LWN.net

Terence Eden reportsthat the UK's NationalHealth Service (NHS) is preparing to close almost all of its open-source repositories as aresponse to LLM tools, such as Anthropic's Mythos, becoming moresophisticated at finding security vulnerabilities. He does not, to putit mildly, agree with the decision:

Modern database and filesystems make pervasive use ofB-trees, which are treestructures optimized for storing sorted lists of keys and values on blockdevices.Dolt is an Apache 2.0-licensed project that makes clever use of avariant of a B-tree to support efficient version control for an entire database.The data structure it uses could well be of interest to other projects.

Security updates have been issued by AlmaLinux (fence-agents), Debian (chromium, dovecot, and kernel), Fedora (chromium, dotnet10.0, dotnet8.0, dotnet9.0, emacs, glow, jfrog-cli, openbao, pyp2spec, python3.6, rust-rustls-webpki, vhs, and xen), Oracle (grafana, grafana-pcp, PackageKit, sudo, vim, and xorg-x11-server), Red Hat (rhc), SUSE (avahi, bouncycastle, chromium, container-suseconnect, firewalld, gdk-pixbuf, grafana, java-25-openjdk, kernel, libixml11, libmozjs-140-0, libpng12-0, libsodium, libssh, mariadb, Mesa, ntfs-3g_ntfsprogs, openCryptoki, openexr, packagekit, prometheus-postgres_exporter, python-jwcrypto, python-mako, python-Pygments, python-pynacl, python311, python311-pyOpenSSL, python315, radare2, sed, and vim), and Ubuntu (kmod and zulucrypt).

Hyrum's Law states that anyobservable behavior of a system will eventually be depended upon bysomebody. The kernel community is currently contending with a cleardemonstration of that principle. The recent work to address some restartable-sequencesperformance problems in the 6.19 release maintained the documented APIin all respects, but that was not enough; Google's TCMalloclibrary, as it turns out, violates the documented API, prevents other codefrom using restartable features, and breaks with 6.19. But the kernel'sno-regressions rule is forcing developers to find a way to accommodateTCMalloc's behavior.

Version16.1 of the GNU Compiler Collection (GCC) has beenreleased.

Greg Kroah-Hartman has released the 7.0.3, 6.18.26, 6.12.85, 6.6.137, 6.1.170, 5.15.204, and 5.10.254 stable kernels. The 7.0.3 and6.18.26 kernels only contain fixes needed for Xen users; the others,though, have backported fixes for the recently disclosed AEAD socket vulnerability. Kroah-Hartman advisesthat all users of the other kernel series must upgrade.

Security updates have been issued by AlmaLinux (buildah, firefox, gdk-pixbuf2, giflib, grafana, java-1.8.0-openjdk, java-21-openjdk, LibRaw, OpenEXR, PackageKit, pcs, python3.11, python3.12, python3.9, sudo, tigervnc, vim, xorg-x11-server, xorg-x11-server-Xwayland, yggdrasil, and yggdrasil-worker-package-manager), Debian (calibre, firefox-esr, and openjdk-17), Fedora (asterisk, binaryen, buildah, dokuwiki, lemonldap-ng, libexif, libgcrypt, miniupnpd, openvpn, podman, python3.9, rust-rpm-sequoia, skopeo, and xdg-dbus-proxy), Red Hat (buildah, gdk-pixbuf2, and nodejs:20), SUSE (dnsdist, libheif, openCryptoki, polkit, sed, and xen), and Ubuntu (linux-bluefield, python-marshmallow, and roundcube).

Inside this week's LWN.net Weekly Edition:

Security analysis firm Xint has disclosed a security bug in the Linux kernelthat allows for arbitrary 4-byte writes to the page cache, and which has beenpresent since 2017.The vulnerability hasbeen fixed in mainline kernels. A proof-of-concept script demonstrates how to use the flaw to corrupt a setuidbinary, which works onmultiple distributions, by requesting an AEAD-encrypted socket from user spaceand splicing a particular payload into it.A supplemental blogpost gives more details about the discovery and remediation.

The Python packaging world now has a formalgovernance council, of the form described in PEP772 ("PackagingCouncil governance process"), which was approvedby the steering council on April16. It has been over a yearsince the PEP was first proposed in February2025 and it has undergonelengthy discussions in multiple postings to the Python discussion forum. Thepackaging council will have "broad authority over packaging standards,tools, and implementations"; it will consist of five members who willbe elected in a vote that is likely to come in June-after PyCon US 2026 is held mid-May.

SUSE's Security Team has published a detailedblog post on their recent review of the PlasmaLogin Manager version 6.6.2,which was forked from the SDDM displaymanager.

Security updates have been issued by AlmaLinux (firefox, gdk-pixbuf2, java-17-openjdk, libxml2, python3, python3.11, python3.12, sudo, and webkit2gtk3), Debian (dnsdist, node-tar, pdns, pdns-recursor, and policykit-1), Fedora (chromium, edk2, and vim), Oracle (firefox, gdk-pixbuf2, go-toolset:rhel8, libpng12, LibRaw, libxml2, python, python3, python3.11, python3.12, python3.12-wheel, vim, webkit2gtk3, xorg-x11-server, xorg-x11-server-Xwayland, yggdrasil, and yggdrasil-worker-package-manager), Red Hat (container-tools:rhel8, delve, git-lfs, go-rpm-macros, grafana, grafana-pcp, osbuild-composer, and rhc), SUSE (bouncycastle, clamav, container-suseconnect, dovecot22, erlang, firefox, fontforge, freerdp2, ghostscript, giflib, gnome-remote-desktop, go1.25, go1.26, google-guest-agent, haproxy, ignition, ImageMagick, kernel, libcap, libpng16, libraw, librsvg, mariadb, openexr, pocketbase, protobuf, python-Pillow, python-requests, qemu, rust1.94, sudo, tomcat, tomcat10, tomcat11, webkit2gtk3, and xen), and Ubuntu (dotnet10, dovecot, linux-nvidia-lowlatency, node-follow-redirects, openssh, packagekit, python-cryptography, python-tornado, ruby-rack-session, ujson, and wheel).

LWN has received the sad news that Seth Nickell passed away, onApril 16, from his father, Eric Nickell:

The Fedora Project has announcedthe release of FedoraLinux44. There are "what's new"articles for FedoraWorkstation, FedoraKDEPlasmaDesktop, and FedoraAtomic Desktops. The Fedora Asahi Remix for Apple Silicon Macs,based on Fedora44, is alsoavailable. See the Fedora Spins page for a full list of alternative desktop options.

There are dozens of music-player applications for Linux; the options rangefrom bare-bones programs that only play local files to full-blownmusic-management projects with a full suite of tools for managing (and playing)a music collection. Strawberryis in the latter category; it has a bumper crop of features, including smartplaylists, support for editing music metadata tags, the ability to organize musicfiles, and more.

We have received the sad news that Toma Kalibera, a member of theRProject core team, haspassed awayafter a short illness.

FOSDEM's organizers have announcedthat all of the video recordings "worth publishing" from FOSDEM2026 are now available.

Security updates have been issued by Debian (openjdk-21 and webkit2gtk), Fedora (botan3, chromium, cockpit, firefox, flatpak, gum, libarchive, libcoap, mingw-python3, ngtcp2, nss, openssh, openssl, openvpn, PackageKit, python3-docs, python3.11, python3.12, python3.13, python3.14, vim, and xrdp), Oracle (firefox, gdk-pixbuf2, java-1.8.0-openjdk, java-21-openjdk, python3.12, python3.9, sudo, and tigervnc), Red Hat (tigervnc and xorg-x11-server-Xwayland), Slackware (mpg123 and proftpd), SUSE (emacs, firefox, fontforge, freeciv, freerdp, libngtcp2-16, libsystemd0, and strongswan), and Ubuntu (authd, clamav, glance, haproxy, jq, lcms2, nginx, nltk, ntfs-3g, packagekit, pillow, strongswan, and vim).

