Security updates for Wednesday
Security updates have been issued by AlmaLinux (389-ds:1.4, dovecot, emacs, and glib2), Fedora (bluez, iwd, libell, linux-firmware, seamonkey, vim, and wireshark), Mageia (apr, libtiff, Nginx, openssl, orc, unbound, webmin, and zziplib), Red Hat (389-ds:1.4), and SUSE (containerd, curl, go1.22, go1.23, gstreamer-plugins-bad, kernel, ntpd-rs, python-Django, and python311).
https://lwn.net/Articles/989772/
[$] The trouble with iowait
CPU scheduling is a challenging job; since it inherently requires making
guesses about what the demands on the system will be in the future, it
remains reliant on heuristics, despite ongoing efforts to remove them.
Some of those heuristics take special note of tasks that are (or appear to
be) waiting for fast I/O operations. There is some unhappiness, though,
with how this factor is used, leading to a couple of patches taking rather
different approaches to improve the situation.
https://lwn.net/Articles/989272/
Radicle 1.0 released
Version 1.0 of the Radicle development platform (https://radicle.xyz/2024/09/10/radicle-1.0.html) has been released.
Radicle 1.0 represents the culmination of years of experimentation
and hard work from our team and community, where we set out to
ensure that free and open source software ecosystems can flourish
without having to rely on the whims of Big Tech. We designed
Radicle with a first-principles approach, as a natural extension to
Git, expanding it to work in a collaborative, local-first,
peer-to-peer setting.
LWN covered Radicle (https://lwn.net/Articles/966869/) in March.
https://lwn.net/Articles/989605/
Security updates for Tuesday
Security updates have been issued by Debian (cacti), Fedora (aardvark-dns, expat, and firefox), Mageia (ffmpeg, ntfs-3g, and vim), Oracle (emacs, glib2, java-11-openjdk, and qt5-qtbase), Red Hat (emacs, python-setuptools, python3.11, python3.11-setuptools, python3.12-setuptools, python3.9, and python39:3.9), Slackware (netatalk), SUSE (buildah, expat, java-1_8_0-ibm, kanidm, kernel, and postgresql16), and Ubuntu (netty, php7.0, php7.2, tiff, and webkit2gtk).
https://lwn.net/Articles/989602/
[$] Attracting and retaining Debian contributors
Many projects struggle with attracting and retaining contributors; Debian
is no different in that regard. At DebConf24 (https://debconf24.debconf.org/), Carlos Henrique Lima
Melara and Lucas Kanashiro gave a presentation about efforts that the
Brazilian Debian community has made to increase participation. Their ideas
and the lessons
learned can be applied more widely, both for other Debian communities and
for other projects.
https://lwn.net/Articles/987548/
Adams: Linux's bedtime routine
Jacob Adams wanders into the kernel's hibernation code (https://tookmund.com/2024/09/hibernation-preparation):
How does Linux move from an awake machine to a hibernating one? How
does it then manage to restore all state? These questions led me to
read way too much C in trying to figure out how this particular
hardware/software boundary is navigated.
https://lwn.net/Articles/989489/
Security updates for Monday
Security updates have been issued by Debian (amanda, aom, bluez, python-jwcrypto, and thunderbird), Fedora (chromium, firefox, and thunderbird), Red Hat (bubblewrap and flatpak, containernetworking-plugins, flatpak, and runc), Slackware (python3), SUSE (apache2, bubblewrap and flatpak, postgresql16, and wireshark), and Ubuntu (thunderbird).
https://lwn.net/Articles/989488/
Kernel prepatch 6.11-rc7
Linus has released 6.11-rc7 (https://lwn.net/Articles/989425/) for testing.
And I wish I could say that things have calmed down, but I can't
really say that. In fact, rc7 is slightly bigger than both rc6 and
rc5 were, both in number of commits, and in actual diff
size. That's not really how it should work out.
That said, there's nothing *scary* in here.
He is apparently "still waffling" about whether to release 6.11 next
weekend, which would cause the 6.12 merge window to land on top of the
Maintainers Summit, Linux Plumbers Conference, and Open Source Summit.
https://lwn.net/Articles/989426/
[$] Testing AI-enhanced reviews for Linux patches
Code review is in high demand, and short supply, for most open-source projects.
Reviewer time is precious, so any tool that can lighten the load is worth exploring.
That is why Jesse Brandeburg and Kamel Ayari decided to test whether
tools like ChatGPT could review patches to provide quick feedback to
contributors about common problems. In a talk
(https://netdevconf.info/0x18/sessions/talk/ai-enhanced-reviews-for-linux-networking.html)
at the Netdev 0x18 conference (https://netdevconf.info/0x18/) this July, Brandeburg provided an overview of an
experiment using machine learning to review emails containing patches
sent to the netdev mailing list (https://www.kernel.org/doc/html/v5.6/networking/netdev-FAQ.html).
Large language models (LLMs) will not be replacing human reviewers anytime
soon, but they may be a useful addition to help humans focus on deeper
reviews instead of simple rule violations.
https://lwn.net/Articles/987319/
Man pages maintenance suspended
Alejandro Colomar, who has been maintaining the Linux man pages for the
last four years, has announced (https://lwn.net/ml/all/4d7tq6a7febsoru3wjium4ekttuw2ouocv6jstdkthnacmzr6x@f2zfbe5hs7h5)
that he will have to stop that work.
I've been doing it in my free time, and no company has sponsored
that work at all. At the moment, I cannot sustain this work
economically any more, and will temporarily and indefinitely stop
working on this project. If any company has interests in the
future of the project, I'd welcome an offer to sponsor my work
here; if so, please let me know.
https://lwn.net/Articles/989215/
The realtime preemption end game — for real this time
Work on realtime preemption for the Linux kernel began (https://lwn.net/Articles/106010/)
almost exactly 20 years ago
(though it had its roots in earlier work, of course). It is fair to say
that finishing that job has taken a bit longer than anybody involved would
have expected. Now, though, Sebastian Andrzej Siewior has posted a brief
patch series (https://lwn.net/ml/all/20240906111841.562402-1-bigeasy@linutronix.de) making it possible to enable realtime preemption in the
mainline kernel on three architectures.
With the printk bits merged, PREEMPT_RT could be enabled on X86,
ARM64 and Risc-V. These three architectures merged required changes
over the years leaving me in a position where I have no essential
changes in the queue that would affect them.
Congratulations are due to the many developers who have worked on this
project for the last two decades.
https://lwn.net/Articles/989212/
[$] Application monitoring with OpenSnitch
OpenSnitch (https://github.com/evilsocket/opensnitch) is an
"interactive application firewall". Like other firewalls, it uses a
series of rules to decide what network traffic should be permitted. Unlike
many other firewalls, though, OpenSnitch does not ask the user to create a list of rules
ahead of time. Instead, the list of rules can be built up
incrementally as applications make connections — and the user can peruse both
the rules that have built up over time, and statistics on the connections that
have been attempted.
https://lwn.net/Articles/988401/
Samba 4.21.0 released
Version 4.21.0 of the Samba Windows interoperability suite has been
released. Changes include some authentication hardening, a number of LDAP
improvements, per-user and per-group veto and hide files, group-managed
service accounts, and quite a bit more.
https://lwn.net/Articles/989047/
Call for candidates for the 2024 Linux Foundation TAB election
The call for candidates (https://lwn.net/ml/all/87zforv3zc.fsf@trenco.lwn.net)
has gone out for the 2024 election of members of the Linux Foundation
Technical Advisory Board:
The TAB exists to provide advice from the kernel community to the
Linux Foundation and holds a seat on the LF's board of directors;
it also serves to facilitate interactions both within the community
and with outside entities. Over the last year, the TAB has
overseen the organization of the Linux Plumbers Conference, advised
on the setup of the kernel CVE numbering authority, worked behind
the scenes to help resolve a number of contentious community
discussions, worked with the Linux Foundation on community
conference planning, and more.
Nominations are due by September 20.
https://lwn.net/Articles/988862/
Tellico 4.0 released
Version 4.0 of the Tellico collection management
software (https://tellico-project.org/tellico-4-0-released/) has been released. This is the first release to use the
KDE Frameworks 6 and Qt6 libraries, with a fallback
available for Frameworks 5 and Qt5. Other notable changes in 4.0
include importing video collections from file metadata and correctly
importing multi-disc album data from Discogs (https://www.discogs.com/). Users
of prior versions are advised to make a backup of their data before upgrading.
https://lwn.net/Articles/988837/
[$] Whither the Apple AGX graphics driver?
Much of the early Rust code for the kernel has taken the form of
reimplementations of existing drivers as a proof of concept. One project,
though, is entirely new: the driver for Apple GPUs written by Asahi Lina.
This driver has shipped with Asahi Linux (https://asahilinux.org/) for some time and, by many accounts, is stable, usable, and a
shining example of how Rust can be used in a complex kernel subsystem.
That driver remains outside of the mainline kernel, though, and merging
currently looks like a distant prospect. The reasons for that state of
affairs highlight some of the difficulties inherent in integrating a new
language (and its associated development style) into the Linux kernel.
https://lwn.net/Articles/988438/
Seven stable kernel updates for Wednesday
The seven stable kernel updates (https://lwn.net/Articles/988748/) have all
been released. As usual, they contain important fixes throughout the
tree. Users of those kernels should upgrade.
https://lwn.net/Articles/988747/
Security updates for Wednesday
Security updates have been issued by AlmaLinux (buildah, gvisor-tap-vsock, nodejs:18, python-urllib3, and skopeo), Debian (firefox-esr and openssl), Fedora (apr and seamonkey), Red Hat (podman), Slackware (mozilla and seamonkey), SUSE (bubblewrap and flatpak, buildah, docker, dovecot23, ffmpeg, frr, go1.21-openssl, graphviz, java-1_8_0-openj9, kubernetes1.26, kubernetes1.27, kubernetes1.28, openssl-1_0_0, openssl-3, perl-DBI, python-aiohttp, python-Django, python-WebOb, thunderbird, tiff, ucode-intel, unbound, webkit2gtk3, and xen), and Ubuntu (drupal7 and twisted).
https://lwn.net/Articles/988746/
[$] Transcribing audio with AI using Speech Note
One of the joys of writing about technology is the opportunity to
cover interesting talks on open-source and free-software topics. One
of the pains is creating transcriptions of said talks, or continually
referring back to a recording, to be able to write about
them. Speech Note (https://github.com/mkiol/dsnote) is an
open-source application that uses machine-learning models, running locally, to
translate speech to text and take the pain out of transcription. It
also handles text to speech, and language translations. While not
perfect, its transcriptions are better than one might expect, even when
handling jargon, accents, and less-than-perfect audio.
https://lwn.net/Articles/987315/
[$] Advances in font technology and GTK text rendering
At this year's GUADEC (https://events.gnome.org/event/209/)
in Denver, Colorado, Behdad Esfahbod and Matthias Clasen
presented a talk (https://events.gnome.org/event/209/contributions/749/)
on a topic that's deeply important to desktop
environments: fonts. Esfahbod covered advances in font
technology that are making their way to becoming standards, and Clasen briefly
discussed improvements in GTK text rendering. The talk presented some
fascinating insights into the problems around accurately rendering
writing systems on the desktop, and where font technologies may be
going in the near future.
https://lwn.net/Articles/987176/
Security updates for Monday
Security updates have been issued by AlmaLinux (postgresql:16), Debian (dovecot, pymatgen, ruby2.7, systemd, and webkit2gtk), Fedora (microcode_ctl, python3.11, vim, and xen), Oracle (kernel, postgresql:12, postgresql:13, postgresql:15, and python39:3.9 and python39-devel:3.9), Slackware (libpcap), SUSE (cacti, cacti-spine, python-Django, and trivy), and Ubuntu (dovecot).
https://lwn.net/Articles/988364/
Kernel prepatch 6.11-rc6
Linus has released 6.11-rc6 (https://lwn.net/Articles/988183/) for testing.
"Things look pretty normal, although we have perhaps unusually many
filesystem fixes here, spread out over smb, xfs, bcachefs and netfs."
https://lwn.net/Articles/988184/
Understanding the Postgres Hackers Mailing List Language
Reading an established open-source project's developer mailing list
may leave new contributors wishing they had a decoder ring. Greg
Sabino Mullane has written up a valuable guide (https://www.crunchydata.com/blog/understanding-the-postgres-hackers-mailing-list)
for those new to the PostgreSQL hackers mailing list (https://www.postgresql.org/list/pgsql-hackers/)
that may also be useful for decoding other lists:
The mailing lists are full of acronyms and jargon that might not be
familiar to younger people who did not grow up on email (although text
messages have inherited many of the abbreviations). If you are a
non-native English speaker, or under the age of 30, or not steeped in
the world of tech, I offer some solutions below.
To do this, I downloaded the last year's worth of hackers email,
wrote a program to strip out all the non-human stuff (headers, code
blocks, attachments, etc.), and then did some data analysis on the
results.
https://lwn.net/Articles/987892/
[$] A SpamAssassin surprise
Here is a piece of advice for anybody wanting an easy and frustration-free
life: do not run your own email system. While there are numerous advantages to
keeping some control over your communications, there is also a long list of
things that can go wrong. A recent failure of spam filtering on the LWN
email system illustrated one of those ways, as well as shining a light on
how even a seemingly independent email system is tied to other services
across the net.
https://lwn.net/Articles/987566/
ElasticSearch and Kibana become free software (again)
Back in 2021, the ElasticSearch search engine and Kibana visualization
platform were relicensed (https://lwn.net/Articles/843274/) under the non-free
Server Side Public License (SSPL). Now, Elastic (the company owning those
projects) has announced (https://www.elastic.co/blog/elasticsearch-is-open-source-again)
that those projects will also be distributable under the Affero GPL license.
We never stopped believing and behaving like an open source
community after we changed the license. But being able to use the
term Open Source, by using AGPL, an OSI approved license, removes
any questions, or fud, people might have.
https://lwn.net/Articles/987850/
Airlie: On Rust, Linux, developers, maintainers
Dave Airlie makes an analogy (https://airlied.blogspot.com/2024/08/on-rust-linux-developers-maintainers.html)
between the stages of road building and those of adding Rust
to the Linux kernel.
For the wayfinders the process of interacting with maintainers is
frustrating and slow, and they don't enjoy it as much as
wayfinding, and because they still only care about the hotel at the
end, when a maintainer gets into the details of their particular
intersection they don't want to do anything but go stay in their
hotel.
