LWN.net
Link: https://lwn.net/
Feed: http://lwn.net/headlines/rss
Updated: 2025-10-21 01:45
Garrett: Secure boot certificate rollover is real but probably won't hurt you
Matthew Garrett has posted a detailed followup to our recent article on the coming expiration of Microsoft's Secure Boot signing key.
[$] 6.17 Merge window, part 1
As of this writing, just over 4,000 non-merge changesets have been pulled into the mainline repository during the 6.17 merge window. When he announced the merge-window opening, Linus Torvalds let it be known that, due to a busy personal schedule, he was likely to pull changes more quickly than usual this time around; that has been borne out to some extent. Changes merged so far are focused on core-kernel and filesystem work; read on for the details.
Security updates for Thursday
Security updates have been issued by AlmaLinux (firefox, java-21-openjdk, kernel, thunderbird, and unbound), Debian (chromium and systemd), Fedora (libtiff), Oracle (java-21-openjdk, libtpms, nodejs:22, redis:7, thunderbird, and unbound), Red Hat (firefox, redis, and thunderbird), SUSE (apache2, cdi-apiserver-container, cdi-cloner-container, cdi-controller-container, cdi-importer-container, cdi-operator-container, cdi-uploadproxy-container, cdi-uploadserver-container, cont, java-11-openjdk, kubevirt, virt-api-container, virt-controller-container, virt-exportproxy-container, virt-exportserver-container, virt-handler-container, virt-launcher-container, virt-libguestf, libarchive, nvidia-open-driver-G06-signed, redis, and rmt-server), and Ubuntu (linux, linux-aws, linux-aws-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-intel-iotg, linux-intel-iotg-5.15, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-nvidia-tegra, linux-nvidia-tegra-5.15, linux-nvidia-tegra-igx, linux-oracle, linux-oracle-5.15, linux-xilinx-zynqmp, linux, linux-aws, linux-aws-6.14, linux-gcp, linux-gcp-6.14, linux-hwe-6.14, linux-oem-6.14, linux-raspi, linux-realtime, linux, linux-aws, linux-aws-6.8, linux-gcp, linux-gke, linux-gkeop, linux-hwe-6.8, linux-ibm, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, linux-oem-6.8, linux-oracle, linux, linux-aws, linux-kvm, linux-aws, linux-lts-xenial, linux-aws-fips, linux-fips, linux-gcp-fips, linux-azure, linux-fips, linux-intel-iot-realtime, linux-realtime, linux-oracle, linux-oracle-6.8, linux-realtime, and sqlite3).
[$] LWN.net Weekly Edition for July 31, 2025
Inside this week's LWN.net Weekly Edition:
We need a European Sovereign Tech Fund (GitHub blog)
GitHub director of developer policy, Felix Reda, has published a blog post about a GitHub-commissioned study by Open Forum Europe, Fraunhofer ISI and the European University Institute. The study finds, not surprisingly, "a profound mismatch between the importance of open source maintenance and the public attention it receives"; it calls for a European sovereign tech fund (STF) modeled after Germany's Sovereign Tech Agency.
[$] Extending run-time verification for the kernel
There are a lot of things people expect the Linux kernel to do correctly. Some of these are checked by testing or static analysis; a few are ensured by run-time verification: checking a live property of a running Linux system. For example, the scheduler has a handful of different correctness properties that can be checked in this way. Nam Cao posted a patch series that aims to extend the kinds of properties that the kernel's run-time verification system can check, by adding support for linear temporal logic (LTL). The patch set has seen eleven revisions since the first version in March 2025, and recently made it into the linux-next tree, from where it seems likely to reach the mainline kernel soon.
[$] On becoming a Python contributor
In the first keynote at EuroPython 2025 in Prague, Savannah Bailey described her path to becoming a CPython core developer in November 2024. She started down that path a few years earlier and her talk was meant to inspire others, not to slavishly follow hers, but to create their own. In the talk, entitled "You don't have to be a compiler engineer to work on Python", she had lots of ideas for those who might be thinking about contributing and are wondering how to do so.
Security updates for Wednesday
Security updates have been issued by AlmaLinux (firefox, icu, kernel-rt, libtpms, redis:6, redis:7, and sqlite), Fedora (chromium and cloud-init), Oracle (icu, java-1.8.0-openjdk, java-21-openjdk, kernel, nodejs:22, perl, and sqlite), SUSE (docker, java-1_8_0-openj9, libxml2, python-starlette, and thunderbird), and Ubuntu (cloud-init, linux-azure, linux-azure-5.4, linux-azure-fips, linux-raspi, linux-raspi-5.4, and perl).
HeliumOS 10 released
The HeliumOS project has announced the release of HeliumOS 10. It is a relatively new image-based ("atomic") desktop distribution based on packages from CentOS Stream and AlmaLinux, with a goal of providing 10 years of support. HeliumOS 10 uses the KDE Plasma Desktop, Zsh as its default shell, and Btrfs as its default filesystem.
[$] A proxy-execution baby step
Priority inversion comes about when a low-priority task holds a resource that is also needed by a high-priority task, preventing the latter from running. This problem is made much worse if the low-priority task is unable to gain access to the CPU and, as a result, cannot complete its work and free the resources it holds. Proxy execution is a potential solution to this problem, but it is a complex solution that has been under development for several years; LWN first looked at it in 2020. The 6.17 kernel is likely to contain an important step forward for this long-running project.
GNU C Library 2.42 released
Version 2.42 of the GNU C Library has been released. Changes include the addition of a number of new math functions, support for arbitrary baud rates in the termios.h interface, support for SFrame-based stack tracing (described in this article), support for memory guard pages, and a handful of security fixes.
Security updates for Tuesday
Security updates have been issued by AlmaLinux (freerdp, git-lfs, golang-github-openprinting-ipp-usb, grafana, grafana-pcp, icu, ipa, iputils, krb5, libvpx, nodejs:22, osbuild-composer, perl, python-tornado, qt6-qtbase, sqlite, unbound, valkey, wireshark, and yggdrasil), Debian (libfastjson and php8.2), Fedora (glibc), Oracle (firefox, icu, perl, and unbound), Red Hat (389-ds-base, glib2, icu, libtpms, redis:6, redis:7, and yelp), SUSE (boost, forgejo-longterm, java-11-openj9, java-17-openj9, java-1_8_0-openj9, kernel, nginx, and salt), and Ubuntu (linux-xilinx-zynqmp, openjdk-8, openjdk-lts, poppler, and sqlite3).
Help for OpenPrinting needed
Till Kamppeter, co-founder and lead of the OpenPrinting project, has put out a call for sponsors after being laid off by Canonical:
[$] Some 6.16 development statistics
The 6.16 development cycle was another busy one, with 14,639 non-merge changesets pulled into the mainline, just 18 commits short of the total for 6.15. The 6.16 release happened on July 27, as expected. Also as expected, LWN has put together its traditional look at where the code for this release came from.
[$] Smaller Fedora quality team proposes cuts
Fedora's quality team is looking to reduce the scope of test coverage and change the project's release criteria to drop some features from the list of release blockers. This is, in part, an exercise in getting rid of criteria, such as booting from optical media, that are less relevant. It is also a necessity, since the Red Hat team focusing on Fedora quality assurance (QA) is only half the size it was a year ago.
Security updates for Monday
Security updates have been issued by Debian (audiofile, libcaca, libetpan, libxml2, php7.4, snapcast, and thunderbird), Fedora (glibc, iputils, mingw-binutils, and thunderbird), Red Hat (kernel, kernel-rt, mod_auth_openidc, and mod_auth_openidc:2.3), SUSE (afterburn, apache2, atop, chromedriver, chromium, cloud-init, deepin-feature-enable, firefox, firefox-esr, grafana, grype-db, gstreamer-plugins-bad, javamail, jupyter-jupyterlab-templates, jupyter-nbdime, konsole, libetebase, libxmp, minio-client-20250721T052808Z, MozillaFirefox, MozillaFirefox-branding-SLE, opera, pdns-recursor, perl-Authen-SASL, polkit, python-Django, python3-pycares, python311-starlette, rpi-imager, ruby3.4-rubygem-thor, spdlog, thunderbird, varnish, viewvc, and xtrabackup), and Ubuntu (openjdk-21-crac).
LWN is back
The good folks at Linode still have not managed to fix whatever broke in their data center, so we are running on an emergency backup server. Things seem to be working, but the occasional glitch is to be expected. Please accept our apologies for the extended downtime! Update: we're back on the regular production server, and all seems stable now.
The 6.16 kernel is out
Linus has released the 6.16 kernel:
[$] Rethinking the Linux cloud stack for confidential VMs
There is an inherent limit to the privacy of the public cloud. While Linux can isolate virtual machines (VMs) from each other, nothing in the system's memory is ultimately out of reach for the host cloud provider. To accommodate the most privacy-conscious clients, confidential computing protects the memory of guests, even from hypervisors. But the Linux cloud stack needs to be rethought in order to host confidential VMs, juggling two goals that are often at odds: performance and security.
Security updates for Friday
Security updates have been issued by AlmaLinux (git, kernel, nginx:1.24, and sudo), Fedora (dpkg, java-21-openjdk, java-25-openjdk, java-latest-openjdk, and valkey), Oracle (apache-commons-vfs, sudo, tigervnc, and xorg-x11-server), Red Hat (kernel, krb5, and openssh), SUSE (gnutls, ImageMagick, iputils, kernel-livepatch-MICRO-6-0-RT_Update_10, kubernetes1.18, libarchive, ovmf, python, and salt), and Ubuntu (iputils, linux-aws-6.14, linux-raspi, openjdk-21, and openjdk-24).
Wayback 0.1 released
Version 0.1 of the Wayback project has been released:
Four new stable kernels
The 6.15.8, 6.12.40, 6.6.100, and 6.1.147 stable kernels have been released. Each contains important fixes throughout the kernel tree, as usual.
[$] Graphene OS: a security-enhanced Android build
People tend to put a lot of trust into their phones. Those devices have access to no end of sensitive data about our lives (our movements, finances, communications, and more), so phones belonging to even relatively low-profile people can be high-value targets. Android devices run free software, at least at some levels, so it should be possible to ensure that they are working in their owners' interests. Off-the-shelf Android installations tend to fall short of that goal. The GrapheneOS Android rebuild is an attempt to improve on that situation.
Security updates for Thursday
Security updates have been issued by Debian (chromium, firefox-esr, and mediawiki), Fedora (firefox), Oracle (git, kernel, redis, and sudo), Red Hat (aardvark-dns, firefox, kernel, and thunderbird), Slackware (httpd), SUSE (php7, php8, and salt), and Ubuntu (linux-raspi-realtime and ruby-rack).
[$] LWN.net Weekly Edition for July 24, 2025
Inside this week's LWN.net Weekly Edition:
Discovering and recovering from PostgreSQL corruption on Matrix.org
Richard van der Hoff, a member of the team that runs the Matrix.org homeserver, has written a detailed blog post about diagnosing and fixing a problem where Matrix rooms would simply stop working:
[$] Understanding Debian's security processes
Providing security updates for a Linux distribution, such as Debian, involves a lot of work behind the scenes, and requires much more than simply shipping the latest code. On July 15, at DebConf25 in Brest, France, Samuel Henrique walked through the process of providing security updates to users; he discussed how Debian learns about security vulnerabilities, decides on the best response, and the process of sending out updates to keep its users safe. He also provided guidance on how others could get involved.
An update on Home Assistant's Android app
The Home Assistant project has published an update on improvements in its Android app, and plans for upcoming releases:
Prokop: What to expect from Debian/trixie
Michael Prokop has posted a lengthy list of changes coming in the Debian "trixie" release, due in early August. "As usual with major upgrades, there are some things to be aware of, and hereby I'm starting my public notes on trixie that might be worth for other folks. My focus is primarily on server systems and looking at things from a sysadmin perspective."
[$] Deep immutability for Python
Python has recently seen a number of experiments to improve its parallel performance, including exposing subinterpreters as part of the standard library. These allow separate threads within the same Python process to run simultaneously, as long as any data sent between them is copied, rather than shared. PEP 795 ("Deep Immutability in Python") seeks to make efficient sharing of data between subinterpreters possible by allowing Python objects to be "frozen", so that they can be accessed from multiple subinterpreters without copying or synchronization. That task is more difficult than it seems, and the PEP prompted a good deal of skepticism from the Python community.
Security updates for Wednesday
Security updates have been issued by AlmaLinux (cloud-init, fence-agents, git, kernel, and kernel-rt), Debian (openjdk-11), Fedora (firefox, golang, libinput, transfig, and yasm), Mageia (qtbase5, qtbase6), Red Hat (fence-agents, go-toolset:rhel8, golang, kernel, and python-setuptools), Slackware (mozilla), SUSE (cyradm, gstreamer-plugins-base, and xen), and Ubuntu (gdk-pixbuf, jq, linux-gcp, linux-gcp-6.8, linux-oracle, ruby-sinatra, thunderbird, and unbound).
Firefox 141.0 released
Version 141.0 of the Firefox browser is out. Changes include "a local AI model" that can perform tab grouping, unit conversions in the address bar, and a change that many of us will find welcome: "On Linux, Firefox uses less memory and no longer requires a forced restart after an update has been applied by a package manager".
Catanzaro: Fedora must (carefully) embrace Flathub
GNOME and Fedora contributor Michael Catanzaro has written a lengthy blog post about the future of Fedora Workstation as an image-based release and the need to enable Flathub by default. He writes that the Fedora Workstation of the future must be "safe and image-based by default", with applications provided through Flathub:
Google launches OSS Rebuild
Google has announced the existence of OSS Rebuild, an infrastructure for the creation and verification of reproducible builds of software projects.
[$] QUIC for the kernel
The QUIC transport-layer network protocol is not exactly new; it was first covered here in 2013. Despite carrying a significant part of the traffic on the Internet, QUIC has been anything but quick when it comes to getting support into the Linux kernel. The pace might be picking up, though; Xin Long has posted the first set of patches intended to provide mainline support for this protocol.
Security updates for Tuesday
Security updates have been issued by AlmaLinux (tomcat9), Debian (djvulibre, libcommons-fileupload-java, libowasp-esapi-java, and tomcat9), Fedora (cef, dpkg, mingw-gdk-pixbuf, and mingw-python3), Gentoo (Roundcube), Oracle (avahi, cloud-init, fence-agents, git, kernel, and valkey), Red Hat (wireshark), SUSE (afterburn, apache2, busybox, java-21-openjdk, kernel, kernel-livepatch-MICRO-6-0-RT_Update_10, lemon, libexslt0, libgcrypt, libxml2-2, php8, postgresql17, python, python-oslo.utils, python311, python312, python313, and sudo), and Ubuntu (drupal7, erlang, fdkaac, gobgp, jq, linux-aws, linux-aws-6.8, linux-gke, linux-gkeop, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, linux-oracle, linux-oracle-6.8, linux-kvm, linux-oracle, and ruby-nokogiri).
[$] When free-software communities unite for privacy
At DebConf25 in Brest, France, the talk "When Free Software Communities Unite: Tails, Tor, and the Fight for Privacy" was delivered by a man who introduced himself only as intrigeri. He delivered an overview of the Tor Project, its mission, and the projects under the umbrella. He also spoke about how the organization depends on Debian, and plans for the software it delivers.
Security updates for Monday
Security updates have been issued by AlmaLinux (java-1.8.0-openjdk), Debian (angular.js and batik), Fedora (chromium, pypy, screen, unbound, wine, and wine-mono), Mageia (djvulibre, quictls, and redis), Red Hat (avahi, gnome-remote-desktop, java-1.8.0-openjdk, java-11-openjdk with Extended Lifecycle Support, java-21-openjdk, kernel, kernel-rt, python-setuptools, redis, and valkey), SUSE (chromedriver, coreutils, cosign, docker, FastCGI, ffmpeg-4, fractal, gimp, glib2, ImageMagick, iputils, java-17-openjdk, java-24-openjdk, jq, kubelogin, kubernetes1.23, kubernetes1.24, kubernetes1.26, python-requests, python3, rmt-server, rustup, and thunderbird), and Ubuntu (apache2).
Kernel prepatch 6.16-rc7
Linus has released 6.16-rc7 for testing.
Malicious packages uploaded to the Arch Linux AUR
The Arch Linux project has sent out an advisory warning that a set of malicious packages, containing a remote access trojan, were uploaded to the Arch User Repository (AUR). The affected packages were librewolf-fix-bin, firefox-patch-bin, and zen-browser-patched-bin. "We strongly encourage users that may have installed one of these packages to remove them from their system and to take the necessary measures in order to ensure they were not compromised."
The end of Clear Linux
Intel has announced the abrupt end of its Clear Linux cloud-oriented distribution:
[$] How to write Rust in the kernel: part 3
The interfaces between C and Rust in the kernel have grown over time; any non-trivial Rust driver will use a number of these. Tasks like allocating memory, dealing with immovable structures, and interacting with locks are necessary for handling most devices. There are also many subsystem-specific bindings, but the focus this time will be on an overview of the bindings that all kernel Rust code can be expected to use.
