Brief items
Security
Supply Chain Attacks on Linux distributions (Fenrisk)
A security company called Fenrisk has posted an overview of a pair of claimed successful supply-chain attacks on the Fedora and openSUSE distributions.
We successfully identified vulnerabilities in Pagure, the Git forge used by Fedora to store their package definitions. We also compromised Open Build Service, the all-in-one toolchain used and developed by the openSUSE project for compilation and packaging. Their exploitation by malicious actors would have led to the compromise of all the packages of the distributions Fedora and openSUSE, as well as their downstream distributions, impacting millions of Linux servers and desktops.
[Update: SUSE has put out a statement about the vulnerability; "While this is a serious vulnerability that needed to be fixed quickly, the impact was inaccurately described."]
Security quote of the week
To be competitive here, the EU needs to consider privacy and freedom from surveillance as paramount values. That's not always been the case for it: there have always been voices who have pushed for things like backdoors in encryption and greater monitoring from police and security services. Those things will kill any EU effort to provide alternatives. The EU's great strengths in comparison to the US are greater openness and stronger protections of human rights; it should lean into those.
Kernel development
Kernel release status
The current development kernel is 6.14-rc7, released on March 16. "Things continue to look quite calm, and I expect to release the final 6.14 next weekend unless something very surprising happens".
Stable updates: 6.13.7, 6.12.19, 6.6.83, 6.1.131, 5.15.179, 5.10.235, and 5.4.291 were released on March 13.
The 6.13.8, 6.12.20, and 6.6.84 updates are in the review process; they are due on March 21.
Quotes of the week
I'm the maintainer, paying attention is why I get the big bucks. ... ok, in truth, I don't get paid anything, but it's the principle. — Casey Schaufler
Companies and users are willing to pay to improve performance for file systems. [...] However, I have *yet* to see any company willing to invest in hardening file systems against maliciously modified file system images. We can debate how much it might cost it to harden a file system, but given how much companies are willing to pay --- zero --- it's mostly an academic question. — Ted Ts'o
Distributions
SystemRescue 12.00 released
Version 12.00 of the SystemRescue live Linux system has been released. SystemRescue is an Arch Linux-based bootable toolkit for repairing systems in the event of a crash. Notable changes in this release include an update to Linux 6.12.19, support for bcachefs, and a number of updated disk utilities. See the package list for a complete list of software included in this release.
Development
Choi: announcing Casual Make
Charles Choi has announced the release of Casual Make: a menu-driven interface, implemented as part of the Casual suite of tools, for Makefile Mode in GNU Emacs.
Emacs supports makefile editing with make-mode which has a mix of useful and half-baked (though thankfully obsoleted in 30.1) commands. It is from this substrate that I'm happy to announce the next Casual user interface: Casual Make.
Of particular note to Casual Make is its attention to authoring and identifying automatic variables whose arcane syntax is un-memorizable. Want to know what $> means? Just select it in the makefile and use the . binding in the Casual Make menu to identify what it does in the mini-buffer.
Casual Make is part of Casual 2.4.0, released on March 12 and is available from MELPA. The 2.4.0 update to Casual also includes documentation in the Info format for the first time.
GIMP 3.0 released
The long-awaited GIMP 3.0 release is now available. Major changes in 3.0 include non-destructive editing for most commonly-used filters, improved text creation, better color space management, and an update to GTK 3.
This is the end result of seven years of hard work by volunteer developers, designers, artists, and community members (for reference, GIMP 2.10 was first published in 2018 and the initial development version of GIMP 3.0 was released in 2020).
See the release notes and NEWS file for more details about this release. LWN covered a near-final release of GIMP 3.0 in November last year.
Git 2.49.0 released
Version 2.49.0 of the Git source-code management system has been released. This release comprises 460 non-merge commits since 2.48.0, with contributions from 89 people, including 24 new contributors. There is a long list of improvements and bug fixes; see the highlights blog from GitHub's Taylor Blau for some of the more interesting features.
GNOME 48 released
GNOME 48 ("Bengaluru") has been released. As usual, this release includes a number of new features and enhancements including support for shortcuts in the Orca screen reader on Wayland, new fonts, addition of image editing to Image Viewer, and more.
GNOME 48 includes a number of notable performance improvements. The most significant of these is the introduction of dynamic triple buffering. This change has undergone significant review and testing over a period of five years and improves the perceived smoothness of changes on screen, with fewer skipped frames and more fluid animations. This has been achieved by enhancing the concurrency capabilities of Mutter, the GNOME display manager, and is particularly effective at handling sudden bursts of activity.
The GNOME 48 release also adds new applications to the GNOME Circle collection, such as Drum Machine and the Iotas note-taking application. See "What's new for developers" for a rundown of improvements for developers in GNOME 48.
PeerTube 7.1 released
Version 7.1 of PeerTube, a tool for sharing videos online, has been released. Notable features in this release include improved support for the Podcast 2.0 standard, better playback stability, and a new view protocol enabled by default to allow PeerTube to handle more simultaneous viewers. See the release notes for more details.
Development quote of the week
Nobody is going to try to make money on a proprietary fork of an MIT Coreutils. Nobody is hiding their trade secrets there. This isn't the 80s. What is a bigger issue is the more symbolic nature of things. People had the opportunity to pick a copyleft licence and chose not to. We can view this as an attack on copyleft (albeit one that's likely symbolic at best), or we can accept that the copyleft community has been doing a poor job winning the hearts and minds of new generations of developers. — Matthew Garrett
Page editor: Daroc Alden
