Welcome to LWN.net
LWN.net is a reader-supported news site dedicated to producing the best coverage from within the Linux and free software development communities. See the LWN FAQ for more information, and please consider subscribing to gain full access and support our activities.
[$] Restartable sequences, TCMalloc, and Hyrum's Law
Hyrum's Law states that any observable behavior of a system will eventually be depended upon by somebody. The kernel community is currently contending with a clear demonstration of that principle. The recent work to address some restartable-sequences performance problems in the 6.19 release maintained the documented API in all respects, but that was not enough; Google's TCMalloc library, as it turns out, violates the documented API, prevents other code from using restartable features, and breaks with 6.19. But the kernel's no-regressions rule is forcing developers to find a way to accommodate TCMalloc's behavior.
[$] LWN.net Weekly Edition for April 30, 2026
Posted Apr 30, 2026 0:18 UTC (Thu)The LWN.net Weekly Edition for April 30, 2026 is available.
Inside this week's LWN.net Weekly Edition
- Front: Famfs; Python packaging council; Zig concurrency; pages and folios; Strawberry music manager; 7.1 merge window.
- Briefs: GnuPG 2.5.19; Copy Fail; Plasma security; Fedora 44; Ubuntu 26.04; Niri 26.04; pip 26.1; RIP Seth Nickell; RIP Tomáš Kalibera; Quotes; ...
- Announcements: Newsletters, conferences, security updates, patches, and more.
[$] Python packaging council approved
The Python packaging world now has a formal
governance council, of the form described in PEP 772 ("Packaging
Council governance process"), which was approved
by the steering council on April 16. It has been over a year
since the PEP was first proposed in February 2025 and it has undergone
lengthy discussions in multiple postings to the Python discussion forum. The
packaging council will have "broad authority over packaging standards,
tools, and implementations
"; it will consist of five members who will
be elected in a vote that is likely to come in June—after PyCon US 2026 is held mid-May.
[$] Strawberry is ripe for managing music collections
There are dozens of music-player applications for Linux; the options range from bare-bones programs that only play local files to full-blown music-management projects with a full suite of tools for managing (and playing) a music collection. Strawberry is in the latter category; it has a bumper crop of features, including smart playlists, support for editing music metadata tags, the ability to organize music files, and more.
[$] The rest of the 7.1 merge window
By the time Linus Torvalds released 7.1-rc1 and closed the 7.1 merge window, 12,996 non-merge changesets had been pulled into the mainline repository; just over 9,000 of those arrived after the first-half summary was written. These changes were more driver-oriented than those seen earlier, but still also included many new features across the kernel as a whole.
[$] Zig explores structured concurrency
Version 0.16.0 of the Zig programming language was recently announced, and with it an expanded version of the new Io interface that we covered in December. The new interface is based on an idea called structured concurrency that makes writing correct concurrent applications easier. Zig's implementation of the idea is more explicit and verbose than other languages, however, which could offer an opportunity to explore the consequences of different designs.
[$] On pages and folios
The kernel coverage here at LWN often touches on memory-management topics and, as a result, tends to talk a lot about both pages and folios. As the folio transition in the kernel has moved forward, it has often become difficult to decide which term to use in writing that is meant to be both approachable and technically correct. As this work continues, it will be increasingly common to use "folio" rather than page. This article is intended to be a convenient reference for readers wanting to differentiate the two terms or understand the state of this transition.
[$] Famfs, FUSE, and BPF
The famfs filesystem first showed up on the mailing lists in early 2024; since then, it has been the topic of regular discussions at the Linux Storage, Filesystem, Memory Management and BPF (LSFMM+BPF) Summit. It has also, as result of those discussions, been through some significant changes since that initial posting. So it is not surprising that a suggestion that it needed to be rewritten yet again was not entirely well received. How much more rewriting will actually be needed is unclear, but more discussion appears certain.
LWN.net Weekly Edition for April 23, 2026
Posted Apr 23, 2026 0:11 UTC (Thu)The LWN.net Weekly Edition for April 23, 2026 is available.
Inside this week's LWN.net Weekly Edition
- Front: LLMs and Python bugs; scheduler regression; new Rust traits; dependency cooldowns; 7.1 merge window; Shor's algorithm; drama at The Document Foundation.
- Briefs: Firefox zero-days; kernel code removal; reproduceible Arch; Debian election; Firefox 150; Forgejo 15.0; Git 2.54.0; KDE Gear 26.04; LillyPond 2.26.0; Rust 1.95.0; Quotes; ...
- Announcements: Newsletters, conferences, security updates, patches, and more.
Dependency-cooldown discussions warm up
Efforts to introduce malicious code into the open-source supply chain have been on the rise in recent years, and there is no indication that they will abate anytime soon. These attacks are often found quickly, but not quickly enough to prevent the compromised code from being automatically injected into other projects or code deployed by users where it can wreak havoc. One method of avoiding supply-chain attacks is to add a delay of a few days before pulling upates in what is known as a "dependency cooldown". That tactic is starting to find favor with users and some language ecosystem package managers. While this practice is considered a reasonable response by many, others are complaining that those employing dependency cooldowns are free-riding on the larger community by letting others take the risk.
GCC 16.1 released
Version 16.1 of the GNU Compiler Collection (GCC) has been released.
The C++ frontend now defaults to the GNU C++20 dialect and the corresponding parts of the standard library are no longer experimental. Several C++26 features receive experimental support, including Reflection (-freflection), Contracts, expansion statements and std::simd.
Other changes include the introduction of an experimental compiler frontend for the Algol68 language, ability to output GCC diagnostics in HTML form, and more.
Seven new stable kernels for Thursday
Greg Kroah-Hartman has released the 7.0.3, 6.18.26, 6.12.85, 6.6.137, 6.1.170, 5.15.204, and 5.10.254 stable kernels. The 7.0.3 and 6.18.26 kernels only contain fixes needed for Xen users; the others, though, have backported fixes for the recently disclosed AEAD socket vulnerability. Kroah-Hartman advises that all users of the other kernel series must upgrade.
Security updates for Thursday
Security updates have been issued by AlmaLinux (buildah, firefox, gdk-pixbuf2, giflib, grafana, java-1.8.0-openjdk, java-21-openjdk, LibRaw, OpenEXR, PackageKit, pcs, python3.11, python3.12, python3.9, sudo, tigervnc, vim, xorg-x11-server, xorg-x11-server-Xwayland, yggdrasil, and yggdrasil-worker-package-manager), Debian (calibre, firefox-esr, and openjdk-17), Fedora (asterisk, binaryen, buildah, dokuwiki, lemonldap-ng, libexif, libgcrypt, miniupnpd, openvpn, podman, python3.9, rust-rpm-sequoia, skopeo, and xdg-dbus-proxy), Red Hat (buildah, gdk-pixbuf2, and nodejs:20), SUSE (dnsdist, libheif, openCryptoki, polkit, sed, and xen), and Ubuntu (linux-bluefield, python-marshmallow, and roundcube).
A security bug in AEAD sockets
Security analysis firm Xint has disclosed a security bug in the Linux kernel that allows for arbitrary 4-byte writes to the page cache, and which has been present since 2017. The vulnerability has been fixed in mainline kernels. A proof-of-concept script demonstrates how to use the flaw to corrupt a setuid binary, which works on multiple distributions, by requesting an AEAD-encrypted socket from user space and splicing a particular payload into it. A supplemental blog post gives more details about the discovery and remediation.
A core primitive underlying this bug is splice(): it transfers data between file descriptors and pipes without copying, passing page cache pages by reference. When a user splices a file into a pipe and then into an AF_ALG socket, the socket's input scatterlist holds direct references to the kernel's cached pages of that file. The pages are not duplicated; the scatterlist entries point at the same physical pages that back every read(), mmap(), and execve() of that file.
Security review of Plasma Login Manager (SUSE Security Team Blog)
SUSE's Security Team has published a detailed blog post on their recent review of the Plasma Login Manager version 6.6.2, which was forked from the SDDM display manager.
While most of the code remains the same, the new upstream added a privileged D-Bus helper called plasmaloginauthhelper, which suffers from defense-in-depth security issues.
[...] Based on the high severity of the defense-in-depth issues shown in this report, our assessment is that there is effectively no separation between root and the plasmalogin service user account.
At this time there is no bugfix available by upstream, but a security fix is planned for the next Plasma release on May 12. We have not been involved in upstream's bugfix process so far and have no knowledge about the approach that will be taken to address the issues from this report.
Security updates for Wednesday
Security updates have been issued by AlmaLinux (firefox, gdk-pixbuf2, java-17-openjdk, libxml2, python3, python3.11, python3.12, sudo, and webkit2gtk3), Debian (dnsdist, node-tar, pdns, pdns-recursor, and policykit-1), Fedora (chromium, edk2, and vim), Oracle (firefox, gdk-pixbuf2, go-toolset:rhel8, libpng12, LibRaw, libxml2, python, python3, python3.11, python3.12, python3.12-wheel, vim, webkit2gtk3, xorg-x11-server, xorg-x11-server-Xwayland, yggdrasil, and yggdrasil-worker-package-manager), Red Hat (container-tools:rhel8, delve, git-lfs, go-rpm-macros, grafana, grafana-pcp, osbuild-composer, and rhc), SUSE (bouncycastle, clamav, container-suseconnect, dovecot22, erlang, firefox, fontforge, freerdp2, ghostscript, giflib, gnome-remote-desktop, go1.25, go1.26, google-guest-agent, haproxy, ignition, ImageMagick, kernel, libcap, libpng16, libraw, librsvg, mariadb, openexr, pocketbase, protobuf, python-Pillow, python-requests, qemu, rust1.94, sudo, tomcat, tomcat10, tomcat11, webkit2gtk3, and xen), and Ubuntu (dotnet10, dovecot, linux-nvidia-lowlatency, node-follow-redirects, openssh, packagekit, python-cryptography, python-tornado, ruby-rack-session, ujson, and wheel).
Remembering Seth Nickell
LWN has received the sad news that Seth Nickell passed away, on April 16, from his father, Eric Nickell:
Many of you knew Seth from his work in the GNOME Usability Project, but his roots in that community trace back to his high school years. As a father of a high school junior, I remember being terrified when he flashed the hard drive of a computer he purchased for himself with this weird "Linux" thing. And I was a bit awed by the college application essay he wrote about open source and Linus Torvalds.
It was his interest in packet radio that drew him into working with the Linux AX.25 HOWTO as a high schooler, and from there to his focus on making the Linux desktop work for everyone.
The family plans to share news of a memorial at a later time. He will be deeply missed.
Fedora Linux 44 has been released
The Fedora Project has announced the release of Fedora Linux 44. There are "what's new" articles for Fedora Workstation, Fedora KDE Plasma Desktop, and Fedora Atomic Desktops. The Fedora Asahi Remix for Apple Silicon Macs, based on Fedora 44, is also available. See the Fedora Spins page for a full list of alternative desktop options.
Fedora Linux 44 Workstation ships with the latest GNOME release, GNOME 50. This comes with a long list of refinements to your desktop, including everything from accessibility to color management and remote desktop. Many of the applications that are installed by default on Fedora Workstation have also seen improvements, from Document Viewer to File Manager and Calendar. To learn more about these and other changes, you can read the GNOME 50 release notes.
KDE Plasma Desktop: If you are a KDE user, you should also notice a couple of very obvious changes. Fedora KDE Plasma Desktop 44 is based on the latest Plasma 6.6, which includes the new Plasma Login Manager and Plasma Setup to provide a more cohesive and integrated experience from the moment the computer is powered on for the first time. The installation process has been simplified, enabling you to easily set up Fedora KDE Plasma Desktop for a computer for a friend or a loved one.
The release notes include important changes between Fedora 43 and Fedora 44 for desktop users, developers, and system administrators.
In Memoriam: Tomáš Kalibera
We have received the sad news that Tomáš Kalibera, a member of the R Project core team, has passed away after a short illness.
A friend who knew him well wrote to me: he was very happy, and his work fulfilled him. That is, perhaps, the best thing one can say about a life in open source — that the work mattered, that it reached millions, and that the person who did it found meaning in it.
Kalibera was mentioned in this 2019 article about C programs passing strings to Fortran subroutines. He will be greatly missed.
All FOSDEM 2026 videos are online
FOSDEM's organizers have announced
that all of the video recordings "worth publishing
" from FOSDEM 2026 are now available.
Videos are linked from the individual schedule pages for the talks and the full schedule page. They are also available, organised by room, at video.fosdem.org/2026.
LWN's coverage of talks from FOSDEM 2026 can be found on our conference index.