LWN.net

Security updates have been issued by Debian (smb4k), Fedora (direwolf, gh, usd, and webkitgtk), Slackware (libpcap and seamonkey), and SUSE (kepler).

Security updates have been issued by Debian (imagemagick and net-snmp), Fedora (delve, golang-github-google-wire, and golang-github-googlecloudplatform-cloudsql-proxy), and SUSE (podman, python3, and python36).

Version4.19.0 of the shadow-utilsproject has been released. Notable changes in this release includedisallowingsome usernames that were previously accepted with the--badname option, and removingsupport for escaped newlines in configuration files. Possibly moreinteresting is the announcement that the project is deprecating anumber of programs, hashing algorithms, and the ability toperiodically expire passwords:

Security updates have been issued by Debian (mediawiki), Fedora (duc, golang-github-projectdiscovery-mapcidr, and kustomize), Slackware (wget2), and SUSE (cheat, duc, flannel, go-sendxmpp, python311, python312, python313, and trivy).

Daniel Stenberg has written a blogpost about the decision to ban the use strcpy()in curl:

Security updates have been issued by Debian (openjpeg2, osslsigncode, php-dompdf, and python-django), Fedora (fluidsynth, golang-github-alecthomas-chroma-2, golang-github-evanw-esbuild, golang-github-jwt-5, and opentofu), Mageia (ceph and ruby-rack), and SUSE (anubis, apache2-mod_auth_openidc, dpdk22, kernel, libpng16, and python311-openapi-core).

Nate Graham looksback at how 2025 went for the KDE project.

Security updates have been issued by Debian (kodi, pgbouncer, and rails), Fedora (duc, fluidsynth, gdu, singularity-ce, and tkimg), Slackware (vim), and SUSE (buildah, duc, gnutls, python39, qemu, and webkit2gtk3).

Linus has released 6.19-rc3 for testing. "Another week, another -rc release.Except the past week has obviously been the holiday week, and this rcrelease is pretty small as a result. Very much as expected."

Graphite is an effort to unifyillustration, raster editing, desktop publishing, and animation in onebrowser-based application. The project has been in development since2021 and announced its first alpha release in 2022. According to creator Keavon Chambers, the project's mission is to become"the 2D counterpart to Blender", by bringing a node-based,non-destructive workflow to 2D graphics. The project, currently still inalpha, is a long way from complete; but it is worth testing for anyoneinvolved with open-source-graphics production. Currentbuilds, from September 2025, include vector-illustration tools, anode-based compositor, and early brush tooling, with broader pixel-based-and photo-editing work still in progress.

Security updates have been issued by Debian (gst-plugins-good1.0, postgresql-13, and python-urllib3), Fedora (chezmoi, docker-buildkit, ov, and subfinder), Oracle (httpd:2.4), Slackware (net), and SUSE (apache2, buildah, kernel, and mariadb).

The judge in the Vizio GPL-compliance lawsuit has ruled, in asummary judgment, that the GNU General Public License, version2,does not require the provision of signing keys needed to install modifiedsoftware on a device.

Once again there is a brand-new release under the tree from theRuby programming-language project: Ruby4.0has been released with many new features and improvements. Notablechanges include the experimental Ruby Boxfeature for in-process isolation of classes and modules, a newjust-in-time compiler called ZJIT, and improvements to Ruby'sparallel-execution mechanism (Ractor). There are a number of languagechanges as well. See the documentationfor Ruby4.0 for more.

Security updates have been issued by Fedora (httpd, retroarch, and roundcubemail), Oracle (container-tools:rhel8, grafana, httpd, kernel, python3.12, python39:3.9, thunderbird, and uek-kernel), and SUSE (cheat, go-sendxmpp, and kernel).

Inside this week's LWN.net Weekly Edition:

Another year has reached its conclusion. That can only mean one thing: thetime has come to take a look back at thepredictions we made in January and evaluate just how badly they turnedout. Much to our surprise, not all of our predictions were entirelyaccurate. It has been a wild year in the Linux community and beyond, tosay the least.

The systemdv259release was announced on December17, just three months afterv258. It is a more modest release but still includes a number ofimportant changes such as a new option for the run0 command(an alternative to sudo), ability to mount user home directories from the host in virtualmachines, as well as under-the-hood changes with dlopen()for library linking, the ability to compile systemd with musl libc,and more.

Security updates have been issued by AlmaLinux (container-tools:rhel8, grafana, opentelemetry-collector, and thunderbird), Red Hat (kernel), and SUSE (cheat, libsoup, mariadb, mozjs52, python310, python315, qemu, rsync, and zk).

Version8.1 of elementary OS has been released. Notable changes in thisrelease include making the Wayland session the default, changes towindow management and multitasking, as well as a number ofaccessibility improvements. The 8.1 release is the first to be madeavailable for Arm64 devices, which should allow users to runelementary on Apple M-series hardware or other Arm devices that canload UEFI-supporting firmware, such as some Raspberry Pi models. Seethe blog post for a full list of changes.

Arnd Bergmann began his 2025 LinuxPlumbers Conference session on the future of 32-bit support in theLinux kernel by saying that it was to be a followup to his September talk on the same topic. Thefocus this time, though, was on the kernel's "high memory" abstraction, andwhen it could be removed. It seems that the kernel community will need tosupport 32-bit systems for some time yet, even if it might be possible toremove some functionality, including support for large amounts of memory onthose systems, more quickly.

The BPF verifier works, on a theoretical level, by considering every possiblepath that a BPF program could take. As a practical matter, however, it needs todo that in a reasonable amount of time. At the2025 Linux Plumbers Conference, Mahe Tardy and Paul Chaignongave a detailed explanation(slides;video) ofthe main mechanism that it uses to accomplish that: state pruning. They focusedon two optimizations that help reduce the number of paths the verifier needs tocheck, and discussed some of the complications the optimizations introduced to the verifier'scode.

Security updates have been issued by AlmaLinux (binutils, curl, gcc-toolset-13-binutils, git-lfs, httpd, httpd:2.4, keylime, libssh, mod_md, openssh, php:8.3, podman, python3.12, python3.9, python39:3.9, skopeo, tomcat, tomcat9, and webkit2gtk3), Fedora (mingw-glib2, mingw-libsoup, and mingw-python3), Mageia (roundcubemail), Oracle (git-lfs and mod_md), and SUSE (glib2, kernel, mariadb, and qemu).

Version6.20 of the Incus container and virtual-machine management systemhas been released. Notable changes in this release include a newstandalonecommand to add IncusOS servers to a cluster,qcow2-formattedvolumes for clustered LVM, and reverseDNS records in OVN. See the announcement for a full list ofchanges.

Version 17.1 of the GDB debugger is out. Changes include shadow-stacksupport, info threads improvements, a number of Python APIimprovements, and more, including: "Warnings and error messages nowstart with an emoji (warning sign, or cross mark) if supported by the hostcharset. Configurable." See theNEWS file for more information.

Version 4.3.0 of the security-oriented Qubes OS distribution has beenreleased. Changes include more recent distribution templates, preloadeddisposable virtual machines, and the reintroduction of the Qubes WindowsTools set. See therelease notes for more information.

Ian Jackson (along with Sean Whitton) has posted a manifesto and statusupdate to the effect that, since Git repositories have become thepreferred method to distribute source, that is how Debian should bedistributing its source packages.

At OpenSource Summit Japan 2025, Erin McKean talked about the challenges toproducing good project documentation, along with some tooling that can helpguide the process toward success. It is a problem that many projectsstruggle with and one that her employer, Google, gained a lot of experiencewith from its now-concluded Season of Docsinitiative. Through that program, more than 200 case studies ofdocumentation projects were gathered that were mined for common problemsand solutions, which led to the tools and techniques that McKean described.

John Paul Adrian Glaubitz has announcedthat loong64 is now an official architecture for Debian, and will bepart of the Debian14 ("forky") release "if everything goesalong as planned". This is a bit more than two years after the initialbootstrap of the architecture.

Security updates have been issued by Debian (chromium, dropbear, mediawiki, php8.4, python-mechanize, rails, roundcube, usbmuxd, and wordpress), Fedora (cef, chromium, fonttools, gobuster, gosec, mingw-libpng, moby-engine, mqttcli, nextcloud, pgadmin4, python-unicodedata2, uriparser, and util-linux), Mageia (php and webkit2), Oracle (binutils, curl, gcc-toolset-13-binutils, gimp, git-lfs, kernel, openssh, php:8.3, podman, python-kdcproxy, python3.12, python3.9, skopeo, and webkit2gtk3), Red Hat (rsync), Slackware (php), SUSE (alloy, busybox, chromedriver, chromium, coredns-for-k8s, duc, firefox, kernel-devel, libpng16, libruby3_4-3_4, mariadb, netty, php8, python311-tornado6, rsync, taglib, and xen), and Ubuntu (linux-oracle-5.4, linux-raspi, linux-realtime-6.14, and linux-xilinx).

The 6.19-rc2 kernel prepatch is out fortesting. "I obviously expect next week to be even quieter, with peoplebeing distracted by the holidays. So let's all enjoy taking a little break,but maybe break the boredom with some early rc testing?"

The 2025 election for members of the Linux Foundation Technical AdvisoryBoard hasconcluded; the winners are Greg Kroah-Hartman, Steven Rostedt, JuliaLawall, David Hildenbrand, and Ted Ts'o.

The FreeBSD Foundation has a blogpost about the progress it has made in 2025 on the Laptop Support& Usability Project for FreeBSD. The foundation committed$750,000 to the project in 2025 and has made progress on graphicsdrivers, Wi-Fi4 and 5 support, audio improvements, sleep states,and more.

The BPF verifier is complicated. It needs tocheck every possible path that aBPF program's execution could take. The fact that its determination of whether aBPF program is safe is based on the whole lifetime of the program, instead ofsimple local factors, means that the cause of a verificationfailure is not always obvious. Ihor Solodrai and Jordan Rome gave a presentation(slides)at the2025 Linux Plumbers Conference in Tokyo aboutthe BPF verifier visualizer that they have been buildingto make diagnosing verification failures easier.

Security updates have been issued by Debian (roundcube), Fedora (checkpointctl, containernetworking-plugins, mingw-libpng, NetworkManager, php, python3-docs, python3.13, and webkitgtk), Oracle (kernel, keylime, and libssh), and SUSE (apache2, clair, colord, flannel, gnutls, golang-github-prometheus-alertmanager, grafana, grub2, helm, ImageMagick, libpng16, netty, openssl-3, postgresql13, postgresql14, postgresql15, python36, salt, uyuni-tools, and venv-salt-minion).

Stephen Rothwell, who has maintained the kernel's linux-next integrationtree from its inception, has announced hisretirement from that role:

Linus Torvalds is famously averse to presenting prepared talks, but thewider community is always interested in what he has to say about thecondition of the Linux kernel. So, for some time now, his appearances havebeen in the form of an informal conversation with Dirk Hohndel. At the2025 Open Source Summit Japan, the pair followed that tradition for the29th time. Topics covered include the state of the development process,what Torvalds actually does, and how machine-learning tools might fit intothe kernel project.

Systemdv259 has been released. Notable changes include a new"--empower" option for run0 that provides elevatedprivileges to a user without switching to root, ability to propagate auser's home directory into a VM with systemd-vmspawn, andmore. Support for System V service scripts has been deprecated, andwill be removed in v260. See the release notes for other changes,feature removals, and deprecated features.

Greg Kroah-Hartman has announced the release of the 6.18.2, 6.17.13, and 6.12.63 stable kernels. As always, eachcontains important fixes throughout the tree. He notes that6.17.13 is the last release of the 6.17.y kernel; users areadvised to move to the 6.18.y kernel branch.

Security updates have been issued by AlmaLinux (kernel, keylime, mysql:8.4, and tomcat), Debian (c-ares and webkit2gtk), Fedora (brotli, cups, golang-github-facebook-time, nebula, NetworkManager, perl-Alien-Brotli, python-django4.2, python-django5, and vips), Red Hat (binutils, buildah, curl, go-toolset:rhel8, golang, grafana, multiple packages, php:8.3, podman, python3.12, python39:3.9, ruby:3.3, and skopeo), SUSE (buildah, cups, firefox, glib2, grub2, helm, icinga-php-library, icingaweb2, ImageMagick, imagemagick, kernel, libpng12, libpng16, mariadb, openssl-3, poppler, python39, usbmuxd, webkit2gtk3, wireshark, and xkbcomp), and Ubuntu (linux-azure-fips).

Inside this week's LWN.net Weekly Edition:

After three years of development, Linux hardware provider System76has declaredthe COSMIC desktopenvironment stable. It shipped COSMIC Epoch1 as part of thelong-awaited Pop!_OS24.04LTSrelease on December11, just in time for Linux enthusiasts tohave something to tinker with over the end-of-year holidays. With thestable release out the door, it seemed like a good time to check backin on COSMIC and see how it has evolved since the first alpha. For a firststable release of a new desktop environment, COSMIC shows a lot ofpromise and room to grow.

The Asahi Linux project has publishedits progress report following the release of Linux 6.18. This timearound the project reports progress on many fronts, includingmicrophone support for M2 Pro/Max MacBooks, work queued for Linux 6.19to support USB3 via the USB-C ports, and work to improve the AsahiLinux installation experience. The project is also enabling asadditional System Management Controller (SMC) drivers, which meansthat "the myriad voltage, current, temperature and power sensorscontrolled by the SMC will be readable using the standard hwmoninterfaces".

The Civil Infrastructure Platform(CIP) first launched in that form in April 2016, so it has atenth-anniversary celebration in its near future. At the 2025 OpenSource Summit Japan, Yoshitake Kobayashi talked about the goals of thisproject and where it is headed in the future. Supporting a Linux systemfor even one year is a challenging task; maintaining that support for adecade or more is rather more so, and a changing regulatory environmentcomplicates the task further.

Security updates have been issued by Debian (node-url-parse), Fedora (assimp, conda-build, mod_md, util-linux, and webkitgtk), Oracle (firefox), SUSE (chromium, librsvg, poppler, python311, qemu, strongswan, webkit2gtk3, wireshark, and xen), and Ubuntu (linux-azure, linux-azure-5.4, linux-azure-5.15, linux-azure-fips, and linux-raspi, linux-raspi-realtime, linux-xilinx).

Mozilla has announceda new CEO, Anthony Enzor-DeMeo. Prior to becoming CEO, Enzor-DeMeo wasgeneral manager of Firefox and led its "vision, strategy, andbusiness performance". He has publisheda blog post about taking over from interim CEO Laura Chambers, andhis plans for Mozilla and Firefox:

The final part of the 2025 Maintainers Summit was devoted to the kernel'sdevelopment process itself. There were two sessions, one on continuity andsuccession planning, and the traditional discussion, led by Linus Torvalds,on any pain points that the community is experiencing. There was not a lotthat developers were unhappy about, and there are now more explicit plans inthe works to provide a process should Torvalds abruptly become unable tofill his role.

Security updates have been issued by Debian (binwalk, glib2.0, libgd2, paramiko, and python-apt), Fedora (chromium, python3.13, python3.14, qt6-qtdeclarative, and usd), Mageia (ffmpeg, firefox, nspr, nss, and thunderbird), Oracle (kernel, mysql, mysql:8.0, mysql:8.4, ruby:3.3, wireshark, and xorg-x11-server), Red Hat (expat, mingw-expat, and rsync), SUSE (binutils, curl, glib2, gnutls, go1.24, go1.25, keylime, libmicrohttpd, libssh, openexr, postgresql15, python311, and xkbcomp), and Ubuntu (libsoup3, linux, linux-aws, linux-aws-6.8, linux-gcp, linux-gcp-6.8, linux-gke, linux-gkeop, linux-hwe-6.8, linux-ibm, linux-ibm-6.8, linux-lowlatency, linux-lowlatency-hwe-6.8, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, linux-oracle, linux-oracle-6.8, linux, linux-aws, linux-kvm, linux-lts-xenial, linux-azure, linux-azure-6.14, linux-azure, linux-azure-6.8, linux-azure-fips, linux-fips, linux-fips, linux-aws-fips, linux-gcp-fips, linux-kvm, linux-oem-6.14, linux-raspi, and linux-realtime, linux-realtime-6.8).

Version8.16.0 of the calibreebook-management software, released on December4, includes a"Discuss with AI" feature that can be used to query various AI/LLMservices or local models about books, and ask for recommendations onwhat to read next. The feature has sparked discussion among humanusers of calibre as well, and more than a few are upset about theintrusion of AI into the software. After much pushback, it looks asthough users will get the ability to hide the feature from calibre's userinterface, but LLM-driven features are here to stay and more willlikely be added over time.

Vojtch Polaek has announcedan unofficial effort to create a Fedora-based distribution designedfor visually impaired users:

Despite depending heavily on tools, the kernel project often seems tounder-invest in the development of those tools. There has been progress inthat area, though. At the 2025 Maintainers Summit, Konstantin Ryabitsev,who is (among other things) the author of b4, led a session on waysin which the kernel's tools could be improved to make the developmentprocess more efficient and accessible.