LWN.net

Greg Kroah-Hartman has announced the release of the 6.19.8, 6.18.18, and 6.12.77 stable kernels. Each of thesekernels includes a number of important fixes; users are advised toupgrade.

Reddit user "Ok_Lingonberry3296" has posted theresults of an extensive investigation into the companies that arepushing US state legislatures to enact age-verification bills.

Qualys has sent out asomewhat breathless advisory describing a number of vulnerabilities inthe AppArmor security module, which is used in a number of Debian-baseddistributions (among others).

In 2019, researchers published a way toidentify which file-backed pageswere being accessed on a system using timing information from the page cache,leading to a handful of unpleasant consequences and a change to the design ofthemincore() system call. Discussion at the timeled to a number of ad-hoc patches to address theproblem. The lack of new page-cache attacks suggested that attempts to fixthings in a piecemeal fashion had succeeded. Now, however, Sudheendra Raghav Neela,Jonas Juffinger, Lukas Maar, and Daniel Gruss havefound a new set ofholes in the Linux kernel's page-cache-timing protections that allowthe same general class of attack.

Security updates have been issued by Debian (chromium, kernel, and multipart), Fedora (dnf5, dr_libs, easyrpg-player, libmaxminddb, python3.12, strongswan, task, and udisks2), Oracle (.NET 10.0, .NET 8.0, .NET 9.0, gnutls, ImageMagick, kernel, libvpx, mingw-libpng, nginx:1.26, python3.11, and uek-kernel), Red Hat (delve, git-lfs, mingw-libpng, osbuild-composer, and rhc-worker-playbook), SUSE (cjson, curl, dnsdist, libsoup2, postgresql16, postgresql17, postgresql18, python-lxml_html_clean, python-pypdf2, python36, and thunderbird), and Ubuntu (dotnet8, dotnet9, dotnet10, freetype, golang-github-go-git-go-git, golang-golang-x-net, openssh, python-cryptography, sudo, and util-linux).

One of the first changes merged for the upcoming 7.0 release was nullfs,an empty filesystem that cannot actually contain any files. One mightlogically wonder why the kernel would need such a thing. It turns out,though, that there are places where a null filesystem can come in handy.For 7.0, nullfs will be used to make life a bit easier for initprograms; future releases will likely use nullfs to increase the isolationof kernel threads from the init process.

Sasha Levin has announced the release of the 6.19.7 and 6.18.17 stable kernels. As usual, eachcontains important fixes throughout the tree; users are advised toupgrade.

Security updates have been issued by AlmaLinux (gimp, git-lfs, grafana-pcp, kernel, mysql8.4, nfs-utils, opentelemetry-collector, osbuild-composer, postgresql:16, and python3.12), Debian (imagemagick and netty), Fedora (dr_libs and python-lxml-html-clean), Slackware (libarchive and libxml2), SUSE (busybox, coredns, firefox, freerdp, ghostty, gnutls, go1.25, go1.26, GraphicsMagick, grype, helm, helm3, ImageMagick, perl-Compress-Raw-Zlib, python, python311-lxml_html_clean, python311-PyPDF2, tomcat11, and traefik), and Ubuntu (curl, gimp, and libpng).

Inside this week's LWN.net Weekly Edition:

A recently enacted law in California imposes an age-verification requirement onoperating-system providers beginning next year. The language of the DigitalAge Assurance Act does not restrict its requirements to proprietary or commercialoperating systems; projects like Debian, FreeBSD, Fedora, and others seem to be onthe hook just as much as Apple or Microsoft. There is some hope that the law will beamended, but there is no guarantee that it will be. This means that the developercommunities behind Linux distributions are having to discuss whether and how tocomply with the law with little time and even less legal guidance.

Igalia has announcedthe Moonforge Linuxdistribution, based on OpenEmbeddedand Yocto.

There has been ongoing discussion in theInternet Engineering Task Force (IETF)about how to protect internet traffic against future quantum computers. So far,that work has focused on key exchange as the most urgent problem; now,a new IETF working group is looking at adopting post-quantum cryptographyfor authentication and certificate transparency as well. The main challenge todoing so is the increased size ofcertificates - around 40 times larger. The techniques that the working group is investigatingto reduce that overhead could have efficiency benefits for traditionalcertificates as well.

Security updates have been issued by AlmaLinux (kernel, kernel-rt, libvpx, nfs-utils, nginx:1.26, osbuild-composer, postgresql, postgresql:12, postgresql:13, postgresql:15, postgresql:16, and python-pyasn1), Debian (imagemagick), Fedora (perl-Crypt-SysRandom-XS and systemd), Mageia (yt-dlp), Oracle (delve, gimp, git-lfs, go-rpm-macros, image-builder, kernel, libpng, libvpx, mysql8.4, nfs-utils, osbuild-composer, postgresql16, postgresql:12, postgresql:13, postgresql:15, postgresql:16, python-pyasn1, python3, python3.12, python3.9, and thunderbird), SUSE (python-aiohttp, python-maturin, python311-pymongo, rclone, and util-linux), and Ubuntu (linux-nvidia, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, and python-geopandas).

The advent of lazy imports in the Python language is upon us, now that PEP 810 ("Explicit lazyimports") was accepted by the steeringcouncil and the feature will appear in the upcoming Python 3.15 releasein October. There are a number of good reasons,performance foremost, for wanting to defer spending-perhaps wasting-thetime to do an import before a needed symbol is used. However, there arealso good reasons not to want that behavior, at least in some cases. Thetension between those two positions is what led to an earlier PEP rejection,but it is also playing into a recent discussion of the API used to controllazy imports.

Reuters is reportingthat private-equity firm EQT may be looking to sell SUSE:

Debian is the latest in an ever-growing list of projects to wrestle (again)with the question of LLM-generated contributions; the latest debate stared inmid-February, afterLucas Nussbaum opened adiscussion with a draft general resolution (GR) on whether Debian shouldaccept AI-assisted contributions. It seems to have, mostly, subsided without a GRbeing put forward or any decisions being made, but the conversation was illuminatingnonetheless.

Security updates have been issued by Debian (imagemagick), Fedora (chromium, matrix-synapse, mingw-zlib, perl-Net-CIDR, polkit, and rust-pythonize), Mageia (coturn, firefox, and thunderbird), Oracle (delve, git-lfs, gnutls, go-rpm-macros, image-builder, kernel, libsoup, nfs-utils, nginx:1.24, osbuild-composer, postgresql, thunderbird, udisks2, and valkey), Red Hat (grafana, image-builder, and opentelemetry-collector), SUSE (c3p0 and mchange-commons, corepack24, go1, ImageMagick, python-Flask, tomcat, tomcat10, tomcat11, virtiofsd, and weblate), and Ubuntu (apache2 and yara).

Python has aunique approach to static typing. Python programs can contain typeannotations, and even access those annotations at run time, but the annotationsaren't evaluated by default. Instead, it is up to external programs to ascribemeaning to those annotations. The annotations themselves can be arbitrary Pythonexpressions, but in practice usually involve using helpers from the built-intyping module, the meanings of which external type-checkers mostlyagree upon. Yet the type system implicitly defined by the typing moduleand common type-checkers is insufficiently powerful to model all of the kinds ofdynamic metaprogramming found in real-world Python programs.PEP 827 ("Type Manipulation")aims to add additionalcapabilities to Python's type system to fix this, butdiscussionof the PEP has been of mixed sentiment.

Version9.0.0 of the digiKam photo-management system has beenreleased. "This major version introduces groundbreakingimprovements in performance, usability, and workflow efficiency, witha strong focus on modernizing the user interface, enhancing metadatamanagement, and expanding support for new camera models and fileformats." Some of the changes include anew survey tool, more advanced search and sorting options, as wellas bulkediting of geolocation coordinates.

