lwn.net

At the recently concluded Maintainers Summit, it was generally agreed that the Rust experiment would continue, and that the path was clear for more Rust code to enter the kernel. But the high-level view taken at such gatherings cannot always account for the difficult details that will inevitably arise as the Rust work proceeds. A recent discussion on the nouveau mailing list may have escaped the notice of many, but it highlights some of the problems that will have to be worked out as important functionality written in Rust heads toward the mainline.

Mozilla has released Firefox versions 131.0.2, ESR 128.3.1, and ESR 115.16.1. These updates address a severe, remotely exploitable code-execution vulnerability that is evidently already being exploited. Updating to a fixed release seems like a wise thing to do.

Greg Kroah-Hartman has announced the release of the 6.11.3, 6.10.14, 6.6.55, and 6.6.56 stable kernels. The 6.6.56 release fixes a problem with building perf in 6.6.55; "If you do not use the perf tool in the 6.6.y tree, there is no need to upgrade.". Meanwhile, 6.10.14 is the last of the 6.10.y series, so users should now be moving to 6.11.y. Other than 6.6.56, they contain the usual long list of important fixes throughout the kernel tree.

Security updates have been issued by Debian (chromium), Fedora (firefox, koji, unbound, webkit2gtk4.0, and xen), Red Hat (glibc, net-snmp, and tomcat), Slackware (mozilla), SUSE (apache-commons-io, buildah, cups-filters, liboath-devel, libreoffice, libunbound8, podman, and redis), and Ubuntu (cups-browsed, cups-filters, edk2, linux-raspi-5.4, and oath-toolkit).

The LWN.net Weekly Edition for October 10, 2024 is available.

Bindgen is a widely used tool that automatically generates Rust bindings from C headers. The Rust-for-Linux project uses it to create some of the bindings between Rust code and the rest of the kernel. John Baublitz presented at Kangrejos about the improvements that he has made to the tool in order to make the generated bindings easier to use, including improved support for macros, bitfields, and enums.

The Julia project has released version 1.11.0. A separate blog post covers some of the highlights. The release includes a number of helpful features.

In previous Julia versions, there was no "programmatic way" of knowing if an unexported name was considered part of the public API or not. Instead, the guideline was basically that if it was not in the manual then it was not public which was a bit underwhelming. To remedy that, there is now a public keyword in Julia that can be used to indicate that an unexported name is part of the public API.

Security updates have been issued by AlmaLinux (firefox, mod_jk, and thunderbird), Debian (apache2 and firefox-esr), Fedora (crosswords, logiops, p7zip, and perl-App-cpanminus), Red Hat (.NET 6.0, firefox, git, kernel, kernel-rt, openssl, and thunderbird), SUSE (buildah, json-lib, kernel, Mesa, mozjs78, pgadmin4, podman, podofo, qatlib, redis7, roundcubemail, rusty_v8, and seamonkey), and Ubuntu (dotnet6, dotnet8, nginx, and ruby-webrick).

In the early days of open source, it was a struggle to get companies to accept the concept and trust its development model. Now, companies have few qualms about using it, but do tend to take open source and those who maintain it for granted. The struggle now is to find ways to compensate producers of the software, sustain the open‑source commons, and avoid burning out maintainers. The Open Source Pledge project is an effort to persuade companies to pay maintainers by making it a social norm. On October 8, the project is launching a marketing campaign to raise awareness and try to get a larger conversation started around paying maintainers.

Alice Ryhl has been working to enable tracepoints — which are widely used throughout the kernel — to be seamlessly placed in Rust code as well. She spoke about her approach at Kangrejos. Her patch set enables efficient use of static tracepoints, but supporting dynamic tracepoints will take some additional effort.

Security updates have been issued by Debian (kernel), Fedora (webkitgtk), Mageia (cups), Oracle (e2fsprogs, kernel, and kernel-container), Red Hat (buildah, container-tools:rhel8, containernetworking-plugins, git-lfs, go-toolset:rhel8, golang, grafana-pcp, podman, and skopeo), SUSE (Mesa, mozjs115, podofo, and redis7), and Ubuntu (cups and cups-filters).

OpenBSD 7.6 has been released. Notable new features include work to improve suspend/resume on modern hardware, support for the arm64 Qualcomm Snapdragon X Elite laptops, as well as many improvements in hardware support and driver bug fixes.

With this release all files that existed in the first commit in the OpenBSD source repository have been updated, modified or replaced at some point in time, reaching OpenBSD of Theseus.

See the changelog for all changes between OpenBSD 7.5 and 7.6.

The recent WordPress controversy is not the first time there's been tension between the WordPress community, the interests of Automattic as a business, and Matt Mullenweg's leadership as WordPress's benevolent dictator for life (BDFL). In particular, Mullenweg's focus on pushing WordPress to use a new "editing experience" called Gutenberg caused significant friction—and led to the ClassicPress fork. Users who want to preserve the "classic" WordPress experience without straying too far from the WordPress fold may want to look into ClassicPress.

Version 3.13 of the Python programming language has been released. The "What's New In Python 3.13" page has a summary of all the new features and changes. Highlights of the release include a basic JIT compiler, experimental support for free-threading, and much more. See the changelog for even more details.

The core of the Android operating system, as represented by the Android Open Source Project (AOSP), can only be considered one of the most successful open-source initiatives ever created; its user count is measured in the billions. But few would consider it to be a truly community-oriented project. At the 2024 Linux Plumbers Conference, Chris Simmonds asked why the AOSP community is so hard to find, and what might be done about the situation.

Version 2.47.0 of the Git source-code management system has been released. The changes include a long list of incremental improvements; see the announcement and this GitHub blog post for details.

Version 4.20 of the RPM Package Manager (RPM) has been released. Major changes in this release include a new plugin to prevent filesystem and network access by scriptlets, the BuildSystem directive for declaring the build system to be used by packaged software, and more. LWN covered the development of RPM 4.20 in September.

Security updates have been issued by AlmaLinux (go-toolset:rhel8 and linux-firmware), Arch Linux (oath-toolkit), Debian (e2fsprogs, firefox-esr, libgsf, mediawiki, and oath-toolkit), Fedora (aws, chromium, firefox, p7zip, pgadmin4, python-gcsfs, unbound, webkitgtk, znc, znc-clientbuffer, and znc-push), Mageia (ghostscript and rootcerts nss firefox firefox-l10n), Oracle (kernel, oVirt 4.4 ovirt-engine, and thunderbird), SUSE (chromedriver, chromium, cups-filters, ffmpeg-7, frr, Mesa, openssl-3, openvpn, pcp, and redis), and Ubuntu (firefox and ruby-webrick).

Linus has released 6.12-rc2 for testing.

Anyway, this isn't one of the small rc2's. But looking at historical trends, being a bigger rc2 isn't _that_ unusual, and nothing in here looks all that odd. Yes, the diffstat may look a bit unusual, in that we had a global header renaming (asm/unaligned.h -> linux/unaligned.h) and we had a couple of reverts that stand out as spikes in the stats, but everything else looks nice and small.

Akamai released a report pointing out that the recently-reported CUPS vulnerability (original disclosure) could be used to drive distributed denial-of-service (DDoS) attacks as well. Even if an attacker cannot gain remote control over a computer, they can still cause it to fetch a URL of their choice — potentially getting free DDoS amplification.

The Akamai Security Intelligence and Response Team (SIRT) found that more than 198,000 devices are vulnerable to this attack vector and are accessible on the public internet; roughly 34% of those could be used for DDoS abuse (58,000+).