Security updates for Monday
Security updates have been issued by Debian (erlang, fig2dev, shadow, wget, and zabbix), Fedora (chromium, jupyterlab, llama-cpp, prometheus-podman-exporter, python-notebook, python-pydantic-core, rpki-client, rust-adblock, rust-cookie_store, rust-gitui, rust-gstreamer, rust-icu_collections, rust-icu_locid, rust-icu_locid_transform, rust-icu_locid_transform_data, rust-icu_normalizer, rust-icu_normalizer_data, rust-icu_properties, rust-icu_properties_data, rust-icu_provider, rust-icu … ⌘ Read more
Kernel prepatch 6.15-rc3
The 6.15-rc3 kernel prepatch is out for
testing. “There’s absolutely nothing of huge note here as far as I can
tell. Just a fair number of small fixes all over the place”. ⌘ Read more
Three stable kernels
The 6.14.3, 6.13.12, and 6.12.24 stable kernel updates have been
released; each contains another set of important fixes. Note that the
6.13.x series ends with 6.13.12. ⌘ Read more
EU OS: A European Proposal for a Public Sector Linux Desktop (The New Stack)
The New Stack looks
at EU OS, an attempt to create a desktop system for the European public
sector.
EU OS is not a brand-new Linux distribution in the traditional
sense. Instead, it is a proof-of-concept built atop Fedora’s
immutable KDE Plasma spin (Kinoite). EU OS takes a layered approach
to customization. The project’s vision is to provide a standard,
ad … ⌘ Read more
[$] The problem of unnecessary readahead
The final session in the memory-management track of the 2025 Linux Storage,
Filesystem, Memory-Management, and BPF Summit was a brief, last-minute
addition run by Kalesh Singh. The kernel’s readahead mechanism is
generally good for performance; it ensures that data is present by the time
an application gets around to asking for it. Sometimes, though, readahead
can go a little too far. ⌘ Read more
[$] Tracepoints for the VFS?
Adding tracepoints to some kernel subsystems has been controversial—or
disallowed—due to concerns about the user-space
ABI that they might create. The virtual filesystem (VFS) layer has
long been one of the subsystems that has not allowed any tracepoints, but
that may be changing. At the 2025 Linux Storage, Filesystem, Memory
Management, and BPF Summit (LSFMM+BPF), Ted Ts’o led a discussion about
whether the ABI concerns are outweighed by the utility of tracepoints for … ⌘ Read more
Security updates for Friday
Security updates have been issued by Debian (graphicsmagick and libapache2-mod-auth-openidc), Fedora (giflib, mod_auth_openidc, mysql8.0, perl, perl-Devel-Cover, perl-PAR-Packer, perl-String-Compare-ConstantTime, rust-openssl, rust-openssl-sys, trunk, and workrave), Mageia (chromium-browser-stable and rust), Oracle (java-1.8.0-openjdk, java-17-openjdk, java-21-openjdk, kernel, libreoffice, and webkit2gtk3), Red Hat (gvisor-tap-vsock), SUSE (containerd, docker, docker-stable, forge … ⌘ Read more
Ubuntu 25.04 released
Version 25.04 (“Plucky Puffin”) of the Ubuntu Linux distribution has been
released. This release includes Linux 6.14, GNOME 48, APT 3.0, and introduces an
Arm64 desktop ISO to install Ubuntu Desktop on Arm64 systems. This is an
interim release, with support through January 2026. See the [release
notes](h … ⌘ Read more
Tor Browser 14.5 released
Version 14.5 of the Tor Browser has been released. Notable features in this release
include the addition of Connection Assist for the Android version of
the Tor Browser, and language support for Belarusian, Bulgarian, and
Portuguese for all versions of the browser.
Should Tor Browser fail to establish a direct connection to the Tor
network, Connection Assist will offer to find and try bridges for
y … ⌘ Read more
Security updates for Thursday
Security updates have been issued by Debian (chromium and libapache2-mod-auth-openidc), Oracle (expat, freetype, glibc, grub2, gvisor-tap-vsock, and kernel), Red Hat (grub2 and webkit2gtk3), and SUSE (apache2-mod_auth_openidc, cosign, gitoxide, govulncheck-vulndb, GraphicsMagick, haproxy, hauler, mozjs52, oci-cli, pam, perl-Data-Entropy, poppler, python-lxml-doc, python311-aiohttp, rekor, rubygem-rexml, and webkit2gtk3). ⌘ Read more
[$] LWN.net Weekly Edition for April 17, 2025
Inside this week’s LWN.net Weekly Edition:
Front: APT 3.0; Fedora 42; Lots more LSFMM+BPF coverage.
Briefs: CVE funding; Yelp vulnerability; Fedora 42; Manjaro 25.0; GCC 15; Pinta 3.0; Quotes; …
Announcements: Newsletters, conferences, security updates, patches, and more. ⌘ Read more
[$] What’s new in APT 3.0
Debian’s Advanced Package Tool (APT) is the suite of utilities that handle package
management on Debian and Debian-derived operating systems. APT recently received a
major upgrade to 3.0 just in time for inclusion in Debian 13
(“trixie”), which is planned for release sometime in 2025. The version bump is
warranted; the latest APT has user-interface improvements, switches to [Sequoia](https://sequoia-pgp.org/pr … ⌘ Read more
Catanzaro: Dangerous arbitrary file read vulnerability in Yelp
GNOME contributor Michael Catanzaro has written a blog
post about a noteworthy vulnerability in GNOME’s help browser, Yelp.
I don’t normally blog about particular CVEs, but Yelp CVE-2025-3155 is
noteworthy because it is quite severe, public for several weeks now,
and not yet fixed upstream. In short, help files can rea … ⌘ Read more
[$] Parallel directory operations
Allowing directories to be modified in parallel was the topic of Jeff
Layton’s filesystem-track session at the 2025 Linux Storage, Filesystem,
Memory Management, and BPF Summit (LSFMM+BPF). There are certain use
cases, including for the NFS and Lustre filesystems, as mentioned in a patch set
referenced in the topic
proposal, where contention in cre … ⌘ Read more
[$] Taking BPF programs beyond one-million instructions
The BPF verifier is not magic; it cannot solve the
halting problem. Therefore,
it has to err on the side of assuming that a program will run too long if it
cannot prove that the program will not.
The ultimate check on the size of a BPF program is the
one-million-instruction limit — the verifier will refuse to process more than
one-million instructions, no matter what a BPF program does. Alexei Starovoitov gave
a talk at the 2025 L … ⌘ Read more
CISA extends funding to the CVE program (BleepingComputer)
Sergiu Gatlan reports
that the US government has extended funding for the Common
Vulnerabilities and Exposures (CVE) program, following yesterday’s reports that funding
would run out as of April 16.
“The CVE Program is invaluable to cyber community and a priority of
CISA,” the U.S. cybersecurity agency told BleepingCompu … ⌘ Read more
[$] Improvements for the contiguous memory allocator
As a system runs, its memory becomes fragmented; it does not take long
before the allocation of large, physically contiguous memory ranges becomes
difficult or impossible. The contiguous memory
allocator (CMA) is a kernel subsystem that attempts to address this
problem, but it has never worked as well as some would like. Two sessions
in the memory-management track at the 2025 Linux Storage, Filesystem,
Memory-Management, and BPF Summit looked at … ⌘ Read more
Security updates for Wednesday
Security updates have been issued by AlmaLinux (gvisor-tap-vsock, kernel, and kernel-rt), Fedora (chromium, dnf, dotnet9.0, golang, lemonldap-ng, mariadb10.11, perl-Crypt-URandom-Token, perl-DBIx-Class-EncodedColumn, php-tcpdf, podman-tui, and trunk), Red Hat (java-17-openjdk and kernel), Slackware (mozilla), SUSE (apache2-mod_auth_openidc, cosign, etcd, expat, flannel, kernel, libsqlite3-0, libvarnishapi3, mozjs52, Multi-Linux Manager 4.3: Server, Multi-Linux Manager 5.0: Server, … ⌘ Read more
[$] Topics from the virtual filesystem layer
In the first filesystem-track session at the 2025 Linux Storage,
Filesystem, Memory Management, and BPF Summit (LSFMM+BPF), virtual
filesystem (VFS) layer co-maintainer Christian Brauner had a few different
topics he wanted to talk about. Issues on the agenda
included iterating through anonymous mount namespaces, a needed feature
for ID-mapped mounts, the perennial unprivileged mounts topic, potentially
using hazard pointers for file reference counting, and Rust bindings. He
did not expect … ⌘ Read more
MITRE Warns CVE Program Faces Disruption (Security Week)
Security Week is one of several outlets reporting
that the funding for the CVE program at MITRE disappears as of
April 16.
Maintained by MITRE Corporation, a not-for-profit organization that
operates federal R&D centers, the CVE program is funded through
multiple channels, including the U.S. government, industry
partnerships, and international organizations.
… ⌘ Read more
Manjaro Linux 25.0 released
Version 25.0 (“Zetar”) of the Arch-based Manjaro Linux
distribution is now available. This release includes Linux kernel 6.12,
GNOME 48, KDE 6.3, Xfce 4.18, and more. ⌘ Read more
Fedora Linux 42 released (Fedora Magazine)
The Fedora Project has announced
the release of Fedora Linux 42, with “what’s new” articles for Fedora Workstation
and Fedora KDE Plasma Desktop. There
is also a last-minute warning about the live media for the release:
We discovered a problem with the Live boot media at the last
minute, and sin … ⌘ Read more
[$] Don’t panic: Fedora 42 is here
Fedora Linux 42 has been released with many
incremental improvements and updates. In this development cycle, the KDE Plasma Desktop
has finally gotten a promotion from a spin to an
edition, the new web-based
user interface for the Anaconda installer makes its debut, and the
Wayland-ification of Fedora continues ap … ⌘ Read more
[$] Automatic tuning for weighted interleaving
It is common, on NUMA systems, to try to allocate all memory on the local
node, since it will be the fastest. That is not the only possible policy,
though; another is weighted interleaving,
which seeks to distribute allocations across memory controllers to maximize
the bandwidth utilization on each. Configuring such policies can be
challenging, though. At the 2025 Linux Storage, Filesystem,
Memory-Management, and BPF Summit, Joshua Hahn ran a session i … ⌘ Read more
Security updates for Tuesday
Security updates have been issued by AlmaLinux (glibc), Red Hat (kernel and kernel-rt), Slackware (perl), SUSE (haproxy, kernel, and webkit2gtk3), and Ubuntu (cimg, perl, protobuf, and webkit2gtk). ⌘ Read more
Pinta 3.0 released
Version 3.0 of the Pinta
image editor has been released. The most notable change in this
release is that Pinta has been ported to GTK 4.0 and libadwaita. It
also includes a number of improvements, new effects, and bug fixes. ⌘ Read more
[$] In search of a stable BPF verifier
BPF is, famously, not part of the kernel’s promises of user-space stability. New
kernels can and do break existing BPF programs; the BPF developers try to
fix unintentional regressions as they happen, but the whole thing can be something of a bumpy
ride for users trying to deploy BPF programs across multiple kernel versions.
Shung-Hsi Yu and Daniel Xu had two different approaches to fixing the problem
that they presented at the 2025 Linux Storage, Filesystem,
Memory-Management, and BPF Summit. ⌘ Read more
[$] The state of the memory-management development process, 2025 edition
Andrew Morton, the lead maintainer for the kernel’s memory-management
subsystem, tends to be quiet during the Linux Storage, Filesystem,
Memory-Management, and BPF Summit, preferring to let the developers work
things out on their own. That changes, though, when he leads the
traditional development-process session in the memory-management track. At
the 2025 gathering, this discussion covered a number of ways in which the
process could be improved, but did not une … ⌘ Read more
Security updates for Monday
Security updates have been issued by Debian (glib2.0, jinja2, kernel, mediawiki, perl, subversion, twitter-bootstrap3, twitter-bootstrap4, and wpa), Fedora (c-ares, chromium, condor, corosync, cri-tools1.29, exim, firefox, matrix-synapse, nextcloud, openvpn, perl-Data-Entropy, suricata, upx, varnish, webkitgtk, yarnpkg, and zabbix), Mageia (giflib, gnupg2, graphicsmagick, and poppler), Oracle (delve and golang, go-toolset:ol8, grub2, and webkit2gtk3), Red Hat (kernel and kernel-rt), S … ⌘ Read more
Kernel prepatch 6.15-rc2
Linus has released 6.15-rc2 for testing.
“Nothing particularly stands out to me, but it’s early in the release
yet, so let’s see how it goes.” ⌘ Read more
[$] Managing multiple sources of page-hotness data
Knowing how frequently accessed a page of memory is (its “hotness”) is a
key input to many memory-management heuristics. Jonathan Cameron, in a
memory-management track at the 2025 Linux Storage, Filesystem,
Memory-Management, and BPF Summit, pointed out that the number of sources
of that kind of data is growing over time. He wanted to explore the
questions of what commonality exists between data from those sources, and
whether it makes sense to aggregate them all somehow. ⌘ Read more
[$] Inlining kfuncs into BPF programs
Eduard Zingerman presented a daring proposal that “makes sense if you think
about it a bit” at the 2025 Linux Storage, Filesystem,
Memory-Management, and BPF Summit. He wants to inline
performance-sensitive kernel functions
into the BPF programs that call them. His
prototype does not yet address all of the design problems inherent in that idea,
but it did spark a lengthy discussion about the feasibility of his proposal. ⌘ Read more
Security updates for Friday
Security updates have been issued by AlmaLinux (delve and golang and go-toolset:rhel8), Debian (webkit2gtk), Fedora (openvpn, thunderbird, uboot-tools, and zabbix), SUSE (expat, fontforge, govulncheck-vulndb, and kernel), and Ubuntu (haproxy and libsoup2.4, libsoup3). ⌘ Read more
[$] Atomic writes for ext4
Building on the discussion in the two previous sessions on untorn (or
atomic) writes, for buffered I/O and for XFS using direct I/O, Ojaswin Mujoo
remotely led a
session on support for the feature on ext4. That took place in the combined storage and
filesystem track at the
2025 Linux Storage, Filesystem, Memory Management, and BPF Summit. Part of
the support for the feature is already in the upstream kernel, with more
coming. But
ther … ⌘ Read more
Malcolm: 6 usability improvements in GCC 15
Over on the Red Hat Developer site, David Malcolm has an article
about improvements in GCC 15, specifically focusing on the diagnostic
information that the compiler emits. This includes ASCII art with a “⚠️”
warning emoji to display the execution path when it detects a problem (like
an infinite loop in one of his examples), better C++ template errors,
machine-readable diagnostics using [Static
Analysis R … ⌘ Read more
[$] Management of volatile CXL devices
Compute Express Link (CXL) memory is not like the ordinary RAM that one might
install into a computer; it can come and go at any time and is often not
present when the kernel is booting. That complicates the management of
this memory. During the memory-management track of the 2025 Linux Storage,
Filesystem, Memory-Management, and BPF Summit, Gregory Price ran a session
on the challenges posed by CXL and how they might be addressed. ⌘ Read more
Eight new stable kernels
Greg Kroah-Hartman has announced the release of eight stable kernels: 6.14.2, 6.13.11, 6.12.23, 6.6.87, 6.1.134, 5.15.180, 5.10.236, and 5.4.292. These all contain a large
assortment of important kernel fixes throughou … ⌘ Read more
[$] Preparing DAMON for future memory-management problems
The Data Access MONitor (DAMON) subsystem provides access to detailed memory-management
statistics, along with a set of tools for implementing policies based on
those statistics. An update on DAMON by its primary author, SeongJae Park,
has been a fixture of the Linux Storage, Filesystem, Memory-Management, and
BPF Summit for some years. The 2025 Summit was no exception; Park led two
sessions on recent and future DAMON developme … ⌘ Read more
Security updates for Thursday
Security updates have been issued by AlmaLinux (tomcat and webkit2gtk3), Debian (chromium), Fedora (ghostscript), Mageia (atop, docker-containerd, and xz), Red Hat (go-toolset:rhel8), SUSE (apache2-mod_auth_openidc, apparmor, etcd, expat, firefox, kernel, libmozjs-128-0, and libpoppler-cpp2), and Ubuntu (dino-im, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-gcp,
linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux, linux-aws, linux-kvm, linux-l … ⌘ Read more
[$] LWN.net Weekly Edition for April 10, 2025
Inside this week’s LWN.net Weekly Edition:
Front: Debian project leader election; 6.15 Merge window; Lots of LSFMM coverage; Joplin.
Briefs: Firefox hardening; OpenSSH 10.0; Supply chain security; FreeDOS 1.4; OpenSSL 3.5.0; Rust 1.86.0; Quotes; …
Announcements: Newsletters, conferences, security updates, patches, and more. ⌘ Read more
Hardening the Firefox frontend
Tom Schuster, Frederik Braun, and Christoph Kerschbaumer have
published an article
on the Firefox Security team’s Attack & Defense
blog that explains recent work to harden Firefox’s frontend code.
We have rewritten over 600 JavaScript event handlers to mitigate XSS
and other injection attacks in the main Firefox user interface. This
mitigation will ship in … ⌘ Read more
[$] An update on torn-write protection
In a combined storage and filesystem track session at the
2025 Linux Storage, Filesystem, Memory Management, and BPF Summit, John
Garry continued the theme of “untorn” (or atomic) writes that started in the previous session. It was also
an update on where things have gone for untorn writes since his session at last year’s summit. Beyond that,
he looked at some of the plans and challenges for the feature in the future. ⌘ Read more
[$] Debian Project Leader election 2025 edition
Four candidates have stepped up to run in the 2025 Debian Project
Leader (DPL) election. Andreas Tille, who is in his first term as DPL,
is running again. Sruthi Chandran, Gianfranco Costamagna, and Julian Andres
Klode are the o … ⌘ Read more
[$] A new type of spinlock for the BPF subsystem
The 6.15 merge window saw the inclusion of a new type of lock for BPF programs:
a resilient queued spinlock that Kumar Kartikeya Dwivedi has been working on
for some time. Eventually, he hopes to convert all of the spinlocks currently
used in the BPF subsystem to his new lock.
He gave a remote presentation about the design of the lock at the
2025 Linux Storage, Filesystem,
Memory-Management, and BPF summit. ⌘ Read more
[$] Improving hot-page detection and promotion
Tiered-memory systems feature multiple types of memory with varying
performance characteristics; on such systems, good performance depends on
keeping the most frequently used data in the fastest memory. Identifying
that data and placing it properly is a challenge that has kept developers
busy for years. Bharata Rao, presenting remotely during a
memory-management-track session at the 2025 Linux Storage, Filesystem,
Memory-Management, and BPF Summit, led a discussion on [a potential soluti … ⌘ Read more
[$] Two approaches to better kernel samepage merging
The kernel samepage merging (KSM) subsystem works by finding pages in memory with
the same contents, then replacing the duplicated copies with a single,
shared copy. KSM can improve memory utilization in a system, but has some
problems as well. In two memory-management-track sessions at the 2025
Linux Storage, Filesystem, Memory-Management, and BPF Summit, Mathieu
Desnoyers and Sourav Panda proposed improvements to KSM to
make it … ⌘ Read more
OpenSSH 10.0 released
OpenSSH 10.0 has been released. Support for the DSA signature algorithm,
which was disabled by default beginning in 2015, has been
removed. Other notable changes include using the post-quantum algorithm mlkem768x25519-sha256
for key agreement by default, support for systemd-style socket
activation in Portable OpenSSH … ⌘ Read more
Security updates for Wednesday
Security updates have been issued by Debian (lemonldap-ng, libbssolv-perl, and phpmyadmin), Fedora (augeas, mariadb10.11, and thunderbird), Oracle (gimp, libxslt, python3.11, python3.12, tomcat, and xorg-x11-server), Red Hat (expat, grafana, opentelemetry-collector, and webkit2gtk3), SUSE (azure-cli-core, doomsday, kernel, and poppler), and Ubuntu (dotnet8, dotnet9, erlang, and poppler). ⌘ Read more
OpenSSL 3.5.0 released
Version 3.5.0 of OpenSSL has been released. This release adds support for
server-side QUIC (RFC 9000), a new configuration option
(no-tls-deprecated-ec) that disables
support for TLS groups deprecated in RFC 8422, and more. ⌘ Read more
FreeDOS 1.4 released
Version 1.4 of FreeDOS has been
released. This is the first stable release since 2022, and
includes improvements to the Fdisk hard-disk-management program, and
reliability updates for the mTCP set of TCP/IP applications for
DOS.
This version was much smoother because Jerome Shidel, our
distribution manager, had an idea after FreeDOS 1.3 that we could have
a rolling test release that collected all of the changes that people
mak … ⌘ Read more
[$] Taking notes with Joplin
Joplin is an open-source
note-taking application designed to handle taking many kinds of notes,
whether it is managing code snippets, writing documentation, jotting
down lecture notes, or drafting a novel. Joplin has Markdown support,
a plugin system for extensibility, and accepts multimedia content,
allowing users to attach images, videos, and audio files to their
notes. It can provide synchronization of content across devices using
end-to-end encryption, or users can opt to sti … ⌘ Read more
[$] Using large folios for text areas
Quite a bit of work has been done in recent years to allow the kernel to
make more use of large folios. That progress has not yet reached the
handling of text (executable code) areas, though. During the
memory-management track of the 2025 Linux Storage, Filesystem,
Memory-Management, and BPF Summit, Ryan Roberts ran a session on how that
situation might be improved. It would be a relatively small and contained
operation, but can give a measurable performance improvement. ⌘ Read more
[$] Per-CPU memory for user space
The kernel makes extensive use of per-CPU data as a way to avoid contention
between processors and improve scalability. Using the same technique in
user space is harder, though, since there is little control over which CPU
a process may be running on at any given time. That hasn’t stopped Mathieu
Desnoyers from trying, though; in the memory-management track of the 2025
Linux Storage, Filesystem, Memory-Management, and BPF Summit, he presented
a proposal for how user-space per-CPU memory could work. ⌘ Read more
Security updates for Tuesday
Security updates have been issued by AlmaLinux (gimp, libxslt, python3.11, python3.12, and tomcat), Debian (ghostscript and libnet-easytcp-perl), Fedora (openvpn, perl-Data-Entropy, and webkitgtk), Red Hat (python-jinja2), SUSE (giflib, pam, and xen), and Ubuntu (apache2, binutils, expat, fis-gtm, linux-azure, linux-azure-6.8, linux-nvidia-lowlatency, linux-azure, linux-azure-fde, linux-azure-5.15, linux-azure-fde-5.15, linux-azure-fips, linux-gcp-fips, linux-hwe-5.4, linux-nvidia, … ⌘ Read more
[$] An update on pahole
Pahole (originally “Poke-a-hole”) is a Swiss Army knife for exploring and
editing debug information. Pahole is also currently involved
in the kernel’s build process to rearrange the information
produced by various compilers into a form useful to the BPF verifier, although
there are plans to render it unnecessary.
Pahole maintainer Arnaldo Carvalho de Melo shared some status
updates about the project at the 2025 Linux Storage, Filesystem,
Memory-Management, and BPF summit. Interested readers can find his slides … ⌘ Read more
Fifty Years of Open Source Software Supply Chain Security (Queue)
ACM Queue looks at
the security problem in the light of a report on Multics security that
was published in 1974.
We are all struggling with a massive shift that has happened in the
past 10 or 20 years in the software industry. For decades, software
reuse was only a lofty goal. Now it’s very real. Modern
programming environments such as Go, Node, and Rust have made it
trivial to reuse work by others, but our … ⌘ Read more
[$] Three ways to rework the swap subsystem
The kernel’s swap subsystem is complex and highly optimized — though not
always optimized for today’s workloads. In three adjacent sessions during
the memory-management track of the 2025 Linux Storage, Filesystem,
Memory-Management, and BPF Summit, Kairui Song, Nhat Pham, and Usama Arif
all talked about some of the problems that they are trying to solve in the
Linux swap subsystem. In the first two cases, the solutions take the form of
an additional layer of indirection in the kernel’s swap … ⌘ Read more
[$] The rest of the 6.15 merge window
Linus Torvalds released 6.15-rc1 and
closed the 6.15 merge window on April 6. By that time, 12,633
non-merge changesets had found their way into his repository; that is
substantially more than were merged during the entire 6.14
development cycle. Just under 6,000 of those changesets were merged after
the first-half merge-window summary was
written. ⌘ Read more
Five new stable kernels
The 6.14.1, 6.13.10, 6.12.22, 6.6.86, and 6.1.133 stable kernels have all been
released. They contain a relatively small collection of important fixes
across the kernel tree. ⌘ Read more
Security updates for Monday
Security updates have been issued by Debian (abseil, atop, jetty9, ruby-saml, tomcat10, trafficserver, xz-utils, and zfs-linux), Fedora (chromium, condor, containernetworking-plugins, cri-tools1.29, crosswords-puzzle-sets-xword-dl, exim, ghostscript, matrix-synapse, upx, varnish, and yarnpkg), Gentoo (XZ Utils), Mageia (augeas, corosync, nss & firefox, and thunderbird), Oracle (container-tools:ol8, firefox, freetype, and kernel), Red Hat (firefox), SUSE (chromium, gn, firefox-es … ⌘ Read more
Kernel prepatch 6.15-rc1
Linus has released 6.15-rc1 and closed the
merge window for this release. “As expected, this was one of the bigger
merge windows, almost certainly just because we had some pent-up
development due to the previous releases being impacted by the holiday
season. That said, while it’s bigger than normal, it’s not some kind of
record-breaking thing.” In the end, 12.633 non-merge changesets were
pulled into the mainline during this merge window. ⌘ Read more
[$] The state of guest_memfd
A typical cloud-computing host will share some of its memory with each
guest that it runs. The host retains its access to that memory, though,
meaning that it can readily dig through that memory in search of data that
the guest would prefer to keep private. The guest_memfd subsystem removes (most of) the
host’s access to guest memory, making the guest’s data more secure. In the
memory-management track of the 2025 Linux Storage, Filesystem,
Memory-Management, and BPF Su … ⌘ Read more
[$] The future of ZONE_DEVICE
Alistair Popple started his session at the 2025 Linux Storage, Filesystem,
Memory-Management, and BPF Summit by proclaiming that ZONE_DEVICE
is “the ugly stepchild” of the kernel’s memory-management subsystem.
Ugly or not, the ability to manage memory that is attached to a peripheral
device rather than a CPU is increasingly important on current hardware.
Popple hoped to cover some of the challenges with ZONE_DEVICE and
find ways to make the stepchild a bit more attractive, if not bring it into
the fa … ⌘ Read more
[$] Supporting untorn buffered writes
At last year’s
Linux Storage, Filesystem,
Memory-Management, and BPF Summit (LSFMM+BPF), there was a discussion about atomic writes that was
accompanied by patches to support the feature in the block layer, and for
direct I/O on XFS. That
work was merged, but another piece of that discussion concerned adding the
feature for buffered I/O, in part because the PostgreSQL database currently
has to jump through hoops to ensure that its writes are not “torn”
(partial … ⌘ Read more
[$] A strange BPF error message
Yonghong Song brought a story about tracking down the cause of a strange verifier error
message to the 2025 Linux Storage, Filesystem, Memory-Management, and BPF
Summit. He then presented some possible ways to improve Clang’s user experience for
anyone running into the same class of error in the future. Toward the end of his
allotted time, he also discussed the problems with optimizations that change the
signature of functions — a problem that José Marchesi had also brought up in
[the previous session] … ⌘ Read more
Security updates for Friday
Security updates have been issued by AlmaLinux (firefox), Debian (atop and thunderbird), Fedora (webkitgtk), Mageia (microcode), Oracle (expat), SUSE (apparmor, assimp-devel, aws-efs-utils, expat, firefox, ghostscript, go1.23, gotosocial, govulncheck-vulndb, GraphicsMagick, headscale, libmozjs-128-0, libsaml-devel, openvpn, perl-Data-Entropy, and xz), and Ubuntu (gnupg2, kernel, linux-azure-fips, linux-iot, openvpn, ruby-saml, and xz-utils). ⌘ Read more
[$] Page allocation for address-space isolation
Address-space isolation may well be, as Brendan Jackman said at the
beginning of his memory-management-track session at the 2025 Linux Storage,
Filesystem, Memory-Management, and BPF Summit, “some security
bullshit”. But it also holds the potential to protect the kernel from
a wide range of vulnerabilities, both known and unknown, while reducing the
impact of existing mitigations. Implementing address-space isolation with
reasonable performance, though, is going to require some signific … ⌘ Read more
[$] Better hugetlb page-table walking
The kernel must often step through the page tables of one or more processes
to carry out various operations. This “page-table walking” tends to be
performed by ad-hoc (duplicated) code all over the kernel. Oscar Salvador
used a memory-management-track session at the 2025 Linux Storage,
Filesystem, Memory-Management, and BPF Summit to talk about strategies to
unify the kernel’s page-table walking code just a little bit by making
hugetlb pages look more like ordinary pages. ⌘ Read more
Rust 1.86.0 released
Version 1.86.0 of the Rust language has been released. Changes include support
for trait upcasting, the ability to index multiple elements of HashMaps and
slices mutably, and a number of stabilized APIs. ⌘ Read more
Security updates for Thursday
Security updates have been issued by AlmaLinux (expat), Debian (chromium, commons-vfs, firefox-esr, php-horde-editor, php-horde-imp, and thunderbird), Fedora (corosync, firefox, nextcloud, and suricata), Mageia (curl and upx), Oracle (emacs, fence-agents, freetype, kernel, libreoffice, libxml2, nginx:1.24, podman, python-jinja2, and tigervnc), Red Hat (firefox and python-jinja2), SUSE (assimp, ffmpeg-4, firefox, ghostscript, GraphicsMagick, libxslt, and tomcat), and Ubuntu … ⌘ Read more
[$] LWN.net Weekly Edition for April 3, 2025
Inside this week’s LWN.net Weekly Edition:
Front: Calibre 8.0; Fedora reproducibility; OpenWrt One; 6.15 Merge Window; LSFMM+BPF coverage including BPF in GCC, Rust merging process, and more.
Briefs: Ubuntu namespaces; New FPL; PorteuX 2.0; Firefox 137.0; GCC Rust; Rockbox 4.0; Rust specification; Thundermail; Dave Täht RIP; Quotes; …
Announcements: Newsletters, confer … ⌘ Read more
[$] Catching up with calibre
Saying that calibre is
ebook-management software undersells the application by a fair
margin. Calibre is an open-source Swiss Army knife for ebooks that can
be used for everything from creating ebooks, converting ebooks from
obscure formats to modern formats like EPUB, to serving up an ebook
library over the web. The most recent major release, calibre 8.0,
brings a better text-to-speech engine, a tool for creating audio
overlays w … ⌘ Read more
[$] An update on GCC BPF support
José Marchesi and David Faust kicked off the BPF track at the 2025 Linux Storage,
Filesystem, Memory-Management, and BPF Summit with an extra-long session on what
they have been doing to support compiling to BPF in GCC. Overall, the project is slowly working
toward full support for BPF, with most of the self-tests now passing using
Faust’s in-progress patches. However, the progress toward that goal has turned up
a number of problems with how Clang supports BPF that needed to be discussed at
length to … ⌘ Read more
Thunderbird plans “Thundermail” email and other services
Ryan Sipes has announced
efforts to expand Thunderbird’s offerings with web services to
“enhance the experience of using Thunderbird”.
The Why for offering these services is simple. Thunderbird loses users
each day to rich ecosystems that are both clients and services, such
as Gmail and Office365. These ecosystems have both hard vendor
lock-ins (through interoperability issues with 3rd-party clients) … ⌘ Read more
Introducing Fedora Project Leader Jef Spaleta
Outgoing Fedora Project Leader (FPL) Matthew Miller has announced
his successor, Jef Spaleta.
Some of you may remember Jef’s passionate voice in the early Fedora
community. He got involved all the way back in the days of fedora.us,
before Red Hat got involved. Jef served on the Fedora Board from July
2007 through the end of 2008. This was the critical time after Fedora
Extras and Fedora Core merged int … ⌘ Read more
PorteuX 2.0 released
Version 2.0 of PorteuX, a distribution based on Slackware Linux, has been
released. This release adds the ability to test experimental Wayland
sessions for the Cinnamon, LXQt, and Xfce desktops. PorteuX 2.0
updates the Linux kernel to 6.14 and includes many package updates and
bug fixes. Users have the choice of PorteuX stable or its rolling release
called current. See the [install.txt](https://github. … ⌘ Read more
[$] Approaches to reducing TLB pressure
The CPU’s translation lookaside buffer (TLB) caches the results of
virtual-address translations, significantly speeding memory accesses. TLB
misses are expensive, so a lot of thought goes into using the TLB as
efficiently as possible. Reducing pressure on the TLB was the topic of Rik
van Riel’s memory-management-track session at the 2025 Linux Storage,
Filesystem, Memory-Management, and BPF Summit. Some approaches were
considered, but the session was short on firm conclusions. ⌘ Read more
Rockbox 4.0 released
For those of you who still have dedicated audio players: version 4.0 of
Rockbox, a replacement firmware for many players, has been released.
This release brings support for a number of new devices, updated codecs, a
number of user-interface improvements, some new games, and more. (LWN last
reviewed Rockbox in 2010 — and looked at
the ill-fated Android port that year as
well). ⌘ Read more
Security updates for Wednesday
Security updates have been issued by Debian (firefox-esr, jetty9, openjpeg2, and tomcat9), Fedora (dokuwiki, firefox, php-kissifrot-php-ixr, php-phpseclib3, and rust-zincati), Red Hat (kernel and pki-core), Slackware (mozilla), SUSE (apparmor, atop, docker, docker-stable, firefox, govulncheck-vulndb, libmodsecurity3, openvpn, upx, and warewulf4), and Ubuntu (inspircd, linux, linux-aws, linux-gcp, linux-gke, linux-gkeop, linux-ibm,
linux-lowlatency, linux-lowlatency-hwe-6.8, linu … ⌘ Read more
[$] Slab allocator: sheaves and any-context allocations
The kernel’s slab allocator is charged with providing small objects on
demand; its performance and reliability are crucial for the functioning of
the system as a whole. At the 2025 Linux Storage, Filesystem,
Memory-Management, and BPF Summit, two adjacent sessions in the
memory-management track dug into current work on the slab allocator. The
first focused on the new sheaves feature, while the second discussed a set
of allocation functions that are safe to call in any context. ⌘ Read more
From the LibreQoS site comes the sad
news that Dave Täht has passed away. Among many other things, he bears
a lot of credit for our networks functioning as well as they do. “We’re
incredibly grateful to have Dave as our friend, mentor, and as someone who
continuously inspired us – showing us that we could do better for each
other in the world, and leverage … ⌘ Read more
[$] Updates on storage standards
As he has in some previous editions of the Linux Storage, Filesystem,
Memory-Management, and BPF Summit (LSFMM+BPF), Fred Knight gave an update
on the status of various storage standards this year. In it, he looked at
changes to the NVM Express (NVMe)
standards in some detail. He also updated attendees on the fairly small
changes that have come to the SCSI (T10)
and ATA (T13) standards over the last few
years. ⌘ Read more
[$] Memory persistence over kexec
The kernel’s kexec
mechanism allows one kernel to directly boot a new one; it can be
thought of as a sort of kernel equivalent to the execve()
system call. Kexec has a number of uses, including booting a special kernel
to perform dumps after a crash. Normally, one does not expect user-space
processes to survive booting into a new kernel, but that has not stopped
developers from trying to im … ⌘ Read more
Firefox 137.0 released
Version 137.0 of the Firefox browser has been released. Changes include the
rollout of tab groups, a number of search-bar changes, and the ability to add signatures
to PDF files. ⌘ Read more
Security updates for Tuesday
Security updates have been issued by AlmaLinux (freetype, grub2, kernel, kernel-rt, and python-jinja2), Debian (freetype, linux-6.1, suricata, tzdata, and varnish), Fedora (mingw-libxslt and qgis), Mageia (elfutils, mercurial, and zvbi), Oracle (grafana, kernel, libxslt, nginx:1.22, and postgresql:12), Red Hat (opentelemetry-collector), SUSE (corosync, opera, and restic), and Ubuntu (aom, libtar, mariadb, ovn, php7.4, php8.1, php8.3, rabbitmq-server, and webkit2gtk). ⌘ Read more
[$] Improving the merging of anonymous VMAs
The virtual memory area (VMA), represented by struct vm_area_struct,
is one of the core abstractions of the kernel’s
memory-management subsystem; a VMA represents a portion of a process’s
address space with the same characteristics. A memory-mapped file will be
represented by (at least) one VMA, as will the process’s stack or a region
of anonymous memory. Efficiently managing VMAs and the logic around them
i … ⌘ Read more
[$] A herd of migration discussions
Migration is the act of moving data from one location in physical
memory to another. The kernel may migrate pages for many reasons,
including defragmentation, improving NUMA locality, moving data to or from
memory hosted on a peripheral device, or freeing a range of
memory for other uses. Given the importance of migration to the
memory-management subsystem, there is a lot of interest in improving its
performance and removing impediments to its success. Several sessions in
the memory-management trac … ⌘ Read more
[$] Fedora change aims for 99% package reproducibility
The effort to ensure that open-source software is reproducible has been
gathering steam over the years, and gaining traction with major Linux
distributions. Debian, for example, has been working toward reproducible
builds for more than a decade; it can now
produce [official live CDs](https://wiki.debian.org/ReproducibleInst … ⌘ Read more
Security updates for Monday
Security updates have been issued by Debian (amd64-microcode, flatpak, intel-microcode, libdata-entropy-perl, librabbitmq, and vim), Fedora (augeas, containerd, crosswords-puzzle-sets-xword-dl, libssh2, libxml2, nodejs-nodemon, and webkitgtk), Red Hat (libreoffice and python-jinja2), SUSE (389-ds, apparmor, corosync, docker, docker-stable, erlang26, exim, ffmpeg-4, govulncheck-vulndb, istioctl, matrix-synapse, mercurial, openvpn, python3, rke2, and skopeo), and Ubuntu (ansible, linux, l … ⌘ Read more
Four stable kernel updates
Greg Kroah-Hartman announced the release of four stable kernels on March 28: 6.13.9, 6.12.21, 6.1.132, and 6.6.85. Users are advised to upgrade. ⌘ Read more
Edmundson: a modern Plasma Login Manager
KDE contributor David Edmundson has published
a blog post about improving KDE Plasma’s login experience by
replacing SDDM
with a new Plasma Login Manager.
It’s worth stressing nothing is official or set in stone yet,
whilst it has come up in previous Plasma online meetings and in the
2023 Akademy. I’m posting this whilst starting a more o … ⌘ Read more
[$] Making the OpenWrt One
In a keynote on the final day of SCALE 22x, Denver
Gingerich said that he wanted to talk “a little bit about a router and
also the big picture around that router”. Gingerich is the director of
compliance at the Software Freedom
Conservancy (SFC), which is the organization behind the OpenWrt One router that
LWN looked at back in November. The
router is, of cour … ⌘ Read more
[$] The first part of the 6.15 merge window
As of this writing, 6,653 non-merge changesets have been pulled into the
mainline kernel repository for the 6.15 release. This merge window is thus
well underway. A number of significant changes have been merged so far;
read on for our summary of the first half of the 6.15 merge window. ⌘ Read more
Security updates for Friday
Security updates have been issued by Debian (mercurial and opensaml), Fedora (augeas, mingw-libxslt, and nodejs-nodemon), Mageia (chromium-browser-stable), Red Hat (grafana, kernel, kernel-rt, opentelemetry-collector, and podman), SUSE (apache-commons-vfs2, python3, and python36), and Ubuntu (ghostscript, linux, linux-aws, linux-azure, linux-gcp, linux-gke, linux-gkeop,
linux-ibm, linux-intel-iotg, linux-lowlatency, linux-lowlatency-hwe-5.15,
linux-nvidia, linux-oracle, linux-orac … ⌘ Read more
Bypassing Ubuntu’s user-namespace restrictions
Ubuntu 23.10 and 24.04 LTS introduced a feature using AppArmor to
restrict access to user namespaces. Qualys has reported
three ways to bypass AppArmor’s restrictions and enable local users to
gain full administrative capabilities within a user namespace. Ubuntu
has followed up with a post
that expla … ⌘ Read more
Rust adopting Ferrocene Language Specification
One recurring criticism of Rust has been that the language has no official specification. This is a barrier to adoption in some safety-conscious organizations, as well as to writing alternate language implementations. Now, the Rust project has
announced
that it will be adopting the
Ferrocene Language Specification (FLS) developed by
Ferrous Systems and maintaining … ⌘ Read more
A burst of progress on the GCC Rust front end
Arthur Cohen has posted a massive series of patches in four parts
(part 1, part 2, part 3, part 4)
upstreaming all of the recent work on the GCC Rust front end. These
changes include the Po … ⌘ Read more
[$] A process for handling Rust code in the core kernel
The 2024 Linux Storage, Filesystem, Memory-Management, and BPF Summit
included a tense session on the use of Rust
code in the kernel’s filesystem layer. The Rust topic returned in 2025 in
a session run by Andreas Hindborg, with a scope that also covered the
storage and memory-management layers. A lot of progress has been made, and
the discussion was less adversarial this year, but there are still process
issues that need to be worked out. ⌘ Read more
Security updates for Thursday
Security updates have been issued by Arch Linux (exim), Debian (exim4, ghostscript, and libcap2), Red Hat (container-tools:rhel8), SUSE (apache-commons-vfs2, argocd-cli, azure-cli-core, buildah, chromedriver, docker-stable, ed25519-java, kernel, kubernetes1.29-apiserver, kubernetes1.30-apiserver, kubernetes1.32-apiserver, libmbedcrypto7, microcode_ctl, php7, podman, proftpd, tomcat10, and webkit2gtk3), and Ubuntu (containerd, exim4, mariadb, opensaml, and org-mode). ⌘ Read more
A new home for kernel.org
Akamai has sent out a
press release saying that it is now hosting the kernel.org
repositories.
The Linux kernel is massive — approximately 28 million lines of
code. Since 2005, more than 13,500 developers from more than 1,300
different companies have contributed to the Linux
kernel. Additionally, there are many kernel versions, and
developers updat … ⌘ Read more