Linux Weekly News

Creating welcoming communities within open-source projects is a recurring topic at conferences; those projects rely on contributions from others, so making them welcome is important. The kernel has, rather infamously over the years, been an oft-cited example of an unwelcoming project, though there have been (and are) multiple efforts to change that with varying degrees of success. Hans de Goede talked about such efforts within his corner of the kernel project in a talk (YouTube video) at Open Source Summit Europe.

Security updates have been issued by Debian (cups, imagemagick, libcpanel-json-xs-perl, and libjson-xs-perl), Fedora (checkpointctl, chromium, civetweb, glycin, kernel, libssh, ruff, rust-secret-service, snapshot, and uv), Mageia (curl), Red Hat (kernel), SUSE (cups, curl, perl-Cpanel-JSON-XS, regionServiceClientConfigAzure, regionServiceClientConfigEC2, regionServiceClientConfigGCE, trivy, and xen), and Ubuntu (cups, node-cipher-base, and qemu).

The VMScape vulnerability is a Spectre variant that "allows a malicious KVM guest to leak sensitive information such as encryption/decryption keys from a userspace hypervisor such as QEMU". Greg Kroah-Hartman has announced the 6.16.7, 6.12.47, 6.6.106, 6.1.152, 5.15.193, and 5.10.244 stable kernels, which add a mitigation for the hardware bug.

The Git source-code management system stores a lot of information about changes to code — but it does not hold everything that might be of interest to a developer who needs to investigate a specific change in the future. Commits in a repository are the end result of a (sometimes extended) discussion; often, that discussion will result in changes to the code that are not explained in the changelog. For some years now, many maintainers have followed the convention of applying a Link tag to commits that points back to the mailing-list posting of the change. Linus Torvalds has been expressing his dislike for this convention for a while, though, and its time appears to be coming to an end.

Security updates have been issued by AlmaLinux (python3.12-cryptography), Debian (chromium, hsqldb1.8.0, and imagemagick), Fedora (bustle, cef, maturin, rust-busd, rust-crypto-auditing-agent, rust-crypto-auditing-client, rust-crypto-auditing-event-broker, rust-monitord, rust-monitord-exporter, rustup, tuigreet, and wireshark), Oracle (kernel, microcode_ctl, and python3.12-cryptography), Red Hat (httpd:2.4 and multiple packages), SUSE (coreutils, curl, dpkg, ffmpeg-4, glib2, gnutls, go1.23-openssl, go1.24-openssl, go1.25-openssl, grub2, ImageMagick, jbigkit, kernel, libxslt, Mesa, opensc, opera, perl-JSON-XS, polkit, postgresql16, protobuf, python311, python311-deepdiff, sqlite3, ucode-intel, and warewulf4), and Ubuntu (bind9 and libxml2).

The F-Droid project has some advice for free-software projects on how to deal with takedown requests.

As part of our legal resilience research, we spoke with a range of legal experts, software freedom advocates, and maintainers of mature FOSS infrastructure to understand how others manage these moments. In this article, we share what we learned, and how F-Droid is incorporating these lessons into its own approach.

Inside this week's LWN.net Weekly Edition:

• Front: Space Grade Linux; KDE's new distribution; Rug pulls and forks; Dependency tracker; Kernel configuration; Framework 12 laptop.
• Briefs: npm security; high-memory; Anaconda WebUI; OpenSUSE bcachefs; 32-bit Firefox; Quotes; ...
• Announcements: Newsletters, conferences, security updates, patches, and more.

There are a large number of ways to configure the 6.16 Linux kernel. It has 32,468 different configuration options on x86_64, and a comparable number for other platforms. Exploring the ways the kernel can be configured is sufficiently difficult that it requires specialized tools. These show the number of possible configurations that options can be combined in has 6,550 digits. How has that number changed over the history of the kernel, and what does it mean for testing?

The openSUSE project has announced that the bcachefs filesystem will be disabled in its kernel builds starting with 6.17; bcachefs users will have to make other arrangements. "The current 6.16.* is NOT affected. Neither is Slowroll (for now)."

At Akademy 2025, the KDE Project released an alpha version of KDE Linux, a distribution built by the project to "include the best implementation of everything KDE has to offer, using the most advanced technologies". It is aimed at providing an operating system suitable for home use, business use, OEM installations, and more "eventually". For now there are many rough edges and missing features that users should be aware of before taking the plunge; but it is an interesting look at the kind of complete Linux system that KDE developers would like to see.

At Open Source Summit Europe, LWN's Jonathan Corbet presented "Three Decades in Kernelland"; the talk provides a look at how the kernel got to where it is, what makes it successful, and what may be coming next. The video of the talk is now online for LWN readers who would like to check it out.

Security updates have been issued by Fedora (buildah, containers-common, glycin, loupe, podman, rust-matchers, and rust-tracing-subscriber), Red Hat (fence-agents, jackson-annotations, jackson-core, jackson-databind, jackson-jaxrs-providers, and jackson-modules-base, pki-deps:10.6, python-requests, python3.12-cryptography, redis:6, redis:7, and resource-agents), Slackware (libssh), SUSE (aide, cloud-init, iperf, java-1_8_0-openjdk, jq, kernel-devel, python-deepdiff, regionServiceClientConfigAzure, regionServiceClientConfigEC2, and regionServiceClientConfigGCE), and Ubuntu (gnutls28).

As a followup to his OSS Europe talk on the future of 32-bit support in the kernel, Arnd Bergmann has put together a detailed plan for the eventual removal of high-memory support, which he calls "one of the least popular features of the Linux kernel". The intent is "to gradually phase out highmem over the next 2 years for mainline kernels". This plan is posted as a prompt for a discussion to be held at the Kernel Summit in December, so chances are it will evolve considerably in the next few months.

The 6.16.6, 6.12.46, 6.6.105, 6.1.151, 5.15.192, 5.10.243, and 5.4.299 stable kernel updates have been released; each contains another set of important fixes.

Fedora's Community Blog has a short update on the progress of Fedora's new installer with a web-based interface. The new installer was introduced for the Workstation edition in Fedora Linux 42, it is now approved to be included in all Fedora spins and the KDE edition for Fedora 43. Final deprecation of the GTK-based installer is set for Fedora 45. LWN covered the installer changes in April.

A new project, targeting Linux for the proverbial final frontier—outer space—was the subject of a talk (YouTube video) at the Embedded Linux Conference, which was held as part of Open Source Summit Europe in Amsterdam in late August. Ramón Roche introduced Space Grade Linux (SGL), which is currently incubating as a special interest group (SIG) of the Embedding Linux in Safety Applications (ELISA) project. The idea is to create a distribution with a base layer that can be used for off-planet missions of various sorts, along with other layers that can be used to customize it for different space-based use cases.

Security updates have been issued by AlmaLinux (kernel and kernel-rt), Debian (openafs and qemu), Fedora (buildah, containers-common, podman, python-flask, and snapshot), Mageia (postgresql, python-django, and udisks2), Oracle (kernel and libxml2), Red Hat (apache-commons-beanutils, firefox, httpd, httpd:2.4, kernel, kernel-rt, mod_http2, qt5-qt3d, and thunderbird), Slackware (libxml2), SUSE (firebird, go1.25-openssl, ImageMagick, microcode_ctl, netty, netty-tcnative, and ovmf), and Ubuntu (libetpan and postgresql-14, postgresql-16, postgresql-17).

The Aikido blog describes an apparently ongoing series of phishing attacks against npm package maintainers, resulting in the uploading of compromised versions of heavily used packages:

All together, these packages have more than 2 billion downloads per week.

The packages were updated to contain a piece of code that would be executed on the client of a website, which silently intercepts crypto and web3 activity in the browser, manipulates wallet interactions, and rewrites payment destinations so that funds and approvals are redirected to attacker-controlled accounts without any obvious signs to the user.

Framework Computer is a US-based computer manufacturer with a line of Linux-supported, modular, easily repairable and upgradeable laptops. In February, the company announced a new model, the Framework Laptop 12, an "entry-level" 12.2-inch convertible notebook that can be used as a laptop or tablet. The systems were made available for pre-order in April, I received mine in mid-August. Since then, I have been putting it through its paces with Debian 13 ("trixie") and Fedora Linux 42. It's a good choice for users who want a Linux-friendly, lightweight, 2-in-1 device—if they are willing to make a few concessions on storage capacity, RAM, and CPU/GPU choices.

Security updates have been issued by Debian (chromium, libhtp, modsecurity-apache, shibboleth-sp, and wireless-regdb), Fedora (chromium, kea, tcpreplay, and yq), Mageia (rootcerts, nspr, nss & firefox and thunderbird), Red Hat (python3), and SUSE (7zip, chromedriver, go1.25, libQt5Pdf5, libsixel-bash-completion, libsoup2, libwireshark18, netty, rav1e, and trivy).