LWN.net

Inside this week's LWN.net Weekly Edition:

We have received the sad news that Didier Spaier, maintainer of theblind-friendly Slackware-based Slint distribution, has recently passedaway. Philippe Delavalade, who posted the announcement to theSlint mailing list, said:

The Open Source Initiative (OSI) has announcedthat it will not be holding the 2026 spring board election. Instead,it will be creating a working group to "review and improve OSI'sboard member selection process" and provide recommendations bySeptember2026:

Phones running Linux are ubiquitous these days and it has been that waysince Android started working toward dominance in the smartphone market.Unfortunately, Android has slowly increased its freedom-unfriendliness andhas become something of a privacy nightmare. In a talk entitled "We needan open-source phone OS" at OpenSource Summit Japan 2025, Luca Weiss described the smartphone landscapeand gave an overview of postmarketOS as an alternative Linuxoperating system for mobile handsets.

PC Gamer has run anamusing review of the scx_horoscopescheduler for Linux, which uses astrology to optimize schedulingdecisions.

Creating fair governance models for open-source projects is noteasy; defining criteria for participants to receive membership andvoting rights is a particularly thorny problem for projects that haveelections for representative bodies. The FedoraCouncil, the project's top-level governance body, is wrestlingwith that conundrum now. This was triggered by a Fedora special-interestgroup (SIG) granting temporary membership to at least one person for thesole purpose of allowing them to vote in the most recent FedoraEngineering Steering Council (FESCo) election. That opened a large canof worms about what it means to be a contributor and how contributorscan be identified for voting purposes.

Security updates have been issued by AlmaLinux (java-1.8.0-openjdk), Debian (openssl), Fedora (assimp, chromium, curl, freerdp, gimp, and harfbuzz), Mageia (glibc, haproxy, iperf, and python-pyasn1), Red Hat (image-builder, openssl, and osbuild-composer), Slackware (mozilla), SUSE (avahi, cups, gio-branding-upstream, google-osconfig-agent, java-11-openjdk, java-17-openjdk, java-21-openjdk, kernel-firmware, libmatio-devel, libopenjp2-7, nodejs22, php8, python-python-multipart, python311-urllib3_1, qemu, and xen), and Ubuntu (ffmpeg, jaraco.context, openssl, and openssl, openssl1.0).

There is a new GnuPG update for a "critical security bug" in recentGnuPG releases.

GNU C Library maintainer Carlos O'Donell has announcedthat the project will be moving its core services away from Sourceware in favor of services hostedat the Linux Foundation.

The kernel's "kfunc" mechanism is a way of exporting kernel functions sothat they can be called directly from BPF programs. There are over 300kfuncs in current kernels, ranging in functionality from string processing(bpf_strnlen())to custom schedulers (scx_bpf_kick_cpu())and beyond. Sometimes these kfuncs need access to context information thatis not directly available to BPF programs, and which thus cannot be passedin as arguments. The implicitarguments patch set from Ihor Solodrai is the latest attempt to solvethis problem.

The Xfce team has announced thatit will be providing funding to Brian Tarricone to work on xfwl4,a Wayland compositor for Xfce:

Security updates have been issued by AlmaLinux (kernel, kernel-rt, python-urllib3, python3.11-urllib3, and python3.12-urllib3), Debian (imagemagick, openjdk-11, openjdk-17, and openjdk-21), Fedora (bind, bind-dyndb-ldap, chromium, ghostscript, glibc, mingw-glib2, mingw-harfbuzz, mingw-libsoup, mingw-openexr, and qownnotes), Mageia (kernel-linus), Red Hat (osbuild-composer), SUSE (go1.24-openssl, go1.25-openssl, govulncheck-vulndb, kernel, nodejs22, openCryptoki, openvswitch3, python-pyasn1, python311, and qemu), and Ubuntu (git-lfs, node-form-data, and screen).

The GNU Privacy Guard (GPG)project decided to break from the OpenPGP standard for emailencryption in 2023, and instead adopted its own homegrown LibrePGP specification. The GPG 2.4branch, the last one to adhere to OpenPGP, will be reaching the end oflife in mid-2026. The Fedora project is currently having a discussionabout how that affects the distribution, its users, and what to offeronce 2.4 is no longer receiving updates.

Curl creator Daniel Stenberg has written a blogpost explaining why the project is ending its bug-bountyprogram, which started in April 2019:

Security updates have been issued by AlmaLinux (gimp, glib2, go-toolset:rhel8, golang, java-17-openjdk, java-21-openjdk, kernel, net-snmp, pcs, and thunderbird), Debian (apache2, imagemagick, incus, inetutils, libuev, openjdk-17, php7.4, python3.9, shapelib, taglib, and zvbi), Fedora (mingw-glib2, mingw-harfbuzz, mingw-libsoup, mingw-openexr, pgadmin4, python3.11, python3.12, python3.9, and wireshark), Gentoo (Asterisk, Commons-BeanUtils, GIMP, inetutils, and Vim, gVim), Mageia (kernel), Oracle (glib2, java-17-openjdk, java-21-openjdk, and libpng), Red Hat (java-17-openjdk, java-21-openjdk, kernel, and kernel-rt), SUSE (azure-cli-core, bind, buildah, chromium, coredns, glib2, harfbuzz, kernel, kernel-firmware, libheif, libvirt, openCryptoki, openvswitch, podman, python, python-urllib3, rabbitmq-server, and vlang), and Ubuntu (cjson).

The 6.19-rc7 kernel prepatch is out fortesting.

Version 2.43 of theGNU C Library has been released. Changes include support for the mseal() and openat2()system calls, experimental support for building with the Clang compiler,Unicode 17.0.0 support, a number of security fixes, and much more.

Filesystems seem to be one of those many areas where the problems are wellunderstood, but there is always somebody working toward a better solution.As a result, filesystem development in the Linux kernel continues at a fastpace even after all these years. In recent news, the EROFS filesystem ison the path to gain a useful page-cache-sharing feature, there is a newNTFS implementation on the horizon, and XFS may be about to get aninfrastructure for self healing.

Version1.5.0 of the GNU Guix package manager and the Guix System havebeen released. Notable improvements include the ability to run theGuix daemon without root privileges, support for 64-bit RISC-V, andexperimental support for the GNU Hurd kernel.

Greg Kroah-Hartman has released the 6.18.7 and 6.12.67 stable kernels. As always, eachcontains important fixes throughout the tree. Users are advised toupgrade.

Security updates have been issued by AlmaLinux (kernel), Debian (bind9, chromium, osslsigncode, and python-urllib3), Fedora (freerdp, ghostscript, hcloud, rclone, rust-rkyv0.7, rust-rkyv_derive0.7, and vsftpd), Mageia (avahi and harfbuzz), SUSE (alloy, avahi, busybox, cargo-c, corepack22, corepack24, curl, docker, dpdk, exiv2-0_26, ffmpeg-4, firefox, glib2, go1.24, go1.25, gpg2, haproxy, kernel, kernel-firmware, keylime, libpng16, librsvg, libsodium, libsoup, libsoup2, libtasn1, log4j, net-snmp, open-vm-tools, openldap2_5, ovmf, pgadmin4, php7, podman, python-filelock, python-marshmallow, python-pyasn1, python-tornado, python-urllib3, python-virtualenv, python3, python311-pyasn1, python311-weasyprint, rust1.91, rust1.92, util-linux, webkit2gtk3, and wireshark), and Ubuntu (libxml2 and pyasn1).

TheLinux Kernel Runtime Guard (LKRG) is a out-of-tree loadable kernel module thatattempts to detect and report violations of the kernel's internal invariants,such as might be caused by an in-progress security exploit or a rootkit.LKRG has been experimental since itsinitial release in 2018. In September2025, the projectannouncedthe 1.0 version. With the promises of stability that version brings, users might want moreinformation to decide whether to include it in their kernel.

ReactOS, an open-source projectto develop an operating system that is compatible with MicrosoftWindows NT applications and drivers, is celebrating 30years since the first commit to its source tree. In that timethere have been more than 88,000 commits from 301 contributors, for atotal of 14,929,578 lines of code. There is, of course, much left todo.

Version1.93.0 of the Rust programming language has been released. Notablechanges include in updated version of the bundled musl library,thread-local storage for the global allocator, some asm!improvements, and a number of newly stabilized APIs.

Security updates have been issued by AlmaLinux (gpsd), Debian (inetutils and modsecurity-crs), Fedora (cpp-httplib, curl, mariadb11.8, mingw-libtasn1, mingw-libxslt, mingw-python3, rclone, and rpki-client), Oracle (gimp, glib2, go-toolset:rhel8, golang, kernel, mariadb-devel:10.3, and thunderbird), Red Hat (buildah, go-toolset:rhel8, golang, grafana, kernel, kernel-rt, multiple packages, openssl, osbuild-composer, podman, and skopeo), Slackware (bind), SUSE (ffmpeg-4, libsodium, libvirt, net-snmp, open-vm-tools, ovmf, postgresql17, postgresql18, python-FontTools, python-weasyprint, and webkit2gtk3), and Ubuntu (glib2.0 and opencc).

Inside this week's LWN.net Weekly Edition:

As part of the process of writing man pages for the "new" mount API, which has been available in thekernel since 2019, Aleksa Sarai encountered a number of places where the fsconfig()system call-for configuring filesystems before mounting-needs to be cleaned up. In the 2025 Linux Plumbers Conference(LPC) session that he led, Sarai wanted to discuss some of the problems he found,including at least one with security implications. The idea of the sessionwas for him to describe the various bugs and ambiguities that he had found,but he also wanted attendees to raise other problems they had with thesystem call.

Version3.0.0 of the pandas dataanalysis and manipulation library for Python has beenreleased. Notable changes include a dedicatedstring type (str), new "copy-on-write" behavior, and much more. This release also removesa number of features that were deprecated in prior versions of pandas;developers are advised to upgrade to pandas2.3 and ensure code isworking without warnings before moving to3.0. See the releasenotes for the full changelog.

At the 39thChaos Communication Congress (39C3) in December, researchers LexiGroves ("49016") and Liam Wachter said that they had discovered anumber of flaws in popular implementations of OpenPGP email-encryption standard. They also released anaccompanying web site, gpg.fail, withdescriptions of the discoveries. Most of thosepresented were found in GNU PrivacyGuard (GPG), though the pair also discussed problems in age,Minisign, Sequoia, and the OpenPGPstandard (RFC 9580) itself. The discoveries have spurred some interestingdiscussions and as well as responses from GPG and Sequoiadevelopers.

Security updates have been issued by AlmaLinux (brotli and container-tools:rhel8), Debian (python-keystonemiddleware and python3.9), Fedora (cef, freerdp, golang-github-tetratelabs-wazero, and libpcap), Oracle (brotli, gpsd, kernel, and transfig), Red Hat (freerdp, golang, java-11-openjdk with Extended Lifecycle Support, libpng, libssh, mingw-libpng, and runc), SUSE (abseil-cpp, alloy, apache2, bind, cpp-httplib, curl, erlang, firefox, gpg2, grafana, haproxy, hauler, hawk2, libblkid-devel, libpng16, libraylib550, python-keystonemiddleware-doc, python-uv, python-weasyprint, squid, and tomcat), and Ubuntu (crawl and iperf3).

Konstantin Ryabitsev has put up ablog post about korgalore, a tool he has written to circumvent deliveryproblems experienced by kernel developers using the large, centralizedemail systems.

One would assume that most LWN readers stopped running network-accessibletelnet services some number of decades ago. For the rest of you, this security advisory fromSimon Josefsson is worthy of note:

Mozilla has announceda repository with FirefoxNightly channel packages for RPM-based Linux distributions such as CentOSStream, Fedora, and openSUSE. Mozilla has provided a Debian repositorysince 2023.Note that this repository only includes the nightly builds of Thefirefox-nightly package. Mozilla is not providing stablebuilds as RPMs at this time. However, the package will not conflictwith a distribution's regular firefox package; both packagescan be installed at the same time for those who wish to test thenightly builds. See the blog post for instructions on setting up therepository.

LWN has had a number of articles on immutable distributions,such as Bluefin and Bazzite, in recent years. These distributions have taken a variety of approaches, includingusingrpm-ostree, filesystem snapshots, andbootable container (bootc) images. But thoseapproaches, especially the latter, lead to extra complexity for a userattempting to install new software, instead of justusing the existing package manager.AshOS (Any Snapshot Hierarchical OS) is an experimental AGPL-3-licensed"meta-distribution" that tried a different approach more in line withtraditional package management. Although the project is no longer updated,it remains usable, and can still shed some light on a potential alternate path for usersworried about adopting bootc-based approaches.

Security updates have been issued by AlmaLinux (gpsd-minimal, jmc, kernel, kernel-rt, and net-snmp), Debian (apache-log4j2 and dcmtk), Fedora (exim, gpsd, mysql8.0, mysql8.4, python-biopython, and rust-lru), Mageia (firefox, nss and thunderbird), Oracle (container-tools:rhel8, gpsd-minimal, jmc, kernel, net-snmp, and uek-kernel), Red Hat (net-snmp), SUSE (chromium, go, harfbuzz-devel, kernel, libsoup, rust1.91, rust1.92, and thunderbird), and Ubuntu (apache2, avahi, and python-urllib3).

OzLabs is a collection of Australianfree-software developers that was, for most of its history, associated withIBM. Members of OzLabs have included Hugh Blemings, Michael Ellerman, BenHerrenschmidt, Greg Lehey, Paul Mackerras, Martin Pool, Stephen Rothwell,Rusty Russell, and Andrew Tridgell, among others. The OzLabs "about" page notes that, asof January 2026, the last remaining OzLabs members have departed IBM."This brought to a close the Ozlabs association with IBM". Thusends a quarter-century of development history.(Thanks to Jon Masters).

PostgreSQL contributor Robert Haas has publisheda blog post that breaks down code contributions to PostgreSQL in2025.

The io_uringsubsystem is more than an asynchronous I/O interface for Linux; it is,for all practical purposes, an independent system-call API. It has enabledhigh-performance applications, but it also brings challenges for code builtaround classic, Unix-style system calls. For example, the seccomp()sandboxing mechanism does not work with it, causing applications usingseccomp() to disable io_uring outright. Io_uring maintainer JensAxboe is seeking to improve that situation with a rapidly evolving patchseries adding a new restrictive mechanism to that subsystem.

Version11.0 of the Wine Windows compatibility layer is out. "Thisrelease represents a year of development effort, around6,300individual changes, and more than600 bug fixes." The most notablechanges in this release are support for the NTSync Linux kernel module(when available), and the completion of the Windows32-bit on Windows64-bit (WoW64) architecture that was announced as experimental in Wine9.0.

Greg Kroah-Hartman has released the 5.15.198, and 5.10.248 stable kernels. As usual, eachcontains important fixes throughout the tree; users are advised toupgrade.

Security updates have been issued by AlmaLinux (cups, libpq, libsoup3, podman, and postgresql16), Debian (ffmpeg, gpsd, python-urllib3, and thunderbird), Fedora (chromium, foomuuri, forgejo, freerdp, harfbuzz, libtpms, musescore, python-biopython, and python3.12), Mageia (gimp, libpng, nodejs, and python-urllib3), and SUSE (alloy, avahi, bind, chromedriver, chromium, cpp-httplib, docker, erlang, fluidsynth, freerdp, go-sendxmpp, govulncheck-vulndb, kernel, libwireshark19, NetworkManager-applet-l2tp, python, python311-virtualenv, thunderbird, and zk).

Linus has released 6.19-rc6 for testing."So we finally ended up with a slightly bigger rc than usual for thisstage in the release cycle, but it's not _that_ big, and things still seemquite stable and civilized."

Greg Kroah-Hartman has released the 6.18.6, 6.12.66, 6.6.121, and 6.1.161 stable kernels. As usual, eachhas important fixes throughout the tree; users are advised toupgrade.

While there are several rootkits that target Linux, they have so far not fullyembraced the open-source ethos typical of Linux software.Luckily, Matheus Alves has been working to remedythis lack by creatingan open-source rootkit called Singularity for Linux systems. Users who feeltheir computers are too secure can install the Singularity kernel module inorder to allow remote code execution, disable security features, and hide filesand processes from normal administrative tools. Despite its many features,Singularity is not currently known to be in use in the wild - instead, itprovides security researchers with a testbed to investigate new detection andevasion techniques.

Security updates have been issued by AlmaLinux (gnupg2), Debian (firefox-esr), Oracle (cups, gnupg2, libpq, net-snmp, postgresql, postgresql:15, postgresql:16, transfig, and vsftpd), Red Hat (firefox), SUSE (apache2, curl, firefox, gpg2, hawk2, libcryptopp-devel, openCryptoki, python310, python311-urllib3, rke2, squid, and tomcat), and Ubuntu (cpp-httplib, git, python-apt, and simgear).

The Project Zero blog has athree-part series describing a working, zero-click exploit forPixel9 devices.

Sjoerd Simons has publisheda blog post about running Debian on the OpenWrtOnerouter hardware:

Version14.0 of the Forgejo software forge has been released. Notablechanges in this release include several databaseimprovements, new options for approvingactions execution from pull requests, a newfile editor, and progress toward makingForgejo's web UI work without JavaScript.

Al Viro does not often stray outside of the core virtual filesystem area;when he does, it is usually worthy of note. Recently, he wandered intomemory management with this patchseries to the slab allocator and some of its users. Kernel developerswill often put considerable effort into small optimizations, but it isstill interesting to look at just how much effort has gone toward the purpose ofavoiding a single pointer dereference in some memory-allocation hot paths.

We have recently noticed that email from LWN.net seems to beblocked by MXroute. Unfortunately, the company also does not seem tohave a way for non-customers to report problems in mail delivery, sowe have no good way to get ourselves unblocked.As a result, readers who have subscribed to an LWN mailing listfrom a domain hosted with MXroute will probably not receive ourmailings. We have not yet unsubscribed addresses that are beingblocked by MXroute, but will soon if the problem persists. Pleaseaccept our apologies for the inconvenience; it is unfortunate that itis becoming so difficult to send legitimate email as a smallbusiness.