lwn.net

Security updates have been issued by Fedora (buildah, containers-common, glycin, loupe, podman, rust-matchers, and rust-tracing-subscriber), Red Hat (fence-agents, jackson-annotations, jackson-core, jackson-databind, jackson-jaxrs-providers, and jackson-modules-base, pki-deps:10.6, python-requests, python3.12-cryptography, redis:6, redis:7, and resource-agents), Slackware (libssh), SUSE (aide, cloud-init, iperf, java-1_8_0-openjdk, jq, kernel-devel, python-deepdiff, regionServiceClientConfigAzure, regionServiceClientConfigEC2, and regionServiceClientConfigGCE), and Ubuntu (gnutls28).

As a followup to his OSS Europe talk on the future of 32-bit support in the kernel, Arnd Bergmann has put together a detailed plan for the eventual removal of high-memory support, which he calls "one of the least popular features of the Linux kernel". The intent is "to gradually phase out highmem over the next 2 years for mainline kernels". This plan is posted as a prompt for a discussion to be held at the Kernel Summit in December, so chances are it will evolve considerably in the next few months.

The 6.16.6, 6.12.46, 6.6.105, 6.1.151, 5.15.192, 5.10.243, and 5.4.299 stable kernel updates have been released; each contains another set of important fixes.

Fedora's Community Blog has a short update on the progress of Fedora's new installer with a web-based interface. The new installer was introduced for the Workstation edition in Fedora Linux 42, it is now approved to be included in all Fedora spins and the KDE edition for Fedora 43. Final deprecation of the GTK-based installer is set for Fedora 45. LWN covered the installer changes in April.

A new project, targeting Linux for the proverbial final frontier—outer space—was the subject of a talk (YouTube video) at the Embedded Linux Conference, which was held as part of Open Source Summit Europe in Amsterdam in late August. Ramón Roche introduced Space Grade Linux (SGL), which is currently incubating as a special interest group (SIG) of the Embedding Linux in Safety Applications (ELISA) project. The idea is to create a distribution with a base layer that can be used for off-planet missions of various sorts, along with other layers that can be used to customize it for different space-based use cases.

Security updates have been issued by AlmaLinux (kernel and kernel-rt), Debian (openafs and qemu), Fedora (buildah, containers-common, podman, python-flask, and snapshot), Mageia (postgresql, python-django, and udisks2), Oracle (kernel and libxml2), Red Hat (apache-commons-beanutils, firefox, httpd, httpd:2.4, kernel, kernel-rt, mod_http2, qt5-qt3d, and thunderbird), Slackware (libxml2), SUSE (firebird, go1.25-openssl, ImageMagick, microcode_ctl, netty, netty-tcnative, and ovmf), and Ubuntu (libetpan and postgresql-14, postgresql-16, postgresql-17).

The Aikido blog describes an apparently ongoing series of phishing attacks against npm package maintainers, resulting in the uploading of compromised versions of heavily used packages:

All together, these packages have more than 2 billion downloads per week.

The packages were updated to contain a piece of code that would be executed on the client of a website, which silently intercepts crypto and web3 activity in the browser, manipulates wallet interactions, and rewrites payment destinations so that funds and approvals are redirected to attacker-controlled accounts without any obvious signs to the user.

Framework Computer is a US-based computer manufacturer with a line of Linux-supported, modular, easily repairable and upgradeable laptops. In February, the company announced a new model, the Framework Laptop 12, an "entry-level" 12.2-inch convertible notebook that can be used as a laptop or tablet. The systems were made available for pre-order in April, I received mine in mid-August. Since then, I have been putting it through its paces with Debian 13 ("trixie") and Fedora Linux 42. It's a good choice for users who want a Linux-friendly, lightweight, 2-in-1 device—if they are willing to make a few concessions on storage capacity, RAM, and CPU/GPU choices.

Security updates have been issued by Debian (chromium, libhtp, modsecurity-apache, shibboleth-sp, and wireless-regdb), Fedora (chromium, kea, tcpreplay, and yq), Mageia (rootcerts, nspr, nss & firefox and thunderbird), Red Hat (python3), and SUSE (7zip, chromedriver, go1.25, libQt5Pdf5, libsixel-bash-completion, libsoup2, libwireshark18, netty, rav1e, and trivy).

Linus has released 6.17-rc5 for testing. "Things remain normal - both the diffstat and the commit counts look entirely sane". The announcement also contains a plea for maintainers to not overuse Link: tags when applying patches.

Like almost all human endeavors, open-source software development involves a range of power dynamics. Companies, developers, and users are all concerned with the power to influence the direction of the software — and, often, to profit from it. At the 2025 Open Source Summit Europe, Dawn Foster talked about how those dynamics can play out, with an eye toward a couple of tactics — rug pulls and forks — that are available to try to shift power in one direction or another.

Security updates have been issued by Fedora (udisks2), Oracle (httpd:2.4 and kernel), Red Hat (python-requests), and SUSE (chromium, gn, dcmtk, firefox, himmelblau, nginx, perl-Authen-SASL, perl-Crypt-URandom, postgresql15, python-Django, and python-maturin).

Mozilla has announced that support for the Firefox browser on 32-bit systems ends with version 144. "For users who cannot transition immediately, Firefox ESR 140 will remain available — including 32-bit builds — and will continue to receive security updates until at least September 2026."

Greg Kroah-Hartman has announced the release of the 6.16.5, 6.12.45, 6.6.104, 6.1.150, 5.15.191, 5.10.242, and 5.4.298 stable kernels. Each contains important fixes throughout the kernel tree; users should upgrade.

Deadlocks are a constant threat in concurrent settings with shared data; it is thus not surprising that the kernel project has long since developed tools to detect potential deadlocks so they can be fixed before they affect production users. Byungchul Park thinks that he has developed a better tool that can detect more deadlock-prone situations. At the 2025 Open Source Summit Europe, he presented an introduction to his dependency tracker (or "DEPT") tool and the kinds of problems it can detect.

Security updates have been issued by AlmaLinux (httpd:2.4, kernel, pam, postgresql:12, and python3.12), Debian (clamav and node-cipher-base), Fedora (exiv2 and libsixel), Oracle (httpd, kernel, pam, postgresql:12, postgresql:13, postgresql:15, and udisks2), SUSE (gimp, libmupen64plus-devel, munge, nvidia-open-driver-G06-signed, ovmf, postgresql15, python-aiohttp, python-Django, rav1e, redis, and ruby2.5), and Ubuntu (ffmpeg, kdepim, kf5-messagelib, kmail, kmail-account-wizard, linux-azure, linux-azure-6.8, linux-azure-nvidia, php7.0, php7.2, php7.4, protobuf, python-django, ruby2.5, ruby2.7, ruby3.0, ruby3.2, ruby3.3, and rubygems).

Inside this week's LWN.net Weekly Edition:

• Front: Maintaining curl; GNOME governance; Guix in Debian; Tracking untrusted data in the kernel; 32-Bit support; systemd v258.
• Briefs: bcachefs maintenance; Linux from Scratch 12.4; Elf spec; Niri 25.08; Python documentary; GNOME executive director; Quotes; ...
• Announcements: Newsletters, conferences, security updates, patches, and more.

Version 2025.9 of the Home Assistant home automation system has been released. Changes include a new experimental dashboard that is eventually meant to become the default, a number of tile-card improvements, a reworked automation editor, several new integrations, and more.

Version 25.08 of the niri scrollable-tiling Wayland compositor has been released. Notable changes include xwayland-satellite integration, modal exit confirmation, and the introduction of basic support for screen readers:

A series of posts by fireborn earlier this year on the screen reader situation in Linux got me curious: how does one support screen readers in a Wayland compositor? The documentation is unfortunately scarce and difficult to find. Thankfully, @DataTriny from the AccessKit project came across my issue, pointed me at the right protocols, and answered a lot of my questions.

So, as of this release, niri has basic support for screen readers! We implement the org.freedesktop.a11y.KeyboardMonitor D-Bus interface for Orca to listen and grab keyboard keys, and we expose the main niri UI elements via AccessKit. [...]

The current screen reader support and further considerations are documented on the new Accessibility wiki page.

LWN covered niri in July.

Version 12.4 of Linux From Scratch (LFS) and Beyond Linux From Scratch (BLFS) have been released. LFS provides step-by-step instructions on building a customized Linux system entirely from source, and BLFS helps to extend an LFS installation into a more usable system. Notable changes in this release include updates to GNU Binutils 2.45, GCC 15.2, GNU C Library (glibc) 2.42, and Linux 6.15.1. See the Changelog for all updates since 12.3.