LWN.net

Safe, ergonomic interoperability between Rust and C/C++ was a popular topic atRustConf2025 in Seattle, Washington. Chandler Carruth gave a presentationabout the different approaches to interoperability in Rust andCarbon, theexperimental "(C++)++" language.His ultimate conclusion was thatwhile Rust's ability to interface with other languages is expanding over time,it wouldn't offer a complete solution to C++ interoperability anytime soon - and so there is room forCarbon to take a different approach to incrementally upgrading existing C++ projects.Hisslides are available for readers wishing to study his example code in moredetail.

Version143.0 of the Firefox browser has been released. Changes include theability to pin tabs by dragging them to the edge, previews in the camerapermissions dialog, improved fingerprinting protection, and (optional)automatic deletion of files downloaded in private browsing mode.

The Socket.dev blog describesthis week's attack on JavaScript packages in the npm repository.

Security updates have been issued by AlmaLinux (kernel and kernel-rt), Debian (node-sha.js and python-django), Fedora (chromium, cups, exiv2, perl-Catalyst-Authentication-Credential-HTTP, perl-Catalyst-Plugin-Session, perl-Plack-Middleware-Session, and qemu), Red Hat (container-tools:rhel8, podman, and udisks2), SUSE (cargo-audit, cargo-c, cargo-packaging, and kernel-devel), and Ubuntu (libcpanel-json-xs-perl, libjson-xs-perl, rubygems, sqlite3, and vim).

Registration for the 2025 Linux Plumbers Conference (Tokyo,December11 to13) isnow open. LPC tickets often sell out quickly, so it would be best notto delay if you intend to attend.

Brooke Deuson is the developer behindTrafficking Free Tomorrow, a nonprofit organization thatproduces free software to help law enforcement combat human trafficking. She isa survivor of human trafficking herself.She spoke at RustConf 2025 about hermission, and why she chose to write her anti-trafficking software in Rust.Interestingly, it has nothing to do with Rust's lifetime-analysis-based memory-safety -instead, her choice was motivated by the difficulty she faces getting policedepartments to actually use her software. The fact that Rust is staticallylinked and capable of cross compilation by default makes deploying Rust softwarein those environments easier.

Version8.0.0 of Varnish Cachehas been released. In addition to a numberof changes to varnishd parameters, the ability to access someruntime parameters using the Varnish Configuration Language, and otherimprovements, 8.0.0 comes with big news; the project is forming anorganization called a foreningthat will set out formal governance for the project.The move also comes with a name change due to legal difficulties insecuring the Varnish Cache name:

The kernel runs in a special environment that makes it difficult to usemany of the development tools that are available to user-space developers.Kernel developers often respond by simply doing without, but the truth isthat they need good tools as much as anybody else. Three new tools for thetracking down of bugs have recently landed on the linux-kernel mailinglist; here is an overview.

Security updates have been issued by AlmaLinux (cups, kernel, and mysql-selinux and mysql8.4), Debian (cjson, jetty9, and shibboleth-sp), Fedora (bustle, cef, checkpointctl, chromium, civetweb, cups, forgejo, jupyterlab, kernel, libsixel, linenoise, maturin, niri, perl-Cpanel-JSON-XS, python-uv-build, ruff, rust-busd, rust-crypto-auditing-agent, rust-crypto-auditing-client, rust-crypto-auditing-event-broker, rust-matchers, rust-monitord, rust-monitord-exporter, rust-secret-service, rust-tracing-subscriber, rustup, tcpreplay, tuigreet, udisks2, uv, and xwayland-satellite), Oracle (cups, gdk-pixbuf2, kernel, mysql-selinux and mysql8.4, and php:8.2), Red Hat (kernel, kernel-rt, and multiple packages), Slackware (cups, kernel, and patch), and SUSE (busybox, busybox-links, chromedriver, chromium, cups-filters, curl, go1.25, jasper, java-11-openj9, java-17-openj9, java-1_8_0-openjdk, kernel, kernel-devel, kubo, libssh-config, orthanc-gdcm, python-aiohttp, python-eventlet, python-h2, and xen).

The 6.17-rc6 kernel prepatch is out fortesting. "But really, none of it is very large. So everything seems slated for anormal release in two weeks.Please do keep testing, so that we don't get complacent."

Creating welcoming communities within open-source projects is a recurringtopic at conferences; those projects rely on contributions from others, somaking them welcome is important. The kernel has, rather infamouslyover the years, been an oft-cited example of an unwelcoming project, thoughthere have been (and are) multiple efforts to change that with varyingdegrees of success. Hans de Goede talked about such efforts within hiscorner of the kernel project in a talk (YouTube video) atOpenSource Summit Europe.

Security updates have been issued by Debian (cups, imagemagick, libcpanel-json-xs-perl, and libjson-xs-perl), Fedora (checkpointctl, chromium, civetweb, glycin, kernel, libssh, ruff, rust-secret-service, snapshot, and uv), Mageia (curl), Red Hat (kernel), SUSE (cups, curl, perl-Cpanel-JSON-XS, regionServiceClientConfigAzure, regionServiceClientConfigEC2, regionServiceClientConfigGCE, trivy, and xen), and Ubuntu (cups, node-cipher-base, and qemu).

The VMScapevulnerability is a Spectre variant that "allows a malicious KVM guest toleak sensitive information such as encryption/decryption keys from auserspace hypervisor such as QEMU". Greg Kroah-Hartman has announcedthe 6.16.7, 6.12.47, 6.6.106, 6.1.152, 5.15.193, and 5.10.244 stable kernels, which add amitigation for the hardware bug.

The Git source-code management system stores a lot of information aboutchanges to code - but it does not hold everything that might be of interestto a developer who needs to investigate a specific change in the future.Commits in a repository are the end result of a (sometimes extended)discussion; often, that discussion will result in changes to the code thatare not explained in the changelog. For some years now, many maintainershave followed the convention of applying a Link tag to commits that pointsback to the mailing-list posting of the change. Linus Torvalds has beenexpressing his dislike for this convention for a while, though, and itstime appears to be coming to an end.

Security updates have been issued by AlmaLinux (python3.12-cryptography), Debian (chromium, hsqldb1.8.0, and imagemagick), Fedora (bustle, cef, maturin, rust-busd, rust-crypto-auditing-agent, rust-crypto-auditing-client, rust-crypto-auditing-event-broker, rust-monitord, rust-monitord-exporter, rustup, tuigreet, and wireshark), Oracle (kernel, microcode_ctl, and python3.12-cryptography), Red Hat (httpd:2.4 and multiple packages), SUSE (coreutils, curl, dpkg, ffmpeg-4, glib2, gnutls, go1.23-openssl, go1.24-openssl, go1.25-openssl, grub2, ImageMagick, jbigkit, kernel, libxslt, Mesa, opensc, opera, perl-JSON-XS, polkit, postgresql16, protobuf, python311, python311-deepdiff, sqlite3, ucode-intel, and warewulf4), and Ubuntu (bind9 and libxml2).

The F-Droid project has someadvice for free-software projects on how to deal with takedownrequests.

Inside this week's LWN.net Weekly Edition:

There are a large number of ways to configure the 6.16Linux kernel. It has 32,468 different configuration options on x86_64,and a comparable number for other platforms. Exploring the ways the kernel canbe configured is sufficiently difficult that it requires specialized tools.These show thenumber of possible configurations that options can be combined in has6,550 digits. How has that number changed over the history of the kernel, andwhat does it mean for testing?

The openSUSE project has announcedthat the bcachefs filesystem will be disabled in its kernel builds startingwith 6.17; bcachefs users will have to make other arrangements. "Thecurrent 6.16.* is NOT affected. Neither is Slowroll (for now)."

At Akademy 2025, theKDE Project released analpha version of KDE Linux, adistribution built by the project to "include the bestimplementation of everything KDE has to offer, using the most advancedtechnologies". It is aimed at providing an operating systemsuitable for home use, business use, OEM installations, and more"eventually". For now there are many rough edges and missingfeatures that users should be aware of before taking the plunge; butit is an interesting look at the kind of complete Linux system thatKDE developers would like to see.

At OpenSource Summit Europe, LWN's Jonathan Corbet presented "Three Decades inKernelland"; the talk provides a look at how the kernel got towhere it is, what makes it successful, and what may be comingnext. The video of thetalk is now online for LWN readers who would like to check itout.

Security updates have been issued by Fedora (buildah, containers-common, glycin, loupe, podman, rust-matchers, and rust-tracing-subscriber), Red Hat (fence-agents, jackson-annotations, jackson-core, jackson-databind, jackson-jaxrs-providers, and jackson-modules-base, pki-deps:10.6, python-requests, python3.12-cryptography, redis:6, redis:7, and resource-agents), Slackware (libssh), SUSE (aide, cloud-init, iperf, java-1_8_0-openjdk, jq, kernel-devel, python-deepdiff, regionServiceClientConfigAzure, regionServiceClientConfigEC2, and regionServiceClientConfigGCE), and Ubuntu (gnutls28).

As a followup to his OSS Europe talk on thefuture of 32-bit support in the kernel, Arnd Bergmann has put togetheradetailed plan for the eventual removal of high-memory support, which hecalls "one of the least popular features of the Linux kernel". Theintent is "to gradually phase out highmem over the next 2 years formainline kernels". This plan is posted as a prompt for a discussion tobe held at the Kernel Summit in December, so chances are it will evolveconsiderably in the next few months.

The 6.16.6,6.12.46,6.6.105,6.1.151,5.15.192,5.10.243,and 5.4.299stable kernel updates have been released; each contains another set ofimportant fixes.

Fedora's Community Blog has a shortupdate on the progress of Fedora's new installer with a web-basedinterface. The new installer was introduced for the Workstationedition in FedoraLinux42, it is now approved to beincluded in all Fedora spins and the KDE edition forFedora43. Final deprecation of the GTK-based installer is setfor Fedora45. LWN covered the installerchanges in April.

A new project, targeting Linux for the proverbial final frontier-outerspace-was the subject of a talk (YouTube video) atthe Embedded Linux Conference, which was held as part of OpenSource Summit Europe in Amsterdam in late August. Ramon Rocheintroduced Space GradeLinux (SGL), which is currently incubating as a special interest group(SIG) of the Embedding Linux in SafetyApplications (ELISA) project. The idea is to create a distributionwith a base layer that can be used for off-planet missions of varioussorts, along with other layers that can be used to customize it fordifferent space-based use cases.

Security updates have been issued by AlmaLinux (kernel and kernel-rt), Debian (openafs and qemu), Fedora (buildah, containers-common, podman, python-flask, and snapshot), Mageia (postgresql, python-django, and udisks2), Oracle (kernel and libxml2), Red Hat (apache-commons-beanutils, firefox, httpd, httpd:2.4, kernel, kernel-rt, mod_http2, qt5-qt3d, and thunderbird), Slackware (libxml2), SUSE (firebird, go1.25-openssl, ImageMagick, microcode_ctl, netty, netty-tcnative, and ovmf), and Ubuntu (libetpan and postgresql-14, postgresql-16, postgresql-17).

The Aikido blog describesan apparently ongoing series of phishing attacks against npm packagemaintainers, resulting in the uploading of compromised versions of heavilyused packages:

Framework Computer is a US-basedcomputer manufacturer with a line of Linux-supported, modular, easilyrepairable and upgradeable laptops. In February, the company announceda new model, the FrameworkLaptop12,an "entry-level" 12.2-inch convertible notebook that can beused as a laptop or tablet. The systems were made available for pre-orderin April, I received mine in mid-August. Since then, I have beenputting it through its paces with Debian13 ("trixie") andFedoraLinux42. It's a good choice for users who want aLinux-friendly, lightweight, 2-in-1device-if they are willing to make a few concessions on storagecapacity, RAM, and CPU/GPU choices.

Security updates have been issued by Debian (chromium, libhtp, modsecurity-apache, shibboleth-sp, and wireless-regdb), Fedora (chromium, kea, tcpreplay, and yq), Mageia (rootcerts, nspr, nss & firefox and thunderbird), Red Hat (python3), and SUSE (7zip, chromedriver, go1.25, libQt5Pdf5, libsixel-bash-completion, libsoup2, libwireshark18, netty, rav1e, and trivy).

Linus has released 6.17-rc5 for testing."Things remain normal - both the diffstat and the commit counts lookentirely sane". The announcement also contains a plea for maintainersto not overuse Link: tags when applying patches.

Like almost all human endeavors, open-source software development involvesa range of power dynamics. Companies, developers, and users are allconcerned with the power to influence the direction of the software - and,often, to profit from it. At the 2025 OpenSource Summit Europe, Dawn Foster talked about how those dynamics canplay out, with an eye toward a couple of tactics - rug pulls and forks - thatare available to try to shift power in one direction or another.

Security updates have been issued by Fedora (udisks2), Oracle (httpd:2.4 and kernel), Red Hat (python-requests), and SUSE (chromium, gn, dcmtk, firefox, himmelblau, nginx, perl-Authen-SASL, perl-Crypt-URandom, postgresql15, python-Django, and python-maturin).

Mozilla has announcedthat support for the Firefox browser on 32-bit systems ends withversion144. "For users who cannot transition immediately, FirefoxESR 140 will remain available - including 32-bit builds - and will continueto receive security updates until at least September 2026."

Greg Kroah-Hartman has announced the release of the 6.16.5, 6.12.45, 6.6.104, 6.1.150, 5.15.191, 5.10.242, and 5.4.298 stable kernels. Each containsimportant fixes throughout the kernel tree; users should upgrade.

Deadlocks are a constant threat in concurrent settings with shareddata; it is thus not surprising that the kernel project has long sincedeveloped tools to detect potential deadlocks so they can be fixed beforethey affect production users. Byungchul Park thinks that he has developeda better tool that can detect more deadlock-prone situations. At the 2025 OpenSource Summit Europe, he presented an introduction to his dependencytracker (or "DEPT") tool and the kinds of problems it can detect.

Security updates have been issued by AlmaLinux (httpd:2.4, kernel, pam, postgresql:12, and python3.12), Debian (clamav and node-cipher-base), Fedora (exiv2 and libsixel), Oracle (httpd, kernel, pam, postgresql:12, postgresql:13, postgresql:15, and udisks2), SUSE (gimp, libmupen64plus-devel, munge, nvidia-open-driver-G06-signed, ovmf, postgresql15, python-aiohttp, python-Django, rav1e, redis, and ruby2.5), and Ubuntu (ffmpeg, kdepim, kf5-messagelib, kmail, kmail-account-wizard, linux-azure, linux-azure-6.8, linux-azure-nvidia, php7.0, php7.2, php7.4, protobuf, python-django, ruby2.5, ruby2.7, ruby3.0, ruby3.2, ruby3.3, and rubygems).

Inside this week's LWN.net Weekly Edition:

Version2025.9 of the Home Assistant home automation system has been released.Changes include a new experimental dashboard that is eventually meant tobecome the default, a number of tile-card improvements, a reworkedautomation editor, several new integrations, and more.

Version25.08 of the niri scrollable-tiling Wayland compositor has beenreleased. Notable changes include xwayland-satelliteintegration, modal exit confirmation, and the introduction of basicsupport for screen readers:

Version12.4 of Linux From Scratch (LFS) and Beyond Linux From Scratch(BLFS) have been released. LFSprovides step-by-step instructions on building a customized Linuxsystem entirely from source, and BLFS helps to extend an LFSinstallation into a more usable system. Notable changes in thisrelease include updates to GNU Binutils 2.45, GCC 15.2, GNU C Library(glibc) 2.42, and Linux 6.15.1. See the Changelogfor all updates since 12.3.

The Linux kernel has to handle many different sources of data that should notbe trusted: user space, network connections, and removable storage, to name afew. The kernel has to remain secure even if one of these sends garbled (ormalicious) data. Benno Lossin has been working on an API for kernel Rust codethat makes it harder to accidentally make decisions based on data from user space. That workis now on itsfourth revision, and Lossin has asked kernel developers to experiment withit and see where problems remain, making this a good time to look at the proposed API.

During the opening of RustConf 2025 in Seattle, Washington,the Rust Foundation announced a new initiative to provide financial and administrative support to open-source Rust projects. The first project to benefit from the new Rust Innovation Lab isRustls, an implementation of TLS in Rust. The foundation welcomes inquiries from other projects. Dr. Rebecca Rumbul, Executive Director of the Rust Foundation said:

Cary Coutant has announceda draft for version 4.3 of theExecutable and Linking Format (ELF) object file format. Thespecification was formerly part of the Unix SystemV Release 4 (SVR4) gABI document:

Security updates have been issued by AlmaLinux (httpd, kernel, and kernel-rt), Debian (python-eventlet and python-h2), Mageia (aide, gnutls, tomcat, and vim), Oracle (httpd, mod_http2, postgresql:15, python3.11, python3.12, python3.9, and udisks2), Red Hat (kernel, postgresql, postgresql:12, and postgresql:15), SUSE (dcmtk, jupyter-bqplot-jupyterlab, kured, libudisks2-0, munge, python-eventlet, python-future, python311-eventlet, rekor, traefik2, and ucode-intel), and Ubuntu (linux-aws, linux-azure-5.15, linux-gcp-6.8, linux-gke, linux-gkeop, linux-hwe-6.8, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, linux-raspi, linux-gke, linux-ibm-5.15, linux-kvm, and protobuf).

As a rule, if a package is shipped with a Debian release, users cancount on it being available, and updated, for the entirelife of the release. If package foo is included in the stablerelease-currently Debian13("trixie")-a user canreasonably expect that it will continue to be available with securitybackports as long as that release is supported, though it may not beincluded in Debian14 ("forky"). However, it is likely that theGuix package manager will soonbe removed from the repositories for Debian13 andDebian12 ("bookworm", also called oldstable).

The FastCode site has alengthy article on how large language models make open-source projectsfar more vulnerable to XZ-style attacks.

Security updates have been issued by AlmaLinux (kernel, mod_http2, postgresql, postgresql:15, and python39:3.9), Debian (libsndfile), Mageia (ceph, glibc, and golang), Oracle (postgresql and python39:3.9), Red Hat (aide, postgresql:12, postgresql:13, postgresql:15, and postgresql:16), SUSE (git, govulncheck-vulndb, jetty-minimal, nginx, python-future, and ruby2.5), and Ubuntu (imagemagick).

The GNOME Foundation has announcedthat Steven Deobald will be leaving the position of Executive Directorafter just four months.

Arnd Bergmann started his OpenSource Summit Europe 2025 talk with a clear statement of position: 32-bitsystems are obsolete when it comes to use in any sort of new products. Theonly reason to work with them at this point is when there is existinghardware and software to support. Since Bergmann is the overall maintainerfor architecture support in the kernel, he is frequently asked whether32-bit support can be removed. So, he concluded, the time has come to talkmore about that possibility.