Linux Weekly News

Security updates have been issued by AlmaLinux (binutils, libsoup, squid:4, tigervnc, and webkit2gtk3), Debian (icinga2, postgresql-13, postgresql-15, smarty3, symfony, thunderbird, and waitress), Fedora (dotnet9.0, ghostscript, microcode_ctl, php-bartlett-PHP-CompatInfo, python-waitress, and webkitgtk), Gentoo (Perl, Pillow, and X.Org X server, XWayland), Oracle (binutils, cups-filters, giflib, squid, and webkit2gtk3), Red Hat (webkit2gtk3), SUSE (ansible-core, apache2, gio-branding-upstream, icinga2, kernel-devel, libnghttp2-14, libsoup-2_4-1, libsoup-3_0-0, libvirt, nodejs-electron, postgresql13, postgresql16, python39, rclone, thunderbird, ucode-intel-20241112, and wget), and Ubuntu (python-asyncssh and tomcat9).

Linus has released the 6.12 kernel. "No strange surprises this last week, so we're sticking to the regular release schedule, and that obviously means that the merge window opens tomorrow.".

Headline features in this release include: support for the Arm permission overlay extension, better compile-time control over which Spectre mitigations to employ, the last pieces of realtime preemption support, the realtime deadline server mechanism, more EEVDF scheduler development, the extensible scheduler class, the device memory TCP work, use of static calls in the security-module subsystem, the integrity policy enforcement security module, the ability to handle devices with a block size larger than the system page size in the XFS filesystem, and more. See the LWN merge-window summaries (part 1, part 2) and the KernelNewbies 6.12 page for more details.

The 6.11.9, 6.6.62, 6.1.118, 5.15.173, 5.10.230, 5.4.286, and 4.19.324 stable kernels have all been released; each contains another set of important fixes.

The OpenWrt router-oriented distribution has long used its own opkg package manager. The project has just announced, though, that future releases will use the apk package manager from Alpine Linux instead. "This new package manager offers a number of advantages over the older opkg system and is a significant milestone in the development of the OpenWrt platform. The older opkg package manager has been deprecated and is no longer part of OpenWrt." There is some more information on this page.

The kernel's loadable-module facility allows code to be loaded into (and sometimes removed from) a running kernel. Among other things, loadable modules make it possible to run a kernel with only the subsystems needed for the system's hardware and workload. Loadable modules can also make it easy for out-of-tree code to access parts of the kernel that developers would prefer to keep private; this has led to many discussions in the past. The topic has returned to the kernel's mailing lists with two different patch sets aimed at further tightening the restrictions applied to loadable modules.

The Fedora Project is set to welcome a second desktop edition to its lineup after months (or years, depending when one starts the clock) of discussions. The project recently decided to allow a new working group to move forward with a KDE Plasma Desktop edition that will sit alongside the existing GNOME-based Fedora Workstation edition. This puts KDE on a more equal footing within the project, which, it is hoped, will bring more contributors and users interested in KDE to adopt Fedora as their Linux distribution of choice.

Security updates have been issued by Debian (curl and unbound), Fedora (krb5 and microcode_ctl), Red Hat (kernel and kernel-rt), SUSE (glib2, python3-wxPython, and ucode-intel), and Ubuntu (golang-1.17, golang-1.18, libgd2, linux, linux-aws, linux-kvm, linux-lts-xenial, linux-gke, linux-raspi, linux-raspi, linux-raspi-5.4, and php7.0, php7.2).

The Python Package Index (PyPI) has announced that it has finalized support for PEP 740 ("Index support for digital attestations"). Trail of Bits, which performed much of the development work for the implementation, has an in-depth blog post about the work and its adoption, as well as what is left undone:

One thing is notably missing from all of this work: downstream verification. [...]

This isn't an acceptable end state (cryptographic attestations have defensive properties only insofar as they're actually verified), so we're looking into ways to bring verification to individual installing clients. In particular, we're currently working on a plugin architecture for pip that will enable users to load verification logic directly into their pip install flows.

Direct memory access (DMA) I/O is simple in concept: a peripheral device moves data directly to or from memory while the CPU is busy doing other things. As is so often the case, DMA is rather more complicated in practice, and the kernel has developed a complicated internal API to support it. It turns out that the DMA API, as it exists now, can affect the performance of some high-bandwidth devices. In an effort to address that problem, Leon Romanovsky is making the API even more complex with this patch series adding a new two-step mapping API.

A new batch of stable kernels has just been released: 6.11.8, 6.6.61, 6.1.117, and 5.15.172. As usual, they contain important fixes throughout the kernel tree.

Security updates have been issued by Fedora (llama-cpp, mingw-expat, python3.6, webkit2gtk4.0, and xorg-x11-server-Xwayland), Mageia (java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-21-openjdk & java-latest-openjdk and libarchive), Oracle (expat, gstreamer1-plugins-base, kernel, libsoup, podman, and tigervnc), SUSE (buildah, java-1_8_0-openjdk, and switchboard-plug-bluetooth), and Ubuntu (zlib).

The LWN.net Weekly Edition for November 14, 2024 is available.

Programming language polyglots are files that are valid programs in multiple languages, and do different things in each. While polyglots are normally nothing more than a curiosity, the Cosmopolitan Libc project has been trying to put them to a novel use: producing native, multi-platform binaries that run directly on several operating systems and architectures. There are still some rough edges with the project's approach, but it is generally possible to build C programs into a polyglot format with with minimal tweaking.

Security updates have been issued by AlmaLinux (expat), Fedora (chromium and golang-github-nvidia-container-toolkit), Mageia (curl, expat, mpg123, networkmanager-libreswan, openssl, php-tcpdf, qbittorrent, and x11-server, x11-server-xwayland, and tigervnc), Red Hat (kernel and libsoup), Slackware (mozilla), SUSE (firefox, kernel, python-PyPDF2, and xen), and Ubuntu (dotnet9, ghostscript, linux-aws, linux-oem-6.8, and pydantic).

Over the years, there has been steady progress in adding security features to compilers and other tools to assist with hardening the Linux kernel (and, of course, other programs). In something of a tradition in the toolchains track at the Linux Plumbers Conference, Kees Cook and Qing Zhao have led a session on that progress and further plans; this year, they were joined by Justin Stitt (YouTube video).

Garrett LeSage has written an in-depth article for Fedora Magazine about a new web-based user interface (UI) for Fedora's Anaconda installer, planned to ship with Fedora 42. The article looks at the rationale for moving from GTK 3 to a web-based UI, provides a number of screenshots and demo screencasts, as well as instructions on trying out the new installer with Fedora Rawhide.

Security updates have been issued by AlmaLinux (gstreamer1-plugins-base), Debian (chromium, ghostscript, libarchive, mpg123, ruby-saml, and symfony), Fedora (buildah and podman), Red Hat (buildah, containernetworking-plugins, podman, skopeo, and xorg-x11-server-Xwayland), Slackware (wget), SUSE (pcp), and Ubuntu (linux, linux-aws-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-gkeop-5.15, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-oracle, linux-oracle-5.15, linux-raspi, linux-xilinx-zynqmp and mysql-8.0).

What have been the most significant security-related incidents for the open-source community in 2024 (so far)? Marta Rybczyńska recently ran a poll and got some interesting results. At the 2024 Open Source Summit Japan, she presented those results along with some commentary of her own. The events in question are unlikely to be a surprise to LWN readers, but the overall picture that was presented was worth a look.

Longtime Debian and Tor developer, Jérémy Bobbio—perhaps better known as "Lunar"—died on November 8. Lunar was one of the founders of the reproducible builds movement and more recently had been working with Software Heritage. More information and tributes in French can be found at this site. They will be missed.

Security updates have been issued by AlmaLinux (podman), Debian (guix, libarchive, and nss), Fedora (expat, iaito, opendmarc, python-werkzeug, radare2, squid, and xorg-x11-server), Mageia (htmldoc, libheif, nspr, nss, firefox & rust, python-urllib3, python-werkzeug, quictls, ruby-webrick, and thunderbird), Oracle (firefox and NetworkManager-libreswan), SUSE (apache2, chromedriver, chromium, coredns, expat, govulncheck-vulndb, httpcomponents-client, java-17-openjdk, java-21-openjdk, libheif, python-wxPython, python311, python312, qbittorrent, ruby3.3-rubygem-actionmailer, ruby3.3-rubygem-actiontext, ruby3.3-rubygem-puma, ruby3.3-rubygem-rails, and virtualbox), and Ubuntu (openjdk-17, openjdk-21, openjdk-8, openjdk-lts, and qemu).