Linux Weekly News

Security updates have been issued by Debian (gzip and xz-utils), Fedora (dhcp and rsync), Mageia (chromium-browser-stable), openSUSE (chromium), SUSE (gzip, openjpeg2, and zabbix), and Ubuntu (klibc).

Steve McIntyre argues that Debian needs to rethink its approach to non-free firmware.

Today, a user with a new laptop from most vendors will struggle to use it at all with our firmware-free Debian installation media. Modern laptops normally don't come with wired ethernet now. There won't be any usable graphics on the laptop's screen. A visually-impaired user won't get any audio prompts. These experiences are not acceptable, by any measure.

Over on the blog for the GNU Guix project, which is a "transactional package manager and an advanced distribution of the GNU system that respects user freedom", the project reflects on its ten-year journey. The post consists of personal accounts from around two dozen contributors about the project, its history, and its community. It’s been ten years today since the very first commit to what was already called Guix—the unimaginative name is a homage to Guile and Nix, which Guix started by blending together. On April 18th, 2012, there was very little to see and no actual "project". The project formed in the following months and became a collective adventure around a shared vision.

Ten years later, it’s amazing to see what more than 600 people achieved, with 94K commits, countless hours of translation, system administration, web design work, and no less than 175 blog posts to share our enthusiasm at each major milestone. It’s been quite a ride!

Version 2.36.0 of the Git source-code management system is out. As usual, the list of new features is long; this GitHub blog post covers some of the highlights:

But this [merge conflict] output can be understandably difficult to interpret. In Git 2.36, --remerge-diff takes a different approach. Instead of showing you the diffs between the merge resolution and each parent simultaneously, --remerge-diff shows you the diff between the file with merge conflicts, and the resolution.

The ftrace and perf subsystems provide visibility into the workings of the kernel; by activating existing tracepoints, interested developers can see what is happening at specific points in the code. As much as kernel developers may resist the notion, though, not all events of interest on a system happen within the kernel. Administrators will often want to look inside user-space processes as well; they would be even happier with a mechanism that allows the simultaneous tracing of events in both the kernel and user space. The user-events subsystem, developed by Beau Belgrave and added during the 5.18 merge window, promises that capability, but users will almost certainly have to wait another cycle to gain access to it.

Security updates have been issued by Debian (abcm2ps and chromium), Fedora (cacti, cacti-spine, and fribidi), and Mageia (crun, docker-containerd, libarchive, mediawiki, and ruby).

The 5.18-rc3 kernel prepatch is out for testing. "It's Sunday afternoon, and you all know what that means. It's time for another release candidate. (Yes, yes, it's also Easter Sunday, but priorities, people!)"

Anybody who might be considering acquiring a "Freedom Phone" might want to have a look at Matthew Garrett's analysis first.

Anyway. We have a company that seems to be combining blockchain and MLM [multi-level marketing], has some opinions about Quantum Entanglement, bases the security of its platform on a set of novel cryptographic primitives that seem to have had no external review, has implemented an API that just hands out personal information without any authentication and an app that appears more than happy to upload all your contact details without telling you first, has failed to update this app to keep up with upstream security updates, and is violating the upstream license.

Version 9.1 of the GNU coreutils package has been released with lots of small tweaks and improvements. "ls no longer colors files with capabilities by default, as file-based capabilities are very rarely used, and lookup increases processing per file by about 30%. It's best to use getcap [-r] to identify files with capabilities."

Your editor has a certain tendency to accumulate books, to the point that they crowd everything else out of the house. There is a lot to be said for books: a physical book has a user interface that has been optimized over centuries, and one can have a reasonably high degree of certainty that any given book will still work a few decades from now. Neither of those can be said for electronic books, but they do have the advantages of taking less shelf space and being more portable. So electronic books are part of the reading menu, which naturally leads to the search for a free reader for those books; KOReader turns out to be an interesting alternative.

Greg Kroah-Hartman has announced the release of the 5.4.189 and 4.19.238 stable kernels. As usual, they contain important fixes throughout the tree and users should upgrade.

Security updates have been issued by Debian (fribidi and python-django), Fedora (postgresql-jdbc, stargz-snapshotter, and thunderbird), Slackware (git, gzip, and xz), and SUSE (kernel, SDL2, and tomcat).

Support for developing in the Rust language is headed toward the kernel, though just when it will land in the mainline is yet to be determined. The Rust patches are progressing, though, and beginning to attract attention from beyond the kernel community. When two languages — and two different development communities — come together, the result can be a sort of cultural clash. Some early signs of that are appearing with regard to Rust in the kernel; if the resulting impedance mismatches can be worked out, the result could be a better development environment for everybody involved.

Security updates have been issued by Debian (lrzip), Fedora (community-mysql, expat, firefox, kernel, mingw-openjpeg2, nss, and openjpeg2), Mageia (ceph, subversion, and webkit2), openSUSE (chromium), Oracle (httpd:2.4), Red Hat (kpatch-patch), Slackware (ruby), SUSE (kernel and netatalk), and Ubuntu (gzip and xz-utils).

SUSE has begun to discuss its plans for the next version of SUSE Linux Enterprise on the openSUSE lists. It appears that there will be some significant changes.

Intending to do radical changes (regarding technology- but also design-wise) we choose "Adaptable Linux Platform" or short "ALP" as codename for that next generation. This indicates already that some things will be quite different than a "mere "SLE 15++ would be ;) [...]

Another important point is that we intend to split what was a more generic, everything is closely intertwined into two parts: One smaller hardware enabling piece, a kind of "host OS", and the and the layer providing and supporting applications, which will be container (and VM) based.

The LWN.net Weekly Edition for April 14, 2022 is available.

Using strings with contents that are supplied by users can be fraught with peril; SQL injection is a well-known technique for attacking applications that stems from that, for example. Generally, database frameworks and libraries provide mechanisms that seek to lead programmers toward doing The Right Thing, with parameterized queries and the like, but they cannot enforce that—inventive developers will seemingly always find ways to inject user input into places it should not go. A recently adopted Python Enhancement Proposal (PEP) provides a way to enforce the use of strings that are untainted by user input, but it uses the optional typing features of the language to do so; those wanting to take advantage of it will need to be running a type-checking program.

The 5.17.3, 5.16.20, 5.15.34, and 5.10.111 stable kernel updates have been released after a relatively quick review cycle. Each contains a relatively large set of important fixes. Note that 5.16.20 is the final update in the 5.16.x series.

Security updates have been issued by Arch Linux (gzip, python-django, and xz), Debian (chromium, subversion, and zabbix), Red Hat (expat, kernel, and thunderbird), SUSE (go1.16, go1.17, kernel, libexif, libsolv, libzypp, zypper, opensc, subversion, thunderbird, and xz), and Ubuntu (git, linux-bluefield, nginx, and subversion).

Version 6.3 of the Qt graphics library has been released. "Qt 6.3 also comes with a decent set of new functionality. A total of 250 user stories and tasks implementing new functionality have been completed for 6.3. Those are of course too many to list individually, and if you want to have all the details, have a look at our new features page and our Release Notes."