LWN.net

Inside this week's LWN.net Weekly Edition:

The robustfutex kernel API is a way for a user-space program to ensure that thelocks it holds are properly cleaned up when it exits. But the API suffersfrom a number of different problems, as Andre Almeida described in a session in the"Gaming onLinux" microconference at the 2025 Linux Plumbers Conference in Tokyo.He had some ideas for a new API that would solve many of those problems,which he wanted to discuss with attendees; there is adifficult-to-trigger race condition that he wanted to talk about too.

Creating an ebook in EPUB format is easy,for certain values of "easy". All one really needs is a text editor, a few command-line utilities; also needed is a workingknowledge of XHTML, CSS, along with an understanding of the format'sstructure and required boilerplate. Creatinga well-formatted and attractive ebook is a bit harder. However, it can bemade easier with an application custom-made for the purpose. Sigil is an EPUB editor thatprovides the tooling authors and publishers may be looking for.

Version 26.2 of the LibreOfficeoffice suite has been released.

Security updates have been issued by Debian (thunderbird), Fedora (openqa, os-autoinst, python-jupytext, python-python-multipart, rust-sequoia-keystore-server, rust-sequoia-octopus-librnp, rust-sequoia-sq, rust-sequoia-sqv, and xen), Oracle (curl, kernel, net-snmp, python3, and python3.12), Red Hat (container-tools:rhel8, fence-agents, golang, golang-github-openprinting-ipp-usb, grafana, grafana-pcp, opentelemetry-collector, podman, python-s3transfer, python-wheel, and resource-agents), SUSE (alloy, chromium, cockpit-podman, cockpit-subscriptions, dpdk, elemental-register, elemental-toolkit, glib2, glibc, gpg2, ImageMagick, imagemagick, jasper, java-17-openjdk, java-21-openjdk, kernel, libheif, libmlt++, libpng16, libsodium, libsoup, libvirt, openssl-3, openvpn, php8, postgresql16, postgresql17 and postgresql18, protobuf, python-FontTools, python-fonttools, python-h2, python-python-multipart, python-urllib3, python-wheel, python311-PyNaCl, trivy, ucode-amd, udisks2, unbound, util-linux, wireshark, and xkbcomp), and Ubuntu (emacs, freerdp2, glibc, imagemagick, mysql-8.0, pagure, python-django, python-filelock, python-internetarchive, and python-keystonemiddleware).

Theteam behindTyr started 2025 with little to show in our quest toproduce a Rust GPU driver for Arm Mali hardware, and by the end of theyear, we were able to play SuperTuxKart (a 3D open-source racinggame) at the Linux Plumbers Conference (LPC). Our prototype was a jointeffort between Arm, Collabora, and Google; it ran well for the durationof the event, and the performance was more than adequate for players.Thankfully, we picked up steam at precisely the right moment: DaveAirlie justannounced in the Maintainers Summit that the DRM subsystemis only "about a year away" from disallowing new drivers written in Cand requiring the use of Rust. Now it is time to lay out apossible roadmap for 2026 in order to upstream all of this work.

Security updates have been issued by AlmaLinux (fence-agents, gcc-toolset-15-binutils, golang-github-openprinting-ipp-usb, iperf3, kernel, kernel-rt, openssl, osbuild-composer, php:8.2, python3, util-linux, and wireshark), Debian (clamav and xrdp), Fedora (gimp and openttd), Mageia (docker-containerd), Oracle (gimp:2.8, golang-github-openprinting-ipp-usb, grafana-pcp, image-builder, iperf3, kernel, openssl, osbuild-composer, php, php:8.2, php:8.3, python3.9, util-linux, and wireshark), SUSE (cockpit-subscriptions, elemental-register, elemental-toolkit, glibc, gpg2, logback, openssl-1_1, python-urllib3, ucode-amd, and unbound), and Ubuntu (inetutils, libpng1.6, mysql-8.0, mysql-8.4, openjdk-17, openjdk-17-crac, openjdk-21, openjdk-21-crac, openjdk-25, openjdk-25-crac, openjdk-8, openjdk-lts, and thunderbird).

Version 2.53.0 of the Gitsource-code management system has been released. Changes includedocumentation for the Git data model, the ability to choose the diffalgorithm to use with git blame, a new white-space error class,and more; see the announcement for details.

The kernel's swap subsystem is a complex and often unloved beast. It isalso a critical component in the memory-management subsystem and has asignificant impact on the performance of the system as a whole. At the2025 Linux Storage, Filesystem, Memory-Management and BPF Summit, KairuiSong outlined a plan to simplify andoptimize the kernel's swap code. A first installmentof that work, written with help from Chris Li, was merged for the 6.18release. This article will catch up with the 6.18 work, setting the stagefor a future look at the changes that are yet to be merged.

Security updates have been issued by AlmaLinux (iperf3, kernel, and php), Debian (ceph, pillow, pyasn1, python-django, and python-tornado), Fedora (bind9-next, cef, chromium, fontforge, java-21-openjdk, java-25-openjdk, java-latest-openjdk, mingw-python-urllib3, mingw-python-wheel, nodejs20, nodejs22, nodejs24, opencc, openssl, python-wheel, and qownnotes), Red Hat (binutils, gcc-toolset-13-binutils, gcc-toolset-14-binutils, gcc-toolset-15-binutils, java-1.8.0-openjdk, and java-25-openjdk), Slackware (expat), SUSE (bind, cacti, cacti-spine, chromedriver, chromium, dirmngr, fontforge-20251009, glib2, golang-github-prometheus-prometheus, govulncheck-vulndb, icinga2, ImageMagick, kernel, logback, openCryptoki, openssl-1_1, python311-djangorestframework, python311-pypdf, python314, python315, qemu, and xen), and Ubuntu (linux, linux-aws, linux-aws-5.4, linux-gcp, linux-gcp-5.4, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-iot, linux-kvm and linux-aws-fips, linux-fips, linux-gcp-fips).

The 6.19-rc8 kernel prepatch is out fortesting. "So things all look good, and unless something odd happenswe'll have a final 6.19 next weekend."

A few years ago, the only way to compile Rust code was using the rustc compilerwith LLVM as a backend. Since then, several projects, includingMutabah's Rust Compiler (mrustc), GCC's Rustsupport (gccrs),rust_codegen_gcc, andCranelift have made enormous progresson diversifying Rust's compiler implementations. The most recent such project,Eurydice, has amore ambitious goal: converting Rust code to clean C code. This is especiallyuseful in high-assurance software, where existing verification and compliancetools expect C. Until such tools can be updated to work with Rust, Eurydice couldprovide a smoother transition for these projects, as well as a stepping-stonefor environments that have a C compiler but no working Rust compiler. Eurydicehas been used to compile some post-quantum-cryptography routines from Rust to C,for example.

Daniel Stenberg, the recipient of last year's Award for Excellence in OpenSource from the European Open Source Academy, presentedthat award to this year's recipient: Greg Kroah-Hartman.

The6.18.8,6.12.68, and6.6.122 stable kernel updates have beenreleased; each contains another set of important fixes.

Security updates have been issued by AlmaLinux (curl, gimp:2.8, glibc, grafana, grafana-pcp, kernel, osbuild-composer, php:8.3, python-urllib3, python3.11, and python3.12), Debian (chromium), Mageia (ceph, gpsd, libxml2, openjdk, openssl, and xen), SUSE (abseil-cpp, assertj-core, coredns, freerdp, java-11-openjdk, java-25-openjdk, libxml2, openssl-1_0_0, openssl-1_1, python, python-filelock, and python311-sse-starlette), and Ubuntu (kernel, linux, linux-aws, linux-aws-hwe, linux-hwe, linux-kvm, linux-oracle, linux, linux-aws, linux-kvm, linux-lts-xenial, linux-aws-fips, linux-fips, linux-fips, and texlive-bin).

Jeff Mahoney, whoholds a vice-president position at SUSE, has posted a detailedproposal for improving the governance of the openSUSE project.

The extensible scheduler class (sched_ext)allows the installation of a custom CPU scheduler built as a set of BPFprograms. Its merging for the 6.12 kernel release moved the kernel awayfrom the "one scheduler fits all" approach that had been taken until then;now any system can have its own scheduler optimized for its workloads.Within any given machine, though, it's still "one scheduler fits all"; onlyone scheduler can be loaded for the system as a whole. The sched_extsub-scheduler patch series from Tejun Heo aims to change that situationby allowing multiple CPU schedulers to run on a single system.

Security updates have been issued by AlmaLinux (java-25-openjdk, openssl, and python3.9), Debian (gimp, libmatio, pyasn1, and python-django), Fedora (perl-HarfBuzz-Shaper, python-tinycss2, and weasyprint), Mageia (glib2.0), Oracle (curl, fence-agents, gcc-toolset-15-binutils, glibc, grafana, java-1.8.0-openjdk, kernel, mariadb, osbuild-composer, perl, php:8.2, python-urllib3, python3.11, python3.11-urllib3, python3.12, and python3.12-urllib3), SUSE (alloy, avahi, bind, buildah, busybox, container-suseconnect, coredns, gdk-pixbuf, gimp, go1.24, go1.24-openssl, go1.25, helm, kernel, kubernetes, libheif, libpcap, libpng16, openjpeg2, openssl-1_0_0, openssl-1_1, openssl-3, php8, python-jaraco.context, python-marshmallow, python-pyasn1, python-urllib3, python-virtualenv, python311, python313, rabbitmq-server, xen, zli, and zot-registry), and Ubuntu (containerd, containerd-app and wlc).

Inside this week's LWN.net Weekly Edition:

We have received the sad news that Didier Spaier, maintainer of theblind-friendly Slackware-based Slint distribution, has recently passedaway. Philippe Delavalade, who posted the announcement to theSlint mailing list, said:

The Open Source Initiative (OSI) has announcedthat it will not be holding the 2026 spring board election. Instead,it will be creating a working group to "review and improve OSI'sboard member selection process" and provide recommendations bySeptember2026:

Phones running Linux are ubiquitous these days and it has been that waysince Android started working toward dominance in the smartphone market.Unfortunately, Android has slowly increased its freedom-unfriendliness andhas become something of a privacy nightmare. In a talk entitled "We needan open-source phone OS" at OpenSource Summit Japan 2025, Luca Weiss described the smartphone landscapeand gave an overview of postmarketOS as an alternative Linuxoperating system for mobile handsets.

PC Gamer has run anamusing review of the scx_horoscopescheduler for Linux, which uses astrology to optimize schedulingdecisions.

Creating fair governance models for open-source projects is noteasy; defining criteria for participants to receive membership andvoting rights is a particularly thorny problem for projects that haveelections for representative bodies. The FedoraCouncil, the project's top-level governance body, is wrestlingwith that conundrum now. This was triggered by a Fedora special-interestgroup (SIG) granting temporary membership to at least one person for thesole purpose of allowing them to vote in the most recent FedoraEngineering Steering Council (FESCo) election. That opened a large canof worms about what it means to be a contributor and how contributorscan be identified for voting purposes.

Security updates have been issued by AlmaLinux (java-1.8.0-openjdk), Debian (openssl), Fedora (assimp, chromium, curl, freerdp, gimp, and harfbuzz), Mageia (glibc, haproxy, iperf, and python-pyasn1), Red Hat (image-builder, openssl, and osbuild-composer), Slackware (mozilla), SUSE (avahi, cups, gio-branding-upstream, google-osconfig-agent, java-11-openjdk, java-17-openjdk, java-21-openjdk, kernel-firmware, libmatio-devel, libopenjp2-7, nodejs22, php8, python-python-multipart, python311-urllib3_1, qemu, and xen), and Ubuntu (ffmpeg, jaraco.context, openssl, and openssl, openssl1.0).

There is a new GnuPG update for a "critical security bug" in recentGnuPG releases.

GNU C Library maintainer Carlos O'Donell has announcedthat the project will be moving its core services away from Sourceware in favor of services hostedat the Linux Foundation.

The kernel's "kfunc" mechanism is a way of exporting kernel functions sothat they can be called directly from BPF programs. There are over 300kfuncs in current kernels, ranging in functionality from string processing(bpf_strnlen())to custom schedulers (scx_bpf_kick_cpu())and beyond. Sometimes these kfuncs need access to context information thatis not directly available to BPF programs, and which thus cannot be passedin as arguments. The implicitarguments patch set from Ihor Solodrai is the latest attempt to solvethis problem.

The Xfce team has announced thatit will be providing funding to Brian Tarricone to work on xfwl4,a Wayland compositor for Xfce:

Security updates have been issued by AlmaLinux (kernel, kernel-rt, python-urllib3, python3.11-urllib3, and python3.12-urllib3), Debian (imagemagick, openjdk-11, openjdk-17, and openjdk-21), Fedora (bind, bind-dyndb-ldap, chromium, ghostscript, glibc, mingw-glib2, mingw-harfbuzz, mingw-libsoup, mingw-openexr, and qownnotes), Mageia (kernel-linus), Red Hat (osbuild-composer), SUSE (go1.24-openssl, go1.25-openssl, govulncheck-vulndb, kernel, nodejs22, openCryptoki, openvswitch3, python-pyasn1, python311, and qemu), and Ubuntu (git-lfs, node-form-data, and screen).

The GNU Privacy Guard (GPG)project decided to break from the OpenPGP standard for emailencryption in 2023, and instead adopted its own homegrown LibrePGP specification. The GPG 2.4branch, the last one to adhere to OpenPGP, will be reaching the end oflife in mid-2026. The Fedora project is currently having a discussionabout how that affects the distribution, its users, and what to offeronce 2.4 is no longer receiving updates.

Curl creator Daniel Stenberg has written a blogpost explaining why the project is ending its bug-bountyprogram, which started in April 2019:

Security updates have been issued by AlmaLinux (gimp, glib2, go-toolset:rhel8, golang, java-17-openjdk, java-21-openjdk, kernel, net-snmp, pcs, and thunderbird), Debian (apache2, imagemagick, incus, inetutils, libuev, openjdk-17, php7.4, python3.9, shapelib, taglib, and zvbi), Fedora (mingw-glib2, mingw-harfbuzz, mingw-libsoup, mingw-openexr, pgadmin4, python3.11, python3.12, python3.9, and wireshark), Gentoo (Asterisk, Commons-BeanUtils, GIMP, inetutils, and Vim, gVim), Mageia (kernel), Oracle (glib2, java-17-openjdk, java-21-openjdk, and libpng), Red Hat (java-17-openjdk, java-21-openjdk, kernel, and kernel-rt), SUSE (azure-cli-core, bind, buildah, chromium, coredns, glib2, harfbuzz, kernel, kernel-firmware, libheif, libvirt, openCryptoki, openvswitch, podman, python, python-urllib3, rabbitmq-server, and vlang), and Ubuntu (cjson).

The 6.19-rc7 kernel prepatch is out fortesting.

Version 2.43 of theGNU C Library has been released. Changes include support for the mseal() and openat2()system calls, experimental support for building with the Clang compiler,Unicode 17.0.0 support, a number of security fixes, and much more.

Filesystems seem to be one of those many areas where the problems are wellunderstood, but there is always somebody working toward a better solution.As a result, filesystem development in the Linux kernel continues at a fastpace even after all these years. In recent news, the EROFS filesystem ison the path to gain a useful page-cache-sharing feature, there is a newNTFS implementation on the horizon, and XFS may be about to get aninfrastructure for self healing.

Version1.5.0 of the GNU Guix package manager and the Guix System havebeen released. Notable improvements include the ability to run theGuix daemon without root privileges, support for 64-bit RISC-V, andexperimental support for the GNU Hurd kernel.

Greg Kroah-Hartman has released the 6.18.7 and 6.12.67 stable kernels. As always, eachcontains important fixes throughout the tree. Users are advised toupgrade.

Security updates have been issued by AlmaLinux (kernel), Debian (bind9, chromium, osslsigncode, and python-urllib3), Fedora (freerdp, ghostscript, hcloud, rclone, rust-rkyv0.7, rust-rkyv_derive0.7, and vsftpd), Mageia (avahi and harfbuzz), SUSE (alloy, avahi, busybox, cargo-c, corepack22, corepack24, curl, docker, dpdk, exiv2-0_26, ffmpeg-4, firefox, glib2, go1.24, go1.25, gpg2, haproxy, kernel, kernel-firmware, keylime, libpng16, librsvg, libsodium, libsoup, libsoup2, libtasn1, log4j, net-snmp, open-vm-tools, openldap2_5, ovmf, pgadmin4, php7, podman, python-filelock, python-marshmallow, python-pyasn1, python-tornado, python-urllib3, python-virtualenv, python3, python311-pyasn1, python311-weasyprint, rust1.91, rust1.92, util-linux, webkit2gtk3, and wireshark), and Ubuntu (libxml2 and pyasn1).

TheLinux Kernel Runtime Guard (LKRG) is a out-of-tree loadable kernel module thatattempts to detect and report violations of the kernel's internal invariants,such as might be caused by an in-progress security exploit or a rootkit.LKRG has been experimental since itsinitial release in 2018. In September2025, the projectannouncedthe 1.0 version. With the promises of stability that version brings, users might want moreinformation to decide whether to include it in their kernel.

ReactOS, an open-source projectto develop an operating system that is compatible with MicrosoftWindows NT applications and drivers, is celebrating 30years since the first commit to its source tree. In that timethere have been more than 88,000 commits from 301 contributors, for atotal of 14,929,578 lines of code. There is, of course, much left todo.

Version1.93.0 of the Rust programming language has been released. Notablechanges include in updated version of the bundled musl library,thread-local storage for the global allocator, some asm!improvements, and a number of newly stabilized APIs.

Security updates have been issued by AlmaLinux (gpsd), Debian (inetutils and modsecurity-crs), Fedora (cpp-httplib, curl, mariadb11.8, mingw-libtasn1, mingw-libxslt, mingw-python3, rclone, and rpki-client), Oracle (gimp, glib2, go-toolset:rhel8, golang, kernel, mariadb-devel:10.3, and thunderbird), Red Hat (buildah, go-toolset:rhel8, golang, grafana, kernel, kernel-rt, multiple packages, openssl, osbuild-composer, podman, and skopeo), Slackware (bind), SUSE (ffmpeg-4, libsodium, libvirt, net-snmp, open-vm-tools, ovmf, postgresql17, postgresql18, python-FontTools, python-weasyprint, and webkit2gtk3), and Ubuntu (glib2.0 and opencc).

Inside this week's LWN.net Weekly Edition:

As part of the process of writing man pages for the "new" mount API, which has been available in thekernel since 2019, Aleksa Sarai encountered a number of places where the fsconfig()system call-for configuring filesystems before mounting-needs to be cleaned up. In the 2025 Linux Plumbers Conference(LPC) session that he led, Sarai wanted to discuss some of the problems he found,including at least one with security implications. The idea of the sessionwas for him to describe the various bugs and ambiguities that he had found,but he also wanted attendees to raise other problems they had with thesystem call.

Version3.0.0 of the pandas dataanalysis and manipulation library for Python has beenreleased. Notable changes include a dedicatedstring type (str), new "copy-on-write" behavior, and much more. This release also removesa number of features that were deprecated in prior versions of pandas;developers are advised to upgrade to pandas2.3 and ensure code isworking without warnings before moving to3.0. See the releasenotes for the full changelog.

At the 39thChaos Communication Congress (39C3) in December, researchers LexiGroves ("49016") and Liam Wachter said that they had discovered anumber of flaws in popular implementations of OpenPGP email-encryption standard. They also released anaccompanying web site, gpg.fail, withdescriptions of the discoveries. Most of thosepresented were found in GNU PrivacyGuard (GPG), though the pair also discussed problems in age,Minisign, Sequoia, and the OpenPGPstandard (RFC 9580) itself. The discoveries have spurred some interestingdiscussions and as well as responses from GPG and Sequoiadevelopers.

Security updates have been issued by AlmaLinux (brotli and container-tools:rhel8), Debian (python-keystonemiddleware and python3.9), Fedora (cef, freerdp, golang-github-tetratelabs-wazero, and libpcap), Oracle (brotli, gpsd, kernel, and transfig), Red Hat (freerdp, golang, java-11-openjdk with Extended Lifecycle Support, libpng, libssh, mingw-libpng, and runc), SUSE (abseil-cpp, alloy, apache2, bind, cpp-httplib, curl, erlang, firefox, gpg2, grafana, haproxy, hauler, hawk2, libblkid-devel, libpng16, libraylib550, python-keystonemiddleware-doc, python-uv, python-weasyprint, squid, and tomcat), and Ubuntu (crawl and iperf3).

Konstantin Ryabitsev has put up ablog post about korgalore, a tool he has written to circumvent deliveryproblems experienced by kernel developers using the large, centralizedemail systems.

One would assume that most LWN readers stopped running network-accessibletelnet services some number of decades ago. For the rest of you, this security advisory fromSimon Josefsson is worthy of note: