LWN.net

One recurring criticism of Rust has been that the language has no official specification. This is a barrier to adoption in some safety-conscious organizations, as well as to writing alternate language implementations. Now, the Rust project hasannouncedthat it will be adopting the Ferrocene Language Specification (FLS) developed by Ferrous Systems and maintaining it as part of the core project. While this may not satisfy die-hard standardization-process enthusiasts, it's a step toward removing another barrier to using Rust in safety-critical systems.

Arthur Cohen has posted a massive series of patches in four parts(part1,part2,part3,part4)upstreaming all of the recent work on the GCC Rust front end. Thesechanges include the Polonius borrow checker, the foreign-functioninterface, inline assembly support, if-let statement handling,multiple built-in derive macros, for loops, and more.

The 2024 Linux Storage, Filesystem, Memory-Management, and BPF Summitincluded a tense session on the use of Rustcode in the kernel's filesystem layer. The Rust topic returned in 2025 ina session run by Andreas Hindborg, with a scope that also covered thestorage and memory-management layers. A lot of progress has been made, andthe discussion was less adversarial this year, but there are still processissues that need to be worked out.

Security updates have been issued by Arch Linux (exim), Debian (exim4, ghostscript, and libcap2), Red Hat (container-tools:rhel8), SUSE (apache-commons-vfs2, argocd-cli, azure-cli-core, buildah, chromedriver, docker-stable, ed25519-java, kernel, kubernetes1.29-apiserver, kubernetes1.30-apiserver, kubernetes1.32-apiserver, libmbedcrypto7, microcode_ctl, php7, podman, proftpd, tomcat10, and webkit2gtk3), and Ubuntu (containerd, exim4, mariadb, opensaml, and org-mode).

Akamai has sent out apress release saying that it is now hosting the kernel.orgrepositories.

Inside this week's LWN.net Weekly Edition:

Version0.11 of the Neovim text editor has been released. Notable changesin this release include simpler Language Server Protocol (LSP) clientsetup, improved tree-sitter performance, better emoji support, andenhancements for Neovim's embedded terminal emulator. See the release notes fora full list of changes.

In a shortnote to the Reproducible Buildsmailing list, Debian developer Roland Clobus announced that liveimages for Debian 12.10 ("bookworm") are now 100% reproducible. See the reproduciblelive images and Debian Live todopages on the Debian wiki for more information on the images.

The folio transition is one of the mostfundamental kernel changes ever made; it can be thought of as being similarto replacing the foundation of a building while it remains open forbusiness. So it is not surprising that, for some years, the annual LinuxStorage, Filesystem, Memory-Management, and BPF Summit has included asession on the state of this transition. The 2025 Summit was no exception,with Matthew Wilcox updating the group on what has been accomplished, whatremains to be done, and where some of the significant problems are.

Security updates have been issued by Debian (nginx and ruby-rack), Fedora (expat and libxslt), Mageia (bluez, dcmtk, ffmpeg, and radare2), Red Hat (container-tools:rhel8, gvisor-tap-vsock, kernel, kernel-rt, libreoffice, and podman), SUSE (buildah, forgejo, gitleaks, google-guest-agent, google-osconfig-agent, govulncheck-vulndb, grafana, helm, libxslt, php8, python-gunicorn, and python-Jinja2), and Ubuntu (freerdp2 and varnish).

Boudhayan Bhattcharya has posted a lengthy articleabout the announcementthat the Freedesktop project is dropping OpenH264 from the Freedesktop SDK for Flatpakapplications and runtimes.Some Flatpak applications that depend on the Freedesktop runtimeversion 23.08 will lose H.264 playback support starting with therelease scheduled for April, unless application developers replace itwith the ffmpeg-full extension. The 24.08 runtime isunaffected, and future releases will include a newcodecs-extra extension to replace OpenH264 that includes FFmpeg with support for a number ofpatented codecs.

By the time that Linus Torvalds releasedthe 6.14 kernel, 11,003 non-merge changesets had been pulled into themainline, making this one of the smallest releases we have seen in sometime. Indeed, one must go back to the 4.0release, which happened almost exactly ten years ago, to find a releasewith fewer changesets than 6.14. Even so, "small" is relative, and 6.14contains a lot of significant changes.

Security updates have been issued by Debian (ruby-rack), Fedora (chromium, golang-github-openprinting-ipp-usb, OpenIPMI, and python-jinja2), Mageia (kernel, kernel-linus, and wpa_supplicant, hostapd), Red Hat (fence-agents, kernel, kernel-rt, libxml2, libxslt, and pcs), SUSE (cadvisor, docker, freetype2, nodejs-electron, php8, rsync, u-boot, warewulf4, webkit2gtk3, and zvbi), and Ubuntu (elfutils, python3.5, python3.8, ruby-rack, smartdns, and zvbi).

Linus has released the 6.14 kernel, a bitlater than expected:

The adoption of open-source software in governments has had its ups anddowns. While open source seems like a "no-brainer", it turns out thatgovernments can be surprisingly resistant to using FOSS for a variety ofreasons. Federico Gonzalez Waite spoke in the Open Government track at SCALE 22x in Pasadena,California to recount his experiencesworking with and for the Mexican government. He led multiple projectsto switch away from proprietary, often predatory, software companies withsome success-and failure.

Security updates have been issued by Debian (libxslt, mercurial, and webkit2gtk), Fedora (chromium, dotnet8.0, ffmpeg, jupyterlab, and kitty), Mageia (expat and libxslt), Red Hat (pcs), SUSE (apptainer, chromium, kernel, libarchive, mercurial, python311, radare2, xorg-x11-server, and zvbi), and Ubuntu (golang-github-cli-go-gh-v2 and nltk).

Greg Kroah-Hartman has announced the release of the 6.13.8, 6.12.20, and 6.6.84 stable kernels. Each contains anumber of important fixes throughout the kernel tree; users of thoseseries should upgrade.

The Open Source Initiative(OSI) has announcedthe results of its recent board of directors election. Ruth Suehle andMcCoy Smith are new to the board, while Carlo Piana will serve anotherterm. The results, however, seem tainted in the eyes of someparticipants and observers. The election has been plagued by misstepsfrom the beginning. It has culminated with the exclusion of threecandidates for failing to meet a requirement to sign the OSI board agreement, which was added after the election was over and before results were tallied or announced.

As a system runs and its memory becomes fragmented, allocating large,physically contiguous regions of memory becomes increasingly difficult.Much effort over the years has gone into avoiding the need to make suchallocations whenever possible, but there are times when they simply cannotbe avoided. The kernel's contiguous memoryallocator (CMA) subsystem attempts to make such allocations possible,but it has never been a perfect solution. Suren Baghdasaryan is is tryingto improve that situation with the guaranteedcontiguous memory allocator patch set, which includes work from MinchanKim as well.

Julien Malka hascalled for the NixOS project to use build-reproducibility to detect when a program has a maintainer-generated tarball that results in a different artifact than building from source. There are good reasons for projects to release maintainer-generated tarballs, but since the materials included in them are usually documentation, extra build scripts, and so on, it makes sense to check that they don't influence the final build output. While this would not have stopped last year's XZ backdoor, it would have made it harder to hide.

Brendan Jackman has been working to try to get ahead of the next hardware CPUvulnerabilitybefore it gets discovered. In January, he posted the second version ofa patch set that introducesaddress-space isolation (ASI) as a way ofpreventing future CPU vulnerabilities from leaking importantinformation. The core concept is to ensure that data that is not currentlyneeded is not present in memory, so that speculative execution cannot leak it.The work is nowhere near ready to be incorporated into the mainlinekernel - not least of all because it has a large performance impact in itscurrent form - but it is likely to once again be a topic of discussion at the2025Linux Filesystem, Memory Management, and BPF Summit.

Raspberry Pi hasannounced rpi-image-gen,a tool to create custom software images for its devices.

The Asahi Linux project, working to support Linux on Apple hardware, haspublished aprogress report to coincide with the 6.14 kernel release.

Security updates have been issued by Debian (chromium), Fedora (fluent-bit, openssh, php, and webkitgtk), Mageia (freerdp), Oracle (libreoffice and webkit2gtk3), Red Hat (kernel-rt), Slackware (libarchive), SUSE (apptainer, gitea-tea, libxml2, tomcat, webkit2gtk3, and wpa_supplicant), and Ubuntu (libxslt and pam-pkcs11).

As the 2025 LinuxStorage, Filesystem, Memory-Management, and BPF Summit (LSFMM+BPF)approaches, the density of memory-management patches on the mailing listshas increased. Included among those are patches aimed at improving thereliability and performance of huge-page allocation, implementing pagepromotion on tiered-memory systems, adding a different approach todeduplicating memory, and replacing the BPF memory allocator. Read on foran overview of each.

Security updates have been issued by Debian (php7.4, python-django, and python3.9), Fedora (bluez, iwd, libell, and radare2), Mageia (chromium-browser-stable, mosquitto, tomcat, tomcat packages, and vim), Oracle (firefox, grub2, python3, thunderbird, and webkit2gtk3), Red Hat (fence-agents, php:7.4, and python-jinja2), SUSE (assimp-devel, crane, ffmpeg-4, freetype2, helm, kernel, kured, python-Django, python-Jinja2, python311-Django4, and tomcat), and Ubuntu (alpine, djoser, libxslt, postgresql-9.5, and valkey).

Inside this week's LWN.net Weekly Edition:

GNOME 48 ("Bengaluru")has been released. As usual, this release includes a number of newfeatures and enhancements including support for shortcuts in the Orcascreen reader on Wayland, new fonts, addition of image editing toImageViewer, and more.

Modern CPUs all have multiple hardware vulnerabilities that the kernel needs to mitigate;the 6.13 kernel has workarounds for 14 security-sensitive CPU bugs just on x86_64.Several of those have multiple variants,or multiple mitigations that apply on different microarchitectures. There aredifferent kernel command-line options for each of these mitigations, which leadsto a confusing situation for users trying to figure out how to configure theirsystems. David Kaplan recently posteda patch set that adds a single, unified command-line option for controllingmitigations andsimplifies the logic for detecting, configuring, andapplying them as well.If it is merged, the patch set couldmake it much easier for users to navigate the complicated web of CPUvulnerabilities and their mitigations.

Version 7.1of PeerTube, a tool forsharing videos online, has been released. Notable features in thisrelease include improved support for the Podcast 2.0 standard, betterplayback stability, and a new view protocol enabled by default toallow PeerTube to handle more simultaneous viewers. See the releasenotes for more details.

/e/OS is aprivacy-centric, open-source mobile operating system thathas primarily been targeted at mobile phones, with only a fewcommunity supported images available for tablet devices. In December,Murena-a company that sells devices with /e/OSpreinstalled-announcedthat /e/OS now officially supports tablets as well, starting with thePixel tablet. The user experience is close enough tomainstream alternatives to make it attractive, but there are someunder-the-hood problems that may give users pause.

A security company called Fenrisk has posted an overview of a pairof claimed successful supply-chain attacks on the Fedora and openSUSEdistributions.

Security updates have been issued by Debian (tzdata), Fedora (expat and tigervnc), Red Hat (kernel, kernel-rt, thunderbird, and webkit2gtk3), SUSE (dcmtk), and Ubuntu (restrictedpython and uriparser).

If all goes according to plan, the Ubuntu project will soon bereplacing many of the traditional GNU utilities with implementationswritten in Rust, such as those created by the uutils project, which we covered inFebruary. Wholesale replacement of core utilities at the heart of aLinux distribution is no small matter, which is why Canonical's VP ofengineering, Jon Seager, has released oxidizr. Itis a command-line utility that helps users easily enable or disablethe Rust-based utilities to test their suitability. Seager is callingfor help with testing and for users to provide feedback with theirexperiences ahead of a possible switch for Ubuntu25.10, an interim releasescheduled for October2025. So far, responses from the Ubuntucommunity seem positive if slightly skeptical of such a majorchange.

Security updates have been issued by Debian (freetype and rails), Fedora (mosquitto and python-django4.2), Mageia (libarchive, libreoffice, php, and quictls), Red Hat (webkit2gtk3), SUSE (erlang, nethack, python312, and wpa_supplicant), and Ubuntu (freetype and plantuml).

The long-awaited GIMP3.0 release is now available. Major changes in 3.0 include nondestructiveediting for most commonlyused filters, improved text creation,better colorspace management, and an update to GTK3.

Version12.00 of the SystemRescue live Linuxsystem has been released. SystemRescue is an Arch Linux based bootable toolkit for repairing systems in the event of acrash. Notable changes in this release include an update to Linux6.12.19, support for bcachefs, and a number of updated diskutilities. See the packagelist for a complete list of software included in this release.

One of the many important tasks that the kernel's memory-managementsubsystem must handle is keeping track of how pages of memory are mappedinto the address spaces of the processes running on the system. As long asmappings to a given page exist, that page must be kept in place. As itturns out, tracking these mappings is harder than it seems it should be,and the move to folios within the memory-management subsystem is addingsome complexities of its own. As a follow-up to the "mapcount madness" session that he ran atthe 2024 Linux Storage, Filesystem,Memory-Management, and BPF summit, David Hildenbrand has posted a patch seriesintended to improve the handling of mapping counts for folios - but exactaccounting remains elusive in some situations.

Security updates have been issued by Debian (opensaml and php8.2), Fedora (chromium, ctk, dcmtk, expat, ffmpeg, firefox, fscrypt, gdcm, InsightToolkit, kitty, libssh2, libxml2, linux-firmware, man2html, nextcloud, OpenImageIO, php, podman-tui, python-django, python-django5, python-gunicorn, python-jinja2, python-spotipy, python3.6, qt6-qtwebengine, thunderbird, tigervnc, vim, vyper, xen, xorg-x11-server, and xorg-x11-server-Xwayland), Mageia (freetype2, ghostscript, and man2html), Oracle (kernel and krb5), Red Hat (grub2, libreoffice, mysql:8.0, pcs, thunderbird, tigervnc, webkit2gtk3, and xorg-x11-server), Slackware (expat, freetype, and php), SUSE (amazon-ssm-agent, chromedriver, ed25519-java, google-cloud-sap-agent, google-guest-agent, govulncheck-vulndb, libexslt0, libzvbi-chains0, php8, restic, rubygem-rack, subversion, tomcat, and tomcat10), and Ubuntu (freetype, resteasy, and xorg-server, xorg-server-hwe-16.04, xorg-server-hwe-18.04).

Linus has released the seventh (andprobably last) prepatch for the 6.14 release. "Things continue to lookquite calm, and I expect to release the final 6.14 next weekend unlesssomething very surprising happens".

Version2.49.0 of the Git source-code management system has beenreleased. This release comprises 460 non-merge commits since 2.48.0,with contributions from 89 people, including 24 newcontributors. There is a long list of improvements and bug fixes; seethe highlightsblog from GitHub's Taylor Blau for some of the more interestingfeatures.

Organizations relying on open-source software have a wide range oftools, scorecards, and methodologies to try to assess security, legal,and other risks inherent intheir so-called supply chain. However, Max Mehl arguedrecently in a short talk at FOSS Backstage in Berlin (andonline) that all ofthis objective information and data is insufficient to trulyunderstand and address risk. Worse, this information doesn't provideoptions to improve the situation and encourages a passive mindset. Mehl, who works as part of the CTO group at DBSystel, encouraged better risk assessment usingqualitative data and direct participation in open source.

Security updates have been issued by Fedora (iniparser, thunderbird, trafficserver, and xorg-x11-server), Mageia (opensc), Oracle (.NET 8.0, .NET 9.0, gcc, kernel, and libxml2), Red Hat (firefox, grub2, and krb5), Slackware (libxslt), SUSE (amazon-ssm-agent, bsdtar, build, ffmpeg-4, forgejo-runner, kernel, python, python3, python313, rubygem-rack-1_6, and tailscale), and Ubuntu (linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15).

Charles Choi has announcedthe release of the CasualMake: a menu-driven interface, implemented as part of the Casualsuite of tools, for MakefileMode in GNU Emacs.

When the 6.14 kernel is released later this month, it will include theusual set of internal changes that users should never notice, with thepossible exception of changes that bring performance improvements. One ofthose changes is frozen pages, amemory-management optimization that should fly mostly under the radar.When Hannes Reinecke reported acrash in 6.14, though, frozen pages suddenly came into view. There is aworkaround for this problem, but it seems there is a fairamount of work to be done that nobody had counted on to solve the problemproperly.

Greg Kroah-Hartman has announced the release of the 6.13.7, 6.12.19, 6.6.83, 6.1.131, 5.15.179, 5.10.235, and 5.4.291 stable kernels. They all contain arelatively large number of important fixes throughout the kernel tree.

Security updates have been issued by Debian (chromium), Fedora (ffmpeg, qt6-qtwebengine, tigervnc, and xorg-x11-server-Xwayland), Red Hat (fence-agents and libxml2), SUSE (amazon-ssm-agent, ark, chromium, fake-gcs-server, gerbera, google-guest-agent, google-osconfig-agent, grafana, kernel, libtinyxml2-10, podman, python311, python312, restic, ruby3.4-rubygem-rack, and thunderbird), and Ubuntu (jinja2, linux-azure, linux-azure-4.15, linux-lts-xenial, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, netatalk, python3.5, python3.8, rar, unrar-nonfree, and xorg-server, xwayland).

Inside this week's LWN.net Weekly Edition:

On February 25, the PythonSoftware Foundation (PSF), which runs the Python Package Index (PyPI), announcednew termsof service (ToS) for the repository. That has led to some questionsabout the new ToS, and the process of coming up with them. For one thing, the previous termsof use for the service were shorter and simpler, but there are otherconcerns with specific wording in the new agreement.

Damien Neil has written an article for the Go Blog about pathtraversal vulnerabilities and the os.Root API added in Go 1.24 to help preventthem.