Feed lwn LWN.net

Link https://lwn.net/
Feed http://lwn.net/headlines/rss
Updated 2025-06-01 21:15
[$] OSI election ends with unsatisfying results
The Open Source Initiative (OSI) has announced the results of its recent board of directors election. Ruth Suehle and McCoy Smith are new to the board, while Carlo Piana will serve another term. The results, however, seem tainted in the eyes of some participants and observers. The election has been plagued by missteps from the beginning. It has culminated with the exclusion of three candidates for failing to meet a requirement to sign the OSI board agreement, which was added after the election was over and before results were tallied or announced.
[$] The guaranteed contiguous memory allocator
As a system runs and its memory becomes fragmented, allocating large, physically contiguous regions of memory becomes increasingly difficult. Much effort over the years has gone into avoiding the need to make such allocations whenever possible, but there are times when they simply cannot be avoided. The kernel's contiguous memory allocator (CMA) subsystem attempts to make such allocations possible, but it has never been a perfect solution. Suren Baghdasaryan is trying to improve that situation with the guaranteed contiguous memory allocator patch set, which includes work from Minchan Kim as well.
Julien Malka proposes method for detecting XZ-like backdoors
Julien Malka has called for the NixOS project to use build-reproducibility to detect when a program has a maintainer-generated tarball that results in a different artifact than building from source. There are good reasons for projects to release maintainer-generated tarballs, but since the materials included in them are usually documentation, extra build scripts, and so on, it makes sense to check that they don't influence the final build output. While this would not have stopped last year's XZ backdoor, it would have made it harder to hide.
[$] Multiple memory classes for address-space isolation
Brendan Jackman has been working to try to get ahead of the next hardware CPU vulnerability before it gets discovered. In January, he posted the second version of a patch set that introduces address-space isolation (ASI) as a way of preventing future CPU vulnerabilities from leaking important information. The core concept is to ensure that data that is not currently needed is not present in memory, so that speculative execution cannot leak it. The work is nowhere near ready to be incorporated into the mainline kernel - not least of all because it has a large performance impact in its current form - but it is likely to once again be a topic of discussion at the 2025 Linux Filesystem, Memory Management, and BPF Summit.
Introducing rpi-image-gen for customized Raspberry Pi images
Raspberry Pi has announced rpi-image-gen, a tool to create custom software images for its devices.
An Asahi Linux 6.14 progress report
The Asahi Linux project, working to support Linux on Apple hardware, has published a progress report to coincide with the 6.14 kernel release.
Security updates for Friday
Security updates have been issued by Debian (chromium), Fedora (fluent-bit, openssh, php, and webkitgtk), Mageia (freerdp), Oracle (libreoffice and webkit2gtk3), Red Hat (kernel-rt), Slackware (libarchive), SUSE (apptainer, gitea-tea, libxml2, tomcat, webkit2gtk3, and wpa_supplicant), and Ubuntu (libxslt and pam-pkcs11).
[$] MM medley: huge page allocation, page promotion, KSM, and BPF
As the 2025 Linux Storage, Filesystem, Memory-Management, and BPF Summit (LSFMM+BPF) approaches, the density of memory-management patches on the mailing lists has increased. Included among those are patches aimed at improving the reliability and performance of huge-page allocation, implementing page promotion on tiered-memory systems, adding a different approach to deduplicating memory, and replacing the BPF memory allocator. Read on for an overview of each.
Security updates for Thursday
Security updates have been issued by Debian (php7.4, python-django, and python3.9), Fedora (bluez, iwd, libell, and radare2), Mageia (chromium-browser-stable, mosquitto, tomcat, tomcat packages, and vim), Oracle (firefox, grub2, python3, thunderbird, and webkit2gtk3), Red Hat (fence-agents, php:7.4, and python-jinja2), SUSE (assimp-devel, crane, ffmpeg-4, freetype2, helm, kernel, kured, python-Django, python-Jinja2, python311-Django4, and tomcat), and Ubuntu (alpine, djoser, libxslt, postgresql-9.5, and valkey).
[$] LWN.net Weekly Edition for March 20, 2025
Inside this week's LWN.net Weekly Edition:
GNOME 48 released
GNOME 48 ("Bengaluru") has been released. As usual, this release includes a number of new features and enhancements including support for shortcuts in the Orca screen reader on Wayland, new fonts, addition of image editing to Image Viewer, and more.
[$] Better CPU vulnerability mitigation configuration
Modern CPUs all have multiple hardware vulnerabilities that the kernel needs to mitigate; the 6.13 kernel has workarounds for 14 security-sensitive CPU bugs just on x86_64. Several of those have multiple variants, or multiple mitigations that apply on different microarchitectures. There are different kernel command-line options for each of these mitigations, which leads to a confusing situation for users trying to figure out how to configure their systems. David Kaplan recently posted a patch set that adds a single, unified command-line option for controlling mitigations and simplifies the logic for detecting, configuring, and applying them as well. If it is merged, the patch set could make it much easier for users to navigate the complicated web of CPU vulnerabilities and their mitigations.
PeerTube 7.1 released
Version 7.1 of PeerTube, a tool for sharing videos online, has been released. Notable features in this release include improved support for the Podcast 2.0 standard, better playback stability, and a new view protocol enabled by default to allow PeerTube to handle more simultaneous viewers. See the release notes for more details.
[$] A look at /e/OS on tablet hardware
/e/OS is a privacy-centric, open-source mobile operating system that has primarily been targeted at mobile phones, with only a few community-supported images available for tablet devices. In December, Murena, a company that sells devices with /e/OS preinstalled, announced that /e/OS now officially supports tablets as well, starting with the Pixel tablet. The user experience is close enough to mainstream alternatives to make it attractive, but there are some under-the-hood problems that may give users pause.
Supply Chain Attacks on Linux distributions (Fenrisk)
A security company called Fenrisk has posted an overview of a pair of claimed successful supply-chain attacks on the Fedora and openSUSE distributions.
Security updates for Wednesday
Security updates have been issued by Debian (tzdata), Fedora (expat and tigervnc), Red Hat (kernel, kernel-rt, thunderbird, and webkit2gtk3), SUSE (dcmtk), and Ubuntu (restrictedpython and uriparser).
[$] Oxidizing Ubuntu: adopting Rust utilities by default
If all goes according to plan, the Ubuntu project will soon be replacing many of the traditional GNU utilities with implementations written in Rust, such as those created by the uutils project, which we covered in February. Wholesale replacement of core utilities at the heart of a Linux distribution is no small matter, which is why Canonical's VP of engineering, Jon Seager, has released oxidizr. It is a command-line utility that helps users easily enable or disable the Rust-based utilities to test their suitability. Seager is calling for help with testing and for users to provide feedback with their experiences ahead of a possible switch for Ubuntu 25.10, an interim release scheduled for October 2025. So far, responses from the Ubuntu community seem positive if slightly skeptical of such a major change.
Security updates for Tuesday
Security updates have been issued by Debian (freetype and rails), Fedora (mosquitto and python-django4.2), Mageia (libarchive, libreoffice, php, and quictls), Red Hat (webkit2gtk3), SUSE (erlang, nethack, python312, and wpa_supplicant), and Ubuntu (freetype and plantuml).
GIMP 3.0 released
The long-awaited GIMP 3.0 release is now available. Major changes in 3.0 include nondestructive editing for most commonly used filters, improved text creation, better colorspace management, and an update to GTK 3.
SystemRescue 12.00 released
Version 12.00 of the SystemRescue live Linux system has been released. SystemRescue is an Arch Linux-based bootable toolkit for repairing systems in the event of a crash. Notable changes in this release include an update to Linux 6.12.19, support for bcachefs, and a number of updated disk utilities. See the package list for a complete list of software included in this release.
[$] Looking forward to mapcount madness 2025
One of the many important tasks that the kernel's memory-management subsystem must handle is keeping track of how pages of memory are mapped into the address spaces of the processes running on the system. As long as mappings to a given page exist, that page must be kept in place. As it turns out, tracking these mappings is harder than it seems it should be, and the move to folios within the memory-management subsystem is adding some complexities of its own. As a follow-up to the "mapcount madness" session that he ran at the 2024 Linux Storage, Filesystem, Memory-Management, and BPF summit, David Hildenbrand has posted a patch series intended to improve the handling of mapping counts for folios - but exact accounting remains elusive in some situations.
Security updates for Monday
Security updates have been issued by Debian (opensaml and php8.2), Fedora (chromium, ctk, dcmtk, expat, ffmpeg, firefox, fscrypt, gdcm, InsightToolkit, kitty, libssh2, libxml2, linux-firmware, man2html, nextcloud, OpenImageIO, php, podman-tui, python-django, python-django5, python-gunicorn, python-jinja2, python-spotipy, python3.6, qt6-qtwebengine, thunderbird, tigervnc, vim, vyper, xen, xorg-x11-server, and xorg-x11-server-Xwayland), Mageia (freetype2, ghostscript, and man2html), Oracle (kernel and krb5), Red Hat (grub2, libreoffice, mysql:8.0, pcs, thunderbird, tigervnc, webkit2gtk3, and xorg-x11-server), Slackware (expat, freetype, and php), SUSE (amazon-ssm-agent, chromedriver, ed25519-java, google-cloud-sap-agent, google-guest-agent, govulncheck-vulndb, libexslt0, libzvbi-chains0, php8, restic, rubygem-rack, subversion, tomcat, and tomcat10), and Ubuntu (freetype, resteasy, and xorg-server, xorg-server-hwe-16.04, xorg-server-hwe-18.04).
Kernel prepatch 6.14-rc7
Linus has released the seventh (and probably last) prepatch for the 6.14 release. "Things continue to look quite calm, and I expect to release the final 6.14 next weekend unless something very surprising happens".
Git 2.49.0 released
Version 2.49.0 of the Git source-code management system has been released. This release comprises 460 non-merge commits since 2.48.0, with contributions from 89 people, including 24 new contributors. There is a long list of improvements and bug fixes; see the highlights blog from GitHub's Taylor Blau for some of the more interesting features.
[$] The burden of knowledge: dealing with open-source risks
Organizations relying on open-source software have a wide range of tools, scorecards, and methodologies to try to assess security, legal, and other risks inherent in their so-called supply chain. However, Max Mehl argued recently in a short talk at FOSS Backstage in Berlin (and online) that all of this objective information and data is insufficient to truly understand and address risk. Worse, this information doesn't provide options to improve the situation and encourages a passive mindset. Mehl, who works as part of the CTO group at DB Systel, encouraged better risk assessment using qualitative data and direct participation in open source.
Security updates for Friday
Security updates have been issued by Fedora (iniparser, thunderbird, trafficserver, and xorg-x11-server), Mageia (opensc), Oracle (.NET 8.0, .NET 9.0, gcc, kernel, and libxml2), Red Hat (firefox, grub2, and krb5), Slackware (libxslt), SUSE (amazon-ssm-agent, bsdtar, build, ffmpeg-4, forgejo-runner, kernel, python, python3, python313, rubygem-rack-1_6, and tailscale), and Ubuntu (linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15).
Choi: announcing Casual Make
Charles Choi has announced the release of Casual Make: a menu-driven interface, implemented as part of the Casual suite of tools, for Makefile Mode in GNU Emacs.
[$] Warming up to frozen pages for networking
When the 6.14 kernel is released later this month, it will include the usual set of internal changes that users should never notice, with the possible exception of changes that bring performance improvements. One of those changes is frozen pages, a memory-management optimization that should fly mostly under the radar. When Hannes Reinecke reported a crash in 6.14, though, frozen pages suddenly came into view. There is a workaround for this problem, but it seems there is a fair amount of work to be done that nobody had counted on to solve the problem properly.
Seven new stable kernels
Greg Kroah-Hartman has announced the release of the 6.13.7, 6.12.19, 6.6.83, 6.1.131, 5.15.179, 5.10.235, and 5.4.291 stable kernels. They all contain a relatively large number of important fixes throughout the kernel tree.
Security updates for Thursday
Security updates have been issued by Debian (chromium), Fedora (ffmpeg, qt6-qtwebengine, tigervnc, and xorg-x11-server-Xwayland), Red Hat (fence-agents and libxml2), SUSE (amazon-ssm-agent, ark, chromium, fake-gcs-server, gerbera, google-guest-agent, google-osconfig-agent, grafana, kernel, libtinyxml2-10, podman, python311, python312, restic, ruby3.4-rubygem-rack, and thunderbird), and Ubuntu (jinja2, linux-azure, linux-azure-4.15, linux-lts-xenial, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, netatalk, python3.5, python3.8, rar, unrar-nonfree, and xorg-server, xwayland).
[$] LWN.net Weekly Edition for March 13, 2025
Inside this week's LWN.net Weekly Edition:
[$] New terms of service for PyPI
On February 25, the Python Software Foundation (PSF), which runs the Python Package Index (PyPI), announced new terms of service (ToS) for the repository. That has led to some questions about the new ToS, and the process of coming up with them. For one thing, the previous terms of use for the service were shorter and simpler, but there are other concerns with specific wording in the new agreement.
Traversal-resistant file APIs (The Go Blog)
Damien Neil has written an article for the Go Blog about path traversal vulnerabilities and the os.Root API added in Go 1.24 to help prevent them.
[$] Zig's 0.14 release inches the project toward stability
The Zig project has announced the release of the 0.14 version of the language, including changes from more than 250 contributors. Zig is a low-level, memory-unsafe programming language that aims to compete with C instead of depending on it. Even though the language has not yet had a stable release, there are a number of projects using it as an alternative to C with better metaprogramming. While the project's release schedule has been a bit inconsistent, with the release of version 0.14 being delayed several times, the release contains a number of new convenience features, broader architecture support, and the next steps toward removing Zig's dependency on LLVM.
Below: local privilege escalation (SUSE security team blog)
The SUSE Security Team blog has a post with a detailed analysis of a vulnerability (CVE-2025-27591) in the below tool for recording and displaying system data.
The LLVM project stabilizes its Fortran compiler
The LLVM project's Fortran compiler, which has for many years gone by the name "flang-new", will now simply be "flang", starting from LLVM's 20.1.0 release on March 4. The announcement, which includes details about the history of flang, comes after a long period of development and discussion. The community has considered renaming flang several times before now, but has always held off out of a feeling that the compiler was not yet ready. Now, the members of the project believe that flang has become stable and complete enough to earn its name.
GStreamer 1.26.0 released
Version 1.26.0 of the GStreamer cross-platform multimedia framework has been released. Notable changes in this release include support for the H.266 Versatile Video Coding (VVC) codec, Low Complexity Enhancement Video Coding (LCEVC) support, closed caption improvements, and JPEG XS image codec support.
Security updates for Wednesday
Security updates have been issued by Debian (libmodbus), Fedora (thunderbird and vyper), Mageia (firefox, nss, python-django, python-jinja2, and thunderbird, thunderbird-l10n), Oracle (bind, kernel, rsync, and tigervnc), Red Hat (.NET 8.0, .NET 9.0, and libxml2), SUSE (iniparser and kernel), and Ubuntu (dotnet8, dotnet9, freerdp2, jinja2, libreoffice, linux, linux-hwe, linux-aws, linux-aws-hwe, linux-gcp, linux-gcp-4.15, linux-kvm, linux-oracle, linux-kvm, and opensc).
[$] The road to mainstream Matrix
Matrix provides an open network for secure, decentralized communication. It has enjoyed some success over the last few years as an IRC replacement and real-time chat for a number of open-source projects. But adoption by a subset of open-source developers is a far cry from the mainstream adoption that Matthew Hodgson, Matrix project lead and CEO of Element (the company that created Matrix), would like to see. At FOSDEM 2025, he discussed the history of Matrix, its missteps in chasing mainstream adoption, its current status, as well as some of the wishlist features for taking Matrix into the mainstream.
Framework Mono 6.14.0 released
Version 6.14.0 of Framework Mono has been announced.
Security updates for Tuesday
Security updates have been issued by Debian (libaws, ruby2.7, and squid), Fedora (bigloo, emacs, neovim, python-jinja2, rizin, and tree-sitter), Oracle (kernel), Red Hat (grub2, kernel, kernel-rt, and libxml2), SUSE (iniparser, kernel, krb5, libxkbfile, and u-boot), and Ubuntu (gnuchess, openjdk-17-crac, openjdk-21-crac, and openvpn).
Python tail-call speedup based on LLVM regression
The Python project's recent switch to a tail-calling interpreter may not provide as large a speed advantage as initially thought. A blog post from Nelson Elhage gives the details. In short, switching to a tail-call-based interpreter accidentally works around an unfixed regression in LLVM 19. On other compilers, the performance benefit (while still present) is more moderate.
[$] Capability analysis for the kernel
One of the advantages of the Rust type system is its ability to encapsulate requirements about the state of the program in the type system; often, this state includes which locks must be held to be able to carry out specific operations. C lacks the ability to express these requirements, but there would be obvious benefits if that kind of feature could be grafted onto the language. The Clang compiler has made some strides in that direction with its thread-safety analysis feature; two developers have been independently working to take advantage of that work for the kernel.
Security updates for Monday
Security updates have been issued by Debian (openvpn and thunderbird), Fedora (buildah, chromium, podman-tui, python-spotipy, qt6-qtwebengine, and vim), Mageia (chromium-browser-stable and gpac), Oracle (krb5), Red Hat (firefox, kernel, kernel-rt, libxml2, and pcs), SUSE (buildah, chromedriver, chromium, firefox, go1.23, go1.24, grype, python, python311-GitPython, ruby3.4-rubygem-rack, thunderbird, and xen), and Ubuntu (xorg-server, xorg-server-hwe-16.04, xorg-server-hwe-18.04).
Kernel prepatch 6.14-rc6
Linus has released 6.14-rc6 for testing. "This release remains on track, nothing special to report".
Stable kernel 6.6.82
The 6.6.82 stable kernel has been released. "All i386 users of the 6.6 kernel series must upgrade (as they skipped the last release.) All other arches can skip this one as it should not affect them."
Four more stable kernel updates
Greg Kroah-Hartman has announced the release of four more stable kernels: 6.13.6, 6.12.18, 6.6.81, and 6.1.130. Unlike a normal release, Kroah-Hartman did not call for all users to update their kernels. Specifically, the 6.6.81 kernel is currently broken on i386 systems, and users should wait for 6.6.82.
Ubuntu 25.04 (Plucky Puffin) progress
Matthieu Clemenceau has published a status update from the Foundations Team on Ubuntu 25.04 (Plucky Puffin) development to the Ubuntu Discourse forum. This includes updates on Ubuntu's adoption of Dracut as an alternative to initramfs-tools, a move to a single ISO for arm64 devices rather than device-specific images, and reverting the planned O3 optimization flags for Plucky Puffin.
[$] Hash-based module integrity checking
On January 20, Thomas Weischuh shared a new patch set implementing an alternate method for checking the integrity of loadable kernel modules. This mechanism, which checks module integrity based on hashes computed at build time instead of using cryptographic signatures, could enable reproducible kernel builds in more contexts. Several distributions have already expressed interest in the patch set if Weischuh can get it into the kernel.
Security updates for Friday
Security updates have been issued by Debian (chromium), Fedora (firefox and man2html), Mageia (erlang, ffmpeg, and vim), Oracle (doxygen, firefox, python-jinja2, squid, and webkit2gtk3), Red Hat (nodejs:18), SUSE (emacs, go1.23, go1.24, and pcp), and Ubuntu (ansible, firefox, linux-azure, linux-nvidia, and python-django).