All posts by corbet

Security updates for Tuesday

Post Syndicated from corbet original https://lwn.net/Articles/1038325/

Security updates have been issued by AlmaLinux (kernel and kernel-rt), Debian (node-sha.js and python-django), Fedora (chromium, cups, exiv2, perl-Catalyst-Authentication-Credential-HTTP, perl-Catalyst-Plugin-Session, perl-Plack-Middleware-Session, and qemu), Red Hat (container-tools:rhel8, podman, and udisks2), SUSE (cargo-audit, cargo-c, cargo-packaging, and kernel-devel), and Ubuntu (libcpanel-json-xs-perl, libjson-xs-perl, rubygems, sqlite3, and vim).

[$] New kernel tools: wprobes, KStackWatch, and KFuzzTest

Post Syndicated from corbet original https://lwn.net/Articles/1037390/

The kernel runs in a special environment that makes it difficult to use
many of the development tools that are available to user-space developers.
Kernel developers often respond by simply doing without, but the truth is
that they need good tools as much as anybody else. Three new tools for the
tracking down of bugs have recently landed on the linux-kernel mailing
list; here is an overview.

[$] A policy for Link tags

Post Syndicated from corbet original https://lwn.net/Articles/1037069/

The Git source-code management system stores a lot of information about
changes to code — but it does not hold everything that might be of interest
to a developer who needs to investigate a specific change in the future.
Commits in a repository are the end result of a (sometimes extended)
discussion; often, that discussion will result in changes to the code that
are not explained in the changelog. For some years now, many maintainers
have followed the convention of applying a Link tag to commits that points
back to the mailing-list posting of the change. Linus Torvalds has been
expressing his dislike for this convention for a while, though, and its
time appears to be coming to an end.

How FOSS Projects Handle Legal Takedown Requests (F-Droid)

Post Syndicated from corbet original https://lwn.net/Articles/1037703/

The F-Droid project has some advice for free-software projects on how to deal with takedown requests.

As part of our legal resilience research, we spoke with a range of
legal experts, software freedom advocates, and maintainers of
mature FOSS infrastructure to understand how others manage these
moments. In this article, we share what we learned, and how F-Droid
is incorporating these lessons into its own approach.

A path toward removal of kernel high-memory support

Post Syndicated from corbet original https://lwn.net/Articles/1037391/

As a followup to his OSS Europe talk on the future of 32-bit support in the kernel, Arnd Bergmann has put together a detailed plan for the eventual removal of high-memory support, which he calls “one of the least popular features of the Linux kernel”. The intent is “to gradually phase out highmem over the next 2 years for mainline kernels”. This plan is posted as a prompt for a discussion to be held at the Kernel Summit in December, so chances are it will evolve considerably in the next few months.

Security updates for Tuesday

Post Syndicated from corbet original https://lwn.net/Articles/1037308/

Security updates have been issued by AlmaLinux (kernel and kernel-rt), Debian (openafs and qemu), Fedora (buildah, containers-common, podman, python-flask, and snapshot), Mageia (postgresql, python-django, and udisks2), Oracle (kernel and libxml2), Red Hat (apache-commons-beanutils, firefox, httpd, httpd:2.4, kernel, kernel-rt, mod_http2, qt5-qt3d, and thunderbird), Slackware (libxml2), SUSE (firebird, go1.25-openssl, ImageMagick, microcode_ctl, netty, netty-tcnative, and ovmf), and Ubuntu (libetpan and postgresql-14, postgresql-16, postgresql-17).

npm debug and chalk packages compromised (Aikido)

Post Syndicated from corbet original https://lwn.net/Articles/1037167/

The Aikido blog describes
an apparently ongoing series of phishing attacks against npm package
maintainers, resulting in the uploading of compromised versions of heavily
used packages:

All together, these packages have more than 2 billion downloads per
week.

The packages were updated to contain a piece of code that would be
executed on the client of a website, which silently intercepts
crypto and web3 activity in the browser, manipulates wallet
interactions, and rewrites payment destinations so that funds and
approvals are redirected to attacker-controlled accounts without
any obvious signs to the user.

[$] Rug pulls, forks, and open-source feudalism

Post Syndicated from corbet original https://lwn.net/Articles/1036465/

Like almost all human endeavors, open-source software development involves
a range of power dynamics. Companies, developers, and users are all
concerned with the power to influence the direction of the software — and,
often, to profit from it. At the 2025 Open Source Summit Europe, Dawn Foster talked about how those dynamics can play out, with an eye toward a couple of tactics — rug pulls and forks — that are available to try to shift power in one direction or another.

[$] The dependency tracker for complex deadlock detection

Post Syndicated from corbet original https://lwn.net/Articles/1036222/

Deadlocks are a constant threat in concurrent settings with shared
data; it is thus not surprising that the kernel project has long since
developed tools to detect potential deadlocks so they can be fixed before
they affect production users. Byungchul Park thinks that he has developed
a better tool that can detect more deadlock-prone situations. At the 2025 Open Source Summit Europe, he presented an introduction to his dependency tracker (or “DEPT”) tool and the kinds of problems it can detect.

[$] LWN.net Weekly Edition for September 4, 2025

Post Syndicated from corbet original https://lwn.net/Articles/1035384/

Inside this week’s LWN.net Weekly Edition:

  • Front: Maintaining curl; GNOME governance; Guix in Debian; Tracking untrusted data in the kernel; 32-Bit support; systemd v258.
  • Briefs: bcachefs maintenance; Linux from Scratch 12.4; Elf spec; Niri 25.08; Python documentary; GNOME executive director; Quotes; …
  • Announcements: Newsletters, conferences, security updates, patches, and more.

The hidden vulnerabilities of open source (FastCode)

Post Syndicated from corbet original https://lwn.net/Articles/1036373/

The FastCode site has a lengthy article on how large language models make open-source projects far more vulnerable to XZ-style attacks.

Open source maintainers, already overwhelmed by legitimate
contributions, have no realistic way to counter this threat. How do
you verify that a helpful contributor with months of solid commits
isn’t an LLM generated persona? How do you distinguish between
genuine community feedback and AI created pressure campaigns? The
same tools that make these attacks possible are largely
inaccessible to volunteer maintainers. They lack the resources,
skills, or time to deploy defensive processes and systems.

The detection problem becomes exponentially harder when LLMs can
generate code that passes all existing security reviews,
contribution histories that look perfectly normal, and social
interactions that feel authentically human. Traditional code
analysis tools will struggle against LLM generated backdoors
designed specifically to evade detection. Meanwhile, the human
intuition that spots social engineering attacks becomes useless when
the “humans” are actually sophisticated language models.

Security updates for Tuesday

Post Syndicated from corbet original https://lwn.net/Articles/1036369/

Security updates have been issued by AlmaLinux (kernel, mod_http2, postgresql, postgresql:15, and python39:3.9), Debian (libsndfile), Mageia (ceph, glibc, and golang), Oracle (postgresql and python39:3.9), Red Hat (aide, postgresql:12, postgresql:13, postgresql:15, and postgresql:16), SUSE (git, govulncheck-vulndb, jetty-minimal, nginx, python-future, and ruby2.5), and Ubuntu (imagemagick).