
Brief items

Security

Security quotes of the week

Attackers know what works and that's what they go for. To see what works, look at any survey of attacks, for example the OWASP Top Ten. Rowhammer is at position 26,672 in that list, right next to Spectre and Meltdown and Zenbleed and using a reflection in someone's eyeball in a selfie that shows a reflection on a window that has a reflection on a glass-encased wall image that has a reflection of a monitor that displays a password.

There's no point worrying about Mission-Impossible attacks when all an attacker has to do is buy the account credentials from an exploit broker or something similar. Cool attacks and countermeasures are fun to talk about, but if you want to make the system more secure you need to fix the things that actually matter.

Peter Gutmann

For most people, phones are an essential part of daily life. If you leave yours at home when you attend a protest, you won't be able to film police violence. Or coordinate with your friends and figure out where to meet. Or use a navigation app to get to the protest in the first place.

Threat modeling is all about trade-offs. Understanding yours depends not only on the technology and its capabilities but also on your personal goals. Are you trying to keep your head down and survive—or get out? Are you wanting to protest legally? Are you doing more, maybe throwing sand into the gears of an authoritarian government, or even engaging in active resistance? The more you are doing, the more technology you need—and the more technology will be used against you. There are no simple answers, only choices.

Bruce Schneier (worth reading in full)


Kernel development

Kernel release status

The 6.17 kernel is out, released on September 28. Linus commented:

It's not exciting, which is all good. I think the biggest patch in there is some locking fixes for some bluetooth races that could cause use-after-free situations. Whee - that's about as exciting as it gets.

Other than that, there's the usual driver fixlets (GPU and networking dominate as usual, but "dominate" is still pretty small), there's some minor random other driver updates, some filesystem noise, and core kernel and mm.

And some selftest updates.

Significant features in this release include better control over x86 Spectre mitigations, live patching support on 64-bit Arm platforms, a number of pidfd improvements, the removal of special support for uniprocessor systems, initial support for proxy execution, experimental large-folio support in the Btrfs filesystem, the file_getattr() and file_setattr() system calls, and support for the DualPI2 congestion-control protocol.

See the LWN merge-window summaries (part 1, part 2) for more information. In addition, KernelNewbies has a look at the changes that went into 6.17.

Stable updates: 6.16.9, 6.12.49, 6.6.108, and 6.1.154 were released on September 25.

The 6.16.10, 6.12.50, 6.6.109, 6.1.155, 5.15.194, 5.10.245, and 5.4.300 updates are in the review process; they are due on October 2.


Bcachefs removed from the mainline kernel

After marking bcachefs "externally maintained" in 6.17, Linus Torvalds has removed it entirely for 6.18. "It's now a DKMS module, making the in-kernel code stale, so remove it to avoid any version confusion."


Quote of the week

The mainline kernel is for mainline development. Not for random experiments that make the world a worse place.

And yes, we're open source, and that very much means that anybody is more than welcome to try to prove me wrong.

If it turns out that [big-endian] RISC-V becomes a real thing that is relevant and actually finds a place in the RISC-V ecosystem, then _of_course_ we should support it at that point in the mainline kernel.

But I really do think that it actually makes RISC-V only worse, and that we should *not* actively help the fragmentation.

Linus Torvalds


Distributions

Alpine Linux plans /usr merge

The Alpine Linux project has announced plans to change its base filesystem hierarchy:

In the future, /lib, /bin, and /sbin will be symbolic links to their /usr counterparts, and every package shall be installed under the /usr paths. For now, /usr/bin and /usr/sbin will continue to be independent paths, but that might change if the Filesystem Hierarchy Standard (FHS) gets updated.

The merge will take place in the upcoming Alpine 3.23 release planned for November; non-merged systems will be considered unsupported when 3.22 is at its end of life in May 2027.


F-Droid and Google's Developer Registration Decree

The F-Droid project has posted an urgent message regarding Google's plan to require developer registration to install apps on Android devices.

The F-Droid project cannot require that developers register their apps through Google, but at the same time, we cannot "take over" the application identifiers for the open-source apps we distribute, as that would effectively seize exclusive distribution rights to those applications.

If it were to be put into effect, the developer registration decree will end the F-Droid project and other free/open-source app distribution sources as we know them today, and the world will be deprived of the safety and security of the catalog of thousands of apps that can be trusted and verified by any and all. F-Droid's myriad users will be left adrift, with no means to install — or even update their existing installed — applications.


Fedora considers an AI-tool policy

The Fedora project has posted a proposal for a policy regarding the use of AI tools when developing for the distribution.

You are responsible for your contributions. AI-generated content must be treated as a suggestion, not as final code or text. It is your responsibility to review, test, and understand everything you submit. Submitting unverified or low-quality machine-generated content (sometimes called "AI slop") creates an unfair review burden on the community and is not an acceptable contribution.


NixOS moderation team resigns

The NixOS moderation team, which is theoretically in charge of ensuring that community participation on the project's repositories and discussion forum remains welcoming and useful, has released a joint resignation statement. This action was motivated by conflict with the project's steering committee (SC), which has repeatedly overridden the moderation team, leading the team members to decide that they could not continue acting as moderators. Arian Van Putten, speaking for the whole team, writes:

The SC has also shown, in private and public conversations, their lack of understanding of basic principles of community management and open communication. They have mistaken quiet and a lack of controversy for success and peace. They have consistently become upset when there is criticism, and gone quiet on crucial issues in between. We have some fundamental conflicts in this community, which absolutely require discussion. Meanwhile, discussion with the SC has only become less effective.

We think that the goal of moderation should not be to avoid difficult conversations - it's to navigate those difficult conversations in ways that remain safe and constructive. We believe we've made considerable progress as a community on making those conversations happen, and we believe they need to happen more for the project to grow, not be suppressed. We thank everyone for the growth that we have seen, and for their efforts to avoid personal focus in discussion, especially recently.

The NixOS project has had problems with community moderation stretching back more than a year. With the next steering council election coming up soon, it will be interesting to see whether the community selects a council that feels differently or not.


OpenSUSE Leap 16 released

The openSUSE Leap 16 release is now available.

This major version update of our fixed-release community-Linux distribution has a fresh software stack and introduces an unmatched maintenance- and security-support cycle, a new installer and simplified migration options.

See our look at this release for more information.


Distributions quote of the week

The job and the value of the Fedora Project is not just to run in front of RHEL technologically and make sure we adopt all the latest technologies, but also to work as a place where Red Hat can hear what the FOSS community has to say about them.

Yes, the policy is written to build a compromise between people willing to adopt AI as fast as possible and the people concerned that fast adoption might destroy things we have in place while not providing a good replacement [...]

As it is wrong to attribute the first point of view to "evil corporate interests", the same way it is wrong to claim that the second point of view is only provided by "nay-sayers" and can be simply ignored.

Aleksandra Fedorova


Development

Cuni: Tracing JITs in the real world @ CPython Core Dev Sprint

Longtime PyPy developer Antonio Cuni has a lengthy blog post that describes his talk at the recently completed 2025 CPython Core Dev Sprint, held at Arm in Cambridge, UK. The talk, entitled "Tracing JIT and real world Python — aka: what we can learn from PyPy", was meant to try to pass on some of his experiences "optimizing existing code for PyPy at a high-frequency trading firm" to the developers working on the CPython JIT compiler. His goal was to raise awareness of some of the problems he encountered:

Until now CPython's performance has been particularly predictable, there are well established "performance tricks" to make code faster, and generally speaking you can mostly reason about the speed of a given piece of code "locally".

Adding a JIT completely changes how we reason about performance of a given program, for two reasons:

  1. JITted code can be very fast if your code conforms to the heuristics applied by the JIT compiler, but unexpectedly slow(-ish) otherwise;
  2. the speed of a given piece of code might depend heavily on what happens elsewhere in the program, making it much harder to reason about performance locally.

The end result is that modifying a line of code can significantly impact seemingly unrelated code. This effect becomes more pronounced as the JIT becomes more sophisticated.

Cuni also gave a talk on Python performance, which LWN covered, at EuroPython 2025 in July.


PostgreSQL 18 released

Version 18 of the PostgreSQL database has been released. Notable improvements in this release include "skip scan" lookups for multicolumn B-tree indexes, virtual generated columns, better text processing, OAuth authentication, and a new asynchronous I/O (AIO) subsystem to improve performance:

AIO lets PostgreSQL issue multiple I/O requests concurrently instead of waiting for each to finish in sequence. This expands existing readahead and improves overall throughput. AIO operations supported in PostgreSQL 18 include sequential scans, bitmap heap scans, and vacuum. Benchmarking has demonstrated performance gains of up to 3x in certain scenarios.

There are, of course, many other improvements and changes; see the release notes for full details.


Radicle 1.5.0 released

Version 1.5.0 of the Radicle peer-to-peer Git collaboration platform has been released. This release includes better support for bare repositories, structured logging, and improvements in the output of rad patch show:

The previous output would differentiate "updates", where the original author creates a new revision, and "revisions", where another author creates a revision. This could be confusing since updates are also revisions. Instead, the output shows a timeline of the root of the patch and each new revision, without any differentiation. The revision identifiers, head commit of the revision, and author are still printed as per usual.

LWN covered Radicle in March 2024.


Development quote of the week

It's only better if <vendor name> submits better quality patches (no evidence for that yet) or submits the patches more promptly than others (which clearly has not happened here), and offers review commentary etc at a higher standard and more frequently than a non-employee maintainer would be able to do (there's no evidence for that so far either, given you're trying to stall this patchset). Your claim seems to have no merit as there is no proof that you'd do a better job.

Conor Dooley

It always saddens me when I hear about drama and crisis in open source ecosystems. Even ones I'm not using, depending on, or involved in. All of us are injured when parts of our world are fighting, or acting in malicious or duplicitous ways.

Lars Wirzenius


Page editor: Daroc Alden


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds