Welcome to LWN.net

LWN.net is a reader-supported news site dedicated to producing the best coverage from within the Linux and free software development communities. See the LWN FAQ for more information, and please consider subscribing to gain full access and support our activities.

[$] Meeting the Debian Technical Committee

[Distributions] Posted Aug 10, 2024 1:51 UTC (Sat) by jake

It is something of a DebConf tradition that members of the Debian Technical Committee (TC) take the stage to talk about the work that the committee does—and more. DebConf24 in Busan, South Korea was no exception, as TC chair Sean Whitton, who will complete his term at the end of the year, and one of its newest members, Stefano Rivera, described the constitutional underpinnings of the TC, how it tries to make decisions when it needs to, and the constant process of recruiting new members. After that, they took a few questions from the audience. The session provided a nice overview of the TC and its role in Debian, but it may well be of interest further afield.

Full Story (comments: 1)

[$] Distinguishing Debian testing from unstable

[Distributions] Posted Aug 9, 2024 15:12 UTC (Fri) by corbet

Sometimes, the smallest changes create the longest discussions. As a case in point, a proposal to make a one-line change in an informational text file on systems running the Debian unstable distribution has blown up into an interminable and sometimes unfriendly debate. At its core, though, this discussion comes down to a seemingly simple question: should a program be able to determine whether it is running on a Debian testing or unstable system?

Full Story (comments: 46)

[$] Endless OS aimed at educational and offline environments

[Distributions] Posted Aug 8, 2024 13:56 UTC (Thu) by daroc

Endless OS is a Linux distribution with a focus on improving access to educational tools by providing a simple-to-manage, full-featured desktop for educators and students — one that works offline, with minimal maintenance. The distribution also aims to be suitable for older devices, in order to promote access to computers by ensuring those systems remain usable. In pursuit of those goals, it makes some unusual technical choices. But what makes the distribution really shine is its curated collection of software and educational resources.

Full Story (comments: 7)

[$] LWN.net Weekly Edition for August 8, 2024

Posted Aug 8, 2024 1:37 UTC (Thu)

The LWN.net Weekly Edition for August 8, 2024 is available.

Inside this week's LWN.net Weekly Edition

  • Front: Business Source License; Divvi Up; min() and max(); CRIB; Filesystem interruptibility; Error sources; CircuitPython.
  • Briefs: Firefox 129.0; GNU Binutils 2.43; Puppeteer Firefox support; Sovereign tech fund; Mel Chua RIP; Quotes; ...
  • Announcements: Newsletters, conferences, security updates, patches, and more.

[$] CRIB: checkpoint/restore in BPF

[Kernel] Posted Aug 7, 2024 15:35 UTC (Wed) by corbet

The desire for the ability to checkpoint a process — to record its state in a form that can be restarted at a future time — on Linux is almost as old as Linux itself. See, for example, this announcement of a checkpoint project that appeared in LWN in 1998. While working solutions exist, they can be somewhat fragile and difficult to use; it is not surprising that some people are interested in finding a better alternative. A current effort goes by the name CRIB, for Checkpoint/Restore in (naturally) BPF. It is far from clear that CRIB will replace the existing solutions, but it is an interesting look at a different way of solving the problem.

Full Story (comments: 4)

[$] Tracing the source of filesystem errors

[Kernel] Posted Aug 7, 2024 14:18 UTC (Wed) by jake

There are lots of places in the kernel where an EINVAL can be returned to user space, but it is often unclear what the actual underlying problem is because the errno error codes are too generic. That is the problem that Miklos Szeredi wanted to discuss in a filesystem session that he led remotely at the 2024 Linux Storage, Filesystem, Memory Management, and BPF Summit. He would like to help those who are trying to debug problems trace where in the kernel a particular error code is being generated.

Full Story (comments: 10)

[$] CircuitPython: Python for microcontrollers, simplified

[Development] Posted Aug 6, 2024 14:35 UTC (Tue) by KJ7RRV

CircuitPython is an open-source implementation of the Python programming language for microcontroller boards. The project, which is sponsored by Adafruit Industries, is designed with new programmers in mind, but it also has many features that may be of interest to more-experienced developers. The recent 9.1.0 release adds a few minor features, but it follows just a few months after CircuitPython 9.0.0, which brings some more significant changes, including improved graphics and USB support.

Full Story (comments: 8)

[$] Handling filesystem interruptibility

[Kernel] Posted Aug 5, 2024 19:15 UTC (Mon) by jake

David Howells wanted to discuss changing the way filesystem code handles the ability to interrupt or kill operations, in order to fix some longstanding problems with network (and other) filesystems, in a session at the 2024 Linux Storage, Filesystem, Memory Management, and BPF Summit. As noted in his session proposal, some filesystems may be expecting to not be interruptible, but are calling code that can take locks and mutexes that are interruptible (or killable), which are effectively changing the state of the task incorrectly. He would like to find a solution for that problem.

Full Story (comments: 9)

[$] The complexity of BUSL transformation

[Distributions] Posted Aug 5, 2024 14:55 UTC (Mon) by jzb

The Business Source License (BUSL) is a source-available license that "converts" to an open-source license after a period of time. In theory, this means that a few years after a version of a product is released under the BUSL, it becomes open source and is fair game for Linux distributions to package along with regular open-source projects. In practice, the license throws a few curveballs that require special consideration and caution, as the Fedora Project recently discussed.

Full Story (comments: 10)

[$] Divvi Up: privacy-respecting telemetry aggregation

[Development] Posted Aug 2, 2024 13:13 UTC (Fri) by daroc

There is ongoing discussion about the ethics and effectiveness of telemetry following some recent LWN articles that touched on Thunderbird's use of opt-out telemetry and planned metrics in Fedora. The Internet Security Research Group (ISRG), the nonprofit behind Let's Encrypt, has a potential solution to the problem of how to collect and aggregate telemetry without violating users' privacy. The scheme is based on a draft protocol being standardized with the Internet Engineering Task Force (IETF), and has an open-source implementation available.

Full Story (comments: 19)

Three weekend stable kernels

[Kernel] Posted Aug 11, 2024 14:19 UTC (Sun) by corbet

The 6.10.4, 6.6.45, and 6.1.104 stable kernel updates have been released; each contains another set of important updates as usual.

Comments (none posted)

A new kernel-version policy for Ubuntu

[Distributions] Posted Aug 9, 2024 19:47 UTC (Fri) by corbet

The Canonical Kernel Team has announced a new policy regarding the version of the kernel that will ship with each Ubuntu release; the result will generally be the shipping of newer releases.

To provide users with the absolute latest in features and hardware support, Ubuntu will now ship the absolute latest available version of the upstream Linux kernel at the specified Ubuntu release freeze date, even if upstream is still in Release Candidate (RC) status.

The post goes on to acknowledge that "there are issues with this approach"; there are a lot of policy details that will apply depending on just how raw the shipped kernel is.

Comments (35 posted)

New attack against the SLUB allocator

[Briefs] Posted Aug 9, 2024 15:08 UTC (Fri) by daroc

Researchers from Graz University of Technology have published details of a new attack on the Linux kernel called SLUBStick. The attack uses timing information to turn an ability to trigger use-after-free or double-free bugs into the ability to overwrite page tables, and thence into the ability to read and write arbitrary areas of memory. The good news is that this attack does require an existing bug to be usable; the bad news is that the kernel regularly sees bugs of this kind.

We assume that an unprivileged user has code execution. Additionally, we consider the presence of a heap vulnerability in the Linux kernel. We assume that the Linux kernel incorporates all defense mechanisms available in version 6.4, the most recent Linux kernel version when we started our work. These mechanisms include features such as W^X, KASLR, SMAP, and kCFI. We do not assume any microarchitectural vulnerabilities, e.g., transient execution, fault injection, or hardware side channels.

