LWN.net

Security updates have been issued by Debian (corosync and kernel), Fedora (checkpointctl, chromium, curl, and perl-Catalyst-Authentication-Credential-HTTP), SUSE (firefox, frr, kernel, rustup, vim, and wireshark), and Ubuntu (glibc and pam).

Version 6.0.0 of the RPM Package Manager has been released. Notable changes in this release include support for multiple OpenPGP signatures per package, the ability to update previously installed PGP keys, as well as support for RPM v4 and v6 packages. See the release notes for full details.

Computers were once relatively static devices; if a peripheral was presentat boot, it was unlikely to disappear while the system was operating.Those days are far behind us, though; devices can come and go at any time,often with no notice. That impermanence can create challenges for kernelcode, which may not be expecting resources it is managing to make an abruptexit. The revocableresource management patch set from Tzung-Bi Shih is meant to help withthe creation of more robust - and more secure - kernel subsystems in adynamic world.

Security updates have been issued by Debian (ffmpeg, jetty12, jetty9, jq, and pam), Fedora (curl, libssh, podman-tui, and prometheus-podman-exporter), Oracle (firefox, gnutls, kernel, and thunderbird), and SUSE (bluez, cairo, chromium, cmake, cups, firefox, frr, govulncheck-vulndb, kernel, kubevirt, virt-api-container, virt-controller-container, virt-exportproxy-container, virt-exportserver-container, virt-handler-container, virt-launcher-container, virt-libguestfs-t, mariadb, mybatis, ognl, python-h2, and rke2).

Linus has released 6.17-rc7 for testing."Let's keep the testing going, and we'll have the final 6.17 in aweek".

The Linux kernel generally wants to be in charge of the system as a whole;it runs on all of the available CPUs and controls access to them globally.Cong Wang has just come forward with a differentapproach: allowing each CPU to run its own kernel. The patch set is inan early form, but it gives a hint for what might be possible.

Greg Kroah-Hartman has announced the release of the 6.16.8, 6.12.48, 6.6.107, and 6.1.153 stable kernels; eachcontains an important set of fixes.

Blender 4.5 LTS was releasedon July 15, 2025, and will be supported through 2027. This is the lastfeature release of the 3D graphics-creation suite's 4.x series; itincludes quality-of-life improvements, including work to bring the Vulkan backend up topar with the default OpenGL backend. With 4.5 released, Blenderdevelopers are turning their attention toward Blender 5.0, planned forrelease later this year. It will introduce substantial changes,particularly in the GeometryNodes system, a central feature of Blender's proceduralworkflows.

Security updates have been issued by Debian (chromium, cjson, and firefox-esr), Fedora (expat, gh, scap-security-guide, and xen), Oracle (container-tools:rhel8, firefox, grub2, and mysql:8.4), SUSE (busybox, busybox-links, element-web, kernel, shadowsocks-v2ray-plugin, and yt-dlp), and Ubuntu (imagemagick, linux, linux-aws, linux-gcp, linux-gke, linux-gkeop, linux-hwe-6.8, linux-lowlatency, linux-lowlatency-hwe-6.8, linux-oracle, linux-azure, linux-azure-5.15, linux-azure-fips, linux-ibm, linux-ibm-6.8, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, linux-raspi, linux-oracle-6.8, linux-realtime, and openjpeg2).

Time-slice extension is a proposed scheduler feature that would allow auser-space process to request to not be preempted for a short period whileit executes a critical section. It is an idea that has been circulatingfor years, but efforts to implement it becamemore serious in February of this year. The latest developer to make anattempt at time-slice extension is Thomas Gleixner, who has posted a new patch setwith a reworked API. Chances are good that this implementation is close towhat will actually be adopted by the kernel.

Version1.90.0 of the Rust language has been released. Changes includeswitching to the LLD linker by default,the addition of support for workspace publishing to cargo, and theusual set of stabilized APIs.

