[$] Building secure images with NixOS
Image-based Linux distributions have seen increasing
popularity recently. They promise reliability and security, but pose packaging
problems for existing distributions. Ryan Lahfa and Niklas Sturm spoke about the
work that NixOS has done to enable an image-based workflow at this year's All
Systems Go! conference in Berlin.
Unfortunately, LWN was not able to cover
the conference for scheduling reasons, but the videos of the event are available
for anyone interested in watching the talks.
Lahfa and Sturm explained that
it is currently possible to create a NixOS system that cryptographically
verifies the kernel, initrd, and Nix store on boot — although doing so still has
some rough edges. Making an image-based NixOS installation is similarly
possible.
Funding restored for man-page maintenance
Man pages maintainer Alejandro Colomar announced in
September that he was suspending his work due to a lack of support. He has now
let it be known that funding has been found for the next year at least:
We've been talking for a couple of months, and we have already agreed to sign a
contract through the LF [Linux Foundation], where a number of companies
provide the funds for the contract. The contract will cover the next 12 months
for the agreed amount, and we should sign it in the following days. Since
I've already seen a draft of the contract, and it looks good, I've already
started maintaining the project again, starting on Nov 1st.
Security updates for Wednesday
Security updates have been issued by AlmaLinux (libtiff),
Debian (context, libheif, and thunderbird), Fedora (php-tcpdf, syncthing, and
thunderbird), Gentoo (EditorConfig core C library, Flatpak, Neat VNC, and
Ubiquiti UniFi), Oracle (bcc, bpftrace, grafana-pcp, haproxy, kernel, krb5,
libtiff, python-gevent, python3.11-urllib3, python3.12-urllib3, and xmlrpc-c),
Red Hat (python3.11-urllib3), SUSE (audacity, curl, govulncheck-vulndb, gradle,
htmldoc, libgsf, python310, and qbittorrent), and Ubuntu (linux-aws-5.4,
linux-oracle-5.4, mpg123, and python-werkzeug).
LXQt 2.1.0 released
Version 2.1.0 of the LXQt lightweight Qt desktop
environment has been released. The highlight of this release is support for
multiple Wayland compositors: Through its new component lxqt-wayland-session,
LXQt 2.1.0 supports 7 Wayland sessions (with Labwc, KWin, Wayfire, Hyprland,
Sway, River and Niri), has two Wayland back-ends in lxqt-panel (one for
kwin_wayland and the other general), and will add more later. All LXQt
components that are not limited to X11 — i.e., most components — work fine on
Wayland. [...] Of course, the X11 session will be supported indefinitely.
Wayland is optional and rather experimental.
[$] Safety in an unsafe world
Joshua Liebow-Feeser took to the stage at RustConf to
describe the methodology that his team uses to encode arbitrary constraints in
the Rust type system when working on the Fuchsia operating system
(slides).
The technique is not unknown to the Rust community, but Liebow-Feeser
did a good job of both explaining the method and making a case for why it
should be used more widely.