Julian Andres Klode has announced that theDebian APT package-management tool will acquire "hard Rustdependencies sometime after May 2026. "If you maintain a portwithout a working Rust toolchain, please ensure it has one within the next6 months, or sunset the port."
The idea of automatic syntax-aware merging in version-control systems goes back to2005 or earlier, but initial implementations wereoften language-specific and slow.Mergiraf is a merge-conflict resolver that uses a generic algorithm plus asmall amount of language-specific knowledgeto solve conflicts that Git's default strategy cannot.The project's contributors have been working on thetool for just under a year, but it alreadysupports 33 languages, including C,Python, Rust, and evenSystemVerilog.
Version1.91.0 of the Rust language has been released. Changes includepromoting aarch64-pc-windows-msvc to a tier-1 platform, a new lint ruleto catch dangling raw pointers from local variables, and a fair number ofnewly stabilized APIs.
The kernel's file-I/O subsystems have been highly optimized over the yearsin the hope of providing the best performance for a wide variety ofworkloads. There is, however, one workload type that suffers with currentkernels: applications that perform many short reads, in multiple processes,from the same file. Kiryl Shutsemau has been working on a patch totry to optimize this case, but the task is turning out to be harder thanone might expect.
The Universal Blueproject has announcedthe Fall update for the Fedora-based Bazzite gaming distribution. Thisrelease brings Bazzite up to Fedora43, includes support foradditional handheld gaming systems, as well as drivers for a number ofsteering wheel devices, and more.
Alejandro Colomar has announced the release of version 6.16 of the GNU/Linux man pages. This release includes new or rewritten man pages for fsconfig(), fsmount(), and fsopen(), as well as a number of newly documented interfaces in existing man pages. The release is also available as a PDF book.
ICANN's Security andStability Advisory Committee (SSAC) has announceda reporton "the critical role of Free and Open Source Software (FOSS)within the Domain Name System (DNS)". The report is aimed atpolicymakers and examines recent cybersecurity regulations in the US,UK, and EU as they apply to FOSS in the DNS system; it includesfindings and guidelines "to strengthen the FOSS ecosystem that iscritical to the secure and stable operation of the Internet". Fromthe report's summary:
A new class of attacks on Android phones, called "Pixnapping", was announced onOctober 13. It allows a malicious app to gather output rendered in avictim app, pixel-by-pixel, by exploiting a GPU side-channel. Depending onwhat the victim app displays, anything from sensitive email and chats totwo-factor authentication (2FA) codes could be captured-and shipped off toan attacker's site.
Debian's ftpmasterteam has been responsible for allowing new packages to enter Debian,removing old packages, and otherwise maintaining Debian's packagearchive for more than two decades. As of October26, the team isno more and its duties are being split between two new teams. The ArchiveOperations Team will focus on the infrastructure required tosupport the Debianarchives, and the DFSG, Licensing & NewPackages Team, which is responsible for reviewing packagesentering the newqueue. In time, this move could speed up processing of newpackages, as well as making the teams more sustainable, but only afternew members are recruited and trained. For now, the same folks aredoing the work but spread across two teams.
Greg Kroah-Hartman has announced the release of the 6.17.6, 6.12.56, 6.6.115, 6.1.158, 5.15.196, 5.10.246, and 5.4.301 stable kernels. As always, eachcontains important fixes throughout the tree. Users of these kernelsare advised to upgrade.
Security updates have been issued by Debian (gimp, python-authlib, and xorg-server), Fedora (chromium and git-lfs), Mageia (poppler and tomcat), Red Hat (kernel, kernel-rt, redis, and redis:6), SUSE (fetchmail, grafana, ImageMagick, kernel-devel, libluajit-5_1-2, proxy-helm, python-Authlib, and xen), and Ubuntu (linux-intel-iotg, linux-intel-iotg-5.15 and squid, squid3).
Fil-C is a memory-safe implementation of C and C++ that aims to let C code -complete with pointer arithmetic, unions, and other features that are oftencited as a problem for memory-safe languages - run safely, unmodified.Its dedication to being "fanaticallycompatible" makes it an attractive choice for retrofitting memory-safetyinto existing applications. Despite the project's relative youth and singleactive contributor, Fil-C is capable of compiling anentire memory-safe Linux user space (based onLinux From Scratch),albeit with some modifications to the more complex programs. It also featuresmemory-safe signal handling and a concurrent garbage collector.
The Fedora Project has announced the release of Fedora Linux43,with "what's new" articles for FedoraWorkstation, FedoraKDE Plasma Desktop, and FedoraAtomic Desktops.
BPF lets users load programs into a running kernel.Even though BPF programs are checked by the verifier toensure that they stay inside certain limits, some users would still like to ensurethat only approved BPF programs are loaded. KP Singh'spatches adding that capability to the kernel were acceptedin version 6.18, but not everyone issatisfied with his implementation. Blaise Boscaccy, who has been working to geta version of BPF code signing with better auditabilityinto the kernel for some time, posteda patch set on top of Singh's changes that alters the loading process tonot invoke security module hooksuntil the entire loading process is complete.The discussion on the patchset is the continuation of along-running disagreement overthe interface for signed BPF programs.
The Python Software Foundation, earlier this year, successfully obtained a$1.5million grant from the US National Science Foundation "toaddress structural vulnerabilities in Python and PyPI". The actualgrant came with some strings attached though, in the form of a requirementnot to pursue diversity, equity, and inclusion programs. So the Foundationhas withdrawnthe proposal rather than agree to terms that run counter to its ownmission.
Version0.3.0 of Rust Coreutils, part of the uutils project, has beenreleased. This release adds safe directory traversal for severalutilities, better error handling, and performanceimprovements. The project has upgraded its test suite reference fromGNU coreutils 9.7 to 9.8, and added 16 new tests. It includes a fixfor the date bugthat affected automatic updates in Ubuntu25.10.
Version 3.26.0 of the Valgrindmemory-profiling and debugging framework has been released. Notablechanges include updated support for the Linux TestProject (LTP) to version v20250930, many new Linux syscallwrappers, and the license for Valgrind has been changed from GPLv2 toGPLv3.
Linus has released 6.18-rc3 for testing."Things feel fairly normal, and in fact the numbers say it's been a bitcalmer than usual, but that's likely just the usual fluctuation in pullrequest timing rather than anything else".
Security updates have been issued by AlmaLinux (webkit2gtk3), Debian (bind9, chromium, python-internetarchive, and tryton-sao), Fedora (dokuwiki and php-php81_bc-strftime), Mageia (firefox, nss & rootcerts and thunderbird), Slackware (openssl), SUSE (bleachbit, chromium, kernel, mozilla-nss, and python311-uv), and Ubuntu (fetchmail, golang-go.crypto, and linux-oracle-5.4).
Open-source foundations and projects that have charity status inthe US may want to see if GoFundMe has created a profilefor them without permission. The company has operated since 2010 as aself-service fundraising platform; individuals or groups could createpages to raise money for all manner of causes. In June, the company announcedthat it would expand its offerings to "manage all aspects ofcharitable giving" for users through its platform. That seems toinclude creating profiles for nonprofit organizations without theirinvolvement. After pushback, the company saidon October23 that it would be removing the pages. It has notanswered more fundamental questions about how it planned to disbursefunds to nonprofits that had no awareness of the GoFundMe pages in thefirst place.
Greg Kroah-Hartman has released the 6.17.5, 6.12.55, and 6.6.114 stable kernels. As usual, eachcontains important fixes throughout the tree; users are advised toupgrade.
The Spectre class of hardware vulnerabilities truly is a gift that keeps ongiving. New variants are still being discovered in current CPUs nearlyeight years after the disclosure of thisproblem, and developers are still working to minimize the performance coststhat come from defending against it. The masked user-space accessmechanism is a case in point: it reduces the cost of defending against somespeculative attacks, but it brought some challenges of its own that areonly now being addressed.
The Fedora Council has approvedan AI-assistedcontributions policy. This follows severalweeks of discussion, some of which was covered by LWN onOctober1. The final policy contains substantial differences fromthe initialproposal, and now requires disclosure of AI tools "when thesignificant part of the contribution is taken from a tool withoutchanges".
KDE Plasma6.5 has been released. Notable newfeatures include automatic light-to-dark theme switching based ontime of day, support for the experimental Wayland picture-in-picture protocol,as well as a number of usabilityand accessibilityimprovements. See the completechangelog for a list of the new features, enhancements,and bug fixes.
DebugFS is the kernel's anything-goes, no-rules interface: whenever a kerneldeveloper needs quick access to internal details of the kernel to debug aproblem, or to implement an experimental control interface,they can expose them via DebugFS. This is possible because DebugFS is not subjectto the normal rules for user-space-interface stability, nor to the rules aboutexposing sensitive kernel information. Supporting DebugFS in Rust drivers is animportant step toward being able to debug real drivers on real hardware. MatthewMaurer spoke atKangrejos2025 about his recently mergedDebugFS bindings for Rust.
Version9.0.0 of the Valkey distributed key-value database has beenreleased. Notable features of this release include Multipath TCP(MPTCP) support, new filters forclient commands, multi-databasesupport for cluster mode and much more. See the Valkey9.0.0RC1release notes for a full list of new features in this majorrelease.According to a recent blog post, thisrelease includes major improvements to performance and scaling ofValkey clusters to more than 2,000 nodes and one billion requests persecond. Valkey began as afork of the Redis key-value database in March2024, but hasevolved separately since then.
The Git source-code management system is a foundational tool upon whichmuch of the free-software community is based. For many people, Git simplyworks, though perhaps in quirky ways, so the activity of its developmentcommunity may not often appear on their radar. There is a lot happening inthe Git world at the moment, though, as the project works toward a 3.0release sometime in 2026. Topics of interest in the Git community includethe SHA-256 transition, the introduction of code written in Rust, and howthe project should view contributions created with the assistance of largelanguage models.
Version8.8.0 of the digiKam photo-management system has been released."This version delivers significant improvements in performance,stability, and user experience, with a particular focus on imageprocessing, color management, and workflow efficiency". Changesinclude an import/export feature for tag hierarchies, focus-pointvisualization for some camera models, automatic use of the monitor colorprofile, and a background-blur tool.
In September, a group of long-time maintainers of Ruby packaging toolsprojects had their GitHub privileges revoked by nonprofit corporation Ruby Centralin what many people are calling ahostile takeover. Ruby Central and its board members have issuedseveral public statements that have, so far, failed to satisfy many inthe Ruby community. In response, some of the former contributors toRubyGems are working on an alternative service called gem.coop. On October17, ownershipof the RubyGems andBundlerrepositories was handed over to the Ruby core team, even though those projects had never been part of core Rubypreviously. The takeover and subsequent events have raised a number ofquestions in the Ruby community.
Importing modules in Python is ubiquitous; most Python programs startwith at least a few import statements. But the performance impactof those imports can be large-and may be entirely wasted effort if thesymbols imported end up being unused. There are multiple ways to lazilyimport modules, including one in the standard library, but none of them arepart of the Python language itself. Thatmay soon change, if the recently proposedPEP810 ("Explicit lazyimports") is approved.
Greg Kroah-Hartman has announced the release of the 6.17.4 6.12.54 6.6.113 6.1.157, and 5.15.195 stable kernels. As usual, eachcontains important fixes; users of those kernels are advised to upgrade.
The Ruby community has experienced some turbulenceof late after Ruby Central tookcontrol of the GitHub repositories for a number of projectsincluding RubyGemsand Bundler. Those projects have historically been developedseparately from Ruby itself. They are now being put under thecontrol of Ruby's core team, according to Ruby creator YukihiroMatsumoto (a.k.a. "Matz"):
Ruby libraries andapplications are distributed via a packaging format called a gem. RubyGems.org has been the centralhosting service for gems since about 2010. This article is part one ofa two-part series on the RubyGems.org takeover by Ruby Central. Understanding thehistory of RubyGems.org, and the contributor community behind it, isvital to making sense of the current powerstruggle between Ruby Central and members of the Rubycommunity who have maintained those services and tools for manyyears.
LWN.net