5 months 4 weeks ago
Inside this week's LWN.net Weekly Edition:
- Front: PyPI terms of service; Zig 0.14; Matrix; Timer IDs and ABI; Module integrity checking; Capability analysis.
- Briefs: Path traversal; Below vulnerability; Ubuntu 25.04; Flang; Gstreamer 1.26.0; Framework Mono 6.14.0; Quotes; ...
- Announcements: Newsletters, conferences, security updates, patches, and more.
corbet
5 months 4 weeks ago
jake
5 months 4 weeks ago
Damien Neil has written an article for the Go Blog about path
traversal vulnerabilities and the os.Root API added in Go 1.24 to help prevent
them.
Root permits relative path components and symlinks that do not escape
the root. For example, root.Open("a/../b") is permitted. Filenames are
resolved using the semantics of the local platform: On Unix systems,
this will follow any symlink in "a" (so long as that link does not
escape the root); while on Windows systems this will open "b" (even if
"a" does not exist).
jzb
5 months 4 weeks ago
The Zig project has
announced the release of the 0.14 version of the language,
including changes from more than 250 contributors. Zig is a low-level,
memory-unsafe programming language that aims to compete with C instead of
depending on it. Even though the language has not yet had a stable release,
there are a number of projects using it as an alternative to C with better
metaprogramming.
While the project's release
schedule has been a bit inconsistent, with the release of version 0.14 being
delayed
several times, the release contains a number of new convenience features,
broader architecture support, and the next steps toward removing Zig's
dependency on LLVM.
daroc
5 months 4 weeks ago
The SUSE Security Team blog has a post with a
detailed analysis of a vulnerability (CVE-2025-27591)
in the below
tool for recording and displaying system data.
In January 2025, Below was packaged and submitted to openSUSE
Tumbleweed. Below runs as a systemd service with root privileges. The
SUSE security team monitors additions and changes to systemd service
unit files in openSUSE Tumbleweed, and through this we noticed
problematic log directory permissions applied in Below's code.
jzb
5 months 4 weeks ago
The LLVM project's Fortran compiler, which has for many years gone by the name "flang-new", will now simply be "flang", starting from LLVM's 20.1.0 release on March 4. The
announcement, which includes details about the history of flang, comes after a long period of development and discussion. The community has considered renaming flang several times before now, but has always held off out of a feeling that the compiler was not yet ready. Now, the members of the project believe that flang has become stable and complete enough to earn its name.
We are almost 10 years from the first announcement of what would
become LLVM Flang. In the LLVM monorepo alone there have been close
to 10,000 commits from around 400 different contributors. Undoubtedly
more in Classic Flang before that.
daroc
5 months 4 weeks ago
jzb
5 months 4 weeks ago
Security updates have been issued by Debian (libmodbus), Fedora (thunderbird and vyper), Mageia (firefox, nss, python-django, python-jinja2, and thunderbird, thunderbird-l10n), Oracle (bind, kernel, rsync, and tigervnc), Red Hat (.NET 8.0, .NET 9.0, and libxml2), SUSE (iniparser and kernel), and Ubuntu (dotnet8, dotnet9, freerdp2, jinja2, libreoffice, linux, linux-hwe, linux-aws, linux-aws-hwe, linux-gcp, linux-gcp-4.15, linux-kvm, linux-oracle, linux-kvm, and opensc).
jzb
5 months 4 weeks ago
Matrix
provides an open network for secure, decentralized communication. It
has enjoyed some success over the last few years as an IRC replacement
and real-time chat for a number of open-source projects. But adoption
by a subset of open-source developers is a far cry from the mainstream
adoption that Matthew Hodgson, Matrix project lead and CEO of Element (the company that created
Matrix), would like to see. At FOSDEM 2025, he discussed the
history of Matrix, its missteps in chasing mainstream adoption, its
current status, as well as some of the wishlist features for taking
Matrix into the mainstream.
jzb
5 months 4 weeks ago
Version 6.14.0 of Framework
Mono has been announced.
This is the first release of Framework Mono from its new home at
WineHQ. It includes work from the past 5 years that was never included
in a stable release because no stable branch had been created in that
time. Highlights are native support for ARM64 on macOS and many
improvements to windows forms for X11.
