Linux Mint version 22.1, a long-term-support (LTS) release with support until 2029, is now available. Notable changes in this release include a transition to Aptkit for background package management tasks, Captain to install Debian packages, and a new default theme with improved Wayland compatibility. See the release notes for known issues.

Nick Tait announced on the oss-security mailing list that rsync, the widely used file transfer program, had a number of serious vulnerabilities. Users can mitigate all six vulnerabilities by upgrading to version 3.4.0, which was released on January 14. While all users should upgrade, servers that use rsyncd are especially impacted:

In the most severe CVE, an attacker only requires anonymous read access to a rsync server, such as a public mirror, to execute arbitrary code on the machine the server is running on.

Security updates have been issued by Arch Linux (rsync), Debian (rsync), Fedora (perl-Net-OAuth and redis), Red Hat (ipa, raptor2, rsync, and tuned), Slackware (rsync), SUSE (apache2-mod_jk, git, kernel, rclone, rsync, and webkit2gtk3), and Ubuntu (git, linux-azure-5.4, pdns, pdns-recursor, python-django, rlottie, and rsync).

The Mastodon project has announced that founder Eugen Rochko will be transferring "key Mastodon ecosystem and platform components (including name and copyrights, among other assets)" to a new non-profit organization:

Practically Mastodon will remain headquartered in and operate from Europe primarily. We will continue day-to-day operations through the Mastodon GmbH for-profit entity, which will become wholly owned by the new European not-for-profit entity. The Mastodon GmbH entity automatically became a for-profit as a result of its charitable status being stripped away in Germany. The existing US-based non-profit entity, the 501(c)(3), will continue to function as a fundraising hub.

[...] We are in the process of a phased transition. First we are establishing a new legal home for Mastodon and transferring ownership and stewardship. We are taking the time to select the appropriate jurisdiction and structure in Europe. Then we will determine which other (subsidiary) legal structures are needed to support operations and sustainability.

Rochko has, naturally, also posted about the transition on Mastodon.social.

TuxFamily is a French free-software-hosting service that has been in operation since 1999. It is a non-profit that accepts "any project released under a free license", whether that is a software license or a free-content license, such as CC-BY-SA. It is also, unfortunately, slowly dying due to hardware failures and lack of interest. For example, the site's download servers are currently offline with no plan to restore them.

The ptrace() system call allows a suitably privileged process to modify another in a large number of ways. Among other things, ptrace() can intercept system calls and make changes to them, but such operations can be fiddly and architecture-dependent. This patch series from Dmitry Levin seeks to improve that situation by adding a new ptrace() operation to make changes to another process's system calls in an architecture-independent manner.

Security updates have been issued by AlmaLinux (kernel, NetworkManager, and thunderbird), Fedora (golang-github-aws-sdk-2, golang-github-aws-smithy, golang-github-ncw-swift-2, rclone, and thunderbird), Mageia (ceph, firefox, and thunderbird), Oracle (kernel, NetworkManager, and thunderbird), Red Hat (fence-agents and raptor2), SUSE (dpdk, firefox, frr, grafana, operator-sdk, perl-Module-ScanDeps, proftpd, python311-mistune, redis, thunderbird, valkey, and yq), and Ubuntu (hplip and webkit2gtk).

Hans de Goede has posted an update about his work to support IPU6 cameras on Fedora and submitting fixes upstream.

The initial IPU6 camera support landed in Fedora 41 only works on a limited set of laptops. The reason for this is that with MIPI cameras every different sensor and glue-chip like IO-expanders needs to be supported separately.

I have been working on making the camera work on more laptop models. After receiving and sending many emails and blog post comments about this I have started filing Fedora bugzilla issues on a per sensor and/or laptop-model basis to be able to properly keep track of all the work.

LWN covered the lack of IPU6 drivers in 2022.

Chimera Linux is a new distribution designed to be "simple, transparent, and easy to pick up". The distribution is built from scratch, and recently announced its first beta release. While the documentation and installation process are both a bit rough, the project already provides a usable desktop with plenty of useful software — one built primarily on tools adopted from BSD.

The blog of the SeaMonkey project, which develops an all-in-one internet application suite based on Mozilla code, has reported the sad news of the sudden passing of Bill Gianopoulos ("WG9s") on January 6 (obituary). He was a core developer and release engineer for the project.

