Thanks to a colleague who introduced me to Nim during last week’s SUSE Labs conference, I became a man with a dream, and after fiddling with compiler flags and obviously not reading documentation, I finally made it.

This is something that shouldn’t exist; from the list of ideas that should never have happened.

But it does. It’s a Perl interpreter embedded in Rust. Get over it.

Once cloned, you can run the following commands to see it in action:

• cargo run --verbose -- hello.pm showtime
• cargo run --verbose -- hello.pm get_quick_headers

How it works

There is a lot of autogenerated code, mainly for two things:

• bindings.rs and wrapper.h; I made a lot of assumptions and perlxsi.c may or may not be necessary in the future (see main::xs_init_rust), depends on how bad or terrible my C knowledge is by the time you’re reading this.
• xs_init_rust function is the one that does the magic, as far as my understanding goes, by hooking up boot_DynaLoader to DynaLoader in Perl via ffi.

With those two bits in place, and thanks to the magic of the bindgen crate, and after some initialization, I decided to use Perl_call_argv, do note that Perl_ in this case comes from bindgen, I might change later the convention to ruperl or something to avoid confusion between that a and perl_parse or perl_alloc which (if I understand correctly) are exposed directly by the ffi interface.

What I ended up doing, is passing the same list of arguments (for now, or at least for this PoC), directly to Perl_call_argv, which will in turn, take the third argument and pass it verbatim as the call_argv

        Perl_call_argv(myperl, perl_sub, flags_ptr, perl_parse_args.as_mut_ptr());

Right now hello.pm defines two sub routines, one to open a file, write something and print the time to stdout, and a second one that will query my blog, and show the headers. This is only example code, but enough to demostrate that the DynaLoader works, and that the embedding also works :)

I got most of this working by following the perlembed guide.

Why?

Why not?.

I want to see if I can embed also python in the same binary, so I can call native perl, from native python and see how I can fiddle all that into os-autoinst

Where to find the code?

On github: https://github.com/foursixnine/ruperl or under https://crates.io/crates/ruperl

Welcome to the monthly update for openSUSE Tumbleweed for April 2024. This month began after addressing last month’s supply chain attack against xz compression library for the rolling release. An explanation of that XZ Backdoor, how it was address and what was learned can be found on news.opensuse.org.

A flurry of updates, enhancements, and crucial security fixes arrived in openSUSE’s rolling release this month as the busy season for conferences begins. Should readers desire a more frequent amount of information about snapshot updates, readers are encouraged to subscribe to the openSUSE Factory mailing list.

New Features and Enhancements

• Linux Kernel: The month of April had a few kernel updates. Notable changes with the 6.8.5 version included mitigation for Branch History Injection (BHI) vulnerabilities, improvements to Spectre mitigation, updates for Intel graphics drivers, fixes for SMB client vulnerabilities and fixes for RISC-V architecture. Version 6.8.7 included updates and fixes for AMD display drivers, Intel i915 driver, x86 speculative execution vulnerabilities, arm 64 device tree files, DRM drivers, filesystem handling, and more.
• KDE Frameworks 6.1.0: The numpy package introduces enhanced support for structured arrays and flexible indexing, while pandas incorporates improved handling of missing data and new methods for data manipulation. Additionally, the matplotlib package offers enhanced customization options for plot aesthetics. New algorithms for machine learning tasks in scikit-learn were included in the update.
• KDE Gear 24.02.2: The KDE Gear 24.02.2 update encompasses a wide range of fixes and enhancements, including resolving issues with tag addition functionality in Akonadi, addressing translated shortcut and icon appearance problems in Akregator, various improvements and fixes in ark such as disabling RAR4 compression method, multiple fixes in Elisa including volume slider and track playback issues and numerous enhancements in Konsole. There were fixes for calendar selection and the todo view updates in Korganizer.
• PHP8 8.3.6: There were significant bug fixes, security patches and improvements across different components including in the update. Besides fixes with Core, DOM, GD, Opcache and Session other fixes include:
  • FPM: Fixes have been applied to address issues with the configuration test running twice in daemonized mode and incorrect checks in fpm_shm_free().
  • Gettext: Fixes have been made to address issues with dcgettext and dcngettext calls with specific configurations.
  • MySQLnd: Various fixes have been applied, including correcting handshake response and charset length checks.
  • Random: Compatibility improvements have been introduced for PHP versions prior to 8.2, and issues with global Mt19937 reset have been resolved.
  • Standard: Validation has been added for specific characters in the mail() function, and various bug fixes have been implemented, including addressing command injection and cookie bypass vulnerabilities. (Noted in CVE-2024-1874, CVE-2024-2756 and fixing issues with mb_encode_mimeheader and password_verify with CVE-2024-3096 and CVE-2024-2757.
• Mozilla Firefox 125.0.2. The browser brought new features such as:
  • Support for AV1 codec in Encrypted Media Extensions (EME) for improved video playback quality.
  • Enhanced PDF viewer capabilities with text highlighting.
  • Introduction of the URL Paste Suggestion feature, improving usability by allowing quick navigation to URLs copied to the clipboard.
  • Multiple critical security fixes addressing vulnerabilities like out-of-bounds reads and use-after-free errors that enhance browser security.
• dracut: There were improvements such as the addition of tpm2.target and systemd-tpm2-generator and several memory leak fixes.
• ffmpeg: Versions 4 and 6 took care of some video handling issues and made fixes for memory leaks with improved EOF handling. The updates addresses:
  • CVE-2023-51793 and CVE-2023-49502.
  • CVE-2023-50008 and CVE-2023-50007
• sqlite3: An update from version 3.45.2 to 3.45.3 addresses a long-standing bug affecting the accuracy of trigger responses in certain UPSERT operations to ensure for more reliable database operations.
• Flatpak: The 1.15.8 update had some security fixes to prevent sandbox escape and various other usability improvements.
• Python3.11: The 3.11.9 version had various security patches and bug fixes, such as addressing CVE-2023-52425, updating bundled libexpat to version 2.6.0, fixing possible crashes in collections.deque.index() and improves SSLContext behavior.
• Cppcheck: New checks in version 2.14.0 include:
  • eraseIteratorOutOfBounds: Warns about calling erase() on an iterator that is out of bounds, enhancing the robustness of code.
  • returnByReference: Warns when a large class member is returned by value from a getter function, which can impact performance and memory usage.

Other Package Updates

• SDL2: Version 2.30.2 introduces support for various new controllers, including the 6-button SEGA Mega Drive Control Pad and the Hori Fighting Stick EX2.
• Cryptsetup: Version 2.7.2 addressed several issues, including fixes for OPAL device formatting and activation.
• SpamAssassin: A package with a great name, version 4.0.1 enhances URL shortener link redirection handling and improved TxRep locking management, which bolsters email security for users.

Bug Fixes

• Xwayland: CVE-2024-31083 This critical security vulnerability mitigates an Xorg servers vulnerable due to use-after-free flaw in ProcRenderAddGlyphs(), allowing authenticated attackers to execute arbitrary code.
• [PHP8]((https://www.php.net/):CVE-2023-51793, CVE-2023-49502, CVE-2023-50008 and CVE-2023-50007
• glibc: CVE-2024-2961 allows buffer overflow when converting to ISO-2022-CN-EXT, causing crashes or variable overwrites. libxml2: CVE-2024-25062 was a vulnerablity to use-after-free via crafted XML documents.
• Python3.11: CVE-2023-52425, CVE-2023-6597
• QEMU: Backports and bugfixes were made for a flaw that allows a malicious guest to crash QEMU and cause a denial of service condition with CVE-2024-3567. CVE-2024-3446 could affect arbitrary code execution and CVE-2024-3447 was also backported.
• Freerdp2: Version 2.11.5 provided fixes for CVE-2023-40574, which experienced an Out-Of-Bounds Write in the writePixelBGRX function that was likely due to incorrect variable calculations, and CVE-2023-40575, which results in crashes.

Conclusion

The month of April 2024 had a blend of feature enhancements and crucial security fixes. From improved gaming support with SDL2 to strengthened encryption practices with Cryptsetup, users benefited from a host of updates aimed at enhancing functionality, stability and security. Other packages to update in Tumbleweed during the month were Mesa, GTK4, transactional-update and more .

For those Tumbleweed users that want to contribute, subscribe to the openSUSE Factory mailing list. The openSUSE team encourages users to continue participating through bug reports, feature suggestions and discussions.

Contributing to openSUSE Tumbleweed

Your contributions and feedback make openSUSE Tumbleweed better with every update. Whether reporting bugs, suggesting features, or participating in community discussions, your involvement is highly valued.

openSUSE Leap 15.6 exited Beta and entered its Release Candidate phase with build 669.1 last week. You can get Leap 15.6 RC install images from get.opensuse.org.

This means the release is considered featurefull and contributors should focus on bug fixes and eliminating any remaining build failures.

Users who are eager to install Leap 15.6 on their machines should check the release’s known issues to see if there is any issue that prevents the use of the RC.

The release team was able to deliver a long time awaited Cockpit for both Leap and SUSE Package Hub users. Users might be familiar with Cockpit’s web-based admin interface from Leap Micro tutorials.

Users are advised not to publicly expose Port 9090 used with the admin interface; just like people shouldn’t expose their router’s web interface to the public.

`$ sudo zypper in cockpit`

`$ sudo systemctl enable --now cockpit.socket`

`$ firefox https://localhost:9090 # login as root for admin access`

Previous attempts to include Cockpit in Leap 15.5 were made, but there were several blockers. Inclusion was possible thanks to a refresh of the python311 stack, which was part of massive update effort for SUSE Linux Enterprise Server 15 Service Pack 6 along with unification branding. The team was able to build Cockpit once and provide it for both SLES and Leap users with this RC.

There is no existing SELinux policy on Leap 15.X so the SELinux part of Cockpit is not expected to be working. The release team expects to have an SELinux policy in Leap 16, so this will be working for future releases.

Happy Hacking!

Your favorite Linux distribution is X. You test everything there. However, your colleagues use distro Y, and another team distro Z. Nightmares start here: the same commands install a different set of syslog-ng features, configuration defaults and use different object names in the default configuration. I ran into these problems while working with Gábor Samu on his HPC logging blog.

From this blog you can learn about some of the main differences in packaging and configuration of syslog-ng in various Linux distributions and FreeBSD, and how to recognize these when configuring syslog-ng on a different platform.

https://www.syslog-ng.com/community/b/blog/posts/using-syslog-ng-on-multiple-platforms

Dear Tumbleweed users and hackers,

This week has been filled with 7 snapshots (0411, 0412, 0414, 0415, 0416, 0416, and 0418). From a staging perspective, things looked rather easy – which means the package maintainers have done a great job submitting things that work and have most likely been pretested. The most interesting changes during this week include:

• Apache 2.4.59
• Linux kernel 6.8.5 & 6.8.6
• Pam 1.6.1
• Kiwi 10.0.10 & 10.0.12
• KDE Gear 24.02.2
• KDE Frameworks 6.1.0
• KDE Plasma 6.0.4
• SDL3 (no consumers yet)

Staging projects are well balanced, some are in ready to accept for the next snapshots, some are building/testing and, as usual, some are failing tests. The most interesting changes currently being tested are:

• Python 3.11.9 & 3.12.3
• Linux kernel 6.8.7 & kernel-longterm 6.6.28
• util-linux 2.40
• libxml 2.12.6: a long-lasting attempt to get to 2.12.x – but the results are looking good by now. There are two packages left that are failing: VirtualBox & libqt5-qtwebengine. For both, there should be some fixes available.
• dbus-broker: no progress this week
• GCC 14: phase 2: use gcc14 as the default compiler – lots of help needed: https://build.opensuse.org/project/show/openSUSE:Factory:Staging:Gcc7

In March, the configuration for building openSUSE Factory was changed to be bit-by-bit reproducible (except for the embedded signature). Following this, the first openSUSE Tumbleweed packages were verified to be bit-by-bit reproducible.

Thank you to everyone who helped to make this happen. This was an important improvement.

It will take some time to do this verification for all packages to see how many of our packages are reproducible to this detail. Previous verifications, while ignoring some differences that this fixed, succeeded for more than 95 percent of packages.

Contribute

The effort on reproducible builds is a collaboration across many distributions. See how to contribute to reproducible builds in openSUSE.

Uses

Reproducible builds have a multitude of uses for security and quality. To further enhance their utility, reproducible builds need to be combined with other techniques such as distributed post-merge code review and capability based designs.

A recent example is that reproducible builds allow for the creation of proof, simply by rebuilding and comparing the result, that a GCC build whose source was extracted with a compromised xz was not compromised; this process was achieved without needing to reverse engineer how the compromise occurred. Similarly, reproducible builds were reported as being usefully during investigations of the xz compromise.

reproducible builds enable collaboration that otherwise would not be possible by supporting more scientifically-based arguments for security, which can be independently verified.