LWN.net

Version8.8.0 of the digiKam photo-management system has been released."This version delivers significant improvements in performance,stability, and user experience, with a particular focus on imageprocessing, color management, and workflow efficiency". Changesinclude an import/export feature for tag hierarchies, focus-pointvisualization for some camera models, automatic use of the monitor colorprofile, and a background-blur tool.

Security updates have been issued by AlmaLinux (.NET 8.0, firefox, kernel, kernel-rt, libssh, and perl-JSON-XS), Debian (ark and libphp-adodb), Fedora (chromium and gi-docgen), Mageia (quictls), Oracle (.NET 8.0, .NET 9.0, firefox, httpd, kernel, libsoup3, libssh, microcode_ctl, and webkit2gtk3), SUSE (go1.24, go1.25, krb5, python-ldap, and webkit2gtk3), and Ubuntu (gst-plugins-base1.0, linux, linux-aws, linux-gcp, linux-gke, linux-gkeop, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-oracle, linux-oracle-5.15, linux-xilinx-zynqmp, linux-fips, linux-aws-fips, linux-azure-fips, linux-gcp-fips, linux-intel-iot-realtime, linux-realtime, and python-ldap).

In September, a group of long-time maintainers of Ruby packaging toolsprojects had their GitHub privileges revoked by nonprofit corporation Ruby Centralin what many people are calling ahostile takeover. Ruby Central and its board members have issuedseveral public statements that have, so far, failed to satisfy many inthe Ruby community. In response, some of the former contributors toRubyGems are working on an alternative service called gem.coop. On October17, ownershipof the RubyGems andBundlerrepositories was handed over to the Ruby core team, even though those projects had never been part of core Rubypreviously. The takeover and subsequent events have raised a number ofquestions in the Ruby community.

Importing modules in Python is ubiquitous; most Python programs startwith at least a few import statements. But the performance impactof those imports can be large-and may be entirely wasted effort if thesymbols imported end up being unused. There are multiple ways to lazilyimport modules, including one in the standard library, but none of them arepart of the Python language itself. Thatmay soon change, if the recently proposedPEP810 ("Explicit lazyimports") is approved.

Security updates have been issued by Debian (imagemagick, incus, lxd, pgagent, svgpp, and sysstat), Fedora (chromium, complyctl, fetchmail, firefox, mbedtls, mingw-binutils, mingw-python3, mingw-qt5-qtsvg, mingw-qt6-qtsvg, python3.10, python3.11, python3.12, python3.9, runc, and suricata), Mageia (expat), Red Hat (firefox, kernel, qt5-qtbase, and qt6-qtbase), Slackware (stunnel), SUSE (chromium, coredns, ctdb, firefox, kernel, libexslt0, libpoppler-cpp2, ollama, openssl-1_1, pam, samba, and thunderbird), and Ubuntu (samba).

The 6.18-rc2 kernel prepatch is out.

Greg Kroah-Hartman has announced the release of the 6.17.4 6.12.54 6.6.113 6.1.157, and 5.15.195 stable kernels. As usual, eachcontains important fixes; users of those kernels are advised to upgrade.

The Ruby community has experienced some turbulenceof late after Ruby Central tookcontrol of the GitHub repositories for a number of projectsincluding RubyGemsand Bundler. Those projects have historically been developedseparately from Ruby itself. They are now being put under thecontrol of Ruby's core team, according to Ruby creator YukihiroMatsumoto (a.k.a. "Matz"):

Ruby libraries andapplications are distributed via a packaging format called a gem. RubyGems.org has been the centralhosting service for gems since about 2010. This article is part one ofa two-part series on the RubyGems.org takeover by Ruby Central. Understanding thehistory of RubyGems.org, and the contributor community behind it, isvital to making sense of the current powerstruggle between Ruby Central and members of the Rubycommunity who have maintained those services and tools for manyyears.

Security updates have been issued by AlmaLinux (kernel and libssh), Debian (firefox-esr and pgpool2), Mageia (varnish & lighttpd), Red Hat (python3, python3.11, python3.12, python3.9, and python39:3.9), SUSE (expat, gstreamer-plugins-rs, kernel, openssl1, pgadmin4, python311-ldap, and squid), and Ubuntu (dotnet8, dotnet9, dotnet10 and mupdf).

There have been many discussions in the free-software community about therole of large language models (LLMs) in software development. For the mostpart, though, those conversations have focused on whether projects shouldbe accepting code output by those models, and under what conditions. Butthere are other ways in which these systems might participate in thedevelopment process. Chris Mason recently started adiscussion on the Kernel Summit discussion list about how these modelscan be used to review patches, rather than create them.

Security updates have been issued by AlmaLinux (kernel and libsoup3), Debian (chromium and firefox-esr), Fedora (httpd), Oracle (cups, ImageMagick, kernel, and vim), Red Hat (libssh), Slackware (samba), SUSE (alloy, exim, firefox-esr, ImageMagick, kernel, libcryptopp-devel, libQt6Svg6, libsoup-3_0-0, libtiff-devel-32bit, lsd, python3-gi-docgen, python311-Authlib, qt6-base, samba, and squid), and Ubuntu (ffmpeg, linux-oracle-6.8, redict, redis, samba, and subversion).

Version13.0 of the Forgejo software forge has been released. Notablechanges in this release include contentmoderation features, ability to require2FA for users or administrators, and a migrationfeature for Pagure repositories. The last will be useful forFedora's moveto Forgejo as its new git forge. See the releasenotes for all changes in 13.0.

Inside this week's LWN.net Weekly Edition:

Boqun Feng spoke atKangrejos2025 about adding a frequently needed API for Rust driversthat need to handle interrupts: interrupt-aware spinlocks. Most drivers willneed to communicate information from interrupt handlers to main driver code, andthis exchange is frequently synchronized with the use of spinlocks. While hisfirst attempts ran into problems, Feng's ultimate solution could help prevent bugsin C code as well, by tracking the number of nested scopes that have disabledinterrupts. The patch set, which contains work from Feng and Lyude Paul, is still under review.

Linux Mint Debian Edition (LMDE) 7, based on Debian13("trixie"), has been released:

Security updates have been issued by AlmaLinux (kernel, kernel-rt, vim, and webkit2gtk3), Debian (distro-info-data, https-everywhere, and php-horde-css-parser), Fedora (inih, mingw-exiv2, mirrorlist-server, rust-maxminddb, rust-monitord-exporter, rust-prometheus, rust-prometheus_exporter, rust-protobuf, rust-protobuf-codegen, rust-protobuf-parse, and rust-protobuf-support), Mageia (fetchmail), Oracle (gnutls, kernel, vim, and webkit2gtk3), Red Hat (kernel, kernel-rt, and webkit2gtk3), Slackware (mozilla), SUSE (curl, libxslt, and net-tools), and Ubuntu (linux-azure-5.15, linux-azure-6.8, linux-azure-fips, linux-oracle, linux-oracle-6.14, and linux-raspi).

Greg Kroah-Hartman has announced the release of the 6.17.3, 6.12.53, 6.6.112, and 6.1.156 stable kernels. As usual, eachcontains important fixes throughout the kernel tree. Users of thesekernels are advised to upgrade.

The Free Software Foundation has announced the launchof the Librephone project, which is aimed at the creation of a fully-freeoperating system for mobile devices.

The 6.18 merge window has come to an end, bringing with it a total of 11,974non-merge commits, 3,499 of which came in after LWN'sfirst-half summary.The total is a little higher than the 6.17 merge window, which saw 11,404non-merge commits. There are once againa good number of changes and new features included in this release.

Version1.12 of Julia has been released. Highlights of the release includenewmulti-threading features, newtracing flags and macros, and an experimental--trim feature. See the releasenotes for a full list of new features, changes, andimprovements. LWN last covered Julia inJanuary.

Version144.0 of the Firefox browser has been released. Changes this timeinclude improvements to tab-group and profile management, strongerencryption for stored passwords, a "search image with Google Lens"operation, and "Perplexity, an AI-powered answer engine built into thebrowser".

The Free Software Foundation's Licensing and Compliance Labconcerns itself with many aspects of software licensing, Krzysztof Siewiczsaid at the beginning of his 2025 GNU ToolsCauldron session. These include supporting projects that are facinglicensing challenges, collecting copyright assignments, and addressing GPLviolations. In this session, though, there was really only one topic thatthe audience wanted to know about: the interaction between free-softwarelicensing and large language models (LLMs).

Security updates have been issued by Debian (ghostscript and libfcgi), Fedora (qt5-qtsvg), Red Hat (kernel, perl-FCGI, perl-FCGI:0.78, and vim), SUSE (bluez, curl, podman, postgresql14, python-xmltodict, and udisks2), and Ubuntu (linux-azure, linux-azure-5.4, linux-azure-fips, linux-oracle, and subversion).

Debian packagers have a great deal of latitude when it comes to theconfiguration of the software they package; they may opt, for example,to disable defaultfeatures in software that they feel are a securityhazard. However, packagers are expected to ensure that their packagescomply with Debian Policy,regardless of the upstream's preferences. If a packager fails tocomply with the policy, the Debian TechnicalCommittee (TC) can step in to override them, which it hasdone in the case of a recent systemd change that broke severalprograms that depend on a world-writable /run/lockdirectory.

Greg Kroah-Hartman has announced the release of the 6.17.2, 6.16.12, 6.12.52, and 6.6.111 stable kernels. They each contain arelatively small set of important fixes. In addition: "Note, this is the LAST 6.16.y kernel release, this branch is nowend-of-life. Please move to the 6.17.y branch at this point in time."

Security updates have been issued by AlmaLinux (compat-libtiff3, iputils, kernel, open-vm-tools, and vim), Debian (asterisk, ghostscript, kernel, linux-6.1, and tiff), Fedora (cef, chromium, cri-o1.31, cri-o1.32, cri-o1.33, cri-o1.34, docker-buildx, log4cxx, mingw-poppler, openssl, podman-tui, prometheus-podman-exporter, python-socketio, python3.10, python3.11, python3.12, python3.9, skopeo, and valkey), Mageia (open-vm-tools), Red Hat (compat-libtiff3, kernel, kernel-rt, vim, and webkit2gtk3), and SUSE (distrobuilder, docker-stable, expat, forgejo, forgejo-longterm, gitea-tea, go1.25, haproxy, headscale, open-vm-tools, openssl-3, podman, podofo, ruby3.4-rubygem-rack, and weblate).

Linus has released 6.18-rc1 and closed themerge window for this development cycle. "This was one of the goodmerge windows where I didn't end up having to bisect any particular problemon [any] of the machines I was testing. Let's hope that success mostlytranslates to the bigger picture too."

At the LinuxSecurity Summit Europe (LSS EU), Scott Constable and SebastianOsterlund gave a talk on an enhancement to a control-flowintegrity (CFI)protection that was added to the kernel several years ago. The "FineIBT: Fine-grain Control-flowEnforcement with Indirect Branch Tracking" mechanism was merged forLinux 6.2 in early 2023 to harden the kernel against CFI attacks of varioussorts, but needed some fixes andenhancements more recently. The talk looked at the CFI vulnerabilityproblem, FineIBT, and an enhanced version that is hoped to be able to unifyall of the disparate hardware and software mitigations to address bothregular and speculative CFI vulnerabilities.

Security updates have been issued by Debian (redis and valkey), Fedora (docker-buildkit, ibus-bamboo, pgadmin4, webkitgtk, and wordpress), Mageia (kernel-linus, kmod-virtualbox & kmod-xtables-addons, and microcode), Oracle (compat-libtiff3 and udisks2), Red Hat (rsync), Slackware (python3), SUSE (chromium, cJSON, digger-cli, glow, go1.24, go1.25, go1.25-openssl, grafana, libexslt0, libruby3_4-3_4, pgadmin4, python311-python-socketio, and squid), and Ubuntu (dpdk, libhtp, vim, and webkit2gtk).

Despite its increasing popularity, the Rust programming language is stillsupported by a single compiler, the LLVM-based rustc. At the 2025 GNU ToolsCauldron, Pierre-Emmanuel Patry said that a lot of people are waitingfor a GCC-based Rust compiler before jumping into the language. Patry, whois working on just that compiler (known as "gccrs"), provided an update onthe status of that project and what is coming next.

Sudden increases in the size of Fedora's initramfsfiles have prompted the project to fast-track a proposal to increasethe default size of the /boot partition for new installs ofFedora43 and later. The project has also walked back a fewchanges that have contributed to larger initramfs files, but theever-increasing size of firmware means that the need for more room isunavoidable. The Fedora Engineering Steering Council (FESCo) hasapproved a last-minute changejust before the final freeze for Fedora43 to increase thedefault size of the /boot partition from 1GB to 2GB; thiswill leave plenty of space for kernels and initramfs images if a useris installing from scratch, but it is of no help for users upgradingfrom Fedora42.

Ubuntu25.10, "Questing Quokka", has been released. This release includesLinux6.17, GNOME49, GCC15, Python3.13.7,Rust1.85, and more. This release also features Rust-basedimplementations of sudo and coreutils; LWN covered the switch to theRust-based tools in March. The 25.10 version of Ubuntu flavorsEdubuntu, Kubuntu, Lubuntu, Ubuntu Budgie, Ubuntu Cinnamon, UbuntuKylin, Ubuntu MATE, Ubuntu Studio, and Xubuntu have alsobeen released.

Security updates have been issued by AlmaLinux (gnutls, kernel, kernel-rt, and open-vm-tools), Debian (chromium, python-django, and redis), Fedora (chromium, insight, mirrorlist-server, oci-seccomp-bpf-hook, rust-maxminddb, rust-prometheus, rust-prometheus_exporter, rust-protobuf, rust-protobuf-codegen, rust-protobuf-parse, rust-protobuf-support, turbo-attack, and yarnpkg), Oracle (iputils, kernel, open-vm-tools, redis, and valkey), Red Hat (perl-File-Find-Rule and perl-File-Find-Rule-Perl), SUSE (expat, ImageMagick, matrix-synapse, python-xmltodict, redis, redis7, and valkey), and Ubuntu (fort-validator and imagemagick).

Inside this week's LWN.net Weekly Edition:

Firefox has long had support for multiple profilesto store personal information such as bookmarks, passwords, and userpreferences. However, Firefox did not make profiles particularlydiscoverable or easy to manage. That is about to change; Mozilla hasannouncedthat it is launching a profile-management feature that will make iteasier to create and switch between profiles. According to the supportpage for the feature, it will be rolled out to users graduallybeginning on October 14.

TheRust for Linux project has been good for Rust, Tyler Mandry, one of theco-leads of Rust's language-design team, said. Hegave a talk atKangrejos2025 covering upcoming Rust language features and thankingthe Rust for Linux developers for helping drive them forward. Afterward, Benno Lossin and Xiangfei Dingwent into more detail about their work on the three most important languagefeatures for kernel development: field projections, in-place initialization, and arbitrary self types.

Security updates have been issued by Fedora (apptainer, civetweb, mod_http2, openssl, pandoc, and pandoc-cli), Oracle (kernel), Red Hat (gstreamer1-plugins-bad-free, iputils, kernel, open-vm-tools, and podman), SUSE (cairo, firefox, ghostscript, gimp, gstreamer-plugins-rs, libxslt, logback, openssl-1_0_0, openssl-1_1, python-xmltodict, and rubygem-puma), and Ubuntu (gst-plugins-base1.0, linux-aws-6.8, linux-aws-fips, linux-azure, linux-azure-nvidia, linux-gke, linux-nvidia-tegra-igx, and linux-raspi).

Version3.14.0 of the Python language has been released. There are a lot ofchanges this time around, including official support for free threading, template string literals, and much more; seethe announcement for details.

Paul McKenney gave a remote presentation atKangrejos2025 following up on thetalk he gave last year about thelifetime-end-pointer-zapping problem: certain common patterns for multithreaded code aretechnically undefined behavior, and changes to the C and C++ specificationswill be needed to correct that. Those changes could also impact code that usesunsafe Rust, such as the kernel's Rust bindings. Progress on the problem has been slow,but McKenney believes that a solution is near at hand.

Systemdv258 was released on September17 after more than nine monthsof development. LWN has already covered some of thefeatures and changes being readied for v258 before it was final. Nowthat the release is out, it is time to look at more of what came inv258, including a sandbox shell, new boot options, service-level diskquotas, and enhancements to systemd-resolved.

Taylor Blau has posted anextensive set of notes from the recently concluded Git Contributor'sSummit. Covered topics include the SHA-256 transition, Rust, Change-IDheaders, Git3.0, and many more. The note are also available onGoogle Docs for those who prefer that format.

Security updates have been issued by Fedora (chromium), Red Hat (kernel, open-vm-tools, and postgresql), SUSE (chromedriver and chromium), and Ubuntu (haproxy and pam-u2f).

Version 2025.10 of the U-Boot boot loaderhas been released with new features, including Python tooling improvements,cleanups for implicit header inclusions, better support for numerous Armplatforms, support for new RISC-V platforms, better documentation, andmore. Maintainer Tom Rini also reports on some project news:

At the time of writing, there have been 9,099 commits in the 6.18 merge window,8,475 non-merges and 624 merges. Thechanges so far include core-kernel, graphics, and networking work, among others.There are no big surprises, but several items that were discussed at this year'sLFSMM+BPF Summit have now been merged.

Support for BPF in the kernel has been tied to the LLVM toolchain since theadvent of extended BPF. There has been a growing effort to add BPF supportto the GNU toolchain as well, though. At the 2025 GNU Tools Cauldron, thedevelopers involved got together with representatives of the kernelcommunity to talk about the state of that work and what needs to happennext.

The 6.17.1, 6.16.11, 6.12.51, and 6.6.110 stable kernels have been released.This time around, they contain a relatively small number of important fixesin various parts of the kernel.

Security updates have been issued by AlmaLinux (kernel), Debian (dovecot, git, log4cxx, and openssl), Fedora (containernetworking-plugins, firebird, firefox, jupyterlab, mupdf, and thunderbird), Oracle (ipa), Red Hat (container-tools:rhel8, firefox, gnutls, kernel, kernel-rt, multiple packages, mysql, mysql:8.0, nginx, podman, and thunderbird), Slackware (fetchmail), SUSE (afterburn, chromium, firefox, haproxy, libvmtools-devel, logback, python311-Django, python311-Django4, and redis), and Ubuntu (linux-gcp, linux-gcp-6.14, linux-oem-6.14, linux-nvidia-tegra-igx, linux-oracle, mysql-8.0, poppler, and squid).

OpenSSH 10.1 hasbeen released. Along with "a minor security fix" and some other bugfixes, this release disallows control characters in user names passed viathe command line, adds better logging around certificate refusals, and anew RefuseConnection server configuration option.

Despite its name, the RobotOperating System (ROS) is not an operating system; it isa software development kit (SDK) that provides building blocks forrobotic applications. One of the main goals of ROS is to present acommon API that abstracts away the details of particular hardwaredrivers or algorithms to make development easier; developers can focuson what a robot should do rather than the low-level details ofspecific controllers. The latest release of ROS, KiltedKaiju, features improvements to the middleware layer that is usedto deliver data between components.