Linux Weekly News

Roman Gushchin has announced the existence of an LLM-driven patch-review system named Sashiko. It automatically creates reviews for all patches sent to the linux-kernel mailing list (and some others).

In my measurement, Sashiko was able to find 53% of bugs based on a completely unfiltered set of 1,000 recent upstream issues using "Fixes:" tags (using Gemini 3.1 Pro). Some might say that 53% is not that impressive, but 100% of these issues were missed by human reviewers.

Sashiko is built on Chris Mason's review prompts (covered here in October 2025), but the implementation has evolved considerably.

The Free Software Foundation Europe (FSFE) is reporting that payment provider Nexi has terminated its contract without prior notice, which means that a number of FSFE supporters' recurring payments have been halted:

Over the past few months, our former payment provider Nexi S.p.A. ("Nexi") requested access to private data, which we understood to be specifically the usernames and passwords of our supporters. We have refused this request. All our attempts to clarify Nexi's request, or to understand how their need for such information was necessary and legal, were met with what we consider to be vague and unsatisfactory explanations relating to a general need for risk analysis.

[...] The decisions that Nexi has made are incomprehensible to us. Over the last months, as part of a security audit that Nexi claimed to be conducting, we have provided them with large amounts of the FSFE's financial documentation, which even included private information of our executive staff. We have answered all of their questions. But we have to draw a line when private companies like Nexi demand access to the sensitive and private data of our supporters.

According to the blog post, more than 450 supporters have been affected by this. The FSFE's donation pages have been updated with its new payment provider.

Fedora Project Leader (FPL) Jef Spaleta has issued a "modest proposal" for a technology-innovation-lifecycle process that would provide more formal structure for adopting technologies in Fedora. The idea is to spur innovation in the project without having an adverse impact on stability or the release process. Spaleta's proposal is somewhat light on details, particularly as far as specific examples of which projects would benefit; however, the reception so far is mostly positive and some think that it could make Fedora more "competitive" by being the place where open-source projects come to grow.

Security updates have been issued by Fedora (mingw-openexr, vim, and yarnpkg), Oracle (freerdp), Red Hat (389-ds-base, container-tools:rhel8, libpng, libpng15, nginx, nginx:1.24, nginx:1.26, opencryptoki, python3, python3.11, python3.12, and python3.9), SUSE (ruby4.0-rubygem-activestorage, ruby4.0-rubygem-activesupport, ruby4.0-rubygem-glogalid, ruby4.0-rubygem-grpc, ruby4.0-rubygem-jquery-rails, ruby4.0-rubygem-loofah, and rubygem4.0-rubygem-fluentd), and Ubuntu (curl, linux, linux-aws, linux-aws-6.17, linux-gcp, linux-hwe-6.17, linux-oracle, linux-oracle-6.17, linux, linux-aws, linux-gcp, linux-gcp-6.8, linux-gke, linux-gkeop, linux-hwe-6.8, linux-ibm, linux-ibm-6.8, linux-lowlatency, linux-lowlatency-hwe-6.8, linux-oracle, linux-oracle-6.8, linux, linux-aws, linux-gcp, linux-gkeop, linux-ibm, linux-ibm-5.15, linux-intel-iotg, linux-kvm, linux-lowlatency, linux-nvidia, linux-nvidia-tegra, linux-nvidia-tegra-5.15, linux-oracle, linux-xilinx-zynqmp, linux-fips, linux-aws-fips, linux-gcp-fips, linux-gcp, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, python-cryptography, and roundcube).

Version 1.5 of Marknote, a Markdown-based note-management application, has been released. Notable features in this release include Source Mode for working directly with Markdown instead of the WYSIWYG interface, internal wiki-style links for notes, as well as simpler management of notes and notebooks.

Kurt Roeckx has announced that Debian has moved to the campaigning period for the 2026 Debian Project Leader (DPL) election. This year there is only one candidate, Sruthi Chandran, so Debian voters will have a choice between Chandran as DPL or "None of the above". The campaign period will run through April 3, and the voting period will run from April 4 to April 17. Chandran has not yet posted a platform for the 2026 election, but her 2024 platform is available on the Debian wiki.

After a year's worth of development since GIMP 3.0 was released, the team behind the open-source image editor has released GIMP 3.2. It comes as part of the plan to release GIMP more frequently, rather than wait six or seven years between releases. The release comes with lots of new features (as can be seen in more detail in the release notes), including 20 new brushes for the MyPaint Brush tool, an "overwrite" paint mode, new and upgraded file formats, UI improvements in a variety of places, such as the on-canvas text editor, and new non-destructive layers:

• You can now use Link Layers to incorporate external image as part of your compositions, easily scaling, rotating, and transforming them without losing quality or sharpness. The link layer's content is updated when the source file is modified
• The Path tool can now create Vector Layers, which lets you draw shapes with adjustable fill and stroke settings.

A pull request that touches over 8,000 files, changing over 20,000 lines of code in the process, is (fortunately) not something that happens every day. It did happen at the end of the 7.0 merge window, though, when Linus Torvalds merged an extensive set of changes by Kees Cook to the venerable kmalloc() API (and its users). As a result of that work, though, the kernel has a new set of type-safe memory-allocation functions, with a last-minute bonus change to make the API a little easier to use.

Security updates have been issued by AlmaLinux (.NET 10.0, .NET 8.0, .NET 9.0, delve, git-lfs, gnutls, kernel, mingw-libpng, nfs-utils, opentelemetry-collector, python3.11, python3.12, python3.9, and vim), Debian (chromium, gimp, kernel, linux-6.1, and wireless-regdb), Fedora (alertmanager, chromium, freerdp, glab, golang-github-openprinting-ipp-usb, gst-devtools, gst-editing-services, gstreamer1, gstreamer1-doc, gstreamer1-plugin-libav, gstreamer1-plugins-bad-free, gstreamer1-plugins-base, gstreamer1-plugins-good, gstreamer1-plugins-ugly-free, gstreamer1-rtsp-server, insight, pcs, pgadmin4, python-gstreamer1, python3.10, python3.11, python3.6, qgis, SDL2_sound, SDL3_sound, systemd, and wireshark), Mageia (python-nltk, tomcat, and vim), Oracle (.NET 10.0, .NET 8.0, .NET 9.0, compat-openssl11, dtrace, python3.12, and vim), Red Hat (buildah, git-lfs, golang-github-openprinting-ipp-usb, opentelemetry-collector, podman, and runc), and SUSE (amazon-ssm-agent, busybox, clamav, firefox, giflib-devel-32bit, glibc, heroic-games-launcher, himmelblau, kubelogin, libpng15, libsoup, libsoup2, mingw32-binutils, mingw64-binutils, osc, obs-scm-bridge, python, python-black, python3, qemu, ruby4.0-rubygem-actioncable, ruby4.0-rubygem-actiontext, ruby4.0-rubygem-activejob, ruby4.0-rubygem-activemodel, tomcat, and tomcat10).

Linus has released 7.0-rc4 for testing.

Then Thursday hit with the networking pull. And then on Friday everybody else decided to send in their work for the week, with a few more trickling in over the weekend. End result: what had for a short few days looked like a nice calm week turned into another "bigger than usual" release candidate.

To be fair, that "almost everything comes in at the end of the week" is 100% normal, and none of this is surprising. I was admittedly hoping that things would start to calm down, but that was not to be.

I no longer really believe that it was the one extra week we had last release cycle: I'm starting to suspect it's the psychological result of "hey, new major number", and people are just being a bit more active as a result.

Greg Kroah-Hartman has announced the release of the 6.19.8, 6.18.18, and 6.12.77 stable kernels. Each of these kernels includes a number of important fixes; users are advised to upgrade.

Reddit user "Ok_Lingonberry3296" has posted the results of an extensive investigation into the companies that are pushing US state legislatures to enact age-verification bills.

I've been pulling public records on the wave of "age verification" bills moving through US state legislatures. IRS 990 filings, Senate lobbying disclosures, state ethics databases, campaign finance records, corporate registries, WHOIS lookups, Wayback Machine archives. What started as curiosity about who was pushing these bills turned into documenting a coordinated influence operation that, from a privacy standpoint, is building surveillance infrastructure at the operating system level while the company behind it faces zero new requirements for its own platforms.

(See also this article for a look at the California law.)

Qualys has sent out a somewhat breathless advisory describing a number of vulnerabilities in the AppArmor security module, which is used in a number of Debian-based distributions (among others).

This "CrackArmor" advisory exposes a confused-deputy flaw allowing unprivileged users to manipulate security profiles via pseudo-files, bypass user-namespace restrictions, and execute arbitrary code within the kernel. These flaws facilitate local privilege escalation to root through complex interactions with tools like Sudo and Postfix, alongside denial-of-service attacks via stack exhaustion and Kernel Address Space Layout Randomization (KASLR) bypasses via out-of-bounds reads.

In 2019, researchers published a way to identify which file-backed pages were being accessed on a system using timing information from the page cache, leading to a handful of unpleasant consequences and a change to the design of the mincore() system call. Discussion at the time led to a number of ad-hoc patches to address the problem. The lack of new page-cache attacks suggested that attempts to fix things in a piecemeal fashion had succeeded. Now, however, Sudheendra Raghav Neela, Jonas Juffinger, Lukas Maar, and Daniel Gruss have found a new set of holes in the Linux kernel's page-cache-timing protections that allow the same general class of attack.

Security updates have been issued by Debian (chromium, kernel, and multipart), Fedora (dnf5, dr_libs, easyrpg-player, libmaxminddb, python3.12, strongswan, task, and udisks2), Oracle (.NET 10.0, .NET 8.0, .NET 9.0, gnutls, ImageMagick, kernel, libvpx, mingw-libpng, nginx:1.26, python3.11, and uek-kernel), Red Hat (delve, git-lfs, mingw-libpng, osbuild-composer, and rhc-worker-playbook), SUSE (cjson, curl, dnsdist, libsoup2, postgresql16, postgresql17, postgresql18, python-lxml_html_clean, python-pypdf2, python36, and thunderbird), and Ubuntu (dotnet8, dotnet9, dotnet10, freetype, golang-github-go-git-go-git, golang-golang-x-net, openssh, python-cryptography, sudo, and util-linux).

One of the first changes merged for the upcoming 7.0 release was nullfs, an empty filesystem that cannot actually contain any files. One might logically wonder why the kernel would need such a thing. It turns out, though, that there are places where a null filesystem can come in handy. For 7.0, nullfs will be used to make life a bit easier for init programs; future releases will likely use nullfs to increase the isolation of kernel threads from the init process.

Sasha Levin has announced the release of the 6.19.7 and 6.18.17 stable kernels. As usual, each contains important fixes throughout the tree; users are advised to upgrade.

Security updates have been issued by AlmaLinux (gimp, git-lfs, grafana-pcp, kernel, mysql8.4, nfs-utils, opentelemetry-collector, osbuild-composer, postgresql:16, and python3.12), Debian (imagemagick and netty), Fedora (dr_libs and python-lxml-html-clean), Slackware (libarchive and libxml2), SUSE (busybox, coredns, firefox, freerdp, ghostty, gnutls, go1.25, go1.26, GraphicsMagick, grype, helm, helm3, ImageMagick, perl-Compress-Raw-Zlib, python, python311-lxml_html_clean, python311-PyPDF2, tomcat11, and traefik), and Ubuntu (curl, gimp, and libpng).

Inside this week's LWN.net Weekly Edition:

• Front: Chardet; Linux and age verification; Debian AI; Python lazy imports; Python type-system PEP; PQC HTTPS certificates; MGLRU; Fedora strategy.
• Briefs: LLM vulnerability; NTP security; OpenWrt 25.12.0; SUSE sale; Buildroot 2026.02; digiKam 9.0.0; Rust 1.94.0; Quotes; ...
• Announcements: Newsletters, conferences, security updates, patches, and more.

A recently enacted law in California imposes an age-verification requirement on operating-system providers beginning next year. The language of the Digital Age Assurance Act does not restrict its requirements to proprietary or commercial operating systems; projects like Debian, FreeBSD, Fedora, and others seem to be on the hook just as much as Apple or Microsoft. There is some hope that the law will be amended, but there is no guarantee that it will be. This means that the developer communities behind Linux distributions are having to discuss whether and how to comply with the law with little time and even less legal guidance.