LWN.net

Security updates have been issued by AlmaLinux (gstreamer1-plugins-bad-free and kernel), Arch Linux (bind and varnish), Debian (glibc and syslog-ng), Fedora (microcode_ctl, mozilla-ublock-origin, nodejs20, and nodejs22), Mageia (firefox, nss, rootcerts, open-vm-tools, sqlite3, and thunderbird), Oracle (gstreamer1-plugins-bad-free, kernel, libsoup, nodejs:22, php, php:8.2, php:8.3, python-tornado, redis, and redis:7), Red Hat (libsoup, pcs, and python-tornado), Slackware (mozilla), SUSE (bind, dnsdist, elemental-operator, govulncheck-vulndb, gstreamer-plugins-bad, jetty-annotations, jq, libnss_slurm2, libyelp0, mariadb, nvidia-open-driver-G06-signed, prometheus-blackbox_exporter, python-h11, python-httpcore, python-setuptools, python312, python39-setuptools, screen, sqlite3, umoci, and webkit2gtk3), and Ubuntu (cifs-utils, glibc, linux-aws, linux-intel-iotg-5.15, linux-nvidia-tegra-igx, linux-raspi, linux-aws-fips, linux-hwe-6.8, linux-lowlatency, linux-lowlatency-hwe-6.11, linux-oracle, linux-raspi, linux-raspi-5.4, and net-tools).

Version10 of the AlmaLinux OS distribution has been released.

Srinivas Narayana led a remote session about extendingAgni to prove the correctness ofthe BPF verifier's handling of different execution paths as part of the Linux Storage,Filesystem, Memory Management, and BPF Summit. The problem of ensuring thecorrectness of path explorationis much more difficult than the problem ofensuring the correctness of arithmetic operations(which wasthe subject of the previous session), however. Narayana's plan totackle the problem makes use of a mixture of specialized techniques - and mayneed some assistance from the BPF developers to make it feasible at all.

Cory Doctorow wears many hats:digital activist, science-fiction author, journalist, and more. He hasalso written many books, both fiction and non-fiction, runs the Pluralistic blog, is a visitingprofessor, and is an advisor to the ElectronicFrontier Foundation (EFF); his Chokepoint Capitalismco-author, Rebecca Giblin, gave a 2023 keynotein Australia that we covered. Doctorow gave a rousing keynote onthe state of the "enshitternet"-today's internet-to kickoff the recently held PyCon US2025 in Pittsburgh, Pennsylvania.

Version25.05 of the NixOS distribution has been released. Changes includesupport for the COSMIC desktop environment (reviewed here in August), GNOME48, a6.12 kernel, and many new modules; see therelease notes for details. (Thanks to Pavel Roskin).

Security updates have been issued by AlmaLinux (gstreamer1-plugins-bad-free, libsoup, and python-tornado), Debian (libavif and pgbouncer), Red Hat (gstreamer1-plugins-bad-free, mingw-freetype and spice-client-win, and webkit2gtk3), SUSE (firefox, govulncheck-vulndb, and python310-setuptools), and Ubuntu (flask, intel-microcode, openjdk-17-crac, tika, and Tomcat).

The 6.14 kernel development cycle only brought in 11,003 non-mergechangesets, making it the slowest cycle since 4.0, which was released in2015. The 6.15 kernel, instead, brought in 14,612 changesets, making itthe busiest release since 6.7, released at the beginning of 2024. Thekernel development process, in other words, is back up to full speed. The6.15release happened on May25, so the time has come for theobligatory look at where the changes in this release came from.

Security updates have been issued by AlmaLinux (389-ds-base, ghostscript, grafana, kernel, and osbuild-composer), Debian (intel-microcode, kernel, libphp-adodb, and openssl), Fedora (dotnet8.0, ghostscript, iputils, nbdkit, open-vm-tools, thunderbird, and vyper), Mageia (chromium-browser-stable, glibc, iputils, microcode, nodejs, and zsync), Oracle (.NET 8.0, .NET 9.0, 389-ds-base, avahi, buildah, compat-openssl11, expat, firefox, ghostscript, gimp, git, grafana, gvisor-tap-vsock, libsoup, libxslt, mod_auth_openidc, nginx, nodejs:20, osbuild-composer, podman, skopeo, thunderbird, vim, webkit2gtk3, xdg-utils, xterm, and yelp), Red Hat (kernel, kernel-rt, libsoup, libsoup3, python-tornado, and ruby), Slackware (ffmpeg), SUSE (audiofile, firefox, glibc, govulncheck-vulndb, grafana, kernel, kind, kubo, libecpg6, postgresql13, postgresql14, python-Django, python-setuptools, python-tornado6, python311-Flask, python311-tornado6, python313, python36-setuptools, thunderbird, transfig, and xen), and Ubuntu (glib2.0, linux-bluefield, linux-ibm, linux-raspi, and openjdk-21-crac).

