European Commission issues call for evidence on open source
The European Commission has issued a "call for evidence"
(https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/16213-European-Open-Digital-Ecosystems_en)
to help shape its European Open Digital Ecosystem
Strategy. The commission is looking to reduce its dependence on
software from non-EU countries:
The EU faces a significant problem of dependence on non-EU countries
in the digital sphere. This reduces users' choice, hampers EU
companies' competitiveness and can raise supply chain security issues
as it makes it difficult to control our digital infrastructure (both
physical and software components), potentially creating
vulnerabilities including in critical sectors. In the last few years,
it has been widely acknowledged that open source – which is a public
good to be freely used, modified, and redistributed – has the strong
potential to underpin a diverse portfolio of high-quality and secure
digital solutions that are valid alternatives to proprietary ones. By
doing so, it increases user agency, helps regain control and boost the
resilience of our digital infrastructure.
The feedback period runs until midnight (Brussels time)
February 3, 2026. The commission seeks input from all interested
stakeholders, "in particular the European open-source community
(including individual contributors, open-source companies and
foundations), public administrations, specialised business sectors,
the ICT industry, academia and research institutions".
[$] Lessons from creating a gaming-oriented scheduler
At the 2025 Linux Plumbers
Conference (LPC), held in Tokyo in mid-December, Changwoo Min led a session
(https://lpc.events/event/19/contributions/2150/) on what
he has learned while developing the "latency-criticality aware virtual
deadline" (LAVD) scheduler, which is aimed at gaming
workloads. The session was part of the Gaming
on Linux microconference, which is a new entrant into LPC; organizers
hope to see it return next year in
Prague and, presumably, beyond. LAVD uses the extensible scheduler class
(sched_ext, https://lwn.net/Articles/922405/) and has
the primary goal of minimizing stuttering
(https://www.gameslearningsociety.org/what-is-game-stuttering/) in games;
it is implemented in a combination of BPF and Rust.
[$] 2025 Linux and free software timeline
Last year (https://lwn.net/Articles/1004204/), we
revived the tradition of publishing a timeline
(https://lwn.net/op/TimelineIdx.lwn) of
notable events from the previous year. Since that seemed to go over
well, we decided we should continue the practice and look back on some
of the most noteworthy events and releases of 2025.
IPFire 2.29 Core Update 199 released
IPFire, an
open-source firewall Linux distribution, has released version
2.29 - Core Update 199. Notable changes in this release include an
update to Linux 6.12.58, support for WiFi 6 and 7 features on
wireless access points, as well as native support for the Link Layer
Discovery Protocol (LLDP) and the Cisco Discovery Protocol (CDP).
Google will now only release Android source code twice a year (Android Authority)
Android Authority reports (https://www.androidauthority.com/aosp-source-code-schedule-3630018/)
that Google will be reducing the frequency of releases of code to the
Android Open Source Project to only twice per year.
A spokesperson for Google offered some additional context on this
decision, stating that it helps simplify development, eliminates
the complexity of managing multiple code branches, and allows them
to deliver more stable and secure code to Android platform
developers. The spokesperson also reiterated that Google's
commitment to AOSP is unchanged and that this new release schedule
helps the company build a more robust and secure foundation for the
Android ecosystem.
The release schedule for security patches is unchanged.
Security updates for Wednesday
Security updates have been issued by AlmaLinux (resource-agents, ruby:3.3, thunderbird, and xorg-x11-server), Fedora (libpcap), Red Hat (brotli), Slackware (libsodium), SUSE (dcmtk, govulncheck-vulndb, libpcap, mozjs60, qemu, rsync, and usbmuxd), and Ubuntu (glib2.0 and linux-raspi, linux-raspi-5.4).
[$] Questions for the Technical Advisory Board
The nature and role of the Linux Foundation's Technical Advisory Board (TAB) is
not well-understood, though an earlier article
(https://lwn.net/Articles/1049035/) shed some light on its
role and history. At the 2025
Linux Plumbers Conference (LPC), the TAB held a question-and-answer
session to address whatever it was the community wanted to know
(video: https://www.youtube.com/watch?v=1_4TlTgpRrE).
Those questions ended up covering the role of large language models in kernel
development, what it is like to be on the TAB, how the TAB can help grease the
wheels of corporate bureaucracy, and more.
[$] The difficulty of safe path traversal
Aleksa Sarai, as the maintainer of the runc container runtime
(https://github.com/opencontainers/runc), faces a
constant battle against security problems. Recently, runc has seen
another
instance of a security vulnerability that can be traced back to the difficulty
of handling file paths on Linux. Sarai spoke at a 2025 conference about
some of the problems runc has had with path-traversal vulnerabilities, and to
ask people to please use
libpathrs, the library that he has been developing for
safe path traversal.
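As an added illustration (example code written for this summary, not runc's or libpathrs's own implementation), the Python below contrasts the lexical prefix check that many projects start with against an in-root resolver that walks the path one component at a time and expands symlinks itself, so that an absolute link target or a ".." can never leave the root. The fixture (a root containing symlinks to "/" and "..", a self-referential link, and a dummy etc/passwd) is constructed here. The user-space resolver still has a time-of-check/time-of-use window: a symlink swapped in after lstat() but before the final open() escapes, which is why a kernel-side resolver such as openat2() with RESOLVE_IN_ROOT (Linux 5.6 and later) is the real fix; the example shows what such a resolver has to get right.

```python
import errno
import os
import stat
import tempfile


def naive_resolve(root, user_path):
    """The lexical check many projects start with: join, normalize, test the
    prefix.  It stops "../" escapes but is blind to symlinks inside root."""
    full = os.path.normpath(os.path.join(root, user_path.lstrip("/")))
    if full != root and not full.startswith(root + os.sep):
        raise PermissionError("path escapes root: %r" % user_path)
    return full


def safe_resolve(root, user_path, max_links=40):
    """Resolve user_path as if root were "/": walk one component at a time,
    lstat() each, and expand symlinks by hand so an absolute target restarts at
    root and ".." can never climb above it (the semantics of openat2's
    RESOLVE_IN_ROOT, emulated in user space and therefore still racy)."""
    root = os.path.realpath(root)
    stack = []                                      # verified components below root
    pending = [c for c in user_path.split("/") if c not in ("", ".")]
    links = 0
    while pending:
        comp = pending.pop(0)
        if comp == "..":
            if stack:
                stack.pop()                         # ".." at root stays at root
            continue
        cur = os.path.join(root, *stack, comp)
        try:
            st = os.lstat(cur)
        except FileNotFoundError:
            stack.append(comp)                      # nonexistent tail: lexical only
            continue
        if stat.S_ISLNK(st.st_mode):
            links += 1
            if links > max_links:                   # kernel's MAXSYMLINKS is 40
                raise OSError(errno.ELOOP, os.strerror(errno.ELOOP), cur)
            target = os.readlink(cur)
            if target.startswith("/"):
                stack = []                          # absolute target: restart at root
            pending = [c for c in target.split("/") if c not in ("", ".")] + pending
            continue
        stack.append(comp)
    return os.path.join(root, *stack) if stack else root


def demo():
    """Constructed fixture: a root containing symlinks that point out of it, a
    self-referential link, and a dummy etc/passwd standing in for the real one."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.realpath(tmp)
        os.makedirs(os.path.join(root, "etc"))
        inside = os.path.join(root, "etc", "passwd")
        with open(inside, "w") as f:
            f.write("constructed:x:0:0::/:/bin/sh\n")
        os.symlink("/", os.path.join(root, "escape"))   # absolute target
        os.symlink("..", os.path.join(root, "up"))      # relative climb
        os.symlink("loop", os.path.join(root, "loop"))  # points at itself
        r = {}
        try:                                            # lexical "../" is caught ...
            naive_resolve(root, "../etc/passwd")
            r["naive_catches_dotdot"] = False
        except PermissionError:
            r["naive_catches_dotdot"] = True
        # ... but a symlink walks straight through: the string is under root,
        # the file the kernel would open is the host's /etc/passwd.
        leaked = naive_resolve(root, "escape/etc/passwd")
        r["naive_follows_symlink_out"] = not os.path.realpath(leaked).startswith(root + os.sep)
        # In-root resolution reinterprets every link target relative to root.
        r["safe_abs_link"] = safe_resolve(root, "escape/etc/passwd") == inside
        r["safe_rel_link"] = safe_resolve(root, "up/up/etc/passwd") == inside
        r["safe_dotdot"] = safe_resolve(root, "/../../etc/passwd") == inside
        try:
            safe_resolve(root, "loop/x")
            r["safe_rejects_loop"] = False
        except OSError as e:
            r["safe_rejects_loop"] = e.errno == errno.ELOOP
        return r


if __name__ == "__main__":
    for k, v in demo().items():
        print("%-28s %s" % (k, v))
```

The naive check and the safe resolver return the same string for the symlink case in one sense only: both are under root textually. The difference is what the kernel would open. Anything that opens the returned path afterwards, rather than holding a directory file descriptor obtained during the walk, reintroduces the race.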
Manjaro 26.0 released
Version 26.0 ("Anh-Linh") of the Arch-based Manjaro (https://manjaro.org/)
distribution has been
released. Manjaro 26.0 includes Linux 6.18, GNOME 49,
KDE Plasma 6.5, Xfce 4.20, and more
(https://forum.manjaro.org/t/stable-update-2026-01-04-manjaro-26-0-mesa-firefox-libreoffice-cosmic/184517).
Security updates for Tuesday
Security updates have been issued by AlmaLinux (kernel, ruby, and thunderbird), Debian (libsodium and ruby-rmagick), Fedora (gnupg2 and proxychains-ng), Oracle (gcc-toolset-14-binutils, rsync, tar, and thunderbird), Red Hat (buildah, mariadb, mariadb10.11, podman, and tar), SUSE (alloy, apache2, buildah, erlang26, glib2, ImageMagick, kernel, libsoup, pgadmin4, python-tornado6, python3, python312, python313, qemu, webkit2gtk3, and xen), and Ubuntu (webkit2gtk).
[$] Predictions for the new year
The calendar has flipped over to 2026; a new year has begun. That means
the moment we all dread has arrived: it is time for LWN to put out a set of
lame predictions for what may happen in the coming year. Needless to say,
we do not know any more than anybody else, but that doesn't stop us from
making authoritative-sounding pronouncements anyway.
GNU ddrescue 1.30 released
Version 1.30 of the GNU
ddrescue data recovery tool has been released. Notable changes in
this release include improvements to automatic recovery of a drive
with a dead head, addition of a --no-sweep option to disable
reading of skipped areas, and more.
Security updates for Monday
Security updates have been issued by AlmaLinux (tar), Debian (curl and gimp), Fedora (doctl, gitleaks, gnupg2, grpcurl, nginx, nginx-mod-brotli, nginx-mod-fancyindex, nginx-mod-headers-more, nginx-mod-modsecurity, nginx-mod-naxsi, nginx-mod-vts, and usd), Mageia (cups), Red Hat (container-tools:rhel8, go-toolset:rhel8, grafana, and skopeo), and SUSE (dirmngr, fluidsynth, gnu-recutils, libmatio-devel, python311-marshmallow, python312-Django6, rsync, and thunderbird).
Kernel prepatch 6.19-rc4
The 6.19-rc4 kernel prepatch (https://lwn.net/Articles/1052731/)
is out for
testing.
So this rc is still a bit smaller than usual, but it's not _much_
smaller, and I think next week is likely going to be more or less
back to normal.
Which is all exactly as expected, and nothing here looks
particularly odd. I'll make an rc8 this release just because of the
time lost to the holidays, not because it looks like we'd have any
particular issues pending (knock wood).
Kroah-Hartman: Linux kernel security work
Greg Kroah-Hartman has written an
overview of how the kernel's security team works.
The members of the security team contain a handful of core kernel
developers that have experience dealing with security bugs, and
represent different major subsystems of the kernel. They do this
work as individuals, and specifically can NOT tell their employer,
or anyone else, anything that is discussed on the security alias
before it is resolved. This arrangement has allowed the kernel
security team to remain independent and continue to operate across
the different governments that the members operate in, and it looks
to become the normal way project security teams work with the
advent of the European Union's new CRA law coming into effect.
6.18.3 stable kernel released
Greg Kroah-Hartman has announced the release of the 6.18.3
stable kernel (https://lwn.net/Articles/1052590/). As always, this
update contains important fixes; users of this kernel are advised to
upgrade.
Security updates for Friday
Security updates have been issued by Debian (smb4k), Fedora (direwolf, gh, usd, and webkitgtk), Slackware (libpcap and seamonkey), and SUSE (kepler).
Security updates for Thursday
Security updates have been issued by Debian (imagemagick and net-snmp), Fedora (delve, golang-github-google-wire, and golang-github-googlecloudplatform-cloudsql-proxy), and SUSE (podman, python3, and python36).
Shadow-utils 4.19.0 released
Version 4.19.0 of the shadow-utils
(https://github.com/shadow-maint/shadow) project has been released.
Notable changes in this release include rejecting some usernames that
were previously accepted with the --badname option, and removing
support for escaped newlines in configuration files. Possibly more
interesting is the announcement that the project is deprecating a
number of programs, hashing algorithms, and the ability to
periodically expire passwords:
Scientific research shows that periodic password expiration
leads to predictable password patterns, and that even in a
theoretical scenario where that wouldn't happen the gains in
security are mathematically negligible (paper
link).
Modern security standards, such as NIST SP 800-63B-4 in the USA,
prohibit periodic password expiration. [...]
To align with these, we're deprecating the ability to
periodically expire passwords. The specifics and long-term
roadmap are currently being discussed, and we invite feedback
from users, particularly from those in regulated environments.
See https://github.com/shadow-maint/shadow/pull/1432
.
The release announcement notes that the features will remain
functional "for a significant period" to minimize
disruption.
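As an added example (this is not shadow-utils code), here is a small audit in Python that parses /etc/shadow-format lines and reports which accounts still have periodic password expiration configured (a maximum age below 99999 in the fifth field), which ones are locked or forced to change at next login, and which crypt(3) scheme each account uses. The sample lines are constructed, with placeholder hashes. Treating DES-crypt and MD5-crypt as legacy is this example's assumption; the announcement says the project is deprecating some hashing algorithms, but the text above does not list them.

```python
import re

# /etc/shadow is nine colon-separated fields; ages are in days, dates are
# days since 1970-01-01.  An empty max-age or 99999 means "never expires".
FIELDS = ("name", "password", "lastchg", "min", "max", "warn",
          "inactive", "expire", "reserved")
NEVER = 99999

# crypt(3) identifiers as used by libxcrypt.  DES-crypt and MD5-crypt are
# treated as legacy here as an assumption of this example, not as the list
# of what shadow-utils itself is deprecating.
HASH_IDS = {
    "$1$": "md5crypt", "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "sha256crypt", "$6$": "sha512crypt", "$7$": "scrypt",
    "$y$": "yescrypt", "$gy$": "gost-yescrypt",
}
LEGACY = {"descrypt", "md5crypt"}


def hash_algorithm(pw):
    """Classify a password field: no usable hash, or the crypt(3) scheme."""
    pw = pw.lstrip("!")                  # "!" prefix locks the account, hash stays
    if pw in ("", "*"):
        return "none"
    for prefix, name in HASH_IDS.items():
        if pw.startswith(prefix):
            return name
    if re.fullmatch(r"[./0-9A-Za-z]{13}", pw):
        return "descrypt"                # 2-char salt + 11-char DES output
    return "unknown"


def parse_shadow_line(line):
    parts = line.rstrip("\n").split(":")
    if len(parts) != 9:
        raise ValueError("expected 9 fields, got %d: %r" % (len(parts), line))
    e = dict(zip(FIELDS, parts))
    for k in ("lastchg", "min", "max", "warn", "inactive", "expire"):
        e[k] = int(e[k]) if e[k] else None
    return e


def audit(shadow_text):
    """One finding per account that carries a real password hash."""
    findings = []
    for line in shadow_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        e = parse_shadow_line(line)
        algo = hash_algorithm(e["password"])
        if algo == "none":
            continue                     # disabled / never-had-a-password accounts
        max_days = e["max"]
        findings.append({
            "user": e["name"],
            "algorithm": algo,
            "legacy_hash": algo in LEGACY,
            "locked": e["password"].startswith("!"),
            "periodic_expiry": max_days is not None and max_days < NEVER,
            "max_days": max_days,
            "must_change": e["lastchg"] == 0,   # lastchg 0 forces a change at login
        })
    return findings


def accounts_with_periodic_expiry(shadow_text):
    return sorted(f["user"] for f in audit(shadow_text) if f["periodic_expiry"])


def accounts_with_legacy_hash(shadow_text):
    return sorted(f["user"] for f in audit(shadow_text) if f["legacy_hash"])


# Constructed sample, not taken from any real system; hashes are placeholders.
SAMPLE_SHADOW = """\
root:$6$rounds=5000$saltsalt$AbCdEfGh1234567890:19700:0:99999:7:::
alice:$y$j9T$saltsaltsalt$YeScRyPtPlAcEhOlDeR:20000:1:90:7:::
bob:$1$saltsalt$Md5CrYpTpLaCeHoLdEr:19000:0:99999:7:::
carol:!$6$saltsalt$LoCkEdBuTsTiLlAgInG:19500:0:60:7:::
dave:ab1Qx9zLm3Ptq:0:0:99999:7:::
svc-backup:*:19000:0:99999:7:::
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_SHADOW):
        print(f)
```

On a real host, run it as root against the file itself (audit(open("/etc/shadow").read())); the interesting output for the deprecation discussion is accounts_with_periodic_expiry(), which is the list of users whose aging settings will stop having any effect once the feature is removed.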
Security updates for Wednesday
Security updates have been issued by Debian (mediawiki), Fedora (duc, golang-github-projectdiscovery-mapcidr, and kustomize), Slackware (wget2), and SUSE (cheat, duc, flannel, go-sendxmpp, python311, python312, python313, and trivy).
Thunderbird 145 released
Version 145 of the Thunderbird email client has been released. Notable
changes in this release include enabling DNS over HTTPS, support for
Microsoft Exchange via Exchange Web Services, and quite a few bug
fixes. As of 145, the project is no longer shipping 32-bit binaries
for Linux on x86.
Rust 1.91.0 released
Version 1.91.0 of the Rust language has been released. Changes include
promoting aarch64-pc-windows-msvc to a tier-1 platform, a new lint
to catch dangling raw pointers from local variables, and a fair number of
newly stabilized APIs.
Security updates for Monday
Security updates have been issued by Debian (imagemagick, incus, lxd, pgagent, svgpp, and sysstat), Fedora (chromium, complyctl, fetchmail, firefox, mbedtls, mingw-binutils, mingw-python3, mingw-qt5-qtsvg, mingw-qt6-qtsvg, python3.10, python3.11, python3.12, python3.9, runc, and suricata), Mageia (expat), Red Hat (firefox, kernel, qt5-qtbase, and qt6-qtbase), Slackware (stunnel), SUSE (chromium, coredns, ctdb, firefox, kernel, libexslt0, libpoppler-cpp2, ollama, openssl-1_1, pam, samba, and thunderbird), and Ubuntu (samba).
[$] An unstable Debian stable update
A bug in a recent release of systemd's network manager caused
headaches for people managing systems that have a virtual LAN (VLAN)
interface on a bridge; something one might want to do, for example,
when configuring network interfaces for virtual machines. The bug
affected several Debian users when upgrading the https://packages.debian.org/trixie/systemd
package
from v257.7-1 to v257.8-1. The updated package is part of the https://www.debian.org/News/2025/20250906
release, and the bug has snared enough users to cause a minor
stir—due in no small part to the maintainer's response as much
as the bug itself.
[$] Typst: a possible LaTeX replacement
Typst is a program for document
typesetting. It is especially well-suited to technical material
incorporating elements such as mathematics, tables, and floating
figures. It produces high-quality results, comparable to the gold standard,
https://www.latex-project.org/
, with a simpler markup
system and easier customization, all while compiling documents
more quickly. Typst is free software, Apache-2.0 licensed, and is written in Rust.
[$] KDE launches its own distribution (again)
At Akademy 2025 (https://akademy.kde.org/2025/), the
KDE Project announced (https://floss.social/@kde/115157115844689060)
an alpha version of KDE Linux (https://kde.org/linux/), a
distribution built by the project to "include the best
implementation of everything KDE has to offer, using the most advanced
technologies". It is aimed at providing an operating system
suitable for home use, business use, OEM installations, and more
"eventually". For now there are many rough edges and missing
features that users should be aware of before taking the plunge; but
it is an interesting look at the kind of complete Linux system that
KDE developers would like to see.
npm debug and chalk packages compromised (Aikido)
The Aikido blog describes (https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised)
an apparently ongoing series of phishing attacks against NPM package
maintainers, resulting in the uploading of compromised versions of heavily
used packages:
All together, these packages have more than 2 billion downloads per
week.
The packages were updated to contain a piece of code that would be
executed on the client of a website, which silently intercepts
crypto and web3 activity in the browser, manipulates wallet
interactions, and rewrites payment destinations so that funds and
approvals are redirected to attacker-controlled accounts without
any obvious signs to the user.
Security updates for Friday
Security updates have been issued by AlmaLinux (aide, fence-agents, firefox, kernel-rt, python-cryptography, and thunderbird), Debian (golang-github-gin-contrib-cors, libxml2, and udisks2), Fedora (chromium), Oracle (postgresql16, postgresql:16, python3.11, and thunderbird), Red Hat (lz4 and mpfr), SUSE (chromium, docker, dpkg, firefox, gdk-pixbuf, git, git, git-lfs, obs-scm-bridge, python-PyYAML, gnutls, kernel, kernel-livepatch-MICRO-6-0-RT_Update_2, kernel-livepatch-MICRO-6-0-RT_Update_3, kernel-livepatch-MICRO-6-0-RT_Update_4, kernel-livepatch-MICRO-6-0-RT_Update_5, kernel-livepatch-MICRO-6-0-RT_Update_6, kernel-livepatch-MICRO-6-0-RT_Update_7, kernel-livepatch-MICRO-6-0-RT_Update_8, kernel-livepatch-MICRO-6-0_Update_10, kernel-livepatch-MICRO-6-0_Update_2, kernel-livepatch-MICRO-6-0_Update_3, kernel-livepatch-MICRO-6-0_Update_4, kernel-livepatch-MICRO-6-0_Update_5, kernel-livepatch-MICRO-6-0_Update_6, kernel-livepatch-MICRO-6-0_Update_7, kernel-livepatch-MICRO-6-0_Update_8, kernel-livepatch-MICRO-6-0_Update_9, libarchive, libxml2, net-tools, netty, perl-Crypt-CBC, polkit, postgresql14, postgresql15, sqlite3, thunderbird, tomcat10, and udisks2), and Ubuntu (linux, linux-aws, linux-aws-5.15, linux-gcp, linux-gcp-5.15, linux-gkeop,
linux-hwe-5.15, linux-ibm, linux-intel-iotg, linux-intel-iotg-5.15,
linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia,
linux-nvidia-tegra, linux-nvidia-tegra-5.15, linux-nvidia-tegra-igx,
linux-oracle, linux-raspi, linux-xilinx-zynqmp, linux, linux-aws, linux-aws-6.14, linux-gcp, linux-hwe-6.14, linux-raspi,
linux-realtime, linux-realtime-6.14, linux, linux-aws, linux-aws-6.8, linux-gcp, linux-lowlatency,
linux-lowlatency-hwe-6.8, linux-oracle, linux-oracle-6.8, linux, linux-aws, linux-kvm, linux-lts-xenial, linux-azure, linux-fips, linux-fips, linux-aws-fips, linux-gcp-fips, linux-gke, linux-hwe-6.8, linux-nvidia, linux-nvidia-6.8,
linux-nvidia-lowlatency, linux-raspi, linux-gke, linux-kvm, linux-oem-6.14, linux-realtime, linux-intel-iot-realtime, linux-realtime, linux-raspi-realtime, openldap, and udisks2).
[$] Shadow-stack control in clone3()
Shadow stacks are a control-flow-integrity feature designed to defend
against exploits that manipulate a thread's call stack. The kernel first
gained support for hardware-implemented shadow
stacks, for the x86 architecture, in the 6.6 release; 64-bit Arm
support followed in 6.13. This feature does not give user space much
control over the allocation of shadow stacks for new threads, though; a patch
series from Mark Brown may, after many attempts, finally be about
to change that situation.
Security updates for Monday
Security updates have been issued by AlmaLinux (kernel and tomcat9), Debian (iperf3, mupdf, qemu, thunderbird, and unbound), Fedora (glab, kubernetes1.31, kubernetes1.32, kubernetes1.33, and toolbox), Oracle (kernel and tomcat9), Red Hat (firefox, kernel, kernel-rt, and squid), SUSE (abseil-cpp-devel, aide, flake-pilot, gdk-pixbuf, glibc, go-sendxmpp, ImageMagick, jetty-annotations, jupyter-bqplot-jupyterlab, libtiff-devel-32bit, pam, pdns-recursor, ruby3.4-rubygem-activerecord, rust-keylime, terragrunt, and thunderbird), and Ubuntu (linux-azure and linux-azure-fips).
Security updates for Thursday
Security updates have been issued by AlmaLinux (libarchive, mingw-sqlite, pki-deps:10.6, and tomcat), Debian (chromium and firefox-esr), Fedora (python3.6 and suricata), Oracle (go-toolset:rhel8, kernel, libarchive, mingw-sqlite, tomcat, and xterm), Red Hat (kernel), Slackware (mozilla), SUSE (aws-efs-utils, docker-machine-driver-kvm2, nova, pluto, polaris, and python310), and Ubuntu (ceph, gcc-10, gcc-11, gcc-12, linux-aws-6.8, linux-gcp, linux-gcp-6.8, linux-gkeop, linux-ibm,
linux-ibm-6.8, linux-hwe-6.14, linux-oem-6.14, linux-ibm, linux-intel-iotg, linux-oracle, linux-raspi, linux-iot, poppler, and tiff).
Kernel prepatch 6.17-rc2
The 6.17-rc2 kernel prepatch (https://lwn.net/Articles/1034157/)
is out for
testing. "So it's been a very calm week, and this is one of the smaller
rc2 releases we've had lately. I'm definitely not complaining, since I've
been jetlagged much of the week, but I have this suspicion that it just
means that next week will see more noise."
Radicle 1.3.0 released
Version 1.3.0 (https://radicle.xyz/2025/08/12/radicle-1.3.0) of
the Radicle distributed software forge system has been released. Changes
this time around include canonical
references, a new radicle-protocol crate, better log rotation,
and more. (LWN looked at Radicle in 2024: https://lwn.net/Articles/966869/.)
Hughes: LVFS Sustainability Plan
Richard Hughes, creator and maintainer of the Linux Vendor Firmware
Service (LVFS, https://fwupd.org/), has
written a blog
post about the sustainability
plan he has put together for the service. He is calling for the
vendors that use the service to help fund its development and maintenance
going forward.
The Linux Foundation is kindly paying for all the hosting costs of the LVFS, and Red Hat pays for all my time — but as LVFS grows and grows that's going to be less and less sustainable longer term. We're trying to find funding to hire additional resources as a "me replacement" so that there is backup and additional attention to LVFS (and so that I can go on holiday for two weeks without needing to take a laptop with me).
This year there will be a fair-use quota introduced, with different sponsorship levels having a different quota allowance. Nothing currently happens if the quota is exceeded, although there will be additional warnings asking the vendor to contribute. The "associate" (free) quota is also generous, with 50,000 monthly downloads and 50 monthly uploads. This means that almost all the 140 vendors on the LVFS should expect no changes.
(Thanks to Paul Wise.)
Security updates for Monday
Security updates have been issued by AlmaLinux (jackson-annotations, jackson-core, jackson-databind, jackson-jaxrs-providers, and jackson-modules-base and libxml2), Debian (distro-info-data, gnutls28, modsecurity-crs, and node-tmp), Fedora (chromium, incus, perl, perl-Devel-Cover, perl-PAR-Packer, polymake, varnish, and xen), Red Hat (kernel, kernel-rt, and rhc), and SUSE (chromedriver, ffmpeg-4, go1.23, go1.24, go1.25, govulncheck-vulndb, himmelblau, iperf, keylime-ima-policy, net-tools, sqlite3, texmaker, tomcat, and zabbix).
Debian 13 ("trixie") released
The Debian Project has released its latest stable version, Debian 13
(https://www.debian.org/News/2025/20250809)
("trixie"), which will be supported through 2030. This release
includes GNOME 48, KDE Plasma 6.3, Xfce 4.20,
Linux 6.12, GCC 14.2, Python 3.13, and
systemd 257.
This release contains over 14,100 new packages for a total count of
69,830 packages, while over 8,840 packages have been removed as
"obsolete". 44,326 packages were updated in this release. The overall
disk usage for "trixie" is 403,854,660 kB (403 GB), and is made up of
1,463,291,186 lines of code. [...]
With this broad selection of packages and its traditional wide
architecture support, Debian once again stays true to its goal of
being "The Universal Operating System". It is suitable for many
different use cases: from desktop systems to netbooks; from
development servers to cluster systems; and for database, web, and
storage servers. At the same time, additional quality assurance
efforts like automatic installation and upgrade tests for all packages
in Debian's archive ensure that "trixie" fulfills the high
expectations that users have of a stable Debian release.
Trixie adds riscv64 as an officially supported architecture, and
drops i386 as a regular architecture. Users with i386 systems should
not upgrade to trixie; the project recommends reinstalling them as
amd64, or retiring the hardware. See the release
notes and issues
to be aware of before installing or upgrading to trixie.
Some turbulence at CalyxOS
CalyxOS is an Android distribution that
claims a focus on privacy and security. So when an
announcement from the project begins by saying "we want to assure
you that we have no reason to believe the security of CalyxOS and its
signing keys have been compromised", chances are that good things are
not happening.
In this case, it would appear that Nicholas Merrill, one of the founders of
the project, has left for unclear reasons, and CalyxOS is responding by
pausing all releases — and security updates — while its release process,
signing keys, and security protocols are reworked. The result will be no
updates for "four to six months". The project is recommending that
its users "should uninstall the OS" and wait for an all-clear
signal. CalyxOS may have its work cut out for it when the time comes to
try to convince those users to come back.
Rust 1.89 released
The release of Rust 1.89 has been announced
(https://blog.rust-lang.org/2025/08/07/Rust-1.89.0/). Changes this time include
support for inferring the length of certain arrays, lint messages suggesting how to clarify potentially confusing uses of lifetime elision in function signatures, and improvements to the C ABI. The
detailed release notes (https://releases.rs/docs/1.89.0/)
are also available.
[$] LWN.net Weekly Edition for August 7, 2025
Inside this week's LWN.net Weekly Edition:
Front (https://lwn.net/Articles/1032016/): Don't fear the TPM; Python performance; Offensive Debian packages; NNCPNET; 6.17 Merge window; Transparent huge pages; SilverBullet.
Briefs (https://lwn.net/Articles/1032018/): AUR malware; Secure boot; kbuild and kconfig maintenance; GPU drivers; NVIDIA on AlmaLinux; Proxmox 9.0; Quotes; ...
Announcements (https://lwn.net/Articles/1032019/): Newsletters, conferences, security updates, patches, and more.
Almeida: a brief introduction on how GPU drivers work
Daniel Almeida continues
his look at graphics drivers on the Collabora blog.
The starting point is to understand that a kernel-mode GPU driver
connects a much larger UMD (user-mode driver) to the actual
GPU. The UMD will actually implement APIs like Vulkan, OpenGL,
OpenCL, and others. These APIs, in turn, will be used by actual
programs to describe their workload to the GPU. This includes
allocating and using not only the geometry and textures, but also
the shaders being used to process said data into the final
result. This means that a key aspect of GPU drivers is actually
allocating GPU memory to house data related to the current scene
being drawn so that it can actually be operated on by the hardware.
A kbuild and kconfig maintainer change
For eight years, Masahiro Yamada has been the sole maintainer of the
kernel's build and configuration systems — two complex pieces of
infrastructure that many people interact with, but few truly understand.
Yamada has just stepped
down from that position. Maintenance of the build system will be taken
up by Nathan Chancellor and Nicolas Schier (in the "odd fixes" capacity),
while the configuration system is now entirely unmaintained.
Thanks are due to Yamada for all that work, and to Chancellor and Schier
for stepping up. Hopefully a way will be found to better support these
important subsystems in the near future.
[$] 6.17 Merge window, part 1
As of this writing, just over 4,000 non-merge changesets have been pulled
into the mainline repository during the 6.17 merge window. When he announced
(https://lwn.net/ml/all/CAHk-=wh0kuQE+tWMEPJqCR48F4Tip2EeYQU-mi+2Fx_Oa1Ehbw@mail.gmail.com/)
the merge-window opening, Linus Torvalds let it be known that, due to a
busy personal schedule, he was likely to pull changes more quickly than
usual this time around; that has been borne out to some extent. Changes
merged so far are focused on core-kernel and filesystem work; read on for
the details.
Security updates for Thursday
Security updates have been issued by AlmaLinux (firefox, java-21-openjdk, kernel, thunderbird, and unbound), Debian (chromium and systemd), Fedora (libtiff), Oracle (java-21-openjdk, libtpms, nodejs:22, redis:7, thunderbird, and unbound), Red Hat (firefox, redis, and thunderbird), SUSE (apache2, cdi-apiserver-container, cdi-cloner-container, cdi- controller-container, cdi-importer-container, cdi-operator-container, cdi- uploadproxy-container, cdi-uploadserver-container, cont, java-11-openjdk, kubevirt, virt-api-container, virt-controller-container, virt-exportproxy-container, virt-exportserver-container, virt-handler-container, virt-launcher-container, virt-libguestf, libarchive, nvidia-open-driver-G06-signed, redis, and rmt-server), and Ubuntu (linux, linux-aws, linux-aws-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-intel-iotg, linux-intel-iotg-5.15, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-nvidia-tegra, linux-nvidia-tegra-5.15, linux-nvidia-tegra-igx, linux-oracle, linux-oracle-5.15, linux-xilinx-zynqmp, linux, linux-aws, linux-aws-6.14, linux-gcp, linux-gcp-6.14, linux-hwe-6.14, linux-oem-6.14, linux-raspi, linux-realtime, linux, linux-aws, linux-aws-6.8, linux-gcp, linux-gke, linux-gkeop, linux-hwe-6.8, linux-ibm, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, linux-oem-6.8, linux-oracle, linux, linux-aws, linux-kvm, linux-aws, linux-lts-xenial, linux-aws-fips, linux-fips, linux-gcp-fips, linux-azure, linux-fips, linux-intel-iot-realtime, linux-realtime, linux-oracle, linux-oracle-6.8, linux-realtime, and sqlite3).
We need a European Sovereign Tech Fund (GitHub blog)
GitHub director of developer policy, Felix Reda, has published
a blog post about a GitHub-commissioned study
(https://eu-stf.openforumeurope.org/) from OpenForum Europe and a partner
research institute. The study finds, not surprisingly, "a profound
mismatch between the importance of open source maintenance and the
public attention it receives"; it calls for a European sovereign
tech fund (STF) modeled after Germany's Sovereign Tech Fund
(https://www.sovereign.tech/).
The study proposes two alternative institutional setups for the
EU-STF: either the creation of a centralized EU institution (the
moonshot model), or a consortium of EU member states that provide the
initial funding and apply for additional resources from the EU budget
(the pragmatic model). In both cases, to make the fund a success, the
minimum contribution from the upcoming EU multiannual budget should be
no less than €350 million. This would not be enough to meet the open
source maintenance need, but it could form the basis for leveraging
industry and national government co-financing that would make a
lasting impact.
The European Union is currently starting negotiations for its
2028-2034 budget, the Multiannual
Financial Framework; GitHub and others hope to persuade EU legislators to
include a European STF in that framework.
[$] Extending run-time verification for the kernel
There are a lot of things people expect the Linux kernel to do correctly. Some
of these are checked by testing or static analysis; a few are ensured by
run-time verification: checking a live property of a running Linux system. For
example, the scheduler has a handful of different correctness properties that
can be
checked in this way.
Nam Cao posted a
patch series that aims to extend the kinds of properties that the kernel's
verification system can check, by adding support for
linear temporal logic (LTL). The patch set has seen eleven revisions since the
first version in March 2025, and recently made it into the linux-next
tree, from where it seems likely to reach the mainline kernel soon.
Four small stable kernel updates
The four latest stable kernel updates (https://lwn.net/Articles/1029838/)
have been released; each contains a single AMD-related fix. "Only users of AMD
x86-based processors need to upgrade, all others may skip this
release".
Alpine Linux 3.22.0 released
Version 3.22.0 of the Alpine Linux distribution has been released. Notable
changes in this release include the removal of the X11 session for KDE
Plasma, a switch to systemd-efistub, and experimental support
for user
services with the OpenRC init system
(https://github.com/OpenRC/openrc). See the release
notes for a detailed list of changes.
[$] Hardening fixes lead to hard questions
Kees Cook's "hardening
fixes" pull request for the 6.16 merge window looked like a
straightforward exercise; it only contained four commits. So just about
everybody was surprised when it resulted in Cook being temporarily blocked
from his kernel.org account among fears of malicious activity. When the
dust settled, though, the red alert was canceled. It turns out,
surprisingly, that Git is a tool with which one can inflict substantial
self-harm in a moment of inattention.
Local vulnerabilities in Kea DHCP
The SUSE Security Team has published a detailed
report about security vulnerabilities it discovered in the Kea DHCP
server (https://www.isc.org/kea/) from the Internet Systems Consortium (ISC).
Since SUSE is also going to ship Kea DHCP in its products, we
performed a routine review of its code base. Even before checking the
network security of Kea, we stumbled over a range of local security
issues, among them a local root exploit which is possible in many
default installations of Kea on Linux and BSD distributions. [...]
This report is based on Kea release 2.6.1. Any source code
references in this report relate to this version. Many systems still
ship older releases of Kea, but we believe they are all affected as
well by the issues described in this report.
The report details seven security issues. Security fixes for the
vulnerabilities have been published in all of the currently supported
release series of Kea: 2.4.2
(https://downloads.isc.org/isc/kea/2.4.2/Kea-2.4.2-ReleaseNotes.txt),
2.6.3
(https://downloads.isc.org/isc/kea/2.6.3/Kea-2.6.3-ReleaseNotes.txt),
and the 2.7.9 development release
(https://downloads.isc.org/isc/kea/2.7.9/Kea-2.7.9-ReleaseNotes.txt)
were all released on May 28. ISC has assigned CVE-2025-32801
(https://nvd.nist.gov/vuln/detail/CVE-2025-32801),
CVE-2025-32802 (https://nvd.nist.gov/vuln/detail/CVE-2025-32802),
and CVE-2025-32803 (https://nvd.nist.gov/vuln/detail/CVE-2025-32803)
to the vulnerabilities. Note that some of the CVEs
cover multiple security flaws.
The 6.15 kernel has been released
Linus has released (https://lwn.net/Articles/1022493/) the 6.15 kernel, as
expected.
So this was delayed by a couple of hours because of a last-minute
bug report resulting in one new feature being disabled at the
eleventh hour, but 6.15 is out there now.
Significant changes in 6.15 include work (https://lwn.net/Articles/1012490/)
to make checkpoint/restore operations more reliable, the ability
(https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6092c5016005)
to read status information from a pidfd after the process in question has
been reaped, the special pidfd value (https://lwn.net/Articles/992991/), nested
ID-mapped mounts, zero-copy network-data reception via io_uring, the ability
to read epoll events via io_uring, resilient
queued spinlocks for BPF programs, a set of changes
(https://lwn.net/Articles/1011366/) allowing them to be
placed in file-backed memory areas and for user space to detect their
presence, the once-controversial fwctl
subsystem, the optional sealing of some
system mappings, and much more.
See the LWN merge-window summaries (https://lwn.net/Articles/1015414/) for
more information.
Home Assistant deprecates the "core" and "supervised" installation modes
A recent LWN article (https://lwn.net/Articles/1017720/)
observed that the project emphasizes installations using its own Linux
distribution or within containers. The project has now made that emphasis
rather stronger with this
announcement of the deprecation of the "core" and "supervised"
installation modes, which allowed Home Assistant to be installed as an
ordinary application on a Linux system.
These are advanced installation methods, with only a small
percentage of the community opting to use them. If you are using
these methods, you can continue to do so (you can even continue to
update your system), but in six months' time, you will no longer be
supported, which I'll explain the impacts of in the next
section. References to these installation methods will be removed
from our documentation after our next release (2025.6).
Support for 32-bit Arm and x86 architectures has also been deprecated.
[$] Faster firewalls with bpfilter
From
servers in a data center to desktop computers, many devices
communicating on a network will eventually have to filter network
traffic, whether it's for security or performance reasons. As a result,
this is a domain where a lot of work is put into improving performance:
a tiny performance improvement can have considerable gains.
Bpfilter is a
project that allows packet filtering to be done easily with BPF, which can
be faster than other mechanisms.
[$] The mystery of the Mailman 2 CVEs
Many eyebrows were raised recently when three vulnerabilities were announced
that allegedly impact GNU Mailman 2.1 (https://www.gnu.org/software/mailman/),
since many folks assumed that it was no longer being supported. That's
not quite the case. Even though version 3.0
(https://wiki.list.org/DEV/Mailman%203.0) of
the GNU Mailman mailing-list manager has been available
since 2015, and version 2 was declared (mostly) end of life
(EOL) in 2020, there are plenty of users and projects still
using version 2.1.x. There is, as it turns out, a big difference between
mostly EOL and actually EOL. For example, the WebPros
(https://www.webpros.com/) server and web-site-management
platform still maintains a port of
Mailman 2.1.x to Python 3 for its customers and was
quick to respond to reports of vulnerabilities. However, the
company and upstream Mailman project dispute that the CVEs are
valid.
Kernel prepatch 6.15-rc4
The 6.15-rc4 kernel prepatch (https://lwn.net/Articles/1019111/) is out for
testing. "So let's see if this rc ends up avoiding any silly issues -
things certainly look pretty normal, and there were no hurried last-minute
changes this week due to system upgrades".
Debian Project Leader Election 2025 results
The Debian Project Leader election results (https://www.debian.org/vote/2025/vote_001)
have been announced (https://lwn.net/ml/debian-vote/aAqvGJWS2oXfUL_4%40roeckx.be/). Andreas
Tille has been re-elected and will serve another term through
April 2026. LWN looked at the election and
candidates in early April.
[$] Some __nonstring__ turbulence
New compiler releases often bring with them new warnings; those warnings
are usually welcome, since they help developers find problems before they
turn into nasty bugs. Adapting to new warnings can also create disruption
in the development process, though, especially when an important developer
upgrades to a new compiler at an unfortunate time. This is just the
scenario that played out with the 6.15-rc3
kernel release and the implementation of
-Wunterminated-string-initialization in GCC 15.
[$] Freezing filesystems for suspend
Sometimes worms have a tendency to multiply once their can is opened.
James Bottomley recently encountered that situation; he led a session in
the filesystem track at the 2025 Linux Storage, Filesystem, Memory
Management, and BPF Summit (LSFMM+BPF) to discuss filesystem behavior with
respect to suspending and resuming the system. As he noted in his topic
proposal, he came at the problem because he needed a way to
resynchronize the contents of efivarfs
(https://www.kernel.org/doc/html/latest/filesystems/efivarfs.html)
after a system resume and thought there should be an API available to use.
But, as the resulting thread shows, the filesystem freeze and thaw code had
never been used by the system-wide suspend and resume code. Due to a
scheduling mixup, though, several of us missed Bottomley's session,
including Luis Chamberlain who has been working on hooking those two pieces
up; what follows is largely from a second session that Chamberlain led,
with some background information from the topic-proposal discussion and an
email exchange with Bottomley.
Security updates for Thursday
Security updates have been issued by Debian (haproxy and openrazer), Fedora (c-ares and mingw-poppler), Red Hat (thunderbird), SUSE (epiphany, ffmpeg-6, gopass, and libsoup-3_0-0), and Ubuntu (erlang, haproxy, libapache2-mod-auth-openidc, libarchive, linux, linux-aws, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15, linux-gcp, linux-gke, linux-gkeop, linux-hwe-5.15, linux-ibm, linux-intel-iotg, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-nvidia-tegra, linux-nvidia-tegra-igx, linux-oracle, linux-raspi, linux, linux-aws, linux-azure, linux-azure-6.8, linux-ibm, linux-lowlatency, linux-lowlatency-hwe-6.8, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, linux-oem-6.8, linux-oracle, linux-oracle-6.8, linux-aws-6.8, linux-aws-fips, linux-fips, linux-gcp-fips, linux-azure-fips, linux-gcp, linux-gke, linux-gkeop, linux-gcp-6.8, linux-ibm-5.15, linux-intel-iot-realtime, linux-realtime, linux-intel-iotg-5.15, linux-realtime, perl, and yelp, yelp-xsl).
[$] LWN.net Weekly Edition for April 24, 2025
Inside this week's LWN.net Weekly Edition:
https://lwn.net/Articles/1017842/: Owen Le Blanc and MCC; UID/GID drift; DMA for UIO; More LSFMM+BPF 2025 coverage.
https://lwn.net/Articles/1017844/: EU OS; RISC-V Fedora; Ubuntu 25.04; NLnet funding; Template strings; Tor Browser 14.5; Quotes; ...
https://lwn.net/Articles/1017845/: Newsletters, conferences, security updates, patches, and more.
[$] Addressing UID/GID drift in rpm-ostree and bootc
The Fedora Project is looking for solutions to an interesting
problem with its image-based editions and spins, such as the Atomic
Desktops (https://fedoraproject.org/atomic-desktops/) or Fedora CoreOS
(https://fedoraproject.org/coreos/), that are
created with rpm-ostree (https://coreos.github.io/rpm-ostree/). If a package that
is part of an image-based version has a user or group created
dynamically on installation, and it owns files installed on the
system, the system may be subject to user ID (UID) and group ID (GID) "drift"
on updates. This "UID/GID drift" may come about when a new image with
updates is generated, leaving files with the wrong
ownership. This can have side-effects ranging from mildly inconvenient to
serious. No solutions have been adopted just yet, but there are a few
ideas on how to deal with the problem.
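The drift described above can be checked for on a deployed system by comparing each file's stored numeric owner with the account name the package intended, resolved through the passwd database the current image ships. The following is an added example, not code from Fedora, rpm-ostree or bootc; the account names, uids and file paths are constructed for illustration.

```python
"""Detect UID/GID drift on an image-based system (constructed example)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class FileOwner:
    path: str
    expected_user: str  # owner name recorded by the package
    uid: int            # numeric owner actually stored on the file


@dataclass(frozen=True)
class Drift:
    path: str
    expected_user: str
    uid: int
    resolved_user: Optional[str]  # account the uid now maps to, None if nobody


def parse_passwd(text: str) -> dict[str, int]:
    """Map user name -> uid from /etc/passwd-style lines (name:x:uid:...)."""
    users: dict[str, int] = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[0] and not line.startswith("#"):
            users[fields[0]] = int(fields[2])
    return users


def find_drift(files, passwd: dict[str, int]) -> list[Drift]:
    """Report files whose stored uid differs from the uid that the current
    passwd assigns to the package's intended owner: those files are now
    readable or writable by whichever account inherited the old number."""
    by_uid = {uid: name for name, uid in passwd.items()}
    return [Drift(f.path, f.expected_user, f.uid, by_uid.get(f.uid))
            for f in files if passwd.get(f.expected_user) != f.uid]


# Constructed sample: two dynamic service accounts allocated in one order when
# the first image was built, and in the opposite order in a rebuilt image.
PASSWD_BUILD_1 = ("root:x:0:0:root:/root:/bin/bash\n"
                  "metricsd:x:998:998::/var/lib/metricsd:/sbin/nologin\n"
                  "backupd:x:997:997::/var/lib/backupd:/sbin/nologin\n")
PASSWD_BUILD_2 = ("root:x:0:0:root:/root:/bin/bash\n"
                  "backupd:x:998:998::/var/lib/backupd:/sbin/nologin\n"
                  "metricsd:x:997:997::/var/lib/metricsd:/sbin/nologin\n")

# Files persisted from the first deployment keep their numeric owners.
DEPLOYED_FILES = [
    FileOwner("/var/lib/metricsd/state.db", "metricsd", 998),
    FileOwner("/var/lib/backupd/keys", "backupd", 997),
    FileOwner("/etc/motd", "root", 0),
]

if __name__ == "__main__":
    for d in find_drift(DEPLOYED_FILES, parse_passwd(PASSWD_BUILD_2)):
        print(f"{d.path}: owner {d.expected_user} expected, uid {d.uid} "
              f"now belongs to {d.resolved_user}")
```

Against the first image's passwd nothing is reported; against the rebuilt image the backup keys resolve to the metrics account, which is the "serious" end of the side-effect range the text mentions.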