Security updates have been issued by Debian (ffmpeg, ghostscript, libarchive, and tinyxml), Fedora (CuraEngine, epiphany, gzip, usd, vim, xen, and xz), Oracle (maven-shared-utils and qemu), Red Hat (gzip, python27-python and python27-python-pip, rh-maven36-maven-shared-utils, rh-python38-python, rh-python38-python-lxml, and rh-python38-python-pip, and zlib), Slackware (pidgin), SUSE (jasper, java-11-openjdk, libcaca, libslirp, mariadb, mutt, nodejs12, opera, and python-Twisted), and Ubuntu (libinput).

Drew DeVault has announced the existence of a new programming language called "Hare".

Hare is a systems programming language designed to be simple, stable, and robust. Hare uses a static type system, manual memory management, and a minimal runtime. It is well-suited to writing operating systems, system tools, compilers, networking software, and other low-level, high performance tasks.

Nathan Willis took a long look at the Open Source Initiative's 2022 board election and wasn't entirely pleased with what he saw.

So it’s a troubling ballot to look at. There’s an ostensibly non-profit organization that’s an official OSI affiliate trying to run its CEO as an individual candidate while also running a second member (a board director) on the appropriate, affiliate ballot in the same election. There’s also two financial sponsors running candidates on the individual ballot, one of them (Red Hat) running two candidates at the same time for the two open seats.

The 5.18-rc5 kernel prepatch is out for testing. "So if rc4 last week was tiny and smaller than usual, it seems to have been partly timing, and rc5 is now a bit larger than usual. But only a very tiny bit larger - certainly not outrageously so, and not something that worries me."

The 5.15.37 and 4.19.241 stable kernel updates have been released; each contains a relatively small number of important fixes.

TechRepublic has published an interview with Fedora project leader Matthew Miller.

Basically, every modern language provides a lot of building blocks that usually come from other smaller open-source projects. These are libraries, and they do things like format text, handle images, connect to databases and deal with talking across the internet. Projects like Fedora or Debian used to work to try to package up every such library in our own format, made to work nicely with everything else.

Now, every new language — Rust, for example — comes with its own tools to manage these, and they don’t work nicely together with our old way. The sheer scale is overwhelming — for Rust alone, as I checked just now there are 81,541 such libraries. We can’t keep up with repackaging all of that into our own format, let alone that plus all of the other languages. We need to approach this differently in order to still provide a good solution to software developers.

I think a lot of that will need machine learning and automation … we’ll need to keep adjusting so we can provide the value that Linux distributions give users in trust, security and coherent integration at an exponential scale.

One of the changes merged for the 5.18 kernel was a specialized memory allocator for BPF programs that have been loaded into the kernel. Since then, though, this feature has run into a fair amount of turbulence and will almost certainly be disabled in the final 5.18 release. This outcome is partly a result of bugs in the allocator itself, but this work also had the bad luck to trip some older and deeper bugs within the kernel's memory-management subsystem.

Security updates have been issued by Fedora (dhcp, gzip, podman, rsync, and usd), Mageia (firefox/nss/rootcerts, kernel, kernel-linus, and thunderbird), Oracle (container-tools:2.0, container-tools:3.0, mariadb:10.3, and zlib), Red Hat (Red Hat OpenStack Platform 16.2 (python-twisted), xmlrpc-c, and zlib), SUSE (glib2, nodejs12, nodejs14, python-paramiko, python-pip, and python-requests), and Ubuntu (curl, ghostscript, libsdl1.2, libsdl2, mutt, networkd-dispatcher, and webkit2gtk).

There is a long and growing list of options for getting information out of the kernel but, in the real world, print statements still tend to be the tool of choice. The kernel's printk() function often comes up short, despite the fact that it provides a set of kernel-specific features, so there has, for some time, been interest in better APIs for textual output from the kernel. The "printbuf" proposal from Kent Overstreet is one step in that direction, but will need some changes to make it work well with features the kernel already has.