See the release
notes for a full list of new features and plans for future
releases.
jzb
5 months 4 weeks ago
Security updates have been issued by Debian (libaws, ruby2.7, and squid), Fedora (bigloo, emacs, neovim, python-jinja2, rizin, and tree-sitter), Oracle (kernel), Red Hat (grub2, kernel, kernel-rt, and libxml2), SUSE (iniparser, kernel, krb5, libxkbfile, and u-boot), and Ubuntu (gnuchess, openjdk-17-crac, openjdk-21-crac, and openvpn).
corbet
6 months ago
The Python project's recent switch to a tail-calling interpreter may not provide as large a speed advantage as initially thought. A blog post from Nelson Elhage gives the details. In short, switching to a tail-call-based interpreter accidentally works around an unfixed regression in LLVM 19. On other compilers, the performance benefit (while still present) is more moderate.
When the tail-call interpreter was announced, I was surprised and impressed by the performance improvements, but also confused: I'm not an expert, but I'm passingly-familiar with modern CPU hardware, compilers, and interpreter design, and I couldn't explain why this change would be so effective. I became curious – and perhaps slightly obsessed – and the reports in this post are the result of a few weeks of off-and-on compiling and benchmarking and disassembly of dozens of different Python binaries, in an attempt to understand what I was seeing.
daroc
6 months ago
One of the advantages of the Rust type system is its ability to encapsulate
requirements about the state of the program in the type system;
often, this state includes which locks must be held to be able to carry out
specific operations. C lacks the ability to express these
requirements, but there would be obvious benefits if that kind of feature
could be grafted onto the language. The Clang compiler has made some
strides in that direction with its
thread-safety
analysis feature; two developers have been independently working to
take advantage of that work for the kernel.
corbet
6 months ago
Security updates have been issued by Debian (openvpn and thunderbird), Fedora (buildah, chromium, podman-tui, python-spotipy, qt6-qtwebengine, and vim), Mageia (chromium-browser-stable and gpac), Oracle (krb5), Red Hat (firefox, kernel, kernel-rt, libxml2, and pcs), SUSE (buildah, chromedriver, chromium, firefox, go1.23, go1.24, grype, python, python311-GitPython, ruby3.4-rubygem-rack, thunderbird, and xen), and Ubuntu (xorg-server, xorg-server-hwe-16.04, xorg-server-hwe-18.04).
daroc
6 months ago
Linus has released
6.14-rc6 for testing.
"This release remains on track, nothing special to report".
corbet
6 months ago
The
6.6.82 stable kernel has been
released. "All i386 users of the 6.6 kernel series must upgrade (as
they skipped the last release.) All other arches can skip this one as it
should not affect them."
corbet
6 months ago
Greg Kroah-Hartman has announced the release of four more stable kernels:
6.13.6,
6.12.18,
6.6.81, and
6.1.130.
Unlike a normal release, Kroah-Hartman did not call for all users to
update their kernels. Specifically, the 6.6.81 kernel is currently broken on
i386 systems, and users should wait for 6.6.82.
daroc
6 months ago
Matthieu Clemenceau has published
a status update from the Foundations Team on Ubuntu 25.04 (Plucky Puffin) development to the Ubuntu
Discourse forum. This includes updates on Ubuntu's adoption
of Dracut as an alternative to initramfs-tools, a move to
a single ISO for arm64 devices rather than device-specific images, and
reverting the planned O3 optimization flags for Plucky Puffin.
Earlier in this cycle, we
announced
plans to enable the O3 optimization level for all Ubuntu packages
by default. As part of this effort, we conducted extensive
benchmarking, which revealed that while some workloads saw
improvements, overall system performance slightly declined, and binary
sizes increased. Given these results, we are likely to revert this
change soon.
The beta for Ubuntu 25.04 is planned
for March 27, with the final release scheduled on April 17.
jzb
6 months ago
On January 20, Thomas Weißschuh shared a new
patch set implementing an alternate method for checking the integrity of
loadable kernel modules. This mechanism, which checks module integrity based
on hashes computed at build time instead of using cryptographic signatures,
could enable reproducible kernel builds in more contexts. Several distributions
have already expressed interest in the patch set if Weißschuh can get it
into the kernel.
daroc
6 months ago
Security updates have been issued by Debian (chromium), Fedora (firefox and man2html), Mageia (erlang, ffmpeg, and vim), Oracle (doxygen, firefox, python-jinja2, squid, and webkit2gtk3), Red Hat (nodejs:18), SUSE (emacs, go1.23, go1.24, and pcp), and Ubuntu (ansible, firefox, linux-azure, linux-nvidia, and python-django).
daroc
LWN.net is a comprehensive source of news and opinions from
and about the Linux community. This is the main LWN.net feed,
listing all articles which are posted to the site front page.