Brief items
Security
Another npm supply-chain attack
The Socket.dev blog describes this week's attack on JavaScript packages in the npm repository.
A malicious update to @ctrl/tinycolor (2.2M weekly downloads) was detected on npm as part of a broader supply chain attack that impacted more than 40 packages spanning multiple maintainers. The compromised versions include a function (NpmModule.updatePackage) that downloads a package tarball, modifies package.json, injects a local script (bundle.js), repacks the archive, and republishes it, enabling automatic trojanization of downstream packages.
There is some more information in this Krebs on Security article.
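The mechanism described above (a tarball repacked with an injected file and an altered package.json) is something a defender can check for by diffing a newly published tarball against a known-good earlier version. The script below is an added example written for this page; it is not code from Socket.dev, npm, or the compromised packages. It assumes the standard npm tarball layout (files under a top-level package/ directory), treats the lifecycle hooks preinstall, install, postinstall and prepare as the scripts worth watching, and constructs both sample tarballs in memory so it runs offline. The "postinstall" entry in the constructed sample is an assumption about what a modified package.json might contain; the article says only that package.json is modified.

```python
"""Audit an npm package tarball against a known-good baseline version.

Added example (not from the Socket.dev write-up or LWN). Reports (1) files that
appear only in the new version, (2) lifecycle scripts that were added or
changed, and (3) whether a top-level bundle.js is present. The sample tarballs
are constructed here; the postinstall hook in the sample is an assumption.
"""
import io
import json
import tarfile

# Hooks npm runs automatically; a new or changed one deserves a close look.
LIFECYCLE_SCRIPTS = ("preinstall", "install", "postinstall", "prepare")


def read_tarball(tgz_bytes):
    """Return {member_name: bytes} for every regular file in a gzipped tarball."""
    files = {}
    with tarfile.open(fileobj=io.BytesIO(tgz_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            if member.isfile():
                files[member.name] = tar.extractfile(member).read()
    return files


def lifecycle_scripts(files):
    """Extract the lifecycle hooks from package/package.json (empty if absent)."""
    raw = files.get("package/package.json")
    if raw is None:
        return {}
    scripts = json.loads(raw).get("scripts", {})
    return {k: v for k, v in scripts.items() if k in LIFECYCLE_SCRIPTS}


def audit(new_tgz, baseline_tgz):
    """Compare a new tarball with a trusted baseline and return the findings."""
    new, base = read_tarball(new_tgz), read_tarball(baseline_tgz)
    new_hooks, base_hooks = lifecycle_scripts(new), lifecycle_scripts(base)
    return {
        "added_files": sorted(set(new) - set(base)),
        "changed_hooks": {k: v for k, v in new_hooks.items() if base_hooks.get(k) != v},
        "has_bundle_js": "package/bundle.js" in new,
    }


def build_tarball(members):
    """Construct a gzipped tarball from {name: text}; used only for sample input."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, text in members.items():
            data = text.encode()
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed sample: a clean release and a repacked one with an injected file.
# "example-pkg" is a made-up name, not one of the packages in the article.
CLEAN = build_tarball({
    "package/package.json": json.dumps({"name": "example-pkg", "version": "1.0.0",
                                        "main": "index.js",
                                        "scripts": {"test": "node test.js"}}),
    "package/index.js": "module.exports = () => 'hello';\n",
})
REPACKED = build_tarball({
    "package/package.json": json.dumps({"name": "example-pkg", "version": "1.0.1",
                                        "main": "index.js",
                                        # assumption: hook added by the repack
                                        "scripts": {"test": "node test.js",
                                                    "postinstall": "node bundle.js"}}),
    "package/index.js": "module.exports = () => 'hello';\n",
    "package/bundle.js": "// placeholder standing in for the injected script\n",
})

if __name__ == "__main__":
    print(json.dumps(audit(REPACKED, CLEAN), indent=2))
```

In practice the baseline would be the tarball pinned in your lockfile (fetch both with npm pack or from the registry) and the audit would run before an upgrade is accepted; an empty report is not proof of safety, but an added file plus a new lifecycle hook is exactly the pattern the repack-and-republish step leaves behind.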
Security quotes of the week
Every day, thousands of researchers race to solve the AI alignment problem. But they struggle to coordinate on the basics, like whether a misaligned superintelligence will seek to destroy humanity, or just enslave and torture us forever. Who, then, aligns the aligners?
— Center for the Alignment of AI Alignment Centers
The security industry is a machine that turns
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND
into
YOU ARE PART OF A SUPPLY CHAIN ATTACK, SHAME ON YOU
— Alexia Starling
Kernel development
Kernel release status
The current development kernel is 6.17-rc6, released on September 14. Linus remarked: "But really, none of it is very large. So everything seems slated for a normal release in two weeks. Please do keep testing, so that we don't get complacent."
Stable updates: 6.12.47, 6.6.106, 6.1.152, 5.15.193, and 5.10.244 were released on September 11 with mitigations for the VMScape Spectre variant.
The 6.16.8, 6.12.48, 6.6.107, and 6.1.153 updates are in the review process; they are due on September 19.
Distributions
Jackson: tag2upload in the first month of forky
Ian Jackson has published a blog post summarizing the tag2upload service's first month of handling uploads for the upcoming Debian 14 ("forky") release:
We announced tag2upload's open beta in mid-July. That was in the middle of the freeze for trixie, so usage was fairly light until the forky floodgates opened.
Since then the service has successfully performed 637 uploads, of which 420 were in the last 32 days. That's an average of about 13 per day. For comparison, during the first half of September up to today there have been 2475 uploads to unstable. That's about 176/day.
So, tag2upload is already handling around 7.5% of uploads. This is very gratifying for a service which is advertised as still being in beta!
LWN covered tag2upload in July 2024.
Distributions quote of the week
A part of me wants to live in a universe where LEGO ended up being a dominant computer manufacturer and immutable OSes were literally motherboard ROM bricks we physically switched out to update.
— Jef Spaleta
Development
Firefox 143.0 released
Version 143.0 of the Firefox browser has been released. Changes include the ability to pin tabs by dragging them to the edge, previews in the camera permissions dialog, improved fingerprinting protection, and (optional) automatic deletion of files downloaded in private browsing mode.
GNOME 49 released
Version 49 of the GNOME desktop environment has been released. Changes include new default video (Showtime) and PDF-viewing (Papers) applications, a number of calendar improvements, and updates to the Web, Maps, and Software applications.
Libxml2 2.15.0 released
Version 2.15.0 of libxml2 has been released. Notable changes include the disabling of Python bindings by default, using Doxygen to generate API documentation, as well as bringing HTML serialization and handling of character encodings more in line with the HTML5 specification.
Nick Wellnhofer has also announced that he is stepping down as libxml2 maintainer, and Iván Chavero has volunteered to take over. LWN covered libxml2 in June.
Systemd v258 released
Systemd v258 has been released with a long list of new features and changes; slice units now have basic workload management features, quotas for tmpfs have been added, the "systemctl start" command now has a verbose (-v) option, and more. This release also, finally, completely removes support for control groups v1. LWN covered some of systemd v258's features and changes in August.
Varnish 8.0.0 and bonus project news
Version 8.0.0 of Varnish Cache has been released. In addition to a number of changes to varnishd parameters, the ability to access some runtime parameters using the Varnish Configuration Language, and other improvements, 8.0.0 comes with big news: the project is forming an organization called a forening that will set out formal governance for the project. The move also comes with a name change, due to legal difficulties in securing the Varnish Cache name:
The new association and the new project will be named "The Vinyl Cache Project", and this release, 8.0.0, will be the last under the "Varnish Cache" name. The next release, in March, will be under the new name, and will include compatibility scripts, to make the transition as smooth as possible for everybody.
I want to make it absolutely clear that this is 100% a mess of my making: I should have insisted on a firm written agreement about the name sharing, but I did not.
I will also state for the record, that there are no hard feelings between Varnish Software and the FOSS project.
Varnish Software has always been, and still is, an important and valued contributor to the FOSS project, but sometimes even friends can make a mess of a situation.
Development quote of the week
I'm vastly in favor of changing our AI policy to just disallow it. CONTROLLING that is going to be an honor-system, but it needs to be done anyway, it is harmful to everyone.
I am one of the largest-by-most-metric reviewers on Clang. We've seen a bunch of reviews, and frankly, it has resulted in us being less welcome to newbies. Historically, if I got a review that the person didn't have a sufficient understanding of what they were doing, I'd be able to 'hand hold' a reasonable amount. I typically did this since:
- It was 'less' often
- The people 'learned' quickly and thus could participate/get better over time.
- The mistakes were likely results of copy/paste, and it often identified issues elsewhere.
- The individuals were very respectful/receptive to the changes, and asked reasonable/productive followup/pushback questions.
HOWEVER, ones that I suspect are AI contributors fail at all of these:
- We are getting these more often. This makes my workload (for something I don't get paid to do!) that much greater. This means SOMETHING has to give, and usually, it is 'reviews that are furthest from completion', typically new contributors/AI contributions.
- In my experience, folks using AI do a much worse job at understanding their patch, and thus a much worse job at getting better over time. The amount of effort to make these contributors start making better contributions is so much more as to not be worth it anymore.
- We get no such benefit.
- Thanks in part to 2, and worse, folks using AI to generate responses to me, they are much worse at asking productive followups/pushbacks.
As a result, the first group (just new contributors using their brains) are getting thrown in with the latter group (used AI), and are getting ignored/MUCH worse reviews, and thus don't get the benefits of review. (A bit of 'throwing out the baby with the bathwater' unfortunately).
— Erich Keane
Miscellaneous
How FOSS Projects Handle Legal Takedown Requests (F-Droid)
The F-Droid project has some advice for free-software projects on how to deal with takedown requests.
As part of our legal resilience research, we spoke with a range of legal experts, software freedom advocates, and maintainers of mature FOSS infrastructure to understand how others manage these moments. In this article, we share what we learned, and how F-Droid is incorporating these lessons into its own approach.
Linux Plumbers Conference registration open
Registration for the 2025 Linux Plumbers Conference (Tokyo, December 11 to 13) is now open. LPC tickets often sell out quickly, so it would be best not to delay if you intend to attend.
Page editor: Daroc Alden