The Servo project has announced the first release of servo as a crate for use as a library.

As you can see from the version number, this release is not a 1.0 release. In fact, we still haven't finished discussing what 1.0 means for Servo. Nevertheless, the increased version number reflects our growing confidence in Servo's embedding API and its ability to meet some users' needs.

In the meantime we also decided to offer a long-term support (LTS) version of Servo, since breaking changes in the regular monthly releases are expected and some embedders might prefer doing major upgrades on a scheduled half-yearly basis while still receiving security updates and (hopefully!) some migration guides. For more details on the LTS release, see the respective section in the Servo book.

The Free Software Foundation has published a short article on relicensing versus license compatibility.

The FSF's Licensing and Compliance Lab receives many questions and license violation reports related to projects that had their license changed by a downstream distributor, or that are combined from two or more programs under different licenses. We collaborated with Yoni Rabkin, an experienced and long time FSF licensing volunteer, on an updated version of his article to provide the free software community with a general explanation on how the GNU General Public License (GNU GPL) is intended to work in such situations.

• Front: TPM attacks; arithmetic overflow protection; Ubuntu GRUB changes; kernel IPC proposals; fre:ac; Scuttlebutt.
• Briefs: Nix vulnerability; OpenSSH 10.3; Sashiko reviews; FreeBSD testing; Gentoo GNU/Hurd; SFC on router ban; Quotes; ...
• Announcements: Newsletters, conferences, security updates, patches, and more.

It has been a little while since LWN last surveyed tools for managing a digital music collection. In the intervening decades, many Linux users have moved on to music streaming services, found them wanting, and are looking to curate their own collection once again. There are plenty of choices when it comes to ripping, managing, and playing digital audio; so many, in fact, that it can be a bit daunting. After years of tinkering, I've found a few tools that work well for managing my digital library: the first I'd like to cover is the fre:ac free audio encoder for ripping music from CDs and converting between audio formats.

The NixOS project has announced a critical vulnerability in many versions of the Nix package manager's daemon. The flaw was introduced as part of a fix for a prior vulnerability in 2024. According to the advisory, all default configurations of NixOS and systems building untrusted derivations are impacted.

A bug in the fix for CVE-2024-27297 allowed for arbitrary overwrites of files writable by the Nix process orchestrating the builds (typically the Nix daemon running as root in multi-user installations) by following symlinks during fixed-output derivation output registration. This affects sandboxed Linux builds - sandboxed macOS builds are unaffected. The location of the temporary output used for the output copy was located inside the build chroot. A symlink, pointing to an arbitrary location in the filesystem, could be created by the derivation builder at that path. During output registration, the Nix process (running in the host mount namespace) would follow that symlink and overwrite the destination with the derivation's output contents.

In multi-user installations, this allows all users able to submit builds to the Nix daemon (allowed-users - defaulting to all users) to gain root privileges by modifying sensitive files.

Recently, the FreeBSD Foundation has been making progress on improving the operating system's support for modern laptop hardware. The foundation is now looking to expand testing to encompass a wider range of hardware; it has announced a laptop integration testing project to allow the community to easily test FreeBSD's compatibility with laptops and submit the results.

With limited access to testing systems, there's only so much we can do! We hope to work together with volunteers from the community who want FreeBSD to work well on their laptops.

While we expect device hardware and software enumeration to be a fully automated process, we feel that manually-submitted comments about personal experience with FreeBSD are equally valuable. We plan to highlight this commentary on our "matrix of compatibility" webpage for each tested laptop.

We are striving to make it as easy as possible to submit your results. You won't have to worry about environment setup, submission formatting, or any repo-specific details!

See the project repository and testing instructions for more.

Greg Kroah-Hartman has released the 6.6.133 stable kernel. This reverts a backporting mistake that removed file descriptor checks which led to kernel panics if the fgetxattr, flistxattr, fremovexattr, or fsetxattr functions were called from user space with a file descriptor that did not reference an open file.

GNU GRUB 2, mostly just referred to as GRUB these days, is the most widely used boot loader for x86_64 Linux systems. It supports reading from a vast selection of filesystems, handles booting modern systems with UEFI or legacy systems with a BIOS, and even allows users to customize the "splash" image displayed when a system boots. Alas, all of those features come with a price; GRUB has had a parade of security vulnerabilities over the years. To mitigate some of those problems, Ubuntu core developer and Canonical employee Julian Andres Klode has proposed removing a number of features from GRUB in Ubuntu 26.10 to improve GRUB's security profile. His proposal has not been met with universal acclaim; many of the features Klode would like to remove have vocal proponents.

On April 1, the Gentoo Linux project published a blog post announcing that it was switching to GNU Hurd as its primary kernel as an April Fool's joke. While that is not true, the project has followed up with an announcement of a new Gentoo port to the Hurd:

Our crack team has been working hard to port Gentoo to the Hurd and can now share that they've succeeded, though it remains still in a heavily experimental stage. You can try Gentoo GNU/Hurd using a pre-prepared disk image. The easiest way to do this is with QEMU [...]

We have developed scripts to build this image locally and conveniently work on further development of the Hurd port. Release media like stages and automated image builds are future goals, as is feature parity on x86-64. Further contributions are welcome, encouraged, and needed. Be patient, expect to get your hands dirty, anticipate breakage, and have fun!

Oh, and Gentoo GNU/Hurd also works on real hardware!

Text for the April Fool's post is available at the bottom of the real announcement.

Denver Gingerich of the Software Freedom Conservancy (SFC) has published an article on the impact of the ban on the sale of all new home routers not made in the United States issued by the Federal Communications Commission (FCC). The SFC, of course, is the organization behind the OpenWrt One router.

Since software updates to already-FCC-approved devices do not require a new FCC approval, it appears the FCC is trying to move beyond its usual authorization procedures to restrict what manufacturers are allowed to push to existing routers. However, the FCC notably does not restrict software changes made by owners of routers in the U.S. In particular, there is no indication that updates people make to their own routers, using software they have sourced themselves, would run afoul of any past or present FCC rule.

As a result, we do not believe that this new FCC decision affects whether and how people can run OpenWrt or other user-selected firmware updates on routers they have already purchased. Not only is this an important right in relation to our ownership and control of our own devices, it also ensures that people can keep their routers secure for far longer than the manufacturer may choose to provide security updates, by allowing them to install up-to-date community software that supports routers for 10, 15, or even more years after their initial release date, as OpenWrt does for many devices.

He also notes that, as the OpenWrt One is already FCC-approved, there should be no impact on its availability in the US. The SFC has asked the FCC for clarification and plans to provide updates when they receive a reply.

OpenSSH 10.3 has been released. Among the many changes in this release are a security fix to address late validation of metacharacters in user names, removal of bug compatibility for SSH implementations that do not support rekeying, and a fix to ensure that scp clears setuid/setgid bits from downloaded files when operating as root in legacy (-O) mode. See the release announcement for a full list of new features, bug fixes, and potentially incompatible changes.

Greg Kroah-Hartman has released the 6.19.11, 6.18.21, 6.12.80, and 6.6.131 stable kernels, followed by a quick release of 6.6.132 with two patches reverted to address a problem building the rust core in 6.6.131. Each kernel contains important fixes; users are advised to upgrade.