lwn.net

Inside this week's LWN.net Weekly Edition:

• Front: Mailman 2 vulnerabilities; AI in Debian; __nonstring__; Cache-aware scheduling; Freezing filesystems; Socket-level storage; Debugging information; LWN in 2025.
• Briefs: Debian election; Kali Linux key; OpenBSD 7.7; Firefox 138.0; GCC 15.1; Meson 1.8.0; Valgrind 3.25.0; FSF review; OSI retrospective; Mastodon; Quotes; ...
• Announcements: Newsletters, conferences, security updates, patches, and more.

Lance Albertson writes that the Oregon State University Open Source Lab, the home of many prominent free-software projects over the years, has run into financial trouble:

I am writing to inform you about a critical and time-sensitive situation facing the Open Source Lab. Over the past several years, we have been operating at a deficit due to a decline in corporate donations. While OSU's College of Engineering (CoE) has generously filled this gap, recent changes in university funding have led to a significant reduction in CoE's budget. As a result, our current funding model is no longer sustainable and CoE needs to find ways to cut programs.

Earlier this week, I was informed that unless we secure $250,000 in committed funds, the OSL will be forced to shut down later this year.

Many eyebrows were raised recently when three vulnerabilities were announced that allegedly impact GNU Mailman 2.1, since many folks assumed that it was no longer being supported. That's not quite the case. Even though version 3 of the GNU Mailman mailing-list manager has been available since 2015, and version 2 was declared (mostly) end of life (EOL) in 2020, there are still plenty of users and projects still using version 2.1.x. There is, as it turns out, a big difference between mostly EOL and actually EOL. For example: WebPros, the company behind the cPanel server and web-site-management platform, still maintains a port of Mailman 2.1.x to Python 3 for its customers and was quick to respond to reports of vulnerabilities. However, the company and upstream Mailman project dispute that the CVEs are valid.

Modern compilers perform a lot of optimizations, which can complicate debugging. Song Liu and Thierry Treyer spoke about a potential improvement to BPF Type Format (BTF) debugging information that could partially combat that problem at the 2025 Linux Storage, Filesystem, Memory-Management, and BPF Summit. They want to add information on selectively inlined functions to BTF in order to better support tracing tools. Treyer participated remotely.

The Free Software Foundation has announced the completion of the review of its board of directors; the process resulted in the reconfirmation of all five sitting board members.

The review examined board members Ian Kelling, Geoffrey Knauth, Henry Poole, Richard Stallman, and Gerald Sussman. The process generated detailed philosophical and policy discussions between board members and the FSF's global associate members on topics ranging from the firmness of the Free Software Definition, developments in machine learning, to the board's president position.

Just over six months ago, The Economist described the US economy as "the envy of the world". That headline would be unlikely to appear now. The economic boom referenced in that article feels like a distant memory, markets are falling, and uncertainty is at an all-time high. Like everybody else, LWN is affected by the current turbulence in the political and economic spheres; we expect to get through this period, but there will be some challenges.

Security updates have been issued by Debian (glibc and libraw), Fedora (digikam, icecat, mingw-LibRaw, perl, perl-Devel-Cover, and perl-PAR-Packer), Red Hat (ghostscript, kernel, and kernel-rt), Slackware (mozilla), SUSE (augeas, firefox, and java-11-openjdk), and Ubuntu (binutils, libxml2, and nodejs).

The LWN.net fediverse (Mastodon) feed has moved; we are now known as @LWN@lwn.net. The migration magic has shifted many of our followers over automatically but, if you follow that stream, you might want to make sure that you have shifted to the new source.

Version 1.8.0 of the Meson build system has been released. Notable changes in this release include the ability to run rustdoc for Rust projects, support for the c2y and gnu2y compiler options, and a new argument (android_exe_type) that makes it possible to use the same meson.build file for Android and non-Android systems.

Version 138.0 of the Firefox web browser has been released. Changes include some profile-management improvements, the ability to get weather-related suggestions in the address bar (US only), and some security fixes.

Tavian Barnes takes on the tedious process of waiting for configure scripts to run.

I paid good money for my 24 CPU cores, but ./configure can only manage to use 69% of one of them. As a result, this random project takes about 13.5× longer to configure the build than it does to actually do the build.

The purpose of a ./configure script is basically to run the compiler a bunch of times and check which runs succeeded. In this way it can test whether particular headers, functions, struct fields, etc. exist, which lets people write portable software. This is an embarrassingly parallel problem, but Autoconf can't parallelize it, and neither can CMake, neither can Meson, etc., etc.

(Thanks to Paul Wise).

The kernel's CPU scheduler has to balance a wide range of objectives. The tasks in the system must be scheduled fairly, with latency for any given task kept within bounds. All of the CPUs in the system should be kept busy if there is enough work to do, but unneeded CPUs should be shut down to reduce power consumption. A task should also run on the CPU that is most likely to have cached the memory that task is using. This patch series from Chen Yu aims to improve how the scheduler handles cache locality for multi-threaded processes.

The Kali Linux distribution has announced that software updates will soon start failing for all users:

This is not only you, this is for everyone, and this is entirely our fault. We lost access to the signing key of the repository, so we had to create a new one. At the same time, we froze the repository (you might have noticed that there was no update since Friday 18th), so nobody was impacted yet. But we're going to unfreeze the repository this week, and it's now signed with the new key.

The announcement includes instructions for how to recover from the problem.

Security updates have been issued by AlmaLinux (glibc, php:8.1, and thunderbird), Debian (libreoffice), Fedora (caddy), Mageia (chromium-browser-stable), Red Hat (php:8.1), SUSE (glow), and Ubuntu (kicad, linux-aws-5.15, linux-azure-nvidia, linux-gcp-5.15, mistral, python-mistral-lib, tomcat8, and trafficserver).

Version 3.25.0 of the Valgrind dynamic-analysis tool has been released. It has lots of new features, including initial support for RISC-V on Linux, handling zstd-compressed debug sections, integration of the Linux Test Project test suite, support for lots more Linux system calls, and more. It also has plenty of bug fixes, of course.

The Open Source Initiative (OSI) has quietly published "takeaways" from its internal retrospective on the recent board of directors election as an update to the March blog post that announced the new members of the board. The election was controversial, in part, due to poor communication and OSI changing the election rules and disqualifying several candidates after the election finished. LWN covered the election and results in March. The update commits to improvements in communication and candidate selection:

What this election exposed was the need for the organization to also assess whether candidates were fully eligible to run and prepared to be seated on the board before voting begins. This is something we will add to the election timeline next year. While we have not finished figuring out all of the requirements for that assessment, part of it will be asking candidates to sign a Candidate Agreement at nomination time. We also have some ideas on ways for potential candidates to have more information even before submitting a nomination.

In a related note, there is a petition asking OSI to publish the "complete, unaltered" results of the board of directors election. Thanks to Josh Triplett for the tip on the petition.

Martin Lau gave a talk in the BPF track of the 2025 Linux Storage, Filesystem, Memory-Management, and BPF Summit about a performance problem plaguing the networking subsystem, and some potential ways to fix it. He works on BPF programs that need to store socket-local data; amid other improvements to the networking and BPF subsystems, retrieving that data has become a noticeable bottleneck for his use case. His proposed fix prompted a good deal of discussion about how the data should be laid out.

Security updates have been issued by AlmaLinux (thunderbird), Debian (distro-info-data, imagemagick, kernel, libsoup2.4, and poppler), Fedora (chromium, java-1.8.0-openjdk, java-1.8.0-openjdk-portable, java-17-openjdk, java-17-openjdk-portable, java-latest-openjdk, pgadmin4, thunderbird, and xz), Mageia (haproxy and libxml2), Oracle (bluez, firefox, gnutls, libtasn1, libxslt, mod_auth_openidc:2.3, ruby:3.1, thunderbird, and xmlrpc-c), Red Hat (delve and golang, glibc, mod_auth_openidc, mod_auth_openidc:2.3, and thunderbird), SUSE (augeas, chromedriver, cifs-utils, govulncheck-vulndb, java-11-openjdk, java-21-openjdk, kyverno, libraw, opentofu, runc, subfinder, and valkey), and Ubuntu (jupyter-notebook and libxml2).

The 6.15-rc4 kernel prepatch is out for testing. "So let's see if this rc ends up avoiding any silly issues - things certainly look pretty normal, and there were no hurried last-minute changes this week due to system upgrades".

The OpenBSD 7.7 release is available. There is, as usual, a long list of changes; see the full changelog for lots of details.