LWN.net

Paul Kehrer and Alex Gaynor, maintainers of the Python cryptography module, have put out some stronglyworded criticism of OpenSSL. Itcomes from a talk they gave at the OpenSSL conference in October 2025 (YouTube video). Thepost goes into a lot of detail about the problems with the OpenSSL codebase and testing, which has led the cryptography team toreconsider using the library. "The mistakes we see in OpenSSL'sdevelopment have become so significant that we believe substantial changesare required - either to OpenSSL, or to our reliance on it." They gofurther in the conclusion:

Lossless data compression is an important tool for reducing the storagerequirements of the world's ever-growing data sets. Yann Collet developedthe LZ4algorithm and designed the Zstandard (or Zstd)algorithm; he came to the 2025Open Source Summit Japan in Tokyo to talk about where data compressiongoes from here. It turns out that we have reached a point wheregeneral-purpose algorithms are only going to provide limited improvement;for significant increases in compression, while keeping computation costswithin reason for data-center use, turning to format-specific techniqueswill be needed.

The Debian GNOME team would like to remove the GTK2 graphicstoolkit, which has been unmaintained upstream for more than fiveyears, and ship Debian14 ("forky") without it. As one mightexpect, however, there are those who would like to find a way to keepit. Despite its age and declared obsolescence, quite a few Debianpackages still depend on GTK2. Many of those applications areunlikely to be updated, and users are not eager to give themup. Discussion about how to handle this is ongoing; it seems likelythat Debian developers will find some way to continue supportingapplications that require GTK2, but users may have to lookoutside official Debian repositories.

Version1.6.0 of the Radicle peer-to-peer, local-first code collaborationstack has been released. Notable changes in this release includesupport for systemdcredentials, use of Rust's clap crate forparsing command-line arguments, and more. LWN covered the project in March2024.

Security updates have been issued by AlmaLinux (sssd), Debian (linux-6.1 and python-parsl), Fedora (chezmoi, complyctl, composer, and firefox), Oracle (kernel), Red Hat (buildah, libpq, podman, postgresql, postgresql16, postgresql:13, postgresql:15, and postgresql:16), SUSE (avahi, curl, ffmpeg-4, ffmpeg-7, firefox, istioctl, k6, kubelogin, libmicrohttpd, libpcap-devel, libpng16, libtasn1-6-32bit, matio, ovmf, python-tornado6, python311-Authlib, and teleport), and Ubuntu (angular.js, python-urllib3, and webkit2gtk).

Quality-of-service (QoS) mechanisms attempt to prioritize some processes (ornetwork traffic, disk I/O, etc.) over others in order to meet a system'sperformance goals. This is a difficult topic to handle in the world of Linux,where workloads, hardware, and user expectations vary wildly. Qais Yousef spokeat the 2025 Linux Plumbers Conference, alongside his collaborators John Stultz,Steven Rostedt, and Vincent Guittot, about their plans for introducing ahigh-level QoS API for Linux in a way that leaves end users in control of itsconfiguration. The talk focused specifically on a QoS mechanism for thescheduler, to prioritize access to CPU resources differently for different kindsof processes.(slides;video)

Version147.0 of the Firefox web browser has been released. Notablechanges in this release include support for the XDG BaseDirectory specification, enabling localnetwork access restrictions for users with enhancedtracking protection (ETP) set to "Strict", and a fix that improvesFirefox's rendering with GNOME on fractionally scaleddisplays. Firefox147 also includes a number of securityfixes, including several sandbox-escape vulnerabilities.

Security updates have been issued by AlmaLinux (mariadb10.11, mariadb:10.11, mariadb:10.3, mariadb:10.5, and tar), Debian (net-snmp), Fedora (coturn, NetworkManager-l2tp, openssh, and tuxanci), Mageia (libtasn1), Oracle (buildah, cups, httpd, kernel, libpq, libsoup, libsoup3, mariadb:10.11, mariadb:10.3, openssl, and podman), SUSE (cpp-httplib, ImageMagick, libtasn1, python-cbor2, util-linux, valkey, and wget2), and Ubuntu (google-guest-agent, linux-iot, and python-urllib3).

In open-source circles there are many situations, such as bugreports, demos, and tutorials, when one might want to provide aplay-by-play of a session in one's terminal. The asciinema project provides a set oftools to do just that. Its tools let users record, edit, and shareterminal sessions in a text-based format that has quite a fewadvantages compared to making and sharing videos of terminal sessions. Forexample, it is easy to use, offers the ability to search text fromrecorded sessions, and allows users to copy and paste directly fromthe recording.

Security updates have been issued by Debian (chromium and sogo), Fedora (chromium, foomuuri, libpng, libsodium, mariadb10.11, musescore, nginx, python-pdfminer, python-urllib3, python3.12, seamonkey, wasmedge, and wget2), Mageia (curl, libpcap, sodium, wget2, and zlib), Slackware (lcms2), SUSE (chromedriver, chromium, noopenh264, coredns, curl, dcmtk, fontforge, gdk-pixbuf-loader-libheif, gimp, kernel, libheif, libpng16, libsoup-2_4-1, libvirt, mariadb, php8, poppler, python-filelock, python-tornado6, python311-aiohttp, qemu, sssd, and traefik), and Ubuntu (libheif, libtasn1-6, linux-azure-nvidia, linux-kvm, linux-raspi, linux-raspi-realtime, and php7.2, php7.4, php8.1, php8.3, php8.4).

The 2026 edition of the Linux Storage, Filesystem, Memory Management, andBPF Summit will be held May4-6 in Zagreb, Croatia. The call forproposals has gone out for anybody who would like to attend thisinvitation-only meeting. "We are asking that you please let us know youwant to be invited by February 20, 2026".

The6.18.5,6.12.65,6.6.120, and6.1.160stable updates have been released. They all contain a small patchset fixing a scheduling regression associated with idle balancing; the6.6.120 and 6.1.60 updates also contain a large set of other importantfixes.

On her blog, Julia Evans writes aboutimproving Git documentation, including a new datamodel man page she wrote with MarieLeBlanc Flanagan, and updates to the pages for several other Git sub-commands(add, checkout, push, and pull). Aspart of the process, she asked Git users to describe problems they had run intoin the documentation, which helped guide the changes that she made.

The READ_ONCE() and WRITE_ONCE() macros are heavily usedwithin the kernel; there are nearly 8,000 call sites forREAD_ONCE(). They are key to the implementation of many lockless algorithms and can be necessary for sometypes of device-memory access. So one might think that, as theamount of Rust code in the kernel increases, there would be a place forRust versions of these macros as well. The truth of the matter, though, isthat the Rust community seems to want to take a different approach toconcurrent data access.

Security updates have been issued by Debian (pdfminer and vlc), Red Hat (kernel, kernel-rt, and microcode_ctl), Slackware (libtasn1), SUSE (apptainer, curl, ImageMagick, libpcap, libvirt, libwget4, php8, podman, python311-cbor2, qemu, and rsync), and Ubuntu (gnupg, gnupg2, gpsd, libsodium, and python-tornado).

The Fedora Project has announcedthe results of the Fedora43 election cycle. Five seats were openon the Fedora EngineeringSteering Committee (FESCo), and the winnersare Kevin Fenzi, Zbigniew Jdrzejewski-Szmek, Timothee Ravier, DaveCantrell, and Mairin Duffy.

Gentoo Linux has published a 2025project retrospective that looks at how the community has evolved,changes to the distribution, infrastructure, and finances for theGentoo Foundation.

TheSoftware Freedom Conservancy (SFC) issuingVIZIO over smart TVs thatinclude software licensed under the GPL and LGPL (including the Linux kernel,FFmpeg, systemd, and others).VIZIO didn't provide the source code along with the device, and on request theyonly provided some of it. Unlike a typical lawsuit about enforcing the GPL, theSFC isn't suing as a copyright holder; it's suing asa normal owner of the TVin question. This approach opens some important legal questions, and after yearsof pre-trial maneuvering (most recently resulting ina ruling related to signing keys thatis the subject of a separate article),we might finally obtain some answers when the case goesto trial on January12. As things stand, it seems likely that the judge inthe case will rule that that the GPL-enforcement lawsuits can be a matter ofcontract law, not just copyright law, which would be a major change to how GPLenforcement works.

On December 24 2025, Linus Torvalds posted a stronglyworded message celebrating a ruling inthe ongoing GPL-compliance lawsuit filedagainst VIZIO by the Software Freedom Conservancy (SFC). This case andTorvalds's response have put a spotlight on an old debate over the extentto which the source-code requirements of the GNUGeneral Public License (version2) extend to keys and other dataneeded to successfully install modified software on a device. It is worthlooking at whether this requirement exists, the subtleties ininterpretation that cloud the issue, and the extent to which, if any, theSFC is demanding that information.

Greg Kroah-Hartman has released the 6.18.4 and 6.12.64 stable kernels. As always, eachcontains important fixes throughout the tree. Users are advised toupgrade.

Security updates have been issued by AlmaLinux (gcc-toolset-14-binutils, gcc-toolset-15-binutils, httpd, kernel, libpng, mariadb, mingw-libpng, poppler, python3.12, and ruby:3.3), Debian (foomuuri and libsodium), Fedora (python-pdfminer and wget2), Oracle (audiofile, bind, gcc-toolset-15-binutils, libpng, mariadb, mariadb10.11, mariadb:10.11, mariadb:10.5, mingw-libpng, poppler, and python3.12), Red Hat (git-lfs, kernel, libpng, libpq, mariadb:10.3, osbuild-composer, postgresql, postgresql:13, and postgresql:15), Slackware (curl), SUSE (c-ares-devel, capstone, curl, gpsd, ImageMagick, libpcap, log4j, python311-filelock, and python314), and Ubuntu (libcaca, libxslt, and net-snmp).

Inside this week's LWN.net Weekly Edition:

The European Commission has openeda "callfor evidence" to help shape its European Open Digital EcosystemStrategy. The commission is looking to reduce its dependence onsoftware from non-EU countries:

At the 2025 Linux PlumbersConference (LPC), held in Tokyo in mid-December, Changwoo Min led a session on whathe has learned while developing the"latency-criticalityaware virtual deadline" (LAVD) scheduler, which is aimed at gamingworkloads. The session was part of the Gamingon Linux microconference, which is a new entrant into LPC; organizershope to see it return next year inPrague and, presumably, beyond. LAVD uses the extensible scheduler class (sched_ext) and hasthe primary goal of minimizing stutteringin games;it is implemented in a combination of BPF and Rust.

Last year werevived the tradition of publishing a timeline ofnotable events from the previous year. Since that seemed to go overwell, we decided we should continue the practice and look back on someof the most noteworthy events and releases of 2025.

The IPFire project, anopen-source firewall Linux distribution, has released version2.29 - Core Update 199. Notable changes in this release include anupdate to Linux 6.12.58, support for WiFi6 and 7 features onwireless access points, as well as native support for link-localdiscovery protocol (LLDP) and Cisco discovery protocol (CDP).

Android Authority reportsthat Google will be reducing the frequency of releases of code to theAndroid Open Source Project to only twice per year.

Security updates have been issued by AlmaLinux (resource-agents, ruby:3.3, thunderbird, and xorg-x11-server), Fedora (libpcap), Red Hat (brotli), Slackware (libsodium), SUSE (dcmtk, govulncheck-vulndb, libpcap, mozjs60, qemu, rsync, and usbmuxd), and Ubuntu (glib2.0 and linux-raspi, linux-raspi-5.4).

The nature and role of the Linux Foundation's Technical Advisory Board (TAB) isnot well-understood, thougha recent LWN article shed some light on itsrole andhistory. At the 2025Linux Plumbers Conference (LPC), the TAB held a question andanswer session to address whatever it was the community wanted to know(video).Those questions ended up covering the role of large language models in kerneldevelopment, what it is like to be on the TAB, how the TAB can help grease thewheels of corporate bureaucracy, and more.

Aleksa Sarai, as the maintainer of therunc container runtime, faces aconstant battle against security problems. Recently, runc has seenanotherinstance of a security vulnerability that can be traced back to the difficultyof handling file paths on Linux. Sarai spoke at the 2025Linux Plumbers Conference(slides;video)aboutsome of the problems runc has had with path-traversal vulnerabilities, and toask people to please uselibpathrs, the library that he has been developing forsafe path traversal.

Version26.0 ("Anh-Linh") of the Arch-based Manjaro Linux distribution has beenreleased. Manjaro26.0 includes Linux6.18, GNOME49,KDEPlasma6.5, Xfce4.20, and more.

Security updates have been issued by AlmaLinux (kernel, ruby, and thunderbird), Debian (libsodium and ruby-rmagick), Fedora (gnupg2 and proxychains-ng), Oracle (gcc-toolset-14-binutils, rsync, tar, and thunderbird), Red Hat (buildah, mariadb, mariadb10.11, podman, and tar), SUSE (alloy, apache2, buildah, erlang26, glib2, ImageMagick, kernel, libsoup, pgadmin4, python-tornado6, python3, python312, python313, qemu, webkit2gtk3, and xen), and Ubuntu (webkit2gtk).

The calendar has flipped over to 2026; a new year has begun. That meansthe moment we all dread has arrived: it is time for LWN to put out a set oflame predictions for what may happen in the coming year. Needless to say,we do not know any more than anybody else, but that doesn't stop us frommaking authoritative-sounding pronouncements anyway.

Version 1.30 of the GNUddrescue data recovery tool has been released. Notable changes inthis release include improvements to automatic recovery of a drivewith a dead head, addition of a --no-sweep option to disablereading of skipped areas, and more.

Security updates have been issued by AlmaLinux (tar), Debian (curl and gimp), Fedora (doctl, gitleaks, gnupg2, grpcurl, nginx, nginx-mod-brotli, nginx-mod-fancyindex, nginx-mod-headers-more, nginx-mod-modsecurity, nginx-mod-naxsi, nginx-mod-vts, and usd), Mageia (cups), Red Hat (container-tools:rhel8, go-toolset:rhel8, grafana, and skopeo), and SUSE (dirmngr, fluidsynth, gnu-recutils, libmatio-devel, python311-marshmallow, python312-Django6, rsync, and thunderbird).

The 6.19-rc4 kernel prepatch is out fortesting.

Greg Kroah-Hartman has written anoverview of how the kernel's security team works.

Greg Kroah-Hartman has announced the release of the 6.18.3 stable kernel. As always, thisupdate contains important fixes; users of this kernel are advised toupgrade.

Security updates have been issued by Debian (smb4k), Fedora (direwolf, gh, usd, and webkitgtk), Slackware (libpcap and seamonkey), and SUSE (kepler).

Security updates have been issued by Debian (imagemagick and net-snmp), Fedora (delve, golang-github-google-wire, and golang-github-googlecloudplatform-cloudsql-proxy), and SUSE (podman, python3, and python36).

Version4.19.0 of the shadow-utilsproject has been released. Notable changes in this release includedisallowingsome usernames that were previously accepted with the--badname option, and removingsupport for escaped newlines in configuration files. Possibly moreinteresting is the announcement that the project is deprecating anumber of programs, hashing algorithms, and the ability toperiodically expire passwords:

Security updates have been issued by Debian (mediawiki), Fedora (duc, golang-github-projectdiscovery-mapcidr, and kustomize), Slackware (wget2), and SUSE (cheat, duc, flannel, go-sendxmpp, python311, python312, python313, and trivy).

Daniel Stenberg has written a blogpost about the decision to ban the use strcpy()in curl:

Security updates have been issued by Debian (openjpeg2, osslsigncode, php-dompdf, and python-django), Fedora (fluidsynth, golang-github-alecthomas-chroma-2, golang-github-evanw-esbuild, golang-github-jwt-5, and opentofu), Mageia (ceph and ruby-rack), and SUSE (anubis, apache2-mod_auth_openidc, dpdk22, kernel, libpng16, and python311-openapi-core).

Nate Graham looksback at how 2025 went for the KDE project.

Security updates have been issued by Debian (kodi, pgbouncer, and rails), Fedora (duc, fluidsynth, gdu, singularity-ce, and tkimg), Slackware (vim), and SUSE (buildah, duc, gnutls, python39, qemu, and webkit2gtk3).

Linus has released 6.19-rc3 for testing. "Another week, another -rc release.Except the past week has obviously been the holiday week, and this rcrelease is pretty small as a result. Very much as expected."

Graphite is an effort to unifyillustration, raster editing, desktop publishing, and animation in onebrowser-based application. The project has been in development since2021 and announced its first alpha release in 2022. According to creator Keavon Chambers, the project's mission is to become"the 2D counterpart to Blender", by bringing a node-based,non-destructive workflow to 2D graphics. The project, currently still inalpha, is a long way from complete; but it is worth testing for anyoneinvolved with open-source-graphics production. Currentbuilds, from September 2025, include vector-illustration tools, anode-based compositor, and early brush tooling, with broader pixel-based-and photo-editing work still in progress.

Security updates have been issued by Debian (gst-plugins-good1.0, postgresql-13, and python-urllib3), Fedora (chezmoi, docker-buildkit, ov, and subfinder), Oracle (httpd:2.4), Slackware (net), and SUSE (apache2, buildah, kernel, and mariadb).

The judge in the Vizio GPL-compliance lawsuit has ruled, in asummary judgment, that the GNU General Public License, version2,does not require the provision of signing keys needed to install modifiedsoftware on a device.