lwn.net
[$] A tale of two troublesome drivers
What we need to take away from the XZ Backdoor (openSUSE News)
Debian, as well as the other affected distributions like openSUSE, are carrying a significant amount of downstream-only patches to essential open-source projects, like in this case OpenSSH. With hindsight, that should be another Heartbleed-level learning for the work of the distributions. These patches built the essential steps to embed the backdoor, and do not have the scrutiny that they likely would have received by the respective upstream maintainers. Whether you trust Linus's Law or not, it was not even given a chance to chime in here. Upstream did not fail on the users, distributions failed on upstream and their users here.
Security updates for Friday
[$] Completing the EEVDF scheduler
Security updates for Thursday
[$] LWN.net Weekly Edition for April 11, 2024
Gentoo Linux becomes an SPI Associated Project
The Gentoo Linux project has announced that it is now an Associated Project of Software in the Public Interest (SPI), which will allow it to accept tax-deductible donations in the US and reduce its "non-technical workload":
The current Gentoo Foundation has bylaws restricting its behavior to that of a non-profit, is a recognized non-profit only in New Mexico, but a for-profit entity at the US federal level. A direct conversion to a federally recognized non-profit would be unlikely to succeed without significant effort and cost.
[...] SPI is already now recognized at US federal level as a full-[fledged] non-profit 501(c)(3). It also handles several projects of similar type and size (e.g., Arch and Debian) and as such has exactly the experience and background that Gentoo needs.
According to the announcement, the goal is to "eventually transfer the existing assets to SPI and dissolve the Gentoo Foundation". How to do that is still under discussion. This will not affect Förderverein Gentoo e.V., which has public-benefit status in Germany and can accept tax-deductible donations in Europe.
Four stable kernel updates
Greg Kroah-Hartman has announced another round of stable kernel updates: 6.8.5, 6.6.26, 6.1.85, and 5.15.154 have all been released; each contains another set of important fixes, including the mitigations for the recently disclosed branch history injection hardware vulnerability.
[$] Book review: Practical Julia
[$] Continued attacks on HTTP/2
On April 3 security researcher Bartek Nowotarski published the details of a new denial-of-service (DoS) attack, called a "continuation flood", against many HTTP/2-capable web servers. While the attack is not terribly complex, it affects many independent implementations of the HTTP/2 protocol, even though multiple similar vulnerabilities over the years have given implementers plenty of warning.
Security updates for Wednesday
The "branch history injection" hardware vulnerability
Branch History Injection (BHI) attacks may allow a malicious application to influence indirect branch prediction in the kernel by poisoning the branch history. eIBRS isolates indirect branch targets in ring0. The BHB can still influence the choice of indirect branch predictor entry, and although branch predictor entries are isolated between modes when eIBRS is enabled, the BHB itself is not isolated between modes.
See this commit for documentation on the command-line parameter that controls this mitigation. There are stable kernel releases (6.8.5, 6.6.26, 6.1.85, and 5.15.154) in the works that also contain the mitigations.
[$] The first Linaro Forum for Arm Linux kernel topics
OpenSSL 3.3.0 released
[$] Diagnosing workqueues
There are many mechanisms for deferred work in the Linux kernel. One of them, workqueues, has seen increasing use as part of the move away from software interrupts. Alison Chaiken gave a talk at SCALE about how they compare to software interrupts, the new challenges they pose for system administrators, and what tools are available to kernel developers wishing to diagnose problems with workqueues as they become increasingly prevalent.
Security updates for Tuesday
Rivendell v4.2.0 released
Version 4.2.0 of the Rivendell radio automation system has been released. Changes include a new data feed for 'next' data objects, improvements to its podcast system, numerous bug fixes, and more.
Introducing Jpegli: A New JPEG Coding Library (Google Open Source Blog)
Jpegli can be encoded with 10+ bits per component. Traditional JPEG coding solutions offer only 8 bits per component dynamics, causing visible banding artifacts in slow gradients. Jpegli's 10+ bits coding happens in the original 8-bit formalism and the resulting images are fully interoperable with 8-bit viewers. 10+ bit dynamics are available as an API extension and application code changes are needed to benefit from it.
The library is BSD-licensed.
[$] The PostgreSQL community debates ALTER SYSTEM
GNU Stow 2.4.0 released
Version 2.4.0 of the GNU Stow symbolic-link manager has been released. This marks the first release for GNU Stow since 2019. Maintainer Adam Spiers wrote:
I would like to sincerely apologise to all Stow users for this incredibly overdue release, the cadence of which is perhaps vaguely reminiscent of releases by the great Donald Knuth, except with none of the grace and deliberate planning.
Spiers notes that this release "makes considerable efforts to make the internals more understandable and easy to maintain", and has put out a call for a co-maintainer.