Linux Weekly News

[$] NIST finalizes post-quantum encryption standards

1 year ago

On August 13, the US National Institute of Standards and Technology (NIST) published the final form of its new post-quantum cryptographic standards. One key-exchange mechanism and two digital-signature schemes are now officially sanctioned by the institute. Adopting the new standards should be fairly painless for most developers, but the overhead added by the schemes could pose challenges for some applications.

daroc

Security updates for Tuesday

1 year ago
Security updates have been issued by AlmaLinux (nodejs:20), Debian (python3.11), Fedora (dotnet8.0), Red Hat (bind, krb5, libreoffice, linux-firmware, orc, orc:0.4.28, and orc:0.4.31), SUSE (mariadb and openssl-3), and Ubuntu (linux-aws-5.4).
corbet

A malicious Pidgin plugin

1 year ago
The developers of the Pidgin chat program have announced that a malicious plugin had been listed on its third-party plugins list for over one month. This plugin included a key logger and could capture screenshots.

It went unnoticed at the time that the plugin was not providing any source code and was only providing binaries for download. Going forward, we will be requiring that all plugins that we link to have an OSI Approved Open Source License and that some level of due diligence has been done to verify that the plugin is safe for users.

corbet

Sovereign Tech Fund (STF) to invest in FreeBSD infrastructure modernization

1 year ago

The FreeBSD Foundation has announced that Germany's Sovereign Tech Fund (STF) has agreed to invest €686,400 toward improvements in the FreeBSD project's infrastructure, security, regulatory compliance, and developer experience:

The work commissioned by STF also aligns closely with the recent August 9, 2024 summary report released by the U.S. Office of the National Cyber Director (ONCD), consolidating feedback from the 2023 request for information on key priorities for securing the open source software ecosystem. By enhancing security controls and SBOM tooling, the FreeBSD Foundation is helping to keep FreeBSD at the forefront of improved vulnerability disclosure mechanisms and secure software foundations.
jzb

[$] A new version of modversions

1 year ago
The genksyms tool has long been buried deeply within the kernel's build system; it is one of the two C-code parsers shipped with the kernel (the other being the horrifying kernel-doc script). It is a key part of how the kernel's module-loading infrastructure works. While genksyms has quietly done its job for decades, that period may soon be coming to an end. It would seem that genksyms is not up to the task of handling Rust code, so Sami Tolvanen is proposing a new tool to handle this task going forward.
corbet

Security updates for Monday

1 year ago
Security updates have been issued by Debian (chromium, python-html-sanitizer, and trafficserver), Fedora (nginx, nginx-mod-fancyindex, nginx-mod-modsecurity, nginx-mod-naxsi, nginx-mod-vts, python-webob, python3-docs, python3.11, python3.12, python3.9, and zabbix), Red Hat (bind, bind and bind-dyndb-ldap, bind9.16, httpd, kernel, kernel-rt, and nodejs:20), SUSE (caddy, chromium, chromium, gn, rust-bindgen, cockpit, fetchmail, gdcm, gh, keybase-client, libhtp, libofx, nano, plasma5-workspace, python-nltk, python-notebook, xen, and znc), and Ubuntu (linux-azure, linux-azure-4.15, linux-azure-5.4, and linux-oracle-5.15).
jake

Kernel prepatch 6.11-rc5

1 year ago
The 6.11-rc5 kernel prepatch is out for testing. "Other than the timing, there's not a whole lot unusual here. The diffstat looks fairly flat, which means 'mostly pretty small changes'." Linus Torvalds added a note that today marks the 33rd anniversary of the first Linux announcement; "A third of a century. And it *still* isn't ready".
corbet

[$] The history, status, and plans for reproducible builds

1 year ago
On the second day of DebConf24 in Busan, South Korea, Holger Levsen provided a history lesson on the "first 11 years" of the Reproducible Builds project. He has been involved in the project for most of that time and has been a Debian user since the mid-1990s, contributor since 2001, and a Debian member since 2007; "I love Debian". Meanwhile, his aim is to make all free software be reproducible, so that anyone can check that a binary program comes from the source code it purports to.
jake

Forgejo changes license to GPLv3+

1 year ago

The Forgejo project has announced that, starting from version 9.0, Forgejo will be released under the GPLv3 license (or a later version). Older versions of the software forge remain MIT-licensed.

A copyleft license makes reusing other copyleft software easier. Recently, we discovered that some of the dependencies we used were incompatible with the license Forgejo was distributed with, and they had to be removed for now. Choosing copyleft licenses enables us to reuse more work, and saves us precious time to focus on improving Forgejo itself.
daroc

Security updates for Friday

1 year ago
Security updates have been issued by Fedora (community-mysql, iaito, and radare2), Oracle (python3.12-setuptools and tomcat), Red Hat (krb5 and podman), Slackware (ffmpeg), SUSE (apache2, expat, firefox, webkit2gtk3, and xen), and Ubuntu (imagemagick and libxstream-java).
daroc

LibreOffice 24.8 released

1 year ago
Version 24.8 of the LibreOffice office suite has been released. Changes include the ability to filter identifying information from exported files, easier creation of cross references, better control over hyphenation, a number of new spreadsheet functions, accessibility improvements, and more.
corbet

[$] A review of file descriptor memory safety in the kernel

1 year ago

On July 30, Al Viro sent a patch set to the linux-fsdevel mailing list with a comprehensive cover letter explaining his recent work on ensuring that the kernel's internal representation of file descriptors is used correctly in the kernel. File descriptors are ubiquitous; many system calls need to handle them. Viro's review identified a few existing bugs, and may prevent more in the future. He also had suggestions for ways to keep uses consistent throughout the kernel.

daroc

Garrett: What is an SBAT and why does everyone suddenly care

1 year ago
Matthew Garrett describes the role of the Secure Boot Advanced Targeting mechanism and how it played into the recent Windows upgrade problems.

So why is this suddenly relevant? SBAT was developed collaboratively between the Linux community and Microsoft, and Microsoft chose to push a Windows update that told systems not to trust versions of grub with a security generation below a certain level. This was because those versions of grub had genuine security vulnerabilities that would allow an attacker to compromise the Windows secure boot chain, and we've seen real world examples of malware wanting to do that.

corbet

Security updates for Thursday

1 year ago
Security updates have been issued by AlmaLinux (.NET 8.0, bind, bind9.16, curl, edk2, firefox, gnome-shell, grafana, jose, krb5, libreoffice, mod_auth_openidc:2.3, orc, pcs, poppler, python-setuptools, python-urllib3, python3.11-setuptools, python3.12-setuptools, thunderbird, tomcat, and wget), Fedora (webkitgtk), SUSE (apache2, glib2, and roundcubemail), and Ubuntu (kernel, linux, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-gkeop-5.15, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-intel-iotg, linux-intel-iotg-5.15, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-oracle, linux-raspi, linux, linux-aws, linux-azure, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-xilinx-zynqmp, linux, linux-aws, linux-azure, linux-gcp, linux-gke, linux-ibm, linux-lowlatency, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, linux-oem-6.8, linux-oracle, linux-raspi, linux, linux-aws, linux-kvm, linux-lts-xenial, linux, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-aws, linux-aws-hwe, linux-bluefield, linux-hwe-5.15, linux-raspi-5.4, and qemu).
jake

"Something has gone seriously wrong," dual-boot systems warn after Microsoft update (Ars Technica)

1 year ago

Ars Technica covers a recent update that is causing problems for users with systems that dual-boot Windows and Linux.

"Note that Windows says this update won't apply to systems that dual-boot Windows and Linux," one frustrated person wrote. "This obviously isn't true, and likely depends on your system configuration and the distribution being run. It appears to have made some linux efi shim bootloaders incompatible with microcrap efi bootloaders (that's why shifting from MS efi to 'other OS' in efi setup works). It appears that Mint has a shim version that MS SBAT doesn't recognize."

The reports indicate that multiple distributions, including Debian, Ubuntu, Linux Mint, Zorin OS, and Puppy Linux, are all affected. Microsoft has yet to acknowledge the error publicly, explain how it wasn't detected during testing, or provide technical guidance to those affected. Company representatives didn't respond to an email seeking answers.

jzb

Górny: Gentoo: profiles and keywords rather than releases

1 year ago

Gentoo developer Michał Górny has written a lengthy blog post that explains how Gentoo approaches releases:

Gentoo is something of a hybrid, as it combines the best of both worlds. It is a rolling release distribution with a single shared repository that is available to all users. However, within this repository we use a keywording system to provide a choice between stable and testing packages, to facilitate both production and development systems (with some extra flexibility), and versioned profiles to tackle major lock-step upgrades.
jzb

[$] Modernizing openSUSE installation with Agama

1 year ago

Linux installers receive a disproportionate amount of attention compared to the amount of time that most users spend with them. Ideally, a user spends only a few minutes using the installer, versus years using the distribution after it is installed. Yet, the installer sets the first impression, and if it fails to do its job, little else matters. Installers also have to continually evolve to keep pace with new hardware, changes in distribution packaging (such as image-based Linux distributions), and so forth. Along those lines, the SUSE team that maintains the venerable YaST installer has decided it's time to start (almost) fresh with a new Linux installer project, called Agama, for new projects. YaST is not going away as an administration tool, but it is likely to be relieved of installer duties at some point.

jzb

Security updates for Wednesday

1 year ago
Security updates have been issued by Debian (aom, cinder, dovecot, glance, and nova), Fedora (mysql8.0), Oracle (curl and libreoffice), SUSE (oniguruma, openssl-1_0_0, openssl1, and xen), and Ubuntu (cacti, curl, exfatprogs, firefox, and vim).
jzb

[$] Python subinterpreters and free-threading

1 year ago
At PyCon 2024 in Pittsburgh, Pennsylvania, Anthony Shaw looked at the various kinds of parallelism available to Python programs. There have been two major developments on the parallel-execution front over the last few years, with the effort to provide subinterpreters, each with its own global interpreter lock (GIL), along with the work to remove the GIL entirely. In the talk, he explored the two approaches to try to give attendees a sense of how to make the right choice for their applications.
jake
LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.