lwn.net

Security updates have been issued by AlmaLinux (cups-filters, net-snmp, and osbuild-composer), Debian (booth, cups, cups-filters, python-asyncssh, ruby-httparty, ruby-loofah, ruby-rails-html-sanitizer, tryton-server, unbound, and wireshark), Fedora (chromium, cjson, cups, cups-browsed, libcupsfilters, and libppd), Gentoo (Apache HTTPD, Docker, HashiCorp Consul, IcedTea, nginx, tmux, and yt-dlp), Mageia (java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, & java-latest-openjdk and libreoffice), Red Hat (git-lfs, grafana, and osbuild-composer), and SUSE (chromedriver, chromium, coredns, json-java-20240303, kernel, libmozjs-128-0, maven-archetype, python3, python312, and quagga).

The Arch Linux project has announced that Valve will be helping the distribution with a couple of important initiatives:

Valve is generously providing backing for two critical projects that will have a huge impact on our distribution: a build service infrastructure and a secure signing enclave. By supporting work on a freelance basis for these topics, Valve enables us to work on them without being limited solely by the free time of our volunteers.

Linus has released 6.12-rc1 and closed the merge window for this release.

Despite conference travel (both for me and several maintainers), things seemed to go mostly fairly normally. There's a couple of notable new features in here: For one thing, PREEMPT_RT is now mainlined and enabled as a config option (you do need to enable "EXPERT" to get the question). For another, sched_ext also got merged.

Michał Górny describes the challenges involved in transitioning Gentoo to year-2038-safe time representations:

There is a general agreement that the way forward is to change time_t to a 64-bit type. Musl has already switched to that, glibc supports it as an option. A number of other distributions such as Debian have taken the leap and switched. Unfortunately, source-based distributions such as Gentoo don't have it that easy. So we are still debating the issue and experimenting, trying to figure out a maximally safe upgrade path for our users.

Unfortunately, that's nowhere near trivial. Above all, we are talking about a breaking ABI change.

In the wake of the XZ backdoor, the Debian project has revisited some of the patches included in its OpenSSH packages to improve security. The outcome of this is that the project will be splitting out support for Kerberos key exchange into a separate set of packages, though not until after the Debian 13 ("trixie") release expected next year. The impact on Debian users should be minimal, but it is an interesting look into the changes Linux distributions make to upstream software as well as some of the long-term consequences of those choices.

Security updates have been issued by Debian (chromium and trafficserver), Fedora (chromium), Mageia (apache-mod_jk, gnome-shell, kernel, kmod-xtables-addons, and kmod-virtualbox, kernel-linus, and python3), Oracle (container-tools:ol8, dovecot, emacs, expat, firefox, git-lfs, gtk3, kernel, nano, net-snmp, osbuild-composer, python3, python3.11, python3.12, ruby:3.3, and virt:ol and virt-devel:rhel), Slackware (boost), SUSE (kernel), and Ubuntu (configobj, cups, cups-browsed, cups-filters, libcupsfilters, and libppd).

Security researcher Simone Margaritelli has reported a new vulnerability in CUPS, the software that many Linux systems use to manage printers and print jobs. Margaritelli describes the impact of the attack by saying:

A remote unauthenticated attacker can silently replace existing printers' (or install new ones) IPP urls with a malicious one, resulting in arbitrary command execution (on the computer) when a print job is started (from that computer).

The vulnerability relies on a few related problems in CUPS libraries and utilities; versions before 2.0.1 or 2.1b1 (depending on the component) may be affected.

Red Hat has released a security bulletin as well.

Danilo Krummrich gave a talk at Kangrejos 2024 focusing on the question of how the Rust-for-Linux project could improve at getting device and driver abstractions upstream. As a case study, he used some of his recent work that attempts to make it possible to write a PCI driver entirely in Rust. There wasn't time to go into as much detail as he would have liked, but he did demonstrate that it is possible to interface with the kernel's module loader in a way that is much harder to screw up than the current standard approach in C.

Version 17 of the PostgreSQL database has been released.

This release of PostgreSQL adds significant overall performance gains, including an overhauled memory management implementation for vacuum, optimizations to storage access and improvements for high concurrency workloads, speedups in bulk loading and exports, and query execution improvements for indexes. PostgreSQL 17 has features that benefit brand new workloads and critical systems alike, such as additions to the developer experience with the SQL/JSON JSON_TABLE command, and enhancements to logical replication that simplify management of high availability workloads and major version upgrades.

LWN recently covered some of the interesting new features and security enhancements in PostgreSQL 17.

The online-privacy-focused Tor project has announced that it has "joined forces and merged operations" with the Tails OS Linux distribution. Countering the threat of global mass surveillance and censorship to a free Internet, Tor and Tails provide essential tools to help people around the world stay safe online. By joining forces, these two privacy advocates will pool their resources to focus on what matters most: ensuring that activists, journalists, other at-risk and everyday users will have access to improved digital security tools.

In late 2023, Tails approached the Tor Project with the idea of merging operations. Tails had outgrown its existing structure. Rather than expanding Tails's operational capacity on their own and putting more stress on Tails workers, merging with the Tor Project, with its larger and established operational framework, offered a solution. By joining forces, the Tails team can now focus on their core mission of maintaining and improving Tails OS, exploring more and complementary use cases while benefiting from the larger organizational structure of The Tor Project.

The extensible scheduler class (sched_ext) enables the implementation of CPU schedulers as a set of BPF programs loaded from user space; it first hit the mailing lists in late 2022. Sched_ext has engendered its share of controversy since, but is currently slated to be part of the 6.12 kernel release. At the 2024 Linux Plumbers Conference, the growing sched_ext community held one of its first public gatherings; sched_ext would appear to have launched a new burst of creativity in scheduler design.

Security updates have been issued by AlmaLinux (container-tools:rhel8, dovecot, emacs, expat, git-lfs, go-toolset:rhel8, golang, grafana, grafana-pcp, gtk3, kernel, kernel-rt, nano, python3, python3.11, python3.12, and virt:rhel and virt-devel:rhel), Debian (mediawiki and puredata), Fedora (chisel), Mageia (glib2.0, gtk+2.0 and gtk+3.0, and python-astropy), Red Hat (git-lfs, grafana, grafana-pcp, kernel, and kernel-rt), SUSE (kubernetes1.24, kubernetes1.25, kubernetes1.26, kubernetes1.27, kubernetes1.28, opensc, and python36), and Ubuntu (apparmor, apr, ca-certificates, linux, linux-aws, linux-kvm, linux-lts-xenial, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-raspi, openjpeg2, ruby-rack, and tomcat8, tomcat9).

Here's a post on the Google Security Blog on how switching to a memory-safe language can quickly reduce vulnerabilities in a project, even if a large body of older code persists.

This leads to two important takeaways:

• The problem is overwhelmingly with new code, necessitating a fundamental change in how we develop code.
• Code matures and gets safer with time, exponentially, making the returns on investments like rewrites diminish over time as code gets older.

For example, based on the average vulnerability lifetimes, 5-year-old code has a 3.4x (using lifetimes from the study) to 7.4x (using lifetimes observed in Android and Chromium) lower vulnerability density than new code.

The LWN.net Weekly Edition for September 26, 2024 is available.

The Vanilla OS project has published a blog post to answer questions that users have raised since the release of Vanilla OS 2. The post has information about the update strategy for the distribution, an enterprise version with support, and plans for an experimental version called Vanilla OS Vision.

We are not planning for a potential Vanilla OS 3 because it is not yet necessary. As previously explained, our focus right now is on bug fixing and making the system as solid as possible, especially in light of collaborations with OEMs. We're all excited about laying the foundation for a third version of Vanilla OS, but we have responsibilities to attend to first.

This does not mean that there will never be one, nor does it mean that Orchid will become stagnant. On the contrary, as previously mentioned, our updates not only bring fixes but also updates to system components, improvements to existing features, and updates to components like GNOME (we are planning the release of GNOME 47 soon, for example).

In March, Danilo Krummrich announced the new Nova GPU driver — a successor to Nouveau for controlling NVIDIA GPUs. At Kangrejos 2024, Krummrich gave a presentation about what it is, why it's needed, and where it's going next. Hearing about the needs of the driver provoked extended discussion on related topics, including what level of safety is reasonable to expect from drivers, given that they must interact with the hardware.

The "Linus and Dirk show" has been a fixture at Open Source Summit for as long as the conference has existed; it started back when the conference was called LinuxCon. Since Linus Torvalds famously does not like to give talks, as he said during this year's edition at Open Source Summit Europe (OSSEU) in Vienna, Austria, he and Dirk Hohndel have been sitting down for an informal chat on a wide range of topics as a keynote session. That way, Torvalds does not need to prepare, but also does not know what topics will be brought up, which makes it "so much more fun for one of us", Hohndel said with a grin. The topics this time ranged from the just-released 6.11 kernel and the upcoming Linux 6.12, through Rust for the kernel, to the recurring topic of succession and the graying of Linux maintainers.

Security updates have been issued by Debian (booth), Gentoo (Xpdf), Oracle (go-toolset:ol8, golang, grafana, grafana-pcp, kernel, libnbd, openssl, pcp, and ruby:3.3), Red Hat (container-tools:rhel8, go-toolset:rhel8, golang, kernel, and kernel-rt), SUSE (apr, cargo-audit, chromium, obs-service-cargo, python311, python36, quagga, traefik, and xen), and Ubuntu (intel-microcode, linux-azure-fde-5.15, and puma).

Almost a decade ago KDE e.V., the non-profit organization that supports KDE, started a process for selecting goals to help the community unite behind a common vision for where the project should go in the near future. KDE recently wrapped up its 2022-2024 cycle and announced the goals for 2024-2026 at Akademy on September 7, in Würzburg, Germany. This time around, KDE will be looking to streamline its application-development experience, improve support for input devices, and bring in new contributors.

Version 10.0.0 of the HarfBuzz text-shaping engine has been released. Notable changes in this release include Unicode 16.0.0 support, adding Cairo script as an output format for hb-view, and a number of bug fixes.