All posts by jzb

[$] A look at the 2024 Debian Project Leader election

Post Syndicated from jzb original https://lwn.net/Articles/967981/

The nominations have closed and campaigning is underway to see who will be the next Debian Project Leader (DPL). This year, two candidates are campaigning for the position Jonathan Carter has held for four eventful years: Sruthi Chandran and Andreas Tille. Topics that have emerged so far include how the prospective DPLs would spend project money, their opinions on handling controversial topics, and project diversity.

[$] A focus on FOSS funding

Post Syndicated from jzb original https://lwn.net/Articles/967001/

Among the numerous approaches to funding the development and advancement of open-source software, corporate sponsorship in the form of donations to umbrella organizations is perhaps the most visible. At SCALE21x in Pasadena, California, Duane O’Brien presented a slice of his recent research into the landscape of such sponsorship arrangements, with an overview of the identifiable trends of the past ten years and some initial insights he hopes are valuable for sponsors and community members alike.

AlmaLinux OS – CVE-2024-1086 and XZ (AlmaLinux blog)

Post Syndicated from jzb original https://lwn.net/Articles/968299/

AlmaLinux has announced updated kernels for AlmaLinux 8 and 9 to address CVE-2024-1086, a use-after-free vulnerability in the kernel that could be exploited to gain local privilege escalation. This is notable because the fix marks a divergence between AlmaLinux and Red Hat Enterprise Linux (RHEL):

In January of this year, a kernel flaw was disclosed and named CVE-2024-1086. This flaw is trivially exploitable on most RHEL-equivalent systems. There are many proof-of-concept posts available now, including one from our Infrastructure team lead, Jonathan Wright (Dealing with CVE-2024-1086). In multi-user scenarios, this flaw is especially problematic.

Though this was flagged as something to be fixed in Red Hat Enterprise Linux, Red Hat has only rated this as a moderate impact.

The AlmaLinux project would also like to note that it is not impacted by the XZ backdoor. “Because enterprise Linux takes a bit longer to adopt those updates (sometimes to the chagrin of our users), the version of XZ that had the back door inserted hadn’t made it further than Fedora in our ecosystem.”

Security updates for Wednesday

Post Syndicated from jzb original https://lwn.net/Articles/968218/

Security updates have been issued by Debian (py7zr), Fedora (biosig4c++ and podman), Oracle (kernel, kernel-container, and ruby:3.1), Red Hat (.NET 7.0, bind9.16, curl, expat, grafana, grafana-pcp, kernel, kernel-rt, kpatch-patch, less, opencryptoki, and postgresql-jdbc), and Ubuntu (cacti).

[$] The race to replace Redis

Post Syndicated from jzb original https://lwn.net/Articles/966631/

On March 21, Redis Ltd. announced that the Redis “in-memory data store” project would now be released under non-free, source-available licenses, starting with Redis 7.4. The news is unwelcome, but not entirely unexpected. What is unusual with this situation is the number of Redis alternatives to choose from; there are at least four options to choose as a replacement for those who wish to stay with free software, including a pre-existing fork called KeyDB and the Linux Foundation’s newly-announced Valkey project. The question now is which one(s) Linux distributions, users, and providers will choose to take its place.

Security updates for Wednesday

Post Syndicated from jzb original https://lwn.net/Articles/966835/

Security updates have been issued by Debian (composer and nodejs), Fedora (w3m), Mageia (tomcat), Oracle (expat, firefox, go-toolset:ol8, grafana, grafana-pcp, nodejs:18, and thunderbird), Red Hat (dnsmasq, expat, kernel, kernel-rt, libreoffice, and squid), and SUSE (firefox, krb5, libvirt, and shadow).

[$] Managing Linux servers with Cockpit

Post Syndicated from jzb original https://lwn.net/Articles/965434/

Cockpit is an interesting project for web-based Linux administration that has received relatively little attention over the years. Part of that may be due to the project’s strategy of minor releases roughly every two weeks, rather than larger releases with many new features. While the strategy has done little to garner headlines, it has delivered a useful and extensible tool to observe, manage, and troubleshoot Linux servers.

Python announces first security releases since becoming a CNA

Post Syndicated from jzb original https://lwn.net/Articles/966056/

The Python project has announced three security releases, 3.10.14, 3.9.19, and 3.8.19. In addition to the security fixes, these releases are notable for two reasons; they are the first to make use of GitHub Actions to perform public builds instead of building artifacts “on a local computer of one of the release managers”, and the first since Python became a CVE Numbering Authority (CNA).

Python release team member Łukasz Langa said that being a CNA means Python is able to “ensure the quality of the vulnerability reports is high, and that the severity estimates are accurate.” It also allows Python to coordinate CVE announcements with the patched versions of Python, as it has with two CVEs addressed in these releases. CVE-2023-6597 describes a flaw in CPython’s zipfile module that made it vulnerable to a zip-bomb exploit. CVE-2024-0450 is an issue with Python’s tempfile.TemporaryDirectory class which could be exploited to modify permissions of files referenced by symbolic links. Users of affected versions should upgrade soon.

Security updates for Wednesday

Post Syndicated from jzb original https://lwn.net/Articles/966053/

Security updates have been issued by Debian (fontforge and imagemagick), Fedora (firefox), Mageia (cherrytree, python-django, qpdf, and sqlite3), Red Hat (bind, cups, emacs, fwupd, gmp, kernel, libreoffice, libX11, nodejs, opencryptoki, postgresql-jdbc, postgresql:10, postgresql:13, and ruby:3.1), Slackware (gnutls and mozilla), and Ubuntu (firefox, linux, linux-bluefield, linux-gcp, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-iot, linux-kvm, linux-oracle, linux-oracle-5.4, linux-aws, linux-aws-5.4, linux-aws-6.5, and linux-oracle-5.15).

Mitchell: Today we launched Flox 1.0

Post Syndicated from jzb original https://lwn.net/Articles/965584/

Zach Mitchell has announced the 1.0 release of Flox, a tool that lets its users install packages from nixpkgs inside portable virtual environments, and share those virtual environments with others as an alternative to Docker-style containers. Flox is based on Nix but allows users to skip learning how to work with the Nix language:

With Flox we’re providing a substantially better user experience. We provide the suite of package manager functionality with install, uninstall, etc, but we also provide an entire new suite of functionality with the ability to share environments via flox push, flox pull, and flox activate --remote.

Flox is GPLv2-licensed, and releases are available as RPMs and Debian packages for x86_64 and arm64 systems.

Security updates for Friday

Post Syndicated from jzb original https://lwn.net/Articles/965576/

Security updates have been issued by Debian (composer and node-xml2js), Fedora (baresip), Mageia (fonttools, libgit2, mplayer, open-vm-tools, and packages), Red Hat (dnsmasq, gimp:2.8, and kernel-rt), and SUSE (389-ds, gdb, kernel, python-Django, python3, python36-pip, spectre-meltdown-checker, sudo, and thunderbird).

[$] Questions about machine-learning models for Fedora

Post Syndicated from jzb original https://lwn.net/Articles/964739/

Kaitlyn Abdo of Fedora’s AI/ML SIG opened an issue with the Fedora Engineering Steering Committee (FESCo) recently that carried a few tricky questions about packaging machine-learning (ML) models for Fedora. Specifically, the SIG is looking for guidance on whether pre-trained weights for PyTorch constitute code or content. And, if the models are released under a license approved by the Open Source Initiative (OSI), does it matter what data the models were trained on? The issue was quickly tossed over to Fedora’s legal mailing list and sparked an interesting discussion about how to handle these items, and a temporary path forward.

Security updates for Wednesday

Post Syndicated from jzb original https://lwn.net/Articles/965278/

Security updates have been issued by Fedora (edk2, freeipa, kernel, and liblas), Oracle (kernel), Red Hat (docker, edk2, kernel, kernel-rt, and kpatch-patch), SUSE (axis, fontforge, gnutls, java-1_8_0-openjdk, kernel, python3, sudo, and zabbix), and Ubuntu (dotnet7, dotnet8, libgoogle-gson-java, openssl, and ovn).

[$] Untangling the Open Collectives

Post Syndicated from jzb original https://lwn.net/Articles/964402/

Name collisions aren’t just a problem for software development—organizations, projects, and software that have the same or similar names can cause serious confusion. That was certainly the case on February 28 when the Open Collective Foundation (OCF) began to notify its hosted projects that it would be shutting down by the end of 2024. The announcement surprised projects hosted with OCF, as one might expect. It also worried and confused users of the Open Collective software platform from Open Collective, Inc. (OCI), as well as organizations hosted by the Open Source Collective (OSC) and Open Collective Europe (OC Europe). There is enough confusion about the names, relationships between the organizations, and impact on projects like Flatpak, Homebrew, and htop hosted by OCF, that a deeper look is warranted.

[$] MySQL and MariaDB changes coming in Fedora 40

Post Syndicated from jzb original https://lwn.net/Articles/960630/

The Fedora Project switched to MariaDB as the default implementation of MySQL in Fedora 19 in 2013. Once a drop-in replacement for MySQL, MariaDB has diverged enough that this is no longer the case—and, despite concerns about Oracle and optimism that MariaDB would supplant MySQL, the reality is that MySQL and MariaDB seem to be here to stay. With that in mind, Fedora developer Michal Schorm proposed that the project revise the way MySQL and MariaDB are packaged in Fedora starting with Fedora 40.

Adding systemd to postmarketOS

Post Syndicated from jzb original https://lwn.net/Articles/964574/

The postmarketOS project, which produces a Linux distribution for phones and mobile devices, has announced that it is in the early stages of adding systemd to make it easier to support GNOME and KDE.

Users who prefer the OpenRC init system are assured they will still have that option when building their own images “as long as OpenRC is in Alpine Linux (on which postmarketOS is based)”:

As with text editors, some people are really passionate about their favorite init
systems. When discussing this announcement, please keep a friendly tone. Remember
that we all share the love for free and open source software, and that our
communities work best if we focus on shared values instead of fighting over what
implementations to use.

Proof-of-concept images are available now for a limited set of devices. Users are warned these images are “buggy, unreliable, and NOT suitable for use on a device you rely on”. Those interested in helping with testing and development are encouraged to follow along and report bugs on the systemd issue at GitLab.