2 weeks 5 days ago
Wayne Davison has announced
the release of rsync version 3.3.0, which
contains a number of bug fixes and minor enhancements. Davison has
also announced a change in maintainers and a move to a new GitHub
project:
The github repos have moved to a new RsyncProject organization. Because
various life events have been monopolizing my time, I reached out to
Tridge [Andrew Tridgell] (the original author) and he has graciously agreed to get back into rsync
work, along with Paul Mackerras, who was also an early contributor to
rsync. This new team will be working mainly on maintenance tasks, and not
so much on new features. If you want to get involved, feel free to reach
out on the new discord RsyncProject channels.
The new GitHub organization is here.
jzb
2 weeks 6 days ago
The nominations have closed and campaigning is underway to see who
will be the next Debian Project Leader (DPL). This year, two
candidates are campaigning for the position Jonathan Carter has
held for four eventful years: Sruthi Chandran and
Andreas Tille. Topics that have emerged so far include how the
prospective DPLs would spend project money, their opinions on handling
controversial topics, and project diversity.
jzb
2 weeks 6 days ago
OpenBSD 7.5 has been released. The list of changes and improvements is, as
usual, long; it includes the pinsyscalls() functionality covered
here in January.
corbet
2 weeks 6 days ago
The Eclipse Foundation, the organization
behind the Eclipse IDE and many other software projects, announced
a collaboration between several different open-source-software foundations to
create a specification describing secure software development best practices.
This work is motivated by the European Union's Cyber Resilience Act (CRA).
The leading open source communities and foundations have for
years developed and practised secure software development
processes. These are processes that have often defined or set
industry best practices around things such as coordinated
disclosure, peer review, and release processes. These processes
have been documented by each of these communities, albeit
sometimes using different terminology and approaches. We
hypothesise that the cybersecurity process technical
documentation that already exists amongst the open source
communities can provide a useful starting point for developing
the cybersecurity processes required for regulatory compliance.
(Thanks to Martin Michlmayr.)
daroc
2 weeks 6 days ago
Version 7.0 of the FFmpeg audio/video toolkit is out. "The most noteworthy changes for
most users are a native VVC decoder (currently experimental, until more
fuzzing is done), IAMF support, or a multi-threaded ffmpeg CLI tool".
There's also the usual list of new formats and codecs, and a few deprecated
features have been removed.
corbet
2 weeks 6 days ago
Security updates have been issued by Debian (cockpit), Mageia (python-pygments), Red Hat (nodejs), Slackware (httpd and nghttp2), SUSE (avahi, gradle, gradle-bootstrap, and squid), and Ubuntu (xorg-server, xwayland).
daroc
3 weeks ago
The 6.8.4 and 6.6.25 stable kernels have been released.
They both contain 11 reversions of workqueue patches.
jake
3 weeks ago
V8, the JavaScript engine used in Chrome, announced
that its memory sandbox is no longer experimental.
Chrome 123 could therefore be considered to be a sort of "beta"
release for the sandbox. This blog post uses this opportunity to
discuss the motivation behind the sandbox, show how it prevents
memory corruption in V8 from spreading within the host process, and
ultimately explain why it is a necessary step towards memory safety.
daroc
3 weeks ago
Among the numerous approaches to funding the development and advancement of
open-source software, corporate sponsorship in the form of donations to umbrella
organizations is perhaps the most visible. At SCALE21x in Pasadena, California,
Duane O'Brien presented
a slice of his recent research into the landscape of such sponsorship arrangements,
with an overview of the identifiable trends of the past ten years and some initial
insights he hopes are valuable for sponsors and community members alike.
jzb
3 weeks ago
Version 6.0 LTS of the Incus container management system has been released.
"This is a major milestone for Incus as it marks our first release with
extended support, suitable for use in production environments where monthly
feature releases aren't suitable." Changes include swap limits for
containers, a new shell completion mechanism, support for the creation of
VLAN interfaces, improved live migration, and more.
corbet
3 weeks ago
Security updates have been issued by CentOS (firefox and thunderbird), Debian (chromium and gtkwave), Fedora (micropython), Slackware (xorg), SUSE (util-linux and xen), and Ubuntu (firefox).
jake
3 weeks 1 day ago
The LWN.net Weekly Edition for April 4, 2024 is available.
corbet
3 weeks 1 day ago
AlmaLinux has announced
updated kernels for AlmaLinux 8 and 9 to address CVE-2024-1086, a
use-after-free vulnerability in the kernel that could be exploited to
gain local privilege escalation. This is notable because the fix
marks a divergence between AlmaLinux and Red Hat Enterprise Linux (RHEL):
In January of this year, a kernel flaw was disclosed and named CVE-2024-1086.
This flaw is trivially exploitable on most RHEL-equivalent
systems. There are many proof-of-concept posts available now,
including one from our Infrastructure team lead, Jonathan Wright (Dealing
with CVE-2024-1086). In multi-user scenarios, this flaw is
especially problematic.
Though this was flagged as something to be fixed in Red Hat
Enterprise Linux, Red Hat has only rated this as a moderate
impact.
The AlmaLinux project would also like to note that it is not
impacted by the XZ backdoor. "Because enterprise Linux takes a bit
longer to adopt those updates (sometimes to the chagrin of our users),
the version of XZ that had the back door inserted hadn't made it
further than Fedora in our ecosystem."
jzb
3 weeks 1 day ago
David Malcolm writes about some static-analyzer features that are coming
in the GCC 14 release.
Solving the halting problem?
Obviously I'm kidding with the title here, but for GCC 14 I've
implemented a new warning: -Wanalyzer-infinite-loop that's able to
detect some simple cases of infinite loops.
See also: this report from the 2023 GNU
Tools Cauldron.
corbet
3 weeks 1 day ago
The 6.8.3, 6.7.12, 6.6.24, and 6.1.84 stable kernel updates have been
released. Each contains an important set of fixes. Note that 6.7.12 is
the final release for the 6.7.y series, and that branch is now
end-of-life. Users should move to the 6.8.y branch.
jzb
3 weeks 1 day ago
The Rust programming language differs from C in many ways; those
differences tend to be what users admire in the language. But those
differences can also lead to an impedance mismatch when Rust code is
integrated into a C-dominated system, and it can be even worse in the
kernel, which is not a typical C program. Memory models are a case in
point. A programming language's view of memory is sufficiently fundamental
and arcane that many developers never have to learn much about it. It is
hard to maintain that sort of blissful ignorance while working in the
kernel, though, so a recent discussion of how to choose a memory model for
kernel code in Rust is of interest.
corbet
3 weeks 1 day ago
The SUSE Security Team Blog is carrying a detailed article on SUSE's
review of the KDE6 release.
The SUSE security team restricts the installation of system wide
D-Bus services and Polkit policies in openSUSE distributions and
derived SUSE products. Any package that ships these features needs
to be reviewed by us first, before it can be added to production
repositories.
In November, openSUSE KDE packagers approached us with a long list
of KDE components for an upcoming KDE6 major release. The packages
needed adjusted D-Bus and Polkit whitelistings due to renamed
interfaces or other breaking changes. Looking into this many
components at once was a unique experience that also led to new
insights, which will be discussed in this article.
corbet
3 weeks 1 day ago
Security updates have been issued by Debian (py7zr), Fedora (biosig4c++ and podman), Oracle (kernel, kernel-container, and ruby:3.1), Red Hat (.NET 7.0, bind9.16, curl, expat, grafana, grafana-pcp, kernel, kernel-rt, kpatch-patch, less, opencryptoki, and postgresql-jdbc), and Ubuntu (cacti).
jzb
3 weeks 1 day ago
The first stable release of Redict, a fork of the Redis in-memory database
under a copyleft license, has been
announced.
You may be wondering why Redict would be of interest to you,
particularly when compared with Valkey,
another Redis fork that was announced on Thursday.
In technical terms, we are focusing on stability and long-term
maintenance, and on achieving excellence within our current
scope. We believe that Redict is near feature-complete and that it
is more valuable to our users if we take a conservative stance to
innovation and focus on long-term reliability instead. This is in
part a choice we've made to distinguish ourselves from Valkey,
whose commercial interests are able to invest more resources into
developing more radical innovations, but also an acknowledgement of
a cultural difference between our projects, in that the folks
behind Redict place greater emphasis on software with a finite
scope and ambitions towards long-term stability rather than
focusing on long-term growth in scope and complexity.
corbet
3 weeks 2 days ago
Versions 5.6.0 and 5.6.1 of the XZ compression utility and library
were shipped with a backdoor that targeted OpenSSH.
Andres Freund discovered the backdoor by noticing that failed SSH logins
were taking a lot of CPU time while doing some micro-benchmarking, and
tracking down the backdoor from there. It was introduced
by XZ co-maintainer "Jia Tan" — a probable alias for person or persons unknown.
The backdoor is a sophisticated attack with multiple parts, from the build
system, to link time, to run time.
daroc
LWN.net is a comprehensive source of news and opinions from
and about the Linux community. This is the main LWN.net feed,
listing all articles which are posted to the site front page.