Linux Weekly News

Richard Hughes, creator and maintainer of the Linux Vendor Firmware Service (LVFS), has written a blog post about the sustainability plan he has put together for the service. He is calling for the vendors that use the service to help fund its development and maintenance going forward. The Linux Foundation is kindly paying for all the hosting costs of the LVFS, and Red Hat pays for all my time — but as LVFS grows and grows that's going to be less and less sustainable longer term. We're trying to find funding to hire additional resources as a "me replacement" so that there is backup and additional attention to LVFS (and so that I can go on holiday for two weeks without needing to take a laptop with me).

This year there will be a fair-use quota introduced, with different sponsorship levels having a different quota allowance. Nothing currently happens if the quota is exceeded, although there will be additional warnings asking the vendor to contribute. The "associate" (free) quota is also generous, with 50,000 monthly downloads and 50 monthly uploads. This means that almost all the 140 vendors on the LVFS should expect no changes.

(Thanks to Paul Wise.)

StarDict is a GPLv3-licensed cross-platform dictionary application. It includes dictionaries for a number of languages, and has a rich plugin ecosystem. It also has a glaring security problem: while running on X11, using Debian's default configuration, it will send a user's text selections over unencrypted HTTP to two remote servers.

The 6.17-rc1 prepatch was released by Linus Torvalds on August 10; the 6.17 merge window is now closed. There were 11,404 non-merge changesets pulled into the mainline this time around, a little over 7,000 of which came in after the first-half merge-window summary was written. As one would expect, quite a few changes and new features were included in that work.

Security updates have been issued by AlmaLinux (jackson-annotations, jackson-core, jackson-databind, jackson-jaxrs-providers, and jackson-modules-base and libxml2), Debian (distro-info-data, gnutls28, modsecurity-crs, and node-tmp), Fedora (chromium, incus, perl, perl-Devel-Cover, perl-PAR-Packer, polymake, varnish, and xen), Red Hat (kernel, kernel-rt, and rhc), and SUSE (chromedriver, ffmpeg-4, go1.23, go1.24, go1.25, govulncheck-vulndb, himmelblau, iperf, keylime-ima-policy, net-tools, sqlite3, texmaker, tomcat, and zabbix).

Linus has released 6.17-rc1 and closed the merge window for this development cycle.

Anyway, the merge window did end up looking fairly healthy, despite me having to go through a couple of bisections for trouble spots (one during travels with a laptop - not optimal, but thankfully it was at least one of the "reliable symptoms that bisect right to the culprit" kind). The stats look pretty normal both in patch size and in number of commits.

In the end, 11,404 non-merge changesets found their way into the mainline during the merge window.

The Debian Project has released its latest stable version, Debian 13 ("trixie"), which will be supported through 2030. This release includes GNOME 48, KDE Plasma 6.3, Xfce 4.20, Linux 6.12, GCC 14.2, Python 3.13, and systemd 257.

This release contains over 14,100 new packages for a total count of 69,830 packages, while over 8,840 packages have been removed as "obsolete". 44,326 packages were updated in this release. The overall disk usage for "trixie" is 403,854,660 kB (403 GB), and is made up of 1,463,291,186 lines of code. [...]

With this broad selection of packages and its traditional wide architecture support, Debian once again stays true to its goal of being "The Universal Operating System". It is suitable for many different use cases: from desktop systems to netbooks; from development servers to cluster systems; and for database, web, and storage servers. At the same time, additional quality assurance efforts like automatic installation and upgrade tests for all packages in Debian's archive ensure that "trixie" fulfills the high expectations that users have of a stable Debian release.

Trixie adds riscv64 as an officially supported architecture, and drops i386 as a regular architecture. Users with i386 systems should not upgrade to trixie; the project recommends reinstalling them as amd64, or retiring the hardware. See the release notes and issues to be aware of before installing or upgrading to trixie.

CalyxOS is an Android distribution that claims a focus on privacy and security. So when an announcement from the project begins by saying "we want to assure you that we have no reason to believe the security of CalyxOS and its signing keys have been compromised", chances are that good things are not happening.

In this case, it would appear that Nicholas Merrill, one of the founders of the project, has left for unclear reasons, and CalyxOS is responding by pausing all releases — and security updates — while its release process, signing keys, and security protocols are reworked. The result will be no updates for "four to six months". The project is recommending that its users "should uninstall the OS" and wait for an all-clear signal. CalyxOS may have its work cut out for it when the time comes to try to convince those users to come back.

Debugging in Python is not like it is for some other languages, as there is no way to attach a debugger to a running program to try to diagnose its ills. Pablo Galindo Salgado noticed that when he started programming in Python ten years ago or so; it bugged him enough that he helped fill the hole. The results will be delivered in October with Python 3.14. At EuroPython 2025, he gave a characteristically fast-paced and humorous look at debugging and what will soon be possible for Python debugging—while comparing it all to medical diagnosis.

Security updates have been issued by AlmaLinux (gdk-pixbuf2, glibc, kernel, kernel-rt, libxml2, and opentelemetry-collector), Fedora (firefox, mingw-opencv, moby-engine, varnish, webkitgtk, xen, and yarnpkg), Oracle (firefox, gdk-pixbuf2, glibc, kernel, libblockdev, libxml2, python-requests, python3.12-setuptools, and qt5-qt3d), Red Hat (libxml2, pcs, and sudo), and SUSE (agama, chromium, dpkg, ghostscript, iperf, kubo, libIex-3_3-32, libpoppler-cpp2, libsoup, libtiff-devel-32bit, nginx, python-urllib3, ruby2.5, tgt, traefik, and traefik2).

By some appearances, at least, the kernel community has been relatively insulated from the onslaught of AI-driven software-development tools. There has not been a flood of vibe-coded memory-management patches — yet. But kernel development is, in the end, software development, and these tools threaten to change many aspects of how software development is done. In a world where companies are actively pushing their developers to use these tools, it is not surprising that the topic is increasingly prominent in kernel circles as well. There are currently a number of ongoing discussions about how tools based on large language models (LLMs) fit into the kernel-development community.

The release of Rust 1.89 has been announced. Changes this time include support for inferring the length of certain arrays, lint messages suggesting how to clarify potentially confusing uses of lifetime elision in function signatures, and improvements to the C ABI. The full changelog is also available.

Security updates have been issued by AlmaLinux (glibc, kernel, libxml2, python-requests, and python-setuptools), Debian (chromium), Fedora (chromium, firefox, gdk-pixbuf2, iputils, libsoup3, libssh, perl, perl-Devel-Cover, perl-PAR-Packer, polymake, and poppler), Gentoo (Composer and Spreadsheet-ParseExcel), Oracle (glibc, kernel, libxml2, python-setuptools, sqlite, and virt:rhel and virt-devel:rhel), Red Hat (libxml2), SUSE (grub2, libarchive, libgcrypt, and python311), and Ubuntu (cifs-utils and poppler).

Inside this week's LWN.net Weekly Edition:

• Front: Don't fear the TPM; Python performance; Offensive Debian packages; NNCPNET; 6.17 Merge window; Transparent huge pages; SilverBullet.
• Briefs: AUR malware; Secure boot; kbuild and kconfig maintenanec; GPU drivers; NVIDIA on AlmaLinux; Proxmox 9.0; Quotes; ...
• Announcements: Newsletters, conferences, security updates, patches, and more.

The AlmaLinux project has announced the availability of packages to enable native NVIDIA driver support, including CUDA and Secure Boot, for AlmaLinux 9 and 10.

When AlmaLinux started just 5 years ago, this wouldn't have been possible. With NVIDIA's open source version of their graphics drivers things have changed. This open source version is slowly becoming the flagship driver, with new products being added exclusively to it. With the help of some incredible people in the open source ecosystem and the AlmaLinux community, we were able to do something that has yet to be done in the EL ecosystem - ship Secure Boot signed, open source, NVIDIA kernel modules.

Full documentation is available on the AlmaLinux wiki.

Daniel Almeida continues his look at graphics drivers on the Collabora blog.

The starting point is to understand that a kernel-mode GPU driver connects a much larger UMD (user-mode driver) to the actual GPU. The UMD will actually implement APIs like Vulkan, OpenGL, OpenCL, and others. These APIs, in turn, will be used by actual programs to describe their workload to the GPU. This includes allocating and using not only the geometry and textures, but also the shaders being used to process said data into the final result. This means that a key aspect of GPU drivers is actually allocating GPU memory to house data related to the current scene being drawn so that it can actually be operated on by the hardware.

There is a great deal of misunderstanding, and some misinformation, about the Trusted Platform Module (TPM); to combat this, Debian developer Jonathan McDowell would like to clear the air and help users understand what it is good for, as well as what it's not. At DebConf25 in Brest, France, he delivered a talk about TPMs that explained what they are, why people might be interested in using them, and how users might do so on a Debian system.

Version 0.10.0 of the Tuba fediverse client has been released. Notable changes in this release include a new post composer, an in-app web browser, search history, and many other refinements. See this thread for more details and highlights.

For eight years, Masahiro Yamada has been the sole maintainer of the kernel's build and configuration systems — two complex pieces of infrastructure that many people interact with, but few truly understand. Yamada has just stepped down from that position. Maintenance of the build system will be taken up by Nathan Chancellor and Nicolas Schier (in the "odd fixes" capacity), while the configuration system is now entirely unmaintained.

Thanks are due to Yamada for all that work, and to Chancellor and Schier for stepping up. Hopefully a way will be found to better support these important subsystems in the near future.

Security updates have been issued by AlmaLinux (kernel and python3.12-setuptools), Fedora (perl-Crypt-CBC and unbound), Gentoo (FontForge, GPL Ghostscript, Mozilla Network Security Service (NSS), and PAM), Oracle (gdk-pixbuf2, jq, kernel, mod_security, ncurses, python-requests, and python3-setuptools), Red Hat (python-requests and socat), SUSE (docker, kernel-livepatch-MICRO-6-0-RT_Update_2, kernel-livepatch-MICRO-6-0-RT_Update_4, kernel-livepatch-MICRO-6-0-RT_Update_5, kernel-livepatch-MICRO-6-0-RT_Update_6, kernel-livepatch-MICRO-6-0-RT_Update_7, kernel-livepatch-MICRO-6-0_Update_2, kernel-livepatch-MICRO-6-0_Update_4, kernel-livepatch-MICRO-6-0_Update_5, kernel-livepatch-MICRO-6-0_Update_6, kubeshark-cli, libgcrypt, pam-config, perl, python-requests, python311, and python313), and Ubuntu (linux-raspi).

Proxmox Virtual Environment 9.0, based on Debian 13 ("trixie"), has been released. Notable new features include snapshots for thick-provisioned LVM shared storage, affinity rules for high availability (HA) clusters, and a modernized mobile web interface for managing Proxmox systems. See the release notes and known issues for more details about the release.