All posts by jake

[$] CHERI with a Linux on top

Post Syndicated from jake original https://lwn.net/Articles/1037974/

The Capability Hardware Enhanced RISC Instructions (CHERI) project is a rethinking of computer architecture in order to improve system security. Carl Shaw gave a presentation at Linux Security Summit Europe (LSS EU) about CHERI and the efforts to get Linux running on it. He introduced capabilities, which are a mechanism for access control, and outlined their history, which goes back many decades at this point, then looked more specifically at the CHERI project and what it will take to apply the security constraints of capabilities to an operating system like Linux.

Open Infrastructure is Not Free: A Joint Statement on Sustainable Stewardship

Post Syndicated from jake original https://lwn.net/Articles/1039127/

The Open Source Security Foundation (OpenSSF) has put together a joint statement from many of the public package repositories for various languages about the need for assistance in maintaining these commons. Services such as PyPI for Python, crates.io for Rust, and many others are working together to try to find ways to sustain these services in the face of challenges from “automated CI systems, large-scale dependency scanners, and ephemeral container builds” all downloading enormous amounts of package data, coupled with the rise of generative and agentic AI “driving a further explosion of machine-driven, often wasteful automated usage, compounding the existing challenges”. It is not a crisis, yet, they say, but it is headed in that direction.

Despite serving billions (perhaps even trillions) of downloads each month (largely driven by commercial-scale consumption), many of these services are funded by a small group of benefactors. Sometimes they are supported by commercial vendors, such as Sonatype (Maven Central), GitHub (npm) or Microsoft (NuGet). At other times, they are supported by nonprofit foundations that rely on grants, donations, and sponsorships to cover their maintenance, operation, and staffing.

Regardless of the operating model, the pattern remains the same: a small number of organizations absorb the majority of infrastructure costs, while the overwhelming majority of large-scale users, including commercial entities that generate demand and extract economic value, consume these services without contributing to their sustainability.

Security updates for Monday

Post Syndicated from jake original https://lwn.net/Articles/1039053/

Security updates have been issued by Debian (ffmpeg, jetty12, jetty9, jq, and pam), Fedora (curl, libssh, podman-tui, and prometheus-podman-exporter), Oracle (firefox, gnutls, kernel, and thunderbird), and SUSE (bluez, cairo, chromium, cmake, cups, firefox, frr, govulncheck-vulndb, kernel, kubevirt, virt-api-container, virt-controller-container, virt-exportproxy-container, virt-exportserver-container, virt-handler-container, virt-launcher-container, virt-libguestfs-t, mariadb, mybatis, ognl, python-h2, and rke2).

Security updates for Thursday

Post Syndicated from jake original https://lwn.net/Articles/1038638/

Security updates have been issued by AlmaLinux (gnutls, mysql:8.4, opentelemetry-collector, and python-cryptography), Debian (nextcloud-desktop), Fedora (chromium, firefox, forgejo, gitleaks, kernel, kernel-headers, lemonldap-ng, perl-Cpanel-JSON-XS, and python-pip), Red Hat (firefox and libxml2), Slackware (expat and mozilla), SUSE (avahi, bluez, cups, curl, firefox-esr, gdk-pixbuf, gstreamer, java-1_8_0-ibm, krb5, net-tools, podman, raptor, sevctl, tkimg, ucode-intel, and vim), and Ubuntu (linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux-fips, linux-azure-fips, linux-gcp-fips, linux-gcp-6.14, and linux-oracle-6.14).

[$] Typst: a possible LaTeX replacement

Post Syndicated from jake original https://lwn.net/Articles/1037577/

Typst is a program for document
typesetting. It is especially well-suited to technical material
incorporating elements such as mathematics, tables, and floating
figures. It produces high-quality results, comparable to the gold standard,
LaTeX, with a simpler markup
system and easier customization, all while compiling documents
more quickly. Typst is free software, Apache-2.0 licensed, and is written in Rust.

Security updates for Monday

Post Syndicated from jake original https://lwn.net/Articles/1038231/

Security updates have been issued by AlmaLinux (cups, kernel, and mysql-selinux and mysql8.4), Debian (cjson, jetty9, and shibboleth-sp), Fedora (bustle, cef, checkpointctl, chromium, civetweb, cups, forgejo, jupyterlab, kernel, libsixel, linenoise, maturin, niri, perl-Cpanel-JSON-XS, python-uv-build, ruff, rust-busd, rust-crypto-auditing-agent, rust-crypto-auditing-client, rust-crypto-auditing-event-broker, rust-matchers, rust-monitord, rust-monitord-exporter, rust-secret-service, rust-tracing-subscriber, rustup, tcpreplay, tuigreet, udisks2, uv, and xwayland-satellite), Oracle (cups, gdk-pixbuf2, kernel, mysql-selinux and mysql8.4, and php:8.2), Red Hat (kernel, kernel-rt, and multiple packages), Slackware (cups, kernel, and patch), and SUSE (busybox, busybox-links, chromedriver, chromium, cups-filters, curl, go1.25, jasper, java-11-openj9, java-17-openj9, java-1_8_0-openjdk, kernel, kernel-devel, kubo, libssh-config, orthanc-gdcm, python-aiohttp, python-eventlet, python-h2, and xen).

[$] Creating a healthy kernel subsystem community

Post Syndicated from jake original https://lwn.net/Articles/1036908/

Creating welcoming communities within open-source projects is a recurring topic at conferences; those projects rely on contributions from others, so making them welcome is important. The kernel has, rather infamously over the years, been an oft-cited example of an unwelcoming project, though there have been (and are) multiple efforts to change that with varying degrees of success. Hans de Goede talked about such efforts within his corner of the kernel project in a talk (YouTube video) at Open Source Summit Europe.

Security updates for Thursday

Post Syndicated from jake original https://lwn.net/Articles/1037777/

Security updates have been issued by AlmaLinux (python3.12-cryptography), Debian (chromium, hsqldb1.8.0, and imagemagick), Fedora (bustle, cef, maturin, rust-busd, rust-crypto-auditing-agent, rust-crypto-auditing-client, rust-crypto-auditing-event-broker, rust-monitord, rust-monitord-exporter, rustup, tuigreet, and wireshark), Oracle (kernel, microcode_ctl, and python3.12-cryptography), Red Hat (httpd:2.4 and multiple packages), SUSE (coreutils, curl, dpkg, ffmpeg-4, glib2, gnutls, go1.23-openssl, go1.24-openssl, go1.25-openssl, grub2, ImageMagick, jbigkit, kernel, libxslt, Mesa, opensc, opera, perl-JSON-XS, polkit, postgresql16, protobuf, python311, python311-deepdiff, sqlite3, ucode-intel, and warewulf4), and Ubuntu (bind9 and libxml2).

[$] Introducing Space Grade Linux

Post Syndicated from jake original https://lwn.net/Articles/1036168/

A new project, targeting Linux for the proverbial final frontier—outer space—was the subject of a talk (YouTube video) at the Embedded Linux Conference, which was held as part of Open Source Summit Europe in Amsterdam in late August. Ramón Roche introduced Space Grade Linux (SGL), which is currently incubating as a special interest group (SIG) of the Embedding Linux in Safety Applications (ELISA) project. The idea is to create a distribution with a base layer that can be used for off-planet missions of various sorts, along with other layers that can be used to customize it for different space-based use cases.

Security updates for Monday

Post Syndicated from jake original https://lwn.net/Articles/1037157/

Security updates have been issued by Debian (chromium, libhtp, modsecurity-apache, shibboleth-sp, and wireless-regdb), Fedora (chromium, kea, tcpreplay, and yq), Mageia (rootcerts, nspr, nss & firefox and thunderbird), Red Hat (python3), and SUSE (7zip, chromedriver, go1.25, libQt5Pdf5, libsixel-bash-completion, libsoup2, libwireshark18, netty, rav1e, and trivy).

Security updates for Thursday

Post Syndicated from jake original https://lwn.net/Articles/1036733/

Security updates have been issued by AlmaLinux (httpd:2.4, kernel, pam, postgresql:12, and python3.12), Debian (clamav and node-cipher-base), Fedora (exiv2 and libsixel), Oracle (httpd, kernel, pam, postgresql:12, postgresql:13, postgresql:15, and udisks2), SUSE (gimp, libmupen64plus-devel, munge, nvidia-open-driver-G06-signed, ovmf, postgresql15, python-aiohttp, python-Django, rav1e, redis, and ruby2.5), and Ubuntu (ffmpeg, kdepim, kf5-messagelib, kmail, kmail-account-wizard, linux-azure, linux-azure-6.8, linux-azure-nvidia, php7.0, php7.2, php7.4, protobuf, python-django, ruby2.5, ruby2.7, ruby3.0, ruby3.2, ruby3.3, and rubygems).

Security updates for Monday

Post Syndicated from jake original https://lwn.net/Articles/1036084/

Security updates have been issued by AlmaLinux (postgresql16, postgresql:16, python3.11, and thunderbird), Debian (firebird4.0, libcommons-lang3-java, mbedtls, nodejs, openvpn, and ruby-saml), Fedora (cef, chromium, docker-buildx, exiv2, firefox, rocm-rpp, and udisks2), Oracle (postgresql:16), Red Hat (fence-agents, firefox, gdk-pixbuf2, httpd, kernel, kernel-rt, libarchive, libxml2, multiple packages, postgresql, postgresql16, postgresql:15, postgresql:16, python3.11, python3.12, python39:3.9, and thunderbird), Slackware (udisks2), SUSE (go-sendxmpp, helm, ImageMagick, javamail, jq, kea, kernel, libarchive, libsoup, libssh, libxml2, openssl-3, postgresql14, postgresql15, python, python-future, systemd, and xz), and Ubuntu (open-vm-tools and python2.7).

[$] Changing GNOME technical governance?

Post Syndicated from jake original https://lwn.net/Articles/1034684/

The GNOME project, which recently celebrated its 28th birthday, has never had a formal technical governance; progress has been driven by individuals and groups that advocated for—and worked toward—a particular goal in an ad hoc fashion. Longtime GNOME contributor Emmanuele Bassi would like to see that change by adding cross-project teams and a steering committee for the project; to that end, he gave a talk (YouTube video) at GUADEC 2025 in late July on his idea to establish some technical governance for the project. He also put together a blog post with his notes from the talk. The audience reaction was favorable, so he has followed up on the GNOME discussion forum with an RFC on governance to try to move the effort along.

Security updates for Thursday

Post Syndicated from jake original https://lwn.net/Articles/1035464/

Security updates have been issued by AlmaLinux (aide, firefox, kernel, and mod_http2), Debian (chromium and unbound), Fedora (mod_auth_openidc), Oracle (fence-agents and kernel), SUSE (ignition, jetty-minimal, kernel, libmozjs-128-0, matrix-synapse, postgresql13, postgresql15, postgresql16, and postgresql17), and Ubuntu (kernel).

Security updates for Monday

Post Syndicated from jake original https://lwn.net/Articles/1034932/

Security updates have been issued by AlmaLinux (kernel and tomcat9), Debian (iperf3, mupdf, qemu, thunderbird, and unbound), Fedora (glab, kubernetes1.31, kubernetes1.32, kubernetes1.33, and toolbox), Oracle (kernel and tomcat9), Red Hat (firefox, kernel, kernel-rt, and squid), SUSE (abseil-cpp-devel, aide, flake-pilot, gdk-pixbuf, glibc, go-sendxmpp, ImageMagick, jetty-annotations, jupyter-bqplot-jupyterlab, libtiff-devel-32bit, pam, pdns-recursor, ruby3.4-rubygem-activerecord, rust-keylime, terragrunt, and thunderbird), and Ubuntu (linux-azure and linux-azure-fips).

[$] The “impossibly small” Microdot web framework

Post Syndicated from jake original https://lwn.net/Articles/1034121/

The Microdot web framework is quite small, as its name would imply; it supports both standard CPython and MicroPython, so it can be used on systems ranging from internet-of-things (IoT) devices all the way up to large, cloudy servers. It was developed by Miguel Grinberg, who gave a presentation about it at EuroPython 2025. His name may sound familiar from his well-known Flask Mega-Tutorial, which has introduced many to the Flask lightweight Python-based web framework. It should come as no surprise, then, that Microdot is inspired by its rather larger cousin, so Flask enthusiasts will find much to like in Microdot—and will come up to speed quickly should their needs turn toward smaller systems.

Security updates for Thursday

Post Syndicated from jake original https://lwn.net/Articles/1034650/

Security updates have been issued by AlmaLinux (libarchive, mingw-sqlite, pki-deps:10.6, and tomcat), Debian (chromium and firefox-esr), Fedora (python3.6 and suricata), Oracle (go-toolset:rhel8, kernel, libarchive, mingw-sqlite, tomcat, and xterm), Red Hat (kernel), Slackware (mozilla), SUSE (aws-efs-utils, docker-machine-driver-kvm2, nova, pluto, polaris, and python310), and Ubuntu (ceph, gcc-10, gcc-11, gcc-12, linux-aws-6.8, linux-gcp, linux-gcp-6.8, linux-gkeop, linux-ibm, linux-ibm-6.8, linux-hwe-6.14, linux-oem-6.14, linux-intel-iotg, linux-oracle, linux-raspi, linux-iot, poppler, and tiff).