Linux Weekly News

Security updates have been issued by AlmaLinux (container-tools:rhel8, jq, kernel, podman, python-setuptools, socat, and thunderbird), Gentoo (Chromium, Google Chrome, Microsoft Edge. Opera, ClamAV, Git, NTP, REXML, and strongSwan), Oracle (buildah, gnome-remote-desktop, ipa, jq, kernel, podman, python-setuptools, ruby:3.3, socat, uek-kernel, and xorg-x11-server-Xwayland), SUSE (kernel), and Ubuntu (freerdp3, git, gnupg2, linux-aws, linux-oracle, linux-azure, linux-azure, linux-azure-6.11, linux-fips, linux-aws-fips, linux-azure-fips, linux-gcp-fips, linux-ibm-5.15, linux-intel-iotg, linux-nvidia-tegra, linux-nvidia-tegra-5.15, linux-nvidia-tegra-igx, linux-kvm, linux-lowlatency, linux-oem-6.11, and onionshare).

Versions v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1 and v2.50.1 of the Git source-code management system have been released. "This is a set of coordinated security fix releases. Please update at your earliest convenience". See the announcement for details; many of the vulnerabilities have to do with tricks buried in untrusted repositories.

Version 140 of the Thunderbird mail client has been released. Notable features include "dark message mode" to adapt message content to dark mode, the ability to easily transfer desktop settings to the mobile Thunderbird client, experimental support for Microsoft Exchange, as well as global controls for message threading and sort order.

Thunderbird 140 is an extended-support release (ESR) which will be supported for 12 months. However, the Thunderbird project is trying to encourage users to adopt the Release channel for monthly updates instead. The project is staggering upgrades to 140 for existing Thunderbird users in order to catch any significant bugs before they are widely deployed, but users can upgrade manually via the Help > About menu. See the release notes for a full list of changes.

The kernel project, for many years, lacked a formal testing setup; it was often joked that testing was the project's main reason for keeping users around. While many types of kernel testing can only be done in the presence of specific hardware, there are other parts of the kernel that could be more widely tested. Over time, though, the kernel has gained two separate testing frameworks and a growing body of automated tests to go with them. These two frameworks — kselftests and KUnit — take different approaches to the testing problem; now this patch series from Thomas Weißschuh aims to bring them together.

Security updates have been issued by Debian (djvulibre and slurm-wlm), Red Hat (apache-commons-vfs, container-tools:rhel8, kernel, kernel-rt, podman, python3, rsync, socat, and sudo), SUSE (apache2, helm-mirror, incus, kernel, openssl-3, python-Django, and systemd), and Ubuntu (dcmtk, File::Find::Rule, ghostscript, jquery, and libssh).

The U-Boot universal bootloader project has announced the release of version 2025.07. It has multiple new features including "uthreads" (inspired by the "bthreads" coroutines in the barebox bootloader), exFAT support, new architecture and SoC support and improvements to existing platforms, cleanups, better testing, and more. Project leader Tom Rini took the opportunity to mention his efforts toward getting some help with the project and more formal governance: As this is a full release, and not just a release candidate I'm hoping for a few more people to read this and then read what I'm linking to as well. For the overall health of the project, and the community, I'm hoping to find a few people within the community that can help with overall organization and management. I would like to long term be able to move us to being under the Software Freedom Conservancy umbrella and that in turn means having a organizational structure that's not just a single person.

He also noted that there is a community meeting on July 8th, 2025 at 9am (GMT -06:00) on Google Meet.

The GNU project's Bourne Again SHell (Bash) has released version 5.3, with some significant new features, including some from the associated Readline 8.3 release, which provides command-line editing and other features for Bash and lots of other programs. Bash 5.3 has a "new form of command substitution that executes the command in the current shell execution context", pathname-completion sorting will be handled based on the GLOBSORT shell variable, generated completions can go to a shell variable instead of to stdout, the source code has been updated to C23, and more. Meanwhile: Readline has new features as well. There is a new option that allows case-insensitive searching, a new command that executes a named readline command, and a new command that exports possible word completions in a specified format for consumption by another process.

Niri is a relatively new Rust-based compositor for Wayland with a different take on tiling window management: windows are placed onscreen in an "infinite" row that can expand beyond the bounds of the visible workspace. It is not a full-blown desktop environment, but niri may be a suitable option for Linux users who want tiling features and the minimalism of a window manager for Wayland.

Security updates have been issued by Debian (thunderbird and xmedcon), Fedora (darktable, mbedtls, sudo, and yarnpkg), Mageia (catdoc and php), Red Hat (java-1.8.0-ibm, kernel, python-setuptools, python3, python3.11, python3.12, python3.9, socat, sudo, tigervnc, webkit2gtk3, webkitgtk4, xorg-x11-server, and xorg-x11-server-Xwayland), SUSE (alloy, apache-commons-fileupload, apache2-mod_security2, assimp-devel, chromedriver, clamav, clustershell, corepack22, ctdb, curl, dpkg, erlang-rabbitmq-client, ffmpeg-4, firefox, firefox-esr, flake-pilot, fractal, gdm, ggml-devel-5699, gio-branding-upstream, git-lfs, glib2, glibc, go1.23, go1.24, govulncheck-vulndb, gpg2, grafana, grype, helm, himmelblau, icu, jgit, jq, jupyter-bqplot-jupyterlab, jupyter-jupyterlab-templates, jupyter-matplotlib, jupyter-nbclassic, jupyter-nbdime, jupyter-panel, jupyter-plotly, keylime-ima-policy, kubernetes1.30-apiserver, kubernetes1.31-apiserver, kubernetes1.32-apiserver, libbd_btrfs-devel, libetebase-devel, libmozjs-128-0, libprotobuf-lite31_1_0, libQt5Bootstrap-devel-static-32bit, libsoup, libsoup-2_4-1, libsoup-3_0-0, libspdlog1_15, libssh, libssh-config, libsystemd0, libtpms-devel, libwireshark18, libwx_gtk2u_adv-suse16_0_0, mirrorsorcerer, moarvm, nix, nodejs-electron, nova, oci-cli, opa, openbao, ovmf-202505, pam, pam_pkcs11, perl, perl-32bit, perl-CryptX, perl-File-Find-Rule, perl-YAML-LibYAML, podman, polaris, postgresql-jdbc, pure-ftpd, python-furo-doc, python-requests, python310, python311, python311-Django, python311-Django4, python311-jupyter-core, python311-Pillow, python311-pydata-sphinx-theme, python311-requests, python311-salt, python311-urllib3, python312, python313, python314, python39, radare2, redis, samba, SDL, SDL2, sudo, teleport, thunderbird, tomcat, tomcat10, tomcat11, traefik, traefik2, valkey, velociraptor, vim, xorg-x11-server, and xwayland), and Ubuntu (linux-ibm, linux-intel-iotg, linux-lowlatency, linux-lowlatency-hwe-6.11, and linux-oem-6.14).

The 6.16-rc5 kernel prepatch has been released. Quoth Linus: "Please keep testing, but this all feels fairly regular for this phase of the release".

The 6.15.5, 6.12.36, 6.6.96, and 6.1.143 stable kernels have been released; each contains another set of important fixes.

The pedalboard library for Python is aimed at audio processing of various sorts, from converting between formats to adding audio effects. The maintainer of pedalboard, Peter Sobot, gave a talk about audio in Python at PyCon US 2025, which was held in Pittsburgh, Pennsylvania in May. He started from the basics of digital audio and then moved into working with pedalboard. There were, as might be guessed, audio examples in the talk, along with some visual information; interested readers may want to view the YouTube video of the presentation.

Security updates have been issued by AlmaLinux (.NET 9.0, container-tools:rhel8, ghostscript, git-lfs, grafana-pcp, pandoc, perl-FCGI:0.78, ruby:2.5, ruby:3.3, tigervnc, and varnish:6), Debian (jpeg-xl and mediawiki), Fedora (darktable, guacamole-server, mingw-gdk-pixbuf, and yarnpkg), Oracle (gimp, kernel, libsoup, python-tornado, python3.12, and thunderbird), Slackware (php), SUSE (libgepub), and Ubuntu (libtpms, linux-aws-5.15, linux-intel-iot-realtime, and linux-bluefield).

Collin Richards has announced version 0.0.1 of tmux-rs, a port of the tmux terminal multiplexer to Rust.

For the [past] 6 months or so I've been quietly porting tmux from C to Rust. I've recently reached a big milestone: the code base is now 100% (unsafe) Rust. I'd like to share the process of porting the original codebase from ~67,000 lines of C code to ~81,000 lines of Rust (excluding comments and empty lines). You might be asking: why did you rewrite tmux in Rust? And yeah, I don't really have a good reason. It's a hobby project. Like gardening, but with more segfaults.

Richards says that the next goal for the project is to convert it to safe Rust. It is currently "not very difficult to get it to crash", but he wanted to share the project with other Rust fans now. The project is available on GitHub.

The kernel project makes a strong promise to its users: the kernel ABI will not be changed in ways that break user-space code. The occasional failure notwithstanding, kernel developers do try to live up to that promise. They are handicapped by one little problem, though: there is no description of what the kernel ABI is, and no comprehensive way to test whether a given change breaks it. The kernel API specification framework proposed (in its second revision) by Sasha Levin addresses some of those concerns, but the solution is incomplete and does not come for free.

Security updates have been issued by AlmaLinux (.NET 9.0, aardvark-dns, apache-commons-beanutils, bootc, buildah, corosync, delve and golang, exiv2, expat, firefox, ghostscript, git, git-lfs, gnutls, grafana, grafana-pcp, grub2, gstreamer1, gstreamer1-plugins-bad-free, gstreamer1-plugins-ugly-free, and gstreamer1-rtsp-server, gstreamer1-plugins-base, gstreamer1-plugins-good, gvisor-tap-vsock, iptraf-ng, java-21-openjdk, kernel, keylime-agent-rust, krb5, libarchive, libblockdev, libsoup3, libtasn1, libvpx, libxslt, microcode_ctl, mod_auth_openidc, nodejs22, nodejs:20, openjpeg2, osbuild and osbuild-composer, perl-FCGI, perl-Module-ScanDeps, perl-YAML-LibYAML, php, php:8.2, php:8.3, podman, protobuf, python-jinja2, python-requests, python3.11, python3.12, python3.12-cryptography, python3.9, rpm-ostree, rsync, rust-bootupd, skopeo, thunderbird, tigervnc, tomcat, tomcat9, webkit2gtk3, xdg-utils, xorg-x11-server, and xorg-x11-server-Xwayland), Debian (ring), Mageia (libarchive and rootcerts, nss & firefox), Oracle (.NET 9.0, corosync, firefox, osbuild-composer, pam, python3, python3.11, python3.12, python3.9, skopeo, sudo, and thunderbird), Red Hat (microcode_ctl, pam, php, thunderbird, tigervnc, xorg-x11-server, xorg-x11-server and xorg-x11-server-Xwayland, and xorg-x11-server-Xwayland), SUSE (clamav, icu, libgepub, libsoup, python-requests, tomcat, and xorg-x11-server), and Ubuntu (clamav, logback, mongo-c-driver, pcs, and python-flask-cors).

Inside this week's LWN.net Weekly Edition:

• Front: Kernel features from Python; i686 in Fedora; Kernel development with LLMs; Rust drivers; Load balancing with machine learning; Transparent huge pages.
• Briefs: Bcachefs removal; Coccinelle for Rust; Netdev Foundation; Oracle Linux 10; GNU HHIS 5.0; Rust 1.88.0; Quotes; ...
• Announcements: Newsletters, conferences, security updates, patches, and more.

Debian's Bananas team has put out a call for people with Apple M1 or M2 systems to help test Debian on those machines:

The Bananas Team has set up an installer at with images for GNOME, KDE and console installations. While we'd like to build an actual Debian installer sooner or later (we may need a heads-up from the Debian Images team for that), at this time we only provide an asahi-type installer, which installs both the "bootloader" and the OS partitions to disk from the network (as opposed to only installing the bootloader and then letting you install Debian using a d-i USB stick). We haven't forked Trixie from Testing yet, so what you'll get is Debian Testing quite deep into the freeze.

The Netdev Foundation, which is "a user-led effort under the supervision of the Linux Foundation, focused on financially supporting Linux networking development", has announced its existence.

The initial motivation was to move the NIPA testing outside of Meta, so that more people can help and contribute. But there should be sufficient budget to sponsor more projects.

(NIPA is Netdev Infrastructure for Patch Automation).

Every release of the Linux kernel has lots of new features, many of which are accessible from user space. Usually, though, the GNU C Library (glibc) and tools that access the Linux user-space API lag behind the kernel releases. Geoffrey Thomas showed how Python programs can access these new kernel features as soon as the kernel is released in his "What's New in the Linux Kernel... from Python" talk at PyCon US 2025. While he had two examples of accessing new kernel features, the real goal of the talk was to demonstrate how to go about connecting Python to the Linux kernel.