LWN.net

Security updates have been issued by Debian (python-internetarchive and tiff), Fedora (nextcloud), Oracle (kernel, openssh, and squid), Red Hat (kernel, kernel-rt, and ncurses), SUSE (afterburn and chromium), and Ubuntu (open-vm-tools, ruby-rack, and tiff).

After marking bcachefs "externally maintained" in 6.17, Linus Torvalds hasremovedit entirely for 6.18. "It's now a DKMS module, making the in-kernelcode stale, so remove it to avoid any version confusion."

The 6.17 development cycle ended on September28 with the releaseof the 6.17 kernel. This cycle brought in 13,089 non-merge changesets, aslowdown from its predecessor but still within the normal bounds for recentkernels. The time has come for a look at where those changes came from,with a bit of a side trip into bug statistics.

The NixOS moderation team, which is theoretically in charge of ensuring that community participation on the project's repositories anddiscussion forum remains welcoming and useful, has releaseda joint resignation statement. This action was motivated by conflict with the project's steering committee (SC), which has repeatedly overridden the moderation team, leading the team members to decide that they could not continue acting as moderators. Arian Van Putten, speaking for the whole team, writes:

As with a mobile phone, a portable gaming device like the Steam Deck can containlots of personal information that the owner would like to keepsecret-especially given that such devices can do far more than gaming.Alberto Garcia worked with his colleagues at Igalia and people atValve, the company behind the Steam gaming platform, to comeup with a new tool to manage encrypted filesystems for SteamOS, which is a Linuxdistribution optimized for gaming. Garcia gave a talk about that tool, dirlock, at OpenSource Summit Europe, which was held in Amsterdam in late August.In the talk, he looked at the design process forthe encrypted-files feature, the alternatives considered, and why they madethe choices they did.

Security updates have been issued by AlmaLinux (avahi, cups, firefox, gnutls, golang, httpd, kernel, libtpms, mysql, opentelemetry-collector, php:8.2, podman, postgresql:13, postgresql:15, python3, python3.11, python3.12, python3.9, thunderbird, and udisks2), Debian (firefox-esr, gimp, nncp, node-tar-fs, and squid), Fedora (chromium, firebird, python-azure-keyvault-securitydomain, python-azure-mgmt-security, and python-microsoft-security-utilities-secret-masker), Red Hat (httpd:2.4, kernel, kernel-rt, and mod_http2), SUSE (aide, apache2-mod_security2, chromedriver, cloud-init, docker, gdk-pixbuf, git, google-osconfig-agent, govulncheck-vulndb, gstreamer-plugins-base, iperf, kernel, krb5, krita, luajit, net-tools, nvidia-open-driver-G06-signed, pam, postgresql17, python311, rust-keylime, sevctl, tor, tree-sitter-ruby, and udisks2), and Ubuntu (curl, ghostscript, inetutils, python2.7, and qtbase-opensource-src).

The F-Droid project has posted anurgent message regarding Google's plan to require developerregistration to install apps on Android devices.

Linus Torvalds has released the 6.17 kernel. He notes that the shortlog for the changes since -rc7 are pretty tame:

The openSUSE project is nearing the release of Leap16, itsfirst major release since openSUSELeap15in May 2018. This release brings some changes to thecore of the distribution aside from the usual software upgrades; YaST has been retired,SELinux has replaced AppArmor as the default mandatory access control(MAC) system, and more. If all goes according to plan, Leap16final should be released in early October, with planned supportthrough 2031.

Security updates have been issued by AlmaLinux (firefox, kernel, and thunderbird), Debian (ceph and thunderbird), Fedora (chromium, mingw-expat, python-deepdiff, python-orderly-set, python-pip, rust-az-cvm-vtpm, rust-az-snp-vtpm, rust-az-tdx-vtpm, and trustee-guest-components), Oracle (aide, kernel, and thunderbird), Red Hat (firefox, kernel, openssh, perl-YAML-LibYAML, and thunderbird), Slackware (expat), SUSE (jasper, libssh, openjpeg2, and python-pycares), and Ubuntu (linux-aws-6.14, linux-hwe-6.14, linux-azure, linux-hwe-6.8, linux-realtime-6.8, node-sha.js, and pcre2).

Longtime PyPy developer Antonio Cuni has alengthyblog post that describes his talk at the recently completed 2025CPythonCore Dev Sprint, held at Arm in Cambridge, UK. The talk, entitled"Tracing JIT and real world Python - aka: what we can learn from PyPy" wasmeant to try to pass on some of his experiences "optimizing existingcode for PyPy at a high-frequency trading firm" to thedevelopers working on the CPython JIT compiler. His goal wasto raise awareness of some of the problems he encountered:

The file_operationsstructure in the kernel is a set of function pointers implementing, as thename would suggest, operations on files. A subsystem that manages objectswhich can be represented by a file descriptor will provide afile_operations structure providing implementations of the variousoperations that a user of the file descriptor may want to carry out. Themmap() method, in particular, is invoked when user space calls themmap()system call to map the object behind a file descriptor into its addressspace. That method, though, is currently on its way out in a multi-releaseprocess that started in 6.17.

The Fedora project has posted aproposal for a policy regarding the use of AI tools when developing forthe distribution.

The 6.16.9, 6.12.49, 6.6.108, and 6.1.154 stable kernels have been released.As usual, they all contain important fixes throughout the kernel tree.

Security updates have been issued by AlmaLinux (grub2 and kernel), Debian (chromium and libxslt), Fedora (chromium, expat, libssh, and webkitgtk), Oracle (avahi, firefox, ImageMagick, kernel, libtpms, and mysql), Red Hat (kernel), SUSE (bird3, expat, kernel, and tiff), and Ubuntu (dpkg, gnuplot, linux, linux-aws, linux-aws-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-intel-iotg, linux-intel-iotg-5.15, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-nvidia-tegra, linux-nvidia-tegra-5.15, linux-oracle, linux-raspi, linux-riscv-5.15, linux-xilinx-zynqmp, linux, linux-aws, linux-gcp, linux-gcp-6.14, linux-oracle, linux-realtime, linux-riscv, linux-riscv-6.14, linux-aws-fips, linux-fips, linux-gcp-fips, linux-azure, linux-azure-fips, linux-ibm, linux-ibm-6.8, linux-intel-iot-realtime, linux-realtime, linux-oem-6.14, linux-oracle-5.15, linux-realtime-6.14, and python-eventlet).

Version18 of the PostgreSQL database has been released. Notableimprovements in this release include "skip scan" lookups formulticolumn B-tree indexes, virtualgenerated columns, better text processing, oauthauthentication, and a new asynchronous I/O (AIO) subsystem to improveperformance:

Inside this week's LWN.net Weekly Edition:

Asynchronous Rust code has what Rain Paharia calls a "universal cancellationprotocol", meaning that any asynchronous code can be interrupted in the sameway. They claimthat this is both a useful feature when used deliberately, and a source oferrors when done by accident. They presentedabout this problem atRustConf2025, offering a handful of techniques to avoid introducing bugs intoasynchronous Rust code.

The CapabilityHardware Enhanced RISC Instructions (CHERI) project is a rethinking ofcomputer architecture in order to improve system security. Carl Shaw gavea presentation atLinuxSecurity Summit Europe (LSS EU) about CHERI and the efforts to getLinux running on it. He introduced capabilities,which are a mechanism for access control, and outlined theirhistory, which goes back many decades at this point, then looked morespecifically at the CHERI project and what it will take to apply thesecurity constraints of capabilities to an operating system like Linux.

Security updates have been issued by AlmaLinux (kernel and kernel-rt), Fedora (expat), Red Hat (kernel and multiple packages), SUSE (avahi, busybox, busybox-links, kernel, sevctl, tcpreplay, thunderbird, and tor), and Ubuntu (isc-kea, linux, linux-aws, linux-gcp, linux-gke, linux-gkeop, linux-lowlatency, linux-lowlatency-hwe-6.8, linux-aws-6.8, linux-gcp-6.8, linux-aws-fips, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, linux-realtime, python-pip, and rabbitmq-server).

The Open Source Security Foundation(OpenSSF) has put together a joint statement from many of the publicpackage repositories for various languages about the need for assistance inmaintaining these commons. Services such as PyPI for Python, crates.io for Rust, and many others areworking together to try to find ways to sustain these services in the faceof challenges from "automated CI systems, large-scale dependencyscanners, and ephemeral container builds" all downloading enormousamounts of package data, coupled with the rise of generative and agentic AI"driving a further explosion of machine-driven, often wasteful automatedusage, compounding the existing challenges". It is not a crisis, yet,they say, but it is headed in that direction.

A bug in a recent release of systemd's network manager causedheadaches for people managing systems that have a virtual LAN (VLAN)interface on a bridge; something one might want to do, for example,when configuring network interfaces for virtual machines. The bugaffected several Debian users when upgrading the systemd packagefrom v257.7-1 to v257.8-1. The updated package is part of the Debian13.1release, and the bug has snared enough users to cause a minorstir-due in no small part to the maintainer's response as muchas the bug itself.

Security updates have been issued by Debian (corosync and kernel), Fedora (checkpointctl, chromium, curl, and perl-Catalyst-Authentication-Credential-HTTP), SUSE (firefox, frr, kernel, rustup, vim, and wireshark), and Ubuntu (glibc and pam).

Version 6.0.0 of the RPM Package Manager has been released. Notable changes in this release include support for multiple OpenPGP signatures per package, the ability to update previously installed PGP keys, as well as support for RPM v4 and v6 packages. See the release notes for full details.

Computers were once relatively static devices; if a peripheral was presentat boot, it was unlikely to disappear while the system was operating.Those days are far behind us, though; devices can come and go at any time,often with no notice. That impermanence can create challenges for kernelcode, which may not be expecting resources it is managing to make an abruptexit. The revocableresource management patch set from Tzung-Bi Shih is meant to help withthe creation of more robust - and more secure - kernel subsystems in adynamic world.

Security updates have been issued by Debian (ffmpeg, jetty12, jetty9, jq, and pam), Fedora (curl, libssh, podman-tui, and prometheus-podman-exporter), Oracle (firefox, gnutls, kernel, and thunderbird), and SUSE (bluez, cairo, chromium, cmake, cups, firefox, frr, govulncheck-vulndb, kernel, kubevirt, virt-api-container, virt-controller-container, virt-exportproxy-container, virt-exportserver-container, virt-handler-container, virt-launcher-container, virt-libguestfs-t, mariadb, mybatis, ognl, python-h2, and rke2).

Linus has released 6.17-rc7 for testing."Let's keep the testing going, and we'll have the final 6.17 in aweek".

The Linux kernel generally wants to be in charge of the system as a whole;it runs on all of the available CPUs and controls access to them globally.Cong Wang has just come forward with a differentapproach: allowing each CPU to run its own kernel. The patch set is inan early form, but it gives a hint for what might be possible.

Greg Kroah-Hartman has announced the release of the 6.16.8, 6.12.48, 6.6.107, and 6.1.153 stable kernels; eachcontains an important set of fixes.

Blender 4.5 LTS was releasedon July 15, 2025, and will be supported through 2027. This is the lastfeature release of the 3D graphics-creation suite's 4.x series; itincludes quality-of-life improvements, including work to bring the Vulkan backend up topar with the default OpenGL backend. With 4.5 released, Blenderdevelopers are turning their attention toward Blender 5.0, planned forrelease later this year. It will introduce substantial changes,particularly in the GeometryNodes system, a central feature of Blender's proceduralworkflows.

Security updates have been issued by Debian (chromium, cjson, and firefox-esr), Fedora (expat, gh, scap-security-guide, and xen), Oracle (container-tools:rhel8, firefox, grub2, and mysql:8.4), SUSE (busybox, busybox-links, element-web, kernel, shadowsocks-v2ray-plugin, and yt-dlp), and Ubuntu (imagemagick, linux, linux-aws, linux-gcp, linux-gke, linux-gkeop, linux-hwe-6.8, linux-lowlatency, linux-lowlatency-hwe-6.8, linux-oracle, linux-azure, linux-azure-5.15, linux-azure-fips, linux-ibm, linux-ibm-6.8, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, linux-raspi, linux-oracle-6.8, linux-realtime, and openjpeg2).

Time-slice extension is a proposed scheduler feature that would allow auser-space process to request to not be preempted for a short period whileit executes a critical section. It is an idea that has been circulatingfor years, but efforts to implement it becamemore serious in February of this year. The latest developer to make anattempt at time-slice extension is Thomas Gleixner, who has posted a new patch setwith a reworked API. Chances are good that this implementation is close towhat will actually be adopted by the kernel.

Version1.90.0 of the Rust language has been released. Changes includeswitching to the LLD linker by default,the addition of support for workspace publishing to cargo, and theusual set of stabilized APIs.

Security updates have been issued by AlmaLinux (gnutls, mysql:8.4, opentelemetry-collector, and python-cryptography), Debian (nextcloud-desktop), Fedora (chromium, firefox, forgejo, gitleaks, kernel, kernel-headers, lemonldap-ng, perl-Cpanel-JSON-XS, and python-pip), Red Hat (firefox and libxml2), Slackware (expat and mozilla), SUSE (avahi, bluez, cups, curl, firefox-esr, gdk-pixbuf, gstreamer, java-1_8_0-ibm, krb5, net-tools, podman, raptor, sevctl, tkimg, ucode-intel, and vim), and Ubuntu (linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux-fips, linux-azure-fips, linux-gcp-fips, and linux-gcp-6.14, linux-oracle, linux-oracle-6.14).

The Universal Blue project has announced the release of BluefinLTS,an image-based distribution similar to Bluefin that usesCentOSStream10 and EPEL instead of Fedora as its base:

Version7.0 of the Tails portableoperating system has been released. This is the first version of Tailsbased on Linux 6.12.43, Debian13("trixie") and GNOME48. It uses zstd instead ofxz to compress the USB and ISO images to deliver afaster start time on most computers. The release is dedicated to the memory of Lunar, "atraveling companion for Tails, a Tor volunteer, Free Software hacker,and community organizer":

Inside this week's LWN.net Weekly Edition:

Version 49 of the GNOME desktopenvironment has been released. Changes include new default video(Showtime) and PDF-viewing (Papers) applications, a number of calendarimprovements, and updates to the Web, Maps, and Software applications.

Ian Jackson has published a blogpost summarizing the tag2upload service'sfirst month of handling uploads for the upcoming Debian14 ("forky") release:

Version2.15.0 of libxml2 hasbeen released. Notable changes include the disabling of Pythonbindings by default, using Doxygen to generate API documentation, aswell as bringing HTML serialization and handling of characterencodings more in line with the HTML5 specification.Nick Wellnhofer has also announcedthat he is stepping down as libxml2 maintainer, and Ivan Chavero hasvolunteeredto take over. LWN covered libxml2 inJune.

Typst is a program for documenttypesetting. It is especially well-suited to technical materialincorporating elements such as mathematics, tables, and floatingfigures. It produces high-quality results, comparable to the gold standard,LaTeX, with a simpler markupsystem and easier customization, all while compiling documentsmore quickly. Typst is free software, Apache-2.0 licensed, and is written in Rust.

Systemdv258 has been released with a long list of new features andchanges; slice units now have basic workload management features,quotas for tmpfs have been added, the "systemctlstart"command now has a verbose (-v) option, and more. This releasealso, finally, completely removes support for control groups v1support. LWN coveredsome of systemd v258's features and changes in August.

In October, consumer versions of Windows10 willstop receiving security updates. Many users who would ordinarily moveto the next version are blocked by Windows11's hardwarerequirements unless they are willing to buy a newer PC. The "End of 10" campaign is an effort toconvince those users to switch to Linux rather than sticking with anend-of-life operating system or buying a new Windows system. AtAkademy2025, Dr. Joseph DeVeaugh-Geiss,Bettina Louis, Carolina Silva Rode, and Nicole Teale discussed theirwork on the campaign, its progress so far, and what's next.

Security updates have been issued by AlmaLinux (container-tools:rhel8, kernel, and podman), Debian (node-sha.js), Fedora (firefox, kea, and perl-JSON-XS), Mageia (java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-latest-openjdk), Oracle (kernel, libarchive, podman, and python-cryptography), Red Hat (multiple packages, mysql:8.4, and python3.11), SUSE (expat, java-1_8_0-ibm, krb5, libavif, net-tools, nginx, nvidia-open-driver-G06-signed, onefetch, pcp, rabbitmq-server313, raptor, and vim), and Ubuntu (libyang2, linux, linux-aws, linux-aws-5.4, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-iot, linux-kvm, linux-raspi, linux-raspi-5.4, linux-xilinx-zynqmp, linux-aws-fips, linux-fips, linux-gcp-fips, and python-xmltodict).

Safe, ergonomic interoperability between Rust and C/C++ was a popular topic atRustConf2025 in Seattle, Washington. Chandler Carruth gave a presentationabout the different approaches to interoperability in Rust andCarbon, theexperimental "(C++)++" language.His ultimate conclusion was thatwhile Rust's ability to interface with other languages is expanding over time,it wouldn't offer a complete solution to C++ interoperability anytime soon - and so there is room forCarbon to take a different approach to incrementally upgrading existing C++ projects.Hisslides are available for readers wishing to study his example code in moredetail.

Version143.0 of the Firefox browser has been released. Changes include theability to pin tabs by dragging them to the edge, previews in the camerapermissions dialog, improved fingerprinting protection, and (optional)automatic deletion of files downloaded in private browsing mode.

The Socket.dev blog describesthis week's attack on JavaScript packages in the npm repository.

Security updates have been issued by AlmaLinux (kernel and kernel-rt), Debian (node-sha.js and python-django), Fedora (chromium, cups, exiv2, perl-Catalyst-Authentication-Credential-HTTP, perl-Catalyst-Plugin-Session, perl-Plack-Middleware-Session, and qemu), Red Hat (container-tools:rhel8, podman, and udisks2), SUSE (cargo-audit, cargo-c, cargo-packaging, and kernel-devel), and Ubuntu (libcpanel-json-xs-perl, libjson-xs-perl, rubygems, sqlite3, and vim).

Registration for the 2025 Linux Plumbers Conference (Tokyo,December11 to13) isnow open. LPC tickets often sell out quickly, so it would be best notto delay if you intend to attend.

Brooke Deuson is the developer behindTrafficking Free Tomorrow, a nonprofit organization thatproduces free software to help law enforcement combat human trafficking. She isa survivor of human trafficking herself.She spoke at RustConf 2025 about hermission, and why she chose to write her anti-trafficking software in Rust.Interestingly, it has nothing to do with Rust's lifetime-analysis-based memory-safety -instead, her choice was motivated by the difficulty she faces getting policedepartments to actually use her software. The fact that Rust is staticallylinked and capable of cross compilation by default makes deploying Rust softwarein those environments easier.