Jon Seager, VP of engineering for Canonical, has announced a plan to develop a universal Public Key Infrastructure tool called upki:

Earlier this year, LWN featured an excellent article titled "Linux's missing CRL infrastructure". The article highlighted a number of key issues surrounding traditional Public Key Infrastructure (PKI), but critically noted how even the available measures are effectively ignored by the majority of system-level software on Linux.

One of the motivators for the discussion is that the Online Certificate Status Protocol (OCSP) will cease to be supported by Let's Encrypt. The remaining alternative is to use Certificate Revocation Lists (CRLs), yet there is little or no support for managing (or even querying) these lists in most Linux system utilities.

To solve this, I'm happy to share that in partnership with rustls maintainers Dirkjan Ochtman and Joe Birr-Pixton, we're starting the development of upki: a universal PKI tool. This project initially aims to close the revocation gap through the combination of a new system utility and eventual library support for common TLS/SSL libraries such as OpenSSL, GnuTLS and rustls.

No code is available as of yet, but the announcement indicates that upki will be available as an opt-in preview for Ubuntu 26.04 LTS. Thanks to Dirjan Ochtman for the tip.

Greg Kroah-Hartman has announced the release of the 6.17.11, 6.12.61, 6.6.119, 6.1.159, 5.15.197, and 5.10.247 stable kernels. Each contains important fixes throughout the tree; users of these kernels should upgrade.

Version 3.23.0 of Alpine Linux has been released. Notable changes in this release include an upgrade to version 3.0 of the Alpine Package Keeper (apk), and replacing the linux-edge package with linux-stable:

For years, linux-lts and linux-edge grew apart and developed their own kernel configs, different architectures, etc.

Now linux-edge gets replaced with linux-stable which has the identical configuration as linux-lts, but follows the stable releases instead of the long-term releases (see https://kernel.org/).

The /usr merge planned for this release has been postponed; a new timeline for the change will be published later. See the release notes for more information on this release.

Andreas Schneider has announced version 2.0 of the cmocka unit-testing framework for C:

This release represents a major modernization effort, bringing cmocka firmly into the "modern" C99 era while maintaining the simplicity and ease of use that users have come to expect.

One of the most significant changes in cmocka 2.0 is the migration to C99 standard integer types. The LargestIntegralType typedef has been replaced with intmax_t and uintmax_t from stdint.h, providing better type safety and portability across different platforms. Additionally, we've adopted the bool type where appropriate, making the code more expressive and self-documenting.

Using intmax_t and uintmax_t also allows to print better error messages. So you can now find e.g. assert_int_equal and assert_uint_equal.

cmocka 2.0 introduces a comprehensive set of type-specific assertion macros, including `assert_uint_equal()`, `assert_float_equal()`, and enhanced pointer assertions. The mocking system has also been significantly improved with type-specific macros like `will_return_int()` and `will_return_float()`. The same for parameter checking etc.

LWN covered the project early in its development in 2013. See the full list of new features, enhancements, and bug fixes in cmocka 2.0 in the changelog.

• Front: Rust in Debian; Python comprehensions; asynchronous Zig; BPF and io_uring; C safety; 6.18 statistics; just.
• Briefs: Landlock; Let's Encrypt lifetimes; Last 5.4 kernel; TAB election; AlmaLinux 10.1; FreeBSD 15.0; NixOS 25.11; Django 6.0; Home Assistant 2025.12; PHP 8.5.0; Racket 9.0; Quotes; ...
• Announcements: Newsletters, conferences, security updates, patches, and more.

Over time, many Linux users wind up with a collection of aliases, shell scripts, and makefiles to run simple commands (or a series of commands) that are often used, but challenging to remember and annoying to type out at length. The just command runner is a Rust-based utility that just does one thing and does it well: it reads recipes from a text file (aptly called a "justfile"), and runs the commands from an invoked recipe. Rather than accumulating a library of one-off shell scripts over time, just provides a cross-platform tool with a framework and well-documented syntax for collecting and documenting tasks that makes it useful for solo users and collaborative projects.

