In late March,
version 78.0.1 of
Setuptools — an important
Python packaging tool — was released. It was scarcely half an hour before
the first bug
report came in, and it quickly became clear that the change was far
more disruptive than anticipated. Within only about five hours
78.0.2 was
published to roll back the change, and multiple discussions were
started about how to limit the damage caused by future breaking
changes. Nevertheless, many users still felt the response was
inadequate. Some previous Setuptools releases have also caused problems on a smaller but still notable scale, and hopefully the developers will be more cautious going forward. But there are also lessons here for the developers of Python package installers, ordinary Python developers and end users, and even Linux distribution maintainers.
Security updates have been issued by AlmaLinux (.NET 8.0, avahi, buildah, compat-openssl10, compat-openssl11, expat, firefox, gimp, git, grafana, libsoup, libxslt, mod_auth_openidc, nginx, nodejs:22, osbuild-composer, php, redis, redis:7, skopeo, thunderbird, vim, webkit2gtk3, xterm, and yelp), Arch Linux (dropbear, freetype2, go, nodejs, nodejs-lts-iron, nodejs-lts-jod, python-django, webkit2gtk, webkit2gtk-4.1, webkitgtk-6.0, and wpewebkit), Debian (mongo-c-driver), Fedora (openssh, perl-Mojolicious, thunderbird, yelp, and yelp-xsl), Red Hat (firefox, java-1.8.0-openjdk, java-11-openjdk with Extended Lifecycle Support, java-21-ibm-semeru-certified-jdk, java-21-openjdk, kernel, libxslt, ruby, ruby:3.1, ruby:3.3, unbound, and webkit2gtk3), SUSE (glib2, grub2, kernel, libwebp, openssh, and s390-tools), and Ubuntu (linux, linux-azure, linux-azure-6.11, linux-gcp, linux-gcp-6.11, linux-hwe-6.11, linux-oem-6.11, linux-raspi, linux-realtime, linux-azure, linux-azure-5.15, linux-nvidia-tegra, linux-azure, linux-azure-6.8, linux-oem-6.8, linux-azure, linux-kvm, linux-azure-fips, linux-azure-nvidia, linux-gcp, linux-gcp-6.8, linux-gkeop, linux-gke, linux-intel-iot-realtime, linux-realtime, linux-raspi-realtime, mariadb-10.6, and postgresql-12, postgresql-14, postgresql-16).
Ihor Solodrai has been working on the BPF subsystem's continuous-integration
(CI) testing for the last six months. At the 2025 Linux Storage, Filesystem,
Memory-Management, and BPF Summit, he remotely shared
an update on his work, and solicited feedback on how the tests could be further
improved. Much of the work he's done has been specific to the BPF subsystem, but
some is more generic and could potentially be of use to other subsystems. He
also shared some general lessons learned from working on the BPF CI tests.
Despite careful planning and months of warning, Debian developer Mo
Zhou has acknowledged that the project needs more time to grapple with
the questions around AI models and the Debian Free Software Guidelines
(DFSG). For now, he has withdrawn his proposed General Resolution (GR)
that would have required the original training data for AI models to
be released in order to be considered DFSG-compliant—though the
debates on the topic continue.
Red Hat has announced
the release of Red Hat Enterprise Linux (RHEL) 10. A blog post
accompanying the release provides details on some of the more notable
features, such as encrypted DNS, a developer preview of RHEL 10
for RISC-V,
and image
mode for RHEL using bootc.
Image mode for RHEL lets you deploy your OS as a bootc image to your
hardware, virtual machine or cloud, and then layer your app on top of
it. That's a far less complex operation than traditional packaged
deployments, and it gives developers and image maintainers a common
experience and total control over their environment.
RHEL 10 includes the 6.12.0 kernel, GCC 14.2, GNU
Binutils 2.41, GNU C Library (glibc) 2.39, Python 3.12,
Perl 5.40, and more. See the release
notes for a full list of changes. LWN covered
CentOS Stream 10 in December, which provided an early look
at what would be in the RHEL 10 release.
Security updates have been issued by Debian (firefox-esr, openjdk-11, openjdk-17, and wireless-regdb), Fedora (iputils, open-vm-tools, sfnt2woff-zopfli, and woff), Red Hat (postgresql:12), SUSE (apache2-mod_auth_openidc, brltty, helm, python-maturin, and rubygem-rack), and Ubuntu (linux-azure-fips).
Roland Shoemaker has published a blog post about a
recent security audit of the cryptography packages shipped as part of
the Go standard library. The audit, performed by the Trail of Bits security firm,
uncovered one low-severity vulnerability in the legacy Go+BoringCrypto
integration, as well as a handful of informational findings.
During the review, there were a number of questions about our
cgo-based Go+BoringCrypto integration, which provides a FIPS 140-2
compliant cryptography mode for internal usage at Google. The
Go+BoringCrypto code is not supported by the Go team for external use,
but has been critical for Google's internal usage of Go.
The Trail of Bits team found one vulnerability and one non-security relevant bug,
both of which were results of the manual memory management required to
interact with a C library. Since the Go team does not support usage of
this code outside of Google, we have chosen not to issue a CVE or Go
vulnerability database entry for this issue, but we fixed it in the Go 1.25 development
tree.
The entire report is available
as a PDF for those who enjoy a little light security reading.
The seventh edition of the
Power Management and Scheduling
in the Linux Kernel (known as "OSPM") Summit took place on March 18-20,
2025. It was organized by Juri Lelli, Frauke Jäger, Tommaso Cucinotta, and
Lorenzo Pieralisi, and was hosted by Linutronix at Alte Fabrik,
Uhldingen-Mühlhofen, Germany. The event was sponsored by Linutronix, Arm,
and the Scuola Superiore Sant'Anna in Pisa.
Security updates have been issued by Debian (dropbear, firefox-esr, intel-microcode, net-tools, openafs, thunderbird, and xrdp), Fedora (chromium, micropython, syslog-ng, webkitgtk, and xen), Mageia (dropbear and openssh), Oracle (.NET 9.0, kernel, libjpeg-turbo, and yelp and yelp-xsl), Red Hat (compat-openssl11, git-lfs, grafana, kernel, and osbuild and osbuild-composer), Slackware (mozilla), SUSE (cargo-c, gimp, iputils-20240905, kernel, libraw, microcode_ctl, openssh, pnpm, python311-cramjam, python311-httptools, python311-jwcrypto, python311-loguru, python311-mechanize, python311-nltk, python311-oauthlib, python311-py7zr, python311-pycapnp, python311-pyspnego, python311-pywayland, python311-suds, python311-treq, python311-ujson, python311-waitress, ruby3.4-rubygem-actionmailer, ruby3.4-rubygem-actiontext, ruby3.4-rubygem-activerecord, ruby3.4-rubygem-activestorage, ruby3.4-rubygem-fluentd, ruby3.4-rubygem-globalid, ruby3.4-rubygem-jquery-rails, ruby3.4-rubygem-kramdown, ruby3.4-rubygem-loofah, ruby3.4-rubygem-multi_xml, ruby3.4-rubygem-puma, ruby3.4-rubygem-rails, ruby3.4-rubygem-rails-html-sanitizer, ruby3.4-rubygem-sprockets, ruby3.4-rubygem-web-console, ruby3.4-rubygem-websocket-extensions, ucode-intel-20250512, and valkey), and Ubuntu (dotnet8, dotnet9, linux, linux-aws, linux-aws-6.8, linux-ibm, linux-lowlatency,
linux-lowlatency-hwe-6.8, linux-oracle, linux, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-oracle, linux, linux-gkeop, linux-ibm, linux-ibm-5.15, linux-intel-iotg,
linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia,
linux-oracle, linux-oracle-5.15, linux-fips, linux-gcp, linux-gcp-5.15, linux-gcp-fips, linux-gke, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, linux-realtime, and linux-xilinx-zynqmp).