|
Mon, 06 Apr 2026 01:01:46 +0000 |
|
Linus has released 7.0-rc7 for testing.
"Things look set for a final release next weekend, but please keep
testing. The Easter bunny is watching".
|
|
Sun, 05 Apr 2026 13:55:57 +0000 |
|
LWN recently reported on the Trivy
compromise that led, in turn, to the compromise of the LiteLLM system; that
article made the point that the extent of the problem was likely rather
larger than was known. The Next Web now reports
that the Trivy attack was used to compromise a wide range of European
Commission systems.
"The European Union's computer emergency response team said on
Thursday that a supply chain attack on an open-source security
scanner gave hackers the keys to the European Commission's cloud
infrastructure, resulting in the theft and public leak of
approximately 92 gigabytes of compressed data including the
personal information and email contents of staff across dozens of
EU institutions."
|
|
Fri, 03 Apr 2026 15:12:34 +0000 |
|
GNU GRUB 2, mostly just
referred to as GRUB these days, is the most widely used boot loader
for x86_64 Linux systems. It supports reading
from a vast selection of filesystems, handles booting modern systems
with UEFI or legacy systems with a BIOS, and even allows users to customize the
"splash" image displayed when a system boots. Alas, all of those features come with
a price; GRUB has had a parade
of security vulnerabilities over the years. To mitigate some of those
problems, Ubuntu
core developer and Canonical employee Julian Andres Klode has proposed removing
a number of features from GRUB in Ubuntu 26.10 to improve GRUB's
security profile. His proposal has not been met with universal acclaim; many of the
features Klode would like to remove have vocal proponents.
|
|
Fri, 03 Apr 2026 14:12:56 +0000 |
|
On April 1, the Gentoo Linux project published a blog post
announcing that it was switching to GNU Hurd as its primary
kernel as an April Fool's joke. While that is not true, the project
has followed up with an announcement
of a new Gentoo port to the Hurd:
"Our crack team has been working hard to port Gentoo to the Hurd and
can now share that they've succeeded, though it remains still in a
heavily experimental stage. You can try Gentoo GNU/Hurd using a
pre-prepared disk image. The easiest way to do this is with QEMU
[...]
We have developed scripts to build this image locally and
conveniently work on further development of the Hurd port. Release
media like stages and automated image builds are future goals, as is
feature parity on x86-64. Further contributions are welcome,
encouraged, and needed. Be patient, expect to get your hands dirty,
anticipate breakage, and have fun!
Oh, and Gentoo GNU/Hurd also works on real hardware!"
Text for the April Fool's post is available at the bottom of the
real announcement.
|
|
Fri, 03 Apr 2026 13:24:27 +0000 |
|
Security updates have been issued by AlmaLinux (freerdp, grafana, kernel, rsync, and thunderbird), Debian (chromium, inetutils, and libpng1.6), Fedora (bind9-next, nginx-mod-modsecurity, and openbao), Mageia (firefox, nss and thunderbird), Red Hat (container-tools:rhel8), SUSE (conftest, dnsdist, ignition, libsoup, libsoup2, LibVNCServer, libXvnc-devel, opensc, ovmf-202602, perl-Crypt-URandom, python-tornado, python311-ecdsa, python311-Pygments, python315, tar, and wireshark), and Ubuntu (cairo, jpeg-xl, linux, linux-aws, linux-aws-6.17, linux-gcp, linux-gcp-6.17,
linux-hwe-6.17, linux-realtime, linux, linux-aws, linux-aws-hwe, linux-kvm, linux-oracle, linux, linux-aws, linux-gcp, linux-gke, linux-gkeop, linux-ibm,
linux-lowlatency, linux-nvidia, linux-raspi, linux-fips, linux-fips, linux-aws-fips, linux-fips, linux-aws-fips, linux-gcp-fips, and linux-realtime, linux-realtime-6.8, linux-raspi-realtime).
|
|
Thu, 02 Apr 2026 20:21:14 +0000 |
|
Denver Gingerich of the Software Freedom Conservancy (SFC) has published
an article
on the impact of the ban on
the sale of all new home routers not made in the United States
issued by the Federal Communications Commission (FCC). The SFC, of
course, is the organization
behind the OpenWrt One router.
"Since software updates to already-FCC-approved devices do not
require a new FCC approval, it appears the FCC is trying to move
beyond its usual authorization procedures to restrict what
manufacturers are allowed to push to existing routers. However, the
FCC notably does not restrict software changes made by owners of
routers in the U.S. In particular, there is no indication that updates
people make to their own routers, using software they have sourced
themselves, would run afoul of any past or present FCC rule.
As a result, we do not believe that this new FCC decision affects
whether and how people can run OpenWrt or other user-selected firmware
updates on routers they have already purchased. Not only is this an
important right in relation to our ownership and control of our own
devices, it also ensures that people can keep their routers secure for
far longer than the manufacturer may choose to provide security
updates, by allowing them to install up-to-date community software
that supports routers for 10, 15, or even more years after their
initial release date, as OpenWrt does for many devices."
He also notes that, as the OpenWrt One is already FCC-approved,
there should be no impact on its availability in the US. The SFC has
asked the FCC for clarification and plans to provide updates when they
receive a reply.
|
|
Thu, 02 Apr 2026 15:07:35 +0000 |
|
The kernel provides a number of ways for processes to communicate with each
other, but they never quite seem to fit the bill for many users. There are
currently a few proposals for interprocess communication (IPC) enhancements
circulating on the mailing lists. The most straightforward one adds a new
system call for POSIX message queues that enables the addition of new
features. For those wanting an entirely new way to do interprocess
communication, there is a proposal to add a new subsystem for that purpose
to io_uring. Finally, the bus1 proposal has made a return after ten years.
|
|
Thu, 02 Apr 2026 13:27:33 +0000 |
|
Brian "bex" Exelbierd has published
a blog
post exploring follow-up questions raised by
the recent debate about the use of the LLM-based review
tool Sashiko
in the memory-management subsystem. His main finding is that Sashiko reviews are
bimodal with regard to whether they contain reports about code not directly
changed by the patch set — most do not, but the ones that do often have several
such comments.
"Hypothesis 1: Reviewers are getting told about bugs they didn't create.
Sashiko's review protocol explicitly instructs the LLM to read surrounding code,
not just the diff. That's good review practice — but it means the tool might
flag pre-existing bugs in code the patch author merely touched, putting those
problems in their inbox.
Hypothesis 2: The same pre-existing bugs surface repeatedly. If a known
issue in a subsystem doesn't get fixed between review runs, every patch touching
nearby code could trigger the same finding. That would create a steady drip of
duplicate noise across the mailing list.
I pulled data from Sashiko's public API and tested both."
|
|
Thu, 02 Apr 2026 13:18:23 +0000 |
|
OpenSSH 10.3
has been released. Among the many changes in this release are a
security fix to address late validation of metacharacters in user
names, removal of bug compatibility for SSH implementations that do
not support rekeying,
and a fix to ensure that scp clears setuid/setgid bits from downloaded
files when operating as root in legacy (-O) mode. See the
release announcement for a full list of new features, bug fixes, and
potentially incompatible changes.
|
|
Thu, 02 Apr 2026 13:17:07 +0000 |
|
Security updates have been issued by AlmaLinux (python3.11, python3.12, squid, and thunderbird), Debian (gst-plugins-bad1.0 and gst-plugins-ugly1.0), Fedora (bpfman, crun, gnome-remote-desktop, polkit, python3.14, rust-rustls-webpki, rust-sccache, rust-scx_layered, rust-scx_rustland, rust-scx_rusty, and scap-security-guide), Oracle (freerdp, gstreamer1-plugins-bad-free, gstreamer1-plugins-base, gstreamer1-plugins-good, and gstreamer1-plugins-ugly-free, kernel, libxslt, python3.11, python3.12, squid, and thunderbird), SUSE (389-ds, busybox, chromium, cosign, curl, docker-compose, exiv2, expat, firefox, freerdp, freerdp2, gstreamer-plugins-ugly, harfbuzz, heroic-games-launcher, ImageMagick, kea, keylime, libjxl, librsvg, libsodium, libsoup, net-snmp, net-tools, netty, nghttp2, poppler, postgresql13, postgresql16, postgresql17, postgresql18, protobuf, python-black, python-orjson, python-pyasn1, python-pyOpenSSL, python-tornado, python-tornado6, python311-nltk, thunderbird, tomcat10, tomcat11, vim, and xen), and Ubuntu (kernel, linux, linux-aws, linux-kvm, linux-lts-xenial, linux-raspi, linux-raspi, linux-raspi-realtime, rust-cargo-c, rust-tar, and undertow).
|
|
Thu, 02 Apr 2026 12:55:57 +0000 |
|
Greg Kroah-Hartman has released the 6.19.11, 6.18.21,
6.12.80, and 6.6.131 stable kernels, followed by a quick
release of 6.6.132 with two patches reverted to
address a problem building the Rust core in 6.6.131. Each kernel contains
important fixes; users are advised to upgrade.
|
|
Thu, 02 Apr 2026 00:39:21 +0000 |
|
Inside this week's LWN.net Weekly Edition:
- Front: LiteLLM compromise; systemd controversy; LLM kernel review; OpenBSD and vibe-coding; Rust trait-solver; Pandoc.
- Briefs: Rspamd 4.0.0; telnyx vulnerability; Fedora forge; SystemRescue 13.00; Servo 0.0.6; Quotes; ...
- Announcements: Newsletters, conferences, security updates, patches, and more.
|
|
Wed, 01 Apr 2026 19:46:40 +0000 |
|
Michael Meeks has posted an
angry missive about changes at The Document Foundation. What has
really happened is not entirely clear, but it seems to involve, at a
minimum, the forced removal of all Collabora staff from the foundation.
There has been a set of "thank you" notes to the people involved posted in the
foundation's forums. The Document Foundation's decision to restart LibreOffice Online almost
certainly plays into this as well.
Details are fuzzy at best; we will be working at providing a clearer
picture, but that will take some time.
|
|
Wed, 01 Apr 2026 14:41:07 +0000 |
|
Pandoc is a document-conversion program
that can translate among a myriad of formats, including LaTeX, HTML, Office Open XML
(docx), plain text, and Markdown. It is also
extensible by writing Lua
filters that can manipulate the document structure and perform arbitrary
computations.
Pandoc has appeared in various LWN articles over the years, such as my look at Typst and at the importance of free software to science in
2025, but we have missed providing an overview of the tool. The February release of Pandoc
3.9, which comes with the ability to compile the program to WebAssembly (Wasm), allowing Pandoc
to run in web browsers, will likely also be of interest.
|
|
Wed, 01 Apr 2026 14:25:27 +0000 |
|
|