LWN.net

Debian packagers have a great deal of latitude when it comes to theconfiguration of the software they package; they may opt, for example,to disable defaultfeatures in software that they feel are a securityhazard. However, packagers are expected to ensure that their packagescomply with Debian Policy,regardless of the upstream's preferences. If a packager fails tocomply with the policy, the Debian TechnicalCommittee (TC) can step in to override them, which it hasdone in the case of a recent systemd change that broke severalprograms that depend on a world-writable /run/lockdirectory.

Greg Kroah-Hartman has announced the release of the 6.17.2, 6.16.12, 6.12.52, and 6.6.111 stable kernels. They each contain arelatively small set of important fixes. In addition: "Note, this is the LAST 6.16.y kernel release, this branch is nowend-of-life. Please move to the 6.17.y branch at this point in time."

Security updates have been issued by AlmaLinux (compat-libtiff3, iputils, kernel, open-vm-tools, and vim), Debian (asterisk, ghostscript, kernel, linux-6.1, and tiff), Fedora (cef, chromium, cri-o1.31, cri-o1.32, cri-o1.33, cri-o1.34, docker-buildx, log4cxx, mingw-poppler, openssl, podman-tui, prometheus-podman-exporter, python-socketio, python3.10, python3.11, python3.12, python3.9, skopeo, and valkey), Mageia (open-vm-tools), Red Hat (compat-libtiff3, kernel, kernel-rt, vim, and webkit2gtk3), and SUSE (distrobuilder, docker-stable, expat, forgejo, forgejo-longterm, gitea-tea, go1.25, haproxy, headscale, open-vm-tools, openssl-3, podman, podofo, ruby3.4-rubygem-rack, and weblate).

Linus has released 6.18-rc1 and closed themerge window for this development cycle. "This was one of the goodmerge windows where I didn't end up having to bisect any particular problemon [any] of the machines I was testing. Let's hope that success mostlytranslates to the bigger picture too."

At the LinuxSecurity Summit Europe (LSS EU), Scott Constable and SebastianOsterlund gave a talk on an enhancement to a control-flowintegrity (CFI)protection that was added to the kernel several years ago. The "FineIBT: Fine-grain Control-flowEnforcement with Indirect Branch Tracking" mechanism was merged forLinux 6.2 in early 2023 to harden the kernel against CFI attacks of varioussorts, but needed some fixes andenhancements more recently. The talk looked at the CFI vulnerabilityproblem, FineIBT, and an enhanced version that is hoped to be able to unifyall of the disparate hardware and software mitigations to address bothregular and speculative CFI vulnerabilities.

Security updates have been issued by Debian (redis and valkey), Fedora (docker-buildkit, ibus-bamboo, pgadmin4, webkitgtk, and wordpress), Mageia (kernel-linus, kmod-virtualbox & kmod-xtables-addons, and microcode), Oracle (compat-libtiff3 and udisks2), Red Hat (rsync), Slackware (python3), SUSE (chromium, cJSON, digger-cli, glow, go1.24, go1.25, go1.25-openssl, grafana, libexslt0, libruby3_4-3_4, pgadmin4, python311-python-socketio, and squid), and Ubuntu (dpdk, libhtp, vim, and webkit2gtk).

Despite its increasing popularity, the Rust programming language is stillsupported by a single compiler, the LLVM-based rustc. At the 2025 GNU ToolsCauldron, Pierre-Emmanuel Patry said that a lot of people are waitingfor a GCC-based Rust compiler before jumping into the language. Patry, whois working on just that compiler (known as "gccrs"), provided an update onthe status of that project and what is coming next.

Sudden increases in the size of Fedora's initramfsfiles have prompted the project to fast-track a proposal to increasethe default size of the /boot partition for new installs ofFedora43 and later. The project has also walked back a fewchanges that have contributed to larger initramfs files, but theever-increasing size of firmware means that the need for more room isunavoidable. The Fedora Engineering Steering Council (FESCo) hasapproved a last-minute changejust before the final freeze for Fedora43 to increase thedefault size of the /boot partition from 1GB to 2GB; thiswill leave plenty of space for kernels and initramfs images if a useris installing from scratch, but it is of no help for users upgradingfrom Fedora42.

Ubuntu25.10, "Questing Quokka", has been released. This release includesLinux6.17, GNOME49, GCC15, Python3.13.7,Rust1.85, and more. This release also features Rust-basedimplementations of sudo and coreutils; LWN covered the switch to theRust-based tools in March. The 25.10 version of Ubuntu flavorsEdubuntu, Kubuntu, Lubuntu, Ubuntu Budgie, Ubuntu Cinnamon, UbuntuKylin, Ubuntu MATE, Ubuntu Studio, and Xubuntu have alsobeen released.

Security updates have been issued by AlmaLinux (gnutls, kernel, kernel-rt, and open-vm-tools), Debian (chromium, python-django, and redis), Fedora (chromium, insight, mirrorlist-server, oci-seccomp-bpf-hook, rust-maxminddb, rust-prometheus, rust-prometheus_exporter, rust-protobuf, rust-protobuf-codegen, rust-protobuf-parse, rust-protobuf-support, turbo-attack, and yarnpkg), Oracle (iputils, kernel, open-vm-tools, redis, and valkey), Red Hat (perl-File-Find-Rule and perl-File-Find-Rule-Perl), SUSE (expat, ImageMagick, matrix-synapse, python-xmltodict, redis, redis7, and valkey), and Ubuntu (fort-validator and imagemagick).

Inside this week's LWN.net Weekly Edition:

Firefox has long had support for multiple profilesto store personal information such as bookmarks, passwords, and userpreferences. However, Firefox did not make profiles particularlydiscoverable or easy to manage. That is about to change; Mozilla hasannouncedthat it is launching a profile-management feature that will make iteasier to create and switch between profiles. According to the supportpage for the feature, it will be rolled out to users graduallybeginning on October 14.

TheRust for Linux project has been good for Rust, Tyler Mandry, one of theco-leads of Rust's language-design team, said. Hegave a talk atKangrejos2025 covering upcoming Rust language features and thankingthe Rust for Linux developers for helping drive them forward. Afterward, Benno Lossin and Xiangfei Dingwent into more detail about their work on the three most important languagefeatures for kernel development: field projections, in-place initialization, and arbitrary self types.

Security updates have been issued by Fedora (apptainer, civetweb, mod_http2, openssl, pandoc, and pandoc-cli), Oracle (kernel), Red Hat (gstreamer1-plugins-bad-free, iputils, kernel, open-vm-tools, and podman), SUSE (cairo, firefox, ghostscript, gimp, gstreamer-plugins-rs, libxslt, logback, openssl-1_0_0, openssl-1_1, python-xmltodict, and rubygem-puma), and Ubuntu (gst-plugins-base1.0, linux-aws-6.8, linux-aws-fips, linux-azure, linux-azure-nvidia, linux-gke, linux-nvidia-tegra-igx, and linux-raspi).

Version3.14.0 of the Python language has been released. There are a lot ofchanges this time around, including official support for free threading, template string literals, and much more; seethe announcement for details.

Paul McKenney gave a remote presentation atKangrejos2025 following up on thetalk he gave last year about thelifetime-end-pointer-zapping problem: certain common patterns for multithreaded code aretechnically undefined behavior, and changes to the C and C++ specificationswill be needed to correct that. Those changes could also impact code that usesunsafe Rust, such as the kernel's Rust bindings. Progress on the problem has been slow,but McKenney believes that a solution is near at hand.

Systemdv258 was released on September17 after more than nine monthsof development. LWN has already covered some of thefeatures and changes being readied for v258 before it was final. Nowthat the release is out, it is time to look at more of what came inv258, including a sandbox shell, new boot options, service-level diskquotas, and enhancements to systemd-resolved.

Taylor Blau has posted anextensive set of notes from the recently concluded Git Contributor'sSummit. Covered topics include the SHA-256 transition, Rust, Change-IDheaders, Git3.0, and many more. The note are also available onGoogle Docs for those who prefer that format.

Security updates have been issued by Fedora (chromium), Red Hat (kernel, open-vm-tools, and postgresql), SUSE (chromedriver and chromium), and Ubuntu (haproxy and pam-u2f).

Version 2025.10 of the U-Boot boot loaderhas been released with new features, including Python tooling improvements,cleanups for implicit header inclusions, better support for numerous Armplatforms, support for new RISC-V platforms, better documentation, andmore. Maintainer Tom Rini also reports on some project news:

At the time of writing, there have been 9,099 commits in the 6.18 merge window,8,475 non-merges and 624 merges. Thechanges so far include core-kernel, graphics, and networking work, among others.There are no big surprises, but several items that were discussed at this year'sLFSMM+BPF Summit have now been merged.

Support for BPF in the kernel has been tied to the LLVM toolchain since theadvent of extended BPF. There has been a growing effort to add BPF supportto the GNU toolchain as well, though. At the 2025 GNU Tools Cauldron, thedevelopers involved got together with representatives of the kernelcommunity to talk about the state of that work and what needs to happennext.

The 6.17.1, 6.16.11, 6.12.51, and 6.6.110 stable kernels have been released.This time around, they contain a relatively small number of important fixesin various parts of the kernel.

Security updates have been issued by AlmaLinux (kernel), Debian (dovecot, git, log4cxx, and openssl), Fedora (containernetworking-plugins, firebird, firefox, jupyterlab, mupdf, and thunderbird), Oracle (ipa), Red Hat (container-tools:rhel8, firefox, gnutls, kernel, kernel-rt, multiple packages, mysql, mysql:8.0, nginx, podman, and thunderbird), Slackware (fetchmail), SUSE (afterburn, chromium, firefox, haproxy, libvmtools-devel, logback, python311-Django, python311-Django4, and redis), and Ubuntu (linux-gcp, linux-gcp-6.14, linux-oem-6.14, linux-nvidia-tegra-igx, linux-oracle, mysql-8.0, poppler, and squid).

OpenSSH 10.1 hasbeen released. Along with "a minor security fix" and some other bugfixes, this release disallows control characters in user names passed viathe command line, adds better logging around certificate refusals, and anew RefuseConnection server configuration option.

Despite its name, the RobotOperating System (ROS) is not an operating system; it isa software development kit (SDK) that provides building blocks forrobotic applications. One of the main goals of ROS is to present acommon API that abstracts away the details of particular hardwaredrivers or algorithms to make development easier; developers can focuson what a robot should do rather than the low-level details ofspecific controllers. The latest release of ROS, KiltedKaiju, features improvements to the middleware layer that is usedto deliver data between components.

Security updates have been issued by AlmaLinux (idm:DL1), Debian (gegl and haproxy), Fedora (ffmpeg, firefox, freeipa, python-pip, rust-astral-tokio-tar, sqlite, uv, webkitgtk, and xen), Oracle (idm:DL1, ipa, kernel, perl-JSON-XS, and python3), Red Hat (git), SUSE (curl, frr, jupyter-jupyterlab, and libsuricata8_0_1), and Ubuntu (linux-aws, linux-lts-xenial, linux-aws-fips, linux-fips, linux-gcp-fips, linux-azure, linux-azure, linux-azure-6.8, linux-fips, linux-gcp-fips, and linux-intel-iot-realtime, linux-realtime).

The Free Software Foundation has announcedthe selection of Ian Kelling as the organization's president.

The GNU Tools Cauldron is almost entirely focused on user-space tools, butkernel developers need a solid toolchain too. In what appears to be adeveloping tradition (started in 2024),some kernel developers attended the 2025 Cauldron for thesecond year in a row to discuss their needs with the assembled toolchaindevelopers. Topics covered in this year's gathering include Rust, betterBPF typeformat (BTF) support, SFrame, and more.

Greg Kroah-Hartman has announced the release of the 6.16.10, 6.12.50, 6.6.109, 6.1.155, 5.15.194, 5.10.245, and 5.4.300 stable kernels. All of these kernelshave lots of important fixes throughout the kernel tree.

Security updates have been issued by AlmaLinux (perl-JSON-XS), Debian (chromium and openssl), Fedora (bird, dnsdist, firefox, mapserver, ntpd-rs, python-nh3, rust-ammonia, skopeo, sqlite, thunderbird, and xen), Oracle (perl-JSON-XS), Red Hat (kernel, kernel-rt, and libvpx), SUSE (afterburn, cairo, docker-stable, firefox, nginx, python-Django, snpguest, and warewulf4), and Ubuntu (libmspack, libxslt, linux, linux-aws, linux-aws-5.15, linux-gcp, linux-gcp-5.15, linux-gkeop, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-intel-iotg, linux-intel-iotg-5.15, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-nvidia-tegra, linux-nvidia-tegra-5.15, linux-oracle, linux-raspi, linux-xilinx-zynqmp, linux, linux-aws, linux-aws-5.4, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-iot, linux-kvm, linux-raspi, linux-xilinx-zynqmp, linux, linux-aws, linux-aws-6.14, linux-hwe-6.14, linux-realtime, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-gcp, linux-gcp-4.15, linux-hwe, linux-oracle, linux, linux-aws, linux-gcp, linux-gcp-6.8, linux-gke, linux-gkeop, linux-ibm, linux-ibm-6.8, linux-lowlatency, linux-lowlatency-hwe-6.8, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, linux, linux-kvm, linux-aws-fips, linux-fips, linux-gcp-fips, linux-azure, linux-hwe-6.8, linux-kvm, linux-oracle-5.15, linux-oracle-6.14, linux-raspi, linux-raspi-realtime, linux-realtime, linux-realtime-6.8, linux-realtime-6.14, and python-django).

Inside this week's LWN.net Weekly Edition:

The Alpine Linux project has announcedplans to change its base filesystem hierarchy:

The Fedora Council began a process to create a policy on AI-assistedcontributions in 2024, starting with a survey to ask the communityits opinions about AI and using AI technologies in Fedora. OnSeptember25, Jason Brooks publisheda draft policy for discussion; so far, in keeping with the spirit ofcompromise, it has something to make everyone unhappy. For some it istoo AI-friendly, while others have complained that it holds Fedoraback from experimenting with AI tooling.

Security updates have been issued by AlmaLinux (kernel, kernel-rt, mysql:8.0, and openssh), Debian (libcommons-lang-java, libcommons-lang3-java, libcpanel-json-xs-perl, libjson-xs-perl, libxml2, open-vm-tools, and u-boot), Fedora (bird, dnsdist, mapserver, ntpd-rs, python-nh3, and rust-ammonia), Oracle (kernel and mysql:8.0), Red Hat (cups, postgresql:12, and postgresql:13), SUSE (cJSON-devel, gimp, kernel-devel, kubecolor, open-vm-tools, openssl-1_1, openssl-3, and ruby3.4-rubygem-rack), and Ubuntu (linux-azure-5.15 and openssl, openssl1.0).

The openSUSELeap 16 release is now available.

Version 1.5.0of the Radicle peer-to-peer Git collaboration platform has beenreleased. This release includes better support for bare repositories,structured logging, and improvements in the output of rad patchshow:

Klint is a Rust compiler extensiondeveloped by Gary Guo to run somekernel-specific lint rules, which may also be useful for embedded systemdevelopment. He spoke about hisrecent work on the project atKangrejos 2025. The next day, Alejandra Gonzalezled a discussion about Rust's normal linter,Clippy. The two tools offer complementary approaches to analyzing Rustkernel code, although both need some additional direction and support fromkernel developers to reach their full potential.

Security updates have been issued by Debian (python-internetarchive and tiff), Fedora (nextcloud), Oracle (kernel, openssh, and squid), Red Hat (kernel, kernel-rt, and ncurses), SUSE (afterburn and chromium), and Ubuntu (open-vm-tools, ruby-rack, and tiff).

After marking bcachefs "externally maintained" in 6.17, Linus Torvalds hasremovedit entirely for 6.18. "It's now a DKMS module, making the in-kernelcode stale, so remove it to avoid any version confusion."

The 6.17 development cycle ended on September28 with the releaseof the 6.17 kernel. This cycle brought in 13,089 non-merge changesets, aslowdown from its predecessor but still within the normal bounds for recentkernels. The time has come for a look at where those changes came from,with a bit of a side trip into bug statistics.

The NixOS moderation team, which is theoretically in charge of ensuring that community participation on the project's repositories anddiscussion forum remains welcoming and useful, has releaseda joint resignation statement. This action was motivated by conflict with the project's steering committee (SC), which has repeatedly overridden the moderation team, leading the team members to decide that they could not continue acting as moderators. Arian Van Putten, speaking for the whole team, writes:

As with a mobile phone, a portable gaming device like the Steam Deck can containlots of personal information that the owner would like to keepsecret-especially given that such devices can do far more than gaming.Alberto Garcia worked with his colleagues at Igalia and people atValve, the company behind the Steam gaming platform, to comeup with a new tool to manage encrypted filesystems for SteamOS, which is a Linuxdistribution optimized for gaming. Garcia gave a talk about that tool, dirlock, at OpenSource Summit Europe, which was held in Amsterdam in late August.In the talk, he looked at the design process forthe encrypted-files feature, the alternatives considered, and why they madethe choices they did.

Security updates have been issued by AlmaLinux (avahi, cups, firefox, gnutls, golang, httpd, kernel, libtpms, mysql, opentelemetry-collector, php:8.2, podman, postgresql:13, postgresql:15, python3, python3.11, python3.12, python3.9, thunderbird, and udisks2), Debian (firefox-esr, gimp, nncp, node-tar-fs, and squid), Fedora (chromium, firebird, python-azure-keyvault-securitydomain, python-azure-mgmt-security, and python-microsoft-security-utilities-secret-masker), Red Hat (httpd:2.4, kernel, kernel-rt, and mod_http2), SUSE (aide, apache2-mod_security2, chromedriver, cloud-init, docker, gdk-pixbuf, git, google-osconfig-agent, govulncheck-vulndb, gstreamer-plugins-base, iperf, kernel, krb5, krita, luajit, net-tools, nvidia-open-driver-G06-signed, pam, postgresql17, python311, rust-keylime, sevctl, tor, tree-sitter-ruby, and udisks2), and Ubuntu (curl, ghostscript, inetutils, python2.7, and qtbase-opensource-src).

The F-Droid project has posted anurgent message regarding Google's plan to require developerregistration to install apps on Android devices.

Linus Torvalds has released the 6.17 kernel. He notes that the shortlog for the changes since -rc7 are pretty tame:

The openSUSE project is nearing the release of Leap16, itsfirst major release since openSUSELeap15in May 2018. This release brings some changes to thecore of the distribution aside from the usual software upgrades; YaST has been retired,SELinux has replaced AppArmor as the default mandatory access control(MAC) system, and more. If all goes according to plan, Leap16final should be released in early October, with planned supportthrough 2031.

Security updates have been issued by AlmaLinux (firefox, kernel, and thunderbird), Debian (ceph and thunderbird), Fedora (chromium, mingw-expat, python-deepdiff, python-orderly-set, python-pip, rust-az-cvm-vtpm, rust-az-snp-vtpm, rust-az-tdx-vtpm, and trustee-guest-components), Oracle (aide, kernel, and thunderbird), Red Hat (firefox, kernel, openssh, perl-YAML-LibYAML, and thunderbird), Slackware (expat), SUSE (jasper, libssh, openjpeg2, and python-pycares), and Ubuntu (linux-aws-6.14, linux-hwe-6.14, linux-azure, linux-hwe-6.8, linux-realtime-6.8, node-sha.js, and pcre2).

Longtime PyPy developer Antonio Cuni has alengthyblog post that describes his talk at the recently completed 2025CPythonCore Dev Sprint, held at Arm in Cambridge, UK. The talk, entitled"Tracing JIT and real world Python - aka: what we can learn from PyPy" wasmeant to try to pass on some of his experiences "optimizing existingcode for PyPy at a high-frequency trading firm" to thedevelopers working on the CPython JIT compiler. His goal wasto raise awareness of some of the problems he encountered:

The file_operationsstructure in the kernel is a set of function pointers implementing, as thename would suggest, operations on files. A subsystem that manages objectswhich can be represented by a file descriptor will provide afile_operations structure providing implementations of the variousoperations that a user of the file descriptor may want to carry out. Themmap() method, in particular, is invoked when user space calls themmap()system call to map the object behind a file descriptor into its addressspace. That method, though, is currently on its way out in a multi-releaseprocess that started in 6.17.