Security updates have been issued by AlmaLinux (delve, git-lfs, and postgresql16), Fedora (cef, chezmoi, chromium, coturn, erlang-hex_core, firefox, gh, gimp, k9s, keylime, keylime-agent-rust, libsixel, microcode_ctl, nextcloud, nss, perl-Crypt-URandom, pgadmin4, php-zumba-json-serializer, postgresql16-anonymizer, prometheus, python-asyncmy, python3.10, python3.11, python3.9, staticcheck, valkey, and vim), SUSE (chromedriver, chromium, coredns, expat, freetype2-devel, gitea-tea, go1.24-openssl, go1.25-openssl, grpc, gstreamer-rtsp-server, gstreamer-plugins-ugly,, helm, jetty-annotations, kubeshark-cli, libaec, libblkid-devel, libsoup, libxml2, libxslt, NetworkManager-applet-strongswan, podman, python-joserfc, python-Markdown, python-pypdf2, python-tornado, python-uv, python311-Django, python311-joserfc, python311-nltk, roundcubemail, and valkey), and Ubuntu (python3.4, python3.5, python3.6, python3.7, python3.8, python3.9, python3.10, python3.11, python3.12, python3.13, python3.14).

Linus has released 7.0-rc3 for testing."So it's still pretty early in the release cycle, and it just feels abit busier than I'd like. But nothing particularly stands out or looksbad."

Geoff Huston looks at the networktime protocol, and efforts to secure it, in detail.

In early February, members of the Fedora Council met in Tirana,Albania to discuss and set the strategic direction for the Fedora Project. Thecouncil has publishedsummaries from its strategy summit, and Fedora Project Leader (FPL) Jef Spaleta,as well as some of the council members, held a video meeting to discuss outcomes fromthe summit on February25. Topics included a plan to experiment with Open Collective to raisefunds for specific Fedora projects, tools to build image-based editions, andmore. Spaleta also explained his model for Fedora governance.

Version25.12.0 of the OpenWrt router distribution is available; this releasehas been dedicated to the memory of Dave Taht. Changes include a switch tothe apk package manager, the integration of the attendedsysupgrade method, and support for a long list of new targets.

Security updates have been issued by Debian (chromium), Fedora (freerdp, libsixel, opensips, and yt-dlp), Mageia (python-django, rsync, and vim), Red Hat (go-rpm-macros and osbuild-composer), SUSE (7zip, assertj-core, autogen, c3p0, cockpit-machines, cockpit, cockpit-repos, containerized-data-importer, cpp-httplib, docker, docker-stable, expat, firefox, gnutls, go1.25-openssl, golang-github-prometheus-prometheus, haproxy, ImageMagick, incus, kernel, kubevirt, libsoup, libsoup2, mchange-commons, ocaml, openCryptoki, openvpn, php-composer2, postgresql14, postgresql15, python-Authlib, python-azure-core, python-nltk, python-urllib3_1, python311-Django4, python311-pillow-heif, python311-PyPDF2, python313, python313-Django6, qemu, rhino, roundcubemail, ruby4.0-rubygem-rack, sdbootutil, and wicked2nm), and Ubuntu (less, nss, python-bleach, qtbase-opensource-src, and zutty).

Version1.94.0 of the Rust language has been released. Changes include arraywindows (an iterator for slices), some Cargo enhancements, and a numberof newly stabilized APIs.

The grith.ai blog reportson an LLM prompt-injection vulnerability that led to 4,000 installations ofa compromised version of the Cline utility.

Chardetis a Python module that attempts to determine which character set was usedto encode a text string. It was originally written by Mark Pilgrim, who isalso the author of a number of Python books; the 1.0 release happened in2006. For many years, this module has been under the maintainership ofDan Blanchard. Chardet has always been licensed under the LGPL, but, withthe 7.0.0release, Blanchard changed the terms to the permissive MIT license.That has led to an extensive (and ongoing) discussion on when code can berelicensed against the wishes of its original author, and whether using alarge language model to rewrite code is a legitimate way to strip copyleftrequirements from code.

Peter Korsgaard has announced version 2026.02 of Buildroot, a tool for generatingembedded Linux systems through cross-compilation. Notable changesinclude added support for HPPA, use of the 6.19.x kernel headers bydefault, better SBOM generation, and more.

Sasha Levin has announced the release of the 6.12.76, 6.6.129, and 6.1.166 stable kernels. These releasesaddress a regression reportedby Peter Schneider; Levin said that an upgrade is only necessary forthose who have observed a build failure with the 6.12.75, 6.6.128, or6.1.165 kernels.

The multi-generational LRU (MGLRU) is analternative memory-management algorithm that was merged for the 6.1 kernelin late 2022. It brought a promise of much-improved performance andsimplified code. Since then, though, progress on MGLRU has stalled, and itstill is not enabled on many systems. As the 2026 Linux Storage,Filesystem, Memory-Management and BPF Summit (LSFMM+BPF) approaches,several memory-management developers have indicated a desire to talk aboutthe future of MGLRU. While some developers are looking for ways to improvethe subsystem, another has called for it to be removed entirely.

Security updates have been issued by AlmaLinux (go-rpm-macros, libpng, thunderbird, udisks2, and valkey), Fedora (coturn, php-zumba-json-serializer, valkey, and yt-dlp), Red Hat (delve, go-rpm-macros, grafana, grafana-pcp, image-builder, osbuild-composer, and postgresql), Slackware (nvi), SUSE (firefox, glibc, haproxy, kernel, kubevirt, libsoup, libsoup2, libxslt, mozilla-nss, ocaml, python, python-Django, python-pip, util-linux, virtiofsd, wicked2nm,suse-migration-services,suse-migration- sle16-activation,SLES16-Migration,SLES16-SAP_Migration, and wireshark), and Ubuntu (gimp, linux-aws, linux-lts-xenial, linux-aws-fips, linux-azure, linux-azure-fips, linux-fips, nss, postgresql-14, postgresql-16, postgresql-17, and qemu).

Inside this week's LWN.net Weekly Edition:

Sasha Levin has announced the release of the 6.19.6, 6.18.16, 6.12.75, 6.6.128, 6.1.165, 5.15.202, and 5.10.252 stable kernels. Each containsimportant fixes throughout the tree; users of these kernels areadvised to upgrade.

Security updates have been issued by AlmaLinux (container-tools:rhel8, firefox, go-rpm-macros, kernel, kernel-rt, mingw-fontconfig, nginx:1.24, thunderbird, and valkey), Debian (gimp), Fedora (apt, avr-binutils, keylime, keylime-agent-rust, perl-Crypt-URandom, python-apt, and rsync), Red Hat (go-rpm-macros and yggdrasil-worker-package-manager), Slackware (python3), SUSE (busybox, cosign, cups, docker, evolution-data-server, freerdp, glibc, gnome-remote-desktop, go1.24-openssl, go1.25-openssl, govulncheck-vulndb, libpng16, libsoup, libssh, libxml2, patch, postgresql14, postgresql15, postgresql16, postgresql17, postgresql18, python, python311, rust-keylime, smc-tools, tracker-miners, and zlib), and Ubuntu (curl, imagemagick, intel-microcode, linux, linux-aws, linux-kvm, linux-aws, linux-aws-5.15, linux-gcp-5.15, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-nvidia-tegra-5.15, linux-nvidia-tegra-igx, linux-oracle-5.15, linux-aws-fips, and linux-raspi, linux-raspi-5.4).

Jujutsu is an increasingly popular Git-compatible version-control system. It hasa focus on simplifying Git's conceptual model to produce a smoother, clearer command-lineexperience. Some people already have a preferred replacement for Git's usualcommand-line interface, though:Magit, an Emacs package for working with Gitrepositories that also tries to make the interface morediscoverable.Now, a handful of people are working to implement a Magit-style interface for Jujutsu:Majutsu.

This404 Media article looks at how the US Customs and Border Protectionagency (CBP) is using location data from phones to track the location ofpeople of interest.

One of the contradictions of the modern open-source movement isthat projects which respect user freedoms often rely on proprietarytools that do not: communities often turn to non-free software forcode hosting, communication, and more. At Configuration ManagementCamp (CfgMgmtCamp) 2026, Jan Ainali spokeabout the need for open-source projects to adopt open tools; he hoped to persuade new and mature projects to switch to openalternatives, even if just one tool, to reduce their dependencies ontech giants and support community-driven infrastructure.

Matthew Garrett examinesthe factors that go into the decision about whether to install afirmware update or not.

Security updates have been issued by AlmaLinux (containernetworking-plugins, gnutls, kernel, libpng, and skopeo), Debian (firefox-esr, php8.2, and spip), Fedora (erlang and python-pillow), Red Hat (go-toolset:rhel8, golang, and yggdrasil), SUSE (cups, fluidsynth, gvfs, haproxy, libsoup, libsoup-3_0-0, mozilla-nss, python-azure-core, and shim), and Ubuntu (git and mailman).

There are many applications that need to be able to write multi-blockchunks of data to disk with the assurance that the operation will eithercomplete successfully or fail altogether - that the write will not bepartially completed (or "torn"), in other words. For years, kerneldevelopers have worked on providing atomic writes as a way of satisfyingthat need; see, for example, sessions from the Linux Storage, Filesystem,Memory Management, and BPF (LSFMM+BPF) Summit from 2023, 2024,and 2025 (twice). While atomic direct I/O is now supported by some filesystems, atomicbuffered I/O still is not. Fillingthat gap seems certain to be a 2026 LSFMM+BPF topic but, thanks to an earlydiscussion, the shape of a solution might already be coming into focus.

Toke Hoiland-Jorgensen has posted anoverview of how zero-copy networking works in the Linux kernel.

Version 7.3 of Texinfo, the GNU documentation-formatting system, has been released. It contains a number of new features, performance improvements, and enhancements.

The free and open-source software (FOSS) movements have always beenabout giving freedom and power to individuals and organizations;throughout that history, though, there have also been actors tryingto exploit FOSS to their own advantage. At Configuration ManagementCamp (CfgMgmtCamp) 2026 in Ghent, Belgium, Richard Fontana describedthe "exploitation paradox" of open source: the recurringpattern of crises when actors exploit loopholes to restrict freedomsor gain the upper hand over others in the community. He also talkedabout the attempts to close those loopholes as well as the need tolook beyond licenses as a means of keeping freedom alive.

Motorola has announcedthat it will be working with the GrapheneOS Foundation, a producer of asecurity-enhanced Android distribution. "Together, Motorola and theGrapheneOS Foundation will work to strengthen smartphone security andcollaborate on future devices engineered with GrapheneOScompatibility.". LWN looked atGrapheneOS last July.

Version1.0 of Gram, an "opinionated fork of the Zed code editor",has been released. Gram removes telemetry, AI features, collaborationfeatures, and more. It adds built-in documentation, support foradditional languages, and tab-completion features similar to the Supertabplugin for Vim. The mission statement forthe project explains:

Security updates have been issued by Debian (lxd, orthanc, and thunderbird), Fedora (cef, chromium, gimp, nextcloud, pgadmin4, python-django4.2, python-django5, python3-docs, python3.12, python3.13, and python3.9), Oracle (container-tools:rhel8 and mingw-fontconfig), Slackware (gvfs, mozilla, and telnet), SUSE (avahi, cockpit-356, cockpit-podman, cockpit-podman-120, containerized-data-importer, digger-cli, docker, evolution-data-server, expat, firefox, freerdp2, gimp, glib2, glibc, go1, google-guest-agent, google-osconfig-agent, gosec, gpg2, heroic-games-launcher, ImageMagick, kernel, kernel-firmware, kubevirt, libIex-3_4-33, libjxl-devel, libpng16, libsodium, libsoup, libsoup2, libssh, libudisks2-0, libwireshark19, protobuf, python-pyasn1, python-urllib3, python311, python311-Flask, rust-keylime, thunderbird, ucode-intel, and valkey), and Ubuntu (git).

The 7.0-rc2 kernel prepatch is out fortesting. According to Linus:

Version 1.24.0 of the groff text-formatting system has been released.Improvements include the ability to insert hyperlinks between man pages, anew polygon command for the pic preprocessor, variousPDF-output improvements, and more.

The Python bitwise-inversion (or complement) operator, "~", behavespretty much as expected when it is applied to integers-it toggles everybit, from oneto zero and vice versa. It might be expected that applying theoperator to a non-integer, a boolfor example, would raise a TypeError, but, because thebool type is really an intin disguise, the complement operator is allowed, at least for now. Fornearly 15years (and perhaps longer), there have been discussions about theoddity of that behavior and whether it should be changed. Eventually,that resulted in the "feature" being deprecated, producing a warning, with removal slated forPython3.16 (due October 2027). That has led to some reconsideration and thedeprecation may itself be deprecated.