Feed lwn LWN.net

Link https://lwn.net/
Feed http://lwn.net/headlines/rss
Updated 2025-10-02 20:00
Security updates for Monday
Security updates have been issued by AlmaLinux (go-toolset:rhel8, kernel, and kernel-rt), Fedora (chromium), Oracle (libxml2), Red Hat (go-toolset:rhel8, golang, kernel, kernel-rt, openjpeg2, rsync, and tigervnc), and SUSE (apache-commons-lang3, chromedriver, fractal, framework_tool, go1.23-openssl, go1.24-openssl, grub2, gstreamer-devtools, gstreamer-plugins-rs, jasper, libavif, lighttpd, nginx, podman, postgresql13, postgresql14, postgresql15, postgresql16, python311-pypdf, ruby2.5, rust-keylime, tiff, tomcat, tomcat10, and tomcat11).
Kernel prepatch 6.17-rc2
The second 6.17 kernel prepatch is out for testing. "So it's been a very calm week, and this is one of the smaller rc2 releases we've had lately. I'm definitely not complaining, since I've been jetlagged much of the week, but I have this suspicion that it just means that next week will see more noise."
Hashimoto: We rewrote the Ghostty GTK application
Mitchell Hashimoto has written a blog post about "fully embracing the GObject type system" with a rewrite of the GTK version of Ghostty:
Five Friday stable kernels
Greg Kroah-Hartman has announced the release of the 6.16.1, 6.15.10, 6.12.42, 6.6.102, and 6.1.148 stable kernels. Get them while they're hot!
[$] Finding a successor to the FHS
The purpose of the Filesystem Hierarchy Standard (FHS) is to provide a specification for filesystem layout; it specifies the location for files and directories on a Linux system to simplify application development for multiple distributions. In its heyday it had some success at this, but the standard has been frozen in time since 2015, and much has changed since then. There is a slow-moving effort to revive the FHS and create a FHS 4.0, but a recent discussion among Fedora developers also raised the possibility of standardizing on the suggestions in systemd's file-hierarchy documentation, which has now been added to the Linux Userspace API (UAPI) Group's specifications.
Security updates for Friday
Security updates have been issued by AlmaLinux (kernel and webkit2gtk3), Debian (aide and postgresql-13), Fedora (libtiff, mupdf, and pandoc), SUSE (cairo, chromium, gstreamer-plugins-base, ImageMagick, iputils, kubernetes1.23, kubernetes1.26, matrix-synapse, Mesa, pgadmin4, python3, qemu, and rz-pm), and Ubuntu (aide).
[$] Simpler management of the huge zero folio
One might imagine that managing a page full of zeroes would be a relatively straightforward task; there is, after all, no data of note that must be preserved there. The management of the huge zero folio in the kernel, though, shows that life is often not as simple as it seems. Tradeoffs between conflicting objectives have driven the design of this core functionality in different directions over the years, but much of the associated complexity may be about to go away.
Security updates for Thursday
Security updates have been issued by AlmaLinux (kernel, python3.11-setuptools, thunderbird, and toolbox), Debian (chromium), Fedora (open62541 and perl-Authen-SASL), Oracle (git, kernel, konsole, and webkit2gtk3), SUSE (framework-inputmodule-control and poppler), and Ubuntu (apache2, mysql-8.0, mysql-8.4, node-qs, request-tracker5, and ruby-sidekiq).
[$] LWN.net Weekly Edition for August 14, 2025
Inside this week's LWN.net Weekly Edition:
NGINX adds native support for ACME protocol
NGINX has announced the preview release of the nginx-acme module, which adds native support to NGINX for the Automatic Certificate Management Environment (ACME) protocol:
Go 1.25 released
Version 1.25 of Go has been released. Notable changes include support for generating debug information in the DWARF5 format, "container awareness" when setting the maximum number of CPUs to be used, and a new testing/synctest package with support for testing concurrent code. See the release notes for a comprehensive list of changes in 1.25.
Syncthing 2.0 released
Version 2.0 of Syncthing, a continuous file synchronization utility, has been released. Notable changes in 2.0 include multiple connections for synchronizing metadata and file data, a new logging format, as well as a switch from LevelDB to SQLite for Syncthing's backend. This is the first release in the 2.0 series, and the release notes advise users to "expect some rough edges and keep a sense of adventure".
[$] Indico: event management using Python
The Indico event-management tool has been in development at CERN for two decades at this point. The MIT-licensed web application helps organize conferences, meetings, workshops, and so on; it runs on Python and uses the Flask web framework. Two software engineers on the project, Dominic Hollis and Tomas Roun, came to EuroPython 2025 in Prague to talk about Indico, its history, and some metrics about its community. There is a bit of a connection between Indico and the conference: in 2006 and 2007, the tool was used to manage EuroPython.
Security updates for Wednesday
Security updates have been issued by Debian (apache2, kernel, linux-6.1, openjdk-17, and pgpool2), Fedora (glib2, matrix-synapse, openjpeg, python3-docs, and python3.13), Oracle (gdk-pixbuf2, glibc, java-1.8.0-openjdk, kernel, libxml2, python-requests, python3.11-setuptools, and thunderbird), SUSE (amber-cli, apache-commons-lang3, eclipse-jgit, go1.23, go1.24, govulncheck-vulndb, grub2, icinga2, kubernetes1.23, libgcrypt, python3, python313, sccache, slurm, tiff, and webkit2gtk3), and Ubuntu (linux-oracle).
[$] Possible paths for signing BPF programs
BPF programs are loaded directly into the kernel. Even though the verifier protects the kernel from certain kinds of misbehavior in BPF programs, some people are still justifiably concerned about adding unsigned code to their kernel. A fully correct BPF program can still be used to expose sensitive data, for example. To remedy this, Blaise Boscaccy and KP Singh have both shared patch sets that add ways to verify cryptographic signatures of BPF programs, allowing users to configure their kernels to load only pre-approved BPF programs. This work follows on from the discussion at the Linux Storage, Filesystem, Memory-Management, and BPF Summit (LSFMM+BPF) in April and Boscaccy's earlier proposal of a Linux Security Module (LSM) to accomplish the same goal. There are still some fundamental disagreements over the best approach to signing BPF programs, however.
[$] Arch shares its wiki strategy with Debian
The Arch Linux project is especially well-known in the Linux community for two things: its rolling-release model and the quality of the documentation in the ArchWiki. No matter which Linux distribution one uses, the odds are that eventually the ArchWiki's documentation will prove useful. The Debian project recognized this and has sought to improve its own documentation game by inviting ArchWiki maintainers Jakub Klinkovsky and Vladimir Lavallade to DebConf25 in Brest, France, to speak about how Arch manages its wiki. The talk has already borne fruit with the launch of an effort to revamp the Debian wiki.
Radicle 1.3.0 released
Version 1.3.0 of the Radicle distributed software forge system has been released. Changes this time around include canonical references, a new radicle-protocol crate, better log rotation, and more. (LWN looked at Radicle in 2024).
Security updates for Tuesday
Security updates have been issued by AlmaLinux (kernel, kernel-rt, and python-requests), Debian (ca-certificates-java), Fedora (chromium, clash-meta, mingw-python3, openjpeg, php-adodb, and toolbox), Mageia (kernel and kernel-linus), SUSE (chromium, ImageMagick, libgcrypt, libssh, libxml2, opensc, postgresql14, and postgresql16), and Ubuntu (dnsmasq, linux-gcp-6.8, linux-raspi, linux-oracle-6.14, and openjdk-17).
Debian GNU/Hurd 2025 released
Debian's GNU/Hurd team has announced the release of Debian GNU/Hurd 2025:
Hughes: LVFS Sustainability Plan
Richard Hughes, creator and maintainer of the Linux Vendor Firmware Service (LVFS), has written a blog post about the sustainability plan he has put together for the service. He is calling for the vendors that use the service to help fund its development and maintenance going forward.
[$] StarDict sends X11 clipboard to remote servers
StarDict is a GPLv3-licensed cross-platform dictionary application. It includes dictionaries for a number of languages, and has a rich plugin ecosystem. It also has a glaring security problem: while running on X11, using Debian's default configuration, it will send a user's text selections over unencrypted HTTP to two remote servers.
[$] The rest of the 6.17 merge window
The 6.17-rc1 prepatch was released by Linus Torvalds on August 10; the 6.17 merge window is now closed. There were 11,404 non-merge changesets pulled into the mainline this time around, a little over 7,000 of which came in after the first-half merge-window summary was written. As one would expect, quite a few changes and new features were included in that work.
Security updates for Monday
Security updates have been issued by AlmaLinux (jackson-annotations, jackson-core, jackson-databind, jackson-jaxrs-providers, and jackson-modules-base and libxml2), Debian (distro-info-data, gnutls28, modsecurity-crs, and node-tmp), Fedora (chromium, incus, perl, perl-Devel-Cover, perl-PAR-Packer, polymake, varnish, and xen), Red Hat (kernel, kernel-rt, and rhc), and SUSE (chromedriver, ffmpeg-4, go1.23, go1.24, go1.25, govulncheck-vulndb, himmelblau, iperf, keylime-ima-policy, net-tools, sqlite3, texmaker, tomcat, and zabbix).
Kernel prepatch 6.17-rc1
Linus has released 6.17-rc1 and closed the merge window for this development cycle.
Debian 13 ("trixie") released
The Debian Project has released its latest stable version, Debian 13 ("trixie"), which will be supported through 2030. This release includes GNOME 48, KDE Plasma 6.3, Xfce 4.20, Linux 6.12, GCC 14.2, Python 3.13, and systemd 257.
Some turbulence at CalyxOS
CalyxOS is an Android distribution that claims a focus on privacy and security. So when an announcement from the project begins by saying "we want to assure you that we have no reason to believe the security of CalyxOS and its signing keys have been compromised", chances are that good things are not happening. In this case, it would appear that Nicholas Merrill, one of the founders of the project, has left for unclear reasons, and CalyxOS is responding by pausing all releases - and security updates - while its release process, signing keys, and security protocols are reworked. The result will be no updates for "four to six months". The project is recommending that its users "should uninstall the OS" and wait for an all-clear signal. CalyxOS may have its work cut out for it when the time comes to try to convince those users to come back.
[$] Treating Python's debugging woes
Debugging in Python is not like it is for some other languages, as there is no way to attach a debugger to a running program to try to diagnose its ills. Pablo Galindo Salgado noticed that when he started programming in Python ten years ago or so; it bugged him enough that he helped fill the hole. The results will be delivered in October with Python 3.14. At EuroPython 2025, he gave a characteristically fast-paced and humorous look at debugging and what will soon be possible for Python debugging - while comparing it all to medical diagnosis.
Security updates for Friday
Security updates have been issued by AlmaLinux (gdk-pixbuf2, glibc, kernel, kernel-rt, libxml2, and opentelemetry-collector), Fedora (firefox, mingw-opencv, moby-engine, varnish, webkitgtk, xen, and yarnpkg), Oracle (firefox, gdk-pixbuf2, glibc, kernel, libblockdev, libxml2, python-requests, python3.12-setuptools, and qt5-qt3d), Red Hat (libxml2, pcs, and sudo), and SUSE (agama, chromium, dpkg, ghostscript, iperf, kubo, libIex-3_3-32, libpoppler-cpp2, libsoup, libtiff-devel-32bit, nginx, python-urllib3, ruby2.5, tgt, traefik, and traefik2).
[$] On the use of LLM assistants for kernel development
By some appearances, at least, the kernel community has been relatively insulated from the onslaught of AI-driven software-development tools. There has not been a flood of vibe-coded memory-management patches - yet. But kernel development is, in the end, software development, and these tools threaten to change many aspects of how software development is done. In a world where companies are actively pushing their developers to use these tools, it is not surprising that the topic is increasingly prominent in kernel circles as well. There are currently a number of ongoing discussions about how tools based on large language models (LLMs) fit into the kernel-development community.
Rust 1.89 released
The release of Rust 1.89 has been announced. Changes this time include support for inferring the length of certain arrays, lint messages suggesting how to clarify potentially confusing uses of lifetime elision in function signatures, and improvements to the C ABI. The full changelog is also available.
Security updates for Thursday
Security updates have been issued by AlmaLinux (glibc, kernel, libxml2, python-requests, and python-setuptools), Debian (chromium), Fedora (chromium, firefox, gdk-pixbuf2, iputils, libsoup3, libssh, perl, perl-Devel-Cover, perl-PAR-Packer, polymake, and poppler), Gentoo (Composer and Spreadsheet-ParseExcel), Oracle (glibc, kernel, libxml2, python-setuptools, sqlite, and virt:rhel and virt-devel:rhel), Red Hat (libxml2), SUSE (grub2, libarchive, libgcrypt, and python311), and Ubuntu (cifs-utils and poppler).
[$] LWN.net Weekly Edition for August 7, 2025
Inside this week's LWN.net Weekly Edition:
Native NVIDIA support for AlmaLinux OS 9 and 10
The AlmaLinux project has announced the availability of packages to enable native NVIDIA driver support, including CUDA and Secure Boot, for AlmaLinux 9 and 10.
Almeida: a brief introduction on how GPU drivers work
Daniel Almeida continues his look at graphics drivers on the Collabora blog.
[$] Don't fear the TPM
There is a great deal of misunderstanding, and some misinformation, about the Trusted Platform Module (TPM); to combat this, Debian developer Jonathan McDowell would like to clear the air and help users understand what it is good for, as well as what it's not. At DebConf25 in Brest, France, he delivered a talk about TPMs that explained what they are, why people might be interested in using them, and how users might do so on a Debian system.
Tuba v0.10.0 released
Version 0.10.0 of the Tuba fediverse client has been released. Notable changes in this release include a new post composer, an in-app web browser, search history, and many other refinements. See this thread for more details and highlights.
A kbuild and kconfig maintainer change
For eight years, Masahiro Yamada has been the sole maintainer of the kernel's build and configuration systems - two complex pieces of infrastructure that many people interact with, but few truly understand. Yamada has just stepped down from that position. Maintenance of the build system will be taken up by Nathan Chancellor and Nicolas Schier (in the "odd fixes" capacity), while the configuration system is now entirely unmaintained. Thanks are due to Yamada for all that work, and to Chancellor and Schier for stepping up. Hopefully a way will be found to better support these important subsystems in the near future.
Security updates for Wednesday
Security updates have been issued by AlmaLinux (kernel and python3.12-setuptools), Fedora (perl-Crypt-CBC and unbound), Gentoo (FontForge, GPL Ghostscript, Mozilla Network Security Service (NSS), and PAM), Oracle (gdk-pixbuf2, jq, kernel, mod_security, ncurses, python-requests, and python3-setuptools), Red Hat (python-requests and socat), SUSE (docker, kernel-livepatch-MICRO-6-0-RT_Update_2, kernel-livepatch-MICRO-6-0-RT_Update_4, kernel-livepatch-MICRO-6-0-RT_Update_5, kernel-livepatch-MICRO-6-0-RT_Update_6, kernel-livepatch-MICRO-6-0-RT_Update_7, kernel-livepatch-MICRO-6-0_Update_2, kernel-livepatch-MICRO-6-0_Update_4, kernel-livepatch-MICRO-6-0_Update_5, kernel-livepatch-MICRO-6-0_Update_6, kubeshark-cli, libgcrypt, pam-config, perl, python-requests, python311, and python313), and Ubuntu (linux-raspi).
Proxmox Virtual Environment 9.0 released
Proxmox Virtual Environment 9.0, based on Debian 13 ("trixie"), has been released. Notable new features include snapshots for thick-provisioned LVM shared storage, affinity rules for high availability (HA) clusters, and a modernized mobile web interface for managing Proxmox systems. See the release notes and known issues for more details about the release.
[$] Improving control over transparent huge page use
The use of huge pages can significantly increase the performance of many workloads by reducing both memory-management overhead in the kernel and pressure on the system's translation lookaside buffer (TLB). The addition of transparent huge pages (THP) for the 2.6.38 kernel release in 2011 caused the kernel to allocate huge pages automatically to make their benefits available to all workloads without any effort needed on the user-space side. But it turns out that use of huge pages can make some workloads slower as the result of internal memory fragmentation, so the THP feature is often disabled. Two patch sets aimed at better targeting the use of transparent huge pages are currently working their way through the review process.
The 2025 Maintainers Summit call for topics
The call for topics for the 2025 Maintainers Summit has been posted. The Summit, to be held in Tokyo on December 10, will involve around 30 developers gathered to discuss development-process issues for the kernel. Anybody who is interested in attending is encouraged to post a nomination along with the topic they would like to discuss. Nominations and topics are best sent before September 10. The call for topics for the Kernel Summit, which runs as a Linux Plumbers Conference track, is also out.
[$] Python performance myths and fairy tales
Antonio Cuni, who is a longtime Python performance engineer and PyPy developer, gave a presentation at EuroPython 2025 about "Myths and fairy tales around Python performance" on the first day of the conference in Prague. As might be guessed from the title, he thinks that much of the conventional wisdom about Python performance is misleading at best. With lots of examples, he showed where the real problems that he sees lie. He has come to the conclusion that memory management will ultimately limit what can be done about Python performance, but he has an early-stage project called SPy that might be a way toward a super-fast Python.
Security updates for Tuesday
Security updates have been issued by AlmaLinux (python-requests), Fedora (mingw-libxslt), Red Hat (gdk-pixbuf2, jq, kernel, mod_security, ncurses, nodejs:22, opentelemetry-collector, python-setuptools, python3-setuptools, python3.12-setuptools, qt5-qt3d, redis, redis:6, redis:7, sqlite, and unbound), SUSE (apache2, cairo, chromium, djvulibre, govulncheck-vulndb, grub2, java-11-openjdk, java-17-openjdk, liblua5_5-5, nvidia-open-driver-G06-signed, python, python310, python314, python39, redis, sqlite3, and systemd), and Ubuntu (apport, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-aws-fips, linux-azure-fips, linux-fips, linux-gcp-fips, linux-azure, and linux-oracle).
[$] Debian grapples with offensive packages, again
A pair of packages containing fortune "cookies" that were deemed offensive have been removed from the upcoming Debian 13 ("trixie") release. This has, of course, led to a lengthy discussion and debate about what does, or does not, belong in the distribution. It may also lead to a general resolution (GR) to decide whether Debian's code of conduct (CoC) applies to the contents of packages.
Security updates for Monday
Security updates have been issued by AlmaLinux (java-21-openjdk, kernel, libxml2, and lz4), Debian (exempi, ruby-graphql, and sope), Fedora (binutils, chromium, gdk-pixbuf2, libsoup3, poppler, and reposurgeon), Mageia (glib2.0 and wxgtk), Oracle (jackson-annotations, jackson-core, jackson-databind, jackson-jaxrs-providers, and jackson-modules-base and libxml2), Red Hat (kernel, pandoc, pcs, qemu-kvm, redis, and rsync), SUSE (chromedriver, coreutils, cosign, docker, gdk-pixbuf-devel, glib2, gnutls, grub2, gstreamer-plugins-base, helm, ignition, java-21-openjdk, jbigkit, jq, kernel, kubernetes1.28, kwctl, libxml2, nvidia-open-driver-G06-signed, opensc, pam-config, protobuf, python310, tgt, and valkey), and Ubuntu (linux-iot).
[$] The NNCPNET email network
Running a modern mail server is a complicated business. In part, this complication is caused by the series of incrementally developed practices designed to combat the huge flood of spam that dominates modern email communication. An unfortunate side effect is that it prevents people from running their own mail servers, concentrating people on a few big providers. NNCPNET is a suite of software written by John Goerzen based on the node-to-node copy (NNCP) protocol that aims to make running one's own mail servers as easy as it once was. While the default configuration communicates only with other NNCPNET servers, there is a public relay that connects the system to the broader internet mail ecosystem.
More malware uploaded to Arch Linux AUR (Linuxiac)
Linuxiac reports that another malicious package has been uploaded to the Arch User Repository (AUR). This time around the package was google-chrome-stable, which installed a remote-access trojan along with Google Chrome.
Security updates for Friday
Security updates have been issued by AlmaLinux (firefox and thunderbird), Debian (libcommons-lang-java, node-form-data, redis, and sope), Fedora (chromium), Mageia (slurm), Oracle (apache-commons-beanutils, firefox, kernel, redis:6, and thunderbird), Red Hat (kernel, kernel-rt, libxml2, and redis), SUSE (chromium, docker, ffmpeg-7, gnutls, kubevirt, virt-api-container, virt-controller-container, virt-exportproxy-container, virt-exportserver-container, virt-handler-container, virt-launcher-container, virt-libguestfs-t, libgcrypt, rav1e, and sccache), and Ubuntu (linux-lowlatency, linux-lowlatency-hwe-6.8).
Three more stable kernel updates
Greg Kroah-Hartman has released the 6.15.9, 6.12.41, and 6.6.101 stable kernels.
[$] A look at the SilverBullet note-taking application
SilverBullet is a MIT-licensed note-taking application, designed to run as a self-hosted web server. Started in 2022, the project is approaching its 2.0 release, making this a good time to explore the features it offers. SilverBullet stores notes as plain Markdown files, and provides a Lua scripting API to customize the application's appearance and behavior.