Brief items
Security
10 Years of Let's Encrypt Certificates
Let's Encrypt has published a retrospective that covers the decade since it published its first publicly trusted certificate in September 2015:
In March 2016, we issued our one millionth certificate. Just two years later, in September 2018, we were issuing a million certificates every day. In 2020 we reached a billion total certificates issued and as of late 2025 we're frequently issuing ten million certificates per day. We're now on track to reach a billion active sites, probably sometime in the coming year.
Addressing Linux's missing PKI infrastructure
Jon Seager, VP of engineering for Canonical, has announced a plan to develop a universal Public Key Infrastructure tool called upki:
Earlier this year, LWN featured an excellent article titled "Linux's missing CRL infrastructure". The article highlighted a number of key issues surrounding traditional Public Key Infrastructure (PKI), but critically noted how even the available measures are effectively ignored by the majority of system-level software on Linux.
One of the motivators for the discussion is that the Online Certificate Status Protocol (OCSP) will cease to be supported by Let's Encrypt. The remaining alternative is to use Certificate Revocation Lists (CRLs), yet there is little or no support for managing (or even querying) these lists in most Linux system utilities.
To solve this, I'm happy to share that in partnership with rustls maintainers Dirkjan Ochtman and Joe Birr-Pixton, we're starting the development of upki: a universal PKI tool. This project initially aims to close the revocation gap through the combination of a new system utility and eventual library support for common TLS/SSL libraries such as OpenSSL, GnuTLS and rustls.
No code is available as of yet, but the announcement indicates that upki will be available as an opt-in preview for Ubuntu 26.04 LTS. Thanks to Dirjan Ochtman for the tip.
Kernel development
Kernel release status
The 6.19 merge window is open; it can be expected to close on December 14. See this article for a summary of changes pulled during the first half of this merge window.Stable updates: 6.17.11, 6.12.61, 6.6.119, 6.1.159, 5.15.197, and 5.10.247 were released on December 7.
The (successful) end of the kernel Rust experiment
The topic of the Rust experiment was just discussed at the annual Maintainers Summit. The consensus among the assembled developers is that Rust in the kernel is no longer experimental — it is now a core part of the kernel and is here to stay. So the "experimental" tag will be coming off. Congratulations are in order for all of the Rust for Linux team.(Stay tuned for details in our Maintainers Summit coverage.)
Kroah-Hartman: Linux CVEs, more than you ever wanted to know
Greg Kroah-Hartman is writing a series of blog posts about Linux becoming a Certificate Numbering Authority (CNA):
It's been almost 2 full years since Linux became a CNA (Certificate Numbering Authority) which meant that we (i.e. the kernel.org community) are now responsible for issuing all CVEs for the Linux kernel. During this time, we've become one of the largest creators of CVEs by quantity, going from nothing to number 3 in 2024 to number 1 in 2025. Naturally, this has caused some questions about how we are both doing all of this work, and how people can keep track of it.
So far, Kroah-Hartman has published the introductory post, as well as a detailed post about kernel version numbers that is well worth reading.
Distributions
Alpine Linux 3.23.0 released
Version 3.23.0 of Alpine Linux has been released. Notable changes in this release include an upgrade to version 3.0 of the Alpine Package Keeper (apk), and replacing the linux-edge package with linux-stable:
For years, linux-lts and linux-edge grew apart and developed their own kernel configs, different architectures, etc.
Now linux-edge gets replaced with linux-stable which has the identical configuration as linux-lts, but follows the stable releases instead of the long-term releases (see https://kernel.org/).
The /usr merge planned for this release has been postponed; a new timeline for the change will be published later. See the release notes for more information on this release.
Development
cmocka 2.0 released
Andreas Schneider has announced version 2.0 of the cmocka unit-testing framework for C:
This release represents a major modernization effort, bringing cmocka firmly into the "modern" C99 era while maintaining the simplicity and ease of use that users have come to expect.
One of the most significant changes in cmocka 2.0 is the migration to C99 standard integer types. The LargestIntegralType typedef has been replaced with intmax_t and uintmax_t from stdint.h, providing better type safety and portability across different platforms. Additionally, we've adopted the bool type where appropriate, making the code more expressive and self-documenting.
Using intmax_t and uintmax_t also allows to print better error messages. So you can now find e.g. assert_int_equal and assert_uint_equal.
cmocka 2.0 introduces a comprehensive set of type-specific assertion macros, including `assert_uint_equal()`, `assert_float_equal()`, and enhanced pointer assertions. The mocking system has also been significantly improved with type-specific macros like `will_return_int()` and `will_return_float()`. The same for parameter checking etc.
LWN covered the project early in its development in 2013. See the full list of new features, enhancements, and bug fixes in cmocka 2.0 in the changelog.
Firefox 146 released
Version
146.0 of the Firefox web browser has been released. One feature of
particular interest to Linux users is that Firefox now natively
supports fractional scaled displays on Wayland. Firefox Labs has also
been made available to all users even if they opt out of telemetry or
participating in studies. "This means more experimental features
are now available to more people.
"
This release also adds support for Module-Lattice-Based
Key-Encapsulation Mechanism (ML-KEM) for WebRTC. ML-KEM is
"believed to be secure against attackers with large quantum
computers
". See the release notes for all changes.
Development quote of the week
— Ross GradyForking Calibre in protest over an optional plugin (one among jillions) that enables some kind of AI integration is a thing that people can absolutely do.
But it will be a profoundly wasted opportunity if the forkers don't actually do anything useful, such as improving the "ehh, good enough for 2007, I guess" user experience.
Miscellaneous
The 2024 Free Software Awards winners
The Free Software Foundation has announced the recipients of its 2024 (even though 2025 is almost over) Free Software Awards. Andy Wingo won the award for the advancement of free software, Alx Sa is the outstanding new free-software contributor, and Govdirectory takes the award for projects of social benefit.Cro provides commentary on LWN's Zig asynchronicity article
Loris Cro has published a detailed YouTube video talking about the terminology used to discuss asynchronicity, concurrency, and parallelism in our recent article about Zig's new Io interface. Our article is not completely clear because it uses the term "asynchronous I/O" to refer to what should really be called "non-blocking I/O", and sometimes confuses asynchronicity for concurrency, among other errors of terminology, he says. Readers interested in precise details about Zig's approach and some of the motivation behind the design may find Cro's video interesting.
Page editor: Daroc Alden
Next page:
Announcements>>