The road will get built, it will get traffic on it. There will be
tunnels where we should have intersections, there will be bridges
that need to be built from both sides, but I do think it will get
built.
https://lwn.net/Articles/987849/
Security updates for Friday
Security updates have been issued by AlmaLinux (libvpx, postgresql, postgresql:12, postgresql:13, postgresql:15, and python39:3.9 and python39-devel:3.9), Debian (chromium and ghostscript), Fedora (python3.13), and SUSE (chromium and podman).
https://lwn.net/Articles/987836/
GNU Screen v.5.0.0 is released
Version 5.0.0 of GNU Screen (https://www.gnu.org/software/screen/) has
been released. Notable changes in this release include
new commands for authentication, for input into multiple windows at the
same time, and for turning truecolor support on and off.
https://lwn.net/Articles/987700/
[$] Plasma Mobile for highly configurable Linux phones
Plasma Mobile (https://plasma-mobile.org) is an open-source
user interface for mobile devices, developed by the KDE community. It's
built on the same foundations as the Plasma desktop (https://kde.org/plasma-desktop/) window
manager. Much like its desktop counterpart, Plasma Mobile caters to
advanced users by offering extensive customizability. It is offered as an
option on phones with various mobile Linux
distributions (https://plasma-mobile.org/get/).
https://lwn.net/Articles/986899/
Security updates for Thursday
Security updates have been issued by AlmaLinux (bind and bind-dyndb-ldap and postgresql:16), Fedora (less and python3.6), Mageia (nodejs & yarnpkg), Oracle (libvpx and postgresql:16), Red Hat (edk2, git, kernel, openldap, postgresql:15, postgresql:16, python3, and python39:3.9 and python39-devel:3.9), SUSE (apache2, python-setuptools, and python3-setuptools), and Ubuntu (linux-oracle).
https://lwn.net/Articles/987664/
Rust-for-Linux Wedson Almeida Filho drops out
Wedson Almeida Filho, one of the key developers driving the Rust-for-Linux project (https://rust-for-linux.com/), has retired from the
project (https://lwn.net/ml/all/20240828211117.9422-1-wedsonaf@gmail.com).
After almost 4 years, I find myself lacking the energy and
enthusiasm I once had to respond to some of the nontechnical
nonsense, so it's best to leave it up to those who still have it
in them.
As an example of the sort of "nonsense" he referred to, he provided a video clip (https://youtu.be/WiPp9YEBV0Q?t=1529)
from a session (https://lwn.net/Articles/978738/) at the 2024
Linux Storage, Filesystem, Memory-Management, and BPF Summit. His work was
fundamental to getting the project as far as it has come; he will be missed.
https://lwn.net/Articles/987635/
Judge dismisses majority of GitHub Copilot copyright claims (Developer)
Developer reports (https://www.developer-tech.com/news/judge-dismisses-majority-github-copilot-copyright-claims/)
that most (but not all) of the claims in the GitHub Copilot lawsuit have
been dismissed with prejudice by the judge.
Judge Jon Tigar's ruling, unsealed last week, leaves only two
claims standing: one accusing the companies of an open-source
license violation and another alleging breach of contract. This
decision marks a substantial setback for the developers who argued
that GitHub Copilot, which uses OpenAI's technology and is owned by
Microsoft, unlawfully trained on their work.
https://lwn.net/Articles/987524/
Security updates for Wednesday
Security updates have been issued by Fedora (calibre, dotnet8.0, dovecot, webkit2gtk4.0, and webkitgtk), Oracle (nodejs:20), Red Hat (bind, bind and bind-dyndb-ldap, postgresql:16, and squid), Slackware (kcron and plasma), SUSE (keepalived and webkit2gtk3), and Ubuntu (drupal7).
https://lwn.net/Articles/987519/
WineHQ to take over Mono
The Mono project was started in 2001 to develop a .NET environment for
Linux systems. Microsoft has owned that project since 2016, but has not
made a major release since 2019. The company has now announced (https://www.mono-project.com/)
that Mono is being
handed over to the WineHQ organization, which will maintain the Mono repository (https://gitlab.winehq.org/wine-mono/mono) going
forward. Microsoft, meanwhile, is steering users toward its "modern
fork" that it continues to maintain.
https://lwn.net/Articles/987465/
[$] NIST finalizes post-quantum encryption standards
On August 13, the US National Institute of Standards and Technology (NIST)
published (https://csrc.nist.gov/news/2024/postquantum-cryptography-fips-approved)
the final form of its new post-quantum cryptographic standards. One
key-exchange mechanism and two digital-signature schemes are now officially
sanctioned by the institute. Adopting the new standards should be fairly
painless for most developers, but the overhead added by the schemes could pose
challenges for some applications.
https://lwn.net/Articles/973231/
Security updates for Tuesday
Security updates have been issued by AlmaLinux (nodejs:20), Debian (python3.11), Fedora (dotnet8.0), Red Hat (bind, krb5, libreoffice, linux-firmware, orc, orc:0.4.28, and orc:0.4.31), SUSE (mariadb and openssl-3), and Ubuntu (linux-aws-5.4).
https://lwn.net/Articles/987393/
[$] A new version of modversions
The genksyms tool has long been buried deeply within the kernel's
build system; it is one of the two C-code parsers shipped with the kernel
(the other being the
horrifying kernel-doc script, https://elixir.bootlin.com/linux/v6.11-rc4/source/scripts/kernel-doc). It is a key part of how the
kernel's module-loading infrastructure works. While genksyms has
quietly done its job for decades, that period may soon be coming to an end.
It would seem that genksyms is not up to the task of handling Rust
code, so Sami Tolvanen is proposing
a new tool (https://lwn.net/ml/all/20240815173903.4172139-21-samitolvanen@google.com/) to handle this task going forward.
https://lwn.net/Articles/986892/
[$] The history, status, and plans for reproducible builds
On the second day of DebConf24 (https://debconf24.debconf.org/)
in Busan, South Korea, Holger Levsen provided a history lesson on the
"first 11 years" of the Reproducible Builds project (https://reproducible-builds.org/).
He has been involved in the project for most of that time and has been a
Debian user since the mid-1990s, contributor since 2001, and a Debian
member since 2007; "I love Debian". Meanwhile, his aim is to make all free
software be reproducible, so that anyone can check that a binary program
comes from the source code it purports to.
https://lwn.net/Articles/985739/
Forgejo changes license to GPLv3+
The Forgejo (https://forgejo.org/) project has announced (https://forgejo.org/2024-08-gpl/)
that, starting from version 9.0, Forgejo will be released under the GPLv3 license (or a later version). Older versions of the software forge remain MIT-licensed.
A copyleft license makes reusing other copyleft software easier. Recently, we discovered that
some of the dependencies we used were incompatible with the license Forgejo was distributed with
(https://forgejo.org/2024-07-non-free-dependency-found/), and they had to be removed for now. Choosing copyleft licenses enables us to reuse more work, and saves us precious time to focus on improving Forgejo itself.
https://lwn.net/Articles/986998/
Security updates for Friday
Security updates have been issued by Fedora (community-mysql, iaito, and radare2), Oracle (python3.12-setuptools and tomcat), Red Hat (krb5 and podman), Slackware (ffmpeg), SUSE (apache2, expat, firefox, webkit2gtk3, and xen), and Ubuntu (imagemagick and libxstream-java).
https://lwn.net/Articles/986997/
LibreOffice 24.8 released
Version 24.8 (https://blog.documentfoundation.org/blog/2024/08/22/libreoffice-248/) of the LibreOffice office suite has been released. Changes
include the ability to filter identifying information from exported files,
easier creation of cross references, better control over hyphenation, a
number of new spreadsheet functions, accessibility improvements, and more.
https://lwn.net/Articles/986906/
[$] A review of file descriptor memory safety in the kernel
On July 30, Al Viro sent
a patch set (https://lwn.net/ml/all/20240730050927.GC5334@ZenIV/) to the linux-fsdevel mailing list with a
comprehensive cover letter explaining his
recent work on ensuring that the kernel's internal representation of
file descriptors is used correctly.
File descriptors are ubiquitous; many system calls
need to handle them. Viro's review
identified a few existing bugs, and may prevent more in the future. He also had
suggestions for ways to keep uses consistent throughout the kernel.
https://lwn.net/Articles/985853/
Garrett: What is an SBAT and why does everyone suddenly care
Matthew Garrett describes the role of the Secure Boot Advanced Targeting mechanism (https://mjg59.dreamwidth.org/70348.html) and how it
played into the recent Windows upgrade problems.
So why is this suddenly relevant? SBAT was developed
collaboratively between the Linux community and Microsoft, and
Microsoft chose to push a Windows update that told systems not to
trust versions of grub with a security generation below a certain
level. This was because those versions of grub had genuine security
vulnerabilities that would allow an attacker to compromise the
Windows secure boot chain, and we've seen real world examples of
malware wanting to do that.
https://lwn.net/Articles/986844/
“Something has gone seriously wrong,” dual-boot systems warn after Microsoft update (ars technica)
Ars Technica reports (https://arstechnica.com/security/2024/08/a-patch-microsoft-spent-2-years-preparing-is-making-a-mess-for-some-linux-users/)
on a recent Microsoft update (https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2022-2601)
that is causing problems for users with systems that dual-boot Windows
and Linux.
"Note that Windows says this update won't apply to systems that
dual-boot Windows and Linux," one frustrated person wrote. "This
obviously isn't true, and likely depends on your system configuration
and the distribution being run. It appears to have made some linux efi
shim bootloaders incompatible with microcrap efi bootloaders (that's
why shifting from MS efi to 'other OS' in efi setup works). It appears
that Mint has a shim version that MS SBAT doesn't recognize."
The reports indicate that multiple distributions, including Debian,
Ubuntu, Linux Mint, Zorin OS, and Puppy Linux, are all
affected. Microsoft has yet to acknowledge the error publicly, explain
how it wasn't detected during testing, or provide technical guidance
to those affected. Company representatives didn't respond to an email
seeking answers.
https://lwn.net/Articles/986659/
Górny: Gentoo: profiles and keywords rather than releases
Gentoo developer Michał Górny has written a lengthy blog
post (https://blogs.gentoo.org/mgorny/2024/08/20/gentoo-profiles-and-keywords-rather-than-releases/) that explains how Gentoo approaches releases:
Gentoo is something of a hybrid, as it combines the best of both
worlds. It is a rolling release distribution with a single shared
repository that is available to all users. However, within this
repository we use a keywording system to provide a choice between
stable and testing packages, to facilitate both production and
development systems (with some extra flexibility), and versioned
profiles to tackle major lock-step upgrades.
https://lwn.net/Articles/986655/
[$] Python subinterpreters and free-threading
At PyCon US 2024 (https://us.pycon.org/2024/) in Pittsburgh,
Pennsylvania, Anthony Shaw looked at the various kinds of parallelism
available to Python programs. There have been two major developments on
the parallel-execution front over the last few years, with the effort to
provide subinterpreters (https://lwn.net/Articles/820424/), each with its own
global interpreter lock (GIL), along with the work toward free-threading (https://lwn.net/Articles/940780/). In the talk, he
explored the two approaches to try to give attendees a sense of how to make
the right choice for their applications.
https://lwn.net/Articles/985041/
[$] Per-call-site slab caches for heap-spraying protection
One tactic often used by attackers set on compromising a system is heap spraying (https://en.wikipedia.org/wiki/Heap_spraying); in
short, the attacker fills as much of the heap as possible with crafted data
in the hope of getting the target system to use that data in a bad way. If
heap spraying can be blocked, attackers will lose an important tool. The
kernel has some heap-spraying defenses now, including the work (https://lwn.net/Articles/965837/) merged for the
upcoming 6.11 release, but its author, Kees Cook, thinks that more can be
done.
https://lwn.net/Articles/986174/
[$] FreeBSD considers Rust in the base system
The FreeBSD project (https://www.freebsd.org/) is, for the second
time this year, engaging in a long-running discussion about the
possibility of including Rust in its base
system (https://www.over-yonder.net/~fullermd/rants/bsd4linux/03). The sequel to the first discussion included some work by
Alan Somers to show what it might look like to use Rust code in the
base tree. Support for Rust code does not appear much closer to being
included in FreeBSD's base system, but the conversation has been
enlightening.
https://lwn.net/Articles/985210/
Kernel prepatch 6.11-rc4
The 6.11-rc4 kernel prepatch (https://lwn.net/Articles/986162/) is out for
testing. According to Linus:
But it all looks fairly normal. rc4 is bigger than either rc2 or
rc3 were, but not hugely so, and it's actually a normal pattern,
where it takes a while before people find some issues. So nothing
feels all that odd.
https://lwn.net/Articles/986163/
[$] Custom string formatters in Python
Python has had formatted string literals (https://lwn.net/Articles/656898/)
(f-strings), a syntactic shorthand for building
strings, since 2015. Recently, Jim Baker, Guido van Rossum, and Paul Everitt have
proposed PEP 750 (https://peps.python.org/pep-0750/) ("Tag Strings For Writing Domain-Specific Languages") which would
generalize and expand that mechanism to provide Python library writers with additional
flexibility. Reactions to the proposed change were somewhat positive, although
there was a good deal of discussion of (and opposition to)
the PEP's inclusion of lazy evaluation of template parameters.
https://lwn.net/Articles/985346/
[$] Memory-management: tiered memory, huge pages, and EROFS
The kernel's memory-management developers have been busy in recent times;
it can be hard to keep up with all that has been happening in this core
area. In an attempt to catch up, here is a look at recent work
affecting tiered-memory systems, underutilized huge pages, and duplicated
file data in the Enhanced Read-Only Filesystem (EROFS).
https://lwn.net/Articles/984839/
Security updates for Thursday
Security updates have been issued by AlmaLinux (container-tools:rhel8), Debian (flatpak), Fedora (389-ds-base, dotnet8.0, and roundcubemail), Red Hat (bind9.16, firefox, python-setuptools, and thunderbird), Slackware (dovecot), SUSE (389-ds, curl, kernel, kernel-firmware, kubernetes1.25, openssl-1_1, openssl-3, python-Pillow, and zziplib), and Ubuntu (busybox, linux-azure, and ruby-rmagick).
https://lwn.net/Articles/985845/
[$] Standards for use of unsafe Rust in the kernel
Rust is intended to let programmers write safer code.
But compilers are
not omniscient, and writing Rust code that interfaces with hardware (or that
works with memory outside of Rust's lifetime paradigm) requires, at
some point, the programmer's assurance that some operations are permissible. Benno Lossin
suggested adding
some more documentation (https://lwn.net/ml/all/20240717221133.459589-1-benno.lossin@proton.me/) to
the Rust-for-Linux project (https://rust-for-linux.com/) clarifying the
standards for commenting uses of unsafe in kernel code. There's general
agreement that such standards are necessary, but less agreement on exactly when
it is appropriate to use unsafe.
https://lwn.net/Articles/982868/
[$] Zettlr: note-taking and publishing with Markdown
https://daringfireball.net/projects/markdown/
editors are a dime a dozen. Cheaper than that, actually,
since many of them are open‑source software. Despite the sheer number of
options, finding an editor that has all of the features that one might want can
be tricky. For some users, <a href="https://www.zettlr.com/" rel="nofollow">Zettlr</a>
might be the right tool. It is a <a href="https://en.wikipedia.org/wiki/WYSIWYM" rel="nofollow">What You See is What You
Mean</a> (WYSIWYM) editor that stores its work locally as plain Markdown
files. The project is billed as a "one-stop publication
workbench", and is suitable for writing anything from blog posts to
academic papers, maintaining a personal journal, or keeping notes in a <a href="https://en.wikipedia.org/wiki/Zettelkasten" rel="nofollow">Zettelkasten</a>. It
is simple to get started with, but rewards deeper exploration and
customization.
https://lwn.net/Articles/984502/
[$] Changes coming in PostgreSQL 17
The
<a href="https://www.postgresql.org/" rel="nofollow">
PostgreSQL</a> project has
<a href="https://www.postgresql.org/about/news/postgresql-164-158-1413-1316-1220-and-17-beta-3-released-2910/" rel="nofollow">
released</a> beta
versions of PostgreSQL 17 containing several interesting security and usability
improvements, alongside the usual performance improvements and bug fixes. If the
release proceeds according to the usual timeline, the full release of version 17
is expected in September or October.
The most important changes are in what PostgreSQL does when a database
supervisor has their credentials revoked, and added
support for incremental database backups.
https://lwn.net/Articles/984599/
Lix makes its second release
<a href="https://lix.systems" rel="nofollow">Lix</a> has made its second release
since forking. This one includes substantial changes to the backend code, including removing a dependency on Bison, and getting a change to the Nix language back upstream.
The general theme of Lix 2.91 is to perform another wave of
refactorings and design improvements in preparation for our evolution
plans.
Nevertheless, there are a few exciting user-facing changes[.]
https://lwn.net/Articles/985484/
Incus 6.4 released
Version 6.4 of the Incus container manager is out.
This release builds upon the recently added OCI support from Incus
6.3, making it even easier to run application containers. It also
adds a number of useful new features for clustered and larger
environments with more control on the virtual CPU used when live
migrating VMs and finer grained resource constraints within
projects.
See <a href="https://discuss.linuxcontainers.org/t/incus-6-4-has-been-released/21323" rel="nofollow">this
announcement</a> for details.
https://lwn.net/Articles/985482/
Security updates for Tuesday
Security updates have been issued by Debian (kernel and roundcube), Fedora (microcode_ctl, pypy, python2.7, and python3.6), Oracle (389-ds-base, httpd, kernel, kernel-container, and linux-firmware), Red Hat (kernel-rt), SUSE (firefox, kubernetes1.23, libqt5-qtbase, openssl-1_1, python-gunicorn, python-Twisted, python-urllib3, and qt6-base), and Ubuntu (linux-aws-5.15, linux-gkeop-5.15, linux-ibm, linux-ibm-5.15, linux-raspi, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15, linux-oem-6.8, linux-oracle-5.15, and qemu).
https://lwn.net/Articles/985481/
Security updates for Monday
Security updates have been issued by AlmaLinux (httpd:2.4), Fedora (chromium, firefox, frr, neatvnc, nss, python-setuptools, and python3.13), Gentoo (AFLplusplus, Bundler, dpkg, GnuPG, GPAC, libde265, matio, MuPDF, PHP, protobuf, protobuf-python, protobuf-c, rsyslog, Ruby on Rails, and runc), Red Hat (389-ds-base, container-tools:rhel8, and httpd:2.4), SUSE (bind and ca-certificates-mozilla), and Ubuntu (linux-azure).
https://lwn.net/Articles/985336/
[$] Meeting the Debian Technical Committee
It is something of a DebConf tradition that members of the <a href="https://www.debian.org/devel/tech-ctte" rel="nofollow">Debian Technical
Committee</a> (TC) take the stage to talk about the work that the committee
does—and more. <a href="https://debconf24.debconf.org/" rel="nofollow">DebConf24</a> in
Busan, South Korea was no exception, as TC chair Sean Whitton, who
will complete his term at the end of the year, and one
of its newest members, Stefano Rivera, described the constitutional
underpinnings of the TC, how it tries to make decisions when it needs to,
and the constant process of recruiting new members. After that, they took
a few questions from the audience. The session provided a nice overview of
the TC and its role in Debian, but it may well be of interest further afield.
https://lwn.net/Articles/984720/
A new kernel-version policy for Ubuntu
The Canonical Kernel Team has <a href="https://discourse.ubuntu.com/t/kernel-version-selection-for-ubuntu-releases/47007" rel="nofollow">announced</a>
a new policy regarding the version of the kernel that will ship with each
Ubuntu release; the result will generally be the shipping of newer
releases.
To provide users with the absolute latest in features and hardware
support, Ubuntu will now ship the absolute latest available version
of the upstream Linux kernel at the specified Ubuntu release freeze
date, even if upstream is still in Release Candidate (RC) status.
The post goes on to acknowledge that "there are issues with this
approach"; there are a lot of policy details that will apply depending
on just how raw the shipped kernel is.
https://lwn.net/Articles/985043/
[$] Distinguishing Debian testing from unstable
Sometimes, the smallest changes create the longest discussions. As a case
in point, a proposal to make a one-line change in an informational text
file on systems running the Debian unstable distribution has blown up into
an interminable and sometimes unfriendly debate. At its core, though, this
discussion comes down to a seemingly simple question: should a program be
able to determine whether it is running on a Debian testing or unstable
system?
https://lwn.net/Articles/984635/
New attack against the SLUB allocator
Researchers from Graz University of Technology have
<a href="https://www.stefangast.eu/papers/slubstick.pdf" rel="nofollow">published</a>
details of a new attack
on the Linux kernel called SLUBStick. The attack uses timing information to turn an ability to trigger use-after-free or double-free bugs into the ability to overwrite page tables, and thence into the ability to read and write arbitrary areas of memory. The good news is that this attack does require an existing bug to be usable; the bad news is that the kernel regularly sees bugs of this kind.
We assume that an unprivileged user has code execution.
Additionally, we consider the presence of a heap vulnerability
in the Linux kernel. We assume that the Linux kernel
incorporates all defense mechanisms available in version 6.4, the
most recent Linux kernel version when we started our work.
These mechanisms include features such as W^X, KASLR,
SMAP, and kCFI. We do not assume any microarchitectural
vulnerabilities, e.g., transient execution, fault
injection, or hardware side channels.
https://lwn.net/Articles/984984/
0.0.0.0 Day: Exploiting Localhost APIs From the Browser (Oligo Security)
The Oligo Security blog <a href="https://www.oligo.security/blog/0-0-0-0-day-exploiting-localhost-apis-from-the-browser" rel="nofollow">describes</a>
a web-browser vulnerability that has been named "0.0.0.0 day". In short,
browsers will allow JavaScript code to open connections to the all-zeroes
IPv4 address; the result is that any port that is open on the local host
can be accessed by a remote site. "When services use localhost, they
assume a constrained environment. This assumption, which can (as in the
case of this vulnerability) be faulty, results in insecure server
implementations."
https://lwn.net/Articles/984838/
[$] Endless OS aimed at educational and offline environments
<a href="https://www.endlessos.org/os" rel="nofollow">
Endless OS</a> is a Linux distribution with a focus on improving access to
educational tools by providing a simple-to-manage, full-featured desktop for
educators and students — one that works offline, with minimal maintenance. The
distribution also aims to be suitable for older devices, in order to promote access to
computers by ensuring those systems remain usable.
In pursuit of those goals, it makes some unusual technical
choices. But what makes the distribution really shine is its curated collection
of software and educational resources.
https://lwn.net/Articles/984086/
Security updates for Thursday
Security updates have been issued by AlmaLinux (freeradius and freeradius:3.0), Debian (chromium, odoo, and roundcube), Fedora (microcode_ctl, mingw-qt5-qtbase, mingw-qt6-qtbase, opentofu, orc, python-setuptools, and vim), Gentoo (Nokogiri), Oracle (kernel), Red Hat (go-toolset:rhel8, golang, kernel, krb5, libtiff, python-setuptools, and python39:3.9 and python39-devel:3.9), SUSE (python-Django), and Ubuntu (krb5).
https://lwn.net/Articles/984807/
Firefox support added to Puppeteer
Mozilla has <a href="https://hacks.mozilla.org/2024/08/puppeteer-support-for-firefox/" rel="nofollow">announced</a> that Puppeteer, a browser automation and testing library, now has first-class support for Firefox using the
<a href="https://w3c.github.io/webdriver-bidi/" rel="nofollow">WebDriver BiDi</a>
protocol. Puppeteer can be used to drive headless browser instances, and is commonly used for automated end-to-end web site tests.
Whilst the features offered by Puppeteer won't be a surprise,
bringing support to multiple browsers has been a significant
undertaking. The Firefox support is not based on a Firefox-specific
automation protocol, but on WebDriver BiDi, a cross-browser protocol
that's undergoing standardization at the W3C, and currently has
implementation in both Gecko and Chromium. This use of a
cross-browser protocol should make it much easier to support many
different browsers going forward.
https://lwn.net/Articles/984733/
[$] CRIB: checkpoint/restore in BPF
The desire for the ability to checkpoint a process — to record its state in
a form that can be restarted at a future time — on Linux is almost as old as
Linux itself. See, for example, <a href="https://lwn.net/1998/0528/a/checkpoint.html" rel="nofollow">this announcement</a>
of a checkpoint
project that appeared in LWN in 1998. While working solutions exist, they
can be somewhat fragile and difficult to use; it is not surprising that
some people are interested in finding a better alternative. A current
effort goes by the name CRIB,
for Checkpoint/Restore in (naturally) BPF. It is far from clear that CRIB
will replace the existing solutions, but it is an interesting look at a
different way of solving the problem.
https://lwn.net/Articles/984313/
[$] Tracing the source of filesystem errors
There are lots of places in the kernel where an EINVAL can be
returned to user space, but it is often unclear what the actual underlying
problem is because the <a href="https://man7.org/linux/man-pages/man3/errno.3.html" rel="nofollow">errno</a>
error codes are too generic. That is the problem that Miklos Szeredi
wanted to discuss in a filesystem session that he led remotely at the 2024 <a href="https://events.linuxfoundation.org/lsfmmbpf/" rel="nofollow">Linux Storage,
Filesystem, Memory Management, and BPF Summit</a>. He would like to help
those who are trying to debug problems trace where in the kernel a
particular error code is being generated.
https://lwn.net/Articles/984556/
Notes by LWN.net (RSS Feed)