[$] LWN.net Weekly Edition for September 18, 2025

LWN
By: corbet
Inside this week's LWN.net Weekly Edition:

  • Front: Fighting human trafficking; End of 10; Link tags; Healthy subsystem communities; New kernel tools; Rust and Carbon; Typst.
  • Briefs: Brief news items from throughout the community.
  • Announcements: Newsletters, conferences, security updates, patches, and more.

GNOME 49 released

LWN
By: corbet
Version 49 of the GNOME desktop environment has been released. Changes include new default video (Showtime) and PDF-viewing (Papers) applications, a number of calendar improvements, and updates to the Web, Maps, and Software applications.

Firefox 143.0 released

LWN
By: corbet
Version 143.0 of the Firefox browser has been released. Changes include the ability to pin tabs by dragging them to the edge, previews in the camera permissions dialog, improved fingerprinting protection, and (optional) automatic deletion of files downloaded in private browsing mode.

Another npm supply-chain attack

LWN
By: corbet
The Socket.dev blog describes this week's attack on JavaScript packages in the npm repository.

A malicious update to @ctrl/tinycolor (2.2M weekly downloads) was detected on npm as part of a broader supply chain attack that impacted more than 40 packages spanning multiple maintainers.

The compromised versions include a function (NpmModule.updatePackage) that downloads a package tarball, modifies package.json, injects a local script (bundle.js), repacks the archive, and republishes it, enabling automatic trojanization of downstream packages.

There is some more information in this Krebs on Security article.

Security updates for Tuesday

LWN
By: corbet
Security updates have been issued by AlmaLinux (kernel and kernel-rt), Debian (node-sha.js and python-django), Fedora (chromium, cups, exiv2, perl-Catalyst-Authentication-Credential-HTTP, perl-Catalyst-Plugin-Session, perl-Plack-Middleware-Session, and qemu), Red Hat (container-tools:rhel8, podman, and udisks2), SUSE (cargo-audit, cargo-c, cargo-packaging, and kernel-devel), and Ubuntu (libcpanel-json-xs-perl, libjson-xs-perl, rubygems, sqlite3, and vim).

[$] New kernel tools: wprobes, KStackWatch, and KFuzzTest

LWN
By: corbet
The kernel runs in a special environment that makes it difficult to use many of the development tools that are available to user-space developers. Kernel developers often respond by simply doing without, but the truth is that they need good tools as much as anybody else. Three new tools for the tracking down of bugs have recently landed on the linux-kernel mailing list; here is an overview.

Kernel prepatch 6.17-rc6

LWN
By: corbet
The 6.17-rc6 kernel prepatch is out for testing. "But really, none of it is very large. So everything seems slated for a normal release in two weeks. Please do keep testing, so that we don't get complacent."

[$] A policy for Link tags

LWN
By: corbet
The Git source-code management system stores a lot of information about changes to code — but it does not hold everything that might be of interest to a developer who needs to investigate a specific change in the future. Commits in a repository are the end result of a (sometimes extended) discussion; often, that discussion will result in changes to the code that are not explained in the changelog. For some years now, many maintainers have followed the convention of applying a Link tag to commits that points back to the mailing-list posting of the change. Linus Torvalds has been expressing his dislike for this convention for a while, though, and its time appears to be coming to an end.

How FOSS Projects Handle Legal Takedown Requests (F-Droid)

LWN
By: corbet
The F-Droid project has some advice for free-software projects on how to deal with takedown requests.

As part of our legal resilience research, we spoke with a range of legal experts, software freedom advocates, and maintainers of mature FOSS infrastructure to understand how others manage these moments. In this article, we share what we learned, and how F-Droid is incorporating these lessons into its own approach.

[$] LWN.net Weekly Edition for September 11, 2025

LWN
By: corbet
Inside this week's LWN.net Weekly Edition:

  • Front: Space Grade Linux; KDE's new distribution; Rug pulls and forks; Dependency tracker; Kernel configuration; Framework 12 laptop.
  • Briefs: npm security; high-memory; Anaconda WebUI; OpenSUSE bcachefs; 32-bit Firefox; Quotes; ...
  • Announcements: Newsletters, conferences, security updates, patches, and more.

OpenSUSE disables bcachefs

LWN
By: corbet
The openSUSE project has announced that the bcachefs filesystem will be disabled in its kernel builds starting with 6.17; bcachefs users will have to make other arrangements. "The current 6.16.* is NOT affected. Neither is Slowroll (for now)."

A path toward removal of kernel high-memory support

LWN
By: corbet
As a followup to his OSS Europe talk on the future of 32-bit support in the kernel, Arnd Bergmann has put together a detailed plan for the eventual removal of high-memory support, which he calls "one of the least popular features of the Linux kernel". The intent is "to gradually phase out highmem over the next 2 years for mainline kernels". This plan is posted as a prompt for a discussion to be held at the Kernel Summit in December, so chances are it will evolve considerably in the next few months.

Security updates for Tuesday

LWN
By: corbet
Security updates have been issued by AlmaLinux (kernel and kernel-rt), Debian (openafs and qemu), Fedora (buildah, containers-common, podman, python-flask, and snapshot), Mageia (postgresql, python-django, and udisks2), Oracle (kernel and libxml2), Red Hat (apache-commons-beanutils, firefox, httpd, httpd:2.4, kernel, kernel-rt, mod_http2, qt5-qt3d, and thunderbird), Slackware (libxml2), SUSE (firebird, go1.25-openssl, ImageMagick, microcode_ctl, netty, netty-tcnative, and ovmf), and Ubuntu (libetpan and postgresql-14, postgresql-16, postgresql-17).

npm debug and chalk packages compromised (Aikido)

LWN
By: corbet
The Aikido blog describes an apparently ongoing series of phishing attacks against npm package maintainers, resulting in the uploading of compromised versions of heavily used packages:

All together, these packages have more than 2 billion downloads per week.

The packages were updated to contain a piece of code that would be executed on the client of a website, which silently intercepts crypto and web3 activity in the browser, manipulates wallet interactions, and rewrites payment destinations so that funds and approvals are redirected to attacker-controlled accounts without any obvious signs to the user.

Kernel prepatch 6.17-rc5

LWN
By: corbet
Linus has released 6.17-rc5 for testing. "Things remain normal - both the diffstat and the commit counts look entirely sane". The announcement also contains a plea for maintainers to not overuse Link: tags when applying patches.

[$] Rug pulls, forks, and open-source feudalism

LWN
By: corbet
Like almost all human endeavors, open-source software development involves a range of power dynamics. Companies, developers, and users are all concerned with the power to influence the direction of the software — and, often, to profit from it. At the 2025 Open Source Summit Europe, Dawn Foster talked about how those dynamics can play out, with an eye toward a couple of tactics — rug pulls and forks — that are available to try to shift power in one direction or another.

No more 32-bit Firefox support

LWN
By: corbet
Mozilla has announced that support for the Firefox browser on 32-bit systems ends with version 144. "For users who cannot transition immediately, Firefox ESR 140 will remain available — including 32-bit builds — and will continue to receive security updates until at least September 2026."

[$] The dependency tracker for complex deadlock detection

LWN
By: corbet
Deadlocks are a constant threat in concurrent settings with shared data; it is thus not surprising that the kernel project has long since developed tools to detect potential deadlocks so they can be fixed before they affect production users. Byungchul Park thinks that he has developed a better tool that can detect more deadlock-prone situations. At the 2025 Open Source Summit Europe, he presented an introduction to his dependency tracker (or "DEPT") tool and the kinds of problems it can detect.