Let's Encrypt has announced that it intends to end support "as soon as possible" for the Online Certificate Status Protocol (OCSP) over privacy concerns. OCSP was developed as a lighter-weight alternative to Certificate Revocation Lists (CRLs) that did not involve downloading the entire CRL in order to check whether a certificate was valid. Let's Encrypt will continue supporting OCSP as long as it is a requirement for Microsoft's Trusted Root Program, but hopes to discontinue it soon:

We plan to end support for OCSP primarily because it represents a considerable risk to privacy on the Internet. When someone visits a website using a browser or other software that checks for certificate revocation via OCSP, the Certificate Authority (CA) operating the OCSP responder immediately becomes aware of which website is being visited from that visitor's particular IP address. Even when a CA intentionally does not retain this information, as is the case with Let's Encrypt, CAs could be legally compelled to collect it. CRLs do not have this issue.

People using Let's Encrypt as their CA should, for the most part, not need to change their setups. All modern browsers support CRLs, so end-users shouldn't notice an impact either.

LWN has covered BPF since its initial introduction to Linux, usually through the lens of the newest developments; this can make it hard to view the whole picture. BPF provides a way to extend a running kernel, without having to recompile and reboot. It does this in a safe way, so that malicious BPF programs cannot crash a running kernel, thanks to the BPF verifier. So how does the verifier actually work, what are its limits, and how has it changed since the early days of BPF?

The Next Generation Internet (NGI) project, an initiative of the EU's European Commission (EC), provides funding in the form of grants for a wide variety of open-source software, including Redox, Briar, SourceHut, and many more. But the NGI project is not among those that would be funded under the current draft budget for 2025, as The Register reports. More than 60 organizations have signed on to an open letter asking the EC to reconsider:

We find this transformation incomprehensible, moreover when NGI has proven efficient and economical to support free software as a whole, from the smallest to the most established initiatives. This ecosystem diversity backs the strength of European technological innovation, and maintaining the NGI initiative to provide structural support to software projects at the heart of worldwide innovation is key to enforce the sovereignty of a European infrastructure. Contrary to common perception, technical innovations often originate from European rather than North American programming communities, and are mostly initiated by small-scaled organizations.

The NumPy project released version 2.0.0 on June 16, the first major release of the widely used Python-based numeric-computing library since 2006. The release has been planned for some time, as an opportunity to clean up NumPy's API. As with most NumPy updates, there are performance improvements to several individual functions. There are only a few new features, but several backward-incompatible changes, including a change to NumPy's numeric-promotion rules. Changes to the Python API require relatively minor changes to Python code using the library, but the changes to the C API may be more difficult to adapt to. In both cases, the official migration guide describes what needs to be adapted to the new version.

Redox has received a grant to work on implementing POSIX-compatible signals. The draft design calls for them to be implemented nearly completely in user space.

So far, the signals project has been going according to plan, and hopefully, POSIX support for signals will be mostly complete by the end of summer, with in-kernel improvements to process management. After that, work on the userspace process manager will begin, possibly including new kernel performance and/or functionality improvements to facilitate this.

On June 25, Matthew Wilcox posted a second version of a patch set introducing a new data structure called rosebush, which "is a resizing, scalable, cache-aware, RCU optimised hash table." The kernel already has generic hash tables, though, including rhashtable. Wilcox believes that the design of rhashtable is not the best choice for performance, and has written rosebush as an alternative for use in the directory-entry cache (dcache) — the filesystem cache used to speed up file-name lookup.

Since the disagreements that led to Eelco Dolstra stepping down from the NixOS Foundation board, there have been a number of projects forked from or inspired by Nix that have stepped up to compete with it. Two months on, some of these projects are now well-established enough to look at what they have to offer and how they compare to each other. Overall, users have a number of good options to choose from, whether they're seeking a compatible replacement for Nix (the configuration language and package manager) or NixOS (the Linux distribution), or something that takes the same ideas in a different direction.

The PSP security protocol (PSP) is a way to transparently encrypt packets by efficiently offloading encryption and decryption to the network interface cards (NICs) that Google uses for connections inside its data centers. The protocol is similar to IPsec, in that it allows for wrapping arbitrary traffic in a layer of encryption. The difference is that PSP is encapsulated in UDP, and designed from the beginning to reduce the amount of state that NICs have to track in order to send and receive encrypted traffic, allowing for more simultaneous connections. Jakub Kicinski wants to add support for the protocol to the Linux kernel.

ISO releases new C++ language standards on a three-year cadence; now that it's been more than a year since the finalization of C++23, we have a good idea of what features could be adopted for C++26 — although proposals can still be submitted until January 2025. Of particular interest is the addition of support for hazard pointers and user-space read-copy-update (RCU). Even though C++26 is not yet a standard, many of the proposed features are already available to experiment with in GCC or Clang.

Greg Kroah-Hartman has announced the release of seven more stable kernels. Versions 6.9.8, 6.6.37, 6.1.97, 5.15.162, 5.10.221, 5.4.279, and 4.19.317 are now available.

On May 7, Kees Cook sent a proposal to the linux-kernel mailing list, asking for the kernel developers to start working on a way to mitigate unintentional arithmetic overflow, which has been a source of many bugs. This is not the first time Cook has made a request along these lines; he sent a related patch set in January 2024. Several core developers objected to the plan for different reasons. After receiving their feedback, Cook modified his approach to tackle the problem in a series of smaller steps.

The Free Software Foundation Europe has submitted a joint position to the European Commission (EC), claiming that Apple has failed to comply with the EU's Digital Markets Act (DMA). This is the law that requires Apple to support alternative application stores on the devices it makes.

Apple's unfair behaviour against Free Software highlights the critical need to monitor the implementation of the DMA. The FSFE collaborated with F-Droid, the AppFair project, and other interoperability experts to scrutinize Apple's DMA compliance, and it's impact on Free Software. Since then, we coordinated several expert workshops with stakeholders, discussed with regulators in FOSDEM, had official meetings with the EC's DMA team, and submitted a comprehensive position to the EC detailing several problematic elements in the Apple compliance that will harm the Free Software.

With the Rust-for-Linux project starting to gain some ground, it is worth looking at other operating systems that use Rust in their kernels. There are many attempts to use Rust for operating system development, but Redox may be the most complete. Redox is an MIT-licensed microkernel and corresponding user space, designed around concepts taken from Plan 9. While nowhere near being usable as a replacement for Linux, it already provides a graphical user interface and the ability to run many POSIX programs.

Unison is a MIT-licensed programming language, in development since 2013, that explores the ramifications of making code immutable and stored in a database, instead of a set of text files. Unison supports a greatly simplified model for distributed programming — one that describes the configuration of and communication between programs in the same language as the programs themselves. Along the way, it introduces a new approach to interfacing with programming languages, which is tailored to its design.

The 6.9.6, 6.6.35, 6.1.95, and 5.10.220 stable kernels have all been released; as usual, users are advised to update immediately.