lwn.net

Version 25.12.0 of the OpenWrt router distribution is available; this release has been dedicated to the memory of Dave Täht. Changes include a switch to the apk package manager, the integration of the attended sysupgrade method, and support for a long list of new targets.

Security updates have been issued by Debian (chromium), Fedora (freerdp, libsixel, opensips, and yt-dlp), Mageia (python-django, rsync, and vim), Red Hat (go-rpm-macros and osbuild-composer), SUSE (7zip, assertj-core, autogen, c3p0, cockpit-machines, cockpit, cockpit-repos, containerized-data-importer, cpp-httplib, docker, docker-stable, expat, firefox, gnutls, go1.25-openssl, golang-github-prometheus-prometheus, haproxy, ImageMagick, incus, kernel, kubevirt, libsoup, libsoup2, mchange-commons, ocaml, openCryptoki, openvpn, php-composer2, postgresql14, postgresql15, python-Authlib, python-azure-core, python-nltk, python-urllib3_1, python311-Django4, python311-pillow-heif, python311-PyPDF2, python313, python313-Django6, qemu, rhino, roundcubemail, ruby4.0-rubygem-rack, sdbootutil, and wicked2nm), and Ubuntu (less, nss, python-bleach, qtbase-opensource-src, and zutty).

Version 1.94.0 of the Rust language has been released. Changes include array windows (an iterator for slices), some Cargo enhancements, and a number of newly stabilized APIs.

The grith.ai blog reports on an LLM prompt-injection vulnerability that led to 4,000 installations of a compromised version of the Cline utility.

For the next eight hours, every developer who installed or updated Cline got OpenClaw - a separate AI agent with full system access - installed globally on their machine without consent. Approximately 4,000 downloads occurred before the package was pulled.

The interesting part is not the payload. It is how the attacker got the npm token in the first place: by injecting a prompt into a GitHub issue title, which an AI triage bot read, interpreted as an instruction, and executed.

Chardet is a Python module that attempts to determine which character set was used to encode a text string. It was originally written by Mark Pilgrim, who is also the author of a number of Python books; the 1.0 release happened in 2006. For many years, this module has been under the maintainership of Dan Blanchard. Chardet has always been licensed under the LGPL, but, with the 7.0.0 release, Blanchard changed the terms to the permissive MIT license. That has led to an extensive (and ongoing) discussion on when code can be relicensed against the wishes of its original author, and whether using a large language model to rewrite code is a legitimate way to strip copyleft requirements from code.

Peter Korsgaard has announced version 2026.02 of Buildroot, a tool for generating embedded Linux systems through cross-compilation. Notable changes include added support for HPPA, use of the 6.19.x kernel headers by default, better SBOM generation, and more.

Again a very active cycle with more than 1500 changes from 97 unique contributors. I'm once again very happy to see so many "new" people next to the "oldtimers".

See the changelog for full details. Thanks to Julien Olivain for pointing us to the announcement.

Sasha Levin has announced the release of the 6.12.76, 6.6.129, and 6.1.166 stable kernels. These releases address a regression reported by Peter Schneider; Levin said that an upgrade is only necessary for those who have observed a build failure with the 6.12.75, 6.6.128, or 6.1.165 kernels.

The multi-generational LRU (MGLRU) is an alternative memory-management algorithm that was merged for the 6.1 kernel in late 2022. It brought a promise of much-improved performance and simplified code. Since then, though, progress on MGLRU has stalled, and it still is not enabled on many systems. As the 2026 Linux Storage, Filesystem, Memory-Management and BPF Summit (LSFMM+BPF) approaches, several memory-management developers have indicated a desire to talk about the future of MGLRU. While some developers are looking for ways to improve the subsystem, another has called for it to be removed entirely.

Security updates have been issued by AlmaLinux (go-rpm-macros, libpng, thunderbird, udisks2, and valkey), Fedora (coturn, php-zumba-json-serializer, valkey, and yt-dlp), Red Hat (delve, go-rpm-macros, grafana, grafana-pcp, image-builder, osbuild-composer, and postgresql), Slackware (nvi), SUSE (firefox, glibc, haproxy, kernel, kubevirt, libsoup, libsoup2, libxslt, mozilla-nss, ocaml, python, python-Django, python-pip, util-linux, virtiofsd, wicked2nm,suse-migration-services,suse-migration- sle16-activation,SLES16-Migration,SLES16-SAP_Migration, and wireshark), and Ubuntu (gimp, linux-aws, linux-lts-xenial, linux-aws-fips, linux-azure, linux-azure-fips, linux-fips, nss, postgresql-14, postgresql-16, postgresql-17, and qemu).

Inside this week's LWN.net Weekly Edition:

• Front: Python's bitwise-inversion operator; atomic buffered I/O; keeping open source open; Magit and Majutsu; IIIF; free software and free tools.
• Briefs: Ad tracking; firmware updates; TCP zero-copy; Motorola GrapheneOS phones; Gram 1.0; groff 1.24.0; Texinfo 7.3; Quotes; ...
• Announcements: Newsletters, conferences, security updates, patches, and more.

Sasha Levin has announced the release of the 6.19.6, 6.18.16, 6.12.75, 6.6.128, 6.1.165, 5.15.202, and 5.10.252 stable kernels. Each contains important fixes throughout the tree; users of these kernels are advised to upgrade.

Security updates have been issued by AlmaLinux (container-tools:rhel8, firefox, go-rpm-macros, kernel, kernel-rt, mingw-fontconfig, nginx:1.24, thunderbird, and valkey), Debian (gimp), Fedora (apt, avr-binutils, keylime, keylime-agent-rust, perl-Crypt-URandom, python-apt, and rsync), Red Hat (go-rpm-macros and yggdrasil-worker-package-manager), Slackware (python3), SUSE (busybox, cosign, cups, docker, evolution-data-server, freerdp, glibc, gnome-remote-desktop, go1.24-openssl, go1.25-openssl, govulncheck-vulndb, libpng16, libsoup, libssh, libxml2, patch, postgresql14, postgresql15, postgresql16, postgresql17, postgresql18, python, python311, rust-keylime, smc-tools, tracker-miners, and zlib), and Ubuntu (curl, imagemagick, intel-microcode, linux, linux-aws, linux-kvm, linux-aws, linux-aws-5.15, linux-gcp-5.15, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-nvidia-tegra-5.15, linux-nvidia-tegra-igx, linux-oracle-5.15, linux-aws-fips, and linux-raspi, linux-raspi-5.4).

Jujutsu is an increasingly popular Git-compatible version-control system. It has a focus on simplifying Git's conceptual model to produce a smoother, clearer command-line experience. Some people already have a preferred replacement for Git's usual command-line interface, though: Magit, an Emacs package for working with Git repositories that also tries to make the interface more discoverable. Now, a handful of people are working to implement a Magit-style interface for Jujutsu: Majutsu.

This 404 Media article looks at how the US Customs and Border Protection agency (CBP) is using location data from phones to track the location of people of interest.

Specifically, CBP says the data was in part sourced via real-time bidding, or RTB. Whenever an advertisement is displayed inside an app, a near instantaneous bidding process happens with companies vying to have their advert served to a certain demographic. A side effect of this is that surveillance firms, or rogue advertising companies working on their behalf, can observe this process and siphon information about mobile phones, including their location. All of this is essentially invisible to an ordinary phone user, but happens constantly.

We should note that the minimal advertising shown on LWN is not delivered via this bidding system.

One of the contradictions of the modern open-source movement is that projects which respect user freedoms often rely on proprietary tools that do not: communities often turn to non-free software for code hosting, communication, and more. At Configuration Management Camp (CfgMgmtCamp) 2026, Jan Ainali spoke about the need for open-source projects to adopt open tools; he hoped to persuade new and mature projects to switch to open alternatives, even if just one tool, to reduce their dependencies on tech giants and support community-driven infrastructure.

Matthew Garrett examines the factors that go into the decision about whether to install a firmware update or not.

I trust my CPU vendor. I don't trust my CPU vendor because I want to, I trust my CPU vendor because I have no choice. I don't think it's likely that my CPU vendor has designed a CPU that identifies when I'm generating cryptographic keys and biases the RNG output so my keys are significantly weaker than they look, but it's not literally impossible. I generate keys on it anyway, because what choice do I have? At some point I will buy a new laptop because Electron will no longer fit in 32GB of RAM and I will have to make the same affirmation of trust, because the alternative is that I just don't have a computer.

Security updates have been issued by AlmaLinux (containernetworking-plugins, gnutls, kernel, libpng, and skopeo), Debian (firefox-esr, php8.2, and spip), Fedora (erlang and python-pillow), Red Hat (go-toolset:rhel8, golang, and yggdrasil), SUSE (cups, fluidsynth, gvfs, haproxy, libsoup, libsoup-3_0-0, mozilla-nss, python-azure-core, and shim), and Ubuntu (git and mailman).

There are many applications that need to be able to write multi-block chunks of data to disk with the assurance that the operation will either complete successfully or fail altogether — that the write will not be partially completed (or "torn"), in other words. For years, kernel developers have worked on providing atomic writes as a way of satisfying that need; see, for example, sessions from the Linux Storage, Filesystem, Memory Management, and BPF (LSFMM+BPF) Summit from 2023, 2024, and 2025 (twice). While atomic direct I/O is now supported by some filesystems, atomic buffered I/O still is not. Filling that gap seems certain to be a 2026 LSFMM+BPF topic but, thanks to an early discussion, the shape of a solution might already be coming into focus.

Toke Høiland-Jørgensen has posted an overview of how zero-copy networking works in the Linux kernel.

Since the memory is being copied directly from userspace to the network device, the userspace application has to keep it around unmodified, until it has finished sending. The sendmsg() syscall itself is asynchronous, and will return without waiting for this. Instead, once the memory buffers are no longer needed by the stack, the kernel will return a notification to userspace that the buffers can be reused.

Version 7.3 of Texinfo, the GNU documentation-formatting system, has been released. It contains a number of new features, performance improvements, and enhancements.