Linux Weekly News

Version 8.0 of the Forgejo software-development platform has been released. Notable changes include the removal of non-free software found in the codebase, improved stability, and a reduction in "seemingly random User Interface changes":

A gentle way of describing Forgejo User eXperience is that it is an acquired taste: it grew over the years, driven by the inspiration of the person with the keyboard in their hand. Once implemented it almost never changed. A user who started with Forgejo in 2022 can only see minor changes in 2024 and not all of them make intuitive sense. The solution to this problem is simple and was identified early on: User Research. But only in the making of Forgejo v8.0 did it get some momentum.

See the release notes for a full list of changes.

A bootstrappable build is one that builds existing software from scratch — for example, building GCC without relying on an existing copy of GCC. In 2023, the Guix project announced that the project had reduced the size of the binary bootstrap seed needed to build its operating system to just 357-bytes — not counting the Linux kernel required to run the build process. Now, the live-bootstrap project has gone a step further and removed the need for an existing kernel at all.

Security updates have been issued by Fedora (xdg-desktop-portal-hyprland), Red Hat (freeradius, freeradius:3.0, git-lfs, httpd, kernel, openssh, and varnish:6), SUSE (cdi-apiserver-container, cdi-cloner-container, cdi- controller-container, cdi-importer-container, cdi-operator-container, cdi- uploadproxy-container, cdi-uploadserver-container, cont, git, gtk2, gtk3, kubevirt, virt-api-container, virt-controller-container, virt-exportproxy-container, virt-exportserver-container, virt-handler-container, virt-launcher-container, virt-libguestfs-t, orc, postgresql14, python-dnspython, python-urllib3, shadow, and xen), and Ubuntu (openjdk-17, openjdk-21, openjdk-8, openjdk-lts, and python3.10, python3.8).

At the 2024 Linux Storage, Filesystem, Memory Management, and BPF Summit, John Groves led a session on famfs, which is a filesystem he has developed that uses the kernel's direct-access (DAX) mechanism to access memory that is shareable between hosts. The discussion was aimed at whether a different approach should be taken and, in particular, whether FUSE should be used instead of implementing as an in-kernel filesystem. As noted in the thread about his proposal for an LSFMM+BPF session, and the mailing-list discussions on the first and second version of his patch set, there is some skepticism that a new in-kernel filesystem is warranted for the use case.

Daniel Robbins, founder of the Gentoo Linux distribution and its spinoff Funtoo Linux, has announced that he has decided to end the Funtoo project:

Funtoo started as a philosophy to create a fun community of contributors building something great together. For me, it's no longer that so I need to move on to other things. There is not a successor BDFL for Funtoo nor am I interested in trying to find one, or hand the project off to someone else. You can expect the project to wind down through August. If you have a Funtoo container, it will continue to be online through the end of August so you have time to find another hosting solution if you need one.

At GUADEC in Denver, Colorado on July 21, the GNOME Foundation held its annual general meeting (AGM) to provide updates from the foundation's board and committees. Topics included work accomplished in the past year, challenges facing the GNOME Foundation–including fundraising and finding a new executive director–and some insight into plans for the next year. And last, but not least, the awarding of the Pants of Thanks.

Security updates have been issued by Fedora (curl), Mageia (virtualbox), Oracle (squid), Red Hat (kernel), SUSE (apache2, bind, cdi-apiserver-container, cdi-cloner-container, cdi- controller-container, cdi-importer-container, cdi-operator-container, cdi- uploadproxy-container, cdi-uploadserver-container, devscripts, espeak-ng, freerdp, ghostscript, gnome-shell, gtk2, gtk3, java-11-openjdk, java-17-openjdk, kubevirt, libgit2, openssl-3, orc, p7zip, python-dnspython, and shadow), and Ubuntu (kernel, linux, linux-aws, linux-aws-hwe, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux, linux-aws, linux-gcp, linux-gke, linux-ibm, linux-nvidia, linux-oem-6.8, linux-raspi, linux, linux-azure, linux-azure-5.4, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-iot, linux-kvm, linux-raspi, linux-xilinx-zynqmp, linux-aws, linux-aws-5.4, linux-aws-5.15, linux-ibm, linux-ibm-5.15, linux-raspi, linux-gcp-5.15, and linux-lowlatency).

Version 2.46.0 of the Git source-code management system has been released. This release seems to consist of a long list of interface and performance improvements rather than big new features; see the announcement for the details.

The release of 6.11-rc1 marked the end of the 6.11 merge window on July 28. By that time, 12,102 non-merge changesets had been pulled into the mainline repository; about 8,000 of those came in after the first-half summary was written. Quite a few significant changes were to be found in those changesets; there is also one big change that did not make it.

Security updates have been issued by AlmaLinux (java-11-openjdk), Debian (bind9), Fedora (darkhttpd, mod_http2, and python-scrapy), Red Hat (python3.11, rhc-worker-script, and thunderbird), SUSE (assimp, gh, opera, python-Django, and python-nltk), and Ubuntu (edk2, linux, linux-aws, linux-gcp, linux-gke, linux-gkeop, linux-gkeop-5.15, linux-hwe-5.15, linux-intel-iotg, linux-intel-iotg-5.15, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-oracle, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15, linux-nvidia-6.5, linux-oracle, linux-raspi, and lua5.4).

Linus Torvalds has released 6.11-rc1 and closed the merge window for this development cycle. "The merge window felt pretty normal, and the stats all look pretty normal too. I was expecting things to be quieter because of summer vacations, but that (still) doesn't actually seem to have been the case."

Note that the extensible scheduler class ("sched_ext") was not merged, even though Torvalds had said he would back in June. Sched_ext, it seems, will need another development cycle out of tree.

The 6.10.2, 6.9.12, 6.6.43, 6.1.102, 5.15.164, 5.10.223, 5.4.281, and 4.19.319 stable kernel updates have all been released; each contains a relatively small set of important fixes, at least one of which appears to close a minor security hole.

One of the simplest hardening concepts to understand is that memory should never be both writable and executable, otherwise an attacker can use it to load and run arbitrary code. That rule is generally followed in Linux systems, but there is a glaring loophole that is exploitable from user space to inject code into a running process. Attackers have duly exploited it. A new effort to close the hole ran into trouble early in the merge window, but a solution may yet be found in time for the 6.11 kernel release.

Security updates have been issued by AlmaLinux (linux-firmware and squid), Debian (bind9), Fedora (kubernetes, thunderbird, and tinyproxy), Oracle (containernetworking-plugins, cups, edk2, httpd, httpd:2.4, kernel, kernel-container, libreoffice, libuv, libvirt, python3, and runc), Red Hat (freeradius:3.0, httpd, and squid), and SUSE (giflib and python-dnspython).

In the previous episode of the vgetrandom() story, Jason Donenfeld had put together a version of the getrandom() system call that ran in user space, significantly improving performance for applications that need a lot of random data while retaining all of the guarantees provided by the system call. At that time, it seemed that a consensus had built around the implementation and that it was headed toward the mainline in that form. A few milliseconds after that article was posted, though, a Linus-Torvalds-shaped obstacle appeared in its path. That obstacle has been overcome and this work has now been merged for the 6.11 kernel, but its form has changed somewhat.

On July 12, Jocelyn Falempe proposed a change to the configuration options that Fedora sets for its kernels, in order to make kernel panics easier to report. Falempe would like to enable the kernel's recently added DRM-panic feature, which adds a graphical crash screen that is reminiscent of the infamous Windows "blue screen of death" for kernel panics. The feature introduces a few tradeoffs, including currently limited driver support, so the proposal spawned a good deal of discussion.

Version 1.80.0 of the Rust language has been released. Changes include the new LazyCell and LazyLock types (which delay data initialization until the first access), the stabilization of the exclusive-range syntax for match patterns, and more.

The 6.9.11, 6.6.42, and 6.1.101 stable kernels have been released. As usual, they contain important fixes throughout the tree.

Security updates have been issued by AlmaLinux (containernetworking-plugins, cups, edk2, httpd, httpd:2.4, libreoffice, libuv, libvirt, python3, and runc), Fedora (exim, python-zipp, xdg-desktop-portal-hyprland, and xmedcon), Red Hat (cups, fence-agents, freeradius, freeradius:3.0, httpd:2.4, kernel, kernel-rt, nodejs:18, podman, and resource-agents), Slackware (htdig and libxml2), SUSE (exim), and Ubuntu (ocsinventory-server, php-cas, and poppler).

Linux Mint has announced version 22 of the distribution in three editions: Cinnamon, MATE, and Xfce. Mint 22 is based on Ubuntu 24.04 and uses kernel version 6.8.0:

Linux Mint 22 is a long term support release which will be supported until 2029. It comes with updated software and brings refinements and many new features to make your desktop even more comfortable to use.

LWN covered the Linux Mint 22 beta in early July. See the new features page and release notes for more information on this release.