scripts will be deleted in the near future as well.
The fchmodat() system call on Linux hides a little secret: it does not actually implement all of the functionality that the man page claims (and that POSIX calls for). As a result, C libraries have to do a bit of a complicated workaround to provide the API that applications expect. That situation looks likely to change with the 6.6 kernel, though, as the result of this patch series posted by Alexey Gladkov.
The 6.4.7, 6.1.42, 5.15.123, 5.10.188, and 5.4.251 stable kernels have been released. As usual, they all contain lots of important fixes; users of those series should upgrade.
The U-Boot "universal boot loader" is used extensively in the embedded-Linux world. At the 2023 Embedded Open Source Summit (EOSS), Simon Glass gave a presentation (slides, YouTube video) on the status of the project, with a focus on new features added over the last several years. He also wanted to talk about complexity in the firmware world, which he believes is increasing, and how U-Boot can help manage that complexity. The talk was something of a grab bag of ideas and changes throughout the increasingly large footprint of the project.
The extensible scheduler class enables the creation of CPU schedulers in BPF. After the fourth version of this series was greeted with relative silence, Tejun Heo asked about the status of this work:
There was something of a space theme that pervaded the Embedded Linux Conference (ELC) portion of the 2023 Embedded Open Source Summit (EOSS), which is an umbrella event for various sub-conferences related to embedded open-source development. That may partly be because one of the organizers of EOSS (and ELC), Tim Bird, described himself as "a bit of a space junkie"; he made that observation during a panel session that he led on embedded Linux in space. Bird and four panelists discussed various aspects of the use of Linux in space-related systems, including where it has been used, the characteristics and challenges of aerospace deployments, certification of Linux for aerospace use, and more.
Security updates have been issued by Debian (python-git and renderdoc), Red Hat (edk2, kernel, kernel-rt, and kpatch-patch), Slackware (kernel), SUSE (firefox, libcap, openssh, openssl-1_1, python39, and zabbix), and Ubuntu (cinder, ironic, nova, python-glance-store, python-os-brick, frr, graphite-web, and openssh).
Greg Kroah-Hartman has released six new stable kernels to address the Zenbleed vulnerability for AMD processors: 6.4.6, 6.1.41, 5.15.122, 5.10.187, 5.4.250, and 4.19.289. "All AMD processor users of the [...] kernel series who have not updated their microcode to the latest version, must upgrade."
Tavis Ormandy reports on a vulnerability that he has found in "all Zen 2 class processors" from AMD. (Wayback Machine link as the original site is overloaded.) It can allow local attackers to recover data used in string operations; "If you remove the first word from the string 'hello world', what should the result be? This is the story of how we discovered that the answer could be your root password!" The report has lots of details, including an exploit; AMD has released a microcode update to address the problem.
The kernel's address-space layout randomization is intended to make life harder for attackers by changing the placement of kernel text and data at each boot. With this randomization, an attacker cannot know ahead of time where a vulnerable target will be found on any given system. There are techniques, though, that can be effective without knowing precisely where a given object is stored. As a way of hardening systems against such attacks, the kernel will be gaining yet another form of randomization.
Version 1.3 of the Inkscape drawing editor has been released. "With version 1.3 of Inkscape, you'll find improved performance, several new features, and a solid set of improvements to a few existing ones". Changes include a new shape-builder tool, a "document resources" dialog for the management of drawings, a new pattern editor, and more.
Security updates have been issued by Debian (webkit2gtk), Fedora (curl, dotnet6.0, dotnet7.0, ghostscript, kernel-headers, kernel-tools, libopenmpt, openssh, and samba), Mageia (virtualbox), Red Hat (java-1.8.0-openjdk and java-11-openjdk), and Scientific Linux (java-1.8.0-openjdk and java-11-openjdk).
Linus has released 6.5-rc3 for testing. "Things continue to look pretty normal - there's nothing here that would seem to stand out, with both the commit counts and the diffs looking pretty much normal for rc3". Meanwhile, Greg Kroah-Hartman has released the large 6.4.5, 6.1.40, and 5.15.121 stable updates; each contains another set of important fixes.
The BPF virtual machine in the kernel has been steadily gaining new features for years, many of which add capabilities that C programmers do not ordinarily have. So, from one point of view, it was only a matter of time before BPF gained support for exceptions. As it turns out, though, this "exceptions" feature is aimed at a specific use case, and its use in most programs will be truly exceptional.
Security updates have been issued by Fedora (golang, nodejs16, nodejs18, and R-jsonlite), Red Hat (java-1.8.0-openjdk and java-17-openjdk), SUSE (container-suseconnect, redis, and redis7), and Ubuntu (wkhtmltopdf).
Sometimes, the shortest patches lead to the longest threads; for a case in point, see this three-line change posted by Emanuele Giuseppe Esposito. The purpose of this change is to improve the security of locked-down systems by adding a "revocation number" to the kernel image. But, as the discussion revealed, both the cost and the value of this feature are seen differently across the kernel-development community.
The advantages of the Rust programming language are generally well-known; memory safety is a feature that has attracted a lot of developer attention over the last few years. At the inaugural Embedded Open Source Summit (EOSS), which is an umbrella event for numerous embedded-related conferences, Martin Mosler presented on using Rust for an embedded project. In the talk, he showed how easy it is to get up and running with a Rust-based application on a RISC-V-based development board.
Security updates have been issued by Debian (bind9, libapache2-mod-auth-openidc, and python-django), Fedora (nodejs18 and redis), Red Hat (python3.9 and webkit2gtk3), Scientific Linux (bind and kernel), SUSE (cni, cni-plugins, cups-filters, curl, dbus-1, ImageMagick, kernel, libheif, and python-requests), and Ubuntu (bind9, connman, curl, libwebp, and yajl).
Version 3.0 of Cython (described as "a programming language that makes writing C extensions for the Python language as easy as Python itself") has been released. Changes include support for Python through 3.11 (but 2.6 support was dropped), the implementation of a number of PEPs, initial support for the CPython limited API, better exception handling, and more.
The 2023 sambaXP conference was held May 10 and 11 in Goettingen, Germany. Videos of the talks held there have now been posted on YouTube; topics covered include an io_uring update, fuzzing, passwordless services, GPL compliance, and much more.
In a session at the 2023 Real Time Linux Summit, Thomas Gleixner answered questions about the realtime feature of the kernel, its status, and the Real-Time Linux project's plans for the future. The talk was billed as a "Q&A about PREEMPT_RT" with a caveat: "anything except printk() and documentation". As might be guessed, the first two questions were on just those topics, but there were plenty of other questions (and answers) too. The summit was held in conjunction with the inaugural Embedded Open Source Summit in Prague, Czechia at the end of June.
Security updates have been issued by Fedora (java-1.8.0-openjdk), Red Hat (bind, bind9.16, curl, edk2, java-1.8.0-ibm, kernel, kernel-rt, and kpatch-patch), SUSE (iniparser, installation-images, java-1_8_0-ibm, kernel, libqt5-qtbase, nodejs16, openvswitch, and ucode-intel), and Ubuntu (linux-oem-6.0 and linux-xilinx-zynqmp).
On January 19, 2038, the time_t value used on many 32-bit Linux systems will overflow and wrap around, causing those systems to believe they have returned to 1901. Much work has gone into preparing many layers of the system for this event, but not all distributions have completed their preparations. One of those is Debian but, as was seen in a conversation in May, the Debian developers are now grappling with the problem in a serious way. Along the way, they appear to have made an interesting decision regarding which systems will (or will not) be updated.
The page structure sits at the core of the kernel's memory-management subsystem; one such structure exists for every page of installed RAM. This structure is increasingly seen as a problem, though, and phasing it out is one of the many side projects associated with the folio conversion. One step in that direction is currently meeting some pushback from memory-management developers, though, who think that some of these changes are coming too soon.
Security updates have been issued by Debian (lemonldap-ng and php-dompdf), Red Hat (.NET 6.0, .NET 7.0, firefox, and thunderbird), Scientific Linux (firefox and thunderbird), SUSE (ghostscript, installation-images, kernel, php7, python, and python-Django), and Ubuntu (linux-azure, linux-gcp, linux-ibm, linux-oracle, mozjs102, postgresql-9.5, and tiff).