lwn.net

LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.

[$] Reconsidering x32 — again

Mon, 2026/06/01 - 11:22 PM
The x32 ABI was meant to be the best of both worlds, providing the expanded registers and instruction set of the x86-64 architecture while preserving the lower memory use of 32-bit systems. The Linux kernel has supported x32 since the 3.4 release in 2012. The initial excitement around x32 did not last, though, and kernel developers are considering removing that support — and not for the first time. Even the most unloved features tend to have a few users, though, making removal hard.

Multiple redhat-cloud-services npm packages compromised (StepSecurity Blog)

Mon, 2026/06/01 - 11:05 PM

StepSecurity is reporting that a number of npm packages in the @redhat-cloud-services scope include malware that runs automatically on every npm install:

The payload is a multi-stage credential harvester that sweeps GitHub Actions secrets along with AWS, GCP, Azure, Kubernetes, HashiCorp Vault, npm, and CircleCI tokens, and it is purpose-built to evade detection, including an explicit attempt to bypass StepSecurity Harden-Runner.

StepSecurity analyzed @redhat-cloud-services/host-inventory-client@5.0.3 in full. Its index.js, executed at install time, is 4.2 MB, a file that should weigh a few kilobytes, with the real payload buried under three separate layers of obfuscation. The malware is also a self-propagating worm: using stolen npm tokens and npm's bypass_2fa parameter, it republishes backdoored versions of other packages on its own, even against accounts protected by two-factor authentication, so every infected machine can seed the next wave with no attacker involvement. All affected packages were published via GitHub Actions OIDC from the RedHatInsights/javascript-clients repository, indicating the upstream CI/CD pipeline itself was compromised. Analysis of the remaining packages is ongoing.

A blog post from SafeDep has additional analysis about the incident. We did not find an advisory from Red Hat on this yet.


Fedora F44 election interviews published

Mon, 2026/06/01 - 10:20 PM

The Fedora Project has published interviews with candidates running for the open seats on the Fedora Council, Fedora Engineering Steering Committee, Fedora Mindshare Committee, and EPEL Steering Committee. Voting is open through Friday, June 12 at 23:59 UTC.


Security updates for Monday

Mon, 2026/06/01 - 10:04 PM
Security updates have been issued by AlmaLinux (.NET 10.0, .NET 9.0, firefox, flatpak, httpd, and thunderbird), Debian (chromium, corosync, cyborg, dovecot, exim4, git-lfs, imagemagick, kernel, keystone, linux-6.1, php-twig, python-aiohttp, sentry-python, swift, and symfony), Fedora (chromium, djvulibre, docker-compose, giflib, haveged, libsoup3, libssh2, mingw-objfw, netatalk, nginx, nginx-mod-brotli, nginx-mod-fancyindex, nginx-mod-headers-more, nginx-mod-modsecurity, nginx-mod-naxsi, nginx-mod-vts, objfw, pdns, perl-Crypt-PasswdMD5, perl-libwww-perl, python-urllib3, suricata, and xrdp), Mageia (perl-Template-Toolkit and vim), Oracle (.NET 8.0, cockpit, firefox, flatpak, freerdp, kernel, and libexif), Red Hat (containernetworking-plugins, libsoup, libsoup3, multiple packages, php:8.2, php:8.3, podman, rhc, and skopeo), SUSE (amazon-ecs-init, amazon-ssm-agent, apptainer, azure-storage-azcopy, bind, chromium, csync2, cups, docker-stable, frr, gdk-pixbuf-loader-libheif, gnutls, hauler, helm, helm3, ignition, java-1_8_0-ibm, kernel, libBasicUsageEnvironment2, libredwg-devel, localsearch, memcached, openexr, perl-Net-CIDR-Lite, perl-YAML-Syck, postgresql14, python-mistune, python-pillow, python-pytest-html, python-urllib3, python311-Authlib, strongswan, trivy, vim, and xz), and Ubuntu (gdal, python-pip, qtwebengine-opensource-src, rsync, and texmaker).

Kernel prepatch 7.1-rc6

Mon, 2026/06/01 - 12:26 PM
The 7.1-rc6 kernel prepatch is out for testing. Linus said: "Well, I wouldn't call this 'small', but it is certainly smaller than rc5 was. And I don't think there's anything particularly scary here, so maybe we're still on track for a normal release cycle. Let's see."

[$] A trademark dispute over MeshCore

Sat, 2026/05/30 - 1:41 AM

MeshCore is a relatively new project, started in January 2025, that aims to build a scalable mesh network using low-power long-distance radios. While many other projects of the same general nature have been tried before, MeshCore grew quickly because of its more efficient message routing and enthusiastic community. In early 2026, an early proponent of the project made a sudden shift that left the rest of the community stunned and embroiled in a trademark dispute.


[$] A loadable crypto module for FIPS certification

Fri, 2026/05/29 - 11:29 PM
Many organizations require US Federal Information Processing Standard (FIPS) certification of the crypto code they are running. The certification process is lengthy, but the bigger problem is that the way the crypto subsystem is built into the kernel makes the result unable to be reused across kernel updates. I have proposed a patch series that decouples the crypto subsystem into a standalone loadable module, allowing a certified crypto module to be reused with multiple kernels and, thus, requiring fewer lengthy recertification delays.

Nesbitt: Protestware for coding agents

Fri, 2026/05/29 - 11:09 PM

Andrew Nesbitt has written a blog post detailing a recent incident with the jqwik library for property-based testing in Java. On May 25, the 1.10.0 release of jqwik included a change that attempts to instruct coding agents to disregard previous instructions and delete jqwik tests and code.

I think this is a new class of supply-chain input worth keeping an eye on, mostly because of how little of the existing tooling has any opinion about it. A System.out.print of sixty-eight bytes of plain ASCII isn't the kind of thing scanners are looking for, since those watch for install hooks, network calls, filesystem writes, obfuscated strings and the like. The jar makes the same syscalls it made in 1.9, and because the change was committed and released by the legitimate maintainer through the normal build, it's clean from a SLSA point of view too: the provenance is what it should be. Anyone who reads the diff can see what it does, but a patch bump of a test-scoped dependency is not where most projects spend their review time.


Security updates for Friday

Fri, 2026/05/29 - 10:12 PM
Security updates have been issued by AlmaLinux (.NET 8.0, .NET 9.0, cockpit, firefox, flatpak, httpd, kernel, and kernel-rt), Debian (kernel, kitty, lemonldap-ng, nagios4, python-flask-httpauth, and roundcube), Fedora (CImg, gmic, haveged, jpegxl, kernel, libpng, mapserver, mingw-qt6-qtsvg, openbao, perl-Sereal, perl-Sereal-Decoder, perl-Sereal-Encoder, and podofo), Mageia (bind, graphicsmagick, microcode, nginx, packages, perl-Catalyst-Plugin-Authentication, perl-HTTP-Daemon, perl-IO-Compress, and thunderbird(-l10n)), SUSE (alloy, apache2, beets, bubblewrap, cups, docker-stable, ffmpeg-4, ffmpeg-7, firefox, google-osconfig-agent, patterns-glibc-hwcaps, podman, samba, thunderbird, trivy, xdg-desktop-portal, and xz), and Ubuntu (apache2, libreoffice, multipart, openjdk-17, openjdk-17-crac, openjdk-21, openjdk-21-crac, openjdk-25, openjdk-25-crac, openjdk-26, openjdk-8, openjdk-lts, php8.1, php8.3, php8.4, php8.5, pyopenssl, python-pip, qtsvg-opensource-src, sed, and vim).

Rust 1.96.0 released

Fri, 2026/05/29 - 7:16 AM
Version 1.96.0 of the Rust programming language has been released. Changes include a new set of Copy-implementing Range types, assertions with pattern matching, a number of stabilized APIs, and two Cargo vulnerability fixes.

Górny: why Gentoo?

Fri, 2026/05/29 - 2:58 AM

Gentoo developer Michał Górny has written a lengthy article explaining the philosophy and purpose of the Gentoo Linux distribution, in response to a thread on Mastodon:

Gentoo is a source-first distribution, which means the primary method of installing software is to build it from source. Of course, that doesn't mean manually building stuff, following some kind of how-to: finding all the dependencies, installing them manually, going through a series of magical incantations, and eventually ending up no better than if we were installing a binary package. The package manager takes care of all the necessary steps and more, making package installs easy; well, at least unless something fails. But I'm digressing...

[...] We try to build a friendly and welcoming community around Gentoo, and we truly want using Gentoo be an enjoyable experience. We want it to be a system that doesn't betray you.


[$] Policies for merging new filesystems

Thu, 2026/05/28 - 11:29 PM
In a filesystem-track session at the 2026 Linux Storage, Filesystem, Memory Management, and BPF Summit, Amir Goldstein wanted to discuss his proposed documentation on adding new filesystems to the kernel. There are a number of unmaintained and untestable filesystems already in the kernel, which are a burden to VFS-layer developers who are trying to make sweeping changes, such as switching to folios and the "new" mount API. Goldstein's document is an attempt to head off the addition of filesystems that may increase that burden down the road.

IBM's "Project Lightwell"

Thu, 2026/05/28 - 10:30 PM
IBM has sent out a press release touting a claimed $5 billion investment into an operation called Project Lightwell:

Project Lightwell will establish a trusted enterprise clearinghouse combined with a global force of engineers to identify and fix vulnerabilities at scale. The clearinghouse will serve as a security coordination layer, using advanced AI capabilities to validate and test fixes across an unprecedented volume of open source code. These capabilities will be offered through commercial subscriptions, allowing enterprises to integrate secure patches directly into their existing software supply chains with enterprise-grade validation and lifecycle management.

Toward the bottom, it does also mention sharing vulnerability information with upstream projects.


[$] Separating memory descriptors from struct page

Thu, 2026/05/28 - 10:09 PM
The kernel's memory-management subsystem is currently partway through a multi-year project to replace the page structure (which represents a page of physical memory) with memory descriptors. At the 2026 Linux Storage, Filesystem, Memory Management, and BPF Summit, Vishal Moola ran a fast-paced session in the memory-management track to describe the current state of that work and what is likely to happen next.

Security updates for Thursday

Thu, 2026/05/28 - 10:05 PM
Security updates have been issued by AlmaLinux (firefox, gdk-pixbuf2, glibc, gnutls, kernel, libexif, mysql8.4, postgresql16, postgresql18, python3.14, ruby:3.3, and ruby:4.0), Debian (krb5, roundcube, starlette, unbound, and varnish), Fedora (kernel, nginx, nginx-mod-brotli, nginx-mod-fancyindex, nginx-mod-headers-more, nginx-mod-js-challenge, nginx-mod-modsecurity, nginx-mod-naxsi, nginx-mod-vts, perl-Imager, poppler, python-uv-build, rrdtool, rust-astral-tokio-tar, rust-astral_async_http_range_reader, rust-astral_async_zip, uv, and xen), Oracle (.NET 10.0, .NET 9.0, glibc, ruby:3.3, and thunderbird), Red Hat (.NET 10.0, .NET 8.0, .NET 9.0, containernetworking-plugins, gvisor-tap-vsock, podman, runc, and skopeo), SUSE (agama, alloy, bubblewrap, cockpit, cups, dnsmasq, emacs, glibc, gnutls, go1.25, go1.25-openssl, go1.26, go1.26-openssl, google-guest-agent, hplip, ibus-rime, librime, kernel, libarchive, libzypp, nginx, openexr, openssh, php7, postgresql14, postgresql15, postgresql16, python311-pytest-html, redis, redis7, rsync, tree-sitter, valkey, xen, and yq), and Ubuntu (cableswig, commons-beanutils, dnsmasq, ffmpeg, foomuuri, gst-plugins-good1.0, libcaca, libgcrypt20, mediawiki, memcached, papers, postorius, tgt, and tika).

[$] LWN.net Weekly Edition for May 28, 2026

Thu, 2026/05/28 - 10:04 AM
Inside this week's LWN.net Weekly Edition:

  • Front: Dirk and Linus talk; BPF and GCC; private memory modes; BPF page-cache policies; major page faults; LLM kernel review; tiered-memory support; transparent huge pages; page mappings; Model Openness Tool.
  • Briefs: Stenberg security stress; GTK PDF problems; Morton 2004 keynote; OpenBSD 7.9; Bambu's AGPLv3 violations; Quotes; ...
  • Announcements: Newsletters, conferences, security updates, patches, and more.

Interview session with Jonathan Corbet

Thu, 2026/05/28 - 4:32 AM
The Linux Foundation will be hosting a live interview with LWN co-founder Jonathan Corbet. The event will take place on Tuesday, June 2 at 8:00AM Pacific daylight time (UTC-7). Registration is open for those who would like to attend.

[$] MOT: a tool to fight openwashing in AI

Thu, 2026/05/28 - 12:52 AM

Many large language models (LLMs) are described as open source, but if one looks a bit deeper it turns out that is not actually so; the model may be free to download, it may be "open weight", but it does not fit the Open Source Initiative (OSI) Open Source Definition (OSD). Assessing the actual openness of models is not easy, as Arnaud Le Hors explained in his talk about the Model Openness Tool (MOT) at Open Source Summit North America 2026. The tool is designed to help users of LLMs understand to what degree a model is (or is not) open, and to combat the openwashing that is prevalent with LLMs.


Andrew Morton's 2004 OLS keynote

Wed, 2026/05/27 - 11:35 PM
I recently presented a brief tribute to Andrew Morton at the 2026 Linux Storage, Filesystem, Memory Management, and BPF Summit; it included a suggestion that reading (or re-reading) his 2004 Ottawa Linux Symposium keynote would be instructive. This talk, given immediately after the Kernel Summit session that decided to fundamentally change the kernel's development model, tells a lot about how the kernel project got to where it is today. The text of that speech was hosted on Groklaw, and has since been replaced by crypto spam, which is rather less useful. In the hopes of preserving this seminal moment, the transcript has been rescued thanks to the Wayback Machine and is presented here.

[$] Further progress toward removing the page map count

Wed, 2026/05/27 - 10:16 PM
The mapcount field was created to track the number of mappings (page-table entries) that refer to the given page. Among other things, a mapcount of zero means that the page has no references and can be reclaimed. Maintaining mapcount has become increasingly challenging and expensive as the memory-management system has grown in complexity, so Hildenbrand has been looking for ways to get rid of it. This session was, he said, maybe one of the last times he will have to bring up this topic.