Feed lwn LWN.net

Link https://lwn.net/
Feed http://lwn.net/headlines/rss
Updated 2024-11-23 02:15
Security updates for Monday
Security updates have been issued by Debian (chromium and thunderbird), Fedora (keylime, libarchive, libtasn1, pgadmin4, rubygem-nokogiri, samba, thunderbird, wireshark, and xorg-x11-server-Xwayland), Gentoo (curl, libreoffice, nss, unbound, and virtualbox), Mageia (advancecomp, couchdb, firefox, freerdp, golang, heimdal, kernel, kernel-linus, krb5, leptonica, libetpan, python-slixmpp, thunderbird, and xfce4-settings), Oracle (firefox, nodejs:16, and thunderbird), Scientific Linux (firefox and thunderbird), Slackware (samba), SUSE (chromium and kernel), and Ubuntu (linux-oem-5.17).
Apache SpamAssassin 4.0.0 released
Version 4.0.0 of the Apache SpamAssassin spam filter has been released.
OCaml 5.0.0 released
Version 5.0.0 of the OCaml programming language is out.
Security updates for Friday
Security updates have been issued by Debian (firefox-esr, libde265, php7.3, and thunderbird), Fedora (firefox, freeradius, freerdp, and xorg-x11-server), Oracle (firefox, prometheus-jmx-exporter, and thunderbird), Red Hat (firefox, nodejs:16, prometheus-jmx-exporter, and thunderbird), and SUSE (ceph and chromium).
Xfce 4.18 released
Version 4.18 of the Xfce desktop environment has been released.
[$] 6.2 Merge window, part 1
Once upon a time, Linus Torvalds would try to set a pace of about 1,000 changesets pulled into the mainline each day during the early part of the merge window. For 6.2, though, the situation is different; no less than 9,278 non-merge changesets were pulled during the first two days. Needless to say, these commits affect the kernel in numerous ways, even though there are fewer fundamental changes than were seen in 6.1.
Security updates for Thursday
Security updates have been issued by Debian (firefox-esr and git), Slackware (mozilla and xorg), SUSE (apache2-mod_wsgi, capnproto, xorg-x11-server, xwayland, and zabbix), and Ubuntu (emacs24, firefox, linux-azure, linux-azure-5.15, linux-azure-fde, linux-oem-6.0, and xorg-server, xorg-server-hwe-18.04, xwayland).
The Linux kernel contribution maturity model
Ted Ts'o, in collaboration with the Linux Foundation Technical Advisory Board, has put together a document called the Linux kernel contribution maturity model to help companies improve their participation in the kernel development process.
Another set of stable kernel updates
The 6.0.13, 5.15.83, 5.10.159, 5.4.227, 4.19.269, 4.14.302, and 4.9.336 stable kernel updates have all been released; each contains another set of important fixes.
[$] LWN.net Weekly Edition for December 15, 2022
The LWN.net Weekly Edition for December 15, 2022 is available.
[$] Troubles with triaging syzbot reports
A report from the syzbot kernel fuzz-testing robot does not usually spawn a vitriolic mailing-list thread, but that is just what happened recently. While the invective is regrettable, the underlying issue is important. The dispute revolves around how best to report bugs to affected subsystems and, ultimately, how not to waste maintainers' time.
Security updates for Wednesday
Security updates have been issued by Debian (pngcheck), Fedora (qemu), Mageia (admesh, busybox, emacs, libarchive, netkit-telnet, ruby, rxvt-unicode, and shadowutils), Oracle (bcel and kernel), Red Hat (389-ds-base, bcel, dbus, firefox, grub2, kernel, kernel-rt, kpatch-patch, thunderbird, and usbguard), Scientific Linux (bcel), SUSE (containerd, firefox, grafana, java-1_8_0-openjdk, libtpms, net-snmp, and wireshark), and Ubuntu (pillow).
Everything Open call for proposals
Everything Open is, seemingly, the future form of the conference once known as linux.conf.au; see this page for a discussion of the reasoning behind the change. The inaugural event will be held March 14 to 16 in Melbourne, Australia, and the call for proposals has gone out now, with a deadline of January 15. "Our aim is to create a deeply technical conference where we bring together industry leaders and experts on a wide range of subjects."
A security release for xorg-server
X.org users running in potentially hostile environments will want to look into the xorg-server 21.1.5 release, which fixes several potentially serious security vulnerabilities. "All these issues can lead to local privileges elevation on systems where the X server is running privileged and remote code execution for ssh X forwarding sessions".
Firefox 108 released
Version 108 of the Firefox browser has been released. The headline feature this time around appears to be the enabling of import maps by default, along with support for the Web MIDI API and the usual set of security fixes.
Miller: Upcoming releases and more fun stuff
Bugzilla project lead Dave Miller has posted a plan for several upcoming releases of the bug-tracking tool. The post starts with: "Surprise! Bugzilla’s not dead yet. :-)". It is, in effect, an update to his August posting to the Bugzilla developers mailing list. In the new post, he outlines the plan for releases of multiple branches, lists specific areas where help is needed, and describes some project infrastructure improvements.
Security updates for Tuesday
Security updates have been issued by Debian (node-tar and pngcheck), SUSE (colord, containerd, and tiff), and Ubuntu (containerd, linux-azure, linux-azure, linux-azure-5.4, linux-oem-5.17, and vim).
Git 2.39.0 released
Version 2.39.0 of the Git source-code management system is out. "It is comprised of 483 non-merge commits since v2.38.0, contributed by 86 people, 31 of which are new faces". This release seems to mostly offer incremental improvements; see the announcement or this GitHub blog post for details.
[$] Development statistics for the 6.1 kernel (and beyond)
The 6.1 kernel was released on December 11; by the time of this release, 13,942 non-merge changesets had been pulled into the mainline, growing the kernel by 412,000 lines of code. This is thus not the busiest development cycle ever, but neither is it the slowest, and those changesets contained a number of fundamental changes. This release will also be the long-term-support kernel for 2022. Read on for a look at where the work in 6.1 came from.
Security updates for Monday
Security updates have been issued by Debian (cacti, grub2, hsqldb, node-eventsource, and openexr), Fedora (bcel, keylime, rust-capnp, rust-sequoia-octopus-librnp, xfce4-screenshooter, and xfce4-settings), Oracle (nodejs:18), Scientific Linux (grub2), Slackware (libarchive), SUSE (go1.18, go1.19, nautilus, opera, python-slixmpp, and samba), and Ubuntu (python2.7, python3.5, qemu, and squid3).
OpenShot 3.0 released
Version 3.0 of the OpenShot video editor is out.
The 6.1 kernel is out
Linus has released the 6.1 kernel; he is preparing for a tricky holiday merge window:
[$] mimmutable() for OpenBSD
Virtual-memory systems provide a great deal of flexibility in how memory can be mapped and protected. Unfortunately, memory-management flexibility can also be useful to attackers bent on compromising a system. In the OpenBSD world, a new system call is being added to reduce this flexibility; it is, though, a system call that almost no code is expected to use.
Security updates for Friday
Security updates have been issued by Debian (leptonlib), Fedora (woff), Red Hat (grub2), Slackware (emacs), SUSE (busybox, chromium, java-1_8_0-openjdk, netatalk, and rabbitmq-server), and Ubuntu (gcc-5, gccgo-6, glibc, protobuf, and python2.7, python3.10, python3.6, python3.8).
PHP 8.2.0 released
Version 8.2.0 of the PHP language is out.
[$] Bugs and fixes in the kernel history
Each new kernel release fixes a lot of bugs, but each release also introduces new bugs of its own. That leads to a fundamental question: is the kernel community fixing bugs more quickly than it is adding them? The answer is less than obvious but, if it could be found, it would give an important indication of the long-term future of the kernel code base. While digging into the kernel's revision history cannot give a definitive answer to that question, it can provide some hints as to what that answer might be.
Seven new stable kernels
Greg Kroah-Hartman has released the 6.0.12, 5.15.82, 5.10.158, 5.4.226, 4.19.268, 4.14.301, and 4.9.335 stable kernels. As is the norm, they contain important fixes throughout the kernel tree; users of those series should upgrade.
Security updates for Thursday
Security updates have been issued by Debian (dlt-daemon, jqueryui, and virglrenderer), Fedora (firefox, vim, and woff), Oracle (kernel and nodejs:18), Red Hat (java-1.8.0-ibm and redhat-ds:11), Slackware (python3), SUSE (buildah, matio, and osc), and Ubuntu (heimdal and postgresql-9.5).
[$] LWN.net Weekly Edition for December 8, 2022
The LWN.net Weekly Edition for December 8, 2022 is available.
Tor Browser 12.0 released
Version 12.0 of the Tor browser has been released. Changes include multi-locale support, Apple silicon support, HTTPS-only behavior by default on Android and more.
[$] Composefs for integrity protection and data sharing
A read-only filesystem that will transparently share file data between disparate directory trees, while also providing integrity verification for the data and the directory metadata, was recently posted as an RFC to the linux-kernel mailing list. Composefs was developed by Alexander Larsson (who posted it) and Giuseppe Scrivano for use by podman containers and OSTree (or "libostree" as it is now known) root directories, but there are likely others who want the abilities it provides. So far, there has been little response, either with feedback or complaints, but it is a small patch set (around 2K lines of code) and generally self-contained since it is a filesystem, so it would not be a surprise to see it appear in some upcoming kernel.
Security updates for Wednesday
Security updates have been issued by Debian (cgal, ruby-rails-html-sanitizer, and xfce4-settings), Red Hat (dbus, grub2, kernel, pki-core, and usbguard), Scientific Linux (pki-core), SUSE (bcel, LibVNCServer, and xen), and Ubuntu (ca-certificates and u-boot).
Rust support coming to GCC
Gccrs — the Rust front-end for GCC — has been approved for merging into the GCC trunk. That means that the next GCC release will be able to compile Rust, sort of; as gccrs developer Arthur Cohen warns: "This is very much an extremely experimental compiler and will still get a lot of changes in the coming weeks and months up until the release". See this article and this one for more details on the current status of gccrs.
KernelCI now testing Linux Rust code (Collabora blog)
Over on the Collabora blog, Adrian Ratiu writes about the addition of the kernel's Rust code to the KernelCI automated kernel testing project. The blog post looks at what it took to add the support and at some plans for future additions, as well.
[$] Checking page-cache status with cachestat()
The kernel's page cache holds pages from files in RAM, allowing those pages to be accessed without expensive trips to persistent storage. Applications are normally entirely unaware of the page cache's operation; it speeds things up and that is all that matters. Some applications, though, can benefit from knowledge about how much of a given file is present in the page cache at any given time; the proposed cachestat() system call from Nhat Pham is the latest in a long series of attempts to make that information available.
Security updates for Tuesday
Security updates have been issued by Ubuntu (binutils and ca-certificates).
A 10-minute guide to the Linux ABI (opensource.com)
Alison Chaiken provides an overview of Linux ABI concerns on opensource.com.
[$] Losing the magic
The kernel project is now more than three decades old; over that time, a number of development practices have come and gone. Once upon a time, the use of "magic numbers" to identify kernel data structures was seen as a good way to help detect and debug problems. Over the years, though, the use of magic numbers has gone into decline; this patch set from Ahelenia Ziemiańska may be an indication that the reign of magic numbers may be reaching its end.
Security updates for Monday
Security updates have been issued by Debian (awstats, chromium, clamav, g810-led, giflib, http-parser, jhead, libpgjava, node-cached-path-relative, node-fetch, and vlc), Fedora (fastnetmon, kernel, librime, qpress, rr, thunderbird, and wireshark), Red Hat (kernel, kernel-rt, and kpatch-patch), Slackware (mozilla), SUSE (cherrytree and chromium), and Ubuntu (libbpf, libxml2, linux-gcp-5.15, linux-gke, linux-gke-5.15, and linux-gke).
Kernel prepatch 6.1-rc8
The eighth and presumably final 6.1 kernel prepatch has been released for testing. "So everything looks good, and while the calming down may have happened later than I wished for, it did happen. Let's hope this upcoming week is as quiet (or quieter)."
Three stable kernel updates
The 6.0.11, 5.15.81, and 5.10.157 stable kernel updates have been released; each contains another set of important fixes.
[$] Juggling software interrupts and realtime tasks
The software-interrupt mechanism is one of the oldest parts in the kernel; arguably, the basic design behind it predates Linux itself. Software interrupts can get in the way of other work so, for almost as long as they have existed, developers have wished that they could be made to go away. That has never happened, though, and doesn't look imminent. Instead, Android systems have long carried a patch that tries to minimize the impact of software interrupts, at least in some situations. John Stultz is now posting that work, which contains contributions from a number of authors, in the hope of getting it into the mainline kernel.
Security updates for Friday
Security updates have been issued by Debian (snapd), Fedora (firefox, libetpan, ntfs-3g, samba, thunderbird, and xen), SUSE (busybox, emacs, and virt-v2v), and Ubuntu (linux, linux-aws, linux-aws-5.15, linux-gcp, linux-gkeop, linux-hwe-5.15, linux-ibm, linux-intel-iotg, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-oracle, linux-oracle-5.15, linux-raspi, linux, linux-aws, linux-aws-5.4, linux-gcp, linux-gcp-5.4, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux, linux-aws, linux-dell300x, linux-gcp-4.15, linux-kvm, linux-oracle, linux-raspi2, linux-snapdragon, linux, linux-aws, linux-gcp, linux-ibm, linux-kvm, linux-lowlatency, linux-oracle, linux-raspi, linux, linux-aws, linux-kvm, linux-lts-xenial, linux-aws-hwe, linux-gcp, linux-hwe, linux-oracle, and tiff).
Samsung, LG, Mediatek certificates compromised to sign Android malware (Bleeping Computer)
Bleeping Computer reports that the Android platform signing certificates for several manufacturers have leaked and been used to sign malware.
Memory Safe Languages in Android 13 (Google security blog)
Over on the Google security blog, Jeffrey Vander Stoep writes about the impact of focusing on using memory-safe languages for new code in Android.
[$] Disunity at The Document Foundation
The Document Foundation (TDF) was created in 2010 to steward and support the development of the LibreOffice suite, which was then a new fork of OpenOffice.org. TDF has clearly been successful; unlike OpenOffice, which is currently under the Apache umbrella, LibreOffice is an actively developed and widely used project. But TDF has also been showing signs of stress in recent years, and the situation does not appear to be getting better. There are currently some significant disagreements over just what role TDF should play; if those cannot be resolved, there is a real chance that they could rip the Foundation apart.
Security updates for Thursday
Security updates have been issued by CentOS (device-mapper-multipath, firefox, hsqldb, krb5, thunderbird, and xorg-x11-server), Debian (libraw), Fedora (freerdp and grub2), SUSE (bcel, emacs, glib2, glibc, grub2, nodejs10, and tomcat), and Ubuntu (linux-azure-fde and snapd).
[$] LWN.net Weekly Edition for December 1, 2022
The LWN.net Weekly Edition for December 1, 2022 is available.
[$] Python and hashing None
The recent discussion of a proposed change to the Python language—the usual fare on the language's Ideas forum—was interesting, somewhat less for the actual feature under discussion than for the other issues raised. The change itself is a minor, convenience feature that would provide a reproducible iteration order for certain kinds of sets between separate invocations of the interpreter. That is a pretty limited use case, and one that could perhaps be fulfilled in other ways, but the discussion also highlighted some potentially worrying trends in the way that feature ideas are handled in the Python community.
The BPF extensible scheduler class
It was only a matter of time before somebody found a way to inject BPF into the CPU scheduler. This patch series, posted by Tejun Heo and containing work by David Vernet, Josh Don, and Barret Rhoden, does exactly that. The cover letter covers the motivation behind this work in detail: