Brief items
Security
Security quote of the week
Talking Trojan: Analyzing an Industry-Wide Disclosure tells the story of what happened after we discovered the Trojan Source vulnerability, which broke almost all computer languages, and the Bad Characters vulnerability, which broke almost all large NLP tools. This provided a unique opportunity to measure software maintenance in action. Who patched quickly, reluctantly, or not at all? Who paid bug bounties, and who dodged liability? What parts of the disclosure ecosystem work well, which are limping along, and which are broken?

Security papers typically describe a vulnerability but say little about how it was disclosed and patched. And while disclosing one vulnerability to a single vendor can be hard enough, modern supply chains multiply the number of affected parties, leading to an exponential increase in the complexity of the disclosure. One vendor will want an in-house web form, another will use an outsourced bug bounty platform, still others will prefer emails, and *nix OS maintainers will use a very particular PGP mailing list. Governments sort-of want to assist with disclosures but prefer to use yet another platform. Many open-source projects lack an embargoed disclosure process, but it is often in the interest of commercial operating system maintainers to write embargoed patches – if you can get hold of the right people.

— Nicholas Boucher, one of the authors
Kernel development
Kernel release status
The current development kernel is 6.0-rc7, released on September 25. Linus said:
So I was thinking rc7 might end up larger than usual due to travel hitting rc6, but it doesn't really seem to have happened.

Yeah, maybe it's marginally bigger than the historical average for this time of the release cycle, but it definitely isn't some outlier, and it looks fairly normal. Which is all good, and makes me think that the final release will happen right on schedule next weekend, unless something unexpected happens. Knock wood.
Stable updates: 5.19.11, 5.15.70, and 5.10.145 were released on September 23, followed by 5.19.12, 5.15.71, 5.10.146, 5.4.215, 4.19.260, 4.14.295, and 4.9.330 on September 28.
Quote of the week
I'm sure b4 is a fine tool. I'm told mutt is useful. Gitweb is kewl. But adopting a new and exciting development methodology every few years since about 1978 has given me a real appreciation for the raw email approach.

— Casey Schaufler
Distributions
Arch Linux drops Python 2
Arch Linux has announced that Python 2 is being removed from the distribution's repositories. "If you still require the python2 package you can keep it around, but please be aware that there will be no security updates."
ALP prototype 'Les Droites' is to be expected later this week (openSUSE News)
The openSUSE News site is looking forward to the imminent preview release of the openSUSE Adaptable Linux Platform (ALP) distribution:
As far as “Les Droites” goes, users can look forward to a SLE Micro like HostOS with self-healing abilities contributing to our OS-as-a-Service/ZeroTouch story. The Big Idea is that the user focuses on the application rather than the underlying host, which manages, heals, and self-optimizes itself. Both Salt (pre-installed) and Ansible will be available to simplify further management.

Users can look forward to Full Disk Encryption (FDE) with TPM support by default on x86_64. Another part of the deliverables are numerous containerized system components including yast2, podman, k3s, cockpit, Display Manager (GDM), and KVM. All of which users can experiment with, which are simply referred to as Workloads.
Development
Bash 5.2 released
Version 5.2 of the Bash shell has been released.
The most notable new feature is the rewritten command substitution parsing code, which calls the bison parser recursively. This replaces the ad-hoc parsing used in previous versions, and allows better syntax checking and catches syntax errors much earlier. The shell attempts to do a much better job of parsing and expanding array subscripts only once; this has visible effects in the `unset' builtin, word expansions, conditional commands, and other builtins that can assign variable values as a side effect.
LXD 5.6 released
Version 5.6 of the LXD container manager is out. Changes include the ability to stream log messages to a Grafana Loki server, Infiniband support for virtual machines, a restricted network access mode, and more.
Rust 1.64.0 released
Version 1.64.0 of the Rust language has been released. Changes include the stabilization of the IntoFuture trait, easier access to C-compatible types, the availability of rust-analyzer via rustup, and more.
Wuyts: Why async Rust
Yoshua Wuyts gives an overview of async Rust and why it is interesting.
Conversations around "why async" often focus on performance - a topic which is highly dependent on workloads, and results in people wholly talking past each other. While performance is not a bad reason to choose async Rust, we often only notice performance when we experience a lack of it. So I want to instead focus on which features async Rust provides which aren't present in non-async Rust.
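The Rust 1.64.0 item above mentions the stabilization of IntoFuture, and Wuyts's post is about what async Rust offers beyond speed. The following is an added example, not code from the Rust release notes or from Wuyts's post, showing what IntoFuture buys a library author: a builder type that can be `.await`ed directly, so that its defaults (here, a timeout) are applied in one place at await time rather than depending on the caller remembering a separate `send()` step. The `Request`/`Response` types, the `timeout_ms` default and the tiny `block_on` executor are all assumptions made for this example; nothing here performs real I/O.

```rust
use std::future::{Future, IntoFuture};
use std::pin::Pin;
use std::task::{Context, Poll, RawWaker, RawWakerVTable, Waker};

/// Hypothetical request builder (assumed for this example; not a real crate API).
/// Because it implements `IntoFuture`, callers write `Request::get(..).await`
/// and the builder, not the caller, decides what runs when it is awaited.
#[derive(Clone)]
pub struct Request {
    path: String,
    timeout_ms: u64, // 0 means "not set by the caller"
}

impl Request {
    pub fn get(path: &str) -> Self {
        Request { path: path.to_string(), timeout_ms: 0 }
    }

    pub fn timeout_ms(mut self, ms: u64) -> Self {
        self.timeout_ms = ms;
        self
    }
}

/// Simulated outcome of a request; constructed in memory, no network involved.
#[derive(Debug, PartialEq)]
pub struct Response {
    pub path: String,
    pub timeout_ms: u64,
}

impl IntoFuture for Request {
    type Output = Response;
    type IntoFuture = Pin<Box<dyn Future<Output = Response>>>;

    fn into_future(self) -> Self::IntoFuture {
        // Defaults are applied here, at await time: an unset timeout becomes
        // 30 s (an assumed value) instead of "wait forever".
        let timeout_ms = if self.timeout_ms == 0 { 30_000 } else { self.timeout_ms };
        let path = self.path;
        Box::pin(async move { Response { path, timeout_ms } })
    }
}

/// Minimal single-future executor so the example runs without an async runtime.
/// The futures in this example are always immediately ready, so the poll loop
/// returns on the first iteration; a real executor would park until woken.
pub fn block_on<F: Future>(fut: F) -> F::Output {
    fn noop(_: *const ()) {}
    fn clone(p: *const ()) -> RawWaker {
        RawWaker::new(p, &VTABLE)
    }
    static VTABLE: RawWakerVTable = RawWakerVTable::new(clone, noop, noop, noop);

    // SAFETY: the vtable functions never dereference the (null) data pointer.
    let waker = unsafe { Waker::from_raw(RawWaker::new(std::ptr::null(), &VTABLE)) };
    let mut cx = Context::from_waker(&waker);
    let mut fut = Box::pin(fut);
    loop {
        if let Poll::Ready(out) = fut.as_mut().poll(&mut cx) {
            return out;
        }
    }
}

/// The builder is awaited directly; no explicit `send()` or `into_future()` call.
pub fn fetch_with_timeout() -> Response {
    block_on(async { Request::get("/health").timeout_ms(500).await })
}

/// Same call without a caller-supplied timeout: the default from `into_future` applies.
pub fn fetch_default() -> Response {
    block_on(async { Request::get("/health").await })
}

fn main() {
    println!("{:?}", fetch_with_timeout());
    println!("{:?}", fetch_default());
}
```

The point to take away is where the policy lives: before IntoFuture, a builder that forgot to require a terminal method could be constructed and dropped without ever sending, or sent with whatever partial state the caller left; with IntoFuture the `.await` itself is the terminal step and `into_future` is the single place to enforce invariants such as a bounded timeout.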
Miscellaneous
Announcing the GNU Toolchain Infrastructure Project
The backers of the GNU Toolchain Infrastructure Project, which was the subject of an intense discussion at the GNU Tools Cauldron, have finally posted their plans publicly.
Linux Foundation IT services plans for the GNU Toolchain include Git repositories, mailing lists, issue tracking, web sites, and CI/CD, implemented with strong authentication, attestation, and security posture. Utilizing the experience and infrastructure of the LF IT team that is already used by the Linux kernel community will provide the most effective solution and best experience for the GNU Toolchain developer community.
Page editor: Jake Edge