LWN.net

The Python bitwise-inversion (or complement) operator, "~", behaves pretty much as expected when it is applied to integers—it toggles every bit, from one to zero and vice versa. It might be expected that applying the operator to a non-integer, a bool for example, would raise a TypeError, but, because the bool type is really an int in disguise, the complement operator is allowed, at least for now. For nearly 15 years (and perhaps longer), there have been discussions about the oddity of that behavior and whether it should be changed. Eventually, that resulted in the "feature" being deprecated, producing a warning, with removal slated for Python 3.16 (due October 2027). That has led to some reconsideration and the deprecation may itself be deprecated.

Greg Kroah-Hartman has announced the 6.19.4 and 6.18.14 stable kernels. Shortly after 6.19.4 was released Kris Karas reported "getting a repeatable Oops right when networking is initialized, likely when nft is loading its ruleset"; the problem did not appear to be present in 6.18.14. Users of nftables may wish to hold off on upgrades to 6.19.4 for now. We will provide updates as they are available.

Update: Kroah-Hartman has released the 6.19.5 and 6.18.15 kernels with a fix for the regression in 6.19.4 and 6.18.14. All users of netfilter are advised to upgrade to those versions.

Security updates have been issued by AlmaLinux (389-ds-base, buildah, firefox, freerdp, golang-github-openprinting-ipp-usb, grafana-pcp, kernel, libpng15, munge, nodejs:20, nodejs:22, podman, protobuf, python-pyasn1, runc, and skopeo), Debian (chromium, nss, and python-django), Fedora (firefox, freerdp, gh, libmaxminddb, nss, python3.15, and udisks2), Oracle (buildah, firefox, freerdp, kernel, libpng, podman, python-pyasn1, skopeo, and valkey), Red Hat (container-tools:rhel8), SUSE (autogen, chromium, cockpit, cockpit-machines-348, cockpit-packages, cockpit-repos, cockpit-subscriptions, crun, docker, docker-compose, docker-stable, erlang, freerdp, frr, glib2, gpg2, kernel, kernel-firmware, libsodium, libsoup, libsoup2, openvswitch, python, python-pyasn1, python-urllib3, python-urllib3_1, python3, qemu, redis7, regclient, and ucode-intel), and Ubuntu (linux-aws, linux-aws-6.8, linux-ibm, linux-ibm-6.8, linux-xilinx, python-authlib, and ruby-rack).

The International Image Interoperability Framework, or IIIF ("triple-eye eff"), is a small set of standards that form a basis for serving, displaying, and reusing image data on the web. It consists of a number of API definitions that compose with each other to achieve a standard for providing, for example, presentations of high-resolution images at multiple zoom levels, as well as bundling multiple images together. Presentations may include metadata about details like authorship, dates, references to other representations of the same work, copyright information, bibliographic identifiers, etc. Presentations can be further grouped into collections, and metadata can be added in the form of transcriptions, annotations, or captions. IIIF is most popular with cultural-heritage organizations, such as libraries, universities, and archives.

Security updates have been issued by AlmaLinux (freerdp), Debian (firefox-esr and libstb), Fedora (389-ds-base, chromium, firefox, munge, opentofu, python3-docs, python3.14, and vim), Oracle (buildah, containernetworking-plugins, gimp, grafana, grafana-pcp, kernel, podman, runc, and skopeo), Red Hat (go-toolset:rhel8, golang, golang-github-openprinting-ipp-usb, grafana, grafana-pcp, mariadb:10.11, podman, and skopeo), SUSE (cacti, docker-stable, expat, firefox-esr, freerdp, freerdp2, libjxl, libsoup-2_4-1, python-tornado, python-urllib3_1, python3, python311-Django4, python312, python313, python39, and redis), and Ubuntu (ceph, mongodb, protobuf, and rlottie).

Inside this week's LWN.net Weekly Edition:

• Front: New flags for clone3(); Discord replacements; virtual swap spaces; BPF memory protection keys; PostgreSQL's lessons in attracting contributors; 7.0 merge window; Network Time Security.
• Briefs: OpenSUSE governance; Firefox 148.0; GNU Awk 5.4.0; GNU Octave 11.1.0; Rust in Ladybird; LibreOffice Online; Weston 15.0; RIP Robert Kaye; Quotes; ...
• Announcements: Newsletters, conferences, security updates, patches, and more.

The stated support periods for the 6.6, 6.12, and 6.18 kernels has been extended. The 6.6 kernel will be supported with stable updates through the end of 2027 (for four years of support total), while 6.12 and 6.18 will get updates through the end of 2028, for four and three years of support.

On February 12, Yeoreum Yun posted a suggestion for an improvement to the security of the kernel's BPF implementation: use memory protection keys to prevent unauthorized access to memory by BPF programs. Yun wanted to put the topic on the list for discussion at the Linux Storage, Filesystem, Memory Management, and BPF Summit in May, but the lack of engagement makes that unlikely. They also have a patch set implementing some of the proposed changes, but has not yet shared that with the mailing list. Yun's proposal does not seem likely to be accepted in its current form, but the kernel has added hardware-based hardening options in the past, sometimes after substantial discussion.

The Network Time Protocol (NTP) debuted in 1985; it is a universally used, open specification that is deeply important for all sorts of activities we take for granted. It also, despite a number of efforts, remains stubbornly unsecured. Ruben Nijveld presented work at FOSDEM 2026 to speed adoption of the thus-far largely ignored standard for securing NTP traffic: IETF's RFC-8915 that specifies Network Time Security (NTS) for NTP.

The MetaBrainz Foundation has announced the unexpected passing of its founder and executive director, Robert Kaye:

Robert's vision and leadership shaped MetaBrainz and left a lasting mark on the music industry and open source movement. His contributions were significant and his loss is deeply felt across our global community.

The Board is actively overseeing a smooth leadership transition and has measures in place to ensure that MetaBrainz continues to operate without interruption. Further updates will be shared in due course.

Security updates have been issued by AlmaLinux (grafana and grafana-pcp), Debian (gnutls28), Fedora (chromium and yt-dlp), Oracle (389-ds-base, kernel, munge, and openssl), Red Hat (buildah, containernetworking-plugins, opentelemetry-collector, podman, runc, and skopeo), Slackware (mozilla), SUSE (chromium, cosign, firefox, freerdp, gimp, heroic-games-launcher, kernel, libopenssl-3-devel, libxml2, libxslt, mosquitto, openqa, os-autoinst, openqa-devel-container, openvswitch, phpunit, postgresql14, postgresql15, postgresql16, protobuf, python310, python311-PyPDF2, python36, snpguest, warewulf4, and weblate), and Ubuntu (curl, kernel, linux, linux-gcp, linux-gke, linux-gkeop, linux-intel-iotg, linux-intel-iotg-5.15, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia-tegra, linux-oracle, linux-xilinx-zynqmp, linux, linux-gkeop, linux-hwe-6.8, linux-lowlatency, linux-lowlatency-hwe-6.8, linux-oracle, linux-raspi, linux-fips, linux-fips, linux-gcp-fips, linux-gcp, linux-gcp-6.8, linux-gke, linux-oracle-6.8, linux-gcp-fips, linux-ibm, linux-ibm-6.8, linux-intel-iot-realtime, linux-realtime, linux-raspi-realtime, linux-realtime, linux-realtime-6.8, and linux-xilinx).

LibreOffice online is a web-based version of the LibreOffice suite that can be hosted on anybody's infrastructure. This project was put into stasis back in 2022, a move marked by some tension with Collabora, a major LibreOffice developer that has its own online offering. Now, the Document Foundation has announced a new effort to breathe life into this project.

We plan to reopen the repository for LibreOffice Online at The Document Foundation for contributions, but provide warnings about the state of the repository until TDF's team agrees that it's safe and usable – while at the same time encourage the community to join in with code, technologies and other contributions that can be used to move forward.

Meanwhile, this post from Michael Meeks suggests that the tension around online versions of LibreOffice has not abated.

Version 5.4.0 of GNU awk (gawk) has been released. This is a major release with a change in gawk's default regular-expression matcher: it now uses MinRX as the default regular-expression engine.

This matcher is fully POSIX compliant, which the current GNU matchers are not. In particular it follows POSIX rules for finding the longest leftmost submatches. It is also more strict as to regular expression syntax, but primarily in a few corner cases that normal, correct, regular expression usage should not encounter.

Because regular expression matching is such a fundamental part of awk/gawk, the original GNU matchers are still included in gawk. In order to use them, give a value to the GAWK_GNU_MATCHERS environment variable before invoking gawk.

[...] The original GNU matchers will eventually be removed from gawk. So, please take the time to notice and report any issues in the MinRX matcher, so that they can be ironed out sooner rather than later.

See the release announcement for additional changes.

Version 148 of Firefox has been released. The most notable change in this release is the addition of a "Block AI enhancements" option that allows turning off "new or current AI enhancements in Firefox, or pop-ups about them" with a single toggle.

With this release, Firefox now supports the Trusted Types API to help prevent cross-site scripting attacks as well as the Sanitizer API that provides new methods for HTML manipulation. See the release notes for developers for changes that may affect web developers or those who create Firefox add-ons.

The facilities provided by the kernel for the management of processes have evolved considerably in the last few years, driven mostly by the advent of the pidfd API. A pidfd is a file descriptor that refers to a process; unlike a process ID, a pidfd is an unambiguous handle for a process; that makes it a safer, more deterministic way of operating on processes. Christian Brauner, who has driven much of the pidfd-related work, is proposing two new flags for the clone3() system call, one of which changes the kernel's security model in a somewhat controversial way.