Tech News Digest – April 17, 2025

Dallas Spohn

📢 Or is it?

[$] LWN.net Weekly Edition for April 17, 2025

Category: Linux
Tags: General
Published: Thu, 17 Apr 2025 01:00:42 +0000
TL;DR: The latest LWN.net Weekly Edition features articles on APT 3.0 and Fedora 42, plus more coverage of the Linux Storage, Filesystem, Memory Management, and BPF Summit (LSFMM+BPF). The edition also includes briefs on CVE funding and software updates, and announcements regarding newsletters, conferences, security patches, and more.

Inside this week's LWN.net Weekly Edition:

  • Front: APT 3.0; Fedora 42; Lots more LSFMM+BPF coverage.
  • Briefs: CVE funding; Yelp vulnerability; Fedora 42; Manjaro 25.0; GCC 15; Pinta 3.0; Quotes; ...
  • Announcements: Newsletters, conferences, security updates, patches, and more.


[$] What's new in APT 3.0

Category: Linux
Tags: General
Published: Wed, 16 Apr 2025 18:07:18 +0000
TL;DR: Debian's Advanced Package Tool (APT) has been upgraded to version 3.0, which will be included in the upcoming Debian 13 ("trixie") release planned for 2025. The new APT features user-interface improvements, uses Sequoia to verify package signatures, and includes a new solver called solver3 that improves how it evaluates and resolves package dependencies.

Debian's Advanced Package Tool (APT) is the suite of utilities that handle package management on Debian and Debian-derived operating systems. APT recently received a major upgrade to 3.0 just in time for inclusion in Debian 13 ("trixie"), which is planned for release sometime in 2025. The version bump is warranted; the latest APT has user-interface improvements, switches to Sequoia to verify package signatures, and includes solver3—a new solver that is designed to improve how it evaluates and resolves package dependencies.


Catanzaro: Dangerous arbitrary file read vulnerability in Yelp

Category: Linux
Tags: General
Published: Wed, 16 Apr 2025 17:54:00 +0000
TL;DR: A severe vulnerability, CVE-2025-3155, was discovered in GNOME's help browser Yelp, allowing attackers to read arbitrary files and execute JavaScript code. The issue has been public for several weeks and not yet fixed upstream, prompting Michael Catanzaro to ask Linux vendors to apply proposed patches to mitigate the risk despite the lack of an official fix.

GNOME contributor Michael Catanzaro has written a blog post about a noteworthy vulnerability in GNOME's help browser, Yelp.

I don't normally blog about particular CVEs, but Yelp CVE-2025-3155 is noteworthy because it is quite severe, public for several weeks now, and not yet fixed upstream. In short, help files can read your filesystem and execute arbitrary JavaScript code, allowing an attacker to exfiltrate any files your Unix user has access to.

The vulnerability was first reported on December 25, and it was made public on March 26 after the 90-day-disclosure deadline was reached. Patches have been proposed to fix the issue. The bug reporter has published a writeup demonstrating the attack. Catanzaro asks that Linux vendors "please consider applying the provided patches even though they have not yet been accepted upstream".



[$] Parallel directory operations

Category: Linux
Tags: Linux
Published: Wed, 16 Apr 2025 17:09:52 +0000
TL;DR: Jeff Layton discussed allowing directories to be modified in parallel at the 2025 Linux Storage, Filesystem, Memory Management, and BPF Summit, citing use cases for NFS and Lustre filesystems where contention when creating multiple files in a directory causes performance problems. Layton noted that the inode read-write semaphore is serializing operations and wanted to explore alternative solutions.

Allowing directories to be modified in parallel was the topic of Jeff Layton's filesystem-track session at the 2025 Linux Storage, Filesystem, Memory Management, and BPF Summit (LSFMM+BPF). There are certain use cases, including for the NFS and Lustre filesystems, as mentioned in a patch set referenced in the topic proposal, where contention in creating multiple files in a directory is causing noticeable performance problems. In some testing, Layton has found that the inode read-write semaphore (i_rwsem) for the directory is serializing operations; he wanted to discuss alternatives.

[$] Taking BPF programs beyond one-million instructions

Category: Linux
Tags: General
Published: Wed, 16 Apr 2025 16:44:29 +0000
TL;DR: The BPF verifier is not capable of solving the halting problem and therefore assumes that an unverifiable program will run too long, rather than allowing it to potentially cause issues. The ultimate limit on BPF programs is one million instructions, beyond which the verifier will refuse to process any further code, regardless of its correctness.

The BPF verifier is not magic; it cannot solve the halting problem. Therefore, it has to err on the side of assuming that a program will run too long if it cannot prove that the program will not. The ultimate check on the size of a BPF program is the one-million-instruction limit — the verifier will refuse to process more than one-million instructions, no matter what a BPF program does. Alexei Starovoitov gave a talk at the 2025 Linux Storage, Filesystem, Memory-Management, and BPF Summit about that limit, why correctly written BPF programs shouldn't hit it, and how to make the user experience of large BPF programs better in the future.



Written by

Dallas Spohn

Dallas, a seasoned professional with a diverse background, transitions seamlessly between roles as a systems admin turned developer, technical writer, and curriculum developer at Red Hat. With a knack for unraveling complex concepts, he crafts engaging materials primarily in DocBook, guiding enthusiasts through the intricacies of Red Hat's certification courses. In his earlier days, Dallas's passion for Anime led him to contribute to Anime News Network, channeling his creativity and expertise into captivating content. His contributions extended beyond writing as he interviewed prominent figures in the Anime industry, offering insights into their creative processes and visions. Beyond his professional pursuits, he's a devoted husband and father, cherishing moments with his loved ones. Dallas's journey in the tech industry spans various roles, from a security developer at NTT Security to an operations architect overseeing Linux servers for commercial transcoding. His tenure at esteemed institutions like Goldman Sachs and Lockheed Martin has honed his skills as a systems engineer, instilling in him a deep-rooted understanding of complex systems. An avid FPV pilot, Dallas finds exhilaration in soaring through the skies with his drones, often contemplating the lessons learned from his aerial adventures. His diverse experiences, including serving as a naval submariner aboard the USS Alexandria and pursuing higher education in England, enrich his perspective and fuel his thirst for knowledge.