Linus has released the 6.15 kernel, asexpected.

The seventh edition of the Power Management and Schedulingin the Linux Kernel Summit (known as "OSPM") took place on March 18-20,2025. Topics discussed on the second day include improvements to devicesuspend and resume, the status and future of sched_ext, the scx_lavdscheduler, improving the efficiency of load balancing, and hierarchicalconstant bandwidth server scheduling.

The BPF verifier is an increasingly complex and security-critical piece of code.When the kinds of people who are apt to work on BPF see a situation like that,they naturally question whether it's possible to use formal verification toensure that the implementation of the code in question is correct. SantoshNagarakatte led the first of two extra-long sessions in the BPF trackof the 2025 Linux Storage, Filesystem, Memory Management, and BPF Summitabout his team's work formally verifying the BPF verifier with acustom tool calledAgni.

Security updates have been issued by Fedora (dotnet9.0, dropbear, ghostscript, nbdkit, openssh, python-watchfiles, rpm-ostree, yelp, yelp-xsl, and zsync), Oracle (firefox and kernel), Red Hat (osbuild-composer), Slackware (aaa_glibc and mozilla), SUSE (chromedriver, open-vm-tools, postgresql14, python-cryptography, and thunderbird), and Ubuntu (linux-aws, linux-hwe-5.4, python, and sqlite3).

Mozilla has announcedthat it is shutting down Pocket, a bookmarking service acquired by Mozillain 2017, this coming July. "Pocket has helped millions save articlesand discover stories worth reading. But the way people use the web hasevolved, so we're channeling our resources into projects that better matchtheir browsing habits and online needs."

Our recent article on Home Assistantobserved that the project emphasizes installations using its own Linuxdistribution or within containers. The project has now made that emphasisrather stronger with thisannouncement of the deprecation of the "core" and "supervised"installation modes, which allowed Home Assistant to be installed as anordinary application on a Linux system.

The Fedora Council has ruled on the Fedora Engineering SteeringCouncil's (FESCo) decision last year to revoke Peter Robinson'sprovenpackager status. In a statementpublished to the fedora-devel-announce mailing list, the council hasannounced that it has overturned FESCo's decision:

Testing filesystems is a frequent topic atthe Linux Storage, Filesystem,Memory Management, and BPF Summit (LSFMM+BPF); the 2025 edition was noexception. Boris Burkov led a filesystem-track session to discussstress-testing filesystems-and running those tests for lengthy periods. Hereviewed what he has been doing when testing filesystems and wanted togather ideas for what could be done to catch more bugs before thefilesystems hit production.

Greg Kroah-Hartman has announced the release of the 6.14.8, 6.12.30, 6.6.92, 6.1.140, and 5.15.184 stable kernels. As usual, eachcontains a long list of important fixes throughout the kernel tree.

Security updates have been issued by AlmaLinux (kernel, kernel-rt, and webkit2gtk3), Fedora (mozilla-ublock-origin and sudo-rs), Oracle (.NET 8.0, compat-openssl10, grafana, osbuild-composer, redis:6, ruby:2.5, and webkit2gtk3), SUSE (dante, firefox-esr, gnuplot, govulncheck-vulndb, grype, postgresql13, postgresql14, postgresql15, postgresql16, postgresql17, python-tornado6, python314, thunderbird, ucode-intel, and xen), and Ubuntu (bind9, libfcgi-perl, linux-ibm-5.4, linux-oracle-5.4, postgresql-17, and Tomcat).

Inside this week's LWN.net Weekly Edition:

Shawn Webb has published a statusreport on work to provide basic support in FreeBSD for userland componentswritten in Rust.

In late March, version 78.0.1 of Setuptools - an importantPython packaging tool - was released. It was scarcely half an hour beforethe first bugreport came in, and it quickly became clear that the change was farmore disruptive than anticipated. Within only about five hours 78.0.2 waspublished to roll back the change, and multiple discussions werestarted about how to limit the damage caused by future breakingchanges. Nevertheless, many users still felt the response wasinadequate. Some previous Setuptools releases have also caused problems on a smaller but still notable scale, and hopefully the developers will be more cautious going forward. But there are also lessons here for the developers of Python package installers, ordinary Python developers and end users, and even Linux distribution maintainers.

Security updates have been issued by AlmaLinux (.NET 8.0, avahi, buildah, compat-openssl10, compat-openssl11, expat, firefox, gimp, git, grafana, libsoup, libxslt, mod_auth_openidc, nginx, nodejs:22, osbuild-composer, php, redis, redis:7, skopeo, thunderbird, vim, webkit2gtk3, xterm, and yelp), Arch Linux (dropbear, freetype2, go, nodejs, nodejs-lts-iron, nodejs-lts-jod, python-django, webkit2gtk, webkit2gtk-4.1, webkitgtk-6.0, and wpewebkit), Debian (mongo-c-driver), Fedora (openssh, perl-Mojolicious, thunderbird, yelp, and yelp-xsl), Red Hat (firefox, java-1.8.0-openjdk, java-11-openjdk with Extended Lifecycle Support, java-21-ibm-semeru-certified-jdk, java-21-openjdk, kernel, libxslt, ruby, ruby:3.1, ruby:3.3, unbound, and webkit2gtk3), SUSE (glib2, grub2, kernel, libwebp, openssh, and s390-tools), and Ubuntu (linux, linux-azure, linux-azure-6.11, linux-gcp, linux-gcp-6.11, linux-hwe-6.11, linux-oem-6.11, linux-raspi, linux-realtime, linux-azure, linux-azure-5.15, linux-nvidia-tegra, linux-azure, linux-azure-6.8, linux-oem-6.8, linux-azure, linux-kvm, linux-azure-fips, linux-azure-nvidia, linux-gcp, linux-gcp-6.8, linux-gkeop, linux-gke, linux-intel-iot-realtime, linux-realtime, linux-raspi-realtime, mariadb-10.6, and postgresql-12, postgresql-14, postgresql-16).

Ihor Solodrai has been working on the BPF subsystem's continuous-integration(CI) testing for the last six months. At the 2025 Linux Storage, Filesystem,Memory-Management, and BPF Summit, he remotely sharedan update on his work, and solicited feedback on how the tests could be furtherimproved. Much of the work he's done has been specific to the BPF subsystem, butsome is more generic and could potentially be of use to other subsystems. Healso shared some general lessons learned from working on the BPF CI tests.

Despite careful planning and months of warning, Debian developer MoZhou has acknowledged that the project needs more time to grapple withthe questions around AI models and the Debian Free Software Guidelines(DFSG). For now, he has withdrawn his proposed General Resolution (GR)that would have required the original training data for AI models tobe released in order to be considered DFSG-compliant-though thedebates on the topic continue.

Red Hat has announcedthe release of Red Hat Enterprise Linux (RHEL) 10. A blog postaccompanying the release provides details on some of the more notablefeatures, such as encrypted DNS, a developer preview of RHEL10for RISC-V,and imagemode for RHEL using bootc.

Security updates have been issued by Debian (firefox-esr, openjdk-11, openjdk-17, and wireless-regdb), Fedora (iputils, open-vm-tools, sfnt2woff-zopfli, and woff), Red Hat (postgresql:12), SUSE (apache2-mod_auth_openidc, brltty, helm, python-maturin, and rubygem-rack), and Ubuntu (linux-azure-fips).

Roland Shoemaker has published a blog post about arecent security audit of the cryptography packages shipped as part ofthe Go standard library. The audit, performed by the Trail of Bits security firm,uncovered one low-severity vulnerability in the legacy Go+BoringCryptointegration, as well as a handful of informational findings.

The seventh edition of the Power Management and Schedulingin the Linux Kernel (known as "OSPM") Summit took place on March 18-20,2025. It was organized by Juri Lelli, Frauke Jager, Tommaso Cucinotta, andLorenzo Pieralisi, and was hosted by Linutronix at Alte Fabrik,Uhldingen-Muhlhofen, Germany. The event was sponsored by Linutronix, Arm,and the Scuola Superiore Sant'Anna in Pisa.

