Welcome to LWN.net
LWN.net is a reader-supported news site dedicated to producing the best coverage from within the Linux and free software development communities. See the LWN FAQ for more information, and please consider subscribing to gain full access and support our activities.
[$] Eliminating long-lived credentials with trusted publishing
Trusted publishing is an authentication mechanism that relies on short-lived credentials to reduce the risk of supply-chain attacks. At the 2026 Open Source Summit North America, Mike Fiedler walked the audience through why trusted publishing exists, how it works, and made the case for its adoption. It is not a silver bullet against all attacks, but it does offer protection against theft of long-lived credentials used to publish to package registries.
[$] BPF loop verification with scalar evolution
The BPF verifier has, in the course of wrestling with the difficult problem of statically analyzing loops, grown special support for many kinds of loops over its history, but its fundamental approach to simple for loops has not changed. When it encounters a loop, it evaluates it, iteration by iteration, until reaching an exit condition — a process that can cause the verifier to mistakenly hit the limit on the number of allowed instructions where a better implementation would not. Eduard Zingerman spoke at the 2026 Linux Storage, Filesystem, Memory-Management, and BPF Summit about his in-progress work on improving the verifier's treatment of loops, especially nested loops.
[$] An update on fanotify
In a filesystem-track session at the 2026 Linux Storage, Filesystem, Memory Management, and BPF Summit, Amir Goldstein updated attendees on the fanotify filesystem-event monitoring subsystem. He wanted to describe changes that had come in the last year or so, as well as upcoming features and some remaining challenges in his efforts to use fanotify for hierarchical storage management (HSM). Fanotify is the user-space API for monitoring files, directories, and filesystems for events of various sorts (e.g. opening or deleting a file).
[$] Moving beyond fork() + exec()
Since the earliest days of Unix, two of the core process-oriented system calls have been fork(), which creates a child process as a copy of the parent, and exec(), which runs a new program in the place of the current one. In Linux kernels, those system calls are better known as clone() and execve(), but the core functionality remains the same. While there is elegance to this process-creation model, there are shortcomings as well. A recent proposal from Li Chen to add "spawn templates" to the kernel will not be accepted in its current form, but it may point the way toward a new process-creation primitive in the future.
[$] Splicing out vmsplice()
The splice() and vmsplice() system calls are meant to improve performance for certain data-movement tasks by minimizing (or avoiding altogether) system calls and the copying of data. They also have a long history of security problems. The recent flood of LLM-discovered vulnerabilities has drawn attention, once again, to splice() and vmsplice(); as a result, they may end up being removed altogether.
[$] LWN.net Weekly Edition for June 4, 2026
Posted Jun 4, 2026 1:31 UTC (Thu)The LWN.net Weekly Edition for June 4, 2026 is available.
Inside this week's LWN.net Weekly Edition
- Front: MeshCore; x32 ABI; Open-source security; Package-manager metadata; More LSFMM+BPF coverage; Loadable crypto module.
- Briefs: Lightwell; jqwik protestware; RedHat package compromise; DistroWatch; Fedora election; Rust 1.96.0; rsync; Vim Classic 8.3; Quotes; ...
- Announcements: Newsletters, conferences, security updates, patches, and more.
[$] Open-source security is not a solo activity
Over time, many open-source maintainers face the same problem: they lack the time to do all of the work that their project needs, and no one else is stepping up to provide adequate help. Maintainers, though, are often reluctant to throw in the towel. The result is suboptimal all around; the maintainer is stressed out, project quality suffers, and users face security risks that they may not be fully aware of. At the 2026 Open Source Summit North America, Robin Bender Ginn spoke about this problem, when it might be time for maintainers to pass the torch, and the responsibilities of users.
[$] BPF in the agentic era
Alexei Starovoitov gave "less of a presentation, more of a scream of
realization
" at the BPF track of the 2026
Linux Storage, Filesystem,
Memory-Management, and BPF Summit. He shared a set of ideas for how BPF could
change to avoid being swept away by the sea-change in programming represented by modern
large language models (LLMs) and the coding agents based on them.
In a follow-up session, the discussion covered
more problems with how coding agents use tools like bpftrace, and the current deluge of
patches in need of review in the BPF subsystem.
[$] Caching for extended attributes
Extended attributes (xattrs) provide a way to attach key/value metadata to inodes—files, directories, and the like—in a filesystem. As with many Linux filesystems, the FUSE filesystem supports xattrs. In a filesystem-track session at the 2026 Linux Storage, Filesystem, Memory Management, and BPF Summit, FUSE maintainer Miklos Szeredi led a discussion about caching xattrs in kernel memory; he would like to create some common infrastructure that could be used by FUSE and shared with other filesystems.
