lwn.net

The Python Software Foundation (PSF) has announced its annual impact report for 2023. The report includes updates from PSF staff as well as summaries of the foundation's activities, financials, and infrastructure. The PSF celebrated the 20th anniversary of PyCon US, distributed more than $370,000 in grants, and enjoyed impressive traffic on PyPI:

In 2023 PyPI saw a 45% growth in download counts and bandwidth alike, serving 603,378,275 downloads for the 516,402 projects hosted there requiring 747.4 Petabytes of data transfer, or 189.6 Gbps of bandwidth 24x7x365.

See the full report for a breakdown of grant disbursements and trends, PSF expenses, and high-level plans for the rest of 2024.

Daniel Stenberg has posted a report about the recent curl up conference about curl development. It was held over two days in Stockholm. The report has short summaries of the talks with links to the recordings.

curl up is never a big meeting/conference but we have in the past sometimes been around twenty-five attendees. This year's amount of fifteen was the smallest so far, but in this small set of people we have a set of long-term well-known curl contributors. It is not a big list of attendees that creates a good curl up.

In some aspects, such as in gaming, the Linux desktop has made enormous strides in the past few years. In others, such as accessibility, things have stagnated. At Open Source Summit North America (OSSNA), Matt Campbell spoke about the need for, and an approach to, modernizing accessibility for desktop Linux. This included a discussion of Newton, a fledgling project that may greatly improve accessibility on the Linux desktop.

The Free Software Foundation has announced the recipients of its 2023 Free Software Awards: Bruno Haible for work on gnulib, Nick Logozzo as the "outstanding new free software contributior", and code.gouv.fr for projects of social benefit.

When presenting the award to Haible, FSF executive director Zoë Kooyman commented on the significance of Haible's work, saying that Haible's work enabled free software programmers around the world to focus on the main, innovative portions of their program, thus facilitating the development of more and more free software.

Security updates have been issued by Debian (glibc, intel-microcode, less, libkf5ksieve, and ruby3.1), Fedora (chromium, gdcm, httpd, and stalld), Gentoo (Apache Commons BCEL, borgmatic, Dalli, firefox, HTMLDOC, ImageMagick, MediaInfo, MediaInfoLib, MIT krb5, MPlayer, mujs, Pillow, Python, PyPy3, QtWebEngine, Setuptools, strongSwan, and systemd), Oracle (grub2 and shim), Red Hat (git-lfs, kpatch-patch, unbound, and varnish), and SUSE (avahi, grafana and mybatis, java-11-openjdk, java-17-openjdk, skopeo, SUSE Manager Client Tools, SUSE Manager Salt Bundle, and SUSE Manager Server 4.3).

The 6.9-rc7 kernel prepatch is out for testing. "The stats for 6.9 continue to look very normal, and nothing looks particularly alarming."

Kernel developers are encouraged to send their changes in small batches as a way of making life easier for reviewers. So when a longtime developer and maintainer hits the list with a 437-patch series touching 859 files, eyebrows are certain to head skyward. Specifically, this series from Jens Axboe is cleaning up one of the core abstractions that has been part of the Linux kernel almost since the beginning; authors of device drivers (among others) will have to take note.

Security updates have been issued by Fedora (chromium, grub2, httpd, kernel, libcoap, matrix-synapse, python-pip, and rust-pythonize), Red Hat (kernel and libxml2), SUSE (kernel), and Ubuntu (eglibc, glibc and php7.4, php8.1, php8.2).

Greg Kroah-Hartman has announced the release of the 6.8.9, 6.6.30, 6.1.90, 5.15.158, 5.10.216, 5.4.275, and 4.19.313 stable kernels. As is the norm, they contain lots of important fixes throughout the kernel tree.

In Unix-like systems, an open file descriptor carries the right to access the opened object in specific ways. As a general rule, that file descriptor does not enable access to any other objects. The recently merged BPF token feature runs counter to this practice by creating file descriptors that carry specific BPF-related access rights. A similar but different approach to capability-carrying file descriptors, in the form of directory file descriptors that include their own credentials, is currently under consideration in the kernel community.

Version 1.78.0 of the Rust language has been released. Changes include a new mechanism for diagnostic attributes, changes to how assertions around unsafe blocks are handled, and more.

Rust now supports a #[diagnostic] attribute namespace to influence compiler error messages. These are treated as hints which the compiler is not required to use, and it is also not an error to provide a diagnostic that the compiler doesn't recognize. This flexibility allows source code to provide diagnostics even when they're not supported by all compilers, whether those are different versions or entirely different implementations.

Security updates have been issued by Debian (chromium and distro-info-data), Fedora (et, php-tcpdf, python-aiohttp, python-openapi-core, thunderbird, tpm2-tools, and tpm2-tss), Red Hat (nodejs:16 and podman), and Ubuntu (firefox).

The LWN.net Weekly Edition for May 2, 2024 is available.

Version 8.0 of the terminal text editor GNU nano has been released. This update includes several changes to keybindings to be more newcomer-friendly, such as remapping Ctrl-F to forward-search and adding an option for modern bindings:

Command-line option --modernbindings (-/) makes ^Q quit, ^X cut, ^C copy, ^V paste, ^Z undo, ^Y redo, ^O open a file, ^W write a file, ^R replace, ^G find again, ^D find again backwards, ^A set the mark, ^T jump to a line, ^P show the position, and ^E execute.

The release also provides access to 14 levels of gray scale in xterm (up from four), as well as many bug fixes.

Ubuntu 24.04 LTS, code-named "Noble Numbat", was released on April 25. This release includes GNOME 46, installer updates, security enhancements, a lot of updated packages, and a new App Center that puts a heavy emphasis on using Snaps to install software. It is not an ambitious release, but it brings enough to the table that it's a worthwhile update.

The NixOS Foundation board announced on April 30 that Eelco Dolstra is stepping down from the board following the recent calls for his resignation.

Eelco is the principal author of Nix and undoubtedly a central figure in the ecosystem that grew around it. We confirm that Eelco showed no intention to be perceived as or act like the BDFL [Benevolent Dictator for Life] of the Nix ecosystem, or the Nix code base. To commit to that in a timely manner, he has decided to formally step down from the board.

The board also announced its intent to set up new, explicit governance for the project, answerable to the community:

We will appoint a constitutional assembly within the next 14 days. Its task will be to set up a new governance structure, run by the community, that is capable of serving the community's needs. Once established, we will delegate our power to institutions within that new structure. This entire process will take place in a public space, such that it's traceable for anyone concerned. We are committed to listening to everyone who may help with solving the problems the community is facing.

Security updates have been issued by Debian (nghttp2 and qtbase-opensource-src), Mageia (cjson, freerdp, guava, krb5, libarchive, and mediawiki), Oracle (container-tools:4.0 and container-tools:ol8), Red Hat (bind, buildah, container-tools:3.0, container-tools:rhel8, expat, gnutls, golang, grafana, kernel, kernel-rt, libreswan, libvirt, linux-firmware, mod_http2, pcp, pcs, podman, python-jwcrypto, rhc-worker-script, shadow-utils, skopeo, sssd, tigervnc, unbound, and yajl), SUSE (kernel and python311), and Ubuntu (gerbv and node-json5).

When it comes to security, telling developers to do (or not do) something can be ineffective. Helping them understand the why behind instructions, by illustrating good and bad practices using stories, can be much more effective. With several such stories Marta Rybczyńska fashioned an interesting talk about patterns and anti-patterns in embedded Linux security at the Embedded Open Source Summit (EOSS), co-located with Open Source Summit North America (OSSNA), on April 16 in Seattle, Washington.

Version 5.0 of the Yocto Project distribution builder has been released. The list of new features is long; see the release notes for the details.

This Mastodon stream from Lennart Poettering describes a sudo replacement — called run0 — that will be part of the upcoming systemd 256 release. It takes a rather different approach to the execution of privileged commands, avoiding the use of setuid (which he calls "SUID") permissions entirely.

So, in my ideal world, we'd have an OS entirely without SUID. Let's throw out the concept of SUID on the dump of UNIX' bad ideas. An execution context for privileged code that is half under the control of unprivileged code and that needs careful manual clean-up is just not how security engineering should be done in 2024 anymore.