The Arch Linux project has posted an update about recent service outages that have affected its infrastructure:

The Arch Linux Project is currently experiencing an ongoing denial of service attack that primarily impacts our main webpage, the Arch User Repository (AUR), and the Forums.

We are aware of the problems that this creates for our end users and will continue to actively work with our hosting provider to mitigate the attack. We are also evaluating DDoS protection providers while carefully considering factors including cost, security, and ethical standards.

The post contains information on workarounds to use during the service disruption, and notes that Arch is not sharing technical details about the attack or mitigation while the attack is still ongoing.

Tobias Heider has written an article that explains changes that are coming for Ubuntu's generic Arm64 desktop ISO images in the 25.10 release. The current solution, Heider says, depends on GRUB features that are unavailable in secure boot mode and require adding device-specific logic to multiple packages. The new solution, called stubble, is derived from systemd-stub:

A bundled stubble image contains stubble itself, a Linux kernel, a HWID lookup table to map devices to device trees and multiple device trees. When grub loads this "kernel", stubble executes first, reads the SMBIOS table to generate HWIDs, looks for a match in the embeeded lookup table and loads a matching device tree before passing control to the actual Linux kernel.

The elegance in this approach lies in how it interacts with the rest of the system. Integrating stubble happens entirely at build time in the kernel package. The stubble package is a build dependency for the kernel. After building the kernel itself, we bundle it with stubble and our DTBs and ship the combined binary instead. The resulting stubble + kernel + dtb bundle can be loaded by grub like any other Ubuntu kernel. No further changes in grub or other packages are necessary to make it work.

Greg Kroah-Hartman has announced the release of the 6.16.2, 6.15.11, and 6.12.43 stable kernels. He notes that this is the last release in the 6.15.y series, and recommends that users move to the 6.16.y kernel branch at this time.

Version 25.8 of the LibreOffice open-source office suite has been released. Notable changes include several new functions in the Calc spreadsheet application, ability to export to the PDF 2.0 format, better PowerPoint font compatibility with Impress, and significant performance improvements. For a full list of changes, see the release notes on the Document Foundation wiki.

After more than two years of development, the Debian Project has released its new stable version, Debian 13 ("trixie"). The release comes with the usual bounty of upgraded packages and more than 14,000 new packages; it also debuts Advanced Package Tool (APT) 3.0 as the default package manager and makes 64-bit RISC-V a supported architecture. There are few surprises with trixie, which is exactly what many Linux users are hoping for—a free operating system that just works as expected.

Security updates have been issued by Debian (webkit2gtk), Fedora (firefox and libarchive), Red Hat (python3.11-setuptools and python3.12-setuptools), Slackware (mozilla), SUSE (apache2-mod_security2, cairo-devel, cflow, docker, glibc, go1.25, govulncheck-vulndb, gstreamer-0_10-plugins-base, jq, kernel, libarchive, libssh, libxslt, openbao, python-urllib3, systemd, and xz), and Ubuntu (apache2, libssh, libxml2, linux, linux-aws, linux-aws-5.15, linux-gcp, linux-gcp-5.15, linux-gkeop, linux-hwe-5.15, linux-ibm-5.15, linux-intel-iot-realtime, linux-intel-iotg-5.15, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia-tegra, linux-nvidia-tegra-5.15, linux-nvidia-tegra-igx, linux-oracle-5.15, linux-realtime, linux-xilinx-zynqmp, linux, linux-aws, linux-aws-5.4, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-raspi, linux-raspi-5.4, linux-xilinx-zynqmp, linux, linux-aws, linux-lowlatency, linux-lowlatency-hwe-6.8, linux-realtime, linux-aws-fips, linux-fips, linux-gcp-fips, linux-fips, linux-aws-fips, linux-gcp-fips, linux-ibm-6.8, tomcat10, and webkit2gtk).

The Python Package Index (PyPI) has announced that it is now checking for expired domains to try to prevent domain-resurrection attacks. In this type of attack, a malicious user buys an expired domain and uses it to take over an account by resetting the password associated with the email used with PyPI. Since June, PyPI has unverified more than 1,800 email addresses after their associated domains entered expiration phases.

After an initial bulk check period that took place in April 2025, PyPI will check daily for any domains in use for status changes, and update its internal database with the most recent status.

If a domain registration enters the redemption period, that's an indicator to PyPI that the previously verified email destinations may not be trusted, and will un-verify a previously-verified email address. PyPI will not issue a password reset request to addresses that have become unverified.

PyPI recommends that users add a second verified email address "from another notable domain (e.g. Gmail)" to their account, if they do not have one already.

Mitchell Hashimoto has written a blog post about "fully embracing the GObject type system" with a rewrite of the GTK version of Ghostty:

In addition to memory management [improvements], we can now more easily create custom GTK widgets. This let us fully embrace modern GTK UI technologies such as Blueprint. For example, here is our terminal window Blueprint file. This has already led to more easily introducing GUI features like a new GTK titlebar tabs option, an animated border on bell, etc.

The rewrite is now the default if one builds Ghostty from source, and will be included in the 1.2 release that is expected in the next few weeks. LWN covered Ghostty in January.

The purpose of the Filesystem Hierarchy Standard (FHS) is to provide a specification for filesystem layout; it specifies the location for files and directories on a Linux system to simplify application development for multiple distributions. In its heyday it had some success at this, but the standard has been frozen in time since 2015, and much has changed since then. There is a slow-moving effort to revive the FHS and create a FHS 4.0, but a recent discussion among Fedora developers also raised the possibility of standardizing on the suggestions in systemd's file-hierarchy documentation, which has now been added to the Linux Userspace API (UAPI) Group's specifications.

NGINX has announced the preview release of the nginx-acme module, which adds native support to NGINX for the Automatic Certificate Management Environment (ACME) protocol:

NGINX's native support for ACME brings a variety of benefits that simplify and enhance the overall SSL/TLS certificate management process. Being able to configure ACME directly using NGINX directives drastically reduces manual errors and eliminates much of the ongoing overhead traditionally associated with managing SSL/TLS certificates. It also reduces reliance on external tools like Certbot, creating a more secure and streamlined workflow with fewer vulnerabilities and a smaller attack surface.

Version 1.25 of Go has been released. Notable changes include support for generating debug information in the DWARF 5 format, "container awareness" when setting the maximum number of CPUs to be used, and a new testing/synctest package with support for testing concurrent code. See the release notes for a comprehensive list of changes in 1.25.

Version 2.0 of Syncthing, a continuous file synchronization utility, has been released. Notable changes in 2.0 include multiple connections for synchronizing metadata and file data, a new logging format, as well as a switch from LevelDB to SQLite for Syncthing's backend. This the first release in the 2.0 series, and the release notes advise users to "expect some rough edges and keep a sense of adventure".

Security updates have been issued by Debian (apache2, kernel, linux-6.1, openjdk-17, and pgpool2), Fedora (glib2, matrix-synapse, openjpeg, python3-docs, and python3.13), Oracle (gdk-pixbuf2, glibc, java-1.8.0-openjdk, kernel, libxml2, python-requests, python3.11-setuptools, and thunderbird), SUSE (amber-cli, apache-commons-lang3, eclipse-jgit, go1.23, go1.24, govulncheck-vulndb, grub2, icinga2, kubernetes1.23, libgcrypt, python3, python313, sccache, slurm, tiff, and webkit2gtk3), and Ubuntu (linux-oracle).

The Arch Linux project is especially well-known in the Linux community for two things: its rolling-release model and the quality of the documentation in the ArchWiki. No matter which Linux distribution one uses, the odds are that eventually the ArchWiki's documentation will prove useful. The Debian project recognized this and has sought to improve its own documentation game by inviting ArchWiki maintainers Jakub Klinkovský and Vladimir Lavallade to DebConf25 in Brest, France, to speak about how Arch manages its wiki. The talk has already borne fruit with the launch of an effort to revamp the Debian wiki.

