Welcome to LWN.net
==================
> LWN.net is a reader-supported news site dedicated to producing the best coverage from within the Linux and free software development communities. See [the LWN FAQ](/op/FAQ.lwn) for more information, and please consider [subscribing](/subscribe/Info) to gain full access and support our activities.
\[$\] The burden of knowledge: dealing with open-source risks
-------------------------------------------------------------
\[Development\] Posted Mar 14, 2025 13:54 UTC (Fri) by jzb
Organizations relying on open-source software have a wide range of tools, scorecards, and methodologies to try to assess security, legal, and other risks inherent in their so-called supply chain. However, Max Mehl [argued recently](https://program.foss-backstage.de/fossback25/talk/9ZBSUM/) in a short talk at [FOSS Backstage](https://25.foss-backstage.de/) in Berlin (and online) that all of this objective information and data is insufficient to truly understand and address risk. Worse, this information doesn't provide options to improve the situation and encourages a passive mindset. Mehl, who works as part of the CTO group at [DB Systel](https://www.dbsystel.de/dbsystel-en/about-us/profile-3714990#3714990), encouraged better risk assessment using qualitative data and direct participation in open source.
[Full Story](/Articles/1013614/) ([comments: none](/Articles/1013614/#Comments))
\[$\] Warming up to frozen pages for networking
-----------------------------------------------
\[Kernel\] Posted Mar 13, 2025 15:01 UTC (Thu) by corbet
When the 6.14 kernel is released later this month, it will include the usual set of internal changes that users should never notice, with the possible exception of changes that bring performance improvements. One of those changes is [frozen pages](/Articles/1000654/), a memory-management optimization that should fly mostly under the radar. When Hannes Reinecke [reported a crash](/ml/all/[email protected]) in 6.14, though, frozen pages suddenly came into view. There is a workaround for this problem, but it seems there is a fair amount of work to be done that nobody had counted on to solve the problem properly.
[Full Story](/Articles/1013408/) ([comments: 4](/Articles/1013408/#Comments))
\[$\] LWN.net Weekly Edition for March 13, 2025
-----------------------------------------------
Posted Mar 13, 2025 0:15 UTC (Thu)
The LWN.net Weekly Edition for March 13, 2025 is available.
**Inside this week's LWN.net Weekly Edition**
* [Front](/Articles/1013184/): PyPI terms of service; Zig 0.14; Matrix; Timer IDs and ABI; Module integrity checking; Capability analysis.
* [Briefs](/Articles/1013186/): Path traversal; Below vulnerability; Ubuntu 25.04; Flang; Gstreamer 1.26.0; Framework Mono 6.14.0; Quotes; ...
* [Announcements](/Articles/1013187/): Newsletters, conferences, security updates, patches, and more.
[Read more](/Articles/1013184/)
\[$\] New terms of service for PyPI
-----------------------------------
\[Development\] Posted Mar 12, 2025 17:22 UTC (Wed) by jake
On February 25, the [Python Software Foundation](https://www.python.org/psf-landing/) (PSF), which runs the [Python Package Index](https://pypi.org/) (PyPI), [announced](https://blog.pypi.org/posts/2025-02-25-terms-of-service/) new [terms of service](https://policies.python.org/pypi.org/Terms-of-Service/) (ToS) for the repository. That has led to some questions about the new ToS, and the process of coming up with them. For one thing, the previous [terms of use](https://policies.python.org/pypi.org/Terms-of-Use/) for the service were shorter and simpler, but there are other concerns with specific wording in the new agreement.
[Full Story](/Articles/1012954/) ([comments: 5](/Articles/1012954/#Comments))
\[$\] Zig's 0.14 release inches the project toward stability
------------------------------------------------------------
\[Development\] Posted Mar 12, 2025 14:49 UTC (Wed) by daroc
The [Zig](https://ziglang.org/) project has [announced](https://ziglang.org/download/0.14.0/release-notes.html) the release of the 0.14 version of the language, including changes from more than 250 contributors. Zig is a low-level, memory-unsafe programming language that aims to compete with C instead of depending on it. Even though the language has not yet had a stable release, there are a number of projects using it as an alternative to C with better metaprogramming. While the project's release schedule has been a bit inconsistent, with the release of version 0.14 being [delayed](https://ziglang.org/news/0.14.0-delayed/) several times, the release contains a number of new convenience features, broader architecture support, and the next steps toward removing Zig's dependency on LLVM.
