
Brief items

Security

An update on upki

In December 2025, Canonical announced a plan to develop a universal Public Key Infrastructure called upki. Jon Seager has published an update about the project with instructions on trying it out.

In the few weeks since we announced upki, the core revocation engine has been established and is now functional, the CRLite mirroring tool is working and a production deployment in Canonical's datacentres is ongoing. We're now preparing for an alpha release and remain on track for an opt-in preview for Ubuntu 26.04 LTS.

Comments (none posted)

An update to the malicious crate notification policy (Rust Blog)

Adam Harvey, on behalf of the crates.io team, has published a blog post to inform users of a change in their practice of publishing information about malicious Rust crates:

The crates.io team will no longer publish a blog post each time a malicious crate is detected or reported. In the vast majority of cases to date, these notifications have involved crates that have no evidence of real world usage, and we feel that publishing these blog posts is generating noise, rather than signal.

We will always publish a RustSec advisory when a crate is removed for containing malware. You can subscribe to the RustSec advisory RSS feed to receive updates.

Crates that contain malware and are seeing real usage or exploitation will still get both a blog post and a RustSec advisory. We may also notify via additional communication channels (such as social media) if we feel it is warranted.

Comments (16 posted)

Security quotes of the week

Today in InfoSec Job Security News:

I was looking into an obvious ../.. vulnerability introduced into a major web framework today, and it was committed by username Claude on GitHub. Vibe coded, basically.

So I started looking through Claude commits on GitHub, there's over 2m of them and it's about 5% of all open source code this month.

https://github.com/search?q=author%3Aclaude&type=commits&s=author-date&o=desc

As I looked through the code I saw the same class of vulns being introduced over, and over, again - several a minute.

Kevin Beaumont
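The "obvious ../.. vulnerability" Beaumont describes is the classic path-traversal bug: a request path is joined onto a document root without checking that the result still lies inside that root. The example below, added here and not taken from Beaumont's post or from the (unnamed) framework he was looking at, shows the vulnerable resolution beside a hardened one. It uses Python because the framework is not identified; the document root `/srv/app/static` is a hypothetical value, and the check is purely lexical (on-disk symlinks would additionally need `os.path.realpath`).

```python
import posixpath
from urllib.parse import unquote

# Hypothetical document root used for the examples below.
DOC_ROOT = "/srv/app/static"


def resolve_naive(root: str, requested: str) -> str:
    """Vulnerable: join and normalise, but never check containment.

    posixpath.join() discards `root` entirely when `requested` is absolute,
    and normpath() happily walks "../" segments out of the root.
    """
    return posixpath.normpath(posixpath.join(root, requested))


def resolve_safe(root: str, requested: str) -> str:
    """Hardened: decode, treat the request as relative, normalise, then
    verify the candidate is the root itself or lies strictly under it."""
    root = posixpath.normpath(root)
    # Frameworks URL-decode before routing; decode here so "%2e%2e/" is seen
    # as "../" and cannot slip past a check that ran on the raw string.
    rel = unquote(requested).lstrip("/")
    candidate = posixpath.normpath(posixpath.join(root, rel))
    # The trailing "/" matters: without it, "/srv/app/static2/x" would pass
    # a plain startswith("/srv/app/static") check.
    if candidate != root and not candidate.startswith(root + "/"):
        raise ValueError(f"path escapes document root: {requested!r}")
    return candidate


def is_within_root(root: str, requested: str) -> bool:
    """Boolean form of the check, convenient for tests and request filters."""
    try:
        resolve_safe(root, requested)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample requests: one benign, the rest traversal attempts.
    for req in ["css/site.css", "../../../etc/passwd",
                "%2e%2e/%2e%2e/%2e%2e/etc/passwd", "/etc/passwd", ".."]:
        naive = resolve_naive(DOC_ROOT, req)
        verdict = "ok" if is_within_root(DOC_ROOT, req) else "REJECTED"
        print(f"{req!r:40} naive -> {naive:24} hardened -> {verdict}")
```

Running the block shows the naive resolver returning `/etc/passwd` for both the `../../../etc/passwd` and the absolute `/etc/passwd` requests, while the hardened resolver rejects every traversal attempt and accepts only the request that stays under the root.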

PSA: If you block the `claude` user on GitHub, you'll get a warning every time you view a repo with that user in its commit history.

Now, the moment you look at a repo, you can immediately adjust your expectations.

Tristram Oaten

In the latest OpenSSL security release on January 27, 2026, twelve new zero-day vulnerabilities (meaning unknown to the maintainers at time of disclosure) were announced. Our AI system is responsible for the original discovery of all twelve, each found and responsibly disclosed to the OpenSSL team during the fall and winter of 2025. Of those, 10 were assigned CVE-2025 identifiers and 2 received CVE-2026 identifiers. Adding the 10 to the three we already found in the Fall 2025 release, AISLE is credited for surfacing 13 of 14 OpenSSL CVEs assigned in 2025, and 15 total across both releases. This is a historically unusual concentration for any single research team, let alone an AI-driven one.

These weren't trivial findings either. They included CVE-2025-15467, a stack buffer overflow in CMS message parsing that's potentially remotely exploitable without valid key material, and exploits for which have been quickly developed online. OpenSSL rated it HIGH severity; NIST's CVSS v3 score is 9.8 out of 10 (CRITICAL, an extremely rare severity rating for such projects). Three of the bugs had been present since 1998-2000, for over a quarter century having been missed by intense machine and human effort alike. One predated OpenSSL itself, inherited from Eric Young's original SSLeay implementation in the 1990s. All of this in a codebase that has been fuzzed for millions of CPU-hours and audited extensively for over two decades by teams including Google's.

Stanislav Fort

Comments (3 posted)

Kernel development

Kernel release status

The 7.0 merge window remains open; it can be expected to close on February 22.

Stable updates: 6.12.71 was released on February 12. 6.19.1, 6.18.11, 6.12.72, and 6.6.125 came out on February 16, followed a few milliseconds later by 6.19.2, 6.18.12, 6.12.73, and 6.6.126, which reverted one bad commit.

The relatively small 6.19.3, 6.18.13, 6.12.74, 6.6.127, 6.1.164, 5.15.201, and 5.10.251 updates are in the review process; they are due on February 19.

Comments (none posted)

Distributions

An Asahi Linux progress report

The Asahi Linux project, which is working to implement support for Linux on Apple CPUs, has published a detailed 6.19 progress report.

We've made incredible progress upstreaming patches over the past 12 months. Our patch set has shrunk from 1232 patches with 6.13.8, to 858 as of 6.18.8. Our total delta in terms of lines of code has also shrunk, from 95,000 lines to 83,000 lines for the same kernel versions. Hmm, a 15% reduction in lines of code for a 30% reduction in patches seems a bit wrong…

Not all patches are created equal. Some of the upstreamed patches have been small fixes, others have been thousands of lines. All of them, however, pale in comparison to the GPU driver.

The GPU driver is 21,000 lines by itself, discounting the downstream Rust abstractions we are still carrying. It is almost double the size of the DCP driver and thrice the size of the ISP/webcam driver, its two closest rivals. And upstreaming work has now begun.

Comments (18 posted)

Debian DFSG Team announces new dashboard and queue processes

Reinhard Tartler of Debian's new DFSG, Licensing & New Packages Team, or simply "DFSG Team", has announced that the team is now operational and is deploying new tooling to improve the NEW queue experience for Debian developers and maintainers.

Our primary and immediate goal is simple: get the queue down.

We are currently settling in and refining our processes to ensure stability and consistency. While our focus right now is on clearing the backlog, our long-term vision is to enable all Debian Developers to meaningfully contribute to DFSG reviewing activities, distributing the workload and knowledge more effectively across the project.

The announcement includes information on the new dashboard for packages in the NEW queue, the rationale for the new tooling, and an introduction to the members of the team.

Comments (none posted)

New delegation for Debian's data protection team

Debian Project Leader (DPL) Andreas Tille has announced a new delegation for Debian's data protection team:

Following the end of the previous delegation, Debian was left without an active Data Protection team. This situation has understandably drawn external attention and highlighted the importance of having a clearly identified point of contact for data protection matters within the project.

I am therefore very pleased to announce that new volunteers have stepped forward, allowing us to re-establish the Debian Data Protection team with a fresh delegation.

Tille had put out a call for volunteers in January after all previous members of the team had stepped down. He has appointed Aigars Mahinovs, Andrew M.A. Cater, Bart Martens, Emmanuel Arias, Gunnar Wolf, Kiran S Kunjumon, and Salvo Tomaselli as the new members of the team. The team provides a central coordination and advisory function around Debian's data handling, retention, dealing with deletion requests, and more.

Comments (none posted)

Fedora now available in Syria

Justin Wheeler writes in Fedora Magazine that Fedora is now available in Syria once again:

Last week, the Fedora Infrastructure Team lifted the IP range block on IP addresses in Syria. This action restores download access to Fedora Linux deliverables, such as ISOs. It also restores access from Syria to Fedora Linux RPM repositories, the Fedora Account System, and Fedora build systems. Users can now access the various applications and services that make up the Fedora Project. This change follows a recent update to the Fedora Export Control Policy. Today, anyone connecting to the public Internet from Syria should once again be able to access Fedora.

[...] Opening the firewall to Syria took seconds. However, months of conversations and hidden work occurred behind the scenes to make this happen.

Comments (none posted)

Distributions quote of the week

Despite repeated polite requests to not ask us for specific feature ETAs, the questions kept coming. In an effort to try and curtail this, we toyed with setting a "minimum" date for the feature and simply doubling it every time the question was asked. This very quickly led to the date being after the predicted heat death of the universe. We fell back on a tried and tested response pioneered by id Software; DP Alt Mode will be done when it's done.

And, well, it's done. Kind of.

In December, Sven gave a talk at 39C3 recounting the Asahi story so far, our reverse engineering process, and what the immediate future looks like for us. At the end, he revealed that the slide deck had been running on an M1 MacBook Air, connected to the venue's AV system via a USB-C to HDMI adapter!

James Calligeros

Comments (none posted)

Development

Plasma 6.6.0 released

Version 6.6.0 of KDE's Plasma desktop environment has been released. Notable additions in this release include the ability to create global themes for Plasma, an "extract text" feature in the Spectacle screenshot utility, accessibility improvements, and a new on-screen keyboard. See the changelog for a full list of new features, enhancements, and bug fixes.

The release is dedicated to the memory of Björn Balazs, a KDE contributor who passed away in September 2025. "Björn's drive to help people achieve the privacy and control over technology that he believed they deserved is the stuff FLOSS legends are made of."

Comments (2 posted)

Vim 9.2 released

Version 9.2 of the Vim text editor has been released. "Vim 9.2 brings significant enhancements to the Vim9 scripting language, improved diff mode, comprehensive completion features, and platform-specific improvements including experimental Wayland support." Also included is a new interactive tutor mode.

Comments (6 posted)

Page editor: Daroc Alden


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds