lwn.net
Kernel prepatch 6.8-rc6
Last week I said that I was hoping things would calm down a bit. Technically things did calm down a bit, and rc6 is smaller than rc5 was. But not by a huge amount, and honestly, while there's nothing really alarming here, there's more here than I would really like at this point in the release.
So this may end up being one of those releases that get an rc8. We'll see.
Git 2.44.0 released
[$] Forgejo makes a full break from Gitea
The world of open-source "forges" is becoming a little more fragmented. The Forgejo project is a software-development platform that started as a "soft" fork of Gitea in late 2022. On February 16, Forgejo announced its intent to become a "hard fork" of Gitea to help address its mission of community-controlled development and to "liberate software development from the shackles of proprietary tools". In a world where proprietary tools cast a long shadow over open-source development that's a welcome sentiment—if the project can deliver.
Lots of new stable kernels
Security updates for Friday
Stenberg: DISPUTED, not REJECTED
The Curl project has previously had problems with CVEs issued for things that are not security issues. On February 21, Daniel Stenberg wrote about the Curl project's most recent issue with the CVE system, saying:
I keep insisting that the CVE system is broken and that the database of existing CVEs hosted by MITRE (and imported into lots of other databases) is full of questionable content and plenty of downright lies. A primary explanation for us being in this ugly situation is that it is simply next to impossible to get rid of invalid CVEs.
[$] When ELF notes reveal too much
Security updates for Thursday
[$] LWN.net Weekly Edition for February 22, 2024
[$] Sudo and its alternatives
[$] A proposal for shared memory in BPF programs
Alexei Starovoitov introduced a patch series for the Linux kernel on February 6 to add bpf_arena, a new type of shared memory between BPF programs and user space. Starovoitov expects arenas to be useful both for bidirectional communication between user space and BPF programs, and for use as an additional heap for BPF programs. This will likely be useful to BPF programs that implement complex data structures directly, instead of relying on the kernel to supply them. Starovoitov cited Google's ghOSt project as an example and inspiration for the work.
RawTherapee 5.10 released
Security updates for Wednesday
The "KeyTrap" DNS vulnerability
With just a single DNS packet, hackers could paralyze all common DNS implementations and public DNS providers. Exploiting this attack would have serious consequences for any application that uses the internet, including the unavailability of technologies such as web browsers, email and instant messaging. This devastating effect prompted major DNS vendors to call KeyTrap "The worst attack on DNS ever discovered"
Some more information and pointers to updates can be found on the CVE-2023-50387 page; some distributors have been faster to get updates out than others.
(Thanks to Dave Täht).
[$] A modest update to Qubes OS
Qubes OS is a security-focused desktop Linux distribution built on Fedora Linux and the Xen hypervisor. Qubes uses virtualization to run applications, system services, and device access via virtual machines called "qubes" that have varying levels of trust and persistence to provide an open-source "reasonably secure" operating system with "serious privacy". The Qubes 4.2.0 release, from December 2023, brings a number of refinements to make Qubes OS easier to manage and use.
Righi: Writing a scheduler for Linux in Rust that runs in user-space
.select_cpu() implements the logic to assign a target CPU to a task that wants to run, typically you have to decide if you want to keep the task on the same CPU or if it needs to be migrated to a different one (for example if the current CPU is busy); if we can find an idle CPU at this stage there’s no reason to call the scheduler, the task can be immediately dispatched here.
Hare programming language 0.24.0 released
Drew DeVault announced the first numbered release of the Hare programming language on February 16.
Many Hare users want to ship their Hare projects to users, and as such, software written in Hare is making its way into Linux distributions and the like. However, due to Hare's unstable nature, we have not provided any versioned releases, forcing any distributions who want to package Hare to package Hare's master branch, which is less than ideal.
Security updates for Tuesday
[$] A Spritely distributed-computing library
Spritely is a project seeking to build a platform for sovereign distributed applications — applications where users run their own nodes in order to control their own data — as the basis of a new social internet. While there are many such existing projects, Spritely takes an unusual approach based on a new interoperable protocol for efficient, secure remote procedure calls (RPC). The project is in its early stages, with many additional features planned, but it is already possible to play around with Goblins, the distributed actor library that Spritely intends to build on.