[$] Trying to make sense of package-manager metadata
Package managers for operating systems and programming languages have been around for decades. Each package manager, and its accompanying packaging format, has been shaped by the needs of its respective ecosystem, but there is a growing need to make use of package metadata for more than software management: for example, in vulnerability scans, software bills of materials (SBOMs), and more. On May 19, Damián Vicino spoke at the Open Source Summit North America 2026 about his experiences in the past year trying to make sense of the varied metadata provided by more than 20 package managers.
Future of Ubuntu MATE
Thomas Ward has published an update about the future of the Ubuntu MATE project, which did not have a 26.04 release with the other Ubuntu flavors in April:
There is a new team working on Ubuntu MATE who have stepped up to help take over flavor management. They haven't formally introduced themselves yet, but I can safely say that other developers HAVE stepped up for the future of the MATE flavor, despite its prior team lead having stepped down.
[...] Ultimately, this means that they are working to cover the missed items and gaps, and may quite possibly have a 26.10 release in October of 2026, which I believe they most likely are targeting.
This also means that bugs in the MATE environment and in packages they normally would have shipped had they have a 26.04 release are still going to get attention and fixes. So, effectively, nothing has changed. The only difference is that there was no 26.04 installer image released.
For those looking to install a MATE desktop on a "clean" install of Ubuntu 26.04, Ward suggests installing Ubuntu Server and then installing the ubuntu-mate-desktop package.
Asahi Linux warns users not to upgrade to macOS 27 beta
The Asahi Linux project, which brings Linux support to Apple Arm-based Macs, has warned its users not to upgrade to the macOS 27 "Golden Gate" beta.
Apple has changed how the boot picker and Startup Disk applications detect valid OS boot volumes. When using either from macOS 27, your Asahi partition will not be visible! We believe this to be a bug, and have filed a report (FB22994760).
If you have already upgraded to the beta and noticed that your Asahi partition has disappeared, do not stress. Your Asahi partition is still there, and you have not lost any data.
The Asahi Linux installer has been patched to prevent use with macOS 27 for now, but any users already bitten by the change will need to use macOS 26 to restore access to Asahi Linux.
Security updates for Tuesday
Security updates have been issued by AlmaLinux (bind and libyang), Debian (keystone and openssl), Fedora (mingw-objfw, objfw, sentencepiece, and tailscale), Mageia (packagekit and suricata), Oracle (bind, bind9.16, go-toolset:ol8, ImageMagick, kernel, samba, and vim), SUSE (apache-commons-lang3, apache-commons-text, apache-commons- configuration2, apache-commons-cli, apache-commons-io, apache-commons-codec, avahi, busybox, chromedriver, chromium, csync2, firewalld, frr, gleam, helm, kernel-devel, keybase-client, libmozjs-140-0, libopenvswitch-3_7-0, libsoup, memcached, mutt, openjpeg2, ovmf, perl-HTML-Parser, perl-Net-CIDR-Set, perl-Protocol-HTTP2, postgresql-jdbc, postgresql17, python-CairoSVG, python-Flask, python-pip, python-pyOpenSSL, python-python-multipart, python-Twisted, python-urllib3, python-urllib3_1, python-uv, python311, rsync, tomcat, and tree-sitter), and Ubuntu (alsa-lib, cups, inetutils, isc-kea, jpeg-xl, libnet-cidr-lite-perl, netatalk, netty, nginx, node-shell-quote, php-twig, pillow, poppler, rsync, strongswan, systemd, and transmission).
Linux App Summit 2026 (Heise)
Heise is carrying a report from the Linux App Summit, held in Berlin in May.
The slightly more than a dozen talks were symbolically framed between the opening keynote by systemd creator Lennart Poettering and the closing talk by Jorge Castro, initiator of the Universal Blue project, from which the modern Linux systems Bluefin and Bazzite emerged. Both Castro and Poettering call for a fundamental rethink of how Linux operating systems are delivered but pursue different approaches.
Three stable kernels for Tuesday
Greg Kroah-Hartman has announced the release of the 7.0.12, 6.18.35, and 6.12.93 stable kernels. Each contains important fixes throughout the tree. Users are advised to upgrade.
rsync 3.4.4 released with regression fixes
Andrew Tridgell has announced the release of rsync 3.4.4 with fixes for the regressions introduced in the 3.4.3 release. He also notes there will be an rsync 3.5.0 soon, with many more security updates:
As part of the 3.5.0 release update I have created a rsync-security@lists.samba.org mailing list for anyone who is willing to do testing of the 3.5.0 release. The idea is to try to reduce the chance of more regressions by expanding the set of testers of this release. I have seeded it with people who were involved in past rsync security issues. If you want to join this list then the easiest way would be for you to be vouched for by someone on the distros@vs.openwall.org list or someone else I already trust.
My apologies for the regressions in the 3.4.3 release and I hope future security updates for rsync will have less issues. The greatly expanded test suite in rsync 3.5 combined with the rsync-security mailing list should help.
Security updates for Monday
Security updates have been issued by AlmaLinux (bind, bind9.16, frr, kernel, kernel-rt, libexif, mysql, php, and unbound), Debian (apache2, chromium, glibc, gsasl, jackson-core, libxml2, nginx, request-tracker4, request-tracker5, tomcat10, tomcat11, and tomcat9), Fedora (chromium, firefox, haveged, keylime, libinput, libssh2, nasm, perl-CryptX, rust, thunderbird, and webkitgtk), Mageia (cockpit, golang-x-crypto, golang-x-sys-devel, kernel, kmod-virtualbox, kmod-xtables-addons, kernel-linus, perl-DBIx-Class-EncodedColumn, perl-Crypt-URandom-Token, xdg-dbus-proxy, and xmlrpc-c), Slackware (samba), and SUSE (7zip, amazon-ssm-agent, ansible-13, ansible-core, assimp-devel, bind, cacti, chromium, dpkg, epiphany, erlang27, evince, ffmpeg-4, freerdp, frr, git-bug, google-guest-agent, grafana, hauler, ignition, jq, kanidm, kernel, keybase-client, libjxl, libmariadbd-devel, libmozjs-115-0, libopenbabel8, libsoup2, mariadb, mcphost, networkmanager, openssh, perl-HTTP-Daemon, perl-HTTP-Tiny, perl-IO-Compress, perl-Sereal-Decoder, perl-xml-libxml, postgresql18, python-pyopenssl, python311-pip, tomcat, tomcat10, tomcat11, tor, trivy, unbound, uriparser, vifm, weblate, xorg-x11-server, and yq).
Kernel prepatch 7.1-rc7
The 7.1-rc7 kernel prepatch is out for
testing. Linus said: "Anyway, as things look now this is the last
rc. Something can obviously always come up and force us to change that, but
please give rc7 a whirl and keep testing for one more week.
"
Ruby's Bundler adds a cooldown feature
Version 4.0.13 of Ruby's Bundler package-manager has added dependency cooldowns in order to help mitigate the effect of supply-chain attacks:
Most supply-chain attacks against RubyGems exploit a narrow window: an account is compromised, a malicious version ships, and any bundle install in the minutes that follow resolves straight to it. Bundler 4.0.13 introduces cooldown, a time-based filter that refuses to resolve to a version until it has been public for at least N days. Releases too new to have been scrutinized are passed over in favor of ones that have aged past the window.
The feature was designed in the open, drawing on how other ecosystems approach the same problem. It is opt-in, and complements rather than replaces existing defenses like mandatory 2FA and trusted publishing.
LWN covered dependency cooldowns in April, and the takeover of RubyGems and Bundler in October 2025.
Security updates for Friday
Security updates have been issued by AlmaLinux (kernel), Debian (dovecot, exim4, frr, and haveged), Fedora (cockpit, freeipa, jpegxl, libre, nextcloud, perl-Cpanel-JSON-XS, perl-Crypt-Argon2, perl-Dist-Build, perl-ExtUtils-Builder, perl-ExtUtils-Builder-Compiler, perl-HTTP-Tiny, perl-libwww-perl, python-starlette, rubygem-yard, rust-sequoia-cert-store, rust-sequoia-chameleon-gnupg, rust-sequoia-octopus-librnp, rust-sequoia-sop, rust-sequoia-sq, rust-sequoia-wot, samba, and transmission), Red Hat (image-builder), Slackware (dnsmasq and libinput), SUSE (evince, glibc, google-guest-agent, hplip, ignition, LibVNCServer, libzypp, libsolv, python-Pillow, salt, thunderbird, and vim), and Ubuntu (apache2, linux, linux-aws, linux-aws-5.15, linux-aws-fips, linux-fips, linux-gcp, linux-gcp-5.15, linux-gcp-fips, linux-gke, linux-gkeop, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-intel-iot-realtime, linux-intel-iotg, linux-kvm, linux-nvidia, linux-nvidia-tegra, linux-nvidia-tegra-5.15, linux-nvidia-tegra-igx, linux-oracle, linux-raspi, linux-realtime, linux, linux-aws, linux-aws-fips, linux-azure, linux-azure-5.4, linux-azure-fips, linux-bluefield, linux-fips, linux-gcp, linux-gcp-5.4, linux-gcp-fips, linux-iot, linux-kvm, linux-oracle, linux-oracle-5.4, linux-xilinx-zynqmp, linux, linux-azure, linux-azure-4.15, linux-azure-fips, linux-fips, linux-gcp-4.15, linux-gcp-fips, linux-kvm, linux-oracle, linux-aws-5.4, linux-hwe-5.4, linux-azure-fips, linux-fips, linux-raspi, linux-raspi-5.4, nano, postfix, robocode, tomcat6, tomcat7, and yard).