LWN.net

When the developers of the Linux security module (LSM) subsystem findthemselves disagreeing with other kernel developers, it tends to be becausethose other developers don't think to — or don't want to — add securityhooks to their shiny new subsystems. Sometimes, though, the addition ofnew hooks by non-LSM developers can also create some friction. AndriiNakryiko's posting of a pair ofBPF-related security hooks raised a couple of interesting questions,one of which spurred a fair amount of discussion, and one that did not.

Security updates have been issued by Fedora (chromium, perl-Alien-ProtoBuf, and redis), Oracle (kernel), SUSE (dmidecode, fwupd, libtpms, libxml2, openssl-ibmca, and webkit2gtk3), and Ubuntu (cloud-init, ghostscript, linux, linux-aws, linux-aws-5.15, linux-azure, linux-gke, linux-gke-5.15, linux-gkeop, linux-hwe-5.15, linux-ibm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-oracle, linux-oracle-5.15, linux, linux-aws, linux-azure, linux-gcp, linux-hwe-5.19, linux-ibm, linux-kvm, linux-lowlatency, linux-oracle, linux-raspi, and linux, linux-aws, linux-kvm, linux-lts-xenial).

The LWN.net Weekly Edition for April 27, 2023 is available.

Longtime Pythonista Ned Batchelder gave the first of four keynotes at PyCon's20th-anniversary edition, PyCon 2023, which was heldApril 19-27 in Salt Lake City, Utah. In fact, it is still being heldat the time of this writing; the sprints continue for four days after thethree days of main-conference talks. Batchelder presented his thoughts oncommunication, how it can often go awry for technical people, and how tomake it work better.

The6.2.13,6.1.26,5.15.109,5.10.179,5.4.242,4.19.282, and4.14.314stable kernels have all been released; each contains another set ofimportant fixes and updates.

Version13.1 of the GCC compiler suite has been released.

Security updates have been issued by Fedora (chromium, lilypond, and lilypond-doc), Oracle (java-1.8.0-openjdk), Red Hat (emacs, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, kernel, kernel-rt, pesign, and virt:rhel, virt-devel:rhel), Scientific Linux (java-1.8.0-openjdk and java-11-openjdk), Slackware (git), SUSE (fwupd, git, helm, and runc), and Ubuntu (firefox, golang-1.18, linux-hwe-5.15, and openssl, openssl1.0).

Static-site generators are tools that generateHTML pages from source files, often written in Markdown oranother markup language. They have built-in templates and themes, which allowsdevelopers to create lightweight and secure web sites that can be easilymaintained using version control. One of these tools is Nikola, written in Python.

There is a newstable Git release containing fixes for three separate securityvulnerabilities. The fixes have also been backported to the older v2.39.3,v2.38.5, v2.37.7, v2.36.6, v2.35.8, v2.34.8, v2.33.8, v2.32.7, v2.31.8, andv2.30.9 releases. Sites using Git in untrusted environments — or withuntrusted input — should probably upgrade soon.

Philip Herron and Arthur Cohen have posted anupdate on the status of gccrs — the GCC frontend for the Rust language— and why it will not be a part of the upcoming GCC 13 release.

Security updates have been issued by CentOS (firefox, java-11-openjdk, and thunderbird), Debian (apache2), Fedora (kernel), Oracle (emacs), Red Hat (emacs, haproxy, java-1.8.0-openjdk, kernel, kernel-rt, kpatch-patch, pcs, pki-core:10.6, and qatzip), and SUSE (avahi, cdi-apiserver-container, cdi-cloner-container, cdi- controller-container, cdi-importer-container, cdi-operator-container, cdi- uploadproxy-container, cdi-uploadserver-container, cont, giflib, kernel, kubevirt, virt-api-container, virt-controller-container, virt-handler-container, virt-launcher-container, virt-libguestfs-tools- container, virt-operator-container, ovmf, and protobuf-c).

The 6.3 kernel was releasedon April 24 after a nine-week development cycle. As is the case withall mainline releases, this is amajor kernel release with a lot of changes and a big pile of new features.The time has come, yet again, for a look at where that work came from andwho supported it.

