Efforts to introduce malicious code into the open-source supply chain have been on the rise in recent years, and there is no indication that they will abate anytime soon. These attacks are often found quickly, but not quickly enough to prevent the compromised code from being automatically injected into other projects or code deployed by users where it can wreak havoc. One method of avoiding supply-chain attacks is to add a delay of a few days before pulling upates in what is known as a "dependency cooldown". That tactic is starting to find favor with users and some language ecosystem package managers. While this practice is considered a reasonable response by many, others are complaining that those employing dependency cooldowns are free-riding on the larger community by letting others take the risk.

Version 2.26.0 of the LilyPond music-engraving program has been released. Major changes include the ability to use the Cairo library to generate output and improvements in spacing between clefs and time signatures. See the release notes for a full list of miscellaneous improvements as well as what's new with musical and specialist notation.

Greg Kroah-Hartman has announced the release of the 7.0.1, 6.19.14, 6.18.24, and 6.12.83 stable kernels. As usual, each contains important fixes throughout the tree. Users are encouraged to upgrade.

Note that the 6.19.x series ends with 6.19.14.

Security updates have been issued by Debian (firefox-esr, flatpak, ngtcp2, ntfs-3g, packagekit, python-geopandas, simpleeval, strongswan, and xdg-dbus-proxy), Fedora (chromium, cups, curl, jq, opkssh, perl-Net-CIDR-Lite, python-cbor2, python-pillow, tinyproxy, xdg-dbus-proxy, and xorg-x11-server-Xwayland), Slackware (libXpm and mozilla), SUSE (botan, chromium, clamav, cockpit, cockpit-machines, cockpit-packages, cockpit-podman, cockpit-subscriptions, dovecot24, firefox, flatpak, freeipmi, gdk-pixbuf, glibc, gnome-remote-desktop, go1.25, go1.26, go1.26-openssl, google-cloud-sap-agent, gosec, graphicsmagick, haproxy, kernel, libpng16, libraw, libtasn1, libvncserver, ncurses, nebula, nodejs24, openssl-3, ovmf, pam, pcre2, perl-Authen-SASL, pgvector, plexus-utils, podman, python-cbor2, python-cryptography, python-django, python-gi-docgen, python-pypdf2, python-python-multipart, python311, python311-PyPDF2, python313, qemu, roundcubemail, rust1.94, sqlite3, strongswan, systemd, tar, tigervnc, util-linux, vim, webkit2gtk3, xorg-x11-server, xwayland, and zlib), and Ubuntu (commons-io, libcap2, ntfs-3g, and rapidjson).

The Fedora Project has been wrestling with the question of who should be able to vote in Fedora elections recently, with project membership being a major topic at the Fedora Council face-to-face held in early February. Now the project is considering a new contributor status, "Fedora Verified", and is looking to get input on the idea from the community.

What are the proposed benefits? The primary motivation behind "Fedora Verified" is to build trust-based recognition that grants elevated, privileged rights within the project. Most notably, this status would determine eligibility for strategic governance activities, such as:

• Voting in Fedora community elections.
• Running for leadership or decision-making roles within the project (i.e., Fedora Council, FESCo, Mindshare Committee, EPEL Steering Committee).
• (Potential, unplanned) Accessing specific shared project resources or educational opportunities (e.g., Red Hat training credits).

The blog post includes a list of proposed baseline metrics for "Verified" status as well as open questions to be decided. A survey on the topic will be open until May 5.