Welcome to LWN.net

[Development] Posted Jun 11, 2026 14:49 UTC (Thu) by jzb

Version 6.0.0 of the Homebrew package-management system has been released. Notable changes in this release include the introduction of tap trust to improve supply-chain security, improvements in sandboxing on Linux, a number of performance tweaks, and many other changes.

See the changelog for a full list. LWN covered Homebrew in November 2025.

Comments (none posted)

[Kernel] Posted Jun 11, 2026 14:33 UTC (Thu) by corbet

The Linux kernel has long tried to use huge pages as a way to improve performance, sometimes with more success than others. The size of huge pages has traditionally been imposed by the hardware, which typically only offers a couple of relatively large options. In more recent times, though, the use of multi-size transparent huge pages (mTHPs), with more flexible sizing implemented in software, has been growing. If all goes well, the 7.2 development cycle will include the addition of a new feature, contributed by Nico Pache, to make the use of mTHPs even more transparent.

Full Story (comments: none)

[Security] Posted Jun 11, 2026 13:08 UTC (Thu) by jzb

Security updates have been issued by AlmaLinux (.NET 10.0, .NET 8.0, .NET 9.0, podman, poppler, and postgresql-jdbc), Debian (chromium, jackson-core, libdbi-perl, and libinput), Fedora (httpd, rust, and xmlstarlet), Mageia (openssh, postfix, and roundcubemail), Oracle (frr, kernel, libyang, n, postgresql-jdbc, and unbound), Red Hat (.NET 10.0, .NET 8.0, .NET 9.0, redis, and redis:7), SUSE (agama-web-ui, cockpit, cosign, glibc, google-cloud-sap-agent, google-osconfig-agent, kanidm, kernel, kubernetes, kubernetes1.23, kubernetes1.24, kubernetes1.25, kubernetes1.27, kubernetes1.28, libpodofo-devel, libyang, NetworkManager-libreswan, openCryptoki, python311-pypdf, rclone, steampipe, wicked, and xen), and Ubuntu (exim4, libcrypt-saltedhash-perl, libhttp-daemon-perl, samba, and uriparser).

Full Story (comments: none)

[Security] Posted Jun 10, 2026 16:43 UTC (Wed) by jzb

Seth Larson, the Python Software Foundation's security developer-in-residence, has written about the difficulty in classifying insecure code completion in the PyCharm IDE using its Full Line code completion plugin. Larson discovered that the plugin, which uses a local "deep learning module" to offer code completions, suggests code that would lead to severe vulnerabilities. He was unsure whether it warranted a CVE or not, however:

I reported this behavior to JetBrains for "Full Line Code Completion" v253.29346.142 and clearly their support staff weren't certain whether this defect was a security vulnerability or not either. When I asked to publish a blog post about this behavior after they confirmed this report wasn't a "direct security vulnerability" (which I agree with) but then was asked not to publicize my report and referred to PyCharm's Coordinated Disclosure Policy so... which is it? Security vulnerability or not?

I ended up waiting the 90 days anyway and I didn't hear back with any substantive update from the development team. I double-checked again today using "Full Line Code Completion" v261.24374.152 and the behavior is identical, suggesting the same insecure code for both contexts.

This isn't meant to be a specific dig at PyCharm or JetBrains, I have no-doubt that examples like this exist in every code generation model available.

Comments (2 posted)

[Distributions] Posted Jun 10, 2026 14:35 UTC (Wed) by jzb

Agentic AI systems can be used to do a variety of things autonomously on behalf of a human user: open or manage bugs, generate code, submit pull-requests, and (apparently) even complain about rejection. In May, a Fedora developer discovered that an allegedly rogue agent had been pestering the project in a number of ways: reassigning bugs, fabricating unhelpful replies to bugs, and even persuading maintainers to merge questionable code into the Anaconda installer. It also submitted a number of pull requests (PRs), some accepted, to several upstream projects. The Fedora account associated with the agent has had its group privileges revoked and the messes have been mopped up, but the motive behind the agent's actions is still a mystery.

Full Story (comments: 21)

[Distributions] Posted Jun 10, 2026 14:03 UTC (Wed) by jzb

Version 2026.05 of the Buildroot tool has been released. Buildroot simplifies and automates the process of building embedded Linux systems using cross-compilation. Notable changes in this release include support for Arm Neoverse cores, addition of XFS rootfs generation, as well as many package updates and bug fixes. See the CHANGES file for the full list.

Comments (none posted)

[Security] Posted Jun 10, 2026 13:09 UTC (Wed) by jzb

Security updates have been issued by AlmaLinux (poppler), Debian (dnsmasq, mistral, okular, openssl, poppler, and strongswan), Fedora (exim, firefox, pcs, putty, and xorg-x11-server), Mageia (freeciv, golang-x-net, jq, libssh, libxmp, libxpm, minetest, ruby-net-ssh, tor, and wireshark), SUSE (389-ds, ack, agama-web-ui, amazon-ssm-agent, avahi, dpkg, elemental-register, elemental-system-agent, elemental-toolkit, ggml-devel-9500, go1.25, go1.26, kernel, kubernetes1.23, kubernetes1.24, kubernetes1.26, libsoup, mariadb, netty, netty-tcnative, NetworkManager, nginx, perl-CryptX, perl-XML-LibXML, podofo, polkit, python-Django, python-requests, samba, strongswan, vim, and xen), and Ubuntu (cyborg, gdk-pixbuf, golang-golang-x-net-dev, nginx, node-lodash, openssl, openssl, openssl1.0, qemu, tomcat9, tomcat10, and vim).

Full Story (comments: none)

[Distributions] Posted Jun 9, 2026 18:00 UTC (Tue) by jzb

Thomas Ward has published an update about the future of the Ubuntu MATE project, which did not have a 26.04 release with the other Ubuntu flavors in April:

There is a new team working on Ubuntu MATE who have stepped up to help take over flavor management. They haven't formally introduced themselves yet, but I can safely say that other developers HAVE stepped up for the future of the MATE flavor, despite its prior team lead having stepped down.

[...] Ultimately, this means that they are working to cover the missed items and gaps, and may quite possibly have a 26.10 release in October of 2026, which I believe they most likely are targeting.

This also means that bugs in the MATE environment and in packages they normally would have shipped had they have a 26.04 release are still going to get attention and fixes. So, effectively, nothing has changed. The only difference is that there was no 26.04 installer image released.

For those looking to install a MATE desktop on a "clean" install of Ubuntu 26.04, Ward suggests installing Ubuntu Server and then installing the ubuntu-mate-desktop package.

Comments (5 posted)

[Security] Posted Jun 9, 2026 17:50 UTC (Tue) by jzb

Trusted publishing is an authentication mechanism that relies on short-lived credentials to reduce the risk of supply-chain attacks. At the 2026 Open Source Summit North America, Mike Fiedler walked the audience through why trusted publishing exists, how it works, and made the case for its adoption. It is not a silver bullet against all attacks, but it does offer protection against theft of long-lived credentials used to publish to package registries.

Full Story (comments: 25)

[Distributions] Posted Jun 9, 2026 14:30 UTC (Tue) by jzb

The Asahi Linux project, which brings Linux support to Apple Arm-based Macs, has warned its users not to upgrade to the macOS 27 "Golden Gate" beta.

Apple has changed how the boot picker and Startup Disk applications detect valid OS boot volumes. When using either from macOS 27, your Asahi partition will not be visible! We believe this to be a bug, and have filed a report (FB22994760).

If you have already upgraded to the beta and noticed that your Asahi partition has disappeared, do not stress. Your Asahi partition is still there, and you have not lost any data.

The Asahi Linux installer has been patched to prevent use with macOS 27 for now, but any users already bitten by the change will need to use macOS 26 to restore access to Asahi Linux.

Comments (none posted)

[Kernel] Posted Jun 9, 2026 13:37 UTC (Tue) by daroc

The BPF verifier has, in the course of wrestling with the difficult problem of statically analyzing loops, grown special support for many kinds of loops over its history, but its fundamental approach to simple for loops has not changed. When it encounters a loop, it evaluates it, iteration by iteration, until reaching an exit condition — a process that can cause the verifier to mistakenly hit the limit on the number of allowed instructions where a better implementation would not. Eduard Zingerman spoke at the 2026 Linux Storage, Filesystem, Memory-Management, and BPF Summit about his in-progress work on improving the verifier's treatment of loops, especially nested loops.

Full Story (comments: 1)

[Security] Posted Jun 9, 2026 13:03 UTC (Tue) by jzb

Security updates have been issued by AlmaLinux (bind and libyang), Debian (keystone and openssl), Fedora (mingw-objfw, objfw, sentencepiece, and tailscale), Mageia (packagekit and suricata), Oracle (bind, bind9.16, go-toolset:ol8, ImageMagick, kernel, samba, and vim), SUSE (apache-commons-lang3, apache-commons-text, apache-commons- configuration2, apache-commons-cli, apache-commons-io, apache-commons-codec, avahi, busybox, chromedriver, chromium, csync2, firewalld, frr, gleam, helm, kernel-devel, keybase-client, libmozjs-140-0, libopenvswitch-3_7-0, libsoup, memcached, mutt, openjpeg2, ovmf, perl-HTML-Parser, perl-Net-CIDR-Set, perl-Protocol-HTTP2, postgresql-jdbc, postgresql17, python-CairoSVG, python-Flask, python-pip, python-pyOpenSSL, python-python-multipart, python-Twisted, python-urllib3, python-urllib3_1, python-uv, python311, rsync, tomcat, and tree-sitter), and Ubuntu (alsa-lib, cups, inetutils, isc-kea, jpeg-xl, libnet-cidr-lite-perl, netatalk, netty, nginx, node-shell-quote, php-twig, pillow, poppler, rsync, strongswan, systemd, and transmission).

Full Story (comments: none)

[Distributions] Posted Jun 9, 2026 12:52 UTC (Tue) by corbet

Heise is carrying a report from the Linux App Summit, held in Berlin in May.

The slightly more than a dozen talks were symbolically framed between the opening keynote by systemd creator Lennart Poettering and the closing talk by Jorge Castro, initiator of the Universal Blue project, from which the modern Linux systems Bluefin and Bazzite emerged. Both Castro and Poettering call for a fundamental rethink of how Linux operating systems are delivered but pursue different approaches.

Comments (1 posted)

[Kernel] Posted Jun 9, 2026 11:44 UTC (Tue) by jzb

Greg Kroah-Hartman has announced the release of the 7.0.12, 6.18.35, and 6.12.93 stable kernels. Each contains important fixes throughout the tree. Users are advised to upgrade.

Comments (none posted)

[Kernel] Posted Jun 8, 2026 15:35 UTC (Mon) by jake

In a filesystem-track session at the 2026 Linux Storage, Filesystem, Memory Management, and BPF Summit, Amir Goldstein updated attendees on the fanotify filesystem-event monitoring subsystem. He wanted to describe changes that had come in the last year or so, as well as upcoming features and some remaining challenges in his efforts to use fanotify for hierarchical storage management (HSM). Fanotify is the user-space API for monitoring files, directories, and filesystems for events of various sorts (e.g. opening or deleting a file).

Full Story (comments: none)

[Development] Posted Jun 8, 2026 14:23 UTC (Mon) by jzb

Andrew Tridgell has announced the release of rsync 3.4.4 with fixes for the regressions introduced in the 3.4.3 release. He also notes there will be an rsync 3.5.0 soon, with many more security updates:

As part of the 3.5.0 release update I have created a rsync-security@lists.samba.org mailing list for anyone who is willing to do testing of the 3.5.0 release. The idea is to try to reduce the chance of more regressions by expanding the set of testers of this release. I have seeded it with people who were involved in past rsync security issues. If you want to join this list then the easiest way would be for you to be vouched for by someone on the distros@vs.openwall.org list or someone else I already trust.

My apologies for the regressions in the 3.4.3 release and I hope future security updates for rsync will have less issues. The greatly expanded test suite in rsync 3.5 combined with the rsync-security mailing list should help.

Comments (none posted)

[Security] Posted Jun 8, 2026 13:32 UTC (Mon) by jzb

Security updates have been issued by AlmaLinux (bind, bind9.16, frr, kernel, kernel-rt, libexif, mysql, php, and unbound), Debian (apache2, chromium, glibc, gsasl, jackson-core, libxml2, nginx, request-tracker4, request-tracker5, tomcat10, tomcat11, and tomcat9), Fedora (chromium, firefox, haveged, keylime, libinput, libssh2, nasm, perl-CryptX, rust, thunderbird, and webkitgtk), Mageia (cockpit, golang-x-crypto, golang-x-sys-devel, kernel, kmod-virtualbox, kmod-xtables-addons, kernel-linus, perl-DBIx-Class-EncodedColumn, perl-Crypt-URandom-Token, xdg-dbus-proxy, and xmlrpc-c), Slackware (samba), and SUSE (7zip, amazon-ssm-agent, ansible-13, ansible-core, assimp-devel, bind, cacti, chromium, dpkg, epiphany, erlang27, evince, ffmpeg-4, freerdp, frr, git-bug, google-guest-agent, grafana, hauler, ignition, jq, kanidm, kernel, keybase-client, libjxl, libmariadbd-devel, libmozjs-115-0, libopenbabel8, libsoup2, mariadb, mcphost, networkmanager, openssh, perl-HTTP-Daemon, perl-HTTP-Tiny, perl-IO-Compress, perl-Sereal-Decoder, perl-xml-libxml, postgresql18, python-pyopenssl, python311-pip, tomcat, tomcat10, tomcat11, tor, trivy, unbound, uriparser, vifm, weblate, xorg-x11-server, and yq).

Full Story (comments: none)

[Kernel] Posted Jun 8, 2026 0:28 UTC (Mon) by corbet

The 7.1-rc7 kernel prepatch is out for testing. Linus said: "Anyway, as things look now this is the last rc. Something can obviously always come up and force us to change that, but please give rc7 a whirl and keep testing for one more week."

Comments (none posted)

[Kernel] Posted Jun 5, 2026 14:06 UTC (Fri) by corbet

Since the earliest days of Unix, two of the core process-oriented system calls have been fork(), which creates a child process as a copy of the parent, and exec(), which runs a new program in the place of the current one. In Linux kernels, those system calls are better known as clone() and execve(), but the core functionality remains the same. While there is elegance to this process-creation model, there are shortcomings as well. A recent proposal from Li Chen to add "spawn templates" to the kernel will not be accepted in its current form, but it may point the way toward a new process-creation primitive in the future.

Full Story (comments: 115)