Linux Weekly News

The Register attended a talk about Ubuntu's upcoming Core Desktop immutable distribution.

We suspect that Core Desktop might yet be the tool that validates Canonical's Snap format and helps to overcome some of the resistance it faces. Snap's single-file distribution format is simple and enables transactional installation – including, critically, rollback – without a fancy filesystem underneath, or elaborate distribution methods such as libostree.

Security updates have been issued by Debian (python-urllib3 and tang), Fedora (chromium, mlpack, open-vm-tools, and salt), Red Hat (avahi, binutils, buildah, c-ares, cloud-init, containernetworking-plugins, cups, curl, dnsmasq, edk2, flatpak, frr, gdb, ghostscript, glib2, gmp, grafana, haproxy, httpd, mod_http2, java-21-openjdk, kernel, krb5, libfastjson, liblouis, libmicrohttpd, libpq, libqb, librabbitmq, LibRaw, libreoffice, libreswan, libssh, libtiff, libvirt, libX11, linux-firmware, mod_auth_openidc, ncurses, nghttp2, opensc, pcs, perl-CPAN, perl-HTTP-Tiny, podman, procps-ng, protobuf-c, python-cryptography, python-pip, python-tornado, python-wheel, python3.11, python3.11-pip, python3.9, qemu-kvm, qt5 stack, runc, samba, samba, evolution-mapi, openchange, shadow-utils, skopeo, squid, sysstat, tang, tomcat, toolbox, tpm2-tss, webkit2gtk3, wireshark, xorg-x11-server, xorg-x11-server-Xwayland, and yajl), Slackware (sudo), SUSE (squid), and Ubuntu (python-urllib3).

There has been a lot of action for the Python C API in the last month or so—much of it organizational in nature. As predicted in our late September article on using the "limited" C API in the standard library, the core developer sprint in October was the scene of some discussions about the API and the plans for it. Out of those discussions have come two PEPs, one of which describes the API, its purposes, strengths, and weaknesses, while the other would establish a C API working group to coordinate and oversee the development and maintenance of it.

Alexander "Solar Designer" Peslyak, the longtime maintainer of the oss-security and linux-distros mailing lists, has announced that this work has gained a sponsor:

After 15+ years of being a 100% volunteer effort, Openwall's maintenance of oss-security and (linux-)distros is finally sponsored by the OpenSSF, a project of the Linux Foundation. This sponsorship does not provide the Linux Foundation with the ability to set policies for community resources managed by Openwall. I am grateful for the support, which will help ensure continued operation of these resources on a new level while retaining independence.

As part of this arrangement, Peslyak is now producing statistics on vulnerability handling; the first set for 2023 has been posted.

Fedora 39 has been released, one day after the Fedora project's 20th anniversary. See the list of approved changes and this Fedora Magazine article for more information.

As always, we’ve updated many, many other packages as we work to bring you the best of everything the free and open source software world has to offer. Fedora Linux 39 includes gcc 13.2, binutils 2.40, glibc 2.38, gdb 13.2, and rpm 4.19. It also has updates to popular programming language stacks, including Python 3.12 and Rust 1.73.

Security updates have been issued by Debian (trapperkeeper-webserver-jetty9-clojure), Mageia (libsndfile, packages, thunderbird, and x11-server), Oracle (.NET 6.0), SUSE (kernel, kubevirt, virt-api-container, virt-controller-container, virt-handler-container, virt-launcher-container, virt-libguestfs-tools- container, virt-operator-container, redis, and squid), and Ubuntu (gsl).

Containers and virtual machines on Linux communicate with the world via virtual network devices. This arrangement makes the full power of the Linux networking stack available, but it imposes the full overhead of that stack as well. Often, the routing of this networking traffic can be handled with relatively simple logic; the BPF-programmable network device, which was merged for the 6.7 kernel release, makes it possible to avoid expensive network processing, in at least some cases.

Security updates have been issued by Debian (chromium, open-vm-tools, openjdk-17, pmix, and trafficserver), Fedora (netconsd, podman, suricata, and usd), Oracle (.NET 6.0, .NET 7.0, binutils, ghostscript, java-1.8.0-openjdk, kernel, and squid), SUSE (apache-ivy, gstreamer-plugins-bad, kernel, nodejs12, opera, poppler, rubygem-activesupport-5.2, tiff, util-linux, and virtualbox), and Ubuntu (krb5).

The Google Project Zero blog celebrates the launch of the Pixel 8 handset, the first to make use of Arm's Memory Tagging Extension (MTE). Linux has supported MTE since the 5.10 release in 2020, but that support has only now shown up (in experimental form) in an available handset.

I think this is a huge improvement for the general security of the device - many zero-click attack surfaces involve large amounts of unsafe C/C++ code, whether that's WebRTC for calling, or one of the many media or image file parsing libraries. MTE is not a silver bullet for memory safety - but the release of the first production device with the ability to run almost all user-mode applications with synchronous-MTE is a huge step forward, and something that's worth celebrating!

The article includes detailed instructions for how to turn the MTE feature on.

The Open Enterprise Linux Association, a joint venture founded by CIQ, Oracle, and SUSE, has announced its first code release.

OpenELA is excited to announce that the source code for all packages necessary for anyone to build a derivative Enterprise Linux operating system is now available. The initial focus is on EL8 and EL9, and packages for EL7 are forthcoming. The project is committed to ensuring the continued availability of EL sources to the community indefinitely.

The organization has also announced a technical steering committee made up of "highly experienced individuals from the founding companies".

As of this writing, 9,842 non-merge changesets have found their way into the mainline repository since the 6.7 merge window opened. Nearly a third of those consist of the entire bcachefs development history but, even discounting that, there has been a lot of material landing for the next release. Read on for a summary of the most interesting changes pulled so far in this development cycle.

Security updates have been issued by Debian (phppgadmin and vlc), Fedora (attract-mode, chromium, and netconsd), Red Hat (.NET 7.0, c-ares, curl, ghostscript, insights-client, python, squid, and squid:4), SUSE (kernel and roundcubemail), and Ubuntu (libsndfile).

One of the core objectives of any confidential-computing implementation is to protect a guest system's memory from access by actors outside of the guest itself. The host computer and hypervisor are part of the group that is to be excluded from such access; indeed, they are often seen as threat in their own right. Hardware vendors have added features like memory encryption to make memory inaccessible to the host, but such features can be difficult to use and are not available on all CPUs, so there is ongoing interest in software-only solutions that can improve confidentiality. The guest-first memory patch set, posted by Sean Christopherson and containing work by several developers, looks poised to bring some software-based protection to an upcoming kernel release.

Julia Evans has posted a list of confusing Git terms and behavior along with explanations of what is actually going on.

“Your branch is up to date with ‘origin/main’”

This message seems straightforward – it’s saying that your main branch is up to date with the origin!

But it’s actually a little misleading. You might think that this means that your main branch is up to date. It doesn’t. What it actually means is – if you last ran git fetch or git pull 5 days ago, then your main branch is up to date with all the changes as of 5 days ago.

So if you don’t realize that, it can give you a false sense of security.

Home Assistant 2023.11 is available. New features include a to-do list manager, Matter 1.2 support, customizable tile cards, new integrations, and more. (LWN looked at Home Assistant last month).

The GNU awk text-processing utility, gawk, has released version 5.3.0. The main new features add compatibility with "The One True Awk" (also known as "BWK awk"); version 5.3.0 adds CSV (comma-separated values) parsing and the ability to use \u escape sequences for Unicode code points. Read on for other changes in the release.

The 6.5.10 and 6.1.61 stable kernels have been released. As usual, they contain important fixes throughout the kernel tree; users of those series should upgrade.

Security updates have been issued by Gentoo (Netatalk), Oracle (firefox), Red Hat (.NET 6.0, .NET 6.0, .NET 7.0, binutils, and qemu-kvm), SUSE (gcc13, tomcat, and xorg-x11-server), and Ubuntu (axis, libvpx, linux-starfive, thunderbird, and xrdp).

The LWN.net Weekly Edition for November 2, 2023 is available.

LWN.net is looking to hire a full-time writer/editor to help us keep the news flowing and to expand our content in areas of interest to our readers. We are certain that the person we need is out there somewhere, and are counting on help from LWN readers to find them. Read on for details on who we are looking for and how we see them fitting in here.