Security updates have been issued by Debian (ffmpeg, ghostscript, libarchive, and tinyxml), Fedora (CuraEngine, epiphany, gzip, usd, vim, xen, and xz), Oracle (maven-shared-utils and qemu), Red Hat (gzip, python27-python and python27-python-pip, rh-maven36-maven-shared-utils, rh-python38-python, rh-python38-python-lxml, and rh-python38-python-pip, and zlib), Slackware (pidgin), SUSE (jasper, java-11-openjdk, libcaca, libslirp, mariadb, mutt, nodejs12, opera, and python-Twisted), and Ubuntu (libinput).
The 5.18-rc5 kernel prepatch is out fortesting. "So if rc4 last week was tiny and smaller than usual, it seems to havebeen partly timing, and rc5 is now a bit larger than usual.But only a very tiny bit larger - certainly not outrageously so, andnot something that worries me."
One of the changes merged for the 5.18 kernel was a specialized memory allocator for BPFprograms that have been loaded into the kernel. Since then, though, thisfeature has run into a fair amount of turbulence and will almost certainly be disabledin the final 5.18 release. This outcome is partly a result of bugs in theallocator itself, but this work also had the bad luck to trip some olderand deeper bugs within the kernel's memory-management subsystem.
Security updates have been issued by Fedora (dhcp, gzip, podman, rsync, and usd), Mageia (firefox/nss/rootcerts, kernel, kernel-linus, and thunderbird), Oracle (container-tools:2.0, container-tools:3.0, mariadb:10.3, and zlib), Red Hat (Red Hat OpenStack Platform 16.2 (python-twisted), xmlrpc-c, and zlib), SUSE (glib2, nodejs12, nodejs14, python-paramiko, python-pip, and python-requests), and Ubuntu (curl, ghostscript, libsdl1.2, libsdl2, mutt, networkd-dispatcher, and webkit2gtk).
There is a long and growing list of options for getting information out ofthe kernel but, in the real world, print statements still tend to be thetool of choice. The kernel's printk()function often comes up short, despite the fact that it provides a set ofkernel-specific features, so there has, for some time, been interest inbetter APIs for textual output from the kernel. The "printbuf"proposal from Kent Overstreet is one step in that direction, but willneed some changes to make it work well with features the kernel alreadyhas.
Running code from inside a cloned Git repository is potentially risky, butnormally just inspecting such a repository is considered to be safe. As arecent posting to the Git mailing list shows, however, there are stillrisks lurking inside these repositories; code that lives in them can betriggered in unexpected ways. In particular, malicious "bare" repositoriescan be added as a subdirectory of a repository; they can be configured to runcode whenever Git commands are executed there, which is something that canhappen in surprising ways. There is now an effortunderway to try to address the problem in Git, without breaking thelegitimate need for including bare repositories into a Git tree.
As was recently reported here, the Fedoraproject has been considering dropping support for legacy BIOS systems inupcoming releases. The idea was controversial at best, and the minutes from the April 26 FESCo meetingshow that it has been rejected, for now at least. The BIOS SIG will beasked for a new plan for BIOS support in Fedora.
Version 4.0 of the YoctoProject distribution builder is out. Changes include a move to the 5.15 kernel, reproducibility fixes, improvedoverlayfs support, numerous security updates, and a long list of new recipes.
The5.17.5,5.15.36,5.10.113,5.4.191,4.19.240,4.14.277, and4.9.312stable kernels have all been released, one day earlier than had originallybeen expected.As usual, each contains another set of important fixes.
Security updates have been issued by Mageia (virtualbox), Red Hat (container-tools:2.0, container-tools:3.0, gzip, kernel, kernel-rt, kpatch-patch, mariadb:10.3, mariadb:10.5, maven-shared-utils, polkit, vim, xmlrpc-c, and zlib), Scientific Linux (maven-shared-utils), SUSE (ant, go1.17, go1.18, kernel, and xen), and Ubuntu (fribidi, git, libcroco, libsepol, linux, linux-gcp, linux-ibm, linux-lowlatency, openjdk-17, and openjdk-lts).
Python's super()built-in function can be somewhat confusing, as highlighted by a hugepython-ideas thread that we started lookingat last week. It is used by methods in class hierarchies to accessmethods and attributes in a parent class, but exactly which classthat super() resolves to is perhaps a bit unclear in multiple-inheritance hierarchies.The discussion in the second "half" of the thread further highlighted somelesser-known parts of the language.
Security updates have been issued by Debian (ffmpeg), Fedora (htmldoc, moby-engine, plantuml, and zchunk), Oracle (java-1.8.0-openjdk, java-17-openjdk, and kernel), Red Hat (java-1.8.0-openjdk), Scientific Linux (java-1.8.0-openjdk), Slackware (freerdp), SUSE (kernel, mutt, SUSE Manager Client Tools, and xen), and Ubuntu (barbican and git).
The kernel gained support for the TLSprotocol in the 4.13 release, which came out in September 2017. Thatsupport is incomplete, though, in that it does not provide the kernel witha way to initiate a TLS connection on its own. Instead, user space createsa socket and performs the TLS handshake before handing the socket to thekernel, which can then transfer data using TLS. The situation may be aboutto change as a result of thispatch series from Chuck Lever — though user space will still need toremain in the picture.
Security updates have been issued by Fedora (kernel, kernel-headers, kernel-tools, libinput, podman-tui, and vim), Mageia (git, gzip/xz, libdxfrw, libinput, librecad, and openscad), and SUSE (dnsmasq, git, libinput, libslirp, libxml2, netty, podofo, SDL, SDL2, and tomcat).
The 5.18-rc4 kernel prepatch is out fortesting. "Fairly slow and calm week - which makes me just suspectthat the other shoe will drop at some point. But maybe things are justgoing really well this release. It's bound to happen _occasionally_, afterall."
Subsystem maintainers routinely use gitrequest-pull as part of the process of sending work upstream. Normally, the result includes a list ofcommits included in the request and a nicediffstat that shows which files will be touched and how much of each willbe changed; examplesabound on the kernel mailing lists. Occasionally, though, a repository with a relativelycomplicated development history will yield a massive diffstat containing agreat deal of unrelated work. The result looks ugly and obscures what thepull request is actually doing. This document describes what is happeningand how to fix things up; it is derived from The Wisdom of Linus Torvalds,which has been posted numerous times over the years (example 1,example 2).
Security updates have been issued by Fedora (composer, golang-x-crypto, rubygem-nokogiri, wavpack, xen, and xz) and SUSE (dnsmasq, openjpeg, swtpm, tomcat, and xen).
The Ubuntu 22.04 LTS release, codenamed "Jammy Jellyfish", is now available. It comes in several editions (Desktop, Server, Cloud, and Core) and multiple flavors (Ubuntu Budgie, Kubuntu, Lubuntu, Ubuntu Kylin, Ubuntu MATE,UbuntuStudio, and Xubuntu). Lots more information can be found in the release notes.
The Debian project leader election has completed and Jonathan Carter has been reelected for his third term. For more information, see the Debian vote page. We looked at the candidates back in March.
The world of music and audio production is largely dominated byproprietary software vendors. Among them, Steinberg stands out as a companythat created some of the most-used software, including the Cubase and Nuendo digital audioworkstations. Steinberg is also known as the creator of the VST plugin APIthat, largely due to its licensing policy, has irritated developers enough toinspire multiple attempts at creating an open-source alternative. Even now,when the VST3 SDK is available under theGPLv3 license, the way the company exercises its control over the SDKkeeps pushing developers away toward other open-source solutions.This is an introduction to open-source pluginAPIs for musicians and sound engineers alike. It focuses on the options inthe larger ecosystem and how their shortcomings led to the creation of newalternatives with liberal licensing.
The OpenWrt 21.02.3and 19.07.10updates have been released. These updates contain some security fixes andimproved device support. It's noting that this is the last 19.07 update:
A proposal to "deprecate" support for BIOS-only systems for Fedora, by no longersupporting new installations on those systems, led to a predictably longdiscussion on the Fedora devel mailing list. There are, it seems, quite a fewusers who still have BIOS-based systems; many do not want tohave to switch away from Fedora simply to keep their systems up to date.But, sometime in the future, getting rid of BIOS support seems inevitable since theburden on those maintaining the tools for installing and bootingthose systems is non-trivial and likely to grow over time. To headthat off, a special interest group (SIG) may form to help keep BIOS supportalive until it really is no longer needed.
On his blog, Tom Tromey writes about speeding up the startup of the GDB debugger. He sees 7x improvements in startup time (e.g. 2.2 to 0.3 seconds) for C++ code.
Security updates have been issued by Debian (condor), Red Hat (389-ds:1.4, container-tools:2.0, kernel, kernel-rt, and kpatch-patch), SUSE (chrony, containerd, expat, git, icedtea-web, jsoup, jsr-305, kernel, libeconf, shadow and util-linux, protobuf, python-libxml2-python, python3, slirp4netns, sssd, vim, and wpa_supplicant), and Ubuntu (bash).
The5.17.4,5.15.35,5.10.112,5.4.190,4.19.239,4.14.276,and 4.9.311 stable kernel updates have all beenreleased; each contains another relatively large set of important fixes.
A mega-thread in the python-ideas mailing list is hardly surprising, ofcourse; wehave covered quite a few of them over the years. A recent examplehelps shine a light into a dark—or at least dim—corner of the Pythonlanguage: the super()built-in function for use by methods in class hierarchies.There are some, perhaps surprising, aspects to super() along withwrinkles in how to properly use it. But it has been part of the languagefor a long time, so changes to its behavior, as was suggested in thethread, are pretty unlikely.
Luis Falcon brings the sad news that Pedro Francisco haspassed on. "Pedro created and managed MasGNULinux, a Spanish blog with news about FreeSoftware and GNU/Linux. MasGNULinux was the best reference in the latestFree Software projects for the Spanish speaking community."
Security updates have been issued by Debian (gzip and xz-utils), Fedora (dhcp and rsync), Mageia (chromium-browser-stable), openSUSE (chromium), SUSE (gzip, openjpeg2, and zabbix), and Ubuntu (klibc).
Over on the blog for the GNU Guix project, which is a "transactional package manager and an advanced distribution of the GNU system that respects user freedom", the project reflects on its ten-year journey. The post consists of personal accounts from around two dozen contributors about the project, its history, and its community.
Version 2.36.0 of the Gitsource-code management system is out. As usual, the list of new featuresis long; this GitHubblog post covers some of the highlights:
The ftrace and perf subsystems provide visibility into the workings of thekernel; by activating existing tracepoints, interested developers can seewhat is happening at specific points in the code. As much as kerneldevelopers may resist the notion, though, not all events of interest on asystem happen within the kernel. Administrators will often want to lookinside user-space processes as well; they would be even happier with amechanism that allows the simultaneous tracing of events in both the kerneland user space. The user-eventssubsystem, developed by Beau Belgrave and addedduring the 5.18 merge window, promises that capability, but users will almost certainly have to waitanother cycle to gain access to it.
Security updates have been issued by Debian (abcm2ps and chromium), Fedora (cacti, cacti-spine, and fribidi), and Mageia (crun, docker-containerd, libarchive, mediawiki, and ruby).
The 5.18-rc3 kernel prepatch is out fortesting. "It's Sunday afternoon, and you all know what that means. It's time foranother release candidate.(Yes, yes, it's also Easter Sunday, but priorities, people!)"
Version 9.1 of the GNU coreutils package has been released with lots ofsmall tweaks and improvements. "ls no longer colors files withcapabilities by default, as file-based capabilities are very rarely used,and lookup increases processing per file by about 30%. It's best to usegetcap [-r] to identify files with capabilities."
Your editor has a certain tendency to accumulate books, to the point thatthey crowd everything else out of the house. There is a lot to be said forbooks: a physical book has auser interface that has been optimized over centuries, and one can have areasonably high degree of certainty that any given book will still work afew decades from now. Neither of those can be said for electronic books,but they do have the advantages of taking less shelf space and being moreportable. So electronic books are part of the reading menu, whichnaturally leads to the search for a free reader for those books; KOReader turns out to be an interestingalternative.
Greg Kroah-Hartman has announced the release of the 5.4.189 and 4.19.238 stable kernels. As usual, theycontain important fixes throughout the tree and users should upgrade.
LWN.net