LWN.net

The Alpine Linux account on fosstodon.org reports that all systems hosted at Linode, including its GitLab instance, "are suspended at the moment due to some billing issue". They are working to get it resolved, but in the meantime all of their services appear to be down.

Update: Alpine Linux's servers are back online.

For a number of years, users submitting bugs reports against GNOME packages in Fedora have received an auto-reply saying that the reports were not actively monitored; users were encouraged to file bugs with GNOME upstream instead. However, that practice seems to be in conflict with the Fedora Engineering Steering Committee (FESCo) policy that package maintainers "deal with reported bugs in a timely manner". On April 28, FESCo discussed the disconnect between practice and policy; so far, it has only opted to tweak the wording of the automatic response.

Version 5.0.0 of the NetHack dungeon-exploration game, a distant relative of Rogue and Hack, has been released. NetHack's code is now compliant with the C99 standard, and the release includes more than 3,100 bug fixes and changes, detailed in doc/fixes5-0-0.txt (may contain game spoilers). Saved games from previous versions will not work with NetHack 5.0.0.

Security updates have been issued by AlmaLinux (kernel, libcap, libtiff, sudo, and thunderbird), Debian (dovecot, imagemagick, incus, kernel, libexif, linux-6.1, openjdk-25, pyasn1, python-aiohttp, and thunderbird), Fedora (chromium, firefox, GitPython, glibc, insight, krb5, nano, nss, openssh, openvpn, perl-CryptX, python3.14, rust-openssl, rust-openssl-sys, rust-sequoia-git, and xen), Oracle (dtrace, fence-agents, grafana-pcp, libcap, libtiff, sudo, and xorg-x11-server-Xwayland), Red Hat (buildah, fence-agents, firefox, java-11-openjdk with Extended Lifecycle Support, LibRaw, nodejs24, nodejs:24, openssh, python-pyasn1, resource-agents, thunderbird, tigervnc, xorg-x11-server, and xorg-x11-server-Xwayland), Slackware (mozilla), and SUSE (avahi, curl, freeipmi, freerdp, google-guest-agent, google-osconfig-agent, gvim, helm, himmelblau, java-1_8_0-openjdk, kernel, krb5-appl-clients, libsodium, libssh, libtiff-devel-32bit, ntfs-3g_ntfsprogs, openCryptoki, openexr, ovmf, PackageKit, python-jwcrypto, python-Mako, python-PyNaCl, python311, python311-pypdf, sed, trivy, and vim).

The second 7.1 kernel prepatch is out for testing. "It's not small, and while it's a bit early to say for sure, I do suspect we're seeing the same continued pattern of more patches than usual - probably due to AI tooling - that we saw in 7.0."

Terence Eden reports that the UK's National Health Service (NHS) is preparing to close almost all of its open-source repositories as a response to LLM tools, such as Anthropic's Mythos, becoming more sophisticated at finding security vulnerabilities. He does not, to put it mildly, agree with the decision:

The majority of code repos published by the NHS are not meaningfully affected by any advance in security scanning. They're mostly data sets, internal tools, guidance, research tools, front-end design and the like. There is nothing in them which could realistically lead to a security incident.

When I was working at NHSX during the pandemic, we were so confident of the safety and necessity of open source, we made sure the Covid Contact Tracing app was open sourced the minute it was available to the public. That was a nationally mandated app, installed on millions of phones, subject to intense scrutiny from hostile powers - and yet, despite publishing the code, architecture and documentation, the open source code caused zero security incidents.

Furthermore, this new guidance is in direct contradiction to the UK's Tech Code of Practice point 3 "Be open and use open source" which insists on code being open.

Modern database and filesystems make pervasive use of B-trees, which are tree structures optimized for storing sorted lists of keys and values on block devices. Dolt is an Apache 2.0-licensed project that makes clever use of a variant of a B-tree to support efficient version control for an entire database. The data structure it uses could well be of interest to other projects.

Security updates have been issued by AlmaLinux (fence-agents), Debian (chromium, dovecot, and kernel), Fedora (chromium, dotnet10.0, dotnet8.0, dotnet9.0, emacs, glow, jfrog-cli, openbao, pyp2spec, python3.6, rust-rustls-webpki, vhs, and xen), Oracle (grafana, grafana-pcp, PackageKit, sudo, vim, and xorg-x11-server), Red Hat (rhc), SUSE (avahi, bouncycastle, chromium, container-suseconnect, firewalld, gdk-pixbuf, grafana, java-25-openjdk, kernel, libixml11, libmozjs-140-0, libpng12-0, libsodium, libssh, mariadb, Mesa, ntfs-3g_ntfsprogs, openCryptoki, openexr, packagekit, prometheus-postgres_exporter, python-jwcrypto, python-mako, python-Pygments, python-pynacl, python311, python311-pyOpenSSL, python315, radare2, sed, and vim), and Ubuntu (kmod and zulucrypt).

Hyrum's Law states that any observable behavior of a system will eventually be depended upon by somebody. The kernel community is currently contending with a clear demonstration of that principle. The recent work to address some restartable-sequences performance problems in the 6.19 release maintained the documented API in all respects, but that was not enough; Google's TCMalloc library, as it turns out, violates the documented API, prevents other code from using restartable features, and breaks with 6.19. But the kernel's no-regressions rule is forcing developers to find a way to accommodate TCMalloc's behavior.

Version 16.1 of the GNU Compiler Collection (GCC) has been released.

The C++ frontend now defaults to the GNU C++20 dialect and the corresponding parts of the standard library are no longer experimental. Several C++26 features receive experimental support, including Reflection (-freflection), Contracts, expansion statements and std::simd.

Other changes include the introduction of an experimental compiler frontend for the Algol68 language, ability to output GCC diagnostics in HTML form, and more.

Greg Kroah-Hartman has released the 7.0.3, 6.18.26, 6.12.85, 6.6.137, 6.1.170, 5.15.204, and 5.10.254 stable kernels. The 7.0.3 and 6.18.26 kernels only contain fixes needed for Xen users; the others, though, have backported fixes for the recently disclosed AEAD socket vulnerability. Kroah-Hartman advises that all users of the other kernel series must upgrade.

Security updates have been issued by AlmaLinux (buildah, firefox, gdk-pixbuf2, giflib, grafana, java-1.8.0-openjdk, java-21-openjdk, LibRaw, OpenEXR, PackageKit, pcs, python3.11, python3.12, python3.9, sudo, tigervnc, vim, xorg-x11-server, xorg-x11-server-Xwayland, yggdrasil, and yggdrasil-worker-package-manager), Debian (calibre, firefox-esr, and openjdk-17), Fedora (asterisk, binaryen, buildah, dokuwiki, lemonldap-ng, libexif, libgcrypt, miniupnpd, openvpn, podman, python3.9, rust-rpm-sequoia, skopeo, and xdg-dbus-proxy), Red Hat (buildah, gdk-pixbuf2, and nodejs:20), SUSE (dnsdist, libheif, openCryptoki, polkit, sed, and xen), and Ubuntu (linux-bluefield, python-marshmallow, and roundcube).

Inside this week's LWN.net Weekly Edition:

• Front: Famfs; Python packaging council; Zig concurrency; pages and folios; Strawberry music manager; 7.1 merge window.
• Briefs: GnuPG 2.5.19; Copy Fail; Plasma security; Fedora 44; Ubuntu 26.04; Niri 26.04; pip 26.1; RIP Seth Nickell; RIP Tomáš Kalibera; Quotes; ...
• Announcements: Newsletters, conferences, security updates, patches, and more.

Security analysis firm Xint has disclosed a security bug in the Linux kernel that allows for arbitrary 4-byte writes to the page cache, and which has been present since 2017. The vulnerability has been fixed in mainline kernels. A proof-of-concept script demonstrates how to use the flaw to corrupt a setuid binary, which works on multiple distributions, by requesting an AEAD-encrypted socket from user space and splicing a particular payload into it. A supplemental blog post gives more details about the discovery and remediation.

A core primitive underlying this bug is splice(): it transfers data between file descriptors and pipes without copying, passing page cache pages by reference. When a user splices a file into a pipe and then into an AF_ALG socket, the socket's input scatterlist holds direct references to the kernel's cached pages of that file. The pages are not duplicated; the scatterlist entries point at the same physical pages that back every read(), mmap(), and execve() of that file.

The Python packaging world now has a formal governance council, of the form described in PEP 772 ("Packaging Council governance process"), which was approved by the steering council on April 16. It has been over a year since the PEP was first proposed in February 2025 and it has undergone lengthy discussions in multiple postings to the Python discussion forum. The packaging council will have "broad authority over packaging standards, tools, and implementations"; it will consist of five members who will be elected in a vote that is likely to come in June—after PyCon US 2026 is held mid-May.