Brief items
Security
Landlock-ing Linux (prizrak.me)
The prizrak.me blog is carrying an introduction to the Landlock security module.
Landlock shines when an application has a predictable set of files or directories it needs. For example, a web server could restrict itself to accessing only /var/www/html and /tmp.
Unlike SELinux or AppArmor, Landlock policies don't require administrator involvement or system-wide configuration. Developers can embed policies directly in application code, making sandboxing a natural part of the development process.
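As an added illustration (not code from the prizrak.me article or from the Landlock project), the web-server case in the quote can be written against the raw Landlock system calls as shown here. The name sandbox_web_server() and its return convention are assumptions made for this example, and it restricts only a subset of the ABI v1 filesystem rights.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE               /* for syscall() */
#endif
#include <fcntl.h>
#include <linux/landlock.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Subset of ABI v1 rights restricted here; others (execute, mkdir, ...) stay open. */
#define LL_READ  (LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR)
#define LL_WRITE (LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_MAKE_REG | \
                  LANDLOCK_ACCESS_FS_REMOVE_FILE)

/* Allow `access` on the directory `path` and everything beneath it. */
static int allow_beneath(int ruleset_fd, const char *path, __u64 access)
{
    struct landlock_path_beneath_attr rule = { .allowed_access = access };
    int rc;
    rule.parent_fd = open(path, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (rule.parent_fd < 0)
        return -1;
    rc = (int)syscall(__NR_landlock_add_rule, ruleset_fd,
                      LANDLOCK_RULE_PATH_BENEATH, &rule, 0);
    close(rule.parent_fd);
    return rc;
}

/* Returns 0 once the sandbox is enforced, 1 if the running kernel offers no
 * Landlock (the caller decides whether to go on), -1 on any other error. */
int sandbox_web_server(const char *docroot, const char *tmpdir)
{
    struct landlock_ruleset_attr attr = { .handled_access_fs = LL_READ | LL_WRITE };
    int fd, rc = -1;
    if (syscall(__NR_landlock_create_ruleset, NULL, (size_t)0,
                LANDLOCK_CREATE_RULESET_VERSION) < 1)
        return 1;
    fd = (int)syscall(__NR_landlock_create_ruleset, &attr, sizeof(attr), 0);
    if (fd < 0)
        return -1;
    /* Read-only document root, read-write scratch space, nothing else. */
    if (allow_beneath(fd, docroot, LL_READ) == 0 &&
        allow_beneath(fd, tmpdir, LL_READ | LL_WRITE) == 0 &&
        prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == 0 &&
        syscall(__NR_landlock_restrict_self, fd, 0) == 0)
        rc = 0;
    close(fd);
    return rc;
}
```

The restriction is irreversible for the calling process and is inherited by its children; file descriptors opened before the call remain usable.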
Let's Encrypt to reduce certificate lifetimes
Let's Encrypt has announced that it will be reducing the validity period of its certificates from 90 days to 45 days by 2028:
Most users of Let's Encrypt who automatically issue certificates will not have to make any changes. However, you should verify that your automation is compatible with certificates that have shorter validity periods.
To ensure your ACME client renews on time, we recommend using ACME Renewal Information (ARI). ARI is a feature we've introduced to help clients know when they need to renew their certificates. Consult your ACME client's documentation on how to enable ARI, as it differs from client to client. If you are a client developer, check out this integration guide.
If your client doesn't support ARI yet, ensure it runs on a schedule that is compatible with 45-day certificates. For example, renewing at a hardcoded interval of 60 days will no longer be sufficient. Acceptable behavior includes renewing certificates at approximately two thirds of the way through the current certificate's lifetime.
Manually renewing certificates is not recommended, as it will need to be done more frequently with shorter certificate lifetimes.
Improving GCC Buffer Overflow Detection for C Flexible Array Members (Oracle)
The Oracle blog has a lengthy article on enhancements to GCC to help detect overflows of flexible array members (FAMs) in C programs.
We describe here two new GNU extensions which specify size information for FAMs. These are a new attribute, "counted_by" and a new builtin function, "__builtin_counted_by_ref". Both extensions can be used in GNU C applications to specify size information for FAMs, improving the buffer overflow detection for FAMs in general.
This work has been covered on LWN as well.
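An added sketch, not taken from the Oracle article or from GCC, of how counted_by ties a flexible array member to its length field and what the compiler's object-size builtin then reports. The struct, macro and function names are hypothetical; on compilers without the attribute the macros fall back to an unannotated array, and the reported size may then be unknown.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#ifndef __has_builtin
#define __has_builtin(x) 0
#endif
#if __has_attribute(counted_by)
#define COUNTED_BY(m) __attribute__((counted_by(m)))
#else
#define COUNTED_BY(m)              /* no size information attached */
#endif
#if __has_builtin(__builtin_dynamic_object_size)
#define FAM_BYTES(p) __builtin_dynamic_object_size((p), 1)
#else
#define FAM_BYTES(p) __builtin_object_size((p), 1)
#endif

struct record {
    size_t count;                  /* number of elements in items[] */
    int items[] COUNTED_BY(count);
};

struct record *record_new(size_t n)
{
    struct record *r = NULL;
    if (n <= (SIZE_MAX - sizeof(*r)) / sizeof(r->items[0]))
        r = calloc(1, sizeof(*r) + n * sizeof(r->items[0]));
    if (r)
        r->count = n;              /* set the counter before using items[] */
    return r;
}

/* Bytes the compiler knows items[] holds; (size_t)-1 means "unknown". */
size_t record_known_bytes(struct record *r)
{
    return FAM_BYTES(r->items);
}

/* Like a fortified memcpy(): refuse writes past the known size (or count). */
int record_fill(struct record *r, const int *src, size_t nbytes)
{
    size_t limit = record_known_bytes(r);
    if (limit == (size_t)-1)
        limit = r->count * sizeof(r->items[0]);
    if (nbytes > limit)
        return -1;
    memcpy(r->items, src, nbytes);
    return 0;
}
```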
Kernel development
Kernel release status
The 6.18 kernel was released on November 30; in the announcement Linus said:
So I'll have to admit that I'd have been happier with slightly less bugfixing noise in this last week of the release, but while there's a few more fixes than I would hope for, there was nothing that made me feel like this needs more time to cook. So 6.18 is tagged and pushed out.
Headline changes in this release include the ability to manage namespaces with file handles, support for the AccECN congestion-control protocol, initial support for signing of BPF programs, improved memory management with sheaves, the Rust binder driver, better control over transparent huge pages, and a lot more. This release also saw the removal of the bcachefs filesystem.
See the LWN merge-window summaries (part 1, part 2) and the KernelNewbies 6.18 page for more information.
Stable updates: 6.17.9, 6.12.59, and 6.6.117 were released on November 24, followed by 6.17.10, 6.12.60, and 6.6.118 on December 1.
On December 3, 5.4.302 was released as the final update in the 5.4.x series:
This is the LAST 5.4.y release. It is now end-of-life and should not be used by anyone, anymore. As of this point in time, there are 1539 documented unfixed CVEs for this kernel branch, and that number will only increase over time as more CVEs get assigned for kernel bugs.
For the curious, Kroah-Hartman has also provided a list of the unfixed CVEs for 5.4.302.
The 6.17.11, 6.12.61, 6.6.119, 6.1.159, 5.15.197, and 5.10.247 updates are in the review process; they are due on December 5.
The 2025 Linux Foundation Technical Advisory Board election
The call for candidates for the 2025 election for the Linux Foundation Technical Advisory Board has been posted.
The TAB exists to provide advice from the kernel community to the Linux Foundation and holds a seat on the LF's board of directors; it also serves to facilitate interactions both within the community and with outside entities. Over the last year, the TAB has overseen the organization of the Linux Plumbers Conference, advised on the setup of the kernel CVE numbering authority, worked behind the scenes to help resolve a number of contentious community discussions, worked with the Linux Foundation on community conference planning, and more.
Nominations close on December 13.
Racing karts on a Rust GPU kernel driver (Collabora blog)
In July, Collabora announced the Rust-based Tyr GPU driver for Arm Mali GPUs. Daniel Almeida has posted an update on progress with a prototype of the driver running on a Rock 5B board with the Rockchip RK3588 system-on-chip:
The Tyr prototype has progressed from basic GPU job execution to running GNOME, Weston, and full-screen 3D games like SuperTuxKart, demonstrating a functional, high-performance Rust driver that matches C-driver performance and paves the way for eventual upstream integration! [...]
Tyr is not ready to be used as a daily-driver, and it will still take time to replicate this upstream, although it is now clear that we will surely get there. And as a mere prototype, it has a lot of shortcuts that we would not have in an upstream version, even though it can run on top of an unmodified (i.e., upstream) version of Mesa.
That said, this prototype can serve as an experimental driver and as a testbed for all the Rust abstraction work taking place upstream. It will let us experiment with different design decisions and gather data on what truly contributes to the project's objective.
There is also a video on YouTube of the prototype in action.
Quote of the week
It has now been 0 days since an AI-hallucinated "security report" was sent to the kernel security team.
Right now we seem to be averaging about 1 per week, not bad overall probably compared to other projects.
— Greg Kroah-Hartman
Distributions
AlmaLinux 10.1 released
AlmaLinux 10.1 has been released. In addition to providing binary compatibility with Red Hat Enterprise Linux (RHEL) 10.1, the most notable feature in AlmaLinux 10.1 is the addition of support for Btrfs, which is not available in RHEL:
Btrfs support encompasses both kernel and userspace enablement, and it is now possible to install AlmaLinux OS on a Btrfs filesystem from the very beginning. Initial enablement was scoped to the installer and storage management stack, and broader support within the AlmaLinux software collection for Btrfs features is forthcoming.
In addition to Btrfs support, AlmaLinux OS 10.1 includes numerous other improvements to serve our community. We have continued to extend hardware support both by adding drivers and by adding a secondary version of AlmaLinux OS and EPEL to extend support of x86_64_v2 processors.
See the release notes for a full list of changes.
FreeBSD 15.0 released
FreeBSD 15.0 has been released. Notable changes in this release include a new method for installing the base system using the pkg package manager, an update to OpenZFS 2.4.0-rc4, native support for the inotify(2) interface, and the addition of Open Container Initiative (OCI) images to FreeBSD's release artifacts. See the release notes for a full list of changes, hardware notes for supported hardware, and check the errata before installing or upgrading.
NixOS 25.11 released
Version 25.11 of the NixOS distribution has been released. "The 25.11 release was made possible due to the efforts of 2742 contributors, who authored 59430 commits since the previous release". Changes include 7,002 new packages, GNOME 49, LLVM 21, a new COSMIC desktop environment beta, firewalld support, and more; see the release notes for details.
Distributions quote of the week
I've run for FESCO 4 times and lost 2 (technically 3, but I was still given a spot once because someone resigned their term early). I am in favor of having more newcomers in FESCO, and I understand that it's not fun to run and lose and it can be hard to put yourself out there and risk embarrassment.
However, I don't think we should change the voting rules. To me it defeats the purpose of having an election if we are going to change the rules to get the outcome that we want rather than the outcome that the voters want. In this case, you might as well just have FESCO itself choose the new members and drop the voting altogether.
For me, the best way to get more newcomers is to speak directly to the voters. Either by advocating for specific newcomers on the list or by providing more detailed information about the current makeup of FESCO and how long each person has served.
Ultimately, if the voters continue voting the same people into FESCO, they must be happy with the results, so why try to subvert the will of the voters in this case?
— Tom Stellard
Development
Django 6.0 released
The Django Python web framework project has announced the release of Django 6.0 including many new features, as can be seen in the release notes. Some highlights include template partials for modularizing templates, a flexible task framework for running background tasks, a modernized email API, and a Content Security Policy (CSP) feature that provides the ability to "easily configure and enforce browser-level security policies to protect against content injection".
Home Assistant 2025.12 released
Version 2025.12 of the Home Assistant home-automation system has been released.
This month, we're unveiling Home Assistant Labs, a brand-new space where you can preview features before they go mainstream. And what better way to kick it off than with Winter mode? ❄️ Enable it and watch snowflakes drift across your dashboard. It's completely unnecessary, utterly delightful, and exactly the kind of thing we love to build. ❄️
But that's just the beginning. We've been working on making automations more intuitive over the past releases, and this release finally delivers purpose-specific triggers and conditions. Instead of thinking in (numeric) states, you can now simply say "When a light turns on" or "If the climate is heating". It's automation building the way our mind works, as it should be.
KDE Plasma 6.8 will be Wayland-only
KDE's Plasma team has announced that KDE Plasma will drop X11 session support with Plasma 6.8:
The Plasma X11 session will be supported by KDE into early 2027.
We cannot provide a specific date, as we're exploring the possibility of shipping some extra bug-fix releases for Plasma 6.7. The exact timing of the last one will only be known when we get closer to its actual release, which we expect will be sometime in early 2027.
What if I still really need X11?
This is a perfect use case for long term support (LTS) distributions shipping older versions of Plasma. For example, AlmaLinux 9 includes the Plasma X11 session and will be supported until sometime in 2032.
See the blog post for information on running X11 applications (still supported), accessibility, gaming, and more.
PHP 8.5.0 released
Version 8.5.0 of the PHP language has been released. Changes include a new "|>" operator that, for some reason, makes these two lines equivalent:
$result = strlen("Hello world");
$result = "Hello world" |> strlen(...);
Other changes include a new function attribute, "#[\NoDiscard]" to indicate that the return value should be used, attributes on constants, and more; see the migration guide for details.
Racket 9.0 released
The Racket programming language project has released Racket version 9.0. Racket is a descendant of Scheme, so it is part of the Lisp family of languages. The headline feature in the release is parallel threads, which adds to the concurrency tools in the language: "While Racket has had green threads for some time, and supports parallelism via futures and places, we feel parallel threads is a major addition." Other new features include the black-box wrapper to prevent the compiler from optimizing calculations away, the decompile-linklet function to map linklets back to an s-expression, the addition of Weibull distributions to the math library, and more.
Page editor: Daroc Alden
