lwn.net

[$] The NNCPNET email network
Running a modern mail server is a complicated business. In part, this complication is caused by the series of incrementally developed practices designed to combat the huge flood of spam that dominates modern email communication. An unfortunate side effect is that it prevents people from running their own mail servers, concentrating people on a few big providers. NNCPNET is a suite of software written by John Goerzen based on the node-to-node copy (NNCP) protocol that aims to make running one's own mail servers as easy as it once was. While the default configuration communicates only with other NNCPNET servers, there is a public relay that connects the system to the broader internet mail ecosystem.
More malware uploaded to Arch Linux AUR (Linuxiac)
Linuxiac reports that another malicious package has been uploaded to the Arch User Repository (AUR). This time around the package was google-chrome-stable, which installed a remote-access trojan along with Google Chrome.
The good news—if you can call it that—is that the google-chrome-stable package was available on the AUR only for a few hours before the malware hidden inside was discovered. Still, it did get a few upvotes, which suggests at least some users ended up installing it.
The Arch Linux project had to warn users about a similar attack less than a month ago when a user uploaded three browser packages that also installed a malicious script identified as a remote-access trojan.
Security updates for Friday
[$] A look at the SilverBullet note-taking application
SilverBullet is an MIT-licensed note-taking application, designed to run as a self-hosted web server. Started in 2022, the project is approaching its 2.0 release, making this a good time to explore the features it offers. SilverBullet stores notes as plain Markdown files, and provides a Lua scripting API to customize the application's appearance and behavior.
Garrett: Secure boot certificate rollover is real but probably won't hurt you
The upshot is that nobody actually enforces these expiry dates - here's the reference code that disables it. In a year's time we'll have gone past the expiration date for 'Microsoft Windows UEFI Driver Publisher' and everything will still be working, and a few months later 'Microsoft Windows Production PCA 2011' will also expire and systems will keep booting Windows despite being signed with a now-expired certificate. This isn't a Y2K scenario where everything keeps working because people have done a huge amount of work - it's a situation where everything keeps working even if nobody does any work.
[$] 6.17 Merge window, part 1
Security updates for Thursday
[$] LWN.net Weekly Edition for July 31, 2025
- Front: Becoming a Python contributor; Graphene OS; Fedora quality team; 6.16 Development statistics; Proxy execution; Run-time verification; Confidential VMs.
- Briefs: HeliumOS 10; European Tech Funding; GNU C Library 2.42; OpenPrinting; Wayback 0.1
- Announcements: Newsletters, conferences, security updates, patches, and more.
We need a European Sovereign Tech Fund (GitHub blog)
GitHub director of developer policy, Felix Reda, has published a blog post about a GitHub-commissioned study by Open Forum Europe, Fraunhofer ISI and the European University Institute. The study finds, not surprisingly, "a profound mismatch between the importance of open source maintenance and the public attention it receives"; it calls for a European sovereign tech fund (STF) modeled after Germany's Sovereign Tech Agency.
The study proposes two alternative institutional setups for the EU-STF: either the creation of a centralized EU institution (the moonshot model), or a consortium of EU member states that provide the initial funding and apply for additional resources from the EU budget (the pragmatic model). In both cases, to make the fund a success, the minimum contribution from the upcoming EU multiannual budget should be no less than €350 million. This would not be enough to meet the open source maintenance need, but it could form the basis for leveraging industry and national government co-financing that would make a lasting impact.
The European Union is currently starting negotiations for its 2028-2034 budget, the Multiannual Financial Framework; GitHub and others hope to persuade EU legislators to include a European STF in that framework.
[$] Extending run-time verification for the kernel
There are a lot of things people expect the Linux kernel to do correctly. Some of these are checked by testing or static analysis; a few are ensured by run-time verification: checking a live property of a running Linux system. For example, the scheduler has a handful of different correctness properties that can be checked in this way. Nam Cao posted a patch series that aims to extend the kinds of properties that the kernel's run-time verification system can check, by adding support for linear temporal logic (LTL). The patch set has seen eleven revisions since the first version in March 2025, and recently made it into the linux-next tree, from where it seems likely to reach the mainline kernel soon.
[$] On becoming a Python contributor
Security updates for Wednesday
HeliumOS 10 released
The HeliumOS project has announced the release of HeliumOS 10. It is a relatively new image-based ("atomic") desktop distribution based on packages from CentOS Stream and AlmaLinux, with a goal of providing 10 years of support. HeliumOS 10 uses the KDE Plasma Desktop, Zsh as its default shell, and Btrfs as its default filesystem.
[$] A proxy-execution baby step
GNU C Library 2.42 released
Security updates for Tuesday
Help for OpenPrinting needed
Till Kamppeter, co-founder and lead of the OpenPrinting project, has put out a call for sponsors after being laid off by Canonical:
I want to continue doing OpenPrinting for a living, and need a way to do so. I am currently working with the Linux Foundation to make OpenPrinting an [organization] which can receive sponsor funding. So now I am looking for sponsors.
Even greater would be, if independent of this somebody could hire me to continue OpenPrinting...
[$] Some 6.16 development statistics
[$] Smaller Fedora quality team proposes cuts
Fedora's quality team is looking to reduce the scope of test coverage and change the project's release criteria to drop some features from the list of release blockers. This is, in part, an exercise in getting rid of criteria, such as booting from optical media, that are less relevant. It is also a necessity, since the Red Hat team focusing on Fedora quality assurance (QA) is only half the size it was a year ago.