lwn.net

Members of the Manjaro Linux distribution's community have published a "Manjaro 2.0 Manifesto" that contains a list of complaints and a demand to restructure the project to provide a clear separation between the community and Manjaro as a company. The manifesto asserts that the project's leadership is not acting in the best interests of the community, which has caused developers to leave and innovation to stagnate. It also demands a handover of the Manjaro trademark and other assets to a to-be-formed nonprofit association. The responses on the Manjaro forum showed widespread support for the manifesto; Philip Müller, project lead and CEO of the Manjaro company, largely stayed out of the discussion. However, he surfaced on March 19 to say he was "open to serious discussions", but only after a nonprofit had actually been set up.

Security updates have been issued by AlmaLinux (capstone, glibc, grub2, kernel, libarchive, libpng, mysql, and python3.11), Debian (evolution-data-server, imagemagick, and snapd), Fedora (bpfman, chromium, cpp-httplib, dotnet10.0, openssh, polkit, and vim), Mageia (graphicsmagick, imagemagick, openssh, and perl-YAML-Syck), Oracle (capstone, grub2, kernel, mysql, and python-pyasn1), Red Hat (container-tools:rhel8, rhc, yggdrasil, and yggdrasil-worker-package-manager), SUSE (cargo1.92, cargo1.93, chromedriver, coturn, curl, freerdp, jq, kernel, libssh, php-composer2, python311-uv, python312, qemu, tomcat, util-linux, vim, and virtiofsd), and Ubuntu (exiv2, freerdp3, glance, linux, linux-aws, linux-aws-hwe, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, and linux-aws-fips, linux-fips, linux-gcp-fips).

Ars Technica describes the ritual that will be required before a future Android device will deign to install apps from somewhere other than the Play Store. It is not for the impatient.

Here are the steps:

• Enable developer options by tapping the software build number in About Phone seven times
• In Settings > System, open Developer Options and scroll down to "Allow Unverified Packages."
• Flip the toggle and tap to confirm you are not being coerced
• Enter device unlock code
• Restart your device
• Wait 24 hours
• Return to the unverified packages menu at the end of the security delay
• Scroll past additional warnings and select either "Allow temporarily" (seven days) or "Allow indefinitely."
• Check the box confirming you understand the risks.
• You can now install unverified packages on the device by tapping the "Install anyway" option in the package manager.

Greg Kroah-Hartman has announced the release of the 6.19.9 and 6.18.19 stable kernels. As usual, each has important fixes throughout the tree; users are advised to upgrade.

Version 1.7.0 ("Daffodil") of the Radicle peer-to-peer, local-first code collaboration stack has been released. Some of the changes in this release include improved I/O usage, the ability to block nodes at the connection level, and clearer errors for rad id updates. See the release notes for a full list of changes and bug fixes.

The kernel project has a unique approach to tooling that avoids many commonly used development systems that do not fit the community's scale and ways of working. Another way of looking at the situation is that the kernel project has often under-invested in tooling, and sometimes seems bent on doing things the hard way. In recent times, though, the amount of effort that has gone into development tools for the kernel has increased, with some interesting results. Recent developments in this area include the Sashiko code-review system, a patch-review manager built into b4, and a new attempt at a framework for the specification and verification of kernel APIs.

Security updates have been issued by Debian (freetype), Fedora (aqualung, kiss-fft, libtasn1, mac, and vim), Red Hat (libarchive, osbuild-composer, and rhc), Slackware (expat), SUSE (ca-certificates-mozilla, chromium, cockpit, cockpit-machines, cockpit-podman, curl, docker, docker-compose, docker-stable, gnutls, gstreamer-rtsp-server, gstreamer-plugins-ugly, gstreamer- plugins-rs, gstreamer-plugins-libav, gstreamer-plugins-good, gstreamer-plugins- base, gstreamer-plugins-bad, gstreamer-docs, gstreamer-devtools, gstreamer, gvfs, helm, kernel, krb5-appl, libsoup, libxslt, libxml2, openssh, python-cryptography, python-django, python-pypdf2, python-simpleeval, python311, qemu, ruby4.0-rubygem-sprockets, ruby4.0-rubygem-thor, ruby4.0-rubygem-web-console, ruby4.0-rubygem-websocket-extensions, skaffold, smb4k, tomcat, ucode-intel, util-linux, virtiofsd, and zlib), and Ubuntu (bouncycastle, exiv2, freerdp3, linux-aws, linux-aws-5.4, linux-gcp-5.4, linux-oracle, linux-oracle-5.4, linux-xilinx-zynqmp, linux-aws-fips, python2.7, roundcube, and valkey).

