Linux Weekly News

Security updates have been issued by Debian (freeimage, ghostscript, intel-microcode, spip, and xorg-server), Fedora (chromium, perl, perl-Devel-Cover, perl-PAR-Packer, polymake, PyDrive2, seamonkey, and vim), Gentoo (Leptonica), Mageia (audiofile, gimp, golang, and poppler), Oracle (buildah, containernetworking-plugins, gstreamer1-plugins-bad-free, kernel, kernel-container, libxml2, pixman, podman, postgresql, postgresql:15, runc, skopeo, tracker-miners, and webkit2gtk3), and SUSE (fish).

Linus has released 6.7-rc6 for testing. " Please do give this a test in between the last-minute xmas shopping or whatever else is going on ..."

Changwoo Min provides an introduction to the sched_ext scheduling class:

Sched_ext was proposed to address the problems mentioned above. It allows users to write a custom scheduling policy using BPF without modifying the kernel code. You don't need to struggle to maintain the out-of-tree custom scheduler. In addition, BPF provides a safe kernel programming environment. In particular, the BPF verifier ensures that your custom scheduler has neither a memory bug nor an infinite loop. Also, if your custom scheduler misbehaves -- like failing to schedule a task for too long (say 30 seconds), the kernel portion of sched_ext kills your custom scheduler and falls back to the default kernel scheduler (CFS or EEVDF). Last but not least, you can update the BPF scheduler without reinstalling the kernel and rebooting a server.

(LWN looked at sched_ext in February 2023).

In response to the expressed unhappiness over the recent logo-selection process in the openSUSE project (covered in this article), the project has announced that there will be a new vote:

During the community meeting this week where the results were discussed, participants expressed the view that members of the openSUSE Project have an opportunity to participate in the selection of our new logo, and that SUSE, which holds the trademark to the openSUSE logo, be involved with the process for selecting a branding decision with regard to the results. After all, this decision impacts the collective identity.

To facilitate this, there is a plan to organize a vote between the current logo and the proposed new design, allowing our community to have a say in this important decision. Furthermore, members of the project are collaborating with SUSE on the implications of the branding initiatives and some have expressed the desire for SUSE’s input to ensure there is an aligned vision for the future of openSUSE.

The gccrs project is an ambitious effort started in 2014 to implement a Rust compiler within The GNU Compiler Collection (GCC). Even though the task is far from complete, progress has been made since LWN's previous coverage, according to reports from the project. Meanwhile, another hybrid and more mature approach to GCC Rust code generation is available in rustc_codegen_gcc.

Security updates have been issued by Debian (bluez and haproxy), Fedora (curl, dotnet6.0, dotnet7.0, tigervnc, and xorg-x11-server), Red Hat (avahi and gstreamer1-plugins-bad-free), Slackware (bluez), SUSE (cdi-apiserver-container, cdi-cloner-container, cdi- controller-container, cdi-importer-container, cdi-operator-container, cdi- uploadproxy-container, cdi-uploadserver-container, cont, cosign, curl, gstreamer-plugins-bad, haproxy, ImageMagick, kernel, kernel-firmware, libreoffice, tiff, traceroute, tracker-miners, webkit2gtk3, and xrdp), and Ubuntu (audiofile, budgie-extras, libreoffice, strongswan, vim, and yajl).

Wietse Venema posted a note to the postfix-users mailing list about the 25th anniversary of the Postfix mail server. As can be seen, it had a pivotal role in bringing more awareness of open-source software to IBM. Beyond that, of course, it is an excellent piece of software in its own right. As a few on this list may recall, it is 25 years ago today that the "IBM secure mailer" had its public beta release. This was accompanied by a nice article in the New York Times business section.

There is some literature at https://www.postfix.org/press.html that attests how this project accelerated open-source adoption by a very large company.

That release was even noticed by a small publication in its first year of operation.

(Thanks to Kees van Vloten.)

The kernel's stable-update process is intended to produce kernels that are, well, stable; when that promise is lived up to, users can update to newer stable updates without fear. By any account, a bug that corrupts data on ext4 filesystems constitutes a failure to hold to that promise. As is so often the case, this problem is the result of a chain of failures in a system that works well most of the time.

Security updates have been issued by Debian (chromium and rabbitmq-server), Fedora (chromium, kernel, perl-CryptX, and python-jupyter-server), Mageia (curl), Oracle (curl and postgresql), Red Hat (gstreamer1-plugins-bad-free, linux-firmware, postgresql, postgresql:10, and postgresql:15), Slackware (xorg), SUSE (catatonit, containerd, runc, container-suseconnect, gimp, kernel, openvswitch, poppler, python-cryptography, python-Twisted, python3-cryptography, qemu, squid, tiff, webkit2gtk3, xorg-x11-server, and xwayland), and Ubuntu (xorg-server and xorg-server, xwayland).

The LWN.net Weekly Edition for December 14, 2023 is available.

A contest for new logos for the openSUSE project and for four separate distributions of it, Tumbleweed, Leap, Slowroll, and Kalpa, has turned into a bit of an uproar in that community. A vote has been held on the candidates and winners have been announced, but some are questioning why there is a need to change the existing logo (the "Geeko" chameleon) at all. In addition, there are questions about whether the new logo will be trademarked (as previous ones have been)—and how many years that will take.

The 6.6.7, 6.1.68, 5.15.143, 5.10.204, 5.4.264, 4.19.302, and 4.14.333 stable kernel updates have all been released; each contains another set of important fixes.

The Rust for Linux (RFL) project may not have (yet) resulted in user-visible changes to the Linux kernel, but it seems the wider world has taken notice. Hongyu Li has announced that the Rust for Linux code is now part of a satellite just launched out of China. The satellite is running a system called RROS, which follows the old RTLinux pattern of running a realtime kernel alongside Linux. The realtime core is written in Rust, using the RFL groundwork.

Despite its imperfections, we still want to share RROS with the community, showcasing our serious commitment to using RFL for substantial projects and contributing to the community's growth. Our development journey with RROS has been greatly enriched by the support and knowledge from the RFL community. We also have received invaluable assistance from enthusiastic forks here, especially when addressing issues related to safety abstraction

(Thanks to Dirk Behme).

A new book called OpenPGP for application developers has been released under the Creative Commons BY-SA license.

This document is not intended for end-users or implementers of OpenPGP libraries (or other software that directly handles internal OpenPGP data structures).

Instead, this document is focused on the second group, application developers, who use OpenPGP functionality in their software projects. It describes the properties of the OpenPGP system and its uses. It presupposes solid knowledge of software development concepts and of general cryptographic concepts. Thus, this text describes OpenPGP at the “library-level,” teaching concepts that will help software developers get started as a user of any implementation (e.g., OpenPGP.js, Sequoia-PGP).

Security updates have been issued by Debian (debian-security-support and xorg-server), Fedora (java-17-openjdk, libcmis, and libreoffice), Mageia (fish), Red Hat (buildah, containernetworking-plugins, curl, fence-agents, kernel, kpatch-patch, libxml2, pixman, podman, runc, skopeo, and tracker-miners), SUSE (kernel, SUSE Manager 4.3.10 Release Notes, and SUSE Manager Client Tools), and Ubuntu (gnome-control-center, linux-gcp, linux-kvm, linux-gkeop, linux-gkeop-5.15, linux-hwe-6.2, linux-lowlatency-hwe-6.2, linux-nvidia-6.2, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, netatalk, and pydantic).

Konstantin Ryabitsev has announced that the movement of kernel mailing lists away from the venerable vger.kernel.org system is nearly complete:

Over the past few months we've migrated all of the vger.kernel.org mailing lists, with the exception of the Big One (linux-kernel, aka LKML). This list alone is responsible for about 80% of all vger mailing list traffic, so we left it for the last.

This Thursday, December 14, at 11AM Pacific (19:00 UTC), we will switch the MX record for vger to point to the new location (subspace.kernel.org), which will complete the mailing list migration from the legacy vger server to the new infrastructure.

The story of Canonical's takeover of the LXD container manager, and the subsequent creation of the Incus fork, has been simmering for a while. Now Incus developer Stéphane Graber reports that Canonical has changed the license and contribution terms for LXD:

Per the commit message performing the re-licensing, all further contributions will be under the AGPLv3 license and all contributions from Canonical employees have been re-licensed to AGPLv3.

However, Canonical does not own the copyright on any contribution from non-employees, such as the many changes they have imported from Incus over the past few months. Those therefore remain under the Apache2 license that they were contributed under.

As a result, Canonical cannot release LXD under the AGPLv3 license and likely never will be able to. LXD is now under a weird mix of Apache2 and AGPLv3 with no clear metadata indicating what file or what part of each file is under one license or the other.

He also notes that this change will put an end to the flow of patches — in either direction — between the two projects.

So-called "immutable" Linux distributions have been in development for some time, but (unless you count Chrome OS) haven't gained much traction. Project Bluefin, is a heavily customized set of Fedora Silverblue images coming from the Universal Blue community; they are designed to deliver a reliable Linux desktop that's as easy to use as a Chromebook but more customizable. Bluefin's mission is to change up the desktop experience and attract a new generation of open-source contributors with a "cloud-native" take on developing and delivering the operating system.

Security updates have been issued by Debian (libreoffice and webkit2gtk), Fedora (java-1.8.0-openjdk and seamonkey), Oracle (apr, edk2, kernel, and squid:4), Red Hat (postgresql:12, tracker-miners, and webkit2gtk3), SUSE (curl, go1.20, go1.21, hplip, openvswitch, opera, squid, and xerces-c), and Ubuntu (binutils, ghostscript, libreoffice, linux, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15, linux-gcp, linux-gke, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-kvm, linux-nvidia, linux-oracle, linux-oracle-5.15, linux-raspi, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-xilinx-zynqmp, postfixadmin, python3.11, and webkit2gtk).

James Bottomley writes that open-source developers are increasingly likely to be held liable for flaws in their code and suggests a solution:

Indemnification means one party, in particular circumstances, agreeing to be on the hook for the legal responsibilities of another party. This is actually a well known way not of avoiding liability but transferring it to where it belongs. As such, it’s easily sellable in the court of public opinion: we’re not looking to avoid liability, merely trying to make sure it lands on those who are making all the money from the code.