GNOME 46 released

By: corbet
March 20, 2024 at 21:07
Version 46 of the GNOME desktop has been released. "GNOME 46 is code-named 'Kathmandu', in recognition of the amazing work done by the organizers of GNOME.Asia 2023." Significant changes include a new global search feature, enhancements to the Files app, improved remote login support, and more.

The "Nova" driver for NVIDIA chipsets

By: corbet
March 21, 2024 at 07:10
Danilo Krummrich has announced the existence of the "Nova" project within Red Hat.

We just started to work on Nova, a Rust-based GSP-only driver for Nvidia GPUs. Nova, in the long term, is intended to serve as the successor of Nouveau for GSP-firmware-based GPUs.

With Nova we see the chance to significantly decrease the complexity of the driver compared to Nouveau for mainly two reasons. First, Nouveau's historic architecture, especially around nvif/nvkm, is rather complicated and inflexible and requires major rework to solve certain problems (such as locking hierarchy in VMM / MMU code for VM_BIND currently being solved with a workaround) and second, with a GSP-only driver there is no need to maintain compatibility with pre-GSP code.

Besides that, we also want to take the chance to contribute to the Rust efforts in the kernel and benefit from more memory safety offered by the Rust programming language.

Given that the effort has just begun, it will be a while before this driver shows up in a distribution release.

Redis is no longer free software

By: corbet
March 21, 2024 at 07:33
The Redis in-memory database system has had its license changed to either the Redis Source Available License or the Server Side Public License (covered here in 2018); neither license qualifies as free software.

Under the new license, cloud service providers hosting Redis offerings will no longer be permitted to use the source code of Redis free of charge. For example, cloud service providers will be able to deliver Redis 7.4 only after agreeing to licensing terms with Redis, the maintainers of the Redis code.

Distributors like Fedora are already looking at removing Redis as a consequence. (Thanks to Emmanuel Seyman).

[$] Hardening the kernel against heap-spraying attacks

By: corbet
March 21, 2024 at 15:07
While a programming error in the kernel may be subject to direct exploitation, usually a more roundabout approach is required to take advantage of a security bug. One popular approach for those wishing to take advantage of vulnerabilities is heap spraying, and it has often been employed to compromise the kernel. In the future, though, heap-spraying attacks may be a bit harder to pull off, thanks to the "dedicated bucket allocator" proposed by Kees Cook.

Emacs 29.3 released

By: corbet
March 25, 2024 at 11:11
Version 29.3 of the Emacs editor has been released:

Emacs 29.3 is an emergency bugfix release; it includes no new features except a small number of changes intended to resolve security vulnerabilities uncovered in Emacs 29.2.

Those vulnerabilities mostly have to do with executing untrusted Lisp code; see the NEWS file for a bit more information.

[$] The rest of the 6.9 merge window

By: corbet
March 25, 2024 at 16:08
The 6.9-rc1 kernel prepatch was released on March 24, closing the merge window for this development cycle. By that time, 12,435 non-merge changesets had been merged into the mainline, making for a less-busy merge window than the last couple of kernel releases (but similar to the 12,492 seen for 6.5). Well over 7,000 of those changes were merged after the first-half merge-window summary was written, meaning that the latter part of the merge window brought many more interesting changes.

The PostgreSQL community mourns Simon Riggs

By: corbet
March 27, 2024 at 15:51
The PostgreSQL community is dealing with the loss of Simon Riggs, who passed away on March 26:

Simon was responsible for many of the enterprise features we find in PostgreSQL today, including point in time recovery, hot standby, and synchronous replication. He was the founder of 2ndQuadrant which employed many of the PostgreSQL developers, later becoming part of EDB where he worked as a Postgres Fellow until his retirement. He was responsible for the UK PostgreSQL conferences for many years until he passed that responsibility to PostgreSQL Europe last year.

Samba 4.20.0 released

By: corbet
March 28, 2024 at 14:19
Version 4.20.0 of the Samba Windows interoperability suite has been released. Changes include better support for group-managed service accounts, an experimental Windows search protocol client, support for conditional access control entries, and more.

Schaller: Fedora Workstation 40 – what are we working on

By: corbet
March 29, 2024 at 12:56
Christian Schaller writes about the desktop-oriented work aimed at the upcoming Fedora 40 release.

Another major feature landing in Fedora Workstation 40 that Jonas Ådahl and Ray Strode have spent a lot of effort on is finalizing the remote desktop support for GNOME on Wayland. So there has been support for remote connections for already logged in sessions already, but with these updates you can do the login remotely too and thus the session does not need to be started already on the remote machine. This work will also enable 3rd party solutions to do remote logins on Wayland systems, so while I am not at liberty to mention names, be on the lookout for more 3rd party Wayland remoting software becoming available this year.

[$] Radicle: peer-to-peer collaboration with Git

By: corbet
March 29, 2024 at 13:40
Radicle is a new, peer-to-peer, MIT/Apache-licensed collaboration platform written in Rust and built on top of Git. It adds support for issues and pull requests (which Radicle calls "patches") on top of core Git, which are stored in the Git repository itself. Unlike GitHub, GitLab, and similar forges, Radicle is distributed; it doesn't rely on having everyone use the same server. Instead, Radicle instances form a network that synchronizes changes between nodes.

A backdoor in xz

By: corbet
March 29, 2024 at 17:33
Andres Freund has posted a detailed investigation into a backdoor that was shipped with versions 5.6.0 and 5.6.1 of the xz compression utility. It appears that the malicious code may be aimed at allowing SSH authentication to be bypassed.

I have not yet analyzed precisely what is being checked for in the injected code, to allow unauthorized access. Since this is running in a pre-authentication context, it seems likely to allow some form of access or other form of remote code execution.

The affected versions are not yet widely shipped, but checking systems for the bad version would be a good idea.

Update: there are advisories out now from Arch, Debian, Red Hat, and openSUSE.

A further update from openSUSE:

For our openSUSE Tumbleweed users where SSH is exposed to the internet we recommend installing fresh, as it’s unknown if the backdoor has been exploited. Due to the sophisticated nature of the backdoor an on-system detection of a breach is likely not possible. Also rotation of any credentials that could have been fetched from the system is highly recommended.

A few relevant quotes

By: corbet
March 30, 2024 at 14:18

I'm on a holiday and only happened to look at my emails and it seems to be a major mess.
Lasse Collin

The reality that we are struggling with is that the free software infrastructure on which much of computing runs is massively and painfully underfunded by society as a whole, and is almost entirely dependent on random people maintaining things in their free time because they find it fun, many of whom are close to burnout. This is, in many ways, the true root cause of this entire event.
Russ Allbery

Incredible work from Andres. The attackers made a serious strategic mistake: they made PostgreSQL slightly slower.
Thomas Munro

There is no way to discuss this in public without turning a single malicious entity into 10 000 malicious entities once the information is widely known.

Making sure the impact and mitigations are known before posting this publicly so that everyone knows what to do before the 10 000 malicious entities start attacking is just common sense.

Marc Deslauriers

Again the FOSS world has proven to be vigilant and proactive in finding bugs and backdoors, IMHO. The level of transparency is stellar, especially compared to proprietary software companies. What the FOSS world has accomplished in 24 hours after detection of the backdoor code in #xz deserves a moment of humbleness. Instead we have flamewars and armchair experts shouting that we must change everything NOW. Which would introduce even more risks. Progress is made iteratively. Learn, adapt, repeat.
Jan Wildeboer

NetBSD 10.0 released

By: corbet
April 1, 2024 at 14:28
Version 10.0 of the NetBSD system has been released.

The netbsd-10 release branch is more than a year old now, so it is high time the 10.0 release makes it to the front stage. This matches the long time it took for the development branch to get ready for branching, a lot of development went into this new release.

This also caused the release announcement to be one of the longest we ever did.

As might be imagined, there are a lot of changes; see the above-mentioned release announcement for the details.
