LWN.net
| Link | https://lwn.net/ |
| Feed | http://lwn.net/headlines/rss |
| Updated | 2025-12-25 07:00 |
by jake on (#6KRKV)
Security updates have been issued by Arch Linux (xz), Debian (libvirt, mediawiki, util-linux, and xz-utils), Fedora (apache-commons-configuration, cockpit, ghc-base64, ghc-hakyll, ghc-isocline, ghc-toml-parser, gitit, gnutls, pandoc, pandoc-cli, patat, podman-tui, prometheus-podman-exporter, seamonkey, suricata, and xen), Gentoo (XZ utils), Mageia (aide & mhash, emacs, microcode, opensc, and squid), Red Hat (ruby:3.1), and SUSE (kanidm and qpid-proton).
by corbet on (#6KRHG)
The 6.9-rc2 kernel prepatch is out for testing. "Neither snow nor rain nor heat nor gloom of night stays kernel rc releases. Nor does Easter."
by corbet on (#6KQNE)
by corbet on (#6KQ4W)
Andres Freund has posted a detailed investigation into a backdoor that was shipped with versions 5.6.0 and 5.6.1 of the xz compression utility. It appears that the malicious code may be aimed at allowing SSH authentication to be bypassed.
by corbet on (#6KPZQ)
Radicle is a new, peer-to-peer, MIT/Apache-licensed collaboration platform written in Rust and built on top of Git. It adds support for issues and pull requests (which Radicle calls "patches") on top of core Git, which are stored in the Git repository itself. Unlike GitHub, GitLab, and similar forges, Radicle is distributed; it doesn't rely on having everyone use the same server. Instead, Radicle instances form a network that synchronizes changes between nodes.
by daroc on (#6KPZR)
Security updates have been issued by Debian (chromium), Fedora (apache-commons-configuration, chromium, csmock, ofono, onnx, php-tcpdf, and podman-tui), Mageia (curl), Oracle (libreoffice), Slackware (coreutils, seamonkey, and util), SUSE (minidlna, PackageKit, and podman), and Ubuntu (linux-azure-6.5 and linux-intel-iotg, linux-intel-iotg-5.15).
by corbet on (#6KPZS)
Christian Schaller writes about the desktop-oriented work aimed at the upcoming Fedora 40 release.
by jzb on (#6KPJ7)
On March 21, Redis Ltd. announced that the Redis "in-memory data store" project would now be released under non-free, source-available licenses, starting with Redis 7.4. The news is unwelcome, but not entirely unexpected. What is unusual with this situation is the number of Redis alternatives to choose from; there are at least four options to choose as a replacement for those who wish to stay with free software, including a pre-existing fork called KeyDB and the Linux Foundation's newly-announced Valkey project. The question now is which one(s) Linux distributions, users, and providers will choose to take its place.
by daroc on (#6KP8E)
Keith Fiske gave a talk (with slides) about the state of partitioning - splitting a large table into smaller tables for performance reasons - in PostgreSQL at SCALE this year. He spoke about the existing support for partitioning, what work still needs to be done, and what place existing partitioning tools, like his own pg_partman, still have as PostgreSQL gains more built-in features.
by corbet on (#6KP5K)
Version 4.20.0 of the Samba Windows interoperability suite has been released. Changes include better support for group-managed service accounts, an experimental Windows search protocol client, support for conditional access control entries, and more.
by jake on (#6KP5M)
Security updates have been issued by Fedora (perl-Data-UUID, python-pygments, and thunderbird), Mageia (clojure, grub2, kernel, kmod-xtables-addons, kmod-virtualbox, kernel-linus, nss firefox, nss, python3, python, tcpreplay, and thunderbird), Oracle (nodejs:18), Red Hat (.NET 6.0 and dnsmasq), SUSE (avahi and python39), and Ubuntu (curl, linux-intel-iotg, linux-intel-iotg-5.15, unixodbc, and util-linux).
by daroc on (#6KNSW)
The LWN.net Weekly Edition for March 28, 2024 is available.
by corbet on (#6KNBD)
The PostgreSQL community is dealing with the loss of Simon Riggs, who passed away on March 26:
by daroc on (#6KNBE)
Jason Nucciarone and Felipe Reyes gave back-to-back talks about high-performance computing (HPC) using Ubuntu at SCALE this year. Nucciarone talked about ongoing work packaging Open OnDemand - a web-based HPC cluster interface - to make high-performance-computing clusters more user friendly. Reyes presented on using OpenStack - a cloud-computing platform - to pass the performance benefits of one's hardware through to virtual machines (VMs) running on a cluster.
by jzb on (#6KN8D)
Security updates have been issued by Debian (composer and nodejs), Fedora (w3m), Mageia (tomcat), Oracle (expat, firefox, go-toolset:ol8, grafana, grafana-pcp, nodejs:18, and thunderbird), Red Hat (dnsmasq, expat, kernel, kernel-rt, libreoffice, and squid), and SUSE (firefox, krb5, libvirt, and shadow).
by jake on (#6KMW9)
Sasha Levin has announced the release of the 6.8.2, 6.7.11, 6.6.23, 6.1.83, 5.15.153, 5.10.214, 5.4.273, and 4.19.311 stable kernels. Each contains a long list of important fixes throughout the kernel tree.
by jzb on (#6KMHE)
The GNOME project announced GNOME 46 (code-named "Kathmandu") on March 20. The release has quite a few updates and improvements across user applications, developer tools, and under the hood. One thing stood out while looking over this release - a major emphasis on Flatpaks as the way to acquire and update GNOME software.
by jake on (#6KME8)
Security updates have been issued by CentOS (kernel), Debian (firefox-esr), Fedora (webkitgtk), Mageia (curaengine & blender and gnutls), Red Hat (firefox, grafana, grafana-pcp, libreoffice, nodejs:18, and thunderbird), SUSE (glade), and Ubuntu (crmsh, debian-goodies, linux-aws, linux-aws-6.5, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-oracle, linux-azure, linux-azure-5.4, linux-oracle, linux-oracle-5.15, pam, and thunderbird).
by daroc on (#6KKQS)
The first-ever NixCon in North America was co-located with SCALE this year. The event drew a mix of experienced Nix users and people new to the project. I attended talks that covered using Nix to build Docker images, upcoming changes to how NixOS performs early booting, and ideas for making the set of services provided in nixpkgs more useful for self hosting. (LWN covered the relationship between Nix, NixOS, and nixpkgs in a recent article.) Near the end of the conference, a collection of Nix contributors gave a "State of the Union" about the growth of the project and highlighting areas of concern.
by corbet on (#6KKMK)
The 6.9-rc1 kernel prepatch was released on March 24, closing the merge window for this development cycle. By that time, 12,435 non-merge changesets had been merged into the mainline, making for a less-busy merge window than the last couple of kernel releases (but similar to the 12,492 seen for 6.5). Well over 7,000 of those changes were merged after the first-half merge-window summary was written, meaning that the latter part of the merge window brought many more interesting changes.
by jake on (#6KKHA)
Security updates have been issued by Debian (cacti, firefox-esr, freeipa, gross, libnet-cidr-lite-perl, python2.7, python3.7, samba, and thunderbird), Fedora (amavis, chromium, clojure, firefox, gnutls, kubernetes, and tcpreplay), Mageia (freeimage, libreswan, nodejs-hawk, and python, python3), Oracle (golang, nodejs, nodejs:16, and postgresql-jdbc), Slackware (emacs and mozilla), SUSE (dav1d, ghostscript, go1.22, indent, kernel, openvswitch, PackageKit, python-uamqp, rubygem-rack-1_4, shadow, ucode-intel, xen, and zziplib), and Ubuntu (firefox, graphviz, libnet-cidr-lite-perl, and qpdf).
by jake on (#6KK4G)
The 6.9-rc1 kernel prepatch is out for testing. Linus Torvalds described some rather large updates to the core kernel code that are coming for 6.9:
by daroc on (#6KHRT)
Security updates have been issued by Debian (firefox-esr, pillow, and thunderbird), Fedora (apptainer, chromium, ovn, and webkitgtk), Mageia (apache-mod_auth_openidc, ffmpeg, fontforge, libuv, and nodejs-tough-cookie), Oracle (kernel, libreoffice, postgresql-jdbc, ruby:3.1, squid, and squid:4), Red Hat (go-toolset:rhel8 and libreoffice), SUSE (firefox, jbcrypt, trilead-ssh2, jsch-agent-proxy, kernel, tiff, and zziplib), and Ubuntu (linux-aws and openssl1.0).
by corbet on (#6KH0Q)
While a programming error in the kernel may be subject to direct exploitation, usually a more roundabout approach is required to take advantage of a security bug. One popular approach for those wishing to take advantage of vulnerabilities is heap spraying, and it has often been employed to compromise the kernel. In the future, though, heap-spraying attacks may be a bit harder to pull off, thanks to the "dedicated bucket allocator" proposed by Kees Cook.
by jake on (#6KH0R)
Security updates have been issued by Debian (pdns-recursor and php-dompdf-svg-lib), Fedora (grub2, libreswan, rubygem-yard, and thunderbird), Mageia (libtiff and python-scipy), Red Hat (golang, nodejs, and nodejs:16), Slackware (python3), and Ubuntu (linux, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-gkeop-5.15, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux, linux-azure, linux-gcp, linux-gcp-6.5, linux-hwe-6.5, linux-lowlatency, linux-lowlatency-hwe-6.5, linux-oem-6.5, linux-oracle, linux-oracle-6.5, linux-raspi, linux-starfive, linux-starfive-6.5, linux-aws, linux-aws-5.15, linux-aws, linux-aws-5.4, linux-gcp-5.4, linux-raspi, linux-raspi-5.4, linux-xilinx-zynqmp, linux-gcp, linux-gcp-4.15, linux-kvm, linux-laptop, linux-oem-6.1, and linux-raspi).
by corbet on (#6KH0S)
Version 1.77.0 of the Rust language has been released. Changes include support for NUL-terminated C-string literals, the ability for async functions to call themselves recursively, the stabilization of the offset_of!() macro, and more.
by corbet on (#6KGVT)
Version 5.39.9 of the Perl language has been released. Changes this time include a new "medium-precedence" logical exclusive-or operator, a number of updated modules, and more; see this page for details.
by corbet on (#6KGR6)
The Redis in-memory database system has had its license changed to either the Redis Source Available License or the Server Side Public License (covered here in 2018); neither license qualifies as free software.
by corbet on (#6KGR7)
Danilo Krummrich has announced the existence of the "Nova" project within Red Hat.
by corbet on (#6KGJY)
The LWN.net Weekly Edition for March 21, 2024 is available.
by corbet on (#6KGE4)
Version 46 of the GNOME desktop has been released. "GNOME 46 is code-named 'Kathmandu', in recognition of the amazing work done by the organizers of GNOME.Asia 2023." Significant changes include a new global search feature, enhancements to the Files app, improved remote login support, and more.
by jzb on (#6KG8B)
Cockpit is an interesting project for web-based Linux administration that has received relatively little attention over the years. Part of that may be due to the project's strategy of minor releases roughly every two weeks, rather than larger releases with many new features. While the strategy has done little to garner headlines, it has delivered a useful and extensible tool to observe, manage, and troubleshoot Linux servers.
by jzb on (#6KG4C)
The Python project has announced three security releases, 3.10.14, 3.9.19, and 3.8.19. In addition to the security fixes, these releases are notable for two reasons; they are the first to make use of GitHub Actions to perform public builds instead of building artifacts "on a local computer of one of the release managers", and the first since Python became a CVE Numbering Authority (CNA). Python release team member Łukasz Langa said that being a CNA means Python is able to "ensure the quality of the vulnerability reports is high, and that the severity estimates are accurate." It also allows Python to coordinate CVE announcements with the patched versions of Python, as it has with two CVEs addressed in these releases. CVE-2024-0450 describes a flaw in CPython's zipfile module that made it vulnerable to a zip-bomb exploit. CVE-2023-6597 is an issue with Python's tempfile.TemporaryDirectory class which could be exploited to modify permissions of files referenced by symbolic links. Users of affected versions should upgrade soon.
by jzb on (#6KFY4)
Security updates have been issued by Debian (fontforge and imagemagick), Fedora (firefox), Mageia (cherrytree, python-django, qpdf, and sqlite3), Red Hat (bind, cups, emacs, fwupd, gmp, kernel, libreoffice, libX11, nodejs, opencryptoki, postgresql-jdbc, postgresql:10, postgresql:13, and ruby:3.1), Slackware (gnutls and mozilla), and Ubuntu (firefox, linux, linux-bluefield, linux-gcp, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-iot, linux-kvm, linux-oracle, linux-oracle-5.4, linux-aws, linux-aws-5.4, linux-aws, linux-aws-6.5, and linux-oracle, linux-oracle-5.15).
by jake on (#6KFET)
There are a number of different language-enhancement ideas that crop up with some regularity in the Python community; many of them have been debated and shot down multiple times over the years. When one inevitably arises anew, it can sometimes be difficult to tamp it down, even if it is unlikely that the idea will go any further than the last N times it cropped up. A recent discussion about "real" anonymous functions follows a somewhat predictable path, but there are still reasons to participate in vetting these "new" ideas, despite the tiresome, repetitive nature of the exercise - examples of recurring feature ideas that were eventually adopted definitely exist.
by corbet on (#6KF9D)
Version 124.0 of the Firefox browser is out. Changes include support for "caret browsing mode" in the PDF viewer and the ability to control the sorting of tabs in the Firefox View screen.
by corbet on (#6KF9E)
Security updates have been issued by Debian (cacti, postgresql-11, and zfs-linux), Fedora (freeimage, mingw-expat, and mingw-freeimage), Mageia (apache-mod_security-crs, expat, and multipath-tools), Oracle (.NET 7.0 and kernel), Red Hat (kernel, kernel-rt, and kpatch-patch), and Ubuntu (bash, kernel, linux, linux-aws, linux-hwe, linux-kvm, linux-oracle, linux, linux-aws, linux-kvm, linux-lts-xenial, and vim).
by corbet on (#6KF24)
Man Yue Mo explains how to compromise a Pixel 8 phone even when the Arm memory-tagging extension is in use, by taking advantage of the Mali GPU.
by corbet on (#6KE8F)
Kernel developers have long been told that any attempt to allocate memory might fail, so their code must be prepared for memory to be unavailable. Informally, though, the kernel's memory-management subsystem implements a policy whereby requests below a certain size will not fail (in process context, at least), regardless of how tight memory may be. A recent discussion on the linux-mm list has looked at the idea of making the "too small to fail" rule a policy that developers can rely on.
by jake on (#6KE8G)
Security updates have been issued by Debian (curl, spip, and unadf), Fedora (chromium, iwd, opensc, openvswitch, python3.6, shim, shim-unsigned-aarch64, and shim-unsigned-x64), Mageia (batik, imagemagick, irssi, jackson-databind, jupyter-notebook, ncurses, and yajl), Oracle (.NET 7.0, .NET 8.0, and dnsmasq), Red Hat (postgresql:10), SUSE (chromium, kernel, openvswitch, python-rpyc, and tiff), and Ubuntu (openjdk-8).
by daroc on (#6KCR1)
Cranelift is an Apache-2.0-licensed code-generation backend being developed as part of the Wasmtime runtime for WebAssembly. In October 2023, the Rust project made Cranelift available as an optional component in its nightly toolchain. Users can now use Cranelift as the code-generation backend for debug builds of projects written in Rust, making it an opportune time to look at what makes Cranelift different. Cranelift is designed to compete with existing compilers by generating code more quickly than they can, thanks to a stripped-down design that prioritizes only the most important optimizations.
by jzb on (#6KCNA)
Zach Mitchell has announced the 1.0 release of Flox, a tool that lets its users install packages from nixpkgs inside portable virtual environments, and share those virtual environments with others as an alternative to Docker-style containers. Flox is based on Nix but allows users to skip learning how to work with the Nix language:
by jzb on (#6KCNB)
Sasha Levin has announced the release of the 6.8.1, 6.7.10, 6.6.22, 6.1.82, 5.15.152, 5.10.213, 5.4.272, and 4.19.310 stable kernels. As always, they contain important fixes throughout the tree. Users of those kernels should upgrade.
by jzb on (#6KCAZ)
Security updates have been issued by Debian (composer and node-xml2js), Fedora (baresip), Mageia (fonttools, libgit2, mplayer, open-vm-tools, and packages), Red Hat (dnsmasq, gimp:2.8, and kernel-rt), and SUSE (389-ds, gdb, kernel, python-Django, python3, python36-pip, spectre-meltdown-checker, sudo, and thunderbird).
by corbet on (#6KBFV)
As of this writing, just over 4,900 non-merge changesets have been pulled into the mainline for the 6.9 release. This work includes the usual array of changes all over the kernel tree; read on for a summary of the most significant work merged during the first part of the 6.9 merge window.
by jake on (#6KBC8)
Security updates have been issued by Debian (chromium and openvswitch), Fedora (chromium, python-multipart, thunderbird, and xen), Mageia (java-17-openjdk and screen), Red Hat (.NET 7.0, .NET 8.0, kernel-rt, kpatch-patch, postgresql:13, and postgresql:15), Slackware (expat), SUSE (glibc, python-Django, python-Django1, sudo, and vim), and Ubuntu (expat, linux-ibm, linux-ibm-5.4, linux-oracle, linux-oracle-5.4, linux-lowlatency, linux-raspi, python-cryptography, texlive-bin, and xorg-server).
by corbet on (#6KAYQ)
The LWN.net Weekly Edition for March 14, 2024 is available.
by jzb on (#6KAQ7)
Kaitlyn Abdo of Fedora's AI/ML SIG opened an issue with the Fedora Engineering Steering Committee (FESCo) recently that carried a few tricky questions about packaging machine-learning (ML) models for Fedora. Specifically, the SIG is looking for guidance on whether pre-trained weights for PyTorch constitute code or content. And, if the models are released under a license approved by the Open Source Initiative (OSI), does it matter what data the models were trained on? The issue was quickly tossed over to Fedora's legal mailing list and sparked an interesting discussion about how to handle these items, and a temporary path forward.