lwn.net

LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.

Tridge returns to rsync

Sun, 2024/04/07 - 6:24 AM

Wayne Davison has announced the release of rsync version 3.3.0, which contains a number of bug fixes and minor enhancements. Davison has also announced a change in maintainers and a move to a new GitHub project:

The github repos have moved to a new RsyncProject organization. Because various life events have been monopolizing my time, I reached out to Tridge [Andrew Tridgell] (the original author) and he has graciously agreed to get back into rsync work, along with Paul Mackerras, who was also an early contributor to rsync. This new team will be working mainly on maintenance tasks, and not so much on new features. If you want to get involved, feel free to reach out on the new discord RsyncProject channels.

The new GitHub organization is here.


[$] A look at the 2024 Debian Project Leader election

Sat, 2024/04/06 - 3:11 AM

The nominations have closed and campaigning is underway to see who will be the next Debian Project Leader (DPL). This year, two candidates are campaigning for the position Jonathan Carter has held for four eventful years: Sruthi Chandran and Andreas Tille. Topics that have emerged so far include how the prospective DPLs would spend project money, their opinions on handling controversial topics, and project diversity.


OpenBSD 7.5 released

Fri, 2024/04/05 - 11:44 PM
OpenBSD 7.5 has been released. The list of changes and improvements is, as usual, long; it includes the pinsyscalls() functionality covered here in January.

Eclipse Foundation announces collaboration for CRA compliance

Fri, 2024/04/05 - 11:34 PM

The Eclipse Foundation, the organization behind the Eclipse IDE and many other software projects, announced a collaboration between several different open-source-software foundations to create a specification describing secure software development best practices. This work is motivated by the European Union's Cyber Resilience Act (CRA).

The leading open source communities and foundations have for years developed and practised secure software development processes. These are processes that have often defined or set industry best practices around things such as coordinated disclosure, peer review, and release processes. These processes have been documented by each of these communities, albeit sometimes using different terminology and approaches. We hypothesise that the cybersecurity process technical documentation that already exists amongst the open source communities can provide a useful starting point for developing the cybersecurity processes required for regulatory compliance.

(Thanks to Martin Michlmayr.)


FFmpeg 7.0 released

Fri, 2024/04/05 - 10:47 PM
Version 7.0 of the FFmpeg audio/video toolkit is out. "The most noteworthy changes for most users are a native VVC decoder (currently experimental, until more fuzzing is done), IAMF support, or a multi-threaded ffmpeg CLI tool". There's also the usual list of new formats and codecs, and a few deprecated features have been removed.

Security updates for Friday

Fri, 2024/04/05 - 10:35 PM
Security updates have been issued by Debian (cockpit), Mageia (python-pygments), Red Hat (nodejs), Slackware (httpd and nghttp2), SUSE (avahi, gradle, gradle-bootstrap, and squid), and Ubuntu (xorg-server, xwayland).

Stable kernels 6.8.4 and 6.6.25

Fri, 2024/04/05 - 4:13 AM
The 6.8.4 and 6.6.25 stable kernels have been released. They both contain 11 reversions of workqueue patches.

V8 incorporates new sandbox

Fri, 2024/04/05 - 2:46 AM

V8, the JavaScript engine used in Chrome, announced that its memory sandbox is no longer experimental.

Chrome 123 could therefore be considered to be a sort of "beta" release for the sandbox. This blog post uses this opportunity to discuss the motivation behind the sandbox, show how it prevents memory corruption in V8 from spreading within the host process, and ultimately explain why it is a necessary step towards memory safety.

[$] A focus on FOSS funding

Fri, 2024/04/05 - 2:38 AM

Among the numerous approaches to funding the development and advancement of open-source software, corporate sponsorship in the form of donations to umbrella organizations is perhaps the most visible. At SCALE21x in Pasadena, California, Duane O'Brien presented a slice of his recent research into the landscape of such sponsorship arrangements, with an overview of the identifiable trends of the past ten years and some initial insights he hopes are valuable for sponsors and community members alike.


Incus 6.0 LTS released

Fri, 2024/04/05 - 12:38 AM
Version 6.0 LTS of the Incus container management system has been released. "This is a major milestone for Incus as it marks our first release with extended support, suitable for use in production environments where monthly feature releases aren't suitable." Changes include swap limits for containers, a new shell completion mechanism, support for the creation of VLAN interfaces, improved live migration, and more.

Security updates for Thursday

Thu, 2024/04/04 - 11:21 PM
Security updates have been issued by CentOS (firefox and thunderbird), Debian (chromium and gtkwave), Fedora (micropython), Slackware (xorg), SUSE (util-linux and xen), and Ubuntu (firefox).

[$] LWN.net Weekly Edition for April 4, 2024

Thu, 2024/04/04 - 9:01 AM
The LWN.net Weekly Edition for April 4, 2024 is available.

AlmaLinux OS - CVE-2024-1086 and XZ (AlmaLinux blog)

Thu, 2024/04/04 - 3:39 AM

AlmaLinux has announced updated kernels for AlmaLinux 8 and 9 to address CVE-2024-1086, a use-after-free vulnerability in the kernel that could be exploited to gain local privilege escalation. This is notable because the fix marks a divergence between AlmaLinux and Red Hat Enterprise Linux (RHEL):

In January of this year, a kernel flaw was disclosed and named CVE-2024-1086. This flaw is trivially exploitable on most RHEL-equivalent systems. There are many proof-of-concept posts available now, including one from our Infrastructure team lead, Jonathan Wright (Dealing with CVE-2024-1086). In multi-user scenarios, this flaw is especially problematic.

Though this was flagged as something to be fixed in Red Hat Enterprise Linux, Red Hat has only rated this as a moderate impact.

The AlmaLinux project would also like to note that it is not impacted by the XZ backdoor. "Because enterprise Linux takes a bit longer to adopt those updates (sometimes to the chagrin of our users), the version of XZ that had the back door inserted hadn't made it further than Fedora in our ecosystem."


Malcolm: Improvements to static analysis in the GCC 14 compiler

Thu, 2024/04/04 - 1:44 AM
David Malcolm writes about some static-analyzer features that are coming in the GCC 14 release.

Solving the halting problem?

Obviously I'm kidding with the title here, but for GCC 14 I've implemented a new warning: -Wanalyzer-infinite-loop that's able to detect some simple cases of infinite loops.

See also: this report from the 2023 GNU Tools Cauldron.


Four stable kernel updates

Wed, 2024/04/03 - 11:53 PM

The 6.8.3, 6.7.12, 6.6.24, and 6.1.84 stable kernel updates have been released. Each contains an important set of fixes. Note that 6.7.12 is the final release for the 6.7.y series, and that branch is now end-of-life. Users should move to the 6.8.y branch.


[$] A memory model for Rust code in the kernel

Wed, 2024/04/03 - 11:36 PM
The Rust programming language differs from C in many ways; those differences tend to be what users admire in the language. But those differences can also lead to an impedance mismatch when Rust code is integrated into a C-dominated system, and it can be even worse in the kernel, which is not a typical C program. Memory models are a case in point. A programming language's view of memory is sufficiently fundamental and arcane that many developers never have to learn much about it. It is hard to maintain that sort of blissful ignorance while working in the kernel, though, so a recent discussion of how to choose a memory model for kernel code in Rust is of interest.

KDE6 release: D-Bus and Polkit Galore (SUSE security team blog)

Wed, 2024/04/03 - 10:45 PM
The SUSE Security Team Blog is carrying a detailed article on SUSE's review of the KDE6 release.

The SUSE security team restricts the installation of system wide D-Bus services and Polkit policies in openSUSE distributions and derived SUSE products. Any package that ships these features needs to be reviewed by us first, before it can be added to production repositories.

In November, openSUSE KDE packagers approached us with a long list of KDE components for an upcoming KDE6 major release. The packages needed adjusted D-Bus and Polkit whitelistings due to renamed interfaces or other breaking changes. Looking into this many components at once was a unique experience that also led to new insights, which will be discussed in this article.


Security updates for Wednesday

Wed, 2024/04/03 - 10:41 PM
Security updates have been issued by Debian (py7zr), Fedora (biosig4c++ and podman), Oracle (kernel, kernel-container, and ruby:3.1), Red Hat (.NET 7.0, bind9.16, curl, expat, grafana, grafana-pcp, kernel, kernel-rt, kpatch-patch, less, opencryptoki, and postgresql-jdbc), and Ubuntu (cacti).

Redict 7.3.0 released

Wed, 2024/04/03 - 10:24 PM
The first stable release of Redict, a fork of the Redis in-memory database under a copyleft license, has been announced.

You may be wondering why Redict would be of interest to you, particularly when compared with Valkey, another Redis fork that was announced on Thursday.

In technical terms, we are focusing on stability and long-term maintenance, and on achieving excellence within our current scope. We believe that Redict is near feature-complete and that it is more valuable to our users if we take a conservative stance to innovation and focus on long-term reliability instead. This is in part a choice we've made to distinguish ourselves from Valkey, whose commercial interests are able to invest more resources into developing more radical innovations, but also an acknowledgement of a cultural difference between our projects, in that the folks behind Redict place greater emphasis on software with a finite scope and ambitions towards long-term stability rather than focusing on long-term growth in scope and complexity.


[$] How the XZ backdoor works

Wed, 2024/04/03 - 5:41 AM

Versions 5.6.0 and 5.6.1 of the XZ compression utility and library were shipped with a backdoor that targeted OpenSSH. Andres Freund discovered the backdoor by noticing that failed SSH logins were taking a lot of CPU time while doing some micro-benchmarking, and tracking down the backdoor from there. It was introduced by XZ co-maintainer "Jia Tan" — a probable alias for person or persons unknown. The backdoor is a sophisticated attack with multiple parts, from the build system, to link time, to run time.

