All posts by corbet

[$] CoMaps emerges as an Organic Maps fork

Post Syndicated from corbet original https://lwn.net/Articles/1024387/

The open-source mobile app Organic Maps is used by millions of people on both the Android and iOS
platforms. In addition to featuring offline maps (generated from OpenStreetMap cartography) and
turn-by-turn navigation, it also promises its users greater privacy
than proprietary options. However, controversial decisions taken by the
project’s leaders, feelings of disenfranchisement among contributors, and
even accusations of embezzlement have precipitated a divide in the
community, leading to a new fork called CoMaps.

Summaries from the 2025 Python Language Summit

Post Syndicated from corbet original https://lwn.net/Articles/1025226/

The Python Software Foundation blog is carrying a
set of detailed summaries from the 2025 Python Language Summit:

The Python Language Summit 2025 occurred on May 14th in Pittsburgh,
Pennsylvania. Core developers and special guests from around the
world gathered in one room for an entire day of presentations and
discussions about the future of the Python programming language.

Topics covered include making breaking changes less painful, free-threaded
Python, interaction with Rust, and challenges faced by the Steering
Council.

[$] LWN.net Weekly Edition for June 12, 2025

Post Syndicated from corbet original https://lwn.net/Articles/1023924/

Inside this week’s LWN.net Weekly Edition:

  • Front: Nyxt; Cyber Resilience Act; Unwanted file descriptors; Core-dump API; 6.16 Merge window; Uniprocessor configurations; Smatch; FUSE zero-copy; iov_iter; Fedora documentation.
  • Briefs: Android tracking; /e/OS 3.0; FreeBSD laptops; Ubuntu X11 support; Netdev 0x19; OIN anniversary; Quotes; …
  • Announcements: Newsletters, conferences, security updates, patches, and more.

Covert web-to-app tracking via localhost on Android

Post Syndicated from corbet original https://lwn.net/Articles/1024844/

The “Local Mess” GitHub repository is dedicated to the disclosure of an
Android tracking exploit used by (at least) Meta and Yandex.

While there are subtle differences in the way Meta and Yandex
bridge web and mobile contexts and identifiers, both of them
essentially misuse the unvetted access to localhost sockets. The
Android OS allows any installed app with the INTERNET permission to
open a listening socket on the loopback interface
(127.0.0.1). Browsers running on the same device also access this
interface without user consent or platform mediation. This allows
JavaScript embedded on web pages to communicate with native Android
apps and share identifiers and browsing habits, bridging ephemeral
web identifiers to long-lived mobile app IDs using standard Web
APIs.

This backdoor, the use of which has evidently stopped since its disclosure,
allows tracking of users across sites regardless of cookie policies or use of
incognito browser modes.

[$] An end to uniprocessor configurations

Post Syndicated from corbet original https://lwn.net/Articles/1023575/

The Linux kernel famously scales from the smallest of systems to massive
servers with thousands of CPUs. It was not always that way, though; the
initial version of the kernel could only manage a single processor. That
limitation was lifted, obviously, but single-processor machines have always
been treated specially in the scheduler. That longstanding situation may
soon come to an end, though, if this patch series from Ingo Molnar makes it
upstream.

20 Years of the Open Invention Network

Post Syndicated from corbet original https://lwn.net/Articles/1024718/

The Open Invention Network (OIN) is celebrating
its 20th anniversary.

The central feature of the OIN community is a patent cross-license
that covers core Open Source functionality and expands in parallel
with the growth of Open Source technology. As growth in Open Source
has accelerated, OIN has proactively expanded the scope of the OIN
license’s benefit by including more than 4,500 software components
and platforms in its Linux System definition, which comprises the
list of Open Source code and associated functionality in OIN’s
patent cross-license.

LWN’s first look at OIN was this article by Pamela Jones in late 2005.

Three stable kernel updates

Post Syndicated from corbet original https://lwn.net/Articles/1024714/

The 6.15.2, 6.14.11, and 6.12.33 stable kernel updates have been released;
each contains a relatively small set of important fixes.

Note that this is the end of the line for the 6.14.x updates; Greg
Kroah-Hartman explains the timing of this move:

If you notice, this has happened a bit more “early” than previous
end-of-life announcements. Normally, after -rc1 is out there is a
TON of stable patches happening due to the changes that come into
the merge-window that were marked for stable backports but didn’t
get into Linus’s release before -final. As some people have
objected to this large influx being added to a stable kernel that
is just about to go end-of-life, let’s try marking this end-of-life
a bit earlier to see how it goes.

Security updates for Tuesday

Post Syndicated from corbet original https://lwn.net/Articles/1024713/

Security updates have been issued by Debian (python-django), Fedora (krb5), Mageia (cockpit, golang, kernel, and kernel-linus), SUSE (augeas, go1.23, go1.24, iputils, libwebp, transfig, and xen), and Ubuntu (amd64-microcode, apport, linux-azure, linux-azure, linux-azure-4.15, linux-azure-fips, linux-raspi, systemd, and tomcat).

Kernel prepatch 6.16-rc1

Post Syndicated from corbet original https://lwn.net/Articles/1024494/

Linus has released 6.16-rc1 and closed the
merge window for this release.

I think we had a fairly normal merge window, although I did get the
feeling that there were a few more “late straggler” pull requests
than usual. Not to a huge degree, but there was definitely an
upward bump at the end of the second week.

But on the whole, all the stats look pretty normal.

[$] Slowing the flow of core-dump-related CVEs

Post Syndicated from corbet original https://lwn.net/Articles/1024160/

The 6.16 kernel will include a number of changes to how the kernel handles
the processing of core dumps for crashed processes. Christian Brauner explained
his reasons for doing this work as: “Because I’m a clown and also I had
it with all the CVEs because we provide a **** API for userspace”. The
handling of core dumps has indeed been a constant source of
vulnerabilities; with luck, the 6.16 work will result in rather fewer of
them in the future.

[$] Fending off unwanted file descriptors

Post Syndicated from corbet original https://lwn.net/Articles/1023085/

One of the more obscure features provided by Unix-domain sockets is the
ability to pass a file descriptor from one process to another. This
feature is often used to provide access to a specific file or network
connection to a process running in a relatively unprivileged context. But
what if the recipient doesn’t want a new file descriptor? A feature
added for the 6.16 release makes it possible to refuse that offer.

[$] LWN.net Weekly Edition for June 5, 2025

Post Syndicated from corbet original https://lwn.net/Articles/1022979/

Inside this week’s LWN.net Weekly Edition:

  • Front: OpenH264 in Fedora; Wallabag; Safety certification; 6.16 Merge window; Bounce buffering; Hardening repository problems; Device-initiated I/O; Faster networking; OSPM 2025; Free software in science.
  • Briefs: Kea vulnerabilities; Alpine Linux 3.22.0; Fedora strategy; Quotes; …
  • Announcements: Newsletters, conferences, security updates, patches, and more.

Security updates for Tuesday

Post Syndicated from corbet original https://lwn.net/Articles/1023625/

Security updates have been issued by AlmaLinux (varnish), Debian (asterisk and roundcube), Fedora (systemd), Mageia (golang), Red Hat (ghostscript, perl-CPAN, python36:3.6, and rsync), SUSE (govulncheck-vulndb, libsoup-2_4-1, and postgresql, postgresql16, postgresql17), and Ubuntu (mariadb, open-vm-tools, php-twig, and python-tornado).

[$] Hardening fixes lead to hard questions

Post Syndicated from corbet original https://lwn.net/Articles/1023502/

Kees Cook’s “hardening fixes” pull request for the 6.16 merge window looked like a
straightforward exercise; it only contained four commits. So just about
everybody was surprised when it resulted in Cook being temporarily blocked
from his kernel.org account amid fears of malicious activity. When the
dust settled, though, the red alert was canceled. It turns out,
surprisingly, that Git is a tool with which one can inflict substantial
self-harm in a moment of inattention.

[$] Block-layer bounce buffering bounces out of the kernel

Post Syndicated from corbet original https://lwn.net/Articles/1022655/

As the end of the 1990s approached, a lot of kernel-development effort was
going into improving support for 32-bit systems
with shockingly large amounts of memory installed. This being the 1990s,
having more than 1GB of memory in such a system was deemed to be shocking.
Many of the compromises made to support such inconceivably large systems
have remained in the kernel to this day. One of those compromises —
bounce buffering of I/O requests in the block layer — has finally been
eased out for the 6.16 release, more than a quarter-century after its
introduction.

[$] LWN.net Weekly Edition for May 29, 2025

Post Syndicated from corbet original https://lwn.net/Articles/1022134/

Inside this week’s LWN.net Weekly Edition:

  • Front: Glibc security; How we lost the Internet; Encrypted DNS; 6.15 Development statistics; Filesystem stress-testing; BPF verifier; Network access from BPF; OSPM 2025.
  • Briefs: AlmaLinux 10.0; FESCo decision overturned; NixOS 25.05; Pocket, Launchpad retired; Quotes; …
  • Announcements: Newsletters, conferences, security updates, patches, and more.

AlmaLinux OS 10.0 released

Post Syndicated from corbet original https://lwn.net/Articles/1022744/

Version 10 of the AlmaLinux OS distribution has been released.

The goal of AlmaLinux OS is to support our community, and AlmaLinux
OS 10 is the best example of that yet. With an unwavering eye on
maintaining compatibility with Red Hat Enterprise Linux (RHEL), we
have made small improvements to AlmaLinux OS 10 that target
specific sections of our userbase.

See the release notes for details.

Security updates for Tuesday

Post Syndicated from corbet original https://lwn.net/Articles/1022703/

Security updates have been issued by AlmaLinux (gstreamer1-plugins-bad-free, libsoup, and python-tornado), Debian (libavif and pgbouncer), Red Hat (gstreamer1-plugins-bad-free, mingw-freetype and spice-client-win, and webkit2gtk3), SUSE (firefox, govulncheck-vulndb, and python310-setuptools), and Ubuntu (flask, intel-microcode, openjdk-17-crac, tika, and Tomcat).