Linux Weekly News

• Front: Rsync vulnerability; Going mouseless; Commit IDs; 6.13 Development statistics; Python string formating; Python None-aware operators.
• Briefs: Kernel 6.13; Dillo 3.2.0; GDB 16.1; OpenVox; Wine 10.0; Quotes; ...
• Announcements: Newsletters, conferences, security updates, patches, and more.

The FreeBSD Foundation has announced that it has undertaken a project to deliver zero-trust builds commissioned by the Sovereign Tech Agency (STA).

The Zero-Trust Build project is scheduled from Jan-Aug 2025 and centers on the FreeBSD build process, and in particular, release building. The primary goal of this work is to enable the entire release process to run without requiring root access, and that build artifacts build reproducibly – that is, that a third party can build bit-for-bit identical artifacts.

Additionally, the project aims to enhance build process documentation, ensuring that release building is straightforward and does not require specialized knowledge. The work is targeted for completion prior to the release of FreeBSD 15.0.

The Foundation says that updates should not impact users of FreeBSD release images, but it may have an impact on developers basing projects or products on FreeBSD that make modifications to its release process.

The computer mouse is a wonderful invention, but for the past few months I've been working to use mine as little as possible for productivity and ergonomic reasons. It should not be surprising that there are quite a few open-source applications, utilities, and configuration options that are either designed to or incidentally assist in creating a keyboard-driven desktop. This includes tiling window management with PaperWM, the Vimium browser extension, Input Remapper, and more.

The Vox Pupuli project has announced the first release of OpenVox, a "soft-fork" of the Puppet automation framework. The intention to fork was announced in December 2024.

OpenVox 8.11 is functionally equivalent to Puppet and should be a drop-in replacement. Be aware, of course, that even though you can type the same commands, use all the same modules and extensions, and configure the same settings, OpenVox is not yet tested to the same standard that Puppet is. [...]

Please don't use these packages on critical production infrastructures yet, unless you're comfortable with troubleshooting and reporting back on the silly errors we've made while rebranding and rebuilding.

On January 14, Nick Tait announced the discovery of six vulnerabilities in rsync, the popular file-synchronization tool. While software vulnerabilities are not uncommon, the most serious one he announced allows for remote code execution on servers that run rsyncd — and possibly other configurations. The bug itself is fairly simple, but this event provides a nice opportunity to dig into it, show why it is so serious, and consider ways the open-source community can prevent such mistakes in the future.

Version 3.2.0 of the Dillo web browser has been released about a month after its 25th anniversary. Notable new features in 3.2.0 include SVG support for math formulas, optional support for WebP images, and more.

Significant features in this release include the lazy preemption model for CPU scheduling, Arm64 Guarded Control Stack support, the PIDFD_GET_INFO() operation, multi-grain file timestamps, beginning atomic write support for the ext4 and XFS filesystems, the setxattrat(), getxattrat(), listxattrat(), and removexattrat() system calls, private stacks for BPF programs, a new mechanism for adding guard pages to a memory mapping, the removal of the reiserfs filesystem, and more. See the LWN merge-window summaries (part 1, part 2) and the KernelNewbies 6.13 page for more information.

Greg Kroah-Hartman has released the 6.1.126 stable kernel to fix build failures with the 6.1.125 stable release.

The idea of adding None-aware operators to Python has sprung up once again. These would make traversing structures with None values in them easier, by short-circuiting lookups when a None is encountered. Almost exactly a year ago, LWN covered the previous attempt to bring the operators to Python, but there have been periodic discussions stretching back to 2015 and possibly before. This time Noah Kim has taken up the cause. After some debate, he eventually settled on redrafting the existing PEP to have a more limited scope, which might finally see it move past the cycle of debate, resurrection, and abandonment that it has been stuck in for most of the last decade.

The 6.12.10, 6.6.72, and 6.1.125 stable kernels have been released on the expected schedule.