Inside this week's LWN.net Weekly Edition:

• Front: Privacy battles; page-cache-timing protections; null filesystems; Fedora Sandbox; safer kmalloc(); BPF in io_uring.
• Briefs: AppArmor vulnerabilities; snapd vulnerability; Sashiko; DPL election; Fedora Asahi 43; GIMP 3.2; Marknote 1.5; Quotes; ...
• Announcements: Newsletters, conferences, security updates, patches, and more.

Cindy Cohn is the executive director of the Electronic Frontier Foundation (EFF) and she gave the Saturday morning keynote at SCALE 23x in Pasadena about some of the work she and others have done to help protect online rights, especially digital privacy. The talk recounted some of the history of the court cases that the organization has brought over the years to try to dial back privacy invasions. One underlying theme was the role that attendees can play in protecting our rights, hearkening back to earlier efforts by the technical community.

Version 4.24.0 of the Samba SMB filesystem implementation has been released. There are a number of significant changes, including audit support for authentication information, remote password management, a number of Kerberos improvements, asynchronous-I/O rate limiting, and more.

GNOME 50 has been released. Notable changes in this release include enhancements to the Orca screen-reader application, interface and performance improvements for GNOME's file manager (Files), a "massive set of stability and performance updates" for its display-handling technologies, and much more. See also the "What's new for developers" article that covers changes of interest to GNOME and GNOME application developers.

Qualys has discovered a local-privilege escalation (LPE) vulnerability affecting Ubuntu Desktop 24.04 and later:

This flaw (CVE-2026-3888) allows an unprivileged local attacker to escalate privileges to full root access through the interaction of two standard system components: snap-confine and systemd-tmpfiles.

More details are available in the security advisory. Canonical has published updated packages as well as instructions for verifying if a system is vulnerable and how to upgrade if so.

Fedora Asahi Remix 43 is now available:

This release incorporates all the exciting improvements brought by Fedora Linux 43. Notably, package management is significantly upgraded with RPM 6.0 and the new DNF5 backend for PackageKit for Plasma Discover and GNOME Software ahead of Fedora Linux 44. It also continues to provide extensive device support. This includes newly added support for the Mac Pro, microphones in M2 Pro/Max MacBooks, and 120Hz refresh rate for the built-in displays for MacBook Pro 14/16 models.

The kernel's asynchronous io_uring interface maintains two shared ring buffers: a submission queue for sending requests to the kernel, and a completion queue containing the results of those requests. Even with shared memory removing much of the overhead of communicating with user space, there is still some overhead whenever the kernel must switch to user space to give it the opportunity to process completion requests and queue up any subsequent work items. A patch set from Pavel Begunkov minimizes this overhead by letting programmers extend the io_uring event loop with a BPF program that can enqueue additional work in response to completion events. The patch set has been in development for a long time, but has finally been accepted.

Security updates have been issued by AlmaLinux (.NET 10.0, .NET 9.0, compat-openssl11, container-tools:rhel8, grub2, and libvpx), Debian (ansible, gst-plugins-base1.0, and nodejs), Fedora (chromium, forgejo, and systemd), Oracle (container-tools:rhel8, grub2, kernel, libpng, libvpx, nginx, opencryptoki, python3.12, and vim), Red Hat (firefox, python-wheel, python3.12-wheel, and thunderbird), SUSE (389-ds, chromium, clamav, container-suseconnect, curl, freerdp, gvfs, kea, kubernetes, ruby4.0-rubygem-minitar, ruby4.0-rubygem-multi_xml, ruby4.0-rubygem-nokogiri, ruby4.0-rubygem-puma, ruby4.0-rubygem-rack, ruby4.0-rubygem-rack-session, ruby4.0-rubygem-rails, ruby4.0-rubygem-rails-html-sanitizer, ruby4.0-rubygem-railties, ruby4.0-rubygem-rubyzip, vim, and xen), and Ubuntu (flask, libssh, linux-aws-5.15, linux-gcp-5.15, linux-gke, linux-hwe-5.15, linux-intel-iotg-5.15, linux-lowlatency-hwe-5.15, linux-oracle-5.15, linux-gcp-6.17, linux-realtime, linux-realtime, linux-realtime, linux-realtime-6.8, snapd, and vim).

