LWN.net

Lance Albertson writesthat the Oregon State University Open Source Lab, the home of manyprominent free-software projects over the years, has run into financialtrouble:

Many eyebrows were raised recently when three vulnerabilities were announcedthat allegedly impact GNUMailman 2.1,since many folks assumed that it was no longer being supported. That'snot quite the case. Even though version3 ofthe GNU Mailman mailing-list manager has been availablesince2015, and version2 was declared (mostly) end of life(EOL) in2020, there are still plenty of users and projects stillusing version2.1.x. There is, as it turns out, a big difference betweenmostly EOL and actually EOL. For example: WebPros, the company behind the cPanel server and web-site-managementplatform, still maintains a port ofMailman2.1.x to Python3 for its customers and wasquick to respond to reports of vulnerabilities. However, thecompany and upstream Mailman project dispute that the CVEs arevalid.

Modern compilers perform a lot of optimizations, which can complicate debugging.Song Liu and Thierry Treyer spoke about a potential improvement toBPF Type Format (BTF) debugging information that could partially combat thatproblem at the 2025 Linux Storage, Filesystem,Memory-Management, and BPF Summit.They want to add information on selectively inlined functions to BTF in order tobetter support tracing tools.Treyer participated remotely.

The Free Software Foundation has announcedthe completion of the review of its board of directors; the processresulted in the reconfirmation of all five sitting board members.

Just over six months ago, The Economist described the US economy as "the envy of theworld". That headline would be unlikely to appear now. The economicboom referenced in that article feels like a distant memory, markets arefalling, and uncertainty is at an all-time high. Like everybody else, LWNis affected by the current turbulence in the political and economicspheres; we expect to get through this period, but there will be somechallenges.

Security updates have been issued by Debian (glibc and libraw), Fedora (digikam, icecat, mingw-LibRaw, perl, perl-Devel-Cover, and perl-PAR-Packer), Red Hat (ghostscript, kernel, and kernel-rt), Slackware (mozilla), SUSE (augeas, firefox, and java-11-openjdk), and Ubuntu (binutils, libxml2, and nodejs).

The LWN.net fediverse (Mastodon) feed has moved; we are now known as @LWN@lwn.net. The migration magic hasshifted many of our followers over automatically but, if you follow thatstream, you might want to make sure that you have shifted to the newsource.

Version1.8.0of the Meson build system hasbeen released. Notable changes in this release include the ability torun rustdoc for Rust projects, support for the c2y and gnu2ycompiler options, and a new argument (android_exe_type) thatmakes it possible to use the same meson.build file forAndroid and non-Android systems.

Version138.0 of the Firefox web browser has been released. Changes includesome profile-management improvements, the ability to get weather-relatedsuggestions in the address bar (US only), and some security fixes.

Tavian Barnes takes onthe tedious process of waiting for configure scripts to run.

The kernel's CPU scheduler has to balance a wide range of objectives. Thetasks in the system must be scheduled fairly, with latency for any giventask kept within bounds. All of the CPUs in the system should be kept busyif there is enough work to do, but unneeded CPUs should be shut down toreduce power consumption. A task should also run on the CPU that is mostlikely to have cached the memory that task is using. This patchseries from Chen Yu aims to improve how the scheduler handles cachelocality for multi-threaded processes.

The Kali Linux distribution has announcedthat software updates will soon start failing for all users:

Security updates have been issued by AlmaLinux (glibc, php:8.1, and thunderbird), Debian (libreoffice), Fedora (caddy), Mageia (chromium-browser-stable), Red Hat (php:8.1), SUSE (glow), and Ubuntu (kicad, linux-aws-5.15, linux-azure-nvidia, linux-gcp-5.15, mistral, python-mistral-lib, tomcat8, and trafficserver).

Version 3.25.0 of the Valgrinddynamic-analysis tool has been released. It has lots of new features,including initial support for RISC-V on Linux, handling zstd-compresseddebug sections, integration of the Linux TestProject test suite, support for lots more Linux system calls, and more.It also has plenty of bug fixes, of course.

The Open Source Initiative (OSI) has quietly published"takeaways" from its internal retrospective on the recent boardof directors election as an updateto the March blogpost that announced the new members of the board. The election wascontroversial, in part, due to poor communication and OSI changing theelection rules and disqualifying several candidates after the electionfinished. LWN coveredthe election and results in March. The update commits to improvementsin communication and candidate selection:

Martin Lau gave a talk in the BPF track of the 2025 Linux Storage, Filesystem,Memory-Management, and BPF Summit about a performance problemplaguing the networking subsystem, and some potential ways to fix it. He works onBPF programs that need to store socket-local data; amid other improvements tothe networking and BPF subsystems, retrieving that data has become a noticeablebottleneck for his use case. His proposed fix prompted a good deal of discussionabout how the data should be laid out.

Security updates have been issued by AlmaLinux (thunderbird), Debian (distro-info-data, imagemagick, kernel, libsoup2.4, and poppler), Fedora (chromium, java-1.8.0-openjdk, java-1.8.0-openjdk-portable, java-17-openjdk, java-17-openjdk-portable, java-latest-openjdk, pgadmin4, thunderbird, and xz), Mageia (haproxy and libxml2), Oracle (bluez, firefox, gnutls, libtasn1, libxslt, mod_auth_openidc:2.3, ruby:3.1, thunderbird, and xmlrpc-c), Red Hat (delve and golang, glibc, mod_auth_openidc, mod_auth_openidc:2.3, and thunderbird), SUSE (augeas, chromedriver, cifs-utils, govulncheck-vulndb, java-11-openjdk, java-21-openjdk, kyverno, libraw, opentofu, runc, subfinder, and valkey), and Ubuntu (jupyter-notebook and libxml2).

The 6.15-rc4 kernel prepatch is out fortesting. "So let's see if this rc ends up avoiding any silly issues -things certainly look pretty normal, and there were no hurried last-minutechanges this week due to system upgrades".

The OpenBSD7.7 release is available. There is, as usual, a long list of changes;see the full changelogfor lots of details.

The Debian project is discussing a General Resolution (GR) thatwould, if approved, clarify that AI models must include training datato be compliant with the DebianFree Software Guidelines (DFSG) and be distributed by Debian asfree software. While GR discussions are sometimes contentious, thediscussion around the proposal from Debian developer MoZhou hasbeen anything but-there seems to beconsensus that AI models are not DFSG-compliant if they lack trainingdata. There are, however, some questions about the exact language andquestions about the impact the GR will have on existing packages inthe Debian archive.

Version 15.1 of the GNUCompiler Collection has been released. Changes include implementing theC23 dialect by default, a number of new C++26 features, experimentalsupport for unsigned integers in Fortran, a new COBOL front end, andmore. See the GCC15changes page for details.

The 6.14.4,6.12.25,6.6.88, and6.1.135stable kernel updates have been released; each contains another set ofimportant fixes.

Security updates have been issued by AlmaLinux (thunderbird), Debian (libbpf), Fedora (golang-github-openprinting-ipp-usb, ImageMagick, mingw-libsoup, mingw-poppler, and pgbouncer), SUSE (glib2, govulncheck-vulndb, libsoup-2_4-1, libxml2-2, mozjs60, ruby2.5, and thunderbird), and Ubuntu (linux, linux-azure, linux-azure-5.4, linux-bluefield, linux-gcp, linux-hwe-5.4, linux-ibm, linux-kvm, linux-oracle, linux-oracle-5.4, linux-aws, linux-aws-5.4, linux-gcp-5.4, linux-iot, linux-aws-fips, linux-azure-fips, linux-fips, linux-gcp-fips, linux-hwe-6.8, linux-ibm-5.4, linux-oracle-5.15, openssh, and php-twig).

The Debian Project Leader election resultshave been announced. AndreasTille has been re-elected and will serve another term throughApril2026. LWN looked at the election andcandidates in early April.

New compiler releases often bring with them new warnings; those warningsare usually welcome, since they help developers find problems before theyturn into nasty bugs. Adapting to new warnings can also create disruptionin the development process, though, especially when an important developerupgrades to a new compiler at an unfortunate time. This is just thescenario that played out with the 6.15-rc3kernel release and the implementation of-Wunterminated-string-initialization in GCC15.

Sometimes worms have a tendency to multiply once their can is opened.James Bottomley recently encountered that situation; he led a session inthe filesystem track at the 2025 Linux Storage, Filesystem, MemoryManagement, and BPF Summit (LSFMM+BPF) to discuss filesystem behavior withrespect to suspending and resuming the system. As he noted in his topicproposal, he came at the problem because he needed a way toresynchronize the contents of efivarfsafter a system resume and thought there should be an API available to use.But, as the resulting thread shows, the filesystem freeze and thaw code hadnever been used by the system-wide suspend and resume code. Due to ascheduling mixup, though, several of us missed Bottomley's session,including Luis Chamberlain who has been working on hooking those two piecesup; what follows is largely from a second session that Chamberlain led,with some background information from the topic-proposal discussion and anemail exchange with Bottomley.

Security updates have been issued by Debian (haproxy and openrazer), Fedora (c-ares and mingw-poppler), Red Hat (thunderbird), SUSE (epiphany, ffmpeg-6, gopass, and libsoup-3_0-0), and Ubuntu (erlang, haproxy, libapache2-mod-auth-openidc, libarchive, linux, linux-aws, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15, linux-gcp, linux-gke, linux-gkeop, linux-hwe-5.15, linux-ibm, linux-intel-iotg, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-nvidia-tegra, linux-nvidia-tegra-igx, linux-oracle, linux-raspi, linux, linux-aws, linux-azure, linux-azure-6.8, linux-ibm, linux-lowlatency, linux-lowlatency-hwe-6.8, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, linux-oem-6.8, linux-oracle, linux-oracle-6.8, linux-aws-6.8, linux-aws-fips, linux-fips, linux-gcp-fips, linux-azure-fips, linux-gcp, linux-gke, linux-gkeop, linux-gcp-6.8, linux-ibm-5.15, linux-intel-iot-realtime, linux-realtime, linux-intel-iotg-5.15, linux-realtime, perl, and yelp, yelp-xsl).

Inside this week's LWN.net Weekly Edition:

The Fedora Project is looking for solutions to an interestingproblem with its image-based editions and spins, such as the Atomic Desktopsor CoreOS, that arecreated with rpm-ostree or bootc. If a package thatis part of a image-based version has a user or group createddynamically on installation, and it owns files installed on thesystem, the system may be subject to user ID (UID) and group ID (GID) "drift"on updates. This "UID/GID drift" may come about when a new image withupdates is generated, and therefore files may have the wrongownership. This can have side-effects ranging from mildly inconvenient toserious. No solutions have been adopted just yet, but there are a fewideas on how to deal with the problem.

The NLnet Foundation has announcedthe projects that have received funding from its October callfor grant proposals from the NextGeneration Internet (NGI) Zero Commons Fund.

In the filesystem track at the 2025 Linux Storage, Filesystem, MemoryManagement, and BPF Summit (LSFMM+BPF), Amir Goldstein wanted to resumediscussinga feature that he had briefly introduced at the end of a 2023 summit session: filesystem "writebarriers". The idea is to have an operation that would wait for anyin-flight write()system calls, but not block any new write() calls as biggerhammers, such as freezing the filesystem,would do. His prototype implementation is used by a hierarchicalstorage management (HSM) system to create a crash-consistentchange log, but there may be other use cases to consider. He wantedto discuss implementation options and the possibility of providing anAPI for user-space applications.

Security updates have been issued by AlmaLinux (bluez, expat, and postgresql:12), Fedora (chromium, golang, LibRaw, moodle, openiked, ruby, and trafficserver), Red Hat (bluez, expat, gnutls, libtasn1, libxslt, mod_auth_openidc, mod_auth_openidc:2.3, ruby:3.1, thunderbird, and xmlrpc-c), and Ubuntu (linux, linux-aws, linux-gcp, linux-hwe-6.11, linux-lowlatency, linux-lowlatency-hwe-6.11, linux-oem-6.11, linux-oracle, linux-raspi, linux-realtime, linux-azure, linux-azure-6.11, linux-gcp-6.8, and matrix-synapse).

The Linux kernel can be configured so thatkernel modules must be signed orotherwise authenticated to be loadedinto the kernel. Some BPF developers want that to be an option for BPF programsas well - after all, if those are going to run as part of the kernel,they should be subject to the same code-signing requirements. Blaise Boscaccyand Cong Wang presented two different visions for how BPF code signing couldwork at the 2025 Linux Storage, Filesystem, Memory-Management, and BPF Summit.

The UserspaceI/O (UIO) subsystem was first added to the kernel byHans J. Koch for the 2.6.32 release in 2007. Its purpose is to facilitatethe writing of drivers (mostly) in user space; to that end, it providesaccess to a number of resources that user-space code normally cannot touch.One piece that is missing, though, is DMA addresses. A proposal tofill that gap from Bastien Curutchet is running into some opposition,though.

Security updates have been issued by AlmaLinux (java-1.8.0-openjdk, kernel, libxslt, mod_auth_openidc:2.3, and webkit2gtk3), Fedora (c-ares, giflib, jupyterlab, perl, perl-Devel-Cover, perl-PAR-Packer, prometheus-podman-exporter, python-notebook, python-pydantic-core, rpki-client, ruby, rust-adblock, rust-cookie_store, rust-gitui, rust-gstreamer, rust-icu_collections, rust-icu_locid, rust-icu_locid_transform, rust-icu_locid_transform_data, rust-icu_normalizer, rust-icu_normalizer_data, rust-icu_properties, rust-icu_properties_data, rust-icu_provider, rust-icu_provider_macros, rust-idna, rust-idna_adapter, rust-litemap, rust-ron, rust-sequoia-openpgp, rust-sequoia-openpgp1, rust-tinystr, rust-url, rust-utf16_iter, rust-version-ranges, rust-write16, rust-writeable, rust-zerovec, rust-zip, thunderbird, and uv), SUSE (erlang, erlang26, and govulncheck-vulndb), and Ubuntu (mosquitto).

Anton Protopopov kicked off the BPF track onthe second day of the 2025 Linux Storage, Filesystem,Memory-Management, and BPF Summit with a discussion about permittingindirect calls in BPF. He also spoke about his continuing work onstatic keys, a topic which is related because the implementation of indirectjumps and static keys in the verifier use some of the same mechanisms fortracking indirect control-flow.Although some design work remains to be done, it may soon bepossible to make indirect calls in BPF without any extra work compared to normalC.

The Fedora Project's RISC-Vspecial-interest group (SIG) has announcedthe availability of FedoraLinux42 images for supportedRISC-V boards, as well as QEMUand container images. The SIG is working toward making RISC-V aprimary architecture for Fedora, and has made significant progress inthe past year.

The Python Steering Councilaccepted PEP 750("Template Strings") on April 10. LWNcovered the discussion around the proposal, including thesubstantial revisions to the idea that were needed for itto be accepted. Template strings (t-strings) are a new kind of string that producesstructured data instead of a raw string, allowing library authors to build their own customtemplate-handling logic.Since the approval happened before the cutoff for new features (May 6),support for template strings will be included in Python 3.14, scheduled for October 2025.

Ask a Linux enthusiast who created the Linux kernel, and odds are they will haveno trouble naming Linus Torvalds-but many would be stumped if asked what thefirst Linux distribution was, and who created it. Some might guess Slackware, or its predecessor, Softlanding LinuxSystem (SLS); both were arguably more influential but arrived just a bitlater. The first honest-to-goodness distribution with a proper installer was MCCInterimLinux,created by Owen LeBlanc, released publicly in early1992. I recentlyreached out to LeBlanc to learn more about his work on the distribution, whathe has been doing since, and his thoughts on Linux in2025.

Security updates have been issued by Debian (erlang, fig2dev, shadow, wget, and zabbix), Fedora (chromium, jupyterlab, llama-cpp, prometheus-podman-exporter, python-notebook, python-pydantic-core, rpki-client, rust-adblock, rust-cookie_store, rust-gitui, rust-gstreamer, rust-icu_collections, rust-icu_locid, rust-icu_locid_transform, rust-icu_locid_transform_data, rust-icu_normalizer, rust-icu_normalizer_data, rust-icu_properties, rust-icu_properties_data, rust-icu_provider, rust-icu_provider_macros, rust-idna, rust-idna_adapter, rust-litemap, rust-ron, rust-sequoia-openpgp, rust-sequoia-openpgp1, rust-tinystr, rust-url, rust-utf16_iter, rust-version-ranges, rust-write16, rust-writeable, rust-zerovec, rust-zip, uv, and webkitgtk), Slackware (libxml2 and zsh), SUSE (argocd-cli, chromium, coredns, ffmpeg-6, and firefox), and Ubuntu (imagemagick).

The 6.15-rc3 kernel prepatch is out fortesting. "There's absolutely nothing of huge note here as far as I cantell. Just a fair number of small fixes all over the place".

The6.14.3,6.13.12, and6.12.24 stable kernel updates have beenreleased; each contains another set of important fixes. Note that the6.13.x series ends with 6.13.12.

The New Stack looksat EU OS, an attempt to create a desktop system for the European publicsector.

The final session in the memory-management track of the 2025 Linux Storage,Filesystem, Memory-Management, and BPF Summit was a brief, last-minuteaddition run by Kalesh Singh. The kernel's readahead mechanism isgenerally good for performance; it ensures that data is present by the timean application gets around to asking for it. Sometimes, though, readaheadcan go a little too far.

Adding tracepoints to some kernel subsystems has been controversial-ordisallowed-due to concerns about the user-spaceABI that they might create. The virtual filesystem (VFS) layer haslong been one of the subsystems that has not allowed any tracepoints, butthat may be changing. At the 2025 Linux Storage, Filesystem, MemoryManagement, and BPF Summit (LSFMM+BPF), Ted Ts'o led a discussion aboutwhether the ABI concerns are outweighed by the utility of tracepoints forthe VFS.

Security updates have been issued by Debian (graphicsmagick and libapache2-mod-auth-openidc), Fedora (giflib, mod_auth_openidc, mysql8.0, perl, perl-Devel-Cover, perl-PAR-Packer, perl-String-Compare-ConstantTime, rust-openssl, rust-openssl-sys, trunk, and workrave), Mageia (chromium-browser-stable and rust), Oracle (java-1.8.0-openjdk, java-17-openjdk, java-21-openjdk, kernel, libreoffice, and webkit2gtk3), Red Hat (gvisor-tap-vsock), SUSE (containerd, docker, docker-stable, forgejo, GraphicsMagick, libmozjs-115-0, perl-32bit, poppler, subfinder, and thunderbird), and Ubuntu (erlang and ruby2.3, ruby2.5).

Version25.04 ("Plucky Puffin") of the Ubuntu Linux distribution has beenreleased. This release includes Linux 6.14, GNOME 48, APT 3.0, and introduces aArm64desktop ISO to install Ubuntu Desktop on Arm64 systems. This is aninterim release, with support through January2026. See the releasenotes for a detailed list of new features and changes.

Version14.5 of the TorBrowser has been released. Notable features in this releaseinclude the addition of Connection Assist for the Android version ofthe Tor Browser, and language support for Belarusian, Bulgarian, andPortuguese for all versions of the browser.

The kernel's memory controller works within the control-group mechanism toenforce memory-usage limits on groups of processes. This component hasoften had performance problems, so there is continual interest inoptimizing it. Shakeel Butt led a session during the memory-managementtrack of the 2025 Linux Storage, Filesystem, Memory-Management, and BPFSummit to look at the current state of the memory controller and what canbe done to reduce its overhead.

Security updates have been issued by Debian (chromium and libapache2-mod-auth-openidc), Oracle (expat, freetype, glibc, grub2, gvisor-tap-vsock, and kernel), Red Hat (grub2 and webkit2gtk3), and SUSE (apache2-mod_auth_openidc, cosign, gitoxide, govulncheck-vulndb, GraphicsMagick, haproxy, hauler, mozjs52, oci-cli, pam, perl-Data-Entropy, poppler, python-lxml-doc, python311-aiohttp, rekor, rubygem-rexml, and webkit2gtk3).