LWN.net

Version1.9 of the Julia language has been released. Notable changes includeimproved caching of native code, faster load times via a "packageextensions" mechanism, better memory-usage introspection, and more.

Security updates have been issued by Debian (emacs), Fedora (chromium, community-mysql, and LibRaw), Red Hat (nodejs nodejs-nodemon, nodejs:18, and webkit2gtk3), Slackware (mozilla), SUSE (amazon-ssm-agent, conmon, distribution, docker-distribution, google-cloud-sap-agent, ignition, kernel, ntp, prometheus-ha_cluster_exporter, protobuf-c, python-cryptography, runc, and shim), and Ubuntu (ceph, freetype, and node-css-what).

The Thunderbird email-client project has put out areport describing its financial situation in 2022.

Two members of the FasterCPython team, which was put together at Microsoft at the behest of Guidovan Rossum to work on major performance improvements for CPython, cameto PyCon 2023 to report on what theteam has been working on—and its plans for the future. PEP 659 ("SpecializingAdaptive Interpreter") describes the foundation of the current work, someof whichhas already been released as part of Python 3.11. Brandt Bucher, whogave a popular talk on structural pattern matchingat last year's PyCon, was up first, with a talk on what "adaptive" and"specializing" mean in the context of Python, which we cover here in partone. Mark Shannon, whose proposed planfor performance improvements in 2020 was a major impetus for this work,presented on the past, present, and future of the Python performanceenhancements, which will be covered in part two.

Version113.0 of the Firefox browser is out. Changes include improvedpicture-in-picture support, blocking of third-party cookies in privatewindows, some accessibility improvements, and more. "A 13-year-oldfeature request was fulfilled and Firefox now supports files beingdrag-and-dropped directly from Microsoft Outlook".

Security updates have been issued by Fedora (java-11-openjdk-portable and rubygem-redcarpet), Red Hat (autotrace, bind, buildah, butane, conmon, containernetworking-plugins, curl, device-mapper-multipath, dhcp, edk2, emacs, fence-agents, freeradius, freerdp, frr, fwupd, gdk-pixbuf2, git, git-lfs, golang-github-cpuguy83-md2man, grafana, grafana-pcp, gstreamer1-plugins-good, Image Builder, jackson, kernel, kernel-rt, krb5, libarchive, libguestfs-winsupport, libreswan, libtiff, libtpms, lua, mysql, net-snmp, openssh, openssl, pcs, php:8.1, pki-core, podman, poppler, postgresql-jdbc, python-mako, qemu-kvm, samba, skopeo, sysstat, tigervnc, toolbox, unbound, webkit2gtk3, wireshark, xorg-x11-server, and xorg-x11-server-Xwayland), SUSE (cfengine, cfengine-masterfiles, go1.19, go1.20, libfastjson, python-cryptography, and python-ujson), and Ubuntu (mysql-5.7).

Linus Torvalds released 6.4-rc1 and closed themerge window on May 7. By that time, 13,044 non-mergechangesets had found their way into the mainline repository for the 6.4release. A little over 5,000 of those changesets came in after our summary of the first half of the mergewindow was written. Those changes brought a long list of new featuresand capabilities to the kernel.

Security updates have been issued by Fedora (rust-cargo-c, rust-coreos-installer, rust-fedora-update-feedback, rust-git-delta, rust-gst-plugin-reqwest, rust-pore, rust-rpm-sequoia, rust-sequoia-octopus-librnp, rust-sequoia-policy-config, rust-sequoia-sq, rust-sevctl, rust-tealdeer, and rust-ybaas), Mageia (avahi, git, imagemagick, libfastjson, libxml2, parcellite, and virtualbox), SUSE (containerd, dnsmasq, ffmpeg, git, indent, installation-images, java-17-openjdk, maven and recommended update for antlr3, minlog, sbt, xmvn, ncurses, netty, netty-tcnative, openssl-1_0_0, python-Django1, redis, shim, terraform-provider-helm, and zstd), and Ubuntu (erlang, mysql-5.7, mysql-8.0, ruby2.3, ruby2.5, ruby2.7, and webkit2gtk).

Linus has released 6.4-rc1 and closed themerge window for this development cycle.

Version4.2 of the Yocto Project distribution builder has been released. Itfeatures improved Rust support, a number of BitBake enhancements, lots ofupdated software, and numerous security fixes.

Security updates have been issued by Debian (chromium, evolution, and odoo), Fedora (java-11-openjdk), Oracle (samba), Red Hat (libreswan and samba), Slackware (libssh), SUSE (amazon-ssm-agent, apache2-mod_auth_openidc, cmark, containerd, editorconfig-core-c, ffmpeg, go1.20, harfbuzz, helm, java-11-openjdk, java-1_8_0-ibm, liblouis, podman, and vim), and Ubuntu (linux-aws, linux-aws-hwe, linux-intel-iotg, and linux-oem-6.1).

The SemiAnalysis site has what is said to be aleaked Google document on the state of open-source AI development.Open source, it concludes, is winning.

The 2018 Linux Storage, Filesystem, and Memory-Management (LSFMM)conference included a session onget_user_pages(), an internal kernel interface that can, insome situations, be used in ways that will lead to data corruption orkernel crashes. As the 2023 LSFMM+BPF eventapproaches, this problem remains unsolved and is still the topic of ongoingdiscussion. This patchseries from Lorenzo Stoakes, which is another attempt at a partialsolution, is the latest focus point.

The Red Hat Developer site has anoverview of some of the new C-language features supported by theGCC 13 release.

Security updates have been issued by Fedora (python-sentry-sdk) and Ubuntu (python-django and ruby2.3, ruby2.5, ruby2.7).

The LWN.net Weekly Edition for May 4, 2023 is available.

The Python packaging picture is generally a bit murky; there are lots ofdifferent stakeholders, with disparate wishes and needs, which all adds upto a fairly large set of multi-faceted problems. Back in the first threemonths of the year, we looked at variousdiscussions around packaging, some of which are still ongoing.A packagingsummit was held at PyCon 2023 to bring some of the participants of those discussions together in one room. One of its sessionswas on addinga namespaces feature to the Python PackageIndex (PyPI). It provides a look into some of thedifficulties that can arise, especially when trying to accommodate a long legacy of existingpractices, which is often a millstone around the neck of those trying tomake packaging improvements.

Security updates have been issued by Debian (avahi, kernel, linux-5.10, nodejs, webkit2gtk, and wpewebkit), Gentoo (chromium, google-chrome, microsoft-edge, dbus, dbus-broker, dhcp, firefox, firejail-lts, libapreq2, libsdl, libsdl2, lua, proftpd, python, PyPy3, sudo, syslog-ng, systemd, tor, uptimed, vim, and xfce4-settings), Oracle (emacs and libwebp), Red Hat (libwebp), Scientific Linux (libwebp), and SUSE (ceph, ffmpeg-4, git, pdns-recursor, and shim).

Version 3.21.0 of the Valgrindcode-analysis tool is out. Changes include better integration with the GDB debugger, better checks for non-portablerealloc() calls, and a number of other improvements.

The Guix project ("a transactionalpackage manager and an advanced distribution of the GNU system") has announceda milestone toward its goal of bootstrapping an entire distribution fromsource:

Security updates have been issued by Debian (libdatetime-timezone-perl and tzdata), Fedora (chromium), Red Hat (emacs and libwebp), Slackware (netatalk), and Ubuntu (php7.0).

No data structures found in the Linux kernel — at least, in any versionthat escaped from Linus Torvalds's development machine — are older than thebuffer head. Like many other legacies from the early days of Linux, bufferheads have been targeted for removal for years. They persist, though,despite the problems they present. Now, Christoph Hellwig has posted a patchseries that enables the building of a kernel without buffer heads — butthe cost of doing so at this point will be more than most want to pay.

Greg Kroah-Hartman has announced the 6.3.1,6.2.14, 6.1.27, and 5.15.110 stable kernels. They all contain afairly small collection of important fixes. Note that there is a reportof build problems in the wireguard subsystem for the 6.1.27 and 5.15.110kernels, so we may see updates for those fairly soon.

Security updates have been issued by Debian (distro-info-data, ffmpeg, jackson-databind, jruby, libapache2-mod-auth-openidc, libxml2, openvswitch, sniproxy, and wireshark), Fedora (git, libsignal-protocol-c, php-nyholm-psr7, python-setuptools, rust-askama, rust-askama_shared, rust-comrak, thunderbird, and webkitgtk), SUSE (git, glib2, shadow, thunderbird, and webkit2gtk3), and Ubuntu (Apache Commons Net, git, linux-azure-5.15, linux-azure-fde, linux-kvm, linux-ibm-5.4, linux-snapdragon, netty, and ZenLib).

Version4.9 of the SystemTap tracing tool has been released. The headlinechanges this time include a new, Jupyter-based frontend and alanguage-server-protocol interface for name completion.

As of this writing, nearly 7,500 non-merge changesets have been pulled intothe mainline repository for the 6.4 kernel release. The 6.4 merge windowis thus clearly off and running, with a number of significant changesmerged already. Read on for a summary of the most significant pulledso far.

For those who are waiting for the upcoming Debian "bookworm" release, thedate hasnow been set: it's coming out on June 10. The full-freeze datefor the distribution will be May 24.

Security updates have been issued by Fedora (git, libpcap, php-laminas-diactoros2, php-nyholm-psr7, tcpdump, and xen), Oracle (cloud-init), Scientific Linux (kernel), SUSE (conmon, docker, glib2, glibc, libmicrohttpd, libX11, liferea, python3, qemu, rubygem-actionview-5_1, s390-tools, stellarium, vim, and xen), and Ubuntu (linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-4.15, linux-azure-5.4, linux-gcp, linux-gcp-4.15, linux-gcp-5.4, linux-gke, linux-gkeop, linux-hwe, linux-hwe-5.4, linux-ibm, linux-kvm, linux-oracle, linux-oracle-5.4 and openssl-ibmca).

When the developers of the Linux security module (LSM) subsystem findthemselves disagreeing with other kernel developers, it tends to be becausethose other developers don't think to — or don't want to — add securityhooks to their shiny new subsystems. Sometimes, though, the addition ofnew hooks by non-LSM developers can also create some friction. AndriiNakryiko's posting of a pair ofBPF-related security hooks raised a couple of interesting questions,one of which spurred a fair amount of discussion, and one that did not.

Security updates have been issued by Fedora (chromium, perl-Alien-ProtoBuf, and redis), Oracle (kernel), SUSE (dmidecode, fwupd, libtpms, libxml2, openssl-ibmca, and webkit2gtk3), and Ubuntu (cloud-init, ghostscript, linux, linux-aws, linux-aws-5.15, linux-azure, linux-gke, linux-gke-5.15, linux-gkeop, linux-hwe-5.15, linux-ibm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-oracle, linux-oracle-5.15, linux, linux-aws, linux-azure, linux-gcp, linux-hwe-5.19, linux-ibm, linux-kvm, linux-lowlatency, linux-oracle, linux-raspi, and linux, linux-aws, linux-kvm, linux-lts-xenial).

The LWN.net Weekly Edition for April 27, 2023 is available.

Longtime Pythonista Ned Batchelder gave the first of four keynotes at PyCon's20th-anniversary edition, PyCon 2023, which was heldApril 19-27 in Salt Lake City, Utah. In fact, it is still being heldat the time of this writing; the sprints continue for four days after thethree days of main-conference talks. Batchelder presented his thoughts oncommunication, how it can often go awry for technical people, and how tomake it work better.

The6.2.13,6.1.26,5.15.109,5.10.179,5.4.242,4.19.282, and4.14.314stable kernels have all been released; each contains another set ofimportant fixes and updates.

Version13.1 of the GCC compiler suite has been released.

Security updates have been issued by Fedora (chromium, lilypond, and lilypond-doc), Oracle (java-1.8.0-openjdk), Red Hat (emacs, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, kernel, kernel-rt, pesign, and virt:rhel, virt-devel:rhel), Scientific Linux (java-1.8.0-openjdk and java-11-openjdk), Slackware (git), SUSE (fwupd, git, helm, and runc), and Ubuntu (firefox, golang-1.18, linux-hwe-5.15, and openssl, openssl1.0).

Static-site generators are tools that generateHTML pages from source files, often written in Markdown oranother markup language. They have built-in templates and themes, which allowsdevelopers to create lightweight and secure web sites that can be easilymaintained using version control. One of these tools is Nikola, written in Python.

There is a newstable Git release containing fixes for three separate securityvulnerabilities. The fixes have also been backported to the older v2.39.3,v2.38.5, v2.37.7, v2.36.6, v2.35.8, v2.34.8, v2.33.8, v2.32.7, v2.31.8, andv2.30.9 releases. Sites using Git in untrusted environments — or withuntrusted input — should probably upgrade soon.

Philip Herron and Arthur Cohen have posted anupdate on the status of gccrs — the GCC frontend for the Rust language— and why it will not be a part of the upcoming GCC 13 release.

Security updates have been issued by CentOS (firefox, java-11-openjdk, and thunderbird), Debian (apache2), Fedora (kernel), Oracle (emacs), Red Hat (emacs, haproxy, java-1.8.0-openjdk, kernel, kernel-rt, kpatch-patch, pcs, pki-core:10.6, and qatzip), and SUSE (avahi, cdi-apiserver-container, cdi-cloner-container, cdi- controller-container, cdi-importer-container, cdi-operator-container, cdi- uploadproxy-container, cdi-uploadserver-container, cont, giflib, kernel, kubevirt, virt-api-container, virt-controller-container, virt-handler-container, virt-launcher-container, virt-libguestfs-tools- container, virt-operator-container, ovmf, and protobuf-c).

The 6.3 kernel was releasedon April 24 after a nine-week development cycle. As is the case withall mainline releases, this is amajor kernel release with a lot of changes and a big pile of new features.The time has come, yet again, for a look at where that work came from andwho supported it.

Security updates have been issued by Debian (389-ds-base, chromium, connman, curl, redis, and thunderbird), Fedora (ceph, doctl, dr_libs, ffmpeg, freeimage, golang-github-digitalocean-godo, insight, libreswan, mingw-binutils, mingw-freeimage, mingw-freetype, openvswitch, rnp, suricata, webkitgtk, and wireshark), Mageia (dnsmasq, emacs, openimageio, php-smarty, redis, squirrel/supertux, and tcpdump), Red Hat (emacs), and SUSE (avahi, chromium, dmidecode, indent, jettison, openssl, openstack-cinder, openstack-nova, python-oslo.utils, and ovmf).

Linus has released the 6.3 kernel asexpected.

This ten days old but hopefully better late than never: the Python SoftwareFoundation has put out anarticle describing how the proposed European "cyber resilience act"threatens the free-software community.

The concept of movable memory was initially designed for hot-pluggablememory on server-class systems, but it would now appear that this mechanismis finding a new use in consumer-electronics devices as well. Thedesignated movable block patch set was first submittedby Doug Berger in September 2022. By adding more flexibility around theconfiguration and use of movable memory, this work will, it is hoped, improve howLinux performs on resource-constrained systems.

The Python Package Index (PyPI) has, likemany language-specific repositories, had ongoing problems with malicious uploads. PyPIis now launching an authentication mechanism called trustedpublishers in an attempt to fight this problem.

Security updates have been issued by Debian (golang-1.11 and libxml2), Fedora (chromium, dr_libs, frr, ruby, and runc), Oracle (java-11-openjdk and java-17-openjdk), Red Hat (emacs, httpd and mod_http2, kpatch-patch, and webkit2gtk3), SUSE (libmicrohttpd, nodejs16, ovmf, and wireshark), and Ubuntu (kauth and patchelf).

GNOME is, of course, a widely-useddesktop environment for Linuxsystems; on March 22, the project released GNOME 44,codenamed "Kuala Lumpur". This version features enhancements to the settings panels, quick settings, the files application, and an updated filechooser with a grid view, among others. The full list of changes canbe seen in the releasenotes available on the GNOME website.

The Ubuntu 23.04 release is out. Headline features include a newinstaller, GNOME 44, Azure Active Directory authentication, and more.

Distributors have been enabling the SELinux security module for nearly20 years now, and many administrators have been disabling it on theirsystems for almost as long. There are a few ways in which SELinux can bedisabled on any given system, including command-line options, a run-timeswitch, or simply not loading a policy after boot. One of those ways,however, is about to be disabled itself.

The latest crop of stable kernels is out; 6.2.12, 6.1.25, 5.15.108, 5.10.178, 5.4.241, 4.19.281, and 4.14.313 have been released. As is usual,they all contain important fixes throughout the kernel tree.