
Yesterday, 23 August 2024, LWN

Forgejo changes license to GPLv3+

By: daroc
23 August 2024 at 13:39

The Forgejo project has announced that, starting from version 9.0, Forgejo will be released under the GPLv3 license (or a later version). Older versions of the software forge remain MIT-licensed.

A copyleft license makes reusing other copyleft software easier. Recently, we discovered that some of the dependencies we used were incompatible with the license Forgejo was distributed with, and they had to be removed for now. Choosing copyleft licenses enables us to reuse more work, and saves us precious time to focus on improving Forgejo itself.

Security updates for Friday

By: daroc
23 August 2024 at 13:03
Security updates have been issued by Fedora (community-mysql, iaito, and radare2), Oracle (python3.12-setuptools and tomcat), Red Hat (krb5 and podman), Slackware (ffmpeg), SUSE (apache2, expat, firefox, webkit2gtk3, and xen), and Ubuntu (imagemagick and libxstream-java).
From the day before yesterday, LWN

[$] A review of file descriptor memory safety in the kernel

By: daroc
22 August 2024 at 15:19

On July 30, Al Viro sent a patch set to the linux-fsdevel mailing list with a comprehensive cover letter explaining his recent work on ensuring that the kernel's internal representation of file descriptors is used correctly throughout the kernel. File descriptors are ubiquitous; many system calls need to handle them. Viro's review identified a few existing bugs, and may prevent more in the future. He also had suggestions for ways to keep uses consistent throughout the kernel.

[$] Custom string formatters in Python

By: daroc
16 August 2024 at 15:52

Python has had formatted string literals (f-strings), a syntactic shorthand for building strings, since 2015. Recently, Jim Baker, Guido van Rossum, and Paul Everitt have proposed PEP 750 ("Tag Strings For Writing Domain-Specific Languages") which would generalize and expand that mechanism to provide Python library writers with additional flexibility. Reactions to the proposed change were somewhat positive, although there was a good deal of discussion of (and opposition to) the PEP's inclusion of lazy evaluation of template parameters.
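Python's existing string.Formatter already allows the kind of domain-specific formatting PEP 750 wants to make first-class. As an added example (not code from the LWN article, from PEP 750, or from its authors), the formatter below HTML-escapes every interpolated value unless the template author has explicitly marked it as safe; the names SafeHtmlFormatter, Markup, render and unsafe_render are choices made for this illustration, and the attacker-controlled input is constructed.

```python
# Added example, not code from the LWN article or from PEP 750: a custom
# string.Formatter that escapes every interpolated value, the kind of
# domain-specific formatting that PEP 750's tag strings aim to make
# first-class. The names SafeHtmlFormatter, Markup, render and
# unsafe_render are choices made for this example.
import html
import string


class Markup(str):
    """A string the template author vouches for as already-safe HTML."""


class SafeHtmlFormatter(string.Formatter):
    """str.format semantics, but untrusted values are HTML-escaped.

    The template itself must be trusted: str.format field syntax allows
    attribute and index lookups such as {obj.__class__}, so only the
    *values* may come from untrusted sources.
    """

    def format_field(self, value, format_spec):
        # Conversions (!r, !s, !a) have already been applied by vformat
        # before this hook runs, so escaping happens last, after any
        # alignment or padding from the format spec has been applied.
        rendered = format(value, format_spec)
        if isinstance(value, Markup):
            return rendered
        return html.escape(rendered, quote=True)


def render(template: str, **values) -> str:
    """Render a trusted template with possibly untrusted values."""
    return SafeHtmlFormatter().format(template, **values)


def unsafe_render(template: str, **values) -> str:
    """Plain str.format for comparison: nothing is escaped."""
    return template.format(**values)


if __name__ == "__main__":
    # Constructed attacker-controlled input for the demonstration.
    user = "<script>alert(1)</script>"
    print(unsafe_render("<p>Hello, {name}!</p>", name=user))
    print(render("<p>Hello, {name}!</p>", name=user))
    print(render("{body}", body=Markup("<b>trusted</b>")))
    print(render("[{n:>5}]", n="<x>"))
```

An f-string gives the same result as unsafe_render: the value is interpolated verbatim. The escape-by-default formatter is what makes the safe path the easy path, and the Markup opt-out keeps the decision to emit raw HTML explicit and greppable.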

Security updates for Friday

By: daroc
16 August 2024 at 13:07
Security updates have been issued by Fedora (389-ds-base, dotnet8.0, python3.13, roundcubemail, thunderbird, and tor), Mageia (roundcubemail), Oracle (.NET 8.0, bind and bind-dyndb-ldap, bind9.16, container-tools:ol8, edk2, firefox, gnome-shell, grafana, httpd:2.4, jose, kernel, krb5, mod_auth_openidc:2.3, orc, poppler, python-urllib3, python3.11-setuptools, thunderbird, and wget), Red Hat (kernel), SUSE (apptainer, curl, kernel, kernel-firmware, libqt5-qtbase, python-aiosmtpd, and ucode-intel), and Ubuntu (bind9, gnome-shell, libreoffice, and orc).

[$] Standards for use of unsafe Rust in the kernel

By: daroc
14 August 2024 at 14:17

Rust is intended to let programmers write safer code. But compilers are not omniscient, and writing Rust code that interfaces with hardware (or that works with memory outside of Rust's lifetime paradigm) requires, at some point, the programmer's assurance that some operations are permissible. Benno Lossin suggested adding some more documentation to the Rust-for-Linux project clarifying the standards for commenting uses of unsafe in kernel code. There's general agreement that such standards are necessary, but less agreement on exactly when it is appropriate to use unsafe.

[$] Changes coming in PostgreSQL 17

By: daroc
13 August 2024 at 14:10

The PostgreSQL project has released beta versions of PostgreSQL 17 containing several interesting security and usability improvements, alongside the usual performance improvements and bug fixes. If the release proceeds according to the usual timeline, the full release of version 17 is expected in September or October. The most important changes are in what PostgreSQL does when a database supervisor has their credentials revoked, and added support for incremental database backups.

Lix makes its second release

By: daroc
13 August 2024 at 14:09

Lix, the fork of Nix that LWN covered in July, has made its second release since forking. This one includes substantial changes to the backend code, including removing a dependency on Bison, and getting a change to the Nix language back upstream.

The general theme of Lix 2.91 is to perform another wave of refactorings and design improvements in preparation for our evolution plans.

Nevertheless, there are a few exciting user facing changes[.]

New attack against the SLUB allocator

By: daroc
9 August 2024 at 15:08

Researchers from Graz University of Technology have published details of a new attack on the Linux kernel called SLUBStick. The attack uses timing information to turn an ability to trigger use-after-free or double-free bugs into the ability to overwrite page tables, and thence into the ability to read and write arbitrary areas of memory. The good news is that this attack does require an existing bug to be usable; the bad news is that the kernel regularly sees bugs of this kind.

We assume that an unprivileged user has code execution. Additionally, we consider the presence of a heap vulnerability in the Linux kernel. We assume that the Linux kernel incorporates all defense mechanisms available in version 6.4, the most recent Linux kernel version when we started our work. These mechanisms include features such as W^X, KASLR, SMAP, and kCFI. We do not assume any microarchitectural vulnerabilities, e.g., transient execution, fault injection, or hardware side channels.

Security updates for Friday

By: daroc
9 August 2024 at 13:23
Security updates have been issued by AlmaLinux (httpd, kernel, kernel-rt, and libtiff), Debian (postgresql-13, postgresql-15, and thunderbird), Fedora (frr, thunderbird, vim, and xrdp), Gentoo (Librsvg, Nautilus, ncurses, Percona XtraBackup, QEMU, and re2c), Red Hat (httpd, kernel, kernel-rt, openssl, and python-setuptools), SUSE (bind, ffmpeg-4, kubernetes1.23, kubernetes1.24, python-Django, and python3-Twisted), and Ubuntu (linux, linux-aws, linux-aws-5.4, linux-gcp, linux-gcp-5.4, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-iot, linux-kvm, linux-raspi, linux-xilinx-zynqmp, linux, linux-aws, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-intel-iotg, linux-intel-iotg-5.15, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux, linux-aws, linux-gcp, linux-gke, linux-ibm, linux-nvidia, linux-nvidia-6.8, linux-oem-6.8, linux-nvidia-lowlatency, linux-oracle, linux-oracle, linux-oracle-5.4, and salt).

[$] Endless OS aimed at educational and offline environments

By: daroc
8 August 2024 at 13:56

Endless OS is a Linux distribution with a focus on improving access to educational tools by providing a simple-to-manage, full-featured desktop for educators and students — one that works offline, with minimal maintenance. The distribution also aims to be suitable for older devices, in order to promote access to computers by ensuring those systems remain usable. In pursuit of those goals, it makes some unusual technical choices. But what makes the distribution really shine is its curated collection of software and educational resources.

Firefox support added to Puppeteer

By: daroc
7 August 2024 at 19:20

Mozilla has announced that Puppeteer, a browser automation and testing library, now has first-class support for Firefox using the WebDriver BiDi protocol. Puppeteer can be used to drive headless browser instances, and is commonly used for automated end-to-end web-site tests.

Whilst the features offered by Puppeteer won't be a surprise, bringing support to multiple browsers has been a significant undertaking. The Firefox support is not based on a Firefox-specific automation protocol, but on WebDriver BiDi, a cross browser protocol that's undergoing standardization at the W3C, and currently has implementation in both Gecko and Chromium. This use of a cross-browser protocol should make it much easier to support many different browsers going forward.

[$] Divvi Up: privacy-respecting telemetry aggregation

By: daroc
2 August 2024 at 13:13

There is ongoing discussion about the ethics and effectiveness of telemetry following some recent LWN articles that touched on Thunderbird's use of opt-out telemetry and planned metrics in Fedora. The Internet Security Research Group (ISRG), the nonprofit behind Let's Encrypt, has a potential solution to the problem of how to collect and aggregate telemetry without violating users' privacy. The scheme is based on a draft protocol being standardized with the Internet Engineering Task Force (IETF), and has an open-source implementation available.
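The draft protocol referred to here, DAP, rests on secret sharing: each client splits its measurement into shares that are meaningless on their own, two non-colluding aggregators each sum the shares they hold, and only the combination of the two sums reveals the total. The following is an added example, not Divvi Up's or ISRG's code, of that additive sharing over a prime field; the field size, the leader/helper naming, the 0/1 measurement type and the function names are choices made for this illustration, and the validity proof that the real protocol attaches to each submission is deliberately left out to show what goes wrong without it.

```python
# Added example, not Divvi Up's or ISRG's code: the additive secret sharing
# that DAP/Prio-style aggregation is built on. A client splits each
# measurement into two shares that are each uniformly random on their own;
# two non-colluding aggregators (leader and helper, as the DAP draft calls
# them) sum the shares they hold; only the two sums together reveal the
# total. The field size and the function names are choices made for this
# example, and the per-submission validity proof used by the real protocol
# is omitted on purpose to show why it is needed.
import secrets

FIELD = 2**61 - 1  # prime modulus for the toy field (chosen for the example)


def client_submit(measurement: int) -> tuple[int, int]:
    """Split a 0/1 measurement into (leader_share, helper_share).

    The leader share is uniform over the field and helper = m - leader,
    so each share on its own is independent of m: neither aggregator
    learns anything about this client's measurement.
    """
    if measurement not in (0, 1):
        raise ValueError("measurement must be 0 or 1")
    leader = secrets.randbelow(FIELD)
    helper = (measurement - leader) % FIELD
    return leader, helper


def aggregate(shares) -> int:
    """What one aggregator computes: the field sum of the shares it holds."""
    return sum(shares) % FIELD


def collect(pairs) -> int:
    """Collector's view: combine the two aggregators' sums into the total.

    The collector never sees an individual share, only the two sums; the
    random masks cancel exactly because every client's shares add to m.
    """
    pairs = list(pairs)
    leader_sum = aggregate(leader for leader, _ in pairs)
    helper_sum = aggregate(helper for _, helper in pairs)
    return (leader_sum + helper_sum) % FIELD


def run_collection(measurements) -> int:
    """End to end: honest clients, two aggregators, one collector."""
    return collect(client_submit(m) for m in measurements)


if __name__ == "__main__":
    print(run_collection([1, 0, 1, 1, 0]))  # 3, whichever random shares were drawn

    # A malicious client that bypasses client_submit can encode 1000 as a
    # share pair that looks like any other. Without a range proof the
    # aggregators cannot tell; that is the gap the real protocol's
    # verifiable proofs close.
    forged = (12345, (1000 - 12345) % FIELD)
    print(collect([client_submit(1), forged]))  # 1001
```

The privacy argument is in client_submit: the leader share is drawn uniformly, so its distribution is the same whether the measurement was 0 or 1, and the helper share is fully determined by the leader share and m. The integrity caveat is in the forged pair: secret sharing hides each value from the aggregators, which is exactly why they also need a proof that the hidden value is in range.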

[$] Pulling Linux up by its bootstraps

By: daroc
31 July 2024 at 13:18

A bootstrappable build is one that builds existing software from scratch — for example, building GCC without relying on an existing copy of GCC. In 2023, the Guix project announced that it had reduced the size of the binary bootstrap seed needed to build its operating system to just 357 bytes — not counting the Linux kernel required to run the build process. Now, the live-bootstrap project has gone a step further and removed the need for an existing kernel at all.

Security updates for Monday

By: daroc
29 July 2024 at 13:14
Security updates have been issued by AlmaLinux (java-11-openjdk), Debian (bind9), Fedora (darkhttpd, mod_http2, and python-scrapy), Red Hat (python3.11, rhc-worker-script, and thunderbird), SUSE (assimp, gh, opera, python-Django, and python-nltk), and Ubuntu (edk2, linux, linux-aws, linux-gcp, linux-gke, linux-gkeop, linux-gkeop-5.15, linux-hwe-5.15, linux-intel-iotg, linux-intel-iotg-5.15, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-oracle, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15, linux-nvidia-6.5, linux-oracle, linux-raspi, and lua5.4).

Security updates for Friday

By: daroc
26 July 2024 at 13:47
Security updates have been issued by AlmaLinux (linux-firmware and squid), Debian (bind9), Fedora (kubernetes, thunderbird, and tinyproxy), Oracle (containernetworking-plugins, cups, edk2, httpd, httpd:2.4, kernel, kernel-container, libreoffice, libuv, libvirt, python3, and runc), Red Hat (freeradius:3.0, httpd, and squid), and SUSE (giflib and python-dnspython).

[$] More informative kernel panics for Fedora

By: daroc
25 July 2024 at 15:34

On July 12, Jocelyn Falempe proposed a change to the configuration options that Fedora sets for its kernels, in order to make kernel panics easier to report. Falempe would like to enable the kernel's recently added DRM-panic feature, which adds a graphical crash screen that is reminiscent of the infamous Windows "blue screen of death" for kernel panics. The feature introduces a few tradeoffs, including currently limited driver support, so the proposal spawned a good deal of discussion.

Let's Encrypt plans to drop support for OCSP

By: daroc
24 July 2024 at 13:19

Let's Encrypt has announced that it intends to end support "as soon as possible" for the Online Certificate Status Protocol (OCSP) over privacy concerns. OCSP was developed as a lighter-weight alternative to Certificate Revocation Lists (CRLs) that did not involve downloading the entire CRL in order to check whether a certificate was valid. Let's Encrypt will continue supporting OCSP as long as it is a requirement for Microsoft's Trusted Root Program, but hopes to discontinue it soon:

We plan to end support for OCSP primarily because it represents a considerable risk to privacy on the Internet. When someone visits a website using a browser or other software that checks for certificate revocation via OCSP, the Certificate Authority (CA) operating the OCSP responder immediately becomes aware of which website is being visited from that visitor's particular IP address. Even when a CA intentionally does not retain this information, as is the case with Let's Encrypt, CAs could be legally compelled to collect it. CRLs do not have this issue.

People using Let's Encrypt as their CA should, for the most part, not need to change their setups. All modern browsers support CRLs, so end-users shouldn't notice an impact either.
