LWN.net

Greg Kroah-Hartman has announced the 6.19.4 and 6.18.14 stable kernels. Shortly after6.19.4 was released Kris Karas reported "getting a repeatable Oops right when networking is initialized, likely when nft is loading itsruleset"; the problem did not appear to be present in 6.18.14. Usersof nftables may wish to hold off on upgrades to 6.19.4 for now. Wewill provide updates as they are available.Update: Kroah-Hartman has released the 6.19.5 and 6.18.15 kernels with a fix for theregression in 6.19.4 and 6.18.14. All users of netfilter are advisedto upgrade to those versions.

Security updates have been issued by AlmaLinux (389-ds-base, buildah, firefox, freerdp, golang-github-openprinting-ipp-usb, grafana-pcp, kernel, libpng15, munge, nodejs:20, nodejs:22, podman, protobuf, python-pyasn1, runc, and skopeo), Debian (chromium, nss, and python-django), Fedora (firefox, freerdp, gh, libmaxminddb, nss, python3.15, and udisks2), Oracle (buildah, firefox, freerdp, kernel, libpng, podman, python-pyasn1, skopeo, and valkey), Red Hat (container-tools:rhel8), SUSE (autogen, chromium, cockpit, cockpit-machines-348, cockpit-packages, cockpit-repos, cockpit-subscriptions, crun, docker, docker-compose, docker-stable, erlang, freerdp, frr, glib2, gpg2, kernel, kernel-firmware, libsodium, libsoup, libsoup2, openvswitch, python, python-pyasn1, python-urllib3, python-urllib3_1, python3, qemu, redis7, regclient, and ucode-intel), and Ubuntu (linux-aws, linux-aws-6.8, linux-ibm, linux-ibm-6.8, linux-xilinx, python-authlib, and ruby-rack).

The International Image InteroperabilityFramework, or IIIF ("triple-eye eff"), is a small set of standards thatform a basis for serving, displaying, and reusing image data on the web. Itconsists of a number of API definitions that compose with each other toachieve a standard for providing, for example, presentations ofhigh-resolution images at multiple zoom levels, as well as bundling multiple imagestogether. Presentations may include metadata about details like authorship,dates, references to other representations of the same work, copyrightinformation, bibliographic identifiers, etc. Presentations can be furthergrouped into collections, and metadata can be added in the form oftranscriptions, annotations, or captions. IIIF is most popular withcultural-heritage organizations, such as libraries, universities, andarchives.

Security updates have been issued by AlmaLinux (freerdp), Debian (firefox-esr and libstb), Fedora (389-ds-base, chromium, firefox, munge, opentofu, python3-docs, python3.14, and vim), Oracle (buildah, containernetworking-plugins, gimp, grafana, grafana-pcp, kernel, podman, runc, and skopeo), Red Hat (go-toolset:rhel8, golang, golang-github-openprinting-ipp-usb, grafana, grafana-pcp, mariadb:10.11, podman, and skopeo), SUSE (cacti, docker-stable, expat, firefox-esr, freerdp, freerdp2, libjxl, libsoup-2_4-1, python-tornado, python-urllib3_1, python3, python311-Django4, python312, python313, python39, and redis), and Ubuntu (ceph, mongodb, protobuf, and rlottie).

Inside this week's LWN.net Weekly Edition:

The stated support periods for the 6.6, 6.12, and 6.18 kernels has been extended.The 6.6 kernel will be supported with stable updates through the end of2027 (for four years of support total), while 6.12 and 6.18 will getupdates through the end of 2028, for four and three years of support.

On February12, Yeoreum Yun posted asuggestionfor an improvement to the security of the kernel's BPF implementation: usememory protection keys to prevent unauthorized access to memory by BPFprograms.Yun wanted to put the topic on the list for discussion at the LinuxStorage, Filesystem, Memory Management, and BPF Summit in May, but thelack of engagement makes that unlikely. They also have a patch set implementingsome of the proposed changes, but has not yet shared that with the mailing list.Yun's proposal does not seem likely to be accepted in itscurrent form, but the kernel hasadded hardware-based hardening options in thepast, sometimes after substantial discussion.

The Network TimeProtocol (NTP) debuted in 1985; it is a universally used, openspecification that is deeply important for all sorts of activities wetake for granted. It also, despite a number of efforts, remainsstubbornly unsecured. Ruben Nijveld presented work at FOSDEM 2026 tospeed adoption of the thus-far largely ignored standard for securingNTP traffic: IETF's RFC-8915 that specifies Network TimeSecurity (NTS) for NTP.

The MetaBrainz Foundation has announced the unexpected passing ofits founder and executive director, Robert Kaye:

Security updates have been issued by AlmaLinux (grafana and grafana-pcp), Debian (gnutls28), Fedora (chromium and yt-dlp), Oracle (389-ds-base, kernel, munge, and openssl), Red Hat (buildah, containernetworking-plugins, opentelemetry-collector, podman, runc, and skopeo), Slackware (mozilla), SUSE (chromium, cosign, firefox, freerdp, gimp, heroic-games-launcher, kernel, libopenssl-3-devel, libxml2, libxslt, mosquitto, openqa, os-autoinst, openqa-devel-container, openvswitch, phpunit, postgresql14, postgresql15, postgresql16, protobuf, python310, python311-PyPDF2, python36, snpguest, warewulf4, and weblate), and Ubuntu (curl, kernel, linux, linux-gcp, linux-gke, linux-gkeop, linux-intel-iotg, linux-intel-iotg-5.15, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia-tegra, linux-oracle, linux-xilinx-zynqmp, linux, linux-gkeop, linux-hwe-6.8, linux-lowlatency, linux-lowlatency-hwe-6.8, linux-oracle, linux-raspi, linux-fips, linux-fips, linux-gcp-fips, linux-gcp, linux-gcp-6.8, linux-gke, linux-oracle-6.8, linux-gcp-fips, linux-ibm, linux-ibm-6.8, linux-intel-iot-realtime, linux-realtime, linux-raspi-realtime, linux-realtime, linux-realtime-6.8, and linux-xilinx).

LibreOffice online is a web-based version of the LibreOffice suite that canbe hosted on anybody's infrastructure. This project was put into stasis back in 2022, a move marked bysome tension with Collabora, a major LibreOffice developer that has its own online offering. Now,the Document Foundation has announceda new effort to breathe life into this project.

Version5.4.0 of GNU awk(gawk) has been released. This is a major release with a change ingawk's default regular-expression matcher: it now uses MinRXas the default regular-expression engine.

Version148 of Firefox has been released. The most notable change in thisrelease is the addition of a "Block AI enhancements" option thatallows turning off "new or current AI enhancements in Firefox, orpop-ups about them" with a single toggle.With this release, Firefox now supports the TrustedTypes API to help prevent cross-site scripting attacks as well asthe SanitizerAPI that provides new methods for HTML manipulation. See the releasenotes for developers for changes that may affect web developers orthose who create Firefox add-ons.

The facilities provided by the kernel for the management of processes haveevolved considerably in the last few years, driven mostly by the advent ofthe pidfd API. A pidfd is a filedescriptor that refers to a process; unlike a process ID, a pidfd is anunambiguous handle for a process; that makes it a safer, more deterministicway of operating on processes. Christian Brauner, who has driven much ofthe pidfd-related work, is proposingtwo new flags for the clone3()system call, one of which changes the kernel's security model in asomewhat controversial way.

Security updates have been issued by AlmaLinux (kernel, kernel-rt, and munge), Debian (openssl), Mageia (gegl), Oracle (firefox, freerdp, gnupg2, golang-github-openprinting-ipp-usb, grafana, grafana-pcp, java-11-openjdk, kernel, libpng15, munge, nodejs:20, nodejs:22, protobuf, and uek-kernel), SUSE (libpng12, libpng16, and openQA, openQA-devel-container, os-autoinst), and Ubuntu (gimp, libssh, and linux-azure).

Version11.1.0 of the GNU Octave scientific programming language has beenreleased.

The 7.0 merge windowclosed on February 22 with 11,588 non-merge commits total,3,893 of which came in afterthe article covering the first half of the mergewindow. The changes in the second half were weighted toward bug fixes overnew features, which is usual. There were still a handful of surprises, however, including89 separate tiny code-cleanup changes from different people for the rtl8723bsdriver, a number thatsurprisedGreg Kroah-Hartman. It's unusual for a WiFi-chip driver to receive that muchattention, especially a staging driver that is not yet ready for general use.

Over on the Collabora blog, Marius Vlad has an overviewof Weston 15.0, which was released on February 19. Weston is thereference implementation of a Wayland compositor. The newrelease comes with a new shell that can be programmed using the Lua language, a new, experimental Vulkanrenderer, smoother media playback, color-management additions, and more.

Security updates have been issued by AlmaLinux (kernel-rt and openssl), Debian (ca-certificates, chromium, gegl, glib2.0, libvpx, modsecurity-crs, nova, and pillow), Fedora (chromium, mingw-libpng, mupdf, python-pyasn1, python-PyMuPDF, python-uv-build, python3.13, qpdfview, rust-ambient-id, uv, and zathura-pdf-mupdf), Mageia (freerdp, gnutls, and libvpx), Red Hat (butane and grafana-pcp), SUSE (chromedriver, chromium, cockpit-repos, firefox, kernel, libpng16, postgresql16, postgresql17, postgresql18, python, python311-nltk, snpguest, ucode-intel-20260210, vexctl, and xen), and Ubuntu (djvulibre, evolution-data-server, linux-lowlatency, linux-xilinx, and u-boot).

The Ladybird browser project has announced a move tothe Rust programming language:

The PostgreSQL project has beenchugging along for decades; in that time, it has become a thriving open-sourceproject, and its participants have learned a thing or two about what works inattracting new contributors. At FOSDEM2026, PostgreSQL contributor ClaireGiordano shared some of the lessons learned and where the project is stillstruggling. The lessons might be of interest to others who are thinking abouthow their own projects can evolve.

Linus has released 7.0-rc1 and closed themerge window for this development cycle. "You all know the drill bynow: two weeks have passed, and the kernel merge window is closed."

The closed-source chat platform Discordannounced on February9 that it would soon require some users to verify theirages in order to access some content - although the company quicklyadded thatthe "vast majority" of users would not have to. That reassurance has tocontend with the fact that the UK and other countries are implementingincreasingly strict age requirements for social media. Discord's ageverification would be done with an AI age-judgingmodel or with a government photo ID. A surprising number of open-sourceprojects use Discord for support or project communications, and some of thoseprojects are now looking for open-source alternatives. Mastodon, for example,has moved discussion to Zulip. There are some alternatives out there, allwith their own pros and cons, that communities may want to consider if they wantto switch away from Discord.

Dianne Skoll, creator and maintainer of the command-line calendarand alarm program Remind, hasannouncedthe release of TheBook of Remind. As the name suggests, it is a step-by-stepguide to learning how to use Remind, and a useful supplement to the extensiveremind(1)man page. The book is free to download.

Security updates have been issued by AlmaLinux (grafana), Debian (gegl, inetutils, libvpx, nova, and python-django), Fedora (azure-cli, chromium, microcode_ctl, python-azure-core, python3.14, and roundcubemail), Red Hat (grafana and osbuild-composer), SUSE (apptainer, dnsdist, istioctl, libsoup, openCryptoki, python-nltk, python311, python313, rclone, and thunderbird), and Ubuntu (libvpx, linux-azure, linux-azure-5.4, linux-azure-fips, and linux-intel-iotg).

Greg Kroah-Hartman has announced the 6.19.3, 6.18.13, 6.12.74, 6.6.127, 6.1.164, 5.15.201, and 5.10.251 stable kernels. As usual, eachincludes important fixes and users are advised to upgrade.

The kernel's unloved but performance-critical swapping subsystem has beenundergoing multiple rounds of improvement in recent times. Recent articleshave described the addition of the swaptable as a new way of representing the state of the swap cache, and the removal of the swap map as the way oftracking swap space. Work in this area is not done, though; this series fromNhat Pham addresses a number of swap-related problems by replacing thenew swap table structures with a single, virtual swap space.

Douglas DeMaio has announcedthat Jeff Mahoney's new governanceproposal for openSUSE, which was published in January,is moving forward. The new structure would have three governancebodies: a new technical steering committee (TSC), a community and marketing committee (CMC), as well as the existing openSUSEboard.

Security updates have been issued by AlmaLinux (edk2, glibc, gnupg2, golang, grafana, nodejs:24, and php), Debian (gimp and kernel), Fedora (fvwm3), Mageia (microcode and vim), Oracle (edk2, glibc, kernel, nodejs:24, and php), Red Hat (python-s3transfer), SUSE (abseil-cpp, avahi, azure-cli-core, fontforge, go1.24, go1.25, golang-github-prometheus-prometheus, libpcap, libsoup2, libxml2-16, mupdf, nodejs22, openCryptoki, openjpeg2, patch, python-aiohttp, python-Brotli, python-pip, python311-asgiref, rust1.93, and traefik), and Ubuntu (inetutils, libssh, linux-gcp, linux-gke, linux-hwe-6.8, linux-lowlatency-hwe-6.8, linux-intel-iotg-5.15, linux-xilinx-zynqmp, linux-lowlatency, linux-nvidia-lowlatency, and trafficserver).

Inside this week's LWN.net Weekly Edition:

The "More Accurate Explicit Congestion Notification" (AccECN) mechanism isdefined by thisRFC draft. The Linux kernel has been gaining support for AccECN withTCP over the last few releases; the 7.0 release will enable it by defaultfor general use. AccECN is a subtle change to how TCP works, but it hasthe potential to improve how traffic flows over both public and privatenetworks.

Justin Wheeler writes in FedoraMagazine that Fedora is now available in Syria once again:

The Asahi Linux project, which is working to implement support for Linux onApple CPUs, has published a detailed 6.19progress report.

Adam Harvey, on behalf of the crates.ioteam has published a blogpost to inform users of a change in their practice of publishinginformation about malicious Rust crates:

Security updates have been issued by Debian (ceph, gimp, gnutls28, and libpng1.6), Fedora (freerdp, libpng, libssh, mingw-libpng, mingw-libsoup, mingw-python3, pgadmin4, python-pillow, thunderbird, and vim), Mageia (postgresql15), Red Hat (python-urllib3), SUSE (cdi-apiserver-container, cdi-cloner-container, cdi- controller-container, cdi-importer-container, cdi-operator-container, cdi- uploadproxy-container, cdi-uploadserver-container, cont, frr, gpg2, kubernetes, kubernetes-old, libsodium, libsoup-2_4-1, libssh, libtasn1, libxml2, nodejs22, openCryptoki, openssl-3, and python311-pip), and Ubuntu (frr, linux-aws, linux-aws-6.8, linux-gkeop, linux-nvidia, linux-nvidia-6.8, linux-oracle, linux-oracle-6.8, linux-aws-fips, linux-fips, linux-gcp-5.15, linux-kvm, linux-oracle, linux-oracle-5.15, linux-gcp-fips, linux-nvidia, linux-nvidia-tegra-igx, linux-oem-6.17, linux-realtime, linux-raspi-realtime, nova, and pillow).

Various forms of tools, colloquially known as "AI", have beenrapidly pervading all aspects of open-source development. Manydevelopers are embracing LLM tools for code creation and review. Some project maintainers complain about suffering from a deluge of slop-laden pullrequests, as well as fabricated bug and securityreports. Too many projects are reeling from scraperbot attacks thateffectively DDoS important infrastructure. But an AI bot flaming anopen-source maintainer was not on our bingo card for 2026; that seemeda bit too far-fetched. However, it appears that is just what happenedrecently after a project rejected a bot-driven pull request.

Version6.6.0 of KDE's Plasma desktop environment has beenreleased. Notable additions in this release include the ability tocreate global themes for Plasma, an "extract text" feature in the Spectacle screenshotutility, accessibility improvements, and a new on-screen keyboard. Seethe changelogfor a full list of new features, enhancements, and bug fixes.The release is dedicated to the memory of Bjorn Balazs, a KDEcontributor who passed away in September 2025. "Bjorn's drive tohelp people achieve the privacy and control over technology that hebelieved they deserved is the stuff FLOSS legends are made of."

In December 2025, Canonical announced a plan todevelop a universal Public Key Infrastructure called upki. Jon Seager has publishedan update about the project with instructions on trying itout.

Security updates have been issued by AlmaLinux (gimp, go-toolset:rhel8, and golang), Debian (roundcube), Fedora (gnupg2, libpng, and rsync), Mageia (dcmtk and usbmuxd), Oracle (gcc-toolset-14-binutils, gimp, gnupg2, go-toolset:ol8, golang, kernel, and openssl), Slackware (libssh, lrzip, and mozilla), SUSE (abseil-cpp, chromium, curl, elemental-toolkit, elemental-operator, expat, freerdp, iperf, libnvidia-container, libsoup, libxml2, net-snmp, openCryptoki, openssl-3, patch, protobuf, python-urllib3, python-xmltodict, python311, screen, systemd, and util-linux), and Ubuntu (alsa-lib, gnutls28, and linux-aws, linux-oracle).

The curl project has found AI-powered tools to be a mixed bag whenit comes to security reports. At FOSDEM2026, curl creator andlead developer Daniel Stenberg used his keynote session to discuss hisexperience receiving a slew of low-quality reports and, at the sametime, realizing that large language model (LLM) tools can sometimesfind flaws that other tools have missed.

Greg-Kroah Hartman has released the 6.19.2, 6.18.12, 6.12.73, and 6.6.126 stable kernels. These kernelseach contain a single change; Kroah-Hartman has reverted oneproblematic commit that prevents some systems from booting. "If thelast stable release worked just fine, no need to upgrade."

At the 2025 Linux Plumbers Conference in Tokyo, Stephen Brennan gave apresentation on the debuginfoformat, which contains the symbols and other information needed fordebugging, along with some alternatives. Debuginfo files are large and, hebelieves, are a bit scary to customers because of the "debug" in their name.By rethinking debuginfo and the tools that use it, he hopes thatfree-software developers "can add new, interesting capabilities to toolsthat we are already using or build new interesting tools".

Greg Kroah-Hartman has announced the release of the 6.19.1, 6.18.11, 6.12.72, and 6.6.125 stable kernels. As always, eachcontains important fixes throughout the tree; users of these kernelsare advised to upgrade.

Security updates have been issued by Debian (chromium, pdns-recursor, python-django, and wireshark), Fedora (gnutls, linux-sgx, mingw-expat, nginx, nginx-mod-brotli, nginx-mod-fancyindex, nginx-mod-headers-more, nginx-mod-modsecurity, nginx-mod-naxsi, nginx-mod-vts, p11-kit, python-aiohttp, vim, and xen), Red Hat (kernel, kernel-rt, python-s3transfer, python-urllib3, and resource-agents), SUSE (aaa_base, abseil-cpp, build-20260202, cargo-auditable, cargo-c, chromedriver, cockpit, cockpit-packages, cockpit-subscriptions, curl, elemental-toolkit, elemental-operator, gnome-remote-desktop, go1.24, go1.25, gpg2, haproxy, himmelblau, htmldoc, ImageMagick, iperf, java-1_8_0-openjdk, kernel, krb5, kubevirt, libowncloudsync-devel, libpng16-16, libsodium, libsoup, libsoup2, micropython, net-snmp, opencryptoki, openjfx, openssl1, ovmf, postgresql14, postgresql15, postgresql16, protobuf, python-aiohttp, python-brotli, python-maturin, python-pip, python-urllib3, python310, python311, python-rpm-macros, python311-cryptography, python314, screen, systemd, u-boot, util-linux, and vim), and Ubuntu (dotnet8, dotnet10, expat, freerdp2, freerdp3, and python-aiohttp).

Version 9.2 of theVim text editor has been released. "Vim 9.2 brings significantenhancements to the Vim9 scripting language, improved diff mode,comprehensive completion features, and platform-specific improvementsincluding experimental Wayland support." Also included is a newinteractive tutor mode.

Debian Project Leader (DPL) Andreas Tille has announceda new delegation for Debian's data protection team:

The merge window for Linux 7.0 has opened, and with itcomes a number of interesting improvements and enhancements. At the time ofwriting, there have been 7,695 non-merge commits accepted. The 7.0 release isnot special,according to the kernel's versioning scheme - just the releasethat comes after 6.19. Humans love symbolism and round numbers, though, so itmay feel like something of a milestone.

At FOSDEM 2026 PetyaKangalova, a senior tech partnership and engagement manager for the Humanitarian OpenStreetMapTeam (HOT) spoke about howthe project helps people map their surroundings to assist indisaster response and humanitarian aid. The project hasdeveloped a stack of technology to help volunteers collectively map anarea and add in local knowledge metadata. "One of the core thingsthat we believe is that when we speak about disaster response orpeople having access to data is that they really need accessibletechnology that's free and open for anyone to use."

Security updates have been issued by AlmaLinux (firefox, gcc-toolset-14-binutils, nodejs:20, nodejs:22, nodejs:24, php:7.4, and python3.12), Debian (haproxy, nginx, postgresql-15, and postgresql-17), Fedora (libssh), Oracle (glib2, libsoup, nodejs:20, nodejs:22, and php:7.4), SUSE (assimp, gnutls, helm, kernel, kubevirt, virt-api-container, virt-controller-container, virt-exportproxy-container, virt-exportserver-container, virt-handler-container, virt-launcher-container, virt-libguestfs-t, libmunge2, libsodium, libsoup, micropython, munge, openCryptoki, python-azure-core, rust-keylime, rustup, sccache, snpguest, tcpreplay, xorg-x11-server, xrdp, and zabbix), and Ubuntu (dnsdist, dotnet8, dotnet9, dotnet10, haproxy, libpng1.6, linux-aws-5.15, linux-azure, linux-azure-fips, linux-oracle, linux-oracle-5.4, munge, nginx, and node-dottie).

Web sites are being increasingly beset by AI scraperbots - a problem that we havewritten about before, and which has slowlyramped up to an occasional de-facto DDoS attack. This has not goneuncontested, however: web site operators from around the world have been working oninventive countermeasures. These solutions target the problem posed by scraperbots in different ways;iocaine, a MIT-licensed nonsense generator, is designedto make scraped text less useful by poisoning it with fake data. The hope is tomake running scraperbots not economically viable, and thereby address theproblem at its root instead of playing an eternal game of Whac-A-Mole.