Feed lwn LWN.net

Link https://lwn.net/
Feed http://lwn.net/headlines/rss
Updated 2025-11-11 16:15
Four stable kernels released
The 6.16.9, 6.12.49, 6.6.108, and 6.1.154 stable kernels have been released. As usual, they all contain important fixes throughout the kernel tree.
Security updates for Thursday
Security updates have been issued by AlmaLinux (grub2 and kernel), Debian (chromium and libxslt), Fedora (chromium, expat, libssh, and webkitgtk), Oracle (avahi, firefox, ImageMagick, kernel, libtpms, and mysql), Red Hat (kernel), SUSE (bird3, expat, kernel, and tiff), and Ubuntu (dpkg, gnuplot, linux, linux-aws, linux-aws-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-intel-iotg, linux-intel-iotg-5.15, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-nvidia-tegra, linux-nvidia-tegra-5.15, linux-oracle, linux-raspi, linux-riscv-5.15, linux-xilinx-zynqmp, linux, linux-aws, linux-gcp, linux-gcp-6.14, linux-oracle, linux-realtime, linux-riscv, linux-riscv-6.14, linux-aws-fips, linux-fips, linux-gcp-fips, linux-azure, linux-azure-fips, linux-ibm, linux-ibm-6.8, linux-intel-iot-realtime, linux-realtime, linux-oem-6.14, linux-oracle-5.15, linux-realtime-6.14, and python-eventlet).
PostgreSQL 18 released
Version 18 of the PostgreSQL database has been released. Notable improvements in this release include "skip scan" lookups for multicolumn B-tree indexes, virtual generated columns, better text processing, oauth authentication, and a new asynchronous I/O (AIO) subsystem to improve performance:
[$] LWN.net Weekly Edition for September 25, 2025
Inside this week's LWN.net Weekly Edition:
[$] Canceling asynchronous Rust
Asynchronous Rust code has what Rain Paharia calls a "universal cancellation protocol", meaning that any asynchronous code can be interrupted in the same way. They claim that this is both a useful feature when used deliberately, and a source of errors when done by accident. They presented about this problem at RustConf 2025, offering a handful of techniques to avoid introducing bugs into asynchronous Rust code.
[$] CHERI with a Linux on top
The Capability Hardware Enhanced RISC Instructions (CHERI) project is a rethinking of computer architecture in order to improve system security. Carl Shaw gave a presentation at Linux Security Summit Europe (LSS EU) about CHERI and the efforts to get Linux running on it. He introduced capabilities, which are a mechanism for access control, and outlined their history, which goes back many decades at this point, then looked more specifically at the CHERI project and what it will take to apply the security constraints of capabilities to an operating system like Linux.
Security updates for Wednesday
Security updates have been issued by AlmaLinux (kernel and kernel-rt), Fedora (expat), Red Hat (kernel and multiple packages), SUSE (avahi, busybox, busybox-links, kernel, sevctl, tcpreplay, thunderbird, and tor), and Ubuntu (isc-kea, linux, linux-aws, linux-gcp, linux-gke, linux-gkeop, linux-lowlatency, linux-lowlatency-hwe-6.8, linux-aws-6.8, linux-gcp-6.8, linux-aws-fips, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, linux-realtime, python-pip, and rabbitmq-server).
Open Infrastructure is Not Free: A Joint Statement on Sustainable Stewardship
The Open Source Security Foundation (OpenSSF) has put together a joint statement from many of the public package repositories for various languages about the need for assistance in maintaining these commons. Services such as PyPI for Python, crates.io for Rust, and many others are working together to try to find ways to sustain these services in the face of challenges from "automated CI systems, large-scale dependency scanners, and ephemeral container builds" all downloading enormous amounts of package data, coupled with the rise of generative and agentic AI "driving a further explosion of machine-driven, often wasteful automated usage, compounding the existing challenges". It is not a crisis, yet, they say, but it is headed in that direction.
[$] An unstable Debian stable update
A bug in a recent release of systemd's network manager caused headaches for people managing systems that have a virtual LAN (VLAN) interface on a bridge; something one might want to do, for example, when configuring network interfaces for virtual machines. The bug affected several Debian users when upgrading the systemd package from v257.7-1 to v257.8-1. The updated package is part of the Debian 13.1 release, and the bug has snared enough users to cause a minor stir - due in no small part to the maintainer's response as much as the bug itself.
Security updates for Tuesday
Security updates have been issued by Debian (corosync and kernel), Fedora (checkpointctl, chromium, curl, and perl-Catalyst-Authentication-Credential-HTTP), SUSE (firefox, frr, kernel, rustup, vim, and wireshark), and Ubuntu (glibc and pam).
RPM 6.0.0 released
Version 6.0.0 of the RPM Package Manager has been released. Notable changes in this release include support for multiple OpenPGP signatures per package, the ability to update previously installed PGP keys, as well as support for RPM v4 and v6 packages. See the release notes for full details.
[$] Revocable references for transient devices
Computers were once relatively static devices; if a peripheral was present at boot, it was unlikely to disappear while the system was operating. Those days are far behind us, though; devices can come and go at any time, often with no notice. That impermanence can create challenges for kernel code, which may not be expecting resources it is managing to make an abrupt exit. The revocable resource management patch set from Tzung-Bi Shih is meant to help with the creation of more robust - and more secure - kernel subsystems in a dynamic world.
Security updates for Monday
Security updates have been issued by Debian (ffmpeg, jetty12, jetty9, jq, and pam), Fedora (curl, libssh, podman-tui, and prometheus-podman-exporter), Oracle (firefox, gnutls, kernel, and thunderbird), and SUSE (bluez, cairo, chromium, cmake, cups, firefox, frr, govulncheck-vulndb, kernel, kubevirt, virt-api-container, virt-controller-container, virt-exportproxy-container, virt-exportserver-container, virt-handler-container, virt-launcher-container, virt-libguestfs-t, mariadb, mybatis, ognl, python-h2, and rke2).
Kernel prepatch 6.17-rc7
Linus has released 6.17-rc7 for testing. "Let's keep the testing going, and we'll have the final 6.17 in a week".
[$] Multiple kernels on a single system
The Linux kernel generally wants to be in charge of the system as a whole; it runs on all of the available CPUs and controls access to them globally. Cong Wang has just come forward with a different approach: allowing each CPU to run its own kernel. The patch set is in an early form, but it gives a hint for what might be possible.
Four Friday stable kernel updates
Greg Kroah-Hartman has announced the release of the 6.16.8, 6.12.48, 6.6.107, and 6.1.153 stable kernels; each contains an important set of fixes.
[$] Blender 4.5 brings big changes
Blender 4.5 LTS was released on July 15, 2025, and will be supported through 2027. This is the last feature release of the 3D graphics-creation suite's 4.x series; it includes quality-of-life improvements, including work to bring the Vulkan backend up to par with the default OpenGL backend. With 4.5 released, Blender developers are turning their attention toward Blender 5.0, planned for release later this year. It will introduce substantial changes, particularly in the Geometry Nodes system, a central feature of Blender's procedural workflows.
Security updates for Friday
Security updates have been issued by Debian (chromium, cjson, and firefox-esr), Fedora (expat, gh, scap-security-guide, and xen), Oracle (container-tools:rhel8, firefox, grub2, and mysql:8.4), SUSE (busybox, busybox-links, element-web, kernel, shadowsocks-v2ray-plugin, and yt-dlp), and Ubuntu (imagemagick, linux, linux-aws, linux-gcp, linux-gke, linux-gkeop, linux-hwe-6.8, linux-lowlatency, linux-lowlatency-hwe-6.8, linux-oracle, linux-azure, linux-azure-5.15, linux-azure-fips, linux-ibm, linux-ibm-6.8, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, linux-raspi, linux-oracle-6.8, linux-realtime, and openjpeg2).
[$] Extending the time-slice-extension discussion
Time-slice extension is a proposed scheduler feature that would allow a user-space process to request to not be preempted for a short period while it executes a critical section. It is an idea that has been circulating for years, but efforts to implement it became more serious in February of this year. The latest developer to make an attempt at time-slice extension is Thomas Gleixner, who has posted a new patch set with a reworked API. Chances are good that this implementation is close to what will actually be adopted by the kernel.
Rust 1.90.0 released
Version 1.90.0 of the Rust language has been released. Changes include switching to the LLD linker by default, the addition of support for workspace publishing to cargo, and the usual set of stabilized APIs.
Security updates for Thursday
Security updates have been issued by AlmaLinux (gnutls, mysql:8.4, opentelemetry-collector, and python-cryptography), Debian (nextcloud-desktop), Fedora (chromium, firefox, forgejo, gitleaks, kernel, kernel-headers, lemonldap-ng, perl-Cpanel-JSON-XS, and python-pip), Red Hat (firefox and libxml2), Slackware (expat and mozilla), SUSE (avahi, bluez, cups, curl, firefox-esr, gdk-pixbuf, gstreamer, java-1_8_0-ibm, krb5, net-tools, podman, raptor, sevctl, tkimg, ucode-intel, and vim), and Ubuntu (linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux-fips, linux-azure-fips, linux-gcp-fips, and linux-gcp-6.14, linux-oracle, linux-oracle-6.14).
Bluefin LTS released
The Universal Blue project has announced the release of Bluefin LTS, an image-based distribution similar to Bluefin that uses CentOS Stream 10 and EPEL instead of Fedora as its base:
Tails 7.0 released
Version 7.0 of the Tails portable operating system has been released. This is the first version of Tails based on Linux 6.12.43, Debian 13 ("trixie") and GNOME 48. It uses zstd instead of xz to compress the USB and ISO images to deliver a faster start time on most computers. The release is dedicated to the memory of Lunar, "a traveling companion for Tails, a Tor volunteer, Free Software hacker, and community organizer":
[$] LWN.net Weekly Edition for September 18, 2025
Inside this week's LWN.net Weekly Edition:
GNOME 49 released
Version 49 of the GNOME desktop environment has been released. Changes include new default video (Showtime) and PDF-viewing (Papers) applications, a number of calendar improvements, and updates to the Web, Maps, and Software applications.
Jackson: tag2upload in the first month of forky
Ian Jackson has published a blog post summarizing the tag2upload service's first month of handling uploads for the upcoming Debian 14 ("forky") release:
Libxml2 2.15.0 released
Version 2.15.0 of libxml2 has been released. Notable changes include the disabling of Python bindings by default, using Doxygen to generate API documentation, as well as bringing HTML serialization and handling of character encodings more in line with the HTML5 specification. Nick Wellnhofer has also announced that he is stepping down as libxml2 maintainer, and Ivan Chavero has volunteered to take over. LWN covered libxml2 in June.
[$] Typst: a possible LaTeX replacement
Typst is a program for document typesetting. It is especially well-suited to technical material incorporating elements such as mathematics, tables, and floating figures. It produces high-quality results, comparable to the gold standard, LaTeX, with a simpler markup system and easier customization, all while compiling documents more quickly. Typst is free software, Apache-2.0 licensed, and is written in Rust.
Systemd v258 released
Systemd v258 has been released with a long list of new features and changes; slice units now have basic workload management features, quotas for tmpfs have been added, the "systemctl start" command now has a verbose (-v) option, and more. This release also, finally, completely removes support for control groups v1. LWN covered some of systemd v258's features and changes in August.
[$] Providing support for Windows 10 refugees
In October, consumer versions of Windows 10 will stop receiving security updates. Many users who would ordinarily move to the next version are blocked by Windows 11's hardware requirements unless they are willing to buy a newer PC. The "End of 10" campaign is an effort to convince those users to switch to Linux rather than sticking with an end-of-life operating system or buying a new Windows system. At Akademy 2025, Dr. Joseph DeVeaugh-Geiss, Bettina Louis, Carolina Silva Rode, and Nicole Teale discussed their work on the campaign, its progress so far, and what's next.
Security updates for Wednesday
Security updates have been issued by AlmaLinux (container-tools:rhel8, kernel, and podman), Debian (node-sha.js), Fedora (firefox, kea, and perl-JSON-XS), Mageia (java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-latest-openjdk), Oracle (kernel, libarchive, podman, and python-cryptography), Red Hat (multiple packages, mysql:8.4, and python3.11), SUSE (expat, java-1_8_0-ibm, krb5, libavif, net-tools, nginx, nvidia-open-driver-G06-signed, onefetch, pcp, rabbitmq-server313, raptor, and vim), and Ubuntu (libyang2, linux, linux-aws, linux-aws-5.4, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-iot, linux-kvm, linux-raspi, linux-raspi-5.4, linux-xilinx-zynqmp, linux-aws-fips, linux-fips, linux-gcp-fips, and python-xmltodict).
[$] Comparing Rust to Carbon
Safe, ergonomic interoperability between Rust and C/C++ was a popular topic at RustConf 2025 in Seattle, Washington. Chandler Carruth gave a presentation about the different approaches to interoperability in Rust and Carbon, the experimental "(C++)++" language. His ultimate conclusion was that while Rust's ability to interface with other languages is expanding over time, it wouldn't offer a complete solution to C++ interoperability anytime soon - and so there is room for Carbon to take a different approach to incrementally upgrading existing C++ projects. His slides are available for readers wishing to study his example code in more detail.
Firefox 143.0 released
Version 143.0 of the Firefox browser has been released. Changes include the ability to pin tabs by dragging them to the edge, previews in the camera permissions dialog, improved fingerprinting protection, and (optional) automatic deletion of files downloaded in private browsing mode.
Another npm supply-chain attack
The Socket.dev blog describes this week's attack on JavaScript packages in the npm repository.
Security updates for Tuesday
Security updates have been issued by AlmaLinux (kernel and kernel-rt), Debian (node-sha.js and python-django), Fedora (chromium, cups, exiv2, perl-Catalyst-Authentication-Credential-HTTP, perl-Catalyst-Plugin-Session, perl-Plack-Middleware-Session, and qemu), Red Hat (container-tools:rhel8, podman, and udisks2), SUSE (cargo-audit, cargo-c, cargo-packaging, and kernel-devel), and Ubuntu (libcpanel-json-xs-perl, libjson-xs-perl, rubygems, sqlite3, and vim).
Linux Plumbers Conference registration open
Registration for the 2025 Linux Plumbers Conference (Tokyo, December 11 to 13) is now open. LPC tickets often sell out quickly, so it would be best not to delay if you intend to attend.
[$] Fighting human trafficking with self-contained applications
Brooke Deuson is the developer behind Trafficking Free Tomorrow, a nonprofit organization that produces free software to help law enforcement combat human trafficking. She is a survivor of human trafficking herself. She spoke at RustConf 2025 about her mission, and why she chose to write her anti-trafficking software in Rust. Interestingly, it has nothing to do with Rust's lifetime-analysis-based memory-safety - instead, her choice was motivated by the difficulty she faces getting police departments to actually use her software. The fact that Rust is statically linked and capable of cross compilation by default makes deploying Rust software in those environments easier.
Varnish 8.0.0 and bonus project news
Version 8.0.0 of Varnish Cache has been released. In addition to a number of changes to varnishd parameters, the ability to access some runtime parameters using the Varnish Configuration Language, and other improvements, 8.0.0 comes with big news; the project is forming an organization called a forening that will set out formal governance for the project. The move also comes with a name change due to legal difficulties in securing the Varnish Cache name:
[$] New kernel tools: wprobes, KStackWatch, and KFuzzTest
The kernel runs in a special environment that makes it difficult to use many of the development tools that are available to user-space developers. Kernel developers often respond by simply doing without, but the truth is that they need good tools as much as anybody else. Three new tools for the tracking down of bugs have recently landed on the linux-kernel mailing list; here is an overview.
Security updates for Monday
Security updates have been issued by AlmaLinux (cups, kernel, and mysql-selinux and mysql8.4), Debian (cjson, jetty9, and shibboleth-sp), Fedora (bustle, cef, checkpointctl, chromium, civetweb, cups, forgejo, jupyterlab, kernel, libsixel, linenoise, maturin, niri, perl-Cpanel-JSON-XS, python-uv-build, ruff, rust-busd, rust-crypto-auditing-agent, rust-crypto-auditing-client, rust-crypto-auditing-event-broker, rust-matchers, rust-monitord, rust-monitord-exporter, rust-secret-service, rust-tracing-subscriber, rustup, tcpreplay, tuigreet, udisks2, uv, and xwayland-satellite), Oracle (cups, gdk-pixbuf2, kernel, mysql-selinux and mysql8.4, and php:8.2), Red Hat (kernel, kernel-rt, and multiple packages), Slackware (cups, kernel, and patch), and SUSE (busybox, busybox-links, chromedriver, chromium, cups-filters, curl, go1.25, jasper, java-11-openj9, java-17-openj9, java-1_8_0-openjdk, kernel, kernel-devel, kubo, libssh-config, orthanc-gdcm, python-aiohttp, python-eventlet, python-h2, and xen).
Kernel prepatch 6.17-rc6
The 6.17-rc6 kernel prepatch is out for testing. "But really, none of it is very large. So everything seems slated for a normal release in two weeks. Please do keep testing, so that we don't get complacent."
[$] Creating a healthy kernel subsystem community
Creating welcoming communities within open-source projects is a recurring topic at conferences; those projects rely on contributions from others, so making them welcome is important. The kernel has, rather infamously over the years, been an oft-cited example of an unwelcoming project, though there have been (and are) multiple efforts to change that with varying degrees of success. Hans de Goede talked about such efforts within his corner of the kernel project in a talk (YouTube video) at Open Source Summit Europe.
Security updates for Friday
Security updates have been issued by Debian (cups, imagemagick, libcpanel-json-xs-perl, and libjson-xs-perl), Fedora (checkpointctl, chromium, civetweb, glycin, kernel, libssh, ruff, rust-secret-service, snapshot, and uv), Mageia (curl), Red Hat (kernel), SUSE (cups, curl, perl-Cpanel-JSON-XS, regionServiceClientConfigAzure, regionServiceClientConfigEC2, regionServiceClientConfigGCE, trivy, and xen), and Ubuntu (cups, node-cipher-base, and qemu).
Six stable kernels patching the VMScape Spectre variant
The VMScape vulnerability is a Spectre variant that "allows a malicious KVM guest to leak sensitive information such as encryption/decryption keys from a userspace hypervisor such as QEMU". Greg Kroah-Hartman has announced the 6.16.7, 6.12.47, 6.6.106, 6.1.152, 5.15.193, and 5.10.244 stable kernels, which add a mitigation for the hardware bug.
[$] A policy for Link tags
The Git source-code management system stores a lot of information about changes to code - but it does not hold everything that might be of interest to a developer who needs to investigate a specific change in the future. Commits in a repository are the end result of a (sometimes extended) discussion; often, that discussion will result in changes to the code that are not explained in the changelog. For some years now, many maintainers have followed the convention of applying a Link tag to commits that points back to the mailing-list posting of the change. Linus Torvalds has been expressing his dislike for this convention for a while, though, and its time appears to be coming to an end.
Security updates for Thursday
Security updates have been issued by AlmaLinux (python3.12-cryptography), Debian (chromium, hsqldb1.8.0, and imagemagick), Fedora (bustle, cef, maturin, rust-busd, rust-crypto-auditing-agent, rust-crypto-auditing-client, rust-crypto-auditing-event-broker, rust-monitord, rust-monitord-exporter, rustup, tuigreet, and wireshark), Oracle (kernel, microcode_ctl, and python3.12-cryptography), Red Hat (httpd:2.4 and multiple packages), SUSE (coreutils, curl, dpkg, ffmpeg-4, glib2, gnutls, go1.23-openssl, go1.24-openssl, go1.25-openssl, grub2, ImageMagick, jbigkit, kernel, libxslt, Mesa, opensc, opera, perl-JSON-XS, polkit, postgresql16, protobuf, python311, python311-deepdiff, sqlite3, ucode-intel, and warewulf4), and Ubuntu (bind9 and libxml2).
How FOSS Projects Handle Legal Takedown Requests (F-Droid)
The F-Droid project has some advice for free-software projects on how to deal with takedown requests.
[$] LWN.net Weekly Edition for September 11, 2025
Inside this week's LWN.net Weekly Edition:
[$] How many ways are there to configure the Linux kernel?
There are a large number of ways to configure the 6.16 Linux kernel. It has 32,468 different configuration options on x86_64, and a comparable number for other platforms. Exploring the ways the kernel can be configured is sufficiently difficult that it requires specialized tools. These show the number of possible configurations that options can be combined in has 6,550 digits. How has that number changed over the history of the kernel, and what does it mean for testing?
OpenSUSE disables bcachefs
The openSUSE project has announced that the bcachefs filesystem will be disabled in its kernel builds starting with 6.17; bcachefs users will have to make other arrangements. "The current 6.16.* is NOT affected. Neither is Slowroll (for now)."