Linux Weekly News

Security updates have been issued by Debian (gst-plugins-good1.0, postgresql-13, and python-urllib3), Fedora (chezmoi, docker-buildkit, ov, and subfinder), Oracle (httpd:2.4), Slackware (net), and SUSE (apache2, buildah, kernel, and mariadb).

The judge in the Vizio GPL-compliance lawsuit has ruled, in a summary judgment, that the GNU General Public License, version 2, does not require the provision of signing keys needed to install modified software on a device.

Read as a whole, the Agreements require Vizio to make the source code available in such a manner that the source code can be readily obtained and modified by Plaintiff or other third parties. While source code is defined to include "the scripts used to control compilation and installation," this does not mean that Vizio must allow users to reinstall the software, modified or otherwise, back onto its smart TVs in a manner that preserves all features of the original program and/or ensures the smart TVs continue to function properly. Rather, in the context of the Agreements, the disputed language means that Vizio must provide the source code in a manner that allows the source code to be obtained and revised by Plaintiff or others for use in other applications.

As the Software Freedom Conservancy, the plaintiff in the case, has pointed out, the judge has ruled against a claim that was never actually made.

SFC has never held the position, nor do we today hold the position, that any version of the GPL (even including GPLv3!) require "that the device continues to function properly" after a user installs their modified version of the copyleft components.

Linus Torvalds, meanwhile, has posted his own take on the ruling that has, as one might imagine, sparked an extended discussion as well.

Once again there is a brand-new release under the tree from the Ruby programming-language project: Ruby 4.0 has been released with many new features and improvements. Notable changes include the experimental Ruby Box feature for in-process isolation of classes and modules, a new just-in-time compiler called ZJIT, and improvements to Ruby's parallel-execution mechanism (Ractor). There are a number of language changes as well. See the documentation for Ruby 4.0 for more.

Security updates have been issued by Fedora (httpd, retroarch, and roundcubemail), Oracle (container-tools:rhel8, grafana, httpd, kernel, python3.12, python39:3.9, thunderbird, and uek-kernel), and SUSE (cheat, go-sendxmpp, and kernel).

Inside this week's LWN.net Weekly Edition:

• Front: 2025 retrospective; Dirk and Linus talk; successful open-source documentation projects; verifier-state pruning in BPF; Linux 32-bit timeline; BPF state visualizer; systemd v259.
• Briefs: linux-next maintainer; 2025 TAB; Git in Debian; Elementary OS 8.1; Qubes OS 4.3.0; GDB 17.1; Incus 6.20; systemd v259; Quotes; ...
• Announcements: Newsletters, conferences, security updates, patches, and more.

Another year has reached its conclusion. That can only mean one thing: the time has come to take a look back at the predictions we made in January and evaluate just how badly they turned out. Much to our surprise, not all of our predictions were entirely accurate. It has been a wild year in the Linux community and beyond, to say the least.

The systemd v259 release was announced on December 17, just three months after v258. It is a more modest release but still includes a number of important changes such as a new option for the run0 command (an alternative to sudo), ability to mount user home directories from the host in virtual machines, as well as under-the-hood changes with dlopen() for library linking, the ability to compile systemd with musl libc, and more.

Security updates have been issued by AlmaLinux (container-tools:rhel8, grafana, opentelemetry-collector, and thunderbird), Red Hat (kernel), and SUSE (cheat, libsoup, mariadb, mozjs52, python310, python315, qemu, rsync, and zk).

Version 8.1 of elementary OS has been released. Notable changes in this release include making the Wayland session the default, changes to window management and multitasking, as well as a number of accessibility improvements. The 8.1 release is the first to be made available for Arm64 devices, which should allow users to run elementary on Apple M-series hardware or other Arm devices that can load UEFI-supporting firmware, such as some Raspberry Pi models. See the blog post for a full list of changes.

Arnd Bergmann began his 2025 Linux Plumbers Conference session on the future of 32-bit support in the Linux kernel by saying that it was to be a followup to his September talk on the same topic. The focus this time, though, was on the kernel's "high memory" abstraction, and when it could be removed. It seems that the kernel community will need to support 32-bit systems for some time yet, even if it might be possible to remove some functionality, including support for large amounts of memory on those systems, more quickly.

The BPF verifier works, on a theoretical level, by considering every possible path that a BPF program could take. As a practical matter, however, it needs to do that in a reasonable amount of time. At the 2025 Linux Plumbers Conference, Mahé Tardy and Paul Chaignon gave a detailed explanation (slides; video) of the main mechanism that it uses to accomplish that: state pruning. They focused on two optimizations that help reduce the number of paths the verifier needs to check, and discussed some of the complications the optimizations introduced to the verifier's code.

Security updates have been issued by AlmaLinux (binutils, curl, gcc-toolset-13-binutils, git-lfs, httpd, httpd:2.4, keylime, libssh, mod_md, openssh, php:8.3, podman, python3.12, python3.9, python39:3.9, skopeo, tomcat, tomcat9, and webkit2gtk3), Fedora (mingw-glib2, mingw-libsoup, and mingw-python3), Mageia (roundcubemail), Oracle (git-lfs and mod_md), and SUSE (glib2, kernel, mariadb, and qemu).

Version 6.20 of the Incus container and virtual-machine management system has been released. Notable changes in this release include a new standalone command to add IncusOS servers to a cluster, qcow2-formatted volumes for clustered LVM, and reverse DNS records in OVN. See the announcement for a full list of changes.

Version 17.1 of the GDB debugger is out. Changes include shadow-stack support, info threads improvements, a number of Python API improvements, and more, including: "Warnings and error messages now start with an emoji (warning sign, or cross mark) if supported by the host charset. Configurable." See the NEWS file for more information.

Version 4.3.0 of the security-oriented Qubes OS distribution has been released. Changes include more recent distribution templates, preloaded disposable virtual machines, and the reintroduction of the Qubes Windows Tools set. See the release notes for more information.

Ian Jackson (along with Sean Whitton) has posted a manifesto and status update to the effect that, since Git repositories have become the preferred method to distribute source, that is how Debian should be distributing its source packages.

Everyone who interacts with Debian source code should be able to do so entirely in git.

That means, more specifically:

1. All examination and edits to the source should be performed via normal git operations.
2. Source code should be transferred and exchanged as git data, not tarballs. git should be the canonical form everywhere.
3. Upstream git histories should be re-published, traceably, as part of formal git releases published by Debian.
4. No-one should have to learn about Debian Source Packages, which are bizarre, and have been obsoleted by modern version control.

This is very ambitious, but we have come a long way!

At Open Source Summit Japan 2025, Erin McKean talked about the challenges to producing good project documentation, along with some tooling that can help guide the process toward success. It is a problem that many projects struggle with and one that her employer, Google, gained a lot of experience with from its now-concluded Season of Docs initiative. Through that program, more than 200 case studies of documentation projects were gathered that were mined for common problems and solutions, which led to the tools and techniques that McKean described.

John Paul Adrian Glaubitz has announced that loong64 is now an official architecture for Debian, and will be part of the Debian 14 ("forky") release "if everything goes along as planned". This is a bit more than two years after the initial bootstrap of the architecture.

So far, we have manually built and imported an initial set of 112 packages with the help of the packages in Debian Ports. This was enough to create an initial chroot and set up the first buildd which is now churning through the build queue. Over night, the currently single buildd instance already built and uploaded 300 new packages.

Security updates have been issued by Debian (chromium, dropbear, mediawiki, php8.4, python-mechanize, rails, roundcube, usbmuxd, and wordpress), Fedora (cef, chromium, fonttools, gobuster, gosec, mingw-libpng, moby-engine, mqttcli, nextcloud, pgadmin4, python-unicodedata2, uriparser, and util-linux), Mageia (php and webkit2), Oracle (binutils, curl, gcc-toolset-13-binutils, gimp, git-lfs, kernel, openssh, php:8.3, podman, python-kdcproxy, python3.12, python3.9, skopeo, and webkit2gtk3), Red Hat (rsync), Slackware (php), SUSE (alloy, busybox, chromedriver, chromium, coredns-for-k8s, duc, firefox, kernel-devel, libpng16, libruby3_4-3_4, mariadb, netty, php8, python311-tornado6, rsync, taglib, and xen), and Ubuntu (linux-oracle-5.4, linux-raspi, linux-realtime-6.14, and linux-xilinx).

The 6.19-rc2 kernel prepatch is out for testing. "I obviously expect next week to be even quieter, with people being distracted by the holidays. So let's all enjoy taking a little break, but maybe break the boredom with some early rc testing?"