All posts by jzb

Security updates for Tuesday

Post Syndicated from jzb original https://lwn.net/Articles/1049769/

Security updates have been issued by AlmaLinux (kernel, kernel-rt, and webkit2gtk3), Fedora (abrt and mingw-libpng), Mageia (apache and libpng), Oracle (abrt, go-toolset:rhel8, kernel, sssd, and webkit2gtk3), Red Hat (kernel and kernel-rt), SUSE (gimp, gnutls, kubevirt, virt-api-container, virt-controller-container, virt-exportproxy-container, virt-exportserver-container, virt-handler-container, virt-launcher-container, virt-libguestfs-t, and postgresql13), and Ubuntu (gnupg2, python-apt, radare2, and webkit2gtk).

Addressing Linux’s missing PKI infrastructure

Post Syndicated from jzb original https://lwn.net/Articles/1049663/

Jon Seager, VP of engineering for Canonical, has announced a plan to
develop a universal Public Key Infrastructure tool called upki:

Earlier this year, LWN featured an excellent article titled “Linux’s
missing CRL infrastructure”. The article highlighted a number of key
issues surrounding traditional Public Key Infrastructure (PKI), but
critically noted how even the available measures are effectively
ignored by the majority of system-level software on Linux.

One of the motivators for the discussion is that the Online
Certificate Status Protocol (OCSP) will cease to be supported by Let’s
Encrypt. The remaining alternative is to use Certificate Revocation
Lists (CRLs), yet there is little or no support for managing (or even
querying) these lists in most Linux system utilities.

To solve this, I’m happy to share that in partnership with rustls
maintainers Dirkjan Ochtman
and Joe Birr-Pixton, we’re starting the
development of upki: a universal PKI tool. This project initially aims
to close the revocation gap through the combination of a new system
utility and eventual library support for common TLS/SSL libraries such
as OpenSSL, GnuTLS and rustls.

No code is available as of yet, but the announcement indicates that
upki will be available as an opt-in preview for Ubuntu 26.04 LTS.
Thanks to Dirkjan Ochtman for the tip.

Security updates for Monday

Post Syndicated from jzb original https://lwn.net/Articles/1049657/

Security updates have been issued by Debian (ffmpeg, krita, lasso, and libpng1.6), Fedora (abrt, cef, chromium, tinygltf, webkitgtk, and xkbcomp), Oracle (buildah, delve and golang, expat, python-kdcproxy, qt6-qtquick3d, qt6-qtsvg, sssd, thunderbird, and valkey), Red Hat (webkit2gtk3), and SUSE (git-bug, go1, and libpng12-0).

Security updates for Friday

Post Syndicated from jzb original https://lwn.net/Articles/1049417/

Security updates have been issued by AlmaLinux (buildah, firefox, gimp:2.8, go-toolset:rhel8, ipa, kea, kernel, kernel-rt, pcs, qt6-qtquick3d, qt6-qtsvg, systemd, and valkey), Debian (chromium and unbound), Fedora (alexvsbus, CuraEngine, fcgi, libcoap, python-kdcproxy, texlive-base, timg, and xpdf), Mageia (digikam, darktable, libraw, gnutls, python-django, unbound, webkit2, and xkbcomp), Oracle (bind, firefox, gimp:2.8, haproxy, ipa, java-25-openjdk, kea, kernel, libsoup3, libssh, libtiff, openssl, podman, qt6-qtsvg, squid, systemd, vim, and xorg-x11-server-Xwayland), Slackware (httpd and libpng), SUSE (chromedriver, kernel, and python-mistralclient), and Ubuntu (cups, linux-azure, linux-gcp, linux-gcp, linux-gke, linux-gkeop, linux-ibm-6.8, linux-iot, and mame).

Alpine Linux 3.23.0 released

Post Syndicated from jzb original https://lwn.net/Articles/1049299/

Version 3.23.0 of Alpine Linux has been released. Notable changes in
this release include an upgrade to version 3.0 of the Alpine Package
Keeper (apk), and replacing the linux-edge package with linux-stable:

For years, linux-lts and linux-edge grew apart and developed their
own kernel configs, different architectures, etc.

Now linux-edge gets replaced with linux-stable which has the
identical configuration as linux-lts, but follows the stable releases
instead of the long-term releases (see https://kernel.org/).

The /usr merge planned for this release has been postponed; a new
timeline for the change will be published later. See the release notes
for more information on this release.

cmocka 2.0 released

Post Syndicated from jzb original https://lwn.net/Articles/1049199/

Andreas Schneider has announced version 2.0 of the cmocka unit-testing
framework for C:

This release represents a major modernization effort, bringing
cmocka firmly into the “modern” C99 era while maintaining the
simplicity and ease of use that users have come to expect.

One of the most significant changes in cmocka 2.0 is the migration
to C99 standard integer types. The LargestIntegralType typedef has
been replaced with intmax_t and uintmax_t from
stdint.h, providing better type safety and portability across
different platforms. Additionally, we’ve adopted the bool type where
appropriate, making the code more expressive and self-documenting.

Using intmax_t and uintmax_t also allows us to print better error
messages. So you can now find e.g. assert_int_equal and
assert_uint_equal.

cmocka 2.0 introduces a comprehensive set of type-specific
assertion macros, including `assert_uint_equal()`,
`assert_float_equal()`, and enhanced pointer assertions. The mocking
system has also been significantly improved with type-specific macros
like `will_return_int()` and `will_return_float()`. The same for
parameter checking etc.

LWN covered the
project early in its development in 2013. See the full list of new
features, enhancements, and bug fixes in cmocka 2.0 in the changelog.

Security updates for Thursday

Post Syndicated from jzb original https://lwn.net/Articles/1049251/

Security updates have been issued by AlmaLinux (expat and libxml2), Debian (openvpn and webkit2gtk), Fedora (gi-loadouts, kf6-kcoreaddons, kf6-kguiaddons, kf6-kjobwidgets, kf6-knotifications, kf6-kstatusnotifieritem, kf6-kunitconversion, kf6-kwidgetsaddons, kf6-kxmlgui, nanovna-saver, persepolis, python-ezdxf, python-pyside6, sigil, stb, syncplay, tinyproxy, torbrowser-launcher, ubertooth, and usd), Mageia (cups), SUSE (cups, gegl, icinga2, mozjs128, and Security), and Ubuntu (ghostscript, kernel, linux, linux-aws, linux-aws-5.15, linux-gcp-5.15, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-intel-iotg, linux-intel-iotg-5.15, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-nvidia-tegra, linux-nvidia-tegra-5.15, linux-nvidia-tegra-igx, linux-oracle, linux-oracle-5.15, linux-xilinx-zynqmp, linux, linux-aws, linux-aws-hwe, linux-kvm, linux-oracle, linux-aws-fips, linux-fips, linux-aws-fips, linux-fips, linux-gcp-fips, linux-azure-fips, linux-gcp, linux-gcp-4.15, linux-hwe, linux-gcp, linux-gcp-6.8, linux-gke, linux-gkeop, linux-gcp-6.14, linux-raspi, linux-gcp-fips, linux-intel-iot-realtime, linux-realtime, linux-raspi, linux-raspi-realtime, linux-xilinx, and postgresql-14, postgresql-16, postgresql-17).

[$] LWN.net Weekly Edition for December 4, 2025

Post Syndicated from jzb original https://lwn.net/Articles/1047221/

Inside this week’s LWN.net Weekly Edition:

  • Front: Rust in Debian; Python comprehensions; asynchronous Zig; BPF and io_uring; C safety; 6.18 statistics; just.
  • Briefs: Landlock; Let’s Encrypt lifetimes; Last 5.4 kernel; TAB election; AlmaLinux 10.1; FreeBSD 15.0; NixOS 25.11; Django 6.0; Home Assistant 2025.12; PHP 8.5.0; Racket 9.0; Quotes; …
  • Announcements: Newsletters, conferences, security updates, patches, and more.

[$] Just: a command runner

Post Syndicated from jzb original https://lwn.net/Articles/1047715/

Over time, many Linux users wind up with a collection of aliases,
shell scripts, and makefiles to run simple commands (or a series of
commands) that are often used, but challenging to remember and
annoying to type out at length. The just command runner is a
Rust-based utility that just does one thing and does it well: it reads
recipes from a text file (aptly called a “justfile”), and runs the
commands from an invoked recipe. Rather than accumulating a library
of one-off shell scripts over time, just provides a cross-platform tool
with a framework and well-documented syntax for collecting and
documenting tasks that makes it useful for solo users and
collaborative projects.

Security updates for Wednesday

Post Syndicated from jzb original https://lwn.net/Articles/1049103/

Security updates have been issued by Debian (containerd, mako, and xen), Fedora (forgejo, nextcloud, openbao, rclone, restic, and tigervnc), Oracle (firefox, kernel, libtiff, libxml2, and postgresql), SUSE (libecpg6, lightdm-kde-greeter, python-cbor2, python-mistralclient-doc, python315, and python39), and Ubuntu (kdeconnect, linux, linux-aws, linux-realtime, python-django, and unbound).

A final stable kernel update for 5.4

Post Syndicated from jzb original https://lwn.net/Articles/1049059/

Greg Kroah-Hartman has announced the release of the 5.4.302 stable kernel:

This is the LAST 5.4.y release. It is now end-of-life and should not
be used by anyone, anymore. As of this point in time, there are 1539
documented unfixed CVEs for this kernel branch, and that number will
only increase over time as more CVEs get assigned for kernel bugs.

For the curious, Kroah-Hartman has also provided
a list of the unfixed CVEs for 5.4.302.

Let’s Encrypt to reduce certificate lifetimes

Post Syndicated from jzb original https://lwn.net/Articles/1048976/

Let’s Encrypt has announced
that it will be reducing the validity period of its certificates from
90 days to 45 days by 2028:

Most users of Let’s Encrypt who automatically issue certificates
will not have to make any changes. However, you should verify that
your automation is compatible with certificates that have shorter
validity periods.

To ensure your ACME client renews on time, we recommend using ACME
Renewal Information (ARI). ARI is a feature we’ve introduced to help
clients know when they need to renew their certificates. Consult your
ACME client’s documentation on how to enable ARI, as it differs from
client to client. If you are a client developer, check out this
integration guide.

If your client doesn’t support ARI yet, ensure it runs on a
schedule that is compatible with 45-day certificates. For example,
renewing at a hardcoded interval of 60 days will no longer be
sufficient. Acceptable behavior includes renewing certificates at
approximately two thirds of the way through the current certificate’s
lifetime.

Manually renewing certificates is not recommended, as it will need
to be done more frequently with shorter certificate lifetimes.
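The renewal rule quoted above (renew about two thirds of the way through the validity window, and never rely on a fixed interval longer than the certificate lifetime) can be checked with a few lines of Python. The following is an added example written for this page; it is not Let’s Encrypt’s code or any ACME client’s, and the function names, the ISO 8601 timestamps and the day-by-day simulation are this example’s own assumptions. It goes slightly beyond the announcement by simulating a fixed-interval client against both 90-day and 45-day certificates so the outage window becomes visible.

```python
"""Renewal scheduling for short-lived certificates (added example)."""
from datetime import datetime


def renew_after(not_before: datetime, not_after: datetime,
                numerator: int = 2, denominator: int = 3) -> datetime:
    """Instant at which a client should renew: numerator/denominator of the
    way through the validity window (2/3 per the announcement). Integer
    arithmetic on the timedelta keeps the result exact."""
    lifetime = not_after - not_before
    return not_before + lifetime * numerator / denominator


def renewal_plan(not_before_iso: str, not_after_iso: str) -> dict:
    """Convenience wrapper over ISO 8601 timestamps (assumed input format):
    returns the lifetime in days and the renewal instant as an ISO string."""
    nb = datetime.fromisoformat(not_before_iso)
    na = datetime.fromisoformat(not_after_iso)
    return {
        "lifetime_days": (na - nb).days,
        "renew_at": renew_after(nb, na).isoformat(),
    }


def renewal_due(now_iso: str, not_before_iso: str, not_after_iso: str) -> bool:
    """True once `now` has reached the two-thirds point of the window."""
    now = datetime.fromisoformat(now_iso)
    nb = datetime.fromisoformat(not_before_iso)
    na = datetime.fromisoformat(not_after_iso)
    return now >= renew_after(nb, na)


def outage_days(lifetime_days: int, interval_days: int,
                horizon_days: int) -> list:
    """Simulate a client that renews on a hardcoded calendar interval.
    Returns the days (0-based from first issuance) on which no certificate
    was valid. Renewal on a given day happens before that day's check."""
    expires = lifetime_days          # first certificate issued on day 0
    next_renewal = interval_days
    outage = []
    for day in range(horizon_days):
        if day == next_renewal:
            expires = day + lifetime_days
            next_renewal += interval_days
        if day >= expires:
            outage.append(day)
    return outage


if __name__ == "__main__":
    # Constructed sample validity windows (not real certificates).
    print(renewal_plan("2026-01-01T00:00:00+00:00", "2026-02-15T00:00:00+00:00"))
    print("60-day cron vs 90-day certs, outage days:", outage_days(90, 60, 180))
    print("60-day cron vs 45-day certs, outage days:", outage_days(45, 60, 120))
```

With the constructed 45-day window the plan reports a renewal instant 30 days after issuance. The simulation shows the failure mode the announcement warns about: a 60-day cron job never lets a 90-day certificate lapse, but against 45-day certificates it leaves a 15-day hole in every cycle. A client that derives its schedule from the certificate’s own dates (or from ARI) does not have this problem.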

FreeBSD 15.0 released

Post Syndicated from jzb original https://lwn.net/Articles/1048975/

FreeBSD 15.0 has been released. Notable changes in this release include
a new method for installing the base system using the pkg package
manager, an update to OpenZFS 2.4.0-rc4, native support for the
inotify(2) interface, and the addition of Open Container Initiative
(OCI) images to FreeBSD’s release artifacts. See the release notes for
a full list of changes, hardware notes for supported hardware, and
check the errata before installing or upgrading.

Security updates for Tuesday

Post Syndicated from jzb original https://lwn.net/Articles/1048973/

Security updates have been issued by Fedora (gnutls, libpng, mingw-python3, python-spotipy, source-to-image, unbound, and webkitgtk), Mageia (libpng), SUSE (bash-git-prompt, gitea-tea, java-17-openjdk, java-21-openjdk, kernel, openssh, python, and shadowsocks-v2ray-plugin, v2ray-core), and Ubuntu (binutils, openjdk-17-crac, openjdk-21-crac, and openjdk-25-crac).

Security updates for Monday

Post Syndicated from jzb original https://lwn.net/Articles/1048817/

Security updates have been issued by AlmaLinux (bind9.18, cups, gimp, ipa, kernel, libssh, mingw-expat, openssl, pcs, sssd, tigervnc, and valkey), Debian (gnome-shell-extension-gsconnect, mistral-dashboard, pagure, python-mistralclient, pytorch, qtbase-opensource-src, sogo, tryton-server, and unbound), Fedora (cef, drupal7, glib2, linux-firmware, migrate, pack, pgadmin4, rnp, and unbound), Slackware (libxslt), SUSE (cpp-httplib, curl, glib2, grub2, kernel, libcoap-devel, libcryptopp, libwireshark19, postgresql15, and postgresql17), and Ubuntu (edk2).

KDE Plasma 6.8 will be Wayland-only

Post Syndicated from jzb original https://lwn.net/Articles/1048208/

KDE’s Plasma team has announced
that KDE Plasma will drop X11 session support with Plasma 6.8:

The Plasma X11 session will be supported by KDE into early
2027.

We cannot provide a specific date, as we’re exploring the
possibility of shipping some extra bug-fix releases for Plasma
6.7. The exact timing of the last one will only be known when we get
closer to its actual release, which we expect will be sometime in
early 2027.

What if I still really need X11?

This is a perfect use case for long term support (LTS)
distributions shipping older versions of Plasma. For example,
AlmaLinux 9 includes the Plasma X11 session and will be supported
until sometime in 2032.

See the blog post for information on running X11 applications
(still supported), accessibility, gaming, and more.

AlmaLinux 10.1 released

Post Syndicated from jzb original https://lwn.net/Articles/1047763/

AlmaLinux 10.1 has been released. In addition to providing binary
compatibility with Red Hat Enterprise Linux (RHEL) 10.1, the most
notable feature in AlmaLinux 10.1 is the addition of support for Btrfs,
which is not available in RHEL:

Btrfs support encompasses both kernel and userspace enablement, and it
is now possible to install AlmaLinux OS on a Btrfs filesystem from the
very beginning. Initial enablement was scoped to the installer and
storage management stack, and broader support within the AlmaLinux
software collection for Btrfs features is forthcoming.

In addition to Btrfs support, AlmaLinux OS 10.1 includes numerous
other improvements to serve our community. We have continued to extend
hardware support both by adding drivers and by adding a secondary
version of AlmaLinux OS and EPEL to extend support of x86_64_v2
processors.

See the release notes for a full list of changes.

[$] APT Rust requirement raises questions

Post Syndicated from jzb original https://lwn.net/Articles/1046841/

It is rarely newsworthy when a project or package picks up a new
dependency. However, changes in a core tool like Debian’s Advanced
Package Tool (APT) can have far-reaching effects. For example, Julian
Andres Klode’s declaration that APT would require Rust in May 2026
means that a few of Debian’s unofficial ports must either acquire a
working Rust toolchain or depend on an old version of APT. This has
raised several questions within the project, particularly about the
ability of a single maintainer to make changes that have widespread
impact.