LWN.net

Kernel prepatch 7.0-rc4

corbet — Sun, 15 Mar 2026 22:37:28 +0000

Linus has released 7.0-rc4 for testing.

Then Thursday hit with the networking pull. And then on Friday everybody else decided to send in their work for the week, with a few more trickling in over the weekend. End result: what had for a short few days looked like a nice calm week turned into another "bigger than usual" release candidate.
To be fair, that "almost everything comes in at the end of the week" is 100% normal, and none of this is surprising. I was admittedly hoping that things would start to calm down, but that was not to be.
I no longer really believe that it was the one extra week we had last release cycle: I'm starting to suspect it's the psychological result of "hey, new major number", and people are just being a bit more active as a result.

Stable kernels for Friday the 13th

jzb — Fri, 13 Mar 2026 18:26:09 +0000

Greg Kroah-Hartman has announced the release of the 6.19.8, 6.18.18, and 6.12.77 stable kernels. Each of these kernels includes a number of important fixes; users are advised to upgrade.

An investigation of the forces behind the age-verification bills

corbet — Fri, 13 Mar 2026 14:09:58 +0000

Reddit user "Ok_Lingonberry3296" has posted the results of an extensive investigation into the companies that are pushing US state legislatures to enact age-verification bills.

I've been pulling public records on the wave of "age verification" bills moving through US state legislatures. IRS 990 filings, Senate lobbying disclosures, state ethics databases, campaign finance records, corporate registries, WHOIS lookups, Wayback Machine archives. What started as curiosity about who was pushing these bills turned into documenting a coordinated influence operation that, from a privacy standpoint, is building surveillance infrastructure at the operating system level while the company behind it faces zero new requirements for its own platforms.

(See also this article for a look at the California law.)

A set of AppArmor vulnerabilities

corbet — Fri, 13 Mar 2026 14:02:32 +0000

Qualys has sent out a somewhat breathless advisory describing a number of vulnerabilities in the AppArmor security module, which is used in a number of Debian-based distributions (among others).

This "CrackArmor" advisory exposes a confused-deputy flaw allowing unprivileged users to manipulate security profiles via pseudo-files, bypass user-namespace restrictions, and execute arbitrary code within the kernel. These flaws facilitate local privilege escalation to root through complex interactions with tools like Sudo and Postfix, alongside denial-of-service attacks via stack exhaustion and Kernel Address Space Layout Randomization (KASLR) bypasses via out-of-bounds reads.

[$] More timing side-channels for the page cache

daroc — Fri, 13 Mar 2026 13:59:14 +0000

In 2019, researchers published a way to identify which file-backed pages were being accessed on a system using timing information from the page cache, leading to a handful of unpleasant consequences and a change to the design of the mincore() system call. Discussion at the time led to a number of ad-hoc patches to address the problem. The lack of new page-cache attacks suggested that attempts to fix things in a piecemeal fashion had succeeded. Now, however, Sudheendra Raghav Neela, Jonas Juffinger, Lukas Maar, and Daniel Gruss have found a new set of holes in the Linux kernel's page-cache-timing protections that allow the same general class of attack.

Security updates for Friday

jzb — Fri, 13 Mar 2026 13:09:10 +0000

Security updates have been issued by Debian (chromium, kernel, and multipart), Fedora (dnf5, dr_libs, easyrpg-player, libmaxminddb, python3.12, strongswan, task, and udisks2), Oracle (.NET 10.0, .NET 8.0, .NET 9.0, gnutls, ImageMagick, kernel, libvpx, mingw-libpng, nginx:1.26, python3.11, and uek-kernel), Red Hat (delve, git-lfs, mingw-libpng, osbuild-composer, and rhc-worker-playbook), SUSE (cjson, curl, dnsdist, libsoup2, postgresql16, postgresql17, postgresql18, python-lxml_html_clean, python-pypdf2, python36, and thunderbird), and Ubuntu (dotnet8, dotnet9, dotnet10, freetype, golang-github-go-git-go-git, golang-golang-x-net, openssh, python-cryptography, sudo, and util-linux).

[$] Practical uses for a null filesystem

corbet — Thu, 12 Mar 2026 14:58:09 +0000

One of the first changes merged for the upcoming 7.0 release was [email protected]/">nullfs, an empty filesystem that cannot actually contain any files. One might logically wonder why the kernel would need such a thing. It turns out, though, that there are places where a null filesystem can come in handy. For 7.0, nullfs will be used to make life a bit easier for init programs; future releases will likely use nullfs to increase the isolation of kernel threads from the init process.

Two stable kernels for Thursday

jzb — Thu, 12 Mar 2026 13:19:12 +0000

Sasha Levin has announced the release of the 6.19.7 and 6.18.17 stable kernels. As usual, each contains important fixes throughout the tree; users are advised to upgrade.

Security updates for Thursday

jzb — Thu, 12 Mar 2026 13:11:32 +0000

Security updates have been issued by AlmaLinux (gimp, git-lfs, grafana-pcp, kernel, mysql8.4, nfs-utils, opentelemetry-collector, osbuild-composer, postgresql:16, and python3.12), Debian (imagemagick and netty), Fedora (dr_libs and python-lxml-html-clean), Slackware (libarchive and libxml2), SUSE (busybox, coredns, firefox, freerdp, ghostty, gnutls, go1.25, go1.26, GraphicsMagick, grype, helm, helm3, ImageMagick, perl-Compress-Raw-Zlib, python, python311-lxml_html_clean, python311-PyPDF2, tomcat11, and traefik), and Ubuntu (curl, gimp, and libpng).

[$] LWN.net Weekly Edition for March 12, 2026

jzb — Thu, 12 Mar 2026 00:08:50 +0000

Inside this week's LWN.net Weekly Edition:

Front: Chardet; Linux and age verification; Debian AI; Python lazy imports; Python type-system PEP; PQC HTTPS certificates; MGLRU; Fedora strategy.
Briefs: LLM vulnerability; NTP security; OpenWrt 25.12.0; SUSE sale; Buildroot 2026.02; digiKam 9.0.0; Rust 1.94.0; Quotes; ...
Announcements: Newsletters, conferences, security updates, patches, and more.

[$] California's Digital Age Assurance Act and Linux distributions

jzb — Wed, 11 Mar 2026 17:35:20 +0000

A recently enacted law in California imposes an age-verification requirement on operating-system providers beginning next year. The language of the Digital Age Assurance Act does not restrict its requirements to proprietary or commercial operating systems; projects like Debian, FreeBSD, Fedora, and others seem to be on the hook just as much as Apple or Microsoft. There is some hope that the law will be amended, but there is no guarantee that it will be. This means that the developer communities behind Linux distributions are having to discuss whether and how to comply with the law with little time and even less legal guidance.

Introducing Moonforge: a Yocto-based Linux OS (Igalia Blog)

jzb — Wed, 11 Mar 2026 16:46:06 +0000

Igalia has announced the Moonforge Linux distribution, based on OpenEmbedded and Yocto.

Moonforge is an operating system framework for Linux devices that simplifies the process of building and maintaining custom operating systems.

It provides a curated collection of Yocto layers and configuration files that help developers generate immutable, maintainable, and easily updatable operating system images.

The goal is to offer the best possible developer experience for teams building embedded Linux products. Moonforge handles the complex aspects of operating system creation, such as system integration, security, updates, and infrastructure, so developers can focus on building and deploying their applications or devices.

[$] HTTPS certificates in the age of quantum computing

daroc — Wed, 11 Mar 2026 13:26:54 +0000

There has been ongoing discussion in the Internet Engineering Task Force (IETF) about how to protect internet traffic against future quantum computers. So far, that work has focused on key exchange as the most urgent problem; now, a new IETF working group is looking at adopting post-quantum cryptography for authentication and certificate transparency as well. The main challenge to doing so is the increased size of certificates — around 40 times larger. The techniques that the working group is investigating to reduce that overhead could have efficiency benefits for traditional certificates as well.

Security updates for Wednesday

jzb — Wed, 11 Mar 2026 13:09:03 +0000

Security updates have been issued by AlmaLinux (kernel, kernel-rt, libvpx, nfs-utils, nginx:1.26, osbuild-composer, postgresql, postgresql:12, postgresql:13, postgresql:15, postgresql:16, and python-pyasn1), Debian (imagemagick), Fedora (perl-Crypt-SysRandom-XS and systemd), Mageia (yt-dlp), Oracle (delve, gimp, git-lfs, go-rpm-macros, image-builder, kernel, libpng, libvpx, mysql8.4, nfs-utils, osbuild-composer, postgresql16, postgresql:12, postgresql:13, postgresql:15, postgresql:16, python-pyasn1, python3, python3.12, python3.9, and thunderbird), SUSE (python-aiohttp, python-maturin, python311-pymongo, rclone, and util-linux), and Ubuntu (linux-nvidia, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, and python-geopandas).

[$] Disabling Python's lazy imports from the command line

jake — Tue, 10 Mar 2026 22:17:12 +0000

The advent of lazy imports in the Python language is upon us, now that PEP 810 ("Explicit lazy imports") was accepted by the steering council and the feature will appear in the upcoming Python 3.15 release in October. There are a number of good reasons, performance foremost, for wanting to defer spending—perhaps wasting—the time to do an import before a needed symbol is used. However, there are also good reasons not to want that behavior, at least in some cases. The tension between those two positions is what led to an earlier PEP rejection, but it is also playing into a recent discussion of the API used to control lazy imports.