Security updates have been issued by AlmaLinux (gnutls, mysql:8.4, opentelemetry-collector, and python-cryptography), Debian (nextcloud-desktop), Fedora (chromium, firefox, forgejo, gitleaks, kernel, kernel-headers, lemonldap-ng, perl-Cpanel-JSON-XS, and python-pip), Red Hat (firefox and libxml2), Slackware (expat and mozilla), SUSE (avahi, bluez, cups, curl, firefox-esr, gdk-pixbuf, gstreamer, java-1_8_0-ibm, krb5, net-tools, podman, raptor, sevctl, tkimg, ucode-intel, and vim), and Ubuntu (linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux-fips, linux-azure-fips, linux-gcp-fips, and linux-gcp-6.14, linux-oracle, linux-oracle-6.14).

The Universal Blue project has announced the release of BluefinLTS,an image-based distribution similar to Bluefin that usesCentOSStream10 and EPEL instead of Fedora as its base:

Version7.0 of the Tails portableoperating system has been released. This is the first version of Tailsbased on Linux 6.12.43, Debian13("trixie") and GNOME48. It uses zstd instead ofxz to compress the USB and ISO images to deliver afaster start time on most computers. The release is dedicated to the memory of Lunar, "atraveling companion for Tails, a Tor volunteer, Free Software hacker,and community organizer":

Inside this week's LWN.net Weekly Edition:

Version 49 of the GNOME desktopenvironment has been released. Changes include new default video(Showtime) and PDF-viewing (Papers) applications, a number of calendarimprovements, and updates to the Web, Maps, and Software applications.

Ian Jackson has published a blogpost summarizing the tag2upload service'sfirst month of handling uploads for the upcoming Debian14 ("forky") release:

Version2.15.0 of libxml2 hasbeen released. Notable changes include the disabling of Pythonbindings by default, using Doxygen to generate API documentation, aswell as bringing HTML serialization and handling of characterencodings more in line with the HTML5 specification.Nick Wellnhofer has also announcedthat he is stepping down as libxml2 maintainer, and Ivan Chavero hasvolunteeredto take over. LWN covered libxml2 inJune.

Typst is a program for documenttypesetting. It is especially well-suited to technical materialincorporating elements such as mathematics, tables, and floatingfigures. It produces high-quality results, comparable to the gold standard,LaTeX, with a simpler markupsystem and easier customization, all while compiling documentsmore quickly. Typst is free software, Apache-2.0 licensed, and is written in Rust.

Systemdv258 has been released with a long list of new features andchanges; slice units now have basic workload management features,quotas for tmpfs have been added, the "systemctlstart"command now has a verbose (-v) option, and more. This releasealso, finally, completely removes support for control groups v1support. LWN coveredsome of systemd v258's features and changes in August.

In October, consumer versions of Windows10 willstop receiving security updates. Many users who would ordinarily moveto the next version are blocked by Windows11's hardwarerequirements unless they are willing to buy a newer PC. The "End of 10" campaign is an effort toconvince those users to switch to Linux rather than sticking with anend-of-life operating system or buying a new Windows system. AtAkademy2025, Dr. Joseph DeVeaugh-Geiss,Bettina Louis, Carolina Silva Rode, and Nicole Teale discussed theirwork on the campaign, its progress so far, and what's next.

Security updates have been issued by AlmaLinux (container-tools:rhel8, kernel, and podman), Debian (node-sha.js), Fedora (firefox, kea, and perl-JSON-XS), Mageia (java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-latest-openjdk), Oracle (kernel, libarchive, podman, and python-cryptography), Red Hat (multiple packages, mysql:8.4, and python3.11), SUSE (expat, java-1_8_0-ibm, krb5, libavif, net-tools, nginx, nvidia-open-driver-G06-signed, onefetch, pcp, rabbitmq-server313, raptor, and vim), and Ubuntu (libyang2, linux, linux-aws, linux-aws-5.4, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-iot, linux-kvm, linux-raspi, linux-raspi-5.4, linux-xilinx-zynqmp, linux-aws-fips, linux-fips, linux-gcp-fips, and python-xmltodict).

Safe, ergonomic interoperability between Rust and C/C++ was a popular topic atRustConf2025 in Seattle, Washington. Chandler Carruth gave a presentationabout the different approaches to interoperability in Rust andCarbon, theexperimental "(C++)++" language.His ultimate conclusion was thatwhile Rust's ability to interface with other languages is expanding over time,it wouldn't offer a complete solution to C++ interoperability anytime soon - and so there is room forCarbon to take a different approach to incrementally upgrading existing C++ projects.Hisslides are available for readers wishing to study his example code in moredetail.

Version143.0 of the Firefox browser has been released. Changes include theability to pin tabs by dragging them to the edge, previews in the camerapermissions dialog, improved fingerprinting protection, and (optional)automatic deletion of files downloaded in private browsing mode.

The Socket.dev blog describesthis week's attack on JavaScript packages in the npm repository.

Security updates have been issued by AlmaLinux (kernel and kernel-rt), Debian (node-sha.js and python-django), Fedora (chromium, cups, exiv2, perl-Catalyst-Authentication-Credential-HTTP, perl-Catalyst-Plugin-Session, perl-Plack-Middleware-Session, and qemu), Red Hat (container-tools:rhel8, podman, and udisks2), SUSE (cargo-audit, cargo-c, cargo-packaging, and kernel-devel), and Ubuntu (libcpanel-json-xs-perl, libjson-xs-perl, rubygems, sqlite3, and vim).

Registration for the 2025 Linux Plumbers Conference (Tokyo,December11 to13) isnow open. LPC tickets often sell out quickly, so it would be best notto delay if you intend to attend.

Brooke Deuson is the developer behindTrafficking Free Tomorrow, a nonprofit organization thatproduces free software to help law enforcement combat human trafficking. She isa survivor of human trafficking herself.She spoke at RustConf 2025 about hermission, and why she chose to write her anti-trafficking software in Rust.Interestingly, it has nothing to do with Rust's lifetime-analysis-based memory-safety -instead, her choice was motivated by the difficulty she faces getting policedepartments to actually use her software. The fact that Rust is staticallylinked and capable of cross compilation by default makes deploying Rust softwarein those environments easier.

Version8.0.0 of Varnish Cachehas been released. In addition to a numberof changes to varnishd parameters, the ability to access someruntime parameters using the Varnish Configuration Language, and otherimprovements, 8.0.0 comes with big news; the project is forming anorganization called a foreningthat will set out formal governance for the project.The move also comes with a name change due to legal difficulties insecuring the Varnish Cache name:

The kernel runs in a special environment that makes it difficult to usemany of the development tools that are available to user-space developers.Kernel developers often respond by simply doing without, but the truth isthat they need good tools as much as anybody else. Three new tools for thetracking down of bugs have recently landed on the linux-kernel mailinglist; here is an overview.

Security updates have been issued by AlmaLinux (cups, kernel, and mysql-selinux and mysql8.4), Debian (cjson, jetty9, and shibboleth-sp), Fedora (bustle, cef, checkpointctl, chromium, civetweb, cups, forgejo, jupyterlab, kernel, libsixel, linenoise, maturin, niri, perl-Cpanel-JSON-XS, python-uv-build, ruff, rust-busd, rust-crypto-auditing-agent, rust-crypto-auditing-client, rust-crypto-auditing-event-broker, rust-matchers, rust-monitord, rust-monitord-exporter, rust-secret-service, rust-tracing-subscriber, rustup, tcpreplay, tuigreet, udisks2, uv, and xwayland-satellite), Oracle (cups, gdk-pixbuf2, kernel, mysql-selinux and mysql8.4, and php:8.2), Red Hat (kernel, kernel-rt, and multiple packages), Slackware (cups, kernel, and patch), and SUSE (busybox, busybox-links, chromedriver, chromium, cups-filters, curl, go1.25, jasper, java-11-openj9, java-17-openj9, java-1_8_0-openjdk, kernel, kernel-devel, kubo, libssh-config, orthanc-gdcm, python-aiohttp, python-eventlet, python-h2, and xen).

The 6.17-rc6 kernel prepatch is out fortesting. "But really, none of it is very large. So everything seems slated for anormal release in two weeks.Please do keep testing, so that we don't get complacent."

Creating welcoming communities within open-source projects is a recurringtopic at conferences; those projects rely on contributions from others, somaking them welcome is important. The kernel has, rather infamouslyover the years, been an oft-cited example of an unwelcoming project, thoughthere have been (and are) multiple efforts to change that with varyingdegrees of success. Hans de Goede talked about such efforts within hiscorner of the kernel project in a talk (YouTube video) atOpenSource Summit Europe.

Security updates have been issued by Debian (cups, imagemagick, libcpanel-json-xs-perl, and libjson-xs-perl), Fedora (checkpointctl, chromium, civetweb, glycin, kernel, libssh, ruff, rust-secret-service, snapshot, and uv), Mageia (curl), Red Hat (kernel), SUSE (cups, curl, perl-Cpanel-JSON-XS, regionServiceClientConfigAzure, regionServiceClientConfigEC2, regionServiceClientConfigGCE, trivy, and xen), and Ubuntu (cups, node-cipher-base, and qemu).

The VMScapevulnerability is a Spectre variant that "allows a malicious KVM guest toleak sensitive information such as encryption/decryption keys from auserspace hypervisor such as QEMU". Greg Kroah-Hartman has announcedthe 6.16.7, 6.12.47, 6.6.106, 6.1.152, 5.15.193, and 5.10.244 stable kernels, which add amitigation for the hardware bug.

The Git source-code management system stores a lot of information aboutchanges to code - but it does not hold everything that might be of interestto a developer who needs to investigate a specific change in the future.Commits in a repository are the end result of a (sometimes extended)discussion; often, that discussion will result in changes to the code thatare not explained in the changelog. For some years now, many maintainershave followed the convention of applying a Link tag to commits that pointsback to the mailing-list posting of the change. Linus Torvalds has beenexpressing his dislike for this convention for a while, though, and itstime appears to be coming to an end.

Security updates have been issued by AlmaLinux (python3.12-cryptography), Debian (chromium, hsqldb1.8.0, and imagemagick), Fedora (bustle, cef, maturin, rust-busd, rust-crypto-auditing-agent, rust-crypto-auditing-client, rust-crypto-auditing-event-broker, rust-monitord, rust-monitord-exporter, rustup, tuigreet, and wireshark), Oracle (kernel, microcode_ctl, and python3.12-cryptography), Red Hat (httpd:2.4 and multiple packages), SUSE (coreutils, curl, dpkg, ffmpeg-4, glib2, gnutls, go1.23-openssl, go1.24-openssl, go1.25-openssl, grub2, ImageMagick, jbigkit, kernel, libxslt, Mesa, opensc, opera, perl-JSON-XS, polkit, postgresql16, protobuf, python311, python311-deepdiff, sqlite3, ucode-intel, and warewulf4), and Ubuntu (bind9 and libxml2).

The F-Droid project has someadvice for free-software projects on how to deal with takedownrequests.

Inside this week's LWN.net Weekly Edition:

There are a large number of ways to configure the 6.16Linux kernel. It has 32,468 different configuration options on x86_64,and a comparable number for other platforms. Exploring the ways the kernel canbe configured is sufficiently difficult that it requires specialized tools.These show thenumber of possible configurations that options can be combined in has6,550 digits. How has that number changed over the history of the kernel, andwhat does it mean for testing?

The openSUSE project has announcedthat the bcachefs filesystem will be disabled in its kernel builds startingwith 6.17; bcachefs users will have to make other arrangements. "Thecurrent 6.16.* is NOT affected. Neither is Slowroll (for now)."

At Akademy 2025, theKDE Project released analpha version of KDE Linux, adistribution built by the project to "include the bestimplementation of everything KDE has to offer, using the most advancedtechnologies". It is aimed at providing an operating systemsuitable for home use, business use, OEM installations, and more"eventually". For now there are many rough edges and missingfeatures that users should be aware of before taking the plunge; butit is an interesting look at the kind of complete Linux system thatKDE developers would like to see.

At OpenSource Summit Europe, LWN's Jonathan Corbet presented "Three Decades inKernelland"; the talk provides a look at how the kernel got towhere it is, what makes it successful, and what may be comingnext. The video of thetalk is now online for LWN readers who would like to check itout.

Security updates have been issued by Fedora (buildah, containers-common, glycin, loupe, podman, rust-matchers, and rust-tracing-subscriber), Red Hat (fence-agents, jackson-annotations, jackson-core, jackson-databind, jackson-jaxrs-providers, and jackson-modules-base, pki-deps:10.6, python-requests, python3.12-cryptography, redis:6, redis:7, and resource-agents), Slackware (libssh), SUSE (aide, cloud-init, iperf, java-1_8_0-openjdk, jq, kernel-devel, python-deepdiff, regionServiceClientConfigAzure, regionServiceClientConfigEC2, and regionServiceClientConfigGCE), and Ubuntu (gnutls28).

As a followup to his OSS Europe talk on thefuture of 32-bit support in the kernel, Arnd Bergmann has put togetheradetailed plan for the eventual removal of high-memory support, which hecalls "one of the least popular features of the Linux kernel". Theintent is "to gradually phase out highmem over the next 2 years formainline kernels". This plan is posted as a prompt for a discussion tobe held at the Kernel Summit in December, so chances are it will evolveconsiderably in the next few months.

The 6.16.6,6.12.46,6.6.105,6.1.151,5.15.192,5.10.243,and 5.4.299stable kernel updates have been released; each contains another set ofimportant fixes.

Fedora's Community Blog has a shortupdate on the progress of Fedora's new installer with a web-basedinterface. The new installer was introduced for the Workstationedition in FedoraLinux42, it is now approved to beincluded in all Fedora spins and the KDE edition forFedora43. Final deprecation of the GTK-based installer is setfor Fedora45. LWN covered the installerchanges in April.

A new project, targeting Linux for the proverbial final frontier-outerspace-was the subject of a talk (YouTube video) atthe Embedded Linux Conference, which was held as part of OpenSource Summit Europe in Amsterdam in late August. Ramon Rocheintroduced Space GradeLinux (SGL), which is currently incubating as a special interest group(SIG) of the Embedding Linux in SafetyApplications (ELISA) project. The idea is to create a distributionwith a base layer that can be used for off-planet missions of varioussorts, along with other layers that can be used to customize it fordifferent space-based use cases.

Security updates have been issued by AlmaLinux (kernel and kernel-rt), Debian (openafs and qemu), Fedora (buildah, containers-common, podman, python-flask, and snapshot), Mageia (postgresql, python-django, and udisks2), Oracle (kernel and libxml2), Red Hat (apache-commons-beanutils, firefox, httpd, httpd:2.4, kernel, kernel-rt, mod_http2, qt5-qt3d, and thunderbird), Slackware (libxml2), SUSE (firebird, go1.25-openssl, ImageMagick, microcode_ctl, netty, netty-tcnative, and ovmf), and Ubuntu (libetpan and postgresql-14, postgresql-16, postgresql-17).

The Aikido blog describesan apparently ongoing series of phishing attacks against npm packagemaintainers, resulting in the uploading of compromised versions of heavilyused packages: