Feed lwn LWN.net

Link https://lwn.net/
Feed http://lwn.net/headlines/rss
Updated 2025-09-13 02:00
[$] Creating a healthy kernel subsystem community
Creating welcoming communities within open-source projects is a recurring topic at conferences; those projects rely on contributions from others, so making them welcome is important. The kernel has, rather infamously over the years, been an oft-cited example of an unwelcoming project, though there have been (and are) multiple efforts to change that with varying degrees of success. Hans de Goede talked about such efforts within his corner of the kernel project in a talk (YouTube video) at Open Source Summit Europe.
Security updates for Friday
Security updates have been issued by Debian (cups, imagemagick, libcpanel-json-xs-perl, and libjson-xs-perl), Fedora (checkpointctl, chromium, civetweb, glycin, kernel, libssh, ruff, rust-secret-service, snapshot, and uv), Mageia (curl), Red Hat (kernel), SUSE (cups, curl, perl-Cpanel-JSON-XS, regionServiceClientConfigAzure, regionServiceClientConfigEC2, regionServiceClientConfigGCE, trivy, and xen), and Ubuntu (cups, node-cipher-base, and qemu).
Six stable kernels patching the VMScape Spectre variant
The VMScape vulnerability is a Spectre variant that "allows a malicious KVM guest to leak sensitive information such as encryption/decryption keys from a userspace hypervisor such as QEMU". Greg Kroah-Hartman has announced the 6.16.7, 6.12.47, 6.6.106, 6.1.152, 5.15.193, and 5.10.244 stable kernels, which add a mitigation for the hardware bug.
[$] A policy for Link tags
The Git source-code management system stores a lot of information about changes to code - but it does not hold everything that might be of interest to a developer who needs to investigate a specific change in the future. Commits in a repository are the end result of a (sometimes extended) discussion; often, that discussion will result in changes to the code that are not explained in the changelog. For some years now, many maintainers have followed the convention of applying a Link tag to commits that points back to the mailing-list posting of the change. Linus Torvalds has been expressing his dislike for this convention for a while, though, and its time appears to be coming to an end.
Security updates for Thursday
Security updates have been issued by AlmaLinux (python3.12-cryptography), Debian (chromium, hsqldb1.8.0, and imagemagick), Fedora (bustle, cef, maturin, rust-busd, rust-crypto-auditing-agent, rust-crypto-auditing-client, rust-crypto-auditing-event-broker, rust-monitord, rust-monitord-exporter, rustup, tuigreet, and wireshark), Oracle (kernel, microcode_ctl, and python3.12-cryptography), Red Hat (httpd:2.4 and multiple packages), SUSE (coreutils, curl, dpkg, ffmpeg-4, glib2, gnutls, go1.23-openssl, go1.24-openssl, go1.25-openssl, grub2, ImageMagick, jbigkit, kernel, libxslt, Mesa, opensc, opera, perl-JSON-XS, polkit, postgresql16, protobuf, python311, python311-deepdiff, sqlite3, ucode-intel, and warewulf4), and Ubuntu (bind9 and libxml2).
How FOSS Projects Handle Legal Takedown Requests (F-Droid)
The F-Droid project has some advice for free-software projects on how to deal with takedown requests.
[$] LWN.net Weekly Edition for September 11, 2025
Inside this week's LWN.net Weekly Edition:
[$] How many ways are there to configure the Linux kernel?
There are a large number of ways to configure the 6.16 Linux kernel. It has 32,468 different configuration options on x86_64, and a comparable number for other platforms. Exploring the ways the kernel can be configured is sufficiently difficult that it requires specialized tools. These show the number of possible configurations that options can be combined in has 6,550 digits. How has that number changed over the history of the kernel, and what does it mean for testing?
OpenSUSE disables bcachefs
The openSUSE project has announced that the bcachefs filesystem will be disabled in its kernel builds starting with 6.17; bcachefs users will have to make other arrangements. "The current 6.16.* is NOT affected. Neither is Slowroll (for now)."
[$] KDE launches its own distribution (again)
At Akademy 2025, the KDE Project released an alpha version of KDE Linux, a distribution built by the project to "include the best implementation of everything KDE has to offer, using the most advanced technologies". It is aimed at providing an operating system suitable for home use, business use, OEM installations, and more "eventually". For now there are many rough edges and missing features that users should be aware of before taking the plunge; but it is an interesting look at the kind of complete Linux system that KDE developers would like to see.
Three decades in kernelland
At Open Source Summit Europe, LWN's Jonathan Corbet presented "Three Decades in Kernelland"; the talk provides a look at how the kernel got to where it is, what makes it successful, and what may be coming next. The video of the talk is now online for LWN readers who would like to check it out.
Security updates for Wednesday
Security updates have been issued by Fedora (buildah, containers-common, glycin, loupe, podman, rust-matchers, and rust-tracing-subscriber), Red Hat (fence-agents, jackson-annotations, jackson-core, jackson-databind, jackson-jaxrs-providers, and jackson-modules-base, pki-deps:10.6, python-requests, python3.12-cryptography, redis:6, redis:7, and resource-agents), Slackware (libssh), SUSE (aide, cloud-init, iperf, java-1_8_0-openjdk, jq, kernel-devel, python-deepdiff, regionServiceClientConfigAzure, regionServiceClientConfigEC2, and regionServiceClientConfigGCE), and Ubuntu (gnutls28).
A path toward removal of kernel high-memory support
As a followup to his OSS Europe talk on the future of 32-bit support in the kernel, Arnd Bergmann has put together a detailed plan for the eventual removal of high-memory support, which he calls "one of the least popular features of the Linux kernel". The intent is "to gradually phase out highmem over the next 2 years for mainline kernels". This plan is posted as a prompt for a discussion to be held at the Kernel Summit in December, so chances are it will evolve considerably in the next few months.
A new pile of stable kernels
The 6.16.6, 6.12.46, 6.6.105, 6.1.151, 5.15.192, 5.10.243, and 5.4.299 stable kernel updates have been released; each contains another set of important fixes.
Anaconda WebUI: progress update and roadmap
Fedora's Community Blog has a short update on the progress of Fedora's new installer with a web-based interface. The new installer was introduced for the Workstation edition in Fedora Linux 42; it is now approved to be included in all Fedora spins and the KDE edition for Fedora 43. Final deprecation of the GTK-based installer is set for Fedora 45. LWN covered the installer changes in April.
[$] Introducing Space Grade Linux
A new project, targeting Linux for the proverbial final frontier - outer space - was the subject of a talk (YouTube video) at the Embedded Linux Conference, which was held as part of Open Source Summit Europe in Amsterdam in late August. Ramon Roche introduced Space Grade Linux (SGL), which is currently incubating as a special interest group (SIG) of the Embedding Linux in Safety Applications (ELISA) project. The idea is to create a distribution with a base layer that can be used for off-planet missions of various sorts, along with other layers that can be used to customize it for different space-based use cases.
Security updates for Tuesday
Security updates have been issued by AlmaLinux (kernel and kernel-rt), Debian (openafs and qemu), Fedora (buildah, containers-common, podman, python-flask, and snapshot), Mageia (postgresql, python-django, and udisks2), Oracle (kernel and libxml2), Red Hat (apache-commons-beanutils, firefox, httpd, httpd:2.4, kernel, kernel-rt, mod_http2, qt5-qt3d, and thunderbird), Slackware (libxml2), SUSE (firebird, go1.25-openssl, ImageMagick, microcode_ctl, netty, netty-tcnative, and ovmf), and Ubuntu (libetpan and postgresql-14, postgresql-16, postgresql-17).
npm debug and chalk packages compromised (Aikido)
The Aikido blog describes an apparently ongoing series of phishing attacks against npm package maintainers, resulting in the uploading of compromised versions of heavily used packages:
[$] Testing the 2-in-1 Framework 12 Laptop
Framework Computer is a US-based computer manufacturer with a line of Linux-supported, modular, easily repairable and upgradeable laptops. In February, the company announced a new model, the Framework Laptop 12, an "entry-level" 12.2-inch convertible notebook that can be used as a laptop or tablet. The systems were made available for pre-order in April; I received mine in mid-August. Since then, I have been putting it through its paces with Debian 13 ("trixie") and Fedora Linux 42. It's a good choice for users who want a Linux-friendly, lightweight, 2-in-1 device - if they are willing to make a few concessions on storage capacity, RAM, and CPU/GPU choices.
Security updates for Monday
Security updates have been issued by Debian (chromium, libhtp, modsecurity-apache, shibboleth-sp, and wireless-regdb), Fedora (chromium, kea, tcpreplay, and yq), Mageia (rootcerts, nspr, nss & firefox and thunderbird), Red Hat (python3), and SUSE (7zip, chromedriver, go1.25, libQt5Pdf5, libsixel-bash-completion, libsoup2, libwireshark18, netty, rav1e, and trivy).
