Feed lwn LWN.net

Link https://lwn.net/
Feed http://lwn.net/headlines/rss
Updated 2026-03-21 12:45
b4 v0.15.0 released
Version 0.15.0 of the b4 patch-management tool is out. Highlights in this release include the b4 review workflow manager for maintainers (covered briefly in this article), b4 dig, which can find the original mailing-list submission behind a commit, three-way-merge support in b4 shazam, and more. See the release notes for details.
Agama 19 released
Version 19 of the Agama installer for openSUSE and SUSE has been released. This release includes major changes in Agama's architectural design, organization of the web interface, and more.
[$] A truce in the Manjaro governance struggle
Members of the Manjaro Linux distribution's community have published a "Manjaro 2.0 Manifesto" that contains a list of complaints and a demand to restructure the project to provide a clear separation between the community and Manjaro as a company. The manifesto asserts that the project's leadership is not acting in the best interests of the community, which has caused developers to leave and innovation to stagnate. It also demands a handover of the Manjaro trademark and other assets to a to-be-formed nonprofit association. The responses on the Manjaro forum showed widespread support for the manifesto; Philip Muller, project lead and CEO of the Manjaro company, largely stayed out of the discussion. However, he surfaced on March 19 to say he was "open to serious discussions", but only after a nonprofit had actually been set up.
Security updates for Friday
Security updates have been issued by AlmaLinux (capstone, glibc, grub2, kernel, libarchive, libpng, mysql, and python3.11), Debian (evolution-data-server, imagemagick, and snapd), Fedora (bpfman, chromium, cpp-httplib, dotnet10.0, openssh, polkit, and vim), Mageia (graphicsmagick, imagemagick, openssh, and perl-YAML-Syck), Oracle (capstone, grub2, kernel, mysql, and python-pyasn1), Red Hat (container-tools:rhel8, rhc, yggdrasil, and yggdrasil-worker-package-manager), SUSE (cargo1.92, cargo1.93, chromedriver, coturn, curl, freerdp, jq, kernel, libssh, php-composer2, python311-uv, python312, qemu, tomcat, util-linux, vim, and virtiofsd), and Ubuntu (exiv2, freerdp3, glance, linux, linux-aws, linux-aws-hwe, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, and linux-aws-fips, linux-fips, linux-gcp-fips).
Google details new 24-hour process to sideload unverified Android apps (ArsTechnica)
Ars Technica describes the ritual that will be required before a future Android device will deign to install apps from somewhere other than the Play Store. It is not for the impatient.
Two new stable kernels
Greg Kroah-Hartman has announced the release of the 6.19.9 and 6.18.19 stable kernels. As usual, each has important fixes throughout the tree; users are advised to upgrade.
Radicle 1.7.0 released
Version 1.7.0 ("Daffodil") of the Radicle peer-to-peer, local-first code collaboration stack has been released. Some of the changes in this release include improved I/O usage, the ability to block nodes at the connection level, and clearer errors for rad id updates. See the release notes for a full list of changes and bug fixes.
[$] Development tools: Sashiko, b4 review, and API specification
The kernel project has a unique approach to tooling that avoids many commonly used development systems that do not fit the community's scale and ways of working. Another way of looking at the situation is that the kernel project has often under-invested in tooling, and sometimes seems bent on doing things the hard way. In recent times, though, the amount of effort that has gone into development tools for the kernel has increased, with some interesting results. Recent developments in this area include the Sashiko code-review system, a patch-review manager built into b4, and a new attempt at a framework for the specification and verification of kernel APIs.
Security updates for Thursday
Security updates have been issued by Debian (freetype), Fedora (aqualung, kiss-fft, libtasn1, mac, and vim), Red Hat (libarchive, osbuild-composer, and rhc), Slackware (expat), SUSE (ca-certificates-mozilla, chromium, cockpit, cockpit-machines, cockpit-podman, curl, docker, docker-compose, docker-stable, gnutls, gstreamer-rtsp-server, gstreamer-plugins-ugly, gstreamer-plugins-rs, gstreamer-plugins-libav, gstreamer-plugins-good, gstreamer-plugins-base, gstreamer-plugins-bad, gstreamer-docs, gstreamer-devtools, gstreamer, gvfs, helm, kernel, krb5-appl, libsoup, libxslt, libxml2, openssh, python-cryptography, python-django, python-pypdf2, python-simpleeval, python311, qemu, ruby4.0-rubygem-sprockets, ruby4.0-rubygem-thor, ruby4.0-rubygem-web-console, ruby4.0-rubygem-websocket-extensions, skaffold, smb4k, tomcat, ucode-intel, util-linux, virtiofsd, and zlib), and Ubuntu (bouncycastle, exiv2, freerdp3, linux-aws, linux-aws-5.4, linux-gcp-5.4, linux-oracle, linux-oracle-5.4, linux-xilinx-zynqmp, linux-aws-fips, python2.7, roundcube, and valkey).
[$] LWN.net Weekly Edition for March 19, 2026
Inside this week's LWN.net Weekly Edition:
[$] Cindy Cohn on privacy battles old and new
Cindy Cohn is the executive director of the Electronic Frontier Foundation (EFF) and she gave the Saturday morning keynote at SCALE 23x in Pasadena about some of the work she and others have done to help protect online rights, especially digital privacy. The talk recounted some of the history of the court cases that the organization has brought over the years to try to dial back privacy invasions. One underlying theme was the role that attendees can play in protecting our rights, hearkening back to earlier efforts by the technical community.
Samba 4.24.0 released
Version 4.24.0 of the Samba SMB filesystem implementation has been released. There are a number of significant changes, including audit support for authentication information, remote password management, a number of Kerberos improvements, asynchronous-I/O rate limiting, and more.
GNOME 50 released
GNOME 50 has been released. Notable changes in this release include enhancements to the Orca screen-reader application, interface and performance improvements for GNOME's file manager (Files), a "massive set of stability and performance updates" for its display-handling technologies, and much more. See also the "What's new for developers" article that covers changes of interest to GNOME and GNOME application developers.
Local-privilege escalation in snapd
Qualys has discovered a local-privilege escalation (LPE) vulnerability affecting Ubuntu Desktop 24.04 and later:
Fedora Asahi Remix 43 released
Fedora Asahi Remix 43 is now available:
[$] BPF comes to io_uring at last
The kernel's asynchronous io_uring interface maintains two shared ring buffers: a submission queue for sending requests to the kernel, and a completion queue containing the results of those requests. Even with shared memory removing much of the overhead of communicating with user space, there is still some overhead whenever the kernel must switch to user space to give it the opportunity to process completion requests and queue up any subsequent work items. A patch set from Pavel Begunkov minimizes this overhead by letting programmers extend the io_uring event loop with a BPF program that can enqueue additional work in response to completion events. The patch set has been in development for a long time, but has finally been accepted.
Security updates for Wednesday
Security updates have been issued by AlmaLinux (.NET 10.0, .NET 9.0, compat-openssl11, container-tools:rhel8, grub2, and libvpx), Debian (ansible, gst-plugins-base1.0, and nodejs), Fedora (chromium, forgejo, and systemd), Oracle (container-tools:rhel8, grub2, kernel, libpng, libvpx, nginx, opencryptoki, python3.12, and vim), Red Hat (firefox, python-wheel, python3.12-wheel, and thunderbird), SUSE (389-ds, chromium, clamav, container-suseconnect, curl, freerdp, gvfs, kea, kubernetes, ruby4.0-rubygem-minitar, ruby4.0-rubygem-multi_xml, ruby4.0-rubygem-nokogiri, ruby4.0-rubygem-puma, ruby4.0-rubygem-rack, ruby4.0-rubygem-rack-session, ruby4.0-rubygem-rails, ruby4.0-rubygem-rails-html-sanitizer, ruby4.0-rubygem-railties, ruby4.0-rubygem-rubyzip, vim, and xen), and Ubuntu (flask, libssh, linux-aws-5.15, linux-gcp-5.15, linux-gke, linux-hwe-5.15, linux-intel-iotg-5.15, linux-lowlatency-hwe-5.15, linux-oracle-5.15, linux-gcp-6.17, linux-realtime, linux-realtime, linux-realtime, linux-realtime-6.8, snapd, and vim).
The Sashiko patch-review system
Roman Gushchin has announced the existence of an LLM-driven patch-review system named Sashiko. It automatically creates reviews for all patches sent to the linux-kernel mailing list (and some others).
FSFE reports trouble with payment provider
The Free Software Foundation Europe (FSFE) is reporting that payment provider Nexi has terminated its contract without prior notice, which means that a number of FSFE supporters' recurring payments have been halted:
[$] Fedora ponders a "sandbox" technology lifecycle
Fedora Project Leader (FPL) Jef Spaleta has issued a "modest proposal" for a technology-innovation-lifecycle process that would provide more formal structure for adopting technologies in Fedora. The idea is to spur innovation in the project without having an adverse impact on stability or the release process. Spaleta's proposal is somewhat light on details, particularly as far as specific examples of which projects would benefit; however, the reception so far is mostly positive and some think that it could make Fedora more "competitive" by being the place where open-source projects come to grow.
Security updates for Tuesday
Security updates have been issued by Fedora (mingw-openexr, vim, and yarnpkg), Oracle (freerdp), Red Hat (389-ds-base, container-tools:rhel8, libpng, libpng15, nginx, nginx:1.24, nginx:1.26, opencryptoki, python3, python3.11, python3.12, and python3.9), SUSE (ruby4.0-rubygem-activestorage, ruby4.0-rubygem-activesupport, ruby4.0-rubygem-glogalid, ruby4.0-rubygem-grpc, ruby4.0-rubygem-jquery-rails, ruby4.0-rubygem-loofah, and rubygem4.0-rubygem-fluentd), and Ubuntu (curl, linux, linux-aws, linux-aws-6.17, linux-gcp, linux-hwe-6.17, linux-oracle, linux-oracle-6.17, linux, linux-aws, linux-gcp, linux-gcp-6.8, linux-gke, linux-gkeop, linux-hwe-6.8, linux-ibm, linux-ibm-6.8, linux-lowlatency, linux-lowlatency-hwe-6.8, linux-oracle, linux-oracle-6.8, linux, linux-aws, linux-gcp, linux-gkeop, linux-ibm, linux-ibm-5.15, linux-intel-iotg, linux-kvm, linux-lowlatency, linux-nvidia, linux-nvidia-tegra, linux-nvidia-tegra-5.15, linux-oracle, linux-xilinx-zynqmp, linux-fips, linux-aws-fips, linux-gcp-fips, linux-gcp, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, python-cryptography, and roundcube).
Marknote 1.5 released
Version 1.5 of Marknote, a Markdown-based note-management application, has been released. Notable features in this release include Source Mode for working directly with Markdown instead of the WYSIWYG interface, internal wiki-style links for notes, as well as simpler management of notes and notebooks.
Debian Project Leader election underway
Kurt Roeckx has announced that Debian has moved to the campaigning period for the 2026 Debian Project Leader (DPL) election. This year there is only one candidate, Sruthi Chandran, so Debian voters will have a choice between Chandran as DPL or "None of the above". The campaign period will run through April 3, and the voting period will run from April 4 to April 17. Chandran has not yet posted a platform for the 2026 election, but her 2024 platform is available on the Debian wiki.
GIMP 3.2 released
After a year's worth of development since GIMP 3.0 was released, the team behind the open-source image editor has released GIMP 3.2. It comes as part of the plan to release GIMP more frequently, rather than wait six or seven years between releases. The release comes with lots of new features (as can be seen in more detail in the release notes), including 20 new brushes for the MyPaint Brush tool, an "overwrite" paint mode, new and upgraded file formats, UI improvements in a variety of places, such as the on-canvas text editor, and new non-destructive layers:
[$] A safer kmalloc() for 7.0
A pull request that touches over 8,000 files, changing over 20,000 lines of code in the process, is (fortunately) not something that happens every day. It did happen at the end of the 7.0 merge window, though, when Linus Torvalds merged an extensive set of changes by Kees Cook to the venerable kmalloc() API (and its users). As a result of that work, though, the kernel has a new set of type-safe memory-allocation functions, with a last-minute bonus change to make the API a little easier to use.
Security updates for Monday
Security updates have been issued by AlmaLinux (.NET 10.0, .NET 8.0, .NET 9.0, delve, git-lfs, gnutls, kernel, mingw-libpng, nfs-utils, opentelemetry-collector, python3.11, python3.12, python3.9, and vim), Debian (chromium, gimp, kernel, linux-6.1, and wireless-regdb), Fedora (alertmanager, chromium, freerdp, glab, golang-github-openprinting-ipp-usb, gst-devtools, gst-editing-services, gstreamer1, gstreamer1-doc, gstreamer1-plugin-libav, gstreamer1-plugins-bad-free, gstreamer1-plugins-base, gstreamer1-plugins-good, gstreamer1-plugins-ugly-free, gstreamer1-rtsp-server, insight, pcs, pgadmin4, python-gstreamer1, python3.10, python3.11, python3.6, qgis, SDL2_sound, SDL3_sound, systemd, and wireshark), Mageia (python-nltk, tomcat, and vim), Oracle (.NET 10.0, .NET 8.0, .NET 9.0, compat-openssl11, dtrace, python3.12, and vim), Red Hat (buildah, git-lfs, golang-github-openprinting-ipp-usb, opentelemetry-collector, podman, and runc), and SUSE (amazon-ssm-agent, busybox, clamav, firefox, giflib-devel-32bit, glibc, heroic-games-launcher, himmelblau, kubelogin, libpng15, libsoup, libsoup2, mingw32-binutils, mingw64-binutils, osc, obs-scm-bridge, python, python-black, python3, qemu, ruby4.0-rubygem-actioncable, ruby4.0-rubygem-actiontext, ruby4.0-rubygem-activejob, ruby4.0-rubygem-activemodel, tomcat, and tomcat10).
Kernel prepatch 7.0-rc4
Linus has released 7.0-rc4 for testing.
Stable kernels for Friday the 13th
Greg Kroah-Hartman has announced the release of the 6.19.8, 6.18.18, and 6.12.77 stable kernels. Each of these kernels includes a number of important fixes; users are advised to upgrade.
An investigation of the forces behind the age-verification bills
Reddit user "Ok_Lingonberry3296" has posted the results of an extensive investigation into the companies that are pushing US state legislatures to enact age-verification bills.
A set of AppArmor vulnerabilities
Qualys has sent out a somewhat breathless advisory describing a number of vulnerabilities in the AppArmor security module, which is used in a number of Debian-based distributions (among others).
[$] More timing side-channels for the page cache
In 2019, researchers published a way to identify which file-backed pages were being accessed on a system using timing information from the page cache, leading to a handful of unpleasant consequences and a change to the design of the mincore() system call. Discussion at the time led to a number of ad-hoc patches to address the problem. The lack of new page-cache attacks suggested that attempts to fix things in a piecemeal fashion had succeeded. Now, however, Sudheendra Raghav Neela, Jonas Juffinger, Lukas Maar, and Daniel Gruss have found a new set of holes in the Linux kernel's page-cache-timing protections that allow the same general class of attack.
Security updates for Friday
Security updates have been issued by Debian (chromium, kernel, and multipart), Fedora (dnf5, dr_libs, easyrpg-player, libmaxminddb, python3.12, strongswan, task, and udisks2), Oracle (.NET 10.0, .NET 8.0, .NET 9.0, gnutls, ImageMagick, kernel, libvpx, mingw-libpng, nginx:1.26, python3.11, and uek-kernel), Red Hat (delve, git-lfs, mingw-libpng, osbuild-composer, and rhc-worker-playbook), SUSE (cjson, curl, dnsdist, libsoup2, postgresql16, postgresql17, postgresql18, python-lxml_html_clean, python-pypdf2, python36, and thunderbird), and Ubuntu (dotnet8, dotnet9, dotnet10, freetype, golang-github-go-git-go-git, golang-golang-x-net, openssh, python-cryptography, sudo, and util-linux).
[$] Practical uses for a null filesystem
One of the first changes merged for the upcoming 7.0 release was nullfs, an empty filesystem that cannot actually contain any files. One might logically wonder why the kernel would need such a thing. It turns out, though, that there are places where a null filesystem can come in handy. For 7.0, nullfs will be used to make life a bit easier for init programs; future releases will likely use nullfs to increase the isolation of kernel threads from the init process.
Two stable kernels for Thursday
Sasha Levin has announced the release of the 6.19.7 and 6.18.17 stable kernels. As usual, each contains important fixes throughout the tree; users are advised to upgrade.
Security updates for Thursday
Security updates have been issued by AlmaLinux (gimp, git-lfs, grafana-pcp, kernel, mysql8.4, nfs-utils, opentelemetry-collector, osbuild-composer, postgresql:16, and python3.12), Debian (imagemagick and netty), Fedora (dr_libs and python-lxml-html-clean), Slackware (libarchive and libxml2), SUSE (busybox, coredns, firefox, freerdp, ghostty, gnutls, go1.25, go1.26, GraphicsMagick, grype, helm, helm3, ImageMagick, perl-Compress-Raw-Zlib, python, python311-lxml_html_clean, python311-PyPDF2, tomcat11, and traefik), and Ubuntu (curl, gimp, and libpng).
[$] LWN.net Weekly Edition for March 12, 2026
Inside this week's LWN.net Weekly Edition:
[$] California's Digital Age Assurance Act and Linux distributions
A recently enacted law in California imposes an age-verification requirement on operating-system providers beginning next year. The language of the Digital Age Assurance Act does not restrict its requirements to proprietary or commercial operating systems; projects like Debian, FreeBSD, Fedora, and others seem to be on the hook just as much as Apple or Microsoft. There is some hope that the law will be amended, but there is no guarantee that it will be. This means that the developer communities behind Linux distributions are having to discuss whether and how to comply with the law with little time and even less legal guidance.
Introducing Moonforge: a Yocto-based Linux OS (Igalia Blog)
Igalia has announced the Moonforge Linux distribution, based on OpenEmbedded and Yocto.
[$] HTTPS certificates in the age of quantum computing
There has been ongoing discussion in the Internet Engineering Task Force (IETF) about how to protect internet traffic against future quantum computers. So far, that work has focused on key exchange as the most urgent problem; now, a new IETF working group is looking at adopting post-quantum cryptography for authentication and certificate transparency as well. The main challenge to doing so is the increased size of certificates - around 40 times larger. The techniques that the working group is investigating to reduce that overhead could have efficiency benefits for traditional certificates as well.
Security updates for Wednesday
Security updates have been issued by AlmaLinux (kernel, kernel-rt, libvpx, nfs-utils, nginx:1.26, osbuild-composer, postgresql, postgresql:12, postgresql:13, postgresql:15, postgresql:16, and python-pyasn1), Debian (imagemagick), Fedora (perl-Crypt-SysRandom-XS and systemd), Mageia (yt-dlp), Oracle (delve, gimp, git-lfs, go-rpm-macros, image-builder, kernel, libpng, libvpx, mysql8.4, nfs-utils, osbuild-composer, postgresql16, postgresql:12, postgresql:13, postgresql:15, postgresql:16, python-pyasn1, python3, python3.12, python3.9, and thunderbird), SUSE (python-aiohttp, python-maturin, python311-pymongo, rclone, and util-linux), and Ubuntu (linux-nvidia, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, and python-geopandas).
[$] Disabling Python's lazy imports from the command line
The advent of lazy imports in the Python language is upon us, now that PEP 810 ("Explicit lazy imports") was accepted by the steering council and the feature will appear in the upcoming Python 3.15 release in October. There are a number of good reasons, performance foremost, for wanting to defer spending - perhaps wasting - the time to do an import before a needed symbol is used. However, there are also good reasons not to want that behavior, at least in some cases. The tension between those two positions is what led to an earlier PEP rejection, but it is also playing into a recent discussion of the API used to control lazy imports.
SUSE may be for sale, again
Reuters is reporting that private-equity firm EQT may be looking to sell SUSE:
[$] Debian decides not to decide on AI-generated contributions
Debian is the latest in an ever-growing list of projects to wrestle (again) with the question of LLM-generated contributions; the latest debate started in mid-February, after Lucas Nussbaum opened a discussion with a draft general resolution (GR) on whether Debian should accept AI-assisted contributions. It seems to have, mostly, subsided without a GR being put forward or any decisions being made, but the conversation was illuminating nonetheless.
Security updates for Tuesday
Security updates have been issued by Debian (imagemagick), Fedora (chromium, matrix-synapse, mingw-zlib, perl-Net-CIDR, polkit, and rust-pythonize), Mageia (coturn, firefox, and thunderbird), Oracle (delve, git-lfs, gnutls, go-rpm-macros, image-builder, kernel, libsoup, nfs-utils, nginx:1.24, osbuild-composer, postgresql, thunderbird, udisks2, and valkey), Red Hat (grafana, image-builder, and opentelemetry-collector), SUSE (c3p0 and mchange-commons, corepack24, go1, ImageMagick, python-Flask, tomcat, tomcat10, tomcat11, virtiofsd, and weblate), and Ubuntu (apache2 and yara).
[$] Inspecting and modifying Python types during type checking
Python has a unique approach to static typing. Python programs can contain type annotations, and even access those annotations at run time, but the annotations aren't evaluated by default. Instead, it is up to external programs to ascribe meaning to those annotations. The annotations themselves can be arbitrary Python expressions, but in practice usually involve using helpers from the built-in typing module, the meanings of which external type-checkers mostly agree upon. Yet the type system implicitly defined by the typing module and common type-checkers is insufficiently powerful to model all of the kinds of dynamic metaprogramming found in real-world Python programs. PEP 827 ("Type Manipulation") aims to add additional capabilities to Python's type system to fix this, but discussion of the PEP has been of mixed sentiment.
digiKam 9.0.0 released
Version 9.0.0 of the digiKam photo-management system has been released. "This major version introduces groundbreaking improvements in performance, usability, and workflow efficiency, with a strong focus on modernizing the user interface, enhancing metadata management, and expanding support for new camera models and file formats." Some of the changes include a new survey tool, more advanced search and sorting options, as well as bulk editing of geolocation coordinates.
Security updates for Monday
Security updates have been issued by AlmaLinux (delve, git-lfs, and postgresql16), Fedora (cef, chezmoi, chromium, coturn, erlang-hex_core, firefox, gh, gimp, k9s, keylime, keylime-agent-rust, libsixel, microcode_ctl, nextcloud, nss, perl-Crypt-URandom, pgadmin4, php-zumba-json-serializer, postgresql16-anonymizer, prometheus, python-asyncmy, python3.10, python3.11, python3.9, staticcheck, valkey, and vim), SUSE (chromedriver, chromium, coredns, expat, freetype2-devel, gitea-tea, go1.24-openssl, go1.25-openssl, grpc, gstreamer-rtsp-server, gstreamer-plugins-ugly, helm, jetty-annotations, kubeshark-cli, libaec, libblkid-devel, libsoup, libxml2, libxslt, NetworkManager-applet-strongswan, podman, python-joserfc, python-Markdown, python-pypdf2, python-tornado, python-uv, python311-Django, python311-joserfc, python311-nltk, roundcubemail, and valkey), and Ubuntu (python3.4, python3.5, python3.6, python3.7, python3.8, python3.9, python3.10, python3.11, python3.12, python3.13, python3.14).
Kernel prepatch 7.0-rc3
Linus has released 7.0-rc3 for testing. "So it's still pretty early in the release cycle, and it just feels a bit busier than I'd like. But nothing particularly stands out or looks bad."
Huston: Revisiting time
Geoff Huston looks at the network time protocol, and efforts to secure it, in detail.
[$] Fedora shares strategy updates and "weird research university" model
In early February, members of the Fedora Council met in Tirana, Albania to discuss and set the strategic direction for the Fedora Project. The council has published summaries from its strategy summit, and Fedora Project Leader (FPL) Jef Spaleta, as well as some of the council members, held a video meeting to discuss outcomes from the summit on February 25. Topics included a plan to experiment with Open Collective to raise funds for specific Fedora projects, tools to build image-based editions, and more. Spaleta also explained his model for Fedora governance.