Linux Weekly News

The Internet is a wonderful thing; it allows anybody to look up information of interest. Included in all of that is the history of the free-software development community; how we got to where we are says a lot about why things are the way they are and what might come next. So the takeover of Groklaw rings a loud alarm; we have been reminded that history stored on the Internet is an ephemeral thing and cannot be expected to remain available forever.

Security updates have been issued by Debian (node-cipher-base), Fedora (keylime-agent-rust and libtiff), Oracle (aide, kernel, mod_http2, pam, pki-deps:10.6, python-cryptography, python3, python3.12, and thunderbird), SUSE (cheat, ffmpeg, firebird, govulncheck-vulndb, postgresql17, tomcat, tomcat10, tomcat11, ucode-intel-20250812, and v2ray-core), and Ubuntu (binutils, gst-plugins-base1.0, gst-plugins-good1.0, and linux-raspi-realtime).

Shadow stacks are a control-flow-integrity feature designed to defend against exploits that manipulate a thread's call stack. The kernel first gained support for hardware-implemented shadow stacks, for the x86 architecture, in the 6.6 release; 64-bit Arm support followed in 6.13. This feature does not give user space much control over the allocation of shadow stacks for new threads, though; a patch series from Mark Brown may, after many attempts, finally be about to change that situation.

Security updates have been issued by Debian (ffmpeg, firebird3.0, and luajit), Fedora (chromium, python3-docs, and python3.13), Oracle (aide, firefox, glibc, libxml2, and tomcat), Red Hat (aide, git, kernel, kernel-rt, libarchive, pam, python-cryptography, python3, python3.12, and webkit2gtk3), SUSE (cmake3, ffmpeg-4, kernel, kubernetes1.18, libqt4, minikube, net-tools, pam, postgresql16, proftpd, python-urllib3, python311, python312, python36, tomcat10, tomcat11, and webkit2gtk3), and Ubuntu (nginx).

Google has announced a new set of restrictions on the ability of users to install apps on their own devices:

Starting next year, Android will require all apps to be registered by verified developers in order to be installed by users on certified Android devices. This creates crucial accountability, making it much harder for malicious actors to quickly distribute another harmful app after we take the first one down. Think of it like an ID check at the airport, which confirms a traveler's identity but is separate from the security screening of their bags; we will be confirming who the developer is, not reviewing the content of their app or where it came from.

The PyCon team has announced that all PyCon US 2025 recordings are now available on its YouTube channel.

We had an amazing and diverse group of community members join us for PyCon US 2025, attending from 58 different countries! By the numbers, we welcomed a total attendance of 2,225 Pythonistas to the David L. Lawrence Convention Center. We couldn't be more grateful for all who supported the Python ecosystem and helped make PyCon US 2025 a huge success.

See the LWN conference index for coverage of some of the talks from PyCon US 2025.

In July 2024, Let's Encrypt, the nonprofit TLS certificate authority (CA), announced that it would be ending support for the online certificate status protocol (OCSP), which is used to determine when a server's signing certificate has been revoked. This prevents a compromised key from being used to impersonate a web server. The organization cited privacy concerns, and recommended that people rely on certificate revocation lists (CRLs) instead. On August 6, Let's Encrypt followed through and disabled its OCSP service. This poses a problem for Linux systems that must now rely on CRLs because, unlike on other operating systems, there is no standardized way for Linux programs to share a CRL cache.

The Linux Foundation, in cooperation with a couple of other groups, has announced the publication on the intersection of businesses and commercial open-source software (deemed "COSS"). Everything, it seems, is great, and COSS companies make a lot of money for their investors.

Even more encouraging, COSS project communities continue along healthy growth paths after the company receives venture funding. In essence, highly valued COSS companies tend to cultivate more vibrant, diverse, and integral open source ecosystems, reinforcing the idea that business value and community value are tightly coupled in successful COSS models.

Security updates have been issued by AlmaLinux (kernel and tomcat9), Debian (iperf3, mupdf, qemu, thunderbird, and unbound), Fedora (glab, kubernetes1.31, kubernetes1.32, kubernetes1.33, and toolbox), Oracle (kernel and tomcat9), Red Hat (firefox, kernel, kernel-rt, and squid), SUSE (abseil-cpp-devel, aide, flake-pilot, gdk-pixbuf, glibc, go-sendxmpp, ImageMagick, jetty-annotations, jupyter-bqplot-jupyterlab, libtiff-devel-32bit, pam, pdns-recursor, ruby3.4-rubygem-activerecord, rust-keylime, terragrunt, and thunderbird), and Ubuntu (linux-azure and linux-azure-fips).

Linus has released 6.17-rc3 (called "3.17-rc3" in the email, but the tag in the repository is correct) for testing. "Anyway, things seem fairly normal for this phase in the release cycle, nothing stands out. Please keep testing,"

The 6.16.3 stable kernel update has been released. It contains a set of ext4 filesystem fixes that are probably a good thing for any 6.16 ext4 user to have.