(Thanks to Jon Masters).

PostgreSQL contributor Robert Haas has published a blog post that breaks down code contributions to PostgreSQL in 2025.

I calculate that, in 2025, there were 266 people who were the principal author of at least one PostgreSQL commit. 66% of the new lines of code where contributed by one of 26 people, and 90% of the lines of new code were contributed by one of 67 people.

Contributions to the project seem to be on the upswing; in his analysis of development in 2024, there were 229 people who were the primary authors of a commit, and 66% of new lines of code were contributed by one of 18 people. The raw data is also available.

Version 11.0 of the Wine Windows compatibility layer is out. "This release represents a year of development effort, around 6,300 individual changes, and more than 600 bug fixes." The most notable changes in this release are support for the NTSync Linux kernel module (when available), and the completion of the Windows 32-bit on Windows 64-bit (WoW64) architecture that was announced as experimental in Wine 9.0.

Greg Kroah-Hartman has released the 6.18.6, 6.12.66, 6.6.121, and 6.1.161 stable kernels. As usual, each has important fixes throughout the tree; users are advised to upgrade.

While there are several rootkits that target Linux, they have so far not fully embraced the open-source ethos typical of Linux software. Luckily, Matheus Alves has been working to remedy this lack by creating an open-source rootkit called Singularity for Linux systems. Users who feel their computers are too secure can install the Singularity kernel module in order to allow remote code execution, disable security features, and hide files and processes from normal administrative tools. Despite its many features, Singularity is not currently known to be in use in the wild — instead, it provides security researchers with a testbed to investigate new detection and evasion techniques.

Over the past few years, several AI-powered features have been added to mobile phones that allow users to better search and understand their messages. One effect of this change is increased 0-click attack surface, as efficient analysis often requires message media to be decoded before the message is opened by the user. One such feature is audio transcription. Incoming SMS and RCS audio attachments received by Google Messages are now automatically decoded with no user interaction. As a result, audio decoders are now in the 0-click attack surface of most Android phones.

The blog entry does not question the wisdom of directly exposing audio decoders to external attackers, but it does provide a lot of detail showing how it can go wrong. The first part looks at compromising the codec; part two extends the exploit to the kernel, and part three looks at the implications:

It is alarming that it took 139 days for a vulnerability exploitable in a 0-click context to get patched on any Android device, and it took Pixel 54 days longer. The vulnerability was public for 82 days before it was patched by Pixel.

Sjoerd Simons has published a blog post about running Debian on the OpenWrt One router hardware:

With openwrt-one-debian, you can now install and run a full Debian system leveraging the OpenWrt One's NVMe storage, enabling everything from custom services and containers to development tools and lightweight server workloads, all on open hardware.

This project provides a rust-based flasher to install Debian on the OpenWrt One, opening the door to standard Debian tooling, packages, and workflows. For developers and power users, it transforms the OpenWrt One from a network appliance into a compact, general-purpose Linux system.

See the GitHub repository for the code and latest build. LWN reviewed the device in November 2024, and covered Denver Gingerich's talk at SCALE 22x about the making of the router in March 2025.

Version 14.0 of the Forgejo software forge has been released. Notable changes in this release include several database improvements, new options for approving actions execution from pull requests, a new file editor, and progress toward making Forgejo's web UI work without JavaScript.

We have recently noticed that email from LWN.net seems to be blocked by MXroute. Unfortunately, the company also does not seem to have a way for non-customers to report problems in mail delivery, so we have no good way to get ourselves unblocked.

As a result, readers who have subscribed to an LWN mailing list from a domain hosted with MXroute will probably not receive our mailings. We have not yet unsubscribed addresses that are being blocked by MXroute, but will soon if the problem persists. Please accept our apologies for the inconvenience; it is unfortunate that it is becoming so difficult to send legitimate email as a small business.

• Front: SFC v. VIZIO; GPLv2 requirements; Debian and GTK 2; OpenZL; kernel scheduler QoS; Rust concurrent data access; Asciinema.
• Briefs: OpenSSL and Python; LSFMM+BPF 2026; Fedora elections; Gentoo retrospective; EU lawmaking; Git data model; Firefox 147; Radicle 1.6.0; Quotes; ...
• Announcements: Newsletters, conferences, security updates, patches, and more.

First, we will no longer require OpenSSL implementations for new functionality. Where we deem it desirable, we will add new APIs that are only on LibreSSL/BoringSSL/AWS-LC. Concretely, we expect to add ML-KEM and ML-DSA APIs that are only available with LibreSSL/BoringSSL/AWS-LC, and not with OpenSSL.

Second, we currently statically link a copy of OpenSSL in our wheels (binary artifacts). We are beginning the process of looking into what would be required to change our wheels to link against one of the OpenSSL forks.

If we are able to successfully switch to one of OpenSSL's forks for our binary wheels, we will begin considering the circumstances under which we would drop support for OpenSSL entirely.

The Debian GNOME team would like to remove the GTK 2 graphics toolkit, which has been unmaintained upstream for more than five years, and ship Debian 14 ("forky") without it. As one might expect, however, there are those who would like to find a way to keep it. Despite its age and declared obsolescence, quite a few Debian packages still depend on GTK 2. Many of those applications are unlikely to be updated, and users are not eager to give them up. Discussion about how to handle this is ongoing; it seems likely that Debian developers will find some way to continue supporting applications that require GTK 2, but users may have to look outside official Debian repositories.