Security updates have been issued by Debian (389-ds-base, chromium, connman, curl, redis, and thunderbird), Fedora (ceph, doctl, dr_libs, ffmpeg, freeimage, golang-github-digitalocean-godo, insight, libreswan, mingw-binutils, mingw-freeimage, mingw-freetype, openvswitch, rnp, suricata, webkitgtk, and wireshark), Mageia (dnsmasq, emacs, openimageio, php-smarty, redis, squirrel/supertux, and tcpdump), Red Hat (emacs), and SUSE (avahi, chromium, dmidecode, indent, jettison, openssl, openstack-cinder, openstack-nova, python-oslo.utils, and ovmf).

Linus has released the 6.3 kernel asexpected.

This ten days old but hopefully better late than never: the Python SoftwareFoundation has put out anarticle describing how the proposed European "cyber resilience act"threatens the free-software community.

The concept of movable memory was initially designed for hot-pluggablememory on server-class systems, but it would now appear that this mechanismis finding a new use in consumer-electronics devices as well. Thedesignated movable block patch set was first submittedby Doug Berger in September 2022. By adding more flexibility around theconfiguration and use of movable memory, this work will, it is hoped, improve howLinux performs on resource-constrained systems.

The Python Package Index (PyPI) has, likemany language-specific repositories, had ongoing problems with malicious uploads. PyPIis now launching an authentication mechanism called trustedpublishers in an attempt to fight this problem.

Security updates have been issued by Debian (golang-1.11 and libxml2), Fedora (chromium, dr_libs, frr, ruby, and runc), Oracle (java-11-openjdk and java-17-openjdk), Red Hat (emacs, httpd and mod_http2, kpatch-patch, and webkit2gtk3), SUSE (libmicrohttpd, nodejs16, ovmf, and wireshark), and Ubuntu (kauth and patchelf).

GNOME is, of course, a widely-useddesktop environment for Linuxsystems; on March 22, the project released GNOME 44,codenamed "Kuala Lumpur". This version features enhancements to the settings panels, quick settings, the files application, and an updated filechooser with a grid view, among others. The full list of changes canbe seen in the releasenotes available on the GNOME website.

The Ubuntu 23.04 release is out. Headline features include a newinstaller, GNOME 44, Azure Active Directory authentication, and more.

Distributors have been enabling the SELinux security module for nearly20 years now, and many administrators have been disabling it on theirsystems for almost as long. There are a few ways in which SELinux can bedisabled on any given system, including command-line options, a run-timeswitch, or simply not loading a policy after boot. One of those ways,however, is about to be disabled itself.

The latest crop of stable kernels is out; 6.2.12, 6.1.25, 5.15.108, 5.10.178, 5.4.241, 4.19.281, and 4.14.313 have been released. As is usual,they all contain important fixes throughout the kernel tree.

Security updates have been issued by Debian (golang-1.11), Fedora (chromium, golang-github-cenkalti-backoff, golang-github-cli-crypto, golang-github-cli-gh, golang-github-cli-oauth, golang-github-gabriel-vasile-mimetype, libpcap, lldpd, parcellite, tcpdump, thunderbird, and zchunk), Red Hat (java-11-openjdk, java-17-openjdk, and kernel), SUSE (chromium, dnsmasq, ImageMagick, nodejs16, openssl-1_0_0, openssl1, ovmf, and python-Flask), and Ubuntu (dnsmasq, libxml2, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-gke, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-dell300x, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux-raspi2, linux-oem-5.17, linux-oem-6.0, linux-oem-6.1, and linux-snapdragon).

The LWN.net Weekly Edition for April 20, 2023 is available.

Vanilla OS, a lightweight,immutable operating system designed for developers and advanced users, has been using Ubuntu as its base. However, arecent announcementhas revealed that, in the upcoming Vanilla OS 2.0 Orchid release, theproject will be shifting to Debian unstable (Sid) asits new base operating system. Vanilla OS is making the switch due to Ubuntu's changes toits version of the GNOME desktop environment along with the distribution'sreliance on the Snap packaging format.The decision has generated a fair amount of interest anddiscussion within the open-source community.

The desktop-oriented Solus distributionhas been through a difficult period; this post describesthe extensive changes that have been made in response.

Security updates have been issued by Debian (asterisk), Fedora (lldpd and openssh), Red Hat (curl, kernel, and openvswitch2.13), SUSE (compat-openssl098, glib2, grafana, helm, libgit2, openssl, and openssl-1_1), and Ubuntu (linux, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15, linux-azure-fde, linux-gcp, linux-gcp-5.15, linux-gke, linux-gke-5.15, linux-gkeop, linux-ibm, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-oracle, linux-oracle-5.15, linux-raspi, linux, linux-aws, linux-azure, linux-gcp, linux-hwe-5.19, linux-kvm, linux-lowlatency, linux-oracle, linux-raspi, and vim).

The 2023 Linux Plumbers Conference (November 13-15, Richmond VA, USA) hasput out its calls for proposals for therefereed track (due August 6) and themicroconference track (June 1). Proposals are also being acceptedfor the kernel-summit track.

For developers seeking to create applications with terminal userinterfaces (TUIs), options have been relatively limited compared to thevast number of graphical user interface (GUI) frameworks available. As aresult, many command-line applications reinvent the same user interfaceelements. Textual aims toremedy this: it's a rapid-application-development framework forPython TUI applications. Offering cross-platform support, Textualincorporates layouts, CSS-like styles, and an expanding collection ofwidgets.

Richard Brown has posted anupdate on the status of the SUSE Adaptable Linux Platform (ALP) projectand what it means for the openSUSE distribution.

Version 5.13 of the LXD virtual-machine manager has been released. Newfeatures include fast live migration, support for AMD's secure enclaves,and more. See thisannouncement for details.

The Fedora 38release is available. Fedora has mostly moved past its old pattern oflate releases, but it's still a bit surprising that this release came outone week ahead of the scheduled date. Some of the changes in thisrelease, includingreduced shutdown timeoutsand frame pointers have been covered herein the past; see the announcement and the Workstation-edition"what'snew" post for details on the rest.

Security updates have been issued by Debian (protobuf), Fedora (libpcap, libxml2, openssh, and tcpdump), Mageia (kernel and kernel-linus), Oracle (firefox, kernel, kernel-container, and thunderbird), Red Hat (thunderbird), Scientific Linux (thunderbird), SUSE (gradle, kernel, nodejs10, nodejs12, nodejs14, openssl-3, pgadmin4, rubygem-rack, and wayland), and Ubuntu (firefox).

Matthew Garrett pointsout that many Linux systems using encrypted disks were installed with arelatively weak key derivation function that could make it relatively easyfor a well-resourced attacker to break the encryption:

The digiKam photo-management tool has announced its 8.0.0 release, after two years of development, bug fixing, and testing. Major new features include a documentation overhaul (with a new web site), support for more file formats, a new optical character recognition (OCR) tool, improved metadata handling, a neural-net-based image quality classifier, better integration with G'MIC-Qt, a Qt6-compatible code base, and lots more. See the announcement for all the details.

The kernel subsystem maintainers out there probably have a deepunderstanding of the sinking feeling that results from opening one's inboxand seeing a response from Linus Torvalds to a pull request. When all goeswell, pull requests are acted upon silently; a response usually means thatall has not gone well. Several maintainers got to experience thatfeeling during the 6.3 merge window, which seemed to generate more than theusual number of grumpy responses related to merge commits. Avoiding thatsituation is not hard, though, with a bit of attention paid to how mergesare done.

Security updates have been issued by Debian (chromium, rails, and ruby-rack), Fedora (firefox, ghostscript, libldb, samba, and tigervnc), Mageia (ceph, davmail, firefox, golang, jpegoptim, libheif, python-certifi, python-flask-restx, thunderbird, and tomcat), Oracle (firefox), Red Hat (firefox), Scientific Linux (firefox), SUSE (apache2-mod_auth_openidc, aws-nitro-enclaves-cli, container-suseconnect, firefox, golang-github-prometheus-prometheus, harfbuzz, java-1_8_0-ibm, kernel, liblouis, php7, tftpboot-installation images, tomcat, and wayland), and Ubuntu (chromium-browser, imagemagick, kamailio, and libreoffice).

The 6.3-rc7 kernel prepatch is out fortesting. "Let's hope we have just one more calm week, and we'll havehad a nice uneventful release cycle. Knock wood".

On her blog, Máirín Duffy writesabout using open-source software to run a virtual conference. The Fedora design teamrecently ran the first CreativeFreedom Summit as a virtual conference for FOSS creative tools. The teamcould have used the same non-open-source platform that is used by the Flock Fedora conference, but took adifferent path:

Security updates have been issued by Debian (haproxy and openvswitch), Fedora (bzip3, libyang, mingw-glib2, thunderbird, xorg-x11-server, and xorg-x11-server-Xwayland), and Ubuntu (apport, ghostscript, linux-bluefield, node-thenify, and python-flask-cors).

Greg Kroah-Hartman has announced the release of the 6.2.11, 6.1.24, and 5.15.107 stable kernels. They contain anothercollection of important fixes throughout the kernel tree.

The kernelsamepage merging (KSM) feature can save significant amounts of memorywith some types of workloads, but security concerns have greatly limitedits use. Even when KSM can be safely enabled, though, the control interfaceprovided by the kernel makes it unlikely that KSM actually will be used. Asmall patchseries from Stefan Roesch aims to change this situation by improvingand simplifying how KSM is managed.

Security updates have been issued by Debian (chromium, firefox-esr, lldpd, and zabbix), Fedora (ffmpeg, firefox, pdns-recursor, polkit, and thunderbird), Oracle (kernel and nodejs:14), Red Hat (nodejs:14, openvswitch2.17, openvswitch3.1, and pki-core:10.6), Slackware (mozilla), SUSE (nextcloud-desktop), and Ubuntu (exo, linux, linux-kvm, linux-lts-xenial, linux-aws, smarty3, and thunderbird).

The LWN.net Weekly Edition for April 13, 2023 is available.

Orchids are, of course,flowers, and flowers generally need pollinatorsin order to reproduce. A seemingly offhand comment about the unknown natureof the pollinator(s) for a species of orchid in Western Australiahas led Paul Hamilton to undertake a multi-year citizen-science project totry to fill that hole. He came to Everything Open 2023 togive a report on the progress of the search.

Security updates have been issued by Fedora (chromium, ghostscript, glusterfs, netatalk, php-Smarty, and skopeo), Mageia (ghostscript, imgagmagick, ipmitool, openssl, sudo, thunderbird, tigervnc/x11-server, and vim), Oracle (curl, haproxy, and postgresql), Red Hat (curl, haproxy, httpd:2.4, kernel, kernel-rt, kpatch-patch, and postgresql), Slackware (mozilla), SUSE (firefox), and Ubuntu (dotnet6, dotnet7, firefox, json-smart, linux-gcp, linux-intel-iotg, and sudo).

Python 3.12 approaches. While the full feature set of the finalrelease—slated for October 2023—is still not completely known, by nowwe have a good sense for what it will offer. It picks up where Python 3.11 left off, improving error messages and performance. These changes are accompanied by a smattering of smallerchanges, though Linux users will likely make use of one in particular:support for the perf profiler.

The latest release of FreeBSD, version 13.2, has been released. It contains lots of package upgrades including to OpenSSH 9.2p1, OpenSSL 1.1.1t, and OpenZFS 2.1.9. Other new features include upgrading the bhyve hypervisor to now support more than 16 virtual CPUs in a guest, a WireGuard VPN driver, netlink for network configuration, and lots more. See the release notes for more information.

A draftupdated trademark policy for the Rust language is being circulated forcomments. It is not a short read.

Security updates have been issued by Debian (keepalived and lldpd), Oracle (kernel), and SUSE (kernel, podman, seamonkey, and upx).