LWN.net

Matthieu Clemenceau has publisheda status update from the Foundations Team on Ubuntu25.04 (Plucky Puffin) development to the UbuntuDiscourse forum. This includes updates on Ubuntu's adoptionof Dracut as an alternative to initramfs-tools, a move toa single ISO for arm64 devices rather than device-specific images, andreverting the planned O3 optimization flags for Plucky Puffin.

On January 20, Thomas Weischuh shared a newpatch set implementing an alternate method for checking the integrity ofloadable kernel modules. This mechanism, which checks module integrity basedon hashes computed at build time instead of using cryptographic signatures,could enable reproducible kernel builds in more contexts. Several distributionshave already expressed interest in the patch set if Weischuh can get itinto the kernel.

Security updates have been issued by Debian (chromium), Fedora (firefox and man2html), Mageia (erlang, ffmpeg, and vim), Oracle (doxygen, firefox, python-jinja2, squid, and webkit2gtk3), Red Hat (nodejs:18), SUSE (emacs, go1.23, go1.24, and pcp), and Ubuntu (ansible, firefox, linux-azure, linux-nvidia, and python-django).

The kernel project has usually been willing to make fundamental internalchanges if they lead to a better kernel in the end. The project also,though, goes out of its way to avoid breaking interfaces that have beenexposed to user space, even if programs come to rely on behavior that wasnever documented. Sometimes, those two principles come into conflict,leading to a situation where fixing problems within the kernel is eitherdifficult or impossible. This sort of situation has been impedingperformance improvements in the kernel's POSIX timers implementation forsome time, but it appears that a solution has been found.

Security updates have been issued by Debian (firefox-esr), Fedora (firefox and vim), Red Hat (firefox), Slackware (mozilla), SUSE (firefox, firefox-esr, kernel, and podman), and Ubuntu (gpac, kernel, linux, linux-aws, linux-gcp, linux-gcp-5.15, linux-gke, linux-hwe-5.15, and redis).

Inside this week's LWN.net Weekly Edition:

The Google Bug Hunters blog has adetailed description of how a vulnerability in AMD's microcode-patchingfunctionality was discovered and exploited; the authors have also releaseda set of tools to assist with this kind of research in the future.

Version2.0.0 of FerretDB has beenreleased. FerretDBis an open-source alternative to MongoDB, which switched to a non-openlicense in 2018, built on top of PostgreSQL. This releaseutilizes the DocumentDBPostgreSQL extension for better performance, adds vectorsearch, and replication.

Functional programming languages have a long association with graphs. In the1990s, it was even thought that parallel graph-reductionarchitectures could make functional programming languages much faster than theirimperative counterparts. Alas, that prediction mostly failed to materialize.Even though graphs are still used as a theoretical formalism in order to defineand optimize functional languages (such as Haskell'sspineless tagless graph-machine), they are still mostly compiled down to the same oldnon-parallel assembly code that every other language uses. Now, twoprojects -Bend andVine - have sprung up attempting to change that, and prove thatparallel graph reduction can be a useful technique for real programs.

The Xen Project has announcedthe release of Xen 4.20. This release adds support forAMDZen5 CPUs, improved compliance with the MISRA C standard,work on PCI-passthrough on Arm, and more. Xen4.20 also removessupport for XeonPhi CPUs, which were discontinuedin 2018. See the featurelist and releasenotes for more information.

Version136.0 of the Thunderbird Desktop mail client has beenreleased. The release includes a quick toggle for adapting messages todark mode, and a new "Appearance" setting to control message threadingand sorting order globally, as well as a number of bug fixes. See thesecurityadvisory for a full list of security vulnerabilities addressed inThunderbird 136.0.

Version12.3 of Linux FromScratch (LFS) has been released, along with Beyond LinuxFrom Scratch (BLFS) 12.3. LFS provides step-by-step instructionson building a customized Linux system entirely from source, and BLFShelps to extend an LFS installation into a more usable system. Notablechanges in this release include toolchain updates to GNU Binutils2.44, GNU C Library (glibc) 2.41, and Linux 6.13.2. The Changeloghas a full list of changes since the previous stable release.

Security updates have been issued by Debian (libreoffice), Fedora (exim and fscrypt), Red Hat (kernel), Slackware (mozilla), SUSE (docker, firefox, and podman), and Ubuntu (linux, linux-lowlatency, linux-lowlatency-hwe-5.15, linux, linux-lowlatency, linux-lowlatency-hwe-6.8, linux, linux-oem-6.11, linux-aws, linux-aws-6.8, linux-oracle, linux-oracle-6.8, linux-raspi, linux-aws, linux-gcp, linux-hwe-6.11, linux-oracle, linux-raspi, linux-realtime, linux-aws, linux-gkeop, linux-ibm, linux-intel-iotg, linux-intel-iotg-5.15, linux-oracle, linux-oracle-5.15, linux-raspi, and linux-gcp, linux-gcp-6.8, linux-gke, linux-gkeop).

Mozilla's actions have been rubbing many Firefox fans thewrong way as of late, and inspiring them to look for alternatives.There are many choices for users who are looking for a browser thatisn't part of the Chrome monoculture but is full-featured and suitablefor day-to-day use. For those who are willing to stay in the Firefox"family" there are a number of good options that have taken vastlydifferent approaches. This includes GNU IceCat, Floorp, LibreWolf, and Zen.

Version136.0 of the Firefox browser has been released. Changes include a newvertical tab layout, an automatic attempt to upgrade HTTP connections toHTTPS, support for AMD GPUs on Linux, an Arm64 port for Linux, and more.

Version 6.10 of the Incus container-management system has been released.New features include better Let's Encrypt support, API-wide filtering,IOMMU support in virtual machines, and more. See thisannouncement for details.

Security updates have been issued by AlmaLinux (kernel), Mageia (x11-server), Red Hat (emacs and webkit2gtk3), SUSE (ffmpeg-7, govulncheck-vulndb, kernel, and skopeo), and Ubuntu (cmark-gfm, erlang, krb5, linux-gcp-6.8, linux-raspi, linux-kvm, lucene-solr, postgresql-12, postgresql-14, postgresql-16, raptor2, spip, tomcat7, and wpa).

Mozilla has issuedan update to its terms of use (TOU) that were announcedon February26. It has removed a reference in the TOU toMozilla's Acceptable Use Policy "because it seems to be causingmore confusion than clarity", and has revised the TOU "to moreclearly reflect the limited scope of how Mozilla interacts with userdata". The new language says:

One of the many new features packed into the 6.13 kernel release was guardpages, a hardening mechanism that makes it possible to inject zero-accesspages into a process's address space in an efficient way. That featureonly supports anonymous (user-space data) pages, though. To make guardpages more widely useful, Lorenzo Stoakes has put together a patchset enabling the feature for file-backed pages as well; in the process,he examined and resolved a long list of potential problems that extendingthe feature could encounter. One potential problem was not on his list,though.

Security updates have been issued by Debian (ffmpeg, kernel, linux-6.1, mariadb-10.5, proftpd-dfsg, and xorg-server), Fedora (chromium, cutter-re, iniparser, nodejs22, rizin, webkitgtk, wireshark, xen, and xorg-x11-server), Mageia (binutils and ffmpeg), Oracle (emacs and kernel), Red Hat (emacs and webkit2gtk3), SUSE (azure-cli, bsdtar, gnutls, govulncheck-vulndb, libX11, libxkbfile, libxml2, nodejs-electron, openssh8.4, ovmf, phpMyAdmin, python, python-azure-identity, python311-jupyter-server, tiff, trivy, u-boot, and wireshark), and Ubuntu (opennds and Ruby SAML).

The 6.14-rc5 kernel prepatch is out fortesting. "Nothing looks particularly big or worrisome".

Differences of opinion, as well as outright disputes, betweenupstream open-source projects and Linux distribution packagers overpackaging practices are nothing new. It is rarer, though, for thosedisputes to boil over to threats of legal action-but adisagreement between the OpenBroadcaster Software (OBS) Studio project and Fedora packagersreached that point in mid-February. After escalation to a higherauthority, things have been worked out to the satisfaction of the OBSproject, but some lingering questions remain. How Fedora shouldprioritize Flatpak repositories,how to handle conflicts between upstreams and Fedora packagers, andthe mechanics of removing or retiring Flatpaks all remain openquestions.

There is a fair amount of unhappiness on the Internet about the announcementfrom Mozilla about a new "terms ofuse" agreement and an updatedprivacy notice for the Firefox browser.

Security updates have been issued by Debian (emacs, freerdp2, and gst-plugins-good1.0), Fedora (java-17-openjdk, python3.6, and xorg-x11-server-Xwayland), Mageia (radare2), SUSE (libX11, openvswitch3, postgresql13, procps, ruby2.5, webkit2gtk3, and xorg-x11-server), and Ubuntu (git, linux-aws, linux-aws, linux-aws-6.8, linux-aws, linux-oracle, linux-oracle-5.4, linux-ibm, linux-intel-iotg, linux-intel-iotg-5.15, and linux-oem-6.11).

Paul McKenney has put together a series ofarticles on how to improve one's ability to give a good talk at atechnical conference.

Version 4.0 of the Fishshell has been released. Improvements include a better key-bindingmechanism, the ability to tie abbreviations to a specific command,selective ignoring of commands in the history, some scripting improvements,and more. See therelease notes for details.

Zotero is anopen-source reference management tool designed for collecting,organizing, and citing research materials. It is particularly usefulfor those writing research papers, theses, or books that require abibliography in standard formats like APAStyle, ChicagoStyle, or MLAFormat. Zotero stores bibliographic metadata, annotations, and userdata and integrates with word processors like LibreOffice, MicrosoftWord, and Google Docs to produce in-text citations andbibliographies. The core features of Zotero include metadata extraction,tagging, full-text indexing, and cloud synchronization formulti-device access, and Zotero has a plugin system toallow anyone to expand its capabilities. The most recent majorrelease, Zotero7, addedsupport for reading EPUBs, brought user-interface improvementsincluding a dark mode, performance improvements, and more.

Intel's indirectbranch tracking (IBT) is a hardware-implemented control-flow-integritymechanism that makes it harder for an attacker to gain control of thesystem by way of a corrupted indirect branch. FineIBT is a softwareextension to IBT that is meant to improve its protection. Recently,though, Jennifer Miller reported a novel way to bypassFineIBT by taking advantage of how the kernel's system-call entry point isconstructed. In response, Peter Zijlstra is working on some FineIBTenhancements to close that hole and make IBT more secure in general.

The 6.13.5, 6.12.17, and 6.6.80 stable kernels have been released. Asusual, they contain important fixes all over the kernel tree; users ofthose series should upgrade.

Security updates have been issued by Debian (emacs and openh264), Fedora (rpm-ostree), Mageia (dcmtk, libcap, openssh, and proftpd), Red Hat (emacs, kernel, and pki-servlet-engine), Slackware (emacs), SUSE (chromium, ffmpeg-4, ffmpeg-7, gnutls, libiniparser-devel, procps, socat, vim, xorg-x11-server, and xwayland), and Ubuntu (binutils, libsndfile, libxmltok, and php5).

Inside this week's LWN.net Weekly Edition:

FOSDEM 2025 featured the usual talksabout open-source software, but, as always, the conference also offered theopportunity to discover some more exotic and less software-centrictopics. That's how I learned about the FlowBattery Research Collective (FBRC), which is building what willeventually become an open-source home battery.Daniel Fernandez Pinto represented the collective atFOSDEM with his talk "Buildingan Open-Source Battery for Stationary Storage" in the "Energy: Acceleratingthe Transition through Open Source" developer room (devroom).

The Gentoo Linux project hasannouncedthe availability of qcow2 images for amd64 (x86_64) and arm64(aarch64), and plans to "eventually" offer images for theriscv64 and loongarch64 architectures.

One of the often-requested LWN site features that has languished thelongest on our to-do list is full-text RSS feeds. We are happy to announcethat, finally, there is a set of such feeds available; the full set can beseen on our feeds page. This is asubscriber-only feature, and it works by creating a unique fetch URL foreach user. We will, of course, be counting on our readers to not sharethose URLs.Another feature we have had requests for is to automatically present thesite in dark-mode colors when a reader's browser has been configured toprefer it. That feature, too, is now available. In this case, we had tothink about the interaction between automatic selection and the colorcustomization that the site has long had. The conclusion we reached isthat, if custom colors have been configured for an account, they will winout over the automatic selection. There is a new preference in the customization area to change thisdefault if desired.Both of these features - and the other enhancements we have made recently -were enabled by the support of LWN's subscribers. By making it possible tobring in new staff last year, you created the space to improve the siteexperience while keeping up with the writing. We thank all of you for yoursupport.

Version25.2 of the Armbian Linuxdistribution for single-board computers (SBCs) has been released. Notablechanges in this release include support for many new SBCs, an upgradeto Linux kernel 6.12.x, and more. See the changelogfor a complete list.

TheFaster CPython project has been working to speed up the Python interpreterfor the past several years. Now, Ken Jin, a member of the project, has merged anew set of changes thathave beenbenchmarked as improving performance by 10% for some architectures.The only change is switching from using computed goto statements to usingtail calls as part of the implementation of Python's bytecode interpreter - but that change allowsmodern compilers to generate significantly better code.

Security updates have been issued by Fedora (crun, gnutls, libtasn1, and openssl), Mageia (emacs, gnutls, iniparser, kernel, kmod-virtualbox, kmod-xtables-addons, kernel-linus, krb5, libxml2, and vim), Slackware (tigervnc and xorg), SUSE (libprotobuf-lite28_3_0 and Maven), and Ubuntu (dropbear, kernel, libxml2, linux, linux-lowlatency, linux-lowlatency-hwe-6.8, linux, linux-lts-xenial, linux-aws-5.4 linux-raspi-5.4, linux-gcp, linux-gke, linux-gkeop, linux-ibm, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, linux-raspi, ProFTPD, python-virtualenv, rails, and xorg-server, xwayland).

The conversation around the merging of a set of Rust abstractions for thekernel's DMA-mapping layer has mostly settled after Linus Torvalds made it clear that the code would beaccepted. One other consequence of this decision, though, is thatChristoph Hellwig has quietly stepped down from themaintenance of the DMA-mapping code. Marek Szyprowski will be themaintainer of that layer going forward. Hellwig has maintained that codefor many years; his contributions will be missed.

The Linux kernel supports attaching BPF programs to many operations.This is generally safe because the BPF verifier ensuresthat BPF programs can't misuse kernel resources, run indefinitely, or otherwiseescape their boundaries. There is continuing tension, however, between tryingto expand the capabilities of BPF programs and ensuring that the verifier canhandle every edge case. On February14, Juntong Dengshared a proof-of-concept patch set thatadds some run-time checks to BPF to make it possible in the future to interrupta running BPF program.

Security updates have been issued by AlmaLinux (libpq, postgresql:13, postgresql:15, and postgresql:16), Debian (nodejs and php-nesbot-carbon), Mageia (neomutt), Red Hat (python3.11-urllib3 and tuned), SUSE (crun, ovmf, pam_pkcs11, qemu, and webkit2gtk3), and Ubuntu (iniparser, libcap2, linux, linux-hwe, linux, linux-hwe-5.4, linux, linux-lowlatency, linux-azure, linux-azure-5.4, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-ibm-5.4, linux-azure, linux-azure-fde, linux-gkeop, linux-nvidia, linux-oracle, linux-azure-5.15, linux-azure-fde-5.15, linux-oracle-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-kvm, linux-lowlatency-hwe-5.15, and linux-xilinx-zynqmp).

Version2.0 of the Aqualunggapless music player has been released. Aqualung supports playback ofa wide range of audio formats, ripping CDs to WAV, FLAC, Ogg Vorbis,or MP3, and subscribing to podcasts via RSS or Atom feeds. The primarychange in this release is the migrationfrom GTK2 to GTK3, and dropping support for custom skins as aresult.

The kernel's slab allocator is responsible for the allocation of small(usually sub-page) chunks of memory. For many workloads, the speed ofobject allocation and freeing is one of the key factors in overallperformance, so it is not surprising that a lot of effort has gone intooptimizing the slab allocator over time. Now that the kernel is down to a single slab allocator, thememory-management developers have free rein to add complexity to it; thelatest move in that direction is the per-CPUsheaves patch set from slab maintainer Vlastimil Babka.

The AlmaLinux project has publisheda request for comments (RFC) on rebuilding Fedora's Extra Packages forEnterprise Linux (EPEL), which provides additional software forRed Hat Enterprise Linux (RHEL) and its derivatives, to support olderx86_64 hardware that is not supported by EPEL10. While this maysound simple on the surface, the proposed rebuild carries a fewpotential risks that the AlmaLinux and EPEL contributors would like toavoid. The AlmaLinuxEngineering Steering Committee (ALESCo) is currently consideringfeedback and will vote on the RFC in March.

The Emacs extensible texteditor (among other things) has made a security release to address twovulnerabilities. Emacs 30.1 has fixes for CVE-2025-1244,which is a shell-command-injection flaw in the man.el man page browser andfor CVE-2024-53920,which is a code-execution vulnerability in the flymakesyntax-checking mode. LWN covered theflymake problems back in December.

Security updates have been issued by AlmaLinux (bind, bind9.18, libpq, mysql, postgresql, postgresql:15, and postgresql:16), Debian (fort-validator, gnutls28, krb5, libxml2, and python-werkzeug), Fedora (chromium, openssh, proftpd, python3.8, vaultwarden, and vim), Oracle (bind, bind9.16, bind9.18, libpq, libsoup, mysql, mysql:8.0, nodejs:18, nodejs:22, postgresql, postgresql:13, postgresql:15, and postgresql:16), Red Hat (mysql, mysql:8.0, and python3), SUSE (chromedriver, dcmtk, grub2, java-1_8_0-ibm, java-23-openjdk, luanti, openssh, postgresql14, postgresql15, postgresql16, postgresql17, proftpd, radare2, and webkit2gtk3), and Ubuntu (intel-microcode, netty, and nginx).

The 6.14-rc4 kernel prepatch is out fortesting. "This continues to be the right kind of 'boring' release:nothing in particular stands out in rc4".

The pytest-mhproject is a plugin that provides a multi-host test framework for thepopular pytestunit-testing framework and test runner. Work on pytest-mhstarted in 2023 to solve a multitude of issues thatcropped up for developers and testers when testing the SSSD project, which is a client forenterprise identity management. I was not happy with the state oftesting of the SSSD project and wanted to create something that wouldincrease test readability, remove duplication, eliminate errors, andprovide multi-host testing capabilities, while having the flexibilityto build a new API around it. Finally, I also wanted something thatcan be used by anyone to test their projects as well.

Greg Kroah-Hartman has released another four stable kernels:6.13.4,6.12.16,6.6.79, and6.1.129. As usual, all users are advised to upgrade.

Security updates have been issued by AlmaLinux (bind, bind9.16, and mysql:8.0), Debian (chromium, djoser, libtasn1-6, and postgresql-13), Fedora (python3.12 and vim), Red Hat (libpq, postgresql, postgresql:13, postgresql:15, and postgresql:16), Slackware (ark), SUSE (brise, chromium, emacs, google-osconfig-agent, grafana, grub2, helm, kernel, openssh, openssl-1_1, ovmf, postgresql13, postgresql14, postgresql15, and postgresql17), and Ubuntu (gnutls28, libtasn1-6, openssl, python3.10, python3.12, python3.8, and webkit2gtk).

At the end of January we ran this articleon the discussions around a set of Rust bindings for the kernel'sDMA-mapping layer. Many pixels have been expended on the topic sinceacross the net, most recently in thissprawling email thread. Linus Torvalds has now madehis feelings known on the topic: