Welcome to LWN.net
[$] The long path toward optimizing short reads
The kernel's file-I/O subsystems have been highly optimized over the years in the hope of providing the best performance for a wide variety of workloads. There is, however, one workload type that suffers with current kernels: applications that perform many short reads, in multiple processes, from the same file. Kiryl Shutsemau has been working on a patch to try to optimize this case, but the task is turning out to be harder than one might expect.
[$] LWN.net Weekly Edition for October 30, 2025
Posted Oct 30, 2025 0:08 UTC (Thu)
The LWN.net Weekly Edition for October 30, 2025 is available.
Inside this week's LWN.net Weekly Edition
- Front: Pixnapping attack; Fil-C; Debian ftpmasters; GoFundMe complaints; Safer user-space access.
- Briefs: Man pages 6.16; Btrfs on AlmaLinux; Fedora Linux 43; ICANN report; PSF grants; Rust Coreutils 0.3.0; Tor Browser 15.0; Quotes; ...
- Announcements: Newsletters, conferences, security updates, patches, and more.
[$] Retrieving pixels from Android phones with Pixnapping
A new class of attacks on Android phones, called "Pixnapping", was announced on October 13. It allows a malicious app to gather output rendered in a victim app, pixel-by-pixel, by exploiting a GPU side-channel. Depending on what the victim app displays, anything from sensitive email and chats to two-factor authentication (2FA) codes could be captured—and shipped off to an attacker's site.
[$] Debian splits ftpmaster team
Debian's ftpmaster team has been responsible for allowing new packages to enter Debian, removing old packages, and otherwise maintaining Debian's package archive for more than two decades. As of October 26, the team is no more and its duties are being split between two new teams. The Archive Operations Team will focus on the infrastructure required to support the Debian archives, while the DFSG, Licensing & New Packages Team is responsible for reviewing packages entering the new queue. In time, this move could speed up processing of new packages, as well as making the teams more sustainable, but only after new members are recruited and trained. For now, the same folks are doing the work but spread across two teams.
[$] Fil-C: A memory-safe C implementation
Fil-C is a memory-safe implementation of C and C++ that aims to let C code — complete with pointer arithmetic, unions, and other features that are often cited as a problem for memory-safe languages — run safely, unmodified. Its dedication to being "fanatically compatible" makes it an attractive choice for retrofitting memory-safety into existing applications. Despite the project's relative youth and single active contributor, Fil-C is capable of compiling an entire memory-safe Linux user space (based on Linux From Scratch), albeit with some modifications to the more complex programs. It also features memory-safe signal handling and a concurrent garbage collector.
[$] BPF signing LSM hook change rejected
BPF lets users load programs into a running kernel. Even though BPF programs are checked by the verifier to ensure that they stay inside certain limits, some users would still like to ensure that only approved BPF programs are loaded. KP Singh's patches adding that capability to the kernel were accepted in version 6.18, but not everyone is satisfied with his implementation. Blaise Boscaccy, who has been working to get a version of BPF code signing with better auditability into the kernel for some time, posted a patch set on top of Singh's changes that alters the loading process to not invoke security module hooks until the entire loading process is complete. The discussion on the patch set is the continuation of a long-running disagreement over the interface for signed BPF programs.
[$] GoFundMe to delete unwanted open-source foundation pages
Open-source foundations and projects that have charity status in the US may want to see if GoFundMe has created a profile for them without permission. The company has operated since 2010 as a self-service fundraising platform; individuals or groups could create pages to raise money for all manner of causes. In June, the company announced that it would expand its offerings to "manage all aspects of charitable giving" for users through its platform. That seems to include creating profiles for nonprofit organizations without their involvement. After pushback, the company said on October 23 that it would be removing the pages. It has not answered more fundamental questions about how it planned to disburse funds to nonprofits that had no awareness of the GoFundMe pages in the first place.
[$] Safer speculation-free user-space access
The Spectre class of hardware vulnerabilities truly is a gift that keeps on giving. New variants are still being discovered in current CPUs nearly eight years after the disclosure of this problem, and developers are still working to minimize the performance costs that come from defending against it. The masked user-space access mechanism is a case in point: it reduces the cost of defending against some speculative attacks, but it brought some challenges of its own that are only now being addressed.
LWN.net Weekly Edition for October 23, 2025
Posted Oct 23, 2025 0:12 UTC (Thu)
The LWN.net Weekly Edition for October 23, 2025 is available.
Inside this week's LWN.net Weekly Edition
- Front: Git 3.0 topics; Lazy imports for Python; RubyGems; LLMs for patch review; DebugFS.
- Briefs: Fedora AI policy; OpenBSD 7.8; DigiKam 8.8.0; Forgejo 13.0; KDE Plasma 6.5; RubyGems; Valkey 9.0.0; Quotes; ...
- Announcements: Newsletters, conferences, security updates, patches, and more.
DebugFS on Rust
DebugFS is the kernel's anything-goes, no-rules interface: whenever a kernel developer needs quick access to internal details of the kernel to debug a problem, or to implement an experimental control interface, they can expose them via DebugFS. This is possible because DebugFS is not subject to the normal rules for user-space-interface stability, nor to the rules about exposing sensitive kernel information. Supporting DebugFS in Rust drivers is an important step toward being able to debug real drivers on real hardware. Matthew Maurer spoke at Kangrejos 2025 about his recently merged DebugFS bindings for Rust.
Rust 1.91.0 released
Version 1.91.0 of the Rust language has been released. Changes include promoting aarch64-pc-windows-msvc to a tier-1 platform, a new lint to catch dangling raw pointers from local variables, and a fair number of newly stabilized APIs.
Bazzite Fall update released
The Universal Blue project has announced the Fall update for the Fedora-based Bazzite gaming distribution. This release brings Bazzite up to Fedora 43, includes support for additional handheld gaming systems, as well as drivers for a number of steering wheel devices, and more.
Security updates for Thursday
Security updates have been issued by AlmaLinux (java-21-openjdk and libtiff), Debian (pdns-recursor and xorg-server), Fedora (bind, bind-dyndb-ldap, dtk6core, dtk6gui, dtk6log, dtk6widget, fcitx5-qt, fluidsynth, gammaray, kddockwidgets, LabPlot, mingw-qt6-qt3d, mingw-qt6-qt5compat, mingw-qt6-qtactiveqt, mingw-qt6-qtbase, mingw-qt6-qtcharts, mingw-qt6-qtdeclarative, mingw-qt6-qtimageformats, mingw-qt6-qtlocation, mingw-qt6-qtmultimedia, mingw-qt6-qtpositioning, mingw-qt6-qtscxml, mingw-qt6-qtsensors, mingw-qt6-qtserialport, mingw-qt6-qtshadertools, mingw-qt6-qtsvg, mingw-qt6-qttools, mingw-qt6-qttranslations, mingw-qt6-qtwebchannel, mingw-qt6-qtwebsockets, nheko, python-pyqt6, qt-creator, qt6, qt6-qt3d, qt6-qt5compat, qt6-qtbase, qt6-qtcharts, qt6-qtcoap, qt6-qtconnectivity, qt6-qtdatavis3d, qt6-qtdeclarative, qt6-qtgrpc, qt6-qthttpserver, qt6-qtimageformats, qt6-qtlanguageserver, qt6-qtlocation, qt6-qtlottie, qt6-qtmqtt, qt6-qtmultimedia, qt6-qtnetworkauth, qt6-qtopcua, qt6-qtpositioning, qt6-qtquick3d, qt6-qtquick3dphysics, qt6-qtquicktimeline, qt6-qtremoteobjects, qt6-qtscxml, qt6-qtsensors, qt6-qtserialbus, qt6-qtserialport, qt6-qtshadertools, qt6-qtspeech, qt6-qtsvg, qt6-qttools, qt6-qttranslations, qt6-qtvirtualkeyboard, qt6-qtwayland, qt6-qtwebchannel, qt6-qtwebengine, qt6-qtwebsockets, qt6-qtwebview, unbound, xorg-x11-server-Xwayland, and zeal), Oracle (kernel and libtiff), Red Hat (redis:6), Slackware (tigervnc and xorg), SUSE (java-21-openjdk, java-25-openjdk, strongswan, and xorg-x11-server), and Ubuntu (amd64-microcode, binutils, and xorg-server, xwayland).
GNU/Linux man pages 6.16 released
Alejandro Colomar has announced the release of version 6.16 of the GNU/Linux man pages. This release includes new or rewritten man pages for fsconfig(), fsmount(), and fsopen(), as well as a number of newly documented interfaces in existing man pages. The release is also available as a PDF book.
ICANN report: DNS runs on FOSS
ICANN's Security and Stability Advisory Committee (SSAC) has announced a report on "the critical role of Free and Open Source Software (FOSS) within the Domain Name System (DNS)". The report is aimed at policymakers and examines recent cybersecurity regulations in the US, UK, and EU as they apply to FOSS in the DNS system; it includes findings and guidelines "to strengthen the FOSS ecosystem that is critical to the secure and stable operation of the Internet". From the report's summary:
This ecosystem depends on a global network of maintainers and contributors who are often unpaid volunteers. While many are unpaid volunteers, the DNS space is unique in also relying on a handful of long-lived maintenance organizations. This creates a model based on community collaboration rather than the commercial contracts that define a traditional software supply chain, which introduces unique risks related to financial sustainability for the maintenance organizations and maintainer burnout for volunteers.
These unique characteristics mean that regulatory frameworks designed for proprietary software may not be well-suited for FOSS and therefore could have severe unintended consequences to the stability of critical Internet infrastructure.
Thanks to SSAC member Maarten Aertsen for the tip.
Tor Browser 15.0 released
Version 15.0 of the Tor Browser has been released:
This is our first stable release based on Firefox ESR 140, incorporating a year's worth of changes that have been shipped upstream in Firefox. As part of this process, we've also completed our annual ESR transition audit, where we reviewed and addressed around 200 Bugzilla issues for changes in Firefox that may negatively affect the privacy and security of Tor Browser users. Our final reports from this audit are now available in the tor-browser-spec repository on our GitLab instance.
This release inherits the vertical tabs feature, unified search button, as well as other new features and usability improvements in Firefox that have passed the Tor Project's audit.
Seven stable kernels for Wednesday
Greg Kroah-Hartman has announced the release of the 6.17.6, 6.12.56, 6.6.115, 6.1.158, 5.15.196, 5.10.246, and 5.4.301 stable kernels. As always, each contains important fixes throughout the tree. Users of these kernels are advised to upgrade.
Security updates for Wednesday
Security updates have been issued by Debian (gimp, python-authlib, and xorg-server), Fedora (chromium and git-lfs), Mageia (poppler and tomcat), Red Hat (kernel, kernel-rt, redis, and redis:6), SUSE (fetchmail, grafana, ImageMagick, kernel-devel, libluajit-5_1-2, proxy-helm, python-Authlib, and xen), and Ubuntu (linux-intel-iotg, linux-intel-iotg-5.15 and squid, squid3).
Fedora Linux 43 released (Fedora Magazine)
The Fedora Project has announced the release of Fedora Linux 43, with "what's new" articles for Fedora Workstation, Fedora KDE Plasma Desktop, and Fedora Atomic Desktops.
For those of you installing fresh Fedora Linux 43 Spins, you may be greeted with the new Anaconda WebUI. This was the default installer interface for Fedora Workstation 42, and now it's the default installer UI for the Spins as well.
If you are a GNOME desktop user, you'll also notice that the GNOME is now Wayland-only in Fedora Linux 43. GNOME upstream has deprecated X11 support, and has disabled it as a compile time default in GNOME 49. Upstream GNOME plans to fully remove X11 support in GNOME 50.
See the release notes for a full list of changes in Fedora 43.
Security updates for Tuesday
Security updates have been issued by AlmaLinux (kernel, kernel-rt, libtiff, squid:4, and thunderbird), Debian (strongswan and webkit2gtk), Fedora (pcre2, qt5-qtbase, squid, unbound, and xen), Mageia (icu and libtpms), Oracle (java-1.8.0-openjdk, java-17-openjdk, java-21-openjdk, kernel, squid:4, and thunderbird), Red Hat (libtiff, squid, squid:4, and webkit2gtk3), SUSE (cmake, dracut-saltboot, erlang, exim, expat, ffmpeg-4, firefox, golang-github-prometheus-alertmanager, haproxy, java-11-openjdk, kernel, libxslt, multi-linux-manager, openssl-3, podman, rabbitmq-server, spacewalk-web, strongswan, and wireshark), and Ubuntu (gst-plugins-good1.0, linux-aws-5.15, radare2, ruby2.3, ruby2.5, ruby2.7, and strongswan).