lwn.net

Version 0.10.0 of the Tuba fediverse client has been released. Notable changes in this release include a new post composer, an in-app web browser, search history, and many other refinements. See this thread for more details and highlights.

For eight years, Masahiro Yamada has been the sole maintainer of the kernel's build and configuration systems — two complex pieces of infrastructure that many people interact with, but few truly understand. Yamada has just stepped down from that position. Maintenance of the build system will be taken up by Nathan Chancellor and Nicolas Schier (in the "odd fixes" capacity), while the configuration system is now entirely unmaintained.

Thanks are due to Yamada for all that work, and to Chancellor and Schier for stepping up. Hopefully a way will be found to better support these important subsystems in the near future.

Security updates have been issued by AlmaLinux (kernel and python3.12-setuptools), Fedora (perl-Crypt-CBC and unbound), Gentoo (FontForge, GPL Ghostscript, Mozilla Network Security Service (NSS), and PAM), Oracle (gdk-pixbuf2, jq, kernel, mod_security, ncurses, python-requests, and python3-setuptools), Red Hat (python-requests and socat), SUSE (docker, kernel-livepatch-MICRO-6-0-RT_Update_2, kernel-livepatch-MICRO-6-0-RT_Update_4, kernel-livepatch-MICRO-6-0-RT_Update_5, kernel-livepatch-MICRO-6-0-RT_Update_6, kernel-livepatch-MICRO-6-0-RT_Update_7, kernel-livepatch-MICRO-6-0_Update_2, kernel-livepatch-MICRO-6-0_Update_4, kernel-livepatch-MICRO-6-0_Update_5, kernel-livepatch-MICRO-6-0_Update_6, kubeshark-cli, libgcrypt, pam-config, perl, python-requests, python311, and python313), and Ubuntu (linux-raspi).

Proxmox Virtual Environment 9.0, based on Debian 13 ("trixie"), has been released. Notable new features include snapshots for thick-provisioned LVM shared storage, affinity rules for high availability (HA) clusters, and a modernized mobile web interface for managing Proxmox systems. See the release notes and known issues for more details about the release.

The use of huge pages can significantly increase the performance of many workloads by reducing both memory-management overhead in the kernel and pressure on the system's translation lookaside buffer (TLB). The addition of transparent huge pages (THP) for the 2.6.38 kernel release in 2011 caused the kernel to allocate huge pages automatically to make their benefits available to all workloads without any effort needed on the user-space side. But it turns out that use of huge pages can make some workloads slower as the result of internal memory fragmentation, so the THP feature is often disabled. Two patch sets aimed at better targeting the use of transparent huge pages are currently working their way through the review process.

The call for topics for the 2025 Maintainers Summit has been posted. The Summit, to be held in Tokyo on December 10, will involve around 30 developers gathered to discuss development-process issues for the kernel. Anybody who is interested in attending is encouraged to post a nomination along with the topic they would like to discuss. Nominations and topics are best sent before September 10.

The call for topics for the Kernel Summit, which runs as a Linux Plumbers Conference track, is also out.

Antonio Cuni, who is a longtime Python performance engineer and PyPy developer, gave a presentation at EuroPython 2025 about "Myths and fairy tales around Python performance" on the first day of the conference in Prague. As might be guessed from the title, he thinks that much of the conventional wisdom about Python performance is misleading at best. With lots of examples, he showed where the real problems that he sees lie. He has come to the conclusion that memory management will ultimately limit what can be done about Python performance, but he has an early-stage project called SPy that might be a way toward a super-fast Python.

Security updates have been issued by AlmaLinux (python-requests), Fedora (mingw-libxslt), Red Hat (gdk-pixbuf2, jq, kernel, mod_security, ncurses, nodejs:22, opentelemetry-collector, python-setuptools, python3-setuptools, python3.12-setuptools, qt5-qt3d, redis, redis:6, redis:7, sqlite, and unbound), SUSE (apache2, cairo, chromium, djvulibre, govulncheck-vulndb, grub2, java-11-openjdk, java-17-openjdk, liblua5_5-5, nvidia-open-driver-G06-signed, python, python310, python314, python39, redis, sqlite3, and systemd), and Ubuntu (apport, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-aws-fips, linux-azure-fips, linux-fips, linux-gcp-fips, linux-azure, and linux-oracle).

A pair of packages containing fortune "cookies" that were deemed offensive have been removed from the upcoming Debian 13 ("trixie") release. This has, of course, led to a lengthy discussion and debate about what does, or does not, belong in the distribution. It may also lead to a general resolution (GR) to decide whether Debian's code of conduct (CoC) applies to the contents of packages.

Security updates have been issued by AlmaLinux (java-21-openjdk, kernel, libxml2, and lz4), Debian (exempi, ruby-graphql, and sope), Fedora (binutils, chromium, gdk-pixbuf2, libsoup3, poppler, and reposurgeon), Mageia (glib2.0 and wxgtk), Oracle (jackson-annotations, jackson-core, jackson-databind, jackson-jaxrs-providers, and jackson-modules-base and libxml2), Red Hat (kernel, pandoc, pcs, qemu-kvm, redis, and rsync), SUSE (chromedriver, coreutils, cosign, docker, gdk-pixbuf-devel, glib2, gnutls, grub2, gstreamer-plugins-base, helm, ignition, java-21-openjdk, jbigkit, jq, kernel, kubernetes1.28, kwctl, libxml2, nvidia-open-driver-G06-signed, opensc, pam-config, protobuf, python310, tgt, and valkey), and Ubuntu (linux-iot).

Running a modern mail server is a complicated business. In part, this complication is caused by the series of incrementally developed practices designed to combat the huge flood of spam that dominates modern email communication. An unfortunate side effect is that it prevents people from running their own mail servers, concentrating people on a few big providers. NNCPNET is a suite of software written by John Goerzen based on the node-to-node copy (NNCP) protocol that aims to make running one's own mail servers as easy as it once was. While the default configurations communicates only with other NNCPNET servers, there is a public relay that connects the system to the broader internet mail ecosystem.

Linuxiac reports that another malicious package has been uploaded to the Arch User Repository (AUR). This time around the package was google-chrome-stable, which installed a remote-access trojan along with Google Chrome.

The good news—if you can call it that—is that the google-chrome-stable package was available on the AUR only for a few hours before the malware hidden inside was discovered. Still, it did get a few upvotes, which suggests at least some users ended up installing it.

The Arch Linux project had to warn users about a similar attack less than a month ago when a user uploaded three browser packages that also installed a malicious script identified as a remote-access trojan.

Security updates have been issued by AlmaLinux (firefox and thunderbird), Debian (libcommons-lang-java, node-form-data, redis, and sope), Fedora (chromium), Mageia (slurm), Oracle (apache-commons-beanutils, firefox, kernel, redis:6, and thunderbird), Red Hat (kernel, kernel-rt, libxml2, and redis), SUSE (chromium, docker, ffmpeg-7, gnutls, kubevirt, virt-api-container, virt-controller-container, virt-exportproxy-container, virt-exportserver-container, virt-handler-container, virt-launcher-container, virt-libguestfs-t, libgcrypt, rav1e, and sccache), and Ubuntu (linux-lowlatency, linux-lowlatency-hwe-6.8).

Greg Kroah-Hartman has released the 6.15.9, 6.12.41, and 6.6.101 stable kernels.

SilverBullet is a MIT-licensed note-taking application, designed to run as a self-hosted web server. Started in 2022, the project is approaching its 2.0 release, making this a good time to explore the features it offers. SilverBullet stores notes as plain Markdown files, and provides a Lua scripting API to customize the application's appearance and behavior.

Matthew Garrett has posted a detailed followup to our recent article on the coming expiration if Microsoft's Secure Boot signing key.

The upshot is that nobody actually enforces these expiry dates - here's the reference code that disables it. In a year's time we'll have gone past the expiration date for 'Microsoft Windows UEFI Driver Publisher' and everything will still be working, and a few months later 'Microsoft Windows Production PCA 2011' will also expire and systems will keep booting Windows despite being signed with a now-expired certificate. This isn't a Y2K scenario where everything keeps working because people have done a huge amount of work - it's a situation where everything keeps working even if nobody does any work.

As of this writing, just over 4,000 non-merge changesets have been pulled into the mainline repository during the 6.17 merge window. When he announced the merge-window opening, Linus Torvalds let it be known that, due to a busy personal schedule, he was likely to pull changes more quickly than usual this time around; that has been borne out to some extent. Changes merged so far are focused on core-kernel and filesystem work; read on for the details.

Security updates have been issued by AlmaLinux (firefox, java-21-openjdk, kernel, thunderbird, and unbound), Debian (chromium and systemd), Fedora (libtiff), Oracle (java-21-openjdk, libtpms, nodejs:22, redis:7, thunderbird, and unbound), Red Hat (firefox, redis, and thunderbird), SUSE (apache2, cdi-apiserver-container, cdi-cloner-container, cdi- controller-container, cdi-importer-container, cdi-operator-container, cdi- uploadproxy-container, cdi-uploadserver-container, cont, java-11-openjdk, kubevirt, virt-api-container, virt-controller-container, virt-exportproxy-container, virt-exportserver-container, virt-handler-container, virt-launcher-container, virt-libguestf, libarchive, nvidia-open-driver-G06-signed, redis, and rmt-server), and Ubuntu (linux, linux-aws, linux-aws-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-intel-iotg, linux-intel-iotg-5.15, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-nvidia-tegra, linux-nvidia-tegra-5.15, linux-nvidia-tegra-igx, linux-oracle, linux-oracle-5.15, linux-xilinx-zynqmp, linux, linux-aws, linux-aws-6.14, linux-gcp, linux-gcp-6.14, linux-hwe-6.14, linux-oem-6.14, linux-raspi, linux-realtime, linux, linux-aws, linux-aws-6.8, linux-gcp, linux-gke, linux-gkeop, linux-hwe-6.8, linux-ibm, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, linux-oem-6.8, linux-oracle, linux, linux-aws, linux-kvm, linux-aws, linux-lts-xenial, linux-aws-fips, linux-fips, linux-gcp-fips, linux-azure, linux-fips, linux-intel-iot-realtime, linux-realtime, linux-oracle, linux-oracle-6.8, linux-realtime, and sqlite3).

Inside this week's LWN.net Weekly Edition:

• Front: Becoming a Python contributor; Graphene OS; Fedora quality team; 6.16 Development statistics; Proxy execution; Run-time verification; Confidential VMs.
• Briefs: HeliumOS 10; European Tech Funding; GNU C Library 2.42; OpenPrinting; Wayback 0.1
• Announcements: Newsletters, conferences, security updates, patches, and more.

GitHub director of developer policy, Felix Reda, has published a blog post about a GitHub-commissioned study by Open Forum Europe, Fraunhofer ISI and the European University Institute. The study finds, not surprisingly, "a profound mismatch between the importance of open source maintenance and the public attention it receives"; it calls for a European sovereign tech fund (STF) modeled after Germany's Sovereign Tech Agency.

The study proposes two alternative institutional setups for the EU-STF: either the creation of a centralized EU institution (the moonshot model), or a consortium of EU member states that provide the initial funding and apply for additional resources from the EU budget (the pragmatic model). In both cases, to make the fund a success, the minimum contribution from the upcoming EU multiannual budget should be no less than €350 million. This would not be enough to meet the open source maintenance need, but it could form the basis for leveraging industry and national government co-financing that would make a lasting impact.

The European Union is currently starting negotiations for its 2028-2034 budget, the Multiannual Financial Framework; GitHub and others hope to persuade EU legislators to include a European STF in that framework.