Roman Gushchin has announced the existence of an LLM-driven patch-review system named Sashiko. It automatically creates reviews for all patches sent to the linux-kernel mailing list (and some others).

In my measurement, Sashiko was able to find 53% of bugs based on a completely unfiltered set of 1,000 recent upstream issues using "Fixes:" tags (using Gemini 3.1 Pro). Some might say that 53% is not that impressive, but 100% of these issues were missed by human reviewers.

Sashiko is built on Chris Mason's review prompts (covered here in October 2025), but the implementation has evolved considerably.

The Free Software Foundation Europe (FSFE) is reporting that payment provider Nexi has terminated its contract without prior notice, which means that a number of FSFE supporters' recurring payments have been halted:

Over the past few months, our former payment provider Nexi S.p.A. ("Nexi") requested access to private data, which we understood to be specifically the usernames and passwords of our supporters. We have refused this request. All our attempts to clarify Nexi's request, or to understand how their need for such information was necessary and legal, were met with what we consider to be vague and unsatisfactory explanations relating to a general need for risk analysis.

[...] The decisions that Nexi has made are incomprehensible to us. Over the last months, as part of a security audit that Nexi claimed to be conducting, we have provided them with large amounts of the FSFE's financial documentation, which even included private information of our executive staff. We have answered all of their questions. But we have to draw a line when private companies like Nexi demand access to the sensitive and private data of our supporters.

According to the blog post, more than 450 supporters have been affected by this. The FSFE's donation pages have been updated with its new payment provider.

Fedora Project Leader (FPL) Jef Spaleta has issued a "modest proposal" for a technology-innovation-lifecycle process that would provide more formal structure for adopting technologies in Fedora. The idea is to spur innovation in the project without having an adverse impact on stability or the release process. Spaleta's proposal is somewhat light on details, particularly as far as specific examples of which projects would benefit; however, the reception so far is mostly positive and some think that it could make Fedora more "competitive" by being the place where open-source projects come to grow.

Security updates have been issued by Fedora (mingw-openexr, vim, and yarnpkg), Oracle (freerdp), Red Hat (389-ds-base, container-tools:rhel8, libpng, libpng15, nginx, nginx:1.24, nginx:1.26, opencryptoki, python3, python3.11, python3.12, and python3.9), SUSE (ruby4.0-rubygem-activestorage, ruby4.0-rubygem-activesupport, ruby4.0-rubygem-glogalid, ruby4.0-rubygem-grpc, ruby4.0-rubygem-jquery-rails, ruby4.0-rubygem-loofah, and rubygem4.0-rubygem-fluentd), and Ubuntu (curl, linux, linux-aws, linux-aws-6.17, linux-gcp, linux-hwe-6.17, linux-oracle, linux-oracle-6.17, linux, linux-aws, linux-gcp, linux-gcp-6.8, linux-gke, linux-gkeop, linux-hwe-6.8, linux-ibm, linux-ibm-6.8, linux-lowlatency, linux-lowlatency-hwe-6.8, linux-oracle, linux-oracle-6.8, linux, linux-aws, linux-gcp, linux-gkeop, linux-ibm, linux-ibm-5.15, linux-intel-iotg, linux-kvm, linux-lowlatency, linux-nvidia, linux-nvidia-tegra, linux-nvidia-tegra-5.15, linux-oracle, linux-xilinx-zynqmp, linux-fips, linux-aws-fips, linux-gcp-fips, linux-gcp, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, python-cryptography, and roundcube).

Version 1.5 of Marknote, a Markdown-based note-management application, has been released. Notable features in this release include Source Mode for working directly with Markdown instead of the WYSIWYG interface, internal wiki-style links for notes, as well as simpler management of notes and notebooks.