Brief items
Security
LiteLLM on PyPI is compromised
This issue report describes a credential-stealing attack buried within LiteLLM 1.82.8 in the PyPI repository. It collects and exfiltrates a wide variety of information, including SSH keys, credentials for a number of cloud services, crypto wallets, and so on. Anybody who has installed this package has likely been compromised and needs to respond accordingly.
Update: see this futuresearch article for some more information. "The release contains a malicious .pth file (litellm_init.pth) that executes automatically on every Python process startup when litellm is installed in the environment."
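The startup mechanism quoted above can be audited directly. The following is an added example, not code from the issue report or the futuresearch article: it lists the .pth files in the running interpreter's site directories and flags any that contain lines Python would execute at startup, or that carry the file name given above. The helper names and the sample files written by `demo()` are constructed for illustration.

```python
import site
import tempfile
from pathlib import Path

KNOWN_BAD = {"litellm_init.pth"}  # file name reported for the malicious release


def site_dirs():
    """Directories whose .pth files this interpreter processes at startup."""
    dirs = set(site.getsitepackages()) | {site.getusersitepackages()}
    return sorted(Path(d) for d in dirs if Path(d).is_dir())


def executable_lines(pth_file):
    """Return (line_number, text) for each line that site.py would exec().

    site.py executes a .pth line only when it starts with "import" followed
    by a space or tab; any other non-comment line is just a path entry.
    """
    text = Path(pth_file).read_text(encoding="utf-8", errors="replace")
    return [(n, line.strip())
            for n, line in enumerate(text.splitlines(), start=1)
            if line.startswith(("import ", "import\t"))]


def scan(directories):
    """Report every .pth file that runs code or carries a known-bad name."""
    findings = {}
    for directory in directories:
        for pth_file in sorted(Path(directory).glob("*.pth")):
            hits = executable_lines(pth_file)
            known = pth_file.name in KNOWN_BAD
            if hits or known:
                findings[str(pth_file)] = {"known_bad": known, "exec_lines": hits}
    return findings


def demo():
    """Scan a constructed directory: one path-only file, one that runs code."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "paths_only.pth").write_text("# comment\n../src\n")
        # Constructed, harmless stand-in; not the real file's contents.
        Path(tmp, "litellm_init.pth").write_text("import os; os.getenv('HOME')\n")
        return {Path(p).name: info for p, info in scan([tmp]).items()}


if __name__ == "__main__":
    for path, info in scan(site_dirs()).items():
        print(path, info)
```

Legitimate packages (setuptools and editable installs, for instance) also ship .pth files with `import` lines, so a hit is a prompt for review rather than proof of compromise.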
Setting up a Tor Relay at National Taiwan Normal University (Tor Blog)
The Tor Blog has an interesting article about the non-technical side of setting up a Tor Relay. It documents how a computer science student at National Taiwan Normal University worked with the university system to set up a relay and provides a template for future attempts:
In Taiwan, anonymous networks do not lack technical documentation or ideological support. The real scarcity is experience from actually working through the real institutional system once. Especially in an environment where academic networks are highly centralized and outbound connectivity is tightly controlled, distributed anonymous infrastructure like Tor Relays is inherently difficult to sustain.
This implementation at National Taiwan Normal University was not meant to provide a final answer for anonymous networks. It was a concrete attempt made within real-world institutions. It may not immediately improve the performance or security of anonymous networks, and it was not intended to become a directly reproducible standard process. What it did achieve was leaving behind a clearly visible path of practice—one that can be understood, referenced, and built upon.
Kernel development
Kernel release status
The current development kernel is 7.0-rc5, released on March 22. Linus said: "It looks like things are starting to calm down - rc5 is smaller than the previous rc's this merge window, although it still tracks a bit larger than rc5s historically do."
This development cycle has brought in 13,213 non-merge changesets from 2,166 developers, 404 of whom are first-time kernel contributors. As a result, 7.0 will be the new record holder for the most contributors ever (and possibly for the most first-timers as well). The history so far looks like:
RC         Date        Commits
v7.0-rc1   2026-02-22  12468
v7.0-rc2   2026-03-01  434
v7.0-rc3   2026-03-08  537
v7.0-rc4   2026-03-15  544
v7.0-rc5   2026-03-22  391
Stable updates: 6.19.9 and 6.18.19 were released on March 19, followed by 6.19.10, 6.18.20, 6.12.78, 6.6.130, and 6.1.167 on March 25.
b4 v0.15.0 released
Version 0.15.0 of the b4 patch-management tool is out. Highlights in this release include the b4 review workflow manager for maintainers (covered briefly in this article), b4 dig, which can find the original mailing-list submission behind a commit, three-way-merge support in b4 shazam, and more. See the release notes for details.
Down: Debunking zswap and zram myths
Chris Down has posted a detailed look at how the kernel's zswap and zram subsystems work — and how they differ.
Most people think of zswap and zram simply as two different flavours of the same thing: compressed swap. At a surface level, that's correct – both compress pages that would otherwise end up on disk – but they make fundamentally different bets about how the kernel should handle memory pressure, and picking the wrong one for your situation can actively make things worse than having no swap at all
Distributions
Google details new 24-hour process to sideload unverified Android apps (Ars Technica)
Ars Technica describes the ritual that will be required before a future Android device will deign to install apps from somewhere other than the Play Store. It is not for the impatient.
Here are the steps:
- Enable developer options by tapping the software build number in About Phone seven times
- In Settings > System, open Developer Options and scroll down to "Allow Unverified Packages."
- Flip the toggle and tap to confirm you are not being coerced
- Enter device unlock code
- Restart your device
- Wait 24 hours
- Return to the unverified packages menu at the end of the security delay
- Scroll past additional warnings and select either "Allow temporarily" (seven days) or "Allow indefinitely."
- Check the box confirming you understand the risks.
- You can now install unverified packages on the device by tapping the "Install anyway" option in the package manager.
Agama 19 released
Version 19 of the Agama installer for openSUSE and SUSE has been released. This release includes major changes in Agama's architectural design, organization of the web interface, and more.
We always wanted Agama to follow the schema [...] in which the core of the installer could be controlled through a consistent and simple programming interface (an API, in developers jargon). In that schema, the web-based user interface, the command-line tools and the unattended installation are built on top of that generic API.
But previous versions of Agama were full of quirks that didn't allow us to define an API that would match our quality standards as a solid foundation to build a simple but comprehensive installer. Agama 19 represents a quite significant architectural overhaul, needed to leave all those quirks behind and to define mechanisms that can be the cornerstone for any future development.
LWN last looked at Agama in September 2025.
Distributions quote of the week
I am neither pro team maintenance nor anti team maintenance. I am in favor of doing the things that make it more rewarding to volunteer to work on Debian. For some people, particularly new contributors, that means having easy onboarding, a robust team of people who can teach you how to do things and answer your questions, and a place to contribute where you can feel useful quickly. We should therefore have lots of those opportunities. For some people, the reward in Debian comes from going off to quietly work in one's corner or think hard about a problem and solve it the way that you want to solve it while minimizing the coordination that one has to do with other people. So we should also provide appropriate opportunities to do that.
In other words, if we want more volunteers, we should try to maximize volunteer payment. We pay our volunteers not in money, but with mission and purpose, community, and collaboration, but also autonomy, control, and independence. Different types of compensation matter more to different people.
Sometimes we have to force a particular way of doing things in Debian because we have a serious problem and we don't have another way of solving it. In those cases, we have to suck it up and live with the consequences, which may include losing volunteers. But we should do that carefully and selectively. I'm not sure pushing universal team maintenance on people who don't want it qualifies as careful or selective.
— Russ Allbery
Development
Firefox 149.0 released
Version 149.0 of the Firefox web browser has been released. Notable features in this release include a new split-view feature for viewing two web pages side-by-side, a built-in VPN for browser traffic only, and more.
GNOME 50 released
GNOME 50 has been released. Notable changes in this release include enhancements to the Orca screen-reader application, interface and performance improvements for GNOME's file manager (Files), a "massive set of stability and performance updates" for its display-handling technologies, and much more. See also the "What's new for developers" article that covers changes of interest to GNOME and GNOME application developers.
Krita 5.3.0 and 6.0.0 released
The Krita project has announced the release of Krita 5.3.0 and 6.0.0:
Krita 5.3/6.0 is the result of many years of work by the Krita developers. Some features have been rewritten from the ground up, others make their first appearance.
Enjoy the completely new text feature: on canvas editing, full opentype support, text flowing into shapes. It is now easier than ever to create vector-based panels for comic pages. Tools got extended: for instance, the fill tool now can close gaps. The liquify mode of the transform tool is much faster. There are new filters: a propagate colors filter and a reset transparent filter. Support for HDR painting has been improved. The recorder docker can now work in real time. There is improved support for file formats, like support for text objects in PSD files. And much, much, much more!
According to the announcement, the versions are almost functionally identical. However, the 6.0.0 release is the first based on Qt 6; it has more Wayland functionality but is considered experimental. It cautions that users should stick to 5.3.0 for real work. See the release notes for a full list of changes.
LibreQoS v2.0 released
Version 2.0 of the LibreQoS traffic-management and network operations platform has been released.
This release makes LibreQoS easier to operate, easier to understand, and much more useful for day-to-day network work. Now users can see more of what is happening across the network, troubleshoot subscriber issues with better tools, and work from a much stronger local WebUI.
This release includes many capabilities that reflect ideas and direction long championed by our late colleague, Dave Täht.
Dave's work helped shape the understanding of bufferbloat and the importance of latency under load across the networking community. His influence continues to guide both LibreQoS and the broader effort to improve Internet quality.
The project has also announced the release of the LibreQoS Bufferbloat Test v2, also dedicated to Täht. It runs in a user's browser to look at "latency under load, jitter, loss, and what those things mean for the kinds of traffic people actually care about: browsing, streaming, video calls, audio calls, backups, and gaming".
Radicle 1.7.0 released
Version 1.7.0 ("Daffodil") of the Radicle peer-to-peer, local-first code collaboration stack has been released. Some of the changes in this release include improved I/O usage, the ability to block nodes at the connection level, and clearer errors for rad id updates. See the release notes for a full list of changes and bug fixes.
Samba 4.24.0 released
Version 4.24.0 of the Samba SMB filesystem implementation has been released. There are a number of significant changes, including audit support for authentication information, remote password management, a number of Kerberos improvements, asynchronous-I/O rate limiting, and more.
Development quote of the week
If we allow people to use LLMs to write code for a given project/platform, experience in that platform will potentially atrophy or underdevelop as contributors increasingly rely on outsourcing their applicable skills and decisions to "AI".
Even if you believe outsourcing the minutia of coding is a net positive, the "enshittification" principle in general should give you pause; as soon as the net developer skill for a project has degraded to a point of reliance, even somewhat, I think we can be confident those AI tools will NOT get less expensive.
I'd rather be independently less productive, than dependent on some MegaCorp(TM)'s good will to rent us back access to our brains at a fair price.
— Tyler Anderson
Page editor: Daroc Alden
