Linux Weekly News

Security updates have been issued by Debian (emacs and openh264), Fedora (rpm-ostree), Mageia (dcmtk, libcap, openssh, and proftpd), Red Hat (emacs, kernel, and pki-servlet-engine), Slackware (emacs), SUSE (chromium, ffmpeg-4, ffmpeg-7, gnutls, libiniparser-devel, procps, socat, vim, xorg-x11-server, and xwayland), and Ubuntu (binutils, libsndfile, libxmltok, and php5).

Inside this week's LWN.net Weekly Edition:

• Front: Tail calls in CPython; BPF cancellation; Slabs, sheaves, and barns; Atomic block writes; Large filesystem block sizes; EPEL 10 for older CPUs; pytest-mh; Open-source battery.
• Briefs: DMA discussion; Armbian 25.2; Gentoo qcow2; Aqualung 2.0; Emacs 30.1; Rust 1.85.0; Quotes; ...
• Announcements: Newsletters, conferences, security updates, patches, and more.

FOSDEM 2025 featured the usual talks about open-source software, but, as always, the conference also offered the opportunity to discover some more exotic and less software-centric topics. That's how I learned about the Flow Battery Research Collective (FBRC), which is building what will eventually become an open-source home battery. Daniel Fernández Pinto represented the collective at FOSDEM with his talk "Building an Open-Source Battery for Stationary Storage" in the "Energy: Accelerating the Transition through Open Source" developer room (devroom).

The Gentoo Linux project has announced the availability of qcow2 images for amd64 (x86_64) and arm64 (aarch64), and plans to "eventually" offer images for the riscv64 and loongarch64 architectures.

The images, updated weekly, include an EFI boot partition and a fully functional Gentoo installation; either with no network activated but a password-less root login on the console ("no root pw"), or with network activated, all accounts initially locked, but cloud-init running on boot ("cloud-init").

One of the often-requested LWN site features that has languished the longest on our to-do list is full-text RSS feeds. We are happy to announce that, finally, there is a set of such feeds available; the full set can be seen on our feeds page. This is a subscriber-only feature, and it works by creating a unique fetch URL for each user. We will, of course, be counting on our readers to not share those URLs.

Another feature we have had requests for is to automatically present the site in dark-mode colors when a reader's browser has been configured to prefer it. That feature, too, is now available. In this case, we had to think about the interaction between automatic selection and the color customization that the site has long had. The conclusion we reached is that, if custom colors have been configured for an account, they will win out over the automatic selection. There is a new preference in the customization area to change this default if desired.

Both of these features — and the other enhancements we have made recently — were enabled by the support of LWN's subscribers. By making it possible to bring in new staff last year, you created the space to improve the site experience while keeping up with the writing. We thank all of you for your support.

Version 25.2 of the Armbian Linux distribution for single-board computers (SBCs) has been released. Notable changes in this release include support for many new SBCs, an upgrade to Linux kernel 6.12.x, and more. See the changelog for a complete list.

The Faster CPython project has been working to speed up the Python interpreter for the past several years. Now, Ken Jin, a member of the project, has merged a new set of changes that have been benchmarked as improving performance by 10% for some architectures. The only change is switching from using computed goto statements to using tail calls as part of the implementation of Python's bytecode interpreter — but that change allows modern compilers to generate significantly better code.

Security updates have been issued by Fedora (crun, gnutls, libtasn1, and openssl), Mageia (emacs, gnutls, iniparser, kernel, kmod-virtualbox, kmod-xtables-addons, kernel-linus, krb5, libxml2, and vim), Slackware (tigervnc and xorg), SUSE (libprotobuf-lite28_3_0 and Maven), and Ubuntu (dropbear, kernel, libxml2, linux, linux-lowlatency, linux-lowlatency-hwe-6.8, linux, linux-lts-xenial, linux-aws-5.4 linux-raspi-5.4, linux-gcp, linux-gke, linux-gkeop, linux-ibm, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, linux-raspi, ProFTPD, python-virtualenv, rails, and xorg-server, xwayland).

The conversation around the merging of a set of Rust abstractions for the kernel's DMA-mapping layer has mostly settled after Linus Torvalds made it clear that the code would be accepted. One other consequence of this decision, though, is that Christoph Hellwig has quietly stepped down from the maintenance of the DMA-mapping code. Marek Szyprowski will be the maintainer of that layer going forward. Hellwig has maintained that code for many years; his contributions will be missed.

The Linux kernel supports attaching BPF programs to many operations. This is generally safe because the BPF verifier ensures that BPF programs can't misuse kernel resources, run indefinitely, or otherwise escape their boundaries. There is continuing tension, however, between trying to expand the capabilities of BPF programs and ensuring that the verifier can handle every edge case. On February 14, Juntong Deng shared a proof-of-concept patch set that adds some run-time checks to BPF to make it possible in the future to interrupt a running BPF program.

Security updates have been issued by AlmaLinux (libpq, postgresql:13, postgresql:15, and postgresql:16), Debian (nodejs and php-nesbot-carbon), Mageia (neomutt), Red Hat (python3.11-urllib3 and tuned), SUSE (crun, ovmf, pam_pkcs11, qemu, and webkit2gtk3), and Ubuntu (iniparser, libcap2, linux, linux-hwe, linux, linux-hwe-5.4, linux, linux-lowlatency, linux-azure, linux-azure-5.4, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-ibm-5.4, linux-azure, linux-azure-fde, linux-gkeop, linux-nvidia, linux-oracle, linux-azure-5.15, linux-azure-fde-5.15, linux-oracle-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-kvm, linux-lowlatency-hwe-5.15, and linux-xilinx-zynqmp).

Version 2.0 of the Aqualung gapless music player has been released. Aqualung supports playback of a wide range of audio formats, ripping CDs to WAV, FLAC, Ogg Vorbis, or MP3, and subscribing to podcasts via RSS or Atom feeds. The primary change in this release is the migration from GTK2 to GTK3, and dropping support for custom skins as a result.

The kernel's slab allocator is responsible for the allocation of small (usually sub-page) chunks of memory. For many workloads, the speed of object allocation and freeing is one of the key factors in overall performance, so it is not surprising that a lot of effort has gone into optimizing the slab allocator over time. Now that the kernel is down to a single slab allocator, the memory-management developers have free rein to add complexity to it; the latest move in that direction is the per-CPU sheaves patch set from slab maintainer Vlastimil Babka.

The AlmaLinux project has published a request for comments (RFC) on rebuilding Fedora's Extra Packages for Enterprise Linux (EPEL), which provides additional software for Red Hat Enterprise Linux (RHEL) and its derivatives, to support older x86_64 hardware that is not supported by EPEL 10. While this may sound simple on the surface, the proposed rebuild carries a few potential risks that the AlmaLinux and EPEL contributors would like to avoid. The AlmaLinux Engineering Steering Committee (ALESCo) is currently considering feedback and will vote on the RFC in March.

The Emacs extensible text editor (among other things) has made a security release to address two vulnerabilities. Emacs 30.1 has fixes for CVE-2025-1244, which is a shell-command-injection flaw in the man.el man page browser and for CVE-2024-53920, which is a code-execution vulnerability in the flymake syntax-checking mode. LWN covered the flymake problems back in December.

Security updates have been issued by AlmaLinux (bind, bind9.18, libpq, mysql, postgresql, postgresql:15, and postgresql:16), Debian (fort-validator, gnutls28, krb5, libxml2, and python-werkzeug), Fedora (chromium, openssh, proftpd, python3.8, vaultwarden, and vim), Oracle (bind, bind9.16, bind9.18, libpq, libsoup, mysql, mysql:8.0, nodejs:18, nodejs:22, postgresql, postgresql:13, postgresql:15, and postgresql:16), Red Hat (mysql, mysql:8.0, and python3), SUSE (chromedriver, dcmtk, grub2, java-1_8_0-ibm, java-23-openjdk, luanti, openssh, postgresql14, postgresql15, postgresql16, postgresql17, proftpd, radare2, and webkit2gtk3), and Ubuntu (intel-microcode, netty, and nginx).

The 6.14-rc4 kernel prepatch is out for testing. "This continues to be the right kind of 'boring' release: nothing in particular stands out in rc4".

The pytest-mh project is a plugin that provides a multi-host test framework for the popular pytest unit-testing framework and test runner. Work on pytest-mh started in 2023 to solve a multitude of issues that cropped up for developers and testers when testing the SSSD project, which is a client for enterprise identity management. I was not happy with the state of testing of the SSSD project and wanted to create something that would increase test readability, remove duplication, eliminate errors, and provide multi-host testing capabilities, while having the flexibility to build a new API around it. Finally, I also wanted something that can be used by anyone to test their projects as well.

Greg Kroah-Hartman has released another four stable kernels: 6.13.4, 6.12.16, 6.6.79, and 6.1.129. As usual, all users are advised to upgrade.

Security updates have been issued by AlmaLinux (bind, bind9.16, and mysql:8.0), Debian (chromium, djoser, libtasn1-6, and postgresql-13), Fedora (python3.12 and vim), Red Hat (libpq, postgresql, postgresql:13, postgresql:15, and postgresql:16), Slackware (ark), SUSE (brise, chromium, emacs, google-osconfig-agent, grafana, grub2, helm, kernel, openssh, openssl-1_1, ovmf, postgresql13, postgresql14, postgresql15, and postgresql17), and Ubuntu (gnutls28, libtasn1-6, openssl, python3.10, python3.12, python3.8, and webkit2gtk).