The Red Hat Enterprise Linux (RHEL) 10 beta was released in mid-November and, if all goes according to plan, CentOS Stream 10 should be released before the end of the year. While nothing is etched in stone just yet, it is a good time for anyone using or targeting RHEL (and its clones) to start taking a look at how Stream 10, and the corresponding EPEL repository, is shaping up. This is not only important to RHEL and Stream users, but anyone deploying and supporting software on enterprise Linux (EL) derivatives like AlmaLinux, Oracle Linux, and Rocky Linux as well.
The Linux kernel has many tunable parameters. While there is much advice available on the internet about how to set them, few people have the time to weed through the (often contradictory) explanations and choose appropriate values. One possible way to address this is a project called bpftune, a program that uses BPF to track various metrics about a running system and adjust the sysctl knobs appropriately. The program is developed by Oracle, and is available under a GPLv2 license. Bpftune is currently mostly focused on optimizing network settings, but the authors hope that the system is flexible enough to be extended to cover other settings.
Security updates have been issued by Debian (proftpd-dfsg and smarty3), Fedora (python3.14), Gentoo (Distrobox, eza, idna, libvirt, and OpenSC), Red Hat (container-tools:rhel8 and edk2), SUSE (avahi, curl, libsoup2, lxd, nodejs20, python-Django, python310-Django4, python312, squid, and webkit2gtk3), and Ubuntu (expat, intel-microcode, linux, linux-aws, linux-kvm, linux-lts-xenial, and shiro).
Systemd 257 has been released. As usual, the list of changes is long; it includes support for multipath TCP in socket units, the ability to run processes as init in their own PID namespace, a new tool for signing EFI binaries for secure boot, and a superhero emoji in the run0 shell prompt, among many other things. Also, support for version-1 control groups has been disabled and requires an elaborate dance to re-enable; it will be removed entirely in the next release, along with support for System V service scripts.
In a session at Open Source Summit Europe (OSS EU) back in September, Alex Bucknall gave an overview of a camera "trap" - a device to capture images in a non-intrusive way - that he helped develop which is being used to monitor seagrass. He works for the Arribada Initiative, which is a non-profit organization focused on creating open-source technology for studying wildlife and ecosystems. The camera system uses the Zephyr realtime operating system (RTOS) on an open platform that is designed to be inexpensive and usable for multiple applications.
When the Fedora Engineering Steering Council (FESCo) is up for election, the project posts interviews of the candidates in order to help Fedora contributors make an informed choice. This year, the candidates are Zbigniew Jędrzejewski-Szmek, Tomáš Hrčka, Josh Stone, David Cantrell, Fabio Alessandro Locati, and Kevin Fenzi. All of them except for Locati are current members of the steering council. Voting is open until December 20.
In 2019, the Python community had a lengthy discussion about changing the rules (that some find counterintuitive) on using break, continue, or return statements in finally blocks. These are all ways of jumping out of a finally block, which can interrupt the handling of a raised exception. At the time, the Python developers chose not to change things, because the consensus was that the existing behavior was not a problem. Now, after a report put together by Irit Katriel, the project is once again considering changing the language.
The OpenWrt project has issued an advisory regarding a vulnerability found in its Attended Sysupgrade Server that could allow compromised packages to be installed on a router by an attacker. No official OpenWrt images were affected, and the vulnerability is not known to be exploited, but users who have installed images created with an instance of this server are recommended to reinstall. For a detailed description of how the exploit works, see this blog post.
The 6.13-rc2 kernel prepatch is out for testing. "The diffstat looks a bit unusual with 80%+ drivers, and a lot of it one-liners, but that's actually just because of a couple of automated scripts that got run after -rc1 for some cleanups. Nothing particularly interesting, but it makes for a lot of noise in the diff." One of those scripts was the EXPORT_SYMBOL_NS() change (to make it use a quoted string for the namespace name) described in this article.
A compromised release was uploaded to PyPI after a project automatically processed a pull request with a flawed script. The GitHub account "OpenIM Robot" (which appears to be controlled by Xinwei Xiong) opened a pull request for the ultralytics Python package. The pull request included a suspicious Git branch name:
Greg Kroah-Hartman released version 6.12.3 of the kernel to fix a regression that can cause some machines to fail to boot on version 6.12.2. The other stable branches are continuing on their normal cadence, with 6.12.4-rc1 and 6.6.64-rc1 starting review today.
The page structure sits at the core of the kernel's memory-management subsystem (for now), and a key part of that structure is its reference count, stored in refcount. The page reference count tells the kernel how many users a given page has and when it can be freed. That count is not needed for every page in the system, though. Matthew Wilcox has recently resurrected an old patch set that expands the concept of a "frozen" page - one that lacks a meaningful reference count - to the immediate benefit of the slab allocator but in the service of a longer-term goal as well.
Security updates have been issued by AlmaLinux (firefox, postgresql, postgresql:12, postgresql:13, postgresql:15, postgresql:16, python3:3.6.8, and thunderbird), Debian (clamav), Fedora (pam), Red Hat (firefox, postgresql:13, postgresql:15, python-tornado, redis:7, ruby, ruby:2.5, and ruby:3.1), SUSE (avahi, docker-stable, java-1_8_0-openjdk, libmozjs-128-0, obs-scm-bridge, php8, and teleport), and Ubuntu (ghostscript, needrestart, and shiro).
Apertis is a Collabora-developed Debian derivative distribution designed to be incorporated into electronic devices; the v2024 release is now available. It is now based on the Bookworm release, and includes support for Podman, ONNX Runtime, OP-TEE, and more.
In July, Let's Encrypt announced it was ending support "as soon as possible" for the Online Certificate Status Protocol (OCSP) in favor of Certificate Revocation Lists (CRLs) due to privacy concerns. The organization has now announced that it has set a timeline, and will be turning off its OCSP responders on August 6, 2025. There is additional action required for Let's Encrypt users who use the OCSP Must Staple Extension:
System76 has announced the fourth alpha release of its Rust-based COSMIC desktop. New features in this version include the ability to set default applications, region and language settings, a new Accessibility applet, as well as support for variable refresh rate (VRR) in the cosmic-comp compositor and the display settings tool. See the blog post for a full list of fixes and performance improvements. LWN covered the first alpha release in August.
It has long been said that naming things is one of the hard things to do in computer science. That may be so, but it pales in comparison to the challenge of handling usernames properly in applications. This is especially true when multiple applications are involved, and they are all supposed to agree on what characters are, and are not, allowed. The Debian project is facing that problem right now, as two user-creation utilities disagreed about which names are allowable. A plan is in place to sort this out before the release of Debian 13 ("trixie") sometime next year.
Greg Kroah-Hartman has released the 6.12.2, 6.11.11, and 4.19.325 stable kernels. Note that both 6.11.11 and 4.19.325 are the last kernels in those series, "please move off to a newer kernel version". In the 4.19.325 release notice, he has a rather longer-than-usual message, including:
Security updates have been issued by Fedora (thunderbird, tuned, and webkitgtk), Mageia (python-aiohttp and qemu), Oracle (container-tools:ol8, firefox, java-1.8.0-openjdk, java-11-openjdk, kernel, kernel:4.18.0, krb5, pam, postgresql:16, python-tornado, python3:3.6.8, thunderbird, tigervnc, tuned, and webkit2gtk3), Red Hat (bzip2, postgresql, postgresql:13, postgresql:15, postgresql:16, python-tornado, and ruby:3.1), Slackware (python3), SUSE (postgresql, postgresql16, postgresql17, postgresql13, postgresql14, postgresql15, python-python-multipart, and python3), and Ubuntu (python-django and recutils).
Fedora Project Leader Matthew Miller reports that the project's search to replace Pagure as its git forge is almost complete, with the Fedora Council strongly in favor of Forgejo:
Linus Walleij writes about a pair of security features for 32-bit Arm systems; these landed in 6.10, but, he says, have now stabilized to the point that distributors may want to enable them.
Linux offers two broad ways of performing I/O to files. Buffered I/O, which is the usual way of accessing a file, stores a copy of the transferred data in the kernel's page cache to speed future accesses. Direct I/O, instead, moves data directly between the storage device and a user-space buffer, avoiding the page cache. Both modes have their advantages and disadvantages. In 2019, Jens Axboe proposed an uncached buffered mode to get some of the advantages of both, but that effort stalled at the time. Now, uncached buffered I/O is back with some impressive performance results behind it.
Version 6.0.0 of the Hurl command-line tool has been released. Hurl is a curl-powered utility that runs HTTP requests and tests defined in a plain-text Hurl file. Notable features in this release include the ability to generate dynamic values with functions, shorter syntax, and an option to export Hurl files to a list of curl commands. See the release notes for a full list of changes and downloads.
Security updates have been issued by Red Hat (go-toolset:rhel8, grafana, kernel, kernel-rt, kernel:4.18.0, pam, pam:1.5.1, pcs, postgresql:12, postgresql:15, postgresql:16, python3:3.6.8, qemu-kvm, rhc, rhc-worker-playbook, and virt:rhel and virt-devel:rhel) and SUSE (ansible-10, ansible-core, avahi, bpftool, python, python3, python36, webkit2gtk3, and xen).
The traditional structure of a compiler forms a pipeline - parsing, type-checking, optimization, and code-generation, usually in that order. But modern programming languages have requirements that are ill-suited to such a design. Increasingly, compilers are moving toward other designs in order to support incremental compilation and low-latency responses for uses like integration into IDEs. Rust has, for the last eight years, been pursuing a particularly unusual design; in that time compile times have substantially improved, but there's still more work to be done.
Security updates have been issued by AlmaLinux (container-tools:rhel8, kernel, kernel-rt:4.18.0, kernel:4.18.0, pam, pam:1.5.1, perl-App-cpanminus, perl-App-cpanminus:1.7044, python-tornado, tigervnc, tuned, and webkit2gtk3), Debian (needrestart and webkit2gtk), Mageia (firefox, glib2.0, krb5, and thunderbird), Red Hat (firefox, postgresql, postgresql:12, postgresql:13, postgresql:15, postgresql:16, and thunderbird), SUSE (editorconfig-core-c, kernel, php7, php8, python, python-tornado6, python3-virtualenv, python310, python39, thunderbird, wget, and wireshark), and Ubuntu (firefox and haproxy).
Security updates have been issued by Debian (dnsmasq, editorconfig-core, lemonldap-ng, proftpd-dfsg, python3.9, simplesamlphp, tgt, and xfpt), Fedora (qbittorrent, webkitgtk, and wireshark), Mageia (libsoup3 & libsoup), Red Hat (buildah, grafana, grafana-pcp, and podman), SUSE (gimp, kernel, postgresql14, python, webkit2gtk3, xen, and zabbix), and Ubuntu (ansible and postgresql-12, postgresql-14, postgresql-16).
The 6.13 merge window closed with the release of 6.13-rc1 on December 1. By that time, 11,307 non-merge commits had been pulled into the mainline repository; about 9,500 of those landed after our first-half merge-window summary was written. There was a lot of new material in these patches, including architecture-support improvements, new BPF features, an efficient way to add guard pages to an address space, more Rust support, a vast number of new device drivers, and more.
Linus has released 6.13-rc1 and closed the merge window for this release. "And for once - possibly the first time ever - it looks like the release cycle doesn't clash horribly up with the holiday season, and we'll have time both to stabilize this release, _and_ the work for 6.14 won't be starting until well into January."
Earlier today, one of our subscribers, anselm, posted the one millionth item in our database during a discussion in the comments about the GPL. One million articles and comments is a big milestone - one representing twenty two years of work by both the editors of LWN and the community. I think reaching this milestone on Thanksgiving is a lovely coincidental reminder of how far LWN has come, and how that wouldn't have been possible without your support. So thank you for reading.
The long-awaited release of the GNU Image Manipulation Program (GIMP) 3.0 is on the way, marking the first major update since version 2.10 was released in April 2018. It now features a GTK 3 user interface and GIMP 3.0 introduces significant changes to the core platform and plugins. This release also brings performance and usability improvements, as well as more compatibility with Wayland and complex input sources.
Version 8 of the Ubuntu-based elementary OS has been released. This release includes a rewritten Dock, new window-management features, improvements in the installation and initial setup procedures for visually impaired users, as well as a new Secure Session mode:
For the most part, the 6.13 merge window has gone smoothly, with relatively few problems or disagreements - other than this one, of course. There is one other exception, though, relating to the kernel's presentation of a process's command line to interested user-space observers when a relatively new system call is used. A pull request with a simple change to make that information more user-friendly ran afoul of Linus Torvalds, who has his own view of how it should be managed.
Security updates have been issued by Debian (mpg123 and php8.2), Fedora (libsndfile, mingw-glib2, mingw-libsoup, mingw-python3, and qbittorrent), Oracle (pam:1.5.1 and perl-App-cpanminus), Red Hat (firefox, thunderbird, and webkit2gtk3), Slackware (mozilla), SUSE (firefox, rclone, tomcat, tomcat10, and xen), and Ubuntu (gh, libsoup2.4, libsoup3, pygments, TinyGLTF, and twisted).
Arch Linux is popular as a base for other Linux distributions; examples of Arch-derivatives include EndeavourOS, Manjaro, Parabola, and SteamOS. There's one small problem: the control files used to describe how to build packages for Arch Linux have no stated license. That creates a bit of uncertainty about the rights and responsibilities for the downstream derivatives. So far, that doesn't seem to have been a problem, nor has it stopped other projects from assuming that reuse is allowed. However, the Arch project is looking to add some clarity by explicitly assigning a liberal license to its package sources. Currently the project is in the process of reaching out to contributors to see if they have any objections.
Mozilla has announced the release of Firefox 133.0. Notable in this release is the addition of a new anti-tracking feature, Bounce Tracking Protection, which detects trackers based on redirect behavior and automatically purges their cookies and site data to thwart tracking. The release also includes various security fixes and more.