Brief items
Security
CBP Tapped Into the Online Advertising Ecosystem To Track Peoples’ Movements (404 Media)
This 404 Media article looks at how the US Customs and Border Protection agency (CBP) is using location data from phones to track the location of people of interest.
Specifically, CBP says the data was in part sourced via real-time bidding, or RTB. Whenever an advertisement is displayed inside an app, a near instantaneous bidding process happens with companies vying to have their advert served to a certain demographic. A side effect of this is that surveillance firms, or rogue advertising companies working on their behalf, can observe this process and siphon information about mobile phones, including their location. All of this is essentially invisible to an ordinary phone user, but happens constantly.
We should note that the minimal advertising shown on LWN is not delivered via this bidding system.
Garrett: To update blobs or not to update blobs
Matthew Garrett examines the factors that go into the decision about whether to install a firmware update or not.
I trust my CPU vendor. I don't trust my CPU vendor because I want to, I trust my CPU vendor because I have no choice. I don't think it's likely that my CPU vendor has designed a CPU that identifies when I'm generating cryptographic keys and biases the RNG output so my keys are significantly weaker than they look, but it's not literally impossible. I generate keys on it anyway, because what choice do I have? At some point I will buy a new laptop because Electron will no longer fit in 32GB of RAM and I will have to make the same affirmation of trust, because the alternative is that I just don't have a computer.
Kernel development
Kernel release status
The current development kernel is 7.0-rc2, released on March 1. Linus said:
So I'm not super-happy with how big this is, but I'm hoping it's just the random timing noise we see every once in a while where I just happen to get more pull requests one week, only for the next week to then be quieter.
This release, as of -rc2, has brought in 11,960 non-merge changes from 1,957 developers, 339 of whom are first-time kernel contributors. The release history looks like:
RC         Date         Commits
v7.0-rc1   2026-02-22   12468
v7.0-rc2   2026-03-01   434
This -rc2 does indeed contain just over 100 more commits than 6.19-rc2 did. See the (subscriber-only) KSDB 7.0 page for a lot more details.
Stable updates: 6.19.4 and 6.18.14 were released on February 26, followed one day later by 6.19.5 and 6.18.15 to fix a regression. The 6.19.6, 6.18.16, 6.12.75, 6.6.128, 6.1.165, 5.15.202, and 5.10.252 updates were released on March 4.
Høiland-Jørgensen: The inner workings of TCP zero-copy
Toke Høiland-Jørgensen has posted an overview of how zero-copy networking works in the Linux kernel.
Since the memory is being copied directly from userspace to the network device, the userspace application has to keep it around unmodified, until it has finished sending. The sendmsg() syscall itself is asynchronous, and will return without waiting for this. Instead, once the memory buffers are no longer needed by the stack, the kernel will return a notification to userspace that the buffers can be reused.
Quote of the week
I will again note that LTS kernels have been created using machine learning "AI" models composed of neural networks as early as 2018 to find kernel commits containing bug fixes that should be backported to the stable branches. Given that people seem to be throwing around "AI slop" without defining precisely what they mean by "AI", if we are sloppy about banning all code that has ever been built using AI-assisted tooling, you'd have to start shipping the Linux kernel back to the version used in Debian 8 "Jessie".
— Ted Ts'o
Distributions
Motorola announces a partnership with the GrapheneOS Foundation
Motorola has announced that it will be working with the GrapheneOS Foundation, a producer of a security-enhanced Android distribution. "Together, Motorola and the GrapheneOS Foundation will work to strengthen smartphone security and collaborate on future devices engineered with GrapheneOS compatibility." LWN looked at GrapheneOS last July.
Distributions quote of the week
Writing meaningless slop requires no creativity; writing really bad code requires human ingenuity.
procmail is still in the archive, for heaven's sake. [1]
I too am concerned about the potential degradation in quality of free software given the *volume* of bad code that people can generate using LLM agents, but the objectively worst software in the archive is the product of human ingenuity and I am dubious that's going to change.
Making rules that require us to make all sorts of guesswork judgments and that are effectively unenforceable in practice (no one is required to inform us if they use LLMs) strikes me as a recipe for endless future arguments, which doesn't seem very likely to improve the average quality of Debian packages. Or the experience of being a Debian Developer.
If we think software is bad, we should remove the software because it's bad. I am quite dubious that investigations into the software development tools used by upstream are going to give us much additional information on top of the sorts of metrics we already have readily available (bug rates, CVEs, user complaints, unexplained behavior changes between releases, regressions, lack of necessary feature development, etc.).
[1] For those who don't know the reference, this is not intended as a slam against procmail's functionality or against the people who have worked to keep it viable all these years, but is a reference to procmail's notoriously, uh, unique coding style and carefully (?) hand-coded security-critical string manipulation in C.
— Russ Allbery
Development
Gram 1.0 released
Version 1.0 of Gram, an "opinionated fork of the Zed code editor", has been released. Gram removes telemetry, AI features, collaboration features, and more. It adds built-in documentation, support for additional languages, and tab-completion features similar to the Supertab plugin for Vim. The mission statement for the project explains:
At first, I tried to build some other efforts I found online to make Zed work without the AI features just so I could check it out, but didn't manage to get them to work. At some point, the curiosity turned into spite. I became determined to not only get the editor to run without all of the misfeatures, but to make it a full-blown fork of the project. Independent of corporate control, in the spirit of Vim and the late Bram Moolenaar who could have added subscription fees and abusive license agreements had he so wanted, but instead gave his work as a gift to the world and asked only for donations to a good cause close to his heart in return.
This is the result. Feel free to build it and see if it works for you. There is no license agreement or subscription beyond the open source license of the code (GPLv3). It is yours now, to do with as you please.
According to a blog post on the site, the plan for the editor is to diverge from Zed and proceed slowly.
groff 1.24.0 released
Version 1.24.0 of the groff text-formatting system has been released. Improvements include the ability to insert hyperlinks between man pages, a new polygon command for the pic preprocessor, various PDF-output improvements, and more.
Texinfo 7.3 released
Version 7.3 of Texinfo, the GNU documentation-formatting system, has been released. It contains a number of new features, performance improvements, and enhancements.
Development quote of the week
community: In software company writing, this means either "people who will do work for my company for free" or "people who will pick up after me after I move fast and break things."
— Don Marti
Page editor: Daroc Alden
