All posts by jzb

Security updates for Wednesday

Post Syndicated from jzb original https://lwn.net/Articles/971004/

Security updates have been issued by Fedora (abseil-cpp, chromium, filezilla, libfilezilla, and xorg-x11-server-Xwayland), Oracle (firefox, gnutls, golang, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-21-openjdk, kernel, libreswan, mod_http2, owO: thunderbird, and thunderbird), Red Hat (container-tools:rhel8, gnutls, grub2, kernel, kernel-rt, less, linux-firmware, opencryptoki, pcs, postgresql-jdbc, and thunderbird), Slackware (ruby), SUSE (kubernetes1.23, kubernetes1.24, and opensc), and Ubuntu (firefox, linux-azure, linux-lowlatency, linux-nvidia, and ruby-sanitize).

[$] Linus and Dirk chat about AI, XZ, hardware, and more

Post Syndicated from jzb original https://lwn.net/Articles/970293/

One of the mainstays of the Linux Foundation’s Open Source Summit is the “fireside chat” (sans fire) between Linus Torvalds and Dirk Hohndel to discuss open source and Linux kernel topics of the day. On April 17, at Open Source Summit North America (OSSNA) in Seattle, Washington, they kept with tradition and discussed a range of topics including proper whitespace parsing, security, and the current AI craze.

[$] Gentoo bans AI-created contributions

Post Syndicated from jzb original https://lwn.net/Articles/970072/

Gentoo Council member Michał Górny posted an RFC to the gentoo-dev mailing list in late February about banning “‘AI’-backed (LLM/GPT/whatever) contributions” to the Gentoo Linux project. Górny wrote that the spread of the “AI bubble” indicated a need for Gentoo to formally take a stand on AI tools. After a lengthy discussion, the Gentoo Council voted unanimously this week to adopt his proposal and ban contributions generated with AI/ML tools.

Gentoo Linux becomes an SPI Associated Project

Post Syndicated from jzb original https://lwn.net/Articles/969373/

The Gentoo Linux project has announced that it is now an Associated Project of Software in the Public Interest (SPI), which will allow it to accept tax-deductible donations in the US and reduce its “non-technical workload”:

The current Gentoo Foundation has bylaws restricting its behavior
to that of a non-profit, is a recognized non-profit only in New
Mexico, but a for-profit entity at the US federal level. A direct
conversion to a federally recognized non-profit would be unlikely to
succeed without significant effort and cost.

[…] SPI is already now recognized at US federal level as a
full-[fledged] non-profit 501(c)(3). It also handles several projects of
similar type and size (e.g., Arch and Debian) and as such has exactly
the experience and background that Gentoo needs.

According to the announcement, the goal is to “eventually transfer the existing assets to SPI and dissolve the Gentoo Foundation”. How to do that is still under discussion. This will not affect Förderverein Gentoo e.V., which has public-benefit status in Germany and can accept tax-deductible donations in Europe.

Security updates for Wednesday

Post Syndicated from jzb original https://lwn.net/Articles/969314/

Security updates have been issued by Debian (gtkwave), Fedora (dotnet7.0, dotnet8.0, and python-pillow), Mageia (apache, gstreamer1.0, libreoffice, perl-Data-UUID, and xen), Oracle (kernel, kernel-container, and varnish), Red Hat (edk2, kernel, rear, and unbound), SUSE (apache2-mod_jk, gnutls, less, and xfig), and Ubuntu (bind9, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux, linux-aws, linux-azure, linux-azure-6.5, linux-gcp, linux-gcp-6.5, linux-hwe-6.5, linux-laptop, linux-lowlatency, linux-lowlatency-hwe-6.5, linux-oem-6.5, linux-oracle, linux-oracle-6.5, linux-starfive, linux-starfive-6.5, linux, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-gkeop-5.15, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-intel-iotg, linux-intel-iotg-5.15, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-oracle, linux-oracle-5.15, linux-raspi, linux-azure, and xorg-server, xwayland).

GNU Stow 2.4.0 released

Post Syndicated from jzb original https://lwn.net/Articles/969003/

Version 2.4.0 of the GNU Stow symbolic-link manager has been released. This marks the first release for GNU Stow since 2019. Maintainer Adam Spiers wrote:

I would like to sincerely apologise to all Stow users for this
incredibly overdue release, the cadence of which is perhaps vaguely
reminiscent of releases by the great Donald Knuth, except with none of
the grace and deliberate planning.

Spiers notes that this release “makes considerable efforts to make the internals more understandable and easy to maintain”, and has put out a call for a co-maintainer.

Security updates for Monday

Post Syndicated from jzb original https://lwn.net/Articles/968999/

Security updates have been issued by Debian (jetty9, libcaca, libgd2, tomcat9, and util-linux), Fedora (chromium, micropython, and upx), Mageia (chromium-browser-stable, dav1d, libreswan, libvirt, nodejs, texlive-20220321, and util-linux), Red Hat (less, nodejs:20, and varnish), Slackware (tigervnc), and SUSE (buildah, c-ares, cdi-apiserver-container, cdi-cloner-container, cdi-controller-container, cdi-importer-container, cdi-operator-container, cdi-uploadproxy-container, cdi-uploadserver-container, cont, curl, expat, go1.21, go1.22, guava, helm, indent, krb5, kubevirt, virt-api-container, virt-controller-container, virt-exportproxy-container, virt-exportserver-container, virt-handler-container, virt-launcher-container, virt-libguestfs-t, libcares2, libvirt, ncurses, nghttp2, podman, postfix, python-Django, python-Pillow, python310, qemu, rubygem-rack, thunderbird, ucode-intel, and xen).

Tridge returns to rsync

Post Syndicated from jzb original https://lwn.net/Articles/968732/

Wayne Davison has announced
the release of rsync version 3.3.0, which
contains a number of bug fixes and minor enhancements. Davison has
also announced a change in maintainers and a move to a new GitHub
project:

The github repos have moved to a new RsyncProject organization. Because
various life events have been monopolizing my time, I reached out to
Tridge [Andrew Tridgell] (the original author) and he has graciously agreed to get back into rsync
work, along with Paul Mackerras, who was also an early contributor to
rsync. This new team will be working mainly on maintenance tasks, and not
so much on new features. If you want to get involved, feel free to reach
out on the new discord RsyncProject channels.

The new GitHub organization is here.

[$] A look at the 2024 Debian Project Leader election

Post Syndicated from jzb original https://lwn.net/Articles/967981/

The nominations have closed and campaigning is underway to see who will be the next Debian Project Leader (DPL). This year, two candidates are campaigning for the position Jonathan Carter has held for four eventful years: Sruthi Chandran and Andreas Tille. Topics that have emerged so far include how the prospective DPLs would spend project money, their opinions on handling controversial topics, and project diversity.

[$] A focus on FOSS funding

Post Syndicated from jzb original https://lwn.net/Articles/967001/

Among the numerous approaches to funding the development and advancement of open-source software, corporate sponsorship in the form of donations to umbrella organizations is perhaps the most visible. At SCALE21x in Pasadena, California, Duane O’Brien presented a slice of his recent research into the landscape of such sponsorship arrangements, with an overview of the identifiable trends of the past ten years and some initial insights he hopes are valuable for sponsors and community members alike.

AlmaLinux OS – CVE-2024-1086 and XZ (AlmaLinux blog)

Post Syndicated from jzb original https://lwn.net/Articles/968299/

AlmaLinux has announced
updated kernels for AlmaLinux 8 and 9 to address CVE-2024-1086, a
use-after-free vulnerability in the kernel that could be exploited to
gain local privilege escalation. This is notable because the fix
marks a divergence between AlmaLinux and Red Hat Enterprise Linux (RHEL):

In January of this year, a kernel flaw was disclosed and named CVE-2024-1086. This flaw is trivially exploitable on most RHEL-equivalent systems. There are many proof-of-concept posts available now, including one from our Infrastructure team lead, Jonathan Wright (Dealing with CVE-2024-1086). In multi-user scenarios, this flaw is especially problematic.

Though this was flagged as something to be fixed in Red Hat Enterprise Linux, Red Hat has only rated this as a moderate impact.

The AlmaLinux project would also like to note that it is not impacted by the XZ backdoor. “Because enterprise Linux takes a bit longer to adopt those updates (sometimes to the chagrin of our users), the version of XZ that had the back door inserted hadn’t made it further than Fedora in our ecosystem.”

Security updates for Wednesday

Post Syndicated from jzb original https://lwn.net/Articles/968218/

Security updates have been issued by Debian (py7zr), Fedora (biosig4c++ and podman), Oracle (kernel, kernel-container, and ruby:3.1), Red Hat (.NET 7.0, bind9.16, curl, expat, grafana, grafana-pcp, kernel, kernel-rt, kpatch-patch, less, opencryptoki, and postgresql-jdbc), and Ubuntu (cacti).

[$] The race to replace Redis

Post Syndicated from jzb original https://lwn.net/Articles/966631/

On March 21, Redis Ltd. announced that the Redis “in-memory data store” project would now be released under non-free, source-available licenses, starting with Redis 7.4. The news is unwelcome, but not entirely unexpected. What is unusual about this situation is the number of Redis alternatives available: there are at least four options for those who wish to stay with free software, including a pre-existing fork called KeyDB and the Linux Foundation’s newly announced Valkey project. The question now is which one(s) Linux distributions, users, and providers will choose to take its place.

Security updates for Wednesday

Post Syndicated from jzb original https://lwn.net/Articles/966835/

Security updates have been issued by Debian (composer and nodejs), Fedora (w3m), Mageia (tomcat), Oracle (expat, firefox, go-toolset:ol8, grafana, grafana-pcp, nodejs:18, and thunderbird), Red Hat (dnsmasq, expat, kernel, kernel-rt, libreoffice, and squid), and SUSE (firefox, krb5, libvirt, and shadow).

[$] Managing Linux servers with Cockpit

Post Syndicated from jzb original https://lwn.net/Articles/965434/

Cockpit is an interesting
project for web-based Linux administration that has received
relatively little attention over the years. Part of that may be due to
the project’s strategy of minor releases roughly every two weeks,
rather than larger releases with many new features. While the strategy
has done little to garner headlines, it has delivered a useful and
extensible tool to observe, manage, and troubleshoot Linux servers.