Security updates for Friday
Security updates have been issued by AlmaLinux (cloud-init, glib2, glibc, kernel, and tomcat), Debian (chromium), Fedora (luajit, minidlna, nginx-mod-modsecurity, python-asteval, rust-sequoia-octopus-librnp, and vim), Oracle (cloud-init, glib2, glibc, java-17-openjdk, kernel, python311-olamkit, tomcat, and tomcat9), SUSE (apache-commons-lang3, bind, coreutils, ffmpeg, gnutls, gstreamer-plugins-good, kubernetes1.25, kubernetes1.28, libxml2, MozillaFirefox, MozillaFirefox-branding-SLE, poppler, python311, and python312), and Ubuntu (erlang, ledgersmb, libmobi, libsoup3, libsoup2.4, linux, linux-aws, linux-aws-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-intel-iotg, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-nvidia-tegra, linux-nvidia-tegra-5.15, linux-nvidia-tegra-igx, linux-oracle, linux-oracle-5.15, linux, linux-aws, linux-oem-6.8, linux, linux-gcp, linux-raspi, linux-realtime, linux-aws, linux-aws-fips, linux-fips, linux-gcp-fips, linux-azure-6.8, linux-azure-nvidia, linux-hwe-6.8, linux-ibm, linux-ibm-6.8, linux-lowlatency, linux-lowlatency-hwe-6.8, linux-intel-iot-realtime, linux-realtime, linux-intel-iotg-5.15, linux-oem-6.14, linux-raspi, linux-realtime, php7.0, php7.2, php8.1, php8.3, php8.4, python-aiohttp, and rails).
A pile of stable kernel updates
The 6.15.7, 6.12.39, 6.6.99, 6.1.146, 5.15.189, 5.10.240, and 5.4.296 stable kernels have all been released; each contains another set of important fixes.
Forgejo 12.0 released
Version 12.0 of the Forgejo software forge has been released. Changes include a number of user-interface improvements, a mechanism to keep forks in sync with their upstream, and more; see the release notes for the full list.
[$] Scheduler medley: time-slice extension, sched_ext deadline servers, and LRU batching.
Decades after its creation, the Linux CPU scheduler remains an area of active development; it is difficult to find a time slice to cover every interesting scheduler change. In an attempt to catch up, the time has come to round-robin through a few patches that have been circulating recently. The work at hand focuses on a new attempt at time-slice extension, the creation of a deadline server for sched_ext tasks, and keeping tasks on isolated CPUs from being surprised by LRU batching.
Security updates for Thursday
Security updates have been issued by AlmaLinux (emacs, java-17-openjdk, kernel, kernel-rt, microcode_ctl, python3.11-setuptools, python3.12-setuptools, and socat), Debian (gnutls28), Fedora (vim), Red Hat (java-1.8.0-ibm), Slackware (bind), SUSE (docker, erlang, erlang26, ggml-devel-5889, gnuplot, kernel, kubernetes1.27, libQt6Concurrent6, mailman3, and transfig), and Ubuntu (apache2, bind9, linux-iot, linux-lowlatency-hwe-6.11, and linux-raspi, linux-raspi-5.4).
[$] LWN.net Weekly Edition for July 17, 2025
Inside this week's LWN.net Weekly Edition:
Hyprland 0.50.0 released
Version 0.50.0 of Hyprland, a compositor for Wayland, has been released. Changes include a new render-scheduling option that "can drastically improve FPS on underpowered devices, while coming at no performance or latency cost when the system is doing alright", an option to exclude applications from screen sharing, a new test suite, and more.
[$] Linux and Secure Boot certificate expiration
Linux users who have Secure Boot enabled on their systems knowingly or unknowingly rely on a key from Microsoft that is set to expire in September. After that point, Microsoft will no longer use that key to sign the shim first-stage UEFI bootloader that is used by Linux distributions to boot the kernel with Secure Boot. But the replacement key, which has been available since 2023, may not be installed on many systems; worse yet, it may require the hardware vendor to issue an update for the system firmware, which may or may not happen. It seems that the vast majority of systems will not be lost in the shuffle, but it may require extra work from distributors and users.