LWN.net

There's just something about trains—model trains in particular. At Everything Open 2023, PaulAntoine spoke about his experiences with the DCC-EX project, which has a variety ofmodel-railroad automation hardware designs and software tools, all of whichare freely available. There is a long legacy of sharing within the modelrailroading hobby, which continues today in the form of free and open-sourcesoftware for it.

The Debian project has reportedon a survey of developers on the use of project funds to supportdevelopment work.

The5.15.106,5.10.177,5.4.240,4.19.280, and4.14.312stable kernel updates have been released, each with another set ofimportant fixes.The 6.2.10and 6.1.23updates are also in the works, but have ended up going through additionalrounds of review; they could be released almost any time.

Security updates have been issued by Debian (ghostscript and openimageio), Fedora (kernel, rubygem-actioncable, rubygem-actionmailbox, rubygem-actionmailer, rubygem-actionpack, rubygem-actiontext, rubygem-actionview, rubygem-activejob, rubygem-activemodel, rubygem-activerecord, rubygem-activestorage, rubygem-activesupport, rubygem-rails, and rubygem-railties), Oracle (gnutls, httpd, kernel, nodejs:16, nodejs:18, pesign, postgresql:13, tigervnc, and tigervnc, xorg-x11-server), Red Hat (gnutls, httpd, httpd:2.4, kernel, kpatch-patch, pcs, pesign, postgresql:13, tigervnc, and tigervnc, xorg-x11-server), Scientific Linux (httpd and tigervnc, xorg-x11-server), SUSE (aws-efs-utils.11048, libheif, liblouis, openssl, python-cryptography, python-Werkzeug, skopeo, tomcat, and wireshark), and Ubuntu (imagemagick, ipmitool, and node-trim-newlines).

Mobian is a project that aims to bring the Debian distribution to mobile devices suchas smartphones and tablets. By building on the flexibility, stability, and community-drivendevelopment of Debian, Mobian aspires to create a powerful anduser-friendly alternative to existing mobile operating systems. The projectis actively working on reducing the delta between Mobian and Debian, and itsultimate goal is to be absorbed back into its parent distribution and tomake it easy to run Debian on mobile devices.

The first call forvotes for the 2023 Debian Project Leader election has gone out. Thecampaigning was easy to miss this year, for one simple reason: the currentincumbent, Jonathan Carter, is running unopposed for another term. Thatsuggests that turnout will be low this time but, as several developers havepointed out, there is still value in voting; it clarifies whether Carterstill has the support of the project.

Security updates have been issued by Fedora (openbgpd and seamonkey), Red Hat (httpd:2.4, kernel, kernel-rt, and pesign), SUSE (compat-openssl098, dpdk, drbd, ImageMagick, nextcloud, openssl, openssl-1_1, openssl-3, openssl1, oracleasm, pgadmin4, terraform-provider-helm, and yaml-cpp), and Ubuntu (haproxy, ldb, samba, and vim).

The kernel has a well-developed mechanism for the control of tracing ofevents in kernel space. Developers often want to be able to trace user-spaceactivity as well, using the same interfaces, but that mode is rather lesswell supported. One year ago, an attempt toadd an API for the control of user-space trace events ran into troubleand has never been fully enabled. Now, Beau Belgrave is back with areworked API that may finally result in this mechanism becominggenerally available.

Security updates have been issued by Debian (duktape, firmware-nonfree, intel-microcode, svgpp, and systemd), Fedora (amanda, dino, flatpak, golang, libldb, netconsd, samba, tigervnc, and vim), Red Hat (nodejs:14), Slackware (ruby and seamonkey), SUSE (drbd, flatpak, glibc, grub2, ImageMagick, kernel, runc, thunderbird, and xwayland), and Ubuntu (amanda).

The 6.3-rc5 kernel prepatch is out fortesting. "This release continues to appear very normal and boring,which is just how I like it. The commit count says that we've startedcalming down right on schedule, and the diffstat looks normal too."

The Mozilla project celebrates25 years of existence.

As a general rule, the purpose behind mounting a filesystem is to make thatfilesystem's contents visible to the system, or at least to the mountnamespace where that mount occurs. For similar reasons, it is unusual tomount one filesystem on top of another, since that would cause the contentsof the over-mounted filesystem to be hidden. There are exceptions toeverything, though, and that extends to mounted filesystems; a"tucking" mechanism proposed by Christian Brauner is designed to hidemounted filesystems underneath other mounts — temporarily, at least.

Security updates have been issued by Debian (joblib, json-smart, libmicrohttpd, and xrdp), Fedora (thunderbird and xorg-x11-server-Xwayland), Mageia (dino, perl-Cpanel-JSON-XS, perl-Net-Server, snort, tigervnc/x11-server, and xapian), SUSE (curl, kernel, openssl-1_0_0, and shim), and Ubuntu (glusterfs, linux-gcp-4.15, musl, and xcftools).

The X.Org project has announced a vulnerability in its X server and Xwayland (CVE-2023-1393).

The kernel's hierarchical maintainer model works quite well from thestandpoint of allowing thousands of developers to work together without(often) stepping on each others' toes. But that model can also make lifepainful for developers who are trying to make changes across numeroussubsystems. Other possible source of pain include changes related tolicensing or those where maintainers don't understand the purpose of thework. Nick Alcock has managed to hit all of those hazards together in hiseffort to perform what would seem like a common-sense cleanup of thekernel's annotations for loadable modules.

Greg Kroah-Hartman has announced the release of the 6.2.9, 6.1.22,5.15.105, and 5.4.239 stable kernels. The latter (5.4.239)has single patch to fix the permissions of a selftest file, while the otherthree have a lengthy list of important fixes throughout the kernel tree.

Security updates have been issued by Debian (xorg-server and xrdp), Fedora (mingw-python-certifi, mingw-python3, mingw-zstd, moodle, python-cairosvg, python-markdown-it-py, redis, xorg-x11-server, and yarnpkg), Slackware (mozilla and xorg), SUSE (grub2, ldb, samba, libmicrohttpd, python-Werkzeug, rubygem-rack, samba, sudo, testng, tomcat, webkit2gtk3, xorg-x11-server, xstream, and zstd), and Ubuntu (linux, linux-aws, linux-dell300x, linux-kvm, linux-oracle, linux-raspi2, linux-aws-5.4, linux-azure-5.4, linux-gcp-5.4, linux-hwe-5.4, linux-ibm-5.4, linux-oracle-5.4, linux-raspi-5.4, linux-gke, linux-gke-5.15, linux-ibm, linux-kvm, php-nette, and xorg-server, xorg-server-hwe-18.04, xwayland).

The LWN.net Weekly Edition for March 30, 2023 is available.

The fourth and final keynote forEverything Open 2023 was givenby Professor Rebecca Giblin of the Melbourne Law School, University ofMelbourne. It revolved around her recent book, Chokepoint Capitalism,which she wrote with Cory Doctorow; it is "a book about why creativelabor markets are rigged — and how to unrig them". Giblin had plannedto be in Melbourne to give her talk in person, but "the universe had otherplans"; she got delayed in Austin,Texas by an unexpected speaking slot at the South by Southwest (SXSW) conference, so she gave her talk via videoconference from there—atnearly midnight in Austin.

Immutable Linux distributions are on the rise recently, with multiplepopular distributions creating their own immutable versions; itcould be one of the trends of 2023, aspredicted. While many of these immutabledistributions are focused on server use, there are also some that offer adesktop experience. OpenSUSE MicroOSDesktop is one of them, with a minimal openSUSE Tumbleweed as thebase operating system and applications running as Flatpaks or in containers. In its daily use,it feels a lot like a normal openSUSE desktop. Its biggest benefit isavailability of the newest software releases without sacrificing systemstability.

Curl maintainer Daniel Stenberg expressessome frustrations with the vulnerability notification policiesmaintained by the distros mailing list.

Security updates have been issued by Debian (unbound and xorg-server), Fedora (stellarium), Oracle (kernel), SUSE (apache2, oracleasm, python-Werkzeug, rubygem-loofah, sudo, and tomcat), and Ubuntu (git, kernel, and linux-hwe-5.19).

Canonical recently announcedthat it will no longer ship Flatpak aspart of its default installation for the various official Ubuntu flavors,which is in keeping with the practices of the core Ubuntu distribution. TheFlatpak package format has gained popularity among Linux usersfor its convenience and ease of use. Canonical will focus exclusively on its ownpackage-management system, Snap. Thedecision has caused disgruntlementamong some community members, who felt like the distribution was makingthis decision without regard for its users.

Security updates have been issued by Debian (dino-im and runc), Fedora (qemu), Red Hat (firefox), SUSE (chromium, containerd, docker, kernel, and systemd), and Ubuntu (graphicsmagick, linux-azure, linux-gcp, linux-oem-5.14, linux-oem-5.17, linux-oem-6.0, linux-oem-6.1, and node-url-parse).

The open()system call offers a number of flags that modify its behavior; not allcombinations of those flags make sense in a single call. It turns out,though, that the kernel has responded in a surprising way to thecombination of O_CREAT and O_DIRECTORY for a long time.After a 2020 change made that response even more surprising, it seemslikely that this behavior will soon be fixed, resulting in a rare user-visiblesemantic change to a core system call.

Version 5.0 of the GnuCash accounting tool is out. Changes include anumber of investment-tracking improvements, better completion in theregister window, a reworked report-generation system, and more.

Security updates have been issued by Debian (libreoffice and xen), Fedora (chromium, curl, and xen), Red Hat (kernel, kernel-rt, kpatch-patch, and thunderbird), Scientific Linux (thunderbird), Slackware (tar), SUSE (apache2, ceph, curl, dpdk, helm, libgit2, and php7), and Ubuntu (firefox and thunderbird).

Linus has released 6.3-rc4 for testing."Things are looking pretty normal for this time of the releaseprocess."

Matthew Garrett looks atthe recent disclosure of GitHub's private host key, how it probablycame about, and what a better approach to key management might look like.

Support for shadow stacks on the x86 architecture has been long in coming;LWN first covered this work in 2018. Afterfive years and numerous versions, though, it would appear thatuser-space shadow stacks on x86 might just be supported in the 6.4 kernelrelease. Getting there has required a few changes since we last caught up with this work in early 2022.

Security updates have been issued by Debian (chromium, libdatetime-timezone-perl, and tzdata), Fedora (flatpak and gmailctl), Mageia (firefox, flatpak, golang, gssntlmssp, libmicrohttpd, libtiff, python-flask-security, python-owslib, ruby-rack, thunderbird, unarj, and vim), Red Hat (firefox, kpatch-patch, nss, openssl, and thunderbird), SUSE (containerd, hdf5, qt6-base, and squirrel), and Ubuntu (amanda, gif2apng, graphviz, and linux, linux-aws, linux-azure, linux-gcp, linux-ibm, linux-kvm, linux-lowlatency, linux-oracle, linux-raspi).

Just over 27 years ago, John Perry Barlow's declaration of theindependence of Cyberspace claimed that governments "have nosovereignty" over the networked world. In 2023, we have ample reasonto know better than that, but we still expect the free-software communityto be left alone by the affairs of governments much of the time. A coupleof recent episodes related to the war in Ukraine are making it clear thatthere are limits to our independence.

Security updates have been issued by CentOS (firefox, nss, and openssl), Fedora (firefox, liferea, python-cairosvg, and tar), Oracle (openssl and thunderbird), Scientific Linux (firefox, nss, and openssl), SUSE (container-suseconnect, grub2, libplist, and qemu), and Ubuntu (amanda, apache2, node-object-path, and python-git).

The LWN.net Weekly Edition for March 23, 2023 is available.

The concept of copyleft iscompelling in a lot of ways, at least for those who want to promotesoftware freedom in the world. Bradley Kuhn is certainly one of thosepeople and has long been working on various aspects of copyleft licensingand compliance, along with software freedom. He came to Everything Open 2023 to talkabout copyleft, some of its history—and flaws—and to look toward the futureof copyleft.

The6.2.8,6.1.21,5.15.104,5.10.176,5.4.238,4.19.279, and4.14.311stable kernel updates have all been released; each contains another set ofimportant fixes.

Version44 of the GNOME desktop environment has been released. "Thisrelease brings a grid view in the file chooser, improved settings panelsfor Device Security, Accessibility, etc, and refined quick settings in theshell. The Software and Files apps have seen improvements, and a whole slewof new apps has joined the GNOMECircle". See the releasenotes for details.

Security updates have been issued by Fedora (firefox), Oracle (kernel, kernel-container, and nss), and SUSE (curl, dpdk, drbd, go1.18, kernel, openstack-cinder, openstack-glance, openstack-neutron-gbp, openstack-nova, python-oslo.utils, oracleasm, python3, slirp4netns, and xen).

Version 20 of the Java SE platformhas been released. See the features list for anoverview of the big additions, or the release notes for thedetails.

At the end of 2022, Paulus Schoutsen declared 2023 "theyear of voice" for HomeAssistant, the popular open-source home-automation project that hefounded nine years ago. The project's goal this year is to let userscontrol their home with voice commands in their own language, using offlineprocessing instead of sending data to the cloud. Offline voice control hasbeen the holy grail of open-source home-automation systems foryears. Several projects have tried and failed. But with Rhasspy's developer Mike Hansenspearheading Home Assistant's voice efforts, this time things could bedifferent.

Security updates have been issued by Debian (apache2), Oracle (firefox, nss, and openssl), Slackware (curl and vim), SUSE (dpdk, firefox, grafana, oracleasm, python-cffi, python-Django, and qemu), and Ubuntu (ruby2.7, sox, and tigervnc).

Version 9.2 of the GNU coreutils collection — the home of common tools likecp, mv, ls, rm, and more — is out. Thechanges are mostly minor; numerous bugs have been fixed and a few newcommand-line options have been added.

The kernel's direct map makes all of a system's physical memory availableto the kernel within its address space — on 64-bit systems, at least. Thisseemingly simple feature has proved to be hard to maintain, in the face ofthe requirements faced by current systems, while keeping good performance.The latest attempt to address this issue is this patchset from Mike Rapoport adding more direct-map awareness to the kernel'spage allocator.

Security updates have been issued by Debian (firefox-esr, imagemagick, sox, thunderbird, and xapian-core), Fedora (chromium, containernetworking-plugins, guile-gnutls, mingw-python-OWSLib, pack, pypy3.7, sudo, thunderbird, tigervnc, and vim), Mageia (apache, epiphany, heimdal, jasper, libde265, libtpms, liferea, mysql-connector-c++, perl-HTML-StripScripts, protobuf, ruby-git, sqlite3, woodstox-core, and xfig), Oracle (kernel), Red Hat (firefox, nss, and openssl), SUSE (apache2, docker, drbd, kernel, and oracleasm), and Ubuntu (curl, python2.7, python3.10, python3.5, python3.6, python3.8, and vim).

Daniel Stenberg observesthe 25th anniversary of the curl project.

The 6.3-rc3 kernel prepatch is out fortesting. "So rc3 is fairly big, but that's not hugely usual: it's whena lot of the fixes tick up as it takes a while before people find and startreporting issues."

Version16.0.0 of the LLVM compiler suite has been released. As usual, thelist of changes is long; see the specific release notes forLLVM,Clang,Libc++,and others linked from the announcement.

The Free Software Foundation has announcedthe recipients of this year's Free Software Awards:

BPF programs destined to be loaded into the kernel are generally written inC but, increasingly, the environment in which those programs run differssignificantly from the C environment. The BPF virtual machine andassociated verifier make a growing set of checks in an attempt to make BPFcode safe to run. The proposed addition of an iterator mechanism to BPFhighlights the kind of features that are being added — as well as theconstraints placed on programmers by BPF.

The 6.2.7, 6.1.20, 5.15.103, 5.10.175, 5.4.237, 4.19.278, and 4.14.310 stable kernels have been released.As usual, they contain important fixes throughout the kernel tree; usersshould upgrade.