Linux Weekly News

The European Commission has opened a "call for evidence" to help shape its European Open Digital Ecosystem Strategy. The commission is looking to reduce its dependence on software from non-EU countries:

The EU faces a significant problem of dependence on non-EU countries in the digital sphere. This reduces users' choice, hampers EU companies' competitiveness and can raise supply chain security issues as it makes it difficult to control our digital infrastructure (both physical and software components), potentially creating vulnerabilities including in critical sectors. In the last few years, it has been widely acknowledged that open source – which is a public good to be freely used, modified, and redistributed – has the strong potential to underpin a diverse portfolio of high-quality and secure digital solutions that are valid alternatives to proprietary ones. By doing so, it increases user agency, helps regain control and boost the resilience of our digital infrastructure.

The feedback period runs until midnight (Brussels time) February 3, 2026. The commission seeks input from all interested stakeholders, "in particular the European open-source community (including individual contributors, open-source companies and foundations), public administrations, specialised business sectors, the ICT industry, academia and research institutions".

At the 2025 Linux Plumbers Conference (LPC), held in Tokyo in mid-December, Changwoo Min led a session on what he has learned while developing the "latency-criticality aware virtual deadline" (LAVD) scheduler, which is aimed at gaming workloads. The session was part of the Gaming on Linux microconference, which is a new entrant into LPC; organizers hope to see it return next year in Prague and, presumably, beyond. LAVD uses the extensible scheduler class (sched_ext) and has the primary goal of minimizing stuttering in games; it is implemented in a combination of BPF and Rust.

Last year we revived the tradition of publishing a timeline of notable events from the previous year. Since that seemed to go over well, we decided we should continue the practice and look back on some of the most noteworthy events and releases of 2025.

The IPFire project, an open-source firewall Linux distribution, has released version 2.29 - Core Update 199. Notable changes in this release include an update to Linux 6.12.58, support for WiFi 6 and 7 features on wireless access points, as well as native support for link-local discovery protocol (LLDP) and Cisco discovery protocol (CDP).

Android Authority reports that Google will be reducing the frequency of releases of code to the Android Open Source Project to only twice per year.

A spokesperson for Google offered some additional context on this decision, stating that it helps simplify development, eliminates the complexity of managing multiple code branches, and allows them to deliver more stable and secure code to Android platform developers. The spokesperson also reiterated that Google's commitment to AOSP is unchanged and that this new release schedule helps the company build a more robust and secure foundation for the Android ecosystem.

The release schedule for security patches is unchanged.

Security updates have been issued by AlmaLinux (resource-agents, ruby:3.3, thunderbird, and xorg-x11-server), Fedora (libpcap), Red Hat (brotli), Slackware (libsodium), SUSE (dcmtk, govulncheck-vulndb, libpcap, mozjs60, qemu, rsync, and usbmuxd), and Ubuntu (glib2.0 and linux-raspi, linux-raspi-5.4).

The nature and role of the Linux Foundation's Technical Advisory Board (TAB) is not well-understood, though a recent LWN article shed some light on its role and history. At the 2025 Linux Plumbers Conference (LPC), the TAB held a question and answer session to address whatever it was the community wanted to know (video). Those questions ended up covering the role of large language models in kernel development, what it is like to be on the TAB, how the TAB can help grease the wheels of corporate bureaucracy, and more.

Aleksa Sarai, as the maintainer of the runc container runtime, faces a constant battle against security problems. Recently, runc has seen another instance of a security vulnerability that can be traced back to the difficulty of handling file paths on Linux. Sarai spoke at the 2025 Linux Plumbers Conference (slides; video) about some of the problems runc has had with path-traversal vulnerabilities, and to ask people to please use libpathrs, the library that he has been developing for safe path traversal.

Version 26.0 ("Anh-Linh") of the Arch-based Manjaro Linux distribution has been released. Manjaro 26.0 includes Linux 6.18, GNOME 49, KDE Plasma 6.5, Xfce 4.20, and more.

Security updates have been issued by AlmaLinux (kernel, ruby, and thunderbird), Debian (libsodium and ruby-rmagick), Fedora (gnupg2 and proxychains-ng), Oracle (gcc-toolset-14-binutils, rsync, tar, and thunderbird), Red Hat (buildah, mariadb, mariadb10.11, podman, and tar), SUSE (alloy, apache2, buildah, erlang26, glib2, ImageMagick, kernel, libsoup, pgadmin4, python-tornado6, python3, python312, python313, qemu, webkit2gtk3, and xen), and Ubuntu (webkit2gtk).

The calendar has flipped over to 2026; a new year has begun. That means the moment we all dread has arrived: it is time for LWN to put out a set of lame predictions for what may happen in the coming year. Needless to say, we do not know any more than anybody else, but that doesn't stop us from making authoritative-sounding pronouncements anyway.

Version 1.30 of the GNU ddrescue data recovery tool has been released. Notable changes in this release include improvements to automatic recovery of a drive with a dead head, addition of a --no-sweep option to disable reading of skipped areas, and more.

Security updates have been issued by AlmaLinux (tar), Debian (curl and gimp), Fedora (doctl, gitleaks, gnupg2, grpcurl, nginx, nginx-mod-brotli, nginx-mod-fancyindex, nginx-mod-headers-more, nginx-mod-modsecurity, nginx-mod-naxsi, nginx-mod-vts, and usd), Mageia (cups), Red Hat (container-tools:rhel8, go-toolset:rhel8, grafana, and skopeo), and SUSE (dirmngr, fluidsynth, gnu-recutils, libmatio-devel, python311-marshmallow, python312-Django6, rsync, and thunderbird).

The 6.19-rc4 kernel prepatch is out for testing.

So this rc is still a bit smaller than usual, but it's not _much_ smaller, and I think next week is likely going to be more or less back to normal.

Which is all exactly as expected, and nothing here looks particularly odd. I'll make an rc8 this release just because of the time lost to the holidays, not because it looks like we'd have any particular issues pending (knock wood).

Greg Kroah-Hartman has written an overview of how the kernel's security team works.

The members of the security team contain a handful of core kernel developers that have experience dealing with security bugs, and represent different major subsystems of the kernel. They do this work as individuals, and specifically can NOT tell their employer, or anyone else, anything that is discussed on the security alias before it is resolved. This arrangement has allowed the kernel security team to remain independent and continue to operate across the different governments that the members operate in, and it looks to become the normal way project security teams work with the advent of the European Union's new CRA law coming into effect.

Greg Kroah-Hartman has announced the release of the 6.18.3 stable kernel. As always, this update contains important fixes; users of this kernel are advised to upgrade.

Security updates have been issued by Debian (smb4k), Fedora (direwolf, gh, usd, and webkitgtk), Slackware (libpcap and seamonkey), and SUSE (kepler).

Security updates have been issued by Debian (imagemagick and net-snmp), Fedora (delve, golang-github-google-wire, and golang-github-googlecloudplatform-cloudsql-proxy), and SUSE (podman, python3, and python36).

Version 4.19.0 of the shadow-utils project has been released. Notable changes in this release include disallowing some usernames that were previously accepted with the --badname option, and removing support for escaped newlines in configuration files. Possibly more interesting is the announcement that the project is deprecating a number of programs, hashing algorithms, and the ability to periodically expire passwords:

Scientific research shows that periodic password expiration leads to predictable password patterns, and that even in a theoretical scenario where that wouldn't happen the gains in security are mathematically negligible (paper link).

Modern security standards, such as NIST SP 800-63B-4 in the USA, prohibit periodic password expiration. [...]

To align with these, we're deprecating the ability to periodically expire passwords. The specifics and long-term roadmap are currently being discussed, and we invite feedback from users, particularly from those in regulated environments. See #1432.

The release announcement notes that the features will remain functional "for a significant period" to minimize disruption.

Security updates have been issued by Debian (mediawiki), Fedora (duc, golang-github-projectdiscovery-mapcidr, and kustomize), Slackware (wget2), and SUSE (cheat, duc, flannel, go-sendxmpp, python311, python312, python313, and trivy).