Like many projects written in C, the kernel makes extensive use of the C preprocessor; indeed, the kernel's use is rather more extensive than most. The preprocessor famously has a number of sharp edges associated with it. One might not normally think of increased compilation time as one of them, though. It turns out that some changes to a couple of conceptually simple preprocessor macros - min() and max() - led to some truly pathological, but hidden, behavior where those macros were used.
We have received the sad news that Dr. Mel Chua has passed away. Mel was probably best known in the free-software community as a contributor to the Fedora Project in its early days. The Fedora Community blog honored Mel recently after she had moved to hospice care with tributes from several Fedorans. Stephen Jacobs wrote:
Arnd Bergmann has posted a detailed timeline for the deprecation of support for old Arm CPUs in both the kernel and the compiler toolchain. Anybody who is working with that hardware will likely want to review this list and let the relevant developers know if any of that support is still needed.
Version 2.0 of the Vanilla OS image-based Linux distribution has been released. Dubbed "Orchid", Vanilla OS is now based on Debian Sid (prior versions were Ubuntu-based), allows creation of customized Linux environments, adds support for running Android applications using Waydroid, and includes many other improvements.
A few years ago, PyGObject - the Python package that provides bindings for GTK and GNOME applications - was not faring particularly well. Several maintainers had left the project and its development was not keeping pace with changes in GTK. At this year's GUADEC, Dan Yeaw presented a talk about the project's decline, improvements in the last year, and his experience getting involved in an undermaintained project.
Version 8.0 of the Forgejo software-development platform has been released. Notable changes include the removal of non-free software found in the codebase, improved stability, and a reduction in "seemingly random User Interface changes":
A bootstrappable build is one that builds existing software from scratch - for example, building GCC without relying on an existing copy of GCC. In 2023, the Guix project announced that the project had reduced the size of the binary bootstrap seed needed to build its operating system to just 357-bytes - not counting the Linux kernel required to run the build process. Now, the live-bootstrap project has gone a step further and removed the need for an existing kernel at all.
At the 2024 Linux Storage, Filesystem, Memory Management, and BPF Summit, John Groves led a session on famfs, which is a filesystem he has developed that uses the kernel's direct-access (DAX) mechanism to access memory that is shareable between hosts. The discussion was aimed at whether a different approach should be taken and, in particular, whether FUSE should be used instead of implementing as an in-kernel filesystem. As noted in the thread about his proposal for an LSFMM+BPF session, and the mailing-list discussions on the first and second version of his patch set, there is some skepticism that a new in-kernel filesystem is warranted for the use case.
At GUADEC in Denver, Colorado on July 21, the GNOME Foundation held its annual general meeting (AGM) to provide updates from the foundation's board and committees. Topics included work accomplished in the past year, challenges facing the GNOME Foundation - including fundraising and finding a new executive director - and some insight into plans for the next year. And last, but not least, the awarding of the Pants of Thanks.
Version 2.46.0 of the Git source-code management system has been released. This release seems to consist of a long list of interface and performance improvements rather than big new features; see the announcement for the details.
The release of 6.11-rc1 marked the end of the 6.11 merge window on July 28. By that time, 12,102 non-merge changesets had been pulled into the mainline repository; about 8,000 of those came in after the first-half summary was written. Quite a few significant changes were to be found in those changesets; there is also one big change that did not make it.
Linus Torvalds has released 6.11-rc1 and closed the merge window for this development cycle. "The merge window felt pretty normal, and the stats all look pretty normal too. I was expecting things to be quieter because of summer vacations, but that (still) doesn't actually seem to have been the case." Note that the extensible scheduler class ("sched_ext") was not merged, even though Torvalds had said he would back in June. Sched_ext, it seems, will need another development cycle out of tree.
The 6.10.2, 6.9.12, 6.6.43, 6.1.102, 5.15.164, 5.10.223, 5.4.281, and 4.19.319 stable kernel updates have all been released; each contains a relatively small set of important fixes, at least one of which appears to close a minor security hole.
One of the simplest hardening concepts to understand is that memory should never be both writable and executable, otherwise an attacker can use it to load and run arbitrary code. That rule is generally followed in Linux systems, but there is a glaring loophole that is exploitable from user space to inject code into a running process. Attackers have duly exploited it. A new effort to close the hole ran into trouble early in the merge window, but a solution may yet be found in time for the 6.11 kernel release.
Security updates have been issued by AlmaLinux (linux-firmware and squid), Debian (bind9), Fedora (kubernetes, thunderbird, and tinyproxy), Oracle (containernetworking-plugins, cups, edk2, httpd, httpd:2.4, kernel, kernel-container, libreoffice, libuv, libvirt, python3, and runc), Red Hat (freeradius:3.0, httpd, and squid), and SUSE (giflib and python-dnspython).
In the previous episode of the vgetrandom() story, Jason Donenfeld had put together a version of the getrandom() system call that ran in user space, significantly improving performance for applications that need a lot of random data while retaining all of the guarantees provided by the system call. At that time, it seemed that a consensus had built around the implementation and that it was headed toward the mainline in that form. A few milliseconds after that article was posted, though, a Linus-Torvalds-shaped obstacle appeared in its path. That obstacle has been overcome and this work has now been merged for the 6.11 kernel, but its form has changed somewhat.
On July 12, Jocelyn Falempe proposed a change to the configuration options that Fedora sets for its kernels, in order to make kernel panics easier to report. Falempe would like to enable the kernel's recently added DRM-panic feature, which adds a graphical crash screen that is reminiscent of the infamous Windows "blue screen of death" for kernel panics. The feature introduces a few tradeoffs, including currently limited driver support, so the proposal spawned a good deal of discussion.
Version 1.80.0 of the Rust language has been released. Changes include the new LazyCell and LazyLock types (which delay data initialization until the first access), the stabilization of the exclusive-range syntax for match patterns, and more.
Security updates have been issued by AlmaLinux (containernetworking-plugins, cups, edk2, httpd, httpd:2.4, libreoffice, libuv, libvirt, python3, and runc), Fedora (exim, python-zipp, xdg-desktop-portal-hyprland, and xmedcon), Red Hat (cups, fence-agents, freeradius, freeradius:3.0, httpd:2.4, kernel, kernel-rt, nodejs:18, podman, and resource-agents), Slackware (htdig and libxml2), SUSE (exim), and Ubuntu (ocsinventory-server, php-cas, and poppler).
Linux Mint has announced version 22 of the distribution in three editions: Cinnamon, MATE, and Xfce. Mint 22 is based on Ubuntu 24.04 and uses kernel version 6.8.0:
Greg Kroah-Hartman has released the 6.10.1 stable kernel update. This release contains a small number of seemingly urgent regression fixes. Users of this kernel series are advised to upgrade.
Updated installation images for the OpenMandriva ROME rolling release Linux distribution are now available. Notable features in the 24.07 snapshot include KDE Plasma 6 as the default desktop, the addition of Proton and Proton experimental packages for playing Windows games on Linux, as well as GNOME 46.3 and LXQt 2.0.0 spins.
David Howells wanted to discuss swap handling in light of multi-page folios in a combined storage, filesystem, and memory-management session at the 2024 Linux Storage, Filesystem, Memory Management, and BPF Summit. Swapping has always been done with a one-to-one mapping of memory pages to swap slots, he said, but swapping multi-page folios breaks that assumption. He wondered if it would make sense to use filesystem techniques to track swapped-out folios.
Ryan Sipes told the audience during his keynote at GUADEC 2024 in Denver, Colorado that the Thunderbird mail client "probably shouldn't still be alive". Thunderbird, however, is not only alive - it is arguably in better shape than ever before. According to Sipes, the project's turnaround is a result of governance, storytelling, and learning to be comfortable asking users for money. He would also like it quite a bit if Linux distributions stopped turning off telemetry.
Let's Encrypt has announced that it intends to end support "as soon as possible" for the Online Certificate Status Protocol (OCSP) over privacy concerns. OCSP was developed as a lighter-weight alternative to Certificate Revocation Lists (CRLs) that did not involve downloading the entire CRL in order to check whether a certificate was valid. Let's Encrypt will continue supporting OCSP as long as it is a requirement for Microsoft's Trusted Root Program, but hopes to discontinue it soon:
Security updates have been issued by Fedora (ghostscript and xmedcon), Gentoo (Dmidecode, ExifTool, and Freenet), Red Hat (containernetworking-plugins, cups, edk2, httpd, httpd:2.4, kernel, kernel-rt, krb5, libreoffice, libuv, libvirt, linux-firmware, nghttp2, nodejs, openssh, python3, runc, thunderbird, and tpm2-tss), Slackware (aaa_glibc, bind, and mozilla), SUSE (postgresql14, python-sentry-sdk, and shadow), and Ubuntu (activemq, bind9, haproxy, nova, provd, python-zipp, squid, squid3, and tomcat).
Simon Willison, co-creator of the popular Django web framework for Python, gave a keynote presentation at PyCon 2024 on a topic that is unrelated to that work: large language models (LLMs). The topic grew out of some other work that he is doing on Datasette, which is a Python-based "tool for exploring and publishing data". The talk was a look beyond the hype to try to discover what useful things you can actually do today using these models. Unsurprisingly, there were some cautionary notes from Willison, as well.
The Python Software Foundation (PSF) board has announced improvements to its grants program that have been enacted as a response to "concerns and frustrations" with the program:
Mark Zuckerberg has posted an article announcing some new releases of the Llama large language model and going on at length about why open-source models are important:
LWN has covered BPF since its initial introduction to Linux, usually through the lens of the newest developments; this can make it hard to view the whole picture. BPF provides a way to extend a running kernel, without having to recompile and reboot. It does this in a safe way, so that malicious BPF programs cannot crash a running kernel, thanks to the BPF verifier. So how does the verifier actually work, what are its limits, and how has it changed since the early days of BPF?
Version 2.40 of the GNU C Library has been released. Changes include partial support for the ISO C23 standard, a new tunable for the testing of setuid programs, improved 64-bit Arm vector support, and a handful of security fixes. See the release notes for details.
Security updates have been issued by Fedora (gtk3 and jpegxl), Red Hat (kpatch-patch and thunderbird), SUSE (apache2, git, gnome-shell, java-11-openjdk, java-21-openjdk, kernel, kernel-firmware, kernel-firmware-nvidia-gspx-G06, libgit2, mozilla-nss, nodejs20, python-Django, and python312), and Ubuntu (linux-aws, linux-aws, linux-aws-5.4, linux-iot, linux-aws-5.15, pymongo, and ruby-rack).
Red Hat, through members of the Fedora Workstation Working Group, has taken another swing at persuading the Fedora Project to allow metrics related to the real-world use of the Workstation edition to be collected. The first proposal, aimed for Fedora 40, was withdrawn to be reworked based on feedback. This time around, the proponents have shifted from asking for opt-out telemetry to opt-in metrics, with more detail about what would be collected and the policies that would govern data collection. The change seems to be on its way to approval by the Fedora Engineering Steering Council (FESCo) and is set to take effect for Fedora 42.
The Next Generation Internet (NGI) project, an initiative of the EU's European Commission (EC), provides funding in the form of grants for a wide variety of open-source software, including Redox, Briar, SourceHut, and many more. But the NGI project is not among those that would be funded under the current draft budget for 2025, as The Register reports. More than 60 organizations have signed on to an open letter asking the EC to reconsider:
The NumPy project released version 2.0.0 on June 16, the first major release of the widely used Python-based numeric-computing library since 2006. The release has been planned for some time, as an opportunity to clean up NumPy's API. As with most NumPy updates, there are performance improvements to several individual functions. There are only a few new features, but several backward-incompatible changes, including a change to NumPy's numeric-promotion rules. Changes to the Python API require relatively minor changes to Python code using the library, but the changes to the C API may be more difficult to adapt to. In both cases, the official migration guide describes what needs to be adapted to the new version.
The kernel will not consent to execute just any file that happens to be sitting in a filesystem; there are formalities, such as the checking of execute permission and consulting security policies, to get through first. On some systems, security policies have been established to limit execution to specifically approved programs. But there are files that are not executed directly by the kernel; these include scripts fed to language interpreters like Python, Perl, or a shell. An attacker who is able to get an interpreter to execute a file may be able to bypass a system's security policies. Mickael Salaun has been working on closing this hole for years; the latest attempt takes the form of a new flag to the execveat() system call.
The sad news that Peter de Schrijver has passed away has just reached us. An obituary in Dutch relates that he passed in a Helsinki hospital on July 12. Mind Software Consulting, which he founded, has a message of condolences as well. De Schrijver was a Debian Developer and a Linux kernel contributor; he will be missed.
The Apache Software Foundation (ASF) has announced that it will be changing its logo to remove the feather that has been part of its brand since 1997. ASF members will have input on the rebranding process and be able to vote on the new logo, which will be unveiled at the Community Over Code conference in October.
Greg Kroah-Hartman has released seven new stable kernels: 6.9.10, 6.6.41, 6.1.100, 5.15.163, 5.10.222, 5.4.280, and 4.19.318. As usual, each contains important fixes throughout the kernel tree.