Post Syndicated from daroc original https://lwn.net/Articles/964735/

Cranelift is an Apache-2.0-licensed
code-generation backend being developed as part
of the Wasmtime runtime for
WebAssembly.
In October 2023, the Rust project made Cranelift available as an optional
component in its nightly toolchain.
Users can now use Cranelift as the code-generation backend for debug builds of
projects written in Rust,
making it an opportune time to look at what makes Cranelift different.
Cranelift is designed to compete with existing compilers by generating
code more quickly than they can, thanks to a stripped-down design that prioritizes
only the most important optimizations.

Post Syndicated from daroc original https://lwn.net/Articles/965147/

Herb Sutter, chair of the ISO C++ standards committee,

writes about the current problems with writing secure C++,
and his personal opinion on next steps to address this while maintaining
backward compatibility.

If there were 90-98% fewer C++ type/bounds/initialization/lifetime
vulnerabilities we wouldn’t be having this discussion. All languages have CVEs,
C++ just has more (and C still more); so far in 2024,

Rust has 6 CVEs, and

C and C++ combined have 61 CVEs. So zero isn’t the goal; something like a 90%
reduction is necessary, and a 98% reduction is sufficient, to achieve security
parity with the levels of language safety provided by MSLs [memory-safe languages]… and has the strong
benefit that I believe it can be achieved with perfect backward link
compatibility (i.e., without changing C++’s object model, and its lifetime
model which does not depend on universal tracing garbage collection and is not
limited to tree-based data structures) which is essential to our being able to
adopt the improvements in existing C++ projects as easily as we can adopt other
new editions of C++. — After that, we can pursue additional improvements to
other buckets, such as thread safety and overflow safety.

Post Syndicated from daroc original https://lwn.net/Articles/964392/

Serialization is the process of transforming Python objects into a sequence of
bytes which can be used to recreate a copy of the object later — or on another
machine.

pickle is Python’s native serialization module. It can store complex Python
objects,
making it an appealing prospect for moving data without having to write
custom serialization code. For example, pickle is an integral component of
several file
formats used for machine learning. However, using pickle to deserialize
untrusted files is a major security risk, because doing so can invoke arbitrary
Python functions. Consequently, the machine-learning community is working to address the
security issues caused by widespread use of pickle.

Post Syndicated from daroc original https://lwn.net/Articles/964832/

Security updates have been issued by Debian (fontforge), Fedora (chromium, iwd, libell, and thunderbird), Oracle (buildah, kernel, skopeo, and tomcat), Red Hat (opencryptoki), Slackware (ghostscript), SUSE (go1.21, go1.22, google-oauth-java-client, jetty-minimal, openssl-1_0_0, python310, sudo, wpa_supplicant, and xmlgraphics-batik), and Ubuntu (libhtmlcleaner-java, linux, linux-azure, linux-azure-5.15, linux-azure-fde,
linux-azure-fde-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop,
linux-gkeop-5.15, linux-hwe-5.15, linux-ibm, linux-ibm-5.15,
linux-lowlatency-hwe-5.15, linux-nvidia, linux-azure, linux-azure-6.5, linux-hwe-6.5, mqtt-client, ncurses, and puma).

Post Syndicated from daroc original https://lwn.net/Articles/964377/

QUIC is a UDP-based transport protocol that forms the foundation of
HTTP/3.
It was initially developed at Google in 2012, and became an
IETF standard in
2021. Work on the protocol did not stop with its standardization, however. The
QUIC working group
published several follow-up standards. Now, it is working on
four more extensions to QUIC intended to patch over various shortcomings in the
current protocol — although progress has not been quick.

Post Syndicated from daroc original https://lwn.net/Articles/963512/

It has long been possible to run multiple Python interpreters in the same
process — via the C API, but not within the language itself.
Eric Snow has been working to make this ability
available in the language for many years.
Now, Snow has published
PEP 734 (“Multiple Interpreters
in the Stdlib”), the latest work in his
quest, and
submitted
it to the Python steering council for a decision.
If the PEP is approved, users will have
an additional option for writing performant parallel Python code.

Post Syndicated from daroc original https://lwn.net/Articles/964181/

On February 29, the musl project
announced release
1.2.5, including support for loongarch64 and riscv32. This
release also contains support for the
statx(),
preadv2(),
and pwritev2() system calls.

Post Syndicated from daroc original https://lwn.net/Articles/964167/

Greg Kroah-Hartman has announced the release of seven new stable kernels:
6.7.7,
6.6.19,
6.1.80,
5.15.150,
5.10.211,
5.4.270, and
4.19.308.
As usual, they contain many important fixes throughout the kernel tree.

Post Syndicated from daroc original https://lwn.net/Articles/964166/

Security updates have been issued by CentOS (firefox and thunderbird), Debian (gsoap, python-django, and wireshark), Fedora (dotnet7.0 and gifsicle), Mageia (sympa), Oracle (postgresql:10, postgresql:12, thunderbird, and unbound), Red Hat (kpatch-patch, python-pillow, and squid:4), SUSE (nodejs12, nodejs14, nodejs16, nodejs18, and openvswitch3), and Ubuntu (linux-azure, linux-lowlatency, linux-starfive-6.5, php-guzzlehttp-psr7, and php-nyholm-psr7).

Post Syndicated from daroc original https://lwn.net/Articles/962788/

Nix and
Guix are a pair of unusual package managers
based on the idea of declarative configurations. Their associated Linux
distributions — NixOS and the Guix System — take the idea further by allowing users
to define a single centralized configuration describing the state of the entire
system. Both have
been previously
mentioned on LWN, but not covered extensively. They offer different takes on
the central idea of treating packages like immutable values.

Post Syndicated from daroc original https://lwn.net/Articles/963240/

The Curl project has previously had problems with
CVEs issued for things that are not security issues. On February 21,
Daniel Stenberg
wrote about the Curl project’s most recent issue with the CVE system, saying:

I keep insisting that the CVE system is broken and that the database of
existing CVEs hosted by MITRE (and imported into lots of other
databases) is full of questionable content and plenty of downright
lies. A primary explanation for us being in this ugly situation is that
it is simply next to impossible to get rid of invalid CVEs.

Post Syndicated from daroc original https://lwn.net/Articles/961941/

Alexei Starovoitov introduced

a patch series for the Linux kernel on February 6 to add bpf_arena, a new type
of shared memory between
BPF
programs and user space.
Starovitov expects arenas to be useful both for bidirectional communication
between user space and BPF programs, and for use as an additional heap for BPF
programs. This will likely be useful to BPF programs that implement
complex data structures directly, instead of relying on the kernel to supply them.
Starovoitov cited Google’s
ghOSt project
as an example and inspiration for the work.

Post Syndicated from daroc original https://lwn.net/Articles/962882/

Drew DeVault
announced the first numbered release of the
Hare programming language on February 16.

Many Hare users want to ship their Hare projects to users, and as such, software written in Hare is making its way into Linux distributions and the like. However, due to Hare’s unstable nature, we have not provided any versioned releases, forcing any distributions who want to package Hare to package Hare’s master branch, which is less than ideal.

Post Syndicated from daroc original https://lwn.net/Articles/960912/

Spritely is a project seeking to
build a platform for sovereign distributed applications — applications where
users run their own nodes in order to control their own data — as the basis of a
new social internet.
While there are many such existing
projects, Spritely takes an unusual approach based on a new
interoperable protocol for
efficient, secure remote procedure calls (RPC). The project is in its early stages,
with many additional features planned, but it is already possible to play around
with Goblins, the distributed
actor library that Spritely intends to build on.

Post Syndicated from daroc original https://lwn.net/Articles/961405/

On February 2, Google announced this year’s

“Season of Docs”, a program complementing its Summer of Code program
by providing funding to open source projects to hire technical writers to improve
their documentation. Interested projects have until April 2 to apply.

Google Season of Docs provides direct grants to open source projects to improve their documentation and gives professional technical writers an opportunity to gain experience in open source. Together we raise awareness of open source, of docs, and of technical writing.

Post Syndicated from daroc original https://lwn.net/Articles/960309/

The GNU C Library (glibc)

released version 2.39 on January 31, including
several new features. Notable highlights include new functions for spawning
child processes, support for shadow stacks on x86_64, new security features, and
the removal of libcrypt. The glibc maintainers had also hoped to include
improvements to qsort(), which ended up not making it into this
release. Glibc releases are made every six months.

Post Syndicated from daroc original https://lwn.net/Articles/959915/

The Zig language
2024 roadmap
was presented in a talk last week on
Zig Showtime (a show covering
Zig news). Andrew Kelley, the benevolent dictator for life of the Zig project,
presented his goals
for the language, largely focusing on compiler performance and continuing
progress toward stabilization for the language. He discussed details of his plan
for incremental compilation, and addressed the sustainability of the project in
terms of both code contributions and financial support.

Post Syndicated from daroc original https://lwn.net/Articles/959562/

Return-oriented programming (ROP) attacks are hard to defend against.
Partial mitigations such as address-space layout randomization, stack
canaries, and other techniques are commonly deployed to try and frustrate
ROP attacks. Now, OpenBSD is experimenting with a new
mitigation that makes it harder for attackers to make system
calls, although some security researchers have expressed doubt that it will
prove effective at stopping real-world attacks.
In his
announcement message, Theo de Raadt said that this work
“makes some specific low-level attack
methods unfeasable on OpenBSD, which will force the use of other methods.”

Post Syndicated from daroc original https://lwn.net/Articles/958792/

In December, the Rust project released

a call for proposals for inclusion in the 2024 edition. Rust handles
backward incompatible changes by using
Editions,
which permit projects to specify a single stable edition for their code
and allow libraries written
in different editions to be linked together. Proposals for Rust 2024 are
now in, and have until the end of February to be debated and decided on. Once
the proposals are accepted, they have until May to be implemented in time for
the 2024 edition to be released in the second half of the year.

Post Syndicated from daroc original https://lwn.net/Articles/958794/

SourceHut has published

a post-mortem of its
outage earlier this month.
The post-mortem covers the causes of the outage and what steps SourceHut
took to mitigate it, ending by saying:

As unfortunate as these events were, we welcome opportunities to stress-test
our emergency procedures; we found them to be compatible with our objectives
for the alpha and we learned a lot of ways to improve our reliability
further for the future. We are going to continue working on our
post-incident tasks, building up our infrastructure’s resilience,
reliability, and scalability as planned. Once we address the high-priority
tasks, though, our first order of business in the immediate future will be
to get some rest.