Feed lwn LWN.net

Link https://lwn.net/
Feed http://lwn.net/headlines/rss
Updated 2025-12-14 20:15
Kernel prepatch 6.19-rc1
Linus has released 6.19-rc1, perhaps a bit earlier than expected.
Conill: Rethinking sudo with object capabilities
Ariadne Conill is exploring a capability-based approach to privilege escalation on Linux systems.
[$] The state of the kernel Rust experiment
The ability to write kernel code in Rust was explicitly added as an experiment - if things did not go well, Rust would be removed again. At the 2025 Maintainers Summit, a session was held to evaluate the state of that experiment, and to decide whether the time had come to declare the result to be a success. The (arguably unsurprising) conclusion was that the experiment is indeed a success, but there were some interesting points made along the way.
Three new stable kernels
Greg Kroah-Hartman has released the 6.18.1, 6.17.12, and 6.12.62 stable kernels. Each contains important fixes; users of those kernels are advised to upgrade.
[$] Best practices for linux-next
One of the key components in the kernel's development process is the linux-next repository. Every day, a large number of branches, each containing commits intended for the next kernel development cycle, is pulled into linux-next and integrated. If there are conflicts between branches, the linux-next process will reveal them. In theory, many other types of problems can be found as well. Some developers feel that linux-next does not work as well as it could, though. At the 2025 Maintainers Summit, Mark Brown, who helps to keep linux-next going, led a session on how it could be made to work more effectively.
KDE Gear 25.12 released
KDE has announced the release of KDE Gear 25.12. This release adds more "extractors" to the Itinerary travel-assistant application, improved Git support in the Kate text editor, better PDF export in Konqueror, and much more. See the changelog for all new features, improvements, and bug fixes.
Security updates for Friday
Security updates have been issued by AlmaLinux (firefox, luksmeta, mysql, mysql:8.0, mysql:8.4, tomcat, and wireshark), Debian (chromium, kernel, and tzdata), Fedora (brotli, dr_libs, perl-Alien-Brotli, python-urllib3, singularity-ce, wireshark, and yarnpkg), Oracle (firefox, grafana, lasso, libsoup3, luksmeta, ruby, ruby:3.3, tomcat, and wireshark), Slackware (mozilla), SUSE (container-suseconnect, kubernetes-client, libpoppler-cpp2, postgresql14, postgresql15, and python3), and Ubuntu (c-ares, keystone, linux, linux-aws, linux-aws-5.15, linux-azure, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-intel-iotg, linux-intel-iotg-5.15, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-nvidia-tegra, linux-nvidia-tegra-5.15, linux-nvidia-tegra-igx, linux-oracle, linux-oracle-5.15, linux-xilinx-zynqmp, linux-azure, linux-azure-4.15, linux-oracle, linux-fips, linux-aws-fips, linux-azure-fips, linux-gcp-fips, linux-fips, linux-aws-fips, linux-gcp-fips, linux-hwe-6.8, linux-oracle-6.8, linux-raspi, linux-realtime, linux-intel-iot-realtime, and python-urllib3).
Pop!_OS 24.04 LTS released
Version 24.04 LTS of the Ubuntu-based Pop!_OS distribution has been released with the COSMIC Desktop Environment:
Rust 1.92.0 released
Version 1.92.0 of Rust has been released. This release includes a number of stabilized APIs, emits unwind tables by default on Linux, validates input to #[macro_export], and much more. See the separate release notes for Rust, Cargo, and Clippy.
[$] Toward a policy for machine-learning tools in kernel development
The first topic of discussion at the 2025 Maintainers Summit has been in the air for a while: what role - if any - should machine-learning-based tools have in the kernel development process? While there has been a fair amount of controversy around these tools, and concerns remain, it seems that the kernel community, or at least its high-level maintainership, is comfortable with these tools becoming a significant part of the development process.
Security updates for Thursday
Security updates have been issued by Debian (ffmpeg, firefox-esr, libsndfile, and rear), Fedora (httpd, perl-CGI-Simple, and tinyproxy), Oracle (firefox, kernel, libsoup, mysql8.4, tigervnc, tomcat, tomcat9, and uek-kernel), SUSE (alloy, curl, dovecot24, fontforge, glib2, himmelblau, java-17-openjdk, java-21-openjdk, kernel, krb5, lasso, libvirt, mozjs128, mysql-connector-java, nvidia-open-driver-G07-signed-check, openssh, poppler, postgresql17, postgresql18, python-cbor2, python-Django, python310, python311-Django, runc, strongswan, tomcat11, and xwayland), and Ubuntu (binutils, libpng1.6, linux, linux-aws, linux-aws-5.4, linux-gcp, linux-gcp-5.4, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-xilinx-zynqmp, linux, linux-aws, linux-aws-6.14, linux-gcp, linux-hwe-6.14, linux-raspi, linux, linux-aws, linux-gcp, linux-realtime, and qtbase-opensource-src).
[$] LWN.net Weekly Edition for December 11, 2025
Inside this week's LWN.net Weekly Edition:
10 Years of Let's Encrypt Certificates
Let's Encrypt has published a retrospective that covers the decade since it published its first publicly trusted certificate in September 2015:
Kroah-Hartman: Linux CVEs, more than you ever wanted to know
Greg Kroah-Hartman is writing a series of blog posts about Linux becoming a Certificate Numbering Authority (CNA):
[$] Mix and match Linux distributions with Distrobox
Linux containers have made it reasonably easy to develop, distribute, and deploy server applications along with all the distribution dependencies that they need. For example, anyone can deploy and run a Debian-based PostgreSQL container on a Fedora Linux host. Distrobox is a project that is designed to bring the cross-distribution compatibility to the desktop and allow users to mix-and-match Linux distributions without fussing with dual-booting, virtual machines, or multiple computers. It is an ideal way to install additional software on image-based systems, such as Fedora's Atomic Desktops or Bazzite, and also provides a convenient way to move a development environment or favorite applications to a new system.
Security updates for Wednesday
Security updates have been issued by AlmaLinux (abrt and kernel), Debian (libpng1.6, libsoup2.4, pdns-recursor, webkit2gtk, and wordpress), Fedora (imhex, libwebsockets, lunasvg, python3-docs, and python3.14), Mageia (python3 and webkit2), Red Hat (abrt, firefox, mysql8.4, and postgresql:15), Slackware (mozilla), SUSE (gegl, gnutls, go1.24, go1.25, libpng16-16, openssh, postgresql13, python-Jinja2, and sssd), and Ubuntu (fonttools and netty).
The (successful) end of the kernel Rust experiment
The topic of the Rust experiment was just discussed at the annual Maintainers Summit. The consensus among the assembled developers is that Rust in the kernel is no longer experimental - it is now a core part of the kernel and is here to stay. So the "experimental" tag will be coming off. Congratulations are in order for all of the Rust for Linux team. (Stay tuned for details in our Maintainers Summit coverage.)
The 2024 Free Software Awards winners
The Free Software Foundation has announced the recipients of its 2024 (even though 2025 is almost over) Free Software Awards. Andy Wingo won the award for the advancement of free software, Alx Sa is the outstanding new free-software contributor, and Govdirectory takes the award for projects of social benefit.
[$] Bazzite: a gem for Linux gamers
One of the things that has historically stood between Linux and the fabled "year of the Linux desktop" is its lack of support for video games. Many users who would have happily abandoned Windows have, reluctantly, stayed for the video games or had to deal with dual booting. In the past few years, though, Linux support for games - including those that only have Windows versions - has improved dramatically, if one is willing to put the pieces together. Bazzite, an image-based Fedora derivative, is a project that aims to let users play games and use the Linux desktop with almost no assembly required.
Firefox 146 released
Version 146.0 of the Firefox web browser has been released. One feature of particular interest to Linux users is that Firefox now natively supports fractional scaled displays on Wayland. Firefox Labs has also been made available to all users even if they opt out of telemetry or participating in studies. "This means more experimental features are now available to more people." This release also adds support for Module-Lattice-Based Key-Encapsulation Mechanism (ML-KEM) for WebRTC. ML-KEM is "believed to be secure against attackers with large quantum computers". See the release notes for all changes.
Security updates for Tuesday
Security updates have been issued by AlmaLinux (kernel, kernel-rt, and webkit2gtk3), Fedora (abrt and mingw-libpng), Mageia (apache and libpng), Oracle (abrt, go-toolset:rhel8, kernel, sssd, and webkit2gtk3), Red Hat (kernel and kernel-rt), SUSE (gimp, gnutls, kubevirt, virt-api-container, virt-controller-container, virt-exportproxy-container, virt-exportserver-container, virt-handler-container, virt-launcher-container, virt-libguestfs-t, and postgresql13), and Ubuntu (gnupg2, python-apt, radare2, and webkit2gtk).
[$] Disagreements over post-quantum encryption for TLS
The Internet Engineering Task Force (IETF) is the standards body responsible for the TLS encryption standard - which your browser is using right now to allow you to read LWN.net. As part of its work to keep TLS secure, the IETF has been entertaining proposals to adopt "post-quantum" cryptography (that is, cryptography that is not known to be easily broken by a quantum computer) for TLS version 1.3. Discussion of the proposal has exposed a large disagreement between participants who worried about weakened security and others who worried about weakened marketability.
Addressing Linux's missing PKI infrastructure
Jon Seager, VP of engineering for Canonical, has announced a plan to develop a universal Public Key Infrastructure tool called upki:
Security updates for Monday
Security updates have been issued by Debian (ffmpeg, krita, lasso, and libpng1.6), Fedora (abrt, cef, chromium, tinygltf, webkitgtk, and xkbcomp), Oracle (buildah, delve and golang, expat, python-kdcproxy, qt6-qtquick3d, qt6-qtsvg, sssd, thunderbird, and valkey), Red Hat (webkit2gtk3), and SUSE (git-bug, go1, and libpng12-0).
[$] An open seat on the TAB
As has been recently announced, nominations are open for the 2025 Linux Foundation Technical Advisory Board (TAB) elections. I am one of the TAB members whose term is coming to an end, but I have decided that, after 18 years on the board, I will not be seeking re-election; instead, I will step aside and make room for a fresh voice. My time on the TAB has been rewarding, and I will be sad to leave; the TAB has an important role to play in the functioning of the kernel community.
Six stable kernels for the weekend
Greg Kroah-Hartman has announced the release of the 6.17.11, 6.12.61, 6.6.119, 6.1.159, 5.15.197, and 5.10.247 stable kernels. Each contains important fixes throughout the tree; users of these kernels should upgrade.
[$] Eventual Rust in CPython
Emma Smith and Kirill Podoprigora, two of Python's core developers, have opened a discussion about including Rust code in CPython, the reference implementation of the Python programming language. Initially, Rust would only be used for optional extension modules, but they would like to see Rust become a required dependency over time. The initial plan was to make Rust required by 2028, but Smith and Podoprigora indefinitely postponed that goal in response to concerns raised in the discussion.
Security updates for Friday
Security updates have been issued by AlmaLinux (buildah, firefox, gimp:2.8, go-toolset:rhel8, ipa, kea, kernel, kernel-rt, pcs, qt6-qtquick3d, qt6-qtsvg, systemd, and valkey), Debian (chromium and unbound), Fedora (alexvsbus, CuraEngine, fcgi, libcoap, python-kdcproxy, texlive-base, timg, and xpdf), Mageia (digikam, darktable, libraw, gnutls, python-django, unbound, webkit2, and xkbcomp), Oracle (bind, firefox, gimp:2.8, haproxy, ipa, java-25-openjdk, kea, kernel, libsoup3, libssh, libtiff, openssl, podman, qt6-qtsvg, squid, systemd, vim, and xorg-x11-server-Xwayland), Slackware (httpd and libpng), SUSE (chromedriver, kernel, and python-mistralclient), and Ubuntu (cups, linux-azure, linux-gcp, linux-gcp, linux-gke, linux-gkeop, linux-ibm-6.8, linux-iot, and mame).
Alpine Linux 3.23.0 released
Version 3.23.0 of Alpine Linux has been released. Notable changes in this release include an upgrade to version 3.0 of the Alpine Package Keeper (apk), and replacing the linux-edge package with linux-stable:
[$] The beginning of the 6.19 merge window
As of this writing, 4,124 non-merge commits have been pulled into the mainline repository for the 6.19 kernel development cycle. That is a relatively small fraction of what can be expected this time around, but it contains quite a bit of significant work, with changes to many core kernel subsystems. Read on for a summary of the first part of the 6.19 merge window.
[$] A "frozen" dictionary for Python
Dictionaries are ubiquitous in Python code; they are the data structure of choice for a wide variety of tasks. But dictionaries are mutable, which makes them problematic for sharing data in concurrent code. Python has added various concurrency features to the language over the last decade or so - async, free threading without the global interpreter lock (GIL), and independent subinterpreters - but users must work out their own solution for an immutable dictionary that can be safely shared by concurrent code. There are existing modules that could be used, but a recent proposal, PEP 814 ("Add frozendict built-in type"), looks to bring the feature to the language itself.
cmocka 2.0 released
Andreas Schneider has announced version 2.0 of the cmocka unit-testing framework for C:
Security updates for Thursday
Security updates have been issued by AlmaLinux (expat and libxml2), Debian (openvpn and webkit2gtk), Fedora (gi-loadouts, kf6-kcoreaddons, kf6-kguiaddons, kf6-kjobwidgets, kf6-knotifications, kf6-kstatusnotifieritem, kf6-kunitconversion, kf6-kwidgetsaddons, kf6-kxmlgui, nanovna-saver, persepolis, python-ezdxf, python-pyside6, sigil, stb, syncplay, tinyproxy, torbrowser-launcher, ubertooth, and usd), Mageia (cups), SUSE (cups, gegl, icinga2, mozjs128, and Security), and Ubuntu (ghostscript, kernel, linux, linux-aws, linux-aws-5.15, linux-gcp-5.15, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-intel-iotg, linux-intel-iotg-5.15, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-nvidia-tegra, linux-nvidia-tegra-5.15, linux-nvidia-tegra-igx, linux-oracle, linux-oracle-5.15, linux-xilinx-zynqmp, linux, linux-aws, linux-aws-hwe, linux-kvm, linux-oracle, linux-aws-fips, linux-fips, linux-aws-fips, linux-fips, linux-gcp-fips, linux-azure-fips, linux-gcp, linux-gcp-4.15, linux-hwe, linux-gcp, linux-gcp-6.8, linux-gke, linux-gkeop, linux-gcp-6.14, linux-raspi, linux-gcp-fips, linux-intel-iot-realtime, linux-realtime, linux-raspi, linux-raspi-realtime, linux-xilinx, and postgresql-14, postgresql-16, postgresql-17).
Cro provides commentary on LWN's Zig asynchronicity article
Loris Cro has published a detailed YouTube video talking about the terminology used to discuss asynchronicity, concurrency, and parallelism in our recent article about Zig's new Io interface. Our article is not completely clear because it uses the term "asynchronous I/O" to refer to what should really be called "non-blocking I/O", and sometimes confuses asynchronicity for concurrency, among other errors of terminology, he says. Readers interested in precise details about Zig's approach and some of the motivation behind the design may find Cro's video interesting.
[$] LWN.net Weekly Edition for December 4, 2025
Inside this week's LWN.net Weekly Edition:
Home Assistant 2025.12 released
Version 2025.12 of the Home Assistant home-automation system has been released.
Django 6.0 released
The Django Python web framework project has announced the release of Django 6.0 including many new features, as can be seen in the release notes. Some highlights include template partials for modularizing templates, a flexible task framework for running background tasks, a modernized email API, and a Content Security Policy (CSP) feature that provides the ability to "easily configure and enforce browser-level security policies to protect against content injection".
[$] Just: a command runner
Over time, many Linux users wind up with a collection of aliases, shell scripts, and makefiles to run simple commands (or a series of commands) that are often used, but challenging to remember and annoying to type out at length. The just command runner is a Rust-based utility that just does one thing and does it well: it reads recipes from a text file (aptly called a "justfile"), and runs the commands from an invoked recipe. Rather than accumulating a library of one-off shell scripts over time, just provides a cross-platform tool with a framework and well-documented syntax for collecting and documenting tasks that makes it useful for solo users and collaborative projects.
Security updates for Wednesday
Security updates have been issued by Debian (containerd, mako, and xen), Fedora (forgejo, nextcloud, openbao, rclone, restic, and tigervnc), Oracle (firefox, kernel, libtiff, libxml2, and postgresql), SUSE (libecpg6, lightdm-kde-greeter, python-cbor2, python-mistralclient-doc, python315, and python39), and Ubuntu (kdeconnect, linux, linux-aws, linux-realtime, python-django, and unbound).
A final stable kernel update for 5.4
Greg Kroah-Hartman has announced the release of the 5.4.302 stable kernel:
Let's Encrypt to reduce certificate lifetimes
Let's Encrypt has announced that it will be reducing the validity period of its certificates from 90 days to 45 days by 2028:
FreeBSD 15.0 released
FreeBSD 15.0 has been released. Notable changes in this release include a new method for installing the base system using the pkg package manager, an update to OpenZFS 2.4.0-rc4, native support for the inotify(2) interface, and the addition of Open Container Initiative (OCI) images to FreeBSD's release artifacts. See the release notes for a full list of changes, hardware notes for supported hardware, and check the errata before installing or upgrading.
[$] Zig's new plan for asynchronous programs
The designers of the Zig programming language have been working to find a suitable design for asynchronous code for some time. Zig is a carefully minimalist language, and its initial design for asynchronous I/O did not fit well with its other features. Now, the project has announced (in a Zig SHOWTIME video) a new approach to asynchronous I/O that promises to solve the function coloring problem, and allows writing code that will execute correctly using either synchronous or asynchronous I/O.
Security updates for Tuesday
Security updates have been issued by Fedora (gnutls, libpng, mingw-python3, python-spotipy, source-to-image, unbound, and webkitgtk), Mageia (libpng), SUSE (bash-git-prompt, gitea-tea, java-17-openjdk, java-21-openjdk, kernel, openssh, python, and shadowsocks-v2ray-plugin, v2ray-core), and Ubuntu (binutils, openjdk-17-crac, openjdk-21-crac, and openjdk-25-crac).
[$] Checked-size array parameters in C
There are many possible programmer mistakes that are not caught by the minimal checks specified by the C language; among those is passing an array of the wrong size to a function. A recent attempt to add some safety around array parameters within the crypto layer involved the use of some clever tricks, but it turns out that clever tricks are unnecessary in this case. There is an obscure C feature that can cause this checking to happen, and it is already in use in a few places within the kernel.
[$] Some 6.18 development statistics
Linus Torvalds released the 6.18 kernel as expected on November 30, closing the last full development cycle of 2025. It was another busy cycle, featuring a record number of developers. The time has come for a look at where the code came from for this kernel release, but also for the year-long long-term-support cycle which has also reached its conclusion with this release.
Security updates for Monday
Security updates have been issued by AlmaLinux (bind9.18, cups, gimp, ipa, kernel, libssh, mingw-expat, openssl, pcs, sssd, tigervnc, and valkey), Debian (gnome-shell-extension-gsconnect, mistral-dashboard, pagure, python-mistralclient, pytorch, qtbase-opensource-src, sogo, tryton-server, and unbound), Fedora (cef, drupal7, glib2, linux-firmware, migrate, pack, pgadmin4, rnp, and unbound), Slackware (libxslt), SUSE (cpp-httplib, curl, glib2, grub2, kernel, libcoap-devel, libcryptopp, libwireshark19, postgresql15, and postgresql17), and Ubuntu (edk2).
Three stable kernels for Monday
Greg Kroah-Hartman has announced the release of the 6.17.10, 6.12.60, and 6.6.118 stable kernels. As usual, each contains a number of important fixes throughout the tree. Users are advised to upgrade.
The 6.18 kernel has been released
Linus has released the 6.18 kernel, as expected.
NixOS 25.11 released
Version 25.11 of the NixOS distribution has been released. "The 25.11 release was made possible due to the efforts of 2742 contributors, who authored 59430 commits since the previous release". Changes include 7,002 new packages, GNOME 49, LLVM 21, a new COSMIC desktop environment beta, firewalld support, and more; see the release notes for details.