Linux Weekly News
[$] RPM 4.20 is coming
The RPM Package Manager (RPM) project is nearing the release of RPM 4.20, the last major planned update for the RPM 4.x series. It has few user-facing changes, but several additions and enhancements for developers—as well as some small incompatibilities that will likely require RPM packagers to revise their spec files. 4.20 will be rolling out to many users soon, in Fedora 41, which is scheduled for October. RPM 6.0 is already in the works, with a new package format and opening the door to enabling C++ use in the RPM codebase.
Security updates for Thursday
[$] The uncertain future of kernel regression tracking
GNOME 47 released
[$] LWN.net Weekly Edition for September 19, 2024
Swift 6 released
Version 6.0 of the Swift programming language has been released. Notable changes include new low-level programming features, expanded Linux support, and a preview release of the Embedded Swift language subset for embedded software development with a toolchain for Arm and RISC-V targets. See the CHANGELOG for full details of changes in 6.0.
Haiku R1/beta5 has been released
Version R1/beta5 for the Haiku project, an open-source "spiritual successor to BeOS", has been released. Notable changes in this release include a TUN/TAP network driver, basic support for USB audio devices, TCP throughput improvements, a rewritten driver for the FAT filesystem, read-only support for Unix File System 2 (UFS2), as well as hundreds of bug fixes and performance improvements since the last release in December 2022. Thanks to Paul Wise for the tip.
[$] Kernel developers at Cauldron
LLVM 19.1.0 released
Version 19.1.0 of the LLVM compiler suite has been released:
This is the first release in the LLVM 19.x series and represents 6 months of work the LLVM community. During this period 1502 unique authors contributed 18925 commits (3605729 lines added and 1665792 lines removed) to LLVM.
As usual, there is a long list of changes; see the release notes for LLVM, Libc++, lld, Clang, and Extra Clang Tools for changes to each.
Security updates for Wednesday
[$] A discussion of Rust safety documentation
Kangrejos 2024 started off with a talk from Benno Lossin about his recent work to establish a standard for safety documentation in Rust kernel code. Lossin began his talk by giving a brief review of what safety documentation is, and why it's needed, before moving on to the current status of his work. Safety documentation is easier to read and write when there's a shared vocabulary for discussing common requirements; Lossin wants to establish that shared vocabulary for Rust code in the Linux kernel.
[$] Vanilla OS 2: an immutable distribution to run all software
Vanilla OS, an immutable desktop Linux distribution designed for developers and advanced users, has recently published its 2.0 "Orchid" release. Previously based on Ubuntu, Vanilla OS has now shifted to Debian unstable ("sid"). The release has made it easier to install software from other distributions' package repositories, and it is now theoretically possible to install and run Android applications as well.
Security proof for Linux's random number generator
Four researchers have published a formal proof that Linux's new deterministic random bit generator (DRBG) is secure in a particular sense — specifically, that the number of queries that would need to be made to it to uncover its internal state depends on the quality of the entropy it can collect from different sources. As long as it can gather enough entropy, it produces secure random numbers.
Since the significant structural changes in Linux 4 and Linux 5.17, there has been no research on the provable security of Linux-DRBG. For the first time (to the best of our knowledge), we formally model the Linux-DRBG in Linux 6.4.8 and prove its security in the seedless robustness model
Thanks to Jason Donenfeld for bringing the paper to our attention.
[$] An update on BPF generation from GCC
Security updates for Tuesday
Linux Foundation announces OpenSearch Software Foundation
The Linux Foundation has announced the creation of the OpenSearch Software Foundation as a vendor‑neutral home for the OpenSearch search and observability software:
Established in 2021 and previously hosted by Amazon Web Services (AWS), OpenSearch has recorded more than 700 million software downloads and participation from thousands of contributors and more than 200 project maintainers.
AWS created the OpenSearch project as an open-source fork of ElasticSearch and Kibana in 2021 after Elastic moved those projects to non-free licenses. Elastic announced in August that it would relicense the projects under the Affero GPL (AGPL).
[$] Fedora evicts WolfSSL
The Fedora Engineering Steering Committee (FESCo) has voted to immediately remove the WolfSSL package from all of Fedora's repositories due to its maintainer failing to gain approval to package a new cryptography library for Fedora. Its brief travels through Fedora's package system highlight gaps in documentation, as well as in the package‑review process. The good news is that this may stir Fedora to improve its documentation and revive a formal security team.
Valkey 8.0.0 released
Version 8.0.0 of the Valkey open-source in-memory data store is now available. This is the first major release of Valkey since the project forked from Redis in March of this year:
While this is a major version, Valkey takes command set compatibility seriously: Valkey 8.0.0 makes no backwards incompatible changes to the existing command syntax or their responses. Your existing tools and custom software will be able to immediately take advantage of Valkey 8.0.0. Since Valkey 8.0.0 does make some small changes to previously undefined behaviors, it's wise to read the release notes. Additionally, because this version makes changes in how the software uses threading, you may want to re-evaluate your cluster's infrastructure to achieve the highest performance.