
Brief items

Security

An update on Memory Safety in Chrome

The Google security blog provides an overview of what is being done to address memory-safety problems in the Chrome browser.

In parallel, we’ll be exploring whether we can use a memory safe language for parts of Chrome in the future. The leading contender is Rust, invented by our friends at Mozilla. This is (largely) compile-time safe; that is, the Rust compiler spots mistakes with pointers before the code even gets to your device, and thus there’s no performance penalty. Yet there are open questions about whether we can make C++ and Rust work well enough together. Even if we started writing new large components in Rust tomorrow, we’d be unlikely to eliminate a significant proportion of security vulnerabilities for many years.

Comments (22 posted)

Travis CI flaw exposed secrets of thousands of open source projects (Ars Technica)

This Ars Technica article describes a problem with the Travis continuous-integration service:

A security flaw in Travis CI potentially exposed the secrets of thousands of open source projects that rely on the hosted continuous integration service. Travis CI is a software-testing solution used by over 900,000 open source projects and 600,000 users. A vulnerability in the tool made it possible for secure environment variables—signing keys, access credentials, and API tokens of all public open source projects—to be exfiltrated.

Any project storing secrets in this service would be well advised to replace them.

Comments (13 posted)

Kernel development

Kernel release status

The current development kernel is 5.15-rc2, released on September 19. Linus said:

So I've spent a fair amount of this week trying to sort out all the odd warnings, and I want to particularly thank Guenter Roeck for his work on tracking where the build failures due to -Werror come from.

Is it done? No. But on the whole I'm feeling fairly good about this all, even if it has meant that I've been looking at some really odd and grotty code. Who knew I'd still worry about some odd EISA driver on alpha, after all these years? A slight change of pace ;)

Stable updates have not been in short supply this week. 5.14.5, 5.13.18, 5.10.66, and 5.4.147 came out on September 16, followed by 5.14.6, 5.13.19, and 5.10.67 on September 18 and 5.14.7, 5.10.68, 5.4.148, 4.19.207, 4.14.247, 4.9.283, and 4.4.284 on September 22. Note that the 5.13.x line ends with 5.13.19.

Comments (none posted)

Distributions

Conill: The long-term consequences of maintainers’ actions

Ariadne Conill looks at the difficulties caused by the OpenSSL 3 transition in the context of Alpine Linux.

For distributions, however, the story is different: cryptography moved to using Rust, because they wanted to leverage all of the static analysis capabilities built into the language. This, too, is a reasonable decision, from a development perspective. From the ecosystem perspective, however, it is problematic, as the Rust ecosystem is still rapidly evolving, and so we cannot support a single branch of the Rust compiler for an entire 2 year lifecycle, which means it exists in community. Our solution, historically, has been to hold cryptography at the latest version that did not require Rust to build. However, that version is not compatible with OpenSSL 3, and so it will eventually need to be upgraded to a new version which is. And so, since cryptography has to move to community, so does paramiko and Ansible.

Comments (34 posted)

Schaller: Cool happenings in Fedora Workstation land

Here's a post from Christian Schaller describing a number of the desktop-oriented improvements that can be expected in the Fedora 35 release.

And I know some people will wonder why we spent so much time working with NVidia around their binary driver, but the reality is that NVidia is the market leader, especially in the professional Linux workstation space, and there are a lot of people who either would end up not using Linux or using Linux with X without it, including a lot of Red Hat customers and Fedora users. And that is what I and my team are here for at the end of the day, to make sure Red Hat customers are able to get their job done using their Linux systems.

Comments (69 posted)

Courtès: What's in a package

Over at the Guix-HPC blog, Ludovic Courtès writes about trying to package the PyTorch machine-learning library for the Guix distribution. Building from source in a user-verifiable manner is part of the philosophy behind Guix, but there were a number of problems that were encountered:

The first surprise when starting packaging PyTorch is that, despite being on PyPI, PyTorch is first and foremost a large C++ code base. It does have a setup.py as commonly found in pure Python packages, but that file delegates the bulk of the work to CMake.

The second surprise is that PyTorch bundles (or "vendors", as some would say) source code for no less than 41 dependencies, ranging from small Python and C++ helper libraries to large C++ neural network tools. Like other distributions such as Debian, Guix avoids bundling: we would rather have one Guix package for each of these dependencies. The rationale is manifold, but it boils down to keeping things auditable, reducing resource usage, and making security updates practical.
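Keeping security updates practical starts with an inventory of what is bundled. As an added example (not Guix's or PyTorch's code), the script below parses a `.gitmodules` file, the mechanism many C++ projects use to vendor dependencies, and reports the things a distribution packager checks first: how many copies there are, whether any dependency is vendored twice under different paths, and which ones are fetched over an unauthenticated transport. The sample `.gitmodules` is constructed for the example; its module names are illustrative and are not PyTorch's actual submodule list.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# git config syntax: a [submodule "name"] section followed by key = value lines.
SECTION_RE = re.compile(r'^\s*\[submodule\s+"([^"]+)"\]\s*$')
KV_RE = re.compile(r'^\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.*?)\s*$')

# Constructed sample; the entries are made up for this example.
SAMPLE_GITMODULES = """[submodule "third_party/protobuf"]
\tpath = third_party/protobuf
\turl = https://github.com/protocolbuffers/protobuf.git
[submodule "third_party/gloo"]
\tpath = third_party/gloo
\turl = git://github.com/facebookincubator/gloo.git
[submodule "third_party/onnx"]
\tpath = third_party/onnx
\turl = https://github.com/onnx/onnx.git
\tbranch = main
[submodule "third_party/nnpack-deps/protobuf"]
\tpath = third_party/nnpack-deps/protobuf
\turl = https://github.com/protocolbuffers/protobuf.git
"""

# git:// and http:// carry no authentication of the server; https and ssh do.
INSECURE_SCHEMES = {"git", "http"}


def parse_gitmodules(text: str) -> list:
    """Return a list of {"name", "path", "url", "branch"} dicts, in file order."""
    modules = []
    current = None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped[0] in "#;":   # git config comment lines
            continue
        m = SECTION_RE.match(raw)
        if m:
            current = {"name": m.group(1), "path": None, "url": None, "branch": None}
            modules.append(current)
            continue
        m = KV_RE.match(raw)
        if m and current is not None:
            key, value = m.group(1).lower(), m.group(2)
            if key in ("path", "url", "branch"):
                current[key] = value
    return modules


def audit(modules: list) -> dict:
    """Flag incomplete entries, duplicate vendoring and unauthenticated fetch URLs."""
    by_url = defaultdict(list)
    insecure = []
    incomplete = []
    for mod in modules:
        if not mod["path"] or not mod["url"]:
            incomplete.append(mod["name"])
            continue
        by_url[mod["url"]].append(mod["name"])
        # scp-style "git@host:repo" has no scheme and is left alone (it is SSH).
        scheme = urlsplit(mod["url"]).scheme.lower()
        if scheme in INSECURE_SCHEMES:
            insecure.append(mod["name"])
    duplicates = {url: names for url, names in by_url.items() if len(names) > 1}
    return {"count": len(modules), "incomplete": incomplete,
            "insecure_transport": insecure, "duplicates": duplicates}


if __name__ == "__main__":
    report = audit(parse_gitmodules(SAMPLE_GITMODULES))
    print(f"{report['count']} vendored submodules")
    for url, names in report["duplicates"].items():
        print(f"vendored more than once: {url} -> {names}")
    for name in report["insecure_transport"]:
        print(f"unauthenticated transport: {name}")
```

A duplicate entry means a fix to that library has to land in every copy, which is exactly the "security updates practical" concern the post raises; submodules are also only one vendoring mechanism, and tarballs copied into the tree by hand would need a separate scan.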

Comments (17 posted)

Distribution quote of the week

Imagine that you are the product manager for Debian `which`. According to the hatemail in my inbox, this is the most important utility in the history of time, such that even printing a warning to stderr causes global devastation, block hints, and calls for impeachment.
Clint Adams

Comments (none posted)

Development

GNOME 41 released

The GNOME project has announced the release of GNOME 41.

The most notable changes in this release include an improved Software app, new multitasking settings, and enhanced power management features. With these changes, GNOME is smarter, more flexible, and offers a richer and more engaging experience than ever before.

The new release also comes with significant improvements for developers, including a new developer documentation website, a major new version of the Human Interface Guidelines, new features in the Builder IDE, GTK 4 enhancements, and much more.

Comments (22 posted)

Rosenzweig: Panfrost achieves OpenGL ES 3.1 conformance on Mali-G52

Alyssa Rosenzweig reports that the open-source Panfrost driver for Mali GPUs has achieved official conformance on Mali-G52 for OpenGL ES 3.1.

This important milestone is a step forward for the open source driver, as it now certifies Panfrost for use in commercial products containing Mali G52 and paves the way for further conformance submissions on other Mali GPUs.

Comments (1 posted)

Postgres 14: It's The Little Things (Kerstiens)

Craig Kerstiens highlights some of the "little things" featured in the upcoming PostgreSQL 14 release.

And now in PostgreSQL 14 there is this seemingly small update, pipeline mode, which, according to the docs, allows applications to send a query without having to read the result of the previously sent query. Taking advantage of the pipeline mode, a client will wait less for the server, since multiple queries/results can be sent/received in a single network transaction.

Comments (9 posted)

Hoyt: Structural pattern matching in Python 3.10

Ben Hoyt has published a critical overview of the Python 3.10 pattern-matching feature.

As shown above, there are cases where match really shines. But they are few and far between, mostly when handling syntax trees and writing parsers. A lot of code does have if ... elif chains, but these are often either plain switch-on-value, where elif works almost as well, or the conditions they’re testing are a more complex combination of tests that don’t fit into case patterns (unless you use awkward case _ if cond clauses, but that’s strictly worse than elif).

(Pattern matching has been covered here as well).

Comments (9 posted)

Development quote of the week

Now, for the "Xorg is dead" claims - it's very likely that the current release will be the last Xorg release. There is little interest in an X server that runs on hardware, or rather: there's little interest in the effort required to push out releases.
Peter Hutterer

Comments (26 posted)

Page editor: Jake Edge


Copyright © 2021, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds