LWN.net

Version24.1 of the Arch-based Manjarodistribution is now available with the 6.10 Linux kernel,GNOME46.5, KDEPlasma6.1 and KDEGear24.08:

Security updates have been issued by AlmaLinux (grafana), Fedora (cjson and php), Oracle (389-ds-base, freeradius, grafana, kernel, and krb5), Slackware (cryfs, cups, and mozilla), SUSE (OpenIPMI, openssl-3, openvpn, thunderbird, and tomcat), and Ubuntu (cups, cups-filters, knot-resolver, linux-raspi, linux-raspi-5.4, orc, php7.4, php8.1, php8.3, python-asyncssh, ruby-devise-two-factor, and vim).

Version 7.1 ofthe FFmpeg audio/video toolkit has been released. Important changes inthis release include the VVC decoder reaching stable status, andinclusion of support for MV-HEVC decoding (which is generated byrecent phones and VR headsets), as well as support for Vulkan encodingwith H264 and HEVC. See the announcement and changelogfor full details.

Version131.0 of the Firefox browser has been released. Changes include theability to temporarily grant permissions to sites and a preview that popsup when hovering over tabs.

One concern that has often been expressed about the Rust language is thatthere is only one compiler for it. That makes it hard to say what thestandard version of the language is and restricts the architectures thatcan be targeted by Rust code to those that the available compiler supports.Adding a Rust frontend to GCC would do much to address those concerns; atthe 2024 GNU ToolsCauldron, Pierre-Emmanuel Patry gave an update on the state of thatwork and what its objectives are.

Security updates have been issued by Debian (debian-security-support, nghttp2, and sqlite3), Oracle (cups-filters, kernel, and osbuild-composer), SUSE (openssl-3), and Ubuntu (bubblewrap, flatpak and python2.7, python3.5).

Tathagata Roy has been working to make theCoccinelle tool that is used (among other things)to automate the refactoring of C code work on Rustcode as well. Roy gave apresentation at Kangrejos about that work,including the creative approaches necessary to work with Rust's more complicatedcontrol flow and syntax.

Linus Torvalds released6.12-rc1 and closed the 6.12 merge window on September29; at thatpoint, 11,260 non-merge change sets had been pulled into the mainline forthe 6.12 release. That is the lowest number of merge-window changes since5.17-rc1 in January 2022, which brought in 11,068 changesets. Nonetheless,6.12 brings a number of interesting changes, many of which were included inthe roughly 4,500 changes merged since thesummary of the first half of the 6.12 merge window was written.

WordPress is the world's mostpopular opensource blogging and contentmanagement platform. In its20plus years of existence, WordPress has been something of a posterchild for open source, similar to Linux and Firefox. It introduced theconcept of open source to millions of bloggers, smallbusiness owners,and others who have deployed WordPress to support their webpublishingneeds. Unfortunately, it is now in the spotlight due to an increasinglyugly dispute between two companies, Automattic and WPEngine, that has spilled over intothe WordPress community.

The 6.11.1, 6.10.12, 6.6.53, and 6.1.112 stable kernels have been released.Each contains important fixes and users of those series should upgrade.

The most recent major release of the Tcl/Tk language and graphical-user-interface toolkit, Tcl/Tk 9.0, has been released, a mere 27 years after the 8.0 major release in 1997. There have been plenty of releases in the interim, though, as can be seen in the Tcl chronology. The 9.0 release brings 64-bit data values, better Unicode support, the ability to use zip files as filesystems, a switch to use epoll() or kqueue() where they are available, SVG support in Tk, access to notifications and other desktop-platform services in Tk, and lots more. For more information, see the release notes for Tcl and Tk that can be downloaded as Markdown files from the announcement page. (Thanks to Matt Bradley.)

Security updates have been issued by AlmaLinux (cups-filters, net-snmp, and osbuild-composer), Debian (booth, cups, cups-filters, python-asyncssh, ruby-httparty, ruby-loofah, ruby-rails-html-sanitizer, tryton-server, unbound, and wireshark), Fedora (chromium, cjson, cups, cups-browsed, libcupsfilters, and libppd), Gentoo (Apache HTTPD, Docker, HashiCorp Consul, IcedTea, nginx, tmux, and yt-dlp), Mageia (java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, & java-latest-openjdk and libreoffice), Red Hat (git-lfs, grafana, and osbuild-composer), and SUSE (chromedriver, chromium, coredns, json-java-20240303, kernel, libmozjs-128-0, maven-archetype, python3, python312, and quagga).

The Arch Linux project has announced that Valve will be helping thedistribution with a couple of important initiatives:

Linus has released 6.12-rc1 and closed themerge window for this release.

Micha Gorny describesthe challenges involved in transitioning Gentoo to year-2038-safe timerepresentations:

In the wake of the XZbackdoor, the Debian project has revisited some of thepatches included in its OpenSSHpackages to improve security. The outcome of this is that the projectwill be splitting out support for Kerberos key exchange into aseparate set of packages, though not until after the Debian13("trixie") release expected next year. The impact on Debian usersshould be minimal, but it is an interesting look into the changesLinux distributions make to upstream software as well as some of thelong-term consequences of those choices.

Security updates have been issued by Debian (chromium and trafficserver), Fedora (chromium), Mageia (apache-mod_jk, gnome-shell, kernel, kmod-xtables-addons, and kmod-virtualbox, kernel-linus, and python3), Oracle (container-tools:ol8, dovecot, emacs, expat, firefox, git-lfs, gtk3, kernel, nano, net-snmp, osbuild-composer, python3, python3.11, python3.12, ruby:3.3, and virt:ol and virt-devel:rhel), Slackware (boost), SUSE (kernel), and Ubuntu (configobj, cups, cups-browsed, cups-filters, libcupsfilters, and libppd).

Security researcher Simone Margaritelli has reported a new vulnerability in CUPS, the software that many Linux systems use to manage printers and print jobs. Margaritelli describes the impact of the attack by saying:

Danilo Krummrich gave a talk at Kangrejos 2024 focusing on the question of howthe Rust-for-Linux project could improve at getting device and driverabstractions upstream. As a case study, he used some of his recent work thatattempts to make it possible to write a PCI driver entirely in Rust. Therewasn't time to go into as much detail as he would have liked, but he diddemonstrate that it is possible to interface with the kernel's module loader ina way that is much harder toscrew up than the current standard approach in C.

Version17 of the PostgreSQL database has been released.

The online-privacy-focused Torproject has announcedthat it has "joined forces and merged operations" with the Tails OS Linux distribution.

The extensible scheduler class (sched_ext)enables the implementation of CPU schedulers as a set of BPF programsloaded from user space; it first hit the mailing lists in late 2022.Sched_ext has engendered its share of controversy since, but is currentlyslated to be part of the 6.12 kernel release. At the 2024 Linux Plumbers Conference, the growingsched_ext community held one of its first public gatherings; sched_extwould appear to have launched a new burst of creativity in schedulerdesign.

Security updates have been issued by AlmaLinux (container-tools:rhel8, dovecot, emacs, expat, git-lfs, go-toolset:rhel8, golang, grafana, grafana-pcp, gtk3, kernel, kernel-rt, nano, python3, python3.11, python3.12, and virt:rhel and virt-devel:rhel), Debian (mediawiki and puredata), Fedora (chisel), Mageia (glib2.0, gtk+2.0 and gtk+3.0, and python-astropy), Red Hat (git-lfs, grafana, grafana-pcp, kernel, and kernel-rt), SUSE (kubernetes1.24, kubernetes1.25, kubernetes1.26, kubernetes1.27, kubernetes1.28, opensc, and python36), and Ubuntu (apparmor, apr, ca-certificates, linux, linux-aws, linux-kvm, linux-lts-xenial, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-raspi, openjpeg2, ruby-rack, and tomcat8, tomcat9).

Here's apost on the Google Security Blog on how switching to a memory-safelanguage can quickly reduce vulnerabilities in a project, even if a largebody of older code persists.

The LWN.net Weekly Edition for September 26, 2024 is available.

The Vanilla OS project haspublished ablog post to answer questions that users have raised since the release of Vanilla OS 2. The post has information about the update strategy for the distribution,an enterpriseversion with support, and plans for an experimental version calledVanilla OS Vision.

In March, Danilo Krummrich announced the newNova GPU driver - a successor to Nouveau for controlling NVIDIA GPUs.At Kangrejos 2024, Krummrich gave apresentation about what it is, why it's needed, and where it'sgoing next. Hearing about the needs of the driver provoked extended discussionon related topics, including what level of safety is reasonable to expect fromdrivers, given that they must interact with the hardware.

The "Linus and Dirk show" has been a fixture at Open Source Summit for aslong as the conference has existed; it started back when the conference wascalled LinuxCon. Since Linus Torvalds famously does not like to givetalks, as he said during this year's edition at Open Source Summit Europe(OSSEU) in Vienna, Austria, he and Dirk Hohndel have been sitting down for aninformal chat on a wide range of topics as a keynote session. That way,Torvalds does not need to prepare, but also does not know what topicswill be brought up, which makes it "so much more fun for one of us", Hohndelsaid with a grin. The topics this time ranged from the just-released6.11kernel and the upcoming Linux6.12, through Rust for the kernel, to the recurring topic of succession andthe graying of Linux maintainers.

Security updates have been issued by Debian (booth), Gentoo (Xpdf), Oracle (go-toolset:ol8, golang, grafana, grafana-pcp, kernel, libnbd, openssl, pcp, and ruby:3.3), Red Hat (container-tools:rhel8, go-toolset:rhel8, golang, kernel, and kernel-rt), SUSE (apr, cargo-audit, chromium, obs-service-cargo, python311, python36, quagga, traefik, and xen), and Ubuntu (intel-microcode, linux-azure-fde-5.15, and puma).

Almost a decade ago KDEe.V.,the non-profit organization that supports KDE, started a process forselecting goals to help the community unite behind a common vision for where theproject should go in the near future. KDErecently wrapped up its 2022-2024 cycle and announced the goals for 2024-2026 at Akademy on September7, in Wurzburg,Germany. This time around, KDE will be looking to streamline itsapplication-development experience, improve support for input devices,and bring in new contributors.

Version10.0.0 of the HarfBuzztext-shaping engine has been released. Notable changes in this releaseinclude Unicode16.0.0 support, adding Cairo script as an output format forhb-view, and a number of bug fixes.

The project to enable the writing of kernel code in Rust has been underwayfor several years, and each kernel release includes more Rust code. Evenso, some developers have expressed frustration at the time it takes to getnew functionality merged, and an air of uncertainty still hangs overthe project. At the 2024 Maintainers Summit, Miguel Ojeda led a discussionon the status of Rust in the kernel and whether the time had come to stopconsidering it an experimental project. There were not answers to all of thequestions, but it seems clear that Rust in the kernel will continuesteaming ahead.

Security updates have been issued by Gentoo (GCC, Hunspell, Tor, and ZNC), SUSE (apr-devel, cargo-c, chromedriver, firefox, kernel, libecpg6, libmfx, onefetch, postgresql12, postgresql13, postgresql14, postgresql15, postgresql16, python310-azure-identity, python39, qemu, rage-encryption, stgit, and system-user-zabbix), and Ubuntu (kernel, linux-ibm-5.15, linux-oracle-5.15, linux-xilinx-zynqmp, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-raspi, and py7zr).

Version 1.0.0 of Hy, a Lisp dialect that is embedded in Python, has been releasedafter nearly 12 years in development. This is the first stable release of the project:

Dirk Behme led a second session, back-to-back withhis session on error handling atKangrejos 2024, discussing providing better guidance for users of the kernel'sRust abstractions. Just after that,Carlos Bilbao and Miguel Ojeda had their own time slot dedicated to collectingresources that could be of use to someone trying to come up to speedon kernel development inRust. The attendees provided a lot of guidance in both sessions, anddiscussed what they could do to make things easier for people comingfrom non-Rust backgrounds.

Security updates have been issued by AlmaLinux (expat, fence-agents, firefox, libnbd, openssl, pcp, ruby:3.3, and thunderbird), Debian (ruby-saml), Fedora (aardvark-dns, chromium, expat, jupyterlab, less, openssl, python-jupyterlab-server, python-notebook, python3-docs, and python3.12), Gentoo (calibre, curl, Emacs, org-mode, Exo, file, GPL Ghostscript, gst-plugins-good, liblouis, Mbed TLS, OpenVPN, Oracle VirtualBox, PJSIP, Portage, PostgreSQL, pypy, pypy3, Rust, Slurm, stb, VLC, and Xen), SUSE (container-suseconnect, ffmpeg-4, kernel, libpcap, python3, python310, python36, and wpa_supplicant), and Ubuntu (firefox, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux-azure, and linux-ibm-5.15, linux-oracle-5.15).

Konstantin Ryabitsev started a session on development tooling at the 2024Maintainers Summit by saying that he does not want to be a "wrecking ball".If a given workflow is working for people, he does not want to try to forceany sort of change. That said, he has ideas for how he can continue hiswork on providing better tooling for the development community.

The SUSE Security Team Blog has a detailed review of the Performance Co-Pilot (PCP) 6.2.1 release:

As of this writing, 6,778 non-merge changesets have been pulled into themainline kernel for the 6.12 release - over half of the work that had beenstaged in linux-next prior to the opening of the merge window. There hasbeen a lot of refactoring and cleanup work this time around, but also somesignificant changes. Read on for a summary of the first half of the 6.12merge window.

The OpenSSH project has released version 9.9. This version includes support for the new post-quantum cryptography standard from NIST.The release also includesthe next step in the deprecation of DSA keys - they are now disabled by default at compile time,and are expected to be removed entirely in early 2025. The release also contains the normal mixture of bug fixes and small usability improvements.

The kernel normally sits firmly between user space and the system'speripheral devices, and provides a standard interface to those devices. Attimes, though, a more direct interface to a device is desired - but suchinterfaces can be controversial. At the 2024 Maintainers Summit, theassembled developers considered a specific case - the proposed fwctl subsystem - as well as the role of suchdrivers in general.

Security updates have been issued by Debian (chromium), Fedora (bluez, chromium, frr, iwd, libell, python3.11, python3.8, python3.9, and ruby), Mageia (kernel, kmod-xtables-addons, and kmod-virtualbox and kernel-linus), Red Hat (kernel), SUSE (kernel, kubernetes1.23, kubernetes1.24, kubernetes1.25, libmfx, and python-azure-identity), and Ubuntu (emacs, emacs24, emacs25, libreoffice, postgresql-9.5, python2.7, python3.5, and tgt).

On September 19, Thomas Gleixner delivered the pull request for therealtime preemption enablement patches to Linus Torvalds - in printed form,wrapped in gold, with a ribbon, as Torvalds had requested. It was asignificant milestone, marking the completion of a project that required20years of effort. Congratulations are due to everybody involved.Torvalds acted onthe pull request the following morning.

Dirk Behme led a session discussing the use of Rust's question-mark operator inthe kernel at Kangrejos 2024. He was particularly concerned with the concept of"silent" errors that don't print any messages to the console.Other attendees were less convinced that this was a problem, but his presentationsparked a lot of discussion about whether the Rust-for-Linux project couldimprove error handling in kernel Rust code.

The RPM Package Manager (RPM) project isnearing the release of RPM4.20, the last major planned update for the RPM 4.xseries. It has few user-facing changes, butseveral additions and enhancements for developers-as well assome small incompatibilities that will likely require RPM packagers torevise their specfiles. 4.20 will be rolling out to many users soon, inFedora41, which is scheduled for October. RPM6.0 isalready in the works, with a new package format and opening the doorto enabling C++ use in the RPM codebase.

Security updates have been issued by Debian (expat and tinyproxy), Fedora (frr, microcode_ctl, python3.10, python3.12, python3.6, and ruby), Oracle (expat, fence-agents, firefox, ghostscript, java-1.8.0-openjdk, kernel, and thunderbird), Red Hat (firefox, openssl, ruby:3.3, and thunderbird), SUSE (clamav, ffmpeg-4, kernel, libmfx, python3, python312, runc, ucode-intel, and wireshark), and Ubuntu (apache2, git, linux, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-gkeop-5.15, linux-hwe-5.15, linux-ibm, linux-intel-iotg, linux-intel-iotg-5.15, linux-kvm, linux-nvidia, linux-oracle, linux-raspi, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-xilinx-zynqmp, and linux, linux-aws, linux-gcp, linux-gke, linux-ibm, linux-lowlatency, linux-lowlatency-hwe-6.8, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, linux-oem-6.8, linux-oracle).

Tracking of regressions seems like an important task for any project; thereis no other way to ensure that known problems are fixed. At the 2024Maintainers Summit, though, Thorsten Leemhuis, who has been doing that workfor the kernel, expressed some doubts about whether it is worth continuing.The result was an energetic session on how regression tracking should bedone better, and how this work should be supported.

Version 47 of the GNOME desktophas been released. Changes include configurable accent colors, bettersmall-screen support, some performance improvements, new file open and savedialogs, and more.

The LWN.net Weekly Edition for September 19, 2024 is available.

The 6.10.11, 6.6.52, and 6.1.111 stable kernel updates have allbeen released. As usual, they contain important fixes throughout thetree. Users of those kernels should upgrade.