Welcome to LWN.net
LWN.net is a reader-supported news site dedicated to producing the best coverage from within the Linux and free software development communities. See the LWN FAQ for more information, and please consider subscribing to gain full access and support our activities.
[$] Vibe-coded ext4 for OpenBSD
A number of projects have been struggling with the question of which submissions created by large language models (LLMs), if any, should be accepted into their code base. This discussion has been further muddied by efforts to use LLM-driven reimplementation as a way to remove copyleft restrictions from a body of existing code, as recently happened with the Python chardet module. In this context, an attempt to introduce an LLM-generated implementation of the Linux ext4 filesystem into OpenBSD was always going to create some fireworks, but that project has its own, clearly defined reasons for looking askance at such submissions.
[$] LWN.net Weekly Edition for March 26, 2026
Posted Mar 26, 2026 0:41 UTC (Thu) The LWN.net Weekly Edition for March 26, 2026 is available.
Inside this week's LWN.net Weekly Edition
- Front: Security collaboration; Manjaro governance; kernel development tools; PHP licensing; kernel direct map patches; sleepable BPF.
- Briefs: LiteLLM compromise; Tor in Taiwan; b4 v0.15.0; 24-hour sideloading; Agama 19; Firefox 149.0; GNOME 50; Krita 5.3.0 and 6.0.0; Quotes; ...
- Announcements: Newsletters, conferences, security updates, patches, and more.
[$] Collaboration for battling security incidents
The keynote for Sun Security Con 2026 (SunSecCon) was given by Farzan Karimi on how incident handling can go awry because of a lack of collaboration between the "good guys"—which stands in contrast to how attackers collaboratively operate. He provided some "war stories" where security incident handling had benefited from collaboration and others where it was hampered by its lack. SunSecCon was held in conjunction with SCALE 23x in Pasadena in early March.
[$] More efficient removal of pages from the direct map
The kernel's direct map provides code running in kernel mode with direct access to all physical memory installed in the system — on 64-bit systems, at least. It obviously makes life easier for kernel developers, but the direct map also brings some problems of its own, most of which are security-related. Interest in removing at least some pages from the direct map has been simmering for years; a couple of patch sets under discussion show some use cases for memory that has been removed from the direct map, and how such memory might be efficiently managed.
[$] A PHP license change is imminent
PHP's licensing has been a source of confusion for some time. The project is, currently, using two licenses that cover different parts of the code base: PHP v3.01 for the bulk of the code and Zend v2.0 for code in the Zend directory. Much has changed since the project settled on those licenses in 2006, and the need for custom licensing seems to have passed. An effort to simplify PHP's licensing, led by Ben Ramsey, is underway; if successful, the existing licenses will be deprecated and replaced by the BSD three-clause license. The PHP community is now voting on the license update RFC through April 4, 2026.
[$] Tracking when BPF programs may sleep
BPF programs can run in both sleepable and non-sleepable (atomic) contexts. Currently, sleepable BPF programs are not allowed to enter an atomic context. Puranjay Mohan has a new patch set that changes that. The patch set would let BPF programs called in sleepable contexts temporarily acquire locks that cause the programs to transition to an atomic context. BPF maintainer Alexei Starovoitov objected to parts of the implementation, however, so acceptance of the patch depends on whether Mohan is willing and able to straighten it out.
[$] A truce in the Manjaro governance struggle
Members of the Manjaro Linux distribution's community have published a "Manjaro 2.0 Manifesto" that contains a list of complaints and a demand to restructure the project to provide a clear separation between the community and Manjaro as a company. The manifesto asserts that the project's leadership is not acting in the best interests of the community, which has caused developers to leave and innovation to stagnate. It also demands a handover of the Manjaro trademark and other assets to a to-be-formed nonprofit association. The responses on the Manjaro forum showed widespread support for the manifesto; Philip Müller, project lead and CEO of the Manjaro company, largely stayed out of the discussion. However, he surfaced on March 19 to say he was "open to serious discussions", but only after a nonprofit had actually been set up.
[$] Development tools: Sashiko, b4 review, and API specification
The kernel project has a unique approach to tooling that avoids many commonly used development systems that do not fit the community's scale and ways of working. Another way of looking at the situation is that the kernel project has often under-invested in tooling, and sometimes seems bent on doing things the hard way. In recent times, though, the amount of effort that has gone into development tools for the kernel has increased, with some interesting results. Recent developments in this area include the Sashiko code-review system, a patch-review manager built into b4, and a new attempt at a framework for the specification and verification of kernel APIs.
LWN.net Weekly Edition for March 19, 2026
Posted Mar 19, 2026 0:00 UTC (Thu) The LWN.net Weekly Edition for March 19, 2026 is available.
Inside this week's LWN.net Weekly Edition
- Front: Privacy battles; page-cache-timing protections; null filesystems; Fedora Sandbox; safer kmalloc(); BPF in io_uring.
- Briefs: AppArmor vulnerabilities; snapd vulnerability; Sashiko; DPL election; Fedora Asahi 43; GIMP 3.2; Marknote 1.5; Quotes; ...
- Announcements: Newsletters, conferences, security updates, patches, and more.
Cindy Cohn on privacy battles old and new
Cindy Cohn is the executive director of the Electronic Frontier Foundation (EFF) and she gave the Saturday morning keynote at SCALE 23x in Pasadena about some of the work she and others have done to help protect online rights, especially digital privacy. The talk recounted some of the history of the court cases that the organization has brought over the years to try to dial back privacy invasions. One underlying theme was the role that attendees can play in protecting our rights, hearkening back to earlier efforts by the technical community.
The forge is our new home (Fedora Community Blog)
Tomáš Hrčka has announced that the Forgejo-based Fedora Forge is now a fully operational collaborative-development platform; it is ready for use by the larger Fedora community, which means the homegrown Pagure platform's days are numbered:
While pagure.io has been a vital part of our community for many years, the time has come to retire our homegrown forge and transition to this powerful new tool.
The final cutover is planned for Flock to Fedora 2026. We strongly encourage teams to migrate their projects well before the conference to ensure a smooth transition. The pagure.io migration is only the first step in a broader infrastructure modernization effort. By the 2027 Fedora 46 release, we plan to retire all remaining Pagure instances across the project, including the package source repositories on src.fedoraproject.org. Getting familiar with Fedora Forge now will help ensure your team is ready as the rest of the Fedora ecosystem transitions.
There is a migration guide for Fedora community members that own projects hosted on Pagure and need to move to the new forge.
Security updates for Thursday
Security updates have been issued by Debian (awstats, firefox-esr, and nss), Fedora (chromium, dotnet10.0, dotnet8.0, dotnet9.0, freerdp, and wireshark), Mageia (graphicsmagick and xen), Oracle (mysql:8.4 and nginx), Red Hat (podman), Slackware (bind and tigervnc), SUSE (azure-storage-azcopy, firefox-esr, giflib, glances-common, govulncheck-vulndb, grafana, kernel, libpng16, libsoup, mumble, net-snmp, perl-Crypt-URandom, pgvector-devel, pnpm, postgresql17, Prometheus, protobuf, python-cbor2, python-Jinja2, python-simpleeval, python311-dynaconf, python311-pydicom, python313-PyMuPDF, salt, snpguest, systemd, and vim), and Ubuntu (bind9, linux-azure, linux-azure, linux-azure-6.17, linux-azure-6.8, and mbedtls).
Setting up a Tor Relay at National Taiwan Normal University (Tor Blog)
The Tor Blog has an interesting article about the non-technical side of setting up a Tor Relay. It documents how a computer science student at National Taiwan Normal University worked with the university system to set up a relay and provides a template for future attempts:
In Taiwan, anonymous networks do not lack technical documentation or ideological support. The real scarcity is experience from actually working through the real institutional system once. Especially in an environment where academic networks are highly centralized and outbound connectivity is tightly controlled, distributed anonymous infrastructure like Tor Relays is inherently difficult to sustain.
This implementation at National Taiwan Normal University was not meant to provide a final answer for anonymous networks. It was a concrete attempt made within real-world institutions. It may not immediately improve the performance or security of anonymous networks, and it was not intended to become a directly reproducible standard process. What it did achieve was leaving behind a clearly visible path of practice—one that can be understood, referenced, and built upon.
LibreQoS v2.0 released
Version 2.0 of the LibreQoS traffic-management and network operations platform has been released.
This release makes LibreQoS easier to operate, easier to understand, and much more useful for day-to-day network work. Now users can see more of what is happening across the network, troubleshoot subscriber issues with better tools, and work from a much stronger local WebUI.
This release includes many capabilities that reflect ideas and direction long championed by our late colleague, Dave Täht.
Dave's work helped shape the understanding of bufferbloat and the importance of latency under load across the networking community. His influence continues to guide both LibreQoS and the broader effort to improve Internet quality.
The project has also announced the release of the LibreQoS Bufferbloat Test v2, also dedicated to Täht. It runs in a user's browser to look at "latency under load, jitter, loss, and what those things mean for the kinds of traffic people actually care about: browsing, streaming, video calls, audio calls, backups, and gaming".
Five new stable kernels
Greg Kroah-Hartman has announced the release of the 6.19.10, 6.18.20, 6.12.78, 6.6.130, and 6.1.167 stable kernels. Each contains important fixes throughout the tree. Users are advised to upgrade.
Security updates for Wednesday
Security updates have been issued by Debian (chromium), Fedora (chromium, containernetworking-plugins, musescore, and python-multipart), Mageia (perl-XML-Parser, roundcubemail, trilead-ssh2, vim, and webkit2), Oracle (389-ds:1.4, gimp:2.8, glibc, gnutls, kernel, libarchive, nginx:1.24, opencryptoki, python3, uek-kernel, vim, yggdrasil, and yggdrasil-worker-package-manager), Red Hat (delve, osbuild-composer, and skopeo), Slackware (mozilla), SUSE (dpkg, go1.26-openssl, gstreamer-plugins-ugly, kernel, libssh, ovmf, python-pyasn1, python-tornado6, python311, salt, sqlite3, and systemd), and Ubuntu (linux-aws-fips, linux-azure, linux-azure-fips, linux-fips, linux-gcp-fips, linux-iot, linux-kvm, pjproject, and redis).
Firefox 149.0 released
Version 149.0 of the Firefox web browser has been released. Notable features in this release include a new split-view feature for viewing two web pages side-by-side, a built-in VPN for browser traffic only, and more.
LiteLLM on PyPI is compromised
This issue report describes a credential-stealing attack buried within LiteLLM 1.82.8 in the PyPI repository. It collects and exfiltrates a wide variety of information, including SSH keys, credentials for a number of cloud services, crypto wallets, and so on. Anybody who has installed this package has likely been compromised and needs to respond accordingly.
Update: see this futuresearch article for some more information. "The release contains a malicious .pth file (litellm_init.pth) that executes automatically on every Python process startup when litellm is installed in the environment."
Down: Debunking zswap and zram myths
Chris Down has posted a detailed look at how the kernel's zswap and zram subsystems work — and how they differ.
Most people think of zswap and zram simply as two different flavours of the same thing: compressed swap. At a surface level, that's correct – both compress pages that would otherwise end up on disk – but they make fundamentally different bets about how the kernel should handle memory pressure, and picking the wrong one for your situation can actively make things worse than having no swap at all.
Krita 5.3.0 and 6.0.0 released
The Krita project has announced the release of Krita 5.3.0 and 6.0.0:
Krita 5.3/6.0 is the result of many years of work by the Krita developers. Some features have been rewritten from the ground up, others make their first appearance.
Enjoy the completely new text feature: on canvas editing, full opentype support, text flowing into shapes. It is now easier than ever to create vector-based panels for comic pages. Tools got extended: for instance, the fill tool now can close gaps. The liquify mode of the transform tool is much faster. There are new filters: a propagate colors filter and a reset transparent filter. Support for HDR painting has been improved. The recorder docker can now work in real time. There is improved support for file formats, like support for text objects in PSD files. And much, much, much more!
According to the announcement, the versions are almost functionally identical. However, the 6.0.0 release is the first based on Qt 6; it has more Wayland functionality but is considered experimental. It cautions that users should stick to 5.3.0 for real work. See the release notes for a full list of changes.
