The Linux Storage, Filesystem, Memory-Management, and BPF Summit is scheduled for May 2 to 4 in Palm Springs, California; with luck it will actually happen this year. As usual, it is an invitation-only event, with a preference for those who bring interesting topics to discuss. The call for proposals is out now, with a request for proposals to arrive before March 1.

Version 2.0 of GNU Poke, a binary-data editor, has been released. "A lot of things have changed and improved with respect to the 1.x series; we have fixed many bugs and added quite a lot of new exciting and useful features." Look below for an extensive list of changes.

Greg Kroah-Hartman has announced the release of the 5.16.3, 5.15.17, 5.10.94, 5.4.174, 4.19.226, 4.14.263, 4.9.298, and 4.4.300 stable kernels. These all contain a huge number of fixes all over the tree, so huge that 5.16.3 broke the scripts used to create stable kernels; users should upgrade.

In mid-December, Thorsten Behrens, a board member for the Document Foundation (TDF), posted a seemingly simple proposal for an "attic" that would become the home of abandoned projects. No specific projects were named as the first intended residents of the attic, but the proposal clearly related to the LibreOffice Online (LOOL) project. The following discussion made it clear that the unhappiness around LOOL has yet to fade away, and that the Foundation still has some work to do when it comes to defining its relationship with its corporate members.

Security updates have been issued by CentOS (polkit), Debian (uriparser), Fedora (cryptsetup, flatpak, flatpak-builder, and polkit), Gentoo (polkit), Mageia (virtualbox), Red Hat (httpd24-httpd, httpd:2.4, and parfait:0.5), SUSE (clamav, log4j, python-numpy, and strongswan), and Ubuntu (vim).

The LWN.net Weekly Edition for January 27, 2022 is available.

Back in May, we looked at a Google proposal to replace third-party cookies with something called the "Federated Learning of Cohorts" (FLoC). Third-party cookies were once used to track users all over the web so that advertisers could, supposedly, target their ads better, but, of the major browsers, only Google's Chrome browser fails to block them today. Google took a fair amount of flak for FLoC, since it was not perceived to be much of a win for users' privacy—and was mostly a sop to the (Google-dominated) web-advertising industry. Now the company is back with a different proposal that could, eventually, replace third-party cookies in Chrome: Topics.

Security updates have been issued by CentOS (httpd), Debian (libxfont, lrzsz, nss, openjdk-17, policykit-1, webkit2gtk, and wpewebkit), Mageia (polkit), openSUSE (expat, json-c, kernel, polkit, qemu, rust1.55, rust1.57, thunderbird, unbound, and webkit2gtk3), Oracle (httpd:2.4, java-11-openjdk, and polkit), Red Hat (httpd:2.4, OpenShift Container Platform 3.11.570, polkit, and Red Hat OpenStack Platform 16.1 (etcd)), Scientific Linux (polkit), Slackware (polkit), SUSE (aide, expat, firefox, json-c, kernel, polkit, qemu, rust, rust1.55, rust1.57, thunderbird, unbound, and webkit2gtk3), and Ubuntu (policykit-1 and xorg-server).

A few weeks back, we looked at a proposal to add an integrity-management feature to Fedora. One of the selling points was that the integrity checking could be done using the PGP signatures that are already embedded into the RPM package files that Fedora uses. But the kernel needs to be able to verify PGP signatures in order for the Fedora feature to work. That addition to the kernel has been proposed, but some in the kernel-development community seem less than completely enthusiastic about bringing PGP support into the kernel itself.

Qualys has announced the disclosure of a local-root vulnerability in Polkit. They are calling it "PwnKit" and have even provided a proof-of-concept video.

Successful exploitation of this vulnerability allows any unprivileged user to gain root privileges on the vulnerable host. Qualys security researchers have been able to independently verify the vulnerability, develop an exploit, and obtain full root privileges on default installations of Ubuntu, Debian, Fedora, and CentOS. Other Linux distributions are likely vulnerable and probably exploitable. This vulnerability has been hiding in plain sight for 12+ years and affects all versions of pkexec since its first version in May 2009.

Updates from distributors are already rolling out.

Version 2.35.0 of the Git source-code management system has been released. There are a lot of changes, as usual; see the announcement and this GitHub blog entry for details.

Security updates have been issued by CentOS (java-11-openjdk), Debian (aide, apr, ipython, openjdk-11, qt4-x11, and strongswan), Fedora (binaryen and rust), Mageia (expat, htmldoc, libreswan, mysql-connector-c++, phpmyadmin, python-celery, python-numpy, and webkit2), openSUSE (kernel and virtualbox), Red Hat (etcd, libreswan, nodejs:14, OpenJDK 11.0.14, OpenJDK 17.0.2, and rpm), Slackware (expat), SUSE (java-1_7_1-ibm, kernel, and zxing-cpp), and Ubuntu (strongswan).

Linus Torvalds released 5.17-rc1 and closed the 5.17 merge window on January 23 after having pulled just over 11,000 non-merge changesets into the mainline repository. A little over 4,000 of those changesets arrived after our first-half merge-window summary was written. Activity thus slowed down, as expected, in the second half of the merge window, but there still a number of significant changes that made it in for the next kernel release.

Security updates have been issued by Debian (chromium, golang-1.7, golang-1.8, pillow, qtsvg-opensource-src, util-linux, and wordpress), Fedora (expat, harfbuzz, kernel, qt5-qtsvg, vim, webkit2gtk3, and zabbix), Mageia (glibc, kernel, and kernel-linus), openSUSE (bind, chromium, and zxing-cpp), Oracle (kernel), Red Hat (java-11-openjdk and kpatch-patch), Scientific Linux (java-11-openjdk), SUSE (bind, clamav, zsh, and zxing-cpp), and Ubuntu (aide, dbus, and thunderbird).

Ariadne Conill writes about the FSF's policy toward proprietary firmware and, specifically, the rules for "Respects Your Freedom" certification.

Purism was able to accomplish this by making the Librem 5 have not one, but two processors: when the phone first boots, it uses a secondary CPU as a service processor, which loads all of the relevant blobs (such as those required to initialize the DDR4 memory) before starting the main CPU and shutting itself off. In this way, they could have all the blobs they needed to use, without having to worry about them being user visible from PureOS. Under the policy, that left them free and clear for certification.

This is not a new story; see Papering over a binary blob from 2011, for example.

The first 5.17 kernel prepatch is out for testing, and the merge window is closed for this release.

5.17 doesn't seem to be slated to be a huge release, and everything looks fairly normal. We've got a bit more activity than usual in a couple of corners of the kernel (random number generator and the fscache rewrite stand out), but even with those things, the big picture view looks very much normal: the bulk is various driver updates, with architectures updates, documentation, and tooling being the bulk of the rest.

One of your editor's long-time hobbies is photography; it is an activity that can be rewarding even with the lack of any particular talent — a useful attribute. Photography has changed greatly over the years; as a result, those hard-earned darkroom skills are of little use, and photo processing has become yet another software problem. This is a field that supports a lot of proprietary software, but there is also no shortage of free software available. The time has come to combine work and pleasure and catch up with the state of free software for photography, starting with the darktable raw photo editor.

Anybody who upgraded to the recent Rust 1.58.0 release will probably want to move on to Rust 1.58.1; among other things it contains a fix for a security vulnerability in the standard library. "We recommend all users to update their toolchain immediately and rebuild their programs with the updated compiler".

Security updates have been issued by Debian (aide, flatpak, kernel, libspf2, and usbview), Fedora (kernel, libreswan, nodejs, texlive-base, and wireshark), openSUSE (aide, cryptsetup, grafana, permissions, rust1.56, and stb), SUSE (aide, apache2, cryptsetup, grafana, permissions, rust1.56, and webkit2gtk3), and Ubuntu (aide, thunderbird, and usbview).