Welcome to LWN.net
LWN.net is a reader-supported news site dedicated to producing the best coverage from within the Linux and free software development communities. See the LWN FAQ for more information, and please consider subscribing to gain full access and support our activities.
[$] LWN.net Weekly Edition for December 19, 2024
Posted Dec 19, 2024 1:58 UTC (Thu)The LWN.net Weekly Edition for December 19, 2024 is available.
Inside this week's LWN.net Weekly Edition
- Front: Guile for Emacs; Emacs completion vulnerability; WordPress injunction; A last look at 4.19; Git commit IDs; PTP.
- Briefs: Ultralytics analysis; Centos Stream and EPEL 10; Fedora Asahi 41; Kali Linux 2024.4; Kubernetes v1.32; sq 1.0; Xfce 4.20; Quote; ...
- Announcements: Newsletters, conferences, security updates, patches, and more.
[$] Emacs code completion can cause compromise
Emacs has had a few bugs related to accidentally permitting the execution of untrusted code. Unfortunately, it seems as though another bug of that sort has appeared — and may be harder to patch, because the problem comes from the way Emacs handles expansion of Lisp macros in code being analyzed. The vulnerability is only practically exploitable in a non-default configuration, so not every Emacs user has something to worry about. The Emacs developers are reportedly working on a fix, but have not yet shared details about it. In the meantime, every Emacs version since at least 26.1 (released in May 2018) through the current development version is vulnerable.
[$] WP Engine granted preliminary injunction in WordPress case
Since we last looked at the WordPress dispute, WP Engine has sought a preliminary injunction against Automattic and its founder Matt Mullenweg to restore its access to WordPress.org, and more. The judge in the case granted a preliminary injunction on December 10. The case is, of course, of interest to users and developers working with WordPress—but it may also have implications for other open-source projects well beyond the WordPress community.
[$] Using Guile for Emacs
Emacs is, famously, an editor—perhaps far more—that is extensible using its own variant of the Lisp programming language, Emacs Lisp (or Elisp). This year's edition of EmacsConf, which is an annual "gathering" that has been held online for the past five years, had two separate talks on using a different variant of Lisp, Guile, for Emacs. Both projects would preserve Elisp compatibility, which is a must, but they would use Guile differently. The first talk we will cover was given by Robin Templeton, who described the relaunch of the Guile-Emacs project, which would replace the Elisp in Emacs with a compiler using Guile. A subsequent article will look at the other talk, which is about an Emacs clone written using Guile.
[$] Facing the Git commit-ID collision catastrophe
Commits in the Git source-code management system are identified by the SHA-1 hash of their contents — though the specific hash may change someday. The full hash is a 160-bit quantity, normally written as a 40-character hexadecimal string. While those strings are convenient for computers to work with, humans find them to be a bit unwieldy, so it is common to abbreviate the hash values to shorter strings. Geert Uytterhoeven recently proposed increasing the length of those abbreviated hashes as used in the kernel community, but the problem he was working to solve may not be as urgent as it seems.
[$] Providing precise time over the network
Handling time in a networked environment is never easy. The Network Time Protocol (NTP) has been used to synchronize clocks across the internet for almost 40 years — but, as computers and networks get faster, the degree of synchronization it offers is not sufficient for some use cases. The Precision Time Protocol (PTP) attempts to provide more precise time synchronization, at the expense of requiring dedicated kernel and hardware support. The Linux kernel has supported PTP since 2011, but the protocol has recently seen increasing use in data centers. As PTP becomes more widespread, it may be useful to have an idea how it compares to NTP.
[$] A last look at the 4.19 stable series
The release of the 4.19.325 stable kernel update on December 5 marked the end of an era of sorts. This kernel had been supported for just over six years since its initial release in October 2018; over that time, 325 updates were released, adding 30,109 fixes. Few Linux kernels receive public support for so long; it is worth taking a look at this kernel's history to see how it played out.
LWN.net Weekly Edition for December 12, 2024
Posted Dec 12, 2024 0:38 UTC (Thu)The LWN.net Weekly Edition for December 12, 2024 is available.
Inside this week's LWN.net Weekly Edition
- Front: Debian usernames; CentOS Stream 10; Seagrass monitoring; Python's finally; Page reference counts; bpftune.
- Briefs: Let's Encrypt OSCP support; OpenWrt vulnerability; Apertis v2024; COSMIC Alpha 4; FESCo election; GNU Shepard 1.0.0; Systemd 257; Quotes; ...
- Announcements: Newsletters, conferences, security updates, patches, and more.
A look at CentOS Stream 10
The Red Hat Enterprise Linux (RHEL) 10 beta was released in mid-November and, if all goes according to plan, CentOS Stream 10 should be released before the end of the year. While nothing is etched in stone just yet, it is a good time for anyone using or targeting RHEL (and its clones) to start taking a look at how Stream 10, and the corresponding EPEL repository, is shaping up. This is not only important to RHEL and Stream users, but anyone deploying and supporting software on enterprise Linux (EL) derivatives like AlmaLinux, Oracle Linux, and Rocky Linux as well.
Auto-tuning the kernel
The Linux kernel has many tunable parameters. While there is much advice available on the internet about how to set them, few people have the time to weed through the (often contradictory) explanations and choose appropriate values. One possible way to address this is a project called bpftune, a program that uses BPF to track various metrics about a running system and adjust the sysctl knobs appropriately. The program is developed by Oracle, and is available under a GPLv2 license. Bpftune is currently mostly focused on optimizing network settings, but the authors hope that the system is flexible enough to be extended to cover other settings.
Security updates for Wednesday
Security updates have been issued by AlmaLinux (libsndfile, php:7.4, python3.11, python3.12, and python36:3.6), Debian (dpdk), Mageia (curl and socat), Oracle (firefox and tuned), Red Hat (bluez, containernetworking-plugins, edk2, edk2:20220126gitbb1bba3d77, edk2:20240524, expat, gstreamer1-plugins-base, gstreamer1-plugins-base and gstreamer1-plugins-good, gstreamer1-plugins-good, kernel, libsndfile, libsndfile:1.0.31, mpg123, mpg123:1.32.9, pam, python3.11-urllib3, skopeo, tuned, unbound, and unbound:1.16.2), SUSE (cloudflared, curl, docker, firefox, gstreamer-plugins-good, kernel, libmozjs-115-0, libmozjs-128-0, libmozjs-78-0, libsoup, ovmf, python-urllib3_1, subversion, thunderbird, and traefik), and Ubuntu (editorconfig-core, libspring-java, linux, linux-aws, linux-aws-6.8, linux-gcp, linux-gcp-6.8, linux-gke, linux-gkeop, linux-ibm, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, linux-oem-6.8, linux-oracle, linux-oracle-6.8, linux-raspi, linux, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-ibm, linux-ibm-5.15, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-oracle, linux-oracle-5.15, linux-raspi, linux, linux-gcp, linux-gcp-5.4, linux-hwe-5.4, linux-kvm, linux-raspi, linux, linux-lowlatency, linux-oracle, linux-aws, linux-aws-5.15, linux-aws, linux-aws-5.4, linux-bluefield, linux-oracle, linux-oracle-5.4, and linux-oem-6.11).
Fedora Asahi Remix 41 is now available
Fedora Magazine reports that the Fedora Asahi Remix 41 for Apple Silicon is now available:
In addition to all the exciting improvements brought by Fedora Linux 41, Fedora Asahi Remix 41 provides x86/x86-64 emulation integration including support for AAA games to Apple Silicon. The game support is based on the new conformant Vulkan 1.4 driver. It also continues to provide extensive device support, including high quality audio out of the box.
LWN covered a talk from the X.org Developers Conference (XDC) by Alyssa Rosenzweig on the status of Asahi's GPU drivers in October.
Kali Linux 2024.4 released
Version 2024.4 of the Kali Linux penetration-testing distribution has been released. Changes include a switch to Python 3.12, the removal of i386 kernel support, GNOME 47, and more.
Security updates for Tuesday
Security updates have been issued by Debian (gstreamer1.0), Fedora (jupyterlab and python-notebook), Oracle (gimp:2.8.22, gstreamer1-plugins-base, gstreamer1-plugins-good, kernel, php:8.2, postgresql, and python3.11), SUSE (aws-iam-authenticator, firefox, installation-images, kernel, libaom, libyuv, libsoup, libsoup2, python-aiohttp, socat, thunderbird, and vim), and Ubuntu (curl, Docker, imagemagick, and kernel).
A sapling matures: meet sq 1.0
The Sequoia PGP project has announced version 1.0 of the sq command-line tool for managing OpenPGP encryption and signatures. It also provides a decentralized public key infrastructure (PKI), and key management facilities. This is the first stable release since development began on the project in 2017.
sq's PKI is probably its most notable feature, and the one we invested the most time in. The PKI is used to authenticate certificates, and messages. Authentication is necessary to ensure that you are encrypting to the person you think you are, and to identify who really authored a message; without authentication, encryption and verification are much weaker.
Security updates for Monday
Security updates have been issued by Debian (gst-plugins-base1.0, gstreamer1.0, and libpgjava), Fedora (bpftool, chromium, golang-x-crypto, kernel, kernel-headers, linux-firmware, pytest, python3.10, subversion, and thunderbird), Gentoo (NVIDIA Drivers), Oracle (kernel, perl-App-cpanminus:1.7044, php:7.4, php:8.1, php:8.2, postgresql, python3.11, python3.12, python3.9:3.9.21, python36:3.6, ruby, and ruby:2.5), SUSE (docker-stable, firefox-esr, gstreamer, gstreamer-plugins-base, gstreamer-plugins-good, kernel, python-Django, python312, and socat), and Ubuntu (mpmath).
Kernel prepatch 6.13-rc3
Linus has released 6.13-rc3 for testing.
"Earlier this week it felt to me like things might have already started
to quiet down in prep for the holidays, but doing the statistics on rc3
that doesn't actually seem to be the case - this looks very regular both in
number of commits and in diff size
".
Xfce 4.20 released
Version 4.20
of the Xfce desktop environment has been released. "The major focus
during this development cycle was the preparation of the codebase to be
ready for Wayland
". See the Xfce 4.20 tour for an
overview of the changes in this release.
A pile of stable kernel updates
The 6.12.5, 6.6.66, 6.1.120, 5.15.174, 5.10.231, and 5.4.287 stable kernels have all been released; each contains a relatively large set of important fixes.
CentOS Stream 10 and EPEL 10 released
The CentOS Project has announced the general availability of CentOS Stream 10. See the release notes for information on new features, changes, and removed software. The Extra Packages for Enterprise Linux (EPEL) 10 repository is also available, and will be adding minor version repositories:
For the EPEL 9 release, we started building packages about six months before the RHEL 9 release by using CentOS Stream 9 as the initial build environment. For EPEL 10, we're expanding on that approach and doing the same thing for each minor version of RHEL 10. We will have separate DNF repositories for each minor version of RHEL 10, including CentOS Stream 10 as the leading minor version. Packages built for one minor version will carry forward to the next minor version. You can find more details about this structure in our branching documentation.
LWN covered Stream 10 and EPEL 10 on December 11.