Kernel prepatch 6.17-rc5
Linus has released 6.17-rc5 for testing. "Things remain normal - both the diffstat and the commit counts look entirely sane". The announcement also contains a plea for maintainers to not overuse Link: tags when applying patches.
[$] Rug pulls, forks, and open-source feudalism
Like almost all human endeavors, open-source software development involves a range of power dynamics. Companies, developers, and users are all concerned with the power to influence the direction of the software - and, often, to profit from it. At the 2025 Open Source Summit Europe, Dawn Foster talked about how those dynamics can play out, with an eye toward a couple of tactics - rug pulls and forks - that are available to try to shift power in one direction or another.
Security updates for Friday
Security updates have been issued by Fedora (udisks2), Oracle (httpd:2.4 and kernel), Red Hat (python-requests), and SUSE (chromium, gn, dcmtk, firefox, himmelblau, nginx, perl-Authen-SASL, perl-Crypt-URandom, postgresql15, python-Django, and python-maturin).
No more 32-bit Firefox support
Mozilla has announced that support for the Firefox browser on 32-bit systems ends with version 144. "For users who cannot transition immediately, Firefox ESR 140 will remain available - including 32-bit builds - and will continue to receive security updates until at least September 2026."
Seven new stable kernels
Greg Kroah-Hartman has announced the release of the 6.16.5, 6.12.45, 6.6.104, 6.1.150, 5.15.191, 5.10.242, and 5.4.298 stable kernels. Each contains important fixes throughout the kernel tree; users should upgrade.
[$] The dependency tracker for complex deadlock detection
Deadlocks are a constant threat in concurrent settings with shared data; it is thus not surprising that the kernel project has long since developed tools to detect potential deadlocks so they can be fixed before they affect production users. Byungchul Park thinks that he has developed a better tool that can detect more deadlock-prone situations. At the 2025 Open Source Summit Europe, he presented an introduction to his dependency tracker (or "DEPT") tool and the kinds of problems it can detect.
Security updates for Thursday
Security updates have been issued by AlmaLinux (httpd:2.4, kernel, pam, postgresql:12, and python3.12), Debian (clamav and node-cipher-base), Fedora (exiv2 and libsixel), Oracle (httpd, kernel, pam, postgresql:12, postgresql:13, postgresql:15, and udisks2), SUSE (gimp, libmupen64plus-devel, munge, nvidia-open-driver-G06-signed, ovmf, postgresql15, python-aiohttp, python-Django, rav1e, redis, and ruby2.5), and Ubuntu (ffmpeg, kdepim, kf5-messagelib, kmail, kmail-account-wizard, linux-azure, linux-azure-6.8, linux-azure-nvidia, php7.0, php7.2, php7.4, protobuf, python-django, ruby2.5, ruby2.7, ruby3.0, ruby3.2, ruby3.3, and rubygems).
[$] LWN.net Weekly Edition for September 4, 2025
Inside this week's LWN.net Weekly Edition:
Home Assistant 2025.9 released
Version 2025.9 of the Home Assistant home automation system has been released. Changes include a new experimental dashboard that is eventually meant to become the default, a number of tile-card improvements, a reworked automation editor, several new integrations, and more.
Niri 25.08 released
Version 25.08 of the niri scrollable-tiling Wayland compositor has been released. Notable changes include xwayland-satellite integration, modal exit confirmation, and the introduction of basic support for screen readers:
Linux From Scratch 12.4 released
Version 12.4 of Linux From Scratch (LFS) and Beyond Linux From Scratch (BLFS) have been released. LFS provides step-by-step instructions on building a customized Linux system entirely from source, and BLFS helps to extend an LFS installation into a more usable system. Notable changes in this release include updates to GNU Binutils 2.45, GCC 15.2, GNU C Library (glibc) 2.42, and Linux 6.15.1. See the Changelog for all updates since 12.3.
[$] Tracking trust with Rust in the kernel
The Linux kernel has to handle many different sources of data that should not be trusted: user space, network connections, and removable storage, to name a few. The kernel has to remain secure even if one of these sends garbled (or malicious) data. Benno Lossin has been working on an API for kernel Rust code that makes it harder to accidentally make decisions based on data from user space. That work is now on its fourth revision, and Lossin has asked kernel developers to experiment with it and see where problems remain, making this a good time to look at the proposed API.
Announcing the Rust Innovation Lab
During the opening of RustConf 2025 in Seattle, Washington, the Rust Foundation announced a new initiative to provide financial and administrative support to open-source Rust projects. The first project to benefit from the new Rust Innovation Lab is Rustls, an implementation of TLS in Rust. The foundation welcomes inquiries from other projects. Dr. Rebecca Rumbul, Executive Director of the Rust Foundation said:
New ELF specification for public review
Cary Coutant has announced a draft for version 4.3 of the Executable and Linking Format (ELF) object file format. The specification was formerly part of the Unix System V Release 4 (SVR4) gABI document:
Security updates for Wednesday
Security updates have been issued by AlmaLinux (httpd, kernel, and kernel-rt), Debian (python-eventlet and python-h2), Mageia (aide, gnutls, tomcat, and vim), Oracle (httpd, mod_http2, postgresql:15, python3.11, python3.12, python3.9, and udisks2), Red Hat (kernel, postgresql, postgresql:12, and postgresql:15), SUSE (dcmtk, jupyter-bqplot-jupyterlab, kured, libudisks2-0, munge, python-eventlet, python-future, python311-eventlet, rekor, traefik2, and ucode-intel), and Ubuntu (linux-aws, linux-azure-5.15, linux-gcp-6.8, linux-gke, linux-gkeop, linux-hwe-6.8, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, linux-raspi, linux-gke, linux-ibm-5.15, linux-kvm, and protobuf).
[$] Removing Guix from Debian
As a rule, if a package is shipped with a Debian release, users can count on it being available, and updated, for the entire life of the release. If package foo is included in the stable release - currently Debian 13 ("trixie") - a user can reasonably expect that it will continue to be available with security backports as long as that release is supported, though it may not be included in Debian 14 ("forky"). However, it is likely that the Guix package manager will soon be removed from the repositories for Debian 13 and Debian 12 ("bookworm", also called oldstable).
The hidden vulnerabilities of open source (FastCode)
The FastCode site has a lengthy article on how large language models make open-source projects far more vulnerable to XZ-style attacks.
Security updates for Tuesday
Security updates have been issued by AlmaLinux (kernel, mod_http2, postgresql, postgresql:15, and python39:3.9), Debian (libsndfile), Mageia (ceph, glibc, and golang), Oracle (postgresql and python39:3.9), Red Hat (aide, postgresql:12, postgresql:13, postgresql:15, and postgresql:16), SUSE (git, govulncheck-vulndb, jetty-minimal, nginx, python-future, and ruby2.5), and Ubuntu (imagemagick).
GNOME loses another executive director
The GNOME Foundation has announced that Steven Deobald will be leaving the position of Executive Director after just four months.
[$] The future of 32-bit support in the kernel
Arnd Bergmann started his Open Source Summit Europe 2025 talk with a clear statement of position: 32-bit systems are obsolete when it comes to use in any sort of new products. The only reason to work with them at this point is when there is existing hardware and software to support. Since Bergmann is the overall maintainer for architecture support in the kernel, he is frequently asked whether 32-bit support can be removed. So, he concluded, the time has come to talk more about that possibility.
Security updates for Monday
Security updates have been issued by AlmaLinux (postgresql16, postgresql:16, python3.11, and thunderbird), Debian (firebird4.0, libcommons-lang3-java, mbedtls, nodejs, openvpn, and ruby-saml), Fedora (cef, chromium, docker-buildx, exiv2, firefox, rocm-rpp, and udisks2), Oracle (postgresql:16), Red Hat (fence-agents, firefox, gdk-pixbuf2, httpd, kernel, kernel-rt, libarchive, libxml2, multiple packages, postgresql, postgresql16, postgresql:15, postgresql:16, python3.11, python3.12, python39:3.9, and thunderbird), Slackware (udisks2), SUSE (go-sendxmpp, helm, ImageMagick, javamail, jq, kea, kernel, libarchive, libsoup, libssh, libxml2, openssl-3, postgresql14, postgresql15, python, python-future, systemd, and xz), and Ubuntu (open-vm-tools and python2.7).
Kernel prepatch 6.17-rc4
Linus has released 6.17-rc4 for testing. "So it all looks fairly good. Please do keep testing, and we'll get 6.17 out in a timely manner and in good shape."
Bcachefs goes to "externally maintained"
Linus Torvalds has quietly changed the maintainer status of bcachefs to "externally maintained", indicating that further changes are unlikely to enter the mainline anytime soon. This change also suggests, though, that the immediate removal of bcachefs from the mainline kernel is not in the cards.
[$] The challenge of maintaining curl
Keynote sessions at Open Source Summit events tend not to allow much time for detailed talks, and the 2025 Open Source Summit Europe did not diverge from that pattern. Even so, Daniel Stenberg, the maintainer of the curl project, managed to cram a lot into the 15 minutes given to him. Like the maintainers of many other projects, Stenberg is feeling some stress, and the problems appear to be getting worse over time.
[$] Highlights from systemd v258: part one
The next release of systemd has been percolating for an unusually long time. Systemd releases are usually about six months apart, but v257 came out in December 2024, and v258 just now seems to be nearing the finish line; the third release candidate for v258 was published on August 20 (release notes). Now is a good time to dig in and take a look at some of the new features, enhancements, and removals coming soon to systemd. These include new workload-management features, a concept for multiple home-directory environments, and the final, once-and-for-all removal of support for control groups version 1.
Security updates for Friday
Security updates have been issued by AlmaLinux (aide, fence-agents, firefox, kernel-rt, python-cryptography, and thunderbird), Debian (golang-github-gin-contrib-cors, libxml2, and udisks2), Fedora (chromium), Oracle (postgresql16, postgresql:16, python3.11, and thunderbird), Red Hat (lz4 and mpfr), SUSE (chromium, docker, dpkg, firefox, gdk-pixbuf, git, git, git-lfs, obs-scm-bridge, python-PyYAML, gnutls, kernel, libarchive, libxml2, net-tools, netty, perl-Crypt-CBC, polkit, postgresql14, postgresql15, sqlite3, thunderbird, tomcat10, and udisks2), and Ubuntu (linux, linux-aws, linux-aws-5.15, linux-gcp, linux-gcp-5.15, linux-gkeop, linux-hwe-5.15, linux-ibm, linux-intel-iotg, linux-intel-iotg-5.15, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-nvidia-tegra, linux-nvidia-tegra-5.15, linux-nvidia-tegra-igx, linux-oracle, linux-raspi, linux-xilinx-zynqmp, linux, linux-aws, linux-aws-6.14, linux-gcp, linux-hwe-6.14, linux-raspi, linux-realtime, linux-realtime-6.14, linux, linux-aws, linux-aws-6.8, linux-gcp, linux-lowlatency, linux-lowlatency-hwe-6.8, linux-oracle, linux-oracle-6.8, linux, linux-aws, linux-kvm, linux-lts-xenial, linux-azure, linux-fips, linux-fips, linux-aws-fips, linux-gcp-fips, linux-gke, linux-hwe-6.8, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, linux-raspi, linux-gke, linux-kvm, linux-oem-6.14, linux-realtime, linux-intel-iot-realtime, linux-realtime, linux-raspi-realtime, openldap, and udisks2).
Python: The Documentary
Attendees at EuroPython had the chance to preview part of Python: The Documentary during a keynote panel. The full film, created by CultRepo, is now available on YouTube:
Seven stable kernels for Thursday
Greg Kroah-Hartman has announced the release of the 6.16.4, 6.12.44, 6.6.103, 6.1.149, 5.15.190, 5.10.241, and 5.4.297 stable Linux kernels. Each one contains important fixes.
[$] Changing GNOME technical governance?
The GNOME project, which recently celebrated its 28th birthday, has never had a formal technical governance; progress has been driven by individuals and groups that advocated for - and worked toward - a particular goal in an ad hoc fashion. Longtime GNOME contributor Emmanuele Bassi would like to see that change by adding cross-project teams and a steering committee for the project; to that end, he gave a talk (YouTube video) at GUADEC 2025 in late July on his idea to establish some technical governance for the project. He also put together a blog post with his notes from the talk. The audience reaction was favorable, so he has followed up on the GNOME discussion forum with an RFC on governance to try to move the effort along.
Security updates for Thursday
Security updates have been issued by AlmaLinux (aide, firefox, kernel, and mod_http2), Debian (chromium and unbound), Fedora (mod_auth_openidc), Oracle (fence-agents and kernel), SUSE (ignition, jetty-minimal, kernel, libmozjs-128-0, matrix-synapse, postgresql13, postgresql15, postgresql16, and postgresql17), and Ubuntu (kernel).