Linux Weekly News

Arch Linux recent service outages
The Arch Linux project has posted an update about recent service outages that have affected its infrastructure:
The Arch Linux Project is currently experiencing an ongoing denial of service attack that primarily impacts our main webpage, the Arch User Repository (AUR), and the Forums.
We are aware of the problems that this creates for our end users and will continue to actively work with our hosting provider to mitigate the attack. We are also evaluating DDoS protection providers while carefully considering factors including cost, security, and ethical standards.
The post contains information on workarounds to use during the service disruption, and notes that Arch is not sharing technical details about the attack or mitigation while the attack is still ongoing.
[$] Bringing restartable sequences out of the niche
Security updates for Thursday
[$] LWN.net Weekly Edition for August 21, 2025
- Front: Debian; CPython; huge zero folio; kexec handover; FHS; Koka programming language
- Briefs: PyPI domain checks; Firefox 142.0; Git v2.51; Ghostty; LibreOffice 25.8; Zig 0.15.1; Quotes; ...
- Announcements: Newsletters, conferences, security updates, patches, and more.
Zig version 0.15.1
The Zig project has announced version 0.15.1 of the language. The release, much like the last one, includes incremental progress toward the goal of completely dropping LLVM and improving compile time, as well as a handful of breaking changes as the language team wrestles with past API design. The biggest change this time around is to the standard library Reader and Writer interfaces, which have been completely rearranged in the name of performance and reducing unneeded copies.
All existing std.io readers and writers are deprecated in favor of the newly provided std.Io.Reader and std.Io.Writer which are non-generic and have the buffer above the vtable - in other words the buffer is in the interface, not the implementation. This means that although Reader and Writer are no longer generic, they are still transparent to optimization; all of the interface functions have a concrete hot path operating on the buffer, and only make vtable calls when the buffer is full.
These changes are extremely breaking. I am sorry for that, but I have carefully examined the situation and acquired confidence that this is the direction that Zig needs to go. I hope you will strap in your seatbelt and come along for the ride; it will be worth it.
Adding stubble to Ubuntu's generic Arm64 Desktop ISOs
Tobias Heider has written an article that explains changes that are coming for Ubuntu's generic Arm64 desktop ISO images in the 25.10 release. The current solution, Heider says, depends on GRUB features that are unavailable in secure boot mode and require adding device-specific logic to multiple packages. The new solution, called stubble, is derived from systemd-stub:
A bundled stubble image contains stubble itself, a Linux kernel, a HWID lookup table to map devices to device trees and multiple device trees. When grub loads this "kernel", stubble executes first, reads the SMBIOS table to generate HWIDs, looks for a match in the embedded lookup table and loads a matching device tree before passing control to the actual Linux kernel.
The elegance in this approach lies in how it interacts with the rest of the system. Integrating stubble happens entirely at build time in the kernel package. The stubble package is a build dependency for the kernel. After building the kernel itself, we bundle it with stubble and our DTBs and ship the combined binary instead. The resulting stubble + kernel + dtb bundle can be loaded by grub like any other Ubuntu kernel. No further changes in grub or other packages are necessary to make it work.
[$] Python, tail calls, and performance
LibreOffice 25.8 released
Version 25.8 of the LibreOffice open-source office suite has been released. Notable changes include several new functions in the Calc spreadsheet application, the ability to export to the PDF 2.0 format, better PowerPoint font compatibility with Impress, and significant performance improvements. For a full list of changes, see the release notes on the Document Foundation wiki.
[$] Lucky 13: a look at Debian trixie
After more than two years of development, the Debian Project has released its new stable version, Debian 13 ("trixie"). The release comes with the usual bounty of upgraded packages and more than 14,000 new packages; it also debuts Advanced Package Tool (APT) 3.0 as the default package manager and makes 64-bit RISC-V a supported architecture. There are few surprises with trixie, which is exactly what many Linux users are hoping for—a free operating system that just works as expected.
Security updates for Wednesday
Preventing domain-resurrection attacks (PyPI blog)
The Python Package Index (PyPI) has announced that it is now checking for expired domains to try to prevent domain-resurrection attacks. In this type of attack, a malicious user buys an expired domain and uses it to take over an account by resetting the password associated with the email used with PyPI. Since June, PyPI has unverified more than 1,800 email addresses after their associated domains entered expiration phases.
After an initial bulk check period that took place in April 2025, PyPI will check daily for any domains in use for status changes, and update its internal database with the most recent status.
If a domain registration enters the redemption period, that's an indicator to PyPI that the previously verified email destinations may not be trusted, and will un-verify a previously-verified email address. PyPI will not issue a password reset request to addresses that have become unverified.
PyPI recommends that users add a second verified email address "from another notable domain (e.g. Gmail)" to their account, if they do not have one already.
Firefox 142.0 released
[$] The Koka programming language
Statically typed programming languages can help catch mismatches between the kinds of values a program is intended to manipulate, and the values it actually manipulates. While there have been many bytes spent on discussions of whether this is worth the effort, some programming language designers believe that the type checking in current languages does not go far enough. Koka, an experimental functional programming language, extends its type system with an effect system that tracks the side-effects a program will have in the course of producing a value.
Security updates for Tuesday
The State of Python 2025
This year, 51% of all surveyed Python developers are involved in data exploration and processing, with pandas and NumPy being the tools most commonly used for this.
Many of us in the Python pundit space have talked about Python as being divided into thirds: One-third web development, one-third data science and pure science, and one-third as a catch-all bin.
We need to rethink that positioning now that one of those thirds is overwhelmingly the most significant portion of Python.
Git v2.51 released
As a result, Git can generate packs using the path walk approach that are often significantly smaller than even those generated with the new name hash function described above. Its timings are competitive even with generating packs using the existing revision order traversal.