lwn.net

Version 150 of the Firefox web browser has been released. Notable changes include local-network-access restrictions being turned on for all users, the ability to reorder, copy, delete, paste, and export pages from a PDF using Firefox's built-in viewer, as well as improvements in its split view feature, and more. See also the release notes for developers and list of security fixes in this release.

Security updates have been issued by AlmaLinux (freerdp, kernel, and kernel-rt), Debian (mupdf, opam, simpleeval, and xdg-dbus-proxy), Mageia (firefox, thunderbird and libtiff), Red Hat (containernetworking-plugins, gvisor-tap-vsock, nodejs22, nodejs:20, nodejs:22, perl-XML-Parser, python3.11, python3.9, runc, and skopeo), and SUSE (bind, buildah, cockpit-subscriptions, container-suseconnect, containerd, corosync, cosign, docker, dovecot24, flatpak, freeipmi, gegl, GraphicsMagick, helm, ImageMagick, kubernetes, kubernetes-old, libpng15, LibVNCServer, ncurses, nodejs22, opensc, openvswitch, patterns-glibc-hwcaps, podman, python, python310, python312, python315, rekor, rootlesskit, roundcubemail, and runc).

Git maintainer Junio Hamano has announced Git 2.54.0, which includes contributions from 137 people; 66 of those people are first-time contributors to the project. Changes include the addition of Git history rewriting, Git's web interface (gitweb) "has been taught to be mobile friendly", and much more. See the announcement for all improvements, additions, and bug fixes. Hamano is now taking a short break:

I will go offline for a couple of weeks starting this evening, hopefully after updating 'next' and possibly also pushing out the first batch of the new cycle. There is no designated interim maintainer this time, but I trust that the community can self organize during my absense, if the shape of the release and the tree turns out to be super bad ;-).

Robin Candau has announced the availability of a bit-for-bit reproducible container image for Arch Linux:

The bit-for-bit reproducibility of the image is confirmed by digest equality across builds (podman inspect --format '{{.Digest}}' <image>) and by running diffoci to compare builds. We provide documentation on how to reproduce this Docker image (as we did for the WSL image as well).

Building the base rootFS for the Docker image in a deterministic way was the main challenge, but it reuses the same process as for our WSL image (as both share the same rootFS build system).

[...] This represents another meaningful achievement in our "reproducible builds" efforts and we're already looking forward to the next step!

The Document Foundation (TDF) is the nonprofit entity behind the LibreOffice productivity suite. Most of the time, the software takes the spotlight, but that has changed in the past few weeks, and not for pleasant reasons. TDF has revoked foundation membership status from about 30 people who work for or have contracting status with Collabora. In response, Collabora has announced plans to focus on a "entirely new, cut-down, differentiated Collabora Office" project and reduce its involvement with LibreOffice. TDF's representatives claim that its actions were necessary to maintain the foundation's nonprofit status, while other community members assert that this is part of a power grab. The facts seem to indicate that there are legitimate issues to be addressed, but it is unclear that TDF needed to go so far as to disenfranchise all Collabora-affiliated contributors.

Debian Project secretary Kurt Roeckx has announced the Debian Project Leader (DPL) election results: the winner of the election is Sruthi Chandran. She will replace two-term DPL Andreas Tille.

Security updates have been issued by AlmaLinux (.NET 10.0, .NET 8.0, .NET 9.0, delve, freerdp, giflib, go-rpm-macros, libarchive, and openexr), Debian (gimp, imagemagick, luanti, mapserver, mupdf, opam, perl, pillow, postgresql-13, and tiff), Fedora (aqualung, awstats, curl, incus, mac, mbedtls, mingw-LibRaw, python-msal, python3.11, python3.12, python3.15, smb4k, stb, and usd), Gentoo (DTrace and FUSE), Mageia (gdk-pixbuf2.0, giflib, polkit-122, python-cairosvg, and rsync), Oracle (.NET 10.0, .NET 8.0, .NET 9.0, 389-ds-base, bind, freerdp, go-rpm-macros, kernel, libarchive, nodejs:20, openexr, perl:5.32, python, python3, squid:4, thunderbird, and uek-kernel), Slackware (tigervnc), and SUSE (aardvark-dns, avahi, bind, blender, Botan, bouncycastle, chromedriver, cpp-httplib-devel, flannel, gdk-pixbuf, GraphicsMagick, ignition, ImageMagick, jetty-annotations, jetty-minimal, kernel, kubo, leancrypto-devel, libcap, liblog4cxx-devel, libpng16-16, libraw, libraw-devel, NetworkManager, opam, openssl-3, openvswitch, openvswitch3, podman, polkit, python-cryptography, python-djangorestframework, python-Django, python-ecdsa, python311-Django, python311-jwcrypto, python311-Pillow, roundcubemail, skopeo, tempo-cli, and vim).

Greg Kroah-Hartman has announced the release of the 6.19.13, 6.18.23, 6.12.82, 6.6.135, 6.1.169, 5.15.203, and 5.10.253 stable kernels. Each contains a number of important fixes throughout the tree; users are advised to upgrade.

Shor's algorithm is the main practical example of an algorithm that runs more quickly on a quantum computer than a classical computer — at least in theory. Shor's algorithm allows large numbers to be factored into their component prime factors quickly. In reality, existing quantum computers do not have nearly enough memory to factor interesting numbers using Shor's algorithm, despite decades of research. A new paper provides a major step in that direction, however. While still impractical on today's quantum computers, the recent discovery cuts the amount of memory needed to attack 256-bit elliptic-curve cryptography by a factor of 20. More interesting, however, is that the researchers chose to publish a zero-knowledge proof demonstrating that they know a quantum circuit that shows these improvements, rather than publishing the actual knowledge of how to do it.

One of the more significant changes in the 7.0 kernel release is to use the lazy-preemption mode by default in the CPU scheduler. The scheduler developers have wanted to reduce the number of preemption modes for years, and lazy preemption looks like a step toward that goal. But then there came this report from Salvatore Dipietro that lazy preemption caused a 50% performance regression on a PostgreSQL benchmark. Investigation showed that the situation is not actually so grave, but the episode highlights just how sensitive some workloads can be to configuration changes; there may be surprises in store for other users as well.

Security updates have been issued by AlmaLinux (.NET 8.0, .NET 9.0, freerdp, libarchive, and thunderbird), Debian (chromium, openssh, and thunderbird), Fedora (aurorae, bluedevil, breeze-gtk, buildah, cockpit, extra-cmake-modules, flatpak-kcm, grub2-breeze-theme, kactivitymanagerd, kcm_wacomtablet, kde-cli-tools, kde-gtk-config, kdecoration, kdeplasma-addons, kf6, kf6-attica, kf6-baloo, kf6-bluez-qt, kf6-breeze-icons, kf6-frameworkintegration, kf6-kapidox, kf6-karchive, kf6-kauth, kf6-kbookmarks, kf6-kcalendarcore, kf6-kcmutils, kf6-kcodecs, kf6-kcolorscheme, kf6-kcompletion, kf6-kconfig, kf6-kconfigwidgets, kf6-kcontacts, kf6-kcoreaddons, kf6-kcrash, kf6-kdav, kf6-kdbusaddons, kf6-kdeclarative, kf6-kded, kf6-kdesu, kf6-kdnssd, kf6-kdoctools, kf6-kfilemetadata, kf6-kglobalaccel, kf6-kguiaddons, kf6-kholidays, kf6-ki18n, kf6-kiconthemes, kf6-kidletime, kf6-kimageformats, kf6-kio, kf6-kirigami, kf6-kitemmodels, kf6-kitemviews, kf6-kjobwidgets, kf6-knewstuff, kf6-knotifications, kf6-knotifyconfig, kf6-kpackage, kf6-kparts, kf6-kpeople, kf6-kplotting, kf6-kpty, kf6-kquickcharts, kf6-krunner, kf6-kservice, kf6-kstatusnotifieritem, kf6-ksvg, kf6-ktexteditor, kf6-ktexttemplate, kf6-ktextwidgets, kf6-kunitconversion, kf6-kuserfeedback, kf6-kwallet, kf6-kwidgetsaddons, kf6-kwindowsystem, kf6-kxmlgui, kf6-modemmanager-qt, kf6-networkmanager-qt, kf6-prison, kf6-purpose, kf6-qqc2-desktop-style, kf6-solid, kf6-sonnet, kf6-syndication, kf6-syntax-highlighting, kf6-threadweaver, kgamma, kglobalacceld, kinfocenter, kmenuedit, knighttime, kpipewire, krdp, kscreen, kscreenlocker, ksshaskpass, ksystemstats, kwayland, kwayland-integration, kwin, kwin-x11, kwrited, layer-shell-qt, libexif, libkscreen, libksysguard, libplasma, nix, ocean-sound-theme, oxygen-sounds, pam-kwallet, plasma-activities, plasma-activities-stats, plasma-breeze, plasma-browser-integration, plasma-desktop, plasma-dialer, plasma-discover, plasma-disks, plasma-drkonqi, plasma-firewall, plasma-integration, plasma-keyboard, plasma-login-manager, plasma-milou, plasma-mobile, plasma-nano, plasma-nm, plasma-oxygen, plasma-pa, plasma-print-manager, plasma-sdk, plasma-setup, plasma-systemmonitor, plasma-systemsettings, plasma-thunderbolt, plasma-vault, plasma-welcome, plasma-workspace, plasma-workspace-wallpapers, plasma-workspace-x11, plasma5support, plymouth-kcm, plymouth-theme-breeze, podman, polkit-kde, powerdevil, qqc2-breeze-style, sddm-kcm, skopeo, spacebar, spectacle, thunderbird, and xdg-desktop-portal-kde), Mageia (cockpit-338), Oracle (capstone, cockpit, firefox, fontforge, freerdp, golang-github-openprinting-ipp-usb, kernel, nghttp2, nodejs:20, nodejs:24, openexr, and squid), Red Hat (gnutls, libarchive, libpng, libpng12, libpng15, libtiff, libvpx, libxslt, multiple packages, python, python3, python3.11, python3.12, and python3.9), Slackware (libxml2), SUSE (apache-pdfbox, azure-storage-azcopy, corosync, cups, freerdp, iproute2, libsdb2_4_2, libtpms, NetworkManager, openssl-1_1, ovmf, plexus-utils, python, python-CairoSVG, python-jwcrypto, python-PyJWT, python-pyOpenSSL, python-urllib3, python3, python314, rust1.93, shim, smc-tools, terraform-provider-local, terraform-provider-random, terraform-provider-tls, thunderbird, tiff, util-linux, and vim), and Ubuntu (libowasp-esapi-java, linux, linux-aws, linux-aws-5.15, linux-gcp, linux-gke, linux-gkeop, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-oracle, linux, linux-aws, linux-aws-6.8, linux-gcp, linux-gke, linux-gkeop, linux-ibm, linux-lowlatency, linux-lowlatency-hwe-6.8, linux, linux-realtime, linux-aws-fips, linux-fips, linux-gcp-fips, linux-fips, linux-gcp-fips, linux-gcp, linux-gcp-6.17, linux-hwe-5.15, linux-intel-iot-realtime, linux-realtime, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, linux-nvidia-tegra, linux-nvidia-tegra, linux-nvidia-tegra-igx, linux-realtime, linux-realtime-6.8, linux-realtime-6.17, ofono, and ruby-rack).

Version 1.95.0 of the Rust language has been released. Changes include the addition of a cfg_select! macro, the capability to use if let guards to allow conditionals based on pattern matching, and many newly stabilized APIs. See the release notes for a full list of changes.

Version 15.0 of the Forgejo code-collaboration platform has been released. Changes include repository-specific access tokens, a number of improvements to Forgejo Actions, user-interface enhancements, and more. Forgejo 15.0 is considered a long-term-support (LTS) release, and will be supported through July 15, 2027. The previous LTS, version 11.0, will reach end of life on July 16, 2026. See the announcement and release notes for a full list of changes.

The 7.1 merge window opened on April 12 with the release of the 7.0 kernel. Since then, 3,855 non-merge changesets have been pulled into the mainline repository for the next release. This merge window is thus just getting started, but there has still been a fair amount of interesting work moving into the mainline.

Version 26.04 of the KDE Gear collection of applications has been released. Notable changes include improvements in the Merkuro Calendar schedule view and event editor, support for threads in the NeoChat Matrix chat client, as well as the ability to add keyboard shortcuts in the Dolphin file manager "to nearly any option in any menu, plugin or extension". See the changelog for a full list of updates, enhancements, and bug fixes.

Security updates have been issued by AlmaLinux (bind, bind9.16, bind9.18, cockpit, fence-agents, firefox, fontforge, git-lfs, grafana, grafana-pcp, kernel, nghttp2, nginx, nginx:1.24, nginx:1.26, nodejs:20, nodejs:22, nodejs:24, pcs, perl-XML-Parser, perl:5.32, resource-agents, squid:4, thunderbird, and vim), Debian (incus, lxd, and python3.9), Fedora (cef, composer, erlang, libpng, micropython, mingw-openexr, moby-engine, NetworkManager-ssh, perl, perl-Devel-Cover, perl-PAR-Packer, polymake, pypy, python-cairosvg, python-flask-httpauth, and python3.15), Mageia (kernel, kmod-virtualbox, kmod-xtables-addons and kernel-linus), Oracle (\cockpit, bind, bind9.16, bind9.18, firefox, git-lfs, go-toolset:ol8, grafana, grafana-pcp, grub2, kea, kernel, libtiff, nghttp2, nginx, nginx:1.24, nginx:1.26, nodejs22, nodejs24, nodejs:22, nodejs:24, perl-XML-Parser, python3.9, thunderbird, uek-kernel, and vim), Red Hat (delve, go-toolset:rhel8, golang, golang-github-openprinting-ipp-usb, osbuild-composer, and rhc), SUSE (bind, Botan, cockpit, cockpit-subscriptions, expat, flatpak, glibc, goshs, himmelblau, kea, kernel, kubo, libpng16, libssh, log4j, mariadb, Mesa, netty, netty-tcnative, nfs-utils, nghttp2, nodejs20, openssl-3, pam, pcre2, python, python310, python311, python311-aiohttp, python311-rfc3161-client, python313, python36, rubygem-bundler, sqlite3, sudo, tigervnc, tomcat, tomcat10, tomcat11, util-linux, vim, and webkit2gtk3), and Ubuntu (dotnet8, dotnet9, dotnet10, frr, and linux-azure, linux-azure-4.15).

Inside this week's LWN.net Weekly Edition:

• Front: LLM security reports; OpenWrt One build system; Vim forks; removing read-only THPs; 7.0 statistics; MusicBrainz Picard.
• Briefs: OpenSSL 4.0.0; Relicensing; Servo; Zig 0.16.0; Quotes; ...
• Announcements: Newsletters, conferences, security updates, patches, and more.

OnlyOffice CEO Lev Bannov has recently claimed that the Euro-Office fork of the OnlyOffice suite violates the GNU Affero General Public License version 3 (AGPLv3). Krzysztof Siewicz of the Free Software Foundation (FSF) has published an article on the FSF's position on adding terms to the AGPLv3. In short, Siewicz concludes that OnlyOffice has added restrictions to the license that are not compatible with the AGPLv3, and those restrictions can be removed by recipients of the code.

We urge OnlyOffice to clarify the situation by making it unambiguous that OnlyOffice is licensed under the AGPLv3, and that users who already received copies of the software are allowed to remove any further restrictions. Additionally, if they intend to continue to use the AGPLv3 for future releases, they should state clearly that the program is licensed under the AGPLv3 and make sure they remove any further restrictions from their program documentation and source code. Confusing users by attaching further restrictions to any of the FSF's family of GNU General Public Licenses is not in line with free software.

Many people dislike the proliferation of Large Language Models (LLMs) in recent years, and so make an understandable attempt to avoid them. That may not be possible in general, but there are two new forks of Vim that seek to provide an editing environment with no LLM-generated code. EVi focuses on being a modern Vim without LLM-assisted contributions, while Vim Classic focuses on providing a long-term maintenance version of Vim 8. While both are still in their early phases, the projects look to be on track to provide stable alternatives — as long as enough people are interested.

Security updates have been issued by AlmaLinux (capstone, cockpit, firefox, git-lfs, golang-github-openprinting-ipp-usb, kea, kernel, nghttp2, nodejs24, openexr, perl-XML-Parser, rsync, squid, and vim), Debian (imagemagick, systemd, and thunderbird), Slackware (libexif and xorg), SUSE (bind, clamav, firefox, freerdp2, giflib, go1.25, go1.26, helm, ignition, libpng16, libssh, oci-cli, rust1.92, strongswan, sudo, xorg-x11-server, and xwayland), and Ubuntu (rust-tar and rustc, rustc-1.76, rustc-1.77, rustc-1.78, rustc-1.79, rustc-1.80).