Brief items
Security
GnuPG 2.5.19 released
Werner Koch has announced the release of GnuPG 2.5.19. This release includes a few new options and a number of bug fixes, and comes with the reminder that the GnuPG 2.4 series will reach end-of-life soon
The main features in the 2.5 series are improvements for 64 bit Windows and the introduction of Kyber (aka ML-KEM or FIPS-203) as PQC encryption algorithm. Other than PQC support the 2.6 series will not differ a lot from 2.4 because the majority of changes are internal to make use of newer features from the supporting libraries.
Note that the old 2.4 series reaches end-of-life in just two months. Thus update to 2.5.19 in time. As always with GnuPG new versions are fully compatible with previous versions.
LWN recently covered Fedora's discussion about what to offer after GnuPG 2.4 is no longer supported.
A security bug in AEAD sockets
Security analysis firm Xint has disclosed a security bug in the Linux kernel that allows for arbitrary 4-byte writes to the page cache, and which has been present since 2017. The vulnerability has been fixed in mainline kernels. A proof-of-concept script demonstrates how to use the flaw to corrupt a setuid binary, which works on multiple distributions, by requesting an AEAD-encrypted socket from user space and splicing a particular payload into it. A supplemental blog post gives more details about the discovery and remediation.
A core primitive underlying this bug is splice(): it transfers data between file descriptors and pipes without copying, passing page cache pages by reference. When a user splices a file into a pipe and then into an AF_ALG socket, the socket's input scatterlist holds direct references to the kernel's cached pages of that file. The pages are not duplicated; the scatterlist entries point at the same physical pages that back every read(), mmap(), and execve() of that file.
Security review of Plasma Login Manager (SUSE Security Team Blog)
SUSE's Security Team has published a detailed blog post on their recent review of the Plasma Login Manager version 6.6.2, which was forked from the SDDM display manager.
While most of the code remains the same, the new upstream added a privileged D-Bus helper called plasmaloginauthhelper, which suffers from defense-in-depth security issues.
[...] Based on the high severity of the defense-in-depth issues shown in this report, our assessment is that there is effectively no separation between root and the plasmalogin service user account.
At this time there is no bugfix available by upstream, but a security fix is planned for the next Plasma release on May 12. We have not been involved in upstream's bugfix process so far and have no knowledge about the approach that will be taken to address the issues from this report.
Security quote of the week
— Josh BressersSo this brings us to Linus's Law. It seems pretty clear now that nobody was in fact looking at the code. If they were, they would have found vulnerabilities in everything. But the number of people finding and reporting vulnerabilities was pretty small. It is hard to find security vulnerabilities as a human, but the whole point wasn't that a few very smart people were looking for bugs, the point was a sort of infinite monkey theorem of bug finding.
It would be easy to proclaim LLMs as our infinite eyeballs, but it's more complicated than that. While LLMs might be able to find vulnerabilities, the real challenge is going to be reporting and coordinating all of these new findings. Even without an LLM the disclosure process was always a thousand times more work than finding the security vulnerability.
The new version of Linus's Law should read something like
With enough LLMs, you're going to be disclosing this stuff forever
The next few years are going to be wild. Anyone telling you they know how to deal with this is full of crap. Nobody knows what to do and this is a human problem, we can't technology our way out of this.
Kernel development
Kernel release status
The current development kernel is 7.1-rc1, released on April 26. Linus remarked:
Things look fairly normal, although we do have a few different projects to cull some old hardware support to help minimize maintenance burden: phasing out i486 support (configs deleted, code deletions to follow) and independently starting to remove some really old networking hardware support, and removing some SoC support that never went anywhere.But we're more than making up for any stale code removal with all the new features and code added, so the diffstat still shows many more lines added than removed.
As of -rc1, the 7.1 development cycle has brought in 12,996 non-merge changesets from 2,011 developers:
RC Date Commits v7.1-rc1 2026-04-26 13963 13963
See the KSDB 7.1 page for lots more information.
Stable updates: 7.0.1, 6.19.14, 6.18.24, and 6.12.83 were released on April 22, followed by 7.0.2, 6.18.25, 6.12.84, and 6.6.136 on April 27. Note that 6.19.14 will be the last of the 6.19 updates.
Distributions
Fedora Linux 44 has been released
The Fedora Project has announced the release of Fedora Linux 44. There are "what's new" articles for Fedora Workstation, Fedora KDE Plasma Desktop, and Fedora Atomic Desktops. The Fedora Asahi Remix for Apple Silicon Macs, based on Fedora 44, is also available. See the Fedora Spins page for a full list of alternative desktop options.
Fedora Linux 44 Workstation ships with the latest GNOME release, GNOME 50. This comes with a long list of refinements to your desktop, including everything from accessibility to color management and remote desktop. Many of the applications that are installed by default on Fedora Workstation have also seen improvements, from Document Viewer to File Manager and Calendar. To learn more about these and other changes, you can read the GNOME 50 release notes.
KDE Plasma Desktop: If you are a KDE user, you should also notice a couple of very obvious changes. Fedora KDE Plasma Desktop 44 is based on the latest Plasma 6.6, which includes the new Plasma Login Manager and Plasma Setup to provide a more cohesive and integrated experience from the moment the computer is powered on for the first time. The installation process has been simplified, enabling you to easily set up Fedora KDE Plasma Desktop for a computer for a friend or a loved one.
The release notes include important changes between Fedora 43 and Fedora 44 for desktop users, developers, and system administrators.
Ubuntu 26.04 LTS released
Ubuntu 26.04 ("Resolute Raccoon") LTS has been released on schedule.
This release brings a significant uplift in security, performance, and usability across desktop, server, and cloud environments. Ubuntu 26.04 LTS introduces TPM-backed full-disk encryption, expanded use of memory-safe components, improved application permission controls, and Livepatch support for Arm systems, helping reduce downtime and strengthen system resilience. [...]
The newest Edubuntu, Kubuntu, Lubuntu, Ubuntu Budgie, Ubuntu Cinnamon, Ubuntu Kylin, Ubuntu Studio, Ubuntu Unity, and Xubuntu are also being released today. For more details on these, read their individual release notes under the Official flavors section:
https://documentation.ubuntu.com/release-notes/26.04/#official-flavors
Maintenance updates will be provided for 5 years for Ubuntu Desktop, Ubuntu Server, Ubuntu Cloud, Ubuntu WSL, and Ubuntu Core. All the remaining flavors will be supported for 3 years.
See the release notes for a list of changes, system requirements, and more.
The future of AI in Ubuntu
Jon Seager, VP engineering for Canonical, has posted
an update on "what Canonical and Ubuntu will do (or not) to
incorporate AI
" that explains what part AI will play in the future
of the company and its distribution.
The bottom line is that Canonical is ramping up its use of AI tools in a focused and principled manner that favours open weight models with license terms that feel most compatible with our values, combined with open source harnesses. AI features will be landing in Ubuntu throughout the next year as we feel that they're of sufficient maturity and quality, with a bias toward local inference by default.
AI features in Ubuntu features will come in two forms: first as a means of enhancing existing OS functionality with AI models in the background, and latterly in the form of "AI native" features and workflows for those who want them.
This year Canonical has begun a more deliberate push toward education and developing competence with AI tools. We are not setting shallow metrics on token usage, or percentages of code written with AI, but rather incentivising engineers to experiment and understand where AI tools add value. Rather than force a single early-choice AI stack, we're incentivising teams to each pick 'something different' and go deep, so we learn more as an org in the next six months.
Distributions quote of the week
— Simo SorceFedora is not 100% of my focus, in fact it is definitely less than 50%, so the problem I have with discourse is that I am never going to find the time to "go to a website" to read stuff. If it does not hit my inbox it may as well not exist. Mail is the collector of all the information I need to keep tabs on because it is neutral, independent and centrally aggregated in the only place I can pay attention to.
Discourse can be the most beautiful thing but fails at the most important thing, I need information to come to me, not the other way around.
For as long as the email bridge works reasonably well I can still follow some of the discussions, but as other noted there has been a duplication of tags and stuff, so I probably am blind to a large part of the discussions there .. too bad.
Development
All FOSDEM 2026 videos are online
FOSDEM's organizers have announced
that all of the video recordings "worth publishing
" from FOSDEM 2026 are now available.
Videos are linked from the individual schedule pages for the talks and the full schedule page. They are also available, organised by room, at video.fosdem.org/2026.
LWN's coverage of talks from FOSDEM 2026 can be found on our conference index.
Niri 26.04 released
Version 26.04
of the niri scrollable-tiling Wayland compositor has been released. The most
notable change in this release, as the "most requested niri feature by far
",
is support for the blur effect using the Wayland protocol's ext-background-effect. This
release also features optional configuration
includes, screencasting support enhancements, and a number of improvements for
input devices.
In short, background blur turned out to be a massive undertaking. Not because of the blur algorithm itself (by the way, if you want to learn about different blurs, including the widely used Dual Kawase, I highly recommend this blog post), but because window background effects in general required a lot of thinking and additions to the code, especially to make them as efficient as possible. This is one of the most complex niri features thus far.
LWN covered niri in July 2025.
pgBackRest is no longer maintained
David Steele, maintainer of the popular pgBackRest backup and restore project for PostgreSQL, has archived the project and announced that it is no longer being maintained.
After a lot of thought, I have decided to stop working on pgBackRest. I did not come to this decision lightly. pgBackRest has been my passion project for the last thirteen years, and I was fortunate to have corporate sponsorship for much of this time, but there were also many late nights and weekends as I worked to make pgBackRest the project it is today, aided by numerous contributors. Every open-source developer knows exactly what I mean and how much of your life gets devoted to a special project.
Since Crunchy Data was sold, I have been maintaining pgBackRest and looking for a position that would allow me to continue the work, but so far I have not been successful. Likewise, my efforts to secure sponsorship have also fallen far short of what I need to make the project viable.
pip 26.1 released
Version 26.1 of the pip package installer for Python has been released. Richard Si has published a blog post that looks at some of the highlights of 26.1 including dependency cooldowns, experimental support for pylock (pylock.toml) files, and resolver improvements that will move pip closer to the goal of removing its legacy resolver. The release also includes several security fixes and drops support for Python 3.9.
Development quote of the week
The question is not how fast someone can create software. The question is how long after creating the software will someone support it.— Jeff Johnson
Miscellaneous
Remembering Seth Nickell
LWN has received the sad news that Seth Nickell passed away, on April 16, from his father, Eric Nickell:
Many of you knew Seth from his work in the GNOME Usability Project, but his roots in that community trace back to his high school years. As a father of a high school junior, I remember being terrified when he flashed the hard drive of a computer he purchased for himself with this weird "Linux" thing. And I was a bit awed by the college application essay he wrote about open source and Linus Torvalds.
It was his interest in packet radio that drew him into working with the Linux AX.25 HOWTO as a high schooler, and from there to his focus on making the Linux desktop work for everyone.
The family plans to share news of a memorial at a later time. He will be deeply missed.
In Memoriam: Tomáš Kalibera
We have received the sad news that Tomáš Kalibera, a member of the R Project core team, has passed away after a short illness.
A friend who knew him well wrote to me: he was very happy, and his work fulfilled him. That is, perhaps, the best thing one can say about a life in open source — that the work mattered, that it reached millions, and that the person who did it found meaning in it.
Kalibera was mentioned in this 2019 article about C programs passing strings to Fortran subroutines. He will be greatly missed.
Page editor: Daroc Alden
Next page:
Announcements>>