All posts by corbet

Security updates for Tuesday

Post Syndicated from corbet original https://lwn.net/Articles/993276/

Security updates have been issued by Debian (kernel), Fedora (webkitgtk), Mageia (cups), Oracle (e2fsprogs, kernel, and kernel-container), Red Hat (buildah, container-tools:rhel8, containernetworking-plugins, git-lfs, go-toolset:rhel8, golang, grafana-pcp, podman, and skopeo), SUSE (Mesa, mozjs115, podofo, and redis7), and Ubuntu (cups and cups-filters).

[$] In search of the AOSP community

Post Syndicated from corbet original https://lwn.net/Articles/992992/

The core of the Android operating system, as represented by the Android Open Source Project (AOSP),
can only be considered one of the most successful open-source initiatives
ever created; its user count is measured in the billions. But few would
consider it to be a truly community-oriented project. At the 2024 Linux Plumbers Conference, Chris Simmonds
asked why the AOSP community is so hard to find, and what might be done
about the situation.

Kernel prepatch 6.12-rc2

Post Syndicated from corbet original https://lwn.net/Articles/993107/

Linus has released 6.12-rc2 for testing.

Anyway, this isn’t one of the small rc2’s. But looking at
historical trends, being a bigger rc2 isn’t _that_ unusual, and
nothing in here looks all that odd. Yes, the diffstat may look a
bit unusual, in that we had a global header renaming
(asm/unaligned.h -> linux/unaligned.h) and we had a couple of
reverts that stand out as spikes in the stats, but everything else
looks nice and small.

[$] Coping with complex cameras

Post Syndicated from corbet original https://lwn.net/Articles/992411/

Cameras were never the simplest of devices for Linux to support; they have
a wide range of operating parameters and can generate high rates of data.
In recent years, though, they have become increasingly complex, stressing
the ability of the kernel’s media subsystem to manage them. At the 2024
Linux Plumbers Conference, developers from that subsystem and beyond
gathered to discuss the state of affairs and how complex camera devices
should be supported in the future.

[$] An update on gccrs development

Post Syndicated from corbet original https://lwn.net/Articles/991199/

One concern that has often been expressed about the Rust language is that
there is only one compiler for it. That makes it hard to say what the
standard version of the language is and restricts the architectures that
can be targeted by Rust code to those that the available compiler supports.
Adding a Rust frontend to GCC would do much to address those concerns; at
the 2024 GNU Tools Cauldron, Pierre-Emmanuel Patry gave an update on the
state of that work and what its objectives are.

[$] The rest of the 6.12 merge window

Post Syndicated from corbet original https://lwn.net/Articles/991301/

Linus Torvalds released 6.12-rc1 and closed the 6.12 merge window on
September 29; at that point, 11,260 non-merge changesets had been pulled
into the mainline for the 6.12 release. That is the lowest number of
merge-window changes since 5.17-rc1 in January 2022, which brought in
11,068 changesets. Nonetheless, 6.12 brings a number of interesting
changes, many of which were included in the roughly 4,500 changes merged
since the summary of the first half of the 6.12 merge window was written.

Arch Linux getting support from Valve

Post Syndicated from corbet original https://lwn.net/Articles/992194/

The Arch Linux project has announced that Valve will be helping the
distribution with a couple of important initiatives:

Valve is generously providing backing for two
critical projects that will have a huge impact on our distribution: a
build service infrastructure and a secure signing enclave. By supporting
work on a freelance basis for these topics, Valve enables us to work on
them without being limited solely by the free time of our volunteers.

Kernel prepatch 6.12-rc1

Post Syndicated from corbet original https://lwn.net/Articles/992185/

Linus has released 6.12-rc1 and closed the
merge window for this release.

Despite conference travel (both for me and several maintainers),
things seemed to go mostly fairly normally. There’s a couple of
notable new features in here: For one thing, PREEMPT_RT is now
mainlined and enabled as a config option (you do need to enable
“EXPERT” to get the question). For another, sched_ext also got
merged.

Górny: The perils of transition to 64-bit time_t

Post Syndicated from corbet original https://lwn.net/Articles/992120/

Michał Górny describes the challenges involved in transitioning Gentoo to
year-2038-safe time representations:

There is a general agreement that the way forward is to change
time_t to a 64-bit type. Musl has already switched to that, glibc
supports it as an option. A number of other distributions such as
Debian have taken the leap and switched. Unfortunately,
source-based distributions such as Gentoo don’t have it that
easy. So we are still debating the issue and experimenting, trying
to figure out a maximally safe upgrade path for our users.

Unfortunately, that’s nowhere near trivial. Above all, we are
talking about a breaking ABI change.

[$] Sched_ext at LPC 2024

Post Syndicated from corbet original https://lwn.net/Articles/991205/

The extensible scheduler class (sched_ext)
enables the implementation of CPU schedulers as a set of BPF programs
loaded from user space; it first hit the mailing lists in late 2022.
Sched_ext has engendered its share of controversy since, but is currently
slated to be part of the 6.12 kernel release. At the 2024 Linux Plumbers Conference, the growing
sched_ext community held one of its first public gatherings; sched_ext
would appear to have launched a new burst of creativity in scheduler
design.

Eliminating Memory Safety Vulnerabilities at the Source (Google Security Blog)

Post Syndicated from corbet original https://lwn.net/Articles/991775/

Here’s a post on the Google Security Blog on how switching to a memory-safe
language can quickly reduce vulnerabilities in a project, even if a large
body of older code persists.

This leads to two important takeaways:

  • The problem is overwhelmingly with new code, necessitating a
    fundamental change in how we develop code.

  • Code matures and gets safer with time, exponentially, making the
    returns on investments like rewrites diminish over time as code gets
    older.

For example, based on the average vulnerability lifetimes, 5-year-old code
has a 3.4x (using lifetimes from the study) to 7.4x (using lifetimes
observed in Android and Chromium) lower vulnerability density than new
code.

[$] Committing to Rust in the kernel

Post Syndicated from corbet original https://lwn.net/Articles/991062/

The project to enable the writing of kernel code in Rust has been underway
for several years, and each kernel release includes more Rust code. Even
so, some developers have expressed frustration at the time it takes to get
new functionality merged, and an air of uncertainty still hangs over
the project. At the 2024 Maintainers Summit, Miguel Ojeda led a discussion
on the status of Rust in the kernel and whether the time had come to stop
considering it an experimental project. There were not answers to all of the
questions, but it seems clear that Rust in the kernel will continue
steaming ahead.

Security updates for Tuesday

Post Syndicated from corbet original https://lwn.net/Articles/991492/

Security updates have been issued by Gentoo (GCC, Hunspell, Tor, and ZNC), SUSE (apr-devel, cargo-c, chromedriver, firefox, kernel, libecpg6, libmfx, onefetch, postgresql12, postgresql13, postgresql14, postgresql15, postgresql16, python310-azure-identity, python39, qemu, rage-encryption, stgit, and system-user-zabbix), and Ubuntu (kernel, linux-ibm-5.15, linux-oracle-5.15, linux-xilinx-zynqmp, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-raspi, and py7zr).