GNU GRUB 2, mostly justreferred to as GRUB these days, is the most widely used boot loaderfor x86_64 Linux systems. It supports readingfrom a vast selection of filesystems, handles booting modern systemswith UEFI or legacy systems with a BIOS, and even allows users to customize the"splash" image displayed when a system boots. Alas, all of those features come witha price; GRUB has had a paradeof security vulnerabilities over the years. To mitigate some of thoseproblems, Ubuntucore developer and Canonical employee Julian Andres Klode has proposed removinga number of features from GRUB in Ubuntu26.10 to improve GRUB'ssecurity profile. His proposal has not been met with universal acclaim; many of thefeatures Klode would like to remove have vocal proponents.
On April 1, the Gentoo Linux project published a blog postannouncing that it was switching to GNU Hurd as its primarykernel as an April Fool's joke. While that is not true, the projecthas followed up with an announcementof a new Gentoo port to the Hurd:
Denver Gingerich of the Software Freedom Conservancy (SFC) has publishedan articleon the impact of the ban onthe sale of all new home routers not made in the United Statesissued by the Federal Communications Commission (FCC). The SFC, ofcourse, is the organizationbehind the OpenWrt One router.
The kernel provides a number of ways for processes to communicate with eachother, but they never quite seem to fit the bill for many users. There arecurrently a few proposals for interprocess communication (IPC) enhancementscirculating on the mailing lists. The most straightforward one adds a newsystem call for POSIX message queues that enables the addition of newfeatures. For those wanting an entirely new way to do interprocesscommunication, there is a proposal to add a new subsystem for that purposeto io_uring. Finally, the bus1 proposal has made a return after ten years.
Brian "bex" Exelbierd has publisheda blogpost exploring follow-up questions raised bythe recent debate about the use of the LLM-based reviewtool Sashikoin the memory-management subsystem. His main finding is that Sashiko reviews arebi-modal with regards to whether they contain reports about code not directlychanged by the patch set - most do not, but the ones that do often have severalsuch comments.
OpenSSH 10.3has been released. Among the many changes in this release are asecurity fix to address late validation of metacharacters in usernames, removal of bug compatibility for SSH implementations that donot support rekeying,and a fix to ensure that scp clears setuid/setgid bits from downloadedfiles when operating as root in legacy (-O) mode. See therelease announcement for a full list of new features, bug fixes, andpotentially incompatible changes.
Greg Kroah-Hartman has released the 6.19.11, 6.18.21,6.12.80, and 6.6.131 stable kernels, followed by a quickrelease of 6.6.132 with two patches reverted toaddress a problem building the rust core in 6.6.131. Each kernel containsimportant fixes; users are advised to upgrade.
Michael Meeks has posted anangry missive about changes at The Document Foundation. What hasreally happened is not entirely clear, but it seems to involve, at aminimum, the forced removal of all Collabora staff from the foundation.There has been a set of "thank you" notes to the people involved posted in thefoundation's forums. The Document Foundation's decision to restart LibreOffice Online almostcertainly plays into this as well.Details are fuzzy at best; we will be working at providing a clearerpicture, but that will take some time.
Pandoc is a document-conversion programthat can translate among a myriad of formats, including LaTeX, HTML, Office Open XML(docx), plain text, and Markdown. It is alsoextensible by writing Luafilters that can manipulate the document structure and perform arbitrarycomputations.Pandoc has appeared in various LWN articles over the years, such as my look at Typst and at the importance of free software to science in2025, but we have missed providing an overview of the tool. The February release of Pandoc3.9, which comes with the ability to compile the program to WebAssembly (Wasm), allowing Pandocto run in web browsers, will likely also be of interest.
Version0.0.6 of the Rust-based Servo webbrowser rendering engine has been released. This release boasts a longlist of new features, performance enhancements, improvements, and bugfixes. Some of the notable changes include layoutperformance improvements, a servo:config page for settingany preference, and developertools enhancements.
Discussion ofa memory-management patch set intended to clean up a helper function forhandling huge pages spiraled into something else entirely after it was posted on March19.Memory-management maintainer Andrew Mortonproposed making changes to the subsystem's review process, to requirepatch authors to respond to feedback from Sashiko,therecently released LLM-based kernel patch review system. Othersub-maintainers, particularly Lorenzo Stoakes, objected. Theresulting discussion about how and when to adopt Sashiko is potentially relevantto many other parts of the kernel.
In early March, Dylan M. Taylor submitted a pull request to add a fieldto store a user's birth date in systemd's JSON user records. This was done to allowapplications to store the date to facilitate compliance with age-attestation and-verification laws. It was to be expected that some members of the community wouldobject; the actual response, however, has been shockingly hostile. Some of this hasbeen fueled by a misinformation campaign that has targeted the systemd project andTaylor specifically, resulting in Taylor being doxxed and receiving deaththreats. Such behavior is not just problematic; it is also deeply misguided given theactual nature of the changes.
There is ablog post on sockpuppet.org arguing that we are not prepared for theupcoming flood of high-quality, LLM-generated vulnerability reports andexploits.
SystemRescue 13.00 has been released. TheSystemRescue distribution is a live boot system-rescue toolkit, basedon Arch Linux, for repairing systems in the event of a crash. Thisrelease includes the 6.18.20 LTS kernel, updates bcachefs tools andkernel module to 1.37.3, and manyupgraded packages. See the step-by-step guide forinstructions on performing common operations such as recovering files,creating disk clones, and resetting lost passwords.
Version4.0.0 of the Rspamdspam-filtering system has been released. Notable new features includeHTML fuzzy phishing detection, support for up to eight flags with fuzzyhashes, and more. See the changelog for more onimprovements, breaking changes, and bug fixes.
Rust's compiler team has been working on a long-term project torewrite the trait solver - the part of the compiler that determines whichconcrete function should be called when a programmer uses a trait method that isimplemented for multiple types. The rewrite is intended to simplifyfuture changes to the trait system, fix a handful of tricky soundness bugs, andprovide faster compile times. It's also nearly finished, with a relativelysmall number of remaining blocking bugs.
LiteLLMis a gateway library providing access to a number of large language models(LLMs); it is popular and widely used. On March24, the word went outthat the version of LiteLLM found in the PythonPackage Index (PyPI) repository had beencompromised with information-stealing malware and downloaded thousands oftimes, sparking concern across the net. This may look like just anothersupply-chain attack - and it is - but the way it came about reveals justhow many weak links there are in the software supply chains that we alldepend on.
Greg Kroah-Hartman has announced the release of the 6.12.79 stable kernel. This releaseonly reverts a patchthat caused a regression on the LoongArch platform; users whocould not build 6.12.78 on LoongArch need to upgrade.
Toma Hrka has announcedthat the Forgejo-based Fedora Forge is now afully operational collaborative-development platform; it is ready foruse by the larger Fedora community, which means the homegrown Pagure platform's days are numbered:
A number of projects have been struggling with the question of whichsubmissions created by large language models (LLMs), if any, should beaccepted into their code base. This discussion has been further muddied byefforts to use LLM-driven reimplemention as a way to remove copyleftrestrictions from a body of existing code, as recently happened with the Python chardet module. Inthis context, an attempt to introduce an LLM-generated implementation ofthe Linux ext4 filesystem into OpenBSD was always going to create somefireworks, but that project has its own, clearly defined reasons forlooking askance at such submissions.
The keynote for Sun Security Con2026 (SunSecCon) was given by Farzan Karimi on how incident handlingcan go awry because of a lack of collaboration between the "goodguys"-which stands in contrast to how attackers collaboratively operate.He provided some "war stories" where security incident handling hadbenefited from collaboration and others where it was hampered by its lack.SunSecCon was held in conjunction with SCALE 23x in Pasadenain early March.
The Tor Blog has an interesting articleabout the non-technical side of setting up a Tor Relay. It documents how acomputer science student at National Taiwan Normal University worked with theuniversity system to set up a relay and provides a template for futureattempts:
The kernel's direct map provides code running in kernel mode with directaccess to all physical memory installed in the system - on 64-bit systems,at least. It obviously makes life easier for kernel developers, but thedirect map also brings some problems of its own, most of which aresecurity-related. Interest in removing at least some pages from the directmap has been simmering for years; a couple of patch sets under discussion show some use cases for memory that has been removed from thedirect map, and how such memory might be efficiently managed.
Greg Kroah-Hartman has announced the release of the 6.19.10, 6.18.20, 6.12.78, 6.6.130, and6.1.167 stable kernels. Each contains importantfixes throughout the tree. Users are advised to upgrade.
Version149.0 of the Firefox web browser has been released. Notablefeatures in this release include a new split-view feature for viewingtwo web pages side-by-side, a built-inVPN for browser traffic only, and more.
PHP's licensing has been a source of confusion for some time. The project is,currently, using two licenses that cover different parts of the code base: PHP v3.01 for thebulk of the code and Zend v2.0 for codein the Zend directory. Much has changedsince the project settled on those licenses in 2006, and the need for customlicensing seems to have passed. An effort to simplify PHP's licensing, led byBen Ramsey, is underway; if successful, the existing licenses will be deprecatedand replaced by the BSDthree-clause license. The PHP community is now voting on the licenseupdate RFC through April4, 2026.
This issuereport describes a credential-stealing attack buried within LiteLLM1.82.8 in the PyPI repository. It collects and exfiltrates a wide varietyof information, including SSH keys, credentials for a number of cloudservices, crypto wallets, and so on. Anybody who has installed thispackage has likely been compromised and needs to respond accordingly.Update: see thisfuturesearch article for some more information. "The releasecontains a malicious .pth file (litellm_init.pth) that executesautomatically on every Python process startup when litellm is installed inthe environment."
BPF programs can run in both sleepable and non-sleepable (atomic) contexts.Currently, sleepable BPF programs are not allowed to enter an atomic context.Puranjay Mohan has anew patch set that changes that. The patch set would let BPF programs calledin sleepable contexts temporarily acquire locks that cause the programs totransition to an atomic context. BPF maintainer AlexeiStarovoitov objected to parts of the implementation, however, so acceptance ofthe patch depends on whether Mohan is willing and able to straighten it out.
Linus has released 7.0-rc5 for testing."It looks like things are starting to calm down - rc5 is smaller thanthe previous rc's this merge window, although it still tracks a bit largerthan rc5s historically do."
Version 0.15.0 of the b4 patch-management tool is out. Highlights in thisrelease include the b4 review workflow manager for maintainers(covered briefly in this article), b4dig, which can find the original mailing-list submission behind acommit, three-way-merge support in b4 shazam, and more. See the releasenotes for details.
Version19 of the Agama installer for openSUSE and SUSE has beenreleased. This release includes major changes in Agama's architecturaldesign, organization of the web interface, and more.
Members of the Manjaro Linux distribution's community have publisheda "Manjaro2.0Manifesto"that contains a list of complaints and a demand to restructure the project to providea clear separation between the community and Manjaro as a company. The manifestoasserts that the project's leadership is not acting in the best interests of thecommunity, which has caused developers to leave and innovation to stagnate. Italso demands a handover of the Manjaro trademark and other assets to ato-be-formed nonprofit association. The responses on the Manjaro forum showed widespread supportfor the manifesto; Philip Muller, project lead and CEO of the Manjarocompany, largely stayed out of the discussion. However, he surfacedon March19 to say he was "open to serious discussions", but onlyafter a nonprofit had actually been set up.
LWN.net