Ubuntu 26.04 ("Resolute Raccoon") LTS has been released on schedule.

This release brings a significant uplift in security, performance, and usability across desktop, server, and cloud environments. Ubuntu 26.04 LTS introduces TPM-backed full-disk encryption, expanded use of memory-safe components, improved application permission controls, and Livepatch support for Arm systems, helping reduce downtime and strengthen system resilience. [...]

The newest Edubuntu, Kubuntu, Lubuntu, Ubuntu Budgie, Ubuntu Cinnamon, Ubuntu Kylin, Ubuntu Studio, Ubuntu Unity, and Xubuntu are also being released today. For more details on these, read their individual release notes under the Official flavors section:

https://documentation.ubuntu.com/release-notes/26.04/#official-flavors

Maintenance updates will be provided for 5 years for Ubuntu Desktop, Ubuntu Server, Ubuntu Cloud, Ubuntu WSL, and Ubuntu Core. All the remaining flavors will be supported for 3 years.

See the release notes for a list of changes, system requirements, and more.

The famfs filesystem first showed up on the mailing lists in early 2024; since then, it has been the topic of regular discussions at the Linux Storage, Filesystem, Memory Management and BPF (LSFMM+BPF) Summit. It has also, as result of those discussions, been through some significant changes since that initial posting. So it is not surprising that a suggestion that it needed to be rewritten yet again was not entirely well received. How much more rewriting will actually be needed is unclear, but more discussion appears certain.

Security updates have been issued by AlmaLinux (kernel and osbuild-composer), Debian (cpp-httplib, firefox-esr, gimp, and packagekit), Fedora (chromium, composer, libcap, pgadmin4, pie, python3-docs, python3.14, and sudo), Mageia (gvfs), Oracle (.NET 8.0, delve, freerdp, giflib, ImageMagick, kernel, OpenEXR, and osbuild-composer), SUSE (erlang, giflib, google-guest-agent, GraphicsMagick, ignition, imagemagick, kea, kernel, kissfft, libraw, libssh, ocaml-patch, opam, openCryptoki, openexr, openssl-1_1, tomcat, tomcat10, tomcat11, and tor), and Ubuntu (linux, linux-aws, linux-aws-5.4, linux-azure, linux-gcp, linux-gcp-5.4, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-iot, linux-kvm, linux-oracle, linux-oracle-5.4, linux-xilinx-zynqmp, linux-aws, linux-aws-6.17, linux-hwe-6.17, linux-oracle, linux-oracle-6.17, linux-azure, linux-intel-iotg, linux-intel-iotg-5.15, linux-kvm, linux-oracle-5.15, linux-azure-5.4, linux-azure-fips, linux-fips, linux-aws-fips, linux-azure-fips, linux-gcp-fips, linux-hwe-6.8, linux-ibm-6.8, linux-raspi, linux-oracle, linux-oracle-6.8, linux-raspi, linux-raspi-5.4, linux-raspi-realtime, packagekit, python-tornado, ruby-rack-session, slurm-llnl, and strongswan).

The 7.0.1, 6.19.14, 6.18.24, and 6.12.83 stable kernels have been released; each contains another set of important fixes. Note that the 6.19.x line ends with 6.19.14.

Inside this week's LWN.net Weekly Edition:

• Front: LLMs and Python bugs; scheduler regression; new Rust traits; dependency cooldowns; 7.1 merge window; Shor's algorithm; drama at The Document Foundation.
• Briefs: Firefox zero-days; kernel code removal; reproduceible Arch; Debian election; Firefox 150; Forgejo 15.0; Git 2.54.0; KDE Gear 26.04; LillyPond 2.26.0; Rust 1.95.0; Quotes; ...
• Announcements: Newsletters, conferences, security updates, patches, and more.

Efforts to introduce malicious code into the open-source supply chain have been on the rise in recent years, and there is no indication that they will abate anytime soon. These attacks are often found quickly, but not quickly enough to prevent the compromised code from being automatically injected into other projects or code deployed by users where it can wreak havoc. One method of avoiding supply-chain attacks is to add a delay of a few days before pulling upates in what is known as a "dependency cooldown". That tactic is starting to find favor with users and some language ecosystem package managers. While this practice is considered a reasonable response by many, others are complaining that those employing dependency cooldowns are free-riding on the larger community by letting others take the risk.

In Rust, types either possess a constant size known at compile time, or a dynamically calculated size known at run time. That is fine for most purposes, but recent proposals for the language have shown the need for a more fine-grained hierarchy. RFC 3729 from David Wood and Rémy Rakic would add a hierarchy of traits to describe types with sizes known under different circumstances. While the idea has been subject to discussion for many years, a growing number of use cases for the feature have come to light.

Version 2.26.0 of the LilyPond music-engraving program has been released. Major changes include the ability to use the Cairo library to generate output and improvements in spacing between clefs and time signatures. See the release notes for a full list of miscellaneous improvements as well as what's new with musical and specialist notation.

Greg Kroah-Hartman has announced the release of the 7.0.1, 6.19.14, 6.18.24, and 6.12.83 stable kernels. As usual, each contains important fixes throughout the tree. Users are encouraged to upgrade.

Note that the 6.19.x series ends with 6.19.14.

Security updates have been issued by Debian (firefox-esr, flatpak, ngtcp2, ntfs-3g, packagekit, python-geopandas, simpleeval, strongswan, and xdg-dbus-proxy), Fedora (chromium, cups, curl, jq, opkssh, perl-Net-CIDR-Lite, python-cbor2, python-pillow, tinyproxy, xdg-dbus-proxy, and xorg-x11-server-Xwayland), Slackware (libXpm and mozilla), SUSE (botan, chromium, clamav, cockpit, cockpit-machines, cockpit-packages, cockpit-podman, cockpit-subscriptions, dovecot24, firefox, flatpak, freeipmi, gdk-pixbuf, glibc, gnome-remote-desktop, go1.25, go1.26, go1.26-openssl, google-cloud-sap-agent, gosec, graphicsmagick, haproxy, kernel, libpng16, libraw, libtasn1, libvncserver, ncurses, nebula, nodejs24, openssl-3, ovmf, pam, pcre2, perl-Authen-SASL, pgvector, plexus-utils, podman, python-cbor2, python-cryptography, python-django, python-gi-docgen, python-pypdf2, python-python-multipart, python311, python311-PyPDF2, python313, qemu, roundcubemail, rust1.94, sqlite3, strongswan, systemd, tar, tigervnc, util-linux, vim, webkit2gtk3, xorg-x11-server, xwayland, and zlib), and Ubuntu (commons-io, libcap2, ntfs-3g, and rapidjson).

There are a number of ongoing efforts to remove kernel code, mostly from the networking subsystem, as an alternative to dealing with the increase in security-bug reports from large language models. The proposed removals include ISA and PCMCIA Ethernet drivers, a pair of PCI drivers, the ax25 and amateur radio subsystem, the ATM protocols and drivers, and the ISDN subsystem.

Remove the amateur radio (AX.25, NET/ROM, ROSE) protocol implementation and all associated hamradio device drivers from the kernel tree. This set of protocols has long been a huge bug/syzbot magnet, and since nobody stepped up to help us deal with the influx of the AI-generated bug reports we need to move it out of tree to protect our sanity.

This Firefox blog post reports that the Firefox 150 release includes fixes for 271 vulnerabilities found by the Claude Mythos preview.

Elite security researchers find bugs that fuzzers can't largely by reasoning through the source code. This is effective, but time-consuming and bottlenecked on scarce human expertise. Computers were completely incapable of doing this a few months ago, and now they excel at it. We have many years of experience picking apart the work of the world's best security researchers, and Mythos Preview is every bit as capable. So far we've found no category or complexity of vulnerability that humans can find that this model can't.

This can feel terrifying in the immediate term, but it's ultimately great news for defenders. A gap between machine-discoverable and human-discoverable bugs favors the attacker, who can concentrate many months of costly human effort to find a single bug. Closing this gap erodes the attacker's long-term advantage by making all discoveries cheap.

The Fedora Project has been wrestling with the question of who should be able to vote in Fedora elections recently, with project membership being a major topic at the Fedora Council face-to-face held in early February. Now the project is considering a new contributor status, "Fedora Verified", and is looking to get input on the idea from the community.