Version 26.1 ofthe pip package installer for Python has been released. Richard Sihas published a blogpost that looks at some of the highlights of 26.1 includingdependency cooldowns, experimental support for pylock (pylock.toml)files, and resolverimprovements that will move pip closer to the goal of removing itslegacy resolver. The release also includes several security fixes anddrops support for Python3.9.

By the time Linus Torvalds released 7.1-rc1and closed the 7.1 merge window, 12,996 non-merge changesets had beenpulled into the mainline repository; just over 9,000 of those arrived afterthe first-half summary was written. Thesechanges were more driver-oriented than those seen earlier, but still alsoincluded many new features across the kernel as a whole.

Greg Kroah-Hartman has announced the release of the 7.0.2, 6.18.25, 6.12.84, and 6.6.136 stable kernels. As usual, eachcontains important fixes throughout; users are advised to upgrade.

David Steele, maintainer of the popular pgBackRest backup and restore project forPostgreSQL, has archivedthe project and announced that it is no longer being maintained.

Version 0.16.0 of the Zig programming language wasrecently announced, and withit an expanded version of the new Io interface that wecovered in December.The new interface is based on an idea called structured concurrency that makes writingcorrect concurrent applications easier. Zig's implementation ofthe idea is more explicit and verbose than other languages, however, which couldoffer an opportunity to explore the consequences of different designs.

Jon Seager, VP engineering for Canonical, has postedan update on "what Canonical and Ubuntu will do (or not) toincorporate AI" that explains what part AI will play in the futureof the company and its distribution.

Version 26.04of the niri scrollable-tiling Wayland compositor has been released. The mostnotable change in this release, as the "most requested niri feature by far",is support for the blur effect using the Wayland protocol's ext-background-effect. Thisrelease also features optional configurationincludes, screencasting support enhancements, and a number of improvements forinput devices.

Security updates have been issued by AlmaLinux (java-25-openjdk, kernel, osbuild-composer, thunderbird, webkit2gtk3, and wireshark), Debian (chromium, distro-info-data, libde265, mbedtls, and thunderbird), Fedora (awstats, bind9-next, bpfman, buildah, calibre, cef, chromium, composer, corosync, coturn, cups, curl, dnsdist, doctl, erlang, fido-device-onboard, flatpak-builder, freetype, glab, goose, jq, kea, libarchive, libcap, libcgif, libgsasl, libinput, libmicrohttpd, libpng, libpng12, libpng15, mapserver, mbedtls, micropython, minetest, mingw-exiv2, mingw-libpng, mingw-LibRaw, mingw-openexr, mingw-python3, moby-engine, mupdf, nginx, nginx-mod-brotli, nginx-mod-fancyindex, nginx-mod-headers-more, nginx-mod-modsecurity, nginx-mod-naxsi, nginx-mod-vts, opam, openbao, opensc, openssh, openssl, opkssh, perl-Net-CIDR-Lite, pgadmin4, pie, podman, pspp, pypy, python-biopython, python-cairosvg, python-cbor2, python-cryptography, python-flask-httpauth, python-msal, python-pillow, python-pydicom, python-tomli, python3-docs, python3.13, python3.14, python3.15, python3.9, rauc, roundcubemail, rpki-client, rust-sccache, skopeo, smb4k, stb, sudo, tcpflow, thunderbird, tigervnc, tinyproxy, trafficserver, trivy, usd, util-linux, vim, xdg-dbus-proxy, xorg-x11-server, xorg-x11-server-Xwayland, and yarnpkg), Oracle (buildah, golang, grafana, java-17-openjdk, and java-25-openjdk), and SUSE (chromium, cockpit-podman, coredns, corosync, cups, dnsdist, flatpak, freerdp2, frr, gdk-pixbuf, golang-github-prometheus-alertmanager, golang-github-prometheus-prometheus, google-guest-agent, haproxy, ignition, ImageMagick, kernel, kyverno, libcap, libminizip1, libpng16, librsvg, libXpm-devel, Mesa, opensc, openssl-3, ovmf-202602, PackageKit, podman, python-ecdsa, python-pillow, python311-Mako, sudo, thunderbird, tomcat, tomcat10, and vim).

Linus has released 7.1-rc1 and closed themerge window for this release.

Werner Koch has announcedthe release of GnuPG2.5.19. This release includes a few new optionsand a number of bug fixes, and comes with the reminder that theGnuPG2.4 series will reach end-of-life soon

The kernel coverage here at LWN often touches on memory-management topicsand, as a result, tends to talk a lot about both pages and folios. As thefolio transition in the kernel has moved forward, it has often becomedifficult to decide which term to use in writing that is meant to be bothapproachable and technically correct. As this work continues, it will beincreasingly common to use "folio" rather than page. This article isintended to be a convenient reference for readers wanting to differentiatethe two terms or understand the state of this transition.

Security updates have been issued by Fedora (anaconda, dnf5, firefox, flatpak-builder, libexif, minetest, nss, plasma-setup, python-blivet, rpki-client, and xorg-x11-server), Oracle (bind, kernel, osbuild-composer, thunderbird, webkit2gtk3, and wireshark), Red Hat (java-25-openjdk), SUSE (cacti, cacti, cacti-spine, cockpit-machines, cockpit-podman, cockpit-tukit, csync2, flannel, gdk-pixbuf, go1.25-openssl, go1.26-openssl, haproxy, kernel, libcap, libpng16, libtree-sitter0_26, libvirt, ncurses, ntfs-3g_ntfsprogs, openssl-1_1, openssl-3, openvswitch, perl, python-pyOpenSSL, python311, rclone, sudo, and tomcat), and Ubuntu (gst-plugins-bad1.0, jq, libopenmpt, linux-ibm, linux-ibm-5.15, and php-league-commonmark).

Ubuntu 26.04 ("Resolute Raccoon") LTS has been releasedon schedule.

The famfs filesystem first showed up on themailing lists in early 2024; since then, it has been the topic ofregular discussions at the Linux Storage, Filesystem, Memory Management andBPF (LSFMM+BPF) Summit. It has also, as result of those discussions, beenthrough some significant changes since that initial posting. So it is notsurprising that a suggestion that it needed to be rewritten yet again wasnot entirely well received. How much more rewriting will actually beneeded is unclear, but more discussion appears certain.

Security updates have been issued by AlmaLinux (kernel and osbuild-composer), Debian (cpp-httplib, firefox-esr, gimp, and packagekit), Fedora (chromium, composer, libcap, pgadmin4, pie, python3-docs, python3.14, and sudo), Mageia (gvfs), Oracle (.NET 8.0, delve, freerdp, giflib, ImageMagick, kernel, OpenEXR, and osbuild-composer), SUSE (erlang, giflib, google-guest-agent, GraphicsMagick, ignition, imagemagick, kea, kernel, kissfft, libraw, libssh, ocaml-patch, opam, openCryptoki, openexr, openssl-1_1, tomcat, tomcat10, tomcat11, and tor), and Ubuntu (linux, linux-aws, linux-aws-5.4, linux-azure, linux-gcp, linux-gcp-5.4, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-iot, linux-kvm, linux-oracle, linux-oracle-5.4, linux-xilinx-zynqmp, linux-aws, linux-aws-6.17, linux-hwe-6.17, linux-oracle, linux-oracle-6.17, linux-azure, linux-intel-iotg, linux-intel-iotg-5.15, linux-kvm, linux-oracle-5.15, linux-azure-5.4, linux-azure-fips, linux-fips, linux-aws-fips, linux-azure-fips, linux-gcp-fips, linux-hwe-6.8, linux-ibm-6.8, linux-raspi, linux-oracle, linux-oracle-6.8, linux-raspi, linux-raspi-5.4, linux-raspi-realtime, packagekit, python-tornado, ruby-rack-session, slurm-llnl, and strongswan).

Inside this week's LWN.net Weekly Edition:

Efforts to introduce malicious code into the open-source supplychain have been on the rise in recent years, and there is no indication that theywill abate anytime soon. These attacks are often found quickly, but not quicklyenough to prevent the compromised code from being automatically injected into otherprojects or code deployed by users where it can wreak havoc. One method of avoidingsupply-chain attacks is to add a delay of a few days before pulling upates in whatis known as a "dependency cooldown". That tactic is starting to find favor withusers and some language ecosystem package managers. While this practice isconsidered a reasonable response by many, others are complaining that thoseemploying dependency cooldowns are free-riding on the larger community by lettingothers take the risk.

In Rust, types either possess a constant size known at compile time, or adynamically calculated size known atrun time. That is fine for most purposes, but recent proposals for the languagehave shown the need for a more fine-grained hierarchy.RFC 3729 from David Wood and Remy Rakic would add a hierarchy oftraits to describe types with sizes known under different circumstances. Whilethe idea has been subject to discussion for many years, a growing number ofuse cases for the feature have come to light.

Version2.26.0 of the LilyPondmusic-engraving program has been released. Majorchanges include the ability to use the Cairo library to generateoutput and improvements in spacing between clefs and timesignatures. See the release notes for a full list of miscellaneousimprovements as well as what's new with musicaland specialistnotation.

Greg Kroah-Hartman has announced the release of the 7.0.1, 6.19.14, 6.18.24, and 6.12.83 stable kernels. As usual, eachcontains important fixes throughout the tree. Users are encouraged toupgrade.Note that the 6.19.x series ends with 6.19.14.

Security updates have been issued by Debian (firefox-esr, flatpak, ngtcp2, ntfs-3g, packagekit, python-geopandas, simpleeval, strongswan, and xdg-dbus-proxy), Fedora (chromium, cups, curl, jq, opkssh, perl-Net-CIDR-Lite, python-cbor2, python-pillow, tinyproxy, xdg-dbus-proxy, and xorg-x11-server-Xwayland), Slackware (libXpm and mozilla), SUSE (botan, chromium, clamav, cockpit, cockpit-machines, cockpit-packages, cockpit-podman, cockpit-subscriptions, dovecot24, firefox, flatpak, freeipmi, gdk-pixbuf, glibc, gnome-remote-desktop, go1.25, go1.26, go1.26-openssl, google-cloud-sap-agent, gosec, graphicsmagick, haproxy, kernel, libpng16, libraw, libtasn1, libvncserver, ncurses, nebula, nodejs24, openssl-3, ovmf, pam, pcre2, perl-Authen-SASL, pgvector, plexus-utils, podman, python-cbor2, python-cryptography, python-django, python-gi-docgen, python-pypdf2, python-python-multipart, python311, python311-PyPDF2, python313, qemu, roundcubemail, rust1.94, sqlite3, strongswan, systemd, tar, tigervnc, util-linux, vim, webkit2gtk3, xorg-x11-server, xwayland, and zlib), and Ubuntu (commons-io, libcap2, ntfs-3g, and rapidjson).

There are a number of ongoing efforts to remove kernel code, mostly fromthe networking subsystem, as an alternative to dealing with the increase insecurity-bug reports from large language models. The proposed removalsinclude ISAand PCMCIA Ethernet drivers, a pairof PCI drivers, the ax25 and amateurradio subsystem, the ATM protocols and drivers,and the ISDNsubsystem.

ThisFirefox blog post reports that the Firefox150 release includesfixes for 271 vulnerabilities found by the Claude Mythos preview.

The Fedora Project has been wrestling with the question of who should be able to vote inFedora elections recently, with project membership being a major topic atthe Fedora Council face-to-face held in early February. Now theproject is considering a new contributor status, "Fedora Verified",and is lookingto get input on the idea from the community.

The open-source world is currently awash inreports of LLM-discovered bugs and vulnerabilities, which makes for a lot morework for maintainers, but many of the current crop are being reportedresponsibly with an eye toward minimizing that impact. A recent reporton an effort to systematically find bugs in Python extensionswritten in C has followed that approach. Hobbyist Daniel Diniz used ClaudeCode to find more than 500 bugs of various sorts across nearly a millionlines of code in 44 extensions; he has been working with maintainers to getfixes upstream and his methodology serves as a great example of how to keepthe human in the loop-and the maintainers out of burnout-when employing LLMs.

Version150 of the Firefox web browser has been released. Notable changesinclude local-network-accessrestrictions being turned on for all users, the ability toreorder, copy, delete, paste, and export pages from a PDF usingFirefox's built-in viewer, as well as improvements in its splitview feature, and more. See also the releasenotes for developers and listof security fixes in this release. (Update: Mozilla seems to have removed the local-network-access restrictions information since the release was published yesterday.)

Security updates have been issued by AlmaLinux (freerdp, kernel, and kernel-rt), Debian (mupdf, opam, simpleeval, and xdg-dbus-proxy), Mageia (firefox, thunderbird and libtiff), Red Hat (containernetworking-plugins, gvisor-tap-vsock, nodejs22, nodejs:20, nodejs:22, perl-XML-Parser, python3.11, python3.9, runc, and skopeo), and SUSE (bind, buildah, cockpit-subscriptions, container-suseconnect, containerd, corosync, cosign, docker, dovecot24, flatpak, freeipmi, gegl, GraphicsMagick, helm, ImageMagick, kubernetes, kubernetes-old, libpng15, LibVNCServer, ncurses, nodejs22, opensc, openvswitch, patterns-glibc-hwcaps, podman, python, python310, python312, python315, rekor, rootlesskit, roundcubemail, and runc).

Git maintainer Junio Hamano has announcedGit 2.54.0, which includes contributions from 137 people; 66 of thosepeople are first-time contributors to the project. Changes include theaddition of Git history rewriting, Git's web interface (gitweb)"has been taught to be mobile friendly", and much more. See theannouncement for all improvements, additions, and bug fixes. Hamanois now taking a short break:

Robin Candau has announcedthe availability of a bit-for-bit reproducible container image forArch Linux:

The Document Foundation (TDF) isthe nonprofit entity behind the LibreOffice productivity suite. Most of thetime, the software takes the spotlight, but that has changed in the past few weeks, andnot for pleasant reasons. TDF has revokedfoundation membership status from about 30 people who work for or havecontracting status with Collabora. Inresponse, Collabora has announcedplans to focus on a "entirely new, cut-down, differentiated Collabora Office"project and reduce its involvement with LibreOffice. TDF's representatives claim thatits actions were necessary to maintain the foundation's nonprofit status, while othercommunity members assert that this is part of a power grab. The facts seem toindicate that there are legitimate issues to be addressed, but it is unclearthat TDF needed to go so far as to disenfranchise all Collabora-affiliated contributors.

Debian Project secretary Kurt Roeckx has announced the DebianProject Leader (DPL) election results:the winner of the election is Sruthi Chandran. She will replacetwo-term DPL Andreas Tille.

Security updates have been issued by AlmaLinux (.NET 10.0, .NET 8.0, .NET 9.0, delve, freerdp, giflib, go-rpm-macros, libarchive, and openexr), Debian (gimp, imagemagick, luanti, mapserver, mupdf, opam, perl, pillow, postgresql-13, and tiff), Fedora (aqualung, awstats, curl, incus, mac, mbedtls, mingw-LibRaw, python-msal, python3.11, python3.12, python3.15, smb4k, stb, and usd), Gentoo (DTrace and FUSE), Mageia (gdk-pixbuf2.0, giflib, polkit-122, python-cairosvg, and rsync), Oracle (.NET 10.0, .NET 8.0, .NET 9.0, 389-ds-base, bind, freerdp, go-rpm-macros, kernel, libarchive, nodejs:20, openexr, perl:5.32, python, python3, squid:4, thunderbird, and uek-kernel), Slackware (tigervnc), and SUSE (aardvark-dns, avahi, bind, blender, Botan, bouncycastle, chromedriver, cpp-httplib-devel, flannel, gdk-pixbuf, GraphicsMagick, ignition, ImageMagick, jetty-annotations, jetty-minimal, kernel, kubo, leancrypto-devel, libcap, liblog4cxx-devel, libpng16-16, libraw, libraw-devel, NetworkManager, opam, openssl-3, openvswitch, openvswitch3, podman, polkit, python-cryptography, python-djangorestframework, python-Django, python-ecdsa, python311-Django, python311-jwcrypto, python311-Pillow, roundcubemail, skopeo, tempo-cli, and vim).