Security updates have been issued by AlmaLinux (dpdk, firefox, iperf3, thunderbird, and webkit2gtk3), Debian (firefox-esr, gnuchess, node-mocha, openafs, python-django, and thunderbird), Fedora (libxmp, python-jinja2, suricata, thunderbird, and xen), Mageia (avahi, libjxl, opencontainers-runc, radare2, rizin, and tinyproxy), Oracle (cups, dpdk, firefox, iperf3, kernel, thunderbird, and webkit2gtk3), SUSE (apptainer, chromedriver, dnsmasq, govulncheck-vulndb, gstreamer, gstreamer-plugins-base, gstreamer-plugins-good, logback, and python311-slixmpp), and Ubuntu (libxmltok, linux-realtime, roundcube, and snapd).

Linus has released 6.13-rc7 for testing. "So unless something odd happens the upcoming week, I expect to release a final 6.13 next week as per the normal schedule". Read the full announcement for your details on how to get a free guitar pedal assembled by Linus himself.

Version 2.48.0 of the Git source-code management system has been released. There is a long list of incremental improvements and bug fixes; see the announcement and the highlights blog from GitHub for details.

We have just now received word of the passing of Paolo Mantegazza, the driving force behind the Real Time Application Interface project and a key figure in the development of realtime Linux.

Paolo used to describe himself as a simple practitioner of software development, one of whose missions was to contribute a free real-time system his students could use, study and improve for their research work at the university, welcoming others to join. Many Linux users and businesses owe him a lot, because under his leadership, the RTAI project has always defended the freedom of developers to implement real-time systems, particularly at times when it was threatened. His fierce will for RTAI served the Xenomai project, as well as others.

He will be missed. (LWN interviewed Mantegazza in 2001).

The death of Bram Moolenaar, Vim founder and benevolent dictator for life (BDFL), in 2023 sent a shock through the community, and raised concern about the future of the project. At VimConf 2024 in November, current Vim maintainer Christian Brabandt delivered a keynote on "the new Vim project" that detailed how the community has reorganized itself to continue maintaining Vim and what the future looks like.

Automattic has announced that it is reallocating its resources away from contributing to the WordPress project as a response to the WP Engine lawsuit:

As part of this reset, Automattic will match its volunteering pledge with those made by WP Engine and other players in the ecosystem, or about 45 hours a week that qualify under the Five For the Future program as benefitting the entire community and not just a single company. These hours will likely go towards security and critical updates.

LWN last covered the ongoing WordPress saga in December. [Thanks to Paul Wise for the heads-up on this latest development.]

After yesterday's stable kernel releases, Chris Clayton reported a build problem with 6.6.70, which prompted Greg Kroah-Hartman to release 6.6.71 to fix it.

Security updates have been issued by Fedora (chromium and mingw-poppler), Red Hat (dpdk, thunderbird, and webkit2gtk3), SUSE (firefox, govulncheck-vulndb, gstreamer, gstreamer-plugins-base, gstreamer-plugins-good, libmfx, openjpeg2, python310, python312, python39, tomcat, and webkit2gtk3), and Ubuntu (golang-golang-x-net).

Version 1.84.0 of the Rust language has been released. Changes include improved version selection for dependencies in Cargo, the beginning of the migration to a new trait solver, and some updated pointer-provenance APIs.

Most of the time, programmers do not need to worry much about provenance, and it is very clear how a pointer got derived. However, when casting pointers to integers and back, the provenance of the resulting pointer is underspecified. With this release, Rust is adding a set of APIs that can in many cases replace the use of integer-pointer-casts, and therefore avoid the ambiguities inherent to such casts. In particular, the pattern of using the lowest bits of an aligned pointer to store extra information can now be implemented without ever casting a pointer to an integer or back. This makes the code easier to reason about, easier to analyze for the compiler, and also benefits tools like Miri and architectures like CHERI that aim to detect and diagnose pointer misuse.

The Software Freedom Conservancy is reporting that AVM has released the full source and installation scripts for its routers in response to a lawsuit, filed by Sebastian Steck, based on Lesser GNU Public License rights.

Historically, lawsuits have focused on the copyrights licensed under GPL (or the GPL and LGPL together). Steck's lawsuit uniquely focused exclusively on users' rights under the LGPL. Steck's work showed that despite being a "Lesser" license than GPL, LGPLv2.1 still guarantees users the right to repair, modify and reinstall modified versions of the software on their device. There is now no doubt that both GPL and LGPL mandate the device owner's ability to make changes to the software in the flash memory so those changes persist across reboots.