Feed lwn LWN.net

Link https://lwn.net/
Feed http://lwn.net/headlines/rss
Updated 2026-04-22 21:30
[$] Dependency-cooldown discussions warm up
Efforts to introduce malicious code into the open-source supply chain have been on the rise in recent years, and there is no indication that they will abate anytime soon. These attacks are often found quickly, but not quickly enough to prevent the compromised code from being automatically injected into other projects or code deployed by users where it can wreak havoc. One method of avoiding supply-chain attacks is to add a delay of a few days before pulling updates in what is known as a "dependency cooldown". That tactic is starting to find favor with users and some language ecosystem package managers. While this practice is considered a reasonable response by many, others are complaining that those employing dependency cooldowns are free-riding on the larger community by letting others take the risk.
[$] One Sized trait does not fit all
In Rust, types either possess a constant size known at compile time, or a dynamically calculated size known at run time. That is fine for most purposes, but recent proposals for the language have shown the need for a more fine-grained hierarchy. RFC 3729 from David Wood and Remy Rakic would add a hierarchy of traits to describe types with sizes known under different circumstances. While the idea has been subject to discussion for many years, a growing number of use cases for the feature have come to light.
LilyPond 2.26.0 released
Version 2.26.0 of the LilyPond music-engraving program has been released. Major changes include the ability to use the Cairo library to generate output and improvements in spacing between clefs and time signatures. See the release notes for a full list of miscellaneous improvements as well as what's new with musical and specialist notation.
Four stable kernels for Wednesday
Greg Kroah-Hartman has announced the release of the 7.0.1, 6.19.14, 6.18.24, and 6.12.83 stable kernels. As usual, each contains important fixes throughout the tree. Users are encouraged to upgrade.
Security updates for Wednesday
Security updates have been issued by Debian (firefox-esr, flatpak, ngtcp2, ntfs-3g, packagekit, python-geopandas, simpleeval, strongswan, and xdg-dbus-proxy), Fedora (chromium, cups, curl, jq, opkssh, perl-Net-CIDR-Lite, python-cbor2, python-pillow, tinyproxy, xdg-dbus-proxy, and xorg-x11-server-Xwayland), Slackware (libXpm and mozilla), SUSE (botan, chromium, clamav, cockpit, cockpit-machines, cockpit-packages, cockpit-podman, cockpit-subscriptions, dovecot24, firefox, flatpak, freeipmi, gdk-pixbuf, glibc, gnome-remote-desktop, go1.25, go1.26, go1.26-openssl, google-cloud-sap-agent, gosec, graphicsmagick, haproxy, kernel, libpng16, libraw, libtasn1, libvncserver, ncurses, nebula, nodejs24, openssl-3, ovmf, pam, pcre2, perl-Authen-SASL, pgvector, plexus-utils, podman, python-cbor2, python-cryptography, python-django, python-gi-docgen, python-pypdf2, python-python-multipart, python311, python311-PyPDF2, python313, qemu, roundcubemail, rust1.94, sqlite3, strongswan, systemd, tar, tigervnc, util-linux, vim, webkit2gtk3, xorg-x11-server, xwayland, and zlib), and Ubuntu (commons-io, libcap2, ntfs-3g, and rapidjson).
Kernel code removals driven by LLM-created security reports
There are a number of ongoing efforts to remove kernel code, mostly from the networking subsystem, as an alternative to dealing with the increase in security-bug reports from large language models. The proposed removals include ISA and PCMCIA Ethernet drivers, a pair of PCI drivers, the ax25 and amateur radio subsystem, the ATM protocols and drivers, and the ISDN subsystem.
Firefox: The zero-days are numbered
This Firefox blog post reports that the Firefox 150 release includes fixes for 271 vulnerabilities found by the Claude Mythos preview.
Fedora Verified: a proposal to recognize Fedora contributor status
The Fedora Project has been wrestling with the question of who should be able to vote in Fedora elections recently, with project membership being a major topic at the Fedora Council face-to-face held in early February. Now the project is considering a new contributor status, "Fedora Verified", and is looking to get input on the idea from the community.
[$] Using LLMs to find Python C-extension bugs
The open-source world is currently awash in reports of LLM-discovered bugs and vulnerabilities, which makes for a lot more work for maintainers, but many of the current crop are being reported responsibly with an eye toward minimizing that impact. A recent report on an effort to systematically find bugs in Python extensions written in C has followed that approach. Hobbyist Daniel Diniz used Claude Code to find more than 500 bugs of various sorts across nearly a million lines of code in 44 extensions; he has been working with maintainers to get fixes upstream and his methodology serves as a great example of how to keep the human in the loop - and the maintainers out of burnout - when employing LLMs.
Firefox 150 released
Version 150 of the Firefox web browser has been released. Notable changes include local-network-access restrictions being turned on for all users, the ability to reorder, copy, delete, paste, and export pages from a PDF using Firefox's built-in viewer, as well as improvements in its split view feature, and more. See also the release notes for developers and list of security fixes in this release. (Update: Mozilla seems to have removed the local-network-access restrictions information since the release was published yesterday.)
Security updates for Tuesday
Security updates have been issued by AlmaLinux (freerdp, kernel, and kernel-rt), Debian (mupdf, opam, simpleeval, and xdg-dbus-proxy), Mageia (firefox, thunderbird and libtiff), Red Hat (containernetworking-plugins, gvisor-tap-vsock, nodejs22, nodejs:20, nodejs:22, perl-XML-Parser, python3.11, python3.9, runc, and skopeo), and SUSE (bind, buildah, cockpit-subscriptions, container-suseconnect, containerd, corosync, cosign, docker, dovecot24, flatpak, freeipmi, gegl, GraphicsMagick, helm, ImageMagick, kubernetes, kubernetes-old, libpng15, LibVNCServer, ncurses, nodejs22, opensc, openvswitch, patterns-glibc-hwcaps, podman, python, python310, python312, python315, rekor, rootlesskit, roundcubemail, and runc).
Git 2.54.0 released
Git maintainer Junio Hamano has announced Git 2.54.0, which includes contributions from 137 people; 66 of those people are first-time contributors to the project. Changes include the addition of Git history rewriting, Git's web interface (gitweb) "has been taught to be mobile friendly", and much more. See the announcement for all improvements, additions, and bug fixes. Hamano is now taking a short break:
Arch Linux now has a reproducible container image
Robin Candau has announced the availability of a bit-for-bit reproducible container image for Arch Linux:
[$] Digging into drama at The Document Foundation
The Document Foundation (TDF) is the nonprofit entity behind the LibreOffice productivity suite. Most of the time, the software takes the spotlight, but that has changed in the past few weeks, and not for pleasant reasons. TDF has revoked foundation membership status from about 30 people who work for or have contracting status with Collabora. In response, Collabora has announced plans to focus on an "entirely new, cut-down, differentiated Collabora Office" project and reduce its involvement with LibreOffice. TDF's representatives claim that its actions were necessary to maintain the foundation's nonprofit status, while other community members assert that this is part of a power grab. The facts seem to indicate that there are legitimate issues to be addressed, but it is unclear that TDF needed to go so far as to disenfranchise all Collabora-affiliated contributors.
Debian Project Leader Election 2026 results
Debian Project secretary Kurt Roeckx has announced the Debian Project Leader (DPL) election results: the winner of the election is Sruthi Chandran. She will replace two-term DPL Andreas Tille.
