LWN.net

Greg Kroah-Hartman has released the 6.18.6, 6.12.66, 6.6.121, and 6.1.161 stable kernels. As usual, eachhas important fixes throughout the tree; users are advised toupgrade.

While there are several rootkits that target Linux, they have so far not fullyembraced the open-source ethos typical of Linux software.Luckily, Matheus Alves has been working to remedythis lack by creatingan open-source rootkit called Singularity for Linux systems. Users who feeltheir computers are too secure can install the Singularity kernel module inorder to allow remote code execution, disable security features, and hide filesand processes from normal administrative tools. Despite its many features,Singularity is not currently known to be in use in the wild - instead, itprovides security researchers with a testbed to investigate new detection andevasion techniques.

Security updates have been issued by AlmaLinux (gnupg2), Debian (firefox-esr), Oracle (cups, gnupg2, libpq, net-snmp, postgresql, postgresql:15, postgresql:16, transfig, and vsftpd), Red Hat (firefox), SUSE (apache2, curl, firefox, gpg2, hawk2, libcryptopp-devel, openCryptoki, python310, python311-urllib3, rke2, squid, and tomcat), and Ubuntu (cpp-httplib, git, python-apt, and simgear).

The Project Zero blog has athree-part series describing a working, zero-click exploit forPixel9 devices.

Sjoerd Simons has publisheda blog post about running Debian on the OpenWrtOnerouter hardware:

Version14.0 of the Forgejo software forge has been released. Notablechanges in this release include several databaseimprovements, new options for approvingactions execution from pull requests, a newfile editor, and progress toward makingForgejo's web UI work without JavaScript.

Al Viro does not often stray outside of the core virtual filesystem area;when he does, it is usually worthy of note. Recently, he wandered intomemory management with this patchseries to the slab allocator and some of its users. Kernel developerswill often put considerable effort into small optimizations, but it isstill interesting to look at just how much effort has gone toward the purpose ofavoiding a single pointer dereference in some memory-allocation hot paths.

We have recently noticed that email from LWN.net seems to beblocked by MXroute. Unfortunately, the company also does not seem tohave a way for non-customers to report problems in mail delivery, sowe have no good way to get ourselves unblocked.As a result, readers who have subscribed to an LWN mailing listfrom a domain hosted with MXroute will probably not receive ourmailings. We have not yet unsubscribed addresses that are beingblocked by MXroute, but will soon if the problem persists. Pleaseaccept our apologies for the inconvenience; it is unfortunate that itis becoming so difficult to send legitimate email as a smallbusiness.

Security updates have been issued by Debian (chromium, gnupg2, and mongo-c-driver), Fedora (firefox, gpsd, linux-firmware, and seamonkey), Mageia (net-snmp), Oracle (kernel, podman, postgresql16, postgresql:13, postgresql:15, postgresql:16, and uek-kernel), Red Hat (libpq, net-snmp, and transfig), Slackware (libpng and mozilla), SUSE (avahi, bluez, capstone, curl, dpdk, firefox, firefox-esr, fluidsynth, glib2, kernel, kernel-devel, libmicrohttpd, libpcap, libpng16, libsoup, libsoup-3_0-0, libtasn1, libvirt, mcphost, openvswitch, ovmf, podman, poppler, python-tornado6, python311, qemu, rsync, and valkey), and Ubuntu (erlang, klibc, libpng1.6, and ruby-rack).

Inside this week's LWN.net Weekly Edition:

Paul Kehrer and Alex Gaynor, maintainers of the Python cryptography module, have put out some stronglyworded criticism of OpenSSL. Itcomes from a talk they gave at the OpenSSL conference in October 2025 (YouTube video). Thepost goes into a lot of detail about the problems with the OpenSSL codebase and testing, which has led the cryptography team toreconsider using the library. "The mistakes we see in OpenSSL'sdevelopment have become so significant that we believe substantial changesare required - either to OpenSSL, or to our reliance on it." They gofurther in the conclusion:

Lossless data compression is an important tool for reducing the storagerequirements of the world's ever-growing data sets. Yann Collet developedthe LZ4algorithm and designed the Zstandard (or Zstd)algorithm; he came to the 2025Open Source Summit Japan in Tokyo to talk about where data compressiongoes from here. It turns out that we have reached a point wheregeneral-purpose algorithms are only going to provide limited improvement;for significant increases in compression, while keeping computation costswithin reason for data-center use, turning to format-specific techniqueswill be needed.

The Debian GNOME team would like to remove the GTK2 graphicstoolkit, which has been unmaintained upstream for more than fiveyears, and ship Debian14 ("forky") without it. As one mightexpect, however, there are those who would like to find a way to keepit. Despite its age and declared obsolescence, quite a few Debianpackages still depend on GTK2. Many of those applications areunlikely to be updated, and users are not eager to give themup. Discussion about how to handle this is ongoing; it seems likelythat Debian developers will find some way to continue supportingapplications that require GTK2, but users may have to lookoutside official Debian repositories.

Version1.6.0 of the Radicle peer-to-peer, local-first code collaborationstack has been released. Notable changes in this release includesupport for systemdcredentials, use of Rust's clap crate forparsing command-line arguments, and more. LWN covered the project in March2024.

Security updates have been issued by AlmaLinux (sssd), Debian (linux-6.1 and python-parsl), Fedora (chezmoi, complyctl, composer, and firefox), Oracle (kernel), Red Hat (buildah, libpq, podman, postgresql, postgresql16, postgresql:13, postgresql:15, and postgresql:16), SUSE (avahi, curl, ffmpeg-4, ffmpeg-7, firefox, istioctl, k6, kubelogin, libmicrohttpd, libpcap-devel, libpng16, libtasn1-6-32bit, matio, ovmf, python-tornado6, python311-Authlib, and teleport), and Ubuntu (angular.js, python-urllib3, and webkit2gtk).

Quality-of-service (QoS) mechanisms attempt to prioritize some processes (ornetwork traffic, disk I/O, etc.) over others in order to meet a system'sperformance goals. This is a difficult topic to handle in the world of Linux,where workloads, hardware, and user expectations vary wildly. Qais Yousef spokeat the 2025 Linux Plumbers Conference, alongside his collaborators John Stultz,Steven Rostedt, and Vincent Guittot, about their plans for introducing ahigh-level QoS API for Linux in a way that leaves end users in control of itsconfiguration. The talk focused specifically on a QoS mechanism for thescheduler, to prioritize access to CPU resources differently for different kindsof processes.(slides;video)

Version147.0 of the Firefox web browser has been released. Notablechanges in this release include support for the XDG BaseDirectory specification, enabling localnetwork access restrictions for users with enhancedtracking protection (ETP) set to "Strict", and a fix that improvesFirefox's rendering with GNOME on fractionally scaleddisplays. Firefox147 also includes a number of securityfixes, including several sandbox-escape vulnerabilities.

Security updates have been issued by AlmaLinux (mariadb10.11, mariadb:10.11, mariadb:10.3, mariadb:10.5, and tar), Debian (net-snmp), Fedora (coturn, NetworkManager-l2tp, openssh, and tuxanci), Mageia (libtasn1), Oracle (buildah, cups, httpd, kernel, libpq, libsoup, libsoup3, mariadb:10.11, mariadb:10.3, openssl, and podman), SUSE (cpp-httplib, ImageMagick, libtasn1, python-cbor2, util-linux, valkey, and wget2), and Ubuntu (google-guest-agent, linux-iot, and python-urllib3).

In open-source circles there are many situations, such as bugreports, demos, and tutorials, when one might want to provide aplay-by-play of a session in one's terminal. The asciinema project provides a set oftools to do just that. Its tools let users record, edit, and shareterminal sessions in a text-based format that has quite a fewadvantages compared to making and sharing videos of terminal sessions. Forexample, it is easy to use, offers the ability to search text fromrecorded sessions, and allows users to copy and paste directly fromthe recording.

Security updates have been issued by Debian (chromium and sogo), Fedora (chromium, foomuuri, libpng, libsodium, mariadb10.11, musescore, nginx, python-pdfminer, python-urllib3, python3.12, seamonkey, wasmedge, and wget2), Mageia (curl, libpcap, sodium, wget2, and zlib), Slackware (lcms2), SUSE (chromedriver, chromium, noopenh264, coredns, curl, dcmtk, fontforge, gdk-pixbuf-loader-libheif, gimp, kernel, libheif, libpng16, libsoup-2_4-1, libvirt, mariadb, php8, poppler, python-filelock, python-tornado6, python311-aiohttp, qemu, sssd, and traefik), and Ubuntu (libheif, libtasn1-6, linux-azure-nvidia, linux-kvm, linux-raspi, linux-raspi-realtime, and php7.2, php7.4, php8.1, php8.3, php8.4).

The 2026 edition of the Linux Storage, Filesystem, Memory Management, andBPF Summit will be held May4-6 in Zagreb, Croatia. The call forproposals has gone out for anybody who would like to attend thisinvitation-only meeting. "We are asking that you please let us know youwant to be invited by February 20, 2026".

The6.18.5,6.12.65,6.6.120, and6.1.160stable updates have been released. They all contain a small patchset fixing a scheduling regression associated with idle balancing; the6.6.120 and 6.1.60 updates also contain a large set of other importantfixes.

On her blog, Julia Evans writes aboutimproving Git documentation, including a new datamodel man page she wrote with MarieLeBlanc Flanagan, and updates to the pages for several other Git sub-commands(add, checkout, push, and pull). Aspart of the process, she asked Git users to describe problems they had run intoin the documentation, which helped guide the changes that she made.

The READ_ONCE() and WRITE_ONCE() macros are heavily usedwithin the kernel; there are nearly 8,000 call sites forREAD_ONCE(). They are key to the implementation of many lockless algorithms and can be necessary for sometypes of device-memory access. So one might think that, as theamount of Rust code in the kernel increases, there would be a place forRust versions of these macros as well. The truth of the matter, though, isthat the Rust community seems to want to take a different approach toconcurrent data access.

Security updates have been issued by Debian (pdfminer and vlc), Red Hat (kernel, kernel-rt, and microcode_ctl), Slackware (libtasn1), SUSE (apptainer, curl, ImageMagick, libpcap, libvirt, libwget4, php8, podman, python311-cbor2, qemu, and rsync), and Ubuntu (gnupg, gnupg2, gpsd, libsodium, and python-tornado).

The Fedora Project has announcedthe results of the Fedora43 election cycle. Five seats were openon the Fedora EngineeringSteering Committee (FESCo), and the winnersare Kevin Fenzi, Zbigniew Jdrzejewski-Szmek, Timothee Ravier, DaveCantrell, and Mairin Duffy.

Gentoo Linux has published a 2025project retrospective that looks at how the community has evolved,changes to the distribution, infrastructure, and finances for theGentoo Foundation.

TheSoftware Freedom Conservancy (SFC) issuingVIZIO over smart TVs thatinclude software licensed under the GPL and LGPL (including the Linux kernel,FFmpeg, systemd, and others).VIZIO didn't provide the source code along with the device, and on request theyonly provided some of it. Unlike a typical lawsuit about enforcing the GPL, theSFC isn't suing as a copyright holder; it's suing asa normal owner of the TVin question. This approach opens some important legal questions, and after yearsof pre-trial maneuvering (most recently resulting ina ruling related to signing keys thatis the subject of a separate article),we might finally obtain some answers when the case goesto trial on January12. As things stand, it seems likely that the judge inthe case will rule that that the GPL-enforcement lawsuits can be a matter ofcontract law, not just copyright law, which would be a major change to how GPLenforcement works.

On December 24 2025, Linus Torvalds posted a stronglyworded message celebrating a ruling inthe ongoing GPL-compliance lawsuit filedagainst VIZIO by the Software Freedom Conservancy (SFC). This case andTorvalds's response have put a spotlight on an old debate over the extentto which the source-code requirements of the GNUGeneral Public License (version2) extend to keys and other dataneeded to successfully install modified software on a device. It is worthlooking at whether this requirement exists, the subtleties ininterpretation that cloud the issue, and the extent to which, if any, theSFC is demanding that information.

Greg Kroah-Hartman has released the 6.18.4 and 6.12.64 stable kernels. As always, eachcontains important fixes throughout the tree. Users are advised toupgrade.

Security updates have been issued by AlmaLinux (gcc-toolset-14-binutils, gcc-toolset-15-binutils, httpd, kernel, libpng, mariadb, mingw-libpng, poppler, python3.12, and ruby:3.3), Debian (foomuuri and libsodium), Fedora (python-pdfminer and wget2), Oracle (audiofile, bind, gcc-toolset-15-binutils, libpng, mariadb, mariadb10.11, mariadb:10.11, mariadb:10.5, mingw-libpng, poppler, and python3.12), Red Hat (git-lfs, kernel, libpng, libpq, mariadb:10.3, osbuild-composer, postgresql, postgresql:13, and postgresql:15), Slackware (curl), SUSE (c-ares-devel, capstone, curl, gpsd, ImageMagick, libpcap, log4j, python311-filelock, and python314), and Ubuntu (libcaca, libxslt, and net-snmp).

Inside this week's LWN.net Weekly Edition:

The European Commission has openeda "callfor evidence" to help shape its European Open Digital EcosystemStrategy. The commission is looking to reduce its dependence onsoftware from non-EU countries:

At the 2025 Linux PlumbersConference (LPC), held in Tokyo in mid-December, Changwoo Min led a session on whathe has learned while developing the"latency-criticalityaware virtual deadline" (LAVD) scheduler, which is aimed at gamingworkloads. The session was part of the Gamingon Linux microconference, which is a new entrant into LPC; organizershope to see it return next year inPrague and, presumably, beyond. LAVD uses the extensible scheduler class (sched_ext) and hasthe primary goal of minimizing stutteringin games;it is implemented in a combination of BPF and Rust.

Last year werevived the tradition of publishing a timeline ofnotable events from the previous year. Since that seemed to go overwell, we decided we should continue the practice and look back on someof the most noteworthy events and releases of 2025.

The IPFire project, anopen-source firewall Linux distribution, has released version2.29 - Core Update 199. Notable changes in this release include anupdate to Linux 6.12.58, support for WiFi6 and 7 features onwireless access points, as well as native support for link-localdiscovery protocol (LLDP) and Cisco discovery protocol (CDP).

Android Authority reportsthat Google will be reducing the frequency of releases of code to theAndroid Open Source Project to only twice per year.

Security updates have been issued by AlmaLinux (resource-agents, ruby:3.3, thunderbird, and xorg-x11-server), Fedora (libpcap), Red Hat (brotli), Slackware (libsodium), SUSE (dcmtk, govulncheck-vulndb, libpcap, mozjs60, qemu, rsync, and usbmuxd), and Ubuntu (glib2.0 and linux-raspi, linux-raspi-5.4).

The nature and role of the Linux Foundation's Technical Advisory Board (TAB) isnot well-understood, thougha recent LWN article shed some light on itsrole andhistory. At the 2025Linux Plumbers Conference (LPC), the TAB held a question andanswer session to address whatever it was the community wanted to know(video).Those questions ended up covering the role of large language models in kerneldevelopment, what it is like to be on the TAB, how the TAB can help grease thewheels of corporate bureaucracy, and more.

Aleksa Sarai, as the maintainer of therunc container runtime, faces aconstant battle against security problems. Recently, runc has seenanotherinstance of a security vulnerability that can be traced back to the difficultyof handling file paths on Linux. Sarai spoke at the 2025Linux Plumbers Conference(slides;video)aboutsome of the problems runc has had with path-traversal vulnerabilities, and toask people to please uselibpathrs, the library that he has been developing forsafe path traversal.

Version26.0 ("Anh-Linh") of the Arch-based Manjaro Linux distribution has beenreleased. Manjaro26.0 includes Linux6.18, GNOME49,KDEPlasma6.5, Xfce4.20, and more.

Security updates have been issued by AlmaLinux (kernel, ruby, and thunderbird), Debian (libsodium and ruby-rmagick), Fedora (gnupg2 and proxychains-ng), Oracle (gcc-toolset-14-binutils, rsync, tar, and thunderbird), Red Hat (buildah, mariadb, mariadb10.11, podman, and tar), SUSE (alloy, apache2, buildah, erlang26, glib2, ImageMagick, kernel, libsoup, pgadmin4, python-tornado6, python3, python312, python313, qemu, webkit2gtk3, and xen), and Ubuntu (webkit2gtk).

The calendar has flipped over to 2026; a new year has begun. That meansthe moment we all dread has arrived: it is time for LWN to put out a set oflame predictions for what may happen in the coming year. Needless to say,we do not know any more than anybody else, but that doesn't stop us frommaking authoritative-sounding pronouncements anyway.

Version 1.30 of the GNUddrescue data recovery tool has been released. Notable changes inthis release include improvements to automatic recovery of a drivewith a dead head, addition of a --no-sweep option to disablereading of skipped areas, and more.

Security updates have been issued by AlmaLinux (tar), Debian (curl and gimp), Fedora (doctl, gitleaks, gnupg2, grpcurl, nginx, nginx-mod-brotli, nginx-mod-fancyindex, nginx-mod-headers-more, nginx-mod-modsecurity, nginx-mod-naxsi, nginx-mod-vts, and usd), Mageia (cups), Red Hat (container-tools:rhel8, go-toolset:rhel8, grafana, and skopeo), and SUSE (dirmngr, fluidsynth, gnu-recutils, libmatio-devel, python311-marshmallow, python312-Django6, rsync, and thunderbird).

The 6.19-rc4 kernel prepatch is out fortesting.

Greg Kroah-Hartman has written anoverview of how the kernel's security team works.

Greg Kroah-Hartman has announced the release of the 6.18.3 stable kernel. As always, thisupdate contains important fixes; users of this kernel are advised toupgrade.

Security updates have been issued by Debian (smb4k), Fedora (direwolf, gh, usd, and webkitgtk), Slackware (libpcap and seamonkey), and SUSE (kepler).

Security updates have been issued by Debian (imagemagick and net-snmp), Fedora (delve, golang-github-google-wire, and golang-github-googlecloudplatform-cloudsql-proxy), and SUSE (podman, python3, and python36).