Welcome to LWN.net
LWN.net is a reader-supported news site dedicated to producing the best coverage from within the Linux and free software development communities. See the LWN FAQ for more information, and please consider subscribing to gain full access and support our activities.
[$] The first half of the 6.8 merge window
The 6.8 merge window has gotten off to a relatively slow start; reasons for that include a significant scheduler performance regression that Linus Torvalds stumbled into and has spent time tracking down. Even so, 4,282 non-merge changesets have found their way into the mainline repository for the 6.8 release as of this writing. These commits have brought a number of significant changes and new features.
[$] The kernel "closure" API
The data structure known as a "closure" first found its way into the mainline kernel with the addition of bcache in the 3.10 development cycle. With the advent of bcachefs in 6.7, though, it acquired a second user and was moved to the kernel's lib directory, making it available to other kernel users as well. The documentation of closures in the source is better than that of many things in the kernel, but there is still room for a gentler introduction.
[$] LWN.net Weekly Edition for January 11, 2024
Posted Jan 11, 2024 0:16 UTC (Thu)The LWN.net Weekly Edition for January 11, 2024 is available.
Inside this week's LWN.net Weekly Edition
- Front: Org Mode; CVE-2012-5639; Kernel-text replication; None-aware operators; 6.7 Development statistics.
- Briefs: Linux 6.7; Regression tracking; OpenWrt One; Solus 4.5; Python JIT; Vcc; Niklaus Wirth RIP; Quotes; ...
- Announcements: Newsletters, conferences, security updates, patches, and more.
[$] Notes on Emacs Org mode
As part of my quest to master Emacs, which is sort of a sub-quest on the way toward learning more about Lisp, I have spent a fair amount of time discovering various corners of the Emacs world. One of those is the famous "Org mode" that is used for a wide variety of organizational tasks within the editor—and not just Emacs, but for Vim and others too. Org mode can be used for to-do lists, notes with interconnections between them, literate programming, web sites, and more. Now my quests are growing quests of their own and digging into Org mode is one of those.
[$] The odd saga of CVE-2012-5639
A new release for any project with a fix for a 12-year old CVE is going to stand out pretty obviously; a recent release has a fix of that nature, but the trail of CVE-2012-5639 is rather elusive. The Apache OpenOffice project made its 4.1.15 release with fixes for four CVEs, including one for CVE-2012-5639 ("Loading internal / external resources without warning"), on December 22. But nearly everything about that CVE seems rather murky, and it is difficult to get a clear picture of what, exactly, was done in OpenOffice to address the problem.
[$] Some 6.7 development statistics
The 6.7 kernel was released on January 7 after a ten-week development cycle. This was, as it turns out, the busiest cycle ever with regard to the number of changesets merged. The time has come for our usual look at where all those changesets came from, with a side trip into how long kernel developers tend to stick around.
[$] Kernel-text replication on NUMA systems
Kernel developers often go out of their way to reduce the memory used by the kernel itself; that memory is not available for the workloads that people are actually interested in running on their systems. Lower memory usage also tends to lead to better performance overall. But there are times when the expenditure of some extra memory can make the system faster. The replication of the kernel's text (executable code) and read-only data across a NUMA system may be a case in point; patch sets have been posted adding that capability to two architectures.
[$] The return of None-aware operators for Python
The saga of the None-aware (or null-coalescing) operators for Python continues. We last looked in on the topic a little over a year ago and noted that either adoption or a clear rejection of the idea might help tamp down its regular recurrence. That has not happened, so, predictably, it was raised again—and does not look any closer to resolution this time around.
LWN.net Weekly Edition for January 4, 2024
Posted Jan 4, 2024 1:40 UTC (Thu)The LWN.net Weekly Edition for January 4, 2024 is available.
Inside this week's LWN.net Weekly Edition
- Front: LWN's 2024 predictions; SMTP smuggling; Data-type profiling; MAX_ORDER; The Linux graphics stack.
- Briefs: Maestro; Debian CRA statement; Binary Gentoo; Gnuplot 6; Julia 1.10; Ruby 3.3; Scribus 1.6; Vim 9.1; ...
- Announcements: Newsletters, conferences, security updates, patches, and more.
Smuggling email inside of email
Normally, when a new vulnerability is discovered and releases are coordinated with those affected, the announcement is done at a convenient time—not generally right before the end-of-year holidays, for example. The SMTP Smuggling vulnerability has taken a different path, however, with its announcement landing on December 18. That may well have been unpleasant for some administrators that had not yet updated, but it was particularly problematic for some projects that had not been made aware of the vulnerability at all—though it was known to affect several open-source mailers.
Stable kernel 5.10.207
The 5.10.207 stable kernel update has been released; it consists entirely of a handful of reverts of SCSI patches.
Linux Mint 21.3 "Virginia" released
The Linux Mint distribution has announced the release of Linux Mint 21.3, which is codenamed "Virginia". It has the Cinnamon 6.0 desktop, "comes with full support for SecureBoot and compatibility with a wider variety of BIOS and EFI implementation
", has added new features to the Hypnotix TV-viewer application, and more. See the release notes for even more information about it.
Information on the SourceHut outage
Users of SourceHut will have noticed that the site has been unreachable; Drew DeVault has now posted a report on what is happening (it's a distributed denial-of-service attack) and what is being done to recover.
We deal with ordinary DDoS attacks in the normal course of operations, and we are generally able to mitigate them on our end. However, this is not an ordinary DDoS attack; the attacker posesses considerable resources and is operating at a scale beyond that which we have the means to mitigate ourselves. In response, before we could do much ourselves to understand or mitigate the problem, our upstream network provider null routed SourceHut entirely, rendering both the internet at large, and SourceHut staff, unable to reach our servers.
Security updates for Friday
Security updates have been issued by Debian (kernel, linux-5.10, php-phpseclib, php-phpseclib3, and phpseclib), Fedora (openssh and tinyxml), Gentoo (FreeRDP and Prometheus SNMP Exporter), Mageia (packages), Red Hat (openssl), SUSE (gstreamer-plugins-rs and python-django-grappelli), and Ubuntu (dotnet6, dotnet7, dotnet8, openssh, and xerces-c).
OpenSSH announces DSA-removal timeline
For those of you still using DSA keys with SSH: the project has announced its plans to remove support for that algorithm around the beginning of 2025.
The only remaining use of DSA at this point should be deeply legacy devices. As such, we no longer consider the costs of maintaining DSA in OpenSSH to be justified. Moreover, we hope that OpenSSH's final removal of this insecure algorithm accelerates its deprecation in other SSH implementations and allows maintainers of cryptography libraries to remove it too.
Security updates for Thursday
Security updates have been issued by Debian (chromium), Fedora (chromium, python-paramiko, tigervnc, and xorg-x11-server), Oracle (ipa, libxml2, python-urllib3, python3, and squid), Red Hat (.NET 6.0, .NET 7.0, .NET 8.0, container-tools:4.0, fence-agents, frr, gnutls, idm:DL1, ipa, kernel, kernel-rt, libarchive, libxml2, nss, openssl, pixman, python-urllib3, python3, tigervnc, tomcat, and virt:rhel and virt-devel:rhel modules), SUSE (gstreamer-plugins-bad), and Ubuntu (firefox, Go, linux-aws, linux-gcp-5.15, linux-intel-iotg-5.15, linux-iot, linux-oem-6.1, and twisted).
Stable kernel 4.14.336 (and others)
The 4.14.336 stable kernel update has been released with a small handful of fixes; this is the end of the line for the 4.14 stable series:
This is the LAST 4.14.y kernel to be released. It is now officially end-of-life. Do NOT use this kernel version anymore, please move to a newer one, as shown on the kernel.org releases page.All users of the 4.14 kernel series must upgrade. But then, move to a newer release. If you are stuck at this version due to a vendor requiring it, go get support from that vendor for this obsolete kernel tree, as that is what you are paying them for :)
Update: 6.6.11 and 6.1.72 have also now been released.
Security updates for Wednesday
Security updates have been issued by Fedora (libssh), Gentoo (FAAD2 and RedCloth), Red Hat (kpatch-patch and nss), SUSE (hawk2, LibreOffice, opera, and tar), and Ubuntu (glibc, golang-1.13, golang-1.16, linux-azure, linux-gkeop, monit, and postgresql-9.5).
Vcc: a Clang compiler for Vulkan
The Vcc compiler has been announced.
It’s exactly what the name implies: a clang-based compiler that outputs code that runs on Vulkan.Vcc can be thought of as a GLSL and HLSL competitor, but the true intent of this project is to retire the concept of shading languages entirely. Unlike existing shading languages, Vcc makes a honest attempt to bring the entire C/C++ language family to Vulkan, which means implementing a number of previously unseen features in Vulkan shaders
The OpenWrt One project
OpenWrt developer John Crispin says:
"In 2024 the OpenWrt project turns 20 years! Let's celebrate this
anniversary by launching our own first and fully upstream supported
hardware design.
" The rest of the message describes the proposed
OpenWrt-native network-routing system, based on Banana Pi boards; the project is
being organized through the Software Freedom Conservancy. (Thanks to Dave
Täht).