Brief items

Security

Git 2.40.1 (and several others) released

There is a new stable Git release containing fixes for three separate security vulnerabilities. The fixes have also been backported to the older v2.39.3, v2.38.5, v2.37.7, v2.36.6, v2.35.8, v2.34.8, v2.33.8, v2.32.7, v2.31.8, and v2.30.9 releases. Sites using Git in untrusted environments — or with untrusted input — should probably upgrade soon.

"Trusted publishers" on the Python Package Index

The Python Package Index (PyPI) has, like many language-specific repositories, had ongoing problems with malicious uploads. PyPI is now launching an authentication mechanism called trusted publishers in an attempt to fight this problem.

Instead, PyPI maintainers can configure PyPI to trust an identity provided by a given OpenID Connect Identity Provider (IdP). This allows PyPI to verify and delegate trust to that identity, which is then authorized to request short-lived, tightly-scoped API tokens from PyPI. These API tokens never need to be stored or shared, rotate automatically by expiring quickly, and provide a verifiable link between a published package and its source.

Security quote of the week

But dystopia isn't the only possible future. A.I. could advance the public good, not private profit, and bolster democracy instead of undermining it. That would require an A.I. not under the control of a large tech monopoly, but rather developed by government and available to all citizens. This public option is within reach if we want it.

An A.I. built for public benefit could be tailor-made for those use cases where technology can best help democracy. It could plausibly educate citizens, help them deliberate together, summarize what they think, and find possible common ground. Politicians might use large language models, or LLMs, like GPT4 to better understand what their citizens want.

Today, state-of-the-art A.I. systems are controlled by multibillion-dollar tech companies: Google, Meta, and OpenAI in connection with Microsoft. These companies get to decide how we engage with their A.I.s and what sort of access we have. They can steer and shape those A.I.s to conform to their corporate interests. That isn't the world we want. Instead, we want A.I. options that are both public goods and directed toward public good.

Bruce Schneier, Henry Farrell, and Nathan Sanders

Kernel development

Kernel release status

The 6.3 kernel is out, released by Linus on April 23. He said:

It's been a calm release this time around, and the last week was really no different. So here we are, right on schedule, with the 6.3 release out and ready for your enjoyment.

That doesn't mean that something nasty couldn't have been lurking all these weeks, of course, but let's just take things at face value and hope it all means that everything is fine, and it really was a nice controlled release cycle. It happens.

Significant changes in this release include the removal of a lot of obsolete Arm board files and drivers, ongoing improvements to the (still minimal) Rust language support, red-black trees for BPF programs, ID-mapped mounts for tmpfs filesystems, BIG TCP support for IPv4, support for non-executable memfds, the hwnoise jitter-measurement tool, and a lot more. See the LWN merge-window summaries (part 1, part 2) and the (in-progress) KernelNewbies 6.3 page for more information.

Stable updates: 6.2.12, 6.1.25, 5.15.108, 5.10.178, 5.4.241, 4.19.281, and 4.14.313 were released on April 20, followed by 6.2.13, 6.1.26, 5.15.109, 5.10.179, 5.4.242, 4.19.282, and 4.14.314 on April 26.

Quote of the week

I have spent years learning / contributing to RCU with several features, talks and presentations, with my most recent work being on Lazy-RCU.

Please consider me for M [maintainer status], so I can tell my wife why I spend a lot of my weekends and evenings on this complicated and mysterious thing -- which is mostly in the hopes of preventing the world from burning down because everything runs on this one way or another.

Joel Fernandes

Distributions

Ubuntu 23.04 (Lunar Lobster) released

The Ubuntu 23.04 release is out. Headline features include a new installer, GNOME 44, Azure Active Directory authentication, and more.

The newest Edubuntu, Kubuntu, Lubuntu, Ubuntu Budgie, Ubuntu Cinnamon, Ubuntu Kylin, Ubuntu MATE, Ubuntu Studio, Ubuntu Unity, and Xubuntu are also being released today.

See the release notes for more information.

Development

GCC 13.1 released

Version 13.1 of the GCC compiler suite has been released.

This release integrates a frontend for the Modula-2 language which was previously available separately and lays foundation for a frontend for the Rust language which will be available in a future release.

Other changes include the removal of support for the STABS debugging-information format, addition of a number of C++23 features, a number of static-analyzer improvements, support for a number of recent CPU features, and more. See this page for details.

An update on the GCC frontend for Rust

Philip Herron and Arthur Cohen have posted an update on the status of gccrs — the GCC frontend for the Rust language — and why it will not be a part of the upcoming GCC 13 release.

While all of this appears like a lot of work, we are confident in our progress and hope to get closer and closer to getting the core crate working in the next few months. There is also a lot of important work remaining in order to produce a valid Rust compiler, which is why we will spend the coming months focusing on the core crate as well as a borrow-checker implementation, and the development of the necessary tooling to allow us to try and pass the Rust 1.49 testsuite.

We aim to distribute the Rust 1.49 version of the standard library with our compiler in the next major GCC release, GCC 14, and hope to backport enough changes to the GCC 13 branch to get the core crate working in time for the GCC 13.2 release. This will enable users to easily start experimenting with the compiler for #![no_std] Rust programs and, hopefully, some embedded targets.

Miscellaneous

The Python Software Foundation on European cybersecurity

This is ten days old, but hopefully better late than never: the Python Software Foundation has put out an article describing how the proposed European "cyber resilience act" threatens the free-software community.

Under the current language, the PSF could potentially be financially liable for any product that includes Python code, while never having received any monetary gain from any of these products. The risk of huge potential costs would make it impossible in practice for us to continue to provide Python and PyPI to the European public.

The Internet Systems Consortium has also recently put out a statement on the proposal.

Page editor: Jake Edge


Copyright © 2023, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds