Welcome to LWN.net
Headlines for September 9, 2025
npm debug and chalk packages compromised (Aikido)
The Aikido blog describes an apparently ongoing series of phishing attacks against npm package maintainers, resulting in the uploading of compromised versions of heavily used packages:
All together, these packages have more than 2 billion downloads per week.The packages were updated to contain a piece of code that would be executed on the client of a website, which silently intercepts crypto and web3 activity in the browser, manipulates wallet interactions, and rewrites payment destinations so that funds and approvals are redirected to attacker-controlled accounts without any obvious signs to the user.
[$] Testing the 2-in-1 Framework 12 Laptop
Framework Computer is a US-based
computer manufacturer with a line of Linux-supported, modular, easily
repairable and upgradeable laptops. In February, the company announced
a new model, the Framework Laptop 12,
an "entry-level
" 12.2-inch convertible notebook that can be
used as a laptop or tablet. The systems were made available for pre-order
in April, I received mine in mid-August. Since then, I have been
putting it through its paces with Debian 13 ("trixie") and
Fedora Linux 42. It's a good choice for users who want a
Linux-friendly, lightweight, 2-in-1
device—if they are willing to make a few concessions on storage
capacity, RAM, and CPU/GPU choices.
Security updates for Monday
Security updates have been issued by Debian (chromium, libhtp, modsecurity-apache, shibboleth-sp, and wireless-regdb), Fedora (chromium, kea, tcpreplay, and yq), Mageia (rootcerts, nspr, nss & firefox and thunderbird), Red Hat (python3), and SUSE (7zip, chromedriver, go1.25, libQt5Pdf5, libsixel-bash-completion, libsoup2, libwireshark18, netty, rav1e, and trivy).
Kernel prepatch 6.17-rc5
Linus has released 6.17-rc5 for testing.
"Things remain normal - both the diffstat and the commit counts look
entirely sane
". The announcement also contains a plea for maintainers
to not overuse Link: tags when applying patches.
[$] Rug pulls, forks, and open-source feudalism
Like almost all human endeavors, open-source software development involves a range of power dynamics. Companies, developers, and users are all concerned with the power to influence the direction of the software — and, often, to profit from it. At the 2025 Open Source Summit Europe, Dawn Foster talked about how those dynamics can play out, with an eye toward a couple of tactics — rug pulls and forks — that are available to try to shift power in one direction or another.
Security updates for Friday
Security updates have been issued by Fedora (udisks2), Oracle (httpd:2.4 and kernel), Red Hat (python-requests), and SUSE (chromium, gn, dcmtk, firefox, himmelblau, nginx, perl-Authen-SASL, perl-Crypt-URandom, postgresql15, python-Django, and python-maturin).
No more 32-bit Firefox support
Mozilla has announced
that support for the Firefox browser on 32-bit systems ends with
version 144. "For users who cannot transition immediately, Firefox
ESR 140 will remain available — including 32-bit builds — and will continue
to receive security updates until at least September 2026.
"
Seven new stable kernels
Greg Kroah-Hartman has announced the release of the 6.16.5, 6.12.45, 6.6.104, 6.1.150, 5.15.191, 5.10.242, and 5.4.298 stable kernels. Each contains important fixes throughout the kernel tree; users should upgrade.
[$] The dependency tracker for complex deadlock detection
Deadlocks are a constant threat in concurrent settings with shared data; it is thus not surprising that the kernel project has long since developed tools to detect potential deadlocks so they can be fixed before they affect production users. Byungchul Park thinks that he has developed a better tool that can detect more deadlock-prone situations. At the 2025 Open Source Summit Europe, he presented an introduction to his dependency tracker (or "DEPT") tool and the kinds of problems it can detect.
Security updates for Thursday
Security updates have been issued by AlmaLinux (httpd:2.4, kernel, pam, postgresql:12, and python3.12), Debian (clamav and node-cipher-base), Fedora (exiv2 and libsixel), Oracle (httpd, kernel, pam, postgresql:12, postgresql:13, postgresql:15, and udisks2), SUSE (gimp, libmupen64plus-devel, munge, nvidia-open-driver-G06-signed, ovmf, postgresql15, python-aiohttp, python-Django, rav1e, redis, and ruby2.5), and Ubuntu (ffmpeg, kdepim, kf5-messagelib, kmail, kmail-account-wizard, linux-azure, linux-azure-6.8, linux-azure-nvidia, php7.0, php7.2, php7.4, protobuf, python-django, ruby2.5, ruby2.7, ruby3.0, ruby3.2, ruby3.3, and rubygems).
[$] LWN.net Weekly Edition for September 4, 2025
Posted Sep 4, 2025 0:04 UTC (Thu)The LWN.net Weekly Edition for September 4, 2025 is available.
Inside this week's LWN.net Weekly Edition
- Front: Maintaining curl; GNOME governance; Guix in Debian; Tracking untrusted data in the kernel; 32-Bit support; systemd v258.
- Briefs: bcachefs maintenance; Linux from Scratch 12.4; ELF spec; Niri 25.08; Python documentary; GNOME executive director; Quotes; ...
- Announcements: Newsletters, conferences, security updates, patches, and more.
Home Assistant 2025.9 released
Version 2025.9 of the Home Assistant home automation system has been released. Changes include a new experimental dashboard that is eventually meant to become the default, a number of tile-card improvements, a reworked automation editor, several new integrations, and more.
Niri 25.08 released
Version 25.08 of the niri scrollable-tiling Wayland compositor has been released. Notable changes include xwayland-satellite integration, modal exit confirmation, and the introduction of basic support for screen readers:
A series of posts by fireborn earlier this year on the screen reader situation in Linux got me curious: how does one support screen readers in a Wayland compositor? The documentation is unfortunately scarce and difficult to find. Thankfully, @DataTriny from the AccessKit project came across my issue, pointed me at the right protocols, and answered a lot of my questions.
So, as of this release, niri has basic support for screen readers! We implement the org.freedesktop.a11y.KeyboardMonitor D-Bus interface for Orca to listen and grab keyboard keys, and we expose the main niri UI elements via AccessKit. [...]
The current screen reader support and further considerations are documented on the new Accessibility wiki page.
LWN covered niri in July.
Linux From Scratch 12.4 released
Version 12.4 of Linux From Scratch (LFS) and Beyond Linux From Scratch (BLFS) have been released. LFS provides step-by-step instructions on building a customized Linux system entirely from source, and BLFS helps to extend an LFS installation into a more usable system. Notable changes in this release include updates to GNU Binutils 2.45, GCC 15.2, GNU C Library (glibc) 2.42, and Linux 6.15.1. See the Changelog for all updates since 12.3.
[$] Tracking trust with Rust in the kernel
The Linux kernel has to handle many different sources of data that should not be trusted: user space, network connections, and removable storage, to name a few. The kernel has to remain secure even if one of these sends garbled (or malicious) data. Benno Lossin has been working on an API for kernel Rust code that makes it harder to accidentally make decisions based on data from user space. That work is now on its fourth revision, and Lossin has asked kernel developers to experiment with it and see where problems remain, making this a good time to look at the proposed API.
Announcing the Rust Innovation Lab
During the opening of RustConf 2025 in Seattle, Washington, the Rust Foundation announced a new initiative to provide financial and administrative support to open-source Rust projects. The first project to benefit from the new Rust Innovation Lab is Rustls, an implementation of TLS in Rust. The foundation welcomes inquiries from other projects. Dr. Rebecca Rumbul, Executive Director of the Rust Foundation said:
Rustls is hopefully the first of many really good [...] projects that will find a home in the foundation.
New ELF specification for public review
Cary Coutant has announced a draft for version 4.3 of the Executable and Linking Format (ELF) object file format. The specification was formerly part of the Unix System V Release 4 (SVR4) gABI document:
The last published gABI documents were the Fourth Edition and a draft of Edition 4.1, both published in March 1997. The ELF portions of the document were updated several times between 1998 and 2015, published online [...]
I've published the last draft from 2015 as Version 4.2, and collected the several changes since then, along with new e_machine values, as Version 4.3.
The source for the draft is on GitHub in reStructuredText format, and Coutant has collected the mailing list discussions for changes in 4.3 as GitHub issues. Thanks to Jose E. Marchesi for the tip.
Security updates for Wednesday
Security updates have been issued by AlmaLinux (httpd, kernel, and kernel-rt), Debian (python-eventlet and python-h2), Mageia (aide, gnutls, tomcat, and vim), Oracle (httpd, mod_http2, postgresql:15, python3.11, python3.12, python3.9, and udisks2), Red Hat (kernel, postgresql, postgresql:12, and postgresql:15), SUSE (dcmtk, jupyter-bqplot-jupyterlab, kured, libudisks2-0, munge, python-eventlet, python-future, python311-eventlet, rekor, traefik2, and ucode-intel), and Ubuntu (linux-aws, linux-azure-5.15, linux-gcp-6.8, linux-gke, linux-gkeop, linux-hwe-6.8, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, linux-raspi, linux-gke, linux-ibm-5.15, linux-kvm, and protobuf).
[$] Removing Guix from Debian
As a rule, if a package is shipped with a Debian release, users can count on it being available, and updated, for the entire life of the release. If package foo is included in the stable release—currently Debian 13 ("trixie")—a user can reasonably expect that it will continue to be available with security backports as long as that release is supported, though it may not be included in Debian 14 ("forky"). However, it is likely that the Guix package manager will soon be removed from the repositories for Debian 13 and Debian 12 ("bookworm", also called oldstable).
The hidden vulnerabilities of open source (FastCode)
The FastCode site has a lengthy article on how large language models make open-source projects far more vulnerable to XZ-style attacks.
Open source maintainers, already overwhelmed by legitimate contributions, have no realistic way to counter this threat. How do you verify that a helpful contributor with months of solid commits isn't an LLM generated persona? How do you distinguish between genuine community feedback and AI created pressure campaigns? The same tools that make these attacks possible are largely inaccessible to volunteer maintainers. They lack the resources, skills, or time to deploy defensive processes and systems.The detection problem becomes exponentially harder when LLMs can generate code that passes all existing security reviews, contribution histories that look perfectly normal, and social interactions that feel authentically human. Traditional code analysis tools will struggle against LLM generated backdoors designed specifically to evade detection. Meanwhile, the human intuition that spot social engineering attacks becomes useless when the "humans" are actually sophisticated language models.