lwn.net

A new kernel testing tree
The linus-next tree aims to provide a more stable and testable integration point compared to linux-next, addressing the runtime issues that make testing linux-next challenging and focusing on code that's about to be pulled by Linus.
Bootc 1.1.0 released
Version 1.1.0 of the bootc utility for performing transactional, in-place operating system updates using Open Container Initative (OCI) images, has been released. This release "officially stabilizes all APIs" for bootc and includes a number of bug fixes. LWN covered bootc in June.
[$] Python PGP proposal poses packaging puzzles
Sigstore is a project that is meant to simplify and improve the process of signing, verifying, and protecting software. It is a relatively new project, declared "generally available" in 2022. Python is an early adopter of sigstore; it started providing signatures for CPython artifacts with Python 3.11 in 2022. This is in addition to the OpenPGP signatures it has been providing since at least 2001. Now, Seth Michael Larson—the Python Software Foundation (PSF) security developer-in-residence—would like to deprecate the PGP signature and move to sigstore exclusively by next year. If that happens, it will involve some changes in the way that Linux distributions verify Python releases, since none of the major distributions have processes for working with sigstore.
Security updates for Monday
A vulnerability in the Guix build system
The Guix project has disclosed a security vulnerability in the build daemon that the distribution uses to build and install software locally. The vulnerability allows an existing unprivileged user to get access to a setuid binary, and from there potentially interfere with any other software built or installed on the computer. The project recommends upgrading the guix daemon now, to avoid the issue.
This exploit requires the ability to start a derivation build and the ability to run arbitrary code with access to the store in the root PID namespace on the machine the build occurs on. As such, this represents an increased risk primarily to multi-user systems and systems using dedicated privilege-separation users for various daemons: without special sandboxing measures, any process of theirs can take advantage of this vulnerability.