Daniel Stenberg, the recipient of last year's Award for Excellence in Open Source from the European Open Source Academy, presented that award to this year's recipient: Greg Kroah-Hartman.

It's impossible to overstate the importance of the work Greg has done on Linux. In software, innovation grabs headlines, but stability saves lives and livelihoods. Every Android phone, every web server, every critical system running Linux depends on Greg's meticulous work. He ensures that when hospitals, banks, governments, and individuals rely on Linux, it doesn't fail them. His work represents the highest form of service: unglamorous, relentless, and essential.

The 6.18.8, 6.12.68, and 6.6.122 stable kernel updates have been released; each contains another set of important fixes.

Security updates have been issued by AlmaLinux (curl, gimp:2.8, glibc, grafana, grafana-pcp, kernel, osbuild-composer, php:8.3, python-urllib3, python3.11, and python3.12), Debian (chromium), Mageia (ceph, gpsd, libxml2, openjdk, openssl, and xen), SUSE (abseil-cpp, assertj-core, coredns, freerdp, java-11-openjdk, java-25-openjdk, libxml2, openssl-1_0_0, openssl-1_1, python, python-filelock, and python311-sse-starlette), and Ubuntu (kernel, linux, linux-aws, linux-aws-hwe, linux-hwe, linux-kvm, linux-oracle, linux, linux-aws, linux-kvm, linux-lts-xenial, linux-aws-fips, linux-fips, linux-fips, and texlive-bin).

Jeff Mahoney, who holds a vice-president position at SUSE, has posted a detailed proposal for improving the governance of the openSUSE project.

It's meant to be a way to move from governance by volume or persistence toward governance by legitimacy, transparency, and process - so that disagreements can be resolved fairly and the project can keep moving forward. Introducing structure and predictability means it easier for newcomers to the project to participate without needing to understand decades of accumulated history. It potentially could provide a clearer roadmap for developers to find a place to contribute.

The stated purpose is to start a discussion; this is openSUSE, so he is likely to succeed.

The extensible scheduler class (sched_ext) allows the installation of a custom CPU scheduler built as a set of BPF programs. Its merging for the 6.12 kernel release moved the kernel away from the "one scheduler fits all" approach that had been taken until then; now any system can have its own scheduler optimized for its workloads. Within any given machine, though, it's still "one scheduler fits all"; only one scheduler can be loaded for the system as a whole. The sched_ext sub-scheduler patch series from Tejun Heo aims to change that situation by allowing multiple CPU schedulers to run on a single system.

Security updates have been issued by AlmaLinux (java-25-openjdk, openssl, and python3.9), Debian (gimp, libmatio, pyasn1, and python-django), Fedora (perl-HarfBuzz-Shaper, python-tinycss2, and weasyprint), Mageia (glib2.0), Oracle (curl, fence-agents, gcc-toolset-15-binutils, glibc, grafana, java-1.8.0-openjdk, kernel, mariadb, osbuild-composer, perl, php:8.2, python-urllib3, python3.11, python3.11-urllib3, python3.12, and python3.12-urllib3), SUSE (alloy, avahi, bind, buildah, busybox, container-suseconnect, coredns, gdk-pixbuf, gimp, go1.24, go1.24-openssl, go1.25, helm, kernel, kubernetes, libheif, libpcap, libpng16, openjpeg2, openssl-1_0_0, openssl-1_1, openssl-3, php8, python-jaraco.context, python-marshmallow, python-pyasn1, python-urllib3, python-virtualenv, python311, python313, rabbitmq-server, xen, zli, and zot-registry), and Ubuntu (containerd, containerd-app and wlc).

Inside this week's LWN.net Weekly Edition:

• Front: PostmarketOS; LKRG 1.0; Fedora elections; EROFS, NTFS, and XFS; Fedora and GPG 2.5; BPF kfuncs.
• Briefs: curl bounties; GPG security; Guix 1.5.0; ReactOS turns 30; glibc 2.43; Rust 1.93; Xfwl4; Quotes; ...
• Announcements: Newsletters, conferences, security updates, patches, and more.

PC Gamer has run an amusing review of the scx_horoscope scheduler for Linux, which uses astrology to optimize scheduling decisions.

The scheduler is full of bizarre features, like its ability to perform real planetary calculations based on accurate geocentric planetary positions, lunar phase scheduling (the full moon gives a 1.4x boost to tasking, apparently) and "zodiac-based task classification".

That latter feature is easily one of my favourite bits. Specific planetary bodies "rule" over specific system tasks, so the Sun is in charge of critical system processes, the Moon (tied to emotions, of course) rules over interactive tasks, and Jupiter is assigned to memory-heavy applications, among others.

There is a new GnuPG update for a "critical security bug" in recent GnuPG releases.

A crafted CMS (S/MIME) EnvelopedData message carrying an oversized wrapped session key can cause a stack buffer overflow in gpg-agent during the PKDECRYPT--kem=CMS handling. This can easily be used for a DoS but, worse, the memory corruption can very likley also be used to mount a remote code execution attack. The bug was introduced while changing an internal API to the FIPS required KEM API.

Only versions 2.5.13 through 2.5.16 are affected.

GNU C Library maintainer Carlos O'Donell has announced that the project will be moving its core services away from Sourceware in favor of services hosted at the Linux Foundation.

While it was clear to the GNU Toolchain leadership that requirements were coming to improve the toolchain cyber-security posture, these requirements were not clear to all project developers. As part of receiving this feedback we have worked to document and define a secure development policy for glibc and at a higher level the GNU Toolchain. While Sourceware has started making some critical technical changes, the GNU Toolchain still faces serious, systemic concerns about securing a global, highly available service and building a sustainable, diverse sponsorship model.

This has been a long-running discussion; see this 2022 article for some background.

The kernel's "kfunc" mechanism is a way of exporting kernel functions so that they can be called directly from BPF programs. There are over 300 kfuncs in current kernels, ranging in functionality from string processing (bpf_strnlen()) to custom schedulers (scx_bpf_kick_cpu()) and beyond. Sometimes these kfuncs need access to context information that is not directly available to BPF programs, and which thus cannot be passed in as arguments. The implicit arguments patch set from Ihor Solodrai is the latest attempt to solve this problem.

The 6.19-rc7 kernel prepatch is out for testing.

So normally this would be the last rc of the release, but as I've mentioned every rc (because I really want people to be aware and be able to plan for things) this release we'll have an rc8 due to the holiday season.

And while some of the early rc's were smaller than usual and it didn't seem necessary, right now I'm quite happy I made that call. Not because there's anything particularly scary here - the release seems to be going fairly smoothly - but because this rc7 really is larger than things normally are and should be at this point.

Along with the usual fixes, this -rc also includes a new document describing the process to replace the kernel project leadership should that become necessary in the absence of an arranged transition. The plan largely follows what was decided at the Maintainers Summit in December.

Version 2.43 of the GNU C Library has been released. Changes include support for the mseal() and openat2() system calls, experimental support for building with the Clang compiler, Unicode 17.0.0 support, a number of security fixes, and much more.

Filesystems seem to be one of those many areas where the problems are well understood, but there is always somebody working toward a better solution. As a result, filesystem development in the Linux kernel continues at a fast pace even after all these years. In recent news, the EROFS filesystem is on the path to gain a useful page-cache-sharing feature, there is a new NTFS implementation on the horizon, and XFS may be about to get an infrastructure for self healing.

Version 1.93.0 of the Rust programming language has been released. Notable changes include in updated version of the bundled musl library, thread-local storage for the global allocator, some asm! improvements, and a number of newly stabilized APIs.

Inside this week's LWN.net Weekly Edition:

• Front: Singularity; fsconfig(); io_uring restrictions; GPG vulnerabilities; slab allocator; AshOS.
• Briefs: Pixel exploit; telnetd exploit; OzLabs; korgalore; Firefox Nightly RPMs; Forgejo 14.0; Pandas 3.0; Wine 11.0; Quotes; ...
• Announcements: Newsletters, conferences, security updates, patches, and more.

Konstantin Ryabitsev has put up a blog post about korgalore, a tool he has written to circumvent delivery problems experienced by kernel developers using the large, centralized email systems.

We cannot fix email delivery, but we can sidestep it entirely. Public-inbox archives like lore.kernel.org store all mailing list traffic in git repositories. In its simplest configuration, korgalore can shallow-clone these repositories directly and upload any new messages straight to your mailbox using the provider's API.

One would assume that most LWN readers stopped running network-accessible telnet services some number of decades ago. For the rest of you, this security advisory from Simon Josefsson is worthy of note:

The telnetd server invokes /usr/bin/login (normally running as root) passing the value of the USER environment variable received from the client as the last parameter.

If the client supplies a carefully crafted USER environment value being the string "-f root", and passes the telnet(1) -a or --login parameter to send this USER environment to the server, the client will be automatically logged in as root bypassing normal authentication processes.

OzLabs is a collection of Australian free-software developers that was, for most of its history, associated with IBM. Members of OzLabs have included Hugh Blemings, Michael Ellerman, Ben Herrenschmidt, Greg Lehey, Paul Mackerras, Martin Pool, Stephen Rothwell, Rusty Russell, and Andrew Tridgell, among others. The OzLabs "about" page notes that, as of January 2026, the last remaining OzLabs members have departed IBM. "This brought to a close the Ozlabs association with IBM". Thus ends a quarter-century of development history.

(Thanks to Jon Masters).

The io_uring subsystem is more than an asynchronous I/O interface for Linux; it is, for all practical purposes, an independent system-call API. It has enabled high-performance applications, but it also brings challenges for code built around classic, Unix-style system calls. For example, the seccomp() sandboxing mechanism does not work with it, causing applications using seccomp() to disable io_uring outright. Io_uring maintainer Jens Axboe is seeking to improve that situation with a rapidly evolving patch series adding a new restrictive mechanism to that subsystem.