LWN.net

Inside this week's LWN.net Weekly Edition:

As part of the process of writing man pages for the "new" mount API, which has been available in thekernel since 2019, Aleksa Sarai encountered a number of places where the fsconfig()system call-for configuring filesystems before mounting-needs to be cleaned up. In the 2025 Linux Plumbers Conference(LPC) session that he led, Sarai wanted to discuss some of the problems he found,including at least one with security implications. The idea of the sessionwas for him to describe the various bugs and ambiguities that he had found,but he also wanted attendees to raise other problems they had with thesystem call.

Version3.0.0 of the pandas dataanalysis and manipulation library for Python has beenreleased. Notable changes include a dedicatedstring type (str), new "copy-on-write" behavior, and much more. This release also removesa number of features that were deprecated in prior versions of pandas;developers are advised to upgrade to pandas2.3 and ensure code isworking without warnings before moving to3.0. See the releasenotes for the full changelog.

At the 39thChaos Communication Congress (39C3) in December, researchers LexiGroves ("49016") and Liam Wachter said that they had discovered anumber of flaws in popular implementations of OpenPGP email-encryption standard. They also released anaccompanying web site, gpg.fail, withdescriptions of the discoveries. Most of thosepresented were found in GNU PrivacyGuard (GPG), though the pair also discussed problems in age,Minisign, Sequoia, and the OpenPGPstandard (RFC 9580) itself. The discoveries have spurred some interestingdiscussions and as well as responses from GPG and Sequoiadevelopers.

Security updates have been issued by AlmaLinux (brotli and container-tools:rhel8), Debian (python-keystonemiddleware and python3.9), Fedora (cef, freerdp, golang-github-tetratelabs-wazero, and libpcap), Oracle (brotli, gpsd, kernel, and transfig), Red Hat (freerdp, golang, java-11-openjdk with Extended Lifecycle Support, libpng, libssh, mingw-libpng, and runc), SUSE (abseil-cpp, alloy, apache2, bind, cpp-httplib, curl, erlang, firefox, gpg2, grafana, haproxy, hauler, hawk2, libblkid-devel, libpng16, libraylib550, python-keystonemiddleware-doc, python-uv, python-weasyprint, squid, and tomcat), and Ubuntu (crawl and iperf3).

Konstantin Ryabitsev has put up ablog post about korgalore, a tool he has written to circumvent deliveryproblems experienced by kernel developers using the large, centralizedemail systems.

One would assume that most LWN readers stopped running network-accessibletelnet services some number of decades ago. For the rest of you, this security advisory fromSimon Josefsson is worthy of note:

Mozilla has announceda repository with FirefoxNightly channel packages for RPM-based Linux distributions such as CentOSStream, Fedora, and openSUSE. Mozilla has provided a Debian repositorysince 2023.Note that this repository only includes the nightly builds of Thefirefox-nightly package. Mozilla is not providing stablebuilds as RPMs at this time. However, the package will not conflictwith a distribution's regular firefox package; both packagescan be installed at the same time for those who wish to test thenightly builds. See the blog post for instructions on setting up therepository.

LWN has had a number of articles on immutable distributions,such as Bluefin and Bazzite, in recent years. These distributions have taken a variety of approaches, includingusingrpm-ostree, filesystem snapshots, andbootable container (bootc) images. But thoseapproaches, especially the latter, lead to extra complexity for a userattempting to install new software, instead of justusing the existing package manager.AshOS (Any Snapshot Hierarchical OS) is an experimental AGPL-3-licensed"meta-distribution" that tried a different approach more in line withtraditional package management. Although the project is no longer updated,it remains usable, and can still shed some light on a potential alternate path for usersworried about adopting bootc-based approaches.

Security updates have been issued by AlmaLinux (gpsd-minimal, jmc, kernel, kernel-rt, and net-snmp), Debian (apache-log4j2 and dcmtk), Fedora (exim, gpsd, mysql8.0, mysql8.4, python-biopython, and rust-lru), Mageia (firefox, nss and thunderbird), Oracle (container-tools:rhel8, gpsd-minimal, jmc, kernel, net-snmp, and uek-kernel), Red Hat (net-snmp), SUSE (chromium, go, harfbuzz-devel, kernel, libsoup, rust1.91, rust1.92, and thunderbird), and Ubuntu (apache2, avahi, and python-urllib3).

OzLabs is a collection of Australianfree-software developers that was, for most of its history, associated withIBM. Members of OzLabs have included Hugh Blemings, Michael Ellerman, BenHerrenschmidt, Greg Lehey, Paul Mackerras, Martin Pool, Stephen Rothwell,Rusty Russell, and Andrew Tridgell, among others. The OzLabs "about" page notes that, asof January 2026, the last remaining OzLabs members have departed IBM."This brought to a close the Ozlabs association with IBM". Thusends a quarter-century of development history.(Thanks to Jon Masters).

PostgreSQL contributor Robert Haas has publisheda blog post that breaks down code contributions to PostgreSQL in2025.

The io_uringsubsystem is more than an asynchronous I/O interface for Linux; it is,for all practical purposes, an independent system-call API. It has enabledhigh-performance applications, but it also brings challenges for code builtaround classic, Unix-style system calls. For example, the seccomp()sandboxing mechanism does not work with it, causing applications usingseccomp() to disable io_uring outright. Io_uring maintainer JensAxboe is seeking to improve that situation with a rapidly evolving patchseries adding a new restrictive mechanism to that subsystem.

Version11.0 of the Wine Windows compatibility layer is out. "Thisrelease represents a year of development effort, around6,300individual changes, and more than600 bug fixes." The most notablechanges in this release are support for the NTSync Linux kernel module(when available), and the completion of the Windows32-bit on Windows64-bit (WoW64) architecture that was announced as experimental in Wine9.0.

Greg Kroah-Hartman has released the 5.15.198, and 5.10.248 stable kernels. As usual, eachcontains important fixes throughout the tree; users are advised toupgrade.

Security updates have been issued by AlmaLinux (cups, libpq, libsoup3, podman, and postgresql16), Debian (ffmpeg, gpsd, python-urllib3, and thunderbird), Fedora (chromium, foomuuri, forgejo, freerdp, harfbuzz, libtpms, musescore, python-biopython, and python3.12), Mageia (gimp, libpng, nodejs, and python-urllib3), and SUSE (alloy, avahi, bind, chromedriver, chromium, cpp-httplib, docker, erlang, fluidsynth, freerdp, go-sendxmpp, govulncheck-vulndb, kernel, libwireshark19, NetworkManager-applet-l2tp, python, python311-virtualenv, thunderbird, and zk).

Linus has released 6.19-rc6 for testing."So we finally ended up with a slightly bigger rc than usual for thisstage in the release cycle, but it's not _that_ big, and things still seemquite stable and civilized."

Greg Kroah-Hartman has released the 6.18.6, 6.12.66, 6.6.121, and 6.1.161 stable kernels. As usual, eachhas important fixes throughout the tree; users are advised toupgrade.

While there are several rootkits that target Linux, they have so far not fullyembraced the open-source ethos typical of Linux software.Luckily, Matheus Alves has been working to remedythis lack by creatingan open-source rootkit called Singularity for Linux systems. Users who feeltheir computers are too secure can install the Singularity kernel module inorder to allow remote code execution, disable security features, and hide filesand processes from normal administrative tools. Despite its many features,Singularity is not currently known to be in use in the wild - instead, itprovides security researchers with a testbed to investigate new detection andevasion techniques.

Security updates have been issued by AlmaLinux (gnupg2), Debian (firefox-esr), Oracle (cups, gnupg2, libpq, net-snmp, postgresql, postgresql:15, postgresql:16, transfig, and vsftpd), Red Hat (firefox), SUSE (apache2, curl, firefox, gpg2, hawk2, libcryptopp-devel, openCryptoki, python310, python311-urllib3, rke2, squid, and tomcat), and Ubuntu (cpp-httplib, git, python-apt, and simgear).

The Project Zero blog has athree-part series describing a working, zero-click exploit forPixel9 devices.

