
Welcome to LWN.net

LWN.net is a reader-supported news site dedicated to producing the best coverage from within the Linux and free software development communities. See the LWN FAQ for more information, and please consider subscribing to gain full access and support our activities.

[$] May the FOLL_FORCE not be with you

[Kernel] Posted Jul 26, 2024 14:19 UTC (Fri) by corbet

One of the simplest hardening concepts to understand is that memory should never be both writable and executable, otherwise an attacker can use it to load and run arbitrary code. That rule is generally followed in Linux systems, but there is a glaring loophole that is exploitable from user space to inject code into a running process. Attackers have duly exploited it. A new effort to close the hole ran into trouble early in the merge window, but a solution may yet be found in time for the 6.11 kernel release.

Full Story (comments: 2)

[$] What became of getrandom() in the vDSO

[Kernel] Posted Jul 25, 2024 16:19 UTC (Thu) by corbet

In the previous episode of the vgetrandom() story, Jason Donenfeld had put together a version of the getrandom() system call that ran in user space, significantly improving performance for applications that need a lot of random data while retaining all of the guarantees provided by the system call. At that time, it seemed that a consensus had built around the implementation and that it was headed toward the mainline in that form. A few milliseconds after that article was posted, though, a Linus-Torvalds-shaped obstacle appeared in its path. That obstacle has been overcome and this work has now been merged for the 6.11 kernel, but its form has changed somewhat.

Full Story (comments: 39)

[$] More informative kernel panics for Fedora

[Distributions] Posted Jul 25, 2024 15:34 UTC (Thu) by daroc

On July 12, Jocelyn Falempe proposed a change to the configuration options that Fedora sets for its kernels, in order to make kernel panics easier to report. Falempe would like to enable the kernel's recently added DRM-panic feature, which adds a graphical crash screen that is reminiscent of the infamous Windows "blue screen of death" for kernel panics. The feature introduces a few tradeoffs, including currently limited driver support, so the proposal spawned a good deal of discussion.

Full Story (comments: 2)

[$] LWN.net Weekly Edition for July 25, 2024

Posted Jul 25, 2024 2:01 UTC (Thu)

The LWN.net Weekly Edition for July 25, 2024 is available.

Inside this week's LWN.net Weekly Edition

  • Front: Thunderbird; Imitation intelligence; NumPy; Fedora telemetry; BPF verifier; 6.11 Merge window; Controlling script execution; Filesystem testing; Swap and FS-Cache.
  • Briefs: Let's Encrypt; OpenMandriva ROME 24.07; GNU C Library 2.40; OpenSSL governance; PSF grants; ASF brand; NGI funding; Quotes; ...
  • Announcements: Newsletters, conferences, security updates, patches, and more.

[$] Large folios, swap, and FS-Cache

[Kernel] Posted Jul 24, 2024 15:28 UTC (Wed) by jake

David Howells wanted to discuss swap handling in light of multi-page folios in a combined storage, filesystem, and memory-management session at the 2024 Linux Storage, Filesystem, Memory Management, and BPF Summit. Swapping has always been done with a one-to-one mapping of memory pages to swap slots, he said, but swapping multi-page folios breaks that assumption. He wondered if it would make sense to use filesystem techniques to track swapped-out folios.

Full Story (comments: 1)

[$] Lessons from the death and rebirth of Thunderbird

[Development] Posted Jul 24, 2024 14:38 UTC (Wed) by jzb

Ryan Sipes told the audience during his keynote at GUADEC 2024 in Denver, Colorado that the Thunderbird mail client "probably shouldn't still be alive". Thunderbird, however, is not only alive—it is arguably in better shape than ever before. According to Sipes, the project's turnaround is a result of governance, storytelling, and learning to be comfortable asking users for money. He would also like it quite a bit if Linux distributions stopped turning off telemetry.

Full Story (comments: 43)

[$] Imitation, not artificial, intelligence

[Development] Posted Jul 23, 2024 20:58 UTC (Tue) by jake

Simon Willison, co-creator of the popular Django web framework for Python, gave a keynote presentation at PyCon 2024 on a topic that is unrelated to that work: large language models (LLMs). The topic grew out of some other work that he is doing on Datasette, which is a Python-based "tool for exploring and publishing data". The talk was a look beyond the hype to try to discover what useful things you can actually do today using these models. Unsurprisingly, there were some cautionary notes from Willison, as well.

Full Story (comments: 71)

[$] A look inside the BPF verifier

[Kernel] Posted Jul 23, 2024 14:57 UTC (Tue) by daroc

LWN has covered BPF since its initial introduction to Linux, usually through the lens of the newest developments; this can make it hard to view the whole picture. BPF provides a way to extend a running kernel, without having to recompile and reboot. It does this in a safe way, so that malicious BPF programs cannot crash a running kernel, thanks to the BPF verifier. So how does the verifier actually work, what are its limits, and how has it changed since the early days of BPF?

Full Story (comments: 6)

[$] "Opt-in" metrics planned for Fedora Workstation 42

[Distributions] Posted Jul 22, 2024 13:54 UTC (Mon) by jzb

Red Hat, through members of the Fedora Workstation Working Group, has taken another swing at persuading the Fedora Project to allow metrics related to the real-world use of the Workstation edition to be collected. The first proposal, aimed for Fedora 40, was withdrawn to be reworked based on feedback. This time around, the proponents have shifted from asking for opt-out telemetry to opt-in metrics, with more detail about what would be collected and the policies that would govern data collection. The change seems to be on its way to approval by the Fedora Engineering Steering Council (FESCo) and is set to take effect for Fedora 42.

Full Story (comments: 36)

[$] A new major version of NumPy

[Development] Posted Jul 19, 2024 16:41 UTC (Fri) by daroc

The NumPy project released version 2.0.0 on June 16, the first major release of the widely used Python-based numeric-computing library since 2006. The release has been planned for some time, as an opportunity to clean up NumPy's API. As with most NumPy updates, there are performance improvements to several individual functions. There are only a few new features, but several backward-incompatible changes, including a change to NumPy's numeric-promotion rules. Changes to the Python API require relatively minor changes to Python code using the library, but the changes to the C API may be more difficult to adapt to. In both cases, the official migration guide describes what needs to be adapted to the new version.

Full Story (comments: 1)

Security updates for Friday

[Security] Posted Jul 26, 2024 13:47 UTC (Fri) by daroc

Security updates have been issued by AlmaLinux (linux-firmware and squid), Debian (bind9), Fedora (kubernetes, thunderbird, and tinyproxy), Oracle (containernetworking-plugins, cups, edk2, httpd, httpd:2.4, kernel, kernel-container, libreoffice, libuv, libvirt, python3, and runc), Red Hat (freeradius:3.0, httpd, and squid), and SUSE (giflib and python-dnspython).

Full Story (comments: none)

Rust 1.80.0 released

[Development] Posted Jul 25, 2024 14:59 UTC (Thu) by corbet

Version 1.80.0 of the Rust language has been released. Changes include the new LazyCell and LazyLock types (which delay data initialization until the first access), the stabilization of the exclusive-range syntax for match patterns, and more.

Comments (2 posted)

Three new stable kernels

[Kernel] Posted Jul 25, 2024 14:19 UTC (Thu) by jake

The 6.9.11, 6.6.42, and 6.1.101 stable kernels have been released. As usual, they contain important fixes throughout the tree.

Comments (none posted)

Security updates for Thursday

[Security] Posted Jul 25, 2024 14:03 UTC (Thu) by jake

Security updates have been issued by AlmaLinux (containernetworking-plugins, cups, edk2, httpd, httpd:2.4, libreoffice, libuv, libvirt, python3, and runc), Fedora (exim, python-zipp, xdg-desktop-portal-hyprland, and xmedcon), Red Hat (cups, fence-agents, freeradius, freeradius:3.0, httpd:2.4, kernel, kernel-rt, nodejs:18, podman, and resource-agents), Slackware (htdig and libxml2), SUSE (exim), and Ubuntu (ocsinventory-server, php-cas, and poppler).

