LWN.net

Version146.0 of the Firefox web browser has been released. One feature ofparticular interest to Linux users is that Firefox now nativelysupports fractional scaled displays on Wayland. Firefox Labs has alsobeen made available to all users even if they opt out of telemetry orparticipating in studies. "This means more experimental featuresare now available to more people."This release also adds support for Module-Lattice-BasedKey-Encapsulation Mechanism (ML-KEM) for WebRTC. ML-KEM is"believed to be secure against attackers with large quantumcomputers". See the release notes for all changes.

Security updates have been issued by AlmaLinux (kernel, kernel-rt, and webkit2gtk3), Fedora (abrt and mingw-libpng), Mageia (apache and libpng), Oracle (abrt, go-toolset:rhel8, kernel, sssd, and webkit2gtk3), Red Hat (kernel and kernel-rt), SUSE (gimp, gnutls, kubevirt, virt-api-container, virt-controller-container, virt-exportproxy-container, virt-exportserver-container, virt-handler-container, virt-launcher-container, virt-libguestfs-t, and postgresql13), and Ubuntu (gnupg2, python-apt, radare2, and webkit2gtk).

TheInternet Engineering Task Force (IETF) is the standards body responsiblefor the TLS encryption standard - which your browser is using right nowto allow you to read LWN.net. As part of its work to keep TLS secure, the IETFhas been entertainingproposals to adopt "post-quantum" cryptography (that is,cryptography that is not known to be easily broken by a quantum computer) for TLSversion 1.3. Discussion of the proposal has exposed a large disagreement betweenparticipants who worried about weakened security and others who worried aboutweakened marketability.

Jon Seager, VP of engineering for Canonical, has announceda plan to develop a universal Public Key Infrastructure tool calledupki:

Security updates have been issued by Debian (ffmpeg, krita, lasso, and libpng1.6), Fedora (abrt, cef, chromium, tinygltf, webkitgtk, and xkbcomp), Oracle (buildah, delve and golang, expat, python-kdcproxy, qt6-qtquick3d, qt6-qtsvg, sssd, thunderbird, and valkey), Red Hat (webkit2gtk3), and SUSE (git-bug, go1, and libpng12-0).

As has been recently announced,nominations are open for the 2025 Linux Foundation Technical Advisory Board(TAB) elections. I am one of the TAB members whose term is coming to anend, but I have decided that, after 18years on the board, I will notbe seeking re-election; instead, I will step aside and make room for afresh voice. My time on the TAB has been rewarding, and I will be sad toleave; the TAB has an important role to play in the functioning of thekernel community.

Greg Kroah-Hartman has announced the release of the6.17.11,6.12.61,6.6.119,6.1.159,5.15.197, and5.10.247 stable kernels. Each contains important fixes throughout the tree; users of these kernels should upgrade.

Emma Smith and Kirill Podoprigora, two of Python's core developers, haveopened adiscussion about including Rust code in CPython, the reference implementation ofthe Python programming language. Initially, Rust would only be used for optionalextension modules, but they would like to see Rust become a required dependencyover time. The initial plan was to make Rust required by 2028, but Smith andPodoprigora indefinitely postponed that goal in response to concerns raised in the discussion.

Security updates have been issued by AlmaLinux (buildah, firefox, gimp:2.8, go-toolset:rhel8, ipa, kea, kernel, kernel-rt, pcs, qt6-qtquick3d, qt6-qtsvg, systemd, and valkey), Debian (chromium and unbound), Fedora (alexvsbus, CuraEngine, fcgi, libcoap, python-kdcproxy, texlive-base, timg, and xpdf), Mageia (digikam, darktable, libraw, gnutls, python-django, unbound, webkit2, and xkbcomp), Oracle (bind, firefox, gimp:2.8, haproxy, ipa, java-25-openjdk, kea, kernel, libsoup3, libssh, libtiff, openssl, podman, qt6-qtsvg, squid, systemd, vim, and xorg-x11-server-Xwayland), Slackware (httpd and libpng), SUSE (chromedriver, kernel, and python-mistralclient), and Ubuntu (cups, linux-azure, linux-gcp, linux-gcp, linux-gke, linux-gkeop, linux-ibm-6.8, linux-iot, and mame).

Version 3.23.0 of Alpine Linux has been released. Notable changesin this release include an upgrade to version3.0of the AlpinePackage Keeper (apk), and replacing the linux-edgepackage with linux-stable:

As of this writing, 4,124 non-merge commits have been pulled into themainline repository for the 6.19 kernel development cycle. That is arelatively small fraction of what can be expected this time around, but itcontains quite a bit of significant work, with changes to many core kernelsubsystems. Read on for a summary of the first part of the 6.19 mergewindow.

Dictionaries are ubiquitous in Python code; they are the data structure ofchoice for a wide variety of tasks. But dictionaries are mutable, whichmakes them problematic for sharing data in concurrent code. Python hasadded various concurrency features to the language over the last decade orso-async, free threading without the global interpreter lock(GIL), and independent subinterpreters-but users must work out their ownsolution for an immutable dictionary that can be safely shared byconcurrent code. There are existing modules that could be used, but a recent proposal, PEP 814 ("Add frozendictbuilt-in type"), looks to bring the feature to the language itself.

Andreas Schneider has announcedversion 2.0 of the cmockaunit-testing framework for C:

Security updates have been issued by AlmaLinux (expat and libxml2), Debian (openvpn and webkit2gtk), Fedora (gi-loadouts, kf6-kcoreaddons, kf6-kguiaddons, kf6-kjobwidgets, kf6-knotifications, kf6-kstatusnotifieritem, kf6-kunitconversion, kf6-kwidgetsaddons, kf6-kxmlgui, nanovna-saver, persepolis, python-ezdxf, python-pyside6, sigil, stb, syncplay, tinyproxy, torbrowser-launcher, ubertooth, and usd), Mageia (cups), SUSE (cups, gegl, icinga2, mozjs128, and Security), and Ubuntu (ghostscript, kernel, linux, linux-aws, linux-aws-5.15, linux-gcp-5.15, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-intel-iotg, linux-intel-iotg-5.15, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-nvidia-tegra, linux-nvidia-tegra-5.15, linux-nvidia-tegra-igx, linux-oracle, linux-oracle-5.15, linux-xilinx-zynqmp, linux, linux-aws, linux-aws-hwe, linux-kvm, linux-oracle, linux-aws-fips, linux-fips, linux-aws-fips, linux-fips, linux-gcp-fips, linux-azure-fips, linux-gcp, linux-gcp-4.15, linux-hwe, linux-gcp, linux-gcp-6.8, linux-gke, linux-gkeop, linux-gcp-6.14, linux-raspi, linux-gcp-fips, linux-intel-iot-realtime, linux-realtime, linux-raspi, linux-raspi-realtime, linux-xilinx, and postgresql-14, postgresql-16, postgresql-17).

Loris Cro has publisheda detailed YouTube video talking about the terminology used to discuss asynchronicity, concurrency, and parallelism in our recent article about Zig's new Io interface. Our article is not completely clear because it uses the term "asynchronous I/O" to refer to what should really be called "non-blocking I/O", and sometimes confuses asynchronicity for concurrency, among other errors of terminology, he says. Readers interested in precise details about Zig's approach and some of the motivation behind the design may find Cro's video interesting.

Inside this week's LWN.net Weekly Edition:

Version2025.12 of the Home Assistant home-automation system has been released.

The Django Python webframework project has announcedthe release of Django 6.0 including many new features, as can be seen inthe releasenotes. Some highlights include template partials for modularizingtemplates, a flexible task framework for running background tasks, amodernized email API, and a ContentSecurity Policy (CSP) feature that provides the ability to "easily configure and enforce browser-level security policies to protect against content injection".

Over time, many Linux users wind up with a collection of aliases,shell scripts, and makefiles to run simple commands (or a series ofcommands) that are often used, but challenging to remember andannoying to type out at length. The just command runner is aRust-based utility that just does one thing and does it well: it readsrecipes from a text file (aptly called a "justfile"), and runs thecommands from an invoked recipe. Rather than accumulating a libraryof one-off shell scripts over time, just provides a cross-platform toolwith a framework and well-documented syntax for collecting anddocumenting tasks that makes it useful for solo users andcollaborative projects.

Security updates have been issued by Debian (containerd, mako, and xen), Fedora (forgejo, nextcloud, openbao, rclone, restic, and tigervnc), Oracle (firefox, kernel, libtiff, libxml2, and postgresql), SUSE (libecpg6, lightdm-kde-greeter, python-cbor2, python-mistralclient-doc, python315, and python39), and Ubuntu (kdeconnect, linux, linux-aws, linux-realtime, python-django, and unbound).

Greg Kroah-Hartman has announced the release of the 5.4.302 stable kernel:

Let's Encrypt has announcedthat it will be reducing the validity period of its certificates from90 days to 45 days by 2028:

FreeBSD15.0 has been released. Notable changes in this release include a newmethod for installingthe base system using the pkg package manager, an updateto OpenZFS2.4.0-rc4,native support for the inotify(2)interface, and the addition of Open Container Initiative (OCI) imagesto FreeBSD's release artifacts. See the releasenotes for a full list of changes, hardwarenotes for supported hardware, and check the erratabefore installing or upgrading.

The designers of theZig programming language have been working to find asuitable design for asynchronous code for some time.Zig is a carefully minimalist language, and itsinitial design forasynchronous I/O did not fit well with its otherfeatures. Now, the project hasannounced (in a Zig SHOWTIME video) a new approach to asynchronous I/O thatpromises to solve thefunction coloring problem, and allows writing code that will executecorrectly using either synchronous or asynchronous I/O.

Security updates have been issued by Fedora (gnutls, libpng, mingw-python3, python-spotipy, source-to-image, unbound, and webkitgtk), Mageia (libpng), SUSE (bash-git-prompt, gitea-tea, java-17-openjdk, java-21-openjdk, kernel, openssh, python, and shadowsocks-v2ray-plugin, v2ray-core), and Ubuntu (binutils, openjdk-17-crac, openjdk-21-crac, and openjdk-25-crac).

There are many possible programmer mistakes that are not caught by theminimal checks specified by the C language; among those is passing an arrayof the wrong size to a function. A recent attempt to add some safetyaround array parameters within the crypto layer involved the use of someclever tricks, but it turns out that clever tricks are unnecessary in thiscase. There is an obscure C feature that can cause this checking tohappen, and it is already in use in a few places within the kernel.

Linus Torvalds releasedthe 6.18 kernel as expected on November30, closing the last fulldevelopment cycle of 2025. It was another busy cycle, featuring a recordnumber of developers. The time has come for a look at where the code camefrom for this kernel release, but also for the year-long long-term-supportcycle which has also reached its conclusion with this release.

Security updates have been issued by AlmaLinux (bind9.18, cups, gimp, ipa, kernel, libssh, mingw-expat, openssl, pcs, sssd, tigervnc, and valkey), Debian (gnome-shell-extension-gsconnect, mistral-dashboard, pagure, python-mistralclient, pytorch, qtbase-opensource-src, sogo, tryton-server, and unbound), Fedora (cef, drupal7, glib2, linux-firmware, migrate, pack, pgadmin4, rnp, and unbound), Slackware (libxslt), SUSE (cpp-httplib, curl, glib2, grub2, kernel, libcoap-devel, libcryptopp, libwireshark19, postgresql15, and postgresql17), and Ubuntu (edk2).

Greg Kroah-Hartman has announced the release of the 6.17.10, 6.12.60, and 6.6.118 stable kernels. As usual, eachcontains a number of important fixes throughout the tree. Users areadvised to upgrade.

Linus has released the 6.18 kernel, as expected.

Version25.11 of the NixOS distribution has been released. "The 25.11release was made possible due to the efforts of 2742 contributors, whoauthored 59430 commits since the previous release". Changes include7,002 new packages, GNOME49, LLVM21, a new COSMIC desktopenvironment beta, firewalld support, and more; see therelease notes for details.

The prizrak.me blog is carrying an introduction to theLandlock security module.

Security updates have been issued by Debian (krita and tryton-server), Oracle (bind9.18, ipa, kernel, libssh, redis, redis:7, sqlite, sssd, and vim), Slackware (cups), SUSE (containerd, cups, curl, dovecot24, git-bug, gitea-tea, glib2, grub2, himmelblau, java-25-openjdk, kernel, libmicrohttpd, libvirt, pnpm, powerpc-utils, python311, python313, redis, rnp, runc, sssd, tomcat11, unbound, and xwayland), and Ubuntu (cups, libxml2, openvpn, and webkit2gtk).

Security updates have been issued by Debian (kdeconnect, libssh, and samba), Fedora (7zip, docker-buildkit, and docker-buildx), Oracle (bind, buildah, cups, delve and golang, expat, firefox, gimp, go-rpm-macros, haproxy, kernel, lasso, libsoup, libtiff, mingw-expat, openssl, podman, python-kdcproxy, qt5-qt3d, runc, squid, thunderbird, tigervnc, valkey, webkit2gtk3, xorg-x11-server, and xorg-x11-server-Xwayland), SUSE (buildah, cloudflared, containerd, expat, firefox, gnutls, helm, kernel, libxslt, mysql-connector-java, ongres-scram, openbao, openexr, openssh, podman, python311, python312, ruby2.5, rubygem-rack, runc, samba, sssd, tiff, unbound, and yelp), and Ubuntu (edk2, ffmpeg, h2o, python3.13, rust-openssl, and valkey).

KDE's Plasma team has announcedthat KDE Plasma will drop X11 session support with Plasma6.8:

Security updates have been issued by AlmaLinux (bind, binutils, delve and golang, expat, firefox, haproxy, kernel, libsoup3, libssh, libtiff, openssh, openssl, pam, podman, python-kdcproxy, shadow-utils, squid, thunderbird, vim, xorg-x11-server-Xwayland, and zziplib), Debian (cups-filters, libsdl2, linux-6.1, net-snmp, pdfminer, rails, and tryton-sao), Fedora (chromium, docker-buildkit, docker-buildx, and sudo-rs), Gentoo (librnp), Mageia (webkit2), SUSE (amazon-ssm-agent, buildah, curl, dpdk, fontforge-20251009, kernel, libIex-3_4-33, librnp0, python311, rclone, and sssd), and Ubuntu (linux, linux-aws, linux-aws-6.8, linux-ibm, linux-lowlatency, linux-lowlatency-hwe-6.8, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, linux-oracle, linux-aws-6.14, linux-oracle-6.14, linux-aws-fips, linux-fips, linux-gcp-fips, linux-realtime, linux-realtime-6.8, mupdf, openjdk-17, openjdk-8, and openjdk-lts).

Security updates have been issued by AlmaLinux (buildah, firefox, go-rpm-macros, kernel, kernel-rt, podman, and thunderbird), Debian (erlang, python-gevent, and r-cran-gh), Fedora (buildah, chromium, k9s, kubernetes1.33, kubernetes1.34, podman, python-mkdocs-include-markdown-plugin, and webkitgtk), Gentoo (Chromium, Google Chrome, Microsoft Edge. Opera, qtsvg, redict, redis, UDisks, and WebKitGTK+), Mageia (cups-filters and ruby-rack), Oracle (kernel and libssh), Red Hat (.NET 8.0, tigervnc, xorg-x11-server, and xorg-x11-server-Xwayland), SUSE (act, bind, cups-filters, govulncheck-vulndb, grub2, libebml, python39, and tcpreplay), and Ubuntu (linux-raspi, linux-raspi-realtime, openjdk-21, openjdk-25, python3.12, python3.11, python3.10, python3.9, python3.8, python3.7, python3.6, python3.5, python3.4, and runc-app, runc-stable).

AlmaLinux 10.1 has been released. Inaddition to providing binary compatibility with Red Hat EnterpriseLinux (RHEL)10.1, the most notable feature in AlmaLinux10.1 isthe addition of supportfor Btrfs, which is not available in RHEL:

It is rarely newsworthy when a project or package picks up a newdependency. However, changes in a core tool like Debian's Advanced PackageTool (APT) can have far-reaching effects. For example, JulianAndres Klode's declarationthat APT would require Rust in May 2026 means that a few of Debian'sunofficial ports must either acquire a working Rust toolchain ordepend on an old version of APT. This has raised several questionswithin the project, particularly about the ability of a singlemaintainer to make changes that have widespread impact.

Greg Kroah-Hartman has announced the release of the6.17.9,6.12.59, and6.6.117 stable kernels. As usual, he advisesusers of stable kernels to upgrade.

Security updates have been issued by Fedora (calibre, chromium, cri-o1.32, cri-o1.33, cri-o1.34, dotnet10.0, dovecot, gnutls, gopass, gopass-hibp, gopass-jsonapi, kubernetes1.31, kubernetes1.32, kubernetes1.33, kubernetes1.34, and linux-firmware), Mageia (ffmpeg, kernel, kmod-xtables-addons & kmod-virtualbox, kernel-linus, konsole, and redis), Red Hat (bind and bind-dyndb-ldap and kernel), SUSE (act, alloy, amazon-ssm-agent, ansible-12, ansible-core, blender, chromium, cups-filters, curl, elfutils, expat, firefox, glib2, grub2, helm, kernel, libipa_hbac-devel, libxslt, nvidia-container-toolkit, ongres-scram, openexr, podman, poppler, runc, samba, sssd, thunderbird, and tomcat), and Ubuntu (cups-filters, linux, linux-aws, linux-gcp, linux-hwe-6.14, linux-oracle, linux-realtime, linux-oem-6.14, and linux-realtime-6.14).

Linus has released 6.18-rc7, probably thelast -rc before the 6.18 release.

The Racket programming languageproject has released Racketversion 9.0. Racket is a descendant of Scheme, so it is part of the Lisp family of languages. The headline feature in the release is parallelthreads, which adds to the concurrency tools in the language: "WhileRacket has had green threads for some time, and supports parallelism viafutures and places, we feel parallel threads is a major addition."Other new features include the black-boxwrapper to prevent the compiler from optimizing calculations away, the decompile-linkletfunction to map linkletsback to an s-expression, theaddition of Weibulldistributions to the math library, and more.

The Oracle blog has alengthy article on enhancements to GCC to help detect overflows offlexible array members (FAMs) in C programs.

The call forcandidates for the 2025 election for the Linux Foundation TechnicalAdvisory Board has been posted.

Unpacking Python iterables of various sorts, such as dictionaries or lists,is useful in a number of contexts, including for function arguments, butthere has long been a call for extending that capability to comprehensions. PEP798 ("Unpacking inComprehensions") was first proposed in June 2025 to fill that gap. In earlyNovember, the steering council acceptedthe PEP, which means that the feature will be coming to Python3.15 inOctober2026. It may be something of a niche feature, but it is aninconsistency that has been apparent for a while-to the point that some Python programmersassume that it is already present in the language.

Version8.5.0 of the PHP language has been released. Changes include a new"|>" operator that, for some reason, makes these two linesequivalent:

Security updates have been issued by AlmaLinux (delve and golang), Debian (webkit2gtk), Oracle (expat and thunderbird), Red Hat (kernel), Slackware (openvpn), SUSE (chromium, grub2, and kernel), and Ubuntu (cups-filters, imagemagick, and libcupsfilters).

In July, Collabora announcedthe Rust-based TyrGPU driver for Arm MaliGPUs. Daniel Almeida has posted an updateon progress with a prototype of the driver running on a Rock 5B boardwith the Rockchip RK3588 system-on-chip:

BPF allows programs uploaded from user space to be run, safely, within thekernel. The io_uring subsystem, too, can be thought of as a way of loadingprograms in the kernel, though the programs in question are mostly asequence of I/O-related system calls. It has sometimes seemed inevitablethat io_uring would, like many other parts of the kernel, gain BPFcapabilities as a way of providing more flexibility to user space. Thathas not yet happened, but there are currently two patch sets underconsideration that take different approaches to the problem.