Comments (7 posted)

Security updates for Friday

[Security] Posted Aug 9, 2024 13:23 UTC (Fri) by daroc

Security updates have been issued by AlmaLinux (httpd, kernel, kernel-rt, and libtiff), Debian (postgresql-13, postgresql-15, and thunderbird), Fedora (frr, thunderbird, vim, and xrdp), Gentoo (Librsvg, Nautilus, ncurses, Percona XtraBackup, QEMU, and re2c), Red Hat (httpd, kernel, kernel-rt, openssl, and python-setuptools), SUSE (bind, ffmpeg-4, kubernetes1.23, kubernetes1.24, python-Django, and python3-Twisted), and Ubuntu (linux, linux-aws, linux-aws-5.4, linux-gcp, linux-gcp-5.4, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-iot, linux-kvm, linux-raspi, linux-xilinx-zynqmp, linux, linux-aws, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-intel-iotg, linux-intel-iotg-5.15, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux, linux-aws, linux-gcp, linux-gke, linux-ibm, linux-nvidia, linux-nvidia-6.8, linux-oem-6.8, linux-nvidia-lowlatency, linux-oracle, linux-oracle, linux-oracle-5.4, and salt).

Full Story (comments: none)

0.0.0.0 Day: Exploiting Localhost APIs From the Browser (Oligo Security)

[Security] Posted Aug 8, 2024 17:15 UTC (Thu) by corbet

The Oligo Security blog discloses a web-browser vulnerability that has been named "0.0.0.0 day". In short, browsers will allow JavaScript code to open connections to the all-zeroes IPv4 address; the result is that any port that is open on the local host can be accessed by a remote site. "When services use localhost, they assume a constrained environment. This assumption, which can (as in the case of this vulnerability) be faulty, results in insecure server implementations."

Comments (76 posted)

Security updates for Thursday

[Security] Posted Aug 8, 2024 13:51 UTC (Thu) by jake

Security updates have been issued by AlmaLinux (freeradius and freeradius:3.0), Debian (chromium, odoo, and roundcube), Fedora (microcode_ctl, mingw-qt5-qtbase, mingw-qt6-qtbase, opentofu, orc, python-setuptools, and vim), Gentoo (Nokogiri), Oracle (kernel), Red Hat (go-toolset:rhel8, golang, kernel, krb5, libtiff, python-setuptools, and python39:3.9 and python39-devel:3.9), SUSE (python-Django), and Ubuntu (krb5).

Full Story (comments: none)

Firefox support added to Puppeteer

[Briefs] Posted Aug 7, 2024 19:20 UTC (Wed) by daroc

Mozilla has announced that Puppeteer, a browser automation and testing library, now has first-class support for Firefox using the WebDriver BiDi protocol. Puppeteer can be used to drive headless browser instances, and is commonly used for automated end-to-end web-site tests.

Whilst the features offered by Puppeteer won't be a surprise, bringing support to multiple browsers has been a significant undertaking. The Firefox support is not based on a Firefox-specific automation protocol, but on WebDriver BiDi, a cross browser protocol that's undergoing standardization at the W3C, and currently has implementation in both Gecko and Chromium. This use of a cross-browser protocol should make it much easier to support many different browsers going forward.

Comments (9 posted)

Security updates for Wednesday

[Security] Posted Aug 7, 2024 13:14 UTC (Wed) by jzb

Security updates have been issued by Debian (firefox-esr, openjdk-17, and wpa), Gentoo (aiohttp, Bitcoin, Cairo, Go, json-c, Levenshtein, libXpm, nghttp2, PostgreSQL, and Redis), Red Hat (kernel, kernel-rt, python-setuptools, python-urllib3, python3.11-setuptools, and wget), Slackware (mozilla), SUSE (bind, curl, docker, ffmpeg, ffmpeg-4, kernel, kernel-firmware, libnbd, patch, shadow, and thunderbird), and Ubuntu (python-django and wpa).

Full Story (comments: none)

Firefox 129.0 released

[Development] Posted Aug 6, 2024 14:28 UTC (Tue) by corbet

Version 129.0 of the Firefox browser has been released. Changes include some improvements to the reader mode, tab previews, and use of HTTPS by default.

Comments (10 posted)

Security updates for Tuesday

[Security] Posted Aug 6, 2024 13:30 UTC (Tue) by corbet

Security updates have been issued by Debian (libreoffice), Gentoo (containerd and firefox), Red Hat (httpd), SUSE (ca-certificates-mozilla, ksh, openssl-3-livepatches, podman, python-Twisted, and skopeo), and Ubuntu (imagemagick).

Full Story (comments: none)


Copyright © 2024, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds