Version 6.9 of the Incus container and virtual-machine management system has been released. Changes include a command to provide virtual machine memory dumps, ability to set network ACLs for instances on bridged networks, and more.
We will also be creating special EPUB books at times. As an example of what is possible, our complete coverage from Kangrejos 2024 and the 2024 Linux Storage, Filesystem, Memory Management, and BPF Summit are available to all readers.
There are surely places where our EPUB books can be improved; please feel free to drop us a note (at lwn@lwn.net) with suggestions.
Security researcher RyotaK has shared a series of vulnerabilities that all have to do with how Git interfaces with external credential managers. In short, while Git guards against newline characters (\n) being injected into a repository's URL, some programming languages also treat carriage return characters (\r) as being newlines. Adding a carriage return to a repository's URL can cause Git and the credential manager to disagree on how the URL should be parsed, ultimately resulting in Git credentials being sent to the wrong host. Malicious repositories could include Git submodules with malformed URLs, triggering the bug. Only password-based authentication with an external credential manager is vulnerable to this attack; SSH-based authentication remains secure. The Git project has chosen to consider this a vulnerability in Git, given the large amount of external software affected. The project has fixed the bug on its end by releasing updates for all supported versions that ban carriage returns in URLs entirely.
Affected software includes GitHub Desktop, Git LFS, and possibly other Git utilities:
Since Git itself doesn't use .lfsconfig file, specifying the URL that contains the newline character in .lfsconfig causes Git LFS to insert the newline character into the message, while bypassing [...] Git's validation.
Earthstar is a privacy-oriented, offline-first, LGPL-licensed database intended to support distributed applications. Unlike other distributed storage libraries, it focuses on providing mutable data with human-meaningful names and modification times, which gives it an interface similar to many non-distributed key-value databases. Now, the developers are looking at switching to a new synchronization protocol — one that is general enough that it might see wider adoption.
Ubuntu will be moving its "official realtime communications
channels
" from IRC to Matrix, beginning March 1, 2025, following
a discussion
on the ubuntu-devel mailing list.
"Official" communication, such as making realtime requests of privileged Ubuntu developer teams, could be expected to be actioned if requested on Matrix only. Similarly, you can consider your social responsibility to other developers in relation to your work in Ubuntu development to be fulfilled if you are present on that platform. And Canonical will follow in its requirement for its employed Ubuntu developers to be present on that agreed platform during their working hours.
This year's edition of the Free and Open Source Software Developers' European Meeting (FOSDEM) begins on February 1 in Brussels. The event is widely regarded as one of the most important open-source conferences. One of the reasons that FOSDEM is held in high esteem by the community is its non-commercial nature. It does accept sponsors, but sponsorships come with few perks and no "pay-for-play" speaking slots. Thus, the scheduling of a keynote by Jack Dorsey—primarily known for his role in co-founding Twitter, and currently CEO and chairman of FOSDEM sponsor Block, Inc.—raised eyebrows and led to plans for a protest. The keynote has since been removed from the schedule, but there are still a number of lingering questions.
Starting on January 19, 2025 Facebook's internal policy makers decided that Linux is malware and labeled groups associated with Linux as being "cybersecurity threats". Any posts mentioning DistroWatch and multiple groups associated with Linux and Linux discussions have either been shut down or had many of their posts removed.We've been hearing all week from readers who say they can no longer post about Linux on Facebook or share links to DistroWatch. Some people have reported their accounts have been locked or limited for posting about Linux.
One can only hope that this is a mistake that will be resolved soon.
Update: Meta has seemingly fixed the problem. It is sad, though, that nothing happened until a large, net-wide fuss forced the issue.
The Go language is designed to make it easy for developers to import other Go packages and compile everything into a static binary for simple distribution. Unfortunately, this complicates things for those who package Go programs for Linux distributions, such as Fedora, that have guidelines which require dependencies to be packaged separately. Fedora's Go special interest group (SIG) is asking for relief and a loosening of the bundling guidelines to allow Go packagers to bundle dependencies into the packages that need them, otherwise known as vendoring. So far, the participants in the discussion have seemed largely in favor of the idea.
Last year, LWN examined the changes lined up for Rust's 2024 edition. Now, with the edition ready to be stabilized in February, it's time to look back at the edition process and see what was successfully adopted, which new changes were added, and what still remains to work on. A surprising amount of new work was proposed, implemented, and stabilized during the year.
Connexion