lwn.net

It was only a matter of time before somebody tried to bring BPF to the kernel's CPU scheduler. At the end of January, Tejun Heo posted the second revision of a 30-part patch series, co-written with David Vernet, Josh Don, and Barret Rhoden, that does just that. There are clearly interesting things that could be done by deferring scheduling decisions to a BPF program, but it may take some work to sell this idea to the development community as a whole.

Security updates have been issued by Debian (postgresql-11 and sox), Fedora (opusfile), SUSE (bind, jasper, libapr-util1, pkgconf, tiff, and xrdp), and Ubuntu (cinder, imagemagick, less, linux, linux-aws, linux-azure, linux-azure-5.4, linux-gkeop, linux-kvm, linux-oracle, linux-raspi, linux-raspi-5.4, linux, linux-aws, linux-gcp, linux-ibm, linux-kvm, linux-lowlatency, linux-oracle, linux-raspi, linux, linux-aws, linux-gcp-4.15, linux-kvm, linux-oracle, linux-raspi2, linux, linux-azure, linux-azure-5.15, linux-gkeop, linux-hwe-5.15, linux-ibm, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-oracle, linux-oracle-5.15, linux-raspi, linux-azure, linux-azure-4.15, linux-dell300x, linux-gke, linux-oem-5.14, linux-oem-5.17, linux-oem-6.0, linux-oem-6.1, linux-snapdragon, nova, and swift).

The 6.1.11 and 5.15.93 stable kernel updates have been released; each contains another set of important fixes.

The Thunderbird email client blog has a plan for where the project is going.

Throughout the next 3 years, the Thunderbird project is aiming at these primary objectives:

• Make the code base leaner and more reliable, rewrite ancient code, remove technical debt.
• Rebuild the interface from scratch to create a consistent design system, as well as developing and maintaining an adaptable and extremely customizable user interface.
• Switch to a monthly release schedule.

Serial litigant Craig Wright recently won a procedural ruling in a London court that allows a multi-billion-dollar Bitcoin-related lawsuit to proceed. This case has raised a fair amount of concern within the free-software community, where it is seen as threatening the "no warranty" language included in almost every free-software license. As it happens, this case does not actually involve that language, but it has some potentially worrisome implications anyway.

Security updates have been issued by Debian (chromium, libsdl2, and wireshark), Fedora (pesign, tpm2-tss, and webkitgtk), Oracle (hsqldb, krb5, libksba, tigervnc, and tigervnc and xorg-x11-server), Red Hat (openvswitch2.13, openvswitch2.15, openvswitch2.16, openvswitch2.17, rh-varnish6-varnish, tigervnc, and tigervnc and xorg-x11-server), Scientific Linux (tigervnc and xorg-x11-server), and SUSE (apache2, apache2-mod_security2, apr-util, netatalk, podman, python-swift3, rubygem-globalid, syslog-ng, and thunderbird).

The LWN.net Weekly Edition for February 9, 2023 is available.

The Atlantic Council (described by Wikipedia as "an American think tank in the field of international affairs") has published a lengthy report on the problem of security in open-source software and what might be done about it.

OSS is really not much different from proprietary software: all code can be developed more securely, and the security risks OSS faces are common across most digital systems. For OSS the differences come in the relationships between open-source consumers—from government to the private sector to end users—and the projects they rely on. The lack of clear transactional relationships and the deeply influential role of the diverse, ever-changing contributor community are a challenge for policy and industry to navigate and support sufficiently. The result is an ecosystem that has both enabled digital innovation and often suffered from overburdened developers and under-resourced communities and projects.

A lot of digital ink has been expended in recounting the ongoing Python packaging saga, which is now in its fourth installment (earlier articles: landscape survey, visions and unification, and pip-conda convergence). Most of that covered conversations that took place in November and the discussion largely settled down over the holidays, but it picked up again with a packaging-strategy thread that started in early January. That thread was based on the results of a user survey about packaging that was meant to help guide the Python Packaging Authority (PyPA) and other interested developers, but the guidance provided was somewhat ambiguous—leading to lots more discussion.

The nccgroup blog is carrying a four-part series by Domen Puncer Kugler on how vulnerabilities can make their way into device drivers written in Rust.

In other words, the CONFIG_INIT_STACK_ALL_ZERO build option does nothing for Rust code! Developers must be cautious to avoid shooting themselves in the foot when porting a driver from C to Rust, especially if they previously relied on this config option to mitigate this class of vulnerability. It seems that kernel info leaks and KASLR bypasses might be here to stay, at least, for a little while longer.

Security updates have been issued by Debian (heimdal, openssl, shim, and xorg-server), Oracle (kernel and thunderbird), Red Hat (git, libksba, samba, and tigervnc), Scientific Linux (thunderbird), Slackware (openssl and xorg), SUSE (EternalTerminal, openssl-1_0_0, openssl-1_1, openssl-3, openssl1, polkit, and sssd), and Ubuntu (git, grunt, heimdal, openssl, openssl1.0, and xorg-server, xorg-server-hwe-18.04, xwayland).

The Flatpak package format promises to bring "the future of apps on Linux", but a Linux distribution like Fedora already provides packages in its native format—and built to its specifications. Flatpaks that come from upstream projects may or may not follow the packaging guidelines, philosophy, and practices so they exist in their own world, separate from the packages that come directly from Fedora. But those worlds have collided to a certain extent over the past year to two. Recently, a packager announced their plans to stop packaging the Bottles tool, used for running Windows programs in Wine-based containers on Linux, in favor of recommending that Fedora users install the upstream Flatpak.

Security updates have been issued by Debian (graphite-web, openjdk-11, webkit2gtk, wpewebkit, and xorg-server), Mageia (advancecomp, apache, dojo, git, java/timezone, libtiff, libxpm, netatalk, nodejs-minimist, opusfile, python-django, python-future, python-mechanize, ruby-sinatra, sofia-sip, thunderbird, and tigervnc), Oracle (git and thunderbird), Red Hat (git, libksba, rh-git227-git, rh-nodejs14-nodejs and rh-nodejs14-nodejs-nodemon, and thunderbird), SUSE (apache2, nginx, php8-pear, redis, rubygem-activesupport-5_1, rubygem-rack, sssd, xorg-x11-server, and xwayland), and Ubuntu (tmux).

The most recent batch of stable kernels has been released: 6.1.10, 5.15.92, 5.10.167, 5.4.231, 4.19.272, and 4.14.305. Those updates contain a relatively small number of important fixes throughout the kernel tree.

Computer-aided design (CAD) software is expensive to develop, which is a good reason to appreciate the existing free and open-source alternatives to some of the big names in the industry. This article takes a bird's-eye view at free and open-source software for 2D drafting and 3D parametric solid modeling, its progress over the years, as well as wins and ongoing challenges.

Security updates have been issued by Debian (libhtml-stripscripts-perl), Fedora (binwalk, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-latest-openjdk, kernel, sudo, and syncthing), SUSE (syslog-ng), and Ubuntu (editorconfig-core, firefox, pam, and thunderbird).

The 6.2-rc7 kernel prepatch is out for testing.

So the 6.2 rc releases are continuing to be fairly small and controlled, to the point where normally I'd just say that this is the last rc. But since I've stated multiple times that I'll do an rc8 due to the holiday start of the release, that's what I'll do.

Of all the attacks on cryptographic code, timing attacks may be among the most insidious. An algorithm that appears to be coded correctly, perhaps even with a formal proof of its correctness, may be undermined by information leaked as the result of data-dependent timing differences. Both Arm and Intel have introduced modes that are intended to help defend against timing attacks, but the extent to which those modes should be used in the kernel is still under discussion.

Security updates have been issued by Fedora (chromium and vim), Slackware (openssh), and Ubuntu (lrzip and tiff).

Version 7.5 of the LibreOffice Community edition is now available. LibreOffice is, of course, the FOSS desktop office suite; version 7.5 brings new features to multiple parts of the tool, including major improvements to dark mode, better PDF exports, improved bookmarks in Writer, data tables for charts in Calc, better interoperability with Microsoft Office, and lots more. Check out the release notes for further information. LibreOffice 7.5 Community's new features have been developed by 144 contributors: 63% of code commits are from the 47 developers employed by three companies sitting in TDF's Advisory Board - Collabora, Red Hat and allotropia - or other organizations, 12% are from 6 developers at The Document Foundation, and the remaining 25% are from 91 individual volunteers.

Other 112 volunteers - representing hundreds of other people providing translations - have committed localizations in 158 languages. LibreOffice 7.5 Community is released in 120 different language versions, more than any other free or proprietary software, and as such can be used in the native language (L1) by over 5.4 billion people worldwide. In addition, over 2.3 billion people speak one of those 120 languages as their second language (L2).