Linux Weekly News

This Ars Technica article looks at the widespread deployment of Google's "privacy sandbox" in the Chrome browser:

If you haven't been following this, this feature will track the web pages you visit and generate a list of advertising topics that it will share with web pages whenever they ask, and it's built directly into the Chrome browser. It's been in the news previously as "FLoC" and then the "Topics API," and despite widespread opposition from just about every non-advertiser in the world, Google owns Chrome and is one of the world's biggest advertising companies, so this is being railroaded into the production builds.

For those who use Chrome anyway, there are instructions on how to disable this functionality.

The Ubuntu blog has a detailed article on plans to add full-disk encryption, with the key stored in the system's trusted platform module (TPM), to the desktop distribution.

In order to deliver these benefits, the implementation of TPM-backed FDE relies on two main design principles. First, it seals the FDE secret key to the full EFI state, including the kernel command line. Second, access to the decryption key will only be permitted if and when the device boots software that has been defined as authorised to access the confidential data. This is when the initrd code will unseal the key in the secure-boot protected kernel.efi at boot time.

OpenSUSE Leap is a hybrid distribution; it is based on SUSE's enterprise distribution (SLE), which follows the "slow and stable" approach, but adds a number of newer packages on top. Leap is intended to be a desktop-oriented distribution with a stable and reliable base. As SUSE transitions away from its traditional enterprise distribution toward its "Adaptable Linux Platform" (ALP), though, the stable base upon which openSUSE Leap is built is going away. The openSUSE community is currently discussing how the project should respond.

Security updates have been issued by Fedora (erofs-utils, htmltest, indent, libeconf, netconsd, php-phpmailer6, tinyexr, and vim), Red Hat (firefox), and Ubuntu (linux-aws, linux-aws-5.15, linux-ibm-5.15, linux-oracle, linux-oracle-5.15, linux-azure, linux-azure-fde-5.15, linux-gke, linux-gkeop, linux-intel-iotg-5.15, linux-raspi, linux-oem-6.1, linux-raspi, linux-raspi-5.4, shiro, and sox).

The LWN.net Weekly Edition for September 7, 2023 is available.

The 6.5.2, 6.4.15, 6.1.52, and 5.15.131 stable kernels have been released; each contains another set of important fixes.

A recent discussion on the Python forum looked at a way to protect module objects (and users) from mistaken attribute assignment and deletion. There are ways to get the same effect today, but the mechanism that would be used causes a performance penalty for an unrelated, and heavily used, action: attribute lookup on modules. Back in 2017, PEP 562 ("Module __getattr__ and __dir__") set the stage for adding magic methods to module objects; now a new proposal would extend that idea to add __setattr__() and __delattr__() to them.

The Mozilla Foundation has published a report on the data-collection and privacy practices of 25 car brands.

We reviewed 25 car brands in our research and we handed out 25 "dings" for how those companies collect and use data and personal information. That’s right: every car brand we looked at collects more personal data than necessary and uses that information for a reason other than to operate your vehicle and manage their relationship with you. For context, 63% of the mental health apps (another product category that stinks at privacy) we reviewed this year received this "ding."

Proof, once again, that running Linux does not automatically make a device privacy-friendly.

Leandro Moreira is maintaining a detailed description of Linux network tuning parameters and how they all tie together. There is a lot of good information for administrators seeking a better understanding of how all those knobs work and interoperate. (Seen on HN).

Security updates have been issued by Debian (aom and php7.3), Fedora (freeimage and mingw-freeimage), Scientific Linux (thunderbird), SUSE (amazon-ssm-agent, chromium, container-suseconnect, docker, glib2, php7, python-Django1, and rubygem-rails-html-sanitizer), and Ubuntu (kernel, linux, linux-aws, linux-aws-5.4, linux-gcp, linux-hwe-5.4, linux-ibm, linux-iot, linux-kvm, linux-oracle, linux-oracle-5.4, linux, linux-aws, linux-aws-6.2, linux-hwe-6.2, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-6.2, linux-raspi, linux, linux-aws, linux-aws-hwe, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, and linux, linux-gcp, linux-hwe-5.15, linux-ibm, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia).

The Linux Vendor Firmware Service (LVFS) provides a repository where vendors can upload firmware updates that can be accessed by the fwupd firmware update daemon on Linux systems. That mechanism allows users to keep the hardware components of their systems up to date with the latest firmware releases, but it has gotten so popular that the daily metadata queries are starting to swamp the LVFS content delivery network (CDN) server. So Richard Hughes, who developed fwupd and LVFS, suggested that it would make sense to start looking at ways to reduce that burden; the idea was discussed in a recent thread on the Fedora devel mailing list.

FOSS Force looks at the KDE Gear 23.08 release.

For this release, developers have been working in high gear (no pun intended) as there were important improvements made to many of Gear’s most iconic applications. Not only that: just a little over a year after its arrival, the Kalendar app is going through a name change as it morphs into what appears will eventually become a full-featured email application.

Security updates have been issued by Debian (file and thunderbird), Fedora (exercism, libtommath, moby-engine, and python-pyramid), Oracle (cups and kernel), Red Hat (firefox, kernel, kernel-rt, kpatch-patch, and thunderbird), SUSE (amazon-ecs-init, buildah, busybox, djvulibre, exempi, firefox, gsl, keylime, kubernetes1.18, php7, and sccache), and Ubuntu (docker-registry and linux-azure-5.4).

The kernel-development community has recently been discussing a number of independent patches, each of which is intended to help improve the security of deployed systems in some way. They touch on a number of areas within the kernel, including the question of how widely io_uring should be available, how to allow virtual machines to attest to their integrity, and the best way to inform applications when their random-number generators need to be reseeded.

Security updates have been issued by Debian (thunderbird), Fedora (firefox, kernel, kubernetes, and mediawiki), Mageia (openldap), SUSE (terraform), and Ubuntu (atftp, busybox, and thunderbird).

The 6.5.1, 6.4.14, 6.1.51, 5.15.130, 5.10.194, 5.4.256, 4.19.294, and 4.14.325 stable kernel updates have all been released; each contains another set of important fixes.

The pidfd API has been added to the kernel over the last several years to provide a race-free way for processes to refer to each other. While the GNU C Library (glibc) gained basic pidfd support with the 2.36 release in 2022, it still lacks a complete solution for race-free process creation. This patch set from Adhemerval Zanella seems likely to fill that gap in the near future, though, with an extension to the posix_spawn() API.

Security updates have been issued by Debian (chromium, firefox-esr, and gst-plugins-ugly1.0), Fedora (firefox, libeconf, libwebsockets, mosquitto, and rust-rustls-webpki), SUSE (amazon-ssm-agent, open-vm-tools, and terraform-provider-helm), and Ubuntu (linux-azure, linux-azure, linux-azure-5.15, linux-azure-fde, linux-gcp-5.15, linux-gcp-5.4, linux-oracle-5.4, linux-gkeop, linux-gkeop-5.15, linux-intel-iotg, linux-kvm, linux-oracle, and python-git).

As of this writing, 4,588 non-merge changesets have been pulled into the mainline repository for the 6.6 kernel release. The 6.6 merge window, in other words, is just getting started. Nonetheless, a fair amount of significant work has already been pulled, so the time has come to summarize what has happened so far in this development cycle.

Security updates have been issued by Debian (firefox-esr, json-c, opendmarc, and otrs2), Red Hat (java-1.8.0-ibm and kpatch-patch), Scientific Linux (kernel), Slackware (mozilla), SUSE (haproxy, php7, vim, and xen), and Ubuntu (elfutils, frr, and linux-gcp, linux-starfive).