
Brief items

Security

pcp: pmcd network daemon review (SUSE Security Team Blog)

The SUSE Security Team Blog has a detailed review of the Performance Co-Pilot (PCP) 6.2.1 release:

The rather complex PCP software suite was difficult to judge just from a cursory look, so we decided to take a closer look especially at PCP's networking logic at a later time. This report contains two CVEs and some non-CVE related findings we also gathered during the follow-up review.

CVE-2024-45769, a flaw that could allow an attacker to send crafted data to crash pmcd, and CVE-2024-45770, which could allow a full local root exploit from the pcp user to root, have been addressed in the 6.3.1 release of PCP.


Security quotes of the week

That's a hard problem to fix. We can't imagine Washington passing a law requiring iPhones to be made entirely in the United States. Labor costs are too high, and our country doesn't have the domestic capacity to make these things. Our supply chains are deeply, inexorably international, and changing that would require bringing global economies back to the 1980s.

So what happens now? As for Hezbollah, its leaders and operatives will no longer be able to trust equipment connected to a network—very likely one of the primary goals of the attacks. And the world will have to wait to see if there are any long-term effects of this attack and how the group will respond.

But now that the line has been crossed, other countries will almost certainly start to consider this sort of tactic as within bounds. It could be deployed against a military during a war or against civilians in the run-up to a war. And developed countries like the United States will be especially vulnerable, simply because of the sheer number of vulnerable devices we have.

Bruce Schneier

Congress hasn't updated consumer privacy law since 1988, when it took the bold step of…banning video-store clerks from telling the newspapers which VHS cassettes you took home. Since then, a coalition of commercial surveillance companies and the cops and spies who treat their data-lakes as massive, off-the-books anaerobic lagoons of warrantless surveillance data has prevented the passage of any new privacy protections for Americans.

The result? Stalkers, creeps, spies (both governmental and corporate), identity thieves, spearphishers and other villainous scum are running wild, endangering every American's financial, physical and political wellbeing. The correct amount of commercial data-brokerage for America is zero.

Cory Doctorow


Kernel development

Kernel release status

The 6.12 merge window is still open; it can be expected to close on September 29.

Stable updates: none have been released in the last week.


The realtime preemption pull request

On September 19, Thomas Gleixner delivered the pull request for the realtime preemption enablement patches to Linus Torvalds — in printed form, wrapped in gold, with a ribbon, as Torvalds had requested. It was a significant milestone, marking the completion of a project that required 20 years of effort. Congratulations are due to everybody involved.

Torvalds acted on the pull request the following morning.


Quote of the week

So the conclusion from this is that anyone saying "we can't keep up with all the CVEs" is admitting that they can't keep up with all the current (and past!) vulnerabilities present in the kernel.

Either they don't have a threat model, can't triage patches against their threat model, or can't keep up with stable releases due to whatever deployment testing gaps they have.

There are very few deployments I'm aware that can, honestly. This is hardly new, but now it is more visible.

Kees Cook


Distributions

Vanilla OS 2 - future plans, updates, and next release

The Vanilla OS project has published a blog post to answer questions that users have raised since the release of Vanilla OS 2. The post has information about the update strategy for the distribution, an enterprise version with support, and plans for an experimental version called Vanilla OS Vision.

We are not planning for a potential Vanilla OS 3 because it is not yet necessary. As previously explained, our focus right now is on bug fixing and making the system as solid as possible, especially in light of collaborations with OEMs. We're all excited about laying the foundation for a third version of Vanilla OS, but we have responsibilities to attend to first.

This does not mean that there will never be one, nor does it mean that Orchid will become stagnant. On the contrary, as previously mentioned, our updates not only bring fixes but also updates to system components, improvements to existing features, and updates to components like GNOME (we are planning the release of GNOME 47 soon, for example).


Distributions quote of the week

I mean, you say that, but Python is by far the most obvious choice. It's the most popular programming language in the IEEE Spectrum 2024 survey by a very large margin, and the next most popular languages (Java, JavaScript, and C++) are all less suitable for this type of integration programming. You have to go down to eighth place before you find Go, at about a fifth the popularity of Python.

Python is also replacing Java as the language of college CS classes, which means the base of people who know at least some Python is probably larger than any other language filling the same niche.

I think the only real competitor to Python today on the popularity and existing knowledge front would be JavaScript, and I think it's less suitable for the type of development we do in Debian.

Russ Allbery, on alternatives to Perl for Debian tooling.


Development

GNOME 47 released

Version 47 of the GNOME desktop has been released. Changes include configurable accent colors, better small-screen support, some performance improvements, new file open and save dialogs, and more.


HarfBuzz 10.0.0 released

Version 10.0.0 of the HarfBuzz text-shaping engine has been released. Notable changes in this release include Unicode 16.0.0 support, adding Cairo script as an output format for hb-view, and a number of bug fixes.


Hy 1.0.0 released

Version 1.0.0 of Hy, a Lisp dialect that is embedded in Python, has been released after nearly 12 years in development. This is the first stable release of the project:

Henceforth, breaking changes to documented parts of the language (other than dropping support for versions of Python that are themselves no longer supported by the CPython developers) will increase the major version number, and my intention is for that not to happen often, if at all.

The 1.0.0 release supports Python 3.8 through 3.13. See the documentation and the "Why Hy?" page for why one might want to use it. For the historically minded, LWN covered a PyCon talk on Hy in 2014.


OpenSSH 9.9 released

The OpenSSH project has released version 9.9. This version includes support for the new post-quantum cryptography standard from NIST. The release also includes the next step in the deprecation of DSA keys — they are now disabled by default at compile time, and are expected to be removed entirely in early 2025. The release also contains the normal mixture of bug fixes and small usability improvements.
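Because DSA is now disabled by default at compile time, an administrator upgrading to 9.9 will want to know in advance which authorized_keys and known_hosts entries still rely on it. The script below is an added example, not OpenSSH project code; it scans for the "ssh-dss" key-type token (OpenSSH's identifier for DSA keys) and runs on constructed sample files whose key blobs are placeholders rather than real keys.

```shell
#!/bin/sh
# Added example (not from the OpenSSH project): find authorized_keys and
# known_hosts entries that still use DSA ("ssh-dss") before moving to an
# OpenSSH build with DSA disabled at compile time.

# Constructed sample authorized_keys content; the key blobs are placeholders,
# not real keys. One entry carries a leading options list.
SAMPLE_AUTHORIZED_KEYS='ssh-dss AAAAB3NzaC1kc3MAAACBAPLACEHOLDER alice@legacy-host
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER bob@modern-host
command="/usr/bin/backup",no-pty ssh-dss AAAAB3NzaC1kc3MAAACBAPLACEHOLDER backup@legacy-host
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABPLACEHOLDER carol@other-host'

# Constructed sample known_hosts content (host keys a client has recorded).
SAMPLE_KNOWN_HOSTS='legacy.example.test ssh-dss AAAAB3NzaC1kc3MAAACBAPLACEHOLDER
modern.example.test ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER'

# The key-type token may sit at the start of the line, after a hostname, or
# after an options list that ends in ',' or a closing quote.
DSS_PATTERN='(^|[[:space:],"])ssh-dss[[:space:]]'

# count_dsa_keys FILE: print how many lines in FILE carry an ssh-dss key.
# Prints 0 (and succeeds) for a missing or unreadable file.
count_dsa_keys() {
    if [ ! -r "$1" ]; then
        echo 0
        return 0
    fi
    # grep -c prints 0 but exits 1 when nothing matches; keep the 0.
    grep -c -E "$DSS_PATTERN" "$1" 2>/dev/null || true
}

# list_dsa_keys FILE...: print "file:line:entry" for every ssh-dss entry,
# with the key blob replaced by <blob> so the report stays readable.
list_dsa_keys() {
    for f in "$@"; do
        [ -r "$f" ] || continue
        grep -n -E "$DSS_PATTERN" "$f" 2>/dev/null \
            | sed -e "s|^|$f:|" -e 's#ssh-dss [A-Za-z0-9+/=]*#ssh-dss <blob>#' \
            || true
    done
}

# Stand-alone demonstration on the constructed samples.
demo_dir=$(mktemp -d)
printf '%s\n' "$SAMPLE_AUTHORIZED_KEYS" > "$demo_dir/authorized_keys"
printf '%s\n' "$SAMPLE_KNOWN_HOSTS" > "$demo_dir/known_hosts"
echo "DSA entries in authorized_keys: $(count_dsa_keys "$demo_dir/authorized_keys")"  # 2
echo "DSA entries in known_hosts: $(count_dsa_keys "$demo_dir/known_hosts")"          # 1
list_dsa_keys "$demo_dir/authorized_keys" "$demo_dir/known_hosts"
rm -rf "$demo_dir"
```

In use, point `list_dsa_keys` at the real files (each user's `~/.ssh/authorized_keys`, `~/.ssh/known_hosts`, and any system-wide equivalents); the match is on the key-type token rather than on the blob, so entries prefixed with restriction options are still reported.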


Development quotes of the week

Recent discussion about some older C libraries has me realizing that some of those are going to be Roman road-style infrastructure, probably used for literal centuries and setting design choices that may well be used for millennia if our civilization lasts that long.

This is of course horrifying.

Luis Villa

Actively celebrate people who step back from maintainer positions. Celebrate what they accomplished and what they are moving on to. Don’t punish or otherwise shame quitting. This also incentivizes other people to step up, knowing that they don’t necessarily have to do it forever.

Rich Bowen


Page editor: Daroc Alden


Copyright © 2024, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds