LWN.net

Version 2.43 of theGNU C Library has been released. Changes include support for the mseal() and openat2()system calls, experimental support for building with the Clang compiler,Unicode 17.0.0 support, a number of security fixes, and much more.

Filesystems seem to be one of those many areas where the problems are wellunderstood, but there is always somebody working toward a better solution.As a result, filesystem development in the Linux kernel continues at a fastpace even after all these years. In recent news, the EROFS filesystem ison the path to gain a useful page-cache-sharing feature, there is a newNTFS implementation on the horizon, and XFS may be about to get aninfrastructure for self healing.

Version1.5.0 of the GNU Guix package manager and the Guix System havebeen released. Notable improvements include the ability to run theGuix daemon without root privileges, support for 64-bit RISC-V, andexperimental support for the GNU Hurd kernel.

Greg Kroah-Hartman has released the 6.18.7 and 6.12.67 stable kernels. As always, eachcontains important fixes throughout the tree. Users are advised toupgrade.

Security updates have been issued by AlmaLinux (kernel), Debian (bind9, chromium, osslsigncode, and python-urllib3), Fedora (freerdp, ghostscript, hcloud, rclone, rust-rkyv0.7, rust-rkyv_derive0.7, and vsftpd), Mageia (avahi and harfbuzz), SUSE (alloy, avahi, busybox, cargo-c, corepack22, corepack24, curl, docker, dpdk, exiv2-0_26, ffmpeg-4, firefox, glib2, go1.24, go1.25, gpg2, haproxy, kernel, kernel-firmware, keylime, libpng16, librsvg, libsodium, libsoup, libsoup2, libtasn1, log4j, net-snmp, open-vm-tools, openldap2_5, ovmf, pgadmin4, php7, podman, python-filelock, python-marshmallow, python-pyasn1, python-tornado, python-urllib3, python-virtualenv, python3, python311-pyasn1, python311-weasyprint, rust1.91, rust1.92, util-linux, webkit2gtk3, and wireshark), and Ubuntu (libxml2 and pyasn1).

TheLinux Kernel Runtime Guard (LKRG) is a out-of-tree loadable kernel module thatattempts to detect and report violations of the kernel's internal invariants,such as might be caused by an in-progress security exploit or a rootkit.LKRG has been experimental since itsinitial release in 2018. In September2025, the projectannouncedthe 1.0 version. With the promises of stability that version brings, users might want moreinformation to decide whether to include it in their kernel.

ReactOS, an open-source projectto develop an operating system that is compatible with MicrosoftWindows NT applications and drivers, is celebrating 30years since the first commit to its source tree. In that timethere have been more than 88,000 commits from 301 contributors, for atotal of 14,929,578 lines of code. There is, of course, much left todo.

Version1.93.0 of the Rust programming language has been released. Notablechanges include in updated version of the bundled musl library,thread-local storage for the global allocator, some asm!improvements, and a number of newly stabilized APIs.

Security updates have been issued by AlmaLinux (gpsd), Debian (inetutils and modsecurity-crs), Fedora (cpp-httplib, curl, mariadb11.8, mingw-libtasn1, mingw-libxslt, mingw-python3, rclone, and rpki-client), Oracle (gimp, glib2, go-toolset:rhel8, golang, kernel, mariadb-devel:10.3, and thunderbird), Red Hat (buildah, go-toolset:rhel8, golang, grafana, kernel, kernel-rt, multiple packages, openssl, osbuild-composer, podman, and skopeo), Slackware (bind), SUSE (ffmpeg-4, libsodium, libvirt, net-snmp, open-vm-tools, ovmf, postgresql17, postgresql18, python-FontTools, python-weasyprint, and webkit2gtk3), and Ubuntu (glib2.0 and opencc).

Inside this week's LWN.net Weekly Edition:

As part of the process of writing man pages for the "new" mount API, which has been available in thekernel since 2019, Aleksa Sarai encountered a number of places where the fsconfig()system call-for configuring filesystems before mounting-needs to be cleaned up. In the 2025 Linux Plumbers Conference(LPC) session that he led, Sarai wanted to discuss some of the problems he found,including at least one with security implications. The idea of the sessionwas for him to describe the various bugs and ambiguities that he had found,but he also wanted attendees to raise other problems they had with thesystem call.

Version3.0.0 of the pandas dataanalysis and manipulation library for Python has beenreleased. Notable changes include a dedicatedstring type (str), new "copy-on-write" behavior, and much more. This release also removesa number of features that were deprecated in prior versions of pandas;developers are advised to upgrade to pandas2.3 and ensure code isworking without warnings before moving to3.0. See the releasenotes for the full changelog.

At the 39thChaos Communication Congress (39C3) in December, researchers LexiGroves ("49016") and Liam Wachter said that they had discovered anumber of flaws in popular implementations of OpenPGP email-encryption standard. They also released anaccompanying web site, gpg.fail, withdescriptions of the discoveries. Most of thosepresented were found in GNU PrivacyGuard (GPG), though the pair also discussed problems in age,Minisign, Sequoia, and the OpenPGPstandard (RFC 9580) itself. The discoveries have spurred some interestingdiscussions and as well as responses from GPG and Sequoiadevelopers.

Security updates have been issued by AlmaLinux (brotli and container-tools:rhel8), Debian (python-keystonemiddleware and python3.9), Fedora (cef, freerdp, golang-github-tetratelabs-wazero, and libpcap), Oracle (brotli, gpsd, kernel, and transfig), Red Hat (freerdp, golang, java-11-openjdk with Extended Lifecycle Support, libpng, libssh, mingw-libpng, and runc), SUSE (abseil-cpp, alloy, apache2, bind, cpp-httplib, curl, erlang, firefox, gpg2, grafana, haproxy, hauler, hawk2, libblkid-devel, libpng16, libraylib550, python-keystonemiddleware-doc, python-uv, python-weasyprint, squid, and tomcat), and Ubuntu (crawl and iperf3).

Konstantin Ryabitsev has put up ablog post about korgalore, a tool he has written to circumvent deliveryproblems experienced by kernel developers using the large, centralizedemail systems.

One would assume that most LWN readers stopped running network-accessibletelnet services some number of decades ago. For the rest of you, this security advisory fromSimon Josefsson is worthy of note:

Mozilla has announceda repository with FirefoxNightly channel packages for RPM-based Linux distributions such as CentOSStream, Fedora, and openSUSE. Mozilla has provided a Debian repositorysince 2023.Note that this repository only includes the nightly builds of Thefirefox-nightly package. Mozilla is not providing stablebuilds as RPMs at this time. However, the package will not conflictwith a distribution's regular firefox package; both packagescan be installed at the same time for those who wish to test thenightly builds. See the blog post for instructions on setting up therepository.

LWN has had a number of articles on immutable distributions,such as Bluefin and Bazzite, in recent years. These distributions have taken a variety of approaches, includingusingrpm-ostree, filesystem snapshots, andbootable container (bootc) images. But thoseapproaches, especially the latter, lead to extra complexity for a userattempting to install new software, instead of justusing the existing package manager.AshOS (Any Snapshot Hierarchical OS) is an experimental AGPL-3-licensed"meta-distribution" that tried a different approach more in line withtraditional package management. Although the project is no longer updated,it remains usable, and can still shed some light on a potential alternate path for usersworried about adopting bootc-based approaches.

Security updates have been issued by AlmaLinux (gpsd-minimal, jmc, kernel, kernel-rt, and net-snmp), Debian (apache-log4j2 and dcmtk), Fedora (exim, gpsd, mysql8.0, mysql8.4, python-biopython, and rust-lru), Mageia (firefox, nss and thunderbird), Oracle (container-tools:rhel8, gpsd-minimal, jmc, kernel, net-snmp, and uek-kernel), Red Hat (net-snmp), SUSE (chromium, go, harfbuzz-devel, kernel, libsoup, rust1.91, rust1.92, and thunderbird), and Ubuntu (apache2, avahi, and python-urllib3).

OzLabs is a collection of Australianfree-software developers that was, for most of its history, associated withIBM. Members of OzLabs have included Hugh Blemings, Michael Ellerman, BenHerrenschmidt, Greg Lehey, Paul Mackerras, Martin Pool, Stephen Rothwell,Rusty Russell, and Andrew Tridgell, among others. The OzLabs "about" page notes that, asof January 2026, the last remaining OzLabs members have departed IBM."This brought to a close the Ozlabs association with IBM". Thusends a quarter-century of development history.(Thanks to Jon Masters).

PostgreSQL contributor Robert Haas has publisheda blog post that breaks down code contributions to PostgreSQL in2025.

The io_uringsubsystem is more than an asynchronous I/O interface for Linux; it is,for all practical purposes, an independent system-call API. It has enabledhigh-performance applications, but it also brings challenges for code builtaround classic, Unix-style system calls. For example, the seccomp()sandboxing mechanism does not work with it, causing applications usingseccomp() to disable io_uring outright. Io_uring maintainer JensAxboe is seeking to improve that situation with a rapidly evolving patchseries adding a new restrictive mechanism to that subsystem.

Version11.0 of the Wine Windows compatibility layer is out. "Thisrelease represents a year of development effort, around6,300individual changes, and more than600 bug fixes." The most notablechanges in this release are support for the NTSync Linux kernel module(when available), and the completion of the Windows32-bit on Windows64-bit (WoW64) architecture that was announced as experimental in Wine9.0.

Greg Kroah-Hartman has released the 5.15.198, and 5.10.248 stable kernels. As usual, eachcontains important fixes throughout the tree; users are advised toupgrade.

Security updates have been issued by AlmaLinux (cups, libpq, libsoup3, podman, and postgresql16), Debian (ffmpeg, gpsd, python-urllib3, and thunderbird), Fedora (chromium, foomuuri, forgejo, freerdp, harfbuzz, libtpms, musescore, python-biopython, and python3.12), Mageia (gimp, libpng, nodejs, and python-urllib3), and SUSE (alloy, avahi, bind, chromedriver, chromium, cpp-httplib, docker, erlang, fluidsynth, freerdp, go-sendxmpp, govulncheck-vulndb, kernel, libwireshark19, NetworkManager-applet-l2tp, python, python311-virtualenv, thunderbird, and zk).

Linus has released 6.19-rc6 for testing."So we finally ended up with a slightly bigger rc than usual for thisstage in the release cycle, but it's not _that_ big, and things still seemquite stable and civilized."

Greg Kroah-Hartman has released the 6.18.6, 6.12.66, 6.6.121, and 6.1.161 stable kernels. As usual, eachhas important fixes throughout the tree; users are advised toupgrade.

While there are several rootkits that target Linux, they have so far not fullyembraced the open-source ethos typical of Linux software.Luckily, Matheus Alves has been working to remedythis lack by creatingan open-source rootkit called Singularity for Linux systems. Users who feeltheir computers are too secure can install the Singularity kernel module inorder to allow remote code execution, disable security features, and hide filesand processes from normal administrative tools. Despite its many features,Singularity is not currently known to be in use in the wild - instead, itprovides security researchers with a testbed to investigate new detection andevasion techniques.

Security updates have been issued by AlmaLinux (gnupg2), Debian (firefox-esr), Oracle (cups, gnupg2, libpq, net-snmp, postgresql, postgresql:15, postgresql:16, transfig, and vsftpd), Red Hat (firefox), SUSE (apache2, curl, firefox, gpg2, hawk2, libcryptopp-devel, openCryptoki, python310, python311-urllib3, rke2, squid, and tomcat), and Ubuntu (cpp-httplib, git, python-apt, and simgear).

The Project Zero blog has athree-part series describing a working, zero-click exploit forPixel9 devices.

Sjoerd Simons has publisheda blog post about running Debian on the OpenWrtOnerouter hardware:

Version14.0 of the Forgejo software forge has been released. Notablechanges in this release include several databaseimprovements, new options for approvingactions execution from pull requests, a newfile editor, and progress toward makingForgejo's web UI work without JavaScript.

Al Viro does not often stray outside of the core virtual filesystem area;when he does, it is usually worthy of note. Recently, he wandered intomemory management with this patchseries to the slab allocator and some of its users. Kernel developerswill often put considerable effort into small optimizations, but it isstill interesting to look at just how much effort has gone toward the purpose ofavoiding a single pointer dereference in some memory-allocation hot paths.

We have recently noticed that email from LWN.net seems to beblocked by MXroute. Unfortunately, the company also does not seem tohave a way for non-customers to report problems in mail delivery, sowe have no good way to get ourselves unblocked.As a result, readers who have subscribed to an LWN mailing listfrom a domain hosted with MXroute will probably not receive ourmailings. We have not yet unsubscribed addresses that are beingblocked by MXroute, but will soon if the problem persists. Pleaseaccept our apologies for the inconvenience; it is unfortunate that itis becoming so difficult to send legitimate email as a smallbusiness.

Security updates have been issued by Debian (chromium, gnupg2, and mongo-c-driver), Fedora (firefox, gpsd, linux-firmware, and seamonkey), Mageia (net-snmp), Oracle (kernel, podman, postgresql16, postgresql:13, postgresql:15, postgresql:16, and uek-kernel), Red Hat (libpq, net-snmp, and transfig), Slackware (libpng and mozilla), SUSE (avahi, bluez, capstone, curl, dpdk, firefox, firefox-esr, fluidsynth, glib2, kernel, kernel-devel, libmicrohttpd, libpcap, libpng16, libsoup, libsoup-3_0-0, libtasn1, libvirt, mcphost, openvswitch, ovmf, podman, poppler, python-tornado6, python311, qemu, rsync, and valkey), and Ubuntu (erlang, klibc, libpng1.6, and ruby-rack).

Inside this week's LWN.net Weekly Edition:

Paul Kehrer and Alex Gaynor, maintainers of the Python cryptography module, have put out some stronglyworded criticism of OpenSSL. Itcomes from a talk they gave at the OpenSSL conference in October 2025 (YouTube video). Thepost goes into a lot of detail about the problems with the OpenSSL codebase and testing, which has led the cryptography team toreconsider using the library. "The mistakes we see in OpenSSL'sdevelopment have become so significant that we believe substantial changesare required - either to OpenSSL, or to our reliance on it." They gofurther in the conclusion:

Lossless data compression is an important tool for reducing the storagerequirements of the world's ever-growing data sets. Yann Collet developedthe LZ4algorithm and designed the Zstandard (or Zstd)algorithm; he came to the 2025Open Source Summit Japan in Tokyo to talk about where data compressiongoes from here. It turns out that we have reached a point wheregeneral-purpose algorithms are only going to provide limited improvement;for significant increases in compression, while keeping computation costswithin reason for data-center use, turning to format-specific techniqueswill be needed.

The Debian GNOME team would like to remove the GTK2 graphicstoolkit, which has been unmaintained upstream for more than fiveyears, and ship Debian14 ("forky") without it. As one mightexpect, however, there are those who would like to find a way to keepit. Despite its age and declared obsolescence, quite a few Debianpackages still depend on GTK2. Many of those applications areunlikely to be updated, and users are not eager to give themup. Discussion about how to handle this is ongoing; it seems likelythat Debian developers will find some way to continue supportingapplications that require GTK2, but users may have to lookoutside official Debian repositories.

Version1.6.0 of the Radicle peer-to-peer, local-first code collaborationstack has been released. Notable changes in this release includesupport for systemdcredentials, use of Rust's clap crate forparsing command-line arguments, and more. LWN covered the project in March2024.

Security updates have been issued by AlmaLinux (sssd), Debian (linux-6.1 and python-parsl), Fedora (chezmoi, complyctl, composer, and firefox), Oracle (kernel), Red Hat (buildah, libpq, podman, postgresql, postgresql16, postgresql:13, postgresql:15, and postgresql:16), SUSE (avahi, curl, ffmpeg-4, ffmpeg-7, firefox, istioctl, k6, kubelogin, libmicrohttpd, libpcap-devel, libpng16, libtasn1-6-32bit, matio, ovmf, python-tornado6, python311-Authlib, and teleport), and Ubuntu (angular.js, python-urllib3, and webkit2gtk).

Quality-of-service (QoS) mechanisms attempt to prioritize some processes (ornetwork traffic, disk I/O, etc.) over others in order to meet a system'sperformance goals. This is a difficult topic to handle in the world of Linux,where workloads, hardware, and user expectations vary wildly. Qais Yousef spokeat the 2025 Linux Plumbers Conference, alongside his collaborators John Stultz,Steven Rostedt, and Vincent Guittot, about their plans for introducing ahigh-level QoS API for Linux in a way that leaves end users in control of itsconfiguration. The talk focused specifically on a QoS mechanism for thescheduler, to prioritize access to CPU resources differently for different kindsof processes.(slides;video)

Version147.0 of the Firefox web browser has been released. Notablechanges in this release include support for the XDG BaseDirectory specification, enabling localnetwork access restrictions for users with enhancedtracking protection (ETP) set to "Strict", and a fix that improvesFirefox's rendering with GNOME on fractionally scaleddisplays. Firefox147 also includes a number of securityfixes, including several sandbox-escape vulnerabilities.

Security updates have been issued by AlmaLinux (mariadb10.11, mariadb:10.11, mariadb:10.3, mariadb:10.5, and tar), Debian (net-snmp), Fedora (coturn, NetworkManager-l2tp, openssh, and tuxanci), Mageia (libtasn1), Oracle (buildah, cups, httpd, kernel, libpq, libsoup, libsoup3, mariadb:10.11, mariadb:10.3, openssl, and podman), SUSE (cpp-httplib, ImageMagick, libtasn1, python-cbor2, util-linux, valkey, and wget2), and Ubuntu (google-guest-agent, linux-iot, and python-urllib3).

In open-source circles there are many situations, such as bugreports, demos, and tutorials, when one might want to provide aplay-by-play of a session in one's terminal. The asciinema project provides a set oftools to do just that. Its tools let users record, edit, and shareterminal sessions in a text-based format that has quite a fewadvantages compared to making and sharing videos of terminal sessions. Forexample, it is easy to use, offers the ability to search text fromrecorded sessions, and allows users to copy and paste directly fromthe recording.

Security updates have been issued by Debian (chromium and sogo), Fedora (chromium, foomuuri, libpng, libsodium, mariadb10.11, musescore, nginx, python-pdfminer, python-urllib3, python3.12, seamonkey, wasmedge, and wget2), Mageia (curl, libpcap, sodium, wget2, and zlib), Slackware (lcms2), SUSE (chromedriver, chromium, noopenh264, coredns, curl, dcmtk, fontforge, gdk-pixbuf-loader-libheif, gimp, kernel, libheif, libpng16, libsoup-2_4-1, libvirt, mariadb, php8, poppler, python-filelock, python-tornado6, python311-aiohttp, qemu, sssd, and traefik), and Ubuntu (libheif, libtasn1-6, linux-azure-nvidia, linux-kvm, linux-raspi, linux-raspi-realtime, and php7.2, php7.4, php8.1, php8.3, php8.4).

The 2026 edition of the Linux Storage, Filesystem, Memory Management, andBPF Summit will be held May4-6 in Zagreb, Croatia. The call forproposals has gone out for anybody who would like to attend thisinvitation-only meeting. "We are asking that you please let us know youwant to be invited by February 20, 2026".

The6.18.5,6.12.65,6.6.120, and6.1.160stable updates have been released. They all contain a small patchset fixing a scheduling regression associated with idle balancing; the6.6.120 and 6.1.60 updates also contain a large set of other importantfixes.

On her blog, Julia Evans writes aboutimproving Git documentation, including a new datamodel man page she wrote with MarieLeBlanc Flanagan, and updates to the pages for several other Git sub-commands(add, checkout, push, and pull). Aspart of the process, she asked Git users to describe problems they had run intoin the documentation, which helped guide the changes that she made.

The READ_ONCE() and WRITE_ONCE() macros are heavily usedwithin the kernel; there are nearly 8,000 call sites forREAD_ONCE(). They are key to the implementation of many lockless algorithms and can be necessary for sometypes of device-memory access. So one might think that, as theamount of Rust code in the kernel increases, there would be a place forRust versions of these macros as well. The truth of the matter, though, isthat the Rust community seems to want to take a different approach toconcurrent data access.