Full Story (comments: none)

Linux Mint 22 "Wilma" released

[Distributions] Posted Jul 25, 2024 13:53 UTC (Thu) by jzb

Linux Mint has announced version 22 of the distribution in three editions: Cinnamon, MATE, and Xfce. Mint 22 is based on Ubuntu 24.04 and uses kernel version 6.8.0:

Linux Mint 22 is a long term support release which will be supported until 2029. It comes with updated software and brings refinements and many new features to make your desktop even more comfortable to use.

LWN covered the Linux Mint 22 beta in early July. See the new features page and release notes for more information on this release.

Comments (none posted)

Stable kernel update 6.10.1

[Kernel] Posted Jul 24, 2024 17:02 UTC (Wed) by jzb

Greg Kroah-Hartman has released the 6.10.1 stable kernel update. This release contains a small number of seemingly urgent regression fixes. Users of this kernel series are advised to upgrade.

Comments (2 posted)

OpenMandriva ROME 24.07 released

[Distributions] Posted Jul 24, 2024 16:25 UTC (Wed) by jzb

Updated installation images for the OpenMandriva ROME rolling release Linux distribution are now available. Notable features in the 24.07 snapshot include KDE Plasma 6 as the default desktop, the addition of Proton and Proton experimental packages for playing Windows games on Linux, as well as GNOME 46.3 and LXQt 2.0.0 spins.

Comments (none posted)

OpenSSL announces new governance structure

[Development] Posted Jul 24, 2024 15:58 UTC (Wed) by jzb

OpenSSL has announced that it has adopted a new governance framework:

The OpenSSL Management Committee (OMC) has been dissolved, and two boards of directors have been elected for the Foundation and the Corporation. Each organization has ten voting members. These boards share all the responsibilities and authorities of the former OMC co-equally.

To further engage our communities, we are establishing two advisory committees for each entity: a Business Advisory Committee (BAC) and a Technical Advisory Committee (TAC). The communities will elect the members of the BACs and TACs, creating a direct channel for community input in roadmap development and reflecting the diverse perspectives of OpenSSL's communities.

OpenSSL has also announced that two projects have adopted the OpenSSL Mission and become OpenSSL projects: Bouncy Castle, which provides cryptographic APIs for Java and C#, and the cryptlib security software development toolkit. See the announcement for full details.

Comments (18 posted)

Let's Encrypt plans to drop support for OCSP

[Briefs] Posted Jul 24, 2024 13:19 UTC (Wed) by daroc

Let's Encrypt has announced that it intends to end support "as soon as possible" for the Online Certificate Status Protocol (OCSP) over privacy concerns. OCSP was developed as a lighter-weight alternative to Certificate Revocation Lists (CRLs) that did not involve downloading the entire CRL in order to check whether a certificate was valid. Let's Encrypt will continue supporting OCSP as long as it is a requirement for Microsoft's Trusted Root Program, but hopes to discontinue it soon:

We plan to end support for OCSP primarily because it represents a considerable risk to privacy on the Internet. When someone visits a website using a browser or other software that checks for certificate revocation via OCSP, the Certificate Authority (CA) operating the OCSP responder immediately becomes aware of which website is being visited from that visitor's particular IP address. Even when a CA intentionally does not retain this information, as is the case with Let's Encrypt, CAs could be legally compelled to collect it. CRLs do not have this issue.

People using Let's Encrypt as their CA should, for the most part, not need to change their setups. All modern browsers support CRLs, so end-users shouldn't notice an impact either.

Comments (6 posted)

Security updates for Wednesday

[Security] Posted Jul 24, 2024 12:59 UTC (Wed) by jzb

Security updates have been issued by Fedora (ghostscript and xmedcon), Gentoo (Dmidecode, ExifTool, and Freenet), Red Hat (containernetworking-plugins, cups, edk2, httpd, httpd:2.4, kernel, kernel-rt, krb5, libreoffice, libuv, libvirt, linux-firmware, nghttp2, nodejs, openssh, python3, runc, thunderbird, and tpm2-tss), Slackware (aaa_glibc, bind, and mozilla), SUSE (postgresql14, python-sentry-sdk, and shadow), and Ubuntu (activemq, bind9, haproxy, nova, provd, python-zipp, squid, squid3, and tomcat).

Full Story (comments: none)


Copyright © 2024, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds