Linux Weekly News

Mitchell Hashimoto has written a blog post about "fully embracing the GObject type system" with a rewrite of the GTK version of Ghostty:

In addition to memory management [improvements], we can now more easily create custom GTK widgets. This let us fully embrace modern GTK UI technologies such as Blueprint. For example, here is our terminal window Blueprint file. This has already led to more easily introducing GUI features like a new GTK titlebar tabs option, an animated border on bell, etc.

The rewrite is now the default if one builds Ghostty from source, and will be included in the 1.2 release that is expected in the next few weeks. LWN covered Ghostty in January.

Greg Kroah-Hartman has announced the release of the 6.16.1, 6.15.10, 6.12.42, 6.6.102, and 6.1.148 stable kernels. Get them while they're hot!

The purpose of the Filesystem Hierarchy Standard (FHS) is to provide a specification for filesystem layout; it specifies the location for files and directories on a Linux system to simplify application development for multiple distributions. In its heyday it had some success at this, but the standard has been frozen in time since 2015, and much has changed since then. There is a slow-moving effort to revive the FHS and create a FHS 4.0, but a recent discussion among Fedora developers also raised the possibility of standardizing on the suggestions in systemd's file-hierarchy documentation, which has now been added to the Linux Userspace API (UAPI) Group's specifications.

Security updates have been issued by AlmaLinux (kernel and webkit2gtk3), Debian (aide and postgresql-13), Fedora (libtiff, mupdf, and pandoc), SUSE (cairo, chromium, gstreamer-plugins-base, ImageMagick, iputils, kubernetes1.23, kubernetes1.26, matrix-synapse, Mesa, pgadmin4, python3, qemu, and rz-pm), and Ubuntu (aide).

One might imagine that managing a page full of zeroes would be a relatively straightforward task; there is, after all, no data of note that must be preserved there. The management of the huge zero folio in the kernel, though, shows that life is often not as simple as it seems. Tradeoffs between conflicting objectives have driven the design of this core functionality in different directions over the years, but much of the associated complexity may be about to go away.

Security updates have been issued by AlmaLinux (kernel, python3.11-setuptools, thunderbird, and toolbox), Debian (chromium), Fedora (open62541 and perl-Authen-SASL), Oracle (git, kernel, konsole, and webkit2gtk3), SUSE (framework-inputmodule-control and poppler), and Ubuntu (apache2, mysql-8.0, mysql-8.4, node-qs, request-tracker5, and ruby-sidekiq).

Inside this week's LWN.net Weekly Edition:

• Front: Indico; Arch Linux wiki; StarDict; Python debugging; LLM assistants for kernel development; 6.17 Merge window; Signed BPF programs.
• Briefs: CalyxOS; ACME on NGINX; Debian 13; LVFS sustainability; Go 1.25; Radicle 1.3.0; Rust 1.89; Syncthing 2.0; Quotes; ...
• Announcements: Newsletters, conferences, security updates, patches, and more.

NGINX has announced the preview release of the nginx-acme module, which adds native support to NGINX for the Automatic Certificate Management Environment (ACME) protocol:

NGINX's native support for ACME brings a variety of benefits that simplify and enhance the overall SSL/TLS certificate management process. Being able to configure ACME directly using NGINX directives drastically reduces manual errors and eliminates much of the ongoing overhead traditionally associated with managing SSL/TLS certificates. It also reduces reliance on external tools like Certbot, creating a more secure and streamlined workflow with fewer vulnerabilities and a smaller attack surface.

Version 1.25 of Go has been released. Notable changes include support for generating debug information in the DWARF 5 format, "container awareness" when setting the maximum number of CPUs to be used, and a new testing/synctest package with support for testing concurrent code. See the release notes for a comprehensive list of changes in 1.25.

Version 2.0 of Syncthing, a continuous file synchronization utility, has been released. Notable changes in 2.0 include multiple connections for synchronizing metadata and file data, a new logging format, as well as a switch from LevelDB to SQLite for Syncthing's backend. This the first release in the 2.0 series, and the release notes advise users to "expect some rough edges and keep a sense of adventure".

The Indico event-management tool has been in development at CERN for two decades at this point. The MIT-licensed web application helps organize conferences, meetings, workshops, and so on; it runs on Python and uses the Flask web framework. Two software engineers on the project, Dominic Hollis and Tomas Roun, came to EuroPython 2025 in Prague to talk about Indico, its history, and some metrics about its community. There is a bit of a connection between Indico and the conference: in 2006 and 2007, the tool was used to manage EuroPython.

Security updates have been issued by Debian (apache2, kernel, linux-6.1, openjdk-17, and pgpool2), Fedora (glib2, matrix-synapse, openjpeg, python3-docs, and python3.13), Oracle (gdk-pixbuf2, glibc, java-1.8.0-openjdk, kernel, libxml2, python-requests, python3.11-setuptools, and thunderbird), SUSE (amber-cli, apache-commons-lang3, eclipse-jgit, go1.23, go1.24, govulncheck-vulndb, grub2, icinga2, kubernetes1.23, libgcrypt, python3, python313, sccache, slurm, tiff, and webkit2gtk3), and Ubuntu (linux-oracle).

BPF programs are loaded directly into the kernel. Even though the verifier protects the kernel from certain kinds of misbehavior in BPF programs, some people are still justifiably concerned about adding unsigned code to their kernel. A fully correct BPF program can still be used to expose sensitive data, for example. To remedy this, Blaise Boscaccy and KP Singh have both shared patch sets that add ways to verify cryptographic signatures of BPF programs, allowing users to configure their kernels to load only pre-approved BPF programs. This work follows on from the discussion at the Linux Storage, Filesystem, Memory-Management, and BPF Summit (LSFMM+BPF) in April and Boscaccy's earlier proposal of a Linux Security Module (LSM) to accomplish the same goal. There are still some fundamental disagreements over the best approach to signing BPF programs, however.

The Arch Linux project is especially well-known in the Linux community for two things: its rolling-release model and the quality of the documentation in the ArchWiki. No matter which Linux distribution one uses, the odds are that eventually the ArchWiki's documentation will prove useful. The Debian project recognized this and has sought to improve its own documentation game by inviting ArchWiki maintainers Jakub Klinkovský and Vladimir Lavallade to DebConf25 in Brest, France, to speak about how Arch manages its wiki. The talk has already borne fruit with the launch of an effort to revamp the Debian wiki.

Version 1.3.0 of the Radicle distributed software forge system has been released. Changes this time around include canonical references, a new radicle-protocol crate, better log rotation, and more. (LWN looked at Radicle in 2024).

Security updates have been issued by AlmaLinux (kernel, kernel-rt, and python-requests), Debian (ca-certificates-java), Fedora (chromium, clash-meta, mingw-python3, openjpeg, php-adodb, and toolbox), Mageia (kernel and kernel-linus), SUSE (chromium, ImageMagick, libgcrypt, libssh, libxml2, opensc, postgresql14, and postgresql16), and Ubuntu (dnsmasq, linux-gcp-6.8, linux-raspi, linux-oracle-6.14, and openjdk-17).

Debian's GNU/Hurd team has announced the release of Debian GNU/Hurd 2025:

This is a snapshot of Debian "sid" at the time of the stable Debian "Trixie" release (August 2025), so it is mostly based on the same sources. It is not an official Debian release, but it is an official Debian GNU/Hurd port release. [...]

Debian GNU/Hurd is currently available for the i386 and amd64 architectures with about 72% of the Debian archive, and more to come!

See the FAQ and configuration guide for more on the GNU/Hurd port.

Richard Hughes, creator and maintainer of the Linux Vendor Firmware Service (LVFS), has written a blog post about the sustainability plan he has put together for the service. He is calling for the vendors that use the service to help fund its development and maintenance going forward. The Linux Foundation is kindly paying for all the hosting costs of the LVFS, and Red Hat pays for all my time — but as LVFS grows and grows that's going to be less and less sustainable longer term. We're trying to find funding to hire additional resources as a "me replacement" so that there is backup and additional attention to LVFS (and so that I can go on holiday for two weeks without needing to take a laptop with me).

This year there will be a fair-use quota introduced, with different sponsorship levels having a different quota allowance. Nothing currently happens if the quota is exceeded, although there will be additional warnings asking the vendor to contribute. The "associate" (free) quota is also generous, with 50,000 monthly downloads and 50 monthly uploads. This means that almost all the 140 vendors on the LVFS should expect no changes.

(Thanks to Paul Wise.)

StarDict is a GPLv3-licensed cross-platform dictionary application. It includes dictionaries for a number of languages, and has a rich plugin ecosystem. It also has a glaring security problem: while running on X11, using Debian's default configuration, it will send a user's text selections over unencrypted HTTP to two remote servers.

The 6.17-rc1 prepatch was released by Linus Torvalds on August 10; the 6.17 merge window is now closed. There were 11,404 non-merge changesets pulled into the mainline this time around, a little over 7,000 of which came in after the first-half merge-window summary was written. As one would expect, quite a few changes and new features were included in that work.