Linux Weekly News

Linus has released the 6.10 kernel.

So the final week was perhaps not quite as quiet as the preceding ones, which I don't love - but it also wasn't noisy enough to warrant an extra rc.

Changes in 6.10 include the removal of support for some ancient Alpha CPUs, shadow-stack support for the x32 sub-architecture, Rust-language support on RISC-V systems, support for some Windows NT synchronization primitives (though it is marked "broken" in 6.10), the mseal() system call, fsverity support in the FUSE filesystem subsystem, ioctl() support in the Landlock security module, the memory-allocation profiling subsystem, and more.

See the LWN merge-window summaries (part 1, part 2) and the KernelNewbies 6.10 page for more details.

The GNOME Foundation has announced that executive director Holly Million is stepping down at the end of July, and will be replaced by Richard Littauer as interim executive director:

On behalf of the whole GNOME community, the Board of Directors would like to give our utmost thanks to Holly for her achievements during the past 10 months, including drafting a bold five-year strategic plan for the Foundation, securing two important fiscal sponsorship agreements with GIMP and Black Python Devs, writing our first funding proposal that will now enable the Foundation to apply for more grants, vastly improving our financial operations, and implementing a break-even budget to preserve our financial reserves.

The Foundation's Interim Executive Director, Richard Littauer, brings years of open source leadership as part of his work as an organizer of SustainOSS and CURIOSS, as a sustainability coordinator at the Open Source Initiative, and as a community development manager at Open Source Collective, and through open source contributions to many projects, such as Node.js and IPFS. The Board appointed Richard in June and is confident in his ability to guide the Foundation during this transitional period.

Million says she is leaving to pursue a PhD in psychology. The board plans to announce its search plan for a permanent executive directory after GUADEC, which takes place July 19 through 24.

Linux Mint has released a beta of its next long-term-support (LTS) release, Linux Mint 22 (code-named "Wilma"), based on Ubuntu 24.04. Aside from the standard software updates that come with any major upgrade, some of Wilma's largest selling points are what it doesn't have; namely snap packages or GNOME applications that have broken theming on non-GNOME desktops like Mint's Cinnamon desktop.

Security updates have been issued by Debian (apache2), Fedora (mingw-python3 and python-urllib3), Oracle (dotnet6.0, dotnet8.0, fence-agents, openssh, pki-core, and virt:ol and virt-devel:rhel), SUSE (apache2, firefox, libvpx, oniguruma, python-zipp, python310, thunderbird, and tomcat10), and Ubuntu (apache2, apport, linux, linux-azure, linux-gcp, linux-ibm, linux-intel, linux-lowlatency, linux-oem-6.8, linux-raspi, linux, linux-gcp, linux-nvidia-6.5, linux-raspi, linux-gke, and python-django).

Since the disagreements that led to Eelco Dolstra stepping down from the NixOS Foundation board, there have been a number of projects forked from or inspired by Nix that have stepped up to compete with it. Two months on, some of these projects are now well-established enough to look at what they have to offer and how they compare to each other. Overall, users have a number of good options to choose from, whether they're seeking a compatible replacement for Nix (the configuration language and package manager) or NixOS (the Linux distribution), or something that takes the same ideas in a different direction.

The sixth edition of the Power Management and Scheduling in the Linux Kernel (OSPM) Summit took place on May 30-31 2024, and was graciously hosted by the Institut de Recherche en Informatique de Toulouse (IRIT) in Toulouse, France. This is the first of a series of articles describing the discussions held at OSPM 2024; topics covered include latency hints, energy-aware scheduling, ChromeOS, and user-space schedulers.

The 6.9.9, 6.6.39, and 6.1.98 stable kernels have been released. As usual, they contain lots of important fixes throughout the tree.

Security updates have been issued by AlmaLinux (dotnet6.0, dotnet8.0, fence-agents, and virt:rhel and virt-devel:rhel), Debian (exim4 and firefox-esr), Fedora (dotnet8.0, firefox, onnx, qt6-qtbase, squid, and wordpress), Mageia (golang, netatalk, php, and poppler), Red Hat (ghostscript, httpd, openssh, python3, and ruby), Slackware (mozilla), SUSE (kernel and openssh), and Ubuntu (linux-aws-5.4, linux-azure, linux-ibm-5.15, and python3.5, python3.6, python3.7, python3.8, python3.9, python3.10, python3.11, python3.12).

The research value of this USENIX paper by Hongyu Li et al. is not entirely clear, but it does show that the Rust-for-Linux project is gaining wider attention.

Despite more novice developers being attracted by Rust to the kernel community, we have found their commits are mainly for constructing Rust-relevant toolchains as well as Rust crates alone; they do not, however, take part in kernel code development. By contrast, 5 out of 6 investigated drivers (as seen in Table 5) are mainly contributed by authors from the Linux community. This implies a disconnection be- tween the young and the seasoned developers, and that the bar of kernel programming is not lowered by Rust language.

As a bonus, it includes a ChatGPT analysis of LWN and Hacker News comments.

The LWN.net Weekly Edition for July 11, 2024 is available.

Doug Brown documents the long journey to fixing a bug in the GDebi utility for installing Debian packages. He first encountered the bug in Ubuntu MATE 18.04: "at the time I just ignored this issue. I didn't want to deal with it. I went off to the trusty Linux terminal and installed Chrome that way instead".

Two and a half years ago, I committed to doing more open-source contributions in my free time and was finally irritated enough about this problem to look into it. I searched around for more info. Lo and behold, lots of people were also affected and there was already an issue from 2019 on Ubuntu's bug tracker about it.

[...] As is commonly the case in software development, the difficult part of this fix had nothing to do with the code itself. All of my effort was spent figuring out Ubuntu's patch submission processes and advocating for my merge request. Nobody else seemed to be interested in doing the work to actually fix this bug that has been plaguing Ubuntu MATE and Xubuntu, not to mention some Debian users, for over 6 years. After dealing with the long process of getting my merge request approved, I think I'm starting to understand why!

Brown notes that the fix is now packaged for the upcoming Ubuntu 24.10 release, and should be backported to 22.04 and 24.04 eventually.

Fedora Atomic Desktop and Fedora IoT systems installed before Fedora 40 may fail to boot after an update if secure boot is enabled. Fedora Magazine has a post by Timothée Ravier about the problem, how users can work around it, and what the project is doing to avoid the similar problems in the future:

On Fedora Atomic Desktops and Fedora IoT systems, the components that are part of the boot chain (Shim, GRUB) are not (yet) automatically updated alongside the rest of the system. Thus, if you have installed a Fedora Atomic Desktop or a Fedora IoT system before Fedora 40, it uses an old versions of the Shim and bootloader binaries to boot your system.

When Secure Boot is enabled, the EFI firmware loads Shim first. Shim is signed by the Microsoft Third Party Certificate Authority so that it can be verified on most hardware out of the box. The Shim binary includes the Fedora certificates used to verify binaries signed by Fedora. Then Shim loads GRUB, which in turn loads the Linux kernel. Both are signed by Fedora.

Until recently, the kernel binaries where signed two times, with an older key and a newer one. With the 6.9 kernel update, the kernel is no longer signed with the old key. If GRUB or Shim is old enough and does not know about the new key, the signature verification fails.

The eventfs filesystem provides an interface to the tracepoints that are available to be used by various Linux tracing tools (e.g. ftrace, perf, uprobes, etc.); it is meant to be a version of the tracefs filesystem that dynamically allocates its entries as needed. The goal is to reduce the memory required for multiple instances of tracefs, as Steven Rostedt described in a session at the 2022 Linux Storage, Filesystem, Memory Management, and BPF Summit. He returned to the 2024 edition of the summit to talk further about how to make pseudo (or virtual) filesystems, such as tracefs/eventfs, more like regular Linux filesystems, where the directory entries (dentries) and inodes are only created (and cached) as needed.

Sxmo, short for "Simple X Mobile", is described on its web site as "a minimalist environment for Linux mobile devices"; it offers a menu-driven interface that is controlled with the phone's hardware buttons. Sxmo enables the user to send SMS messages from a text editor and is entirely customizable with shell scripts. This peculiar mobile user interface significantly differs from the prevailing approach—but it works.

Security updates have been issued by AlmaLinux (buildah, gvisor-tap-vsock, kernel-rt, libreswan, linux-firmware, pki-core, and podman), Fedora (firefox and jpegxl), Gentoo (Buildah, HarfBuzz, and LIVE555 Media Server), Oracle (buildah, gvisor-tap-vsock, kernel, libreswan, and podman), Red Hat (containernetworking-plugins, dotnet6.0, dotnet8.0, fence-agents, kernel, libreswan, libvirt, perl-HTTP-Tiny, python39:3.9, toolbox, and virt:rhel and virt-devel:rhel modules), SUSE (firefox, freeradius-server, haproxy, jbigkit, kernel, kernel-firmware, pam, ppp, python3-cryptography, skopeo, and tar), and Ubuntu (dotnet6, dotnet8, exim4, firefox, golang-1.21, golang-1.22, openssh, and python-django).

There are a number of kernel filesystems that store their directory entries directly in the directory-entry cache (dcache) without having any permanent storage for those objects. It started out as a "neat hack" for ramfs, Al Viro said, at the start of his filesystem-track session at the 2024 Linux Storage, Filesystem, Memory Management, and BPF Summit. Unfortunately, as the use of this technique has grown into other filesystems, there has been a lot of scope creep that has gotten out of control. He wanted to discuss some new infrastructure that he is working on to try to clean some of that up.

Version 128.0 of the Firefox browser has been released. Changes this time include the ability to translate highlighted phrases from the context menu, display of recent searches on opening the address bar (US/Canada only), a streamlined dialog for clearing user data, and more.

The PSP security protocol (PSP) is a way to transparently encrypt packets by efficiently offloading encryption and decryption to the network interface cards (NICs) that Google uses for connections inside its data centers. The protocol is similar to IPsec, in that it allows for wrapping arbitrary traffic in a layer of encryption. The difference is that PSP is encapsulated in UDP, and designed from the beginning to reduce the amount of state that NICs have to track in order to send and receive encrypted traffic, allowing for more simultaneous connections. Jakub Kicinski wants to add support for the protocol to the Linux kernel.

Alexander "Solar Designer" Peslyak has disclosed another OpenSSH vulnerability that can be exploited for remote code execution, but only on distributions that have applied a patch to add auditing support. Specifically, RHEL 9 and derivatives are affected, as are Fedora 36 and 37 (but not later releases).

The main difference from CVE-2024-6387 is that the race condition and RCE potential are triggered in the privsep child process, which runs with reduced privileges compared to the parent server process. So immediate impact is lower. However, there may be differences in exploitability of these vulnerabilities in a particular scenario, which could make either one of these a more attractive choice for an attacker, and if only one of these is fixed or mitigated then the other becomes more relevant.

Security updates have been issued by AlmaLinux (virt:rhel and virt-devel:rhel), Fedora (ghostscript, golang, httpd, libnbd, netatalk, rust-sequoia-chameleon-gnupg, rust-sequoia-gpg-agent, rust-sequoia-keystore, rust-sequoia-openpgp, and rust-sequoia-sq), Mageia (apache), Red Hat (booth, buildah, edk2, fence-agents, git, gvisor-tap-vsock, kernel, kernel-rt, less, libreswan, linux-firmware, openssh, pki-core, podman, postgresql-jdbc, python3, tpm2-tss, virt:rhel, and virt:rhel and virt-devel:rhel modules), SUSE (krb5, poppler, and python-docker), and Ubuntu (apache2, cinder, glance, nova, and Tomcat).