Security updates have been issued by Debian (pngcheck), Fedora (qemu), Mageia (admesh, busybox, emacs, libarchive, netkit-telnet, ruby, rxvt-unicode, and shadowutils), Oracle (bcel and kernel), Red Hat (389-ds-base, bcel, dbus, firefox, grub2, kernel, kernel-rt, kpatch-patch, thunderbird, and usbguard), Scientific Linux (bcel), SUSE (containerd, firefox, grafana, java-1_8_0-openjdk, libtpms, net-snmp, and wireshark), and Ubuntu (pillow).

Everything Open is, seemingly, the future form of the conference once known as linux.conf.au; see this page for a discussion of the reasoning behind the change. The inaugural event will be held March 14 to 16 in Melbourne, Australia, and the call for proposals has gone out now, with a deadline of January 15. "Our aim is to create a deeply technical conference where we bring together industry leaders and experts on a wide range of subjects."

X.org users running in potentially hostile environments will want to look into the xorg-server 21.1.5 release, which fixes several potentially serious security vulnerabilities. "All theses issues can lead to local privileges elevation on systems where the X server is running privileged and remote code execution for ssh X forwarding sessions".

Version 108 of the Firefox browser has been released. The headline feature this time around appears to be the enabling of import maps by default, along with support for the Web MIDI API and the usual set of security fixes.

Back in September, we looked at a Python Enhancement Proposal (PEP) to add "lazy" imports to the language; the execution of such an import would be deferred until its symbols were needed in order to save program-startup time. While the problem of startup time for short-running, often command-line-oriented, tools is widely acknowledged in the Python community, and the idea of deferring imports is generally popular, there are concerns about the effect of the feature on the ecosystem as a whole. Since our article, the PEP has been revised and discussed further, but the feature was recently rejected by the steering council (SC) because of those concerns; that has not completely ended the quest for lazy imports, however.

Bugzilla project lead Dave Miller has posted a plan for several upcoming releases of the bug-tracking tool. The post starts with: "Surprise! Bugzilla’s not dead yet. :-)". It is, in effect, an update to his August posting to the Bugzilla developers mailing list. In the new post, he outlines the plan for releases of multiple branches, lists specific areas where help is needed, and describes some project infrastructure improvements. I would like to put out a new multi-branch release of Bugzilla as soon as we can get all the pieces in place to do so. I was hoping to do this within a few weeks of the original post to the developers list, but that was back in August and it hasn’t happened yet. At this point I think we’ll be really lucky if it happens before the end of December; though mid-January is definitely a possibility. As a forewarning to everyone, there will be security content in it, and that’s part of the holdup.

Security updates have been issued by Debian (node-tar and pngcheck), SUSE (colord, containerd, and tiff), and Ubuntu (containerd, linux-azure, linux-azure, linux-azure-5.4, linux-oem-5.17, and vim).

Version 2.39.0 of the Git source-code management system is out. "It is comprised of 483 non-merge commits since v2.38.0, contributed by 86 people, 31 of which are new faces". This release seems to mostly offer incremental improvements; see the announcement or this GitHub blog post for details.

The 6.1 kernel was released on December 11; by the time of this release, 13,942 non-merge changesets had been pulled into the mainline, growing the kernel by 412,000 lines of code. This is thus not the busiest development cycle ever, but neither is it the slowest, and those changesets contained a number of fundamental changes. This release will also be the long-term-support kernel for 2022. Read on for a look at where the work in 6.1 came from.

Security updates have been issued by Debian (cacti, grub2, hsqldb, node-eventsource, and openexr), Fedora (bcel, keylime, rust-capnp, rust-sequoia-octopus-librnp, xfce4-screenshooter, and xfce4-settings), Oracle (nodejs:18), Scientific Linux (grub2), Slackware (libarchive), SUSE (go1.18, go1.19, nautilus, opera, python-slixmpp, and samba), and Ubuntu (python2.7, python3.5, qemu, and squid3).

Version 3.0 of the OpenShot video editor is out.

One of the largest and most noticeable changes to OpenShot 3.0 is our improved video preview, resulting in smoother video preview and fewer freezes and pauses during previewing. But to understand why things are so much smoother, we need to look deeper into our decoding engine. We have rearchitected our decoder to be much more resilient to missing packets, missing timestamps, and better understanding when we are missing video or audio data, so we can move on without pausing.

Linus has released the 6.1 kernel; he is preparing for a tricky holiday merge window: So here we are, a week late, but last week was nice and slow, and I'm much happier about the state of 6.1 than I was a couple of weeks ago when things didn't seem to be slowing down.

Of course, that means that now we have the merge window from hell, just before the holidays, with me having some pre-holiday travel coming up too. So while delaying things for a week was the right thing to do, it does make the timing for the 6.2 merge window awkward.

Headline features in 6.1 include reworked, LLVM-based control-flow integrity, initial support for kernel development in Rust, support for destructive BPF programs, some significant io_uring performance improvements, better user-space control over transparent huge-page creation, improved memory-tiering support, fundamental memory-management rewrites in the form of the multi-generational LRU and the maple tree data structure, the kernel memory sanitizer, and much more. See the LWN merge-window summaries (part 1, part 2) and the KernelNewbies 6.1 page for more information.

Virtual-memory systems provide a great deal of flexibility in how memory can be mapped and protected. Unfortunately, memory-management flexibility can also be useful to attackers bent on compromising a system. In the OpenBSD world, a new system call is being added to reduce this flexibility; it is, though, a system call that almost no code is expected to use.

Security updates have been issued by Debian (leptonlib), Fedora (woff), Red Hat (grub2), Slackware (emacs), SUSE (busybox, chromium, java-1_8_0-openjdk, netatalk, and rabbitmq-server), and Ubuntu (gcc-5, gccgo-6, glibc, protobuf, and python2.7, python3.10, python3.6, python3.8).

Version 8.2.0 of the PHP language is out.

PHP 8.2 is a major update of the PHP language.It contains many new features, including readonly classes, null, false, and true as stand-alone types, deprecated dynamic properties, performance improvements and more.

Each new kernel release fixes a lot of bugs, but each release also introduces new bugs of its own. That leads to a fundamental question: is the kernel community fixing bugs more quickly than it is adding them? The answer is less than obvious but, if it could be found, it would give an important indication of the long-term future of the kernel code base. While digging into the kernel's revision history cannot give a definitive answer to that question, it can provide some hints as to what that answer might be.

Greg Kroah-Hartman has released the 6.0.12, 5.15.82, 5.10.158, 5.4.226, 4.19.268, 4.14.301, and 4.9.335 stable kernels. As is the norm, they contain important fixes throughout the kernel tree; users of those series should upgrade.

Security updates have been issued by Debian (dlt-daemon, jqueryui, and virglrenderer), Fedora (firefox, vim, and woff), Oracle (kernel and nodejs:18), Red Hat (java-1.8.0-ibm and redhat-ds:11), Slackware (python3), SUSE (buildah, matio, and osc), and Ubuntu (heimdal and postgresql-9.5).

The LWN.net Weekly Edition for December 8, 2022 is available.

Version 12.0 of the Tor browser has been released. Changes include multi-locale support, Apple silicon support, HTTPS-only behavior by default on Android and more.