lwn.net

The Debian project has the concept of essential packages, which provide the bare minimum functionality considered absolutely necessary (or "essential") for a system to function. Packages tagged as essential, and the packages that are required by the set of essential packages, are always installed as part of a Debian system. However, Debian's packaging rules do not require developers to explicitly declare dependencies on that set of packages (the essential set) but they can simply rely on the fact that those will always be present. That means that changing the essential set, as the project may wish to do occasionally, is more complicated than it should be. This came to light recently when a Debian developer asked what might be required to remove mawk to slim down the project's container images.

The SUSE Security Team has announced the removal of the Deepin Desktop from openSUSE due to violations of the project's packaging policy.

The discovery of the bypass of the security whitelistings via the deepin-feature-enable package marks a turning point in our assessment of Deepin. We don't believe that the openSUSE Deepin packager acted with bad intent when he implemented the "license agreement" dialog to bypass our whitelisting restrictions. The dialog itself makes the security concerns we have transparent, so this does not happen in a sneaky way, at least not towards users. It was not discussed with us, however, and it violates openSUSE packaging policies. Beyond the security aspect, this also affects general packaging quality assurance: the D-Bus configuration files and Polkit policies installed by the deepin-feature-enable package are unknown to the package manager and won't be cleaned up upon package removal, for example. Such bypasses are not deemed acceptable by us.

The combination of these factors led us to the decision to remove the Deepin desktop completely from openSUSE Tumbleweed and from the future Leap 16.0 release. In openSUSE Leap 15.6 we will remove the offending deepin-feature-enable package only. It is a difficult decision given that the Deepin desktop has a considerable number of users. We firmly believe the Deepin packaging and security assessment in openSUSE needs a reboot, however, ideally involving new people that can help get the Deepin packages into shape, establish a relationship with Deepin upstream and keep an eye on bugfixes, thus avoiding fruitless follow-up reviews that just waste our time. In such a new setup we would be willing to have a look at all the sensitive Deepin components again one by one.

The announcement goes into detail about the bypass of openSUSE packaging policy and the history of security reviews of Deepin components. It also offers guidance on continuing to use Deepin Desktop on openSUSE.

Security updates have been issued by Fedora (incus and nodejs20), Red Hat (freetype, kernel, kernel-rt, libsoup, libtiff, redis, redis:6, and thunderbird), SUSE (apparmor, chromium, grafana, ImageMagick, java-11-openjdk, java-17-openjdk, libsoup, libsoup2, libxslt, opensaml, rabbitmq-server, rubygem-rack-1_6, sqlite3, and thunderbird), and Ubuntu (kernel, libfcgi, libraw, libsoup2.4, linux, linux-aws, linux-aws-5.15, linux-gcp, linux-gke, linux-gkeop, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-intel-iotg, linux-intel-iotg-5.15, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-nvidia-tegra, linux-nvidia-tegra-igx, linux-oracle, linux-oracle-5.15, linux-raspi, linux, linux-aws, linux-aws-5.4, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-hwe-5.4, linux-ibm, linux-kvm, linux-oracle, linux-oracle-5.4, linux, linux-aws, linux-aws-6.8, linux-gcp, linux-gcp-6.8, linux-gke, linux-gkeop, linux-hwe-6.8, linux-ibm, linux-lowlatency, linux-lowlatency-hwe-6.8, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, linux-oem-6.8, linux-oracle, linux-oracle-6.8, linux, linux-aws, linux-aws-hwe, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux, linux-aws, linux-gcp, linux-gcp-6.11, linux-hwe-6.11, linux-lowlatency, linux-lowlatency-hwe-6.11, linux-oracle, linux-raspi, linux-aws-fips, linux-fips, linux-gcp-fips, linux-azure, linux-azure, linux-azure-4.15, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15, linux-azure, linux-azure-6.11, linux-azure-6.8, linux-azure-fips, linux-intel-iot-realtime, linux-realtime, linux-oem-6.11, linux-raspi, linux-realtime, python, python-scrapy, and ruby-carrierwave).

Willy Tarreau and William Lallemand have posted an extensive white paper examining the landscape of the available SSL implementations.

OpenSSL 3.0 performs significantly worse than alternative SSL libraries, forcing organizations to provision more hardware just to maintain existing throughput. This raises important questions about performance, energy efficiency, and operational costs.

Examining alternatives—BoringSSL, LibreSSL, WolfSSL, and AWS-LC—reveals a landscape of trade-offs. Each offers different approaches to API compatibility, performance optimization, and QUIC support. For developers navigating the modern SSL ecosystem, understanding these trade-offs is crucial for optimizing performance, maintaining compatibility, and future-proofing their infrastructure.

On the 50th anniversary of the USENIX organization, its flagship Annual Technical Conference (ATC) is coming to an end.

For the past two decades, as more USENIX conferences have joined the USENIX calendar by focusing on specific topics that grew out of ATC itself, attendance at ATC has steadily decreased to the point where there is no longer a critical mass of researchers and practitioners joining us. Thus, after many years of experiments to adapt this conference to the ever-changing tech landscape and community, the USENIX Board of Directors has made the difficult decision to sunset USENIX ATC.

Many important technologies first saw the light of day at this event.

Version 1.0.0 of Mission Center, a system-monitoring application, has been released. Notable changes in this release include the addition of SMART data for SATA and NVMe devices, display of per-process network usage, as well as a redesigned Apps Page that provides more information about applications and processes. Mission Center's backend application for obtaining system data has been renamed from the Gatherer to Magpie, and is now available as a standalone executable and libraries that can be used by other applications.

Linux systems can have large filesystems; trying to keep up with the stream of fanotify filesystem-monitoring notifications for them can be a struggle. Fanotify is one of a few ways to monitor accesses to filesystems provided by the kernel. Song Liu led a discussion on how to improve in-kernel filtering of fanotify events to a joint session of the filesystem and BPF tracks at the 2025 Linux Storage, Filesystem, Memory-Management, and BPF Summit. He wants to combine the best parts of a few different approaches to efficiently filter filesystem events.

In a combined filesystem and memory-management session at the 2025 Linux Storage, Filesystem, Memory Management, and BPF Summit (LSFMM+BPF), Joanne Koong led a discussion on improving the writeback performance for the Filesystem in Userspace (FUSE) layer. Writeback is how data that is written to the filesystem is actually flushed to the disk; it is the process of writing dirty pages from the page cache to storage. The current FUSE implementation allocates unmovable memory, then copies the dirty data to it before initiating writeback, which is slow; Koong wanted to change that behavior. Since the session, she has posted a patch set that has been applied by FUSE maintainer Miklos Szeredi.

Security updates have been issued by Fedora (chromium and kappanhang), Red Hat (osbuild-composer and thunderbird), SUSE (chromedriver), and Ubuntu (c-ares, corosync, mysql-8.0, mysql-8.4, openjdk-17, openjdk-21, openjdk-24, openjdk-8, and openjdk-lts).

AUTOSEL is a tool that is used to find kernel patches that should be considered for backporting into the stable releases. Sasha Levin has announced a new and completely rewritten version of AUTOSEL for those who would like to play with it.

Unlike the previous version that relied on word statistics and older neural network techniques, AUTOSEL leverages modern large language models and embedding technology to provide significantly more accurate recommendations.

The disclosure of the Spectre class of hardware vulnerabilities created a lot of pain for kernel developers (and many others). That pain was especially acutely felt in the BPF community. While an attacker might have to painfully search the kernel code base for exploitable code, an attacker using BPF can simply write and load their own speculation gadgets, which is a much more efficient way of operating. The BPF community reacted by, among other things, disallowing the loading of programs that may include speculation gadgets. Luis Gerhorst would like to change that situation with this patch series that takes a more direct approach to the problem.

The 6.12.27 and 6.1.137 stable kernels have been released to fix build problems in their predecessors. Only those who are having build troubles with 6.12.26 or 6.1.136 need to upgrade.

Security updates have been issued by Debian (ansible, containerd, and vips), Fedora (chromium, java-17-openjdk, nodejs-bash-language-server, nodejs-pnpm, ntpd-rs, redis, rust-hickory-proto, thunderbird, and valkey), Mageia (apache-mod_auth_openidc, fcgi, graphicsmagick, kernel-linus, pam, poppler, and tomcat), Red Hat (firefox, libsoup, nodejs:20, redis:6, rsync, webkit2gtk3, xmlrpc-c, and yelp), and SUSE (audiofile, ffmpeg, firefox, libsoup-2_4-1, libsoup-3_0-0, libva, libxml2, and thunderbird).

Linus has released 6.15-rc5 for testing. "So it all feels like things are just continuing to go well this release. Let's hope I didn't jinx it by saying so."

At the 2025 Linux Storage, Filesystem, Memory Management, and BPF Summit (LSFMM+BPF) Kanchan Joshi and Keith Busch led a combined storage and filesystem session on data placement, which concerns how the data on a storage device is actually written. In a discussion that hearkened back to previous summits, the idea is to give hints to enterprise-class SSDs to help them make better choices on where the data should go; hinting was most recently discussed at the summit in 2023. If SSDs can group data with similar lifetimes together, it can lead to longer life for the devices, but there is a need to work out the details.

Security updates have been issued by Debian (chromium, nodejs, openjdk-17, and thunderbird), Fedora (firefox, golang-github-nvidia-container-toolkit, and thunderbird), Mageia (kernel), Oracle (ghostscript, glibc, kernel, libxslt, php:8.1, and thunderbird), SUSE (cmctl, firefox-esr, govulncheck-vulndb, java-21-openjdk, libxml2, poppler, python-h11, and redis), and Ubuntu (docker.io, ghostscript, linux-xilinx-zynqmp, and micropython).

The 6.14.5, 6.12.26, 6.6.89, 6.1.136, 5.15.181, 5.10.237, and 5.4.293 stable kernel updates have all been released; each contains another set of important fixes.

After a somewhat tumultuous switch to the Server Side Public License (SSPL) in March 2024, Redis has backtracked and is now offering Redis under the Affero GPLv3 (AGPLv3) starting with Redis 8, CEO Rowan Trollope announced. The change back to an open-source license was led by Redis creator Salvatore "antirez" Sanfillipo, who also contributed the new Vector Sets feature for the release. He said: I'll be honest: I truly wanted the code I wrote for the new Vector Sets data type to be released under an open source license. Writing open source software is too rooted in me: I rarely wrote anything else in my career. I'm too old to start now. This may be childish, but I wrote Vector Sets with a huge amount of enthusiasm exactly because I knew Redis (and my new work) was going to be open source again.

I understand that the core of our work is to improve Redis, to continue building a good system, useful, simple, able to change with the requirements of the software stack. Yet, returning back to an open source license is the basis for such efforts to be coherent with the Redis project, to be accepted by the user base, and to contribute to a human collective effort that is larger than any single company. So, honestly, while I can't take credit for the license switch, I hope I contributed a little bit to it, because today I'm happy. I'm happy that Redis is open source software again, under the terms of the AGPLv3 license.

Since last year's license switch, though, the Valkey project has sprung up as a fork under the original 3-clause BSD license.

The Document Foundation is celebrating the 20th anniversary of the ratification of the Open Document Format (ODF) as an OASIS standard.

Two decades after its approval in 2005, ODF is the only open standard for office documents, promoting digital independence, interoperability and content transparency worldwide. [...]

To celebrate this milestone, from today The Document Foundation will be publishing a series of presentations and documents on its blog that illustrate the unique features of ODF, tracing its history from the development and standardisation process through the activities of the Technical Committee for the submission of version 1.3 to ISO and the standardisation of version 1.4.

The out-of-memory (OOM) killer has long been a scary and controversial part of the Linux kernel. It is summoned from some dark place when the system as a whole (or, more recently, any given control group) is running so low on memory that further allocations are not possible; its job is to kill off processes until a sufficient amount of memory has been freed. Roman Gushchin has found a way to make the OOM killer even scarier: adding the ability to load custom OOM killers in BPF.