Welcome to LWN.net
LWN.net is a reader-supported news site dedicated to producing the best coverage from within the Linux and free software development communities. See the LWN FAQ for more information, and please consider subscribing to gain full access and support our activities.
[$] Modernizing accessibility for desktop Linux
In some aspects, such as in gaming, the Linux desktop has made enormous strides in the past few years. In others, such as accessibility, things have stagnated. At Open Source Summit North America (OSSNA), Matt Campbell spoke about the need for, and an approach to, modernizing accessibility for desktop Linux. This included a discussion of Newton, a fledgling project that may greatly improve accessibility on the Linux desktop.
[$] The file_operations structure gets smaller
Kernel developers are encouraged to send their changes in small batches as a way of making life easier for reviewers. So when a longtime developer and maintainer hits the list with a 437-patch series touching 859 files, eyebrows are certain to head skyward. Specifically, this series from Jens Axboe is cleaning up one of the core abstractions that has been part of the Linux kernel almost since the beginning; authors of device drivers (among others) will have to take note.
[$] Inheritable credentials for directory file descriptors
In Unix-like systems, an open file descriptor carries the right to access the opened object in specific ways. As a general rule, that file descriptor does not enable access to any other objects. The recently merged BPF token feature runs counter to this practice by creating file descriptors that carry specific BPF-related access rights. A similar but different approach to capability-carrying file descriptors, in the form of directory file descriptors that include their own credentials, is currently under consideration in the kernel community.
[$] LWN.net Weekly Edition for May 2, 2024
Posted May 2, 2024 1:11 UTC (Thu)The LWN.net Weekly Edition for May 2, 2024 is available.
Inside this week's LWN.net Weekly Edition
- Front: Ubuntu 24.04; Nix leadership; Embedded security; State of realtime and embedded Linux; TSO on Arm; Rust for codecs; Python JIT.
- Briefs: run0; Dolstra steps down; Ubuntu 24.04 LTS; Amarok 3.0; Git 2.45.0; GNOME financials; GNU nano 8.0; Yocto 5.0; Quotes; ...
- Announcements: Newsletters, conferences, security updates, patches, and more.
[$] A look at Ubuntu Desktop LTS 24.04
Ubuntu 24.04 LTS, code-named "Noble Numbat", was released on April 25. This release includes GNOME 46, installer updates, security enhancements, a lot of updated packages, and a new App Center that puts a heavy emphasis on using Snaps to install software. It is not an ambitious release, but it brings enough to the table that it's a worthwhile update.
[$] Security patterns and anti-patterns in embedded development
When it comes to security, telling developers to do (or not do) something can be ineffective. Helping them understand the why behind instructions, by illustrating good and bad practices using stories, can be much more effective. With several such stories Marta Rybczyńska fashioned an interesting talk about patterns and anti-patterns in embedded Linux security at the Embedded Open Source Summit (EOSS), co-located with Open Source Summit North America (OSSNA), on April 16 in Seattle, Washington.
[$] A leadership crisis in the Nix community
On April 21, a group of anonymous authors and non-anonymous signatories published a lengthy open letter to the Nix community and Nix founder Eelco Dolstra calling for his resignation from the project. They claimed ongoing problems with the project's leadership, primarily focusing on the way his actions have allegedly undermined people nominally empowered to perform various moderation and governance tasks. Since its release, the letter has gained more than 100 signatures.
[$] Giving Rust a chance for in-kernel codecs
Video playback is undeniably one of the most important features in modern consumer devices. Yet, surprisingly, users are by and large unaware of the intricate engineering involved in the compression and decompression of video data, with codecs being left to find a delicate balance between image quality, bandwidth, and power consumption. In response to constant performance pressure, video codecs have become complex and hardware implementations are now common, but programming these devices is becoming increasingly difficult and fraught with opportunities for exploitation. I hope to convey how Rust can help fix this problem.
[$] Support for the TSO memory model on Arm CPUs
At the CPU level, a memory model describes, among other things, the amount of freedom the processor has to reorder memory operations. If low-level code does not take the memory model into account, unpleasant surprises are likely to follow. Naturally, different CPUs offer different memory models, complicating the portability of certain types of concurrent software. To make life easier, some Arm CPUs offer the ability to emulate the x86 memory model, but efforts to make that feature available in the kernel are running into opposition.
[$] Python JIT stabilization
On April 11, Brandt Bucher posted PEP 744 ("JIT Compilation"), which summarizes the current state of Python's new copy-and-patch just-in-time (JIT) compiler. The JIT is currently experimental, but the PEP proposes some criteria for the circumstances under which it should become a non-experimental part of Python. The discussion of the PEP hasn't reached a conclusion, but several members of the community have already raised questions about how the JIT would fit into future iterations of the Python language.
GCC 14.1 released
Version 14.1 of the GCC compiler suite has been released. The list of changes is long; it includes support for more C++26 features, preparation for Fortran 2023 support, a new -fhardened flag to enable security-hardening features, vectorizer improvements, and a number of static-analyzer improvements. See the release notes for details.
Secure Randomness in Go 1.22 (Go Blog)
The Go Blog has a detailed article on the new, more secure random-number generator implemented for the 1.22 release.
For example, when Go 1.20 deprecated math/rand's Read, we heard from developers who discovered (thanks to tooling pointing out use of deprecated functionality) they had been using it in places where crypto/rand's Read was definitely needed, like generating key material. Using Go 1.20, that mistake is a serious security problem that merits a detailed investigation to understand the damage. Where were the keys used? How were the keys exposed? Were other random outputs exposed that might allow an attacker to derive the keys? And so on. Using Go 1.22, that mistake is just a mistake.
Security updates for Tuesday
Security updates have been issued by Debian (kernel), Gentoo (libjpeg-turbo, xar, and Xpdf), Red Hat (bind, dhcp and glibc), and SUSE (bouncycastle, curl, flatpak, less, and xen).
2023 PSF annual impact report
The Python Software Foundation (PSF) has announced its annual impact report for 2023. The report includes updates from PSF staff as well as summaries of the foundation's activities, financials, and infrastructure. The PSF celebrated the 20th anniversary of PyCon US, distributed more than $370,000 in grants, and enjoyed impressive traffic on PyPI:
In 2023 PyPI saw a 45% growth in download counts and bandwidth alike, serving 603,378,275 downloads for the 516,402 projects hosted there requiring 747.4 Petabytes of data transfer, or 189.6 Gbps of bandwidth 24x7x365.
See the full report for a breakdown of grant disbursements and trends, PSF expenses, and high-level plans for the rest of 2024.
Stenberg: I survived curl up 2024
Daniel Stenberg has posted a report about the recent curl up conference about curl development. It was held over two days in Stockholm. The report has short summaries of the talks with links to the recordings.
curl up is never a big meeting/conference but we have in the past sometimes been around twenty-five attendees. This year's amount of fifteen was the smallest so far, but in this small set of people we have a set of long-term well-known curl contributors. It is not a big list of attendees that creates a good curl up.
The 2023 FSF Free Software Awards
The Free Software Foundation has announced the recipients of its 2023 Free Software Awards: Bruno Haible for work on gnulib, Nick Logozzo as the "outstanding new free software contributior", and code.gouv.fr for projects of social benefit.
When presenting the award to Haible, FSF executive director Zoë Kooyman commented on the significance of Haible's work, saying that Haible's work enabled free software programmers around the world to focus on the main, innovative portions of their program, thus facilitating the development of more and more free software.
Security updates for Monday
Security updates have been issued by Debian (glibc, intel-microcode, less, libkf5ksieve, and ruby3.1), Fedora (chromium, gdcm, httpd, and stalld), Gentoo (Apache Commons BCEL, borgmatic, Dalli, firefox, HTMLDOC, ImageMagick, MediaInfo, MediaInfoLib, MIT krb5, MPlayer, mujs, Pillow, Python, PyPy3, QtWebEngine, Setuptools, strongSwan, and systemd), Oracle (grub2 and shim), Red Hat (git-lfs, kpatch-patch, unbound, and varnish), and SUSE (avahi, grafana and mybatis, java-11-openjdk, java-17-openjdk, skopeo, SUSE Manager Client Tools, SUSE Manager Salt Bundle, and SUSE Manager Server 4.3).
Kernel prepatch 6.9-rc7
The 6.9-rc7 kernel prepatch is out for
testing. "The stats for 6.9 continue to look very normal, and nothing
looks particularly alarming.
"
Security updates for Friday
Security updates have been issued by Fedora (chromium, grub2, httpd, kernel, libcoap, matrix-synapse, python-pip, and rust-pythonize), Red Hat (kernel and libxml2), SUSE (kernel), and Ubuntu (eglibc, glibc and php7.4, php8.1, php8.2).