
Brief items

Security

Security quote of the week

Trust is not earned by verifying a developer's legal identity. There is no way to verify whether an app published to the Play Store is harmful or not, regardless of whether their identity has been verified with Google.

Trust is earned by transparency. F-Droid users are able to verify with certainty the source code which was used to build an app they are about to install.

The way in which F-Droid builds free software from source and then distributes it to end users without needing to involve Google is akin to how most Linux distributions have been distributing software for decades. These distribution mechanisms have stood the test of time, are regarded as extremely secure and trustworthy, and are used by most of the modern computing infrastructure across the globe.

Nobody has suggested that Linux distributions need to be made safer for end users by having a central authority verify each app developer. It should be no different for mobile operating systems.

Peter Serwylo


Kernel development

Kernel release status

The current development kernel is 6.17-rc1, released on September 21. Linus said: "Let's keep the testing going, and we'll have the final 6.17 in a week".

Stable updates: 6.16.8, 6.12.48, 6.6.107, and 6.1.153 were released on September 19.


Distributions

Bluefin LTS released

The Universal Blue project has announced the release of Bluefin LTS, an image-based distribution similar to Bluefin that uses CentOS Stream 10 and EPEL instead of Fedora as its base:

Bluefin LTS ships with Linux 6.12.0, which is the kernel for the lifetime of release. An optional hwe branch with new kernels is available, offering the same modern kernel you'll find in Bluefin and Bluefin GTS. Both vanilla and HWE ISOs are available, and you can always choose to switch back and forth after installation. [...]

Bluefin LTS provides a backported GNOME desktop so that you are not left behind. This is an important thing for us. James has been diligently working on GNOME backports with the upstream CentOS community, and we feel bringing modern GNOME desktops to an LTS makes sense.


RPM 6.0.0 released

Version 6.0.0 of the RPM Package Manager has been released. Notable changes in this release include support for multiple OpenPGP signatures per package, the ability to update previously installed PGP keys, as well as support for RPM v4 and v6 packages. See the release notes for full details.


Tails 7.0 released

Version 7.0 of the Tails portable operating system has been released. This is the first version of Tails based on Linux 6.12.43, Debian 13 ("trixie") and GNOME 48. It uses zstd instead of xz to compress the USB and ISO images to deliver a faster start time on most computers. The release is dedicated to the memory of Lunar, "a traveling companion for Tails, a Tor volunteer, Free Software hacker, and community organizer":

Lunar has always been by our side throughout Tails' history. From the first baby steps of the project that eventually became Tails, to the merge with Tor, he's provided sensible technical suggestions, out-of-the-box product design ideas, outreach support, and caring organizational advice.

Outside of Tor, Lunar worked on highly successful Free Software projects such as the Debian project, the Linux distribution on which Tails is based, and the Reproducible Builds project, which helps us verify the integrity of Tails releases.

See the changelog for a full list of fixes, upgraded applications, and removals. LWN covered Tails Project team leader intrigeri's DebConf25 talk in July.


Distributions quote of the week

ZFS support in Linux distributions varies. The broader Linux community questions the compatibility between the GPL and the CDDL and in response, distributions have added and removed installer ZFS support. Intellectual property attorneys who have considered CDDL/GPL compatibility often say "it's an interesting question," which is lawyerese for "$500 an hour and the hearing's gonna be lit."

Michael Lucas


Development

Rust 1.90.0 released

Version 1.90.0 of the Rust language has been released. Changes include switching to the LLD linker by default, the addition of support for workspace publishing to cargo, and the usual set of stabilized APIs.


Open Infrastructure is Not Free: A Joint Statement on Sustainable Stewardship

The Open Source Security Foundation (OpenSSF) has put together a joint statement from many of the public package repositories for various languages about the need for assistance in maintaining these commons. Services such as PyPI for Python, crates.io for Rust, and many others are working together to try to find ways to sustain these services in the face of challenges from "automated CI systems, large-scale dependency scanners, and ephemeral container builds" all downloading enormous amounts of package data, coupled with the rise of generative and agentic AI "driving a further explosion of machine-driven, often wasteful automated usage, compounding the existing challenges". It is not a crisis, yet, they say, but it is headed in that direction.

Despite serving billions (perhaps even trillions) of downloads each month (largely driven by commercial-scale consumption), many of these services are funded by a small group of benefactors. Sometimes they are supported by commercial vendors, such as Sonatype (Maven Central), GitHub (npm) or Microsoft (NuGet). At other times, they are supported by nonprofit foundations that rely on grants, donations, and sponsorships to cover their maintenance, operation, and staffing.

Regardless of the operating model, the pattern remains the same: a small number of organizations absorb the majority of infrastructure costs, while the overwhelming majority of large-scale users, including commercial entities that generate demand and extract economic value, consume these services without contributing to their sustainability.


Development quotes of the week

One could argue that Slack is free to stop providing us the nonprofit offer at any time, but in my opinion, a six month grace period is the bare minimum for a massive hike like this, if not more. Essentially, Salesforce (a $230 billion company) is strong-arming a small nonprofit for teens, by providing less than a week to pony up a pretty massive sum of money, or risk cutting off all our communications. That's absurd.

The small amount of notice has also been catastrophic for the programs that we run. Dozens of our staff and volunteers are now scrambling to update systems, rebuild integrations and migrate years of institutional knowledge. The opportunity cost of this forced migration is simply staggering.

Anyway, we're moving to Mattermost. This experience has taught us that owning your data is incredibly important, and if you're a small business especially, then I'd advise you move away too.

Mahad Kalam

This is not useful. This is not contributing. It's just burning maintainer time sorting through AI hallucinations. We have enough mediocre code to review that comes from actual humans who are actually trying to learn about Mesa and help out. We don't need to add AI shit to the merge request pile. If you don't understand the patch well enough to be able to describe what it does and why it makes things faster, don't submit it.

So now we're making it really clear: If you submit the merge request, you're responsible for the code change as if you typed it yourself. You don't get to claim ignorance and "because the AI said so". It's your responsibility to do due diligence to make sure it's correct and to accurately describe the change in the commit message.

Faith Ekstrand


Page editor: Daroc Alden


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds