
Brief items

Security

Stenberg: DISPUTED, not REJECTED

The Curl project has previously had problems with CVEs issued for things that are not security issues. On February 21, Daniel Stenberg wrote about the Curl project's most recent issue with the CVE system, saying:

I keep insisting that the CVE system is broken and that the database of existing CVEs hosted by MITRE (and imported into lots of other databases) is full of questionable content and plenty of downright lies. A primary explanation for us being in this ugly situation is that it is simply next to impossible to get rid of invalid CVEs.


Kernel development

Kernel release status

The current development kernel is 6.8-rc6, released on February 25. According to Linus:

Last week I said that I was hoping things would calm down a bit. Technically things did calm down a bit, and rc6 is smaller than rc5 was. But not by a huge amount, and honestly, while there's nothing really alarming here, there's more here than I would really like at this point in the release.

So this may end up being one of those releases that get an rc8. We'll see.

Stable updates: 6.7.6, 6.6.18, 6.1.79, 5.15.149, 5.10.210, 5.4.269, and 4.19.307 were all released on February 23.

The 6.7.7, 6.6.19, 6.1.80, 5.15.150, 5.10.211, 5.4.270, and 4.19.308 updates are all in the review process; they are due on February 29.


The bpftop tool

Netflix has announced the release of a tool called bpftop to help with the performance optimization of BPF programs in the kernel:

bpftop provides a dynamic real-time view of running eBPF programs. It displays the average execution runtime, events per second, and estimated total CPU % for each program. This tool minimizes overhead by enabling performance statistics only while it is active.


Quotes of the week

Static checkers insist that the mpi_alloc() allocation can fail so add a check to prevent a NULL dereference. Small allocations like this can't actually fail in current kernels, but adding a check is very simple and makes the static checkers happy.

The Linux kernel CVE team has assigned CVE-2023-52472 to this issue.

Greg Kroah-Hartman

  • Code Changes: Introduces a new mlx5ctl misc driver for the mlx5 ConnectX family of devices, allowing userspace to execute debug RPCs and access device capabilities directly, bypassing the kernel's netdev interface.
  • Code Quality: The patches seem well-structured and follow kernel coding conventions. The series includes detailed explanations and justifications for the changes.
ChatGPT via Konstantin Ryabitsev. See also this discussion

MichalH: was hopin' the new CVE process would be cooler, ya know? like, more important CVEs and stuff. 🤞

GregKH: hey peeps, so like, going where you shouldn't in memory is bad, right? we can't guess how everyone uses the kernel, so marking these fixes with CVEs is smart 🧐

Konstantin Ryabitsev goes completely nuts with it


Distributions

Tails 6.0 released

Tails 6.0 is now available. Based on Debian, Tails is a portable operating system designed to run from a USB stick and help users avoid surveillance and censorship. This release updates most Tails applications, and includes important security and usability improvements.

One major new feature in 6.0 is warnings to users about errors when reading from or writing to persistent storage. This release now ignores USB devices plugged in while the screen is locked, and removes some file and disk-wiping features from the Files application that are "not reliable enough" on USB sticks and SSDs to continue offering to users.

Users of Tails prior to 6.0~rc1 will need to do a manual upgrade to retain persistent storage. New users can download Tails for USB, or as an ISO to create a DVD or run Tails in a virtual machine.


Distributions quote of the week

Given the recent spread of the "AI" bubble, I think we really need to look into formally addressing the related concerns. In my opinion, at this point the only reasonable course of action would be to safely ban "AI"-backed contribution entirely. In other words, explicitly forbid people from using ChatGPT, Bard, GitHub Copilot, and so on, to create ebuilds, code, documentation, messages, bug reports and so on for use in Gentoo.
Michał Górny


Development

Git 2.44.0 released

Version 2.44.0 of the Git source-code management system has been released. There is a long list of changes, including the git replay command for faster, server-side rebasing, a number of command-line completion improvements, and more.


Incus 0.6 released

Version 0.6 of Incus, a fork of LXD, has been released. The changes in this release include a new storage driver called lvmcluster, improvements for Open Virtual Network (OVN) users, improvements to migration tooling, a number of new security features, and storage bucket backup and re-import. See the release announcement for detailed release notes and a complete list of changes. The announcement notes that a Long Term Support (LTS) release of Incus is planned in a few months "to coincide with the LTS releases of LXC and LXCFS".


Development quote of the week

The best part about being an open source maintainer is the copious amounts of free advice you get from people who know better than you what your project should do.
Daniel Stenberg


Miscellaneous

The Open Collective Foundation is shutting down

The Open Collective Foundation is an organization created to provide legal and financial services for non-profit projects, many of which are associated with free software. Projects hosted there are now beginning to report that the Open Collective Foundation will be shutting down at the end of the year, with an unwinding process over that time.

Unfortunately, over the past year, we have learned that Open Collective Foundation's business model is not sustainable with the number of complex services we have offered and the fees we pay to the Open Collective Inc. tech platform.

In late 2023, we made the decision to pause accepting new collectives in order to create space for us to address the issues. Unfortunately, it became clear that it would not be financially feasible to make the necessary corrections, and we determined that OCF is not viable.

Some more information can be found in the Dissolution FAQ. Note that the Open Collective Foundation is distinct from Open Source Collective, which has hastened to point out that it remains in operation as before, and both are distinct from the Open Collective platform.


Page editor: Jake Edge


Copyright © 2024, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds