Efforts to introduce malicious code into the open-source supply chain have been on the rise in recent years, and there is no indication that they will abate anytime soon. These attacks are often found quickly, but not quickly enough to prevent the compromised code from being automatically injected into other projects or code deployed by users where it can wreak havoc. One method of avoiding supply-chain attacks is to add a delay of a few days before pulling upates in what is known as a "dependency cooldown". That tactic is starting to find favor with users and some language ecosystem package managers. While this practice is considered a reasonable response by many, others are complaining that those employing dependency cooldowns are free-riding on the larger community by letting others take the risk.

In Rust, types either possess a constant size known at compile time, or a dynamically calculated size known at run time. That is fine for most purposes, but recent proposals for the language have shown the need for a more fine-grained hierarchy. RFC 3729 from David Wood and Rémy Rakic would add a hierarchy of traits to describe types with sizes known under different circumstances. While the idea has been subject to discussion for many years, a growing number of use cases for the feature have come to light.

Version 2.26.0 of the LilyPond music-engraving program has been released. Major changes include the ability to use the Cairo library to generate output and improvements in spacing between clefs and time signatures. See the release notes for a full list of miscellaneous improvements as well as what's new with musical and specialist notation.

Greg Kroah-Hartman has announced the release of the 7.0.1, 6.19.14, 6.18.24, and 6.12.83 stable kernels. As usual, each contains important fixes throughout the tree. Users are encouraged to upgrade.

Note that the 6.19.x series ends with 6.19.14.

Remove the amateur radio (AX.25, NET/ROM, ROSE) protocol implementation and all associated hamradio device drivers from the kernel tree. This set of protocols has long been a huge bug/syzbot magnet, and since nobody stepped up to help us deal with the influx of the AI-generated bug reports we need to move it out of tree to protect our sanity.

Elite security researchers find bugs that fuzzers can't largely by reasoning through the source code. This is effective, but time-consuming and bottlenecked on scarce human expertise. Computers were completely incapable of doing this a few months ago, and now they excel at it. We have many years of experience picking apart the work of the world's best security researchers, and Mythos Preview is every bit as capable. So far we've found no category or complexity of vulnerability that humans can find that this model can't.

This can feel terrifying in the immediate term, but it's ultimately great news for defenders. A gap between machine-discoverable and human-discoverable bugs favors the attacker, who can concentrate many months of costly human effort to find a single bug. Closing this gap erodes the attacker's long-term advantage by making all discoveries cheap.

The Fedora Project has been wrestling with the question of who should be able to vote in Fedora elections recently, with project membership being a major topic at the Fedora Council face-to-face held in early February. Now the project is considering a new contributor status, "Fedora Verified", and is looking to get input on the idea from the community.

What are the proposed benefits? The primary motivation behind "Fedora Verified" is to build trust-based recognition that grants elevated, privileged rights within the project. Most notably, this status would determine eligibility for strategic governance activities, such as:

• Voting in Fedora community elections.
• Running for leadership or decision-making roles within the project (i.e., Fedora Council, FESCo, Mindshare Committee, EPEL Steering Committee).
• (Potential, unplanned) Accessing specific shared project resources or educational opportunities (e.g., Red Hat training credits).

The blog post includes a list of proposed baseline metrics for "Verified" status as well as open questions to be decided. A survey on the topic will be open until May 5.

Version 150 of the Firefox web browser has been released. Notable changes include local-network-access restrictions being turned on for all users, the ability to reorder, copy, delete, paste, and export pages from a PDF using Firefox's built-in viewer, as well as improvements in its split view feature, and more. See also the release notes for developers and list of security fixes in this release.

(Update: Mozilla seems to have removed the local-network-access restrictions information since the release was published yesterday.)

Git maintainer Junio Hamano has announced Git 2.54.0, which includes contributions from 137 people; 66 of those people are first-time contributors to the project. Changes include the addition of Git history rewriting, Git's web interface (gitweb) "has been taught to be mobile friendly", and much more. See the announcement for all improvements, additions, and bug fixes. Hamano is now taking a short break:

I will go offline for a couple of weeks starting this evening, hopefully after updating 'next' and possibly also pushing out the first batch of the new cycle. There is no designated interim maintainer this time, but I trust that the community can self organize during my absense, if the shape of the release and the tree turns out to be super bad ;-).

See this GitHub blog entry for highlights from this release.

Robin Candau has announced the availability of a bit-for-bit reproducible container image for Arch Linux:

The bit-for-bit reproducibility of the image is confirmed by digest equality across builds (podman inspect --format '{{.Digest}}' <image>) and by running diffoci to compare builds. We provide documentation on how to reproduce this Docker image (as we did for the WSL image as well).

Building the base rootFS for the Docker image in a deterministic way was the main challenge, but it reuses the same process as for our WSL image (as both share the same rootFS build system).

[...] This represents another meaningful achievement in our "reproducible builds" efforts and we're already looking forward to the next step!

The Document Foundation (TDF) is the nonprofit entity behind the LibreOffice productivity suite. Most of the time, the software takes the spotlight, but that has changed in the past few weeks, and not for pleasant reasons. TDF has revoked foundation membership status from about 30 people who work for or have contracting status with Collabora. In response, Collabora has announced plans to focus on a "entirely new, cut-down, differentiated Collabora Office" project and reduce its involvement with LibreOffice. TDF's representatives claim that its actions were necessary to maintain the foundation's nonprofit status, while other community members assert that this is part of a power grab. The facts seem to indicate that there are legitimate issues to be addressed, but it is unclear that TDF needed to go so far as to disenfranchise all Collabora-affiliated contributors.

Debian Project secretary Kurt Roeckx has announced the Debian Project Leader (DPL) election results: the winner of the election is Sruthi Chandran. She will replace two-term DPL Andreas Tille.

Greg Kroah-Hartman has announced the release of the 6.19.13, 6.18.23, 6.12.82, 6.6.135, 6.1.169, 5.15.203, and 5.10.253 stable kernels. Each contains a number of important fixes throughout the tree; users are advised to upgrade.

Shor's algorithm is the main practical example of an algorithm that runs more quickly on a quantum computer than a classical computer — at least in theory. Shor's algorithm allows large numbers to be factored into their component prime factors quickly. In reality, existing quantum computers do not have nearly enough memory to factor interesting numbers using Shor's algorithm, despite decades of research. A new paper provides a major step in that direction, however. While still impractical on today's quantum computers, the recent discovery cuts the amount of memory needed to attack 256-bit elliptic-curve cryptography by a factor of 20. More interesting, however, is that the researchers chose to publish a zero-knowledge proof demonstrating that they know a quantum circuit that shows these improvements, rather than publishing the actual knowledge of how to do it.