Brief items
Security
Some turbulence at CalyxOS
CalyxOS is an Android distribution that claims a focus on privacy and security. So when an announcement from the project begins by saying "we want to assure you that we have no reason to believe the security of CalyxOS and its signing keys have been compromised", chances are that good things are not happening.
In this case, it would appear that Nicholas Merrill, one of the founders of
the project, has left for unclear reasons, and CalyxOS is responding by
pausing all releases — and security updates — while its release process,
signing keys, and security protocols are reworked. The result will be no
updates for "four to six months
". The project is recommending that
its users "should uninstall the OS
" and wait for an all-clear
signal. CalyxOS may have its work cut out for it when the time comes to
try to convince those users to come back.
NGINX adds native support for ACME protocol
NGINX has announced the preview release of the nginx-acme module, which adds native support to NGINX for the Automatic Certificate Management Environment (ACME) protocol:
NGINX's native support for ACME brings a variety of benefits that simplify and enhance the overall SSL/TLS certificate management process. Being able to configure ACME directly using NGINX directives drastically reduces manual errors and eliminates much of the ongoing overhead traditionally associated with managing SSL/TLS certificates. It also reduces reliance on external tools like Certbot, creating a more secure and streamlined workflow with fewer vulnerabilities and a smaller attack surface.
Security quotes of the week
In this blog, we share a new finding in the XZ Utils saga: several Docker images built around the time of the compromise contain the backdoor.— Binarly REsearchAt first glance, this might not seem alarming: if the distribution packages were backdoored, then any Docker images based on them would be infected as well. However, what we discovered is that some of these compromised images are still publicly available on Docker Hub. And even more troubling, other images have been built on top of these infected base images, making them transitively infected.
The article contains "steps you can take to figure out if it's a scam," but omits the first and most fundamental piece of advice: If the hacker had incriminating video about you, they would show you a clip. Just a taste, not the worst bits so you had to worry about how bad it could be, but something. If the hacker doesn't show you any video, they don't have any video. Everything else is window dressing.— Bruce Schneier
Imagine how much Texas schools could do with an extra $90/student/year – how much more usefully that money could be spent if it were turned over to teachers. But instead, Rep [Ryan] Guillen wants to put "AI in schools" in the form of drones equipped with pepper-spray, flash bangs, and "lances" that can be smashed into people at 100mph.— Cory DoctorowThe problem with AI in schools isn't that students are using AI to do their homework. It's that schools have been turned into reward-hacking AIs by a system that hates the idea of an educated populace almost as much as it hates the idea of unionized teachers who are empowered to teach our kids.
Kernel development
Kernel release status
The current development kernel is 6.17-rc1, released on August 10. Linus said:
Anyway, the merge window did end up looking fairly healthy, despite me having to go through a couple of bisections for trouble spots (one during travels with a laptop - not optimal, but thankfully it was at least one of the "reliable symptoms that bisect right to the culprit" kind). The stats look pretty normal both in patch size and in number of commits.
In the end, 11,404 non-merge changesets found their way into the mainline during the merge window.
Stable updates: none have been released in the last week. The 6.16.1, 6.15.10, 6.12.42, 6.6.102, and 6.1.148 updates are in the review process; they are due on August 14.
Quote of the week
I freely confess that I am not yet seeing an option that brings us much joy, at least for values of "joy" that include actual incorporation of AI/ML source-code output into the Linux kernel.— Paul McKenney
Distributions
Debian 13 ("trixie") released
The Debian Project has released its latest stable version, Debian 13 ("trixie"), which will be supported through 2030. This release includes GNOME 48, KDE Plasma 6.3, Xfce 4.20, Linux 6.12, GCC 14.2, Python 3.13, and systemd 257.
This release contains over 14,100 new packages for a total count of 69,830 packages, while over 8,840 packages have been removed as "obsolete". 44,326 packages were updated in this release. The overall disk usage for "trixie" is 403,854,660 kB (403 GB), and is made up of 1,463,291,186 lines of code. [...]
With this broad selection of packages and its traditional wide architecture support, Debian once again stays true to its goal of being "The Universal Operating System". It is suitable for many different use cases: from desktop systems to netbooks; from development servers to cluster systems; and for database, web, and storage servers. At the same time, additional quality assurance efforts like automatic installation and upgrade tests for all packages in Debian's archive ensure that "trixie" fulfills the high expectations that users have of a stable Debian release.
Trixie adds riscv64 as an officially supported architecture, and drops i386 as a regular architecture. Users with i386 systems should not upgrade to trixie; the project recommends reinstalling them as amd64, or retiring the hardware. See the release notes and issues to be aware of before installing or upgrading to trixie.
Debian GNU/Hurd 2025 released
Debian's GNU/Hurd team has announced the release of Debian GNU/Hurd 2025:
This is a snapshot of Debian "sid" at the time of the stable Debian "Trixie" release (August 2025), so it is mostly based on the same sources. It is not an official Debian release, but it is an official Debian GNU/Hurd port release. [...]
Debian GNU/Hurd is currently available for the i386 and amd64 architectures with about 72% of the Debian archive, and more to come!
See the FAQ and configuration guide for more on the GNU/Hurd port.
Hughes: LVFS Sustainability Plan
Richard Hughes, creator and maintainer of the Linux Vendor Firmware Service (LVFS), has written a blog post about the sustainability plan he has put together for the service. He is calling for the vendors that use the service to help fund its development and maintenance going forward.The Linux Foundation is kindly paying for all the hosting costs of the LVFS, and Red Hat pays for all my time — but as LVFS grows and grows that's going to be less and less sustainable longer term. We're trying to find funding to hire additional resources as a "me replacement" so that there is backup and additional attention to LVFS (and so that I can go on holiday for two weeks without needing to take a laptop with me).This year there will be a fair-use quota introduced, with different sponsorship levels having a different quota allowance. Nothing currently happens if the quota is exceeded, although there will be additional warnings asking the vendor to contribute. The "associate" (free) quota is also generous, with 50,000 monthly downloads and 50 monthly uploads. This means that almost all the 140 vendors on the LVFS should expect no changes.
(Thanks to Paul Wise.)
Distributions quote of the week
— Juan J. MartínezYou know, sometimes it feels like all computer things are getting constantly worse and it feels very demotivating.
But not all of it. I just smoothly upgraded Debian to the latest release, like I have done many times, and it is still fantastic.
A reminder that there are still good things out there.
Development
Go 1.25 released
Version 1.25 of Go has been released. Notable changes include support for generating debug information in the DWARF 5 format, "container awareness" when setting the maximum number of CPUs to be used, and a new testing/synctest package with support for testing concurrent code. See the release notes for a comprehensive list of changes in 1.25.
Radicle 1.3.0 released
Version 1.3.0 of the Radicle distributed software forge system has been released. Changes this time around include canonical references, a new radicle-protocol crate, better log rotation, and more. (LWN looked at Radicle in 2024).Rust 1.89 released
The release of Rust 1.89 has been announced. Changes this time include support for inferring the length of certain arrays, lint messages suggesting how to clarify potentially confusing uses of lifetime elision in function signatures, and improvements to the C ABI. The full changelog is also available.
Syncthing 2.0 released
Version
2.0 of Syncthing, a
continuous file synchronization utility, has been released. Notable
changes in 2.0 include multiple connections for synchronizing metadata
and file data, a new logging format, as well as a switch from LevelDB
to SQLite for Syncthing's backend. This is the first release in the 2.0
series, and the release notes advise users to "expect some rough
edges and keep a sense of adventure
".
Development quotes of the week
I wish that `pip` had a search, like Debian's `apt search`. I wish that command-line package managers (example: apt, yum, pip, npm) project leaders would get together and exchange good ideas on user experience...— Jonathan Rogivue
— Dries BuytaertThe most critical tasks in Open Source are often the least glamorous. Fixing bugs, patching vulnerabilities, updating third-party dependencies, improving accessibility, and maintaining documentation rarely make headlines, but without them, innovation cannot stand on a stable base. These tasks are also the most likely to be underfunded because they do not directly generate revenue for companies, require sustained effort, and are less appealing for volunteers.
Governments already maintain roads, bridges, and utilities, infrastructure that is essential but not always profitable or exciting for the private sector. Digital infrastructure deserves the same treatment. Public investment can keep these core systems healthy, while innovation and feature direction remain in the hands of the communities and companies that know the technology best.
Page editor: Daroc Alden
Next page:
Announcements>>