Jeff Xu has been working on a patch set that makes certain mappings in a process's address space impossible to change, sealing them against tampering. This has some potential security benefits — mainly, making sure that someone cannot relocate the vsyscall and vDSO mappings — but some kernel developers haven't been impressed with the patches. While the core functionality (sealing the mappings) is sound, some of the supporting code for enabling and disabling the new feature caused concern by going against the normal design for such things. Reviewers also questioned how this feature would interact with checkpointing and with sandboxing.

Matthias Clasen has written a short update on a GTK hackfest that took place at FOSDEM and what's coming in GTK 4.18. This includes fixes for pointer sizes in Wayland when fractional scaling is enabled, removal of the old GL renderer in favor of the GL renderer introduced in GTK 4.13.6, and deprecation of X11 and Broadway backends with intent to remove them in GTK 5.

The deprecated backends will remain available until then, and no action is required by developers at this time, Clasen wrote: "There is no need to act on deprecations until you are actively porting your app to the next major version of GTK, which is not on the horizon yet".

This is actually a _tiny_ merge window, and that's ok. The holidays clearly meant that people did less development than during a normal cycle, and that then shows up as a much smaller-than-average release. I really felt like this year we got the whole holiday season release timing right, and this is just another sign of that.

The election to replace outgoing openSUSE board members is underway, with four candidates vying for three seats. The election was initially scheduled to be completed in December, but the timeline was extended due to too few candidates standing for the seats. Voting closes on February 2 and the results are expected to be announced on February 3.

It is disappointing that the open source community cannot operate independently of international sanctions programs, but these sanctions are the law of each country and are not optional. Many developers work on open source projects in their spare time, or for fun. Dealing with U.S. and international sanctions was unlikely on the list of things that most (or very likely any) open source developers thought they were signing up for. We hope that in time relevant authorities will clarify that open source and standards activities may continue unabated. Until that time, however, with the direct and indirect sponsorship of developers by companies, the intersection of sanctions on corporate entities leaves us in a place where we cannot ignore the potential risks.

The current cost for the services, much of which is for 50TB of bandwidth data transfer per month and a half-dozen beefy servers for running continuous-integration (CI) jobs, comes to around $24,000 per month. Tissoires believes that the project should start paying for service somewhere, in order to avoid upheaval of this sort, sometimes on short or no notice. "I personally think we better have fd.o pay for its own servers, and then have sponsors chip in. This way, when a sponsor goes away, it's technically much simpler to just replace the money than change datacenter." Various options are being discussed there, but any move is likely to disrupt normal services for a week or more.

• Front: Go vendoring in Fedora; Rust 2024 edition; 6.14 Merge window; uretprobe(); FOSDEM keynote; Earthstar.
• Briefs: Git security; Ubuntu discussion; LWN EPUBs; Facebook moderation; Quotes; ...
• Announcements: Newsletters, conferences, security updates, patches, and more.

Version 6.9 of the Incus container and virtual-machine management system has been released. Changes include a command to provide virtual machine memory dumps, ability to set network ACLs for instances on bridged networks, and more.

We will also be creating special EPUB books at times. As an example of what is possible, our complete coverage from Kangrejos 2024 and the 2024 Linux Storage, Filesystem, Memory Management, and BPF Summit are available to all readers.

There are surely places where our EPUB books can be improved; please feel free to drop us a note (at lwn@lwn.net) with suggestions.

Security researcher RyotaK has shared a series of vulnerabilities that all have to do with how Git interfaces with external credential managers. In short, while Git guards against newline characters (\n) being injected into a repository's URL, some programming languages also treat carriage return characters (\r) as being newlines. Adding a carriage return to a repository's URL can cause Git and the credential manager to disagree on how the URL should be parsed, ultimately resulting in Git credentials being sent to the wrong host. Malicious repositories could include Git submodules with malformed URLs, triggering the bug. Only password-based authentication with an external credential manager is vulnerable to this attack; SSH-based authentication remains secure. The Git project has chosen to consider this a vulnerability in Git, given the large amount of external software affected. The project has fixed the bug on its end by releasing updates for all supported versions that ban carriage returns in URLs entirely.

Affected software includes GitHub Desktop, Git LFS, and possibly other Git utilities:

Since Git itself doesn't use .lfsconfig file, specifying the URL that contains the newline character in .lfsconfig causes Git LFS to insert the newline character into the message, while bypassing [...] Git's validation.