Feed lwn LWN.net

Link https://lwn.net/
Feed http://lwn.net/headlines/rss
Updated 2025-08-28 20:15
Seven stable kernels for Thursday
Greg Kroah-Hartman has announced the release of the 6.16.4, 6.12.44, 6.6.103, 6.1.149, 5.15.190, 5.10.241, and 5.4.297 stable Linux kernels. Each one contains important fixes.
[$] Changing GNOME technical governance?
The GNOME project, which recently celebrated its 28th birthday, has never had a formal technical governance; progress has been driven by individuals and groups that advocated for, and worked toward, a particular goal in an ad hoc fashion. Longtime GNOME contributor Emmanuele Bassi would like to see that change by adding cross-project teams and a steering committee for the project; to that end, he gave a talk (YouTube video) at GUADEC 2025 in late July on his idea to establish some technical governance for the project. He also put together a blog post with his notes from the talk. The audience reaction was favorable, so he has followed up on the GNOME discussion forum with an RFC on governance to try to move the effort along.
Security updates for Thursday
Security updates have been issued by AlmaLinux (aide, firefox, kernel, and mod_http2), Debian (chromium and unbound), Fedora (mod_auth_openidc), Oracle (fence-agents and kernel), SUSE (ignition, jetty-minimal, kernel, libmozjs-128-0, matrix-synapse, postgresql13, postgresql15, postgresql16, and postgresql17), and Ubuntu (kernel).
[$] LWN.net Weekly Edition for August 28, 2025
Inside this week's LWN.net Weekly Edition:
Rosenzweig: Dissecting the Apple M1 GPU, the end
Alyssa Rosenzweig has written a blog post about her work to help ship a "great driver" for the Apple M1 GPU that supports OpenGL, Vulkan, and enables gaming with Proton.
[$] The tangled web of XSLT browser support
The Extensible Stylesheet Language Transformations (XSLT) language is used by web browsers to style XML content to make it easily readable; XSLT is part of the HTML living standard that is maintained by the Web Hypertext Application Technology Working Group (WHATWG). Only a small fraction of web sites serve content that requires web browsers to support XSLT, in part because major browser implementations have neglected the technology over the past 25 years. Now, it seems, they would like to rid themselves of it entirely. A plan to disable XSLT in Blink (Chrome's rendering engine) and a pull request by a Google Chrome developer to remove mentions of the specification from the HTML standard have been met with opposition, but arguments in favor of XSLT have proven ineffective.
GhostBSD 25.02 released
The GhostBSD project has released version 25.02 of the FreeBSD-based desktop operating system. This release brings GhostBSD up to date with FreeBSD 14.3, includes enhancements for the Software Station package management application, and introduces an "OS X-like" desktop environment based on GNUstep called Gershwin:
[$] The need to reliably preserve our community history
The Internet is a wonderful thing; it allows anybody to look up information of interest. Included in all of that is the history of the free-software development community; how we got to where we are says a lot about why things are the way they are and what might come next. So the takeover of Groklaw rings a loud alarm; we have been reminded that history stored on the Internet is an ephemeral thing and cannot be expected to remain available forever.
Security updates for Wednesday
Security updates have been issued by Debian (node-cipher-base), Fedora (keylime-agent-rust and libtiff), Oracle (aide, kernel, mod_http2, pam, pki-deps:10.6, python-cryptography, python3, python3.12, and thunderbird), SUSE (cheat, ffmpeg, firebird, govulncheck-vulndb, postgresql17, tomcat, tomcat10, tomcat11, ucode-intel-20250812, and v2ray-core), and Ubuntu (binutils, gst-plugins-base1.0, gst-plugins-good1.0, and linux-raspi-realtime).
[$] Shadow-stack control in clone3()
Shadow stacks are a control-flow-integrity feature designed to defend against exploits that manipulate a thread's call stack. The kernel first gained support for hardware-implemented shadow stacks, for the x86 architecture, in the 6.6 release; 64-bit Arm support followed in 6.13. This feature does not give user space much control over the allocation of shadow stacks for new threads, though; a patch series from Mark Brown may, after many attempts, finally be about to change that situation.
Security updates for Tuesday
Security updates have been issued by Debian (ffmpeg, firebird3.0, and luajit), Fedora (chromium, python3-docs, and python3.13), Oracle (aide, firefox, glibc, libxml2, and tomcat), Red Hat (aide, git, kernel, kernel-rt, libarchive, pam, python-cryptography, python3, python3.12, and webkit2gtk3), SUSE (cmake3, ffmpeg-4, kernel, kubernetes1.18, libqt4, minikube, net-tools, pam, postgresql16, proftpd, python-urllib3, python311, python312, python36, tomcat10, tomcat11, and webkit2gtk3), and Ubuntu (nginx).
New restrictions on Android app sideloading
Google has announced a new set of restrictions on the ability of users to install apps on their own devices:
PyCon US 2025 recap and recordings
The PyCon team has announced that all PyCon US 2025 recordings are now available on its YouTube channel.
[$] Linux's missing CRL infrastructure
In July 2024, Let's Encrypt, the nonprofit TLS certificate authority (CA), announced that it would be ending support for the online certificate status protocol (OCSP), which is used to determine when a server's signing certificate has been revoked. This prevents a compromised key from being used to impersonate a web server. The organization cited privacy concerns, and recommended that people rely on certificate revocation lists (CRLs) instead. On August 6, Let's Encrypt followed through and disabled its OCSP service. This poses a problem for Linux systems that must now rely on CRLs because, unlike on other operating systems, there is no standardized way for Linux programs to share a CRL cache.
Report: the state of commercial open source
The Linux Foundation, in cooperation with a couple of other groups, has announced the publication on the intersection of businesses and commercial open-source software (deemed "COSS"). Everything, it seems, is great, and COSS companies make a lot of money for their investors.
Security updates for Monday
Security updates have been issued by AlmaLinux (kernel and tomcat9), Debian (iperf3, mupdf, qemu, thunderbird, and unbound), Fedora (glab, kubernetes1.31, kubernetes1.32, kubernetes1.33, and toolbox), Oracle (kernel and tomcat9), Red Hat (firefox, kernel, kernel-rt, and squid), SUSE (abseil-cpp-devel, aide, flake-pilot, gdk-pixbuf, glibc, go-sendxmpp, ImageMagick, jetty-annotations, jupyter-bqplot-jupyterlab, libtiff-devel-32bit, pam, pdns-recursor, ruby3.4-rubygem-activerecord, rust-keylime, terragrunt, and thunderbird), and Ubuntu (linux-azure and linux-azure-fips).
Kernel prepatch 6.17-rc3
Linus has released 6.17-rc3 (called "3.17-rc3" in the email, but the tag in the repository is correct) for testing. "Anyway, things seem fairly normal for this phase in the release cycle, nothing stands out. Please keep testing,"
Stable kernel 6.16.3
The 6.16.3 stable kernel update has been released. It contains a set of ext4 filesystem fixes that are probably a good thing for any 6.16 ext4 user to have.
FFmpeg 8.0 released
Version 8.0 of the FFmpeg audio and video toolkit has been released.
[$] The "impossibly small" Microdot web framework
The Microdot web framework is quite small, as its name would imply; it supports both standard CPython and MicroPython, so it can be used on systems ranging from internet-of-things (IoT) devices all the way up to large, cloudy servers. It was developed by Miguel Grinberg, who gave a presentation about it at EuroPython 2025. His name may sound familiar from his well-known Flask Mega-Tutorial, which has introduced many to the Flask lightweight Python-based web framework. It should come as no surprise, then, that Microdot is inspired by its rather larger cousin, so Flask enthusiasts will find much to like in Microdot, and will come up to speed quickly should their needs turn toward smaller systems.
Security updates for Friday
Security updates have been issued by AlmaLinux (tomcat), Debian (squid), Fedora (matrix-synapse, rust-slab, socat, and webkitgtk), SUSE (firefox-esr, gdk-pixbuf, gdk-pixbuf-devel, govulncheck-vulndb, rust-keylime, and wicked2nm), and Ubuntu (linux-nvidia, linux-oracle, linux-oracle-6.8, php7.0, php7.2, php7.4, python3.13, python3.12, python3.11, python3.10, python3.9, python3.8, python3.7, python3.6, python3.5, python3.4, and ruby-webrick).
Arch Linux recent service outages
The Arch Linux project has posted an update about recent service outages that have affected its infrastructure:
[$] Bringing restartable sequences out of the niche
The restartable sequences feature, which was added to the 4.18 kernel in 2018, exists to enable better performance in certain types of threaded applications. While there are users for restartable sequences, they tend to be relatively specialized code; this is not a tool that most application developers reach for. Over time, though, the use of restartable sequences has grown, and it looks to grow further as the feature is tied to new capabilities provided by the kernel. As restartable sequences become less of a niche feature, though, some problems have turned up; fixing one of them may involve an ABI change visible in user space.
Security updates for Thursday
Security updates have been issued by AlmaLinux (libarchive, mingw-sqlite, pki-deps:10.6, and tomcat), Debian (chromium and firefox-esr), Fedora (python3.6 and suricata), Oracle (go-toolset:rhel8, kernel, libarchive, mingw-sqlite, tomcat, and xterm), Red Hat (kernel), Slackware (mozilla), SUSE (aws-efs-utils, docker-machine-driver-kvm2, nova, pluto, polaris, and python310), and Ubuntu (ceph, gcc-10, gcc-11, gcc-12, linux-aws-6.8, linux-gcp, linux-gcp-6.8, linux-gkeop, linux-ibm, linux-ibm-6.8, linux-hwe-6.14, linux-oem-6.14, linux-ibm, linux-intel-iotg, linux-oracle, linux-raspi, linux-iot, poppler, and tiff).
[$] LWN.net Weekly Edition for August 21, 2025
Inside this week's LWN.net Weekly Edition:
Zig version 0.15.1
The Zig project has announced version 0.15.1 of the language. The release, much like the last one, includes incremental progress toward the goal of completely dropping LLVM and improving compile time, as well as a handful of breaking changes as the language team wrestles with past API design. The biggest change this time around is to the standard library Reader and Writer interfaces, which have been completely rearranged in the name of performance and reducing unneeded copies.
Adding stubble to Ubuntu's generic Arm64 Desktop ISOs
Tobias Heider has written an article that explains changes that are coming for Ubuntu's generic Arm64 desktop ISO images in the 25.10 release. The current solution, Heider says, depends on GRUB features that are unavailable in secure boot mode and require adding device-specific logic to multiple packages. The new solution, called stubble, is derived from systemd-stub:
Three stable kernels for Wednesday
Greg Kroah-Hartman has announced the release of the 6.16.2, 6.15.11, and 6.12.43 stable kernels. He notes that this is the last release in the 6.15.y series, and recommends that users move to the 6.16.y kernel branch at this time.
[$] Python, tail calls, and performance
Ken Jin welcomed EuroPython 2025 attendees to his talk entitled "Building a new tail-calling interpreter for Python", but noted that the title really should be: "Measuring the performance of compilers and interpreters is really hard". Jin's efforts to switch the CPython interpreter to use tail calls, which can be optimized as regular jumps, initially seemed to produce an almost miraculous performance improvement. As his modified title suggests, the actual improvement was rather smaller; there is still some performance improvement and there are other benefits from the change.
LibreOffice 25.8 released
Version 25.8 of the LibreOffice open-source office suite has been released. Notable changes include several new functions in the Calc spreadsheet application, ability to export to the PDF 2.0 format, better PowerPoint font compatibility with Impress, and significant performance improvements. For a full list of changes, see the release notes on the Document Foundation wiki.
[$] Lucky 13: a look at Debian trixie
After more than two years of development, the Debian Project has released its new stable version, Debian 13 ("trixie"). The release comes with the usual bounty of upgraded packages and more than 14,000 new packages; it also debuts Advanced Package Tool (APT) 3.0 as the default package manager and makes 64-bit RISC-V a supported architecture. There are few surprises with trixie, which is exactly what many Linux users are hoping for: a free operating system that just works as expected.
Security updates for Wednesday
Security updates have been issued by Debian (webkit2gtk), Fedora (firefox and libarchive), Red Hat (python3.11-setuptools and python3.12-setuptools), Slackware (mozilla), SUSE (apache2-mod_security2, cairo-devel, cflow, docker, glibc, go1.25, govulncheck-vulndb, gstreamer-0_10-plugins-base, jq, kernel, libarchive, libssh, libxslt, openbao, python-urllib3, systemd, and xz), and Ubuntu (apache2, libssh, libxml2, linux, linux-aws, linux-aws-5.15, linux-gcp, linux-gcp-5.15, linux-gkeop, linux-hwe-5.15, linux-ibm-5.15, linux-intel-iot-realtime, linux-intel-iotg-5.15, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia-tegra, linux-nvidia-tegra-5.15, linux-nvidia-tegra-igx, linux-oracle-5.15, linux-realtime, linux-xilinx-zynqmp, linux, linux-aws, linux-aws-5.4, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-raspi, linux-raspi-5.4, linux-xilinx-zynqmp, linux, linux-aws, linux-lowlatency, linux-lowlatency-hwe-6.8, linux-realtime, linux-aws-fips, linux-fips, linux-gcp-fips, linux-fips, linux-aws-fips, linux-gcp-fips, linux-ibm-6.8, tomcat10, and webkit2gtk).
Preventing domain-resurrection attacks (PyPI blog)
The Python Package Index (PyPI) has announced that it is now checking for expired domains to try to prevent domain-resurrection attacks. In this type of attack, a malicious user buys an expired domain and uses it to take over an account by resetting the password associated with the email used with PyPI. Since June, PyPI has unverified more than 1,800 email addresses after their associated domains entered expiration phases.
Firefox 142.0 released
Version 142.0 of the Firefox browser has been released. Changes include a new link preview feature (with optional "AI-generated key points"), and a "flexible exception list" for the strict tracking protection feature that allows relaxing specific protections on sites that otherwise will not work properly.
[$] The Koka programming language
Statically typed programming languages can help catch mismatches between the kinds of values a program is intended to manipulate, and the values it actually manipulates. While there have been many bytes spent on discussions of whether this is worth the effort, some programming language designers believe that the type checking in current languages does not go far enough. Koka, an experimental functional programming language, extends its type system with an effect system that tracks the side-effects a program will have in the course of producing a value.
Security updates for Tuesday
Security updates have been issued by AlmaLinux (golang, openjpeg2, toolbox, and xterm), Debian (libxslt, mbedtls, openjdk-17, and webkit2gtk), Fedora (apptainer, mingw-gstreamer1, mingw-gstreamer1-plugins-bad-free, mingw-gstreamer1-plugins-base, mingw-gstreamer1-plugins-good, rust-h2, and uv), Oracle (golang, kernel, and openjpeg2), Red Hat (kernel and xterm), SUSE (389-ds, cairo, container-suseconnect, kernel, lua51-luajit, postgresql13, and trivy), and Ubuntu (linux, linux-aws, linux-aws-6.14, linux-gcp, linux-gcp-6.14, linux-oracle, linux-oracle-6.14, linux-raspi, linux-realtime and openldap).
The State of Python 2025
The JetBrains blog presents the results of the eighth annual Python Developers Survey, carried out in partnership with the Python Software Foundation.
Git v2.51 released
The Git distributed version-control system has released version 2.51, with "506 non-merge commits since v2.50.1, contributed by 91 people, 21 of which are new faces". It brings multiple new features, some of which are highlighted in a post on the GitHub blog. It includes some performance improvements for multi-pack indexes (MIDXs), a way to import and export stash entries so they can be migrated more easily, and smaller pack files:
[$] Kexec handover and the live update orchestrator
Rebooting a computer ordinarily brings an abrupt end to any state built up by the old system; the new kernel starts from scratch. There are, however, people who would like to be able to reboot their systems without disrupting the workloads running therein. Various developers are currently partway through the project of adding this capability, in the form of "kexec handover" and the "live update orchestrator", to the kernel.
Security updates for Monday
Security updates have been issued by AlmaLinux (go-toolset:rhel8, kernel, and kernel-rt), Fedora (chromium), Oracle (libxml2), Red Hat (go-toolset:rhel8, golang, kernel, kernel-rt, openjpeg2, rsync, and tigervnc), and SUSE (apache-commons-lang3, chromedriver, fractal, framework_tool, go1.23-openssl, go1.24-openssl, grub2, gstreamer-devtools, gstreamer-plugins-rs, jasper, libavif, lighttpd, nginx, podman, postgresql13, postgresql14, postgresql15, postgresql16, python311-pypdf, ruby2.5, rust-keylime, tiff, tomcat, tomcat10, and tomcat11).
Kernel prepatch 6.17-rc2
The second 6.17 kernel prepatch is out for testing. "So it's been a very calm week, and this is one of the smaller rc2 releases we've had lately. I'm definitely not complaining, since I've been jetlagged much of the week, but I have this suspicion that it just means that next week will see more noise."
Hashimoto: We rewrote the Ghostty GTK application
Mitchell Hashimoto has written a blog post about "fully embracing the GObject type system" with a rewrite of the GTK version of Ghostty:
Five Friday stable kernels
Greg Kroah-Hartman has announced the release of the 6.16.1, 6.15.10, 6.12.42, 6.6.102, and 6.1.148 stable kernels. Get them while they're hot!
[$] Finding a successor to the FHS
The purpose of the Filesystem Hierarchy Standard (FHS) is to provide a specification for filesystem layout; it specifies the location for files and directories on a Linux system to simplify application development for multiple distributions. In its heyday it had some success at this, but the standard has been frozen in time since 2015, and much has changed since then. There is a slow-moving effort to revive the FHS and create a FHS 4.0, but a recent discussion among Fedora developers also raised the possibility of standardizing on the suggestions in systemd's file-hierarchy documentation, which has now been added to the Linux Userspace API (UAPI) Group's specifications.
Security updates for Friday
Security updates have been issued by AlmaLinux (kernel and webkit2gtk3), Debian (aide and postgresql-13), Fedora (libtiff, mupdf, and pandoc), SUSE (cairo, chromium, gstreamer-plugins-base, ImageMagick, iputils, kubernetes1.23, kubernetes1.26, matrix-synapse, Mesa, pgadmin4, python3, qemu, and rz-pm), and Ubuntu (aide).
[$] Simpler management of the huge zero folio
One might imagine that managing a page full of zeroes would be a relatively straightforward task; there is, after all, no data of note that must be preserved there. The management of the huge zero folio in the kernel, though, shows that life is often not as simple as it seems. Tradeoffs between conflicting objectives have driven the design of this core functionality in different directions over the years, but much of the associated complexity may be about to go away.
Security updates for Thursday
Security updates have been issued by AlmaLinux (kernel, python3.11-setuptools, thunderbird, and toolbox), Debian (chromium), Fedora (open62541 and perl-Authen-SASL), Oracle (git, kernel, konsole, and webkit2gtk3), SUSE (framework-inputmodule-control and poppler), and Ubuntu (apache2, mysql-8.0, mysql-8.4, node-qs, request-tracker5, and ruby-sidekiq).
[$] LWN.net Weekly Edition for August 14, 2025
Inside this week's LWN.net Weekly Edition:
NGINX adds native support for ACME protocol
NGINX has announced the preview release of the nginx-acme module, which adds native support to NGINX for the Automatic Certificate Management Environment (ACME) protocol:
Go 1.25 released
Version 1.25 of Go has been released. Notable changes include support for generating debug information in the DWARF5 format, "container awareness" when setting the maximum number of CPUs to be used, and a new testing/synctest package with support for testing concurrent code. See the release notes for a comprehensive list of changes in 1.25.