
Welcome to LWN.net

Headlines for March 28, 2025

Bypassing Ubuntu's user-namespace restrictions

[Security] Posted Mar 27, 2025 20:51 UTC (Thu) by jzb

Ubuntu 23.10 and 24.04 LTS introduced a feature using AppArmor to restrict access to user namespaces. Qualys has reported three ways to bypass AppArmor's restrictions and enable local users to gain full administrative capabilities within a user namespace. Ubuntu has followed up with a post that explains the namespace-restriction feature in detail, and says these bypasses do not constitute security vulnerabilities.

While a superficial observation of the application of user namespaces may indicate privileged (root level) access, this is a fictitious state that is operating as expected, with access control still mapped to the real (root namespace) user's permissions. As such, these bypasses do not enable more access than what the default Linux kernel unprivileged user namespace feature allows in most Linux distributions. They do, however, demonstrate limitations that we are looking to address in order to strengthen existing protections against as-of-yet-unknown Linux kernel vulnerabilities.

LWN covered Ubuntu 24.04 LTS last May.

Comments (none posted)

Rust adopting Ferrocene Language Specification

[Development] Posted Mar 27, 2025 19:38 UTC (Thu) by daroc

One recurring criticism of Rust has been that the language has no official specification. This is a barrier to adoption in some safety-conscious organizations, as well as to writing alternate language implementations. Now, the Rust project has announced that it will be adopting the Ferrocene Language Specification (FLS) developed by Ferrous Systems and maintaining it as part of the core project. While this may not satisfy die-hard standardization-process enthusiasts, it's a step toward removing another barrier to using Rust in safety-critical systems.

It's in that light that we're pleased to announce that we'll be adopting the FLS into the Rust Project as part of our ongoing specification efforts. This adoption is being made possible by the gracious donation of the FLS by Ferrous Systems. We're grateful to them for the work they've done in assembling the FLS, in making it fit for qualification purposes, in promoting its use and the use of Rust generally in safety-critical industries, and now, for working with us to take the next step and to bring the FLS into the Project.

Comments (7 posted)

A burst of progress on the GCC Rust front end

[Development] Posted Mar 27, 2025 15:56 UTC (Thu) by corbet

Arthur Cohen has posted a massive series of patches in four parts (part 1, part 2, part 3, part 4) upstreaming all of the recent work on the GCC Rust front end. These changes include the Polonius borrow checker, the foreign-function interface, inline assembly support, if-let statement handling, multiple built-in derive macros, for loops, and more.

Comments (none posted)

[$] A process for handling Rust code in the core kernel

[Kernel] Posted Mar 27, 2025 13:43 UTC (Thu) by corbet

The 2024 Linux Storage, Filesystem, Memory-Management, and BPF Summit included a tense session on the use of Rust code in the kernel's filesystem layer. The Rust topic returned in 2025 in a session run by Andreas Hindborg, with a scope that also covered the storage and memory-management layers. A lot of progress has been made, and the discussion was less adversarial this year, but there are still process issues that need to be worked out.

Full Story (comments: 12)

Security updates for Thursday

[Security] Posted Mar 27, 2025 13:03 UTC (Thu) by jzb

Security updates have been issued by Arch Linux (exim), Debian (exim4, ghostscript, and libcap2), Red Hat (container-tools:rhel8), SUSE (apache-commons-vfs2, argocd-cli, azure-cli-core, buildah, chromedriver, docker-stable, ed25519-java, kernel, kubernetes1.29-apiserver, kubernetes1.30-apiserver, kubernetes1.32-apiserver, libmbedcrypto7, microcode_ctl, php7, podman, proftpd, tomcat10, and webkit2gtk3), and Ubuntu (containerd, exim4, mariadb, opensaml, and org-mode).

Full Story (comments: none)

A new home for kernel.org

[Kernel] Posted Mar 27, 2025 13:01 UTC (Thu) by corbet

Akamai has sent out a press release saying that it is now hosting the kernel.org repositories.

The Linux kernel is massive — approximately 28 million lines of code. Since 2005, more than 13,500 developers from more than 1,300 different companies have contributed to the Linux kernel. Additionally, there are many kernel versions, and developers update the code constantly, distributing that code to developers who are working on various distributions of Linux. Akamai now delivers the infrastructure that these developers and their users rely on, at no cost, supporting the Git environments developers use to access kernel sources quickly, regardless of where they're based.

Comments (2 posted)

[$] LWN.net Weekly Edition for March 27, 2025

Posted Mar 27, 2025 1:05 UTC (Thu)

The LWN.net Weekly Edition for March 27, 2025 is available.

Inside this week's LWN.net Weekly Edition

  • Front: Open source in government; OSI election; Memory-management medley; Address-space isolation; CMA; 6.14 Development stats; State of the page.
  • Briefs: Asahi Linux progress; Reproducible Debian; rpi-image-gen; Neovim 0.11; OpenH264; Quotes; ...
  • Announcements: Newsletters, conferences, security updates, patches, and more.
Read more

Neovim 0.11 released

[Development] Posted Mar 26, 2025 17:11 UTC (Wed) by jzb

Version 0.11 of the Neovim text editor has been released. Notable changes in this release include simpler Language Server Protocol (LSP) client setup, improved tree-sitter performance, better emoji support, and enhancements for Neovim's embedded terminal emulator. See the release notes for a full list of changes.

Comments (14 posted)

Debian bookworm live images now fully reproducible

[Distributions] Posted Mar 26, 2025 15:07 UTC (Wed) by jzb

In a short note to the Reproducible Builds mailing list, Debian developer Roland Clobus announced that live images for Debian 12.10 ("bookworm") are now 100% reproducible. See the reproducible live images and Debian Live todo pages on the Debian wiki for more information on the images.

Comments (8 posted)

[$] The state of the page in 2025

[Kernel] Posted Mar 26, 2025 12:26 UTC (Wed) by corbet

The folio transition is one of the most fundamental kernel changes ever made; it can be thought of as being similar to replacing the foundation of a building while it remains open for business. So it is not surprising that, for some years, the annual Linux Storage, Filesystem, Memory-Management, and BPF Summit has included a session on the state of this transition. The 2025 Summit was no exception, with Matthew Wilcox updating the group on what has been accomplished, what remains to be done, and where some of the significant problems are.

Full Story (comments: none)

Security updates for Wednesday

[Security] Posted Mar 26, 2025 12:17 UTC (Wed) by jzb

Security updates have been issued by Debian (nginx and ruby-rack), Fedora (expat and libxslt), Mageia (bluez, dcmtk, ffmpeg, and radare2), Red Hat (container-tools:rhel8, gvisor-tap-vsock, kernel, kernel-rt, libreoffice, and podman), SUSE (buildah, forgejo, gitleaks, google-guest-agent, google-osconfig-agent, govulncheck-vulndb, grafana, helm, libxslt, php8, python-gunicorn, and python-Jinja2), and Ubuntu (freerdp2 and varnish).

Full Story (comments: none)

Bhattcharya: Closing the chapter on OpenH264

[Development] Posted Mar 25, 2025 16:20 UTC (Tue) by jzb

Boudhayan Bhattcharya has posted a lengthy article about the announcement that the Freedesktop project is dropping OpenH264 from the Freedesktop SDK for Flatpak applications and runtimes.

Some Flatpak applications that depend on the Freedesktop runtime version 23.08 will lose H.264 playback support starting with the release scheduled for April, unless application developers replace it with the ffmpeg-full extension. The 24.08 runtime is unaffected, and future releases will include a new codecs-extra extension to replace OpenH264 that includes FFmpeg with support for a number of patented codecs.

Considering all things, I think and hope we made the correct decision and hopefully the new org.freedesktop.Platform.codecs-extra works out. libx264, libx265 and others are built from source and there are no binaries or extra-data involved. So we should theoretically be able to patch and fix any issues that come up in the future.

Apart from all this, I'm slightly worried at the prospects of legal issues cropping up with this setup and also that the new extension contains "too much", but we will have to see where things flow.

Comments (18 posted)

[$] Development statistics for 6.14

[Kernel] Posted Mar 25, 2025 12:55 UTC (Tue) by corbet

By the time that Linus Torvalds released the 6.14 kernel, 11,003 non-merge changesets had been pulled into the mainline, making this one of the smallest releases we have seen in some time. Indeed, one must go back to the 4.0 release, which happened almost exactly ten years ago, to find a release with fewer changesets than 6.14. Even so, "small" is relative, and 6.14 contains a lot of significant changes.

Full Story (comments: none)

Security updates for Tuesday

[Security] Posted Mar 25, 2025 11:20 UTC (Tue) by corbet

Security updates have been issued by Debian (ruby-rack), Fedora (chromium, golang-github-openprinting-ipp-usb, OpenIPMI, and python-jinja2), Mageia (kernel, kernel-linus, and wpa_supplicant, hostapd), Red Hat (fence-agents, kernel, kernel-rt, libxml2, libxslt, and pcs), SUSE (cadvisor, docker, freetype2, nodejs-electron, php8, rsync, u-boot, warewulf4, webkit2gtk3, and zvbi), and Ubuntu (elfutils, python3.5, python3.8, ruby-rack, smartdns, and zvbi).

Full Story (comments: none)

The 6.14 kernel is out

[Kernel] Posted Mar 24, 2025 14:47 UTC (Mon) by corbet

Linus has released the 6.14 kernel, a bit later than expected:

So it's early Monday morning (well - early for me, I'm not really a morning person), and I'd love to have some good excuse for why I didn't do the 6.14 release yesterday on my regular Sunday afternoon release schedule.

I'd like to say that some important last-minute thing came up and delayed things.

But no. It's just pure incompetence.

See the LWN merge-window summaries (part 1, part 2) and the KernelNewbies 6.14 page for details on what's new in this release.

Comments (none posted)

[$] Lessons from open source in the Mexican government

[Front] Posted Mar 24, 2025 11:49 UTC (Mon) by jake

The adoption of open-source software in governments has had its ups and downs. While open source seems like a "no-brainer", it turns out that governments can be surprisingly resistant to using FOSS for a variety of reasons. Federico González Waite spoke in the Open Government track at SCALE 22x in Pasadena, California to recount his experiences working with and for the Mexican government. He led multiple projects to switch away from proprietary, often predatory, software companies with some success—and failure.

Full Story (comments: 5)

Security updates for Monday

[Security] Posted Mar 24, 2025 10:59 UTC (Mon) by jake

Security updates have been issued by Debian (libxslt, mercurial, and webkit2gtk), Fedora (chromium, dotnet8.0, ffmpeg, jupyterlab, and kitty), Mageia (expat and libxslt), Red Hat (pcs), SUSE (apptainer, chromium, kernel, libarchive, mercurial, python311, radare2, xorg-x11-server, and zvbi), and Ubuntu (golang-github-cli-go-gh-v2 and nltk).

Full Story (comments: none)

Three Saturday stable kernels

[Kernel] Posted Mar 22, 2025 20:29 UTC (Sat) by jzb

Greg Kroah-Hartman has announced the release of the 6.13.8, 6.12.20, and 6.6.84 stable kernels. Each contains a number of important fixes throughout the kernel tree; users of those series should upgrade.

Comments (none posted)

[$] OSI election ends with unsatisfying results

[Front] Posted Mar 21, 2025 21:46 UTC (Fri) by jzb

The Open Source Initiative (OSI) has announced the results of its recent board of directors election. Ruth Suehle and McCoy Smith are new to the board, while Carlo Piana will serve another term. The results, however, seem tainted in the eyes of some participants and observers. The election has been plagued by missteps from the beginning. It has culminated with the exclusion of three candidates for failing to meet a requirement to sign the OSI board agreement, which was added after the election was over and before results were tallied or announced.

Full Story (comments: 49)

[$] The guaranteed contiguous memory allocator

[Kernel] Posted Mar 21, 2025 17:33 UTC (Fri) by corbet

As a system runs and its memory becomes fragmented, allocating large, physically contiguous regions of memory becomes increasingly difficult. Much effort over the years has gone into avoiding the need to make such allocations whenever possible, but there are times when they simply cannot be avoided. The kernel's contiguous memory allocator (CMA) subsystem attempts to make such allocations possible, but it has never been a perfect solution. Suren Baghdasaryan is trying to improve that situation with the guaranteed contiguous memory allocator patch set, which includes work from Minchan Kim as well.

Full Story (comments: 7)


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds

