All posts by daroc

Security updates for Friday

Post Syndicated from daroc original https://lwn.net/Articles/1024317/

Security updates have been issued by AlmaLinux (go-toolset:rhel8, golang, nodejs:20, nodejs:22, openssh, and python36:3.6), Debian (edk2, libfile-find-rule-perl, and webkit2gtk), Fedora (emacs, libvpx, perl-FCGI, and seamonkey), Mageia (cifs-utils), Red Hat (containernetworking-plugins, go-toolset:rhel8, golang, gvisor-tap-vsock, krb5, mod_auth_openidc:2.3, protobuf, and thunderbird), Slackware (seamonkey), SUSE (gimp, gnutls, haproxy, opensaml, openssh, openvpn, python-cryptography, python-tornado, python311-nh3, and python311-selenium), and Ubuntu (gst-plugins-bad1.0 and linux-fips).

[$] Open source and the Cyber Resilience Act

Post Syndicated from daroc original https://lwn.net/Articles/1023306/

The European Union’s Cyber Resilience Act (CRA) has caused a stir in the
software-development world. Thanks to advocacy by the Eclipse Foundation, Open
Source Initiative, Linux Foundation, Mozilla, and others, open-source software
projects generally have minimal requirements under the CRA — but nothing to do
with law is ever quite so simple. Marta Rybczyńska spoke at Linaro Connect 2025
about the impact of the CRA on the open-source ecosystem, with an emphasis on
the importance of understanding a project’s role under the CRA. She later
participated in a panel discussion with Joakim Bech, Kate Stewart, and Mike
Bursell about how the CRA would impact embedded open-source development.

[$] Two sessions on faster networking

Post Syndicated from daroc original https://lwn.net/Articles/1022648/

Cong Wang and Daniel Borkmann each led a session at the 2025 Linux Storage,
Filesystem, Memory Management, and BPF Summit about their respective
plans to speed up networking in the Linux kernel. Both sessions described ways
to remove unnecessary operations in the networking stack, but they focused on
different areas. Wang spoke about using BPF to speed up socket operations,
while Borkmann spoke about eliminating the overhead of networking
operations on virtual machines.

[$] Safety certification for open-source systems

Post Syndicated from daroc original https://lwn.net/Articles/1022889/

This year’s Linaro Connect in Lisbon, Portugal featured a number of talks about
the use of open-source components in safety-critical systems. Kate Stewart gave
a keynote on the topic on the first day of the conference. In it, she
highlighted several projects that have been working to pursue safety
certification and spoke about the importance of being able to trace software’s
origins to safety. In a talk on the second day, Roberto Bagnara shared his
experience with working on one of those projects, the Xen hypervisor, to
conform to a formal set of rules for safety-critical code.

Security updates for Friday

Post Syndicated from daroc original https://lwn.net/Articles/1023259/

Security updates have been issued by AlmaLinux (.NET 8.0, .NET 9.0, firefox, ghostscript, gstreamer1-plugins-bad-free, libsoup3, mingw-freetype, perl, ruby, sqlite, thunderbird, unbound, valkey, and xz), Debian (chromium, firefox-esr, libavif, linux-6.1, modsecurity-apache, mydumper, systemd, and thunderbird), Fedora (coreutils, dnsdist, docker-buildx, maturin, mingw-python-flask, mingw-python-flit-core, ruff, rust-hashlink, rust-rusqlite, and thunderbird), Red Hat (pcs), SUSE (augeas, brltty, brotli, ca-certificates-mozilla, dnsdist, glibc, grub2, kernel, libsoup, libsoup2, libxml2, open-vm-tools, perl, postgresql13, postgresql15, postgresql16, postgresql17, python-cryptography, python-httpcore, python-h11, python311, runc, s390-tools, slurm, slurm_20_11, slurm_22_05, slurm_23_02, slurm_24_11, tomcat, and webkit2gtk3), and Ubuntu (linux-aws).

[$] Allowing BPF programs more access to the network

Post Syndicated from daroc original https://lwn.net/Articles/1022034/

Mahé Tardy led two sessions about some of the challenges that he, Kornilios
Kourtis, and John Fastabend have run into in their work on Tetragon
(Apache-licensed BPF-based security monitoring software) at the Linux Storage,
Filesystem, Memory Management, and BPF Summit. The sessions prompted discussion
about the feasibility of letting BPF programs send data over the network, as
well as potential new kfuncs to let BPF firewalls send TCP reset packets. Tardy
presented several possible ways that these could be accomplished.

[$] Verifying the BPF verifier’s path-exploration logic

Post Syndicated from daroc original https://lwn.net/Articles/1021825/

Srinivas Narayana led a remote session about extending Agni to prove the
correctness of the BPF verifier’s handling of different execution paths as part
of the Linux Storage, Filesystem, Memory Management, and BPF Summit. The
problem of ensuring the correctness of path exploration is much more difficult
than the problem of ensuring the correctness of arithmetic operations (which
was the subject of the previous session), however. Narayana’s plan to tackle
the problem makes use of a mixture of specialized techniques — and may need
some assistance from the BPF developers to make it feasible at all.

[$] Formally verifying the BPF verifier

Post Syndicated from daroc original https://lwn.net/Articles/1020664/

The BPF verifier is an increasingly complex and security-critical piece of code.
When the kinds of people who are apt to work on BPF see a situation like that,
they naturally question whether it’s possible to use formal verification to
ensure that the implementation of the code in question is correct. Santosh
Nagarakatte led the first of two extra-long sessions in the BPF track
of the 2025 Linux Storage, Filesystem, Memory Management, and BPF Summit
about his team’s work formally verifying the BPF verifier with a
custom tool called Agni.

[$] An update on continuous testing of BPF kernel patches

Post Syndicated from daroc original https://lwn.net/Articles/1020266/

Ihor Solodrai has been working on the BPF subsystem’s continuous-integration
(CI) testing for the last six months. At the 2025 Linux Storage, Filesystem,
Memory-Management, and BPF Summit, he remotely shared
an update on his work, and solicited feedback on how the tests could be further
improved. Much of the work he’s done has been specific to the BPF subsystem, but
some is more generic and could potentially be of use to other subsystems. He
also shared some general lessons learned from working on the BPF CI tests.

[$] Faster firewalls with bpfilter

Post Syndicated from daroc original https://lwn.net/Articles/1017705/

From servers in a data center to desktop computers, many devices
communicating on a network will eventually have to filter network
traffic, whether it’s for security or performance reasons. As a result,
this is a domain where a lot of work is put into improving performance:
a tiny performance improvement can have considerable gains. Bpfilter is a
project that allows for packet filtering to easily be done with BPF, which can
be faster than other mechanisms.

[$] A look at what’s possible with BPF arenas

Post Syndicated from daroc original https://lwn.net/Articles/1019885/

BPF arenas are areas of memory where the verifier can safely relax its checking
of pointers, allowing programmers to write arbitrary data structures in BPF.
Emil Tsalapatis reported on how his team has used arenas in writing sched_ext
schedulers at the 2025 Linux Storage, Filesystem, Memory-Management, and BPF
Summit. His biggest complaint was about the fact that kernel pointers can’t be
stored in BPF arenas — something that the BPF developers hope to address,
although there are some implementation problems that must be sorted out first.

Security updates for Friday

Post Syndicated from daroc original https://lwn.net/Articles/1020653/

Security updates have been issued by Debian (fossil, libapache2-mod-auth-openidc, and request-tracker4), Fedora (thunderbird), Mageia (firefox and thunderbird), SUSE (389-ds, apparmor, cargo-c, chromium, go1.24, govulncheck-vulndb, java-1_8_0-openjdk, kanidm, libsoup, mozjs102, openssl-1_1, openssl-3, python-Django, sccache, tealdeer, tomcat, transfig, wasm-bindgen, and wireshark), and Ubuntu (libreoffice and python-h11).

[$] Hash table memory usage and a BPF interpreter bug

Post Syndicated from daroc original https://lwn.net/Articles/1019667/

Anton Protopopov led a short discussion at the 2025 Linux Storage, Filesystem,
Memory-Management, and BPF Summit about the amount of memory used
by hash tables in BPF programs. He thinks that the current memory layout is
inefficient, and wants to split the structure that holds table entries into two
variants for different kinds of maps. When that proposal proved
uncontroversial, he also took the chance to talk about a bug in BPF’s call
instruction.

[$] Filtering fanotify events with BPF

Post Syndicated from daroc original https://lwn.net/Articles/1018493/

Linux systems can have large filesystems; trying to keep up with the stream of
fanotify filesystem-monitoring notifications for them can be a struggle.
Fanotify is one of a few kernel-provided ways to monitor accesses to
filesystems. Song Liu led a discussion on how to improve in-kernel filtering of
fanotify events at a joint session of the filesystem and BPF tracks at the 2025
Linux Storage, Filesystem, Memory-Management, and BPF Summit. He wants to
combine the best parts of a few different approaches to efficiently filter
filesystem events.

Security updates for Friday

Post Syndicated from daroc original https://lwn.net/Articles/1019869/

Security updates have been issued by Debian (chromium, nodejs, openjdk-17, and thunderbird), Fedora (firefox, golang-github-nvidia-container-toolkit, and thunderbird), Mageia (kernel), Oracle (ghostscript, glibc, kernel, libxslt, php:8.1, and thunderbird), SUSE (cmctl, firefox-esr, govulncheck-vulndb, java-21-openjdk, libxml2, poppler, python-h11, and redis), and Ubuntu (docker.io, ghostscript, linux-xilinx-zynqmp, and micropython).

[$] Better debugging information for inlined kernel functions

Post Syndicated from daroc original https://lwn.net/Articles/1018475/

Modern compilers perform a lot of optimizations, which can complicate debugging.
Song Liu and Thierry Treyer spoke about a potential improvement to BPF Type
Format (BTF) debugging information that could partially combat that problem at
the 2025 Linux Storage, Filesystem, Memory-Management, and BPF Summit. They
want to add information on selectively inlined functions to BTF in order to
better support tracing tools. Treyer participated remotely.

[$] Inline socket-local storage for BPF

Post Syndicated from daroc original https://lwn.net/Articles/1018320/

Martin Lau gave a talk in the BPF track of the 2025 Linux Storage, Filesystem,
Memory-Management, and BPF Summit about a performance problem
plaguing the networking subsystem, and some potential ways to fix it. He works on
BPF programs that need to store socket-local data; amid other improvements to
the networking and BPF subsystems, retrieving that data has become a noticeable
bottleneck for his use case. His proposed fix prompted a good deal of discussion
about how the data should be laid out.

[$] Code signing for BPF programs

Post Syndicated from daroc original https://lwn.net/Articles/1017549/

The Linux kernel can be configured so that kernel modules must be signed or
otherwise authenticated to be loaded into the kernel. Some BPF developers want
that to be an option for BPF programs as well — after all, if those are going
to run as part of the kernel, they should be subject to the same code-signing
requirements. Blaise Boscaccy and Cong Wang presented two different visions for
how BPF code signing could work at the 2025 Linux Storage, Filesystem,
Memory-Management, and BPF Summit.