Security updates have been issued by Debian (chromium, golang-1.7, and golang-1.8), Fedora (bettercap, chisel, containerd, doctl, gobuster, golang-contrib-opencensus-resource, golang-github-appc-docker2aci, golang-github-appc-spec, golang-github-containerd-continuity, golang-github-containerd-stargz-snapshotter, golang-github-coredns-corefile-migration, golang-github-envoyproxy-protoc-gen-validate, golang-github-francoispqt-gojay, golang-github-gogo-googleapis, golang-github-gohugoio-testmodbuilder, golang-github-google-containerregistry, golang-github-google-slothfs, golang-github-googleapis-gnostic, golang-github-googlecloudplatform-cloudsql-proxy, golang-github-grpc-ecosystem-gateway-2, golang-github-haproxytech-client-native, golang-github-haproxytech-dataplaneapi, golang-github-instrumenta-kubeval, golang-github-intel-goresctrl, golang-github-oklog, golang-github-pact-foundation, golang-github-prometheus, golang-github-prometheus-alertmanager, golang-github-prometheus-node-exporter, golang-github-prometheus-tsdb, golang-github-redteampentesting-monsoon, golang-github-spf13-cobra, golang-github-xordataexchange-crypt, golang-gopkg-src-d-git-4, golang-k8s-apiextensions-apiserver, golang-k8s-code-generator, golang-k8s-kube-aggregator, golang-k8s-sample-apiserver, golang-k8s-sample-controller, golang-mongodb-mongo-driver, golang-storj-drpc, golang-x-perf, gopass, grpcurl, onionscan, shellz, shhgit, snowcrash, stb, thunderbird, and xq), Oracle (gzip, kernel, and polkit), Slackware (curl), SUSE (buildah, cifs-utils, firewalld, golang-github-prometheus-prometheus, libaom, and webkit2gtk3), and Ubuntu (nginx and thunderbird).

The LWN.net Weekly Edition for April 28, 2022 is available.

Running code from inside a cloned Git repository is potentially risky, but normally just inspecting such a repository is considered to be safe. As a recent posting to the Git mailing list shows, however, there are still risks lurking inside these repositories; code that lives in them can be triggered in unexpected ways. In particular, malicious "bare" repositories can be added as a subdirectory of a repository; they can be configured to run code whenever Git commands are executed there, which is something that can happen in surprising ways. There is now an effort underway to try to address the problem in Git, without breaking the legitimate need for including bare repositories into a Git tree.

As was recently reported here, the Fedora project has been considering dropping support for legacy BIOS systems in upcoming releases. The idea was controversial at best, and the minutes from the April 26 FESCo meeting show that it has been rejected, for now at least. The BIOS SIG will be asked for a new plan for BIOS support in Fedora.

Version 4.0 of the Yocto Project distribution builder is out. Changes include a move to the 5.15 kernel, reproducibility fixes, improved overlayfs support, numerous security updates, and a long list of new recipes.

The 5.17.5, 5.15.36, 5.10.113, 5.4.191, 4.19.240, 4.14.277, and 4.9.312 stable kernels have all been released, one day earlier than had originally been expected. As usual, each contains another set of important fixes.

Security updates have been issued by Mageia (virtualbox), Red Hat (container-tools:2.0, container-tools:3.0, gzip, kernel, kernel-rt, kpatch-patch, mariadb:10.3, mariadb:10.5, maven-shared-utils, polkit, vim, xmlrpc-c, and zlib), Scientific Linux (maven-shared-utils), SUSE (ant, go1.17, go1.18, kernel, and xen), and Ubuntu (fribidi, git, libcroco, libsepol, linux, linux-gcp, linux-ibm, linux-lowlatency, openjdk-17, and openjdk-lts).

Python's super() built-in function can be somewhat confusing, as highlighted by a huge python-ideas thread that we started looking at last week. It is used by methods in class hierarchies to access methods and attributes in a parent class, but exactly which class that super() resolves to is perhaps a bit unclear in multiple-inheritance hierarchies. The discussion in the second "half" of the thread further highlighted some lesser-known parts of the language.

Version 19 of the Android-based LineageOS distribution has been released.

With that said, we have been working extremely hard since Android 12’s release last October to port our features to this new version of Android. Thanks to our hard work adapting to Google’s fairly large changes in Android 11, we were able to rebase our changes onto Android 12 much more efficiently. This led to a lot of time to spend on cool new features, as well as adapt our additions to Android 12’s new Material You design language!

Beyond the move to Android 12, this release includes improvements to a lot of apps, a new setup wizard, and more. Less happily, this release has had to leave a lot of older devices behind; a device must be able to run a 4.9 or newer kernel to be able to run LineageOS 19.

Security updates have been issued by Debian (ffmpeg), Fedora (htmldoc, moby-engine, plantuml, and zchunk), Oracle (java-1.8.0-openjdk, java-17-openjdk, and kernel), Red Hat (java-1.8.0-openjdk), Scientific Linux (java-1.8.0-openjdk), Slackware (freerdp), SUSE (kernel, mutt, SUSE Manager Client Tools, and xen), and Ubuntu (barbican and git).

The kernel gained support for the TLS protocol in the 4.13 release, which came out in September 2017. That support is incomplete, though, in that it does not provide the kernel with a way to initiate a TLS connection on its own. Instead, user space creates a socket and performs the TLS handshake before handing the socket to the kernel, which can then transfer data using TLS. The situation may be about to change as a result of this patch series from Chuck Lever — though user space will still need to remain in the picture.