Linux Weekly News

fish is a shell with a custom language and several affordances not available out of the box in other shells, such as directory-sensitive command completion. Although the project does not normally make beta releases, the newly announced 4.0b1 release will have one in order to ensure that no problems were introduced after a major effort to switch the code base from C++ to Rust.

fish is a smart and user-friendly command line shell with clever features that just work, without needing an advanced degree in bash scriptology. Today we are announcing an open beta, inviting all users to try out the upcoming 4.0 release.

fish 4.0 is a big upgrade. It's got lots of new features to make using the command line easier and more enjoyable, such as more natural key binding and expanded history search. And under the hood, we've rebuilt the foundation in Rust to embrace modern computing.

The LWN.net Weekly Edition for December 19, 2024 is available.

Emacs has had a few bugs related to accidentally permitting the execution of untrusted code. Unfortunately, it seems as though another bug of that sort has appeared — and may be harder to patch, because the problem comes from the way Emacs handles expansion of Lisp macros in code being analyzed. The vulnerability is only practically exploitable in a non-default configuration, so not every Emacs user has something to worry about. The Emacs developers are reportedly working on a fix, but have not yet shared details about it. In the meantime, every Emacs version since at least 26.1 (released in May 2018) through the current development version is vulnerable.

Security updates have been issued by AlmaLinux (libsndfile, php:7.4, python3.11, python3.12, and python36:3.6), Debian (dpdk), Mageia (curl and socat), Oracle (firefox and tuned), Red Hat (bluez, containernetworking-plugins, edk2, edk2:20220126gitbb1bba3d77, edk2:20240524, expat, gstreamer1-plugins-base, gstreamer1-plugins-base and gstreamer1-plugins-good, gstreamer1-plugins-good, kernel, libsndfile, libsndfile:1.0.31, mpg123, mpg123:1.32.9, pam, python3.11-urllib3, skopeo, tuned, unbound, and unbound:1.16.2), SUSE (cloudflared, curl, docker, firefox, gstreamer-plugins-good, kernel, libmozjs-115-0, libmozjs-128-0, libmozjs-78-0, libsoup, ovmf, python-urllib3_1, subversion, thunderbird, and traefik), and Ubuntu (editorconfig-core, libspring-java, linux, linux-aws, linux-aws-6.8, linux-gcp, linux-gcp-6.8, linux-gke, linux-gkeop, linux-ibm, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, linux-oem-6.8, linux-oracle, linux-oracle-6.8, linux-raspi, linux, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-ibm, linux-ibm-5.15, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-oracle, linux-oracle-5.15, linux-raspi, linux, linux-gcp, linux-gcp-5.4, linux-hwe-5.4, linux-kvm, linux-raspi, linux, linux-lowlatency, linux-oracle, linux-aws, linux-aws-5.15, linux-aws, linux-aws-5.4, linux-bluefield, linux-oracle, linux-oracle-5.4, and linux-oem-6.11).

Fedora Magazine reports that the Fedora Asahi Remix 41 for Apple Silicon is now available:

In addition to all the exciting improvements brought by Fedora Linux 41, Fedora Asahi Remix 41 provides x86/x86-64 emulation integration including support for AAA games to Apple Silicon. The game support is based on the new conformant Vulkan 1.4 driver. It also continues to provide extensive device support, including high quality audio out of the box.

LWN covered a talk from the X.org Developers Conference (XDC) by Alyssa Rosenzweig on the status of Asahi's GPU drivers in October.

Since we last looked at the WordPress dispute, WP Engine has sought a preliminary injunction against Automattic and its founder Matt Mullenweg to restore its access to WordPress.org, and more. The judge in the case granted a preliminary injunction on December 10. The case is, of course, of interest to users and developers working with WordPress—but it may also have implications for other open-source projects well beyond the WordPress community.

Version 2024.4 of the Kali Linux penetration-testing distribution has been released. Changes include a switch to Python 3.12, the removal of i386 kernel support, GNOME 47, and more.

Security updates have been issued by Debian (gstreamer1.0), Fedora (jupyterlab and python-notebook), Oracle (gimp:2.8.22, gstreamer1-plugins-base, gstreamer1-plugins-good, kernel, php:8.2, postgresql, and python3.11), SUSE (aws-iam-authenticator, firefox, installation-images, kernel, libaom, libyuv, libsoup, libsoup2, python-aiohttp, socat, thunderbird, and vim), and Ubuntu (curl, Docker, imagemagick, and kernel).

The Sequoia PGP project has announced version 1.0 of the sq command-line tool for managing OpenPGP encryption and signatures. It also provides a decentralized public key infrastructure (PKI), and key management facilities. This is the first stable release since development began on the project in 2017.

sq's PKI is probably its most notable feature, and the one we invested the most time in. The PKI is used to authenticate certificates, and messages. Authentication is necessary to ensure that you are encrypting to the person you think you are, and to identify who really authored a message; without authentication, encryption and verification are much weaker.

Emacs is, famously, an editor—perhaps far more—that is extensible using its own variant of the Lisp programming language, Emacs Lisp (or Elisp). This year's edition of EmacsConf, which is an annual "gathering" that has been held online for the past five years, had two separate talks on using a different variant of Lisp, Guile, for Emacs. Both projects would preserve Elisp compatibility, which is a must, but they would use Guile differently. The first talk we will cover was given by Robin Templeton, who described the relaunch of the Guile-Emacs project, which would replace the Elisp in Emacs with a compiler using Guile. A subsequent article will look at the other talk, which is about an Emacs clone written using Guile.

