
Brief items

Security

Shadow-utils 4.19.0 released

Version 4.19.0 of the shadow-utils project has been released. Notable changes in this release include disallowing some usernames that were previously accepted with the --badname option, and removing support for escaped newlines in configuration files. Possibly more interesting is the announcement that the project is deprecating a number of programs, hashing algorithms, and the ability to periodically expire passwords:

Scientific research shows that periodic password expiration leads to predictable password patterns, and that even in a theoretical scenario where that wouldn't happen the gains in security are mathematically negligible (paper link).

Modern security standards, such as NIST SP 800-63B-4 in the USA, prohibit periodic password expiration. [...]

To align with these, we're deprecating the ability to periodically expire passwords. The specifics and long-term roadmap are currently being discussed, and we invite feedback from users, particularly from those in regulated environments. See #1432.

The release announcement notes that the features will remain functional "for a significant period" to minimize disruption.


Kernel development

Kernel release status

The current development kernel is 6.19-rc4, released on January 4. Linus said:

So this rc is still a bit smaller than usual, but it's not _much_ smaller, and I think next week is likely going to be more or less back to normal.

Which is all exactly as expected, and nothing here looks particularly odd. I'll make an rc8 this release just because of the time lost to the holidays, not because it looks like we'd have any particular issues pending (knock wood).

Previously, 6.19-rc3 was released on December 28.

Stable updates: 6.18.3 was released on January 2.

The 6.18.4 and 6.12.64 updates are in the review process; they are due on January 8.


Kroah-Hartman: Linux kernel security work

Greg Kroah-Hartman has written an overview of how the kernel's security team works.

The members of the security team contain a handful of core kernel developers that have experience dealing with security bugs, and represent different major subsystems of the kernel. They do this work as individuals, and specifically can NOT tell their employer, or anyone else, anything that is discussed on the security alias before it is resolved. This arrangement has allowed the kernel security team to remain independent and continue to operate across the different governments that the members operate in, and it looks to become the normal way project security teams work with the advent of the European Union's new CRA law coming into effect.


Distributions

Google will now only release Android source code twice a year (Android Authority)

Android Authority reports that Google will be reducing the frequency of releases of code to the Android Open Source Project to only twice per year.

A spokesperson for Google offered some additional context on this decision, stating that it helps simplify development, eliminates the complexity of managing multiple code branches, and allows them to deliver more stable and secure code to Android platform developers. The spokesperson also reiterated that Google's commitment to AOSP is unchanged and that this new release schedule helps the company build a more robust and secure foundation for the Android ecosystem.

The release schedule for security patches is unchanged.


IPFire 2.29 Core Update 199 released

The IPFire project, an open-source firewall Linux distribution, has released version 2.29 - Core Update 199. Notable changes in this release include an update to Linux 6.12.58, support for WiFi 6 and 7 features on wireless access points, as well as native support for link-local discovery protocol (LLDP) and Cisco discovery protocol (CDP).


Manjaro 26.0 released

Version 26.0 ("Anh-Linh") of the Arch-based Manjaro Linux distribution has been released. Manjaro 26.0 includes Linux 6.18, GNOME 49, KDE Plasma 6.5, Xfce 4.20, and more.


Distributions quote of the fortnight

We are keeping the Fedora version of GnuPG on the 2.4 branch as said above intentionally. The 2.5 [branch] started as mostly [an] experiment implementing the LibrePGP standard, which is not compatible with anything else (IETF's OpenPGP) and would likely result in users shooting themselves into their feet. I also synced couple of patches over the last years with FreePG project, which is trying to maintain the version 2.4 in a compatible manner:

https://gitlab.com/freepg/gnupg

Updating to 2.5 would result in new users generating incompatible LibrePGP keys, which I do not think is a good idea to do now for all Fedora users. I am hoping we will have some better solution by the time the 2.4 version will reach EOL, but I can not anticipate what it is going to be.

Jakub Jelen


Development

Stenberg: No strcpy either

Daniel Stenberg has written a blog post about the decision to ban the use of strcpy() in curl:

The main challenge with strcpy is that when using it we do not specify the length of the target buffer nor of the source string. [...]

To make sure that the size checks cannot be separated from the copy itself we introduced a string copy replacement function the other day that takes the target buffer, target size, source buffer and source string length as arguments and only if the copy can be made and the null terminator also fits there, the operation is done.
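
A copy function of the shape described in the quote can be sketched as follows. This is an added example, not code from curl or from the blog post; the name `checked_strcopy`, its return value, its behaviour on refusal and the sample strings are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical helper (not curl's code): copy slen bytes of src into dest
 * only when those bytes plus the terminating NUL fit in dsize bytes.
 * Returns 1 on success. On refusal returns 0 and leaves dest as an empty
 * string when it has room for one, so a caller that ignores the result
 * never reads stale or unterminated data. */
static int checked_strcopy(char *dest, size_t dsize,
                           const char *src, size_t slen)
{
  if(!dest || !dsize)
    return 0;                 /* no room even for the terminator */
  if(!src || slen >= dsize) {
    dest[0] = '\0';           /* refuse outright: no silent truncation */
    return 0;
  }
  memcpy(dest, src, slen);
  dest[slen] = '\0';
  return 1;
}

/* Constructed sample inputs exercising the boundary cases. */
static int demo_exact_fit(void)
{
  char buf[6];                /* 5 payload bytes + NUL fit exactly */
  return checked_strcopy(buf, sizeof(buf), "hello", 5) &&
         strcmp(buf, "hello") == 0;
}

static int demo_one_byte_short(void)
{
  char buf[5] = "old";        /* 5 payload bytes need 6: must be refused */
  int ok = checked_strcopy(buf, sizeof(buf), "hello", 5);
  return !ok && buf[0] == '\0';
}

static int demo_substring(void)
{
  char buf[16];               /* slen selects a prefix of a longer source */
  return checked_strcopy(buf, sizeof(buf), "hostname:8080", 8) &&
         strcmp(buf, "hostname") == 0;
}

int main(void)
{
  return (demo_exact_fit() && demo_one_byte_short() &&
          demo_substring()) ? 0 : 1;
}
```

Because the size comparison lives inside the function, a later edit cannot move the check away from the copy it guards.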


GNU ddrescue 1.30 released

Version 1.30 of the GNU ddrescue data recovery tool has been released. Notable changes in this release include improvements to automatic recovery of a drive with a dead head, addition of a --no-sweep option to disable reading of skipped areas, and more.


Graham: [KDE] Highlights from 2025

Nate Graham looks back at how 2025 went for the KDE project.

Today Plasma is the default desktop environment in a bunch of the hottest new gaming-focused distros, including Bazzite, CachyOS, Garuda, Nobara, and of course SteamOS on Valve's gaming devices. Fedora's Plasma edition was also promoted to co-equal status with the GNOME edition, and Asahi Linux — the single practical option for Linux on newer Macs — only supports KDE Plasma. Parrot Linux recently switched to Plasma by default, too. And Plasma remains the default on old standbys like EndeavourOS, Manjaro, NixOS, OpenMandriva, Slackware and TuxedoOS — which ships on all devices sold by Tuxedo Computers!


Ruby 4.0 released

Once again there is a brand-new release under the tree from the Ruby programming-language project: Ruby 4.0 has been released with many new features and improvements. Notable changes include the experimental Ruby Box feature for in-process isolation of classes and modules, a new just-in-time compiler called ZJIT, and improvements to Ruby's parallel-execution mechanism (Ractor). There are a number of language changes as well. See the documentation for Ruby 4.0 for more.


Development quote of the fortnight

There's a lot of AI-slop bashing, and sure, we now definitely need a policy too to protect ourselves from it becoming a time sink. But I think we shouldn't forget the often good intentions that are behind these contributions. There is an educational aspect here as well, especially for a younger generation of software developers who think AI gives them programming powers beyond their wildest dreams.

We honestly welcome contributions, but as guardians of our code base we often feel that the timing doesn't quite line up with our planning, the design choices don't quite match the existing or desired architecture, and now, with AI, it becomes easier than ever to put a lot of code on our doorstep to review. Contributors may feel they're doing something good, without considering the consequences on the receiving end.

So, I think our contributing guidelines should start with "Before you start coding, talk to us first."

Alex Band


Miscellaneous

A partial ruling in the Vizio GPL suit

The judge in the Vizio GPL-compliance lawsuit has ruled, in a summary judgment, that the GNU General Public License, version 2, does not require the provision of signing keys needed to install modified software on a device.

Read as a whole, the Agreements require Vizio to make the source code available in such a manner that the source code can be readily obtained and modified by Plaintiff or other third parties. While source code is defined to include "the scripts used to control compilation and installation," this does not mean that Vizio must allow users to reinstall the software, modified or otherwise, back onto its smart TVs in a manner that preserves all features of the original program and/or ensures the smart TVs continue to function properly. Rather, in the context of the Agreements, the disputed language means that Vizio must provide the source code in a manner that allows the source code to be obtained and revised by Plaintiff or others for use in other applications.

As the Software Freedom Conservancy, the plaintiff in the case, has pointed out, the judge has ruled against a claim that was never actually made.

SFC has never held the position, nor do we today hold the position, that any version of the GPL (even including GPLv3!) require "that the device continues to function properly" after a user installs their modified version of the copyleft components.

Linus Torvalds, meanwhile, has posted his own take on the ruling that has, as one might imagine, sparked an extended discussion as well.


Page editor: Daroc Alden


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds