LWN.net
Link https://lwn.net/
Feed http://lwn.net/headlines/rss
Updated 2025-06-01 21:15
Oniux: kernel-level Tor isolation for Linux applications
The Tor project has announced the oniux utility, which provides Tor network isolation, using Linux namespaces, for third-party applications.
Security updates for Thursday
Security updates have been issued by Debian (open-vm-tools), Fedora (dnsdist), Gentoo (Node.js and Tracker miners), Red Hat (kernel and xdg-utils), SUSE (audiofile, go1.22-openssl, go1.24, grub2, kernel-devel, openssl-1_1, openssl-3, and python311-Django), and Ubuntu (ruby-rack).
[$] LWN.net Weekly Edition for May 15, 2025
Inside this week's LWN.net Weekly Edition:
[$] The future of Flatpak
At the Linux Application Summit (LAS) in April, Sebastian Wick said that, by many metrics, Flatpak is doing great. The Flatpak application-packaging format is popular with upstream developers, and with many users. More and more applications are being published in the Flathub application store, and the format is even being adopted by Linux distributions like Fedora. However, he worried that work on the Flatpak project itself had stagnated, and that there were too few developers able to review and merge code beyond basic maintenance.
Podman 5.5.0 released
Version 5.5.0 of the Podman container-management tool has been released. Notable features include the addition of a podman machine cp command to copy files into a running Podman VM, a podman artifact extract command to copy contents of an OCI artifact to disk, and a --mount=artifact option to mount OCI artifacts into containers. See the release announcement for a full list of improvements and bug fixes.
[$] Faster firewalls with bpfilter
From servers in a data center to desktop computers, many devices communicating on a network will eventually have to filter network traffic, whether it's for security or performance reasons. As a result, this is a domain where a lot of work is put into improving performance: a tiny performance improvement can have considerable gains. Bpfilter is a project that allows for packet filtering to easily be done with BPF, which can be faster than other mechanisms.
Security updates for Wednesday
Security updates have been issued by AlmaLinux (emacs, firefox, gnutls, java-17-openjdk, java-21-openjdk, osbuild-composer, python39:3.9, and thunderbird), Arch Linux (screen), Debian (varnish), Fedora (chromium), Gentoo (Atop, FreeType, and Spidermonkey), Mageia (java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-latest-openjdk and postgresql15, postgresql13), Oracle (389-ds-base, emacs, firefox, kernel, libsoup, libtiff, mod_auth_openidc:2.3, nodejs:20, nodejs:22, osbuild-composer, python39:3.9, qemu-kvm, ruby, ruby:3.1, ruby:3.3, and thunderbird), Red Hat (.NET 8.0, .NET 9.0, avahi, buildah, corosync, delve and golang, exiv2, expat, firefox, ghostscript, gimp, git, grafana, gvisor-tap-vsock, java-21-openjdk, kernel, kernel-rt, libarchive, libjpeg-turbo, libsoup, libsoup3, libxslt, mod_auth_openidc, nginx, nginx:1.22, nginx:1.24, nodejs22, nodejs:20, nodejs:22, opentelemetry-collector, osbuild-composer, perl, php, php:8.2, php:8.3, podman, python-jinja2, redis, redis:7, rhc, ruby:2.5, skopeo, sqlite, thunderbird, tomcat, tomcat9, valkey, vim, xorg-x11-server-Xwayland, xterm, xz, yelp, and yggdrasil), Slackware (screen), SUSE (apparmor, dirmngr, gimp, golang-github-prometheus-node_exporter, java-11-openj9, java-17-openj9, java-21-openj9, libxmp-devel, python311-Django4, rabbitmq-server313, rke2, and transfig), and Ubuntu (abseil and open-vm-tools).
[$] A look at what's possible with BPF arenas
BPF arenas are areas of memory where the verifier can safely relax its checking of pointers, allowing programmers to write arbitrary data structures in BPF. Emil Tsalapatis reported on how his team has used arenas in writing sched_ext schedulers at the 2025 Linux Storage, Filesystem, Memory-Management, and BPF Summit. His biggest complaint was about the fact that kernel pointers can't be stored in BPF arenas - something that the BPF developers hope to address, although there are some implementation problems that must be sorted out first.
Nextcloud claims Google is being anticompetitive
Nextcloud provides an open-source collaboration platform called Nextcloud Hub, which includes file-sharing and syncing features. The company has written a blog post explaining that Google has revoked a critical permission from the Nextcloud Files app for Android that allows it to sync files to Nextcloud Hub.
Security updates for Tuesday
Security updates have been issued by Debian (libeconf and rubygems), Fedora (libxmp), Gentoo (glibc), Oracle (java-1.8.0-openjdk, kernel, libxslt, and virtuoso-opensource), SUSE (augeas, git-lfs, kanidm, and tomcat10), and Ubuntu (linux-lts-xenial).
Multiple security issues in Screen
The SUSE Security Team has published an article detailing several security issues it has uncovered with GNU Screen. This includes a local root exploit when Screen is shipped setuid-root, as it is in some Linux and BSD distributions. The security team also reports problems in coordinating disclosure with the upstream Screen project.
Guix project migrating to Codeberg
The Guix project has announced that it is migrating all of its Git repositories, as well as bug tracking and patch tracking, from Savannah to the Codeberg Git forge.
[$] The last of YaST?
The announcement of the openSUSE Leap 16.0 beta contained something of a surprise: along with the usual set of changes and updates, it informed the community of the retirement of "the traditional YaST stack" from Leap. The YaST ("Yet another Setup Tool") installation and configuration utility has been a core part of the openSUSE distribution since its inception in 2005, and part of SUSE Linux since 1996. It will not, immediately, be removed from the openSUSE Tumbleweed rolling-release distribution, but its future is uncertain and its fate is up to the larger community to decide.
Security updates for Monday
Security updates have been issued by Debian (libbson-xs-perl, postgresql-13, redis, and simplesamlphp), Fedora (chromium, deluge, epiphany, golang-github-nats-io-nkeys, libxmp, nodejs22, perl-Compress-Raw-Lzma, php-adodb, python-h11, and xz), Gentoo (firefox, NVIDIA Drivers, Orc, PAM, and thunderbird), Mageia (libreoffice, python-django, and transfig), Red Hat (emacs, firefox, python39:3.9, and thunderbird), SUSE (bird3, freetype2, ldap-proxy, libmosquitto1, and ruby3.4-rubygem-rack), and Ubuntu (linux, linux-aws, linux-kvm, linux-aws, and linux-fips).
Kernel prepatch 6.15-rc6
Linus has released 6.15-rc6 for testing.
[$] A kernel developer plays with Home Assistant: general impressions
Those of us who have spent our lives playing with computers naturally see the appeal of deploying them through the home for both data acquisition and automation. But many of us who have watched the evolution of the technology industry are increasingly unwilling to entrust critical household functions to cloud-based servers run by companies that may not have our best interests at heart. The Apache-licensed Home Assistant project offers a welcome alternative: locally controlled automation with free software. This two-part series covers roughly a year of Home Assistant use, starting with a set of overall observations about the project.
Albertson: OSL's path to sustainability
Lance Albertson writes that the Oregon State University Open Source Lab has been funded for the next year, following his announcement in April that the future of OSL was in jeopardy. OSL is now focusing on becoming self-sustainable long term.
Five more Friday stable kernels
Greg Kroah-Hartman has announced the release of the 6.14.6, 6.12.28, 6.6.90, 6.1.138, and 5.15.182 stable kernel versions.
Security updates for Friday
Security updates have been issued by Debian (fossil, libapache2-mod-auth-openidc, and request-tracker4), Fedora (thunderbird), Mageia (firefox and thunderbird), SUSE (389-ds, apparmor, cargo-c, chromium, go1.24, govulncheck-vulndb, java-1_8_0-openjdk, kanidm, libsoup, mozjs102, openssl-1_1, openssl-3, python-Django, sccache, tealdeer, tomcat, transfig, wasm-bindgen, and wireshark), and Ubuntu (libreoffice and python-h11).
GNOME Foundation announces new executive director
The GNOME Foundation has announced the hiring of Steven Deobald as its new executive director.
[$] A FUSE implementation for famfs
The famfs filesystem is meant to provide a shared-memory filesystem for large data sets that are accessed for computations by multiple systems. It was developed by John Groves, who led a combined filesystem and memory-management session at the 2025 Linux Storage, Filesystem, Memory Management, and BPF Summit (LSFMM+BPF) to discuss it. The session was a follow-up to the famfs session at last year's summit, but it was also meant to discuss whether the kernel's direct-access (DAX) mechanism, which is used by famfs, could be replaced in the filesystem by using other kernel features.
Security updates for Thursday
Security updates have been issued by Debian (chromium, libapache2-mod-auth-openidc, mariadb-10.5, and openssh), Red Hat (osbuild-composer), Slackware (mariadb), SUSE (apache2-mod_auth_openidc, glib2, ImageMagick, libsoup, libsoup2, libva, openvpn, sqlite3, and weblate), and Ubuntu (libsoup3, php-horde-css-parser, and python-django).
Fittl: Waiting for Postgres 18: Accelerating Disk Reads with Asynchronous I/O
Lukas Fittl writes in detail on the pganalyze blog about the asynchronous I/O capability coming with the PostgreSQL 18 release.
[$] LWN.net Weekly Edition for May 8, 2025
Inside this week's LWN.net Weekly Edition:
Home Assistant 2025.5 released
Version 2025.5 of the Home Assistant home automation system has been released. With this release, the project is celebrating two million active installations. Changes include improvements to the backup system, Z-Wave Long Range support, a number of new integrations, and more.
[$] Hash table memory usage and a BPF interpreter bug
Anton Protopopov led a short discussion at the 2025 Linux Storage, Filesystem, Memory-Management, and BPF Summit about the amount of memory used by hash tables in BPF programs. He thinks that the current memory layout is inefficient, and wants to split the structure that holds table entries into two variants for different kinds of maps. When that proposal proved uncontroversial, he also took the chance to talk about a bug in BPF's call instruction.
[$] Debian's AWKward essential set
The Debian project has the concept of essential packages, which provide the bare minimum functionality considered absolutely necessary (or "essential") for a system to function. Packages tagged as essential, and the packages that are required by the set of essential packages, are always installed as part of a Debian system. However, Debian's packaging rules do not require developers to explicitly declare dependencies on that set of packages (the essential set) but they can simply rely on the fact that those will always be present. That means that changing the essential set, as the project may wish to do occasionally, is more complicated than it should be. This came to light recently when a Debian developer asked what might be required to remove mawk to slim down the project's container images.
Deepin Desktop removed from openSUSE
The SUSE Security Team has announced the removal of the Deepin Desktop from openSUSE due to violations of the project's packaging policy.
Security updates for Wednesday
Security updates have been issued by Fedora (incus and nodejs20), Red Hat (freetype, kernel, kernel-rt, libsoup, libtiff, redis, redis:6, and thunderbird), SUSE (apparmor, chromium, grafana, ImageMagick, java-11-openjdk, java-17-openjdk, libsoup, libsoup2, libxslt, opensaml, rabbitmq-server, rubygem-rack-1_6, sqlite3, and thunderbird), and Ubuntu (kernel, libfcgi, libraw, libsoup2.4, linux, linux-aws, linux-aws-5.15, linux-gcp, linux-gke, linux-gkeop, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-intel-iotg, linux-intel-iotg-5.15, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-nvidia-tegra, linux-nvidia-tegra-igx, linux-oracle, linux-oracle-5.15, linux-raspi, linux, linux-aws, linux-aws-5.4, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-hwe-5.4, linux-ibm, linux-kvm, linux-oracle, linux-oracle-5.4, linux, linux-aws, linux-aws-6.8, linux-gcp, linux-gcp-6.8, linux-gke, linux-gkeop, linux-hwe-6.8, linux-ibm, linux-lowlatency, linux-lowlatency-hwe-6.8, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, linux-oem-6.8, linux-oracle, linux-oracle-6.8, linux, linux-aws, linux-aws-hwe, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux, linux-aws, linux-gcp, linux-gcp-6.11, linux-hwe-6.11, linux-lowlatency, linux-lowlatency-hwe-6.11, linux-oracle, linux-raspi, linux-aws-fips, linux-fips, linux-gcp-fips, linux-azure, linux-azure, linux-azure-4.15, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15, linux-azure, linux-azure-6.11, linux-azure-6.8, linux-azure-fips, linux-intel-iot-realtime, linux-realtime, linux-oem-6.11, linux-raspi, linux-realtime, python, python-scrapy, and ruby-carrierwave).
The state of SSL stacks
Willy Tarreau and William Lallemand have posted an extensive whitepaper examining the landscape of the available SSL implementations.
The end of the USENIX Annual Technical Conference
On the 50th anniversary of the USENIX organization, its flagship Annual Technical Conference (ATC) is coming to an end.
Mission Center 1.0.0 released
Version 1.0.0 of Mission Center, a system-monitoring application, has been released. Notable changes in this release include the addition of SMART data for SATA and NVMe devices, display of per-process network usage, as well as a redesigned Apps Page that provides more information about applications and processes. Mission Center's backend application for obtaining system data has been renamed from the Gatherer to Magpie, and is now available as a standalone executable and libraries that can be used by other applications.
[$] Filtering fanotify events with BPF
Linux systems can have large filesystems; trying to keep up with the stream of fanotify filesystem-monitoring notifications for them can be a struggle. Fanotify is one of a few ways to monitor accesses to filesystems provided by the kernel. Song Liu led a discussion on how to improve in-kernel filtering of fanotify events to a joint session of the filesystem and BPF tracks at the 2025 Linux Storage, Filesystem, Memory-Management, and BPF Summit. He wants to combine the best parts of a few different approaches to efficiently filter filesystem events.
[$] Improving FUSE writeback performance
In a combined filesystem and memory-management session at the 2025 Linux Storage, Filesystem, Memory Management, and BPF Summit (LSFMM+BPF), Joanne Koong led a discussion on improving the writeback performance for the Filesystem in Userspace (FUSE) layer. Writeback is how data that is written to the filesystem is actually flushed to the disk; it is the process of writing dirty pages from the page cache to storage. The current FUSE implementation allocates unmovable memory, then copies the dirty data to it before initiating writeback, which is slow; Koong wanted to change that behavior. Since the session, she has posted a patch set that has been applied by FUSE maintainer Miklos Szeredi.
Security updates for Tuesday
Security updates have been issued by Fedora (chromium and kappanhang), Red Hat (osbuild-composer and thunderbird), SUSE (chromedriver), and Ubuntu (c-ares, corosync, mysql-8.0, mysql-8.4, openjdk-17, openjdk-21, openjdk-24, openjdk-8, and openjdk-lts).
A new AUTOSEL release
AUTOSEL is a tool that is used to find kernel patches that should be considered for backporting into the stable releases. Sasha Levin has announced a new and completely rewritten version of AUTOSEL for those who would like to play with it.
[$] Injecting speculation barriers into BPF programs
The disclosure of the Spectre class of hardware vulnerabilities created a lot of pain for kernel developers (and many others). That pain was especially acutely felt in the BPF community. While an attacker might have to painfully search the kernel code base for exploitable code, an attacker using BPF can simply write and load their own speculation gadgets, which is a much more efficient way of operating. The BPF community reacted by, among other things, disallowing the loading of programs that may include speculation gadgets. Luis Gerhorst would like to change that situation with this patch series that takes a more direct approach to the problem.
Two stable kernels released—with build fixes only
The 6.12.27 and 6.1.137 stable kernels have been released to fix build problems in their predecessors. Only those who are having build troubles with 6.12.26 or 6.1.136 need to upgrade.
Security updates for Monday
Security updates have been issued by Debian (ansible, containerd, and vips), Fedora (chromium, java-17-openjdk, nodejs-bash-language-server, nodejs-pnpm, ntpd-rs, redis, rust-hickory-proto, thunderbird, and valkey), Mageia (apache-mod_auth_openidc, fcgi, graphicsmagick, kernel-linus, pam, poppler, and tomcat), Red Hat (firefox, libsoup, nodejs:20, redis:6, rsync, webkit2gtk3, xmlrpc-c, and yelp), and SUSE (audiofile, ffmpeg, firefox, libsoup-2_4-1, libsoup-3_0-0, libva, libxml2, and thunderbird).
Kernel prepatch 6.15-rc5
Linus has released 6.15-rc5 for testing. "So it all feels like things are just continuing to go well this release. Let's hope I didn't jinx it by saying so."
[$] Flexible data placement
At the 2025 Linux Storage, Filesystem, Memory Management, and BPF Summit (LSFMM+BPF) Kanchan Joshi and Keith Busch led a combined storage and filesystem session on data placement, which concerns how the data on a storage device is actually written. In a discussion that hearkened back to previous summits, the idea is to give hints to enterprise-class SSDs to help them make better choices on where the data should go; hinting was most recently discussed at the summit in 2023. If SSDs can group data with similar lifetimes together, it can lead to longer life for the devices, but there is a need to work out the details.
Security updates for Friday
Security updates have been issued by Debian (chromium, nodejs, openjdk-17, and thunderbird), Fedora (firefox, golang-github-nvidia-container-toolkit, and thunderbird), Mageia (kernel), Oracle (ghostscript, glibc, kernel, libxslt, php:8.1, and thunderbird), SUSE (cmctl, firefox-esr, govulncheck-vulndb, java-21-openjdk, libxml2, poppler, python-h11, and redis), and Ubuntu (docker.io, ghostscript, linux-xilinx-zynqmp, and micropython).
A pile of stable kernel updates
The 6.14.5, 6.12.26, 6.6.89, 6.1.136, 5.15.181, 5.10.237, and 5.4.293 stable kernel updates have all been released; each contains another set of important fixes.
Redis is now available under the AGPLv3 open source license (Redis blog)
After a somewhat tumultuous switch to the Server Side Public License (SSPL) in March 2024, Redis has backtracked and is now offering Redis under the Affero GPLv3 (AGPLv3) starting with Redis 8, CEO Rowan Trollope announced. The change back to an open-source license was led by Redis creator Salvatore "antirez" Sanfilippo, who also contributed the new Vector Sets feature for the release. He said:
Celebrating 20 Years of the OASIS Open Document Format
The Document Foundation is celebrating the 20th anniversary of the ratification of the Open Document Format (ODF) as an OASIS standard.
[$] Custom out-of-memory killers in BPF
The out-of-memory (OOM) killer has long been a scary and controversial part of the Linux kernel. It is summoned from some dark place when the system as a whole (or, more recently, any given control group) is running so low on memory that further allocations are not possible; its job is to kill off processes until a sufficient amount of memory has been freed. Roman Gushchin has found a way to make the OOM killer even scarier: adding the ability to load custom OOM killers in BPF.
Security updates for Thursday
Security updates have been issued by Debian (expat, fig2dev, firefox-esr, golang-github-gorilla-csrf, jinja2, libxml2, nagvis, qemu, request-tracker4, request-tracker5, u-boot, and vips), Fedora (firefox, giflib, and thunderbird), Mageia (imagemagick), Red Hat (thunderbird), SUSE (amber-cli, libjxl, and redis), and Ubuntu (h2o, poppler, and postgresql-10).
[$] LWN.net Weekly Edition for May 1, 2025
Inside this week's LWN.net Weekly Edition:
Albertson: Future of OSL in Jeopardy
Lance Albertson writes that the Oregon State University Open Source Lab, the home of many prominent free-software projects over the years, has run into financial trouble:
[$] The mystery of the Mailman 2 CVEs
Many eyebrows were raised recently when three vulnerabilities were announced that allegedly impact GNU Mailman 2.1, since many folks assumed that it was no longer being supported. That's not quite the case. Even though version 3 of the GNU Mailman mailing-list manager has been available since 2015, and version 2 was declared (mostly) end of life (EOL) in 2020, there are still plenty of users and projects still using version 2.1.x. There is, as it turns out, a big difference between mostly EOL and actually EOL. For example: WebPros, the company behind the cPanel server and web-site-management platform, still maintains a port of Mailman 2.1.x to Python 3 for its customers and was quick to respond to reports of vulnerabilities. However, the company and upstream Mailman project dispute that the CVEs are valid.