Greg Kroah-Hartman has announced the release of the 5.4.302 stable kernel:

This is the LAST 5.4.y release. It is now end-of-life and should not be used by anyone, anymore. As of this point in time, there are 1539 documented unfixed CVEs for this kernel branch, and that number will only increase over time as more CVEs get assigned for kernel bugs.

For the curious, Kroah-Hartman has also provided a list of the unfixed CVEs for 5.4.302.

Let's Encrypt has announced that it will be reducing the validity period of its certificates from 90 days to 45 days by 2028:

Most users of Let's Encrypt who automatically issue certificates will not have to make any changes. However, you should verify that your automation is compatible with certificates that have shorter validity periods.

To ensure your ACME client renews on time, we recommend using ACME Renewal Information (ARI). ARI is a feature we've introduced to help clients know when they need to renew their certificates. Consult your ACME client's documentation on how to enable ARI, as it differs from client to client. If you are a client developer, check out this integration guide.

If your client doesn't support ARI yet, ensure it runs on a schedule that is compatible with 45-day certificates. For example, renewing at a hardcoded interval of 60 days will no longer be sufficient. Acceptable behavior includes renewing certificates at approximately two thirds of the way through the current certificate's lifetime.

Manually renewing certificates is not recommended, as it will need to be done more frequently with shorter certificate lifetimes.

FreeBSD 15.0 has been released. Notable changes in this release include a new method for installing the base system using the pkg package manager, an update to OpenZFS 2.4.0-rc4, native support for the inotify(2) interface, and the addition of Open Container Initiative (OCI) images to FreeBSD's release artifacts. See the release notes for a full list of changes, hardware notes for supported hardware, and check the errata before installing or upgrading.

Greg Kroah-Hartman has announced the release of the 6.17.10, 6.12.60, and 6.6.118 stable kernels. As usual, each contains a number of important fixes throughout the tree. Users are advised to upgrade.

KDE's Plasma team has announced that KDE Plasma will drop X11 session support with Plasma 6.8:

The Plasma X11 session will be supported by KDE into early 2027.

We cannot provide a specific date, as we're exploring the possibility of shipping some extra bug-fix releases for Plasma 6.7. The exact timing of the last one will only be known when we get closer to its actual release, which we expect will be sometime in early 2027.

What if I still really need X11?

This is a perfect use case for long term support (LTS) distributions shipping older versions of Plasma. For example, AlmaLinux 9 includes the Plasma X11 session and will be supported until sometime in 2032.

See the blog post for information on running X11 applications (still supported), accessibility, gaming, and more.

AlmaLinux 10.1 has been released. In addition to providing binary compatibility with Red Hat Enterprise Linux (RHEL) 10.1, the most notable feature in AlmaLinux 10.1 is the addition of support for Btrfs, which is not available in RHEL:

Btrfs support encompasses both kernel and userspace enablement, and it is now possible to install AlmaLinux OS on a Btrfs filesystem from the very beginning. Initial enablement was scoped to the installer and storage management stack, and broader support within the AlmaLinux software collection for Btrfs features is forthcoming.

In addition to Btrfs support, AlmaLinux OS 10.1 includes numerous other improvements to serve our community. We have continued to extend hardware support both by adding drivers and by adding a secondary version of AlmaLinux OS and EPEL to extend support of x86_64_v2 processors.

See the release notes for a full list of changes.

It is rarely newsworthy when a project or package picks up a new dependency. However, changes in a core tool like Debian's Advanced Package Tool (APT) can have far-reaching effects. For example, Julian Andres Klode's declaration that APT would require Rust in May 2026 means that a few of Debian's unofficial ports must either acquire a working Rust toolchain or depend on an old version of APT. This has raised several questions within the project, particularly about the ability of a single maintainer to make changes that have widespread impact.