Feed lwn LWN.net

Link https://lwn.net/
Feed http://lwn.net/headlines/rss
Updated 2025-12-14 11:30
An RFC for governance of the Rust project
The Rust community has been working to reform its governance model; that work is now being presented as a draft document describing how that model will work.
[$] Python packaging targets
As we have seen in earlier articles, the packaging landscape for Python is fragmented and complex, though users of the language have been clamoring for some kind of unification for a decade or more at this point. The developers behind pip and other packaging tools would like to find a way to satisfy this wish from Python-language users and developers, thus they have been discussing possible solutions with increasing urgency, it seems, of late. In order to do that, though, it is important to understand what specific items—and types of Python users—to target.
No more Flatpak (by default) in Ubuntu Flavors
The Ubuntu Flavors offerings (Kubuntu and the like) have decided that the way to improve the user experience is to put more emphasis on the Snap package format.
A full set of stable kernels
The 6.1.13, 5.15.95, 5.10.169, 5.4.232, 4.19.273, and 4.14.306 stable kernel updates have all been released; each contains another set of important fixes.
Security updates for Wednesday
Security updates have been issued by Debian (amanda, apr-util, and tiff), Fedora (apptainer, git, gssntlmssp, OpenImageIO, openssl, webkit2gtk3, xorg-x11-server, and xorg-x11-server-Xwayland), Oracle (firefox and thunderbird), Red Hat (python3), SUSE (gnutls, php7, and python-Django), and Ubuntu (chromium-browser, libxpm, and mariadb-10.3, mariadb-10.6).
[$] Passwordless authentication with FIDO2—beyond just the web
FIDO2 is a standard for authenticating users without the need for passwords. While the technology has been introduced mainly to protect accounts on web sites, it's also useful for other purposes, such as logging into Linux systems. The same technology can even be used beyond authentication, for example to sign files or Git commits. A couple of talks at FOSDEM 2023 in Brussels presented the possibilities for Linux users.
Security updates for Tuesday
Security updates have been issued by CentOS (libksba, thunderbird, and tigervnc and xorg-x11-server), Debian (clamav, nss, python-django, and sox), Fedora (kernel and thunderbird), Mageia (curl, firefox, nodejs-qs, qtbase5, thunderbird, upx, and webkit2), Red Hat (httpd:2.4, kernel, kernel-rt, kpatch-patch, pcs, php:8.0, python-setuptools, Red Hat build of Cryostat, Red Hat Virtualization Host 4.4.z SP 1, samba, systemd, tar, and thunderbird), Scientific Linux (firefox and thunderbird), and SUSE (clamav, firefox, jhead, mozilla-nss, prometheus-ha_cluster_exporter, tar, and ucode-intel).
[$] Some development statistics for 6.2
The 6.2 kernel was released on February 19, at the end of a ten-week development cycle. This time around, 15,536 non-merge changesets found their way into the mainline repository, making this cycle significantly more active than its predecessor. Read on for a look at the work that went into this kernel release.
GDB 13.1 released
Version 13.1 of the GNU GDB debugger has been released. Changes include support for the LoongArch and CSKY architectures, a number of Python API improvements, support for zstd-compressed debug sections, and more.
Security updates for Monday
Security updates have been issued by Debian (c-ares, gnutls28, golang-github-opencontainers-selinux, isc-dhcp, nss, openssl, snort, and thunderbird), Fedora (clamav, curl, phpMyAdmin, thunderbird, vim, webkitgtk, and xen), Red Hat (firefox), Slackware (kernel), SUSE (apache2-mod_security2, gssntlmssp, postgresql-jdbc, postgresql12, and timescaledb), and Ubuntu (firefox).
The 6.2 kernel has been released
Linus has released the 6.2 kernel as expected.
Security updates for Friday
Security updates have been issued by Debian (webkit2gtk and wpewebkit), Fedora (firefox, phpMyAdmin, tpm2-tools, and tpm2-tss), Slackware (mozilla), SUSE (mozilla-nss, rubygem-actionpack-4_2, rubygem-actionpack-5_1, and tar), and Ubuntu (linux-azure and linux-hwe-5.19).
Systemd 253 released
Systemd 253 has been released. As always, the list of changes is extensive. Support for version-1 control groups and separate /usr systems is going away later this year. There is a new tool for working with unified kernel images, a number of new unit-file options have been added, and much more; click below for the full list.
[$] Debating composefs
When LWN looked at the composefs filesystem in December, we reported that there had been "little response" to the patches. That is no longer the case. Whether composefs (or something like it) should be merged has become the subject of an extended debate; at its core, the discussion is over just how Linux should support certain types of container workloads.
Security updates for Thursday
Security updates have been issued by Debian (firefox-esr), Fedora (community-mysql, edk2, firefox, and git), Slackware (curl and git), SUSE (apache2-mod_security2, aws-efs-utils, bind, curl, git, ImageMagick, java-11-openjdk, java-17-openjdk, java-1_8_0-openjdk, kernel, libksba, and mozilla-nss), and Ubuntu (golang-golang-x-text, golang-x-text, linux-aws, linux-aws-5.15, linux-azure-fde, linux-gcp, linux-gcp-5.15, linux-intel-iotg, linux-aws-5.4, linux-gcp, linux-gcp-5.4, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-oracle-5.4, linux-gke, linux-gke-5.15, nss, and xorg-server, xorg-server-hwe-16.04).
[$] LWN.net Weekly Edition for February 16, 2023
The LWN.net Weekly Edition for February 16, 2023 is available.
[$] NASA and open-source software
From the moon landing to the James Webb Space Telescope and many other scientific missions, software is critical for the US National Aeronautics and Space Administration (NASA). Sharing information has also been in the DNA of the space agency from the beginning. As a result, NASA also contributes to and releases open-source software and open data. In a keynote at FOSDEM 2023, Science Data Officer Steve Crawford talked about NASA and open-source software, including the challenges NASA has faced in using open source and the agency's recent initiatives to lower barriers.
Stable kernel 5.10.168
The 5.10.168 stable kernel update has finally emerged from the review process and been released; it contains yet another set of important fixes.
Axboe: io_uring and networking in 2023
Jens Axboe has posted a detailed guide to improving the performance of networking applications with io_uring.
Realtime Ubuntu launched
Canonical has announced the general availability of a realtime variant of its distribution.
Firefox 110.0 released
Version 110.0 of the Firefox browser has been released. Significant new features include the ability to import bookmarks from the Opera and Vivaldi browsers and GPU sandboxing on Windows systems.
Security updates for Wednesday
Security updates have been issued by Debian (gnutls28 and haproxy), Fedora (syslog-ng), Mageia (apr-util, chromium-browser-stable, editorconfig-core-c, ffmpeg, libzen, phpmyadmin, tpm2-tss, and webkit2), Oracle (kernel and kernel-container), Slackware (mozilla and php), SUSE (git, haproxy, kernel, nodejs18, phpMyAdmin, and timescaledb), and Ubuntu (APR-util, git, and haproxy).
[$] An overview of single-purpose Linux distributions
Many people, when they are installing a Linux distribution for a single purpose such as running containers, would prefer an install-and-forget type of deployment. At FOSDEM 2023 in Brussels, several projects of this minimal Linux distribution type were presented. Fedora CoreOS, Ubuntu Core, openSUSE MicroOS, and Bottlerocket OS all tackle this problem in their own way. The talks at FOSDEM gave an interesting overview of how these projects differ in their approaches.
Two stable kernels — and maybe a third
The 6.1.12 and 5.15.94 stable kernel updates have been released, each with the usual set of important fixes. There is also a 5.10.168 release in the works, but it ran into some snags in the review process; it can be expected shortly. Another set of updates, containing the mitigations for the just-disclosed cross-thread return-address prediction vulnerability (yet another Spectre variant that affects AMD processors), can be expected soon.
Security updates for Tuesday
Security updates have been issued by Debian (imagemagick), Fedora (xml-security-c), Red Hat (grub2), SUSE (chromium, freerdp, libbpf, and python-setuptools), and Ubuntu (fig2dev and python-django).
Linux kernel Podcast - season 2 episode 2
A new installment of the rejuvenated kernel podcast has been posted.
[$] A proposed threat model for confidential computing
The field of confidential computing is still in its infancy, to the point where it lacks a clear, agreed, and established problem description. Elena Reshetova and Andi Kleen from Intel recently started the conversation by sharing their view of a potential threat model in the form of this document, which is specific to the Intel Trust Domain Extension (TDX) on Linux, but which is intended to be applicable to other confidential-computing solutions as well. The resulting conversation showed that there is some ground to be covered to achieve a consensus on the model in the community.
Security updates for Monday
Security updates have been issued by Debian (libde265 and snort), Fedora (chromium, openssl, php-symfony4, qt5-qtbase, qt6-qtbase, tigervnc, vim, wireshark, xorg-x11-server, and xorg-x11-server-Xwayland), Slackware (gnutls), SUSE (apr-util, grafana, java-1_8_0-ibm, kernel, less, libksba, opera, postgresql12, postgresql13, postgresql14, postgresql15, python-py, webkit2gtk3, wireshark, and xrdp), and Ubuntu (nova and webkit2gtk).
Kernel prepatch 6.2-rc8
The eighth and presumably final 6.2 kernel prepatch has been released.
A GCC COBOL status report
For those who have been anxiously awaiting the release of a GCC-based compiler for the COBOL language, James K. Lowden has a status report with some good news:
[$] The extensible scheduler class
It was only a matter of time before somebody tried to bring BPF to the kernel's CPU scheduler. At the end of January, Tejun Heo posted the second revision of a 30-part patch series, co-written with David Vernet, Josh Don, and Barret Rhoden, that does just that. There are clearly interesting things that could be done by deferring scheduling decisions to a BPF program, but it may take some work to sell this idea to the development community as a whole.
Security updates for Friday
Security updates have been issued by Debian (postgresql-11 and sox), Fedora (opusfile), SUSE (bind, jasper, libapr-util1, pkgconf, tiff, and xrdp), and Ubuntu (cinder, imagemagick, less, linux, linux-aws, linux-azure, linux-azure-5.4, linux-gkeop, linux-kvm, linux-oracle, linux-raspi, linux-raspi-5.4, linux, linux-aws, linux-gcp, linux-ibm, linux-kvm, linux-lowlatency, linux-oracle, linux-raspi, linux, linux-aws, linux-gcp-4.15, linux-kvm, linux-oracle, linux-raspi2, linux, linux-azure, linux-azure-5.15, linux-gkeop, linux-hwe-5.15, linux-ibm, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-oracle, linux-oracle-5.15, linux-raspi, linux-azure, linux-azure-4.15, linux-dell300x, linux-gke, linux-oem-5.14, linux-oem-5.17, linux-oem-6.0, linux-oem-6.1, linux-snapdragon, nova, and swift).
A pair of stable kernels
The 6.1.11 and 5.15.93 stable kernel updates have been released; each contains another set of important fixes.
The future of Thunderbird
The Thunderbird email client blog has a plan for where the project is going.
[$] Free software and fiduciary duty
Serial litigant Craig Wright recently won a procedural ruling in a London court that allows a multi-billion-dollar Bitcoin-related lawsuit to proceed. This case has raised a fair amount of concern within the free-software community, where it is seen as threatening the "no warranty" language included in almost every free-software license. As it happens, this case does not actually involve that language, but it has some potentially worrisome implications anyway.
Security updates for Thursday
Security updates have been issued by Debian (chromium, libsdl2, and wireshark), Fedora (pesign, tpm2-tss, and webkitgtk), Oracle (hsqldb, krb5, libksba, tigervnc, and tigervnc and xorg-x11-server), Red Hat (openvswitch2.13, openvswitch2.15, openvswitch2.16, openvswitch2.17, rh-varnish6-varnish, tigervnc, and tigervnc and xorg-x11-server), Scientific Linux (tigervnc and xorg-x11-server), and SUSE (apache2, apache2-mod_security2, apr-util, netatalk, podman, python-swift3, rubygem-globalid, syslog-ng, and thunderbird).
[$] LWN.net Weekly Edition for February 9, 2023
The LWN.net Weekly Edition for February 9, 2023 is available.
The Atlantic Council on open-source policy
The Atlantic Council (described by Wikipedia as "an American think tank in the field of international affairs") has published a lengthy report on the problem of security in open-source software and what might be done about it.
[$] Users and Python packaging
A lot of digital ink has been expended in recounting the ongoing Python packaging saga, which is now in its fourth installment (earlier articles: landscape survey, visions and unification, and pip-conda convergence). Most of that covered conversations that took place in November and the discussion largely settled down over the holidays, but it picked up again with a packaging-strategy thread that started in early January. That thread was based on the results of a user survey about packaging that was meant to help guide the Python Packaging Authority (PyPA) and other interested developers, but the guidance provided was somewhat ambiguous—leading to lots more discussion.
Rustproofing Linux (nccgroup)
The nccgroup blog is carrying a four-part series by Domen Puncer Kugler on how vulnerabilities can make their way into device drivers written in Rust.
Security updates for Wednesday
Security updates have been issued by Debian (heimdal, openssl, shim, and xorg-server), Oracle (kernel and thunderbird), Red Hat (git, libksba, samba, and tigervnc), Scientific Linux (thunderbird), Slackware (openssl and xorg), SUSE (EternalTerminal, openssl-1_0_0, openssl-1_1, openssl-3, openssl1, polkit, and sssd), and Ubuntu (git, grunt, heimdal, openssl, openssl1.0, and xorg-server, xorg-server-hwe-18.04, xwayland).
[$] Fedora packages versus upstream Flatpaks
The Flatpak package format promises to bring "the future of apps on Linux", but a Linux distribution like Fedora already provides packages in its native format—and built to its specifications. Flatpaks that come from upstream projects may or may not follow the packaging guidelines, philosophy, and practices so they exist in their own world, separate from the packages that come directly from Fedora. But those worlds have collided to a certain extent over the past year or two. Recently, a packager announced their plans to stop packaging the Bottles tool, used for running Windows programs in Wine-based containers on Linux, in favor of recommending that Fedora users install the upstream Flatpak.
Security updates for Tuesday
Security updates have been issued by Debian (graphite-web, openjdk-11, webkit2gtk, wpewebkit, and xorg-server), Mageia (advancecomp, apache, dojo, git, java/timezone, libtiff, libxpm, netatalk, nodejs-minimist, opusfile, python-django, python-future, python-mechanize, ruby-sinatra, sofia-sip, thunderbird, and tigervnc), Oracle (git and thunderbird), Red Hat (git, libksba, rh-git227-git, rh-nodejs14-nodejs and rh-nodejs14-nodejs-nodemon, and thunderbird), SUSE (apache2, nginx, php8-pear, redis, rubygem-activesupport-5_1, rubygem-rack, sssd, xorg-x11-server, and xwayland), and Ubuntu (tmux).
Six new stable kernels
The most recent batch of stable kernels has been released: 6.1.10, 5.15.92, 5.10.167, 5.4.231, 4.19.272, and 4.14.305. Those updates contain a relatively small number of important fixes throughout the kernel tree.
[$] A survey of free CAD systems
Computer-aided design (CAD) software is expensive to develop, which is a good reason to appreciate the existing free and open-source alternatives to some of the big names in the industry. This article takes a bird's-eye view at free and open-source software for 2D drafting and 3D parametric solid modeling, its progress over the years, as well as wins and ongoing challenges.
Security updates for Monday
Security updates have been issued by Debian (libhtml-stripscripts-perl), Fedora (binwalk, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-latest-openjdk, kernel, sudo, and syncthing), SUSE (syslog-ng), and Ubuntu (editorconfig-core, firefox, pam, and thunderbird).
Kernel prepatch 6.2-rc7
The 6.2-rc7 kernel prepatch is out for testing.
[$] Constant-time instructions and processor optimizations
Of all the attacks on cryptographic code, timing attacks may be among the most insidious. An algorithm that appears to be coded correctly, perhaps even with a formal proof of its correctness, may be undermined by information leaked as the result of data-dependent timing differences. Both Arm and Intel have introduced modes that are intended to help defend against timing attacks, but the extent to which those modes should be used in the kernel is still under discussion.
Security updates for Friday
Security updates have been issued by Fedora (chromium and vim), Slackware (openssh), and Ubuntu (lrzip and tiff).
The Document Foundation announces LibreOffice 7.5 Community
Version 7.5 of the LibreOffice Community edition is now available. LibreOffice is, of course, the FOSS desktop office suite; version 7.5 brings new features to multiple parts of the tool, including major improvements to dark mode, better PDF exports, improved bookmarks in Writer, data tables for charts in Calc, better interoperability with Microsoft Office, and lots more. Check out the release notes for further information.