Linux Weekly News

LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.

Another npm supply-chain attack

Tue, 09/16/2025 - 10:51
The Socket.dev blog describes this week's attack on JavaScript packages in the npm repository.

A malicious update to @ctrl/tinycolor (2.2M weekly downloads) was detected on npm as part of a broader supply chain attack that impacted more than 40 packages spanning multiple maintainers.

The compromised versions include a function (NpmModule.updatePackage) that downloads a package tarball, modifies package.json, injects a local script (bundle.js), repacks the archive, and republishes it, enabling automatic trojanization of downstream packages.

There is some more information in this Krebs on Security article.

Security updates for Tuesday

Tue, 09/16/2025 - 10:36
Security updates have been issued by AlmaLinux (kernel and kernel-rt), Debian (node-sha.js and python-django), Fedora (chromium, cups, exiv2, perl-Catalyst-Authentication-Credential-HTTP, perl-Catalyst-Plugin-Session, perl-Plack-Middleware-Session, and qemu), Red Hat (container-tools:rhel8, podman, and udisks2), SUSE (cargo-audit, cargo-c, cargo-packaging, and kernel-devel), and Ubuntu (libcpanel-json-xs-perl, libjson-xs-perl, rubygems, sqlite3, and vim).

Linux Plumbers Conference registration open

Mon, 09/15/2025 - 19:18
Registration for the 2025 Linux Plumbers Conference (Tokyo, December 11 to 13) is now open. LPC tickets often sell out quickly, so it would be best not to delay if you intend to attend.

[$] Fighting human trafficking with self-contained applications

Mon, 09/15/2025 - 16:15

Brooke Deuson is the developer behind Trafficking Free Tomorrow, a nonprofit organization that produces free software to help law enforcement combat human trafficking. She is a survivor of human trafficking herself. She spoke at RustConf 2025 about her mission, and why she chose to write her anti-trafficking software in Rust. Interestingly, it has nothing to do with Rust's lifetime-analysis-based memory-safety — instead, her choice was motivated by the difficulty she faces getting police departments to actually use her software. The fact that Rust is statically linked and capable of cross compilation by default makes deploying Rust software in those environments easier.

Varnish 8.0.0 and bonus project news

Mon, 09/15/2025 - 14:51
Version 8.0.0 of Varnish Cache has been released. In addition to a number of changes to varnishd parameters, the ability to access some runtime parameters using the Varnish Configuration Language, and other improvements, 8.0.0 comes with big news; the project is forming an organization called a forening that will set out formal governance for the project.

The move also comes with a name change due to legal difficulties in securing the Varnish Cache name:

The new association and the new project will be named "The Vinyl Cache Project", and this release, 8.0.0, will be the last under the "Varnish Cache" name. The next release, in March, will be under the new name, and will include compatibility scripts, to make the transition as smooth as possible for everybody.

I want to make it absolutely clear that this is 100% a mess of my making: I should have insisted on a firm written agreement about the name sharing, but I did not.

I will also state for the record, that there are no hard feelings between Varnish Software and the FOSS project.

Varnish Software has always been, and still is, an important and valued contributor to the FOSS project, but sometimes even friends can make a mess of a situation.

[$] New kernel tools: wprobes, KStackWatch, and KFuzzTest

Mon, 09/15/2025 - 12:14
The kernel runs in a special environment that makes it difficult to use many of the development tools that are available to user-space developers. Kernel developers often respond by simply doing without, but the truth is that they need good tools as much as anybody else. Three new tools for the tracking down of bugs have recently landed on the linux-kernel mailing list; here is an overview.

Security updates for Monday

Mon, 09/15/2025 - 11:36
Security updates have been issued by AlmaLinux (cups, kernel, and mysql-selinux and mysql8.4), Debian (cjson, jetty9, and shibboleth-sp), Fedora (bustle, cef, checkpointctl, chromium, civetweb, cups, forgejo, jupyterlab, kernel, libsixel, linenoise, maturin, niri, perl-Cpanel-JSON-XS, python-uv-build, ruff, rust-busd, rust-crypto-auditing-agent, rust-crypto-auditing-client, rust-crypto-auditing-event-broker, rust-matchers, rust-monitord, rust-monitord-exporter, rust-secret-service, rust-tracing-subscriber, rustup, tcpreplay, tuigreet, udisks2, uv, and xwayland-satellite), Oracle (cups, gdk-pixbuf2, kernel, mysql-selinux and mysql8.4, and php:8.2), Red Hat (kernel, kernel-rt, and multiple packages), Slackware (cups, kernel, and patch), and SUSE (busybox, busybox-links, chromedriver, chromium, cups-filters, curl, go1.25, jasper, java-11-openj9, java-17-openj9, java-1_8_0-openjdk, kernel, kernel-devel, kubo, libssh-config, orthanc-gdcm, python-aiohttp, python-eventlet, python-h2, and xen).

Kernel prepatch 6.17-rc6

Sun, 09/14/2025 - 20:26
The 6.17-rc6 kernel prepatch is out for testing. "But really, none of it is very large. So everything seems slated for a normal release in two weeks. Please do keep testing, so that we don't get complacent."

[$] Creating a healthy kernel subsystem community

Fri, 09/12/2025 - 12:50
Creating welcoming communities within open-source projects is a recurring topic at conferences; those projects rely on contributions from others, so making them welcome is important. The kernel has, rather infamously over the years, been an oft-cited example of an unwelcoming project, though there have been (and are) multiple efforts to change that with varying degrees of success. Hans de Goede talked about such efforts within his corner of the kernel project in a talk (YouTube video) at Open Source Summit Europe.

Security updates for Friday

Fri, 09/12/2025 - 10:54
Security updates have been issued by Debian (cups, imagemagick, libcpanel-json-xs-perl, and libjson-xs-perl), Fedora (checkpointctl, chromium, civetweb, glycin, kernel, libssh, ruff, rust-secret-service, snapshot, and uv), Mageia (curl), Red Hat (kernel), SUSE (cups, curl, perl-Cpanel-JSON-XS, regionServiceClientConfigAzure, regionServiceClientConfigEC2, regionServiceClientConfigGCE, trivy, and xen), and Ubuntu (cups, node-cipher-base, and qemu).

Six stable kernels patching the VMScape Spectre variant

Thu, 09/11/2025 - 13:46
The VMScape vulnerability is a Spectre variant that "allows a malicious KVM guest to leak sensitive information such as encryption/decryption keys from a userspace hypervisor such as QEMU". Greg Kroah-Hartman has announced the 6.16.7, 6.12.47, 6.6.106, 6.1.152, 5.15.193, and 5.10.244 stable kernels, which add a mitigation for the hardware bug.

[$] A policy for Link tags

Thu, 09/11/2025 - 12:16
The Git source-code management system stores a lot of information about changes to code — but it does not hold everything that might be of interest to a developer who needs to investigate a specific change in the future. Commits in a repository are the end result of a (sometimes extended) discussion; often, that discussion will result in changes to the code that are not explained in the changelog. For some years now, many maintainers have followed the convention of applying a Link tag to commits that points back to the mailing-list posting of the change. Linus Torvalds has been expressing his dislike for this convention for a while, though, and its time appears to be coming to an end.

Security updates for Thursday

Thu, 09/11/2025 - 12:12
Security updates have been issued by AlmaLinux (python3.12-cryptography), Debian (chromium, hsqldb1.8.0, and imagemagick), Fedora (bustle, cef, maturin, rust-busd, rust-crypto-auditing-agent, rust-crypto-auditing-client, rust-crypto-auditing-event-broker, rust-monitord, rust-monitord-exporter, rustup, tuigreet, and wireshark), Oracle (kernel, microcode_ctl, and python3.12-cryptography), Red Hat (httpd:2.4 and multiple packages), SUSE (coreutils, curl, dpkg, ffmpeg-4, glib2, gnutls, go1.23-openssl, go1.24-openssl, go1.25-openssl, grub2, ImageMagick, jbigkit, kernel, libxslt, Mesa, opensc, opera, perl-JSON-XS, polkit, postgresql16, protobuf, python311, python311-deepdiff, sqlite3, ucode-intel, and warewulf4), and Ubuntu (bind9 and libxml2).

How FOSS Projects Handle Legal Takedown Requests (F-Droid)

Thu, 09/11/2025 - 11:34
The F-Droid project has some advice for free-software projects on how to deal with takedown requests.

As part of our legal resilience research, we spoke with a range of legal experts, software freedom advocates, and maintainers of mature FOSS infrastructure to understand how others manage these moments. In this article, we share what we learned, and how F-Droid is incorporating these lessons into its own approach.

[$] LWN.net Weekly Edition for September 11, 2025

Wed, 09/10/2025 - 21:19
Inside this week's LWN.net Weekly Edition:

  • Front: Space Grade Linux; KDE's new distribution; Rug pulls and forks; Dependency tracker; Kernel configuration; Framework 12 laptop.
  • Briefs: npm security; high-memory; Anaconda WebUI; OpenSUSE bcachefs; 32-bit Firefox; Quotes; ...
  • Announcements: Newsletters, conferences, security updates, patches, and more.

[$] How many ways are there to configure the Linux kernel?

Wed, 09/10/2025 - 13:10

There are a large number of ways to configure the 6.16 Linux kernel. It has 32,468 different configuration options on x86_64, and a comparable number for other platforms. Exploring the ways the kernel can be configured is sufficiently difficult that it requires specialized tools. These show the number of possible configurations that options can be combined in has 6,550 digits. How has that number changed over the history of the kernel, and what does it mean for testing?

OpenSUSE disables bcachefs

Wed, 09/10/2025 - 11:51
The openSUSE project has announced that the bcachefs filesystem will be disabled in its kernel builds starting with 6.17; bcachefs users will have to make other arrangements. "The current 6.16.* is NOT affected. Neither is Slowroll (for now)."

[$] KDE launches its own distribution (again)

Wed, 09/10/2025 - 11:12

At Akademy 2025, the KDE Project released an alpha version of KDE Linux, a distribution built by the project to "include the best implementation of everything KDE has to offer, using the most advanced technologies". It is aimed at providing an operating system suitable for home use, business use, OEM installations, and more "eventually". For now there are many rough edges and missing features that users should be aware of before taking the plunge; but it is an interesting look at the kind of complete Linux system that KDE developers would like to see.

Three decades in kernelland

Wed, 09/10/2025 - 11:03

At Open Source Summit Europe, LWN's Jonathan Corbet presented "Three Decades in Kernelland"; the talk provides a look at how the kernel got to where it is, what makes it successful, and what may be coming next. The video of the talk is now online for LWN readers who would like to check it out.

Security updates for Wednesday

Wed, 09/10/2025 - 10:05
Security updates have been issued by Fedora (buildah, containers-common, glycin, loupe, podman, rust-matchers, and rust-tracing-subscriber), Red Hat (fence-agents, jackson-annotations, jackson-core, jackson-databind, jackson-jaxrs-providers, and jackson-modules-base, pki-deps:10.6, python-requests, python3.12-cryptography, redis:6, redis:7, and resource-agents), Slackware (libssh), SUSE (aide, cloud-init, iperf, java-1_8_0-openjdk, jq, kernel-devel, python-deepdiff, regionServiceClientConfigAzure, regionServiceClientConfigEC2, and regionServiceClientConfigGCE), and Ubuntu (gnutls28).
