[$] Debian AI General Resolution withdrawn
Despite careful planning and months of warning, Debian developer Mo
Zhou has acknowledged that the project needs more time to grapple with
the questions around AI models and the Debian Free Software Guidelines
(DFSG). For now, he has withdrawn his proposed General Resolution (GR)
that would have required the original training data for AI models to
be released in order to be considered DFSG-compliant—though the
debates on the topic continue. ⌘ Read more
Red Hat Enterprise Linux 10 released
Red Hat has announced
the release of Red Hat Enterprise Linux (RHEL) 10. A blog post
accompanying the release provides details on some of the more notable
features, such as encrypted DNS, a developer preview of RHEL 10
for RISC-V,
and image\
mode for RHEL using [bootc](https://lwn.net/A … ⌘ Read more
Security updates for Tuesday
Security updates have been issued by Debian (firefox-esr, openjdk-11, openjdk-17, and wireless-regdb), Fedora (iputils, open-vm-tools, sfnt2woff-zopfli, and woff), Red Hat (postgresql:12), SUSE (apache2-mod_auth_openidc, brltty, helm, python-maturin, and rubygem-rack), and Ubuntu (linux-azure-fips). ⌘ Read more
Go cryptography security audit (The Go Blog)
Roland Shoemaker has published a blog post about a
recent security audit of the cryptography packages shipped as part of
the Go standard library. The audit, performed by the Trail of Bits security firm,
uncovered one low-severity vulnerability in the legacy Go+BoringCrypto
integration, as well as a handful of informational findings.
During the review, there were … ⌘ Read more
[$] Reports from OSPM 2025, day one
The seventh edition of the Power Management and Scheduling\
in the Linux Kernel (known as “OSPM”) Summit took place on March 18-20,
2025. It was organized by Juri Lelli, Frauke Jäger, Tommaso Cucinotta, and
Lorenzo Pieralisi, and was hosted by Linutronix at Alte Fabrik,
Uhldingen-Mühlhofen, Germany. The event was sponsored by Linutronix, Arm,
and the Scuola Superiore Sant’Anna in Pisa. ⌘ Read more
Security updates for Monday
Security updates have been issued by Debian (dropbear, firefox-esr, intel-microcode, net-tools, openafs, thunderbird, and xrdp), Fedora (chromium, micropython, syslog-ng, webkitgtk, and xen), Mageia (dropbear and openssh), Oracle (.NET 9.0, kernel, libjpeg-turbo, and yelp and yelp-xsl), Red Hat (compat-openssl11, git-lfs, grafana, kernel, and osbuild and osbuild-composer), Slackware (mozilla), SUSE (cargo-c, gimp, iputils-20240905, kernel, libraw, microcode_ctl, openssh, pnpm, … ⌘ Read more
Kernel prepatch 6.15-rc7
The 6.15-rc7 kernel prepatch is out for
testing. “So while I wish we hadn’t had some of the excitement of last
week, on the whole it all still looks pretty solid, and unless something
strange happens I’ll do the final 6.15 release next weekend.” ⌘ Read more
Five more stable kernels
The
6.14.7,
6.12.29,
6.6.91,
6.1.139, and
5.15.183
stable kernel updates have been released; each contains another set of
important fixes. ⌘ Read more
An Asahi Linux 6.15 progress report
The Asahi Linux
project, which supports Linux on Apple Silicon Macs, has published a
progress report ahead of the 6.15 kernel’s release.
We are pleased to announce that our graphics driver userspace API
(uAPI) has been merged into the Linux kernel. This major milestone
allows us to finally enable OpenGL, OpenCL and Vulkan support for
Apple Silicon in upstream Mesa. This is the only time a graphics
driver’s uAPI has been merged into the kernel independent … ⌘ Read more
Security updates for Friday
Security updates have been issued by AlmaLinux (.NET 8.0, .NET 9.0, kernel, kernel-rt, redis:6, and yelp and yelp-xsl), Debian (chromium), Red Hat (compat-openssl11, kernel, and thunderbird), and SUSE (nbdkit, open-vm-tools, and rustup). ⌘ Read more
In Memoriam: John L. Young (EFF)
The Electronic Frontier Foundation has posted a somewhat belated memorial\
for John Young, the founder of Cryptome.
John was one of the early, under-recognized heroes of the digital
age. He not only saw the promise of digital technology to help
democratize access to information, he brought that idea into being
and nurtured it for many years. We will miss him and his
unswerving commitment to the public’s r … ⌘ Read more
Rust 1.87.0 released
To commemorate the tenth anniversary of the 1.0 release
of the Rust language,
version\
1.87.0 was announced live today at the 10 Years of Rust
celebration in Utrecht, Netherlands. Notable changes
include the addition of anonymous pipes to the standard library and
the ability for inline assembly ( asm!) to jump to labeled
blocks within Rust code. ⌘ Read more
[$] A new DMA-mapping API
Leon Romanovsky began his session at the 2025 Linux Storage, Filesystem,
Memory Management, and BPF Summit (LSFMM+BPF) by explaining that the improved DMA-mapping API that he has been
working on is a group effort. He, Chaitanya Kulkarni, Christoph Hellwig,
Jason Gunthorpe, and others are proposing to modernize the API and to
“make it more suitable for current kernels”. He told the assembled
storage and filesystem developers that the progress on the proposal has
stalled, but that it was the basis for further … ⌘ Read more
Oniux: kernel-level Tor isolation for Linux applications
The Tor project has announced
the oniux utility which provides Tor network isolation, using Linux
namespaces, for third-party applications.
Namespaces are a powerful feature that gives us the ability to
isolate Tor network access of an arbitrary application. We put each
application in a network namespace that doesn’t provide access … ⌘ Read more
Security updates for Thursday
Security updates have been issued by Debian (open-vm-tools), Fedora (dnsdist), Gentoo (Node.js and Tracker miners), Red Hat (kernel and xdg-utils), SUSE (audiofile, go1.22-openssl, go1.24, grub2, kernel-devel, openssl-1_1, openssl-3, and python311-Django), and Ubuntu (ruby-rack). ⌘ Read more
[$] LWN.net Weekly Edition for May 15, 2025
Inside this week’s LWN.net Weekly Edition:
Front: Home Assistant; YaST; bpfilter; Flatpak; More LSFMM+BPF 2025 coverage.
Briefs: Screen security; Guix on Codeberg; Postgres I/O; GNOME executive director; Nextcloud blog; Podman 5.5.0; OSL sustainability; Quotes; …
Announcements: Newsletters, conferences, security updates, patches, and more. ⌘ Read more
[$] The future of Flatpak
At the Linux Application\
Summit (LAS) in April, Sebastian Wick said that, by many metrics, Flatpak is doing great. The Flatpak
application-packaging format is popular with upstream developers, and
with many users. More and more applications are being published in the
Flathub application store, and the
format is even being adopted by Linux distributions like
Fedora. However, he worried that work on the Flatpak project itself
had s … ⌘ Read more
Podman 5.5.0 released
Version\
5.5.0 of the Podman container-management tool has been
released. Notable features include the addition of a podman machine cp command to copy files into a running Podman\
VM, a podman artifact extract command to copy
contents of an OCI\
artifact to disk, and a --mount=artifa ... ⌘ [Read more](https://lwn.net/Articles/1021217/)
[$] Faster firewalls with bpfilter
From
servers in a data center to desktop computers, many devices
communicating on a network will eventually have to filter network
traffic, whether it’s for security or performance reasons. As a result,
this is a domain where a lot of work is put into improving performance:
a tiny performance improvement can have considerable gains.
Bpfilter is a
project that allows for packet filtering to easily be done with BPF, which can
be faster than other mechanisms. ⌘ Read more
Security updates for Wednesday
Security updates have been issued by AlmaLinux (emacs, firefox, gnutls, java-17-openjdk, java-21-openjdk, osbuild-composer, python39:3.9, and thunderbird), Arch Linux (screen), Debian (varnish), Fedora (chromium), Gentoo (Atop, FreeType, and Spidermonkey), Mageia (java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-latest-openjdk and postgresql15, postgresql13), Oracle (389-ds-base, emacs, firefox, kernel, libsoup, libtiff, mod_auth_openidc:2.3, nodejs:20, nodejs:22, … ⌘ Read more
[$] A look at what’s possible with BPF arenas
BPF arenas are areas of memory where the verifier can safely relax its checking of
pointers, allowing programmers to write arbitrary data structures in BPF. Emil
Tsalapatis reported on how his team has used arenas in writing
sched_ext schedulers at the 2025 Linux Storage, Filesystem,
Memory-Management, and BPF Summit. His biggest complaint was about the fact that
kernel pointers can’t be stored in BPF arenas — someth … ⌘ Read more
Nextcloud claims Google is being anticompetitive
Nextcloud provides an
open-source collaboration platform called Nextcloud Hub, which includes file-sharing and syncing
features. The company has written
a blog post explaining that Google has revoked a critical permission
from the Nextcloud Files app for Android that allows it to sync files
to Nextcloud Hub.
Google is stati … ⌘ Read more
Security updates for Tuesday
Security updates have been issued by Debian (libeconf and rubygems), Fedora (libxmp), Gentoo (glibc), Oracle (java-1.8.0-openjdk, kernel, libxslt, and virtuoso-opensource), SUSE (augeas, git-lfs, kanidm, and tomcat10), and Ubuntu (linux-lts-xenial). ⌘ Read more
Multiple security issues in Screen
The SUSE Security Team has published
an article detailing several security\
issues it has uncovered with GNU Screen. This includes
a local root exploit when Screen is shipped setuid-root, as it is in
some Linux and BSD distributions. The security team also reports [problems\
in coordinating disclosure … ⌘ Read more
Guix project migrating to Codeberg
The Guix project has announced
that it is migrating all of its Git repositories, as well as bug
tracking and patch tracking, from Savannah to the Codeberg Git forge.
As a user, the main change is that your
channels.scm
configuration files, if they refer to the
git.savannah.gnu.orgURL, should be changed to refer to
https://codeberg.org ... ⌘ [Read more](https://lwn.net/Articles/1020885/)
[$] The last of YaST?
The announcement
of the openSUSE Leap 16.0 beta contained something of a
surprise—along with the usual set of changes and updates, it
informed the community of the retirement of “the traditional YaST
stack” from Leap. The YaST (“Yet another Setup Tool”)
installation and configuration utility has been a core part of the
openSUSE distribution since its [inception](https://lists.opensuse.org/archives/list/users@lists.opensuse … ⌘ Read more
Security updates for Monday
Security updates have been issued by Debian (libbson-xs-perl, postgresql-13, redis, and simplesamlphp), Fedora (chromium, deluge, epiphany, golang-github-nats-io-nkeys, libxmp, nodejs22, perl-Compress-Raw-Lzma, php-adodb, python-h11, and xz), Gentoo (firefox, NVIDIA Drivers, Orc, PAM, and thunderbird), Mageia (libreoffice, python-django, and transfig), Red Hat (emacs, firefox, python39:3.9, and thunderbird), SUSE (bird3, freetype2, ldap-proxy, libmosquitto1, and ruby3.4-rubygem-rack … ⌘ Read more
Kernel prepatch 6.15-rc6
Linus has released 6.15-rc6 for testing.
Everything still looks fairly normal - we’ve got a bit more commits
than we did in rc5, which isn’t the trend I want to see as the
release progresses, but the difference isn’t all that big and it
feels more like just the normal noise in timing fluctuation in pull
requests of fixes than any real signal.So I won’t worry about it. We’ve got another two weeks to go in the
normal release schedule, and it still feels … ⌘ Read more
[$] A kernel developer plays with Home Assistant: general impressions
Those of us who have spent our lives playing with computers naturally see
the appeal of deploying them though the home for both data acquisition and
automation. But many of us who have watched the evolution of the
technology industry are increasingly unwilling to entrust critical
household functions to cloud-based servers run by companies that may not
have our best interests at heart. The Apache-licensed Home Assistant project offe … ⌘ Read more
Albertson: OSL’s path to sustainability
Lance Albertson writes that the
Oregon State University Open Source Lab has been funded for the next
year, following his announcement in April
that the future of OSL was in jeopardy. OSL is now focusing on
becoming self-sustainable long term.
The recent support was amazing for our immediate team needs. But
for the OSL to thrive long-term, we need a sustainable financial
foundation. This is crucial, as the … ⌘ Read more
Five more Friday stable kernels
Greg Kroah-Hartman has announced the release of the
6.14.2,
6.12.28,
6.6.90,
6.1.138, and
5.15.182 stable kernel versions. ⌘ Read more
Security updates for Friday
Security updates have been issued by Debian (fossil, libapache2-mod-auth-openidc, and request-tracker4), Fedora (thunderbird), Mageia (firefox and thunderbird), SUSE (389-ds, apparmor, cargo-c, chromium, go1.24, govulncheck-vulndb, java-1_8_0-openjdk, kanidm, libsoup, mozjs102, openssl-1_1, openssl-3, python-Django, sccache, tealdeer, tomcat, transfig, wasm-bindgen, and wireshark), and Ubuntu (libreoffice and python-h11). ⌘ Read more
GNOME Foundation announces new executive director
The GNOME Foundation has announced
the hiring of Steven Deobald as its new executive director.
Steven has been a GNOME user since 2002 and has been involved in
numerous free software initiatives throughout his career. His
professional background spans technical leadership, cooperative
business development, and nonprofit work. Having worked with projects
like [XTDB](htt … ⌘ Read more
[$] A FUSE implementation for famfs
The famfs
filesystem is meant to provide a shared-memory filesystem for large data
sets that are accessed for computations by multiple systems. It was
developed by John Groves, who led a combined filesystem and
memory-management session at
the 2025 Linux Storage, Filesystem, Memory
Management, and BPF Summit (LSFMM+BPF) to discuss it. The session was a
follow-up to [the famfs session at last year’s\
summit](https://lwn.net/Articles … ⌘ Read more
Security updates for Thursday
Security updates have been issued by Debian (chromium, libapache2-mod-auth-openidc, mariadb-10.5, and openssh), Red Hat (osbuild-composer), Slackware (mariadb), SUSE (apache2-mod_auth_openidc, glib2, ImageMagick, libsoup, libsoup2, libva, openvpn, sqlite3, and weblate), and Ubuntu (libsoup3, php-horde-css-parser, and python-django). ⌘ Read more
OpenSUSE removes the Deepin desktop
The openSUSE project has posted a\
detailed explanation on why the Deepin Desktop has been removed
from the distribution; it comes down to a history of security problems and
a deliberate bypass (by the packager) of openSUSE’s security review.
Perhaps tired of waiting, the packager decided to try a different
avenue to get the remaining Deepin components into openSUSE
skirting the review … ⌘ Read more
Fitti: Waiting for Postgres 18: Accelerating Disk Reads with Asynchronous I/O
Lukas Fitti writes in detail
on the pganalyze blog about the asynchronous I/O capability coming with the
PostgreSQL 18 release.
Asynchronous I/O delivers the most noticeable gains in cloud
environments where storage is network-attached, such as Amazon EBS
volumes. In these setups, individual disk reads often take multiple
milliseconds, introducing substantial latency compared to local
SSDs.
… ⌘ Read more
[$] LWN.net Weekly Edition for May 8, 2025
Inside this week’s LWN.net Weekly Edition:
Front: Debian and essential packages; Custom BPF OOM killers; Speculation barriers for BPF programs; More LSFMM+BPF 2025 coverage.
Briefs: Deepin on openSUSE; AUTOSEL; Mission Center 1.0.0; OASIS ODF; Redis license; USENIX ATC; Quotes; …
Announcements: Newsletters, conferences, security updates, patches, and more. ⌘ Read more
Home Assistant 2025.5 released
Version\
2025.5 of the Home Assistant home automation system has been released.
With this release, the project is celebrating two million active
installations. Changes include improvements to the backup system, Z-Wave
Long Range support, a number of new integrations, and more. ⌘ Read more
[$] Hash table memory usage and a BPF interpreter bug
Anton Protopopov led a short discussion at the 2025 Linux Storage, Filesystem,
Memory-Management, and BPF Summit about amount of memory used
by hash tables in BPF programs. He thinks that the current memory layout is
inefficient, and wants to split the structure that holds table entries into two
variants for different kinds of maps. When that proposal proved
uncontroversial, he also took the chance to talk about a bug in BPF’s call
instruction. ⌘ Read more
[$] Debian’s AWKward essential set
The Debian project has the concept of essential\
packages, which provide the bare minimum functionality considered
absolutely necessary (or “essential”) for a system to
function. Packages tagged as essential, and the packages that are
required by the set of essential packages, are always installed as
part of a Debian system. However, Debian’s packaging rules do not
require developers to explicitly declare dependencies on t … ⌘ Read more
Deepin Desktop removed from openSUSE
The SUSE Security Team has announced the removal of the Deepin
Desktop from openSUSE due to violations of the project’s packaging
policy.
The discovery of the bypass of the security whitelistings via the
deepin-feature-enablepackage marks a turning point in our assessment
of Deepin. We don’t believe that the openSUSE Deepin packager acted
with bad intent when he implemented the “license agreement” dialog to
bypas … ⌘ Read more
Security updates for Wednesday
Security updates have been issued by Fedora (incus and nodejs20), Red Hat (freetype, kernel, kernel-rt, libsoup, libtiff, redis, redis:6, and thunderbird), SUSE (apparmor, chromium, grafana, ImageMagick, java-11-openjdk, java-17-openjdk, libsoup, libsoup2, libxslt, opensaml, rabbitmq-server, rubygem-rack-1_6, sqlite3, and thunderbird), and Ubuntu (kernel, libfcgi, libraw, libsoup2.4, linux, linux-aws, linux-aws-5.15, linux-gcp, linux-gke, linux-gkeop, linux-hwe-5.15, linux-ibm, linux-ib … ⌘ Read more
The state of SSL stacks
Willy Tarreau and William Lallemand have posted an extensive white\
paper examining the landscape of the available SSL implementations.
OpenSSL 3.0 performs significantly worse than alternative SSL
libraries, forcing organizations to provision more hardware just to
maintain existing throughput. This raises important questions about
performance, energy efficiency, and operational costs.Examining alternatives—BoringSSL, LibreSSL, WolfSSL, and
… ⌘ Read more
The end of the USENIX Annual Technical Conference
On the 50th anniversary of the USENIX organization, its flagship Annual
Technical Conference (ATC) is coming\
to an end.
For the past two decades, as more USENIX conferences have joined
the USENIX calendar by focusing on specific topics that grew out of
ATC itself, attendance at ATC has steadily decreased to the point
where there is no longer a critical mass of researchers and
p … ⌘ Read more
Mission Center 1.0.0 released
Version\
1.0.0 of Mission Center, a system monitoring application, has been
released. Notable changes in this release include the addition of
SMART data for SATA and NVMe devices, display of per-process\
network usage, as well as a redesigned Apps Page that provides
more information about applications and processes. Mission Center’s
backend ap … ⌘ Read more
[$] Filtering fanotify events with BPF
Linux systems can have large filesystems; trying to keep up with the
stream of
fanotify filesystem-monitoring notifications for them can be a struggle.
Fanotify is one of a few ways to monitor accesses to filesystems provided by the kernel.
Song Liu led a discussion
on how to improve in-kernel filtering of fanotify events to a joint
session of the filesystem and BPF tracks at the 2025 Linux Storage, Filesystem,
Memo … ⌘ Read more
[$] Improving FUSE writeback performance
In a combined filesystem and memory-management session at
the 2025 Linux Storage, Filesystem, Memory
Management, and BPF Summit (LSFMM+BPF), Joanne Koong led a discussion on
improving the writeback performance for the Filesystem in\
Userspace (FUSE) layer. Writeback is how data that is written to the
filesystem is actually flushed to the disk; it is the process of writing
dirty pages from the page cache to storage. The current FUSE
imple … ⌘ Read more
Security updates for Tuesday
Security updates have been issued by Fedora (chromium and kappanhang), Red Hat (osbuild-composer and thunderbird), SUSE (chromedriver), and Ubuntu (c-ares, corosync, mysql-8.0, mysql-8.4, openjdk-17, openjdk-21, openjdk-24, openjdk-8, and openjdk-lts). ⌘ Read more
A new AUTOSEL release
AUTOSEL is a tool that is used to find kernel patches that should be
considered for backporting into the stable releases. Sasha Levin has announced a new and completely
rewritten version of AUTOSEL for those who would like to play with it.
Unlike the previous version that relied on word statistics and
older neural network techniques, AUTOSEL leverages modern large
language models and embedding technology to provide significantly
more accurate recommen … ⌘ Read more
[$] Injecting speculation barriers into BPF programs
The disclosure of the Spectre\
class of hardware vulnerabilities created a lot of pain for kernel
developers (and many others). That pain was especially acutely felt in the
BPF community. While an attacker might have to painfully search the kernel
code base for exploitable code, an attacker using BPF can simply write and
load their own speculation gadgets, which is a much more efficient way of
operating. The BPF comm … ⌘ Read more
Two stable kernels released—with build fixes only
The 6.12.27 and 6.1.137 stable kernels have been released to
fix build problems in their predecessors. Only those who are having
build troubles with 6.12.26 or 6.1.136 need to upgrade. ⌘ Read more
Security updates for Monday
Security updates have been issued by Debian (ansible, containerd, and vips), Fedora (chromium, java-17-openjdk, nodejs-bash-language-server, nodejs-pnpm, ntpd-rs, redis, rust-hickory-proto, thunderbird, and valkey), Mageia (apache-mod_auth_openidc, fcgi, graphicsmagick, kernel-linus, pam, poppler, and tomcat), Red Hat (firefox, libsoup, nodejs:20, redis:6, rsync, webkit2gtk3, xmlrpc-c, and yelp), and SUSE (audiofile, ffmpeg, firefox, libsoup-2_4-1, libsoup-3_0-0, libva, libxml2, and … ⌘ Read more
Kernel prepatch 6.15-rc5
Linus has released 6.15-rc5 for testing.
“So it all feels like things are just continuing to go well this
release. Let’s hope I didn’t jinx it by saying so.” ⌘ Read more
[$] Flexible data placement
At
the 2025 Linux Storage, Filesystem, Memory
Management, and BPF Summit (LSFMM+BPF) Kanchan Joshi and Keith Busch led a
combined storage and filesystem session on data placement, which concerns
how the data on a storage device is actually written. In a discussion
that hearkened back to previous summits, the idea is to give hints to enterprise-class
SSDs to help them make better choices on where the data should go; hinting
was most recently [discussed at the summit in 2023](https://lwn.net/Articles/932900/ … ⌘ Read more
Security updates for Friday
Security updates have been issued by Debian (chromium, nodejs, openjdk-17, and thunderbird), Fedora (firefox, golang-github-nvidia-container-toolkit, and thunderbird), Mageia (kernel), Oracle (ghostscript, glibc, kernel, libxslt, php:8.1, and thunderbird), SUSE (cmctl, firefox-esr, govulncheck-vulndb, java-21-openjdk, libxml2, poppler, python-h11, and redis), and Ubuntu (docker.io, ghostscript, linux-xilinx-zynqmp, and micropython). ⌘ Read more
A pile of stable kernel updates
The
6.14.5,
6.12.26,
6.6.89,
6.1.136,
5.15.181,
5.10.237, and
5.4.293
stable kernel updates have all been released; each contains another set of
important fixes. ⌘ Read more
Redis is now available under the AGPLv3 open source license (Redis blog)
After a somewhat tumultuous switch to the\
Server Side Public License (SSPL) in March 2024, Redis has backtracked
and is now offering Redis under the\
Affero GPLv3 (AGPLv3) starting with Redis 8, CEO Rowan Trollope
announced. The change back to an open-source license was led by Redis creator Salvatore\
”antirez” Sanfillipo, who also contributed the new Vector Set … ⌘ Read more
Celebrating 20 Years of the OASIS Open Document Format
The Document\
Foundation is celebrating
the 20th anniversary of the ratification of the Open Document Format
(ODF) as an OASIS
standard.
Two decades after its approval in 2005, ODF is the only open
standard for office documents, promoting digital independence,
interoperability and content … ⌘ Read more
[$] Custom out-of-memory killers in BPF
The out-of-memory (OOM) killer has long been a scary and controversial part
of the Linux kernel. It is summoned from some dark place when the system
as a whole (or, more recently, any given control group) is running so low
on memory that further allocations are not possible; its job is to kill off
processes until a sufficient amount of memory has been freed. Roman
Gushchin has found a way to make the OOM killer even scarier: adding the
ability to [load\
custom OOM killers in BPF](https://lwn.ne … ⌘ Read more
Security updates for Thursday
Security updates have been issued by Debian (expat, fig2dev, firefox-esr, golang-github-gorilla-csrf, jinja2, libxml2, nagvis, qemu, request-tracker4, request-tracker5, u-boot, and vips), Fedora (firefox, giflib, and thunderbird), Mageia (imagemagick), Red Hat (thunderbird), SUSE (amber-cli, libjxl, and redis), and Ubuntu (h2o, poppler, and postgresql-10). ⌘ Read more
[$] LWN.net Weekly Edition for May 1, 2025
Inside this week’s LWN.net Weekly Edition:
Front: Mailman 2 vulnerabilities; AI in Debian; __nonstring__; Cache-aware scheduling; Freezing filesystems; Socket-level storage; Debugging information; LWN in 2025.
Briefs: Debian election; Kali Linux key; OpenBSD 7.7; Firefox 138.0; GCC 15.1; Meson 1.8.0; Valgrind 3.25.0; FSF review; OSI retrospective; Mastodon; Quotes; …
[Announcements](https://lwn.net/Arti … ⌘ Read more
Albertson: Future of OSL in Jeopardy
Lance Albertson writes
that the Oregon State University Open Source Lab, the home of many
prominent free-software projects over the years, has run into financial
trouble:
I am writing to inform you about a critical and time-sensitive
situation facing the Open Source Lab. Over the past several years,
we have been operating at a deficit due to a decline in corporate
donations. While OSU’s College of Engineering (CoE) has generously
filled this ga … ⌘ Read more
[$] The mystery of the Mailman 2 CVEs
Many eyebrows were raised recently when three vulnerabilities were announced
that allegedly impact GNU Mailman 2.1,
since many folks assumed that it was no longer being supported. That’s
not quite the case. Even though version 3 of
the GNU Mailman mailing-list manager has been available
since 2015, and version 2 was declared (mostly) end of life
(EOL) in 2020, there are still plenty of users and projects still
usi … ⌘ Read more
[$] Better debugging information for inlined kernel functions
Modern compilers perform a lot of optimizations, which can complicate debugging.
Song Liu and Thierry Treyer spoke about a potential improvement to
BPF Type Format (BTF) debugging information that could partially combat that
problem at the 2025 Linux Storage, Filesystem,
Memory-Management, and BPF Summit.
They want to add information on selectively inlined functions to BTF in order to
better support tracing tools.
Trey … ⌘ Read more
The conclusion of the FSF board review
The Free Software Foundation has announced
the completion of the review of its board of directors; the process
resulted in the reconfirmation of all five sitting board members.
The review examined board members Ian Kelling, Geoffrey Knauth,
Henry Poole, Richard Stallman, and Gerald Sussman. The process
generated detailed philosophical and policy discussions between
board members and the FSF’s global associate members on to … ⌘ Read more
How LWN is faring in 2025
Just over six years ago, The Economist described the US economy as “ the envy of the\
world”. That headline would be unlikely to appear now. The economic
boom referenced in that article feels like a distant memory, markets are
falling, and uncertainty is at an all-time high. Like everybody else, LWN
is affected by the current turbulence in the political and economic
spheres; we expect to get through this period, but there will be some
challenges. ⌘ Read more
Security updates for Wednesday
Security updates have been issued by Debian (glibc and libraw), Fedora (digikam, icecat, mingw-LibRaw, perl, perl-Devel-Cover, and perl-PAR-Packer), Red Hat (ghostscript, kernel, and kernel-rt), Slackware (mozilla), SUSE (augeas, firefox, and java-11-openjdk), and Ubuntu (binutils, libxml2, and nodejs). ⌘ Read more
LWN’s Mastodon migration
The LWN.net fediverse (Mastodon) feed has moved; we are now known as @LWN@lwn.net. The migration magic has
shifted many of our followers over automatically but, if you follow that
stream, you might want to make sure that you have shifted to the new
source. ⌘ Read more
Meson 1.8.0 released
Version 1.8.0
of the Meson build system has
been released. Notable changes in this release include the ability to
run rustdoc for Rust projects, support for the c2y and gnu2y
compiler options, and a new argument ( android_exe_type) that
makes it possible to use the same meson.build file for
Android and non-Android systems. ⌘ Read more
Firefox 138.0 released
Version\
138.0 of the Firefox web browser has been released. Changes include
some profile-management improvements, the ability to get weather-related
suggestions in the address bar (US only), and some security fixes. ⌘ Read more
Barnes: Parallel ./configure
Tavian Barnes takes on\
the tedious process of waiting for configure scripts to run.
I paid good money for my 24 CPU cores, but ./configure can only
manage to use 69% of one of them. As a result, this random project
takes about 13.5× longer to configure the build than it does to
actually do the build.The purpose of a ./configure script is basically to run the
compiler a bunch of times and check which runs succeeded. In this
way it … ⌘ Read more
[$] Cache awareness for the CPU scheduler
The kernel’s CPU scheduler has to balance a wide range of objectives. The
tasks in the system must be scheduled fairly, with latency for any given
task kept within bounds. All of the CPUs in the system should be kept busy
if there is enough work to do, but unneeded CPUs should be shut down to
reduce power consumption. A task should also run on the CPU that is most
likely to have cached the memory that task is using. [This patch\
series](https://lwn.net/ml/all/cover.1745199017.git.yu.c.chen@in … ⌘ Read more
Signing key change for Kali Linux
The Kali Linux distribution has announced
that software updates will soon start failing for all users:
This is not only you, this is for everyone, and this is entirely
our fault. We lost access to the signing key of the repository, so
we had to create a new one. At the same time, we froze the
repository (you might have noticed that there was no update since
Friday 18th), so nobody was impacted yet. But we’re going to
unfreez … ⌘ Read more
Security updates for Tuesday
Security updates have been issued by AlmaLinux (glibc, php:8.1, and thunderbird), Debian (libreoffice), Fedora (caddy), Mageia (chromium-browser-stable), Red Hat (php:8.1), SUSE (glow), and Ubuntu (kicad, linux-aws-5.15, linux-azure-nvidia, linux-gcp-5.15, mistral, python-mistral-lib, tomcat8, and trafficserver). ⌘ Read more
Valgrind-3.25.0 is available
Version 3.25.0 of the Valgrind
dynamic-analysis tool has been released. It has lots of new features,
including initial support for RISC-V on Linux, handling zstd-compressed
debug sections, integration of the Linux Test\
Project test suite, support for lots more Linux system calls, and more.
It also has plenty of bug fixes, of course. ⌘ Read more
OSI publishes election retrospective
The Open Source Initiative (OSI) has quietly published
“takeaways” from its internal retrospective on the recent board
of directors election as an update
to the March blog\
post that announced the new members of the board. The election was
controversial, in part, due to poor communication and OSI changing the
election rules and disqualifying sever … ⌘ Read more
[$] Inline socket-local storage for BPF
Martin Lau gave a talk in the BPF track of the 2025 Linux Storage, Filesystem,
Memory-Management, and BPF Summit about a performance problem
plaguing the networking subsystem, and some potential ways to fix it. He works on
BPF programs that need to store socket-local data; amid other improvements to
the networking and BPF subsystems, retrieving that data has become a noticeable
bottleneck for his use case. His proposed fix prompted a good deal of discussion
about how the data should be laid out … ⌘ Read more
Security updates for Monday
Security updates have been issued by AlmaLinux (thunderbird), Debian (distro-info-data, imagemagick, kernel, libsoup2.4, and poppler), Fedora (chromium, java-1.8.0-openjdk, java-1.8.0-openjdk-portable, java-17-openjdk, java-17-openjdk-portable, java-latest-openjdk, pgadmin4, thunderbird, and xz), Mageia (haproxy and libxml2), Oracle (bluez, firefox, gnutls, libtasn1, libxslt, mod_auth_openidc:2.3, ruby:3.1, thunderbird, and xmlrpc-c), Red Hat (delve and golang, glibc, mod_auth_o … ⌘ Read more
Kernel prepatch 6.15-rc4
The 6.15-rc4 kernel prepatch is out for
testing. “So let’s see if this rc ends up avoiding any silly issues -
things certainly look pretty normal, and there were no hurried last-minute
changes this week due to system upgrades”. ⌘ Read more
OpenBSD 7.7 released
The OpenBSD\
7.7 release is available. There is, as usual, a long list of changes;
see the full changelog
for lots of details. ⌘ Read more
[$] Debian debates AI models and the DFSG
The Debian project is discussing a General Resolution (GR) that
would, if approved, clarify that AI models must include training data
to be compliant with the Debian\
Free Software Guidelines (DFSG) and be distributed by Debian as
free software. While GR discussions are sometimes contentious, the
discussion around the proposal from Debian developer Mo Zhou has
been anything but—there seems to be
consensus that AI models are not DFSG-comp … ⌘ Read more
GCC 15.1 released
Version 15.1 of the GNU
Compiler Collection has been released. Changes include implementing the
C23 dialect by default, a number of new C++26 features, experimental
support for unsigned integers in Fortran, a new COBOL front end, and
more. See the GCC 15\
changes page for details. ⌘ Read more
Security updates for Friday
Security updates have been issued by AlmaLinux (thunderbird), Debian (libbpf), Fedora (golang-github-openprinting-ipp-usb, ImageMagick, mingw-libsoup, mingw-poppler, and pgbouncer), SUSE (glib2, govulncheck-vulndb, libsoup-2_4-1, libxml2-2, mozjs60, ruby2.5, and thunderbird), and Ubuntu (linux, linux-azure, linux-azure-5.4, linux-bluefield, linux-gcp, linux-hwe-5.4, linux-ibm, linux-kvm, linux-oracle, linux-oracle-5.4, linux-aws, linux-aws-5.4, linux-gcp-5.4, linux-iot, linux-aws-fips, … ⌘ Read more
Debian Project Leader Election 2025 results
The Debian Project Leader election results
have been announced. Andreas
Tille has been re-elected and will serve another term through
April 2026. LWN looked at the election and\
candidates in early April. ⌘ Read more
[$] Some nonstring turbulence
New compiler releases often bring with them new warnings; those warnings
are usually welcome, since they help developers find problems before they
turn into nasty bugs. Adapting to new warnings can also create disruption
in the development process, though, especially when an important developer
upgrades to a new compiler at an unfortunate time. This is just the
scenario that played out with the [6.15-rc3\
kernel release](https://lwn.net/ml/all/CAHk-=wgjZ4fzDKogXwhPXVMA7OmZf9k0o1oB2FJmv-C1e=typA@mail. … ⌘ Read more
[$] Freezing filesystems for suspend
Sometimes worms have a tendency to multiply once their can is opened.
James Bottomley recently encountered that situation; he led a session in
the filesystem track at the 2025 Linux Storage, Filesystem, Memory
Management, and BPF Summit (LSFMM+BPF) to discuss filesystem behavior with
respect to suspending and resuming the system. As he noted in his topic\
proposal, he came at the problem because he need … ⌘ Read more
Security updates for Thursday
Security updates have been issued by Debian (haproxy and openrazer), Fedora (c-ares and mingw-poppler), Red Hat (thunderbird), SUSE (epiphany, ffmpeg-6, gopass, and libsoup-3_0-0), and Ubuntu (erlang, haproxy, libapache2-mod-auth-openidc, libarchive, linux, linux-aws, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15, linux-gcp, linux-gke, linux-gkeop, linux-hwe-5.15, linux-ibm, linux-intel-iotg, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, … ⌘ Read more
[$] LWN.net Weekly Edition for April 24, 2025
Inside this week’s LWN.net Weekly Edition:
Front: Owen Le Blanc and MCC; UID/GID drift; DMA for UIO; More LSFMM+BPF 2025 coverage.
Briefs: EU OS; RISC-V Fedora; Ubuntu 25.04; NLnet funding; Template strings; Tor Browser 14.5; Quotes; …
Announcements: Newsletters, conferences, security updates, patches, and more. ⌘ Read more
[$] Addressing UID/GID drift in rpm-ostree and bootc
The Fedora Project is looking for solutions to an interesting
problem with its image-based editions and spins, such as the Atomic Desktops
or CoreOS, that are
created with rpm-ostree or bootc. If a package that
is part of a image-based version has a user or group created
dynamically on installation, and it owns files instal … ⌘ Read more
NLnet announces funding for 42 FOSS projects
The NLnet Foundation has announced
the projects that have received funding from its October call
for grant proposals from the Next\
Generation Internet (NGI) Zero Commons Fund.
The selected projects all contribute, one way or another, to the
mission of the Commons Fund: reclaiming the … ⌘ Read more
[$] VFS write barriers
In the filesystem track at the 2025 Linux Storage, Filesystem, Memory
Management, and BPF Summit (LSFMM+BPF), Amir Goldstein wanted to resume
discussing
a feature that he had briefly introduced at the end of a 2023 summit session: filesystem “write
barriers”. The idea is to have an operation that would wait for any
in-flight write()
system calls, but not block any new write() calls as bigger
hammers, such as freezi … ⌘ Read more
Security updates for Wednesday
Security updates have been issued by AlmaLinux (bluez, expat, and postgresql:12), Fedora (chromium, golang, LibRaw, moodle, openiked, ruby, and trafficserver), Red Hat (bluez, expat, gnutls, libtasn1, libxslt, mod_auth_openidc, mod_auth_openidc:2.3, ruby:3.1, thunderbird, and xmlrpc-c), and Ubuntu (linux, linux-aws, linux-gcp, linux-hwe-6.11, linux-lowlatency, linux-lowlatency-hwe-6.11, linux-oem-6.11, linux-oracle, linux-raspi, linux-realtime, linux-azure, linux-azure-6.11, linux-gc … ⌘ Read more
[$] Code signing for BPF programs
The Linux kernel can be configured so that
kernel modules must be signed or
otherwise authenticated to be loaded
into the kernel. Some BPF developers want that to be an option for BPF programs
as well — after all, if those are going to run as part of the kernel,
they should be subject to the same code-signing requirements. Blaise Boscaccy
and Cong Wang presented two different visions for how BPF code signing could
work at the 2025 Linux Storage, Filesystem, Memory … ⌘ Read more
[$] DMA addresses for UIO
The Userspace\
I/O (UIO) subsystem was first added to the kernel by
Hans J. Koch for the 2.6.32 release in 2007. Its purpose is to facilitate
the writing of drivers (mostly) in user space; to that end, it provides
access to a number of resources that user-space code normally cannot touch.
One piece that is missing, though, is DMA addresses. [A proposal to\
fill that gap](https://lwn.net/ml/all/20250410-uio-dma-v … ⌘ Read more
Security updates for Tuesday
Security updates have been issued by AlmaLinux (java-1.8.0-openjdk, kernel, libxslt, mod_auth_openidc:2.3, and webkit2gtk3), Fedora (c-ares, giflib, jupyterlab, perl, perl-Devel-Cover, perl-PAR-Packer, prometheus-podman-exporter, python-notebook, python-pydantic-core, rpki-client, ruby, rust-adblock, rust-cookie_store, rust-gitui, rust-gstreamer, rust-icu_collections, rust-icu_locid, rust-icu_locid_transform, rust-icu_locid_transform_data, rust-icu_normalizer, rust-icu_normalizer_data … ⌘ Read more
[$] Indirect calls in BPF
Anton Protopopov kicked off the BPF track on
the second day of the 2025 Linux Storage, Filesystem,
Memory-Management, and BPF Summit with a discussion about permitting
indirect calls in BPF. He also spoke about his continuing work on
static keys, a topic which is related because the implementation of indirect
jumps and static keys in the verifier use some of the same mechanisms for
tracking indirect control-flow.
Although some design work remains to be done, it may soon be … ⌘ Read more
RISC-V images for Fedora Linux 42
The Fedora Project’s RISC-V\
special-interest group (SIG) has announced
the availability of Fedora Linux 42 images for supported\
RISC-V boards, as well as QEMU
and container images. The SIG is working toward making RISC-V a
primary arc … ⌘ Read more
Template strings accepted for Python 3.14
The Python Steering Council
accepted PEP 750
(” Template Strings”) on April 10. LWN
covered the discussion around the proposal, including the
substantial revisions to the idea that were needed for it
to be accepted. Template strings (t-strings) are a new kind of string that produces
structured data instead o … ⌘ Read more
[$] Owen Le Blanc: creator of the first Linux distribution
Ask a Linux enthusiast who created the Linux kernel, and odds are they will have
no trouble naming Linus Torvalds—but many would be stumped if asked what the
first Linux distribution was, and who created it. Some might guess Slackware, or its predecessor, Softlanding Linux\
System (SLS); both were arguably more influential but arrived just a bit
later. The first honest-to-goodness distribut … ⌘ Read more