Vue lecture
[$] Managing expectations with a contributions and credit policy
Security updates for Monday
The 6.9 kernel is out
So 6.9 is now out, and last week has looked quite stable (and the whole release has felt pretty normal)." Significant changes in this release include the ability to create pidfds for individual threads, the BPF arena subsystem, the BPF token security mechanism, truncate() support in io_uring, support for the Rust language on 64-bit Arm systems, weighted interleaving in the memory-management subsystem, the device-mapper virtual data optimizer target, initial FUSE passthrough support, and more. See the LWN merge-window summaries (part 1, part 2) for more information.
[$] Debian dismisses AI-contributions policy
In April, the Gentoo Linux project banned the use of generative AI/ML tools due to copyright, ethical, and quality concerns. This means contributors cannot use tools like ChatGPT or GitHub Copilot to create content for the distribution such as code, documentation, bug reports, and forum posts. A proposal for Debian to adopt a similar policy revealed a distinct lack of love for those kinds of tools, though it would also seem few contributors support banning them outright.
Security updates for Friday
[$] Another push for sched_ext
Security updates for Thursday
[$] LWN.net Weekly Edition for May 9, 2024
[$] Securing Git repositories with gittuf
The so-called software supply chain starts with source code. But most security measures and tooling don't kick in until source is turned into an artifact—a source tarball, binary build, container image, or other method of delivering a release to users. The gittuf project is an attempt to provide a security layer for Git that can handle key management, enforce security policies for repositories, and guard against attacks at the version-control layer. At Open Source Summit North America (OSSNA), Aditya Sirish A Yelgundhalli and Billy Lynch presented an introduction to gittuf with an overview of its goals and status.
Fedora Asahi Remix 40 is now available
Fedora Magazine reports that the Fedora Asahi Remix for Apple Arm hardware, based on Fedora 40, is now available:
Fedora Asahi Remix offers KDE Plasma 6 as our flagship desktop experience. It also features a custom Calamares-based initial setup wizard. A GNOME variant is also available, featuring GNOME 46, with both desktop variants matching what Fedora Linux offers. Fedora Asahi Remix also provides a Fedora Server variant for server workloads and other types of headless deployments. Finally, we offer a Minimal image for users that wish to build their own experience from the ground up.
See the installation guide to get started with the Asahi Remix.
Security updates for Wednesday
[$] A proposal to switch Fedora Workstation's desktop
[$] Systemd heads for a big round-number release
The systemd project is preparing for a new release. Version 256-rc1 was released on April 25 with a large number of changes and new features. Most of the changes relate to security, easier configuration, unprivileged access to system resources, or all three of these. Users of systemd will find setting up containers — even without root access — much simpler and more secure.
GCC 14.1 released
Secure Randomness in Go 1.22 (Go Blog)
For example, when Go 1.20 deprecated math/rand's Read, we heard from developers who discovered (thanks to tooling pointing out use of deprecated functionality) they had been using it in places where crypto/rand's Read was definitely needed, like generating key material. Using Go 1.20, that mistake is a serious security problem that merits a detailed investigation to understand the damage. Where were the keys used? How were the keys exposed? Were other random outputs exposed that might allow an attacker to derive the keys? And so on. Using Go 1.22, that mistake is just a mistake.
Security updates for Tuesday
2023 PSF annual impact report
The Python Software Foundation (PSF) has announced its annual impact report for 2023. The report includes updates from PSF staff as well as summaries of the foundation's activities, financials, and infrastructure. The PSF celebrated the 20th anniversary of PyCon US, distributed more than $370,000 in grants, and enjoyed impressive traffic on PyPI:
In 2023 PyPI saw a 45% growth in download counts and bandwidth alike, serving 603,378,275 downloads for the 516,402 projects hosted there requiring 747.4 Petabytes of data transfer, or 189.6 Gbps of bandwidth 24x7x365.
See the full report for a breakdown of grant disbursements and trends, PSF expenses, and high-level plans for the rest of 2024.
Stenberg: I survived curl up 2024
Daniel Stenberg has posted a report about the recent curl up conference about curl development. It was held over two days in Stockholm. The report has short summaries of the talks with links to the recordings.
curl up is never a big meeting/conference but we have in the past sometimes been around twenty-five attendees. This year's amount of fifteen was the smallest so far, but in this small set of people we have a set of long-term well-known curl contributors. It is not a big list of attendees that creates a good curl up.