Debian's GNU/Hurd team has announced the release of Debian GNU/Hurd 2025:

This is a snapshot of Debian "sid" at the time of the stable Debian "Trixie" release (August 2025), so it is mostly based on the same sources. It is not an official Debian release, but it is an official Debian GNU/Hurd port release. [...]

Debian GNU/Hurd is currently available for the i386 and amd64 architectures with about 72% of the Debian archive, and more to come!

See the FAQ and configuration guide for more on the GNU/Hurd port.

The Debian Project has released its latest stable version, Debian 13 ("trixie"), which will be supported through 2030. This release includes GNOME 48, KDE Plasma 6.3, Xfce 4.20, Linux 6.12, GCC 14.2, Python 3.13, and systemd 257.

This release contains over 14,100 new packages for a total count of 69,830 packages, while over 8,840 packages have been removed as "obsolete". 44,326 packages were updated in this release. The overall disk usage for "trixie" is 403,854,660 kB (403 GB), and is made up of 1,463,291,186 lines of code. [...]

With this broad selection of packages and its traditional wide architecture support, Debian once again stays true to its goal of being "The Universal Operating System". It is suitable for many different use cases: from desktop systems to netbooks; from development servers to cluster systems; and for database, web, and storage servers. At the same time, additional quality assurance efforts like automatic installation and upgrade tests for all packages in Debian's archive ensure that "trixie" fulfills the high expectations that users have of a stable Debian release.

Trixie adds riscv64 as an officially supported architecture, and drops i386 as a regular architecture. Users with i386 systems should not upgrade to trixie; the project recommends reinstalling them as amd64, or retiring the hardware. See the release notes and issues to be aware of before installing or upgrading to trixie.

The AlmaLinux project has announced the availability of packages to enable native NVIDIA driver support, including CUDA and Secure Boot, for AlmaLinux 9 and 10.

When AlmaLinux started just 5 years ago, this wouldn't have been possible. With NVIDIA's open source version of their graphics drivers things have changed. This open source version is slowly becoming the flagship driver, with new products being added exclusively to it. With the help of some incredible people in the open source ecosystem and the AlmaLinux community, we were able to do something that has yet to be done in the EL ecosystem - ship Secure Boot signed, open source, NVIDIA kernel modules.

Full documentation is available on the AlmaLinux wiki.

There is a great deal of misunderstanding, and some misinformation, about the Trusted Platform Module (TPM); to combat this, Debian developer Jonathan McDowell would like to clear the air and help users understand what it is good for, as well as what it's not. At DebConf25 in Brest, France, he delivered a talk about TPMs that explained what they are, why people might be interested in using them, and how users might do so on a Debian system.

Version 0.10.0 of the Tuba fediverse client has been released. Notable changes in this release include a new post composer, an in-app web browser, search history, and many other refinements. See this thread for more details and highlights.

Security updates have been issued by AlmaLinux (kernel and python3.12-setuptools), Fedora (perl-Crypt-CBC and unbound), Gentoo (FontForge, GPL Ghostscript, Mozilla Network Security Service (NSS), and PAM), Oracle (gdk-pixbuf2, jq, kernel, mod_security, ncurses, python-requests, and python3-setuptools), Red Hat (python-requests and socat), SUSE (docker, kernel-livepatch-MICRO-6-0-RT_Update_2, kernel-livepatch-MICRO-6-0-RT_Update_4, kernel-livepatch-MICRO-6-0-RT_Update_5, kernel-livepatch-MICRO-6-0-RT_Update_6, kernel-livepatch-MICRO-6-0-RT_Update_7, kernel-livepatch-MICRO-6-0_Update_2, kernel-livepatch-MICRO-6-0_Update_4, kernel-livepatch-MICRO-6-0_Update_5, kernel-livepatch-MICRO-6-0_Update_6, kubeshark-cli, libgcrypt, pam-config, perl, python-requests, python311, and python313), and Ubuntu (linux-raspi).