Security updates have been issued by Debian (dropbear, firefox-esr, intel-microcode, net-tools, openafs, thunderbird, and xrdp), Fedora (chromium, micropython, syslog-ng, webkitgtk, and xen), Mageia (dropbear and openssh), Oracle (.NET 9.0, kernel, libjpeg-turbo, and yelp and yelp-xsl), Red Hat (compat-openssl11, git-lfs, grafana, kernel, and osbuild and osbuild-composer), Slackware (mozilla), SUSE (cargo-c, gimp, iputils-20240905, kernel, libraw, microcode_ctl, openssh, pnpm, python311-cramjam, python311-httptools, python311-jwcrypto, python311-loguru, python311-mechanize, python311-nltk, python311-oauthlib, python311-py7zr, python311-pycapnp, python311-pyspnego, python311-pywayland, python311-suds, python311-treq, python311-ujson, python311-waitress, ruby3.4-rubygem-actionmailer, ruby3.4-rubygem-actiontext, ruby3.4-rubygem-activerecord, ruby3.4-rubygem-activestorage, ruby3.4-rubygem-fluentd, ruby3.4-rubygem-globalid, ruby3.4-rubygem-jquery-rails, ruby3.4-rubygem-kramdown, ruby3.4-rubygem-loofah, ruby3.4-rubygem-multi_xml, ruby3.4-rubygem-puma, ruby3.4-rubygem-rails, ruby3.4-rubygem-rails-html-sanitizer, ruby3.4-rubygem-sprockets, ruby3.4-rubygem-web-console, ruby3.4-rubygem-websocket-extensions, ucode-intel-20250512, and valkey), and Ubuntu (dotnet8, dotnet9, linux, linux-aws, linux-aws-6.8, linux-ibm, linux-lowlatency, linux-lowlatency-hwe-6.8, linux-oracle, linux, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-oracle, linux, linux-gkeop, linux-ibm, linux-ibm-5.15, linux-intel-iotg, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-oracle, linux-oracle-5.15, linux-fips, linux-gcp, linux-gcp-5.15, linux-gcp-fips, linux-gke, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, linux-realtime, and linux-xilinx-zynqmp).

The 6.15-rc7 kernel prepatch is out fortesting. "So while I wish we hadn't had some of the excitement of lastweek, on the whole it all still looks pretty solid, and unless somethingstrange happens I'll do the final 6.15 release next weekend."

The6.14.7,6.12.29,6.6.91,6.1.139, and5.15.183stable kernel updates have been released; each contains another set ofimportant fixes.

The first article in this series providedan overview of Home Assistant,its community, and its capabilities. It was deliberately short ondescriptions of interesting things that can be done with Home Assistant,though - the reasons why one might actually want to use this program. Inthis closing article, we'll look at how Home Assistant was used to solvesome real problems.

The Asahi Linuxproject, which supports Linux on Apple Silicon Macs, has published aprogress report ahead of the 6.15 kernel's release.

Security updates have been issued by AlmaLinux (.NET 8.0, .NET 9.0, kernel, kernel-rt, redis:6, and yelp and yelp-xsl), Debian (chromium), Red Hat (compat-openssl11, kernel, and thunderbird), and SUSE (nbdkit, open-vm-tools, and rustup).

The Electronic Frontier Foundation has posted a somewhat belated memorialfor John Young, the founder of Cryptome.

To commemorate the tenth anniversary of the 1.0 releaseof the Rust language,version1.87.0 was announced live today at the 10 Years of Rustcelebration in Utrecht, Netherlands. Notable changesinclude the addition of anonymous pipes to the standard library andthe ability for inline assembly (asm!) to jump to labeledblocks within Rust code.

Leon Romanovsky began his session at the 2025 Linux Storage, Filesystem,Memory Management, and BPF Summit (LSFMM+BPF) by explaining that the improved DMA-mapping API that he has beenworking on is a group effort. He, Chaitanya Kulkarni, Christoph Hellwig,Jason Gunthorpe, and others are proposing to modernize the API and to"make it more suitable for current kernels". He told the assembledstorage and filesystem developers that the progress on the proposal hasstalled, but that it was the basis for further work in various areas, so hehoped to find a way to move forward with it.

The Tor project has announcedthe oniux utility which provides Tor network isolation, using Linuxnamespaces, for third-party applications.

Security updates have been issued by Debian (open-vm-tools), Fedora (dnsdist), Gentoo (Node.js and Tracker miners), Red Hat (kernel and xdg-utils), SUSE (audiofile, go1.22-openssl, go1.24, grub2, kernel-devel, openssl-1_1, openssl-3, and python311-Django), and Ubuntu (ruby-rack).

Inside this week's LWN.net Weekly Edition:

At the Linux ApplicationSummit (LAS) in April, Sebastian Wick said that, by many metrics, Flatpak is doing great. The Flatpakapplication-packaging format is popular with upstream developers, andwith many users. More and more applications are being published in theFlathub application store, and theformat is even being adopted by Linux distributions likeFedora. However, he worried that work on the Flatpak project itselfhad stagnated, and that there were too few developers able to reviewand merge code beyond basic maintenance.

Version5.5.0 of the Podman container-management tool has beenreleased. Notable features include the addition of a podmanmachinecp command to copy files into a running PodmanVM, a podmanartifactextract command to copycontents of an OCIartifact to disk, and a --mount=artifact option to mountOCI artifacts into containers. See the release announcement for a fulllist of improvements and bug fixes.

Fromservers in a data center to desktop computers, many devicescommunicating on a network will eventually have to filter networktraffic, whether it's for security or performance reasons. As a result,this is a domain where a lot of work is put into improving performance:a tiny performance improvement can have considerable gains.Bpfilter is aproject that allows for packet filtering to easily be done with BPF, which canbe faster than other mechanisms.

Security updates have been issued by AlmaLinux (emacs, firefox, gnutls, java-17-openjdk, java-21-openjdk, osbuild-composer, python39:3.9, and thunderbird), Arch Linux (screen), Debian (varnish), Fedora (chromium), Gentoo (Atop, FreeType, and Spidermonkey), Mageia (java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-latest-openjdk and postgresql15, postgresql13), Oracle (389-ds-base, emacs, firefox, kernel, libsoup, libtiff, mod_auth_openidc:2.3, nodejs:20, nodejs:22, osbuild-composer, python39:3.9, qemu-kvm, ruby, ruby:3.1, ruby:3.3, and thunderbird), Red Hat (.NET 8.0, .NET 9.0, avahi, buildah, corosync, delve and golang, exiv2, expat, firefox, ghostscript, gimp, git, grafana, gvisor-tap-vsock, java-21-openjdk, kernel, kernel-rt, libarchive, libjpeg-turbo, libsoup, libsoup3, libxslt, mod_auth_openidc, nginx, nginx:1.22, nginx:1.24, nodejs22, nodejs:20, nodejs:22, opentelemetry-collector, osbuild-composer, perl, php, php:8.2, php:8.3, podman, python-jinja2, redis, redis:7, rhc, ruby:2.5, skopeo, sqlite, thunderbird, tomcat, tomcat9, valkey, vim, xorg-x11-server-Xwayland, xterm, xz, yelp, and yggdrasil), Slackware (screen), SUSE (apparmor, dirmngr, gimp, golang-github-prometheus-node_exporter, java-11-openj9, java-17-openj9, java-21-openj9, libxmp-devel, python311-Django4, rabbitmq-server313, rke2, and transfig), and Ubuntu (abseil and open-vm-tools).

BPF arenas are areas of memory where the verifier can safely relax its checking ofpointers, allowing programmers to write arbitrary data structures in BPF. EmilTsalapatis reported on how his team has used arenas in writingsched_ext schedulers at the 2025 Linux Storage, Filesystem,Memory-Management, and BPF Summit. His biggest complaint was about the fact thatkernel pointers can't be stored in BPF arenas - something that the BPFdevelopers hope to address, although there are some implementation problems thatmust be sorted out first.

Nextcloud provides anopen-source collaboration platform called Nextcloud Hub, which includes file-sharing and syncingfeatures. The company has writtena blog post explaining that Google has revoked a critical permissionfrom the Nextcloud Files app for Android that allows it to sync filesto Nextcloud Hub.

Security updates have been issued by Debian (libeconf and rubygems), Fedora (libxmp), Gentoo (glibc), Oracle (java-1.8.0-openjdk, kernel, libxslt, and virtuoso-opensource), SUSE (augeas, git-lfs, kanidm, and tomcat10), and Ubuntu (linux-lts-xenial).

The SUSE Security Team has publishedan article detailing several securityissues it has uncovered with GNU Screen. This includesa local root exploit when Screen is shipped setuid-root, as it is insome Linux and BSD distributions. The security team also reports problemsin coordinating disclosure with the upstream Screen project.

The Guix project has announcedthat it is migrating all of its Git repositories, as well as bugtracking and patch tracking, from Savannah to the Codeberg Git forge.

The announcementof the openSUSE Leap 16.0 beta contained something of asurprise-along with the usual set of changes and updates, itinformed the community of the retirement of "the traditional YaSTstack" from Leap. The YaST ("Yet another Setup Tool")installation and configuration utility has been a core part of theopenSUSE distribution since its inceptionin 2005, and part of SUSE Linux since 1996. It will not, immediately,be removed from the openSUSETumbleweed rolling-releasedistribution, but its future is uncertain and its fate is up to the largercommunity to decide.