Linux Weekly News

Wayback 0.1 released

1 month 2 weeks ago

Version 0.1 of the Wayback project has been released:

Wayback is an X11 compatibility layer that allows for running full X11-only desktop environments using Wayland. It is essentially an X11 server backed by Wayland, leveraging wlroots and Xwayland. Our goal is for Wayback to eventually be a completely drop-in replacement to the Xorg binary, thus reducing maintenance burden for distro maintainers.

Ever since Wayback was announced on June 28, we have been making lots of progress to get it as stable and functional as possible, and while this is a preview release it is already daily-driveable by users with simple requirements, as long as they don't mind bugs.

The release is considered alpha-quality and is missing a number of features, including multi-monitor support and DPMS, but adventurous users can find the code here.

jzb

[$] Graphene OS: a security-enhanced Android build

1 month 2 weeks ago
People tend to put a lot of trust into their phones. Those devices have access to no end of sensitive data about our lives — our movements, finances, communications, and more — so phones belonging to even relatively low-profile people can be high-value targets. Android devices run free software, at least at some levels, so it should be possible to ensure that they are working in their owners' interests. Off-the-shelf Android installations tend to fall short of that goal. The GrapheneOS Android rebuild is an attempt to improve on that situation.
corbet

Security updates for Thursday

1 month 2 weeks ago
Security updates have been issued by Debian (chromium, firefox-esr, and mediawiki), Fedora (firefox), Oracle (git, kernel, redis, and sudo), Red Hat (aardvark-dns, firefox, kernel, and thunderbird), Slackware (httpd), SUSE (php7, php8, and salt), and Ubuntu (linux-raspi-realtime and ruby-rack).
jake

Discovering and recovering from PostgreSQL corruption on Matrix.org

1 month 2 weeks ago

Richard van der Hoff, a member of the team that runs the Matrix.org homeserver, has written a detailed blog post about diagnosing and fixing a problem where Matrix rooms would simply stop working:

We know that there are plenty of users out there who will have been affected by the problem, and found themselves unable to communicate as a result. We very much share your frustration, and we'd like to apologise for the disruption to service.

With that said, we're glad that we were able to get to the bottom of most of the problem, and get the lost data restored within a relatively short time. If nothing else, hopefully this blog post will be of use to future generations faced with Postgres index corruption!

jzb

[$] Understanding Debian's security processes

1 month 2 weeks ago

Providing security updates for a Linux distribution, such as Debian, involves a lot of work behind the scenes—and requires much more than simply shipping the latest code. On July 15, at DebConf25 in Brest, France, Samuel Henrique walked through the process of providing security updates to users; he discussed how Debian learns about security vulnerabilities, decides on the best response, and the process of sending out updates to keep its users safe. He also provided guidance on how others could get involved.

jzb

An update on Home Assistant's Android app

1 month 2 weeks ago

The Home Assistant project has published an update on improvements in its Android app, and plans for upcoming releases:

In our latest update of the Android app 2025.7.1, we've added a couple of useful features. Including a new basic invite flow, which will be shared between Android and iOS, adding a good layer of consistency between our most-used companion apps. The idea is to make it much more seamless to add new users or set up new devices (no need to type the URL in your Android Automotive device!).

We've also made My Links work better. If you're unfamiliar with My Links, they're those cool links (that anyone can make) that bring you right to an integration, blueprint, add-on, or settings page. They have always worked great on desktop, but up until recently, they were a bit clunky to use on mobile. Now you can get to the link's destination with a single click.

LWN looked at Home Assistant in May.

jzb

Prokop: What to expect from Debian/trixie

1 month 2 weeks ago
Michael Prokop has posted a lengthy list of changes coming in the Debian "trixie" release, due in early August. "As usual with major upgrades, there are some things to be aware of, and hereby I'm starting my public notes on trixie that might be worth for other folks. My focus is primarily on server systems and looking at things from a sysadmin perspective."
corbet

[$] Deep immutability for Python

1 month 2 weeks ago

Python has recently seen a number of experiments to improve its parallel performance, including exposing subinterpreters as part of the standard library. These allow separate threads within the same Python process to run simultaneously, as long as any data sent between them is copied, rather than shared. PEP 795 ("Deep Immutability in Python") seeks to make efficient sharing of data between subinterpreters possible by allowing Python objects to be "frozen", so that they can be accessed from multiple subinterpreters without copying or synchronization. That task is more difficult than it seems, and the PEP prompted a good deal of skepticism from the Python community.

daroc

Security updates for Wednesday

1 month 2 weeks ago
Security updates have been issued by AlmaLinux (cloud-init, fence-agents, git, kernel, and kernel-rt), Debian (openjdk-11), Fedora (firefox, golang, libinput, transfig, and yasm), Mageia (qtbase5, qtbase6), Red Hat (fence-agents, go-toolset:rhel8, golang, kernel, and python-setuptools), Slackware (mozilla), SUSE (cyradm, gstreamer-plugins-base, and xen), and Ubuntu (gdk-pixbuf, jq, linux-gcp, linux-gcp-6.8, linux-oracle, ruby-sinatra, thunderbird, and unbound).
jzb

Firefox 141.0 released

1 month 2 weeks ago
Version 141.0 of the Firefox browser is out. Changes include "a local AI model" that can perform tab grouping, unit conversions in the address bar, and a change that many of us will find welcome: "On Linux, Firefox uses less memory and no longer requires a forced restart after an update has been applied by a package manager".
corbet

Catanzaro: Fedora must (carefully) embrace Flathub

1 month 2 weeks ago

GNOME and Fedora contributor Michael Catanzaro has written a lengthy blog post about the future of Fedora Workstation as an image-based release and the need to enable Flathub by default. He writes that the Fedora Workstation of the future must be "safe and image-based by default", with applications provided through Flathub:

Flathub is drastically more popular than Fedora Flatpaks even among the most hardcore Fedora community members who participate in change proposal debate on Fedora Discussion. (At time of writing, nearly 80% of discussion participants favor filtering out Fedora Flatpaks.)

This is the most important point. Flathub has already won.

He notes that Fedora should not force users to install an image-based OS if they do not want to, and there will be a package-based version for users who prefer or require it: "so no need to panic".

jzb

Google launches OSS Rebuild

1 month 2 weeks ago
Google has announced the existence of OSS Rebuild, an infrastructure for the creation and verification of reproducible builds of software projects.

Our aim with OSS Rebuild is to empower the security community to deeply understand and control their supply chains by making package consumption as transparent as using a source repository. Our rebuild platform unlocks this transparency by utilizing a declarative build process, build instrumentation, and network monitoring capabilities which, within the SLSA Build framework, produces fine-grained, durable, trustworthy security metadata. [...]

Our vision extends beyond any single ecosystem: We are committed to bringing supply chain transparency and security to all open source software development. Our initial support for the PyPI (Python), npm (JS/TS), and Crates.io (Rust) package registries—providing rebuild provenance for many of their most popular packages—is just the beginning of our journey.

corbet

[$] QUIC for the kernel

1 month 2 weeks ago
The QUIC transport-layer network protocol is not exactly new; it was first covered here in 2013. Despite carrying a significant part of the traffic on the Internet, QUIC has been anything but quick when it comes to getting support into the Linux kernel. The pace might be picking up, though; Xin Long has posted the first set of patches intended to provide mainline support for this protocol.
corbet

Security updates for Tuesday

1 month 2 weeks ago
Security updates have been issued by AlmaLinux (tomcat9), Debian (djvulibre, libcommons-fileupload-java, libowasp-esapi-java, and tomcat9), Fedora (cef, dpkg, mingw-gdk-pixbuf, and mingw-python3), Gentoo (Roundcube), Oracle (avahi, cloud-init, fence-agents, git, kernel, and valkey), Red Hat (wireshark), SUSE (afterburn, apache2, busybox, java-21-openjdk, kernel, kernel-livepatch-MICRO-6-0-RT_Update_10, lemon, libexslt0, libgcrypt, libxml2-2, php8, postgresql17, python, python-oslo.utils, python311, python312, python313, and sudo), and Ubuntu (drupal7, erlang, fdkaac, gobgp, jq, linux-aws, linux-aws-6.8, linux-gke, linux-gkeop, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, linux-oracle, linux-oracle-6.8, linux-kvm, linux-oracle, and ruby-nokogiri).
corbet

Security updates for Monday

1 month 2 weeks ago
Security updates have been issued by AlmaLinux (java-1.8.0-openjdk), Debian (angular.js and batik), Fedora (chromium, pypy, screen, unbound, wine, and wine-mono), Mageia (djvulibre, quictls, and redis), Red Hat (avahi, gnome-remote-desktop, java-1.8.0-openjdk, java-11-openjdk with Extended Lifecycle Support, java-21-openjdk, kernel, kernel-rt, python-setuptools, redis, and valkey), SUSE (chromedriver, coreutils, cosign, docker, FastCGI, ffmpeg-4, fractal, gimp, glib2, ImageMagick, iputils, java-17-openjdk, java-24-openjdk, jq, kubelogin, kubernetes1.23, kubernetes1.24, kubernetes1.26, python-requests, python3, rmt-server, rustup, and thunderbird), and Ubuntu (apache2).
jake

Kernel prepatch 6.16-rc7

1 month 2 weeks ago
Linus has released 6.16-rc7 for testing.

Nothing really stands out - the biggest patches in here are for some documentation and self-tests or tooling, not actual kernel code changes.

So unlike the week before, it all feels very trivial and I think we're in good shape. Knock wood,

corbet

Malicious packages uploaded to the Arch Linux AUR

1 month 2 weeks ago
The Arch Linux project has sent out an advisory warning that a set of malicious packages, containing a remote access trojan, were uploaded to the Arch User Repository (AUR). The affected packages were librewolf-fix-bin, firefox-patch-bin, and zen-browser-patched-bin. "We strongly encourage users that may have installed one of these packages to remove them from their system and to take the necessary measures in order to ensure they were not compromised."
corbet
LWN.net is a comprehensive source of news and opinions from and about the Linux community. This is the main LWN.net feed, listing all articles which are posted to the site front page.