Linux Weekly News

Security updates have been issued by Debian (binwalk, glib2.0, libgd2, paramiko, and python-apt), Fedora (chromium, python3.13, python3.14, qt6-qtdeclarative, and usd), Mageia (ffmpeg, firefox, nspr, nss, and thunderbird), Oracle (kernel, mysql, mysql:8.0, mysql:8.4, ruby:3.3, wireshark, and xorg-x11-server), Red Hat (expat, mingw-expat, and rsync), SUSE (binutils, curl, glib2, gnutls, go1.24, go1.25, keylime, libmicrohttpd, libssh, openexr, postgresql15, python311, and xkbcomp), and Ubuntu (libsoup3, linux, linux-aws, linux-aws-6.8, linux-gcp, linux-gcp-6.8, linux-gke, linux-gkeop, linux-hwe-6.8, linux-ibm, linux-ibm-6.8, linux-lowlatency, linux-lowlatency-hwe-6.8, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, linux-oracle, linux-oracle-6.8, linux, linux-aws, linux-kvm, linux-lts-xenial, linux-azure, linux-azure-6.14, linux-azure, linux-azure-6.8, linux-azure-fips, linux-fips, linux-fips, linux-aws-fips, linux-gcp-fips, linux-kvm, linux-oem-6.14, linux-raspi, and linux-realtime, linux-realtime-6.8).

Version 8.16.0 of the calibre ebook-management software, released on December 4, includes a "Discuss with AI" feature that can be used to query various AI/LLM services or local models about books, and ask for recommendations on what to read next. The feature has sparked discussion among human users of calibre as well, and more than a few are upset about the intrusion of AI into the software. After much pushback, it looks as though users will get the ability to hide the feature from calibre's user interface, but LLM-driven features are here to stay and more will likely be added over time.

Vojtěch Polášek has announced an unofficial effort to create a Fedora-based distribution designed for visually impaired users:

My ultimate vision for this project is "NO VOJTUX NEEDED!" because I believe Fedora should eventually be fully accessible out of the box. We aren't there yet, which is where Vojtux comes in to fill the gap. [...]

Key Features:
-Speaks out of the box: When the live desktop is ready, Orca starts automatically. After installation, it is configured so that it starts on the login screen and also after logging in.
-Batteries included: Comes with LIOS , Ocrdesktop, Tesseract, Audacity, and command-line tools like Git and Curl. There are also many preconfigured keyboard shortcuts.

See the repository for instructions on getting the image.

Despite depending heavily on tools, the kernel project often seems to under-invest in the development of those tools. There has been progress in that area, though. At the 2025 Maintainers Summit, Konstantin Ryabitsev, who is (among other things) the author of b4, led a session on ways in which the kernel's tools could be improved to make the development process more efficient and accessible.

Security updates have been issued by AlmaLinux (firefox, grafana, kernel, libsoup3, mysql8.4, and wireshark), Debian (ruby-git, ruby-sidekiq, thunderbird, and vlc), Fedora (apptainer, chromium, firefox, golangci-lint, libpng, and xkbcomp), Mageia (golang), SUSE (binutils, chromium, firefox, gegl, go1.25, govulncheck-vulndb, hauler, kernel, keylime, libpng12, pgadmin4, postgresql16, python, python-Django, python-django, python3, python311, rhino, thunderbird, unbound, and xkbcomp), and Ubuntu (usbmuxd).

Linus Torvalds released 6.19-rc1 and closed the 6.19 merge window on December 14 (Japan time), after having pulled 12,314 non-merge commits into the mainline. Over 8,000 of those commits came in after our first 6.19 merge-window summary was written. The second part of the merge window was focused on drivers, but brought in a number of other changes as well.

Linus has released 6.19-rc1, perhaps a bit earlier than expected.

So it's Sunday afternoon in the part of the world where I am now, so if somebody was looking at trying to limbo under the merge window timing with one last pull request and is taken by surprise by the slightly unusual timing of the rc1 release, that failed.

Teaching moment, or random capricious acts? You be the judge.

Ariadne Conill is exploring a capability-based approach to privilege escalation on Linux systems.

Inspired by the object-capability model, I've been working on a project named capsudo. Instead of treating privilege escalation as a temporary change of identity, capsudo reframes it as a mediated interaction with a service called capsudod that holds specific authority, which may range from full root privileges to a narrowly scoped set of capabilities depending on how it is deployed.

The ability to write kernel code in Rust was explicitly added as an experiment — if things did not go well, Rust would be removed again. At the 2025 Maintainers Summit, a session was held to evaluate the state of that experiment, and to decide whether the time had come to declare the result to be a success. The (arguably unsurprising) conclusion was that the experiment is indeed a success, but there were some interesting points made along the way.

Greg Kroah-Hartman has released the 6.18.1, 6.17.12, and 6.12.62 stable kernels. Each contains important fixes; users of those kernels are advised to upgrade.

One of the key components in the kernel's development process is the linux-next repository. Every day, a large number of branches, each containing commits intended for the next kernel development cycle, is pulled into linux-next and integrated. If there are conflicts between branches, the linux-next process will reveal them. In theory, many other types of problems can be found as well. Some developers feel that linux-next does not work as well as it could, though. At the 2025 Maintainers Summit, Mark Brown, who helps to keep linux-next going, led a session on how it could be made to work more effectively.

KDE has announced the release of KDE Gear 25.12. This release adds more "extractors" to the Itinerary travel-assistant application, improved Git support in the Kate text editor, better PDF export in Konqueror, and much more. See the changelog for all new features, improvements, and bug fixes.

Security updates have been issued by AlmaLinux (firefox, luksmeta, mysql, mysql:8.0, mysql:8.4, tomcat, and wireshark), Debian (chromium, kernel, and tzdata), Fedora (brotli, dr_libs, perl-Alien-Brotli, python-urllib3, singularity-ce, wireshark, and yarnpkg), Oracle (firefox, grafana, lasso, libsoup3, luksmeta, ruby, ruby:3.3, tomcat, and wireshark), Slackware (mozilla), SUSE (container-suseconnect, kubernetes-client, libpoppler-cpp2, postgresql14, postgresql15, and python3), and Ubuntu (c-ares, keystone, linux, linux-aws, linux-aws-5.15, linux-azure, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-intel-iotg, linux-intel-iotg-5.15, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-nvidia-tegra, linux-nvidia-tegra-5.15, linux-nvidia-tegra-igx, linux-oracle, linux-oracle-5.15, linux-xilinx-zynqmp, linux-azure, linux-azure-4.15, linux-oracle,, linux-fips, linux-aws-fips, linux-azure-fips, linux-gcp-fips, linux-fips, linux-aws-fips, linux-gcp-fips, linux-hwe-6.8, linux-oracle-6.8, linux-raspi, linux-realtime, linux-intel-iot-realtime, and python-urllib3).

Version 24.04 LTS of the Ubuntu-based Pop!_OS distribution has been released with the COSMIC Desktop Environment:

Today is special not only in that it's the culmination of over three years of work, but even more so in that System76 has built a complete desktop environment for the open source community. We're proud of this contribution to the open source ecosystem. COSMIC is built on the ethos that the best open source projects enable people to not only use them, but to build with them. COSMIC is modular and composable. It's the flagship experience for Pop!_OS in its own way, and can be adapted by anyone that wants to build their own unique user experience for Linux.

In addition to the COSMIC desktop environment, Pop!_OS is now available for Arm computers with the 24.04 LTS release, and the distribution has added hybrid graphics support for better battery life. LWN covered an alpha version of COSMIC in August 2024.

Version 1.92.0 of Rust has been released. This release includes a number of stabilized APIs, emits unwind tables by default on Linux, validates input to #[macro_export], and much more. See the separate release notes for Rust, Cargo, and Clippy.

The first topic of discussion at the 2025 Maintainers Summit has been in the air for a while: what role — if any — should machine-learning-based tools have in the kernel development process? While there has been a fair amount of controversy around these tools, and concerns remain, it seems that the kernel community, or at least its high-level maintainership, is comfortable with these tools becoming a significant part of the development process.

Security updates have been issued by Debian (ffmpeg, firefox-esr, libsndfile, and rear), Fedora (httpd, perl-CGI-Simple, and tinyproxy), Oracle (firefox, kernel, libsoup, mysql8.4, tigervnc, tomcat, tomcat9, and uek-kernel), SUSE (alloy, curl, dovecot24, fontforge, glib2, himmelblau, java-17-openjdk, java-21-openjdk, kernel, krb5, lasso, libvirt, mozjs128, mysql-connector-java, nvidia-open-driver-G07-signed-check, openssh, poppler, postgresql17, postgresql18, python-cbor2, python-Django, python310, python311-Django, runc, strongswan, tomcat11, and xwayland), and Ubuntu (binutils, libpng1.6, linux, linux-aws, linux-aws-5.4, linux-gcp, linux-gcp-5.4, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-xilinx-zynqmp, linux, linux-aws, linux-aws-6.14, linux-gcp, linux-hwe-6.14, linux-raspi, linux, linux-aws, linux-gcp, linux-realtime, and qtbase-opensource-src).

Inside this week's LWN.net Weekly Edition:

• Front: Rust in CPython; Python frozendict; Bazzite; IETF post-quantum disagreement; Distrobox; 6.19 merge window; Leaving the TAB.
• Briefs: Let's Encrypt retrospective; PKI infrastructure; Rust in kernel to stay; CNA series; Alpine 3.23.0; cmocka 2.0; Firefox 146; 2024 Free Software Awards; Quotes; ...
• Announcements: Newsletters, conferences, security updates, patches, and more.

Let's Encrypt has published a retrospective that covers the decade since it published its first publicly trusted certificate in September 2015:

In March 2016, we issued our one millionth certificate. Just two years later, in September 2018, we were issuing a million certificates every day. In 2020 we reached a billion total certificates issued and as of late 2025 we're frequently issuing ten million certificates per day. We're now on track to reach a billion active sites, probably sometime in the coming year.

Greg Kroah-Hartman is writing a series of blog posts about Linux becoming a Certificate Numbering Authority (CNA):

It's been almost 2 full years since Linux became a CNA (Certificate Numbering Authority) which meant that we (i.e. the kernel.org community) are now responsible for issuing all CVEs for the Linux kernel. During this time, we've become one of the largest creators of CVEs by quantity, going from nothing to number 3 in 2024 to number 1 in 2025. Naturally, this has caused some questions about how we are both doing all of this work, and how people can keep track of it.

So far, Kroah-Hartman has published the introductory post, as well as a detailed post about kernel version numbers that is well worth reading.