Security updates have been issued by Debian (gst-plugins-base1.0, gstreamer1.0, and libpgjava), Fedora (bpftool, chromium, golang-x-crypto, kernel, kernel-headers, linux-firmware, pytest, python3.10, subversion, and thunderbird), Gentoo (NVIDIA Drivers), Oracle (kernel, perl-App-cpanminus:1.7044, php:7.4, php:8.1, php:8.2, postgresql, python3.11, python3.12, python3.9:3.9.21, python36:3.6, ruby, and ruby:2.5), SUSE (docker-stable, firefox-esr, gstreamer, gstreamer-plugins-base, gstreamer-plugins-good, kernel, python-Django, python312, and socat), and Ubuntu (mpmath).

Linus has released 6.13-rc3 for testing. "Earlier this week it felt to me like things might have already started to quiet down in prep for the holidays, but doing the statistics on rc3 that doesn't actually seem to be the case - this looks very regular both in number of commits and in diff size".

Version 4.20 of the Xfce desktop environment has been released. "The major focus during this development cycle was the preparation of the codebase to be ready for Wayland". See the Xfce 4.20 tour for an overview of the changes in this release.

The 6.12.5, 6.6.66, 6.1.120, 5.15.174, 5.10.231, and 5.4.287 stable kernels have all been released; each contains a relatively large set of important fixes.

Commits in the Git source-code management system are identified by the SHA-1 hash of their contents — though the specific hash may change someday. The full hash is a 160-bit quantity, normally written as a 40-character hexadecimal string. While those strings are convenient for computers to work with, humans find them to be a bit unwieldy, so it is common to abbreviate the hash values to shorter strings. Geert Uytterhoeven recently proposed increasing the length of those abbreviated hashes as used in the kernel community, but the problem he was working to solve may not be as urgent as it seems.

Handling time in a networked environment is never easy. The Network Time Protocol (NTP) has been used to synchronize clocks across the internet for almost 40 years — but, as computers and networks get faster, the degree of synchronization it offers is not sufficient for some use cases. The Precision Time Protocol (PTP) attempts to provide more precise time synchronization, at the expense of requiring dedicated kernel and hardware support. The Linux kernel has supported PTP since 2011, but the protocol has recently seen increasing use in data centers. As PTP becomes more widespread, it may be useful to have an idea how it compares to NTP.

The CentOS Project has announced the general availability of CentOS Stream 10. See the release notes for information on new features, changes, and removed software. The Extra Packages for Enterprise Linux (EPEL) 10 repository is also available, and will be adding minor version repositories:

For the EPEL 9 release, we started building packages about six months before the RHEL 9 release by using CentOS Stream 9 as the initial build environment. For EPEL 10, we're expanding on that approach and doing the same thing for each minor version of RHEL 10. We will have separate DNF repositories for each minor version of RHEL 10, including CentOS Stream 10 as the leading minor version. Packages built for one minor version will carry forward to the next minor version. You can find more details about this structure in our branching documentation.

LWN covered Stream 10 and EPEL 10 on December 11.

Security updates have been issued by Debian (chromium, pgpool2, and smarty4), Fedora (chromium, linux-firmware, matrix-synapse, open62541, and thunderbird), Red Hat (kernel, kernel-rt, python3.11, python3.12, python3.9:3.9.18, python3.9:3.9.21, and ruby:2.5), SUSE (buildah, chromium, govulncheck-vulndb, java-1_8_0-ibm, libsvn_auth_gnome_keyring-1-0, python310-Django, qemu, and radare2), and Ubuntu (linux, linux-aws, linux-aws-6.8, linux-gcp, linux-gcp-6.8, linux-gke, linux-ibm, linux-lowlatency, linux-lowlatency-hwe-6.8, linux-oem-6.8, linux-oracle, linux-oracle-6.8, linux-raspi, linux, linux-gcp, linux-gcp-5.4, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-raspi, linux-xilinx-zynqmp, linux-gkeop, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, php7.0, php7.2, python-asyncssh, and smarty3).

Version 1.32 (dubbed "Penelope") of Kubernetes has been released with 13 major features graduating to Stable status, 12 entering Beta, and 19 entering Alpha.

If Kubernetes is Ancient Greek for "pilot", in this release we start from that origin and reflect on the last 10 years of Kubernetes and our accomplishments: each release cycle is a journey, and just like Penelope, in "The Odyssey", weaved for 10 years -- each night removing parts of what she had done during the day -- so does each release add new features and removes others, albeit here with a much clearer purpose of constantly improving Kubernetes.

The Python Package Index (PyPI) Blog has an analysis of the compromise of the ultralytics project, and what PyPI has learned from this event:

PyPI staff and volunteers do their best to remove malware, but because the service is open to anyone looking to publish software there is an unfortunately high amount of abuse. Thankfully most of this abuse does not have the same widespread impact as a targeted attack on an already widely-used project.

Mike Fiedler, the PyPI Safety and Security Engineer is working on new systems for reducing the time that malware is available to be installed on PyPI, through APIs that security researchers can automatically send reports to and new "quarantine" release status to prevent harm while a human investigates the situation. Expect more in this space in 2025!