Linux Weekly News

The Linux kernel has to handle many different sources of data that should not be trusted: user space, network connections, and removable storage, to name a few. The kernel has to remain secure even if one of these sends garbled (or malicious) data. Benno Lossin has been working on an API for kernel Rust code that makes it harder to accidentally make decisions based on data from user space. That work is now on its fourth revision, and Lossin has asked kernel developers to experiment with it and see where problems remain, making this a good time to look at the proposed API.

During the opening of RustConf 2025 in Seattle, Washington, the Rust Foundation announced a new initiative to provide financial and administrative support to open-source Rust projects. The first project to benefit from the new Rust Innovation Lab is Rustls, an implementation of TLS in Rust. The foundation welcomes inquiries from other projects. Dr. Rebecca Rumbul, Executive Director of the Rust Foundation said:

Rustls is hopefully the first of many really good [...] projects that will find a home in the foundation.

Cary Coutant has announced a draft for version 4.3 of the Executable and Linking Format (ELF) object file format. The specification was formerly part of the Unix System V Release 4 (SVR4) gABI document:

The last published gABI documents were the Fourth Edition and a draft of Edition 4.1, both published in March 1997. The ELF portions of the document were updated several times between 1998 and 2015, published online [...]

I've published the last draft from 2015 as Version 4.2, and collected the several changes since then, along with new e_machine values, as Version 4.3.

The source for the draft is on GitHub in reStructuredText format, and Coutant has collected the mailing list discussions for changes in 4.3 as GitHub issues. Thanks to Jose E. Marchesi for the tip.

Security updates have been issued by AlmaLinux (httpd, kernel, and kernel-rt), Debian (python-eventlet and python-h2), Mageia (aide, gnutls, tomcat, and vim), Oracle (httpd, mod_http2, postgresql:15, python3.11, python3.12, python3.9, and udisks2), Red Hat (kernel, postgresql, postgresql:12, and postgresql:15), SUSE (dcmtk, jupyter-bqplot-jupyterlab, kured, libudisks2-0, munge, python-eventlet, python-future, python311-eventlet, rekor, traefik2, and ucode-intel), and Ubuntu (linux-aws, linux-azure-5.15, linux-gcp-6.8, linux-gke, linux-gkeop, linux-hwe-6.8, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, linux-raspi, linux-gke, linux-ibm-5.15, linux-kvm, and protobuf).

As a rule, if a package is shipped with a Debian release, users can count on it being available, and updated, for the entire life of the release. If package foo is included in the stable release—currently Debian 13 ("trixie")—a user can reasonably expect that it will continue to be available with security backports as long as that release is supported, though it may not be included in Debian 14 ("forky"). However, it is likely that the Guix package manager will soon be removed from the repositories for Debian 13 and Debian 12 ("bookworm", also called oldstable).

The FastCode site has a lengthy article on how large language models make open-source projects far more vulnerable to XZ-style attacks.

Open source maintainers, already overwhelmed by legitimate contributions, have no realistic way to counter this threat. How do you verify that a helpful contributor with months of solid commits isn't an LLM generated persona? How do you distinguish between genuine community feedback and AI created pressure campaigns? The same tools that make these attacks possible are largely inaccessible to volunteer maintainers. They lack the resources, skills, or time to deploy defensive processes and systems.

The detection problem becomes exponentially harder when LLMs can generate code that passes all existing security reviews, contribution histories that look perfectly normal, and social interactions that feel authentically human. Traditional code analysis tools will struggle against LLM generated backdoors designed specifically to evade detection. Meanwhile, the human intuition that spot social engineering attacks becomes useless when the "humans" are actually sophisticated language models.

Security updates have been issued by AlmaLinux (kernel, mod_http2, postgresql, postgresql:15, and python39:3.9), Debian (libsndfile), Mageia (ceph, glibc, and golang), Oracle (postgresql and python39:3.9), Red Hat (aide, postgresql:12, postgresql:13, postgresql:15, and postgresql:16), SUSE (git, govulncheck-vulndb, jetty-minimal, nginx, python-future, and ruby2.5), and Ubuntu (imagemagick).

The GNOME Foundation has announced that Steven Deobald will be leaving the position of Executive Director after just four months.

We are extremely grateful to Steven for all this and more. Despite these many positive achievements, Steven and the board have come to the conclusion that Steven is not the right fit for the Executive Director role at this time. We are therefore bidding Steven a fond farewell.

Arnd Bergmann started his Open Source Summit Europe 2025 talk with a clear statement of position: 32-bit systems are obsolete when it comes to use in any sort of new products. The only reason to work with them at this point is when there is existing hardware and software to support. Since Bergmann is the overall maintainer for architecture support in the kernel, he is frequently asked whether 32-bit support can be removed. So, he concluded, the time has come to talk more about that possibility.

Security updates have been issued by AlmaLinux (postgresql16, postgresql:16, python3.11, and thunderbird), Debian (firebird4.0, libcommons-lang3-java, mbedtls, nodejs, openvpn, and ruby-saml), Fedora (cef, chromium, docker-buildx, exiv2, firefox, rocm-rpp, and udisks2), Oracle (postgresql:16), Red Hat (fence-agents, firefox, gdk-pixbuf2, httpd, kernel, kernel-rt, libarchive, libxml2, multiple packages, postgresql, postgresql16, postgresql:15, postgresql:16, python3.11, python3.12, python39:3.9, and thunderbird), Slackware (udisks2), SUSE (go-sendxmpp, helm, ImageMagick, javamail, jq, kea, kernel, libarchive, libsoup, libssh, libxml2, openssl-3, postgresql14, postgresql15, python, python-future, systemd, and xz), and Ubuntu (open-vm-tools and python2.7).

Linus has released 6.17-rc4 for testing. "So it all looks fairly good. Please do keep testing, and we'll get 6.17 out in a timely manner and in good shape."