Feed lwn LWN.net

Link https://lwn.net/
Feed http://lwn.net/headlines/rss
Updated 2025-11-26 15:00
Valgrind 3.26.0 released
Version 3.26.0 of the Valgrind memory-profiling and debugging framework has been released. Notable changes include updated support for the Linux Test Project (LTP) to version v20250930, many new Linux syscall wrappers, and the license for Valgrind has been changed from GPLv2 to GPLv3.
Kernel prepatch 6.18-rc3
Linus has released 6.18-rc3 for testing. "Things feel fairly normal, and in fact the numbers say it's been a bit calmer than usual, but that's likely just the usual fluctuation in pull request timing rather than anything else".
Typst 0.14 released
Version 0.14 of the Typst document processor has been released.
Security updates for Friday
Security updates have been issued by AlmaLinux (webkit2gtk3), Debian (bind9, chromium, python-internetarchive, and tryton-sao), Fedora (dokuwiki and php-php81_bc-strftime), Mageia (firefox, nss & rootcerts and thunderbird), Slackware (openssl), SUSE (bleachbit, chromium, kernel, mozilla-nss, and python311-uv), and Ubuntu (fetchmail, golang-go.crypto, and linux-oracle-5.4).
[$] GoFundMe to delete unwanted open-source foundation pages
Open-source foundations and projects that have charity status in the US may want to see if GoFundMe has created a profile for them without permission. The company has operated since 2010 as a self-service fundraising platform; individuals or groups could create pages to raise money for all manner of causes. In June, the company announced that it would expand its offerings to "manage all aspects of charitable giving" for users through its platform. That seems to include creating profiles for nonprofit organizations without their involvement. After pushback, the company said on October 23 that it would be removing the pages. It has not answered more fundamental questions about how it planned to disburse funds to nonprofits that had no awareness of the GoFundMe pages in the first place.
Date bug affects Ubuntu 25.10 automatic updates
The Ubuntu Project has announced that a bug in the Rust-based uutils version of the date command shipped with Ubuntu 25.10 broke automatic updates:
Three new stable kernels for Thursday
Greg Kroah-Hartman has released the 6.17.5, 6.12.55, and 6.6.114 stable kernels. As usual, each contains important fixes throughout the tree; users are advised to upgrade.
[$] Safer speculation-free user-space access
The Spectre class of hardware vulnerabilities truly is a gift that keeps on giving. New variants are still being discovered in current CPUs nearly eight years after the disclosure of this problem, and developers are still working to minimize the performance costs that come from defending against it. The masked user-space access mechanism is a case in point: it reduces the cost of defending against some speculative attacks, but it brought some challenges of its own that are only now being addressed.
Btrfs support coming to AlmaLinux 10.1
The AlmaLinux project has announced that the upcoming 10.1 release will include support for Btrfs:
Security updates for Thursday
Security updates have been issued by AlmaLinux (ipa, kernel, and thunderbird), Debian (gdk-pixbuf, gegl, gimp, intel-microcode, raptor2, request-tracker4, and request-tracker5), Fedora (samba and wireshark), Mageia (haproxy, nginx, openssl, and python-django), Oracle (kernel and thunderbird), Red Hat (redis and redis:7), Slackware (bind), SUSE (aws-cli, local-npm-registry, python-boto3, python-botocore, python-coverage, python-flaky, python-pluggy, python-pytest, python-pytest-cov, python-pytest-html, python-pytest-metada, cargo-audit-advisory-db-20251021, fetchmail, git-bug, ImageMagick, istioctl, kernel, krb5, libsoup, libxslt, python-Authlib, and sccache), and Ubuntu (bind9, linux, linux-aws, linux-azure, linux-azure-6.8, linux-gcp, linux-gkeop, linux-ibm, linux-ibm-6.8, linux-lowlatency, linux-lowlatency-hwe-6.8, linux-oracle, linux-azure, linux-azure-5.15, linux-gcp-5.15, linux-gcp-6.8, linux-gke, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, and linux-realtime, linux-realtime-6.8).
[$] LWN.net Weekly Edition for October 23, 2025
Inside this week's LWN.net Weekly Edition:
Fedora Council approves AI-assisted contributions policy
The Fedora Council has approved an AI-assisted contributions policy. This follows several weeks of discussion, some of which was covered by LWN on October 1. The final policy contains substantial differences from the initial proposal, and now requires disclosure of AI tools "when the significant part of the contribution is taken from a tool without changes".
KDE Plasma 6.5 released
KDE Plasma 6.5 has been released. Notable new features include automatic light-to-dark theme switching based on time of day, support for the experimental Wayland picture-in-picture protocol, as well as a number of usability and accessibility improvements. See the complete changelog for a list of the new features, enhancements, and bug fixes.
[$] DebugFS on Rust
DebugFS is the kernel's anything-goes, no-rules interface: whenever a kernel developer needs quick access to internal details of the kernel to debug a problem, or to implement an experimental control interface, they can expose them via DebugFS. This is possible because DebugFS is not subject to the normal rules for user-space-interface stability, nor to the rules about exposing sensitive kernel information. Supporting DebugFS in Rust drivers is an important step toward being able to debug real drivers on real hardware. Matthew Maurer spoke at Kangrejos 2025 about his recently merged DebugFS bindings for Rust.
OpenBSD 7.8 released
OpenBSD 7.8 has been released. As usual, this release includes a long list of changes; see the changelog for all of the details.
Security updates for Wednesday
Security updates have been issued by Fedora (inih, mingw-exiv2, and mod_http2), SUSE (ffmpeg-4, kernel, libqt5-qtbase, protobuf, python-ldap, and python313), and Ubuntu (erlang, ffmpeg, linux, linux-aws, linux-gcp, linux-oem-6.14, linux-oracle, linux-oracle-6.14, linux-raspi, linux-realtime, linux-aws, linux-azure, linux-azure-6.14, linux-azure-nvidia-6.14, linux-azure-fips, linux-oracle-5.4, and linux-realtime-6.14).
Valkey 9.0.0 released
Version 9.0.0 of the Valkey distributed key-value database has been released. Notable features of this release include Multipath TCP (MPTCP) support, new filters for client commands, multi-database support for cluster mode and much more. See the Valkey 9.0.0 RC1 release notes for a full list of new features in this major release. According to a recent blog post, this release includes major improvements to performance and scaling of Valkey clusters to more than 2,000 nodes and one billion requests per second. Valkey began as a fork of the Redis key-value database in March 2024, but has evolved separately since then.
[$] Git considers SHA-256, Rust, LLMs, and more
The Git source-code management system is a foundational tool upon which much of the free-software community is based. For many people, Git simply works, though perhaps in quirky ways, so the activity of its development community may not often appear on their radar. There is a lot happening in the Git world at the moment, though, as the project works toward a 3.0 release sometime in 2026. Topics of interest in the Git community include the SHA-256 transition, the introduction of code written in Rust, and how the project should view contributions created with the assistance of large language models.
DigiKam 8.8.0 released
Version 8.8.0 of the digiKam photo-management system has been released. "This version delivers significant improvements in performance, stability, and user experience, with a particular focus on image processing, color management, and workflow efficiency". Changes include an import/export feature for tag hierarchies, focus-point visualization for some camera models, automatic use of the monitor color profile, and a background-blur tool.
Security updates for Tuesday
Security updates have been issued by AlmaLinux (.NET 8.0, firefox, kernel, kernel-rt, libssh, and perl-JSON-XS), Debian (ark and libphp-adodb), Fedora (chromium and gi-docgen), Mageia (quictls), Oracle (.NET 8.0, .NET 9.0, firefox, httpd, kernel, libsoup3, libssh, microcode_ctl, and webkit2gtk3), SUSE (go1.24, go1.25, krb5, python-ldap, and webkit2gtk3), and Ubuntu (gst-plugins-base1.0, linux, linux-aws, linux-gcp, linux-gke, linux-gkeop, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-oracle, linux-oracle-5.15, linux-xilinx-zynqmp, linux-fips, linux-aws-fips, linux-azure-fips, linux-gcp-fips, linux-intel-iot-realtime, linux-realtime, and python-ldap).
[$] The RubyGems.org takeover
In September, a group of long-time maintainers of Ruby packaging tools projects had their GitHub privileges revoked by nonprofit corporation Ruby Central in what many people are calling a hostile takeover. Ruby Central and its board members have issued several public statements that have, so far, failed to satisfy many in the Ruby community. In response, some of the former contributors to RubyGems are working on an alternative service called gem.coop. On October 17, ownership of the RubyGems and Bundler repositories was handed over to the Ruby core team, even though those projects had never been part of core Ruby previously. The takeover and subsequent events have raised a number of questions in the Ruby community.
[$] Explicit lazy imports for Python
Importing modules in Python is ubiquitous; most Python programs start with at least a few import statements. But the performance impact of those imports can be large, and may be entirely wasted effort if the symbols imported end up being unused. There are multiple ways to lazily import modules, including one in the standard library, but none of them are part of the Python language itself. That may soon change, if the recently proposed PEP 810 ("Explicit lazy imports") is approved.
Security updates for Monday
Security updates have been issued by Debian (imagemagick, incus, lxd, pgagent, svgpp, and sysstat), Fedora (chromium, complyctl, fetchmail, firefox, mbedtls, mingw-binutils, mingw-python3, mingw-qt5-qtsvg, mingw-qt6-qtsvg, python3.10, python3.11, python3.12, python3.9, runc, and suricata), Mageia (expat), Red Hat (firefox, kernel, qt5-qtbase, and qt6-qtbase), Slackware (stunnel), SUSE (chromium, coredns, ctdb, firefox, kernel, libexslt0, libpoppler-cpp2, ollama, openssl-1_1, pam, samba, and thunderbird), and Ubuntu (samba).
Kernel prepatch 6.18-rc2
The 6.18-rc2 kernel prepatch is out.
Sunday stable kernels
Greg Kroah-Hartman has announced the release of the 6.17.4, 6.12.54, 6.6.113, 6.1.157, and 5.15.195 stable kernels. As usual, each contains important fixes; users of those kernels are advised to upgrade.
Transition of RubyGems Repository Ownership
The Ruby community has experienced some turbulence of late after Ruby Central took control of the GitHub repositories for a number of projects including RubyGems and Bundler. Those projects have historically been developed separately from Ruby itself. They are now being put under the control of Ruby's core team, according to Ruby creator Yukihiro Matsumoto (a.k.a. "Matz"):
[$] A brief history of RubyGems.org
Ruby libraries and applications are distributed via a packaging format called a gem. RubyGems.org has been the central hosting service for gems since about 2010. This article is part one of a two-part series on the RubyGems.org takeover by Ruby Central. Understanding the history of RubyGems.org, and the contributor community behind it, is vital to making sense of the current power struggle between Ruby Central and members of the Ruby community who have maintained those services and tools for many years.
Security updates for Friday
Security updates have been issued by AlmaLinux (kernel and libssh), Debian (firefox-esr and pgpool2), Mageia (varnish & lighttpd), Red Hat (python3, python3.11, python3.12, python3.9, and python39:3.9), SUSE (expat, gstreamer-plugins-rs, kernel, openssl1, pgadmin4, python311-ldap, and squid), and Ubuntu (dotnet8, dotnet9, dotnet10 and mupdf).
[$] Large language models for patch review
There have been many discussions in the free-software community about the role of large language models (LLMs) in software development. For the most part, though, those conversations have focused on whether projects should be accepting code output by those models, and under what conditions. But there are other ways in which these systems might participate in the development process. Chris Mason recently started a discussion on the Kernel Summit discussion list about how these models can be used to review patches, rather than create them.
Security updates for Thursday
Security updates have been issued by AlmaLinux (kernel and libsoup3), Debian (chromium and firefox-esr), Fedora (httpd), Oracle (cups, ImageMagick, kernel, and vim), Red Hat (libssh), Slackware (samba), SUSE (alloy, exim, firefox-esr, ImageMagick, kernel, libcryptopp-devel, libQt6Svg6, libsoup-3_0-0, libtiff-devel-32bit, lsd, python3-gi-docgen, python311-Authlib, qt6-base, samba, and squid), and Ubuntu (ffmpeg, linux-oracle-6.8, redict, redis, samba, and subversion).
Forgejo 13.0 released
Version 13.0 of the Forgejo software forge has been released. Notable changes in this release include content moderation features, ability to require 2FA for users or administrators, and a migration feature for Pagure repositories. The last will be useful for Fedora's move to Forgejo as its new git forge. See the release notes for all changes in 13.0.
[$] LWN.net Weekly Edition for October 16, 2025
Inside this week's LWN.net Weekly Edition:
[$] A new API for interrupt-aware spinlocks
Boqun Feng spoke at Kangrejos 2025 about adding a frequently needed API for Rust drivers that need to handle interrupts: interrupt-aware spinlocks. Most drivers will need to communicate information from interrupt handlers to main driver code, and this exchange is frequently synchronized with the use of spinlocks. While his first attempts ran into problems, Feng's ultimate solution could help prevent bugs in C code as well, by tracking the number of nested scopes that have disabled interrupts. The patch set, which contains work from Feng and Lyude Paul, is still under review.
Linux Mint Debian Edition (LMDE) 7 released
Linux Mint Debian Edition (LMDE) 7, based on Debian 13 ("trixie"), has been released:
Security updates for Wednesday
Security updates have been issued by AlmaLinux (kernel, kernel-rt, vim, and webkit2gtk3), Debian (distro-info-data, https-everywhere, and php-horde-css-parser), Fedora (inih, mingw-exiv2, mirrorlist-server, rust-maxminddb, rust-monitord-exporter, rust-prometheus, rust-prometheus_exporter, rust-protobuf, rust-protobuf-codegen, rust-protobuf-parse, and rust-protobuf-support), Mageia (fetchmail), Oracle (gnutls, kernel, vim, and webkit2gtk3), Red Hat (kernel, kernel-rt, and webkit2gtk3), Slackware (mozilla), SUSE (curl, libxslt, and net-tools), and Ubuntu (linux-azure-5.15, linux-azure-6.8, linux-azure-fips, linux-oracle, linux-oracle-6.14, and linux-raspi).
Four new stable kernels released
Greg Kroah-Hartman has announced the release of the 6.17.3, 6.12.53, 6.6.112, and 6.1.156 stable kernels. As usual, each contains important fixes throughout the kernel tree. Users of these kernels are advised to upgrade.
The FSF's Librephone project
The Free Software Foundation has announced the launch of the Librephone project, which is aimed at the creation of a fully-free operating system for mobile devices.
[$] The end of the 6.18 merge window
The 6.18 merge window has come to an end, bringing with it a total of 11,974 non-merge commits, 3,499 of which came in after LWN's first-half summary. The total is a little higher than the 6.17 merge window, which saw 11,404 non-merge commits. There are once again a good number of changes and new features included in this release.
Julia 1.12 released
Version 1.12 of Julia has been released. Highlights of the release include new multi-threading features, new tracing flags and macros, and an experimental --trim feature. See the release notes for a full list of new features, changes, and improvements. LWN last covered Julia in January.
Firefox 144.0 released
Version 144.0 of the Firefox browser has been released. Changes this time include improvements to tab-group and profile management, stronger encryption for stored passwords, a "search image with Google Lens" operation, and "Perplexity, an AI-powered answer engine built into the browser".
[$] The FSF considers large language models
The Free Software Foundation's Licensing and Compliance Lab concerns itself with many aspects of software licensing, Krzysztof Siewicz said at the beginning of his 2025 GNU Tools Cauldron session. These include supporting projects that are facing licensing challenges, collecting copyright assignments, and addressing GPL violations. In this session, though, there was really only one topic that the audience wanted to know about: the interaction between free-software licensing and large language models (LLMs).
Security updates for Tuesday
Security updates have been issued by Debian (ghostscript and libfcgi), Fedora (qt5-qtsvg), Red Hat (kernel, perl-FCGI, perl-FCGI:0.78, and vim), SUSE (bluez, curl, podman, postgresql14, python-xmltodict, and udisks2), and Ubuntu (linux-azure, linux-azure-5.4, linux-azure-fips, linux-oracle, and subversion).
[$] Debian Technical Committee overrides systemd change
Debian packagers have a great deal of latitude when it comes to the configuration of the software they package; they may opt, for example, to disable default features in software that they feel are a security hazard. However, packagers are expected to ensure that their packages comply with Debian Policy, regardless of the upstream's preferences. If a packager fails to comply with the policy, the Debian Technical Committee (TC) can step in to override them, which it has done in the case of a recent systemd change that broke several programs that depend on a world-writable /run/lock directory.
Four new stable kernels
Greg Kroah-Hartman has announced the release of the 6.17.2, 6.16.12, 6.12.52, and 6.6.111 stable kernels. They each contain a relatively small set of important fixes. In addition: "Note, this is the LAST 6.16.y kernel release, this branch is now end-of-life. Please move to the 6.17.y branch at this point in time."
Security updates for Monday
Security updates have been issued by AlmaLinux (compat-libtiff3, iputils, kernel, open-vm-tools, and vim), Debian (asterisk, ghostscript, kernel, linux-6.1, and tiff), Fedora (cef, chromium, cri-o1.31, cri-o1.32, cri-o1.33, cri-o1.34, docker-buildx, log4cxx, mingw-poppler, openssl, podman-tui, prometheus-podman-exporter, python-socketio, python3.10, python3.11, python3.12, python3.9, skopeo, and valkey), Mageia (open-vm-tools), Red Hat (compat-libtiff3, kernel, kernel-rt, vim, and webkit2gtk3), and SUSE (distrobuilder, docker-stable, expat, forgejo, forgejo-longterm, gitea-tea, go1.25, haproxy, headscale, open-vm-tools, openssl-3, podman, podofo, ruby3.4-rubygem-rack, and weblate).
Kernel prepatch 6.18-rc1
Linus has released 6.18-rc1 and closed the merge window for this development cycle. "This was one of the good merge windows where I didn't end up having to bisect any particular problem on [any] of the machines I was testing. Let's hope that success mostly translates to the bigger picture too."
[$] Enhancing FineIBT
At the Linux Security Summit Europe (LSS EU), Scott Constable and Sebastian Osterlund gave a talk on an enhancement to a control-flow integrity (CFI) protection that was added to the kernel several years ago. The "FineIBT: Fine-grain Control-flow Enforcement with Indirect Branch Tracking" mechanism was merged for Linux 6.2 in early 2023 to harden the kernel against CFI attacks of various sorts, but needed some fixes and enhancements more recently. The talk looked at the CFI vulnerability problem, FineIBT, and an enhanced version that is hoped to be able to unify all of the disparate hardware and software mitigations to address both regular and speculative CFI vulnerabilities.
Security updates for Friday
Security updates have been issued by Debian (redis and valkey), Fedora (docker-buildkit, ibus-bamboo, pgadmin4, webkitgtk, and wordpress), Mageia (kernel-linus, kmod-virtualbox & kmod-xtables-addons, and microcode), Oracle (compat-libtiff3 and udisks2), Red Hat (rsync), Slackware (python3), SUSE (chromium, cJSON, digger-cli, glow, go1.24, go1.25, go1.25-openssl, grafana, libexslt0, libruby3_4-3_4, pgadmin4, python311-python-socketio, and squid), and Ubuntu (dpdk, libhtp, vim, and webkit2gtk).
[$] Gccrs after libcore
Despite its increasing popularity, the Rust programming language is still supported by a single compiler, the LLVM-based rustc. At the 2025 GNU Tools Cauldron, Pierre-Emmanuel Patry said that a lot of people are waiting for a GCC-based Rust compiler before jumping into the language. Patry, who is working on just that compiler (known as "gccrs"), provided an update on the status of that project and what is coming next.
[$] Last-minute /boot boost for Fedora 43
Sudden increases in the size of Fedora's initramfs files have prompted the project to fast-track a proposal to increase the default size of the /boot partition for new installs of Fedora 43 and later. The project has also walked back a few changes that have contributed to larger initramfs files, but the ever-increasing size of firmware means that the need for more room is unavoidable. The Fedora Engineering Steering Council (FESCo) has approved a last-minute change just before the final freeze for Fedora 43 to increase the default size of the /boot partition from 1GB to 2GB; this will leave plenty of space for kernels and initramfs images if a user is installing from scratch, but it is of no help for users upgrading from Fedora 42.