• Front: OpenH264 in Fedora; Wallabag; Safety certification; 6.16 Merge window; Bounce buffering; Hardening repository problems; Device-initiated I/O; Faster networking; OSPM 2025; Free software in science.
• Briefs: Kea vulnerabilities; Alpine Linux 3.22.0; Fedora strategy; Quotes; ...
• Announcements: Newsletters, conferences, security updates, patches, and more.

Outgoing Fedora Project Leader Matthew Miller has posted an update on Fedora's high-level plan through 2028:

[Fedora] Council members identified potential Initiatives that we believe are important to work on next. We came up with a list of thirteen — which is way more than we can handle at once. We previously set a limit of four Initiatives at a time. We decided to keep to that rule, and are planning to launch four initiatives in the next months

The initiatives are: making Fedora releases block on accessibility issues, experimenting with a "GitOps" workflow for packaging, migrating from Pagure to Forgejo, and "making sure Fedora Linux is ready for people who want to work on machine learning and AI development".

Cong Wang and Daniel Borkmann each led session at the 2025 Linux Storage, Filesystem, Memory Management, and BPF Summit about their respective plans to speed up networking in the Linux kernel. Both sessions described ways to remove unnecessary operations in the networking stack, but they focused on different areas. Wang spoke about using BPF to speed up socket operations, while Borkmann spoke about eliminating the overhead of networking operations on virtual machines.

Greg Kroah-Hartman has announced the release of the 6.15.1, 6.14.10, 6.12.32, 6.6.93, 6.1.141, 5.15.185, 5.10.238, and 5.4.294 stable kernels. As usual, each contains a set of important fixes.

This year's Linaro Connect in Lisbon, Portugal featured a number of talks about the use of open-source components in safety-critical systems. Kate Stewart gave a keynote on the topic on the first day of the conference. In it, she highlighted several projects that have been working to pursue safety certification and spoke about the importance of being able to trace software's origins to safety. In a talk on the second day, Roberto Bagnara shared his experience with working on one of those projects, the Xen hypervisor, to conform to a formal set of rules for safety-critical code.

Version 3.22.0 of the Alpine Linux distribution has been released. Notable changes in this release include the removal of the X11 session for KDE Plasma, a switch to systemd-efistub, and experimental support for user services with the OpenRC init system. See the release notes for a detailed list of changes.

Software patents and workarounds for them are, once again, causing headaches for open-source projects and users. This time around, Fedora users have been vulnerable to a serious flaw in the OpenH264 library for months—not for want of a fix, but because of the Rube Goldberg machine methodology of distributing the library to Fedora users. The software is open source under a two-clause BSD license; the RPMs are built and signed by Fedora, but the final product is distributed by Cisco, so the company can pick up the tab for license fees. Unfortunately, a breakdown in the process of handing RPMs to Cisco for distribution has left Fedora users vulnerable, and inaction on Fedora's part has left users unaware that they are at risk.

Mozilla has decided to throw in the towel on Pocket, a social-bookmarking service that it acquired in 2017. This has left many users scrambling for a replacement for Pocket before its shutdown in July. One possible option is wallabag, a self-hostable, MIT-licensed project for saving web content for later reading. It can import saved data from services like Pocket, share content on the web, export to various formats, and more. Even better, it puts users in control of their data long-term.

As of this writing, 5,546 non-merge changesets have been pulled into the mainline kernel repository for the 6.16 release. This is a bit less than half of the total commits for 6.15, so the merge window is well on its way. Read on for our summary of the first half of the 6.16 merge window.

The SUSE Security Team has published a detailed report about security vulnerabilities it discovered in the Kea DHCP server suite from the Internet Systems Consortium (ISC).

Since SUSE is also going to ship Kea DHCP in its products, we performed a routine review of its code base. Even before checking the network security of Kea, we stumbled over a range of local security issues, among them a local root exploit which is possible in many default installations of Kea on Linux and BSD distributions. [...]

This report is based on Kea release 2.6.1. Any source code references in this report relate to this version. Many systems still ship older releases of Kea, but we believe they are all affected as well by the issues described in this report.

The report details seven security issues including local-privilege-escalation and arbitrary file overwrite vulnerabilities. Security fixes for the vulnerabilities have been published in all of the currently supported release series of Kea: 2.4.2, 2.6.3, and the 2.7.9 development release were all released on May 28. Kea has assigned CVE-2025-32801, CVE-2025-32802, and CVE-2025-32803 to the vulnerabilities. Note that some of the CVEs cover multiple security flaws.