What are the proposed benefits? The primary motivation behind "Fedora Verified" is to build trust-based recognition that grants elevated, privileged rights within the project. Most notably, this status would determine eligibility for strategic governance activities, such as:

• Voting in Fedora community elections.
• Running for leadership or decision-making roles within the project (i.e., Fedora Council, FESCo, Mindshare Committee, EPEL Steering Committee).
• (Potential, unplanned) Accessing specific shared project resources or educational opportunities (e.g., Red Hat training credits).

The blog post includes a list of proposed baseline metrics for "Verified" status as well as open questions to be decided. A survey on the topic will be open until May 5.

The open-source world is currently awash in reports of LLM-discovered bugs and vulnerabilities, which makes for a lot more work for maintainers, but many of the current crop are being reported responsibly with an eye toward minimizing that impact. A recent report on an effort to systematically find bugs in Python extensions written in C has followed that approach. Hobbyist Daniel Diniz used Claude Code to find more than 500 bugs of various sorts across nearly a million lines of code in 44 extensions; he has been working with maintainers to get fixes upstream and his methodology serves as a great example of how to keep the human in the loop—and the maintainers out of burnout—when employing LLMs.

Version 150 of the Firefox web browser has been released. Notable changes include local-network-access restrictions being turned on for all users, the ability to reorder, copy, delete, paste, and export pages from a PDF using Firefox's built-in viewer, as well as improvements in its split view feature, and more. See also the release notes for developers and list of security fixes in this release.

(Update: Mozilla seems to have removed the local-network-access restrictions information since the release was published yesterday.)

Security updates have been issued by AlmaLinux (freerdp, kernel, and kernel-rt), Debian (mupdf, opam, simpleeval, and xdg-dbus-proxy), Mageia (firefox, thunderbird and libtiff), Red Hat (containernetworking-plugins, gvisor-tap-vsock, nodejs22, nodejs:20, nodejs:22, perl-XML-Parser, python3.11, python3.9, runc, and skopeo), and SUSE (bind, buildah, cockpit-subscriptions, container-suseconnect, containerd, corosync, cosign, docker, dovecot24, flatpak, freeipmi, gegl, GraphicsMagick, helm, ImageMagick, kubernetes, kubernetes-old, libpng15, LibVNCServer, ncurses, nodejs22, opensc, openvswitch, patterns-glibc-hwcaps, podman, python, python310, python312, python315, rekor, rootlesskit, roundcubemail, and runc).

Git maintainer Junio Hamano has announced Git 2.54.0, which includes contributions from 137 people; 66 of those people are first-time contributors to the project. Changes include the addition of Git history rewriting, Git's web interface (gitweb) "has been taught to be mobile friendly", and much more. See the announcement for all improvements, additions, and bug fixes. Hamano is now taking a short break:

I will go offline for a couple of weeks starting this evening, hopefully after updating 'next' and possibly also pushing out the first batch of the new cycle. There is no designated interim maintainer this time, but I trust that the community can self organize during my absense, if the shape of the release and the tree turns out to be super bad ;-).

See this GitHub blog entry for highlights from this release.

Robin Candau has announced the availability of a bit-for-bit reproducible container image for Arch Linux:

The bit-for-bit reproducibility of the image is confirmed by digest equality across builds (podman inspect --format '{{.Digest}}' <image>) and by running diffoci to compare builds. We provide documentation on how to reproduce this Docker image (as we did for the WSL image as well).

Building the base rootFS for the Docker image in a deterministic way was the main challenge, but it reuses the same process as for our WSL image (as both share the same rootFS build system).

[...] This represents another meaningful achievement in our "reproducible builds" efforts and we're already looking forward to the next step!

The Document Foundation (TDF) is the nonprofit entity behind the LibreOffice productivity suite. Most of the time, the software takes the spotlight, but that has changed in the past few weeks, and not for pleasant reasons. TDF has revoked foundation membership status from about 30 people who work for or have contracting status with Collabora. In response, Collabora has announced plans to focus on a "entirely new, cut-down, differentiated Collabora Office" project and reduce its involvement with LibreOffice. TDF's representatives claim that its actions were necessary to maintain the foundation's nonprofit status, while other community members assert that this is part of a power grab. The facts seem to indicate that there are legitimate issues to be addressed, but it is unclear that TDF needed to go so far as to disenfranchise all Collabora-affiliated contributors.

Debian Project secretary Kurt Roeckx has announced the Debian Project Leader (DPL) election results: the winner of the election is Sruthi Chandran. She will replace two-term DPL Andreas Tille.