Large language models (LLMs) have been the subject of much discussion and scrutiny recently. Of particular interest to open-source enthusiasts are the problems with running LLMs on one's own hardware — especially when doing so requires NVIDIA's proprietary CUDA toolkit, which remains unavailable in many environments. Mozilla has developed llamafile as a potential solution to these problems. Llamafile can compile LLM weights into portable, native executables for easy integration, archival, or distribution. These executables can take advantage of supported GPUs when present, but do not require them.

Security updates have been issued by Debian (glib2.0 and shim), Fedora (glib2, gnome-shell, tcpdump, tpm2-tools, tpm2-tss, and uriparser), Mageia (mutt), Oracle (git-lfs, glibc, kernel, kernel-container, nodejs:18, nodejs:20, and pcp), SUSE (apache2, opensc, openssl-1_1, openssl-3, perl, python-Pillow, python-pyOpenSSL, python-Werkzeug, SUSE Manager Client Tools Beta, tpm2-0-tss, and tpm2.0-tools), and Ubuntu (sqlparse and strongswan).

The 6.9 kernel was released on May 12 after a typical nine-week development cycle. Once again, this is a major release containing a lot of changes and new features. Our merge-window summaries (part 1, part 2) covered those changes; now that the development cycle is complete, the time has come to look at where all that work came from — and to introduce a new and experimental LWN feature for readers interested in this kind of information.

Maintainers of open-source projects sometimes have disagreements with contributors over how contributions are reviewed, modified, merged, and credited. A written policy describing how contributions are handled can help maintainers set reasonable expectations for potential contributors. In turn, that can make the maintainer's job easier because it can help reduce a source of friction in the project. A guide to help create this kind of policy for a project has recently been developed.

Security updates have been issued by AlmaLinux (nodejs:18 and shim), Debian (atril and chromium), Fedora (chromium, glib2, gnome-shell, mediawiki, php-wikimedia-cdb, php-wikimedia-utfnormal, stb, and tcpdump), Gentoo (Kubelet, PoDoFo, Rebar3, and thunderbird), Mageia (glibc and libnbd), Oracle (kernel), Red Hat (bind and dhcp and varnish), and SUSE (chromium, cpio, freerdp, giflib, gnutls, opera, python-Pillow, python-Werkzeug, tinyproxy, and tpm2-0-tss).

Linus has released the 6.9 kernel. "So 6.9 is now out, and last week has looked quite stable (and the whole release has felt pretty normal)." Significant changes in this release include the ability to create pidfds for individual threads, the BPF arena subsystem, the BPF token security mechanism, truncate() support in io_uring, support for the Rust language on 64-bit Arm systems, weighted interleaving in the memory-management subsystem, the device-mapper virtual data optimizer target, initial FUSE passthrough support, and more. See the LWN merge-window summaries (part 1, part 2) for more information.

In April, the Gentoo Linux project banned the use of generative AI/ML tools due to copyright, ethical, and quality concerns. This means contributors cannot use tools like ChatGPT or GitHub Copilot to create content for the distribution such as code, documentation, bug reports, and forum posts. A proposal for Debian to adopt a similar policy revealed a distinct lack of love for those kinds of tools, though it would also seem few contributors support banning them outright.

Security updates have been issued by AlmaLinux (container-tools:4.0, container-tools:rhel8, git-lfs, glibc, libxml2, nodejs:18, and nodejs:20), Debian (dav1d and libpgjava), Fedora (kernel and pypy), Red Hat (glibc and nodejs:16), SUSE (ffmpeg, ffmpeg-4, ghostscript, go1.21, go1.22, less, python-python-jose, python-Werkzeug, and sssd), and Ubuntu (fossil, glib2.0, and libspreadsheet-parsexlsx-perl).

The extensible scheduler class (or "sched_ext") is a comprehensive framework that enables the implementation of CPU schedulers as a set of BPF programs that can be loaded at run time. Despite having attracted a fair amount of interest from the development community, sched_ext has run into considerable opposition and seems far from acceptance into the mainline. The posting by Tejun Heo of a new version of the sched_ext series at the beginning of May has restarted this long-running discussion, but it is not clear what the end result will be.

Security updates have been issued by AlmaLinux (ansible-core, avahi, bind, buildah, containernetworking-plugins, edk2, fence-agents, file, freeglut, freerdp, frr, git-lfs, gnutls, golang, grafana, grafana-pcp, gstreamer1-plugins-bad-free, gstreamer1-plugins-base, gstreamer1-plugins-good, harfbuzz, httpd, ipa, libjpeg-turbo, libnbd, LibRaw, libreswan, libsndfile, libssh, libtiff, libvirt, libX11, libXpm, mingw components, mingw-glib2, mingw-pixman, mod_http2, mod_jk and mod_proxy_cluster, motif, mutt, openssl and openssl-fips-provider, osbuild-composer, pam, pcp, perl, pmix, podman, python-jinja2, python-jwcrypto, python3.11, python3.11-cryptography, python3.11-urllib3, qemu-kvm, qt5-qtbase, runc, skopeo, sssd, systemd, tcpdump, tigervnc, toolbox, webkit2gtk3, xorg-x11-server, xorg-x11-server-Xwayland, and zziplib), CentOS (firefox, grub2, kernel, squid, thunderbird, tigervnc, and xorg-x11-server), Debian (chromium, glib2.0, python-idna, webkit2gtk, and wordpress), Fedora (freerdp, freerdp2, and pypy), Mageia (chromium-browser-stable, exfatprogs, freeglut, libtiff, libvirt, libxml2, openpmix, php-tcpdf, ruby, tpm2-tools, tpm2-tss, traceroute, and zziplib), Oracle (bind, buildah, git-lfs, gnutls, golang, grafana, grafana-pcp, libreswan, libvirt, libxml2, mod_http2, podman, python-jwcrypto, skopeo, sssd, and tigervnc), Red Hat (nodejs:18, nodejs:20, and squid:4), and SUSE (avahi, ghostscript, go1.21, go1.22, python-pymongo, python-Werkzeug, and sssd).

The LWN.net Weekly Edition for May 9, 2024 is available.

The so-called software supply chain starts with source code. But most security measures and tooling don't kick in until source is turned into an artifact—a source tarball, binary build, container image, or other method of delivering a release to users. The gittuf project is an attempt to provide a security layer for Git that can handle key management, enforce security policies for repositories, and guard against attacks at the version-control layer. At Open Source Summit North America (OSSNA), Aditya Sirish A Yelgundhalli and Billy Lynch presented an introduction to gittuf with an overview of its goals and status.

Fedora Magazine reports that the Fedora Asahi Remix for Apple Arm hardware, based on Fedora 40, is now available:

Fedora Asahi Remix offers KDE Plasma 6 as our flagship desktop experience. It also features a custom Calamares-based initial setup wizard. A GNOME variant is also available, featuring GNOME 46, with both desktop variants matching what Fedora Linux offers. Fedora Asahi Remix also provides a Fedora Server variant for server workloads and other types of headless deployments. Finally, we offer a Minimal image for users that wish to build their own experience from the ground up.

See the installation guide to get started with the Asahi Remix.

Security updates have been issued by Debian (glib2.0 and php7.3), Gentoo (Commons-BeanUtils, Epiphany, glibc, MariaDB, Node.js, NVIDIA Drivers, qtsvg, rsync, U-Boot tools, and ytnef), Oracle (kernel), Red Hat (git-lfs and kernel), SUSE (flatpak, less, python311, rpm, and sssd), and Ubuntu (libde265, libvirt, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-iot, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux-xilinx-zynqmp, linux, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-gkeop-5.15, linux-ibm, linux-ibm-5.15, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-oracle, linux-oracle-5.15, linux-oem-6.5, and nghttp2).

A proposal to switch the default desktop for Fedora Workstation from GNOME to KDE Plasma largely went over like the proverbial lead balloon—unsurprisingly. But the conversation about the proposal did surface some areas where the distribution could perhaps be more inclusive with regard to the other desktop choices available. The project believes that it benefits from being opinionated and not requiring users to make multiple decisions before they can even install the distribution, but there is a balance to be found.

The systemd project is preparing for a new release. Version 256-rc1 was released on April 25 with a large number of changes and new features. Most of the changes relate to security, easier configuration, unprivileged access to system resources, or all three of these. Users of systemd will find setting up containers — even without root access — much simpler and more secure.

Version 14.1 of the GCC compiler suite has been released. The list of changes is long; it includes support for more C++26 features, preparation for Fortran 2023 support, a new -fhardened flag to enable security-hardening features, vectorizer improvements, and a number of static-analyzer improvements. See the release notes for details.

The Go Blog has a detailed article on the new, more secure random-number generator implemented for the 1.22 release.

For example, when Go 1.20 deprecated math/rand's Read, we heard from developers who discovered (thanks to tooling pointing out use of deprecated functionality) they had been using it in places where crypto/rand's Read was definitely needed, like generating key material. Using Go 1.20, that mistake is a serious security problem that merits a detailed investigation to understand the damage. Where were the keys used? How were the keys exposed? Were other random outputs exposed that might allow an attacker to derive the keys? And so on. Using Go 1.22, that mistake is just a mistake.

Security updates have been issued by Debian (kernel), Gentoo (libjpeg-turbo, xar, and Xpdf), Red Hat (bind, dhcp and glibc), and SUSE (bouncycastle, curl, flatpak, less, and xen).