[Full Story](/Articles/1012809/) ([comments: 22](/Articles/1012809/#Comments))
\[$\] The road to mainstream Matrix
-----------------------------------
\[Development\] Posted Mar 11, 2025 15:27 UTC (Tue) by jzb
[Matrix](https://en.wikipedia.org/wiki/Matrix_\(protocol\)) provides an open network for secure, decentralized communication. It has enjoyed some success over the last few years as an IRC replacement and real-time chat for a number of open-source projects. But adoption by a subset of open-source developers is a far cry from the mainstream adoption that Matthew Hodgson, Matrix project lead and CEO of [Element](https://element.io/) (the company that created Matrix), would like to see. At FOSDEM 2025, he discussed the history of Matrix, its missteps in chasing mainstream adoption, its current status, as well as some of the wishlist features for taking Matrix into the mainstream.
[Full Story](/Articles/1009932/) ([comments: 50](/Articles/1009932/#Comments))
\[$\] Capability analysis for the kernel
----------------------------------------
\[Kernel\] Posted Mar 10, 2025 14:42 UTC (Mon) by corbet
One of the advantages of the Rust type system is its ability to encapsulate requirements about the state of the program in the type system; often, this state includes which locks must be held to be able to carry out specific operations. C lacks the ability to express these requirements, but there would be obvious benefits if that kind of feature could be grafted onto the language. The Clang compiler has made some strides in that direction with its [thread-safety analysis](https://clang.llvm.org/docs/ThreadSafetyAnalysis.html) feature; two developers have been independently working to take advantage of that work for the kernel.
[Full Story](/Articles/1012990/) ([comments: 23](/Articles/1012990/#Comments))
\[$\] Hash-based module integrity checking
------------------------------------------
\[Kernel\] Posted Mar 7, 2025 15:44 UTC (Fri) by daroc
On January 20, Thomas Weißschuh shared a new [patch set](https://lwn.net/ml/all/[email protected]/) implementing an alternate method for checking the integrity of loadable kernel modules. This mechanism, which checks module integrity based on hashes computed at build time instead of using cryptographic signatures, could enable reproducible kernel builds in more contexts. Several distributions have already expressed interest in the patch set if Weißschuh can get it into the kernel.
[Full Story](/Articles/1012946/) ([comments: 29](/Articles/1012946/#Comments))
\[$\] Timer IDs, CRIU, and ABI challenges
-----------------------------------------
\[Kernel\] Posted Mar 6, 2025 14:24 UTC (Thu) by corbet
The kernel project has usually been willing to make fundamental internal changes if they lead to a better kernel in the end. The project also, though, goes out of its way to avoid breaking interfaces that have been exposed to user space, even if programs come to rely on behavior that was never documented. Sometimes, those two principles come into conflict, leading to a situation where fixing problems within the kernel is either difficult or impossible. This sort of situation has been impeding performance improvements in the kernel's POSIX timers implementation for some time, but it appears that a solution has been found.
[Full Story](/Articles/1012490/) ([comments: 12](/Articles/1012490/#Comments))
LWN.net Weekly Edition for March 6, 2025
----------------------------------------
Posted Mar 6, 2025 0:15 UTC (Thu)
The LWN.net Weekly Edition for March 6, 2025 is available.
**Inside this week's LWN.net Weekly Edition**
* [Front](/Articles/1012147/): Firefox forks; Bend and Vine; FineIBT; Guard pages; Fedora's Flatpak packaging; Zotero.
* [Briefs](/Articles/1012149/): LFS 12.3; FerretDB 2.0; Firefox; Fish 4.0; Incus 6.10; Thunderbird 136.0; Xen 4.20; Quotes; ...
* [Announcements](/Articles/1012150/): Newsletters, conferences, security updates, patches, and more.
[Read more](/Articles/1012147/)
Security updates for Friday
---------------------------
\[Security\] Posted Mar 14, 2025 12:56 UTC (Fri) by daroc
Security updates have been issued by **Fedora** (iniparser, thunderbird, trafficserver, and xorg-x11-server), **Mageia** (opensc), **Oracle** (.NET 8.0, .NET 9.0, gcc, kernel, and libxml2), **Red Hat** (firefox, grub2, and krb5), **Slackware** (libxslt), **SUSE** (amazon-ssm-agent, bsdtar, build, ffmpeg-4, forgejo-runner, kernel, python, python3, python313, rubygem-rack-1\_6, and tailscale), and **Ubuntu** (linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15).
[Full Story](/Articles/1014183/) ([comments: none](/Articles/1014183/#Comments))
Choi: announcing Casual Make
----------------------------
\[Development\] Posted Mar 13, 2025 18:10 UTC (Thu) by jzb
Charles Choi has [announced](http://yummymelon.com/devnull/announcing-casual-make.html) the release of [Casual Make](https://github.com/kickingvegas/casual/blob/main/docs/make-mode.org): a menu-driven interface, implemented as part of the [Casual](https://github.com/kickingvegas/casual?tab=readme-ov-file#casual) suite of tools, for [Makefile Mode](https://www.emacswiki.org/emacs/MakefileMode) in GNU Emacs.
> Emacs supports makefile editing with make-mode which has a mix of useful and half-baked (though thankfully obsoleted in 30.1) commands. It is from this substrate that I'm happy to announce the next Casual user interface: [Casual Make](https://github.com/kickingvegas/casual/blob/main/docs/make-mode.org).
>
> Of particular note to Casual Make is its attention to authoring and identifying automatic variables whose arcane syntax is un-memorizable. Want to know what $> means? Just select it in the makefile and use the . binding in the Casual Make menu to identify what it does in the mini-buffer.
Casual Make is part of [Casual 2.4.0](https://github.com/kickingvegas/casual/releases/tag/2.4.0), released on March 12, and is available from [MELPA](https://melpa.org/#/casual). The 2.4.0 update to Casual also includes documentation in the Info format for the first time.
[Comments (none posted)](/Articles/1014065/#Comments)
Seven new stable kernels
------------------------
\[Kernel\] Posted Mar 13, 2025 14:53 UTC (Thu) by jake
Greg Kroah-Hartman has announced the release of the [6.13.7](/Articles/1014044/), [6.12.19](/Articles/1014045/), [6.6.83](/Articles/1014046/), [6.1.131](/Articles/1014047/), [5.15.179](/Articles/1014048/), [5.10.235](/Articles/1014049/), and [5.4.291](/Articles/1014050/) stable kernels. They all contain a relatively large number of important fixes throughout the kernel tree.
[Comments (none posted)](/Articles/1014043/)
Security updates for Thursday
-----------------------------
\[Security\] Posted Mar 13, 2025 14:47 UTC (Thu) by jake
Security updates have been issued by **Debian** (chromium), **Fedora** (ffmpeg, qt6-qtwebengine, tigervnc, and xorg-x11-server-Xwayland), **Red Hat** (fence-agents and libxml2), **SUSE** (amazon-ssm-agent, ark, chromium, fake-gcs-server, gerbera, google-guest-agent, google-osconfig-agent, grafana, kernel, libtinyxml2-10, podman, python311, python312, restic, ruby3.4-rubygem-rack, and thunderbird), and **Ubuntu** (jinja2, linux-azure, linux-azure-4.15, linux-lts-xenial, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, netatalk, python3.5, python3.8, rar, unrar-nonfree, and xorg-server, xwayland).
[Full Story](/Articles/1014042/) ([comments: none](/Articles/1014042/#Comments))
Traversal-resistant file APIs (The Go Blog)
-------------------------------------------
\[Security\] Posted Mar 12, 2025 17:13 UTC (Wed) by jzb
Damien Neil has written an [article](https://go.dev/blog/osroot) for the Go Blog about [path traversal vulnerabilities](https://owasp.org/www-community/attacks/Path_Traversal) and the [os.Root](https://pkg.go.dev/os#Root) API added in [Go 1.24](https://tip.golang.org/doc/go1.24) to help prevent them.
> Root permits relative path components and symlinks that do not escape the root. For example, root.Open("a/../b") is permitted. Filenames are resolved using the semantics of the local platform: On Unix systems, this will follow any symlink in "a" (so long as that link does not escape the root); while on Windows systems this will open "b" (even if "a" does not exist).
[Comments (1 posted)](/Articles/1013876/)
Below: local privilege escalation (SUSE security team blog)
-----------------------------------------------------------
\[Security\] Posted Mar 12, 2025 14:47 UTC (Wed) by jzb
The SUSE Security Team blog has a [post](https://security.opensuse.org/2025/03/12/below-world-writable-log-dir.html) with a detailed analysis of a vulnerability ([CVE-2025-27591](https://www.cve.org/CVERecord?id=CVE-2025-27591)) in the [below](https://github.com/facebookincubator/below?tab=readme-ov-file) tool for recording and displaying system data.
> In January 2025, Below was packaged and submitted to openSUSE Tumbleweed. Below runs as a systemd service with root privileges. The SUSE security team monitors additions and changes to systemd service unit files in openSUSE Tumbleweed, and through this we noticed problematic log directory permissions applied in Below's code.
[Comments (none posted)](/Articles/1013842/)
The LLVM project stabilizes its Fortran compiler
------------------------------------------------
\[Development\] Posted Mar 12, 2025 14:15 UTC (Wed) by daroc
The LLVM project's Fortran compiler, which has for many years gone by the name "flang-new", will now simply be "flang", starting from LLVM's 20.1.0 release on March 4. The [announcement](https://blog.llvm.org/posts/2025-03-11-flang-new/), which includes details about the history of flang, comes after a long period of development and discussion. The community has considered renaming flang several times before now, but has always held off out of a feeling that the compiler was not yet ready. Now, the members of the project believe that flang has become stable and complete enough to earn its name.
> We are almost 10 years from the first announcement of what would become LLVM Flang. In the LLVM monorepo alone there have been close to 10,000 commits from around 400 different contributors. Undoubtedly more in Classic Flang before that.
[Comments (1 posted)](/Articles/1013844/#Comments)
GStreamer 1.26.0 released
-------------------------
\[Development\] Posted Mar 12, 2025 13:38 UTC (Wed) by jzb
[Version 1.26.0](https://gstreamer.freedesktop.org/releases/1.26/) of the GStreamer cross-platform multimedia framework has been released. Notable changes in this release include support for the [H.266 Versatile Video Coding](https://en.wikipedia.org/wiki/Versatile_Video_Coding) (VVC) codec, [Low Complexity Enhancement Video Coding](https://en.wikipedia.org/wiki/LCEVC) (LCEVC) support, closed caption improvements, and [JPEG XS](https://en.wikipedia.org/wiki/JPEG_XS) image codec support.
[Comments (11 posted)](/Articles/1013840/)
Security updates for Wednesday
------------------------------
\[Security\] Posted Mar 12, 2025 13:09 UTC (Wed) by jzb
Security updates have been issued by **Debian** (libmodbus), **Fedora** (thunderbird and vyper), **Mageia** (firefox, nss, python-django, python-jinja2, and thunderbird, thunderbird-l10n), **Oracle** (bind, kernel, rsync, and tigervnc), **Red Hat** (.NET 8.0, .NET 9.0, and libxml2), **SUSE** (iniparser and kernel), and **Ubuntu** (dotnet8, dotnet9, freerdp2, jinja2, libreoffice, linux, linux-hwe, linux-aws, linux-aws-hwe, linux-gcp, linux-gcp-4.15, linux-kvm, linux-oracle, linux-kvm, and opensc).
[Full Story](/Articles/1013838/) ([comments: none](/Articles/1013838/#Comments))
Framework Mono 6.14.0 released
------------------------------
\[Development\] Posted Mar 11, 2025 14:41 UTC (Tue) by jzb
Version 6.14.0 of [Framework Mono](https://gitlab.winehq.org/mono/mono/-/blob/main/README.md?ref_type=heads) has been [announced](https://www.winehq.org/news/2025030801).
> This is the first release of Framework Mono from its new home at WineHQ. It includes work from the past 5 years that was never included in a stable release because no stable branch had been created in that time. Highlights are native support for ARM64 on macOS and many improvements to windows forms for X11.
See the [release notes](https://gitlab.winehq.org/mono/mono/-/releases/mono-6.14.0) for a full list of new features and plans for future releases.
[Comments (5 posted)](/Articles/1013723/)
Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds