[$] Standards for use of unsafe Rust in the kernel
Rust is intended to let programmers write safer code.
But compilers are
not omniscient, and writing Rust code that interfaces with hardware (or that
works with memory outside of Rust's lifetime paradigm) requires, at
some point, the programmer's assurance that some operations are permissible. Benno Lossin
<a href="https://lwn.net/ml/all/20240717221133.459589-1-benno.lossin@proton.me/" rel="nofollow">
suggested adding
some more documentation</a> to
<a href="https://rust-for-linux.com/" rel="nofollow">
the Rust-for-Linux project</a> clarifying the
standards for commenting uses of unsafe in kernel code. There's general
agreement that such standards are necessary, but less agreement on exactly when
it is appropriate to use unsafe.
https://lwn.net/Articles/982868/
[$] Zettlr: note-taking and publishing with Markdown
https://daringfireball.net/projects/markdown/
editors are a dime a dozen. Cheaper than that, actually,
since many of them are open‑source software. Despite the sheer number of
options, finding an editor that has all of the features that one might want can
be tricky. For some users, https://www.zettlr.com/
might the right tool. It is a <a href="https://en.wikipedia.org/wiki/WYSIWYM" rel="nofollow">What You See is What You
Mean</a> (WYSIWYM) editor that stores its work locally as plain Markdown
files. The project is billed as a "one-stop publication
workbench", and is suitable for writing anything from blog posts to
academic papers, maintaining a personal journal, or keeping notes in a https://en.wikipedia.org/wiki/Zettelkasten
. It
is simple to get started with, but rewards deeper exploration and
customization.
https://lwn.net/Articles/984502/
[$] Changes coming in PostgreSQL 17
The
<a href="https://www.postgresql.org/" rel="nofollow">
PostgreSQL</a> project has
<a href="https://www.postgresql.org/about/news/postgresql-164-158-1413-1316-1220-and-17-beta-3-released-2910/" rel="nofollow">
released</a> beta
versions of PostgreSQL 17 containing several interesting security and usability
improvements, alongside the usual performance improvements and bug fixes. If the
release proceeds according to the usual timeline, the full release of version 17
is expected in September or October.
The most important changes are in what PostgreSQL does when a database
supervisor has their credentials revoked, and added
support for incremental database backups.
https://lwn.net/Articles/984599/
Lix makes its second release
https://lix.systems
since forking. This one includes substantial changes to the backend code, including removing a dependency on Bison, and getting a change to the Nix language back upstream.
The general theme of Lix 2.91 is to perform another wave of
refactorings and design improvements in preparation for our evolution
plans.
Nevertheless, there are a few exciting user facing changes[.]
https://lwn.net/Articles/985484/
Incus 6.4 released
Version 6.4 of the Incus container manager is out.
This release builds upon the recently added OCI support from Incus
6.3, making it even easier to run application containers. It also
adds a number of useful new features for clustered and larger
environments with more control on the virtual CPU used when live
migrating VMs and finer grained resource constraints within
projects.
See <a href="https://discuss.linuxcontainers.org/t/incus-6-4-has-been-released/21323" rel="nofollow">this
announcement</a> for details.
https://lwn.net/Articles/985482/
Security updates for Tuesday
Security updates have been issued by Debian (kernel and roundcube), Fedora (microcode_ctl, pypy, python2.7, and python3.6), Oracle (389-ds-base, httpd, kernel, kernel-container, and linux-firmware), Red Hat (kernel-rt), SUSE (firefox, kubernetes1.23, libqt5-qtbase, openssl-1_1, python-gunicorn, python-Twisted, python-urllib3, and qt6-base), and Ubuntu (linux-aws-5.15, linux-gkeop-5.15, linux-ibm, linux-ibm-5.15, linux-raspi, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15, linux-oem-6.8, linux-oracle-5.15, and qemu).
https://lwn.net/Articles/985481/
Security updates for Monday
Security updates have been issued by AlmaLinux (httpd:2.4), Fedora (chromium, firefox, frr, neatvnc, nss, python-setuptools, and python3.13), Gentoo (AFLplusplus, Bundler, dpkg, GnuPG, GPAC, libde265, matio, MuPDF, PHP, protobuf, protobuf-python, protobuf-c, rsyslog, Ruby on Rails, and runc), Red Hat (389-ds-base, container-tools:rhel8, and httpd:2.4), SUSE (bind and ca-certificates-mozilla), and Ubuntu (linux-azure).
https://lwn.net/Articles/985336/
[$] Meeting the Debian Technical Committee
It is something of a DebConf tradition that members of the <a href="https://www.debian.org/devel/tech-ctte" rel="nofollow">Debian Technical
Committee</a> (TC) take the stage to talk about the work that the committee
does—and more. https://debconf24.debconf.org/
in
Busan, South Korea was no exception, as TC chair Sean Whitton, who
will complete his term at the end of the year, and one
of its newest members, Stefano Rivera, described the constitutional
underpinnings of the TC, how it tries to make decisions when it needs to,
and the constant process of recruiting new members. After that, they took
a few questions from the audience. The session provided a nice overview of
the TC and its role in Debian, but it may well be of interest further afield.
https://lwn.net/Articles/984720/
A new kernel-version policy for Ubuntu
The Canonical Kernel Team has https://discourse.ubuntu.com/t/kernel-version-selection-for-ubuntu-releases/47007
a new policy regarding the version of the kernel that will ship with each
Ubuntu release; the result will generally be the shipping of newer
releases.
To provide users with the absolute latest in features and hardware
support, Ubuntu will now ship the absolute latest available version
of the upstream Linux kernel at the specified Ubuntu release freeze
date, even if upstream is still in Release Candidate (RC) status.
The post goes on to acknowledge that "there are issues with this
approach"; there are a lot of policy details that will apply depending
on just how raw the shipped kernel is.
https://lwn.net/Articles/985043/
[$] Distinguishing Debian testing from unstable
Sometimes, the smallest changes create the longest discussions. As a case
in point, a proposal to make a one-line change in an informational text
file on systems running the Debian unstable distribution has blown up into
an interminable and sometimes unfriendly debate. At its core, though, this
discussion comes down to a seemingly simple question: should a program be
able to determine whether it is running on a Debian testing or unstable
system?
https://lwn.net/Articles/984635/
New attack against the SLUB allocator
Researchers from Graz University of Technology have
https://www.stefangast.eu/papers/slubstick.pdf
details of a new attack
on the Linux kernel called SLUBstack. The attack uses timing information to turn an ability to trigger use-after-free or double-free bugs into the ability to overwrite page tables, and thence into the ability to read and write arbitrary areas of memory. The good news is that this attack does require an existing bug to be usable; the bad news is that the kernel regularly sees bugs of this kind.
We assume that an unprivileged user has code execution.
Additionally, we consider the presence of a heap vulnerability
in the Linux kernel. We assume that the Linux kernel
incorporates all defense mechanisms available in version 6.4, the
most recent Linux kernel version when we started our work.
These mechanisms include features such as WˆX, KASLR,
SMAP, and kCFI. We do not assume any microarchitectural
vulnerabilities, e.g., transient execution, fault
injection, or hardware side channels.
https://lwn.net/Articles/984984/
0.0.0.0 Day: Exploiting Localhost APIs From the Browser (Oligo Security)
The Oligo Security blog https://www.oligo.security/blog/0-0-0-0-day-exploiting-localhost-apis-from-the-browser
a web-browser vulnerability that has been named "0.0.0.0 day". In short,
browsers will allow JavaScript code to open connections to the all-zeroes
IPv4 address; the result is that any port that is open on the local host
can be accessed by a remote site. "When services use localhost, they
assume a constrained environment. This assumption, which can (as in the
case of this vulnerability) be faulty, results in insecure server
implementations."
https://lwn.net/Articles/984838/
[$] Endless OS aimed at educational and offline environments
<a href="https://www.endlessos.org/os" rel="nofollow">
Endless OS</a> is a Linux distribution with a focus on improving access to
educational tools by providing a simple-to-manage, full-featured desktop for
educators and students — one that works offline, with minimal maintenance. The
distribution also aims to be suitable for older devices, in order to promote access to
computers by ensuring those systems remain usable.
In pursuit of those goals, it makes some unusual technical
choices. But what makes the distribution really shine is its curated collection
of software and educational resources.
https://lwn.net/Articles/984086/
Security updates for Thursday
Security updates have been issued by AlmaLinux (freeradius and freeradius:3.0), Debian (chromium, odoo, and roundcube), Fedora (microcode_ctl, mingw-qt5-qtbase, mingw-qt6-qtbase, opentofu, orc, python-setuptools, and vim), Gentoo (Nokogiri), Oracle (kernel), Red Hat (go-toolset:rhel8, golang, kernel, krb5, libtiff, python-setuptools, and python39:3.9 and python39-devel:3.9), SUSE (python-Django), and Ubuntu (krb5).
https://lwn.net/Articles/984807/
Firefox support added to Puppeteer
Mozilla has https://hacks.mozilla.org/2024/08/puppeteer-support-for-firefox/
, a browser automation and testing library, now has first-class support for Firefox using the
https://w3c.github.io/webdriver-bidi/
protocol. Puppeteer can be used to drive headless browser instances, and is commonly used for automated end-to-end web site tests.
Whilst the features offered by Puppeteer won't be a surprise,
bringing support to multiple browsers has been a significant
undertaking. The Firefox support is not based on a Firefox-specific
automation protocol, but on WebDriver BiDi, a cross browser protocol
that's undergoing standardization at the W3C, and currently has
implementation in both Gecko and Chromium. This use of a
cross-browser protocol should make it much easier to support many
different browsers going forward.
https://lwn.net/Articles/984733/
[$] CRIB: checkpoint/restore in BPF
The desire for the ability to checkpoint a process — to record its state in
a form that can be restarted at a future time — on Linux is almost as old as
Linux itself. See, for example, https://lwn.net/1998/0528/a/checkpoint.html
of a checkpoint
project that appeared in LWN in 1998. While working solutions exist, they
can be somewhat fragile and difficult to use; it is not surprising that
some people are interested in finding a better alternative. A current
effort goes by the name CRIB,
for Checkpoint/Restore in (naturally) BPF. It is far from clear that CRIB
will replace the existing solutions, but it is an interesting look at a
different way of solving the problem.
https://lwn.net/Articles/984313/
[$] Tracing the source of filesystem errors
There are lots of places in the kernel where an EINVAL can be
returned to user space, but it is often unclear what the actual underlying
problem is because the https://man7.org/linux/man-pages/man3/errno.3.html
error codes are too generic. That is the problem that Miklos Szeredi
wanted to discuss in a filesystem session that he led remotely at the 2024 <a href="https://events.linuxfoundation.org/lsfmmbpf/" rel="nofollow">Linux Storage,
Filesystem, Memory Management, and BPF Summit</a>. He would like to help
those who are trying to debug problems trace where in the kernel a
particular error code is being generated.
https://lwn.net/Articles/984556/
Security updates for Wednesday
Security updates have been issued by Debian (firefox-esr, openjdk-17, and wpa), Gentoo (aiohttp, Bitcoin, Cairo, Go, json-c, Levenshtein, libXpm, nghttp2, PostgreSQL, and Redis), Red Hat (kernel, kernel-rt, python-setuptools, python-urllib3, python3.11-setuptools, and wget), Slackware (mozilla), SUSE (bind, curl, docker, ffmpeg, ffmpeg-4, kernel, kernel-firmware, libnbd, patch, shadow, and thunderbird), and Ubuntu (python-django and wpa).
https://lwn.net/Articles/984702/
Security updates for Tuesday
Security updates have been issued by Debian (libreoffice), Gentoo (containerd and firefox), Red Hat (httpd), SUSE (ca-certificates-mozilla, ksh, openssl-3-livepatches, podman, python-Twisted, and skopeo), and Ubuntu (imagemagick).
https://lwn.net/Articles/984598/
[$] Handling filesystem interruptibility
David Howells wanted to discuss changing the way filesystem code handles
the ability to interrupt or kill operations, in order to fix some
longstanding problems with network
(and other) filesystems, in a session at
the 2024 <a href="https://events.linuxfoundation.org/lsfmmbpf/" rel="nofollow">Linux
Storage, Filesystem, Memory Management, and BPF Summit</a>. As noted in
his <a href="https://lwn.net/ml/all/2701318.1706863882%40warthog.procyon.org.uk/" rel="nofollow">session
proposal</a>, some filesystems may be expecting to not be interruptible,
but are calling code can take locks and mutexes that are interruptible (or
killable), which are effectively
changing the state of the task incorrectly.
He would like to find a solution for that problem.
https://lwn.net/Articles/983714/
[$] The complexity of BUSL transformation
The <a href="https://spdx.org/licenses/BUSL-1.1.html" rel="nofollow">Business
Source License</a> (BUSL) is a source-available license that "converts"
to an open-source license after a period of time. In theory, this
means that a few years after a version of a product is released under
the BUSL, it becomes open source and is fair game for Linux
distributions to package along with regular open-source projects. In
practice, the license throws a few curveballs that require special
consideration and caution, as the Fedora Project recently discussed.
https://lwn.net/Articles/984249/
GNU Binutils 2.43 released
Version 2.43 of the GNU Binutils package is out. Changes include some
improvements to the assembler and the linker, better support for hardware
event counters in the Gprofng profiler, and more.
https://lwn.net/Articles/984539/
Security updates for Monday
Security updates have been issued by Debian (openjdk-11), Fedora (bind, bind-dyndb-ldap, chromium, ffmpeg, hostapd, trafficserver, and wpa_supplicant), and Ubuntu (curl and linux-oem-6.5).
https://lwn.net/Articles/984552/
[$] Pulling Linux up by its bootstraps
A <a href="https://lwn.net/Articles/841797/" rel="nofollow">
bootstrappable build</a> is one that builds existing
software from scratch — for example, building GCC without relying on an existing
copy of GCC. In 2023, the Guix project
https://lwn.net/Articles/930650/
that the project had reduced the size
of the binary bootstrap seed needed to build its operating system to just 357-bytes —
not counting the Linux kernel required to run the build process. Now, the
https://github.com/fosslinux/live-bootstrap
project
has gone a step further and removed the need for an existing kernel at all.
https://lwn.net/Articles/983340/
[$] Large folios, swap, and FS-Cache
David Howells wanted to discuss swap handling in light of multi-page folios
in a combined storage, filesystem, and memory-management session at
the 2024 <a href="https://events.linuxfoundation.org/lsfmmbpf/" rel="nofollow">Linux Storage,
Filesystem, Memory Management, and BPF Summit</a>. Swapping has always been
done with a one-to-one mapping of memory pages to swap slots, he said, but
swapping multi-page folios breaks that assumption. He wondered if it would
make sense to use filesystem techniques to track swapped-out folios.
https://lwn.net/Articles/982887/
[$] Lessons from the death and rebirth of Thunderbird
Ryan Sipes told the audience during his keynote at
https://events.gnome.org/event/209/
mail client
"probably shouldn't still be alive". Thunderbird, however, is not only
alive—it is arguably in better shape than ever
before. According to Sipes, the project's turnaround is a result of
governance, storytelling, and learning to be comfortable asking users
for money. He would also like it quite a bit if Linux distributions stopped
turning off telemetry.
https://lwn.net/Articles/982610/
GNOME Foundation Announces Transition of Executive Director
The https://foundation.gnome.org/
that executive director Holly Million is stepping down at the end of
July, and will be replaced by Richard Littauer as interim executive
director:
On behalf of the whole GNOME community, the Board of Directors
would like to give our utmost thanks to Holly for her achievements
during the past 10 months, including drafting a bold five-year
strategic plan for the Foundation, securing two important fiscal
sponsorship agreements with GIMP and Black Python Devs, writing our
first funding proposal that will now enable the Foundation to apply
for more grants, vastly improving our financial operations, and
implementing a break-even budget to preserve our financial
reserves.
The Foundation's Interim Executive Director, Richard Littauer,
brings years of open source leadership as part of his work as an
organizer of SustainOSS and CURIOSS, as a sustainability coordinator
at the Open Source Initiative, and as a community development manager
at Open Source Collective, and through open source contributions to
many projects, such as Node.js and IPFS. The Board appointed Richard
in June and is confident in his ability to guide the Foundation during
this transitional period.
Million says she is leaving to pursue a PhD in psychology. The
board plans to announce its search plan for a permanent executive
directory after https://events.gnome.org/event/209/
, which takes
place July 19 through 24.
https://lwn.net/Articles/981850/
Kernel prepatch 6.9-rc6
The https://lwn.net/Articles/971413/
kernel prepatch is out for
testing.
Things continue to look pretty normal, and nothing here really
stands out. The biggest single change that stands out in the
diffstat is literally a documentation update, everything else looks
pretty small and spread out.
https://lwn.net/Articles/971414/
[$] Support for the TSO memory model on Arm CPUs
At the CPU level, a memory model describes, among other things, the amount
of freedom the processor has to reorder memory operations. If low-level
code does not take the memory model into account, unpleasant surprises are
likely to follow. Naturally, different CPUs offer different memory models,
complicating the portability of certain types of concurrent software. To
make life easier, some Arm CPUs offer the ability to emulate the x86 memory
model, but efforts to make that feature available in the kernel are running
into opposition.
https://lwn.net/Articles/970907/
Security updates for Friday
Security updates have been issued by Debian (knot-resolver, pdns-recursor, and putty), Fedora (xen), Mageia (editorconfig-core-c, glibc, mbedtls, webkit2, and wireshark), Oracle (buildah), Red Hat (buildah and yajl), Slackware (libarchive), SUSE (dcmtk, openCryptoki, php7, php74, php8, python-gunicorn, python-idna, qemu, and thunderbird), and Ubuntu (cryptojs, freerdp2, nghttp2, and zabbix).
https://lwn.net/Articles/971289/
Security updates for Thursday
Security updates have been issued by Fedora (curl, filezilla, flatpak, kubernetes, libfilezilla, thunderbird, and xen), Oracle (go-toolset:ol8, kernel, libreswan, shim, and tigervnc), Red Hat (buildah, gnutls, libreswan, tigervnc, and unbound), SUSE (cockpit-wicked, nrpe, and python-idna), and Ubuntu (dnsmasq, freerdp2, linux-azure-6.5, and thunderbird).
https://lwn.net/Articles/971140/
[$] A change in direction for security-module stacking?
The long-running effort to complete the work on stacking (or composing) the
Linux security modules (LSMs) recently encountered a barrier—in the form of
a "suggestion" to discontinue it from Linus Torvalds. His complaint
revolved around the indirect function calls that are used to implement
LSMs, but he also did not think much of the effort to switch away from
those calls. While it does not appear that a major course-change is in store
for LSMs, it is clear that Torvalds is not happy with the direction of that
subsystem.
https://lwn.net/Articles/970070/
Security updates for Tuesday
Security updates have been issued by Debian (glibc and samba), Fedora (chromium, cjson, mingw-python-idna, and pgadmin4), Mageia (kernel, kmod-xtables-addons, kmod-virtualbox, kernel-linus, and perl-Clipboard), Red Hat (go-toolset:rhel8, golang, java-11-openjdk, kpatch-patch, and shim), Slackware (freerdp), SUSE (apache-commons-configuration, glibc, jasper, polkit, and qemu), and Ubuntu (google-guest-agent, google-osconfig-agent, linux-lowlatency-hwe-6.5, pillow, and squid).
https://lwn.net/Articles/970889/
[$] Linus and Dirk chat about AI, XZ, hardware, and more
One of the mainstays of the the Linux Foundation's Open Source Summit is the "fireside chat"
(sans fire) between Linus Torvalds and Dirk Hohndel to discuss open source and
Linux kernel topics of the day. On April 17, at <a href="https://events.linuxfoundation.org/open-source-summit-north-america/" rel="nofollow">Open Source Summit
North America</a> (OSSNA) in Seattle, Washington, they held with tradition
and discussed a range of topics including proper whitespace parsing,
security, and the current AI craze.
https://lwn.net/Articles/970293/
Kernel prepatch 6.9-rc5
Linus has https://lwn.net/Articles/970666/
for testing.
But if you ignore those oddities, it all looks pretty normal and
things appear fairly calm. Which is just as well, since the first
part of the week I was on a quick trip to Seattle, and the second
part of the week I've been doing a passable imitation of the
Fontana di Trevi, except my medium is mucus.
https://lwn.net/Articles/970667/
Security updates for Friday
Security updates have been issued by AlmaLinux (gnutls, java-17-openjdk, mod_http2, and squid), Debian (firefox-esr), Fedora (editorconfig, perl-Clipboard, php, rust, and wordpress), Mageia (less, libreswan, puppet, and x11-server, x11-server-xwayland, and tigervnc), Slackware (aaa_glibc), and SUSE (firefox, graphviz, kernel, nodejs12, pgadmin4, tomcat, and wireshark).
https://lwn.net/Articles/970508/
Security updates for Thursday
Security updates have been issued by Debian (firefox-esr, jetty9, libdatetime-timezone-perl, tomcat10, and tzdata), Fedora (cockpit, filezilla, and libfilezilla), Red Hat (firefox, gnutls, java-1.8.0-openjdk, java-17-openjdk, kernel, kernel-rt, less, mod_http2, nodejs:18, rhc-worker-script, and shim), Slackware (mozilla), SUSE (kernel), and Ubuntu (apache2, glibc, and linux-xilinx-zynqmp).
https://lwn.net/Articles/970324/
[$] Managing to-do lists on the command line with Taskwarrior
Managing to-do lists is something of a universal necessity. While some
people handle them mentally or on paper, others resort to a web-based tool or
a mobile
application. For those preferring the command line, the MIT-licensed https://taskwarrior.org
offers a flexible solution
with a healthy community and lots of extensions.
https://lwn.net/Articles/969904/
[$] Cleaning up after BPF exceptions
Kumar Kartikeya Dwivedi has been working to add support for exceptions to BPF
since mid-2023. In July, Dwivedi posted
<a href="https://lwn.net/Articles/938435/" rel="nofollow">
the first patch set</a> in this effort, which adds support for basic stack unwinding.
In February 2024, he posted
<a href="https://lwn.net/ml/bpf/20240201042109.1150490-1-memxor@gmail.com/" rel="nofollow">
the second patch set</a>
aimed at letting the kernel release resources held by the BPF program when an
exception occurs. This makes exceptions usable in many more contexts.
https://lwn.net/Articles/969185/
Security updates for Monday
Security updates have been issued by AlmaLinux (bind, bind and dhcp, bind9.16, gnutls, httpd:2.4/mod_http2, squid:4, and unbound), Debian (kernel, trafficserver, and xorg-server), Fedora (chromium, kernel, libopenmpt, and rust-h2), Mageia (apache-mod_jk, golang, indent, openssl, perl-HTTP-Body, php, rear, ruby-rack, squid, varnish, and xfig), Oracle (bind, squid, unbound, and X.Org server), Red Hat (bind and dhcp and unbound), Slackware (less and php), SUSE (gnutls, python-Pillow, webkit2gtk3, xen, xorg-x11-server, and xwayland), and Ubuntu (yard).
https://lwn.net/Articles/969873/
Kernel prepatch 6.9-rc4
The https://lwn.net/Articles/969790/
kernel prepatch is out for
testing. "Nothing particularly unusual going on this week - some new hw
mitigations may stand out, but after a decade of this I can't really call
it 'unusual' any more, can I?"
https://lwn.net/Articles/969791/
Security updates for Thursday
Security updates have been issued by AlmaLinux (kernel, less, libreoffice, nodejs:18, nodejs:20, rear, thunderbird, and varnish), Debian (pillow), Fedora (dotnet7.0), SUSE (sngrep, texlive-specs-k, tomcat, tomcat10, and xorg-x11-server), and Ubuntu (nss, squid, and util-linux).
https://lwn.net/Articles/969468/
[$] Book review: Practical Julia
A recent book by <a href="https://lwn.net/Archives/GuestIndex/#Phillips_Lee" rel="nofollow">LWN guest
author Lee Phillips</a> provides a nice introduction to the https://julialang.org/
programming language.
https://nostarch.com/practical-julia
does more than that, however. As its subtitle ("A Hands-On Introduction
for Scientific Minds") implies, the book focuses on bringing Julia to
scientists, rather than programmers, which gives it something of a
different feel from most other books of this sort.
https://lwn.net/Articles/966684/
[$] Continued attacks on HTTP/2
On April 3 security researcher Bartek Nowotarski
<a href="https://nowotarski.info/http2-continuation-flood-technical-details/" rel="nofollow">
published</a> the details of a new denial-of-service (DoS)
attack, called a "continuation flood", against many
https://en.wikipedia.org/wiki/HTTP/2
-capable web
servers. While the attack is not terribly complex, it affects many independent
implementations of the HTTP/2 protocol, even though multiple
similar vulnerabilities over the years have given implementers plenty of warning.
https://lwn.net/Articles/968600/
OpenSSL 3.3.0 released
Version 3.3.0 of the OpenSSL SSL/TLS implementation has been released.
Changes include a number of additions to its QUIC protocol support, some
year-2038 improvements for 32-bit systems, and a lot of cryptographic
features with descriptions like "Added a new EVP_DigestSqueeze()
API. This allows SHAKE to squeeze multiple times with different output
sizes." See <a href="https://www.openssl.org/news/openssl-3.3-notes.html" rel="nofollow">the release
notes</a> for details.
https://lwn.net/Articles/969172/
[$] Diagnosing workqueues
There are many mechanisms for deferred work in the Linux kernel. One of them,
<a href="https://docs.kernel.org/core-api/workqueue.html" rel="nofollow">
workqueues</a>, has seen increasing use as part of
the move away from software interrupts. Alison Chaiken gave a talk
at https://www.socallinuxexpo.org/scale/21x
about how they compare to software interrupts, the new challenges they pose for
system administrators, and what tools are available to
kernel developers wishing to diagnose problems with workqueues as they become
increasingly prevalent.
https://lwn.net/Articles/967016/
Security updates for Tuesday
Security updates have been issued by Debian (expat), Oracle (less and nodejs:20), Slackware (libarchive), SUSE (kubernetes1.23, nghttp2, qt6-base, and util-linux), and Ubuntu (python-django).
https://lwn.net/Articles/969141/
Kernel prepatch 6.9-rc3
The https://lwn.net/Articles/968936/
kernel prepatch is out for
testing.
Ok, so this rc3 looks a bit different than the usual ones, because
there's a large series to bcachefs to do filesystem repair after
corruption. Not normally something we'd see in an rc kernel, but
hey, if you had a corrupted bcachefs filesystem you'd probably want
this, and if you thought bcachefs was stable already, I have a
bridge to sell you. Special deal only for you, real cheap.
https://lwn.net/Articles/968937/
FFmpeg 7.0 released
https://ffmpeg.org//index.html#pr7.0
of the
FFmpeg audio/video toolkit is out. "The most noteworthy changes for
most users are a native VVC decoder (currently experimental, until more
fuzzing is done), IAMF support, or a multi-threaded ffmpeg CLI tool".
There's also the usual list of new formats and codecs, and a few deprecated
features have been removed.
https://lwn.net/Articles/968565/
Security updates for Friday
Security updates have been issued by Debian (cockpit), Mageia (python-pygments), Red Hat (nodejs), Slackware (httpd and nghttp2), SUSE (avahi, gradle, gradle-bootstrap, and squid), and Ubuntu (xorg-server, xwayland).
https://lwn.net/Articles/968561/
AlmaLinux OS - CVE-2024-1086 and XZ (AlmaLinux blog)
https://almalinux.org/
updated kernels for AlmaLinux 8 and 9 to address CVE-2024-1086, a
use-after-free vulnerability in the kernel that could be exploited to
gain local privilege escalation. This is notable because the fix
marks a divergence between AlmaLinux and Red Hat Enterprise Linux (RHEL):
In January of this year, a kernel flaw was disclosed and named https://nvd.nist.gov/vuln/detail/CVE-2024-1086
.
This flaw is trivially exploitable on most RHEL-equivalent
systems. There are many proof-of-concept posts available now,
including one from our Infrastructure team lead, Jonathan Wright (<a href="https://jonathanspw.com/posts/2024-03-31-dealing-with-cve-2024-1086/" rel="nofollow">Dealing
with CVE-2024-1086</a>). In multi-user scenarios, this flaw is
especially problematic.
Though this was flagged as something to be fixed in Red Hat
Enterprise Linux, Red Hat has only rated this as a <a href="https://access.redhat.com/security/cve/CVE-2024-1086" rel="nofollow">moderate
impact</a>.
The AlmaLinux project would also like to note that it is not
impacted by the XZ backdoor. "Because enterprise Linux takes a bit
longer to adopt those updates (sometimes to the chagrin of our users),
the version of XZ that had the back door inserted hadn't made it
further than Fedora in our ecosystem."
https://lwn.net/Articles/968299/
Security updates for Wednesday
Security updates have been issued by Debian (py7zr), Fedora (biosig4c++ and podman), Oracle (kernel, kernel-container, and ruby:3.1), Red Hat (.NET 7.0, bind9.16, curl, expat, grafana, grafana-pcp, kernel, kernel-rt, kpatch-patch, less, opencryptoki, and postgresql-jdbc), and Ubuntu (cacti).
https://lwn.net/Articles/968218/
Security updates for Thursday
Security updates have been issued by Fedora (perl-Data-UUID, python-pygments, and thunderbird), Mageia (clojure, grub2, kernel,kmod-xtables-addons,kmod-virtualbox, kernel-linus, nss firefox, nss, python3, python, tcpreplay, and thunderbird), Oracle (nodejs:18), Red Hat (.NET 6.0 and dnsmasq), SUSE (avahi and python39), and Ubuntu (curl, linux-intel-iotg, linux-intel-iotg-5.15, unixodbc, and util-linux).
https://lwn.net/Articles/966961/
[$] Cranelift code generation comes to Rust
https://cranelift.dev/
is an Apache-2.0-licensed
code-generation backend being developed as part
of the https://wasmtime.dev/
runtime for
https://webassembly.org/
.
In October 2023, the Rust project made Cranelift available as an optional
component in its nightly toolchain.
Users can now use Cranelift as the code-generation backend for debug builds of
projects written in Rust,
making it an opportune time to look at what makes Cranelift different.
Cranelift is designed to compete with existing compilers by generating
code more quickly than they can, thanks to a stripped-down design that prioritizes
only the most important optimizations.
https://lwn.net/Articles/964735/
[$] Untangling the Open Collectives
Name collisions aren't just a problem for software
development—organizations, projects, and software that have the
same or similar names can cause serious confusion. That was certainly
the case on February 28 when the <a href="https://opencollective.com/foundation" rel="nofollow">Open Collective
Foundation</a> (OCF) began to notify its hosted projects that it would
be shutting down by the end of 2024. The announcement surprised
projects hosted with OCF, as one might expect. It also worried and
confused users of the Open Collective software platform from https://opencollective.com/
(OCI), as
well as organizations hosted by the <a href="https://opencollective.com/opensource" rel="nofollow">Open Source
Collective</a> (OSC) and <a href="https://docs.opencollective.com/oceurope/" rel="nofollow">Open Collective
Europe</a> (OC Europe). There is enough confusion about the names,
relationships between the organizations, and impact on projects like
https://opencollective.com/flatpak
hosted by OCF, that a
deeper look is warranted.
https://lwn.net/Articles/964402/
[$] A look at dynamic linking
The dynamic linker is a critical component of modern Linux systems, being
responsible for setting up the address space of most processes. While statically
linked binaries have become more popular over time as the tradeoffs that
originally led to dynamic linking become less relevant, dynamic linking is still
the default. This article looks at what steps the dynamic linker takes to
prepare a program for execution.
https://lwn.net/Articles/961117/
[$] So you think you understand IP fragmentation?
What is IP fragmentation, why is it important, and do people understand
it? The answer to that last question is "not as well as they think". This
article will also answer the rest of those
questions and introduce https://valerieaurora.org/fragquiz.html
, a game that I
wrote to allow players to guess how IP packets will behave when they are
too large for the network. As evidence that IP fragmentation is not
well-understood, a room full of networking experts played fragquiz and got
a score that was
nowhere close to perfect. In addition, I will describe a new algorithm for
fragmentation avoidance, which some colleagues and I
developed, that helped motivate development of fragquiz.
https://lwn.net/Articles/960913/
Security updates for Wednesday
Security updates have been issued by Red Hat (gimp) and Ubuntu (firefox, linux-oracle, linux-oracle-5.15, and python-django).
https://lwn.net/Articles/961173/
[$] GNU C Library version 2.39
The GNU C Library (glibc)
<a href="https://sourceware.org/pipermail/libc-alpha/2024-January/154363.html" rel="nofollow">
released version 2.39</a> on January 31, including
several new features. Notable highlights include new functions for spawning
child processes, support for shadow stacks on x86_64, new security features, and
the removal of libcrypt. The glibc maintainers had also hoped to include
improvements to qsort(), which ended up not making it into this
release. Glibc releases are made every six months.
https://lwn.net/Articles/960309/
Security updates for Tuesday
Security updates have been issued by CentOS (firefox, gstreamer1-plugins-bad-free, and tigervnc), Debian (ruby-sanitize), Fedora (kernel, kernel-headers, qt5-qtwebengine, and runc), Oracle (gnutls, kernel, libssh, rpm, runc, and tigervnc), Red Hat (runc), and SUSE (bouncycastle, jsch, python, and runc).
https://lwn.net/Articles/961083/
Security updates for Monday
Security updates have been issued by Debian (rear, runc, sudo, and zbar), Fedora (chromium, grub2, libebml, mingw-python-pygments, and python-aiohttp), Gentoo (FreeType, GNAT Ada Suite, Microsoft Edge, NBD Tools, OpenSSL, QtGui, SDDM, Wireshark, and Xen), Mageia (dracut, glibc, nss and firefox, openssl, packages, perl, and thunderbird), Slackware (libxml2), SUSE (java-11-openjdk, java-17-openjdk, perl, python-uamqp, slurm, and xerces-c), and Ubuntu (libssh and openssl).
https://lwn.net/Articles/960952/
[$] Zig 2024 roadmap
The https://ziglang.org/https://www.youtube.com/watch?v=5eL_LcxwwHg
was presented in a talk last week on
https://zig.show/
(a show covering
Zig news). Andrew Kelley, the benevolent dictator for life of the Zig project,
presented his goals
for the language, largely focusing on compiler performance and continuing
progress toward stabilization for the language. He discussed details of his plan
for incremental compilation, and addressed the sustainability of the project in
terms of both code contributions and financial support.
https://lwn.net/Articles/959915/
Phipps: The European regulators listened to the Open Source communities
Simon Phipps <a href="https://blog.opensource.org/the-european-regulators-listened-to-the-open-source-communities/" rel="nofollow">writes
on the Open Source Initiative blog</a> that the latest version of the
European Cyber Resilience Act is much improved: "As a result of all this
effort from so many people, the final text of the CRA mitigated pretty much
all the risks we had identified to individual developers and to Open Source
foundations."
https://lwn.net/Articles/960606/
Security updates for Friday
Security updates have been issued by Debian (chromium, man-db, and openjdk-17), Fedora (chromium, indent, jupyterlab, kernel, and python-notebook), Gentoo (glibc), Oracle (firefox, thunderbird, and tigervnc), Red Hat (rpm), SUSE (cpio, gdb, gstreamer, openconnect, slurm, slurm_18_08, slurm_20_02, slurm_20_11, slurm_22_05, slurm_23_02, squid, webkit2gtk3, and xerces-c), and Ubuntu (imagemagick and xorg-server, xwayland).
https://lwn.net/Articles/960604/
[$] The hard life of a virtual-filesystem developer
Filesystem development is not an easy task; the performance demands are
typically high, and the consequences for mistakes usually involve lost data
and irate users. The implementation of a virtual (or "pseudo") filesystem
— a filesystem implemented within the kernel and lacking a normal backing
store — can also be challenging, but for different reasons. A series of
conversations around the eventfs virtual filesystem has turned a spotlight
on the difficulty of creating a virtual filesystem for Linux.
https://lwn.net/Articles/960088/
Damn Small Linux 2024 released
A new version of the <a href="https://www.damnsmalllinux.org/" rel="nofollow">Damn Small
Linux</a> distribution has come out with an updated definition of "damn
small":
The new goal of DSL is to pack as much usable desktop distribution
into an image small enough to fit on a single CD, or a hard limit
of 700MB. This project is meant to service older computers and have
them continue to be useful far into the future. Such a notion sits
well with my values. I think of this project as my way of keeping
otherwise usable hardware out of landfills.
https://lwn.net/Articles/960446/
Security updates for Tuesday
Security updates have been issued by Debian (pillow, postfix, and redis), Fedora (python-templated-dictionary and selinux-policy), Red Hat (gnutls, kpatch-patch, libssh, and tomcat), and Ubuntu (amanda, ceph, linux-azure, linux-azure-4.15, linux-kvm, and tinyxml).
https://lwn.net/Articles/960008/
Oddbean new post about login | logout
Notes by LWN.net (RSS Feed) | export