lwn.net
The future of AI in Ubuntu
Jon Seager, VP engineering for Canonical, has posted an update on "what Canonical and Ubuntu will do (or not) to incorporate AI" that explains what part AI will play in the future of the company and its distribution.
The bottom line is that Canonical is ramping up its use of AI tools in a focused and principled manner that favours open weight models with license terms that feel most compatible with our values, combined with open source harnesses. AI features will be landing in Ubuntu throughout the next year as we feel that they're of sufficient maturity and quality, with a bias toward local inference by default.
AI features in Ubuntu will come in two forms: first as a means of enhancing existing OS functionality with AI models in the background, and latterly in the form of "AI native" features and workflows for those who want them.
This year Canonical has begun a more deliberate push toward education and developing competence with AI tools. We are not setting shallow metrics on token usage, or percentages of code written with AI, but rather incentivising engineers to experiment and understand where AI tools add value. Rather than force a single early-choice AI stack, we're incentivising teams to each pick 'something different' and go deep, so we learn more as an org in the next six months.
Niri 26.04 released
Version 26.04 of the niri scrollable-tiling Wayland compositor has been released. The most notable change in this release, as the "most requested niri feature by far", is support for the blur effect using the Wayland protocol's ext-background-effect. This release also features optional configuration includes, screencasting support enhancements, and a number of improvements for input devices.
In short, background blur turned out to be a massive undertaking. Not because of the blur algorithm itself (by the way, if you want to learn about different blurs, including the widely used Dual Kawase, I highly recommend this blog post), but because window background effects in general required a lot of thinking and additions to the code, especially to make them as efficient as possible. This is one of the most complex niri features thus far.
LWN covered niri in July 2025.
Security updates for Monday
Kernel prepatch 7.1-rc1
Things look fairly normal, although we do have a few different projects to cull some old hardware support to help minimize maintenance burden: phasing out i486 support (configs deleted, code deletions to follow) and independently starting to remove some really old networking hardware support, and removing some SoC support that never went anywhere.
But we're more than making up for any stale code removal with all the new features and code added, so the diffstat still shows many more lines added than removed.
GnuPG 2.5.19 released
Werner Koch has announced the release of GnuPG 2.5.19. This release includes a few new options and a number of bug fixes, and comes with the reminder that the GnuPG 2.4 series will reach end-of-life soon:
The main features in the 2.5 series are improvements for 64 bit Windows and the introduction of Kyber (aka ML-KEM or FIPS-203) as PQC encryption algorithm. Other than PQC support the 2.6 series will not differ a lot from 2.4 because the majority of changes are internal to make use of newer features from the supporting libraries.
Note that the old 2.4 series reaches end-of-life in just two months. Thus update to 2.5.19 in time. As always with GnuPG new versions are fully compatible with previous versions.
LWN recently covered Fedora's discussion about what to offer after GnuPG 2.4 is no longer supported.
[$] On pages and folios
Security updates for Friday
Ubuntu 26.04 LTS released
Ubuntu 26.04 ("Resolute Raccoon") LTS has been released on schedule.
This release brings a significant uplift in security, performance, and usability across desktop, server, and cloud environments. Ubuntu 26.04 LTS introduces TPM-backed full-disk encryption, expanded use of memory-safe components, improved application permission controls, and Livepatch support for Arm systems, helping reduce downtime and strengthen system resilience. [...]
The newest Edubuntu, Kubuntu, Lubuntu, Ubuntu Budgie, Ubuntu Cinnamon, Ubuntu Kylin, Ubuntu Studio, Ubuntu Unity, and Xubuntu are also being released today. For more details on these, read their individual release notes under the Official flavors section:
https://documentation.ubuntu.com/release-notes/26.04/#official-flavors
Maintenance updates will be provided for 5 years for Ubuntu Desktop, Ubuntu Server, Ubuntu Cloud, Ubuntu WSL, and Ubuntu Core. All the remaining flavors will be supported for 3 years.
See the release notes for a list of changes, system requirements, and more.
[$] Famfs, FUSE, and BPF
Security updates for Thursday
[$] LWN.net Weekly Edition for April 23, 2026
- Front: LLMs and Python bugs; scheduler regression; new Rust traits; dependency cooldowns; 7.1 merge window; Shor's algorithm; drama at The Document Foundation.
- Briefs: Firefox zero-days; kernel code removal; reproducible Arch; Debian election; Firefox 150; Forgejo 15.0; Git 2.54.0; KDE Gear 26.04; LilyPond 2.26.0; Rust 1.95.0; Quotes; ...
- Announcements: Newsletters, conferences, security updates, patches, and more.
[$] Dependency-cooldown discussions warm up
Efforts to introduce malicious code into the open-source supply chain have been on the rise in recent years, and there is no indication that they will abate anytime soon. These attacks are often found quickly, but not quickly enough to prevent the compromised code from being automatically injected into other projects or code deployed by users where it can wreak havoc. One method of avoiding supply-chain attacks is to add a delay of a few days before pulling updates in what is known as a "dependency cooldown". That tactic is starting to find favor with users and some language ecosystem package managers. While this practice is considered a reasonable response by many, others are complaining that those employing dependency cooldowns are free-riding on the larger community by letting others take the risk.
[$] One Sized trait does not fit all
In Rust, types either possess a constant size known at compile time, or a dynamically calculated size known at run time. That is fine for most purposes, but recent proposals for the language have shown the need for a more fine-grained hierarchy. RFC 3729 from David Wood and Rémy Rakic would add a hierarchy of traits to describe types with sizes known under different circumstances. While the idea has been subject to discussion for many years, a growing number of use cases for the feature have come to light.
LilyPond 2.26.0 released
Version 2.26.0 of the LilyPond music-engraving program has been released. Major changes include the ability to use the Cairo library to generate output and improvements in spacing between clefs and time signatures. See the release notes for a full list of miscellaneous improvements as well as what's new with musical and specialist notation.
Four stable kernels for Wednesday
Security updates for Wednesday
Kernel code removals driven by LLM-created security reports
Remove the amateur radio (AX.25, NET/ROM, ROSE) protocol implementation and all associated hamradio device drivers from the kernel tree. This set of protocols has long been a huge bug/syzbot magnet, and since nobody stepped up to help us deal with the influx of the AI-generated bug reports we need to move it out of tree to protect our sanity.
Firefox: The zero-days are numbered
Elite security researchers find bugs that fuzzers can't largely by reasoning through the source code. This is effective, but time-consuming and bottlenecked on scarce human expertise. Computers were completely incapable of doing this a few months ago, and now they excel at it. We have many years of experience picking apart the work of the world's best security researchers, and Mythos Preview is every bit as capable. So far we've found no category or complexity of vulnerability that humans can find that this model can't.
This can feel terrifying in the immediate term, but it's ultimately great news for defenders. A gap between machine-discoverable and human-discoverable bugs favors the attacker, who can concentrate many months of costly human effort to find a single bug. Closing this gap erodes the attacker's long-term advantage by making all discoveries cheap.
Fedora Verified: a proposal to recognize Fedora contributor status
The Fedora Project has been wrestling with the question of who should be able to vote in Fedora elections recently, with project membership being a major topic at the Fedora Council face-to-face held in early February. Now the project is considering a new contributor status, "Fedora Verified", and is looking to get input on the idea from the community.
What are the proposed benefits? The primary motivation behind "Fedora Verified" is to build trust-based recognition that grants elevated, privileged rights within the project. Most notably, this status would determine eligibility for strategic governance activities, such as:
- Voting in Fedora community elections.
- Running for leadership or decision-making roles within the project (i.e., Fedora Council, FESCo, Mindshare Committee, EPEL Steering Committee).
- (Potential, unplanned) Accessing specific shared project resources or educational opportunities (e.g., Red Hat training credits).
The blog post includes a list of proposed baseline metrics for "Verified" status as well as open questions to be decided. A survey on the topic will be open until May 5.
