We have received the sad news that Didier Spaier, maintainer of the blind-friendly Slackware-based Slint distribution, has recently passed away. Philippe Delavalade, who posted the announcement to the Slint mailing list, said:

Early 2015, I asked on the slackware list if brltty could be added in the installer; Didier answered promptly that he could do it on slint. Afterwards, he worked hard so that slint became as accessible as possible for visually impaired people.

You all know that all these years, he tried and succeeded to answer as quickly as possible to our issues and questions.

He will be irreplaceable.

The Open Source Initiative (OSI) has announced that it will not be holding the 2026 spring board election. Instead, it will be creating a working group to "review and improve OSI's board member selection process" and provide recommendations by September 2026:

The public election process was designed to gather community priorities and improve board member selection, while final appointments remained with the board.

Over time, that nuance has become a source of understandable confusion for community members. Many reasonably expected elections to function as elections normally do, and in fact, the board has generally adopted the electorate's recommendations. When a process feels unclear, trust suffers. When trust suffers, engagement becomes harder. This is especially problematic for an organization whose mission depends on legitimacy and credibility. [...]

OSI tried its experiment for the right reasons, but a variety of factors resulted in "elections" that are performatively democratic while being gameable and representative of only a small group, and we've learned from the results. Now we are making space to align our director selection process with our bylaws, to rebuild trust, and to develop better, more durable and truly representative participation in which the global stakeholder community can be heard.

LWN covered the previous OSI election in March 2025.

Creating fair governance models for open-source projects is not easy; defining criteria for participants to receive membership and voting rights is a particularly thorny problem for projects that have elections for representative bodies. The Fedora Council, the project's top-level governance body, is wrestling with that conundrum now. This was triggered by a Fedora special-interest group (SIG) granting temporary membership to at least one person for the sole purpose of allowing them to vote in the most recent Fedora Engineering Steering Council (FESCo) election. That opened a large can of worms about what it means to be a contributor and how contributors can be identified for voting purposes.

Security updates have been issued by AlmaLinux (java-1.8.0-openjdk), Debian (openssl), Fedora (assimp, chromium, curl, freerdp, gimp, and harfbuzz), Mageia (glibc, haproxy, iperf, and python-pyasn1), Red Hat (image-builder, openssl, and osbuild-composer), Slackware (mozilla), SUSE (avahi, cups, gio-branding-upstream, google-osconfig-agent, java-11-openjdk, java-17-openjdk, java-21-openjdk, kernel-firmware, libmatio-devel, libopenjp2-7, nodejs22, php8, python-python-multipart, python311-urllib3_1, qemu, and xen), and Ubuntu (ffmpeg, jaraco.context, openssl, and openssl, openssl1.0).

The Xfce team has announced that it will be providing funding to Brian Tarricone to work on xfwl4, a Wayland compositor for Xfce:

Xfwl4 will not be based on the existing xfwm4 code. Instead, it will be written from scratch in rust, using smithay building blocks.

The first attempt at creating an Xfce Wayland compositor involved modifying the existing xfwm4 code to support both X11 and Wayland in parallel. However, this approach turned out to be the wrong path forward for several reasons:

• Xfwm4 is architected in a way that makes it very difficult to put the window management behavior behind generic interfaces that don't include X11 specifics.
• Refactoring Xfwm4 is risky, since it might introduce new bugs to X11. Having two parallel code bases will allow for rapid development and experimentation with the Wayland compositor, with zero risk to break xfwm4.
• Some X11 window management concepts just aren't available or supported by Wayland protocols at this time, and dealing with those differences can be difficult in an X11-first code base.
• Using the existing codebase would require us to use C and wlroots, even if a better alternative is available.

Work has already commenced on the project, and the project hopes to share a development release in mid-2026.

Security updates have been issued by AlmaLinux (kernel, kernel-rt, python-urllib3, python3.11-urllib3, and python3.12-urllib3), Debian (imagemagick, openjdk-11, openjdk-17, and openjdk-21), Fedora (bind, bind-dyndb-ldap, chromium, ghostscript, glibc, mingw-glib2, mingw-harfbuzz, mingw-libsoup, mingw-openexr, and qownnotes), Mageia (kernel-linus), Red Hat (osbuild-composer), SUSE (go1.24-openssl, go1.25-openssl, govulncheck-vulndb, kernel, nodejs22, openCryptoki, openvswitch3, python-pyasn1, python311, and qemu), and Ubuntu (git-lfs, node-form-data, and screen).

The GNU Privacy Guard (GPG) project decided to break from the OpenPGP standard for email encryption in 2023, and instead adopted its own homegrown LibrePGP specification. The GPG 2.4 branch, the last one to adhere to OpenPGP, will be reaching the end of life in mid-2026. The Fedora project is currently having a discussion about how that affects the distribution, its users, and what to offer once 2.4 is no longer receiving updates.

Curl creator Daniel Stenberg has written a blog post explaining why the project is ending its bug-bounty program, which started in April 2019:

The never-ending slop submissions take a serious mental toll to manage and sometimes also a long time to debunk. Time and energy that is completely wasted while also hampering our will to live.

I have also started to get the feeling that a lot of the security reporters submit reports with a bad faith attitude. These "helpers" try too hard to twist whatever they find into something horribly bad and a critical vulnerability, but they rarely actively contribute to actually improve curl. They can go to extreme efforts to argue and insist on their specific current finding, but not to write a fix or work with the team on improving curl long-term etc. I don't think we need more of that.

There are these three bad trends combined that makes us take this step: the mind-numbing AI slop, humans doing worse than ever and the apparent will to poke holes rather than to help.

Stenberg writes that he still expects "the best and our most valued security reporters" to continue informing the project when security vulnerabilities are discovered. The program will officially end on January 31, 2026.

Security updates have been issued by AlmaLinux (gimp, glib2, go-toolset:rhel8, golang, java-17-openjdk, java-21-openjdk, kernel, net-snmp, pcs, and thunderbird), Debian (apache2, imagemagick, incus, inetutils, libuev, openjdk-17, php7.4, python3.9, shapelib, taglib, and zvbi), Fedora (mingw-glib2, mingw-harfbuzz, mingw-libsoup, mingw-openexr, pgadmin4, python3.11, python3.12, python3.9, and wireshark), Gentoo (Asterisk, Commons-BeanUtils, GIMP, inetutils, and Vim, gVim), Mageia (kernel), Oracle (glib2, java-17-openjdk, java-21-openjdk, and libpng), Red Hat (java-17-openjdk, java-21-openjdk, kernel, and kernel-rt), SUSE (azure-cli-core, bind, buildah, chromium, coredns, glib2, harfbuzz, kernel, kernel-firmware, libheif, libvirt, openCryptoki, openvswitch, podman, python, python-urllib3, rabbitmq-server, and vlang), and Ubuntu (cjson).

Version 1.5.0 of the GNU Guix package manager and the Guix System have been released. Notable improvements include the ability to run the Guix daemon without root privileges, support for 64-bit RISC-V, and experimental support for the GNU Hurd kernel.

The release comes with ISO-9660 installation images, virtual machine images, and with tarballs to install the package manager on top of your GNU/Linux distro, either from source or from binaries—check out the download page. Guix users can update by running guix pull.

It's been 3 years since the previous release. That's a lot of time, reflecting both the fact that, as a rolling release, users continuously get new features and update by running guix pull; but it also shows a lack of processes, something that we had to address before another release could be made.

During that time, Guix received about 71,338 commits by 744 people, which include many new features.

LWN last looked at Guix in February 2024.

Greg Kroah-Hartman has released the 6.18.7 and 6.12.67 stable kernels. As always, each contains important fixes throughout the tree. Users are advised to upgrade.

Security updates have been issued by AlmaLinux (kernel), Debian (bind9, chromium, osslsigncode, and python-urllib3), Fedora (freerdp, ghostscript, hcloud, rclone, rust-rkyv0.7, rust-rkyv_derive0.7, and vsftpd), Mageia (avahi and harfbuzz), SUSE (alloy, avahi, busybox, cargo-c, corepack22, corepack24, curl, docker, dpdk, exiv2-0_26, ffmpeg-4, firefox, glib2, go1.24, go1.25, gpg2, haproxy, kernel, kernel-firmware, keylime, libpng16, librsvg, libsodium, libsoup, libsoup2, libtasn1, log4j, net-snmp, open-vm-tools, openldap2_5, ovmf, pgadmin4, php7, podman, python-filelock, python-marshmallow, python-pyasn1, python-tornado, python-urllib3, python-virtualenv, python3, python311-pyasn1, python311-weasyprint, rust1.91, rust1.92, util-linux, webkit2gtk3, and wireshark), and Ubuntu (libxml2 and pyasn1).

ReactOS, an open-source project to develop an operating system that is compatible with Microsoft Windows NT applications and drivers, is celebrating 30 years since the first commit to its source tree. In that time there have been more than 88,000 commits from 301 contributors, for a total of 14,929,578 lines of code. There is, of course, much left to do.

It's been such a long journey that many of our contributors today, including myself, were not alive during this event. Yet our mission to deliver "your favorite Windows apps and drivers in an open-source environment you can trust" continues to bring people together. [...]

We're continuing to move ReactOS forward. Behind the scenes there are several out-of-tree projects in development. Some of these exciting projects include a new build environment for developers (RosBE), a new NTFS driver, a new ATA driver, multi-processor (SMP) support, support for class 3 UEFI systems, kernel and usermode address space layout randomization (ASLR), and support for modern GPU drivers built on WDDM.

Security updates have been issued by AlmaLinux (gpsd), Debian (inetutils and modsecurity-crs), Fedora (cpp-httplib, curl, mariadb11.8, mingw-libtasn1, mingw-libxslt, mingw-python3, rclone, and rpki-client), Oracle (gimp, glib2, go-toolset:rhel8, golang, kernel, mariadb-devel:10.3, and thunderbird), Red Hat (buildah, go-toolset:rhel8, golang, grafana, kernel, kernel-rt, multiple packages, openssl, osbuild-composer, podman, and skopeo), Slackware (bind), SUSE (ffmpeg-4, libsodium, libvirt, net-snmp, open-vm-tools, ovmf, postgresql17, postgresql18, python-FontTools, python-weasyprint, and webkit2gtk3), and Ubuntu (glib2.0 and opencc).

Version 3.0.0 of the pandas data analysis and manipulation library for Python has been released. Notable changes include a dedicated string type (str), new "copy-on-write" behavior, and much more. This release also removes a number of features that were deprecated in prior versions of pandas; developers are advised to upgrade to pandas 2.3 and ensure code is working without warnings before moving to 3.0. See the release notes for the full changelog.

At the 39th Chaos Communication Congress (39C3) in December, researchers Lexi Groves ("49016") and Liam Wachter said that they had discovered a number of flaws in popular implementations of OpenPGP email-encryption standard. They also released an accompanying web site, gpg.fail, with descriptions of the discoveries. Most of those presented were found in GNU Privacy Guard (GPG), though the pair also discussed problems in age, Minisign, Sequoia, and the OpenPGP standard (RFC 9580) itself. The discoveries have spurred some interesting discussions and as well as responses from GPG and Sequoia developers.

Security updates have been issued by AlmaLinux (brotli and container-tools:rhel8), Debian (python-keystonemiddleware and python3.9), Fedora (cef, freerdp, golang-github-tetratelabs-wazero, and libpcap), Oracle (brotli, gpsd, kernel, and transfig), Red Hat (freerdp, golang, java-11-openjdk with Extended Lifecycle Support, libpng, libssh, mingw-libpng, and runc), SUSE (abseil-cpp, alloy, apache2, bind, cpp-httplib, curl, erlang, firefox, gpg2, grafana, haproxy, hauler, hawk2, libblkid-devel, libpng16, libraylib550, python-keystonemiddleware-doc, python-uv, python-weasyprint, squid, and tomcat), and Ubuntu (crawl and iperf3).

Mozilla has announced a repository with Firefox Nightly channel packages for RPM-based Linux distributions such as CentOS Stream, Fedora, and openSUSE. Mozilla has provided a Debian repository since 2023.

Note that this repository only includes the nightly builds of The firefox-nightly package. Mozilla is not providing stable builds as RPMs at this time. However, the package will not conflict with a distribution's regular firefox package; both packages can be installed at the same time for those who wish to test the nightly builds. See the blog post for instructions on setting up the repository.

Security updates have been issued by AlmaLinux (gpsd-minimal, jmc, kernel, kernel-rt, and net-snmp), Debian (apache-log4j2 and dcmtk), Fedora (exim, gpsd, mysql8.0, mysql8.4, python-biopython, and rust-lru), Mageia (firefox, nss and thunderbird), Oracle (container-tools:rhel8, gpsd-minimal, jmc, kernel, net-snmp, and uek-kernel), Red Hat (net-snmp), SUSE (chromium, go, harfbuzz-devel, kernel, libsoup, rust1.91, rust1.92, and thunderbird), and Ubuntu (apache2, avahi, and python-urllib3).

PostgreSQL contributor Robert Haas has published a blog post that breaks down code contributions to PostgreSQL in 2025.

I calculate that, in 2025, there were 266 people who were the principal author of at least one PostgreSQL commit. 66% of the new lines of code where contributed by one of 26 people, and 90% of the lines of new code were contributed by one of 67 people.

Contributions to the project seem to be on the upswing; in his analysis of development in 2024, there were 229 people who were the primary authors of a commit, and 66% of new lines of code were contributed by one of 18 people. The raw data is also available.