1 month ago
Inside this week's LWN.net Weekly Edition:
- Front: Glibc security; How we lost the Internet; Encrypted DNS; 6.15 Development statistics; Filesystem stress-testing; BPF verifier; Network access from BPF; OSPM 2025.
- Briefs: AlmaLinux 10.0; FESCo decision overturned; NixOS 25.05; Pocket, Launchpad retired; Quotes; ...
- Announcements: Newsletters, conferences, security updates, patches, and more.
corbet
1 month ago
The GNU C Library
(glibc) is the core C library for most Linux distributions, so it is a
crucial part of the open-source ecosystem—and an attractive
target for any attackers looking to carry out supply-chain
attacks. With that being the case, securing the project's
infrastructure using industry best practices and improving the
security of its development practices are a frequent topic among glibc
developers. A recent discussion suggests that improvements are not
happening as quickly as some would like.
jzb
1 month ago
Mahé Tardy led two sessions about some of the challenges that he, Kornilios Kourtis,
and John Fastabend have run into in their work on
Tetragon (Apache-licensed BPF-based security monitoring software)
at the Linux Storage, Filesystem, Memory Management, and BPF Summit. The sessions
prompted discussion about the feasibility of letting BPF programs
send data over the network, as well as potential new kfuncs to let BPF firewalls
send TCP reset packets. Tardy presented several possible ways that these could
be accomplished.
daroc
1 month ago
jzb
1 month ago
The increasing sophistication of attackers has organizations
realizing that perimeter-based security models are inadequate. Many
are planning to transition their internal networks to a zero-trust
architecture. This requires every communication on the network to
be encrypted, authenticated, and authorized. This can be achieved in
applications and services by using modern communication
protocols. However, the world still depends on Domain Name System
(DNS) services where encryption, while possible, is far from being the
industry standard. To address this we, as part of a working group at
Red Hat, worked on fully integrating encrypted DNS for Linux
systems—not only while the system is running but also during the
installation and boot process, including support for a custom
certificate chain in the initial ramdisk. This integration is now
available in CentOS Stream 9, 10, and the upcoming
Fedora 43 release.
jzb
1 month ago
Security updates have been issued by AlmaLinux (gstreamer1-plugins-bad-free and kernel), Arch Linux (bind and varnish), Debian (glibc and syslog-ng), Fedora (microcode_ctl, mozilla-ublock-origin, nodejs20, and nodejs22), Mageia (firefox, nss, rootcerts, open-vm-tools, sqlite3, and thunderbird), Oracle (gstreamer1-plugins-bad-free, kernel, libsoup, nodejs:22, php, php:8.2, php:8.3, python-tornado, redis, and redis:7), Red Hat (libsoup, pcs, and python-tornado), Slackware (mozilla), SUSE (bind, dnsdist, elemental-operator, govulncheck-vulndb, gstreamer-plugins-bad, jetty-annotations, jq, libnss_slurm2, libyelp0, mariadb, nvidia-open-driver-G06-signed, prometheus-blackbox_exporter, python-h11, python-httpcore, python-setuptools, python312, python39-setuptools, screen, sqlite3, umoci, and webkit2gtk3), and Ubuntu (cifs-utils, glibc, linux-aws, linux-intel-iotg-5.15, linux-nvidia-tegra-igx, linux-raspi, linux-aws-fips, linux-hwe-6.8, linux-lowlatency, linux-lowlatency-hwe-6.11, linux-oracle, linux-raspi, linux-raspi-5.4, and net-tools).
jzb
1 month ago
Version
10 of the AlmaLinux OS distribution has been released.
The goal of AlmaLinux OS is to support our community, and AlmaLinux
OS 10 is the best example of that yet. With an unwavering eye on
maintaining compatibility with Red Hat Enterprise Linux (RHEL), we
have made small improvements to AlmaLinux OS 10 that target
specific sections of our userbase.
See the
release notes for details.
corbet
1 month ago
Srinivas Narayana led a remote session about extending
Agni to prove the correctness of
the BPF verifier's handling of different execution paths as part of the Linux Storage,
Filesystem, Memory Management, and BPF Summit. The problem of ensuring the
correctness of path exploration
is much more difficult than the problem of
ensuring the correctness of arithmetic operations
(which was
the subject of the previous session), however. Narayana's plan to
tackle the problem makes use of a mixture of specialized techniques — and may
need some assistance from the BPF developers to make it feasible at all.
daroc
1 month ago
Cory Doctorow
wears many hats:
digital activist, science-fiction author, journalist, and more. He has
also written many books, both fiction and non-fiction, runs the
Pluralistic blog, is a visiting
professor, and is an advisor to the
Electronic
Frontier Foundation (EFF); his
Chokepoint Capitalism
co-author, Rebecca Giblin, gave a
2023 keynote
in Australia that we covered. Doctorow gave a rousing keynote on
the state of the "enshitternet"—today's internet—to kick
off the recently held
PyCon US
2025 in Pittsburgh, Pennsylvania.
jake
1 month ago
Version
25.05 of the NixOS distribution has been released. Changes include
support for the COSMIC desktop environment (
reviewed here in August), GNOME 48, a
6.12 kernel, and many new modules; see
the
release notes for details. (Thanks to Pavel Roskin).
corbet
1 month ago
Security updates have been issued by AlmaLinux (gstreamer1-plugins-bad-free, libsoup, and python-tornado), Debian (libavif and pgbouncer), Red Hat (gstreamer1-plugins-bad-free, mingw-freetype and spice-client-win, and webkit2gtk3), SUSE (firefox, govulncheck-vulndb, and python310-setuptools), and Ubuntu (flask, intel-microcode, openjdk-17-crac, tika, and Tomcat).
corbet
1 month ago
The 6.14 kernel development cycle only brought in 11,003 non-merge
changesets, making it the slowest cycle since 4.0, which was released in
2015. The 6.15 kernel, instead, brought in 14,612 changesets, making it
the busiest release since 6.7, released at the beginning of 2024. The
kernel development process, in other words, is back up to full speed. The
6.15
release happened on May 25, so the time has come for the
obligatory look at where the changes in this release came from.
corbet
1 month ago
Security updates have been issued by AlmaLinux (389-ds-base, ghostscript, grafana, kernel, and osbuild-composer), Debian (intel-microcode, kernel, libphp-adodb, and openssl), Fedora (dotnet8.0, ghostscript, iputils, nbdkit, open-vm-tools, thunderbird, and vyper), Mageia (chromium-browser-stable, glibc, iputils, microcode, nodejs, and zsync), Oracle (.NET 8.0, .NET 9.0, 389-ds-base, avahi, buildah, compat-openssl11, expat, firefox, ghostscript, gimp, git, grafana, gvisor-tap-vsock, libsoup, libxslt, mod_auth_openidc, nginx, nodejs:20, osbuild-composer, podman, skopeo, thunderbird, vim, webkit2gtk3, xdg-utils, xterm, and yelp), Red Hat (kernel, kernel-rt, libsoup, libsoup3, python-tornado, and ruby), Slackware (ffmpeg), SUSE (audiofile, firefox, glibc, govulncheck-vulndb, grafana, kernel, kind, kubo, libecpg6, postgresql13, postgresql14, python-Django, python-setuptools, python-tornado6, python311-Flask, python311-tornado6, python313, python36-setuptools, thunderbird, transfig, and xen), and Ubuntu (glib2.0, linux-bluefield, linux-ibm, linux-raspi, and openjdk-21-crac).
jake
1 month ago
Linus has
released the 6.15 kernel, as
expected.
So this was delayed by a couple of hours because of a last-minute
bug report resulting in one new feature being disabled at the
eleventh hour, but 6.15 is out there now.
Significant changes in 6.15 include smarter timer-ID assignment to make
checkpoint/restore operations more reliable, the ability
to read status information from a pidfd after the process in question has
been reaped, the PIDFD_SELF
special pidfd value, nested
ID-mapped mounts, zero-copy network-data reception via io_uring, the ability
to read epoll events via io_uring, resilient
queued spinlocks for BPF programs, guard-page enhancements allowing them to be
placed in file-backed memory areas and for user space to detect their
presence, the once-controversial fwctl
subsystem, the optional sealing of some
system mappings, and much more.
See the LWN merge-window summaries (part 1, part 2) and the in-progress KernelNewbies 6.15 page for
more information.
corbet
1 month 1 week ago
The seventh edition of the
Power Management and Scheduling
in the Linux Kernel Summit (known as "OSPM") took place on March 18-20,
2025. Topics discussed on the second day include improvements to device
suspend and resume, the status and future of sched_ext, the scx_lavd
scheduler, improving the efficiency of load balancing, and hierarchical
constant bandwidth server scheduling.
corbet
1 month 1 week ago
The BPF verifier is an increasingly complex and security-critical piece of code.
When the kinds of people who are apt to work on BPF see a situation like that,
they naturally question whether it's possible to use formal verification to
ensure that the implementation of the code in question is correct. Santosh
Nagarakatte led the first of two extra-long sessions in the BPF track
of the 2025 Linux Storage, Filesystem, Memory Management, and BPF Summit
about his team's work formally verifying the BPF verifier with a
custom tool called
Agni.
daroc
1 month 1 week ago
Security updates have been issued by Fedora (dotnet9.0, dropbear, ghostscript, nbdkit, openssh, python-watchfiles, rpm-ostree, yelp, yelp-xsl, and zsync), Oracle (firefox and kernel), Red Hat (osbuild-composer), Slackware (aaa_glibc and mozilla), SUSE (chromedriver, open-vm-tools, postgresql14, python-cryptography, and thunderbird), and Ubuntu (linux-aws, linux-hwe-5.4, python, and sqlite3).
corbet
1 month 1 week ago
Mozilla has
announced
that it is shutting down Pocket, a bookmarking service acquired by Mozilla
in 2017, this coming July. "Pocket has helped millions save articles
and discover stories worth reading. But the way people use the web has
evolved, so we're channeling our resources into projects that better match
their browsing habits and online needs."
corbet
1 month 1 week ago
Our recent article on Home Assistant
observed that the project emphasizes installations using its own Linux
distribution or within containers. The project has now made that emphasis
rather stronger with
this
announcement of the deprecation of the "core" and "supervised"
installation modes, which allowed Home Assistant to be installed as an
ordinary application on a Linux system.
These are advanced installation methods, with only a small
percentage of the community opting to use them. If you are using
these methods, you can continue to do so (you can even continue to
update your system), but in six months time, you will no longer be
supported, which I'll explain the impacts of in the next
section. References to these installation methods will be removed
from our documentation after our next release (2025.6).
Support for 32-bit Arm and x86 architectures has also been deprecated.
corbet
1 month 1 week ago
The Fedora Council has ruled on the Fedora Engineering Steering
Council's (FESCo) decision last year to revoke Peter Robinson's
provenpackager status. In a statement
published to the fedora-devel-announce mailing list, the council has
announced that it has overturned FESCo's decision:
FESCo didn't have a specific policy for dealing with a request to remove
Proven Packager rights. In addition, the FESCo process was handled entirely
in private. The contributor didn't receive a formal notification or warning
from FESCo, and felt blindsided by the official decision when and how it was
announced. The Fedora Council would like to extend our sincerest apology on
behalf of the Fedora Project to them.
LWN covered the
story in December 2024.
jzb
LWN.net is a comprehensive source of news and opinions from
and about the Linux community. This is the main LWN.net feed,
listing all articles which are posted to the site front page.