Linux Weekly News

Chris Down has posted a detailed look at how the kernel's zswap and zram subsystems work — and how they differ.

Most people think of zswap and zram simply as two different flavours of the same thing: compressed swap. At a surface level, that's correct – both compress pages that would otherwise end up on disk – but they make fundamentally different bets about how the kernel should handle memory pressure, and picking the wrong one for your situation can actively make things worse than having no swap at all

The Krita project has announced the release of Krita 5.3.0 and 6.0.0:

Krita 5.3/6.0 is the result of many years of work by the Krita developers. Some features have been rewritten from the ground up, others make their first appearance.

Enjoy the completely new text feature: on canvas editing, full opentype support, text flowing into shapes. It is now easier than ever to create vector-based panels for comic pages. Tools got extended: for instance, the fill tool now can close gaps. The liquify mode of the transform tool is much faster. There are new filters: a propagate colors filter and a reset transparent filter. Support for HDR painting has been improved. The recorder docker can now work in real time. There is improved support for file formats, like support for text objects in PSD files. And much, much, much more!

According to the announcement, the versions are almost functionally identical. However, the 6.0.0 release is the first based on Qt 6; it has more Wayland functionality but is considered experimental. It cautions that users should stick to 5.3.0 for real work. See the release notes for a full list of changes.

Security updates have been issued by Debian (strongswan and vlc), Fedora (cmake, giflib, and python-diskcache), SUSE (curl, docker-stable, freeciv, freerdp, freerdp2, freetype2, go1.25-openssl, go1.26-openssl, GraphicsMagick, gvfs, harfbuzz, kernel, lemon, libpng16, librsvg, libsodium, libsoup, net-snmp, protobuf, python-Authlib, python-maturin, python-tornado6, python310, python311-pypdf, python311-PyPDF2, python314, python39, rust-keylime, strongswan, systemd, ucode-intel, util-linux, and vim), and Ubuntu (gvfs, linux-aws-6.8, linux-azure, linux-azure, linux-azure-4.15, linux-azure-fips, linux-hwe-5.4, linux-ibm, linux-intel-iot-realtime, linux-nvidia-tegra-igx, linux-realtime-6.17, pyopenssl, rust-sized-chunks, strongswan, systemd, and tiff).

BPF programs can run in both sleepable and non-sleepable (atomic) contexts. Currently, sleepable BPF programs are not allowed to enter an atomic context. Puranjay Mohan has a new patch set that changes that. The patch set would let BPF programs called in sleepable contexts temporarily acquire locks that cause the programs to transition to an atomic context. BPF maintainer Alexei Starovoitov objected to parts of the implementation, however, so acceptance of the patch depends on whether Mohan is willing and able to straighten it out.

Linus has released 7.0-rc5 for testing. "It looks like things are starting to calm down - rc5 is smaller than the previous rc's this merge window, although it still tracks a bit larger than rc5s historically do."

Security updates have been issued by AlmaLinux (gimp:2.8, grub2, kernel, libarchive, libvpx, nginx, opencryptoki, python3.12, vim, yggdrasil, and yggdrasil-worker-package-manager), Debian (chromium, freeciv, libvirt, libyaml-syck-perl, mapserver, ruby-rack, spip, and webkit2gtk), Fedora (chromium, cpp-httplib, glib2, libsoup3, localsearch, openssh, python-scitokens, python-ujson, python3.6, scitokens-cpp, uxplay, wordpress, and xen), Mageia (expat), Red Hat (osbuild-composer), SUSE (Announcement ID: SUSE-SU-2026:0940-1 Release Date: 2026-03-20T13:41:23Z Rating: important References:, Announcement ID: SUSE-SU-2026:0941-1 Release Date: 2026-03-20T13:41:30Z Rating: important References:, Announcement ID: SUSE-SU-2026:0943-1 Release Date: 2026-03-20T13:41:33Z Rating: important References:, Announcement ID: SUSE-SU-2026:0944-1 Release Date: 2026-03-20T13:41:37Z Rating: important References:, Announcement ID: SUSE-SU-2026:0945-1 Release Date: 2026-03-20T13:41:40Z Rating: important References:, chromium, docker, go1.25-openssl, GraphicsMagick, helm, mumble, python311, python311-pyasn1, python313, runc, sqlite3, and tempo-cli), and Ubuntu (debian-goodies and libnet-cidr-perl).

Version 0.15.0 of the b4 patch-management tool is out. Highlights in this release include the b4 review workflow manager for maintainers (covered briefly in this article), b4 dig, which can find the original mailing-list submission behind a commit, three-way-merge support in b4 shazam, and more. See the release notes for details.

Version 19 of the Agama installer for openSUSE and SUSE has been released. This release includes major changes in Agama's architectural design, organization of the web interface, and more.

We always wanted Agama to follow the schema [...] in which the core of the installer could be controlled through a consistent and simple programming interface (an API, in developers jargon). In that schema, the web-based user interface, the command-line tools and the unattended installation are built on top of that generic API.

But previous versions of Agama were full of quirks that didn't allow us to define an API that would match our quality standards as a solid foundation to build a simple but comprehensive installer. Agama 19 represents a quite significant architectural overhaul, needed to leave all those quirks behind and to define mechanisms that can be the cornerstone for any future development.

LWN last looked at Agama in September 2025.

Members of the Manjaro Linux distribution's community have published a "Manjaro 2.0 Manifesto" that contains a list of complaints and a demand to restructure the project to provide a clear separation between the community and Manjaro as a company. The manifesto asserts that the project's leadership is not acting in the best interests of the community, which has caused developers to leave and innovation to stagnate. It also demands a handover of the Manjaro trademark and other assets to a to-be-formed nonprofit association. The responses on the Manjaro forum showed widespread support for the manifesto; Philip Müller, project lead and CEO of the Manjaro company, largely stayed out of the discussion. However, he surfaced on March 19 to say he was "open to serious discussions", but only after a nonprofit had actually been set up.

Security updates have been issued by AlmaLinux (capstone, glibc, grub2, kernel, libarchive, libpng, mysql, and python3.11), Debian (evolution-data-server, imagemagick, and snapd), Fedora (bpfman, chromium, cpp-httplib, dotnet10.0, openssh, polkit, and vim), Mageia (graphicsmagick, imagemagick, openssh, and perl-YAML-Syck), Oracle (capstone, grub2, kernel, mysql, and python-pyasn1), Red Hat (container-tools:rhel8, rhc, yggdrasil, and yggdrasil-worker-package-manager), SUSE (cargo1.92, cargo1.93, chromedriver, coturn, curl, freerdp, jq, kernel, libssh, php-composer2, python311-uv, python312, qemu, tomcat, util-linux, vim, and virtiofsd), and Ubuntu (exiv2, freerdp3, glance, linux, linux-aws, linux-aws-hwe, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, and linux-aws-fips, linux-fips, linux-gcp-fips).

Ars Technica describes the ritual that will be required before a future Android device will deign to install apps from somewhere other than the Play Store. It is not for the impatient.

Here are the steps:

• Enable developer options by tapping the software build number in About Phone seven times
• In Settings > System, open Developer Options and scroll down to "Allow Unverified Packages."
• Flip the toggle and tap to confirm you are not being coerced
• Enter device unlock code
• Restart your device
• Wait 24 hours
• Return to the unverified packages menu at the end of the security delay
• Scroll past additional warnings and select either "Allow temporarily" (seven days) or "Allow indefinitely."
• Check the box confirming you understand the risks.
• You can now install unverified packages on the device by tapping the "Install anyway" option in the package manager.

Greg Kroah-Hartman has announced the release of the 6.19.9 and 6.18.19 stable kernels. As usual, each has important fixes throughout the tree; users are advised to upgrade.

Version 1.7.0 ("Daffodil") of the Radicle peer-to-peer, local-first code collaboration stack has been released. Some of the changes in this release include improved I/O usage, the ability to block nodes at the connection level, and clearer errors for rad id updates. See the release notes for a full list of changes and bug fixes.

The kernel project has a unique approach to tooling that avoids many commonly used development systems that do not fit the community's scale and ways of working. Another way of looking at the situation is that the kernel project has often under-invested in tooling, and sometimes seems bent on doing things the hard way. In recent times, though, the amount of effort that has gone into development tools for the kernel has increased, with some interesting results. Recent developments in this area include the Sashiko code-review system, a patch-review manager built into b4, and a new attempt at a framework for the specification and verification of kernel APIs.

Security updates have been issued by Debian (freetype), Fedora (aqualung, kiss-fft, libtasn1, mac, and vim), Red Hat (libarchive, osbuild-composer, and rhc), Slackware (expat), SUSE (ca-certificates-mozilla, chromium, cockpit, cockpit-machines, cockpit-podman, curl, docker, docker-compose, docker-stable, gnutls, gstreamer-rtsp-server, gstreamer-plugins-ugly, gstreamer- plugins-rs, gstreamer-plugins-libav, gstreamer-plugins-good, gstreamer-plugins- base, gstreamer-plugins-bad, gstreamer-docs, gstreamer-devtools, gstreamer, gvfs, helm, kernel, krb5-appl, libsoup, libxslt, libxml2, openssh, python-cryptography, python-django, python-pypdf2, python-simpleeval, python311, qemu, ruby4.0-rubygem-sprockets, ruby4.0-rubygem-thor, ruby4.0-rubygem-web-console, ruby4.0-rubygem-websocket-extensions, skaffold, smb4k, tomcat, ucode-intel, util-linux, virtiofsd, and zlib), and Ubuntu (bouncycastle, exiv2, freerdp3, linux-aws, linux-aws-5.4, linux-gcp-5.4, linux-oracle, linux-oracle-5.4, linux-xilinx-zynqmp, linux-aws-fips, python2.7, roundcube, and valkey).

Inside this week's LWN.net Weekly Edition:

• Front: Privacy battles; page-cache-timing protections; null filesystems; Fedora Sandbox; safer kmalloc(); BPF in io_uring.
• Briefs: AppArmor vulnerabilities; snapd vulnerability; Sashiko; DPL election; Fedora Asahi 43; GIMP 3.2; Marknote 1.5; Quotes; ...
• Announcements: Newsletters, conferences, security updates, patches, and more.

Cindy Cohn is the executive director of the Electronic Frontier Foundation (EFF) and she gave the Saturday morning keynote at SCALE 23x in Pasadena about some of the work she and others have done to help protect online rights, especially digital privacy. The talk recounted some of the history of the court cases that the organization has brought over the years to try to dial back privacy invasions. One underlying theme was the role that attendees can play in protecting our rights, hearkening back to earlier efforts by the technical community.

Version 4.24.0 of the Samba SMB filesystem implementation has been released. There are a number of significant changes, including audit support for authentication information, remote password management, a number of Kerberos improvements, asynchronous-I/O rate limiting, and more.

GNOME 50 has been released. Notable changes in this release include enhancements to the Orca screen-reader application, interface and performance improvements for GNOME's file manager (Files), a "massive set of stability and performance updates" for its display-handling technologies, and much more. See also the "What's new for developers" article that covers changes of interest to GNOME and GNOME application developers.

Qualys has discovered a local-privilege escalation (LPE) vulnerability affecting Ubuntu Desktop 24.04 and later:

This flaw (CVE-2026-3888) allows an unprivileged local attacker to escalate privileges to full root access through the interaction of two standard system components: snap-confine and systemd-tmpfiles.

More details are available in the security advisory. Canonical has published updated packages as well as instructions for verifying if a system is vulnerable and how to upgrade if so.