Linux Weekly News
Security updates for Monday
The 6.10 kernel has been released
So the final week was perhaps not quote as quiet as the preceding ones, which I don't love - but it also wasn't noisy enough to warrant an extra rc.
Changes in 6.10 include the removal of support for some ancient Alpha CPUs, shadow-stack support for the x32 sub-architecture, Rust-language support on RISC-V systems, support for some Windows NT synchronization primitives (though it is marked "broken" in 6.10), the mseal() system call, fsverity support in the FUSE filesystem subsystem, ioctl() support in the Landlock security module, the memory-allocation profiling subsystem, and more.
See the LWN merge-window summaries (part 1, part 2) and the KernelNewbies 6.10 page for more details.
GNOME Foundation Announces Transition of Executive Director
The GNOME Foundation has announced that executive director Holly Million is stepping down at the end of July, and will be replaced by Richard Littauer as interim executive director:
On behalf of the whole GNOME community, the Board of Directors would like to give our utmost thanks to Holly for her achievements during the past 10 months, including drafting a bold five-year strategic plan for the Foundation, securing two important fiscal sponsorship agreements with GIMP and Black Python Devs, writing our first funding proposal that will now enable the Foundation to apply for more grants, vastly improving our financial operations, and implementing a break-even budget to preserve our financial reserves.
The Foundation's Interim Executive Director, Richard Littauer, brings years of open source leadership as part of his work as an organizer of SustainOSS and CURIOSS, as a sustainability coordinator at the Open Source Initiative, and as a community development manager at Open Source Collective, and through open source contributions to many projects, such as Node.js and IPFS. The Board appointed Richard in June and is confident in his ability to guide the Foundation during this transitional period.
Million says she is leaving to pursue a PhD in psychology. The board plans to announce its search plan for a permanent executive directory after GUADEC, which takes place July 19 through 24.
[$] A look at Linux Mint 22
Linux Mint has released a beta of its next long-term-support (LTS) release, Linux Mint 22 (code-named "Wilma"), based on Ubuntu 24.04. Aside from the standard software updates that come with any major upgrade, some of Wilma's largest selling points are what it doesn't have; namely snap packages or GNOME applications that have broken theming on non-GNOME desktops like Mint's Cinnamon desktop.
Security updates for Friday
[$] Nix alternatives and spinoffs
Since the disagreements that led to Eelco Dolstra stepping down from the NixOS Foundation board, there have been a number of projects forked from or inspired by Nix that have stepped up to compete with it. Two months on, some of these projects are now well-established enough to look at what they have to offer and how they compare to each other. Overall, users have a number of good options to choose from, whether they're seeking a compatible replacement for Nix (the configuration language and package manager) or NixOS (the Linux distribution), or something that takes the same ideas in a different direction.
[$] Reports from OSPM 2024, part 1
Security updates for Thursday
An empirical study of Rust for Linux
Despite more novice developers being attracted by Rust to the kernel community, we have found their commits are mainly for constructing Rust-relevant toolchains as well as Rust crates alone; they do not, however, take part in kernel code development. By contrast, 5 out of 6 investigated drivers (as seen in Table 5) are mainly contributed by authors from the Linux community. This implies a disconnection be- tween the young and the seasoned developers, and that the bar of kernel programming is not lowered by Rust language.
As a bonus, it includes a ChatGPT analysis of LWN and Hacker News comments.
[$] LWN.net Weekly Edition for July 11, 2024
Brown: Fixing a 6-year-old bug in Ubuntu MATE and Xubuntu
Doug Brown documents the long journey to fixing a bug in the GDebi utility for installing Debian packages. He first encountered the bug in Ubuntu MATE 18.04: "at the time I just ignored this issue. I didn't want to deal with it. I went off to the trusty Linux terminal and installed Chrome that way instead".
Two and a half years ago, I committed to doing more open-source contributions in my free time and was finally irritated enough about this problem to look into it. I searched around for more info. Lo and behold, lots of people were also affected and there was already an issue from 2019 on Ubuntu's bug tracker about it.
[...] As is commonly the case in software development, the difficult part of this fix had nothing to do with the code itself. All of my effort was spent figuring out Ubuntu's patch submission processes and advocating for my merge request. Nobody else seemed to be interested in doing the work to actually fix this bug that has been plaguing Ubuntu MATE and Xubuntu, not to mention some Debian users, for over 6 years. After dealing with the long process of getting my merge request approved, I think I'm starting to understand why!
Brown notes that the fix is now packaged for the upcoming Ubuntu 24.10 release, and should be backported to 22.04 and 24.04 eventually.
Fix for Fedora Atomic Desktop and Fedora IoT boot failure
Fedora Atomic Desktop and Fedora IoT systems installed before Fedora 40 may fail to boot after an update if secure boot is enabled. Fedora Magazine has a post by Timothée Ravier about the problem, how users can work around it, and what the project is doing to avoid the similar problems in the future:
On Fedora Atomic Desktops and Fedora IoT systems, the components that are part of the boot chain (Shim, GRUB) are not (yet) automatically updated alongside the rest of the system. Thus, if you have installed a Fedora Atomic Desktop or a Fedora IoT system before Fedora 40, it uses an old versions of the Shim and bootloader binaries to boot your system.
When Secure Boot is enabled, the EFI firmware loads Shim first. Shim is signed by the Microsoft Third Party Certificate Authority so that it can be verified on most hardware out of the box. The Shim binary includes the Fedora certificates used to verify binaries signed by Fedora. Then Shim loads GRUB, which in turn loads the Linux kernel. Both are signed by Fedora.
Until recently, the kernel binaries where signed two times, with an older key and a newer one. With the 6.9 kernel update, the kernel is no longer signed with the old key. If GRUB or Shim is old enough and does not know about the new key, the signature verification fails.
[$] Improving pseudo filesystems
[$] Sxmo: a text-centric mobile user interface
Security updates for Wednesday
[$] A new API for tree-in-dcache filesystems
Firefox 128.0 released
[$] Offload-friendly network encryption in the kernel
The PSP security protocol (PSP) is a way to transparently encrypt packets by efficiently offloading encryption and decryption to the network interface cards (NICs) that Google uses for connections inside its data centers. The protocol is similar to IPsec, in that it allows for wrapping arbitrary traffic in a layer of encryption. The difference is that PSP is encapsulated in UDP, and designed from the beginning to reduce the amount of state that NICs have to track in order to send and receive encrypted traffic, allowing for more simultaneous connections. Jakub Kicinski wants to add support for the protocol to the Linux kernel.