Amarok 3.0 “Castaway” released
The Amarok music player project
has announced
the release of version 3.0, which is codenamed “Castaway”. It is the first
stable version using Qt 5 and KDE Frameworks 5, and the first stable
release since the final Qt-4-based 2.9.0 in 2018.

The road to 3.0 has not been a short one. Much of the Qt5/KF5 porting was done in 2015 already, but finishing and polishing everything up has been a slow, sometimes ong … ⌘ Read more

[$] A leadership crisis in the Nix community
On April 21, a group of anonymous authors and non-anonymous signatories published
a lengthy open letter to the
Nix community
and Nix founder Eelco Dolstra calling for his resignation from the project. They
claimed ongoing problems with the project’s leadership, primarily focusing on the
way his actions have allegedly
undermined people nominally empowered to perform various
moderation and governance tasks. Since its release, the letter … ⌘ Read more

Security updates for Monday
Security updates have been issued by AlmaLinux (buildah, go-toolset:rhel8, golang, java-11-openjdk, java-21-openjdk, libreswan, thunderbird, and tigervnc), Debian (chromium, emacs, frr, mediawiki, ruby-rack, trafficserver, and zabbix), Fedora (chromium, grub2, python-idna, and python-reportlab), Mageia (chromium-browser-stable, firefox, opencryptoki, and thunderbird), Red Hat (container-tools:4.0, container-tools:rhel8, git-lfs, and shim), SUSE (frr, java-11-openjdk, java-1_8_0-ope … ⌘ Read more

McQueen: Update from the GNOME board
Robert McQueen has posted a message\
from the GNOME Foundation board describing the current financial
situation, plans to improve it, and an increase in the size of the board.

The Foundation has a reserves policy which specifies a minimum
amount of money we have to keep in our accounts. This is so that if
there is a significant interruption to our usual income, we can
preserve our core operations while we work on new funding
… ⌘ Read more

Kernel prepatch 6.9-rc6
The 6.9-rc6 kernel prepatch is out for
testing.

Things continue to look pretty normal, and nothing here really
stands out. The biggest single change that stands out in the
diffstat is literally a documentation update, everything else looks
pretty small and spread out. ⌘ Read more

Four weekend stable kernel releases
The
6.8.8,
6.6.29,
6.1.88, and
5.15.157
stable kernels have been released; each contains another set of important
fixes. ⌘ Read more

[$] Giving Rust a chance for in-kernel codecs
Video playback is undeniably one of the most important features in modern
consumer devices. Yet, surprisingly, users are by and large unaware of the
intricate engineering involved in the compression and decompression of
video data, with codecs being left to find a delicate balance between image
quality, bandwidth, and power consumption. In response to constant
performance pressure, video codecs have become complex and hardware
implementations are now common, but programming these devices i … ⌘ Read more

[$] Support for the TSO memory model on Arm CPUs
At the CPU level, a memory model describes, among other things, the amount
of freedom the processor has to reorder memory operations. If low-level
code does not take the memory model into account, unpleasant surprises are
likely to follow. Naturally, different CPUs offer different memory models,
complicating the portability of certain types of concurrent software. To
make life easier, some Arm CPUs offer the ability to emulate the x86 memory
model, but efforts to make that feature avail … ⌘ Read more

Security updates for Friday
Security updates have been issued by Debian (knot-resolver, pdns-recursor, and putty), Fedora (xen), Mageia (editorconfig-core-c, glibc, mbedtls, webkit2, and wireshark), Oracle (buildah), Red Hat (buildah and yajl), Slackware (libarchive), SUSE (dcmtk, openCryptoki, php7, php74, php8, python-gunicorn, python-idna, qemu, and thunderbird), and Ubuntu (cryptojs, freerdp2, nghttp2, and zabbix). ⌘ Read more

[$] Python JIT stabilization
On April 11, Brandt Bucher posted
PEP 744 (“JIT Compilation”),
which summarizes the current state of Python’s new copy-and-patch just-in-time (JIT) compiler. The JIT is currently
experimental, but the PEP proposes some criteria for the circumstances under which it
should become a non-experimental part of Python.
The discussion of the PEP hasn’t
reached a conclusion, but
seve … ⌘ Read more

Ubuntu 24.04 LTS (Noble Numbat) released
Version 24.04 LTS of the Ubuntu distribution is out.

This release continues Ubuntu’s proud tradition of integrating the
latest and greatest open source technologies into a high-quality,
easy-to-use Linux distribution. The team has been hard at work
through this cycle, together with the community and our partners,
to introduce new features and fix bugs.

The list of changes and enhancements is long; click below for some details.
More information can be found in [the\
release notes … ⌘ Read more

[$] The state of realtime and embedded Linux at OSSNA
Linux, famously, appears in a wide range of systems. While servers and
large data centers get a lot of the attention, and this year will always be
the year of the Linux desktop, there is also a great deal of Linux to be
found in realtime and embedded applications. Two talks held in the
realtime and embedded tracks of the 2024 Open\
Source Summit North America provided listeners with an update on how
Linux is do … ⌘ Read more

Security updates for Thursday
Security updates have been issued by Fedora (curl, filezilla, flatpak, kubernetes, libfilezilla, thunderbird, and xen), Oracle (go-toolset:ol8, kernel, libreswan, shim, and tigervnc), Red Hat (buildah, gnutls, libreswan, tigervnc, and unbound), SUSE (cockpit-wicked, nrpe, and python-idna), and Ubuntu (dnsmasq, freerdp2, linux-azure-6.5, and thunderbird). ⌘ Read more

[$] LWN.net Weekly Edition for April 25, 2024
The LWN.net Weekly Edition for April 25, 2024 is available. ⌘ Read more

GitHub comments used to distribute malware (BleepingComputer)
BleepingComputer
reported on April 20 that some malware was being distributed via GitHub.
Uploading files as part of a comment gives them a URL that appears to be
associated with a repository, even if the comment is never posted.

A GitHub flaw, or possibly a design decision, is being abused by threat actors
to distribute malware using URLs associated with M … ⌘ Read more

A new crash reporter for Firefox
On April 23, Mozilla
announced that Firefox’s crash reporter has been rewritten in Rust, allowing the
project to address a backlog of issues.

Even though it is important to properly handle main process crashes, the crash
reporter hasn’t received significant development in a while (aside from
development to ensure that crash reports and telemetry continue to reliably be
delivered)! It has long been stuck in a … ⌘ Read more

QEMU 9.0 released
Version 9.0 of
the QEMU emulator has been released. “This release contains 2700+
commits from 220 authors.” The list of improvements is long; see the
announcement and the\
changelog for details. ⌘ Read more

[$] Existential types in Rust
For several years, contributors to the Rust project have
been working to improve support for asynchronous
code. The benefits of these efforts are not confined to asynchronous code,
however. Members of the Rust community have been working toward adding explicit
existential types to Rust since 2017. Existential types are not a common feature
of programming languages (something
[the RFC](https://rust-lang.github.io/rfcs/2515-type_alias_impl_trait … ⌘ Read more

Security updates for Wednesday
Security updates have been issued by Fedora (abseil-cpp, chromium, filezilla, libfilezilla, and xorg-x11-server-Xwayland), Oracle (firefox, gnutls, golang, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-21-openjdk, kernel, libreswan, mod_http2, owO: thunderbird, and thunderbird), Red Hat (container-tools:rhel8, gnutls, grub2, kernel, kernel-rt, less, linux-firmware, opencryptoki, pcs, postgresql-jdbc, and thunderbird), Slackware (ruby), SUSE (kubernetes1.23, kubernetes1.2 … ⌘ Read more

[$] A change in direction for security-module stacking?
The long-running effort to complete the work on stacking (or composing) the
Linux security modules (LSMs) recently encountered a barrier—in the form of
a “suggestion” to discontinue it from Linus Torvalds. His complaint
revolved around the indirect function calls that are used to implement
LSMs, but he also did not think much of the effort to switch away from
those calls. While it does not appear that a major course-change is in store
for LSMs, it is clear that Torvalds is not ha … ⌘ Read more

Fedora 40 released
The Fedora 40 distribution has been\
released. See the “what’s new” pages for Fedora\
Workstation and Fedora\
KDE to learn more about the desktop spins, along with this LWN article, for more information. ⌘ Read more

[$] Rust for embedded Linux kernels
The Rust programming language, it is hoped, will bring a new level of
safety to the Linux kernel. At the moment, though, there are still a
number of impediments to getting useful Rust code into the kernel. In the
Embedded Open Source Summit track of the Open\
Source Summit North America, Fabien Parent provided an overview of his
work aimed at improving the infrastructure needed to write the device
drivers needed by embedded syst … ⌘ Read more

Security updates for Tuesday
Security updates have been issued by Debian (glibc and samba), Fedora (chromium, cjson, mingw-python-idna, and pgadmin4), Mageia (kernel, kmod-xtables-addons, kmod-virtualbox, kernel-linus, and perl-Clipboard), Red Hat (go-toolset:rhel8, golang, java-11-openjdk, kpatch-patch, and shim), Slackware (freerdp), SUSE (apache-commons-configuration, glibc, jasper, polkit, and qemu), and Ubuntu (google-guest-agent, google-osconfig-agent, linux-lowlatency-hwe-6.5, pillow, and squid). ⌘ Read more

The Open Home Foundation launches
The Open Home Foundation has announced\
its existence as a home and support resource for free home-automation
projects.

We created the Open Home Foundation to fight for the fundamental
principles of privacy, choice, and sustainability for smart
homes. And every person who lives in one.

Ahead of today, we’ve transferred over 240 projects, standards,
drivers, and libraries—Home Assistant, ESPHome, Zigpy, Piper … ⌘ Read more

Andreas Tille elected as Debian project leader
The Debian project leader

election results are in and Andreas Tille
has been elected.
In a fairly competitive vote, Tille beat Sruthi Chandran to fill the
position for
the coming year. We looked at the election and the\
candidates a few weeks back. ⌘ Read more

[$] Linus and Dirk chat about AI, XZ, hardware, and more
One of the mainstays of the the Linux Foundation’s Open Source Summit is the “fireside chat”
(sans fire) between Linus Torvalds and Dirk Hohndel to discuss open source and
Linux kernel topics of the day. On April 17, at Open Source Summit\
North America (OSSNA) in Seattle, Washington, they held with tradition
and discussed a range of topics including proper whitespace parsing,
security, and the current AI cr … ⌘ Read more

Hutterer: udev-hid-bpf: quickstart tooling to fix your HID devices with eBPF
Peter Hutterer announces\
udev-hid-bpf, a tool to facilitate the loading of BPF programs that
make human-input devices work correctly.

eBPF was originally written for network packet filters but as of
kernel v6.3 and thanks to Benjamin, we have BPF in the HID
subsystem. HID actually lends itself really well to BPF because,
well, we have a byte array and to fix our devi … ⌘ Read more

Security updates for Monday
Security updates have been issued by AlmaLinux (firefox and java-1.8.0-openjdk), Debian (chromium, flatpak, guix, openjdk-11, openjdk-17, thunderbird, and tomcat9), Fedora (chromium, firefox, glibc, nghttp2, nodejs18, python-aiohttp, python-django3, python-pip, and uxplay), Mageia (putty & filezilla), Red Hat (Firefox, firefox, java-1.8.0-openjdk, java-21-openjdk, nodejs:18, shim, and thunderbird), Slackware (freerdp), SUSE (apache-commons-configuration2, nodejs14, perl-CryptX, p … ⌘ Read more

Kernel prepatch 6.9-rc5
Linus has released 6.9-rc5 for testing.

But if you ignore those oddities, it all looks pretty normal and
things appear fairly calm. Which is just as well, since the first
part of the week I was on a quick trip to Seattle, and the second
part of the week I’ve been doing a passable imitation of the
Fontana di Trevi, except my medium is mucus. ⌘ Read more

[$] Weighted memory interleaving and new system calls
Gregory Price recently posted
a patch set that adds support for weighted memory interleaving — allowing a
process’s memory to be distributed between
non-uniform memory access (NUMA)
nodes in a more controlled way.
According to his performance measurements, the patch set could provide a
significant improvement for computers with network-atta … ⌘ Read more

Security updates for Friday
Security updates have been issued by AlmaLinux (gnutls, java-17-openjdk, mod_http2, and squid), Debian (firefox-esr), Fedora (editorconfig, perl-Clipboard, php, rust, and wordpress), Mageia (less, libreswan, puppet, and x11-server, x11-server-xwayland, and tigervnc), Slackware (aaa_glibc), and SUSE (firefox, graphviz, kernel, nodejs12, pgadmin4, tomcat, and wireshark). ⌘ Read more

[$] Gentoo bans AI-created contributions
Gentoo Council member Michał Górny posted
an RFC to the gentoo-dev mailing
list in late February about banning “‘AI’-backed (LLM/GPT/whatever)
contributions” to the Gentoo Linux project. Górny wrote that the spread of the
“AI bubble” indicated a need for Gentoo to formally take a stand on AI
tools. After a lengthy discussion, the Gentoo Council [voted](http … ⌘ Read more

[$] Warning about WARN_ON()
Kernel developers, like conscientious developers for many projects, will
often include checks in the code for conditions that are never expected to
occur, but which would indicate a serious problem should that expectation
turn out to be incorrect. For years, developers have been encouraged (to
put it politely) to avoid using assertions that crash the machine for such
conditions unless there is truly no alternative. Increasingly, though, use
of the kernel’s WARN_ON() family of macros, which developers were
… ⌘ Read more

Security updates for Thursday
Security updates have been issued by Debian (firefox-esr, jetty9, libdatetime-timezone-perl, tomcat10, and tzdata), Fedora (cockpit, filezilla, and libfilezilla), Red Hat (firefox, gnutls, java-1.8.0-openjdk, java-17-openjdk, kernel, kernel-rt, less, mod_http2, nodejs:18, rhc-worker-script, and shim), Slackware (mozilla), SUSE (kernel), and Ubuntu (apache2, glibc, and linux-xilinx-zynqmp). ⌘ Read more

[$] LWN.net Weekly Edition for April 18, 2024
The LWN.net Weekly Edition for April 18, 2024 is available. ⌘ Read more

[$] Managing to-do lists on the command line with Taskwarrior
Managing to-do lists is something of a universal necessity. While some
people handle them mentally or on paper, others resort to a web-based tool or
a mobile
application. For those preferring the command line, the MIT-licensed Taskwarrior offers a flexible solution
with a healthy community and lots of extensions. ⌘ Read more

Four more stable kernels
The
6.8.7,
6.6.28,
6.1.87, and
5.15.156 stable kernel updates have all been
released. ⌘ Read more

Security updates for Wednesday
Security updates have been issued by Debian (apache2 and cockpit), Fedora (firefox, kernel, mbedtls, python-cbor2, wireshark, and yyjson), Mageia (nghttp2), Red Hat (kernel, kernel-rt, opencryptoki, pcs, shim, squid, and squid:4), Slackware (firefox), SUSE (emacs, firefox, and kernel), and Ubuntu (linux-aws, linux-aws-5.15, linux-aws-6.5, linux-raspi, and linux-iot). ⌘ Read more

[$] Identifying dependencies used via dlopen()
The recent XZ backdoor has sparked a lot of discussion about how the open-source
community links and packages software. One possible
security improvement being discussed
is changing how
projects like systemd link to dynamic libraries that are only used for
optional functionality: using
dlopen() to load those libraries only
when required. This could
shrink the attack surface exposed by dependencies, b … ⌘ Read more

[$] Fedora 40 firms up for release
Fedora 40 Beta was released
on March 26, and the final release is nearing completion. So far,
the release is coming together nicely with major
updates for GNOME, KDE Plasma, and the usual cavalcade of
smaller updates and enhancements. As part of the release, the project also scuttled Delta\
RPMs and OpenSSL 1.1. ⌘ Read more

PuTTY 0.81 security release
Version\
0.81 of the PuTTY SSH client is out with a fix for CVE-2024-31497;
some users will want to update and generate new keys:

PuTTY 0.81, released today, fixes a critical vulnerability
CVE-2024-31497 in the use of 521-bit ECDSA keys
(ecdsa-sha2-nistp521). If you have used a 521-bit ECDSA private
key with any previous version of PuTTY, consider the private key
compromised … ⌘ Read more

Security updates for Tuesday
Security updates have been issued by Debian (php7.4 and php8.2), Fedora (c-ares), Mageia (python-pillow and upx), Oracle (bind and dhcp, bind9.16, httpd:2.4/mod_http2, kernel, rear, and unbound), SUSE (eclipse, maven-surefire, tycho, emacs, kubevirt, virt-api-container, virt-controller-container, virt-exportproxy-container, virt-exportserver-container, virt-handler-container, virt-launcher-container, virt-libguestfs-t, nodejs16, nodejs18, nodejs20, texlive, vim, webkit2gtk3, and xen), … ⌘ Read more

OpenSSF and OpenJS warn about social-engineering attacks
The Open Source Security Foundation and the OpenJS Foundation have jointly
posted a\
warning about XZ-like social-engineering attacks after OpenJS was
seemingly targeted.

The OpenJS Foundation Cross Project Council received a suspicious
series of emails with similar messages, bearing different names and
overlapp … ⌘ Read more

[$] Cleaning up after BPF exceptions
Kumar Kartikeya Dwivedi has been working to add support for exceptions to BPF
since mid-2023. In July, Dwivedi posted
the first patch set in this effort, which adds support for basic stack unwinding.
In February 2024, he posted
the second patch set
aimed at letting the kernel release resources held by the BPF program when an
exception occurs. This makes exceptions usable in many more contexts. ⌘ Read more

Security updates for Monday
Security updates have been issued by AlmaLinux (bind, bind and dhcp, bind9.16, gnutls, httpd:2.4/mod_http2, squid:4, and unbound), Debian (kernel, trafficserver, and xorg-server), Fedora (chromium, kernel, libopenmpt, and rust-h2), Mageia (apache-mod_jk, golang, indent, openssl, perl-HTTP-Body, php, rear, ruby-rack, squid, varnish, and xfig), Oracle (bind, squid, unbound, and X.Org server), Red Hat (bind and dhcp and unbound), Slackware (less and php), SUSE (gnutls, python- … ⌘ Read more

Kernel prepatch 6.9-rc4
The 6.9-rc4 kernel prepatch is out for
testing. “Nothing particularly unusual going on this week - some new hw
mitigations may stand out, but after a decade of this I can’t really call
it ‘unusual’ any more, can I?” ⌘ Read more

Saturday’s stable kernel updates
The
6.8.6,
6.6.27,
6.1.86,
5.15.155,
5.10.215,
5.4.274, and
4.19.312
stable kernel updates have all been released; each contains a relatively
large number of important fixes. ⌘ Read more

[$] A tale of two troublesome drivers
The kernel project merges dozens of drivers with every development cycle,
and almost every one of those drivers is entirely uncontroversial.
Occasionally, though, a driver submission raises wider questions, leading
to lengthy discussion and, perhaps, opposition. That is currently the case
with two separate drivers, both with ties to the networking subsystem. One
of them is hung up on questions of whether (and how) all device
functionality should be made available to user space, while the other has … ⌘ Read more

What we need to take away from the XZ Backdoor (openSUSE News)
Dirk Mueller has posted a\
lengthy analysis of the XZ backdoor on the openSUSE News site, with a
focus on openSUSE’s response.

Debian, as well as the other affected distributions like openSUSE
are carrying a significant amount of downstream-only patches to
essential open-source projects, like in this case OpenSSH. With
hindsight, that should be another Heartbleed-level learning for the
work … ⌘ Read more

Security updates for Friday
Security updates have been issued by Debian (chromium), Fedora (rust, trafficserver, and upx), Mageia (postgresql-jdbc and x11-server, x11-server-xwayland, tigervnc), Red Hat (bind, bind9.16, gnutls, httpd:2.4, squid, unbound, and xorg-x11-server), SUSE (perl-Net-CIDR-Lite), and Ubuntu (apache2, maven-shared-utils, and nss). ⌘ Read more