Security updates for Monday
Security updates have been issued by AlmaLinux (.NET 10.0, .NET 8.0, .NET 9.0, delve, freerdp, giflib, go-rpm-macros, libarchive, and openexr), Debian (gimp, imagemagick, luanti, mapserver, mupdf, opam, perl, pillow, postgresql-13, and tiff), Fedora (aqualung, awstats, curl, incus, mac, mbedtls, mingw-LibRaw, python-msal, python3.11, python3.12, python3.15, smb4k, stb, and usd), Gentoo (DTrace and FUSE), Mageia (gdk-pixbuf2.0, giflib, polkit-122, python-cairosvg, and rsync), Oracle (.NET 10.0, .NET 8.0, .NET 9.0, 389-ds-base, bind, freerdp, go-rpm-macros, kernel, libarchive, nodejs:20, openexr, perl:5.32, python, python3, squid:4, thunderbird, and uek-kernel), Slackware (tigervnc), and SUSE (aardvark-dns, avahi, bind, blender, Botan, bouncycastle, chromedriver, cpp-httplib-devel, flannel, gdk-pixbuf, GraphicsMagick, ignition, ImageMagick, jetty-annotations, jetty-minimal, kernel, kubo, leancrypto-devel, libcap, liblog4cxx-devel, libpng16-16, libraw, libraw-devel, NetworkManager, opam, openssl-3, openvswitch, openvswitch3, podman, polkit, python-cryptography, python-djangorestframework, python-Django, python-ecdsa, python311-Django, python311-jwcrypto, python311-Pillow, roundcubemail, skopeo, tempo-cli, and vim).
Seven stable kernels for Saturday
Greg Kroah-Hartman has announced the release of the 6.19.13, 6.18.23, 6.12.82, 6.6.135, 6.1.169, 5.15.203, and 5.10.253 stable kernels. Each contains a number of important fixes throughout the tree; users are advised to upgrade.
[$] A more efficient implementation of Shor's algorithm
Shor's algorithm is the main practical example of an algorithm that runs more quickly on a quantum computer than a classical computer - at least in theory. Shor's algorithm allows large numbers to be factored into their component prime factors quickly. In reality, existing quantum computers do not have nearly enough memory to factor interesting numbers using Shor's algorithm, despite decades of research. A new paper provides a major step in that direction, however. While still impractical on today's quantum computers, the recent discovery cuts the amount of memory needed to attack 256-bit elliptic-curve cryptography by a factor of 20. More interesting, however, is that the researchers chose to publish a zero-knowledge proof demonstrating that they know a quantum circuit that shows these improvements, rather than publishing the actual knowledge of how to do it.
[$] The 7.0 scheduler regression that wasn't
One of the more significant changes in the 7.0 kernel release is to use the lazy-preemption mode by default in the CPU scheduler. The scheduler developers have wanted to reduce the number of preemption modes for years, and lazy preemption looks like a step toward that goal. But then there came this report from Salvatore Dipietro that lazy preemption caused a 50% performance regression on a PostgreSQL benchmark. Investigation showed that the situation is not actually so grave, but the episode highlights just how sensitive some workloads can be to configuration changes; there may be surprises in store for other users as well.
Security updates for Friday
Security updates have been issued by AlmaLinux (.NET 8.0, .NET 9.0, freerdp, libarchive, and thunderbird), Debian (chromium, openssh, and thunderbird), Fedora (aurorae, bluedevil, breeze-gtk, buildah, cockpit, extra-cmake-modules, flatpak-kcm, grub2-breeze-theme, kactivitymanagerd, kcm_wacomtablet, kde-cli-tools, kde-gtk-config, kdecoration, kdeplasma-addons, kf6, kf6-attica, kf6-baloo, kf6-bluez-qt, kf6-breeze-icons, kf6-frameworkintegration, kf6-kapidox, kf6-karchive, kf6-kauth, kf6-kbookmarks, kf6-kcalendarcore, kf6-kcmutils, kf6-kcodecs, kf6-kcolorscheme, kf6-kcompletion, kf6-kconfig, kf6-kconfigwidgets, kf6-kcontacts, kf6-kcoreaddons, kf6-kcrash, kf6-kdav, kf6-kdbusaddons, kf6-kdeclarative, kf6-kded, kf6-kdesu, kf6-kdnssd, kf6-kdoctools, kf6-kfilemetadata, kf6-kglobalaccel, kf6-kguiaddons, kf6-kholidays, kf6-ki18n, kf6-kiconthemes, kf6-kidletime, kf6-kimageformats, kf6-kio, kf6-kirigami, kf6-kitemmodels, kf6-kitemviews, kf6-kjobwidgets, kf6-knewstuff, kf6-knotifications, kf6-knotifyconfig, kf6-kpackage, kf6-kparts, kf6-kpeople, kf6-kplotting, kf6-kpty, kf6-kquickcharts, kf6-krunner, kf6-kservice, kf6-kstatusnotifieritem, kf6-ksvg, kf6-ktexteditor, kf6-ktexttemplate, kf6-ktextwidgets, kf6-kunitconversion, kf6-kuserfeedback, kf6-kwallet, kf6-kwidgetsaddons, kf6-kwindowsystem, kf6-kxmlgui, kf6-modemmanager-qt, kf6-networkmanager-qt, kf6-prison, kf6-purpose, kf6-qqc2-desktop-style, kf6-solid, kf6-sonnet, kf6-syndication, kf6-syntax-highlighting, kf6-threadweaver, kgamma, kglobalacceld, kinfocenter, kmenuedit, knighttime, kpipewire, krdp, kscreen, kscreenlocker, ksshaskpass, ksystemstats, kwayland, kwayland-integration, kwin, kwin-x11, kwrited, layer-shell-qt, libexif, libkscreen, libksysguard, libplasma, nix, ocean-sound-theme, oxygen-sounds, pam-kwallet, plasma-activities, plasma-activities-stats, plasma-breeze, plasma-browser-integration, plasma-desktop, plasma-dialer, plasma-discover, plasma-disks, plasma-drkonqi, plasma-firewall, plasma-integration, 
plasma-keyboard, plasma-login-manager, plasma-milou, plasma-mobile, plasma-nano, plasma-nm, plasma-oxygen, plasma-pa, plasma-print-manager, plasma-sdk, plasma-setup, plasma-systemmonitor, plasma-systemsettings, plasma-thunderbolt, plasma-vault, plasma-welcome, plasma-workspace, plasma-workspace-wallpapers, plasma-workspace-x11, plasma5support, plymouth-kcm, plymouth-theme-breeze, podman, polkit-kde, powerdevil, qqc2-breeze-style, sddm-kcm, skopeo, spacebar, spectacle, thunderbird, and xdg-desktop-portal-kde), Mageia (cockpit-338), Oracle (capstone, cockpit, firefox, fontforge, freerdp, golang-github-openprinting-ipp-usb, kernel, nghttp2, nodejs:20, nodejs:24, openexr, and squid), Red Hat (gnutls, libarchive, libpng, libpng12, libpng15, libtiff, libvpx, libxslt, multiple packages, python, python3, python3.11, python3.12, and python3.9), Slackware (libxml2), SUSE (apache-pdfbox, azure-storage-azcopy, corosync, cups, freerdp, iproute2, libsdb2_4_2, libtpms, NetworkManager, openssl-1_1, ovmf, plexus-utils, python, python-CairoSVG, python-jwcrypto, python-PyJWT, python-pyOpenSSL, python-urllib3, python3, python314, rust1.93, shim, smc-tools, terraform-provider-local, terraform-provider-random, terraform-provider-tls, thunderbird, tiff, util-linux, and vim), and Ubuntu (libowasp-esapi-java, linux, linux-aws, linux-aws-5.15, linux-gcp, linux-gke, linux-gkeop, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-oracle, linux, linux-aws, linux-aws-6.8, linux-gcp, linux-gke, linux-gkeop, linux-ibm, linux-lowlatency, linux-lowlatency-hwe-6.8, linux, linux-realtime, linux-aws-fips, linux-fips, linux-gcp-fips, linux-fips, linux-gcp-fips, linux-gcp, linux-gcp-6.17, linux-hwe-5.15, linux-intel-iot-realtime, linux-realtime, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, linux-nvidia-tegra, linux-nvidia-tegra, linux-nvidia-tegra-igx, linux-realtime, linux-realtime-6.8, linux-realtime-6.17, ofono, and ruby-rack).
Rust 1.95.0 released
Version 1.95.0 of the Rust language has been released. Changes include the addition of a cfg_select! macro, the capability to use if let guards to allow conditionals based on pattern matching, and many newly stabilized APIs. See the release notes for a full list of changes.
Forgejo 15.0 released
Version 15.0 of the Forgejo code-collaboration platform has been released. Changes include repository-specific access tokens, a number of improvements to Forgejo Actions, user-interface enhancements, and more. Forgejo 15.0 is considered a long-term-support (LTS) release, and will be supported through July 15, 2027. The previous LTS, version 11.0, will reach end of life on July 16, 2026. See the announcement and release notes for a full list of changes.
[$] The first half of the 7.1 merge window
The 7.1 merge window opened on April 12 with the release of the 7.0 kernel. Since then, 3,855 non-merge changesets have been pulled into the mainline repository for the next release. This merge window is thus just getting started, but there has still been a fair amount of interesting work moving into the mainline.
KDE Gear 26.04 released
Version 26.04 of the KDE Gear collection of applications has been released. Notable changes include improvements in the Merkuro Calendar schedule view and event editor, support for threads in the NeoChat Matrix chat client, as well as the ability to add keyboard shortcuts in the Dolphin file manager "to nearly any option in any menu, plugin or extension". See the changelog for a full list of updates, enhancements, and bug fixes.
Security updates for Thursday
Security updates have been issued by AlmaLinux (bind, bind9.16, bind9.18, cockpit, fence-agents, firefox, fontforge, git-lfs, grafana, grafana-pcp, kernel, nghttp2, nginx, nginx:1.24, nginx:1.26, nodejs:20, nodejs:22, nodejs:24, pcs, perl-XML-Parser, perl:5.32, resource-agents, squid:4, thunderbird, and vim), Debian (incus, lxd, and python3.9), Fedora (cef, composer, erlang, libpng, micropython, mingw-openexr, moby-engine, NetworkManager-ssh, perl, perl-Devel-Cover, perl-PAR-Packer, polymake, pypy, python-cairosvg, python-flask-httpauth, and python3.15), Mageia (kernel, kmod-virtualbox, kmod-xtables-addons and kernel-linus), Oracle (cockpit, bind, bind9.16, bind9.18, firefox, git-lfs, go-toolset:ol8, grafana, grafana-pcp, grub2, kea, kernel, libtiff, nghttp2, nginx, nginx:1.24, nginx:1.26, nodejs22, nodejs24, nodejs:22, nodejs:24, perl-XML-Parser, python3.9, thunderbird, uek-kernel, and vim), Red Hat (delve, go-toolset:rhel8, golang, golang-github-openprinting-ipp-usb, osbuild-composer, and rhc), SUSE (bind, Botan, cockpit, cockpit-subscriptions, expat, flatpak, glibc, goshs, himmelblau, kea, kernel, kubo, libpng16, libssh, log4j, mariadb, Mesa, netty, netty-tcnative, nfs-utils, nghttp2, nodejs20, openssl-3, pam, pcre2, python, python310, python311, python311-aiohttp, python311-rfc3161-client, python313, python36, rubygem-bundler, sqlite3, sudo, tigervnc, tomcat, tomcat10, tomcat11, util-linux, vim, and webkit2gtk3), and Ubuntu (dotnet8, dotnet9, dotnet10, frr, and linux-azure, linux-azure-4.15).
[$] LWN.net Weekly Edition for April 16, 2026
Inside this week's LWN.net Weekly Edition:
FSF clarifies its stance on AGPLv3 additional terms
OnlyOffice CEO Lev Bannov has recently claimed that the Euro-Office fork of the OnlyOffice suite violates the GNU Affero General Public License version 3 (AGPLv3). Krzysztof Siewicz of the Free Software Foundation (FSF) has published an article on the FSF's position on adding terms to the AGPLv3. In short, Siewicz concludes that OnlyOffice has added restrictions to the license that are not compatible with the AGPLv3, and those restrictions can be removed by recipients of the code.
[$] Forking Vim to avoid LLM-generated code
Many people dislike the proliferation of Large Language Models (LLMs) in recent years, and so make an understandable attempt to avoid them. That may not be possible in general, but there are two new forks of Vim that seek to provide an editing environment with no LLM-generated code. EVi focuses on being a modern Vim without LLM-assisted contributions, while Vim Classic focuses on providing a long-term maintenance version of Vim 8. While both are still in their early phases, the projects look to be on track to provide stable alternatives - as long as enough people are interested.
Security updates for Wednesday
Security updates have been issued by AlmaLinux (capstone, cockpit, firefox, git-lfs, golang-github-openprinting-ipp-usb, kea, kernel, nghttp2, nodejs24, openexr, perl-XML-Parser, rsync, squid, and vim), Debian (imagemagick, systemd, and thunderbird), Slackware (libexif and xorg), SUSE (bind, clamav, firefox, freerdp2, giflib, go1.25, go1.26, helm, ignition, libpng16, libssh, oci-cli, rust1.92, strongswan, sudo, xorg-x11-server, and xwayland), and Ubuntu (rust-tar and rustc, rustc-1.76, rustc-1.77, rustc-1.78, rustc-1.79, rustc-1.80).
Zig 0.16.0 released
The Zig project has announced version 0.16.0 of the Zig programming language.
[$] Tagging music with MusicBrainz Picard
Part of the "fun" that comes with curating a self-hosted music library is tagging music so that it has accurate and uniform metadata, such as the band names, album titles, cover images, and so on. This can be a tedious endeavor, but there are quite a few open-source tools to make this process easier. One of the best, or at least my favorite, is MusicBrainz Picard. It is a cross-platform music-tagging application that pulls information from the well-curated, crowdsourced MusicBrainz database project and writes it to almost any audio file format.
OpenSSL 4.0.0 released
Version 4.0.0 of the OpenSSL cryptographic library has been released. This release includes support for a number of new cryptographic algorithms and has a number of incompatible changes as well; see the announcement for the details.
Security updates for Tuesday
Security updates have been issued by Debian (gdk-pixbuf, gst-plugins-bad1.0, and xdg-dbus-proxy), Fedora (chromium, deepin-image-viewer, dtk6gui, dtkgui, efl, elementary-photos, entangle, flatpak, freeimage, geeqie, gegl04, gthumb, ImageMagick, kf5-kimageformats, kf5-libkdcraw, kf6-kimageformats, kstars, libkdcraw, libpasraw, LibRaw, luminance-hdr, nomacs, OpenImageIO, OpenImageIO2.5, photoqt, python-cryptography, rawtherapee, shotwell, siril, swayimg, vips, and webkitgtk), Red Hat (firefox and podman), Slackware (libarchive), SUSE (expat, glibc, GraphicsMagick, libcap-devel, libpng16, libtpms, nodejs24, openssl-1_0_0, openssl-1_1, openssl-3, openvswitch, polkit, python-requests, python311-biopython, python312, python39, and tigervnc), and Ubuntu (corosync, kvmtool, libxml-parser-perl, linux-azure, linux-azure, linux-azure-6.17, linux-azure, linux-azure-6.8, policykit-1, redis, lua5.1, lua-cjson, lua-bitop, rustc, vim, and xdg-dbus-proxy).
[$] Development statistics for the 7.0 kernel
Linus Torvalds released the 7.0 kernel as expected on April 12, ending a relatively busy development cycle. The 7.0 release brings a large number of interesting changes; see the LWN merge-window summaries (part 1, part 2) for all the details. Here, instead, comes our traditional look at where those changes came from and who supported that work.
[$] A build system aimed at license compliance
The OpenWrt One is a router powered by the open-source firmware from the OpenWrt project; it was also the subject of a keynote at SCALE in 2025 given by Denver Gingerich of the Software Freedom Conservancy (SFC), which played a big role in developing the router. Gingerich returned to the conference in 2026 to talk about the build system used by the OpenWrt One, which is focused on creating the needed binaries, naturally, but doing so in a way that makes it easy to comply with the licenses of the underlying code. That makes good sense for a project of this sort - and for a talk given by the director of compliance at SFC.
Servo now on crates.io
The Servo project has announced the first release of servo as a crate for use as a library.
Security updates for Monday
Security updates have been issued by AlmaLinux (fontforge, freerdp, libtiff, nginx, nodejs22, and openssh), Debian (bind9, chromium, firefox-esr, flatpak, gdk-pixbuf, inetutils, mediawiki, and webkit2gtk), Fedora (corosync, libcap, libmicrohttpd, libpng, mingw-exiv2, mupdf, pdns-recursor, polkit, trafficserver, trivy, vim, and yarnpkg), Mageia (libpng12, openssl, python-django, python-tornado, squid, and tomcat), Red Hat (rhc), Slackware (openssl), SUSE (chromedriver, chromium, cockpit, cockpit-machines, cockpit-podman, cockpit-tukit, crun, firefox, fontforge-20251009, glibc, go1, helm3, libopenssl-3-devel, libpng16, libradcli10, libtasn1, nghttp2, openssl-1_0_0, openssl-1_1, ovmf, perl-XML-Parser, python-cryptography, python-Flask-HTTPAuth, python311-Django4, python313-Django6, python315, sudo, systemd, tar, tekton-cli, tigervnc, util-linux, and zlib), and Ubuntu (mongodb, qemu, and retroarch).
The 7.0 kernel has been released
Linus has released the 7.0 kernel after a busy nine-week development cycle.
A set of Saturday stable kernel updates
The 6.19.12, 6.18.22, 6.12.81, 6.6.134, and 6.1.168 stable kernel updates have been released; each contains another set of important fixes.
[$] Removing read-only transparent huge pages for the page cache
Things do not always go the way kernel developers think they will. When the kernel gained support for the creation of read-only transparent huge pages for the page cache in 2019, the developer of that feature, Song Liu, added a Kconfig file entry promising that support for writable huge pages would arrive "in the next few release cycles". Over six years later, that promise is still present, but it will never be fulfilled. Instead, the read-only option will soon be removed, reflecting how the core of the memory-subsystem has changed underneath this particular feature.
Security updates for Friday
Security updates have been issued by AlmaLinux (container-tools:rhel8, fontforge, freerdp, go-toolset:rhel8, gstreamer1-plugins-bad-free, gstreamer1-plugins-base, and gstreamer1-plugins-good, kernel, kernel-rt, libtasn1, mariadb:10.11, mysql:8.4, nginx:1.24, openssh, pcs, python-jinja2, python3.9, ruby:3.1, vim, virt:rhel and virt-devel:rhel, and xmlrpc-c), Debian (libyaml-syck-perl and openssh), Fedora (cockpit, crun, dnsdist, doctl, fido-device-onboard, libcgif, libpng12, libpng15, mbedtls, opensc, and util-linux), Red Hat (git-lfs, go-toolset:rhel8, grafana, grafana-pcp, and rhc), Slackware (libpng), SUSE (389-ds, aws-c-event-stream, bind, cockpit, cockpit-repos, corepack24, dcmtk, dnsdist, docker-compose, expat, firefox, firefox-esr, gnome-online-accounts, gvfs, gnutls, jupyter-jupyterlab-templates, kea, libIex-3_4-33, libpng16, mapserver, perl-XML-Parser, postgresql13, postgresql16, python-Pillow, python311-lupa, thunderbird, tigervnc, and tomcat10), and Ubuntu (linux-azure-fips, linux-hwe, linux-intel-iot-realtime, linux-nvidia-tegra-5.15, openssl, openssl1.0, and python-django).
[$] A flood of useful security reports
The idea of using large language models (LLMs) to discover security problems is not new. Google's Project Zero investigated the feasibility of using LLMs for security research in 2024. At the time, they found that models could identify real problems, but required a good deal of structure and hand-holding to do so on small benchmark problems. In February 2026, Anthropic published a report claiming that the company's most recent LLM at that point in time, Claude Opus 4.6, had discovered real-world vulnerabilities in critical open-source software, including the Linux kernel, with far less scaffolding. On April 7, Anthropic announced a new experimental model that is supposedly even better; which they have partnered with the Linux Foundation to supply to some open-source developers with access to the tool for security reviews. LLMs seem to have progressed significantly in the last few months, a change which is being noticed in the open-source community.
Relicensing versus license compatibility (FSF Blog)
The Free Software Foundation has published a short article on relicensing versus license compatibility.
Security updates for Thursday
Security updates have been issued by Debian (firefox-esr, postgresql-13, and tiff), Fedora (bind, bind-dyndb-ldap, cef, opensc, python-biopython, python-pydicom, and roundcubemail), Slackware (mozilla), SUSE (ckermit, cockpit-repos, dnsdist, expat, freerdp, git-cliff, gnutls, heroic-games-launcher, libeverest, openssl-1_1, openssl-3, polkit, python-poetry, python-requests, python311-social-auth-app-django, and SDL2_image-devel), and Ubuntu (dogtag-pki, gdk-pixbuf, linux, linux-aws, linux-aws-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-ibm, linux-ibm-5.15, linux-intel-iotg, linux-intel-iotg-5.15, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-nvidia-tegra, linux-nvidia-tegra-igx, linux-oracle, linux-oracle-5.15, linux-raspi, linux-xilinx-zynqmp, linux-aws-6.8, linux-gcp-6.8, linux-hwe-6.8, linux-ibm-6.8, linux-lowlatency-hwe-6.8, linux-fips, linux-aws-fips, linux-gcp-fips, linux-oracle, linux-oracle-6.17, linux-raspi, linux-realtime, openssl, and squid).
[$] LWN.net Weekly Edition for April 9, 2026
Inside this week's LWN.net Weekly Edition:
[$] Ripping CDs and converting audio with fre:ac
It has been a little while since LWN last surveyed tools for managing a digital music collection. In the intervening decades, many Linux users have moved on to music streaming services, found them wanting, and are looking to curate their own collection once again. There are plenty of choices when it comes to ripping, managing, and playing digital audio; so many, in fact, that it can be a bit daunting. After years of tinkering, I've found a few tools that work well for managing my digital library: the first I'd like to cover is the fre:ac free audio encoder for ripping music from CDs and converting between audio formats.
[$] An API for handling arithmetic overflow
On March 31, Kees Cook shared a patch set that represents the culmination of more than a year of work toward eliminating the possibility of silent, unintentional integer overflow in the kernel. Linus Torvalds was not pleased with the approach, leading to a detailed discussion about the meaning of "safe" integer operations and the design of APIs for handling integer overflows. Eventually, the developers involved reached a consensus for a different API that should make handling overflow errors in the kernel much less of a hassle.
Nix privilege escalation security advisory
The NixOS project has announced a critical vulnerability in many versions of the Nix package manager's daemon. The flaw was introduced as part of a fix for a prior vulnerability in 2024. According to the advisory, all default configurations of NixOS and systems building untrusted derivations are impacted.
Security updates for Wednesday
Security updates have been issued by Debian (openssl), Fedora (corosync, goose, kea, pspp, and rauc), Mageia (python-pygments, roundcubemail, and tigervnc), SUSE (bind, gimp, google-cloud-sap-agent, govulncheck-vulndb, ignition, ImageMagick, python, python-PyJWT, and python-pyOpenSSL), and Ubuntu (adsys, juju-core, lxd, python-django, and salt).
[$] Sharing stories on Scuttlebutt
Not many people live on sailboats. Things may be better these days, but back in 2014 sailboat dwellers had to contend with lag-prone, intermittent, low-bandwidth internet connections. Dominic Tarr decided to fix the problem of keeping up with his friends by developing a delay-tolerant, fully distributed social-media protocol called Scuttlebutt. Nearly twelve years later, the protocol has gained a number of users who have their own, non-sailboat-related reasons to prefer a censorship-resistant, offline-first social-media system.