Feed lwn LWN.net


Link https://lwn.net/
Feed http://lwn.net/headlines/rss
Updated 2025-07-11 07:45
[$] The burden of knowledge: dealing with open-source risks
Organizations relying on open-source software have a wide range of tools, scorecards, and methodologies to try to assess security, legal, and other risks inherent in their so-called supply chain. However, Max Mehl argued recently in a short talk at FOSS Backstage in Berlin (and online) that all of this objective information and data is insufficient to truly understand and address risk. Worse, this information doesn't provide options to improve the situation and encourages a passive mindset. Mehl, who works as part of the CTO group at DB Systel, encouraged better risk assessment using qualitative data and direct participation in open source.
Security updates for Friday
Security updates have been issued by Fedora (iniparser, thunderbird, trafficserver, and xorg-x11-server), Mageia (opensc), Oracle (.NET 8.0, .NET 9.0, gcc, kernel, and libxml2), Red Hat (firefox, grub2, and krb5), Slackware (libxslt), SUSE (amazon-ssm-agent, bsdtar, build, ffmpeg-4, forgejo-runner, kernel, python, python3, python313, rubygem-rack-1_6, and tailscale), and Ubuntu (linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15).
Choi: announcing Casual Make
Charles Choi has announced the release of Casual Make: a menu-driven interface, implemented as part of the Casual suite of tools, for Makefile Mode in GNU Emacs.
[$] Warming up to frozen pages for networking
When the 6.14 kernel is released later this month, it will include the usual set of internal changes that users should never notice, with the possible exception of changes that bring performance improvements. One of those changes is frozen pages, a memory-management optimization that should fly mostly under the radar. When Hannes Reinecke reported a crash in 6.14, though, frozen pages suddenly came into view. There is a workaround for this problem, but it seems there is a fair amount of work to be done that nobody had counted on to solve the problem properly.
Seven new stable kernels
Greg Kroah-Hartman has announced the release of the 6.13.7, 6.12.19, 6.6.83, 6.1.131, 5.15.179, 5.10.235, and 5.4.291 stable kernels. They all contain a relatively large number of important fixes throughout the kernel tree.
Security updates for Thursday
Security updates have been issued by Debian (chromium), Fedora (ffmpeg, qt6-qtwebengine, tigervnc, and xorg-x11-server-Xwayland), Red Hat (fence-agents and libxml2), SUSE (amazon-ssm-agent, ark, chromium, fake-gcs-server, gerbera, google-guest-agent, google-osconfig-agent, grafana, kernel, libtinyxml2-10, podman, python311, python312, restic, ruby3.4-rubygem-rack, and thunderbird), and Ubuntu (jinja2, linux-azure, linux-azure-4.15, linux-lts-xenial, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, netatalk, python3.5, python3.8, rar, unrar-nonfree, and xorg-server, xwayland).
[$] LWN.net Weekly Edition for March 13, 2025
Inside this week's LWN.net Weekly Edition:
[$] New terms of service for PyPI
On February 25, the Python Software Foundation (PSF), which runs the Python Package Index (PyPI), announced new terms of service (ToS) for the repository. That has led to some questions about the new ToS, and the process of coming up with them. For one thing, the previous terms of use for the service were shorter and simpler, but there are other concerns with specific wording in the new agreement.
Traversal-resistant file APIs (The Go Blog)
Damien Neil has written an article for the Go Blog about path traversal vulnerabilities and the os.Root API added in Go 1.24 to help prevent them.
[$] Zig's 0.14 release inches the project toward stability
The Zig project has announced the release of the 0.14 version of the language, including changes from more than 250 contributors. Zig is a low-level, memory-unsafe programming language that aims to compete with C instead of depending on it. Even though the language has not yet had a stable release, there are a number of projects using it as an alternative to C with better metaprogramming. While the project's release schedule has been a bit inconsistent, with the release of version 0.14 being delayed several times, the release contains a number of new convenience features, broader architecture support, and the next steps toward removing Zig's dependency on LLVM.
Below: local privilege escalation (SUSE security team blog)
The SUSE Security Team blog has a post with a detailed analysis of a vulnerability (CVE-2025-27591) in the below tool for recording and displaying system data.
The LLVM project stabilizes its Fortran compiler
The LLVM project's Fortran compiler, which has for many years gone by the name "flang-new", will now simply be "flang", starting from LLVM's 20.1.0 release on March 4. The announcement, which includes details about the history of flang, comes after a long period of development and discussion. The community has considered renaming flang several times before now, but has always held off out of a feeling that the compiler was not yet ready. Now, the members of the project believe that flang has become stable and complete enough to earn its name.
GStreamer 1.26.0 released
Version 1.26.0 of the GStreamer cross-platform multimedia framework has been released. Notable changes in this release include support for the H.266 Versatile Video Coding (VVC) codec, Low Complexity Enhancement Video Coding (LCEVC) support, closed caption improvements, and JPEG XS image codec support.
Security updates for Wednesday
Security updates have been issued by Debian (libmodbus), Fedora (thunderbird and vyper), Mageia (firefox, nss, python-django, python-jinja2, and thunderbird, thunderbird-l10n), Oracle (bind, kernel, rsync, and tigervnc), Red Hat (.NET 8.0, .NET 9.0, and libxml2), SUSE (iniparser and kernel), and Ubuntu (dotnet8, dotnet9, freerdp2, jinja2, libreoffice, linux, linux-hwe, linux-aws, linux-aws-hwe, linux-gcp, linux-gcp-4.15, linux-kvm, linux-oracle, linux-kvm, and opensc).
[$] The road to mainstream Matrix
Matrix provides an open network for secure, decentralized communication. It has enjoyed some success over the last few years as an IRC replacement and real-time chat for a number of open-source projects. But adoption by a subset of open-source developers is a far cry from the mainstream adoption that Matthew Hodgson, Matrix project lead and CEO of Element (the company that created Matrix), would like to see. At FOSDEM 2025, he discussed the history of Matrix, its missteps in chasing mainstream adoption, its current status, as well as some of the wishlist features for taking Matrix into the mainstream.
Framework Mono 6.14.0 released
Version 6.14.0 of Framework Mono has been announced.
Security updates for Tuesday
Security updates have been issued by Debian (libaws, ruby2.7, and squid), Fedora (bigloo, emacs, neovim, python-jinja2, rizin, and tree-sitter), Oracle (kernel), Red Hat (grub2, kernel, kernel-rt, and libxml2), SUSE (iniparser, kernel, krb5, libxkbfile, and u-boot), and Ubuntu (gnuchess, openjdk-17-crac, openjdk-21-crac, and openvpn).
Python tail-call speedup based on LLVM regression
The Python project's recent switch to a tail-calling interpreter may not provide as large a speed advantage as initially thought. A blog post from Nelson Elhage gives the details. In short, switching to a tail-call-based interpreter accidentally works around an unfixed regression in LLVM 19. On other compilers, the performance benefit (while still present) is more moderate.
[$] Capability analysis for the kernel
One of the advantages of the Rust type system is its ability to encapsulate requirements about the state of the program in the type system; often, this state includes which locks must be held to be able to carry out specific operations. C lacks the ability to express these requirements, but there would be obvious benefits if that kind of feature could be grafted onto the language. The Clang compiler has made some strides in that direction with its thread-safety analysis feature; two developers have been independently working to take advantage of that work for the kernel.
Security updates for Monday
Security updates have been issued by Debian (openvpn and thunderbird), Fedora (buildah, chromium, podman-tui, python-spotipy, qt6-qtwebengine, and vim), Mageia (chromium-browser-stable and gpac), Oracle (krb5), Red Hat (firefox, kernel, kernel-rt, libxml2, and pcs), SUSE (buildah, chromedriver, chromium, firefox, go1.23, go1.24, grype, python, python311-GitPython, ruby3.4-rubygem-rack, thunderbird, and xen), and Ubuntu (xorg-server, xorg-server-hwe-16.04, xorg-server-hwe-18.04).
Kernel prepatch 6.14-rc6
Linus has released 6.14-rc6 for testing. "This release remains on track, nothing special to report".
Stable kernel 6.6.82
The 6.6.82 stable kernel has been released. "All i386 users of the 6.6 kernel series must upgrade (as they skipped the last release.) All other arches can skip this one as it should not affect them."
Four more stable kernel updates
Greg Kroah-Hartman has announced the release of four more stable kernels: 6.13.6, 6.12.18, 6.6.81, and 6.1.130. Unlike a normal release, Kroah-Hartman did not call for all users to update their kernels. Specifically, the 6.6.81 kernel is currently broken on i386 systems, and users should wait for 6.6.82.
Ubuntu 25.04 (Plucky Puffin) progress
Matthieu Clemenceau has published a status update from the Foundations Team on Ubuntu 25.04 (Plucky Puffin) development to the Ubuntu Discourse forum. This includes updates on Ubuntu's adoption of Dracut as an alternative to initramfs-tools, a move to a single ISO for arm64 devices rather than device-specific images, and reverting the planned O3 optimization flags for Plucky Puffin.
[$] Hash-based module integrity checking
On January 20, Thomas Weischuh shared a new patch set implementing an alternate method for checking the integrity of loadable kernel modules. This mechanism, which checks module integrity based on hashes computed at build time instead of using cryptographic signatures, could enable reproducible kernel builds in more contexts. Several distributions have already expressed interest in the patch set if Weischuh can get it into the kernel.
Security updates for Friday
Security updates have been issued by Debian (chromium), Fedora (firefox and man2html), Mageia (erlang, ffmpeg, and vim), Oracle (doxygen, firefox, python-jinja2, squid, and webkit2gtk3), Red Hat (nodejs:18), SUSE (emacs, go1.23, go1.24, and pcp), and Ubuntu (ansible, firefox, linux-azure, linux-nvidia, and python-django).
[$] Timer IDs, CRIU, and ABI challenges
The kernel project has usually been willing to make fundamental internal changes if they lead to a better kernel in the end. The project also, though, goes out of its way to avoid breaking interfaces that have been exposed to user space, even if programs come to rely on behavior that was never documented. Sometimes, those two principles come into conflict, leading to a situation where fixing problems within the kernel is either difficult or impossible. This sort of situation has been impeding performance improvements in the kernel's POSIX timers implementation for some time, but it appears that a solution has been found.
Security updates for Thursday
Security updates have been issued by Debian (firefox-esr), Fedora (firefox and vim), Red Hat (firefox), Slackware (mozilla), SUSE (firefox, firefox-esr, kernel, and podman), and Ubuntu (gpac, kernel, linux, linux-aws, linux-gcp, linux-gcp-5.15, linux-gke, linux-hwe-5.15, and redis).
[$] LWN.net Weekly Edition for March 6, 2025
Inside this week's LWN.net Weekly Edition:
Zen and the Art of Microcode Hacking (Google Bug Hunters)
The Google Bug Hunters blog has a detailed description of how a vulnerability in AMD's microcode-patching functionality was discovered and exploited; the authors have also released a set of tools to assist with this kind of research in the future.
FerretDB 2.0 released
Version 2.0.0 of FerretDB has been released. FerretDB is an open-source alternative to MongoDB, which switched to a non-open license in 2018, built on top of PostgreSQL. This release utilizes the DocumentDB PostgreSQL extension for better performance, and adds vector search and replication.
[$] Two new graph-based functional programming languages
Functional programming languages have a long association with graphs. In the 1990s, it was even thought that parallel graph-reduction architectures could make functional programming languages much faster than their imperative counterparts. Alas, that prediction mostly failed to materialize. Even though graphs are still used as a theoretical formalism in order to define and optimize functional languages (such as Haskell's spineless tagless graph-machine), they are still mostly compiled down to the same old non-parallel assembly code that every other language uses. Now, two projects - Bend and Vine - have sprung up attempting to change that, and prove that parallel graph reduction can be a useful technique for real programs.
Xen 4.20 released
The Xen Project has announced the release of Xen 4.20. This release adds support for AMD Zen5 CPUs, improved compliance with the MISRA C standard, work on PCI-passthrough on Arm, and more. Xen 4.20 also removes support for Xeon Phi CPUs, which were discontinued in 2018. See the feature list and release notes for more information.
Thunderbird Desktop 136.0 released
Version 136.0 of the Thunderbird Desktop mail client has been released. The release includes a quick toggle for adapting messages to dark mode, and a new "Appearance" setting to control message threading and sorting order globally, as well as a number of bug fixes. See the security advisory for a full list of security vulnerabilities addressed in Thunderbird 136.0.
Linux from Scratch version 12.3 released
Version 12.3 of Linux From Scratch (LFS) has been released, along with Beyond Linux From Scratch (BLFS) 12.3. LFS provides step-by-step instructions on building a customized Linux system entirely from source, and BLFS helps to extend an LFS installation into a more usable system. Notable changes in this release include toolchain updates to GNU Binutils 2.44, GNU C Library (glibc) 2.41, and Linux 6.13.2. The Changelog has a full list of changes since the previous stable release.
Security updates for Wednesday
Security updates have been issued by Debian (libreoffice), Fedora (exim and fscrypt), Red Hat (kernel), Slackware (mozilla), SUSE (docker, firefox, and podman), and Ubuntu (linux, linux-lowlatency, linux-lowlatency-hwe-5.15, linux, linux-lowlatency, linux-lowlatency-hwe-6.8, linux, linux-oem-6.11, linux-aws, linux-aws-6.8, linux-oracle, linux-oracle-6.8, linux-raspi, linux-aws, linux-gcp, linux-hwe-6.11, linux-oracle, linux-raspi, linux-realtime, linux-aws, linux-gkeop, linux-ibm, linux-intel-iotg, linux-intel-iotg-5.15, linux-oracle, linux-oracle-5.15, linux-raspi, and linux-gcp, linux-gcp-6.8, linux-gke, linux-gkeop).
[$] A look at Firefox forks
Mozilla's actions have been rubbing many Firefox fans the wrong way as of late, and inspiring them to look for alternatives. There are many choices for users who are looking for a browser that isn't part of the Chrome monoculture but is full-featured and suitable for day-to-day use. For those who are willing to stay in the Firefox "family" there are a number of good options that have taken vastly different approaches. This includes GNU IceCat, Floorp, LibreWolf, and Zen.
Firefox 136.0 released
Version 136.0 of the Firefox browser has been released. Changes include a new vertical tab layout, an automatic attempt to upgrade HTTP connections to HTTPS, support for AMD GPUs on Linux, an Arm64 port for Linux, and more.
Incus 6.10 released
Version 6.10 of the Incus container-management system has been released. New features include better Let's Encrypt support, API-wide filtering, IOMMU support in virtual machines, and more. See this announcement for details.
Security updates for Tuesday
Security updates have been issued by AlmaLinux (kernel), Mageia (x11-server), Red Hat (emacs and webkit2gtk3), SUSE (ffmpeg-7, govulncheck-vulndb, kernel, and skopeo), and Ubuntu (cmark-gfm, erlang, krb5, linux-gcp-6.8, linux-raspi, linux-kvm, lucene-solr, postgresql-12, postgresql-14, postgresql-16, raptor2, spip, tomcat7, and wpa).
Mozilla reverses course on its terms of use
Mozilla has issued an update to its terms of use (TOU) that were announced on February 26. It has removed a reference in the TOU to Mozilla's Acceptable Use Policy "because it seems to be causing more confusion than clarity", and has revised the TOU "to more clearly reflect the limited scope of how Mozilla interacts with user data". The new language says:
[$] Guard pages for file-backed memory
One of the many new features packed into the 6.13 kernel release was guard pages, a hardening mechanism that makes it possible to inject zero-access pages into a process's address space in an efficient way. That feature only supports anonymous (user-space data) pages, though. To make guard pages more widely useful, Lorenzo Stoakes has put together a patch set enabling the feature for file-backed pages as well; in the process, he examined and resolved a long list of potential problems that extending the feature could encounter. One potential problem was not on his list, though.
Security updates for Monday
Security updates have been issued by Debian (ffmpeg, kernel, linux-6.1, mariadb-10.5, proftpd-dfsg, and xorg-server), Fedora (chromium, cutter-re, iniparser, nodejs22, rizin, webkitgtk, wireshark, xen, and xorg-x11-server), Mageia (binutils and ffmpeg), Oracle (emacs and kernel), Red Hat (emacs and webkit2gtk3), SUSE (azure-cli, bsdtar, gnutls, govulncheck-vulndb, libX11, libxkbfile, libxml2, nodejs-electron, openssh8.4, ovmf, phpMyAdmin, python, python-azure-identity, python311-jupyter-server, tiff, trivy, u-boot, and wireshark), and Ubuntu (opennds and Ruby SAML).
Kernel prepatch 6.14-rc5
The 6.14-rc5 kernel prepatch is out for testing. "Nothing looks particularly big or worrisome".
[$] Fedora discusses Flatpak priorities
Differences of opinion, as well as outright disputes, between upstream open-source projects and Linux distribution packagers over packaging practices are nothing new. It is rarer, though, for those disputes to boil over to threats of legal action - but a disagreement between the Open Broadcaster Software (OBS) Studio project and Fedora packagers reached that point in mid-February. After escalation to a higher authority, things have been worked out to the satisfaction of the OBS project, but some lingering questions remain. How Fedora should prioritize Flatpak repositories, how to handle conflicts between upstreams and Fedora packagers, and the mechanics of removing or retiring Flatpaks all remain open questions.
Terms of use and privacy changes for Firefox
There is a fair amount of unhappiness on the Internet about the announcement from Mozilla about a new "terms of use" agreement and an updated privacy notice for the Firefox browser.
Security updates for Friday
Security updates have been issued by Debian (emacs, freerdp2, and gst-plugins-good1.0), Fedora (java-17-openjdk, python3.6, and xorg-x11-server-Xwayland), Mageia (radare2), SUSE (libX11, openvswitch3, postgresql13, procps, ruby2.5, webkit2gtk3, and xorg-x11-server), and Ubuntu (git, linux-aws, linux-aws, linux-aws-6.8, linux-aws, linux-oracle, linux-oracle-5.4, linux-ibm, linux-intel-iotg, linux-intel-iotg-5.15, and linux-oem-6.11).
McKenney: Speaking at Kernel Recipes
Paul McKenney has put together a series of articles on how to improve one's ability to give a good talk at a technical conference.
Fish shell 4.0 released
Version 4.0 of the Fish shell has been released. Improvements include a better key-binding mechanism, the ability to tie abbreviations to a specific command, selective ignoring of commands in the history, some scripting improvements, and more. See the release notes for details.
[$] A look at the Zotero reference management tool
Zotero is an open-source reference management tool designed for collecting, organizing, and citing research materials. It is particularly useful for those writing research papers, theses, or books that require a bibliography in standard formats like APA Style, Chicago Style, or MLA Format. Zotero stores bibliographic metadata, annotations, and user data and integrates with word processors like LibreOffice, Microsoft Word, and Google Docs to produce in-text citations and bibliographies. The core features of Zotero include metadata extraction, tagging, full-text indexing, and cloud synchronization for multi-device access, and Zotero has a plugin system to allow anyone to expand its capabilities. The most recent major release, Zotero 7, added support for reading EPUBs, brought user-interface improvements including a dark mode, performance improvements, and more.