The Ubuntu 22.04 LTS release, codenamed "Jammy Jellyfish", is now available. It comes in several editions (Desktop, Server, Cloud, and Core) and multiple flavors (Ubuntu Budgie, Kubuntu, Lubuntu, Ubuntu Kylin, Ubuntu MATE, Ubuntu Studio, and Xubuntu). Lots more information can be found in the release notes.
The Debian project leader election has completed and Jonathan Carter has been reelected for his third term. For more information, see the Debian vote page. We looked at the candidates back in March.
The world of music and audio production is largely dominated by proprietary software vendors. Among them, Steinberg stands out as a company that created some of the most-used software, including the Cubase and Nuendo digital audio workstations. Steinberg is also known as the creator of the VST plugin API that, largely due to its licensing policy, has irritated developers enough to inspire multiple attempts at creating an open-source alternative. Even now, when the VST3 SDK is available under the GPLv3 license, the way the company exercises its control over the SDK keeps pushing developers away toward other open-source solutions. This is an introduction to open-source plugin APIs for musicians and sound engineers alike. It focuses on the options in the larger ecosystem and how their shortcomings led to the creation of new alternatives with liberal licensing.
The OpenWrt 21.02.3 and 19.07.10 updates have been released. These updates contain some security fixes and improved device support. It's worth noting that this is the last 19.07 update:
A proposal to "deprecate" support for BIOS-only systems for Fedora, by no longer supporting new installations on those systems, led to a predictably long discussion on the Fedora devel mailing list. There are, it seems, quite a few users who still have BIOS-based systems; many do not want to have to switch away from Fedora simply to keep their systems up to date. But, sometime in the future, getting rid of BIOS support seems inevitable since the burden on those maintaining the tools for installing and booting those systems is non-trivial and likely to grow over time. To head that off, a special interest group (SIG) may form to help keep BIOS support alive until it really is no longer needed.
On his blog, Tom Tromey writes about speeding up the startup of the GDB debugger. He sees 7x improvements in startup time (e.g. 2.2 to 0.3 seconds) for C++ code.
Security updates have been issued by Debian (condor), Red Hat (389-ds:1.4, container-tools:2.0, kernel, kernel-rt, and kpatch-patch), SUSE (chrony, containerd, expat, git, icedtea-web, jsoup, jsr-305, kernel, libeconf, shadow and util-linux, protobuf, python-libxml2-python, python3, slirp4netns, sssd, vim, and wpa_supplicant), and Ubuntu (bash).
The 5.17.4, 5.15.35, 5.10.112, 5.4.190, 4.19.239, 4.14.276, and 4.9.311 stable kernel updates have all been released; each contains another relatively large set of important fixes.
A mega-thread in the python-ideas mailing list is hardly surprising, of course; we have covered quite a few of them over the years. A recent example helps shine a light into a dark—or at least dim—corner of the Python language: the super() built-in function for use by methods in class hierarchies. There are some, perhaps surprising, aspects to super() along with wrinkles in how to properly use it. But it has been part of the language for a long time, so changes to its behavior, as was suggested in the thread, are pretty unlikely.
Luis Falcon brings the sad news that Pedro Francisco has passed on. "Pedro created and managed MasGNULinux, a Spanish blog with news about Free Software and GNU/Linux. MasGNULinux was the best reference in the latest Free Software projects for the Spanish speaking community."
Security updates have been issued by Debian (gzip and xz-utils), Fedora (dhcp and rsync), Mageia (chromium-browser-stable), openSUSE (chromium), SUSE (gzip, openjpeg2, and zabbix), and Ubuntu (klibc).
Over on the blog for the GNU Guix project, which is a "transactional package manager and an advanced distribution of the GNU system that respects user freedom", the project reflects on its ten-year journey. The post consists of personal accounts from around two dozen contributors about the project, its history, and its community.
Version 2.36.0 of the Git source-code management system is out. As usual, the list of new features is long; this GitHub blog post covers some of the highlights:
The ftrace and perf subsystems provide visibility into the workings of the kernel; by activating existing tracepoints, interested developers can see what is happening at specific points in the code. As much as kernel developers may resist the notion, though, not all events of interest on a system happen within the kernel. Administrators will often want to look inside user-space processes as well; they would be even happier with a mechanism that allows the simultaneous tracing of events in both the kernel and user space. The user-events subsystem, developed by Beau Belgrave and added during the 5.18 merge window, promises that capability, but users will almost certainly have to wait another cycle to gain access to it.
Security updates have been issued by Debian (abcm2ps and chromium), Fedora (cacti, cacti-spine, and fribidi), and Mageia (crun, docker-containerd, libarchive, mediawiki, and ruby).
The 5.18-rc3 kernel prepatch is out for testing. "It's Sunday afternoon, and you all know what that means. It's time for another release candidate. (Yes, yes, it's also Easter Sunday, but priorities, people!)"
Version 9.1 of the GNU coreutils package has been released with lots of small tweaks and improvements. "ls no longer colors files with capabilities by default, as file-based capabilities are very rarely used, and lookup increases processing per file by about 30%. It's best to use getcap [-r] to identify files with capabilities."
Your editor has a certain tendency to accumulate books, to the point that they crowd everything else out of the house. There is a lot to be said for books: a physical book has a user interface that has been optimized over centuries, and one can have a reasonably high degree of certainty that any given book will still work a few decades from now. Neither of those can be said for electronic books, but they do have the advantages of taking less shelf space and being more portable. So electronic books are part of the reading menu, which naturally leads to the search for a free reader for those books; KOReader turns out to be an interesting alternative.
Greg Kroah-Hartman has announced the release of the 5.4.189 and 4.19.238 stable kernels. As usual, they contain important fixes throughout the tree and users should upgrade.
Security updates have been issued by Debian (fribidi and python-django), Fedora (postgresql-jdbc, stargz-snapshotter, and thunderbird), Slackware (git, gzip, and xz), and SUSE (kernel, SDL2, and tomcat).
Support for developing in the Rust language is headed toward the kernel, though just when it will land in the mainline is yet to be determined. The Rust patches are progressing, though, and beginning to attract attention from beyond the kernel community. When two languages — and two different development communities — come together, the result can be a sort of cultural clash. Some early signs of that are appearing with regard to Rust in the kernel; if the resulting impedance mismatches can be worked out, the result could be a better development environment for everybody involved.
Security updates have been issued by Debian (lrzip), Fedora (community-mysql, expat, firefox, kernel, mingw-openjpeg2, nss, and openjpeg2), Mageia (ceph, subversion, and webkit2), openSUSE (chromium), Oracle (httpd:2.4), Red Hat (kpatch-patch), Slackware (ruby), SUSE (kernel and netatalk), and Ubuntu (gzip and xz-utils).
SUSE has begun to discuss its plans for the next version of SUSE Linux Enterprise on the openSUSE lists. It appears that there will be some significant changes.
Using strings with contents that are supplied by users can be fraught with peril; SQL injection is a well-known technique for attacking applications that stems from that, for example. Generally, database frameworks and libraries provide mechanisms that seek to lead programmers toward doing The Right Thing, with parameterized queries and the like, but they cannot enforce that—inventive developers will seemingly always find ways to inject user input into places it should not go. A recently adopted Python Enhancement Proposal (PEP) provides a way to enforce the use of strings that are untainted by user input, but it uses the optional typing features of the language to do so; those wanting to take advantage of it will need to be running a type-checking program.
The 5.17.3, 5.16.20, 5.15.34, and 5.10.111 stable kernel updates have been released after a relatively quick review cycle. Each contains a relatively large set of important fixes. Note that 5.16.20 is the final update in the 5.16.x series.
Security updates have been issued by Arch Linux (gzip, python-django, and xz), Debian (chromium, subversion, and zabbix), Red Hat (expat, kernel, and thunderbird), SUSE (go1.16, go1.17, kernel, libexif, libsolv, libzypp, zypper, opensc, subversion, thunderbird, and xz), and Ubuntu (git, linux-bluefield, nginx, and subversion).
Version 6.3 of the Qt graphics library has been released. "Qt 6.3 also comes with a decent set of new functionality. A total of 250 user stories and tasks implementing new functionality have been completed for 6.3. Those are of course too many to list individually, and if you want to have all the details, have a look at our new features page and our Release Notes."
Git maintainer Junio C Hamano has announced the release of v2.35.2, along with multiple other Git versions ("v2.30.3, v2.31.2, v2.32.1, v2.33.2, and v2.34.2"), to fix a security problem that can happen on multi-user machines (CVE-2022-24765). This GitHub blog post has more details, though the GitHub service itself is not vulnerable. The description in the announcement seems a bit Windows-centric, but Linux multi-user systems are apparently vulnerable as well:
When last we looked in on the proposed trusted_for() system call, which would allow user-space interpreters and other tools to ask the kernel whether a file is "trusted" for execution, it looked like it was on-track for the mainline. That was back in October 2020; the patch has been updated multiple times since then, made its way into linux-next, and a pull request was made by Mickaël Salaün for the 5.18 merge window. But it seems that there will be more to the story of getting this functionality into the kernel, as Linus Torvalds declined to pull trusted_for(), at least partly because he did not like the name, but there were other reasons as well. While he is not opposed to the functionality it would provide, he also had strong feelings that a new system call was not the right approach.
Security updates have been issued by Debian (thunderbird and usbguard), Fedora (containerd, firefox, golang-github-containerd-imgcrypt, nss, and vim), Oracle (firefox, kernel, kernel-container, and thunderbird), Red Hat (thunderbird), Scientific Linux (thunderbird), SUSE (libexif, mozilla-nss, mysql-connector-java, and qemu), and Ubuntu (libarchive and python-django).
Filesystems and the virtual filesystem layer are in the business of managing files that actually exist, but the Linux "dentry cache", which remembers the results of file-name lookups, also keeps track of files that don't exist. This cache of "negative dentries" plays an important role in the overall performance of the system but, if it is allowed to grow too large, its role can become negative in its own right. As the 2022 Linux Storage, Filesystem, and Memory-Management Summit (LSFMM) approaches, the subject of negative dentries has come up yet again; whether one can be positive about the prospects for a resolution this time around remains unclear.
The second 5.18 kernel prepatch is out for testing. "Things look fairly normal here, although it's early in the release cycle so it's a bit hard to say for sure. But at least it's not looking particularly odd, and we have fixes all over."
Security updates have been issued by Debian (gzip, libxml2, minidlna, openjpeg2, thunderbird, webkit2gtk, wpewebkit, xen, and xz-utils), Fedora (crun, unrealircd, and vim), Mageia (389-ds-base, busybox, flatpak, fribidi, gdal, python-paramiko, and usbredir), openSUSE (opera and seamonkey), Oracle (kernel and kernel-container), Red Hat (firefox), Scientific Linux (firefox), Slackware (libarchive), SUSE (389-ds, libsolv, libzypp, zypper, and python), and Ubuntu (python-django and tcpdump).
OpenSSH 9.0 has been released. It is claimed to be primarily a bug-fix release, but it also switches to a new, quantum-computer-proof key-exchange protocol by default and includes a number of sftp changes, some of which may create some compatibility issues (described in the announcement) with scp.
The readahead code in the Linux kernel is nominally responsible for reading data that has not yet been explicitly requested from storage, with the idea that it might be needed soon. The code is stable, functional, widely used, and uncontroversial, so it is reasonable to expect the code to be of high quality, and largely this is true. Recently, I found the need to document this code, which naturally shone a rather different light on it. This work revealed minor problems with functionality and significant problems with naming.
The 5.17.2, 5.16.19, 5.15.33, and 5.10.110 stable kernels have been released. These post-merge-window updates have a larger than usual set of fixes, throughout the tree. Users of those series should upgrade.
Security updates have been issued by Arch Linux (libtiff), Debian (chromium), Fedora (buildah and chromium), openSUSE (firefox), SUSE (firefox, libsolv, libzypp, and openjpeg2), and Ubuntu (firefox and python-oslo.utils).
Version 1.60.0 of the Rust language is available. Changes include coverage-testing improvements, the return of incremental compilation, and changes to the Instant type:
Cloud computing is a wonderful thing; it allows efficient use of computing systems and makes virtual machines instantly available at the click of a mouse or API call. But cloud computing can also be problematic; the security of virtual machines is dependent on the security of the host system. In most deployed systems, a host computer can dig through its guests' memory at will; users running guest systems have to just hope that doesn't happen. There are a number of solutions to that problem under development, including this KVM guest-private memory patch set by Chao Peng and others, but some open questions remain.
Security updates have been issued by Arch Linux (bind), Debian (firefox-esr), Fedora (fribidi, gdal, and mingw-gdal), openSUSE (pdns-recursor and SDL2), Oracle (kernel), Slackware (mozilla), SUSE (glibc and openvpn-openssl1), and Ubuntu (fribidi and linux-azure-5.13, linux-oracle-5.13).
Running a command like lsof, which lists the open files on the system along with information about the process that has each file open, takes a lot of system calls, mostly to read a small amount of information from many /proc files. Providing a new interface to collect those calls together into a single (or, at least, fewer) system calls is the target of Miklos Szeredi's getvalues() RFC patch that was posted on March 22. While the proposal does not look like it is going far, at least in its current form, it did spark some discussion of the need—or lack thereof—for a way to reduce this kind of overhead, as well as to explore some alternative ways to get there via code that already exists in the kernel.