[$] LWN's guide to 2024
The calendar has flipped over into 2024 — another year has begun. Here at
LWN, we do not have a better idea of what this year will bring than anybody
else does, but that doesn't keep us from going out on a shaky limb and
making predictions anyway. Here, for the curious, are a few things that we
think may be in store for 2024.
https://lwn.net/Articles/954544/
Security updates for Tuesday
Security updates have been issued by Red Hat (firefox and thunderbird), SUSE (gstreamer-plugins-bad, libssh2_org, and webkit2gtk3), and Ubuntu (firefox and thunderbird).
https://lwn.net/Articles/956568/
[$] The trouble with MAX_ORDER
One might not think that much could be said about a simple macro defining a
constant integer value. But the kernel is special, it seems. A change to
the definition of MAX_ORDER has had a number of follow-on effects,
and the task of cleaning up after this change is not done yet. So perhaps
a look at MAX_ORDER is in order.
https://lwn.net/Articles/956321/
Scribus 1.6.0 released
Version 1.6.0 of the <a href="https://www.scribus.net/" rel="nofollow">Scribus
desktop-publishing application</a> has been released
(https://www.scribus.net/scribus-1-6-0-released/). The
list of new features is rather long and includes a user interface overhaul,
improvements for HiDPI screens, new scripting commands, lots of
typographical improvements and features, a new picture browser for
graphical asset management, support for more gradient types, and much more.
Scribus 1.6.0 is the long awaited release in the next stable series,
replacing 1.4.8 and development versions in the 1.5.x series. This version
has been in development for some years and contains thousands of
enhancements and fixes across all areas of the program. It has more
features, is faster, and is more stable.
https://lwn.net/Articles/956522/
Julia 1.10 released
Julia 1.10 (https://julialang.org/) has been released. It is mainly a performance release, with only two new language features mentioned in the release notes: "JuliaSyntax.jl is now used as the default parser, providing better diagnostics and faster parsing." and the addition of two Unicode symbols for use as binary operators: "⥺ (U+297A, \leftarrowsubset) and ⥷ (U+2977, \leftarrowless)". Package-loading time has been improved further and the mark phase of garbage collection has been parallelized, among other improvements.
https://lwn.net/Articles/956456/
Gnuplot 6.0 released
Version 6.0 of the Gnuplot plotting system
has been released.
Gnuplot has been supported and under active development since 1986.
This is the first new major version of gnuplot since the release of
version 5 in January 2015. It introduces extensions to the gnuplot
command language, an expanded collection of special and
complex-valued functions, additional 2D and 3D plotting styles, and
support for new output protocols.
See <a href="https://gnuplot.sourceforge.net/ReleaseNotes_6_0_0.html" rel="nofollow">the
release notes</a> for details.
https://lwn.net/Articles/956454/
Security updates for Thursday
Security updates have been issued by Debian (haproxy, libssh, and nodejs), Fedora (filezilla and minizip-ng), Gentoo (Git, libssh, and OpenSSH), and SUSE (gstreamer, postfix, webkit2gtk3, and zabbix).
https://lwn.net/Articles/956257/
Ruby 3.3.0 Released
As is the tradition for the https://www.ruby-lang.org/en/
(Yet another Ruby JIT) just-in-time compiler. Ruby 3.3 adds a new Ruby-based JIT, RJIT, that targets x86_64, which is available for experimental purposes. There are lots of other improvements and new features described in the announcement.
https://lwn.net/Articles/956115/
Kernel prepatch 6.7-rc7
The 6.7-rc7 kernel prepatch (https://lwn.net/Articles/956091/) is out for
testing.
Anyway, rc7 itself looks fairly normal. It's actually a bit bigger
than rc6 was, but not hugely so, and nothing in here looks at all
strange. Please do give it a whirl if you have the time and the
energy, but let's face it, I expect things to be very quiet and
this to be one of those "nothing happens" weeks. Because even if
you aren't celebrating this time of year, you might take advantage
of the peace and quiet.
https://lwn.net/Articles/956092/
Stable kernel 5.15.145
The 5.15.145 stable kernel (https://lwn.net/Articles/956081/) has been
released. It consists mostly of fixes to the ksmbd subsystem, which has
been marked as broken due to (until now) a lack of support for the 5.15.x
kernels.
https://lwn.net/Articles/956082/
Security updates for Thursday
Security updates have been issued by Debian (firefox-esr), Fedora (kernel), Mageia (bluez), Oracle (fence-agents, gstreamer1-plugins-bad-free, opensc, openssl, postgresql:10, and postgresql:12), Red Hat (postgresql:15 and tigervnc), Slackware (proftpd), and SUSE (docker, rootlesskit, firefox, go1.20-openssl, go1.21-openssl, gstreamer-plugins-bad, libreoffice, libssh2_org, poppler, putty, rabbitmq-server, wireshark, xen, xorg-x11-server, and xwayland).
https://lwn.net/Articles/955914/
LSFMM+BPF 2024 call for proposals
The 2024 Linux Storage, Filesystem, Memory-Management, and BPF Summit will
be held May 13 to 15 in Salt Lake City, Utah, USA. The <a href="https://lwn.net/ml/linux-mm/4343d07b-b1b2-d43b-c201-a48e89145e5c@iogearbox.net/" rel="nofollow">call
for proposals</a> has already gone out, with a deadline of March 1.
"LSF/MM/BPF is an invitation-only technical workshop to map out
improvements to the Linux storage, filesystem, BPF, and memory management
subsystems that will make their way into the mainline kernel within the
coming years."
https://lwn.net/Articles/955827/
Firefox 121.0 released
<a href="https://www.mozilla.org/en-US/firefox/121.0/releasenotes/" rel="nofollow">Version
121.0</a> of the Firefox browser is out. Along with the usual pile of
security fixes, this release adds the ability to force links to be rendered
with underlines and use of Wayland by default if it is available: "This
brings support for touchpad & touchscreen gestures, swipe-to-nav,
per-monitor DPI settings, better graphics performance, and more."
https://lwn.net/Articles/955679/
Security updates for Tuesday
Security updates have been issued by Debian (webkit2gtk), Fedora (rdiff-backup and xorg-x11-server-Xwayland), Mageia (cjose and ghostscript), Oracle (avahi), Red Hat (postgresql:10), and SUSE (avahi, freerdp, libsass, and ncurses).
https://lwn.net/Articles/955678/
[$] Ext4 data corruption hits the stable kernels
The kernel's stable-update process is intended to produce kernels that are,
well, stable; when that promise is lived up to, users can update to newer
stable updates without fear. By any account, a bug that corrupts data on
ext4 filesystems constitutes a failure to hold to that promise. As is so
often the case, this problem is the result of a chain of failures in a
system that works well most of the time.
https://lwn.net/Articles/954770/
Kernel prepatch 6.7-rc5
The 6.7-rc5 kernel prepatch (https://lwn.net/Articles/954468/) is out for
testing.
Nothing looks particularly scary, which is good, because if it had
been, I wouldn't have had the capacity to deal with it last week.
Let's hope it stays that way even as I am getting better. Because the
holidays are almost upon us, and I'm woefully underprepared.
https://lwn.net/Articles/954469/
GDB 14.1 released
Version 14.1 of the GDB debugger is out. Changes include initial support
for the <a href="https://microsoft.github.io/debug-adapter-protocol//" rel="nofollow">debugger
adapter protocol</a>, NO_COLOR support, the ability to work with
integer types larger than 64 bits, a number of enhancements to the
Python API, and more.
https://lwn.net/Articles/953732/
Bueso: LPC 2023: CXL Microconference
Davidlohr Bueso has posted <a href="https://blog.stgolabs.net/2023/12/lpc-2023-cxl-microconference.html" rel="nofollow">a
summary of the CXL microconference</a> at the recently concluded Linux
Plumbers Conference. "The goals for the track were to openly discuss
current on-going development efforts around the core driver, as well as
experimental memory management topics which lead to accommodating kernel
infrastructure for new technology and use cases."
https://lwn.net/Articles/953706/
Security updates for Monday
Security updates have been issued by Debian (amanda, ncurses, nghttp2, opendkim, rabbitmq-server, and roundcube), Fedora (golang-github-openprinting-ipp-usb, kernel, kernel-headers, kernel-tools, and samba), Mageia (audiofile, galera, libvpx, and virtualbox), Oracle (kernel and postgresql:13), SUSE (openssl-3, optipng, and python-Pillow), and Ubuntu (firefox).
https://lwn.net/Articles/953702/
[$] Reducing kernel-maintainer burnout
Overstressed maintainers are a constant topic of conversation throughout
the open-source community. Kernel maintainers have been complaining more
loudly than usual recently about overwork and stress. The problems that
maintainers are facing are clear; what to do about them is rather less so.
A session at the 2023 Maintainers Summit took up the topic yet again with
the hope of finding some solutions; there may be answers, perhaps even
within the kernel community, but a general solution still seems distant.
https://lwn.net/Articles/952034/
Happy Thanksgiving
November 23 is the US Thanksgiving holiday; as is our tradition, we will
not be publishing an LWN Weekly Edition this week as we will be far too
busy eating. We wish a good holiday to all of our readers (whether they
celebrate it or not); the weekly edition will return on November 30.
https://lwn.net/Articles/952354/
[$] Committing to Rust for kernel code
Rust has been a prominent topic at the Kernel Maintainers Summit for the
last couple of years, and the 2023 meeting continued that tradition. As
Rust-for-Linux developer Miguel Ojeda noted at the beginning of the session
dedicated to the topic, the level of interest in using Rust for kernel
development has increased significantly over the last year. But Rust was
explicitly added to Linux as an experiment; is the kernel community now
ready to say that the experiment has succeeded?
https://lwn.net/Articles/952029/
Kernel prepatch 6.7-rc2
The 6.7-rc2 kernel prepatch (https://lwn.net/Articles/951906/) is out for
testing. "The most noticeable thing is probably the turbostat tool
update, which actually came in during the merge window, but was delayed by
just waiting for getting the pull request properly signed."
https://lwn.net/Articles/951907/
[$] Preventing atomic-context violations in Rust code with klint
One of the core constraints when programming in the kernel is the need to
avoid sleeping when running in atomic context. For the most part, the
responsibility for adherence to this rule is placed on the developer's
shoulders; Rust developers, though, want the compiler to ensure that code
is safe whenever possible. At the <a href="https://lpc.events/" rel="nofollow">2023 Linux
Plumbers Conference</a>, Gary Guo presented (via a remote link) the klint
tool, which can find
and flag many atomic-context violations before they turn into
user-affecting bugs.
https://lwn.net/Articles/951550/
Security updates for Friday
Security updates have been issued by Debian (webkit2gtk), Fedora (microcode_ctl, pack, and tigervnc), Slackware (gimp), SUSE (frr, gcc13, go1.20, go1.20-openssl, go1.21, go1.21-openssl, libnbd, libxml2, python-Pillow, python-urllib3, and xen), and Ubuntu (intel-microcode and openvpn).
https://lwn.net/Articles/951801/
[$] The real realtime preemption end game
The addition of realtime support to Linux is a long story; it first
appeared (https://lwn.net/Articles/106010/) in 2004. For much of that
time, it has seemed like only a little more work was needed to get across
the finish line; thus we ran headlines like <a href="https://lwn.net/Articles/345076/" rel="nofollow">the
realtime preemption endgame</a> — in 2009. At the 2023 Linux Plumbers
Conference (https://lpc.events/), Thomas
really only one big problem left to be solved before all of that work can
land in the mainline.
https://lwn.net/Articles/951337/
Security updates for Thursday
Security updates have been issued by Debian (chromium and openvpn), Oracle (kernel, microcode_ctl, plexus-archiver, and python), Red Hat (.NET 6.0, dotnet6.0, dotnet7.0, dotnet8.0, kernel, linux-firmware, and open-vm-tools), SUSE (apache2, chromium, jhead, postgresql12, postgresql13, and qemu), and Ubuntu (dotnet6, dotnet7, dotnet8, frr, python-pip, quagga, and tidy-html5).
https://lwn.net/Articles/951681/
A GNU COBOL status update
For the COBOL users out there, James K. Lowden has <a href="https://lwn.net/ml/gcc/20231113163647.ddbda1708295a0a5e41f9875@schemamania.org/" rel="nofollow">posted
an update</a> on the current status of the GNU COBOL compiler.
When in November we turn back our clocks, then naturally do
programmers' thoughts turn to Cobol, its promise, and future.
At last post, nine months ago, we were working our way through the
NIST CCVS/85 test suite. I am pleased to report that process is
complete. As far as NIST is concerned, gcobol is a Cobol compiler.
https://lwn.net/Articles/951498/
Security updates for Tuesday
Security updates have been issued by Debian (postgresql-11, postgresql-13, and postgresql-15), Fedora (chromium, optipng, and radare2), Scientific Linux (plexus-archiver and python), Slackware (tigervnc), SUSE (apache2, containerized-data-importer, kernel-firmware-nvidia-gspx-G06, nvidia-open-driver-G06-signed, postgresql, postgresql15, postgresql16, postgresql12, postgresql13, python-Django1, squashfs, and xterm), and Ubuntu (firefox and memcached).
https://lwn.net/Articles/951311/
[$] The rest of the 6.7 merge window
By the time that the 6.7 merge window closed on November 12, 15,418
non-merge changesets had been pulled into the mainline kernel. That makes
this one of the busiest merge windows ever; if one discounts the lengthy
bcachefs development history (some 2,800 commits), though, then the patch
volume is roughly in line with other recent kernels. Over 5,000 of those
commits were merged after <a href="https://lwn.net/Articles/949294/" rel="nofollow">our first-half
merge-window summary</a> was written.
https://lwn.net/Articles/949957/
Security updates for Monday
Security updates have been issued by Debian (audiofile and ffmpeg), Fedora (keylime, python-pillow, and tigervnc), Mageia (quictls and vorbis-tools), Oracle (grub2), Red Hat (galera, mariadb, plexus-archiver, python, squid, and squid34), and SUSE (clamav, kernel, mupdf, postgresql14, tomcat, tor, and vlc).
https://lwn.net/Articles/951237/
Security updates for Friday
Security updates have been issued by Fedora (community-mysql, matrix-synapse, and xorg-x11-server-Xwayland), Mageia (squid and vim), Oracle (dnsmasq, python3, squid, squid:4, and xorg-x11-server), Red Hat (fence-agents, insights-client, kernel, kpatch-patch, mariadb:10.5, python3, squid, squid:4, tigervnc, and xorg-x11-server), Scientific Linux (bind, firefox, java-1.8.0-openjdk, java-11-openjdk, kernel, libssh2, python-reportlab, python3, squid, thunderbird, and xorg-x11-server), SUSE (go1.21), and Ubuntu (linux-gke and linux-iot).
https://lwn.net/Articles/951066/
The end of the Red Hat security-announcements list
Red Hat has announced (https://listman.redhat.com/archives/rhsa-announce/2023-October/012854.html)
that its longstanding "rhsa-announce" mailing list will be shut down on
October 10. That is the list that receives security advisories for
Red Hat Enterprise Linux and a whole slew of related products. Anybody who
was counting on that list for Red Hat security advisories will need to find
an alternative; a few options are listed in the announcement.
https://lwn.net/Articles/946851/
Security updates for Friday
Security updates have been issued by Debian (grub2, libvpx, libx11, libxpm, and qemu), Fedora (firefox, matrix-synapse, tacacs, thunderbird, and xrdp), Oracle (glibc), Red Hat (bind, bind9.16, firefox, frr, ghostscript, glibc, ImageMagick, libeconf, python3.11, python3.9, and thunderbird), Scientific Linux (ImageMagick), SUSE (kernel, libX11, and tomcat), and Ubuntu (linux-hwe-5.15, linux-oracle-5.15).
https://lwn.net/Articles/946848/
Ferrocene released as open source
Ferrous Systems has announced (https://ferrous-systems.com/blog/ferrocene-open-source/)
that its Ferrocene Rust compiler will be released under the Apache-2.0 and
MIT licenses.
Ferrocene is the main Rust compiler - rustc - but quality managed
and qualified for use in automotive and industrial environments
(currently by ISO 26262 and IEC 61508) by Ferrous Systems. It
operates as a downstream to the Rust project, further increasing
its testing and quality on specific platforms.
The license is free, but this is not being run as an open-source project;
specifically, contributions from the "general public" are not accepted.
https://lwn.net/Articles/946732/
[$] GCC features to help harden the kernel
Hardening the Linux kernel is an endless task, with work required on
multiple fronts. Sometimes, that work is not done in the kernel itself;
other tools, including compilers, can have a significant role to play.
At the <a href="https://gcc.gnu.org/wiki/cauldron2023" rel="nofollow">2023 GNU Tools
Cauldron</a>, Qing Zhao covered some of the work that has been done in the
GCC compiler to help with the hardening of the kernel — along with work
that still needs to be done.
https://lwn.net/Articles/946041/
[$] Linux ecosystem contributions from SteamOS
The SteamOS (https://store.steampowered.com/steamos) Linux
distribution is focused on gaming, naturally, but the effort to build it
has resulted in contributions to multiple areas in the Linux ecosystem. Alberto Garcia
has been working on SteamOS and came to Bilbao, Spain to describe some of those
contributions at Open Source Summit Europe 2023. There are some obvious
areas where a gaming-focused OS might contribute upstream, such as
graphics, but the talk showed contributions in several other areas as well.
https://lwn.net/Articles/946188/
Security updates for Tuesday
Security updates have been issued by Debian (exim4), Fedora (firecracker, rust-aes-gcm, rust-axum, rust-tokio-tungstenite, rust-tungstenite, and rust-warp), Gentoo (nvidia-drivers), Mageia (chromium-browser-stable, glibc, and libwebp), Red Hat (kernel), SUSE (ghostscript and python3), and Ubuntu (firefox, libtommath, libvpx, and thunderbird).
https://lwn.net/Articles/946313/
Notes from the Git Contributor's Summit
For those who are curious about the recently concluded Git Contributor's
Summit, Taylor Blau has posted notes (https://lwn.net/ml/git/ZRregi3JJXFs4Msb@nand.local/)
from the event. Topics include next-generation backends, libification,
backward compatibility, project management, and more.
https://lwn.net/Articles/946208/
Kernel prepatch 6.6-rc4
Linus has released 6.6-rc4 (https://lwn.net/Articles/946092/) for testing.
"There's nothing particularly odd in here, if you don't count a week of
no networking pull as being odd. That does result in rc4 being fairly
small, but I suspect we'll just see a bigger rc5 to compensate."
https://lwn.net/Articles/946093/
[$] Impressions from the GNU Project's 40th anniversary celebration
On September 27, 1983, Richard Stallman <a href="https://www.gnu.org/gnu/initial-announcement.en.html" rel="nofollow">announced the
founding of the GNU project</a>. His goal, which seemed wildly optimistic
and unattainable at the time, was to write a complete Unix-like operating
system from the beginning
and make it freely available. Exactly 40 years later, the GNU project
celebrated with an event (https://www.gnu.org/gnu40) in
Switzerland. Your editor had the good fortune to be able to attend.
https://lwn.net/Articles/945912/
Security updates for Friday
Security updates have been issued by Debian (firefox-esr, jetty9, and vim), Gentoo (Fish, GMP, libarchive, libsndfile, Pacemaker, and sudo), Oracle (nodejs:16 and nodejs:18), Red Hat (virt:av and virt-devel:av), Slackware (mozilla), SUSE (chromium, firefox, Golang Prometheus, iperf, libqb, and xen), and Ubuntu (linux-raspi).
https://lwn.net/Articles/945965/
[$] Security policies for GNU toolchain projects
While the CVE process was created in response to real problems, it's clear
(https://lwn.net/Articles/944209/) that CVE numbers are
creating problems of their own. At the 2023 GNU Tools Cauldron
(https://gcc.gnu.org/wiki/cauldron2023),
Siddhesh Poyarekar expressed the frustration that toolchain developers have
felt as the result of arguing with security researchers about CVE-number
assignments. In response, the GNU toolchain community is trying to better
characterize what is — and is not — considered to be a security-relevant
bug in its software.
https://lwn.net/Articles/945536/
[$] Moving the kernel to large block sizes
Using larger block sizes in the kernel for I/O is a recurring topic in
storage and block-layer circles. The topic came up in a session
(https://lwn.net/Articles/933437/)
at the Linux Storage, Filesystem, Memory-Management and BPF Summit (LSFMM)
back in May. One of the participants in those discussions, Hannes Reinecke, gave
a talk at Open Source Summit Europe 2023 with an overview of the reasons
behind using larger blocks for I/O, the current status of that work, and
where it all might lead from here.
https://lwn.net/Articles/945646/
[$] AI from a legal perspective
The AI boom is clearly upon us, but there are still plenty of questions
swirling around this technology. Some of those questions are legal ones
and there have been lawsuits filed to try to get clarification—and perhaps
monetary damages. Van Lindberg is a lawyer who is well-known in the
open-source world; he came to <a href="https://events.linuxfoundation.org/open-source-summit-europe/" rel="nofollow">Open
Source Summit Europe</a> 2023 in Bilbao, Spain to try to put the current
work in AI into its legal context.
https://lwn.net/Articles/945504/
Firefox 118.0 released
<a href="https://www.mozilla.org/en-US/firefox/118.0/releasenotes/" rel="nofollow">Version
118.0</a> of the Firefox browser has been released. Changes include
improved fingerprinting prevention and automated translation: "Automated
translation of web content is now available to Firefox users! Unlike
cloud-based alternatives, translation is done locally in Firefox, so that
the text being translated does not leave your machine."
https://lwn.net/Articles/945608/
Security updates for Tuesday
Security updates have been issued by Debian (exempi, glib2.0, lldpd, and netatalk), Fedora (curl, libppd, and linux-firmware), Oracle (kernel), and SUSE (Cadence, frr, modsecurity, python-CairoSVG, python-GitPython, and tcpreplay).
https://lwn.net/Articles/945559/
LibrePCB 1.0.0 Released
LibrePCB 1.0.0 has been released (https://librepcb.org/blog/2023-09-24_release_1.0.0/); it is a
"free, cross-platform, easy-to-use electronic design automation suite to draw schematics and design printed circuit boards".
As noted in a roadmap post (https://librepcb.org/blog/2023-05-15_roadmap_1.0/),
a grant has helped spur development of the tool.
The focus for the release has been in adding features that were needed so that "there should be no show stopper anymore which prevents you from using LibrePCB for more complex PCB [printed circuit board] designs".
New features include a 3D viewer and export format for working with designs in a mechanical computer aided design (CAD) tool, support for manufacturer part number (MFN) management, and lots of board editor features such as
thermal relief pads in planes, blind & buried vias,
keepout zones, and more. [Thanks to Alphonse Ogulla.]
https://lwn.net/Articles/945519/
[$] The European Cyber Resilience Act
The security of digital products has become a topic of regulation
in recent years. Currently, the European Union is moving forward
with another new law, which, if it comes into effect in a form
close to the current draft, will affect software developers worldwide.
This new proposal, called the "Cyber
Resilience Act" (CRA), brings mandatory security requirements on all
digital products, both software
and hardware, that are available in Europe. While it aims at a worthy goal, the
proposal is causing a stir among open-source communities.
https://lwn.net/Articles/944300/
The Debian Project mourns the loss of Abraham Raji
The Debian project is mourning the loss of Abraham Raji (https://www.debian.org/News/2023/20230914),
who was killed in an accident on September 13.
Abraham was a popular and respected Debian Developer as well as a prominent free software champion in his home state of Kerala, India. He was a talented graphic designer and led design and branding work for DebConf23 and several other local events in recent years. Abraham gave his time selflessly when mentoring new contributors to the Debian project, and he was instrumental in creating and maintaining the Debian India website.
The Debian Project honors his good work and strong dedication to Debian and Free Software. Abraham’s contributions will not be forgotten, and the high standards of his work will continue to serve as an inspiration to others.
https://lwn.net/Articles/944596/
[$] Shrinking shrinker locking overhead
Much of the kernel's performance is dependent on caching — keeping useful
information around for future use to avoid the cost of looking it up again.
The kernel aggressively caches pages of file data, directory entries,
inodes, slab objects, and much more. Without active measures, though,
caches will tend to grow without bounds, leading to memory exhaustion. The
kernel's "shrinker" mechanism exists to be that active measure, but
shrinkers have some performance difficulties of their own. <a href="https://lwn.net/ml/linux-mm/20230911094444.68966-1-zhengqi.arch@bytedance.com/" rel="nofollow">This
patch series</a> from Qi Zheng seeks to address one of the worst of those
by removing some locking overhead.
https://lwn.net/Articles/944199/
[$] Why glibc's fstat() is slow
The fstat() system call (https://man7.org/linux/man-pages/man2/stat.2.html)
retrieves some of the metadata — owner, size, protections,
timestamps, and so on — associated with an open file descriptor. One might
not think of it as a performance-critical system call, but there are
workloads that make a lot of fstat() calls; it is not something
that should be slowed unnecessarily. As it turns out, though, the GNU C
Library (glibc) has been doing exactly that, but a fix is in the works.
https://lwn.net/Articles/944214/
Security updates for Thursday
Security updates have been issued by Debian (firefox-esr, libwebp, ruby-loofah, and ruby-rails-html-sanitizer), Fedora (open-vm-tools and salt), Oracle (.NET 7.0, dmidecode, flac, gcc, httpd:2.4, keylime, libcap, librsvg2, and qemu-kvm), Red Hat (.NET 6.0 and .NET 7.0), Slackware (libarchive and mozilla), SUSE (chromium and kernel), and Ubuntu (curl, firefox, ghostscript, open-vm-tools, postgresql-9.5, and thunderbird).
https://lwn.net/Articles/944481/
A GCC -fstack-protector vulnerability on arm64
The GCC stack-protector feature detects stack-based buffer overruns by
putting a canary value on the stack and noticing if that value is changed.
<a href="https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-x7ch-h5rf-w2mf" rel="nofollow">It
turns out</a>, though, that dynamically allocated local variables (such as
variable-length arrays and space obtained with alloca()) are
placed beyond the canary, so overflows of those variables will not be
detected. As a result, arm64 binaries built with vulnerable versions of
GCC are not as protected as they should be and need to be rebuilt.
Dynamic allocations are just as susceptible to overflows as other
locals. In fact, they're arguably more susceptible because they're
almost always arrays, whereas fixed locals are often integers,
pointers, or other types to which variable-length data is never
written. GCC's own heuristics for when to use a stack guard reflect
this.
Kees Cook, meanwhile, has noted (https://fosstodon.org/@kees/111054213020992461) that
the kernel no longer uses variable-length arrays, so kernel builds should
not be affected by this vulnerability.
https://lwn.net/Articles/944307/
Benjamin: Towards a new SymPy
Oscar Benjamin has begun a series of blog posts (https://oscarbenjamin.github.io/blog/czi/index.html#new-sympy)
on the future of SymPy; the first covers polynomial handling, and subsequent articles will examine other pieces of the puzzle.
I will be writing this in a series of blog posts. This first post will outline the structure of the foundations of a computer algebra system (CAS) like SymPy, describe some problems SymPy currently has and what can be done to address them. Then subsequent posts will focus in more detail on particular components and the work that has been done and what should be done in the future.
https://lwn.net/Articles/943995/
[$] Prerequisites for large anonymous folios
The work to add support for <a href="https://lwn.net/Articles/937239/" rel="nofollow">large anonymous
folios</a> to the kernel has been underway for some time, but this feature
has not yet landed in the mainline. The author of this work, Ryan Roberts,
has been trying to get a handle on what the remaining obstacles are so he
can address them. On September 6, an online meeting of
memory-management developers discussed that topic and made some progress;
there is still some work to do, though, before large anonymous folios can
go upstream.
https://lwn.net/Articles/943758/
Security updates for Friday
Security updates have been issued by Debian (chromium, libssh2, memcached, and python-django), Fedora (netconsd), Oracle (firefox and thunderbird), Scientific Linux (firefox), SUSE (open-vm-tools), and Ubuntu (grub2-signed, grub2-unsigned, shim, and shim-signed, plib, and python2.7, python3.5).
https://lwn.net/Articles/943990/
Google bakes a user-tracking ad platform directly into Chrome (ars technica)
<a href="https://arstechnica.com/gadgets/2023/09/googles-widely-opposed-ad-platform-the-privacy-sandbox-launches-in-chrome/" rel="nofollow">This
ars technica article</a> looks at the widespread deployment of Google's
"privacy sandbox" in the Chrome browser:
If you haven't been following this, this feature will track the web
pages you visit and generate a list of advertising topics that it
will share with web pages whenever they ask, and it's built
directly into the Chrome browser. It's been in the news previously
as "FLoC" and then the "Topics API," and despite widespread
opposition from just about every non-advertiser in the world,
Google owns Chrome and is one of the world's biggest advertising
companies, so this is being railroaded into the production builds.
For those who use Chrome anyway, there are instructions on how to disable
this functionality.
https://lwn.net/Articles/943969/
Ubuntu to add TPM-backed full-disk encryption
The Ubuntu blog has <a href="https://ubuntu.com/blog/tpm-backed-full-disk-encryption-is-coming-to-ubuntu" rel="nofollow">a
detailed article</a> on plans to add full-disk encryption, with the key
stored in the system's trusted platform module (TPM), to the desktop
distribution.
In order to deliver these benefits, the implementation of
TPM-backed FDE relies on two main design principles. First, it
seals the FDE secret key to the full EFI state, including the
kernel command line. Second, access to the decryption key will only
be permitted if and when the device boots software that has been
defined as authorised to access the confidential data. This is
when the initrd code will unseal the key in the secure-boot
protected kernel.efi at boot time.
https://lwn.net/Articles/943869/
[$] Replacing openSUSE Leap
openSUSE Leap (https://get.opensuse.org/leap/15.5/) is a hybrid
distribution; it is based on SUSE's enterprise distribution (SLE), which
follows the "slow and stable" approach, but adds a number of newer packages
on top. Leap is intended to be a desktop-oriented distribution with a stable
and reliable base. As SUSE transitions away from its traditional
enterprise distribution toward its <a href="https://susealp.io/" rel="nofollow">"Adaptable
Linux Platform" (ALP)</a>, though, the stable base upon which openSUSE Leap
is built is going away. The openSUSE community is currently discussing how
the project should respond.
https://lwn.net/Articles/943591/
Security updates for Thursday
Security updates have been issued by Fedora (erofs-utils, htmltest, indent, libeconf, netconsd, php-phpmailer6, tinyexr, and vim), Red Hat (firefox), and Ubuntu (linux-aws, linux-aws-5.15, linux-ibm-5.15, linux-oracle, linux-oracle-5.15, linux-azure, linux-azure-fde-5.15, linux-gke, linux-gkeop, linux-intel-iotg-5.15, linux-raspi, linux-oem-6.1, linux-raspi, linux-raspi-5.4, shiro, and sox).
https://lwn.net/Articles/943856/