Linux Weekly News

Cary Coutant has announced a draft for version 4.3 of the Executable and Linking Format (ELF) object file format. The specification was formerly part of the Unix System V Release 4 (SVR4) gABI document:

The last published gABI documents were the Fourth Edition and a draft of Edition 4.1, both published in March 1997. The ELF portions of the document were updated several times between 1998 and 2015, published online [...]

I've published the last draft from 2015 as Version 4.2, and collected the several changes since then, along with new e_machine values, as Version 4.3.

The source for the draft is on GitHub in reStructuredText format, and Coutant has collected the mailing list discussions for changes in 4.3 as GitHub issues. Thanks to Jose E. Marchesi for the tip.

Security updates have been issued by AlmaLinux (httpd, kernel, and kernel-rt), Debian (python-eventlet and python-h2), Mageia (aide, gnutls, tomcat, and vim), Oracle (httpd, mod_http2, postgresql:15, python3.11, python3.12, python3.9, and udisks2), Red Hat (kernel, postgresql, postgresql:12, and postgresql:15), SUSE (dcmtk, jupyter-bqplot-jupyterlab, kured, libudisks2-0, munge, python-eventlet, python-future, python311-eventlet, rekor, traefik2, and ucode-intel), and Ubuntu (linux-aws, linux-azure-5.15, linux-gcp-6.8, linux-gke, linux-gkeop, linux-hwe-6.8, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, linux-raspi, linux-gke, linux-ibm-5.15, linux-kvm, and protobuf).

As a rule, if a package is shipped with a Debian release, users can count on it being available, and updated, for the entire life of the release. If package foo is included in the stable release—currently Debian 13 ("trixie")—a user can reasonably expect that it will continue to be available with security backports as long as that release is supported, though it may not be included in Debian 14 ("forky"). However, it is likely that the Guix package manager will soon be removed from the repositories for Debian 13 and Debian 12 ("bookworm", also called oldstable).

The FastCode site has a lengthy article on how large language models make open-source projects far more vulnerable to XZ-style attacks.

Open source maintainers, already overwhelmed by legitimate contributions, have no realistic way to counter this threat. How do you verify that a helpful contributor with months of solid commits isn't an LLM generated persona? How do you distinguish between genuine community feedback and AI created pressure campaigns? The same tools that make these attacks possible are largely inaccessible to volunteer maintainers. They lack the resources, skills, or time to deploy defensive processes and systems.

The detection problem becomes exponentially harder when LLMs can generate code that passes all existing security reviews, contribution histories that look perfectly normal, and social interactions that feel authentically human. Traditional code analysis tools will struggle against LLM generated backdoors designed specifically to evade detection. Meanwhile, the human intuition that spot social engineering attacks becomes useless when the "humans" are actually sophisticated language models.

Security updates have been issued by AlmaLinux (kernel, mod_http2, postgresql, postgresql:15, and python39:3.9), Debian (libsndfile), Mageia (ceph, glibc, and golang), Oracle (postgresql and python39:3.9), Red Hat (aide, postgresql:12, postgresql:13, postgresql:15, and postgresql:16), SUSE (git, govulncheck-vulndb, jetty-minimal, nginx, python-future, and ruby2.5), and Ubuntu (imagemagick).

The GNOME Foundation has announced that Steven Deobald will be leaving the position of Executive Director after just four months.

We are extremely grateful to Steven for all this and more. Despite these many positive achievements, Steven and the board have come to the conclusion that Steven is not the right fit for the Executive Director role at this time. We are therefore bidding Steven a fond farewell.

Arnd Bergmann started his Open Source Summit Europe 2025 talk with a clear statement of position: 32-bit systems are obsolete when it comes to use in any sort of new products. The only reason to work with them at this point is when there is existing hardware and software to support. Since Bergmann is the overall maintainer for architecture support in the kernel, he is frequently asked whether 32-bit support can be removed. So, he concluded, the time has come to talk more about that possibility.

Security updates have been issued by AlmaLinux (postgresql16, postgresql:16, python3.11, and thunderbird), Debian (firebird4.0, libcommons-lang3-java, mbedtls, nodejs, openvpn, and ruby-saml), Fedora (cef, chromium, docker-buildx, exiv2, firefox, rocm-rpp, and udisks2), Oracle (postgresql:16), Red Hat (fence-agents, firefox, gdk-pixbuf2, httpd, kernel, kernel-rt, libarchive, libxml2, multiple packages, postgresql, postgresql16, postgresql:15, postgresql:16, python3.11, python3.12, python39:3.9, and thunderbird), Slackware (udisks2), SUSE (go-sendxmpp, helm, ImageMagick, javamail, jq, kea, kernel, libarchive, libsoup, libssh, libxml2, openssl-3, postgresql14, postgresql15, python, python-future, systemd, and xz), and Ubuntu (open-vm-tools and python2.7).

Linus has released 6.17-rc4 for testing. "So it all looks fairly good. Please do keep testing, and we'll get 6.17 out in a timely manner and in good shape."

Linus Torvalds has quietly changed the maintainer status of bcachefs to "externally maintained", indicating that further changes are unlikely to enter the mainline anytime soon. This change also suggests, though, that the immediate removal of bcachefs from the mainline kernel is not in the cards.

Keynote sessions at Open Source Summit events tend not to allow much time for detailed talks, and the 2025 Open Source Summit Europe did not diverge from that pattern. Even so, Daniel Stenberg, the maintainer of the curl project, managed to cram a lot into the 15 minutes given to him. Like the maintainers of many other projects, Stenberg is feeling some stress, and the problems appear to be getting worse over time.

The next release of systemd has been percolating for an unusually long time. Systemd releases are usually about six months apart, but v257 came out in December 2024, and v258 just now seems to be nearing the finish line; the third release candidate for v258 was published on August 20 (release notes). Now is a good time to dig in and take a look at some of the new features, enhancements, and removals coming soon to systemd. These include new workload-management features, a concept for multiple home-directory environments, and the final, once-and-for-all removal of support for control groups version 1.

Security updates have been issued by AlmaLinux (aide, fence-agents, firefox, kernel-rt, python-cryptography, and thunderbird), Debian (golang-github-gin-contrib-cors, libxml2, and udisks2), Fedora (chromium), Oracle (postgresql16, postgresql:16, python3.11, and thunderbird), Red Hat (lz4 and mpfr), SUSE (chromium, docker, dpkg, firefox, gdk-pixbuf, git, git, git-lfs, obs-scm-bridge, python-PyYAML, gnutls, kernel, libarchive, libxml2, net-tools, netty, perl-Crypt-CBC, polkit, postgresql14, postgresql15, sqlite3, thunderbird, tomcat10, and udisks2), and Ubuntu (linux, linux-aws, linux-aws-5.15, linux-gcp, linux-gcp-5.15, linux-gkeop, linux-hwe-5.15, linux-ibm, linux-intel-iotg, linux-intel-iotg-5.15, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-nvidia-tegra, linux-nvidia-tegra-5.15, linux-nvidia-tegra-igx, linux-oracle, linux-raspi, linux-xilinx-zynqmp, linux, linux-aws, linux-aws-6.14, linux-gcp, linux-hwe-6.14, linux-raspi, linux-realtime, linux-realtime-6.14, linux, linux-aws, linux-aws-6.8, linux-gcp, linux-lowlatency, linux-lowlatency-hwe-6.8, linux-oracle, linux-oracle-6.8, linux, linux-aws, linux-kvm, linux-lts-xenial, linux-azure, linux-fips, linux-fips, linux-aws-fips, linux-gcp-fips, linux-gke, linux-hwe-6.8, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, linux-raspi, linux-gke, linux-kvm, linux-oem-6.14, linux-realtime, linux-intel-iot-realtime, linux-realtime, linux-raspi-realtime, openldap, and udisks2).

Attendees at EuroPython had the chance to preview part of Python: The Documentary during a keynote panel. The full film, created by CultRepo, is now available on YouTube:

This is the story of the world's most beloved programming language: Python. What began as a side project in Amsterdam during the 1990s became the software powering artificial intelligence, data science and some of the world's biggest companies. But Python's future wasn't certain; at one point it almost disappeared.

This 90-minute documentary features Guido van Rossum, Travis Oliphant, Barry Warsaw, and many more, and they tell the story of Python's rise, its community-driven evolution, the conflicts that almost tore it apart, and the language's impact on... well... everything.

The video of the keynote is also available.

Greg Kroah-Hartman has announced the release of the 6.16.4, 6.12.44, 6.6.103, 6.1.149, 5.15.190, 5.10.241, and 5.4.297 stable Linux kernels. Each one contains important fixes.

The GNOME project, which recently celebrated its 28th birthday, has never had a formal technical governance; progress has been driven by individuals and groups that advocated for—and worked toward—a particular goal in an ad hoc fashion. Longtime GNOME contributor Emmanuele Bassi would like to see that change by adding cross-project teams and a steering committee for the project; to that end, he gave a talk (YouTube video) at GUADEC 2025 in late July on his idea to establish some technical governance for the project. He also put together a blog post with his notes from the talk. The audience reaction was favorable, so he has followed up on the GNOME discussion forum with an RFC on governance to try to move the effort along.

Security updates have been issued by AlmaLinux (aide, firefox, kernel, and mod_http2), Debian (chromium and unbound), Fedora (mod_auth_openidc), Oracle (fence-agents and kernel), SUSE (ignition, jetty-minimal, kernel, libmozjs-128-0, matrix-synapse, postgresql13, postgresql15, postgresql16, and postgresql17), and Ubuntu (kernel).

Inside this week's LWN.net Weekly Edition:

• Front: Groklaw takeover; CRL cache sharing; browsers and XSLT; Microdot; restartable sequences; shadow-stack control
• Briefs: Android restrictions; Arch services; GhostBSD 25.02; FFmpeg 8.0; PyCon videos; Quotes; ...
• Announcements: Newsletters, conferences, security updates, patches, and more.

Alyssa Rosenzweig has written a blog post about her work to help ship a "great driver" for the Apple M1 GPU that supports OpenGL, Vulkan, and enables gaming with Proton.

We've succeeded beyond my dreams. The challenges I chased, I have tackled. The drivers are fully upstream in Mesa. Performance isn't too bad. With the Vulkan on Apple myth busted, conformant Vulkan is now coming to macOS via LunarG's KosmicKrisp project building on my work.

Satisfied, I am now stepping away from the Apple ecosystem. My friends in the Asahi Linux orbit will carry the torch from here.

Rosenzweig indicates her next project will be working on Intel's Xe-HPG graphics architecture. LWN covered her talk on Apple M1/M2 GPU drivers in October 2024.

The Extensible Stylesheet Language Transformations (XSLT) language is used by web browsers to style XML content to make it easily readable; XSLT is part of the HTML living standard that is maintained by the Web Hypertext Application Technology Working Group (WHATWG). Only a small fraction of web sites serve content that requires web browsers to support XSLT, in part because major browser implementations have neglected the technology over the past 25 years. Now, it seems, they would like to rid themselves of it entirely. A plan to disable XSLT in Blink (Chrome's rendering engine) and a pull request by a Google Chrome developer to remove mentions of the specification from the HTML standard have been met with opposition, but arguments in favor of XSLT have proven ineffective.