[$] Free-software foundations face fundraising problems
In July, at the GNOME https://lwn.net/Articles/983203/
(AGM),
held at <a href="https://foundation.gnome.org/2023/12/20/guadec-2024-in-denver-colorado/" rel="nofollow">GUADEC
2024</a>,
the message from the GNOME Foundation board was that all was well,
financially speaking. Not great, but the foundation was on a
break-even budget and expected to go into its next fiscal year with a
similar budget and headcount. On October 7, however, the board https://foundation.gnome.org/2024/10/07/update-from-the-board-2024-10/
that it had had to make some cuts, including reducing its staff by
two people. This is not, however, strictly a GNOME problem: similar
organizations, such as the Python Software Foundation (PSF), KDE e.V.,
and the Free Software Foundation Europe (FSFE) are seeing declines in
fundraising while also being affected by inflation.
https://lwn.net/Articles/993665/
Security updates for Wednesday
Security updates have been issued by Debian (dmitry, libheif, and python-sql), Fedora (suricata and wireshark), SUSE (cargo-c, libeverest, protobuf, and qemu), and Ubuntu (golang-1.22, libheif, unbound, and webkit2gtk).
https://lwn.net/Articles/995293/
Several Russian developers lose kernel maintainership status
Perhaps one of the more surprising changes in the 6.12-rc4 development
kernel was <a href="https://git.kernel.org/linus/6e90b675cf94" rel="nofollow">the removal
of several entries</a> from the kernel's MAINTAINERS file. The https://lore.kernel.org/all/2024101835-tiptop-blip-09ed@gregkh/
performing the removal was sent (by Greg Kroah-Hartman) only to the
patches@lists.linux.dev mailing list; the change was included in <a href="https://lwn.net/ml/linux-kernel/ZxUH2J0BL3FCV6Hr@kroah.com/" rel="nofollow">a char-misc drivers
pull request</a> with no particular mention.
The explanation for the removal is simply "various compliance
requirements". Given that the developers involved all appear to be of
Russian origin, it is not too hard to imagine what sort of compliance is
involved here. There has, however, been no public posting of the policy
that required the removal of these entries.
https://lwn.net/Articles/995186/
[$] A report from the 2024 Image-Based Linux Summit
The Image-Based Linux Summit has by now established itself as a yearly event.
Following on from https://lwn.net/Articles/946526/
,
the third edition was held in Berlin on September 24, the
day before
<a href="https://all-systems-go.io" rel="nofollow">
All Systems Go! 2024</a> (ASG). The purpose of this event is to gather
stakeholders from various engineering groups and hold friendly but lively
discussions around the topic of image-based Linux — that is, Linux distributions
based around immutable images, instead of mutable root filesystems.
https://lwn.net/Articles/994704/
Introducing AlmaLinux OS Kitten (AlmaLinux Blog)
The https://almalinux.org/
a new edition called "Kitten",
which will serve as "the direct upstream for AlmaLinux OS and is
the primary point for the AlmaLinux community to engage and influence
the future of AlmaLinux OS". Not intended for production use, the
first release is based on CentOS Stream 10 source, which
will eventually be the basis for Red Hat Enterprise Linux (RHEL)
10:
Because we anticipated many changes in 10, we wanted to get a head
start on building AlmaLinux OS 10. Earlier this year we started
setting up infrastructure and the build pipeline for AlmaLinux OS 10,
and started testing using CentOS Stream 10's code. Based on this
preparation work, we are excited to share that we have successfully
built a preview of AlmaLinux OS 10 that we are calling AlmaLinux OS
Kitten 10.
The first Kitten release previews a number of ways that AlmaLinux will
diverge from RHEL 10, including re-enabling frame pointers,
including Simple Protocol for Independent Computing Environments
(SPICE), and adding packages for Firefox and Thunderbird, which have
been dropped from CentOS Stream 10 in favor of Flatpak versions. New
installation images for Kitten will be built quarterly. See the <a href="https://wiki.almalinux.org/release-notes/kitten-10.html" rel="nofollow">release
notes</a> for download links, installation instructions, and more
information.
https://lwn.net/Articles/995140/
OpenSSL 3.4.0 released
Version 3.4.0 of the OpenSSL SSL/TLS library has been released. It adds a
number of new encryption algorithms, support for "directly fetched
composite signature algorithms such as RSA-SHA2-256", and more. See <a href="https://openssl-library.org/news/openssl-3.4-notes/index.html" rel="nofollow">the
release notes</a> for details.
https://lwn.net/Articles/995098/
Security updates for Tuesday
Security updates have been issued by Debian (ffmpeg, ghostscript, libsepol, openjdk-11, openjdk-17, perl, and python-sql), Oracle (389-ds-base, buildah, containernetworking-plugins, edk2, httpd, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-21-openjdk, kernel, python-setuptools, skopeo, and webkit2gtk3), Red Hat (buildah), Slackware (openssl), SUSE (apache2, firefox, libopenssl-3-devel, podman, and python310-starlette), and Ubuntu (cups-browsed, firefox, libgsf, and linux-gke).
https://lwn.net/Articles/995095/
A new kernel testing tree
Sasha Levin has https://lwn.net/ml/all/ZxZ8MStt4e8JXeJb@sashalap
a
new tree that is intended to perform continuous-integration tests of pull
requests aimed at the mainline. The plan is for this tree to hold more
finished work than sometimes ends up in linux-next; in a name that seems
destined to create typographical confusion, it is called "linus-next".
The linus-next tree aims to provide a more stable and testable
integration point compared to linux-next, addressing the runtime
issues that make testing linux-next challenging and focusing on
code that's about to be pulled by Linus.
https://lwn.net/Articles/994983/
Kernel prepatch 6.12-rc4
Linus has released https://lwn.net/Articles/994842/
for testing.
"I'm not happy with how big this is - it's probably far from the biggest
rc4 ever, but it _is_ the biggest rc4 we've had in the 6.x series at least
in number of commits."
https://lwn.net/Articles/994843/
[$] The long road to lazy preemption
The kernel's CPU scheduler currently offers several preemption modes that
implement a range of tradeoffs between system throughput and response time.
Back in September 2023, a <a href="https://lwn.net/Articles/944686/" rel="nofollow">discussion
on scheduling</a> led to the concept of "lazy preemption", which could
simplify scheduling in the kernel while providing better results. Things
went quiet for a while, but lazy preemption has returned in the form of https://lwn.net/ml/all/20241007074609.447006177@infradead.org
from Peter Zijlstra. While the concept appears to work well, there is
still a fair amount of work to be done.
https://lwn.net/Articles/994322/
Security updates for Friday
Security updates have been issued by AlmaLinux (java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-21-openjdk, and webkit2gtk3), Debian (apache2), Red Hat (expat), SUSE (cups-filters, jetty-minimal, OpenIPMI, and python-starlette), and Ubuntu (linux-azure, linux-azure, linux-azure-5.15, linux-azure, linux-azure-5.4, and oath-toolkit).
https://lwn.net/Articles/994703/
Rust 1.82.0 released
<a href="https://blog.rust-lang.org/2024/10/17/Rust-1.82.0.html" rel="nofollow">Version
1.82.0</a> of the Rust language has been released. There are a lot of new
features this time, including a cargo info command, tier-1 support
for 64-bit Apple Arm systems, a new native syntax (&raw) to create
raw pointers, changes to unsafe extern, unsafe attributes,
standardized rules around the handling of floating-point not-a-number
values, and more.
https://lwn.net/Articles/994654/
[$] A look at the aerc mail client
Email has become somewhat unfashionable as a collaboration tool for
open-source projects, but there are still a number of projects—such as
PostgreSQL and the Linux kernel—that expect contributors to send and
review patches via email. The https://aerc-mail.org/
mail client is aimed at developers looking for a text-based, efficient, and
extensible client that is meant to be used for working with Git and
email. It uses Vim-style keybindings by default, and has an interface
inspired by https://github.com/tmux/tmux/wiki
that
lets users manage multiple accounts, mails, and embedded terminals at once.
https://lwn.net/Articles/993498/
[$] Using LKMM atomics in Rust
Rust, like C, has its own memory model describing how concurrent access to the
same data by multiple threads can behave.
The Linux kernel, however, has its own
ideas. The
<a href="https://lwn.net/Articles/718628/" rel="nofollow">
Linux kernel memory model</a> (LKMM) is subtly different from both the
standard C memory model and Rust's model.
At Kangrejos, Boqun Feng gave a presentation about the
need to reconcile the memory models used by Rust and the kernel,
including a few potential avenues for doing so. While
no consensus was reached, it is an area of active discussion.
https://lwn.net/Articles/993785/
[$] Two pidfd tweaks: PIDFD_GET_INFO and PIDFD_SELF
The pidfd mechanism, which uses file descriptors to refer to processes in
an unambiguous and race-free way, <a href="https://lwn.net/Articles/773459/" rel="nofollow">was first
introduced</a> in 2018. Since then, the interface has https://lwn.net/Articles/794707/
, but
development has slowed over time as the interface has matured. There are,
however, a couple of patches in circulation that are meant to make working
with pidfds simpler in some situations.
https://lwn.net/Articles/992991/
Security updates for Wednesday
Security updates have been issued by AlmaLinux (buildah, containernetworking-plugins, and skopeo), Fedora (pdns-recursor and valkey), Mageia (unbound), Red Hat (fence-agents, firefox, java-11-openjdk, python-setuptools, python3-setuptools, resource-agents, and thunderbird), SUSE (etcd-for-k8s, libsonivox3, rubygem-puma, and unbound), and Ubuntu (apr, libarchive, linux, linux-aws, linux-aws-hwe, linux-azure-4.15, linux-gcp,
linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, nano, and vim).
https://lwn.net/Articles/994436/
[$] Zapping pointers out of thin air
Paul McKenney gave a presentation at Kangrejos this year that wasn't (directly)
related to Rust. Instead, he spoke about the work he has been doing in concert
with many other contributors on improving the handling of subtle concurrency
problems in C++.
Although he cautioned that his talk was only an overview, and not a
substitute for reading the relevant papers, he hoped that the things the C++
community is working on would be of interest to the Rust developers present as
well, and potentially inform future work on the language. McKenney's talk was,
as is his style, full of subtle examples of weird multithreaded behavior.
Interested readers may wish to refer to
<a href="https://kangrejos.com/2024/Lifetime-End%20Pointer%20Zap%20&%20How%20to%20Avoid%20OOTA%20Without%20Really%20Trying.pdf" rel="nofollow">
his slides</a> in an attempt to follow along.
https://lwn.net/Articles/993484/
[$] Debian's "secret" sauce
While Debian's "sauce" is not actually all that secret, it is not particularly
well-known either, Samuel Henrique said at the start of his https://debconf24.debconf.org/
talk. There is a lot
of software-engineering effort that has been put in place by the
distribution in order to create and maintain its releases, but "loads of
people are not aware" of it. That may be due to the fact that all of
that is
not really documented anywhere in a central location that he can just point
someone to. Recognizing that is what led him to give the talk;
hopefully it will be a "first step toward" helping solve the problem.
https://lwn.net/Articles/990177/
Kernel prepatch 6.12-rc3
The https://lwn.net/Articles/993955/
kernel prepatch is out for
testing.
So the diffstat looks a bit odd, because one of the fixes here
caused the UTF tables to be regenerated, and an effective one-liner
change turned into 6703 lines of diff.
But if you ignore that effect, everything looks normal.
https://lwn.net/Articles/993956/
[$] FFI type mismatches in Rust for Linux
At Kangrejos, Gary Guo wanted to discuss three problems with the way
Rust and C code in the kernel interact: mismatched types, too many type casts,
and the overhead of helper functions. To fix the first two problems, Guo proposed
changing the way the kernel maps C types into Rust types. The last problem was a
bit trickier, but he has a clever workaround for that, based on tricking
the compiler into inlining the helper functions across language boundaries.
https://lwn.net/Articles/993163/
Security updates for Friday
Security updates have been issued by AlmaLinux (.NET 6.0, .NET 8.0, and openssl), Debian (firefox-esr), Fedora (firefox), Mageia (php, quictls, and vim), Red Hat (buildah, container-tools:rhel8, containernetworking-plugins, firefox, podman, skopeo, and tomcat), Slackware (mozilla), SUSE (apache-commons-io, kernel, and xen), and Ubuntu (golang-1.17, libgsf, and linux-aws-6.8, linux-oracle-6.8).
https://lwn.net/Articles/993778/
[$] On Rust in enterprise kernels
At the recently concluded Maintainers Summit, it was <a href="https://lwn.net/Articles/991062/" rel="nofollow">generally agreed that the Rust experiment would
continue</a>, and that the path was clear for more Rust code to enter the
kernel. But the high-level view taken at such gatherings cannot always
account for the difficult details that will inevitably arise as the Rust
work proceeds. A recent discussion on the nouveau mailing list may have
escaped the notice of many, but it highlights some of the problems that
will have to be worked out as important functionality written in Rust heads
toward the mainline.
https://lwn.net/Articles/993337/
Updating Firefox is highly recommended
Mozilla has released Firefox versions 131.0.2, ESR 128.3.1, and ESR
115.16.1. These updates address <a href="https://www.mozilla.org/en-US/security/advisories/mfsa2024-51/" rel="nofollow">a
severe, remotely exploitable code-execution vulnerability</a> that is
evidently already being exploited. Updating to a fixed release seems like
a wise thing to do.
https://lwn.net/Articles/993608/
Security updates for Thursday
Security updates have been issued by Debian (chromium), Fedora (firefox, koji, unbound, webkit2gtk4.0, and xen), Red Hat (glibc, net-snmp, and tomcat), Slackware (mozilla), SUSE (apache-commons-io, buildah, cups-filters, liboath-devel, libreoffice, libunbound8, podman, and redis), and Ubuntu (cups-browsed, cups-filters, edk2, linux-raspi-5.4, and oath-toolkit).
https://lwn.net/Articles/993595/
[$] Improving bindgen for the kernel
<a href="https://rust-lang.github.io/rust-bindgen/" rel="nofollow">
Bindgen</a> is a widely used tool that automatically generates Rust bindings from C
headers. The
<a href="https://rust-for-linux.com/" rel="nofollow">
Rust-for-Linux</a> project uses it to create some of
the bindings between Rust code and the rest of the kernel. John Baublitz
presented at Kangrejos about the improvements that he has made to the tool in
order to make the generated bindings easier to use, including improved support
for macros, bitfields, and enums.
https://lwn.net/Articles/992693/
Julia v1.11.0 has been released
The Julia project has
<a href="https://discourse.julialang.org/t/julia-v1-11-0-has-been-released-and-v1-10-is-now-lts/121064" rel="nofollow">
released</a> version 1.11.0. A separate
<a href="https://julialang.org/blog/2024/10/julia-1.11-highlights/" rel="nofollow">
blog post</a> covers some of the highlights. The release includes a number of helpful features.
In previous Julia versions, there was no "programmatic way" of knowing if an unexported name was considered part of the public API or not. Instead, the guideline was basically that if it was not in the manual then it was not public which was a bit underwhelming. To remedy that, there is now a public keyword in Julia that can be used to indicate that an unexported name is part of the public API.
https://lwn.net/Articles/993436/
Security updates for Wednesday
Security updates have been issued by AlmaLinux (firefox, mod_jk, and thunderbird), Debian (apache2 and firefox-esr), Fedora (crosswords, logiops, p7zip, and perl-App-cpanminus), Red Hat (.NET 6.0, firefox, git, kernel, kernel-rt, openssl, and thunderbird), SUSE (buildah, json-lib, kernel, Mesa, mozjs78, pgadmin4, podman, podofo, qatlib, redis7, roundcubemail, rusty_v8, and seamonkey), and Ubuntu (dotnet6, dotnet8, nginx, and ruby-webrick).
https://lwn.net/Articles/993433/
[$] The Open Source Pledge: peer pressure to pay maintainers
In the early days of open source, it was a struggle to get companies
to accept the concept and trust its development model.
Now, companies have few qualms about using it, but do tend to <a href="https://www.goodtechthings.com/oss-sos/" rel="nofollow">take open source and
those who maintain it for granted</a>. The struggle now is to find ways
to compensate producers of the software, sustain the open‑source
commons, and avoid burning out maintainers. The https://opensourcepledge.com/
project is
an effort to persuade companies to pay maintainers by making it a social
norm. On October 8, the project is launching a marketing campaign to raise
awareness and try to get a larger conversation started around paying
maintainers.
https://lwn.net/Articles/993073/
Security updates for Tuesday
Security updates have been issued by Debian (kernel), Fedora (webkitgtk), Mageia (cups), Oracle (e2fsprogs, kernel, and kernel-container), Red Hat (buildah, container-tools:rhel8, containernetworking-plugins, git-lfs, go-toolset:rhel8, golang, grafana-pcp, podman, and skopeo), SUSE (Mesa, mozjs115, podofo, and redis7), and Ubuntu (cups and cups-filters).
https://lwn.net/Articles/993276/
OpenBSD 7.6 released
OpenBSD 7.6 has been https://www.openbsd.org/76.html
. Notable new
features include work to improve suspend/resume on modern hardware,
support for the arm64 Qualcomm Snapdragon X Elite laptops, as well as many
improvements in hardware support and driver bug fixes.
With this release all files that existed in the first commit
in the OpenBSD source repository have been updated,
modified or replaced at some point in time, reaching OpenBSD of Theseus.
See the https://www.openbsd.org/plus76.html
for all changes between OpenBSD 7.5 and 7.6.
https://lwn.net/Articles/993203/
[$] ClassicPress: WordPress without the block editor
The <a href="https://lwn.net/Articles/991906/" rel="nofollow">recent WordPress
controversy</a> is not the first time there's been tension between the
https://wordpress.org/
as a business, and Matt
Mullenweg's leadership as WordPress's benevolent dictator for
life (BDFL). In particular, Mullenweg's focus on pushing WordPress to use a new
"editing experience" called https://wordpress.org/gutenberg/
caused significant
friction—and led to the https://www.classicpress.net/
fork. Users who
want to preserve the "classic" WordPress experience without straying
too far from the WordPress fold may want to look into ClassicPress.
https://lwn.net/Articles/992219/
[$] In search of the AOSP community
The core of the Android operating system, as represented by the https://source.android.com/
(AOSP),
can only be considered one of the most successful open-source initiatives
ever created; its user count is measured in the billions. But few would
consider it to be a truly community-oriented project. At the 2024 https://lpc.events/
, Chris Simmonds
asked why the AOSP community is so hard to find, and what might be done
about the situation.
https://lwn.net/Articles/992992/
RPM 4.20 released
https://rpm.org/wiki/Releases/4.20.0
of
the RPM Package Manager (RPM) has been released. Major changes in this
release include a new plugin to prevent filesystem and network access
by scriptlets, the BuildSystem directive for declaring the
build system to be used by packaged software, and more. LWN https://lwn.net/Articles/988927/
the development of
RPM 4.20 in September.
https://lwn.net/Articles/993161/
Kernel prepatch 6.12-rc2
Linus has released https://lwn.net/Articles/993106/
for testing.
Anyway, this isn't one of the small rc2's. But looking at
historical trends, being a bigger rc2 isn't _that_ unusual, and
nothing in here looks all that odd. Yes, the diffstat may look a
bit unusual, in that we had a global header renaming
(asm/unaligned.h -> linux/unaligned.h) and we had a couple of
reverts that stand out as spikes in the stats, but everything else
looks nice and small.
https://lwn.net/Articles/993107/
Akamai finds many systems with exposed CUPS vulnerability
Akamai
<a href="https://www.akamai.com/blog/security-research/october-cups-ddos-threat" rel="nofollow">
released a report</a> pointing out that the
<a href="https://lwn.net/Articles/991929/" rel="nofollow">
recently-reported CUPS vulnerability</a>
(https://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I/
)
could be used to drive distributed denial-of-service (DDoS) attacks as well. Even if an attacker cannot gain remote control over a computer, they can still cause it to fetch a URL of their choice — potentially getting free DDoS amplification.
The Akamai Security Intelligence and Response Team (SIRT) found that more than 198,000 devices are vulnerable to this attack vector and are accessible on the public internet; roughly 34% of those could be used for DDoS abuse (58,000+).
https://lwn.net/Articles/993044/
[$] Smart pointers for the kernel
Rust has a plethora of smart-pointer types, including reference-counted
pointers, which have special support in the compiler to make them
easier to use. The Rust-for-Linux project would like to reap those same benefits
for its smart pointers, which need to be written by hand to conform to
the
<a href="https://lwn.net/Articles/718628/" rel="nofollow">
Linux kernel
memory model</a>. Xiangfei Ding
presented at Kangrejos about the work to enable custom
smart pointers to function the same as built-in smart pointers.
https://lwn.net/Articles/992055/
oath-toolkit: privilege escalation in pam_oath.so (SUSE Security Team Blog)
The SUSE Security Team Blog has a <a href="https://security.opensuse.org/2024/10/04/oath-toolkit-vulnerability.html" rel="nofollow">detailed
report</a> on its discovery of https://www.nongnu.org/oath-toolkit/security/CVE-2024-47191/
in the
https://gitlab.com/oath-toolkit/oath-toolkit
,
which provides libraries and utilities for managing one-time password
(OTP) authentication.
Fellow SUSE engineer Fabian Vogt approached our Security Team about
the project's PAM module. A couple of years ago, the module gained a
feature which allows to place the OTP state file (called usersfile) in
the home directory of the to-be-authenticated user. Fabian noticed
that the PAM module performs unsafe file operations in users' home
directories. Since PAM stacks typically run as root, this can easily
cause security issues.
https://lwn.net/Articles/992948/
Security updates for Friday
Security updates have been issued by AlmaLinux (firefox, golang, linux-firmware, and thunderbird), Debian (kernel and zabbix), Fedora (firefox, pgadmin4, and php), Mageia (chromium-browser-stable, cjson, hostapd and wpa_supplicant, and openjpeg2), Oracle (firefox, flatpak, and go-toolset:ol8), Red Hat (cups-filters, firefox, grafana, linux-firmware, python3, python3.11, and python3.9), SUSE (expat, firefox, libpcap, and opensc), and Ubuntu (freeradius, imagemagick, and unzip).
https://lwn.net/Articles/992936/
Security updates for Thursday
Security updates have been issued by AlmaLinux (cups-filters), Debian (chromium and php8.2), Fedora (firefox), Oracle (cups-filters, flatpak, kernel, krb5, oVirt 4.5 ovirt-engine, and python-urllib3), Red Hat (cups-filters, firefox, go-toolset:rhel8, golang, and thunderbird), SUSE (postgresql16), and Ubuntu (gnome-shell and linux-azure-fde-5.15).
https://lwn.net/Articles/992798/
[$] BTF, Rust, and the kernel toolchain
<a href="https://www.kernel.org/doc/html/latest/bpf/btf.html" rel="nofollow">
BPF Type Format</a> (BTF),
BPF's debugging information format, has undergone rapid evolution to match
the evolving needs of BPF programs. José Marchesi spoke at Kangrejos about some
of that work — and how it could impact Rust, specifically. He discussed debug
information, kernel-specific relocations, and the planned changes to kernel
stack unwinding. Each of these will require some amount of work to fully
support in Rust, but preliminary signs look promising.
https://lwn.net/Articles/991719/
Manjaro 24.1 released
<a href="https://forum.manjaro.org/t/manjaro-24-1-xahea-released/168699/1" rel="nofollow">Version
24.1</a> of the Arch-based https://manjaro.org/
distribution is now available with the 6.10 Linux kernel,
GNOME 46.5, KDE Plasma 6.1 and KDE Gear 24.08:
Plasma 6.1 on Wayland now has a feature that "remembers" what you were
doing in your last session like it did under X11. Although this is
still work in progress, If you log off and shut down your computer
with a dozen open windows, Plasma will now open them for you the next
time you power up your desktop, making it faster and easier to get
back to what you were doing. At Manjaro we are still defaulting to
X11, however switching to Wayland can be done easily by selecting the
wanted session in your display manager.
The project also offers minimal install images with the 6.6 LTS and
6.1 LTS kernels to support older hardware as needed.
https://lwn.net/Articles/992660/
[$] An update on gccrs development
One concern that has often been expressed about the Rust language is that
there is only one compiler for it. That makes it hard to say what the
standard version of the language is and restricts the architectures that
can be targeted by Rust code to those that the available compiler supports.
Adding a Rust frontend to GCC would do much to address those concerns; at
the <a href="https://gcc.gnu.org/wiki/cauldron2024" rel="nofollow">2024 GNU Tools
Cauldron</a>, Pierre-Emmanuel Patry gave an update on the state of that
work and what its objectives are.
https://lwn.net/Articles/991199/
Security updates for Tuesday
Security updates have been issued by Debian (debian-security-support, nghttp2, and sqlite3), Oracle (cups-filters, kernel, and osbuild-composer), SUSE (openssl-3), and Ubuntu (bubblewrap, flatpak and python2.7, python3.5).
https://lwn.net/Articles/992444/
[$] Coccinelle for Rust
Tathagata Roy has been working to make the
<a href="https://coccinelle.gitlabpages.inria.fr/website/" rel="nofollow">
Coccinelle</a> tool that is used (among other things)
to automate the refactoring of C code work on Rust
code as well. Roy gave a
presentation at https://kangrejos.com/
about that work,
including the creative approaches necessary to work with Rust's more complicated
control flow and syntax.
https://lwn.net/Articles/991399/
[$] The rest of the 6.12 merge window
Linus Torvalds <a href="https://lwn.net/ml/all/CAHk-=wiwVOCZsC6a4dLdb1UjL2fS_CnLNjrPL0XGFbDd9C26Cg@mail.gmail.com/" rel="nofollow">released
6.12-rc1</a> and closed the 6.12 merge window on September 29; at that
point, 11,260 non-merge change sets had been pulled into the mainline for
the 6.12 release. That is the lowest number of merge-window changes since
5.17-rc1 in January 2022, which brought in 11,068 changesets. Nonetheless,
6.12 brings a number of interesting changes, many of which were included in
the roughly 4,500 changes merged since <a href="https://lwn.net/Articles/990750/" rel="nofollow">the
summary of the first half of the 6.12 merge window</a> was written.
https://lwn.net/Articles/991301/
Tcl/Tk 9.0 released
The most recent major release of the https://www.tcl.tk/
. The 9.0 release brings 64-bit data values, better Unicode support, the ability to use zip files as filesystems, a switch to use epoll() or kqueue() where they are available, SVG support in Tk, access to notifications and other desktop-platform services in Tk, and lots more. For more information, see the release notes for Tcl and Tk that can be downloaded as Markdown files from the announcement page. (Thanks to Matt Bradley.)
https://lwn.net/Articles/992284/
Arch Linux getting support from Valve
The Arch Linux project has announced that Valve will be helping the
distribution with a couple of important initiatives:
Valve is generously providing backing for two
critical projects that will have a huge impact on our distribution: a
build service infrastructure and a secure signing enclave. By supporting
work on a freelance basis for these topics, Valve enables us to work on
them without being limited solely by the free time of our volunteers.
https://lwn.net/Articles/992194/
Kernel prepatch 6.12-rc1
Linus has https://lwn.net/Articles/992184/
and closed the
merge window for this release.
Despite conference travel (both for me and several maintainers),
things seemed to go mostly fairly normally. There's a couple of
notable new features in here: For one thing, PREEMPT_RT is now
mainlined and enabled as a config option (you do need to enable
"EXPERT" to get the question). For another, sched_ext also got
merged.
https://lwn.net/Articles/992185/
Górny: The perils of transition to 64-bit time_t
Michał Górny <a href="https://blogs.gentoo.org/mgorny/2024/09/28/the-perils-of-transition-to-64-bit-time_t/" rel="nofollow">describes
the challenges</a> involved in transitioning Gentoo to year-2038-safe time
representations:
There is a general agreement that the way forward is to change
time_t to a 64-bit type. Musl has already switched to that, glibc
supports it as an option. A number of other distributions such as
Debian have taken the leap and switched. Unfortunately,
source-based distributions such as Gentoo don't have it that
easy. So we are still debating the issue and experimenting, trying
to figure out a maximally safe upgrade path for our users.
Unfortunately, that's nowhere near trivial. Above all, we are
talking about a breaking ABI change.
https://lwn.net/Articles/992120/
Remote exploit of CUPS
Security researcher Simone Margaritelli
<a href="https://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I/" rel="nofollow">
has reported</a> a new vulnerability in
<a href="https://openprinting.github.io/cups/" rel="nofollow">
CUPS</a>, the software that many Linux systems use to manage printers and print jobs. Margaritelli describes the impact of the attack by saying:
A remote unauthenticated attacker can silently replace existing printers' (or install new ones) IPP urls with a malicious one, resulting in arbitrary command execution (on the computer) when a print job is started (from that computer).
The vulnerability relies on a few related problems in CUPS libraries and utilities; versions before 2.0.1 or 2.1b1 (depending on the component) may be affected.
https://lwn.net/Articles/991929/
[$] Getting PCI driver abstractions upstream
Danilo Krummrich gave a talk at Kangrejos 2024 focusing on the question of how
the Rust-for-Linux project could improve at getting device and driver
abstractions upstream. As a case study, he used some of his recent work that
attempts to make it possible to write a PCI driver entirely in Rust. There
wasn't time to go into as much detail as he would have liked, but he did
demonstrate that it is possible to interface with the kernel's module loader in
a way that is much harder to
screw up than the current standard approach in C.
https://lwn.net/Articles/990918/
PostgreSQL 17 released
<a href="https://www.postgresql.org/about/news/postgresql-17-released-2936/" rel="nofollow">Version
17</a> of the https://www.postgresql.org/
database has been released.
This release of PostgreSQL adds significant overall performance gains,
including an overhauled memory management implementation for vacuum,
optimizations to storage access and improvements for high concurrency
workloads, speedups in bulk loading and exports, and query execution
improvements for indexes. PostgreSQL 17 has features that benefit
brand new workloads and critical systems alike, such as additions to
the developer experience with the SQL/JSON JSON_TABLE command, and
enhancements to logical replication that simplify management of high
availability workloads and major version upgrades.
LWN recently https://lwn.net/Articles/984599/
some of the interesting new features and security enhancements in
PostgreSQL 17.
https://lwn.net/Articles/991904/
Uniting for Internet Freedom: Tor Project & Tails Join Forces (Tor blog)
The online-privacy-focused <a href="https://www.torproject.org/" rel="nofollow">Tor
project</a> has https://blog.torproject.org/tor-tails-join-forces/
that it has "joined forces and merged operations" with the https://tails.net/
Linux distribution.
Countering the threat of global mass surveillance and censorship to a free Internet, Tor and Tails provide essential tools to help people around the world stay safe online. By joining forces, these two privacy advocates will pool their resources to focus on what matters most: ensuring that activists, journalists, other at-risk and everyday users will have access to improved digital security tools.
In late 2023, Tails approached the Tor Project with the idea of merging operations. Tails had outgrown its existing structure. Rather than expanding Tails's operational capacity on their own and putting more stress on Tails workers, merging with the Tor Project, with its larger and established operational framework, offered a solution. By joining forces, the Tails team can now focus on their core mission of maintaining and improving Tails OS, exploring more and complementary use cases while benefiting from the larger organizational structure of The Tor Project.
https://lwn.net/Articles/991899/
[$] Sched_ext at LPC 2024
The https://lwn.net/Articles/922405/
enables the implementation of CPU schedulers as a set of BPF programs
loaded from user space; it first hit the mailing lists in late 2022.
Sched_ext has engendered its share of controversy since, but is currently
slated to be part of the 6.12 kernel release. At the 2024 https://lpc.events/
, the growing
sched_ext community held one of its first public gatherings; sched_ext
would appear to have launched a new burst of creativity in scheduler
design.
https://lwn.net/Articles/991205/
Eliminating Memory Safety Vulnerabilities at the Source
(Google Security Blog)
Here's <a href="https://security.googleblog.com/2024/09/eliminating-memory-safety-vulnerabilities-Android.html" rel="nofollow">a
post on the Google Security Blog</a> on how switching to a memory-safe
language can quickly reduce vulnerabilities in a project, even if a large
body of older code persists.
This leads to two important takeaways:
The problem is overwhelmingly with new code, necessitating a
fundamental change in how we develop code.
Code matures and gets safer with time, exponentially, making the
returns on investments like rewrites diminish over time as code gets
older.
For example, based on the average vulnerability lifetimes, 5-year-old code
has a 3.4x (using lifetimes from the study) to 7.4x (using lifetimes
observed in Android and Chromium) lower vulnerability density than new
code.
https://lwn.net/Articles/991775/
[$] What the Nova GPU driver needs
In March, Danilo Krummrich https://lwn.net/Articles/966129
the new
Nova GPU driver — a successor to Noveau for controlling NVIDIA GPUs.
At Kangrejos 2024, Krummrich gave a
presentation about what it is, why it's needed, and where it's
going next. Hearing about the needs of the driver provoked extended discussion
on related topics, including what level of safety is reasonable to expect from
drivers, given that they must interact with the hardware.
https://lwn.net/Articles/990736/
[$] Linus and Dirk on succession, Rust, and more
The "Linus and Dirk show" has been a fixture at Open Source Summit for as
long as the conference has existed; it started back when the conference was
called LinuxCon. Since Linus Torvalds famously does not like to give
talks, as he said during this year's edition at https://events.linuxfoundation.org/open-source-summit-europe/
(OSSEU) in Vienna, Austria, he and Dirk Hohndel have been sitting down for an
informal chat on a wide range of topics as a keynote session. That way,
Torvalds does not need to prepare, but also does not know what topics
will be brought up, which makes it "so much more fun for one of us", Hohndel
said with a grin. The topics this time ranged from the just-released 6.11
kernel and the upcoming Linux 6.12, through Rust for the kernel, to the recurring topic of succession and
the graying of Linux maintainers.
https://lwn.net/Articles/990534/
Security updates for Wednesday
Security updates have been issued by Debian (booth), Gentoo (Xpdf), Oracle (go-toolset:ol8, golang, grafana, grafana-pcp, kernel, libnbd, openssl, pcp, and ruby:3.3), Red Hat (container-tools:rhel8, go-toolset:rhel8, golang, kernel, and kernel-rt), SUSE (apr, cargo-audit, chromium, obs-service-cargo, python311, python36, quagga, traefik, and xen), and Ubuntu (intel-microcode, linux-azure-fde-5.15, and puma).
https://lwn.net/Articles/991701/
[$] KDE sets its goals through 2026
Almost a decade ago https://ev.kde.org/
,
the non-profit organization that supports <a href="http://kde.org/" rel="nofollow">KDE</a>, started a https://community.kde.org/Goals/Goals_Process
for
selecting https://kde.org/goals/
to help the community unite behind a common vision for where the
project should go in the near future. KDE
recently wrapped up its 2022-2024 https://community.kde.org/Goals
on September 7, in Würzburg,
Germany. This time around, KDE will be looking to streamline its
application-development experience, improve support for input devices,
and bring in new contributors.
https://lwn.net/Articles/990604/
[$] Committing to Rust in the kernel
The project to enable the writing of kernel code in Rust has been underway
for several years, and each kernel release includes more Rust code. Even
so, some developers have expressed frustration at the time it takes to get
new functionality merged, and an air of uncertainty still hangs over
the project. At the 2024 Maintainers Summit, Miguel Ojeda led a discussion
on the status of Rust in the kernel and whether the time had come to stop
considering it an experimental project. There were not answers to all of the
questions, but it seems clear that Rust in the kernel will continue
steaming ahead.
https://lwn.net/Articles/991062/
Hy 1.0.0 released
Version 1.0.0 of <a href="http://hylang.org/" rel="nofollow">Hy</a>, a Lisp dialect that is embedded in Python, has been https://github.com/hylang/hy/discussions/2608
after nearly 12 years in development. This is the first stable release of the project:
Henceforth, breaking changes to documented parts of the language
(other than dropping support for versions of Python that are
themselves no longer supported by the CPython developers) will
increase the major version number, and my intention is for that not to
happen often, if at all.
The 1.0.0 release supports Python 3.8 through 3.13. See the <a href="http://hylang.org/hy/doc/v1.0.0" rel="nofollow">documentation</a> and the "<a href="http://hylang.org/hy/doc/v1.0.0/whyhy" rel="nofollow">Why Hy?</a>" page for why
one might want to use it.
https://lwn.net/Articles/991401/
[$] Resources for learning Rust for kernel development
Dirk Behme led a second session, back-to-back with
https://lwn.net/Articles/990489/
at
Kangrejos 2024, discussing providing better guidance for users of the kernel's
Rust abstractions. Just after that,
Carlos Bilbao and Miguel Ojeda had their own time slot dedicated to collecting
resources that could be of use to someone trying to come up to speed
on kernel development in
Rust. The attendees provided a lot of guidance in both sessions, and
discussed what they could do to make things easier for people coming
from non-Rust backgrounds.
https://lwn.net/Articles/990619/
[$] The 6.12 merge window begins
As of this writing, 6,778 non-merge changesets have been pulled into the
mainline kernel for the 6.12 release — over half of the work that had been
staged in linux-next prior to the opening of the merge window. There has
been a lot of refactoring and cleanup work this time around, but also some
significant changes. Read on for a summary of the first half of the 6.12
merge window.
https://lwn.net/Articles/990750/
OpenSSH 9.9 released
The OpenSSH project has https://www.openssh.com/txt/release-9.9
version 9.9. This version includes support for the
https://lwn.net/Articles/973231/
.
The release also includes
the next step in the deprecation of DSA keys — they are now disabled by default at compile time,
and are expected to be removed entirely in early 2025. The release also contains the normal mixture of bug fixes and small usability improvements.
https://lwn.net/Articles/991028/
[$] Considering kernel pass-through interfaces
The kernel normally sits firmly between user space and the system's
peripheral devices, and provides a standard interface to those devices. At
times, though, a more direct interface to a device is desired — but such
interfaces can be controversial. At the 2024 Maintainers Summit, the
assembled developers considered a specific case — the proposed https://lwn.net/Articles/969383/
— as well as the role of such
drivers in general.
https://lwn.net/Articles/990802/
Security updates for Friday
Security updates have been issued by Debian (chromium), Fedora (bluez, chromium, frr, iwd, libell, python3.11, python3.8, python3.9, and ruby), Mageia (kernel, kmod-xtables-addons, and kmod-virtualbox and kernel-linus), Red Hat (kernel), SUSE (kernel, kubernetes1.23, kubernetes1.24, kubernetes1.25, libmfx, and python-azure-identity), and Ubuntu (emacs, emacs24, emacs25, libreoffice, postgresql-9.5, python2.7, python3.5, and tgt).
https://lwn.net/Articles/991027/
The realtime preemption pull request
<img src="https://lwn.net/images/conf/2024/ms/rt-pull-sm.png" alt="[pull request]" align="right">
On September 19, Thomas Gleixner delivered the pull request for the
realtime preemption enablement patches to Linus Torvalds — in printed form,
wrapped in gold, with a ribbon, as Torvalds had requested. It was a
significant milestone, marking the completion of a project that required
20 years of effort. Congratulations are due to everybody involved.
Torvalds https://git.kernel.org/linus/baeb9a7d8b60
the pull request the following morning.
https://lwn.net/Articles/990985/
[$] Best practices for error handling in kernel Rust
Dirk Behme led a session discussing the use of Rust's question-mark operator in
the kernel at Kangrejos 2024. He was particularly concerned with the concept of
"silent" errors that don't print any messages to the console.
Other attendees were less convinced that this was a problem, but his presentation
sparked a lot of discussion about whether the Rust-for-Linux project could
improve error handling in kernel Rust code.
https://lwn.net/Articles/990489/
[$] RPM 4.20 is coming
The https://rpm.org/
(RPM) project is
nearing the release of RPM 4.20, the last major planned update for the RPM 4.x
series. It has few user-facing changes, but
several additions and enhancements for developers—as well as
some small incompatibilities that will likely require RPM packagers to
revise their <a href="https://rpm-packaging-guide.github.io/#what-is-a-spec-file" rel="nofollow">spec
files</a>. 4.20 will be rolling out to many users soon, in
Fedora 41, which is scheduled for October. RPM 6.0 is
already in the works, with a new package format and opening the door
to enabling C++ use in the RPM codebase.
https://lwn.net/Articles/988927/
[$] The uncertain future of kernel regression tracking
Tracking of regressions seems like an important task for any project; there
is no other way to ensure that known problems are fixed. At the 2024
Maintainers Summit, though, Thorsten Leemhuis, who has been doing that work
for the kernel, expressed some doubts about whether it is worth continuing.
The result was an energetic session on how regression tracking should be
done better, and how this work should be supported.
https://lwn.net/Articles/990599/
GNOME 47 released
https://release.gnome.org/47/
of the GNOME desktop
has been released. Changes include configurable accent colors, better
small-screen support, some performance improvements, new file open and save
dialogs, and more.
https://lwn.net/Articles/990788/
Oddbean new post about login | logout
Notes by LWN.net (RSS Feed) | export