Brief items
Security
A 0-click exploit chain for the Pixel 9 (Project Zero)
The Project Zero blog has a three-part series describing a working, zero-click exploit for Pixel 9 devices.
Over the past few years, several AI-powered features have been added to mobile phones that allow users to better search and understand their messages. One effect of this change is increased 0-click attack surface, as efficient analysis often requires message media to be decoded before the message is opened by the user. One such feature is audio transcription. Incoming SMS and RCS audio attachments received by Google Messages are now automatically decoded with no user interaction. As a result, audio decoders are now in the 0-click attack surface of most Android phones.
The blog entry does not question the wisdom of directly exposing audio decoders to external attackers, but it does provide a lot of detail showing how it can go wrong. The first part looks at compromising the codec; part two extends the exploit to the kernel, and part three looks at the implications:
It is alarming that it took 139 days for a vulnerability exploitable in a 0-click context to get patched on any Android device, and it took Pixel 54 days longer. The vulnerability was public for 82 days before it was patched by Pixel.
Remote authentication bypass in telnetd
One would assume that most LWN readers stopped running network-accessible telnet services some number of decades ago. For the rest of you, this security advisory from Simon Josefsson is worthy of note:
The telnetd server invokes /usr/bin/login (normally running as root) passing the value of the USER environment variable received from the client as the last parameter.If the client supplies a carefully crafted USER environment value being the string "-f root", and passes the telnet(1) -a or --login parameter to send this USER environment to the server, the client will be automatically logged in as root bypassing normal authentication processes.
Security quote of the week
— Bruce Schneier and J.B. BranchAt the time of [Aaron] Swartz's prosecution, vast amounts of research were funded by taxpayers, conducted at public institutions and intended to advance public understanding. But access to that research was, and still is, locked behind expensive paywalls. People are unable to read work they helped fund without paying private journals and research websites.
Swartz considered this hoarding of knowledge to be neither accidental nor inevitable. It was the result of legal, economic and political choices. His actions challenged those choices directly. And for that, the government treated him as a criminal.
Today's AI arms race involves a far more expansive, profit-driven form of information appropriation. The tech giants ingest vast amounts of copyrighted material: books, journalism, academic papers, art, music and personal writing. This data is scraped at industrial scale, often without consent, compensation or transparency, and then used to train large AI models.
AI companies then sell their proprietary systems, built on public and private knowledge, back to the people who funded it. But this time, the government's response has been markedly different. There are no criminal prosecutions, no threats of decades-long prison sentences. Lawsuits proceed slowly, enforcement remains uncertain and policymakers signal caution, given AI's perceived economic and strategic importance. Copyright infringement is reframed as an unfortunate but necessary step toward "innovation."
Kernel development
Kernel release status
The current development kernel is 6.19-rc6, released on January 18. Linus remarked: "So we finally ended up with a slightly bigger rc than usual for this stage in the release cycle, but it's not _that_ big, and things still seem quite stable and civilized."
Stable updates: 6.18.6, 6.12.66, 6.6.121, and 6.1.161 were released on January 17, followed by 5.15.198, and 5.10.248 on January 19.
The end of OzLabs
OzLabs is a collection of Australian free-software developers that was, for most of its history, associated with IBM. Members of OzLabs have included Hugh Blemings, Michael Ellerman, Ben Herrenschmidt, Greg Lehey, Paul Mackerras, Martin Pool, Stephen Rothwell, Rusty Russell, and Andrew Tridgell, among others. The OzLabs "about" page notes that, as of January 2026, the last remaining OzLabs members have departed IBM. "This brought to a close the Ozlabs association with IBM". Thus ends a quarter-century of development history.
(Thanks to Jon Masters).
Ryabitsev: Tracking kernel development with korgalore
Konstantin Ryabitsev has put up a blog post about korgalore, a tool he has written to circumvent delivery problems experienced by kernel developers using the large, centralized email systems.
We cannot fix email delivery, but we can sidestep it entirely. Public-inbox archives like lore.kernel.org store all mailing list traffic in git repositories. In its simplest configuration, korgalore can shallow-clone these repositories directly and upload any new messages straight to your mailbox using the provider's API.
Distributions
Running Debian on the OpenWrt One (Collabora Blog)
Sjoerd Simons has published a blog post about running Debian on the OpenWrt One router hardware:
With openwrt-one-debian, you can now install and run a full Debian system leveraging the OpenWrt One's NVMe storage, enabling everything from custom services and containers to development tools and lightweight server workloads, all on open hardware.
This project provides a rust-based flasher to install Debian on the OpenWrt One, opening the door to standard Debian tooling, packages, and workflows. For developers and power users, it transforms the OpenWrt One from a network appliance into a compact, general-purpose Linux system.
See the GitHub repository for the code and latest build. LWN reviewed the device in November 2024, and covered Denver Gingerich's talk at SCALE 22x about the making of the router in March 2025.
Distributions quote of the week
— Jonathan DowlandOver time the aspect of Debian that has mattered to me most is the community, and how welcoming and awesome some of it is. This is something to be treasured.
On the other hand, this stands in stark contrast to the subtext of just about any intra-project communication I see now. We are not civil, kind, or patient with each other.
I think this is a serious problem. More so than most technical matters du jour.
Development
Mozilla introduces Firefox Nightly RPM package repository
Mozilla has announced a repository with Firefox Nightly channel packages for RPM-based Linux distributions such as CentOS Stream, Fedora, and openSUSE. Mozilla has provided a Debian repository since 2023.
Note that this repository only includes the nightly builds of The firefox-nightly package. Mozilla is not providing stable builds as RPMs at this time. However, the package will not conflict with a distribution's regular firefox package; both packages can be installed at the same time for those who wish to test the nightly builds. See the blog post for instructions on setting up the repository.
Forgejo 14.0 released
Version 14.0 of the Forgejo software forge has been released. Notable changes in this release include several database improvements, new options for approving actions execution from pull requests, a new file editor, and progress toward making Forgejo's web UI work without JavaScript.
Pandas 3.0 released
Version 3.0.0 of the pandas data analysis and manipulation library for Python has been released. Notable changes include a dedicated string type (str), new "copy-on-write" behavior, and much more. This release also removes a number of features that were deprecated in prior versions of pandas; developers are advised to upgrade to pandas 2.3 and ensure code is working without warnings before moving to 3.0. See the release notes for the full changelog.
Haas: Who contributed to PostgreSQL development in 2025?
PostgreSQL contributor Robert Haas has published a blog post that breaks down code contributions to PostgreSQL in 2025.
I calculate that, in 2025, there were 266 people who were the principal author of at least one PostgreSQL commit. 66% of the new lines of code where contributed by one of 26 people, and 90% of the lines of new code were contributed by one of 67 people.
Contributions to the project seem to be on the upswing; in his analysis of development in 2024, there were 229 people who were the primary authors of a commit, and 66% of new lines of code were contributed by one of 18 people. The raw data is also available.
Wine 11.0 released
Version
11.0 of the Wine Windows compatibility layer is out. "This
release represents a year of development effort, around 6,300
individual changes, and more than 600 bug fixes.
" The most notable
changes in this release are support for the NTSync Linux kernel module
(when available), and the completion of the Windows 32-bit on Windows 64-bit (WoW64) architecture that was announced as experimental in Wine 9.0.
Page editor: Daroc Alden
Next page:
Announcements>>