Brief items
Security
Security quote of the week
The question isn't "why does Signal use AWS?" It's to look at the infrastructural requirements of any global, real-time, mass comms platform and ask how it is that we got to a place where there's no realistic alternative to AWS and the other hyperscalers.— Meredith Whittaker
Kernel development
Kernel release status
The current development kernel is 6.18-rc3, released on October 26. Linus said: "Things feel fairly normal, and in fact the numbers say it's been a bit calmer than usual, but that's likely just the usual fluctuation in pull request timing rather than anything else".
Stable updates: 6.17.5, 6.12.55, and 6.6.114 were released on October 23, followed by 6.17.6, 6.12.56, 6.6.115, 6.1.158, 5.15.196, 5.10.246, and 5.4.301 on October 29.
GNU/Linux man pages 6.16 released
Alejandro Colomar has announced the release of version 6.16 of the GNU/Linux man pages. This release includes new or rewritten man pages for fsconfig(), fsmount(), and fsopen(), as well as a number of newly documented interfaces in existing man pages. The release is also available as a PDF book.
Distributions
Btrfs support coming to AlmaLinux 10.1
The AlmaLinux project has announced that the upcoming 10.1 release will include support for Btrfs:
Btrfs support encompasses both kernel and userspace enablement, and it is now possible to install AlmaLinux OS with a Btrfs filesystem from the very beginning. Initial enablement was scoped to the installer and storage management stack, and broader support within the AlmaLinux software collection for Btrfs features is forthcoming.
Btrfs support in AlmaLinux OS did not happen in isolation. This was proposed and scoped in RFC 0005, and has been built upon prior efforts by the Fedora Btrfs SIG in Fedora Linux and the CentOS Hyperscale SIG in CentOS Stream.
AlmaLinux OS is designed to be binary compatible with Red Hat Enterprise Linux (RHEL); Btrfs, however, has never been supported in RHEL. A technology preview of Btrfs in RHEL 6 and 7 ended with the filesystem being dropped from RHEL 8 and onward. AlmaLinux OS 10.1 is currently in beta.
Fedora Linux 43 released (Fedora Magazine)
The Fedora Project has announced the release of Fedora Linux 43, with "what's new" articles for Fedora Workstation, Fedora KDE Plasma Desktop, and Fedora Atomic Desktops.
For those of you installing fresh Fedora Linux 43 Spins, you may be greeted with the new Anaconda WebUI. This was the default installer interface for Fedora Workstation 42, and now it's the default installer UI for the Spins as well.
If you are a GNOME desktop user, you'll also notice that the GNOME is now Wayland-only in Fedora Linux 43. GNOME upstream has deprecated X11 support, and has disabled it as a compile time default in GNOME 49. Upstream GNOME plans to fully remove X11 support in GNOME 50.
See the release notes for a full list of changes in Fedora 43.
Date bug affects Ubuntu 25.10 automatic updates
The Ubuntu Project has announced that a bug in the Rust-based uutils version of the date command shipped with Ubuntu 25.10 broke automatic updates:
Some Ubuntu 25.10 systems have been unable to automatically check for available software updates. Affected machines include cloud deployments, container images, Ubuntu Desktop and Ubuntu Server installs.
The announcement includes remediation instructions for those affected by the bug. Systems with the rust-coreutils package version 0.2.2-0ubuntu2 or earlier have the bug, it is fixed in 0.2.2-0ubuntu2.1 or later. It does not impact manual updates using the apt command or other utilities.
Ubuntu embarked on a project to "oxidize" the distribution by switching to uutils and sudo-rs for the 25.10 release, and to see if the Rust-based utilities would be suitable for the long-term-release slated for next April. LWN covered that project in March.
Distributions quote of the week
— Marc Prud'hommeauxIt bears reminding that "sideload" is a made-up term. Putting software on your computer is simply called "installing", regardless of whether that computer is in your pocket or on your desk. This could perhaps be further precised as "direct installing", in case you need to make a distinction between obtaining software the old-fashioned way versus going through a rent-seeking intermediary marketplace like the Google Play Store or the Apple App Store.
Regardless, the term "sideload" was coined to insinuate that there is something dark and sinister about the process, as if the user were making an end-run around safeguards that are designed to keep you protected and secure. But if we reluctantly accept that "sideloading" is a term that has wriggled its way into common parlance, then we should at least use a consistent definition for it. Wikipedia's summary definition is:
the transfer of apps from web sources that are not vendor-approved
By this definition, Google's statement that "sideloading is not going away" is simply false. The vendor — Google, in the case of Android certified devices — will, in point of fact, be approving the source. The supplicant app developer must register with Google, pay a fee, provide government identification, agree to non-negotiable (and ever-changing) terms and conditions, enumerate all their current and future application identifiers, upload evidence of their private signing key, and then hope and wait for Google's approval.
Development
ICANN report: DNS runs on FOSS
ICANN's Security and
Stability Advisory Committee (SSAC) has announced
a report
on "the critical role of Free and Open Source Software (FOSS)
within the Domain Name System (DNS)
". The report is aimed at
policymakers and examines recent cybersecurity regulations in the US,
UK, and EU as they apply to FOSS in the DNS system; it includes
findings and guidelines "to strengthen the FOSS ecosystem that is
critical to the secure and stable operation of the Internet
". From
the report's summary:
This ecosystem depends on a global network of maintainers and contributors who are often unpaid volunteers. While many are unpaid volunteers, the DNS space is unique in also relying on a handful of long-lived maintenance organizations. This creates a model based on community collaboration rather than the commercial contracts that define a traditional software supply chain, which introduces unique risks related to financial sustainability for the maintenance organizations and maintainer burnout for volunteers.
These unique characteristics mean that regulatory frameworks designed for proprietary software may not be well-suited for FOSS and therefore could have severe unintended consequences to the stability of critical Internet infrastructure.
Thanks to SSAC member Maarten Aertsen for the tip.
Python Software Foundation withdraws security-related grant proposal
The Python Software Foundation, earlier this year, successfully obtained a $1.5 million grant from the US National Science Foundation "to address structural vulnerabilities in Python and PyPI". The actual grant came with some strings attached though, in the form of a requirement not to pursue diversity, equity, and inclusion programs. So the Foundation has withdrawn the proposal rather than agree to terms that run counter to its own mission.
We're disappointed to have been put in the position where we had to make this decision, because we believe our proposed project would offer invaluable advances to the Python and greater open source community, protecting millions of PyPI users from attempted supply-chain attacks. The proposed project would create new tools for automated proactive review of all packages uploaded to PyPI, rather than the current process of reactive-only review.
Rust Coreutils 0.3.0 released
Version 0.3.0 of Rust Coreutils, part of the uutils project, has been released. This release adds safe directory traversal for several utilities, better error handling, and performance improvements. The project has upgraded its test suite reference from GNU coreutils 9.7 to 9.8, and added 16 new tests. It includes a fix for the date bug that affected automatic updates in Ubuntu 25.10.
Tor Browser 15.0 released
Version 15.0 of the Tor Browser has been released:
This is our first stable release based on Firefox ESR 140, incorporating a year's worth of changes that have been shipped upstream in Firefox. As part of this process, we've also completed our annual ESR transition audit, where we reviewed and addressed around 200 Bugzilla issues for changes in Firefox that may negatively affect the privacy and security of Tor Browser users. Our final reports from this audit are now available in the tor-browser-spec repository on our GitLab instance.
This release inherits the vertical tabs feature, unified search button, as well as other new features and usability improvements in Firefox that have passed the Tor Project's audit.
Typst 0.14 released
Version 0.14 of the Typst document processor has been released.
If you need to comply with accessibility-related regulations, Typst 0.14 has your back. Typst now generates accessible documents by default, with opt-in support for stricter checks. For those working with complex illustrations, PDFs are now supported as a native image format. In case you're typesetting a book, the new character-level justification will give your layout the final touch. And if you're building a website or blog, many improvements to Typst's HTML export are waiting for you.
LWN looked at Typst in September.
Valgrind 3.26.0 released
Version 3.26.0 of the Valgrind memory-profiling and debugging framework has been released. Notable changes include updated support for the Linux Test Project (LTP) to version v20250930, many new Linux syscall wrappers, and the license for Valgrind has been changed from GPLv2 to GPLv3.
Development quote of the week
— Paul TagliamonteI've written down a new rule (no name, sorry) that I'll be repeating to myself and those around me. "If you can replace 'DNS' with 'key value store mapping a name to an ip' and it still makes sense, it was not, in fact, DNS." Feel free to repeat it along with me.
Sure, the "It's always DNS" meme is funny the first few hundred times you see it – but what's less funny is when critical thinking ends because a DNS query is involved. DNS failures are often the first observable problem because it's one of the first things that needs to be done. DNS is fairly complicated, implementation-dependent, and at times – frustrating to debug – but it is not the operational hazard it's made out to be. It's at best a shallow take, and at worst actively holding teams back from understanding their true operational risks.
Page editor: Daroc Alden
Next page:
Announcements>>