Most of the kernel's code is written in C and intended to be run directly on the underlying hardware. That situation is changing in a few ways, though; one of those is the ability to write kernel code for the BPF virtual machine. The 6.3 kernel release will include a new API making the red-black tree data structure available to BPF programs. Beyond being an interesting feature in its own right, this new API shows how BPF is bringing a different approach to kernel programming — and to the C language in general.
Security updates have been issued by Debian (apr-util, freeradius, mono, nodejs, php7.3, php7.4, and python-cryptography), Fedora (epiphany, haproxy, and podman), SUSE (chromium, libraw, php7, php74, python-pip, and rubygem-activerecord-4_2), and Ubuntu (apr, clamav, curl, intel-microcode, nss, openvswitch, webkit2gtk, and zoneminder).
The 6.2.1, 6.1.14, 5.15.96, 5.10.170, 5.4.233, 4.19.274, and 4.14.307 stable kernel updates have all been released; each contains another set of important fixes.
Developers who build distributions often (but not always) put considerable effort into backward compatibility, ensuring, for example, that a program built for one release will continue to run on later releases. Forward compatibility, where it is possible to move a program (or other artifact) from a more recent release to an older one, can be less of a concern, but it still tends to be seen as something that is better to not break if possible. So it is not surprising that an issue affecting the forward-compatibility of ext4 filesystems built for the upcoming Debian 12 ("bookworm") release has generated a fair amount of discussion, even if the number of affected users is likely to be small.
Security updates have been issued by Debian (binwalk, chromium, curl, emacs, frr, git, libgit2, and tiff), Fedora (qt5-qtbase), SUSE (c-ares, kernel, openssl-1_1-livepatches, pesign, poppler, rubygem-activerecord-5_1, and webkit2gtk3), and Ubuntu (linux-aws).
As of this writing, 5,776 non-merge changesets have been pulled into the mainline kernel for the 6.3 release; that is a bit less than half of the work that was waiting in linux-next before the merge window opened. This merge window is thus well underway, but far from complete. Quite a bit of significant work has been pulled so far; read on to see what entered the kernel in the first half of the 6.3 merge window.
Security updates have been issued by CentOS (firefox and thunderbird), Debian (asterisk, git, mariadb-10.3, node-url-parse, python-cryptography, and sofia-sip), Fedora (c-ares, golang-github-need-being-tree, golang-helm-3, golang-oras, golang-oras-1, and golang-oras-2), Oracle (httpd:2.4, kernel, php:8.0, python-setuptools, python3, samba, systemd, tar, and webkit2gtk3), Red Hat (webkit2gtk3), SUSE (phpMyAdmin, poppler, and postgresql12), and Ubuntu (dcmtk and linux-hwe).
The Rust community has been working to reform its governance model; that work is now being presented as a draft document describing how that model will work.
As we have seen in earlier articles, the packaging landscape for Python is fragmented and complex, though users of the language have been clamoring for some kind of unification for a decade or more at this point. The developers behind pip and other packaging tools would like to find a way to satisfy this wish from Python-language users and developers, thus they have been discussing possible solutions with increasing urgency, it seems, of late. In order to do that, though, it is important to understand what specific items—and types of Python users—to target.
The Ubuntu Flavors offerings (Kubuntu and the like) have decided that the way to improve the user experience is to put more emphasis on the Snap package format.
Security updates have been issued by Debian (amanda, apr-util, and tiff), Fedora (apptainer, git, gssntlmssp, OpenImageIO, openssl, webkit2gtk3, xorg-x11-server, and xorg-x11-server-Xwayland), Oracle (firefox and thunderbird), Red Hat (python3), SUSE (gnutls, php7, and python-Django), and Ubuntu (chromium-browser, libxpm, and mariadb-10.3, mariadb-10.6).
FIDO2 is a standard for authenticating users without the need for passwords. While the technology has been introduced mainly to protect accounts on web sites, it's also useful for other purposes, such as logging into Linux systems. The same technology can even be used beyond authentication, for example to sign files or Git commits. A couple of talks at FOSDEM 2023 in Brussels presented the possibilities for Linux users.
Security updates have been issued by CentOS (libksba, thunderbird, and tigervnc and xorg-x11-server), Debian (clamav, nss, python-django, and sox), Fedora (kernel and thunderbird), Mageia (curl, firefox, nodejs-qs, qtbase5, thunderbird, upx, and webkit2), Red Hat (httpd:2.4, kernel, kernel-rt, kpatch-patch, pcs, php:8.0, python-setuptools, Red Hat build of Cryostat, Red Hat Virtualization Host 4.4.z SP 1, samba, systemd, tar, and thunderbird), Scientific Linux (firefox and thunderbird), and SUSE (clamav, firefox, jhead, mozilla-nss, prometheus-ha_cluster_exporter, tar, and ucode-intel).
The 6.2 kernel was released on February 19, at the end of a ten-week development cycle. This time around, 15,536 non-merge changesets found their way into the mainline repository, making this cycle significantly more active than its predecessor. Read on for a look at the work that went into this kernel release.
Version 13.1 of the GNU GDB debugger has been released. Changes include support for the LoongArch and CSKY architectures, a number of Python API improvements, support for zstd-compressed debug sections, and more.
Security updates have been issued by Debian (c-ares, gnutls28, golang-github-opencontainers-selinux, isc-dhcp, nss, openssl, snort, and thunderbird), Fedora (clamav, curl, phpMyAdmin, thunderbird, vim, webkitgtk, and xen), Red Hat (firefox), Slackware (kernel), SUSE (apache2-mod_security2, gssntlmssp, postgresql-jdbc, postgresql12, and timescaledb), and Ubuntu (firefox).
Security updates have been issued by Debian (webkit2gtk and wpewebkit), Fedora (firefox, phpMyAdmin, tpm2-tools, and tpm2-tss), Slackware (mozilla), SUSE (mozilla-nss, rubygem-actionpack-4_2, rubygem-actionpack-5_1, and tar), and Ubuntu (linux-azure and linux-hwe-5.19).
Systemd 253 has been released. As always, the list of changes is extensive. Support for version-1 control groups and separate /usr systems is going away later this year. There is a new tool for working with unified kernel images, a number of new unit-file options have been added, and much more; click below for the full list.
When LWN looked at the composefs filesystem in December, we reported that there had been "little response" to the patches. That is no longer the case. Whether composefs (or something like it) should be merged has become the subject of an extended debate; at its core, the discussion is over just how Linux should support certain types of container workloads.
From the moon landing to the James Webb Space Telescope and many other scientific missions, software is critical for the US National Aeronautics and Space Administration (NASA). Sharing information has also been in the DNA of the space agency from the beginning. As a result, NASA also contributes to and releases open-source software and open data. In a keynote at FOSDEM 2023, Science Data Officer Steve Crawford talked about NASA and open-source software, including the challenges NASA has faced in using open source and the agency's recent initiatives to lower barriers.
Version 110.0 of the Firefox browser has been released. Significant new features include the ability to import bookmarks from the Opera and Vivaldi browsers and GPU sandboxing on Windows systems.
Security updates have been issued by Debian (gnutls28 and haproxy), Fedora (syslog-ng), Mageia (apr-util, chromium-browser-stable, editorconfig-core-c, ffmpeg, libzen, phpmyadmin, tpm2-tss, and webkit2), Oracle (kernel and kernel-container), Slackware (mozilla and php), SUSE (git, haproxy, kernel, nodejs18, phpMyAdmin, and timescaledb), and Ubuntu (APR-util, git, and haproxy).
Many people, when they are installing a Linux distribution for a single purpose such as running containers, would prefer an install-and-forget type of deployment. At FOSDEM 2023 in Brussels, several projects of this minimal Linux distribution type were presented. Fedora CoreOS, Ubuntu Core, openSUSE MicroOS, and Bottlerocket OS all tackle this problem in their own way. The talks at FOSDEM gave an interesting overview of how these projects differ in their approaches.
The 6.1.12 and 5.15.94 stable kernel updates have been released, each with the usual set of important fixes. There is also a 5.10.168 release in the works, but it ran into some snags in the review process; it can be expected shortly. Another set of updates, containing the mitigations for the just-disclosed cross-thread return-address prediction vulnerability (yet another Spectre variant that affects AMD processors), can be expected soon.
Security updates have been issued by Debian (imagemagick), Fedora (xml-security-c), Red Hat (grub2), SUSE (chromium, freerdp, libbpf, and python-setuptools), and Ubuntu (fig2dev and python-django).
The field of confidential computing is still in its infancy, to the point where it lacks a clear, agreed, and established problem description. Elena Reshetova and Andi Kleen from Intel recently started the conversation by sharing their view of a potential threat model in the form of this document, which is specific to the Intel Trust Domain Extension (TDX) on Linux, but which is intended to be applicable to other confidential-computing solutions as well. The resulting conversation showed that there is some ground to be covered to achieve a consensus on the model in the community.
For those who have been anxiously awaiting the release of a GCC-based compiler for the COBOL language, James K. Lowden has a status report with some good news:
It was only a matter of time before somebody tried to bring BPF to the kernel's CPU scheduler. At the end of January, Tejun Heo posted the second revision of a 30-part patch series, co-written with David Vernet, Josh Don, and Barret Rhoden, that does just that. There are clearly interesting things that could be done by deferring scheduling decisions to a BPF program, but it may take some work to sell this idea to the development community as a whole.
Serial litigant Craig Wright recently won a procedural ruling in a London court that allows a multi-billion-dollar Bitcoin-related lawsuit to proceed. This case has raised a fair amount of concern within the free-software community, where it is seen as threatening the "no warranty" language included in almost every free-software license. As it happens, this case does not actually involve that language, but it has some potentially worrisome implications anyway.
Security updates have been issued by Debian (chromium, libsdl2, and wireshark), Fedora (pesign, tpm2-tss, and webkitgtk), Oracle (hsqldb, krb5, libksba, tigervnc, and tigervnc and xorg-x11-server), Red Hat (openvswitch2.13, openvswitch2.15, openvswitch2.16, openvswitch2.17, rh-varnish6-varnish, tigervnc, and tigervnc and xorg-x11-server), Scientific Linux (tigervnc and xorg-x11-server), and SUSE (apache2, apache2-mod_security2, apr-util, netatalk, podman, python-swift3, rubygem-globalid, syslog-ng, and thunderbird).
The Atlantic Council (described by Wikipedia as "an American think tank in the field of international affairs") has published a lengthy report on the problem of security in open-source software and what might be done about it.
A lot of digital ink has been expended in recounting the ongoing Python packaging saga, which is now in its fourth installment (earlier articles: landscape survey, visions and unification, and pip-conda convergence). Most of that covered conversations that took place in November and the discussion largely settled down over the holidays, but it picked up again with a packaging-strategy thread that started in early January. That thread was based on the results of a user survey about packaging that was meant to help guide the Python Packaging Authority (PyPA) and other interested developers, but the guidance provided was somewhat ambiguous—leading to lots more discussion.