Linux Weekly News

Over the years, there have been multiple examples of open-source software that, suddenly, was no longer open source; on August 10, some further examples were added to the pile. That happened when HashiCorp announced that it would be switching the license on its products from the Mozilla Public License 2.0 (MPL) to the Business Source License 1.1 (BSL or BUSL). At least one of the products affected by the change, the Terraform infrastructure-automation tool, has attracted an effort to continue it as an open-source tool in the form of a fork that would be maintained by the nascent OpenTF Foundation. That seems like a sensible reaction to the move, but it also helps serve up yet another reminder that code which is controlled by a single entity is normally always at risk of such adverse changes.

Security updates have been issued by Debian (mediawiki and qt4-x11), Fedora (java-17-openjdk, linux-firmware, and python-yfinance), Red Hat (kernel, kpatch-patch, and subscription-manager), SUSE (evolution, janino, kernel, nodejs16, nodejs18, postgresql15, qt6-base, and ucode-intel), and Ubuntu (inetutils).

The PineTime is an inexpensive smartwatch developed by PINE64 that is designed to run open-source operating systems. Despite its low cost, however, it has most of the features expected from more expensive, proprietary smartwatches. Because it runs open-source software, though, interested developers can add any other useful features that they dream up.

Security updates have been issued by Debian (intel-microcode, lxc, and zabbix), Fedora (clamav), SUSE (python-configobj), and Ubuntu (clamav).

Making a filesystem implementation robust in the face of maliciously created filesystem images is a challenging task even when the implementation is actively maintained, which many in the kernel are not. There is a way to make that task even harder, though: modify that filesystem image behind the implementation's back while it is mounted. A recent discussion on the linux-fsdevel list reveals an ongoing disagreement over whether (and how) this threat should be addressed.

The Document Foundation has announced the release of LibreOffice 7.6 Community. It is the last release using the existing numbering scheme as the office suite will move to date-based release numbers starting with LibreOffice 24.2 in February, 2024. Highlights of this release include support for document themes, including import and export of them, a new navigation panel for Impress and Draw, zoom-gesture support, font-handling improvements, and lots more; the release notes have all the details. LibreOffice 7.6 Community's new features have been developed by 148 contributors: 61% of code commits are from the 52 developers employed by three companies sitting in TDF's Advisory Board – Collabora, Red Hat and allotropia – or other organizations, 15% are from 7 developers at The Document Foundation, and the remaining 24% are from 89 individual volunteers.

Other 202 volunteers – representing hundreds of other people providing translations – have committed localizations in 160 languages. LibreOffice 7.6 Community is released in 120 different language versions, more than any other free or proprietary software, and as such can be used in the native language (L1) by over 5.4 billion people worldwide. In addition, over 2.3 billion people speak one of those 120 languages as their second language (L2).

Security updates have been issued by Debian (fastdds, flask, and kernel), Fedora (chromium, dotnet6.0, dotnet7.0, gerbv, java-1.8.0-openjdk, libreswan, procps-ng, and spectre-meltdown-checker), SUSE (chromium, kernel-firmware, krb5, opensuse-welcome, and python-mitmproxy), and Ubuntu (clamav, firefox, and vim).

Linus Torvalds has released the 6.5-rc7 kernel prepatch, which looks to be the final release candidate before the likely release of Linux 6.5 next Sunday. Torvalds released it a little earlier than usual due to some travel; overall things look to be in good shape: But apart from the timezone difference, everything looks entirely normal. Drivers (GPU, networking and sound dominate - the usual suspects, in other words) and architecture fixes. The latter are mostly arm devicetree fixlets, but also some x86 cleanups and fallout from the embargo last week.

Not a huge amount of patches, and I really get the feeling that a lot of maintainers are on vacation. But I will be optimistic and also blame it all being quiet on things working fairly well.

It is fair to say that the DNF package manager is not the favorite tool of many Fedora users. It was brought in as a replacement for Yum but got off to a rather rocky start; DNF has stabilized over the years, though and the complaints have subsided. That can only mean one thing: it must be time to throw it away and start over from the beginning. The replacement, called DNF5, was slated to be a part of the Fedora 39 release, due in October, but that is not going to happen.

Security updates have been issued by Debian (chromium, rar, and unrar-nonfree), Fedora (microcode_ctl, trafficserver, and webkitgtk), SUSE (ImageMagick, kernel, nodejs16, nodejs18, postgresql12, postgresql15, re2c, and samba), and Ubuntu (ghostscript, haproxy, linux, linux-aws, linux-aws-5.15, linux-gcp, linux-hwe-5.15, linux-ibm, linux-intel-iotg, linux-intel-iotg-5.15, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-oracle, linux-oracle-5.15, linux-raspi, linux-hwe-5.4, linux-xilinx-zynqmp, poppler, and zziplib).

SUSE's long story of corporate ownership is gaining a new chapter; the company has announced that its majority shareholder (Marcel LUX III SARL) will be acquiring the remaining shares, and will take the company private and off of the stock exchange. "SUSE’s Management Board and Supervisory Board support the strategic opportunity from delisting of the company as it will allow SUSE to focus fully on its operational priorities and execution of its long-term strategy."

In its default configuration, the Linux kernel will allow processes to allocate more memory than the system can actually provide; this policy enables better utilization of physical memory and works just fine — most of the time. On occasions, though, the kernel may find itself unable to provide memory that processes may think already belongs to them. If the situation gets bad enough, the only solution (short of rebooting) is to declare a sort of memory bankruptcy and write off some of the kernel's debts by killing one or more processes. Over the years, a great deal of effort has gone into heuristics to select the processes that the user is least likely to miss. This problem is still clearly not solved to everybody's satisfaction, though, so it was only a matter of time before somebody introduced a way to select the out-of-memory (OOM) victim using BPF.

Security updates have been issued by Debian (open-vm-tools, openjdk-11, and openssh), Fedora (librsvg2, llhttp, opensc, and rust), Oracle (.NET 6.0, .NET 7.0, iperf3, microcode_ctl, postgresql:10, and python-requests), SUSE (openssl-1_0_0, perl-Cpanel-JSON-XS, postgresql12, and postgresql15), and Ubuntu (ceph, haproxy, heat, libpod, and postgresql-12, postgresql-14, postgresql-15).

The LWN.net Weekly Edition for August 17, 2023 is available.

Readers have been pointing us to HashiCorp's announcement that it is moving to its own "Business Source License" for some of its (formerly) open-source products. Like other companies (example) that have taken this path, HashiCorp is removing the freedom to use its products commercially in ways that it sees as competitive. This is, in a real sense, an old and tiresome story.

The lessons to be drawn from this change are old as well. One is to beware of depending on any platform, free or proprietary, that is controlled by a single company. It is a rare company that will not try to take advantage of that control at some point.

The other is to beware of contributor license agreements. HashiCorp's agreement used to read that it existed "to ensure that our projects remain licensed under Free and Open Source licenses"; the current version doesn't say that anymore. But both versions give HashiCorp the right to play exactly this kind of game with any code contributed by outsiders. Developers who were contributing to a free-software project will now have their code used in a rather more proprietary setting. When a company is given the right to take somebody else's code proprietary, many of them will eventually make use of that right.

The call for topics for the Linux Kernel Maintainers Summit went out on August 15; one proposed topic has generated some interesting discussion about security-bug reporting for the kernel. A recent patch to the kernel's documentation about how to report security bugs recommends avoiding posting to the linux-distros mailing list because its goals and rules do not mesh well with kernel security practices. That led Jiri Kosina to suggest a discussion on security reporting, especially with regard to Linux distributions.

The 6.4.11, 6.1.46, 5.15.127, 5.10.191, 5.4.254, 4.19.292, and 4.14.323 stable kernels have all been released; each contains another set of important fixes.

On August 16, 1993, Ian Murdock announced a new distribution to the comp.os.linux.development Usenet newsgroup:

This is just to announce the imminent completion of a brand-new Linux release, which I'm calling the Debian Linux Release. This is a release that I have put together basically from scratch; in other words, I didn't simply make some changes to SLS and call it a new release. I was inspired to put together this release after running SLS and generally being dissatisfied with much of it, and after much altering of SLS I decided that it would be easier to start from scratch. The base system is now virtually complete (though I'm still looking around to make sure that I grabbed the most recent sources for everything), and I'd like to get some feedback before I add the "fancy" stuff.

After 30 years, Debian is still going strong.

The Debian project has added the LoongArch architecture to its ports collection.

After an initial manual bootstrap of roughly 200 packages, two buildds are now building packages for the newly added "loong64" port with the help of qemu-user. After enough packages have been built for the port to be self-hosting, we're planning to replace these two buildds with real hardware hosted at Loongson.

Security updates have been issued by Debian (datatables.js and openssl), Fedora (ghostscript, java-11-openjdk, java-latest-openjdk, microcode_ctl, and xen), Red Hat (redhat-ds:11), SUSE (java-1_8_0-openj9, kernel, krb5, pcre2, and perl-HTTP-Tiny), and Ubuntu (gstreamer1.0, mysql-8.0, tiff, and webkit2gtk).