Version:6.9-rc5 (mainline) Released:2024-04-21 Source:linux-6.9-rc5.tar.gz Patch:full (incremental)

SiliconANGLE reports that to help organizations detect vulnerabilities earlier, Red Hat has "announced updates to its Trusted Software Supply Chain that enable organizations to shift security 'left' in the software supply chain." Red Hat announced Trusted Software Supply Chain in May 2023, pitching it as a way to address the rising threat of software supply chain attacks. The service secures software pipelines by verifying software origins, automating security processes and providing a secure catalog of verified open-source software packages. [Thursday's updates] are aimed at advancing the ability for customers to embed security into the software development life cycle, thereby increasing software integrity earlier in the supply chain while also adhering to industry regulations and compliance standards. They start with a new tool called Red Hat Trust Artifact Signer. Based on the open-source Sigstore project [founded at Red Hat and now part of the Open Source Security Foundation], Trust Artifact Signer allows developers to sign and verify software artifacts cryptographically without managing centralized keys, to enhance trust in the software supply chain. The second new release, Red Hat Trusted Profile Analyzer, provides a central source for security documentation such as Software Bill of Materials and Vulnerability Exploitability Exchange. The tool simplifies vulnerability management by enabling proactive identification and minimization of security threats. The final new release, Red Hat Trusted Application Pipeline, combines the capabilities of the Trusted Profile Analyzer and Trusted Artifact Signer with Red Hat's internal developer platform to provide integrated security-focused development templates. The feature aims to standardize and accelerate the adoption of secure development practices within organizations. Specifically, Red Hat's announcement says organizations can use their new Trust Application Pipeline feature "to verify pipeline compliance and provide traceability and auditability in the CI/CD process with an automated chain of trust that validates artifact signatures, and offers provenance and attestations."

Read more of this story at Slashdot.

Michael Larabel reports via Phoronix: While Fedora 41 in late 2024 is aiming to have more reproducible package builds, openSUSE Factory has already achieved a significant milestone in bit-by-bit reproducible builds. Since last month openSUSE Factory has been producing bit-by-bit reproducible builds sans the likes of embedded signatures. OpenSUSE Tumbleweed packages for that rolling-release distribution are being verified for bit-by-bit reproducible builds. SUSE/openSUSE is still verifying all packages are yielding reproducible builds but so far it's looking like 95% or more of packages are working out. You can learn more via the openSUSE blog.

Read more of this story at Slashdot.

BrianFagioli shares a report from BetaNews: Mozilla has announced Firefox Nightly for ARM64. This release will cater to the growing demand for support on ARM64 platforms, commonly referred to as AArch64. Feedback from the community has led Mozilla to expand the availability of Firefox Nightly. Users can now access the browser as both .tar archives and .deb packages, depending on their preference and requirements for installation. For those who favor traditional methods, the .tar.bz2 binaries are accessible through Mozilla's downloads page by selecting the option for Firefox Nightly for Linux ARM64/AArch64. Meanwhile, users looking to utilize updates and installation through Mozilla's APT repository can follow specific instructions to install the firefox-nightly package.

Read more of this story at Slashdot.

Linus Torvalds, discussing the AI hype, in a conversation with Dirk Hohndel, Verizon's Head of the Open Source Program Office: Torvalds snarked, "It's hilarious to watch. Maybe I'll be replaced by an AI model!" As for Hohndel, he thinks most AI today is "autocorrect on steroids." Torvalds summed up his attitude as, "Let's wait 10 years and see where it actually goes before we make all these crazy announcements." That's not to say the two men don't think AI will be helpful in the future. Indeed, Torvalds noted one good side effect already: "NVIDIA has gotten better at talking to Linux kernel developers and working with Linux memory management," because of its need for Linux to run AI's large language models (LLMs) efficiently. Torvalds is also "looking forward to the tools actually to find bugs. We have a lot of tools, and we use them religiously, but making the tools smarter is not a bad thing. Using smarter tools is just the next inevitable step. We have tools that do kernel rewriting, with very complicated scripts, and pattern recognition. AI can be a huge help here because some of these tools are very hard to use because you have to specify things at a low enough level." Just be careful, Torvalds warns of "AI BS." Hohndel quickly quipped, "He meant beautiful science. You know, "Beautiful science in, beautiful science out."

Read more of this story at Slashdot.

Version:next-20240419 (linux-next) Released:2024-04-19

Version:next-20240418 (linux-next) Released:2024-04-18

Version:6.8.7 (stable) Released:2024-04-17 Source:linux-6.8.7.tar.xz PGP Signature:linux-6.8.7.tar.sign Patch:full (incremental) ChangeLog:ChangeLog-6.8.7

Version:6.6.28 (longterm) Released:2024-04-17 Source:linux-6.6.28.tar.xz PGP Signature:linux-6.6.28.tar.sign Patch:full (incremental) ChangeLog:ChangeLog-6.6.28

Version:6.1.87 (longterm) Released:2024-04-17 Source:linux-6.1.87.tar.xz PGP Signature:linux-6.1.87.tar.sign Patch:full (incremental) ChangeLog:ChangeLog-6.1.87

Version:5.15.156 (longterm) Released:2024-04-17 Source:linux-5.15.156.tar.xz PGP Signature:linux-5.15.156.tar.sign Patch:full (incremental) ChangeLog:ChangeLog-5.15.156

Version:next-20240417 (linux-next) Released:2024-04-17

Version:next-20240416 (linux-next) Released:2024-04-16

Michael Larabel reports via Phoronix: Within yesterday's Linux 6.9-rc4 release is an interesting little nugget by Linus Torvalds to battle Kconfig parsers that can't correctly handle tabs but rather just assume spaces for whitespace for this kernel configuration format. Due to a patch having been queued last week to replace a tab with a space character in the kernel tracing Kconfig file, Linus Torvalds decided to take matters into his own hand for Kconfig parsers that can't deal with tabs... Torvalds authored a patch to intentionally add some tabs of his own into Kconfig for throwing off any out-of-tree/third-party parsers that can't correctly handle them. Torvalds added these intentional hidden tabs to the common Kconfig file for handling page sizes for the kernel. Thus sure to cause dramatic and noticeable breakage for any parsers not having tabs correctly.

Read more of this story at Slashdot.

Version:next-20240415 (linux-next) Released:2024-04-15

Version:6.9-rc4 (mainline) Released:2024-04-14 Source:linux-6.9-rc4.tar.gz Patch:full (incremental)