The postmarketOS project, which produces a Linux distribution for phones and mobile devices, has announced that it is in the early stages of adding systemd to make it easier to support GNOME and KDE.

Users who prefer the OpenRC init system are assured they will still have that option when building their own images "as long as OpenRC is in Alpine Linux (on which postmarketOS is based)":

As with text editors, some people are really passionate about their favorite init systems. When discussing this announcement, please keep a friendly tone. Remember that we all share the love for free and open source software, and that our communities work best if we focus on shared values instead of fighting over what implementations to use.

Proof-of-concept images are available now for a limited set of devices. Users are warned these images are "buggy, unreliable, and NOT suitable for use on a device you rely on". Those interested in helping with testing and development are encouraged to follow along and report bugs on the systemd issue at GitLab.

The Fedora Project switched to MariaDB as the default implementation of MySQL in Fedora 19 in 2013. Once a drop-in replacement for MySQL, MariaDB has diverged enough that this is no longer the case—and, despite concerns about Oracle and optimism that MariaDB would supplant MySQL, the reality is that MySQL and MariaDB seem to be here to stay. With that in mind, Fedora developer Michal Schorm proposed that the project revise the way MySQL and MariaDB are packaged in Fedora starting with Fedora 40.

Name collisions aren't just a problem for software development—organizations, projects, and software that have the same or similar names can cause serious confusion. That was certainly the case on February 28 when the Open Collective Foundation (OCF) began to notify its hosted projects that it would be shutting down by the end of 2024. The announcement surprised projects hosted with OCF, as one might expect. It also worried and confused users of the Open Collective software platform from Open Collective, Inc. (OCI), as well as organizations hosted by the Open Source Collective (OSC) and Open Collective Europe (OC Europe). There is enough confusion about the names, relationships between the organizations, and impact on projects like Flatpak, Homebrew, and htop hosted by OCF, that a deeper look is warranted.

Kaitlyn Abdo of Fedora's AI/ML SIG opened an issue with the Fedora Engineering Steering Committee (FESCo) recently that carried a few tricky questions about packaging machine-learning (ML) models for Fedora. Specifically, the SIG is looking for guidance on whether pre-trained weights for PyTorch constitute code or content. And, if the models are released under a license approved by the Open Source Initiative (OSI), does it matter what data the models were trained on? The issue was quickly tossed over to Fedora's legal mailing list and sparked an interesting discussion about how to handle these items, and a temporary path forward.

Sasha Levin has announced the release of the 6.8.1, 6.7.10, 6.6.22, 6.1.82, 5.15.152, 5.10.213, 5.4.272, and 4.19.310 stable kernels. As always, they contain important fixes throughout the tree. Users of those kernels should upgrade.

Zach Mitchell has announced the 1.0 release of Flox, a tool that lets its users install packages from nixpkgs inside portable virtual environments, and share those virtual environments with others as an alternative to Docker-style containers. Flox is based on Nix but allows users to skip learning how to work with the Nix language:

With Flox we're providing a substantially better user experience. We provide the suite of package manager functionality with install, uninstall, etc, but we also provide an entire new suite of functionality with the ability to share environments via flox push, flox pull, and flox activate --remote.

Flox is GPLv2-licensed, and releases are available as RPMs and Debian packages for x86_64 and arm64 systems.

The Python project has announced three security releases, 3.10.14, 3.9.19, and 3.8.19. In addition to the security fixes, these releases are notable for two reasons; they are the first to make use of GitHub Actions to perform public builds instead of building artifacts "on a local computer of one of the release managers", and the first since Python became a CVE Numbering Authority (CNA).

Python release team member Łukasz Langa said that being a CNA means Python is able to "ensure the quality of the vulnerability reports is high, and that the severity estimates are accurate." It also allows Python to coordinate CVE announcements with the patched versions of Python, as it has with two CVEs addressed in these releases. CVE-2023-6597 CVE-2024-0450 describes a flaw in CPython's zipfile module that made it vulnerable to a zip-bomb exploit. CVE-2024-0450 CVE-2023-6597 is an issue with Python's tempfile.TemporaryDirectory class which could be exploited to modify permissions of files referenced by symbolic links. Users of affected versions should upgrade soon.

Cockpit is an interesting project for web-based Linux administration that has received relatively little attention over the years. Part of that may be due to the project's strategy of minor releases roughly every two weeks, rather than larger releases with many new features. While the strategy has done little to garner headlines, it has delivered a useful and extensible tool to observe, manage, and troubleshoot Linux servers.

The GNOME project announced GNOME 46 (code-named "Kathmandu") on March 20. The release has quite a few updates and improvements across user applications, developer tools, and under the hood. One thing stood out while looking over this release—a major emphasis on Flatpaks as the way to acquire and update GNOME software.

On March 21, Redis Ltd. announced that the Redis "in-memory data store" project would now be released under non-free, source-available licenses, starting with Redis 7.4. The news is unwelcome, but not entirely unexpected. What is unusual with this situation is the number of Redis alternatives to choose from; there are at least four options to choose as a replacement for those who wish to stay with free software, including a pre-existing fork called KeyDB and the Linux Foundation's newly-announced Valkey project. The question now is which one(s) Linux distributions, users, and providers will choose to take its place.

The 6.8.3, 6.7.12, 6.6.24, and 6.1.84 stable kernel updates have been released. Each contains an important set of fixes. Note that 6.7.12 is the final release for the 6.7.y series, and that branch is now end-of-life. Users should move to the 6.8.y branch.

AlmaLinux has announced updated kernels for AlmaLinux 8 and 9 to address CVE-2024-1086, a use-after-free vulnerability in the kernel that could be exploited to gain local privilege escalation. This is notable because the fix marks a divergence between AlmaLinux and Red Hat Enterprise Linux (RHEL):

In January of this year, a kernel flaw was disclosed and named CVE-2024-1086. This flaw is trivially exploitable on most RHEL-equivalent systems. There are many proof-of-concept posts available now, including one from our Infrastructure team lead, Jonathan Wright (Dealing with CVE-2024-1086). In multi-user scenarios, this flaw is especially problematic.

Though this was flagged as something to be fixed in Red Hat Enterprise Linux, Red Hat has only rated this as a moderate impact.

The AlmaLinux project would also like to note that it is not impacted by the XZ backdoor. "Because enterprise Linux takes a bit longer to adopt those updates (sometimes to the chagrin of our users), the version of XZ that had the back door inserted hadn't made it further than Fedora in our ecosystem."