Sjoerd Simons has publisheda blog post about running Debian on the OpenWrtOnerouter hardware:

Version14.0 of the Forgejo software forge has been released. Notablechanges in this release include several databaseimprovements, new options for approvingactions execution from pull requests, a newfile editor, and progress toward makingForgejo's web UI work without JavaScript.

Al Viro does not often stray outside of the core virtual filesystem area;when he does, it is usually worthy of note. Recently, he wandered intomemory management with this patchseries to the slab allocator and some of its users. Kernel developerswill often put considerable effort into small optimizations, but it isstill interesting to look at just how much effort has gone toward the purpose ofavoiding a single pointer dereference in some memory-allocation hot paths.

We have recently noticed that email from LWN.net seems to beblocked by MXroute. Unfortunately, the company also does not seem tohave a way for non-customers to report problems in mail delivery, sowe have no good way to get ourselves unblocked.As a result, readers who have subscribed to an LWN mailing listfrom a domain hosted with MXroute will probably not receive ourmailings. We have not yet unsubscribed addresses that are beingblocked by MXroute, but will soon if the problem persists. Pleaseaccept our apologies for the inconvenience; it is unfortunate that itis becoming so difficult to send legitimate email as a smallbusiness.

Security updates have been issued by Debian (chromium, gnupg2, and mongo-c-driver), Fedora (firefox, gpsd, linux-firmware, and seamonkey), Mageia (net-snmp), Oracle (kernel, podman, postgresql16, postgresql:13, postgresql:15, postgresql:16, and uek-kernel), Red Hat (libpq, net-snmp, and transfig), Slackware (libpng and mozilla), SUSE (avahi, bluez, capstone, curl, dpdk, firefox, firefox-esr, fluidsynth, glib2, kernel, kernel-devel, libmicrohttpd, libpcap, libpng16, libsoup, libsoup-3_0-0, libtasn1, libvirt, mcphost, openvswitch, ovmf, podman, poppler, python-tornado6, python311, qemu, rsync, and valkey), and Ubuntu (erlang, klibc, libpng1.6, and ruby-rack).

Inside this week's LWN.net Weekly Edition:

Paul Kehrer and Alex Gaynor, maintainers of the Python cryptography module, have put out some stronglyworded criticism of OpenSSL. Itcomes from a talk they gave at the OpenSSL conference in October 2025 (YouTube video). Thepost goes into a lot of detail about the problems with the OpenSSL codebase and testing, which has led the cryptography team toreconsider using the library. "The mistakes we see in OpenSSL'sdevelopment have become so significant that we believe substantial changesare required - either to OpenSSL, or to our reliance on it." They gofurther in the conclusion:

Lossless data compression is an important tool for reducing the storagerequirements of the world's ever-growing data sets. Yann Collet developedthe LZ4algorithm and designed the Zstandard (or Zstd)algorithm; he came to the 2025Open Source Summit Japan in Tokyo to talk about where data compressiongoes from here. It turns out that we have reached a point wheregeneral-purpose algorithms are only going to provide limited improvement;for significant increases in compression, while keeping computation costswithin reason for data-center use, turning to format-specific techniqueswill be needed.

The Debian GNOME team would like to remove the GTK2 graphicstoolkit, which has been unmaintained upstream for more than fiveyears, and ship Debian14 ("forky") without it. As one mightexpect, however, there are those who would like to find a way to keepit. Despite its age and declared obsolescence, quite a few Debianpackages still depend on GTK2. Many of those applications areunlikely to be updated, and users are not eager to give themup. Discussion about how to handle this is ongoing; it seems likelythat Debian developers will find some way to continue supportingapplications that require GTK2, but users may have to lookoutside official Debian repositories.

Version1.6.0 of the Radicle peer-to-peer, local-first code collaborationstack has been released. Notable changes in this release includesupport for systemdcredentials, use of Rust's clap crate forparsing command-line arguments, and more. LWN covered the project in March2024.

Security updates have been issued by AlmaLinux (sssd), Debian (linux-6.1 and python-parsl), Fedora (chezmoi, complyctl, composer, and firefox), Oracle (kernel), Red Hat (buildah, libpq, podman, postgresql, postgresql16, postgresql:13, postgresql:15, and postgresql:16), SUSE (avahi, curl, ffmpeg-4, ffmpeg-7, firefox, istioctl, k6, kubelogin, libmicrohttpd, libpcap-devel, libpng16, libtasn1-6-32bit, matio, ovmf, python-tornado6, python311-Authlib, and teleport), and Ubuntu (angular.js, python-urllib3, and webkit2gtk).

Quality-of-service (QoS) mechanisms attempt to prioritize some processes (ornetwork traffic, disk I/O, etc.) over others in order to meet a system'sperformance goals. This is a difficult topic to handle in the world of Linux,where workloads, hardware, and user expectations vary wildly. Qais Yousef spokeat the 2025 Linux Plumbers Conference, alongside his collaborators John Stultz,Steven Rostedt, and Vincent Guittot, about their plans for introducing ahigh-level QoS API for Linux in a way that leaves end users in control of itsconfiguration. The talk focused specifically on a QoS mechanism for thescheduler, to prioritize access to CPU resources differently for different kindsof processes.(slides;video)

Version147.0 of the Firefox web browser has been released. Notablechanges in this release include support for the XDG BaseDirectory specification, enabling localnetwork access restrictions for users with enhancedtracking protection (ETP) set to "Strict", and a fix that improvesFirefox's rendering with GNOME on fractionally scaleddisplays. Firefox147 also includes a number of securityfixes, including several sandbox-escape vulnerabilities.

Security updates have been issued by AlmaLinux (mariadb10.11, mariadb:10.11, mariadb:10.3, mariadb:10.5, and tar), Debian (net-snmp), Fedora (coturn, NetworkManager-l2tp, openssh, and tuxanci), Mageia (libtasn1), Oracle (buildah, cups, httpd, kernel, libpq, libsoup, libsoup3, mariadb:10.11, mariadb:10.3, openssl, and podman), SUSE (cpp-httplib, ImageMagick, libtasn1, python-cbor2, util-linux, valkey, and wget2), and Ubuntu (google-guest-agent, linux-iot, and python-urllib3).

In open-source circles there are many situations, such as bugreports, demos, and tutorials, when one might want to provide aplay-by-play of a session in one's terminal. The asciinema project provides a set oftools to do just that. Its tools let users record, edit, and shareterminal sessions in a text-based format that has quite a fewadvantages compared to making and sharing videos of terminal sessions. Forexample, it is easy to use, offers the ability to search text fromrecorded sessions, and allows users to copy and paste directly fromthe recording.

Security updates have been issued by Debian (chromium and sogo), Fedora (chromium, foomuuri, libpng, libsodium, mariadb10.11, musescore, nginx, python-pdfminer, python-urllib3, python3.12, seamonkey, wasmedge, and wget2), Mageia (curl, libpcap, sodium, wget2, and zlib), Slackware (lcms2), SUSE (chromedriver, chromium, noopenh264, coredns, curl, dcmtk, fontforge, gdk-pixbuf-loader-libheif, gimp, kernel, libheif, libpng16, libsoup-2_4-1, libvirt, mariadb, php8, poppler, python-filelock, python-tornado6, python311-aiohttp, qemu, sssd, and traefik), and Ubuntu (libheif, libtasn1-6, linux-azure-nvidia, linux-kvm, linux-raspi, linux-raspi-realtime, and php7.2, php7.4, php8.1, php8.3, php8.4).

The 2026 edition of the Linux Storage, Filesystem, Memory Management, andBPF Summit will be held May4-6 in Zagreb, Croatia. The call forproposals has gone out for anybody who would like to attend thisinvitation-only meeting. "We are asking that you please let us know youwant to be invited by February 20, 2026".

The6.18.5,6.12.65,6.6.120, and6.1.160stable updates have been released. They all contain a small patchset fixing a scheduling regression associated with idle balancing; the6.6.120 and 6.1.60 updates also contain a large set of other importantfixes.

On her blog, Julia Evans writes aboutimproving Git documentation, including a new datamodel man page she wrote with MarieLeBlanc Flanagan, and updates to the pages for several other Git sub-commands(add, checkout, push, and pull). Aspart of the process, she asked Git users to describe problems they had run intoin the documentation, which helped guide the changes that she made.

The READ_ONCE() and WRITE_ONCE() macros are heavily usedwithin the kernel; there are nearly 8,000 call sites forREAD_ONCE(). They are key to the implementation of many lockless algorithms and can be necessary for sometypes of device-memory access. So one might think that, as theamount of Rust code in the kernel increases, there would be a place forRust versions of these macros as well. The truth of the matter, though, isthat the Rust community seems to want to take a different approach toconcurrent data access.

Security updates have been issued by Debian (pdfminer and vlc), Red Hat (kernel, kernel-rt, and microcode_ctl), Slackware (libtasn1), SUSE (apptainer, curl, ImageMagick, libpcap, libvirt, libwget4, php8, podman, python311-cbor2, qemu, and rsync), and Ubuntu (gnupg, gnupg2, gpsd, libsodium, and python-tornado).

The Fedora Project has announcedthe results of the Fedora43 election cycle. Five seats were openon the Fedora EngineeringSteering Committee (FESCo), and the winnersare Kevin Fenzi, Zbigniew Jdrzejewski-Szmek, Timothee Ravier, DaveCantrell, and Mairin Duffy.

Gentoo Linux has published a 2025project retrospective that looks at how the community has evolved,changes to the distribution, infrastructure, and finances for theGentoo Foundation.

TheSoftware Freedom Conservancy (SFC) issuingVIZIO over smart TVs thatinclude software licensed under the GPL and LGPL (including the Linux kernel,FFmpeg, systemd, and others).VIZIO didn't provide the source code along with the device, and on request theyonly provided some of it. Unlike a typical lawsuit about enforcing the GPL, theSFC isn't suing as a copyright holder; it's suing asa normal owner of the TVin question. This approach opens some important legal questions, and after yearsof pre-trial maneuvering (most recently resulting ina ruling related to signing keys thatis the subject of a separate article),we might finally obtain some answers when the case goesto trial on January12. As things stand, it seems likely that the judge inthe case will rule that that the GPL-enforcement lawsuits can be a matter ofcontract law, not just copyright law, which would be a major change to how GPLenforcement works.

On December 24 2025, Linus Torvalds posted a stronglyworded message celebrating a ruling inthe ongoing GPL-compliance lawsuit filedagainst VIZIO by the Software Freedom Conservancy (SFC). This case andTorvalds's response have put a spotlight on an old debate over the extentto which the source-code requirements of the GNUGeneral Public License (version2) extend to keys and other dataneeded to successfully install modified software on a device. It is worthlooking at whether this requirement exists, the subtleties ininterpretation that cloud the issue, and the extent to which, if any, theSFC is demanding that information.

Greg Kroah-Hartman has released the 6.18.4 and 6.12.64 stable kernels. As always, eachcontains important fixes throughout the tree. Users are advised toupgrade.

Security updates have been issued by AlmaLinux (gcc-toolset-14-binutils, gcc-toolset-15-binutils, httpd, kernel, libpng, mariadb, mingw-libpng, poppler, python3.12, and ruby:3.3), Debian (foomuuri and libsodium), Fedora (python-pdfminer and wget2), Oracle (audiofile, bind, gcc-toolset-15-binutils, libpng, mariadb, mariadb10.11, mariadb:10.11, mariadb:10.5, mingw-libpng, poppler, and python3.12), Red Hat (git-lfs, kernel, libpng, libpq, mariadb:10.3, osbuild-composer, postgresql, postgresql:13, and postgresql:15), Slackware (curl), SUSE (c-ares-devel, capstone, curl, gpsd, ImageMagick, libpcap, log4j, python311-filelock, and python314), and Ubuntu (libcaca, libxslt, and net-snmp).

Inside this week's LWN.net Weekly Edition:

The European Commission has openeda "callfor evidence" to help shape its European Open Digital EcosystemStrategy. The commission is looking to reduce its dependence onsoftware from non-EU countries: