lwn.net

Gentoo developer Michał Górny has written a lengthy blog post that explains how Gentoo approaches releases:

Gentoo is something of a hybrid, as it combines the best of both worlds. It is a rolling release distribution with a single shared repository that is available to all users. However, within this repository we use a keywording system to provide a choice between stable and testing packages, to facilitate both production and development systems (with some extra flexibility), and versioned profiles to tackle major lock-step upgrades.

Linux installers receive a disproportionate amount of attention compared to the amount of time that most users spend with them. Ideally, a user spends only a few minutes using the installer, versus years using the distribution after it is installed. Yet, the installer sets the first impression, and if it fails to do its job, little else matters. Installers also have to continually evolve to keep pace with new hardware, changes in distribution packaging (such as image-based Linux distributions), and so forth. Along those lines, the SUSE team that maintains the venerable YaST installer has decided it's time to start (almost) fresh with a new Linux installer project, called Agama, for new projects. YaST is not going away as an administration tool, but it is likely to be relieved of installer duties at some point.

Security updates have been issued by Debian (aom, cinder, dovecot, glance, and nova), Fedora (mysql8.0), Oracle (curl and libreoffice), SUSE (oniguruma, openssl-1_0_0, openssl1, and xen), and Ubuntu (cacti, curl, exfatprogs, firefox, and vim).

At PyCon 2024 in Pittsburgh, Pennsylvania, Anthony Shaw looked at the various kinds of parallelism available to Python programs. There have been two major developments on the parallel-execution front over the last few years, with the effort to provide subinterpreters, each with its own global interpreter lock (GIL), along with the work to remove the GIL entirely. In the talk, he explored the two approaches to try to give attendees a sense of how to make the right choice for their applications.

Version 0.3.0 of the uv Python package and project manager has been released. Introduced in February, uv is written in Rust and aims to be "Cargo for Python". Notable changes in this release include the addition of interfaces for managing projects, installing Python, running scripts, and new documentation. See the accompanying blog post for more information.

One tactic often used by attackers set on compromising a system is heap spraying; in short, the attacker fills as much of the heap as possible with crafted data in the hope of getting the target system to use that data in a bad way. If heap spraying can be blocked, attackers will lose an important tool. The kernel has some heap-spraying defenses now, including the dedicated bucket allocator merged for the upcoming 6.11 release, but its author, Kees Cook, thinks that more can be done.

Security updates have been issued by Debian (squid), Fedora (putty), Mageia (quictls), Oracle (bind, curl, python-setuptools, python3.11-setuptools, and python3.12-setuptools), Red Hat (kernel, kpatch-patch-4_18_0-305_120_1, kpatch-patch-4_18_0-372_87_1 and kpatch-patch-4_18_0-372_91_1, kpatch-patch-4_18_0-477_43_1, kpatch-patch-4_18_0-553, kpatch-patch-5_14_0-284_48_1 and kpatch-patch-5_14_0-284_52_1, kpatch-patch-5_14_0-427_13_1, and libreoffice), SUSE (cosign, dri3proto, presentproto, wayland-protocols, xwayland, freerdp, fwupdate, git, gnome-settings-daemon, hdf5, jasper, java-17-openjdk, java-1_8_0-ibm, java-1_8_0-openjdk, kernel, kernel-firmware, libaom, libqt5-qt3d, libqt5-qtquick3d, ntfs-3g_ntfsprogs, osc, python, python-aiohttp, python-azure-core, python-azure-storage-blob, python- azure-storage-queue, python-typing, python-typing_extensions, python-Jinja2, python-PyMySQL, python-requests, python-tqdm, python-WebOb, python3-sqlparse, python310, python311, qemu, sssd, thunderbird, tiff, unixODBC, uriparser, and wireshark), and Ubuntu (intel-microcode, linux-azure-5.4, and postgresql-12, postgresql-14, postgresql-16).

The FreeBSD Project is, for the second time this year, engaging in a long-running discussion about the possibility of including Rust in its base system. The sequel to the first discussion included some work by Alan Somers to show what it might look like to use Rust code in the base tree. Support for Rust code does not appear much closer to being included in FreeBSD's base system, but the conversation has been enlightening.

Today's crop of new stable kernels consists of seven new versions: 6.10.6, 6.6.47, 6.1.106, 5.15.165, 5.10.224, 5.4.282, and 4.19.320. As usual, each contains important fixes throughout the kernel tree.

Security updates have been issued by Debian (python-asyncssh), Fedora (bind, bind-dyndb-ldap, httpd, and tor), SUSE (cosign, cpio, curl, expat, java-11-openjdk, ncurses, netty, netty-tcnative, opera, python-Django, python-Pillow, shadow, sudo, and wpa_supplicant), and Ubuntu (firefox).

The Rust code being added to the kernel is documented using the usual rustdoc conventions; that documentation is now available on kernel.org in formatted form. There is also the linux-next version of the documentation for Rust code that will land in the kernel soon.

The fourth 6.11 kernel prepatch is out for testing. According to Linus:

But it all looks fairly normal. rc4 is bigger than either rc2 or rc3 were, but not hugely so, and it's actually a normal pattern, where it takes a while before people find some issues. So nothing feels all that odd.

The Gentoo Linux project has announced that it is dropping support for Itanium:

Following the removal of IA-64 (Itanium) support in the Linux kernel and glibc, and subsequent discussions on our mailing list, as well as a vote by the Gentoo Council, Gentoo will discontinue all ia64 profiles and keywords. The primary reason for this decision is the inability of the Gentoo IA-64 team to support this architecture without kernel support, glibc support, and a functional development box (or even a well-established emulator). In addition, there have been only very few users interested in this type of hardware.

Python has had formatted string literals (f-strings), a syntactic shorthand for building strings, since 2015. Recently, Jim Baker, Guido van Rossum, and Paul Everitt have proposed PEP 750 ("Tag Strings For Writing Domain-Specific Languages") which would generalize and expand that mechanism to provide Python library writers with additional flexibility. Reactions to the proposed change were somewhat positive, although there was a good deal of discussion of (and opposition to) the PEP's inclusion of lazy evaluation of template parameters.

Security updates have been issued by Fedora (389-ds-base, dotnet8.0, python3.13, roundcubemail, thunderbird, and tor), Mageia (roundcubemail), Oracle (.NET 8.0, bind and bind-dyndb-ldap, bind9.16, container-tools:ol8, edk2, firefox, gnome-shell, grafana, httpd:2.4, jose, kernel, krb5, mod_auth_openidc:2.3, orc, poppler, python-urllib3, python3.11-setuptools, thunderbird, and wget), Red Hat (kernel), SUSE (apptainer, curl, kernel, kernel-firmware, libqt5-qtbase, python-aiosmtpd, and ucode-intel), and Ubuntu (bind9, gnome-shell, libreoffice, and orc).

The kernel's memory-management developers have been busy in recent times; it can be hard to keep up with all that has been happening in this core area. In an attempt to catch up, here is a look at recent work affecting tiered-memory systems, underutilized huge pages, and duplicated file data in the Enhanced Read-Only Filesystem (EROFS).

Security updates have been issued by AlmaLinux (container-tools:rhel8), Debian (flatpak), Fedora (389-ds-base, dotnet8.0, and roundcubemail), Red Hat (bind9.16, firefox, python-setuptools, and thunderbird), Slackware (dovecot), SUSE (389-ds, curl, kernel, kernel-firmware, kubernetes1.25, openssl-1_1, openssl-3, python-Pillow, and zziplib), and Ubuntu (busybox, linux-azure, and ruby-rmagick).

The LWN.net Weekly Edition for August 15, 2024 is available.

Three new stable kernels have been released: 6.10.5, 6.6.46, and 6.1.105. As usual, they contain important fixes all over the kernel tree.

Rust is intended to let programmers write safer code. But compilers are not omniscient, and writing Rust code that interfaces with hardware (or that works with memory outside of Rust's lifetime paradigm) requires, at some point, the programmer's assurance that some operations are permissible. Benno Lossin suggested adding some more documentation to the Rust-for-Linux project clarifying the standards for commenting uses of unsafe in kernel code. There's general agreement that such standards are necessary, but less agreement on exactly when it is appropriate to use unsafe.