All posts by daroc

Security updates for Friday

Post Syndicated from daroc original https://lwn.net/Articles/1032174/

Security updates have been issued by AlmaLinux (firefox and thunderbird), Debian (libcommons-lang-java, node-form-data, redis, and sope), Fedora (chromium), Mageia (slurm), Oracle (apache-commons-beanutils, firefox, kernel, redis:6, and thunderbird), Red Hat (kernel, kernel-rt, libxml2, and redis), SUSE (chromium, docker, ffmpeg-7, gnutls, kubevirt, virt-api-container, virt-controller-container, virt-exportproxy-container, virt-exportserver-container, virt-handler-container, virt-launcher-container, virt-libguestfs-t, libgcrypt, rav1e, and sccache), and Ubuntu (linux-lowlatency, linux-lowlatency-hwe-6.8).

[$] A look at the SilverBullet note-taking application

Post Syndicated from daroc original https://lwn.net/Articles/1030941/


SilverBullet
is a MIT-licensed note-taking application, designed to run as a
self-hosted web server. Started in 2022, the project is approaching
its 2.0 release, making this a good time to explore the features it offers.
SilverBullet stores notes as plain

Markdown
files, and provides a

Lua

scripting API to customize the application’s appearance and behavior.

[$] Extending run-time verification for the kernel

Post Syndicated from daroc original https://lwn.net/Articles/1030685/

There are a lot of things people expect the Linux kernel to do correctly. Some
of these are checked by testing or static analysis; a few are ensured by
run-time verification: checking a live property of a running Linux system. For
example, the scheduler has a handful of different correctness properties that
can be
checked in this way.
Nam Cao posted a

patch series
that aims to extend the kinds of properties that the kernel’s
run-time
verification system
can check, by adding support for

linear temporal logic
(LTL). The patch set has seen eleven revisions since the

first version
in March 2025, and recently made it into the linux-next
tree, from where it seems likely to reach the mainline kernel soon.

Security updates for Friday

Post Syndicated from daroc original https://lwn.net/Articles/1031426/

Security updates have been issued by AlmaLinux (git, kernel, nginx:1.24, and sudo), Fedora (dpkg, java-21-openjdk, java-25-openjdk, java-latest-openjdk, and valkey), Oracle (apache-commons-vfs, sudo, tigervnc, and xorg-x11-server), Red Hat (kernel, krb5, and openssh), SUSE (gnutls, ImageMagick, iputils, kernel-livepatch-MICRO-6-0-RT_Update_10, kubernetes1.18, libarchive, ovmf, python, and salt), and Ubuntu (iputils, linux-aws-6.14, linux-raspi, openjdk-21, and openjdk-24).

[$] Deep immutability for Python

Post Syndicated from daroc original https://lwn.net/Articles/1030291/

Python has recently seen a number of experiments to improve its parallel
performance, including exposing

subinterpreters
as part of the standard library. These allow
separate threads within the same Python process to run simultaneously, as long
as any data sent between them is copied, rather than shared.

PEP 795
(“Deep Immutability in Python”)
seeks to make efficient sharing of data between subinterpreters possible by
allowing Python objects to be “frozen”, so that they can be accessed from
multiple subinterpreters without copying or synchronization.
That task is more difficult than it
seems, and the PEP prompted a good deal of skepticism from the Python community.

[$] How to write Rust in the kernel: part 3

Post Syndicated from daroc original https://lwn.net/Articles/1026694/

The interfaces between C and Rust in the kernel have grown over time; any
non-trivial Rust driver will use a number of these. Tasks like allocating memory,
dealing with immovable structures, and interacting with locks are necessary for
handling most devices. There are also many subsystem-specific bindings, but the
focus this time will be on an overview of the bindings that all kernel Rust code
can be expected to use.

Security updates for Friday

Post Syndicated from daroc original https://lwn.net/Articles/1030479/

Security updates have been issued by AlmaLinux (cloud-init, glib2, glibc, kernel, and tomcat), Debian (chromium), Fedora (luajit, minidlna, nginx-mod-modsecurity, python-asteval, rust-sequoia-octopus-librnp, and vim), Oracle (cloud-init, glib2, glibc, java-17-openjdk, kernel, python311-olamkit, tomcat, and tomcat9), SUSE (apache-commons-lang3, bind, coreutils, ffmpeg, gnutls, gstreamer-plugins-good, kubernetes1.25, kubernetes1.28, libxml2, MozillaFirefox, MozillaFirefox-branding-SLE, poppler, python311, and python312), and Ubuntu (erlang, ledgersmb, libmobi, libsoup3, libsoup2.4, linux, linux-aws, linux-aws-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-intel-iotg, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-nvidia-tegra, linux-nvidia-tegra-5.15, linux-nvidia-tegra-igx, linux-oracle, linux-oracle-5.15, linux, linux-aws, linux-oem-6.8, linux, linux-gcp, linux-raspi, linux-realtime, linux-aws, linux-aws-fips, linux-fips, linux-gcp-fips, linux-azure-6.8, linux-azure-nvidia, linux-hwe-6.8, linux-ibm, linux-ibm-6.8, linux-lowlatency, linux-lowlatency-hwe-6.8, linux-intel-iot-realtime, linux-realtime, linux-intel-iotg-5.15, linux-oem-6.14, linux-raspi, linux-realtime, php7.0, php7.2, php8.1, php8.3, php8.4, python-aiohttp, and rails).

Security updates for Friday

Post Syndicated from daroc original https://lwn.net/Articles/1028684/

Security updates have been issued by AlmaLinux (.NET 9.0, container-tools:rhel8, ghostscript, git-lfs, grafana-pcp, pandoc, perl-FCGI:0.78, ruby:2.5, ruby:3.3, tigervnc, and varnish:6), Debian (jpeg-xl and mediawiki), Fedora (darktable, guacamole-server, mingw-gdk-pixbuf, and yarnpkg), Oracle (gimp, kernel, libsoup, python-tornado, python3.12, and thunderbird), Slackware (php), SUSE (libgepub), and Ubuntu (libtpms, linux-aws-5.15, linux-intel-iot-realtime, and linux-bluefield).

[$] Yet another way to configure transparent huge pages

Post Syndicated from daroc original https://lwn.net/Articles/1025629/


Transparent huge pages
(THPs) are, theoretically, supposed to allow processes to
benefit from larger page sizes without changes to their code. This does work,
but the performance impacts from THPs are not always a benefit, so system
administrators with specific knowledge of their workloads may want the ability
to fine-tune THPs to the application. On May 15, Usama Arif

shared
a patch set that would add a

prctl()
option for setting THP defaults for a process; that patch
set has sparked discussion about whether such a setting is a good fit for
prctl(), and what alternative designs may work instead.

[$] How to write Rust in the kernel: part 2

Post Syndicated from daroc original https://lwn.net/Articles/1025232/

In 2023, Fujita Tomonori

wrote a Rust version
of the existing driver for the
Asix AX88796B embedded Ethernet controller. At slightly more than 100 lines,
it’s about as simple as a driver can be, and therefore is a useful touchstone for
the differences between writing Rust and C in the kernel. Looking at the Rust
syntax, types, and APIs used by the driver and contrasting them with the C
version will help illustrate those differences.

Security updates for Friday

Post Syndicated from daroc original https://lwn.net/Articles/1027251/

Security updates have been issued by Debian (freeradius and icu), Fedora (clamav, glow, libssh, perl-Crypt-OpenSSL-RSA, perl-CryptX, podman, trafficserver, and xorg-x11-server), Mageia (gdk-pixbuf2.0 and thunderbird), Red Hat (osbuild-composer and weldr-client), SUSE (afterburn, google-osconfig-agent, libblockdev, pam, python-tornado6, screen, and yelp-xsl), and Ubuntu (libxslt and python-pip).

[$] How to write Rust in the kernel: part 1

Post Syndicated from daroc original https://lwn.net/Articles/1024202/

The Linux kernel is seeing a steady accumulation of Rust code. As it becomes
more prevalent, maintainers may want to know how to read, review, and test the
Rust code that relates to their areas of expertise. Just as kernel C code is
different from user-space C code, so too is kernel Rust code somewhat different
from user-space Rust code. That fact makes Rust’s

extensive documentation
of
less use than it otherwise would be, and means that potential contributors with
user-space experience will need some additional instruction.
This article is the first in a multi-part series aimed at helping existing
kernel contributors become familiar with Rust, and helping existing Rust
programmers become familiar with what the kernel does differently from the
typical Rust project.

Tag2upload is now ready for experimentation

Post Syndicated from daroc original https://lwn.net/Articles/1026248/

Debian’s long-awaited tag2upload service is
now ready for Debian maintainers to use in some circumstances. Tag2upload makes it easier for maintainers to upload packages, by allowing them to push a signed Git commit that will automatically be picked up and built, instead of pushing a build from their local machine. LWN covered the
discussion around the service in July of last year. With the timing of its readiness, it’s likely to become more useful once Debian 13 (“trixie”) is released.

Be very aware of the freeze! Do not just upload to unstable as
your first test! Uploads to unstable, targeting trixie, can be
done with tag2upload – but in most cases you will probably want to
upload the same package to experimental first.

Security updates for Friday

Post Syndicated from daroc original https://lwn.net/Articles/1026281/

Security updates have been issued by SUSE (apache2-mod_security2, augeas, ghc-pandoc, gstreamer, ignition, kernel, libblockdev, libxml2, nodejs20, openssl-3, pam_pkcs11, perl, python3, systemd, ucode-intel, webkit2gtk3, and xen) and Ubuntu (linux, linux-aws, linux-aws-5.4, linux-azure, linux-gcp, linux-gcp-5.4,
linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4,
linux-xilinx-zynqmp, linux-aws-fips, linux-gcp-fips, python3.13, python3.12, and roundcube).

[$] A parallel path for GPU restore in CRIU

Post Syndicated from daroc original https://lwn.net/Articles/1024747/

The fundamental concept of checkpoint/restore is elegant: capture a
process’s state and resurrect it later, perhaps elsewhere. Checkpointing
meticulously records a process’s memory, open files, CPU state, and more into a
snapshot. Restoration then reconstructs the process from this state. This
established technique faces new challenges with GPU-accelerated applications,
where low-latency restoration is crucial for
fault
tolerance
, live migration, and
fast startups. Recently, the restore process for AMD GPUs has been redesigned to
eliminate substantial bottlenecks.

Security updates for Friday

Post Syndicated from daroc original https://lwn.net/Articles/1025354/

Security updates have been issued by AlmaLinux (.NET 8.0, .NET 9.0, glibc, kernel, and mod_security), Fedora (chromium, gh, mingw-icu, nginx-mod-modsecurity, python3.10, python3.9, thunderbird, valkey, and yarnpkg), Oracle (.NET 8.0, .NET 9.0, glibc, grafana-pcp, kernel, libxml2, mod_security, nodejs:20, and thunderbird), SUSE (audiofile, helm, kubernetes-old, kubernetes1.23, kubernetes1.24, libcryptopp, postgresql15, thunderbird, and valkey), and Ubuntu (linux-nvidia-tegra-igx).

[$] Finding locking bugs with Smatch

Post Syndicated from daroc original https://lwn.net/Articles/1023646/

Smatch is a GPL-licensed
static-analysis tool for C that has a lot of specialized checks for the kernel. Smatch
has been used in the kernel for more than 20 years; Dan
Carpenter, its primary author, decided last year that some details of its plugin system
were due for a rewrite. He spoke at Linaro Connect 2025 about his work on
Smatch, the changes to its implementation, and how those changes enabled him to easily
add additional checks for locking bugs in the kernel.