Linux Weekly News

Python has recently seen a number of experiments to improve its parallel performance, including exposing subinterpreters as part of the standard library. These allow separate threads within the same Python process to run simultaneously, as long as any data sent between them is copied, rather than shared. PEP 795 ("Deep Immutability in Python") seeks to make efficient sharing of data between subinterpreters possible by allowing Python objects to be "frozen", so that they can be accessed from multiple subinterpreters without copying or synchronization. That task is more difficult than it seems, and the PEP prompted a good deal of skepticism from the Python community.

Security updates have been issued by AlmaLinux (cloud-init, fence-agents, git, kernel, and kernel-rt), Debian (openjdk-11), Fedora (firefox, golang, libinput, transfig, and yasm), Mageia (qtbase5, qtbase6), Red Hat (fence-agents, go-toolset:rhel8, golang, kernel, and python-setuptools), Slackware (mozilla), SUSE (cyradm, gstreamer-plugins-base, and xen), and Ubuntu (gdk-pixbuf, jq, linux-gcp, linux-gcp-6.8, linux-oracle, ruby-sinatra, thunderbird, and unbound).

Version 141.0 of the Firefox browser it out. Changes include "a local AI model" that can perform tab grouping, unit conversions in the address bar, and a change that many of us will find welcome: "On Linux, Firefox uses less memory and no longer requires a forced restart after an update has been applied by a package manager".

GNOME and Fedora contributor Michael Catanzaro has written a lengthy blog post about the future of Fedora Workstation as an image-based release and the need to enable Flathub by default. He writes that the Fedora Workstation of the future must be "safe and image-based by default", with applications provided through Flathub:

Flathub is drastically more popular than Fedora Flatpaks even among the most hardcore Fedora community members who participate in change proposal debate on Fedora Discussion. (At time of writing, nearly 80% of discussion participants favor filtering out Fedora Flatpaks.)

This is the most important point. Flathub has already won.

He notes that Fedora should not force users to install an image-based OS if they do not want to, and there will be a package-based version for users who prefer or require it: "so no need to panic".

Google has announced the existence of OSS Rebuild, an infrastructure for the creation and verification of reproducible builds of software projects.

Our aim with OSS Rebuild is to empower the security community to deeply understand and control their supply chains by making package consumption as transparent as using a source repository. Our rebuild platform unlocks this transparency by utilizing a declarative build process, build instrumentation, and network monitoring capabilities which, within the SLSA Build framework, produces fine-grained, durable, trustworthy security metadata. [...]

Our vision extends beyond any single ecosystem: We are committed to bringing supply chain transparency and security to all open source software development. Our initial support for the PyPI (Python), npm (JS/TS), and Crates.io (Rust) package registries—providing rebuild provenance for many of their most popular packages—is just the beginning of our journey.

The QUIC transport-layer network protocol is not exactly new; it was first covered here in 2013. Despite carrying a significant part of the traffic on the Internet, QUIC has been anything but quick when it comes to getting support into the Linux kernel. The pace might be picking up, though; Xin Long has posted the first set of patches intended to provide mainline support for this protocol.

Security updates have been issued by AlmaLinux (tomcat9), Debian (djvulibre, libcommons-fileupload-java, libowasp-esapi-java, and tomcat9), Fedora (cef, dpkg, mingw-gdk-pixbuf, and mingw-python3), Gentoo (Roundcube), Oracle (avahi, cloud-init, fence-agents, git, kernel, and valkey), Red Hat (wireshark), SUSE (afterburn, apache2, busybox, java-21-openjdk, kernel, kernel-livepatch-MICRO-6-0-RT_Update_10, lemon, libexslt0, libgcrypt, libxml2-2, php8, postgresql17, python, python-oslo.utils, python311, python312, python313, and sudo), and Ubuntu (drupal7, erlang, fdkaac, gobgp, jq, linux-aws, linux-aws-6.8, linux-gke, linux-gkeop, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, linux-oracle, linux-oracle-6.8, linux-kvm, linux-oracle, and ruby-nokogiri).

At DebConf25 in Brest, France, the talk "When Free Software Communities Unite: Tails, Tor, and the Fight for Privacy" was delivered by a man who introduced himself only as intrigeri. He delivered an overview of the Tor Project, its mission, and the projects under the umbrella. He also spoke about how the organization depends on Debian, and plans for the software it delivers.

Security updates have been issued by AlmaLinux (java-1.8.0-openjdk), Debian (angular.js and batik), Fedora (chromium, pypy, screen, unbound, wine, and wine-mono), Mageia (djvulibre, quictls, and redis), Red Hat (avahi, gnome-remote-desktop, java-1.8.0-openjdk, java-11-openjdk with Extended Lifecycle Support, java-21-openjdk, kernel, kernel-rt, python-setuptools, redis, and valkey), SUSE (chromedriver, coreutils, cosign, docker, FastCGI, ffmpeg-4, fractal, gimp, glib2, ImageMagick, iputils, java-17-openjdk, java-24-openjdk, jq, kubelogin, kubernetes1.23, kubernetes1.24, kubernetes1.26, python-requests, python3, rmt-server, rustup, and thunderbird), and Ubuntu (apache2).

Linus has released 6.16-rc7 for testing.

Nothing really stands out - the biggest patches in here are for some documentation and self-tests or tooling, not actual kernel code changes.

So unlike the week before, it all feels very trivial and I think we're in good shape. Knock wood,

The Arch Linux project has sent out an advisory warning that a set of malicious packages, containing a remote access trojan, were uploaded to the Arch User Repository (AUR). The affected packages were librewolf-fix-bin, firefox-patch-bin, and zen-browser-patched-bin. "We strongly encourage users that may have installed one of these packages to remove them from their system and to take the necessary measures in order to ensure they were not compromised."

Intel has announced the abrupt end of its Clear Linux cloud-oriented distribution:

After years of innovation and community collaboration, we're ending support for Clear Linux OS. Effective immediately, Intel will no longer provide security patches, updates, or maintenance for Clear Linux OS, and the Clear Linux OS GitHub repository will be archived in read-only mode. So, if you're currently using Clear Linux OS, we strongly recommend planning your migration to another actively maintained Linux distribution as soon as possible to ensure ongoing security and stability.

The interfaces between C and Rust in the kernel have grown over time; any non-trivial Rust driver will use a number of these. Tasks like allocating memory, dealing with immovable structures, and interacting with locks are necessary for handling most devices. There are also many subsystem-specific bindings, but the focus this time will be on an overview of the bindings that all kernel Rust code can be expected to use.

Security updates have been issued by AlmaLinux (cloud-init, glib2, glibc, kernel, and tomcat), Debian (chromium), Fedora (luajit, minidlna, nginx-mod-modsecurity, python-asteval, rust-sequoia-octopus-librnp, and vim), Oracle (cloud-init, glib2, glibc, java-17-openjdk, kernel, python311-olamkit, tomcat, and tomcat9), SUSE (apache-commons-lang3, bind, coreutils, ffmpeg, gnutls, gstreamer-plugins-good, kubernetes1.25, kubernetes1.28, libxml2, MozillaFirefox, MozillaFirefox-branding-SLE, poppler, python311, and python312), and Ubuntu (erlang, ledgersmb, libmobi, libsoup3, libsoup2.4, linux, linux-aws, linux-aws-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-intel-iotg, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-nvidia-tegra, linux-nvidia-tegra-5.15, linux-nvidia-tegra-igx, linux-oracle, linux-oracle-5.15, linux, linux-aws, linux-oem-6.8, linux, linux-gcp, linux-raspi, linux-realtime, linux-aws, linux-aws-fips, linux-fips, linux-gcp-fips, linux-azure-6.8, linux-azure-nvidia, linux-hwe-6.8, linux-ibm, linux-ibm-6.8, linux-lowlatency, linux-lowlatency-hwe-6.8, linux-intel-iot-realtime, linux-realtime, linux-intel-iotg-5.15, linux-oem-6.14, linux-raspi, linux-realtime, php7.0, php7.2, php8.1, php8.3, php8.4, python-aiohttp, and rails).

The 6.15.7, 6.12.39, 6.6.99, 6.1.146, 5.15.189, 5.10.240, and 5.4.296 stable kernels have all been released; each contains another set of important fixes.

Version 12.0 of the Forgejo software forge has been released. Changes include a number of user-interface improvements, a mechanism to keep forks in sync with their upstream, and more; see the release notes for the full list.

Decades after its creation, the Linux CPU scheduler remains an area of active development; it is difficult to find a time slice to cover every interesting scheduler change. In an attempt to catch up, the time has come to round-robin through a few patches that have been circulating recently. The work at hand focuses on a new attempt at time-slice extension, the creation of a deadline server for sched_ext tasks, and keeping tasks on isolated CPUs from being surprised by LRU batching.

Security updates have been issued by AlmaLinux (emacs, java-17-openjdk, kernel, kernel-rt, microcode_ctl, python3.11-setuptools, python3.12-setuptools, and socat), Debian (gnutls28), Fedora (vim), Red Hat (java-1.8.0-ibm), Slackware (bind), SUSE (docker, erlang, erlang26, ggml-devel-5889, gnuplot, kernel, kubernetes1.27, libQt6Concurrent6, mailman3, and transfig), and Ubuntu (apache2, bind9, linux-iot, linux-lowlatency-hwe-6.11, and linux-raspi, linux-raspi-5.4).

Inside this week's LWN.net Weekly Edition:

• Front: Python JIT; Anubis; Secure Boot certificate expiration; SFrame; Exported symbols; Python packaging in Fedora.
• Briefs: Parrot 6.4; SPI report; Quotes; ...
• Announcements: Newsletters, conferences, security updates, patches, and more.

Version 0.50.0 of Hyprland, a compositor for Wayland, has been released. Changes include a new render-scheduling option that "can drastically improve FPS on underpowered devices, while coming at no performance or latency cost when the system is doing alright", an option to exclude applications from screen sharing, a new test suite, and more.