lwn.net

Peter Hutterer writes about the disabling of support for byte-swapped clients in the X.org server and the reasons why this was done.

These days, encountering a Big Endian host is increasingly niche, letting it run an X client that connects to your local little-endian X server is even more niche. I think the only regular real-world use-case for this is running X clients on an s390x, connecting to your local intel-ish (and thus little endian) workstation. Not something most users do on a regular basis. So right now, the byte-swapping code is mainly a free attack surface that 99% of users never actually use for anything real. So... let's not do that?

The kernel's fscrypt subsystem enables filesystems to store files and directories in encrypted form, protecting them against offline attacks. A few filesystems support encryption with fscrypt currently, but Btrfs is an exception, despite a number of attempts to add this feature. The problem is that, as so often seems to be the case, Btrfs works differently and does not fit well with one of the key assumptions in the design of fscrypt. With this patch series, Sweet Tea Dorminy is working to enhance fscrypt to be a better fit for filesystems like Btrfs.

Security updates have been issued by Fedora (binwalk), Oracle (kernel and webkit2gtk3), Red Hat (webkit2gtk3), Slackware (vim), and Ubuntu (libksba and nautilus).

The LWN.net Weekly Edition for January 5, 2023 is available.

The Linux security module (LSM) subsystem has long had limitations on which modules could be combined in a given running kernel. Some parts of the problem have been solved over the years—"smaller" LSMs can be combined at will with a single, more complex LSM—but combining (or "stacking") SELinux with, say, Smack or AppArmor has never been possible. Back in October, we looked at the most recent attempt to add that ability, which resulted in patches to add two new system calls for LSM. By the end of December, the number of new system calls had risen to three.

The 6.1.3, 6.0.17, and 5.10.162 stable kernel updates have been released. Each contains a moderate set of important fixes.

Security updates have been issued by Fedora (xorg-x11-server-Xwayland), Red Hat (webkit2gtk3), SUSE (rmt-server), and Ubuntu (freeradius).

The Fedora community is currently discussing a proposal to start supporting a unified kernel image (UKI) for the distribution; these images would combine several pieces that are generally separate today (e.g. initrd, kernel, and kernel command line). There are a number of advantages to such a kernel image, at least for some kinds of systems, but there is worry from some about where the endpoint of this work lies. There is a need to ensure that Fedora can still boot non-unified, perhaps locally built, kernels and can support other use cases that unification might preclude.

Security updates have been issued by Oracle (bcel), SUSE (ca-certificates-mozilla, glibc, minetest, multimon-ng, nautilus, ovmf, python-Django, samba, saphanabootstrap-formula, and xrdp), and Ubuntu (usbredir).

Yet another new year is upon us, and that can only mean one thing: the time has come for your editor to look into his crystal ball and make some predictions for what 2023 will hold. Said crystal ball is known to suffer from speculative-execution problems and parity errors, but it's the best that LWN's budget will afford. Read on for a highly unreliable look at what's to come.

DistroWatch Weekly celebrates its 1000th issue and 20 years of publication.

How much material is in two decades of Weekly editions? It's in the ballpark of 2,500 articles or approximately 5,600,000 words. It's an overview of a few thousand news announcements, more than 13,000 screenshots, over 6,500 stable open source operating system releases summarized, and more than 2,800 torrents seeded. We've published answers to over 470 questions from curious community members and over 80 Tips & Tricks articles. You could say we've been busy over the past 20 years!

Anybody who installed a nightly release from the PyTorch machine-learning library between December 25 and 30 will want to uninstall it immediately:

At around 4:40pm GMT on December 30 (Friday), we learned about a malicious dependency package (torchtriton) that was uploaded to the Python Package Index (PyPI) code repository with the same package name as the one we ship on the PyTorch nightly package index. Since the PyPI index takes precedence, this malicious package was being installed instead of the version from our official repository. This design enables somebody to register a package by the same name as one that exists in a third party index, and pip will install their version by default.

This malicious package has the same name torchtriton but added in code that uploads sensitive data from the machine.

Security updates have been issued by Debian (cacti, emacs, exuberant-ctags, libjettison-java, mplayer, node-loader-utils, node-xmldom, openvswitch, ruby-image-processing, webkit2gtk, wpewebkit, and xorg-server), Fedora (OpenImageIO, systemd, w3m, and webkit2gtk3), Mageia (curl, freeradius, libksba, libtar, python-ujson, sogo, thunderbird, and webkit2), Red Hat (bcel), and SUSE (ffmpeg, ffmpeg-4, mbedtls, opera, saphanabootstrap-formula, sbd, vlc, and webkit2gtk3).

The second 6.2 kernel prepatch is out for testing — but there isn't a lot there.

So the week started so slow due to the holidays that I thought I might not have any reason to do an rc2 at all, but by the end of the week I did end up getting a smattering of pull requests, so here we are. It's tiny, even smaller than usual for an rc2, and honestly, I'd expect that trend to continue for rc3.

Vanilla OS is a new, Ubuntu-based distribution with an immutable(ish) core and a focus on containers. Version 22.10, the first stable release, is out.

Vanilla OS is not an ordinary Linux distribution, it is a project that sets itself many goals and is not afraid to put itself out there, proudly displaying its unique technologies such as the Apx sub-system, its own automatic update system, and ABRoot transactions.

Version 20 of the Android-based LineageOS distribution has been released.

We have been working extremely hard since Android 13’s release last October to port our features to this new version of Android. Thanks to our hard work adapting to Google’s largely UI-based changes in Android 12, and Android 13’s dead-simple device bring-up requirements, we were able to rebase our changes onto Android 13 much more efficiently. This led to a lot of time to spend on cool new features such as our awesome new camera app, Aperture, which was written in large part by developers SebaUbuntu, LuK1337, and luca020400.

The 6.1.2, 6.0.16, and 5.15.86 stable kernel updates have been released. As is typical for the first post-rc1 updates, each of these contains a huge number of important fixes.

Security updates have been issued by Debian (libcommons-net-java), Fedora (python3.6), and SUSE (conmon, polkit-default-privs, thunderbird, and webkit2gtk3).

Security updates have been issued by Debian (multipath-tools), Fedora (containerd and trafficserver), Gentoo (libksba and openssh), and SUSE (webkit2gtk3).

Security updates have been issued by Fedora (curl) and SUSE (curl, freeradius-server, sqlite3, systemd, and vim).