lwn.net

The LWN.net Weekly Edition for April 11, 2024 is available.

The Gentoo Linux project has announced that it is now an Associated Project of Software in the Public Interest (SPI), which will allow it to accept tax deductible donations in the US and reduce its "non-technical workload":

The current Gentoo Foundation has bylaws restricting its behavior to that of a non-profit, is a recognized non-profit only in New Mexico, but a for-profit entity at the US federal level. A direct conversion to a federally recognized non-profit would be unlikely to succeed without significant effort and cost.

[...] SPI is already now recognized at US federal level as a full-[fledged] non-profit 501(c)(3). It also handles several projects of similar type and size (e.g., Arch and Debian) and as such has exactly the experience and background that Gentoo needs.

According to the announcement, the goal is to "eventually transfer the existing assets to SPI and dissolve the Gentoo Foundation". How to do that is still under discussion. This will not affect Förderverein Gentoo e.V., which has public-benefit status in Germany and can accept tax deductible donations in Europe.

Greg Kroah-Hartman has announced another round of stable kernel updates: 6.8.5, 6.6.26, 6.1.85, and 5.15.154 have all been released; each contains another set of important fixes, including the mitigations for the recently disclosed branch history injection hardware vulnerability.

A recent book by LWN guest author Lee Phillips provides a nice introduction to the Julia programming language. Practical Julia does more than that, however. As its subtitle ("A Hands-On Introduction for Scientific Minds") implies, the book focuses on bringing Julia to scientists, rather than programmers, which gives it something of a different feel from most other books of this sort.

On April 3 security researcher Bartek Nowotarski published the details of a new denial-of-service (DoS) attack, called a "continuation flood", against many HTTP/2-capable web servers. While the attack is not terribly complex, it affects many independent implementations of the HTTP/2 protocol, even though multiple similar vulnerabilities over the years have given implementers plenty of warning.

Security updates have been issued by Debian (gtkwave), Fedora (dotnet7.0, dotnet8.0, and python-pillow), Mageia (apache, gstreamer1.0, libreoffice, perl-Data-UUID, and xen), Oracle (kernel, kernel-container, and varnish), Red Hat (edk2, kernel, rear, and unbound), SUSE (apache2-mod_jk, gnutls, less, and xfig), and Ubuntu (bind9, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux, linux-aws, linux-azure, linux-azure-6.5, linux-gcp, linux-gcp-6.5, linux-hwe-6.5, linux-laptop, linux-lowlatency, linux-lowlatency-hwe-6.5, linux-oem-6.5, linux-oracle, linux-oracle-6.5, linux-starfive, linux-starfive-6.5, linux, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-gkeop-5.15, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-intel-iotg, linux-intel-iotg-5.15, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-oracle, linux-oracle-5.15, linux-raspi, linux-azure, and xorg-server, xwayland).

The mainline kernel has just received a set of commits mitigating the latest x86 hardware vulnerability, known as "branch history injection". From this commit:

Branch History Injection (BHI) attacks may allow a malicious application to influence indirect branch prediction in kernel by poisoning the branch history. eIBRS isolates indirect branch targets in ring0. The BHB can still influence the choice of indirect branch predictor entry, and although branch predictor entries are isolated between modes when eIBRS is enabled, the BHB itself is not isolated between modes.

See this commit for documentation on the command-line parameter that controls this mitigation. There are stable kernel releases (6.8.5, 6.6.26, 6.1.85, and 5.15.154) in the works that also contain the mitigations.

On February 20, Linaro held the initial get-together for what is intended to be a regular Linux Kernel Forum for the Arm-focused kernel community. This gathering aims to convene approximately a few weeks prior to the merge window opening and prior to the release of the current kernel version under development. Topics covered in the first gathering include preparing 64-bit Arm kernels for low-end embedded systems, memory errors and Compute Express Link (CXL), devlink objectives, and scheduler integration.

Version 3.3.0 of the OpenSSL SSL/TLS implementation has been released. Changes include a number of additions to its QUIC protocol support, some year-2038 improvements for 32-bit systems, and a lot of cryptographic features with descriptions like "Added a new EVP_DigestSqueeze() API. This allows SHAKE to squeeze multiple times with different output sizes." See the release notes for details.

There are many mechanisms for deferred work in the Linux kernel. One of them, workqueues, has seen increasing use as part of the move away from software interrupts. Alison Chaiken gave a talk at SCALE about how they compare to software interrupts, the new challenges they pose for system administrators, and what tools are available to kernel developers wishing to diagnose problems with workqueues as they become increasingly prevalent.

Security updates have been issued by Debian (expat), Oracle (less and nodejs:20), Slackware (libarchive), SUSE (kubernetes1.23, nghttp2, qt6-base, and util-linux), and Ubuntu (python-django).

Version 4.2.0 of the Rivendell radio automation system has been released. Changes include a new data feed for 'next' data objects, improvements to its podcast system, numerous bug fixes, and more.

The Google Open Source Blog is carrying an announcement for a new JPEG library called "Jpegli". There are a number of advantages claimed, including:

Jpegli can be encoded with 10+ bits per component. Traditional JPEG coding solutions offer only 8 bit per component dynamics causing visible banding artifacts in slow gradients. Jpegli's 10+ bits coding happens in the original 8-bit formalism and the resulting images are fully interoperable with 8-bit viewers. 10+ bit dynamics are available as an API extension and application code changes are needed to benefit from it.

The library is BSD-licensed.

Sometimes the smallest patches create the biggest discussions. A case in point would be the process by which the PostgreSQL community — not a group normally prone to extended, strongly worded megathreads — resolved the question of whether to merge a brief patch adding a new configuration parameter. Sometimes, a proposal that looks like a security patch is not, in fact, intended to be a security patch, but getting that point across can be difficult.

Version 2.4.0 of the GNU Stow symbolic-link manager has been released. This marks the first release for GNU Stow since 2019. Maintainer Adam Spires wrote:

I would like to sincerely apologise to all Stow users for this incredibly overdue release, the cadence of which is perhaps vaguely reminiscent of releases by the great Donald Knuth, except with none of the grace and deliberate planning.

Spires notes that this release "makes considerable efforts to make the internals more understandable and easy to maintain", and has put out a call for a co-maintainer.

Security updates have been issued by Debian (jetty9, libcaca, libgd2, tomcat9, and util-linux), Fedora (chromium, micropython, and upx), Mageia (chromium-browser-stable, dav1d, libreswan, libvirt, nodejs, texlive-20220321, and util-linux), Red Hat (less, nodejs:20, and varnish), Slackware (tigervnc), and SUSE (buildah, c-ares, cdi-apiserver-container, cdi-cloner-container, cdi- controller-container, cdi-importer-container, cdi-operator-container, cdi- uploadproxy-container, cdi-uploadserver-container, cont, curl, expat, go1.21, go1.22, guava, helm, indent, krb5, kubevirt, virt-api-container, virt-controller-container, virt-exportproxy-container, virt-exportserver-container, virt-handler-container, virt-launcher-container, virt-libguestfs-t, libcares2, libvirt, ncurses, nghttp2, podman, postfix, python-Django, python-Pillow, python310, qemu, rubygem-rack, thunderbird, ucode-intel, and xen).

The 6.9-rc3 kernel prepatch is out for testing.

Ok, so this rc3 looks a bit different than the usual ones, because there's a large series to bcachefs to do filesystem repair after corruption. Not normally something we'd see in an rc kernel, but hey, if you had a corrupted bcachefs filesystem you'd probably want this, and if you thought bcachefs was stable already, I have a bridge to sell you. Special deal only for you, real cheap.

Wayne Davison has announced the release of rsync version 3.3.0, which contains a number of bug fixes and minor enhancements. Davison has also announced a change in maintainers and a move to a new GitHub project:

The github repos have moved to a new RsyncProject organization. Because various life events have been monopolizing my time, I reached out to Tridge [Andrew Tridgell] (the original author) and he has graciously agreed to get back into rsync work, along with Paul Mackerras, who was also an early contributor to rsync. This new team will be working mainly on maintenance tasks, and not so much on new features. If you want to get involved, feel free to reach out on the new discord RsyncProject channels.

The new GitHub organization is here.

The nominations have closed and campaigning is underway to see who will be the next Debian Project Leader (DPL). This year, two candidates are campaigning for the position Jonathan Carter has held for four eventful years: Sruthi Chandran and Andreas Tille. Topics that have emerged so far include how the prospective DPLs would spend project money, their opinions on handling controversial topics, and project diversity.

OpenBSD 7.5 has been released. The list of changes and improvements is, as usual, long; it includes the pinsyscalls() functionality covered here in January.