Feed lwn LWN.net

Favorite IconLWN.net

Link https://lwn.net/
Feed http://lwn.net/headlines/rss
Updated 2025-04-08 13:15
OpenInfra board calls for input on joining Linux Foundation
Jonathan Bryce has announced two open community meetings to hearinput on the topic of the OpenInfraFoundation migrating to the Linux Foundation. Brycewrote that the OpenInfra board has carefully evaluated its options,and sees joining the Linux Foundation as the best way forward.Like the Linux Foundation, the OpenInfra Foundation is 501(c)(6)nonprofit. According to the FAQ,OpenInfra "is in great health, financially and otherwise" witha growth in membership of about 15% in the last year. However, itsneeds in 2025 are different than when it was founded as the OpenStackFoundation in 2012.
LibreOffice 25.2 released
Version 25.2 of the LibreOffice productivity suite is out. Changes includethe ability to remove all personal information from any document, supportfor ODF version1.4, a number of accessibility improvements, and more;see therelease notes for details.
OpenWrt 24.10.0 released
Version24.10.0 of the OpenWrt router-oriented distribution has been released.Changes include an update to the 6.6 kernel, use of access control lists onlarger systems, multipath TCP support, better WiFi6 support, thebeginning of WiFi7 support, and more.
[$] The selfish contributor revisited
Open source is often described as a "gift economy"-anecosystem where contributors are motivated by a desire to make theworld a better place. That is, sometimes, true. However, JamesBottomley used his maintrack slot at FOSDEM 2025,on February1, to make the case that it is better to bank on theselfish motivations of individuals to drive community success than torely on their altruism.
Security updates for Thursday
Security updates have been issued by Debian (asterisk and chromium), Fedora (FlightGear, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-latest-openjdk, and SimGear), Mageia (bind, chromium-browser-stable, python-django, and vim), Oracle (buildah, bzip2, firefox, keepalived, mariadb:10.11, and podman), Slackware (curl, mariadb, and mozilla), SUSE (cargo-audit-advisory-db-20250204 and python311-scikit-learn), and Ubuntu (ckeditor, krb5, and ruby2.7).
[$] LWN.net Weekly Edition for February 6, 2025
Inside this week's LWN.net Weekly Edition:
Servo in 2024: stats, features and donations
The Servo Rust-based renderingengine project has publishedan article summarizing its progress in2024, and plans for thefuture:
LWN site tour 2025
Over the past year or so, LWN has added a number of useful newfeatures for our subscribers to enhance the experience of reading andcommenting on our content. Those features are of little use, however,to readers who do not know about them. It has been more than a decadesince we last provided atour of the site-it seems that another is inorder. Walk this way for a look at the LWN kernel source database (KSDB),enhanced commenting features, EPUB downloads, and more.
[$] Exposing concurrency bugs with a custom scheduler
Jake Hillion gavea presentation atFOSDEM about usingsched_ext, the BPFscheduling framework that was introduced in kernel version 6.12, to help findelusive concurrency problems. In collaboration with Johannes Bechberger, he hasbuilt a scheduler that can reveal theoretically possible but unobservedconcurrency bugs in test code in a few minutes. Since their scheduler onlyrelies on mainline kernel features, it can theoretically be applied to anyapplication that runs on Linux - although there are a number of caveats sincethe project is still in its early days.
Security updates for Wednesday
Security updates have been issued by Debian (firefox-esr), Fedora (fastd, ovn, and yq), Mageia (libreoffice), Slackware (mozilla), SUSE (google-osconfig-agent, grafana, helm, and rime-schema-all), and Ubuntu (linux-azure, linux-azure-5.4, linux-lowlatency, openjdk-17, openjdk-21, openjdk-23, openjdk-8, and openjdk-lts).
[$] An update on sealed system mappings
Jeff Xu has been working ona patch set that makes certain mappings in a process's address spaceimpossible to change, sealing them against tampering. This has some potentialsecurity benefits - mainly, makingsure that someone cannot relocate thevsyscall andvDSO mappings - but some kernel developers haven'tbeen impressed with the patches.While the core functionality (sealing the mappings) is sound, some of thesupporting code for enabling and disabling the new feature caused concern bygoing against the normal design for such things. Reviewers also questionedhow this feature would interact with checkpointing and with sandboxing.
Firefox 135.0 released
Version135.0 of the Firefox web browser has been released. Changes includemore languages for the translations feature, increasing roll-out of thecredit-card autofill and AI chatbot features, and (perhaps most welcome):
Security updates for Tuesday
Security updates have been issued by Debian (openjdk-17), Fedora (chromium, fastd, ovn, and yq), Mageia (libxml2 and redis), Oracle (gstreamer1-plugins-base, gstreamer1-plugins-good), Red Hat (buildah, bzip2, galera, mariadb, grafana, keepalived, libsoup, mariadb:10.11, mariadb:10.5, mingw-glib2, podman, python-jinja2, and rsync), SUSE (bind, ignition, java-11-openjdk, java-17-openjdk, krb5, libxml2, openssl-1_1, orc, python-asteval, rsync, and xrdp), and Ubuntu (harfbuzz, libndp, libvpx, and opencv).
[$] The rest of the 6.14 merge window
By the time that Linus Torvalds released6.14-rc1 and closed the merge window for this development cycle, some9,307 non-merge changesets had been pulled into the mainlinerepository - the lowest level of merge-window activity seen in years.There were, nonetheless, a number of interesting changes in the5,000 commits pulled since thefirst-half merge-window summary was written.
What’s new in GTK, winter 2025 edition
Matthias Clasen has written a short update on a GTK hackfest thattook place at FOSDEM and what'scoming in GTK 4.18. This includes fixes for pointer sizes in Waylandwhen fractional scaling is enabled, removal of the old GL renderer infavor of the GLrenderer introduced in GTK4.13.6, and deprecation of X11 and Broadway backends with intentto remove them in GTK 5.The deprecated backends will remain available until then, and noaction is required by developers at this time, Clasen wrote: "Thereis no need to act on deprecations until you are actively porting yourapp to the next major version of GTK, which is not on the horizonyet".
Security updates for Monday
Security updates have been issued by AlmaLinux (git-lfs, libsoup, and unbound), Debian (dcmtk, ffmpeg, openjdk-11, pam-u2f, and python-aiohttp), Fedora (buku, chromium, jpegxl, nodejs18, nodejs20, and rust-routinator), Mageia (clamav, kernel, kmod-virtualbox, kmod-xtables-addons & dwarves, and kernel-linus), SUSE (apptainer, bind, buildah, chromedriver, clamav, dovecot24, ignition, kubelogin, libjxl, libQt5Bluetooth5-32bit, orc, owasp-modsecurity-crs, python-pydantic, python311-ipython, and stb), and Ubuntu (linux-azure and netdata).
Kernel prepatch 6.14-rc1
Linus has released 6.14-rc1 and closed themerge window for this release.
GNU Binutils 2.44 Released
Version 2.44 of the GNU Binutils package has been released. Perhaps themost significant change is the absence of the "gold" linker, which isdeprecated and about to disappear entirely. Gold appeared in 2008 with some fanfare as a fasterlinker, but it has suffered from a lack of maintenance in recent years.This release also includes some architecture-specific assemblerimprovements, and some (non-gold) linker enhancements.
Stable kernel updates for Saturday
The6.13.1,6.12.12,6.6.75,6.1.128,5.15.178,5.10.234, and5.4.290stable kernel updates have all been released; each contains another set ofimportant fixes.
[$] New horizons for Julia
Julia, a free, general-purposeprogramming language aimed at science, engineering, and related arenas oftechnical computing, has steadily improved and widened its scope ofapplication since its initial publicrelease in2012. As part of its 1.11release from late 2024, Julia made several inroads into areasoutside of its traditional focus, provided its users with advances intooling, and has seen several improvements in performance and programmerconvenience. These recent developments in andaround Julia go a long way to answer several longstanding complaints fromboth new and experienced users. We last lookedin on the language one year ago,for its previous major release, Julia1.10.
[$] A look at the openSUSE board election
The election to replace outgoing openSUSE board members isunderway, with four candidates vying for three seats. The election wasinitially scheduled to be completed in December, but the timeline was extendeddue to too few candidates standing for the seats. Voting closes onFebruary2 and the results are expected to be announced onFebruary3.
The Linux Foundation on global regulations and sanctions
The Linux Foundation has published itslong-awaited article on international sanctions and open-sourcedevelopment. This is the reasoning that went into the removal of a group of Russian kernelmaintainers in October.
Security updates for Friday
Security updates have been issued by AlmaLinux (libsoup), Debian (debian-security-support and redis), Fedora (expat, java-21-openjdk, lemonldap-ng, and phpMyAdmin), Mageia (chromium-browser-stable and git-lfs), Oracle (bzip2, git-lfs, libsoup, mariadb:10.11, mariadb:10.5, python-jinja2, redis, and unbound), Red Hat (git-lfs, libsoup, python-jinja2, rsync, and unbound), SUSE (buildah, chromium, google-osconfig-agent, govulncheck-vulndb, hauler, ignition, krb5, libxml2, python311-pydantic, SDL2_sound, and trivy), and Ubuntu (jquery, linux-azure, linux-azure-4.15, linux-azure-5.15, linux-hwe-5.4, linux-oracle, and mysql-8.0).
[$] Resistance to Rust abstractions for DMA mapping
While the path toward the ability to write device drivers in Rust has beenanything but smooth, steady progress has been made and that goal is closeto being achieved - for some types of drivers at least. Device driversneed to be able to set up memory areas for direct memory access (DMA)transfers, though; that means Rust drivers will need a set ofabstractions to interface with the kernel's DMA-mapping subsystem. Thoseabstractions have run into resistance that has the potential to blockprogress on the Rust-for-Linux project as a whole.
Freedesktop looking for new home for its GitLab instance
Visitors to the freedesktop.orgGitLab instance are currently being greeted with a message noting thatthe company who has been hosting it for free for nearly five years, Equinix, hasasked that it be moved (or start being paid for) by the end of April. Theissueticket opened by Benjamin Tissoires in order to track the planning of a move is clear that the project is grateful forthe gift:"First, I'd like to thank Equinix Metal for the years of support they gave us. They were very kind and generous with us and even if it's a shame we have to move out on a short notice, all things come to an end."The current cost for the services, much of which is for 50TB of bandwidth data transferper month and a half-dozen beefy servers for running continuous-integration(CI) jobs, comes to around $24,000 per month. Tissoires believes that theproject should start paying for service somewhere, in order to avoidupheaval of this sort, sometimes on short or no notice. "I personallythink we better have fd.o pay for its own servers, and then have sponsorschip in. This way, when a sponsor goes away, it's technically much simplerto just replace the money than change datacenter." Various options arebeing discussed there, but any move is likely to disrupt normal servicesfor a week or more.
GNU C Library 2.41 released
Version 2.41 of the GNUC Library has been released. Changes include a number of test-suiteimprovements, strict-error support in the DNS stub resolver, wrappers forthe the sched_setattr()and sched_getattr() system calls,Unicode 16.0.0 support,improved C23 support,support for extensible restartablesequences,Guarded Control Stack support on 64-bit Arm systems,and more.
Security updates for Thursday
Security updates have been issued by AlmaLinux (redis:7), Debian (bind9, chromium, flightgear, pam-u2f, and simgear), Red Hat (fence-agents, git-lfs, libsoup, python3.9, rsync, and traceroute), Slackware (bind), SUSE (apache2-mod_security2, corepack22, go1.24, hplip, ignition, iperf, kernel, kernel-devel-longterm, nginx, nodejs22, openvpn, owasp-modsecurity-crs, and shadow), and Ubuntu (bind9, jinja2, libxml2, linux-lowlatency-hwe-6.8, php7.0, tomcat6, and vlc).
Thunderbird moving to monthly updates in March
The Thunderbird project has announcedthat it is making its Releasechannel the default download beginning with the 135.0 release inMarch. This will move users to major monthly releases instead of theannual major Extended Support Release (ESR) that is the currentdefault.
[$] LWN.net Weekly Edition for January 30, 2025
Inside this week's LWN.net Weekly Edition:
Incus 6.9 released
Version 6.9 of the Incus container and virtual-machine management system has been released. Changes include a command to provide virtual machine memory dumps, ability to set network ACLs for instances on bridged networks, and more.
LWN in EPUB format
For years we have had occasional requests to be able to receive LWN ina format for ebook readers. It took a while, but we are now happy toannounce that all of LWN's feature content is available, to subscribers atthe "professional hacker" level and above, in the EPUB format. To obtainthe weekly edition as an EPUB file, just click the "Download EPUB" link inthe left column. There is a separate RSS feedfor the EPUB format as well. Any other feature content can be turned intoan ebook by appending /epub to its URL.We will also be creating special EPUB books at times. As an example ofwhat is possible, our complete coverage from Kangrejos 2024 and the 2024 Linux Storage, Filesystem,Memory Management, and BPF Summit are available to all readers.There are surely places where our EPUB books can be improved; please feelfree to drop us a note (at lwn@lwn.net) with suggestions.
Credential-leaking vulnerability in some Git credential managers
Security researcher RyotaKhas shared a series of vulnerabilities that all have to do with how Gitinterfaces with externalcredential managers. In short, while Git guards against newline characters(\n) being injected into a repository's URL, some programming languagesalso treat carriage return characters (\r) as being newlines. Adding acarriage return to a repository's URL can cause Git and the credential managerto disagree on how the URL should be parsed, ultimately resulting in Gitcredentials being sent to the wrong host. Malicious repositories could includeGit submodules with malformed URLs, triggering the bug. Only password-based authenticationwith an external credential manager isvulnerable to this attack; SSH-based authentication remains secure. The Git projecthas chosen to consider this a vulnerability in Git, given the large amount ofexternal software affected. The project has fixed the bug on its end byreleasing updates for all supported versions that bancarriage returns in URLs entirely.Affected software includes GitHub Desktop, Git LFS, and possibly other Git utilities:
[$] Offline applications with Earthstar
Earthstar is a privacy-oriented,offline-first, LGPL-licensed database intended to support distributedapplications. Unlike other distributed storage libraries, itfocuses on providing mutable data with human-meaningful names and modificationtimes, which gives it an interface similar to many non-distributedkey-value databases.Now, the developers are looking at switching to a new synchronizationprotocol - one that is general enough that it might see wider adoption.
Ubuntu developer discussion moving to Matrix
Ubuntu will be moving its "official realtime communicationschannels" from IRC to Matrix, beginning March1,2025, followinga discussionon the ubuntu-devel mailing list.
Security updates for Wednesday
Security updates have been issued by AlmaLinux (bzip2, gimp:2.8, keepalived, mariadb:10.11, mariadb:10.5, python-jinja2, and redis), Debian (iperf3, libtar, and pdns-recursor), Fedora (abseil-cpp, dotnet8.0, dotnet9.0, golang, libsoup3, and vaultwarden), Oracle (gimp:2.8, iperf3, keepalived, kernel, redis:7, and unbound), Red Hat (libsoup), SUSE (amazon-ssm-agent, go1.22, go1.23, iperf, java-21-openjdk, nginx, openvpn, and python311-asteval), and Ubuntu (kernel, libmicrodns, linux, linux-aws, linux-aws-hwe, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux, linux-azure, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-intel-iotg, linux-intel-iotg-5.15, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-oracle, linux-oracle-5.15, linux-raspi, linux, linux-azure, linux-gcp, linux-gcp-6.8, linux-gke, linux-gkeop, linux-hwe-6.8, linux-ibm, linux-lowlatency, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, linux-oracle, linux-oracle-6.8, linux-raspi, linux, linux-azure, linux-gcp, linux-oem-6.11, linux-raspi, linux-realtime, linux, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-oem-6.8, rsync, and tcpreplay).
[$] FOSDEM keynote causes concerns
This year's edition of the Free and OpenSource Software Developers' European Meeting (FOSDEM) begins onFebruary1 in Brussels. The event is widely regarded as one ofthe most important open-source conferences. One of the reasons thatFOSDEM is held in high esteem by the community is its non-commercialnature. It does accept sponsors, butsponsorships come with few perks and no "pay-for-play" speakingslots. Thus, the scheduling of a keynote by JackDorsey-primarily known for his role in co-founding Twitter, andcurrently CEO and chairman of FOSDEM sponsor Block,Inc.-raised eyebrows and led to plans for a protest. Thekeynote has since been removed from the schedule, but there are stilla number of lingering questions.
Security updates for Tuesday
Security updates have been issued by Debian (git and openjpeg2), Mageia (virtualbox), SUSE (podman), and Ubuntu (clamav, frr, libreoffice, linux-xilinx-zynqmp, and quagga).
Linux-related discussion as a cybersecurity threat
The DistroWatchJanuary 27 edition includes this interesting tidbit:
[$] Vendoring Go packages by default in Fedora
The Go language is designed to make iteasy for developers to import otherGo packages and compile everything into a static binaryfor simple distribution. Unfortunately, this complicates things forthose who package Go programs for Linux distributions, such as Fedora,that have guidelines which require dependencies to be packagedseparately. Fedora's Go special interestgroup (SIG) is asking for relief and a loosening of the bundlingguidelines to allow Go packagers to bundle dependencies into thepackages that need them, otherwise known as vendoring. So far, theparticipants in the discussion have seemed largely in favor of theidea.
Security updates for Monday
Security updates have been issued by AlmaLinux (git-lfs, java-17-openjdk, java-21-openjdk, kernel, and python-jinja2), Debian (git and git-lfs), Fedora (buildah, chromium, containers-common, freeipa, glibc, golang, mediawiki, pam-u2f, podman, and rsync), Mageia (glibc, iperf, openssl, phpmyadmin, and poppler), Oracle (firefox, git-lfs, grafana, java-17-openjdk, java-21-openjdk, kernel, python-jinja2, and redis:6), and SUSE (chromium, go1.22-1.22.11-1.1, go1.23-1.23.5-1.1, go1.24-1.24rc2-1.1, java-11-openjdk, kernel, libopenssl-3-devel, libQt6Bluetooth6, nodejs18, nodejs20, python311-azure-storage-blob, qt6-connectivity, and ruby3.4-rubygem-nokogiri-1.18.2-1.1).
[$] The Rust 2024 Edition takes shape
Last year, LWN examined the changes lined up forRust's 2024 edition. Now, with the editionready to be stabilized in February,it's time to look back at the edition process and see what wassuccessfully adopted, which new changes were added, and what still remains towork on. A surprising amount of new work was proposed, implemented, andstabilized during the year.
Security updates for Friday
Security updates have been issued by Debian (chromium and python-django), Fedora (git-lfs and pam-u2f), Mageia (golang), Red Hat (java-11-openjdk with Extended Lifecycle Support, java-17-openjdk, and java-21-openjdk), SUSE (cheat, dante, docker-stable, grafana, and kernel), and Ubuntu (cacti, cyrus-imapd, HTMLDOC, and PCL).
Four new stable kernels
Greg Kroah-Hartman has released the 6.12.11, 6.6.74, 6.1.127, and 5.15.177 stable kernels. They all containimportant fixes, as is the usual case.
[$] The trouble with the new uretprobes
A "uretprobe" is a dynamic, user-space tracepoint injected by the kernelinto a running process; this documenttersely describes their use. Among other things, uretprobes are used bythe perf utility to time function calls. The 6.11 kernel saw asignificant change to uretprobes that improved their performance, but thatchange is also creating trouble for some users. The best way to solve theproblem is not entirely clear.
[$] The first part of the 6.14 merge window
As of this writing, just over 4,300 non-merge changesets have been pulledinto the mainline repository for the 6.14 release. Many of the pullrequests this time around include remarks saying that activity has beenrelatively low this time around, presumably due to the holidays. So those4,300 changesets are probably closer to the merge-window halfway point thanusual. Much of the work merged thus far looks more like incrementalimprovements than major new initiatives, but there still have been a numberof interesting changes in the mix.
Security updates for Thursday
Security updates have been issued by AlmaLinux (redis:6), Debian (frr and git-lfs), Fedora (SDL2_sound and webkit2gtk4.0), Gentoo (firefox, GPL Ghostscript, libgsf, libuv, PHP, Qt, QtWebEngine, and Yubico pam-u2f), Mageia (chromium-browser-stable), SUSE (helmfile, nvidia-modprobe, qt6-webengine, ruby3.4-rubygem-actioncable-8.0-8.0.1-1.1, ruby3.4-rubygem-actionpack-8.0-8.0.1-1.1, ruby3.4-rubygem-actiontext-8.0-8.0.1-1.1, ruby3.4-rubygem-actionview-8.0-8.0.1-1.1, ruby3.4-rubygem-activejob-8.0-8.0.1-1.1, ruby3.4-rubygem-activerecord-8.0-8.0.1-1.1, ruby3.4-rubygem-activestorage-8.0-8.0.1-1.1, ruby3.4-rubygem-rails-8.0-8.0.1-1.1, and ruby3.4-rubygem-railties-8.0-8.0.1-1.1), and Ubuntu (bluez, openjpeg2, and python-django).
LWN.net Weekly Edition for January 23, 2025
Inside this week's LWN.net Weekly Edition:
Zero-trust builds for FreeBSD
The FreeBSD Foundationhas announced that it has undertaken a project to deliver zero-trustbuilds commissioned by the Sovereign Tech Agency (STA).
A revamped Python string-formatting proposal
The proposal to add a more general facility for string formatting toPython, which we looked at in August 2024,has changed a great deal since, so it merits another look. Thechanges take multiple forms: a new title for PEP750 ("Template Strings"), a different mechanism for creating and using templates,a new Template type to hold them, and several additional authors for the PEP.Meanwhile, one controversial part of the original proposal, lazy evaluationof the interpolated values, has been changed so that it requires anexplicit opt-in (via lambda);template strings are a generalization of f-strings and lazy evaluation was seen by someas a potentially confusing departure from their behavior.
A mouseless tale: trying for a keyboard-driven desktop
The computer mouse is a wonderful invention, but for the past fewmonths I've been working to use mine as little as possible forproductivity and ergonomic reasons. It should not be surprising thatthere are quite a few open-source applications, utilities, andconfiguration options that are either designed to or incidentallyassist in creating a keyboard-driven desktop. This includes tiling windowmanagement with PaperWM, the Vimium browser extension, Input Remapper, and more.
12345678910...