The backers of the GNU Toolchain Infrastructure Project, which was the subject of an intense discussion at the GNU Tools Cauldron, have finally posted their plans publicly.

Linux Foundation IT services plans for the GNU Toolchain include Git repositories, mailing lists, issue tracking, web sites, and CI/CD, implemented with strong authentication, attestation, and security posture. Utilizing the experience and infrastructure of the LF IT team that is already used by the Linux kernel community will provide the most effective solution and best experience for the GNU Toolchain developer community.

The openSUSE News site is looking forward to the imminent preview release of the openSUSE Adaptable Linux Platform (ALP) distribution:

As far as “Les Droites” goes, users can look forward to a SLE Micro like HostOS with self-healing abilities contributing to our OS-as-a-Service/ZeroTouch story. The Big Idea is that the user focuses on the application rather than the underlying host, which manages, heals, and self-optimizes itself. Both Salt (pre-installed) and Ansible will be available to simplify further management.

Users can look forward to Full Disk Encryption (FDE) with TPM support by default on x86_64. Another part of the deliverables are numerous containerized system components including yast2, podman, k3s, cockpit, Display Manager (GDM), and KVM. All of which users can experiment with, which are simply referred to as Workloads.

The 5.19.12, 5.15.71, 5.10.146, 5.4.215, 4.19.260, 4.14.295, and 4.9.330 stable kernel updates have all been released; each contains another set of important fixes.

Security updates have been issued by Debian (gdal, maven-shared-utils, thunderbird, webkit2gtk, and wpewebkit), Fedora (firefox and libofx), SUSE (dpdk, firefox, flatpak, grafana, kernel, libcaca, and opera), and Ubuntu (ghostscript and linux-gcp-5.15).

Andrey Konovalov began his 2022 Linux Security Summit Europe (LSS EU) talk with a bold statement: "fuzzing is useless". As might be guessed, he qualified that assertion quickly by adding "without dynamic bug detectors". These bug detectors include "sanitizers" of various sorts, such as the Kernel Address Sanitizer (KASAN), but there are others. Konovalov looked in detail at KASAN and gave an overview of the sanitizer landscape along with some ideas of ways to push these bug detectors further—to find even more kernel bugs.

Version 5.6 of the LXD container manager is out. Changes include the ability to stream log messages to a Grafana Loki server, Infiniband support for virtual machines, a restricted network access mode, and more.

Version 5.2 of the Bash shell has been released.

The most notable new feature is the rewritten command substitution parsing code, which calls the bison parser recursively. This replaces the ad-hoc parsing used in previous versions, and allows better syntax checking and catches syntax errors much earlier. The shell attempts to do a much better job of parsing and expanding array subscripts only once; this has visible effects in the `unset' builtin, word expansions, conditional commands, and other builtins that can assign variable values as a side effect.

Yoshua Wuyts gives an overview of async Rust and why it is interesting.

Conversations around "why async" often focus on performance - a topic which is highly dependent on workloads, and results with people wholly talking past each other. While performance is not a bad reason to choose async Rust, we often we only notice performance when we experience a lack of it. So I want to instead on which features async Rust provides which aren't present in non-async Rust.

Security updates have been issued by Debian (dovecot and firefox-esr), Fedora (firefox and grafana), Red Hat (firefox and thunderbird), Slackware (dnsmasq and vim), SUSE (dpdk, firefox, kernel, libarchive, libcaca, mariadb, openvswitch, opera, permissions, podofo, snakeyaml, sqlite3, unzip, and vsftpd), and Ubuntu (expat, libvpx, linux-azure-fde, linux-oracle, squid, squid3, and webkit2gtk).

The CHERI architecture is the product of a research program to extend common CPU architectures in a way that prevents many types of memory-related bugs (and vulnerabilities). At the 2022 GNU Tools Cauldron, Alex Coplan and Szabolcs Nagy described the work that has been done to bring GCC and the GNU C Library (glibc) to this architecture. CHERI is a fundamentally different approach to how memory is accessed, and supporting it properly is anything but a trivial task.

The Human Interface Device (HID) standard dates back to the Windows 95 era. It describes how devices like mice and keyboards present themselves to the host computer, and has created a world where a single driver can handle a wide variety of devices from multiple manufacturers. Or it would have, if there weren't actual device manufacturers involved. In the real world, devices stretch and break the standard, each in its own special way. At the 2022 Linux Plumbers Conference, Benjamin Tissoires described how BPF can be used to simplify the task of supporting HID devices.

Security updates have been issued by Debian (expat and poppler), Fedora (dokuwiki), Gentoo (fetchmail, grub, harfbuzz, libaacplus, logcheck, mrxvt, oracle jdk/jre, rizin, smarty, and smokeping), Mageia (tcpreplay, thunderbird, and webkit2), SUSE (dpdk, permissions, postgresql14, puppet, and webkit2gtk3), and Ubuntu (linux-gkeop and sosreport).

The 6.0-rc7 kernel prepatch is out for testing.

So I was thinking rc7 might end up larger than usual due to travel hitting rc6, but it doesn't really seem to have happened.

Yeah, maybe it's marginally bigger than the historical average for this time of the release cycle, but it definitely isn't some outlier, and it looks fairly normal. Which is all good, and makes me think that the final release will happen right on schedule next weekend, unless something unexpected happens. Knock wood.

The 6.0-rc7 kernel prepatch is out for testing.

So I was thinking rc7 might end up larger than usual due to travel hitting rc6, but it doesn't really seem to have happened.

Yeah, maybe it's marginally bigger than the historical average for this time of the release cycle, but it definitely isn't some outlier, and it looks fairly normal. Which is all good, and makes me think that the final release will happen right on schedule next weekend, unless something unexpected happens. Knock wood.

The 6.0-rc7 kernel prepatch is out for testing.

So I was thinking rc7 might end up larger than usual due to travel hitting rc6, but it doesn't really seem to have happened.

Yeah, maybe it's marginally bigger than the historical average for this time of the release cycle, but it definitely isn't some outlier, and it looks fairly normal. Which is all good, and makes me think that the final release will happen right on schedule next weekend, unless something unexpected happens. Knock wood.

Arch Linux has announced that Python 2 is being removed from the distribution's repositories. "If you still require the python2 package you can keep it around, but please be aware that there will be no security updates."

For better or worse, C is the lingua franca in the world of kernel engineering. The core logic of the Linux kernel is written entirely in C (with a bit of assembly), as are its drivers and modules. While C is rightfully celebrated for its powerful yet simple semantics, it is an older language that lacks many of the features present in modern languages such as Rust. The BPF subsystem, on the other hand, provides a programming environment that allows engineers to write programs that can run safely in kernel space. At the 2022 Linux Plumbers Conference in Dublin, Ireland, Alexei Starovoitov presented an overview of how BPF has evolved over the years to provide a new model for kernel programming.

The 5.19.11, 5.15.70, and 5.10.145 stable kernels are now available. As usual, they contain important fixes throughout the kernel tree.

Security updates have been issued by Debian (bind9, expat, firefox-esr, mediawiki, and unzip), Fedora (qemu and thunderbird), Oracle (webkit2gtk3), SUSE (ardana-ansible, ardana-cobbler, ardana-tempest, grafana, openstack-heat-templates, openstack-horizon-plugin-gbp-ui, openstack-neutron-gbp, openstack-nova, python-Django1, rabbitmq-server, rubygem-puma, ardana-ansible, ardana-cobbler, grafana, openstack-heat-templates, openstack-murano, python-Django, rabbitmq-server, rubygem-puma, dpdk, freetype2, rubygem-rack, and virtualbox), and Ubuntu (etcd, libjpeg-turbo, linux-gcp, linux-gke, linux-raspi, linux-oem-5.17, linux-raspi-5.4, python-oauthlib, and python3.5).

At the 2022 Linux Security Summit Europe (LSS EU), Gustavo A. R. Silva reported in on work he has been doing on "flexible" arrays in the kernel. While these arrays provide some ... flexibility ... they are also a source of bugs, which can often result in security vulnerabilities. He has been working on ways to make the use of flexible arrays safer in the kernel.