LWN.net

Security updates have been issued by Oracle (bcel), SUSE (ca-certificates-mozilla, glibc, minetest, multimon-ng, nautilus, ovmf, python-Django, samba, saphanabootstrap-formula, and xrdp), and Ubuntu (usbredir).

Yet another new year is upon us, and that can only mean one thing: the timehas come for your editor to look into his crystal ball and make somepredictions for what 2023 will hold. Said crystal ball is known to sufferfrom speculative-execution problems and parity errors, but it's the bestthat LWN's budget will afford. Read on for a highly unreliable look atwhat's to come.

DistroWatch Weekly celebrates its1000th issue and 20 years of publication.

Anybody who installed a nightly release from the PyTorch machine-learning library betweenDecember 25 and 30 willwant to uninstall it immediately:

Security updates have been issued by Debian (cacti, emacs, exuberant-ctags, libjettison-java, mplayer, node-loader-utils, node-xmldom, openvswitch, ruby-image-processing, webkit2gtk, wpewebkit, and xorg-server), Fedora (OpenImageIO, systemd, w3m, and webkit2gtk3), Mageia (curl, freeradius, libksba, libtar, python-ujson, sogo, thunderbird, and webkit2), Red Hat (bcel), and SUSE (ffmpeg, ffmpeg-4, mbedtls, opera, saphanabootstrap-formula, sbd, vlc, and webkit2gtk3).

The second 6.2 kernel prepatch is out fortesting — but there isn't a lot there.

Vanilla OS is a new, Ubuntu-baseddistribution with an immutable(ish) core and a focus on containers. Version22.10, the first stable release, is out.

Version 20 of theAndroid-based LineageOS distribution has been released.

The6.1.2,6.0.16, and5.15.86stable kernel updates have been released. As is typical for the firstpost-rc1 updates, each of these contains a huge number of important fixes.

Security updates have been issued by Debian (libcommons-net-java), Fedora (python3.6), and SUSE (conmon, polkit-default-privs, thunderbird, and webkit2gtk3).

Security updates have been issued by Debian (multipath-tools), Fedora (containerd and trafficserver), Gentoo (libksba and openssh), and SUSE (webkit2gtk3).

Security updates have been issued by Fedora (curl) and SUSE (curl, freeradius-server, sqlite3, systemd, and vim).

The world got a special Christmas present from Linus Torvalds this year inthe form of the 6.2-rc1kernel prepatch. By the time the merge window closed, 13,687 non-mergechangesets had been pulled into the mainline for the 6.2 release. This wasthe busiest merge window since 5.13 (which brought in 14.231 changesets) inmid-2021, and quite a bit busier than 6.1 was — but comparable to the late5.x releases. Just under 4,000 of those changesets were pulled after the first-half summary was written; there werequite a few significant changes to be found in those late-arriving patches.

Security updates have been issued by Debian (gerbv), Fedora (webkitgtk), and SUSE (ca-certificates-mozilla, freeradius-server, multimon-ng, vim, and vlc).

Security updates have been issued by Debian (kernel, libksba, and mbedtls), Fedora (containerd, curl, firefox, kernel, mod_auth_openidc, and xorg-x11-server), and Mageia (chromium-browser-stable).

Linus has released 6.2-rc1 and closed themerge window for this release. "So it's Christmas Day here, but it's also Sunday afternoon two weeksafter the 6.2 merge window opened. So holidays or not, the kerneldevelopment show must go on."

The kernel project tries hard to avoid duplicating functionality within itscode base; whenever possible, a single subsystem is made to serve all usecases. There is one notable exception to this rule, though: there arethree object-level memory allocators ("slab allocators") in the kernel.The desire to reduce the count has been growing stronger over the years,and some steps have been taken in 6.2 to eliminate the least-lovedallocator — SLOB — in the relatively near future.

Security updates have been issued by Debian (node-hawk and node-trim-newlines), Fedora (insight, ntfs-3g, and suricata), and SUSE (conmon, helm, kernel, and mbedtls).

Intel's graphical processors have been well supported in the mainline foryears, but it seems that the i915 driver may be approaching the end of itsdevelopment life. Matthew Brost has just posted a newdriver called "Xe" that looks to be (eventually) a replacement fori915:

The wish for a "None-aware" operator (or operators) islongstanding within the Python community. While there is fairlywidespread interest in more easily handling situations where a value needs to betested for being None before being further processed, there ismuch less agreement on how to "spell" such an operator (or construct) andon whether the language truly needs it. But the idea never seems to goaway, with long discussions erupting every year or two—and no resolutionreally in sight.

Version4.2.0 of the Darktable raw photo editor is out. New features include anew display transform module, a pair of new highlight-reconstructionalgorithms, and more; see the announcement and this Libre Artsarticle for more.

Konstantin Ryabitsev has put up ablog entry showing how to use b4 to submit kernel patcheswithout (directly) using email.

The openSUSE News site coverssome highlights from the second prototyperelease of the upcoming SUSE "ALP" distribution.

Security updates have been issued by Debian (libksba and linux-5.10), Slackware (mozilla), and SUSE (curl, java-1_8_0-ibm, and sqlite3).

The LWN.net Weekly Edition for December 22, 2022 is available.

Yet another year is coming to a close; that can only mean that the time hascome to indulge in a longstanding LWN tradition: looking back at the predictions we made in January and givingthem the mocking that they richly deserve. Read on to see how thosepredictions went, what was missed, and a look back at the year in general.

Andrew 'bunnie' Huang writes about his workwith Cramium to bring more openness to secure elementchips:

The6.1.1,6.0.15,5.15.85, and5.10.161stable kernel updates have been released. Each contains a relatively smallset of important fixes.

Security updates have been issued by Debian (xorg-server), Fedora (samba, snakeyaml, thunderbird, xorg-x11-server, and xrdp), Slackware (libksba and sdl), and SUSE (cni, cni-plugins, java-1_7_1-ibm, kernel, openssl-3, and supportutils).

ActivityPub-enabled microblogs are gainingpopularity as a replacement for Twitter, but ActivityPub is for more thanjust microblogging. Many other popular services also have open-sourcealternatives that speak ActivityPub. Proprietary services operated bycommercial interests usually deliberately limit interoperability, but usersof any ActivityPub-enabled service should be able to communicate with eachother, even if they are using different services. This promise ofinteroperability is often limited in practice, though; while ActivityPubspecifies how multiple types of contentcan be published, the kinds of content that can bedisplayed or interacted with vary from project to project.

Version 2.4.0 of the GNU Privacy Guard has been released. "Exactly 25 years ago the very first release of GnuPG was published. Weare pleased to take this opportunity to announce the availability of anew stable GnuPG release: version 2.4.0." Changes in this releaseinclude full support for the key database daemon, some performanceimprovements, a change to AES256 as the default cipher, and much more.

Security updates have been issued by Fedora (mujs) and SUSE (kernel and thunderbird).

Linux Mint has announced the release of version 21.1 of the distribution in three editions: Cinnamon (what's new), MATE (what's new), and Xfce (what's new).Mint 21.1 is based on Ubuntu 22.04 and uses kernel version 5.15.

The memfd interface is a bit of a strange and Linux-specific beast; it wasinitially created to support the securepassing of data between cooperating processes on a single system. It hassince gained other roles, but it may still come as a surprise to some tolearn that memory regions created for memfds, unlike almost any other dataarea, have the execute permission bit set. That can facilitate attacks; thispatch set from Jeff Xu proposes an addition to the memfd API to closethat hole.

Greg Kroah-Hartman has announced the release of the 6.0.14, 5.15.84, 5.10.160, and 5.4.228 stable kernels. They contain arelatively small number of important fixes throughout the tree.

Security updates have been issued by Debian (chromium and thunderbird), Fedora (keylime, libarchive, libtasn1, pgadmin4, rubygem-nokogiri, samba, thunderbird, wireshark, and xorg-x11-server-Xwayland), Gentoo (curl, libreoffice, nss, unbound, and virtualbox), Mageia (advancecomp, couchdb, firefox, freerdp, golang, heimdal, kernel, kernel-linus, krb5, leptonica, libetpan, python-slixmpp, thunderbird, and xfce4-settings), Oracle (firefox, nodejs:16, and thunderbird), Scientific Linux (firefox and thunderbird), Slackware (samba), SUSE (chromium and kernel), and Ubuntu (linux-oem-5.17).

Version 4.0.0 of the Apache SpamAssassin spam filter has been released.

Version5.0.0 of the OCaml programming language is out.

Security updates have been issued by Debian (firefox-esr, libde265, php7.3, and thunderbird), Fedora (firefox, freeradius, freerdp, and xorg-x11-server), Oracle (firefox, prometheus-jmx-exporter, and thunderbird), Red Hat (firefox, nodejs:16, prometheus-jmx-exporter, and thunderbird), and SUSE (ceph and chromium).

Version 4.18 ofthe Xfce desktop environment has been released.

Once upon a time, Linus Torvalds would try to set a pace of about 1,000changesets pulled into the mainline each day during the early part of themerge window. For 6.2, though, the situation is different; no less than9,278 non-merge changesets were pulled during the first two days. Needlessto say, these commits affect the kernel in numerous ways, even though thereare fewer fundamental changes than were seen in 6.1.

Security updates have been issued by Debian (firefox-esr and git), Slackware (mozilla and xorg), SUSE (apache2-mod_wsgi, capnproto, xorg-x11-server, xwayland, and zabbix), and Ubuntu (emacs24, firefox, linux-azure, linux-azure-5.15, linux-azure-fde, linux-oem-6.0, and xorg-server, xorg-server-hwe-18.04, xwayland).

Ted Ts'o, in collaboration with the Linux Foundation Technical AdvisoryBoard, has put together a document called the Linux kernelcontribution maturity model to help companies improve theirparticipation in the kernel development process.

The6.0.13,5.15.83,5.10.159,5.4.227,4.19.269,4.14.302, and4.9.336stable kernel updates have all been released; each contains another set ofimportant fixes.

The LWN.net Weekly Edition for December 15, 2022 is available.

A report from the syzbotkernel fuzz-testing robot does not usually spawn a vitriolic mailing-list thread, but that is just what happened recently.While the invective is regrettable, the underlying issue is important. Thedispute revolves around how best to report bugs to affected subsystems and, ultimately, how not to waste maintainers' time.

Security updates have been issued by Debian (pngcheck), Fedora (qemu), Mageia (admesh, busybox, emacs, libarchive, netkit-telnet, ruby, rxvt-unicode, and shadowutils), Oracle (bcel and kernel), Red Hat (389-ds-base, bcel, dbus, firefox, grub2, kernel, kernel-rt, kpatch-patch, thunderbird, and usbguard), Scientific Linux (bcel), SUSE (containerd, firefox, grafana, java-1_8_0-openjdk, libtpms, net-snmp, and wireshark), and Ubuntu (pillow).

Everything Open is,seemingly, the future form of the conference once known as linux.conf.au;see thispage for a discussion of the reasoning behind the change. Theinaugural event will be held March 14 to 16 in Melbourne,Australia, and the call forproposals has gone out now, with a deadline of January 15."Our aim is to create a deeply technical conference where we bringtogether industry leaders and experts on a wide range of subjects."

X.org users running in potentially hostile environments will want to lookinto the xorg-server 21.1.5 release, whichfixes several potentially serious securityvulnerabilities. "All theses issues can lead to local privilegeselevation on systems where the X server is running privileged and remotecode execution for ssh X forwarding sessions".

Version108 of the Firefox browser has been released. The headline featurethis time around appears to be the enabling of import maps bydefault, along with support for theWeb MIDI API and the usual set of security fixes.