Posts by LWN (old posts, page 11)

[$] LWN.net Weekly Edition for June 5, 2025

Inside this week's LWN.net Weekly Edition:

  • Front: OpenH264 in Fedora; Wallabag; Safety certification; 6.16 Merge window; Bounce buffering; Hardening repository problems; Device-initiated I/O; Faster networking; OSPM 2025; Free software in science.
  • Briefs: Kea vulnerabilities; Alpine Linux 3.22.0; Fedora strategy; Quotes; ...
  • Announcements: Newsletters, conferences, security updates, patches, and more.

[$] Safety certification for open-source systems

This year's Linaro Connect in Lisbon, Portugal, featured a number of talks about the use of open-source components in safety-critical systems. Kate Stewart gave a keynote on the topic on the first day of the conference. In it, she highlighted several projects that have been working to pursue safety certification and spoke about the importance of being able to trace software's origins to safety. In a talk on the second day, Roberto Bagnara shared his experience with working on one of those projects, the Xen hypervisor, to conform to a formal set of rules for safety-critical code.

Security updates for Tuesday

Security updates have been issued by AlmaLinux (varnish), Debian (asterisk and roundcube), Fedora (systemd), Mageia (golang), Red Hat (ghostscript, perl-CPAN, python36:3.6, and rsync), SUSE (govulncheck-vulndb, libsoup-2_4-1, postgresql, postgresql16, and postgresql17), and Ubuntu (mariadb, open-vm-tools, php-twig, and python-tornado).

[$] Hardening fixes lead to hard questions

Kees Cook's "hardening fixes" pull request for the 6.16 merge window looked like a straightforward exercise; it only contained four commits. So just about everybody was surprised when it resulted in Cook being temporarily blocked from his kernel.org account amid fears of malicious activity. When the dust settled, though, the red alert was canceled. It turns out, surprisingly, that Git is a tool with which one can inflict substantial self-harm in a moment of inattention.

[$] OpenH264 induces headaches for Fedora

Software patents and workarounds for them are, once again, causing headaches for open-source projects and users. This time around, Fedora users have been vulnerable to a serious flaw in the OpenH264 library for months—not for want of a fix, but because of the Rube Goldberg machine methodology of distributing the library to Fedora users. The software is open source under a two-clause BSD license; the RPMs are built and signed by Fedora, but the final product is distributed by Cisco, so the company can pick up the tab for license fees. Unfortunately, a breakdown in the process of handing RPMs to Cisco for distribution has left Fedora users vulnerable, and inaction on Fedora's part has left users unaware that they are at risk.

Security updates for Monday

Security updates have been issued by Debian (espeak-ng, kitty, kmail-account-wizard, krb5, libreoffice, libvpx, net-tools, python-flask-cors, symfony, tcpdf, thunderbird, and twitter-bootstrap3), Fedora (chromium, dropbear, firefox, gstreamer1-plugins-bad-free, python-tornado, systemd, and thunderbird), Mageia (coreutils, deluge, glib2.0, and redis), Oracle (firefox, kernel, and systemd), Red Hat (firefox, kernel, kernel-rt, varnish, varnish:6, and zlib), SUSE (bind, curl, dnsdist, docker, ffmpeg-7, firefox, glibc, golang-github-prometheus-alertmanager, govulncheck-vulndb, icinga2, iputils, java-11-openjdk, java-1_8_0-ibm, kea, kernel, libopenssl-3-devel, libsoup, libxml2, nodejs-electron, open-vm-tools, openbao, perl-Net-Dropbox-API, pluto, poppler, postgresql14, postgresql15, postgresql16, postgresql17, python312-setuptools, runc, s390-tools, skopeo, sqlite3, thunderbird, and unbound), and Ubuntu (apport and libphp-adodb).

[$] Out of Pocket and into the wallabag

Mozilla has decided to throw in the towel on Pocket, a social-bookmarking service that it acquired in 2017. This has left many users scrambling for a replacement for Pocket before its shutdown in July. One possible option is wallabag, a self-hostable, MIT-licensed project for saving web content for later reading. It can import saved data from services like Pocket, share content on the web, export to various formats, and more. Even better, it puts users in control of their data long-term.

Security updates for Friday

Security updates have been issued by AlmaLinux (.NET 8.0, .NET 9.0, firefox, ghostscript, gstreamer1-plugins-bad-free, libsoup3, mingw-freetype, perl, ruby, sqlite, thunderbird, unbound, valkey, and xz), Debian (chromium, firefox-esr, libavif, linux-6.1, modsecurity-apache, mydumper, systemd, and thunderbird), Fedora (coreutils, dnsdist, docker-buildx, maturin, mingw-python-flask, mingw-python-flit-core, ruff, rust-hashlink, rust-rusqlite, and thunderbird), Red Hat (pcs), SUSE (augeas, brltty, brotli, ca-certificates-mozilla, dnsdist, glibc, grub2, kernel, libsoup, libsoup2, libxml2, open-vm-tools, perl, postgresql13, postgresql15, postgresql16, postgresql17, python-cryptography, python-httpcore, python-h11, python311, runc, s390-tools, slurm, slurm_20_11, slurm_22_05, slurm_23_02, slurm_24_11, tomcat, and webkit2gtk3), and Ubuntu (linux-aws).