The GIMP project reports that GNOME contributor "balooii" has worked to package GIMP 0.54.1—released in 1996—as a Flatpak that will build and run on modern 64-bit Linux systems. This is a Motif-based version, and the same version that was used by Larry Ewing to create Tux.

While not likely to be useful for serious graphics work today, it should be interesting for users who would like to see what a 30-year-old version of GIMP was capable of.

Brian Tarricone has announced the first preview release of xfwl4, a Wayland compositor for the Xfce desktop environment.

After close to six months of work, I feel like it's ready to get some wider use, even though of course there will be bugs and missing features. Think of this as an alpha release. [...]

The end goal of xfwl4 is to behave as closely as possible to an Xfce desktop running on an X server. Ideally a user could switch between the two without even knowing there's a difference. In reality, of course, it won't be quite that seamless, and there's still more work to be done to get as close as possible to that ideal. This is a first solid cut at it, at the very least.

Security updates have been issued by AlmaLinux (389-ds:1.4, kernel, and kernel-rt), Debian (gst-libav1.0, gst-plugins-good1.0, imagemagick, kernel, libconfig-inifiles-perl, libgd-perl, libhttp-daemon-perl, mediawiki, pillow, and squid), Fedora (389-ds-base, alertmanager, ansible-core, buildah, chromium, erlang-cowboy, erlang-cowlib, erlang-gun, freerdp, kubernetes1.33, kubernetes1.34, kubernetes1.35, mingw-SDL2_image, ongres-scram, ongres-stringprep, openssl, perl-Config-IniFiles, perl-Crypt-PBKDF2, podman, postgresql-jdbc, python3.13, strongswan, webkitgtk, xdg-desktop-portal, and yt-dlp), Red Hat (osbuild-composer), SUSE (alloy, amazon-ssm-agent, ansible-core, apache-sshd, jpgpj, azure-storage-azcopy, chromedriver, containerized-data-importer, firefox, glibc, graphite2, inspektor-gadget, kubevirt, lemon, openvswitch, python-starlette, python311, python311-joserfc, python313, and tinyproxy), and Ubuntu (netatalk).

Systemd v261 has been released with a long list of changes, including a new cloud "Instance Metadata Service" (IMDS) subsystem, "boot secret" functionality for use on systems that lack a physical TPM, as well as support for the kernel's Live Update Orchestration (LUO) / Kexec Handover (KHO) systems when they are present and enabled. See the release notes for the full list of changes.

The Arch User Repository (AUR) has been subjected to a sustained attack recently. The attacker, or attackers, have spun up a series of new accounts then used them to adopt orphaned packages and push malicious updates that would install malware on users' systems. It is unclear how many users were compromised in the attack, but the maintainers were playing Whac-A-Mole for several days to respond to each newly compromised package. The project has turned off the AUR's new-user registration, for now, but it is unclear what its long-term response will be or if the AUR can be secured without major changes to its existing collaboration model.

Security updates have been issued by AlmaLinux (dracut), Debian (chromium, firefox-esr, and thunderbird), Fedora (chromium, firefox, nss, ocserv, ongres-scram, ongres-stringprep, perl-Archive-Tar, perl-GD, perl-HTTP-Daemon, perl-Net-Statsd, restic, singularity-ce, util-linux, and vorbis-tools), Mageia (gstreamer1.0-*, libupnp, luajit, opensc, and ruby-rack), SUSE (curl, dnsmasq, ffmpeg-4, frr, google-osconfig-agent, java-1_8_0-ibm, kernel, krb5, kubernetes-old, ldns, liburiparser1, openvswitch, rootlesskit, strongswan, traefik, and trivy), and Ubuntu (ldns, libheif, libnet-cidr-lite-perl, lxd, tomcat11, and vim).

Greg Kroah-Hartman has announced the release of the 7.1.1, 7.0.13, 6.18.36, 6.12.94, 6.6.143, 6.1.176, 5.15.210, and 5.10.259 stable kernels. As usual, each contains important fixes. Users are advised to upgrade.

The Software Freedom Conservancy (SFC) has announced the release of its recommendations for using LLM-backed generative AI systems for FOSS contributions. The recommendations were created by the SFC and volunteers from the free-software community.

The recommendations reflect the extremely difficult dilemmas that these systems pose for FOSS contributors. SFC and its volunteers understand that FOSS developers are approaching LLM-gen-AI from a variety of perspectives. The recommendations offer practical assistance to minimize the damage caused by using proprietary systems, whether FOSS contributors reject LLM-gen-AI or choose (voluntarily or by employer mandate) to use them.

These recommendations are best practices (but not definitions or requirements) that SFC and its volunteers formulated after careful study of the growing LLM-gen-AI use among FOSS contributors. SFC will follow these recommendations with a series of supporting materials, including documents, online tutorials, public Q&As, podcasts, and other community engagement. We will routinely refine our recommendations and continue to support FOSS contributors as they navigate this difficult landscape.

Security updates have been issued by AlmaLinux (dracut, podman, postfix, rsync, xorg-x11-server, and xorg-x11-server-Xwayland), Debian (atril, firefox-esr, and nginx), Mageia (libcap, perl, and python-pillow), Oracle (firefox, gstreamer-plugins-base and gstreamer-plugins-good, httpd:2.4, kernel, libpng12, libpng15, libxml2, libxslt, opencryptoki, openssl, postfix, rsync, webkit2gtk3, xorg-x11-server, and xorg-x11-server-Xwayland), Slackware (bind, libidn, mozilla, and openssl), SUSE (alloy, docker, elemental-system-agent, glibc, grafana, helm, LibVNCServer, openssh8.4, perl-GD, perl-HTTP-Daemon, python-WebOb-doc, python311-google-adk, rustup, traefik2, wireshark, and xwayland), and Ubuntu (dolibarr, golang-go.crypto, graphite2, gst-plugins-bad1.0, kitty, libconfig-inifiles-perl, libnginx-mod-js, and webpy).

Inside this week's LWN.net Weekly Edition:

• Front: State of Fedora; mTHP creation; overlayfs; buffer-heads cleanup; 7.1 statistics.
• Briefs: curl summer of bliss; 7.1 kernel; AUR compromise; Fedora election; FairScan 2.0; Firefox 152.0; Homebrew 6.0.0; KDE Plasma 6.7; LWN topic list; Quotes; ...
• Announcements: Newsletters, conferences, security updates, patches, and more.

The results are in for Fedora's F44 election cycle for seats on the Fedora Council, Fedora Engineering Steering Committee, Fedora Mindshare Committee, and EPEL Steering Committee.

Miro Hrončok and Aleksandra Fedorova have won seats on the council. Neal Gompa, Fabio Valentini, Michel Lind, Maxwell G, and Simon de Vlieger have been elected to FESCo. Samyak Jain, Akashdeep Dhar, Luis Bazan, and Mat Holmes have all been elected to the Mindshare Committee. The four candidates for the EPEL committee, Carl George, Diego Hererra, Jonathan Wright, and Troy Dawson were all automatically elected as there were an equal number of candidates and seats open. Congratulations to all the winners.

The Python Software Foundation blog has a post with a summary of the security-related content at PyCon US 2026 with links to slides from important sessions. The recordings will be published to the PyCon US channel on YouTube, and the post will be updated with links to those videos as they are made available.

Version 2.0 of the FairScan document-scanning app for Android has been released. The headline feature for this release is the addition of optical-character-recognition (OCR) support using Tesseract to produce PDFs with searchable text from scans. FairScan developer Pierre-Yves Nicolas has written a detailed blog about adding the feature and explaining why it had not been added previously.

That looks nice, so why didn't FairScan have it before? That's because FairScan wasn't ready for it: I wouldn't be comfortable if FairScan was giving you wrong text half of the time. To get good results from an OCR engine, you need to provide it a readable image. If it's hard to read for a human, it's certainly also hard to read for an OCR engine.

Over the past year, I worked on different parts of FairScan's automatic processing to transform photos of documents into PDFs that are easy for humans to read:

• document detection
• perspective correction
• shadow reduction
• brightness and contrast enhancement

All this work on image processing helped FairScan produce clean PDFs and can now also contribute to making text recognition effective.

FairScan is available via Google Play or F-Droid.

Security updates have been issued by AlmaLinux (hplip, kernel, kernel-rt, libpng12, libpng15, libxml2, libxslt, mysql:8.0, mysql:8.4, opencryptoki, openssl, postfix, postgresql:15, rsync, and webkit2gtk3), Debian (asterisk, atril, gsasl, and libreoffice), Fedora (ack, bird, chromium, firefox, ldns, librabbitmq, nextcloud, nss, openslide, perl-Protocol-HTTP2, tig, vorbis-tools, and xen), Mageia (coturn, log4cxx, and python-tornado), SUSE (389-ds, buildah, container-suseconnect, distribution, editorconfig-core-c, elemental-system-agent, glib-networking, google-guest-agent, google-osconfig-agent, kernel, libcaca, libXpm, opensc, openssl-3, openvswitch, perl-Crypt-PBKDF2, python-python-dotenv, python311-aiosmtplib, python311-zeroconf, runc, shim, and sqlite3), and Ubuntu (ca-certificates, keystone, librabbitmq, linux, linux-aws, linux-kvm, linux-aws-hwe, linux-azure, linux-gcp, linux-hwe, linux-oracle, linux-azure, linux-azure, linux-gcp, linux-hwe, linux-oracle, linux-azure-6.8, linux-oracle-5.15, nova, openimageio, qemu, and squid).

On June 15 at Fedora's Flock conference, held in Prague, Fedora Project Leader (FPL) Jef Spaleta delivered a short "State of Fedora" keynote that provided a bit of insight into the status of the project. Topics included the overall growth for Fedora usage, ways to increase contributions, and an alarming decline in the number of active packagers working on the project.

Version 152.0 of the Firefox web browser has been released. Notable changes in this release include a brand-new look for the Firefox Settings interface, the ability to disable tracker blocking in private browsing tabs, a feature to mute browser sound from the address bar, experimental support for the JPEG XL image format, and more.

Version 6.7 of KDE's Plasma desktop has been released. Notable changes in this release include per-screen virtual desktops, faster desktop switching, introduction of the Union theming system as a tech preview, as well as many other improvements and bug fixes. The release is dedicated to Eric Laffoon, a longtime KDE supporter, who passed away in May.

See the KDE wiki for a full list of new features, and the Changelog for a list of all commits in this release.

Security updates have been issued by AlmaLinux (mod_http2, postfix, and webkit2gtk3), Debian (bird2, libgd-perl, and libreoffice), Fedora (7zip, ack, hugo, and perl-Mojo-JWT), Mageia (atril, evince, xreader, emacs, lcms2, libgcrypt, libinput, libsndfile, putty, and sudo), Red Hat (openssl and osbuild-composer), SUSE (cheat, chromedriver, containerized-data-importer, cyrus-imapd, freeipmi, graphicsmagick, java-11-openj9, java-17-openj9, kitty, kubevirt, kubevirt-1.6, libcaca, libopenssl-3-devel, librav1e0_8, neonmodem, opensc, openssh, openssl-1_0_0, openssl-1_1, openssl-3, perl-HTTP-Daemon, perl-XML-LibXML, python-python-dotenv, python311-paramiko, python311-PyJWT, python311-starlette, python311-tornado6, qemu, restic, and trivy), and Ubuntu (adsys, cups, fastnetmon, freerdp2, freerdp3, mesa, nginx, rsync, ruby2.3, ruby2.5, and tmux).

Daniel Stenberg has announced that curl will not be accepting vulnerability reports from July 1 through August 3, unless the submitter has a paid support contract. He is calling it the "curl summer of bliss".

As previously mentioned, we have been under a huge pressure for the last four months or so. Now we need some rest. We do not expect this deluge to be over.

[...] If you and your Open Source projects also want to participate in the summer of bliss 2026: just do it and let us know! I would of course encourage you to do so. To take care of yourself as a top priority.

The project's issue and pull-request trackers on GitHub will remain open. The planned release date for curl 8.22.0 has been pushed back two weeks to September 2, 2026.

Security updates have been issued by AlmaLinux (.NET 9.0), Debian (apache2, chromium, jpeg-xl, librabbitmq, and openssl), Fedora (apptainer, bind9-next, chezmoi, chromium, collectd, composer, dnsdist, gh, python-django5, python-python-multipart, varnish, varnish-modules, vmod-querystring, vmod-uuid, weasyprint, and xorg-x11-server-Xwayland), Mageia (cups, expat, libpng, libssh, memcached, nghttp2, openimageio, packages, proftpd, and radare2), Oracle (.NET 10.0, .NET 8.0, .NET 9.0, and firefox), Red Hat (postfix and valkey), and SUSE (afl, alloy, ansible-core, apache-pdfbox, chromedriver, chromium, cpp-httplib-devel, dpkg, elemental-operator, elemental-toolkit, enc, erlang, ffmpeg-7, firewalld, git-bug, golang-github-prometheus-prometheus, grafana, GraphicsMagick, graphite2, kernel, kernel-devel, lcms2, ldns, libsoup, libyang, libzypp, logback, mariadb, NetworkManager, openssh, openvswitch, perl-GD, perl-XML-LibXML, polkit, postgresql-jdbc, postgresql18, python, python-django, python-M2Crypto-doc, python-Pygments, python-pygments, python-requests, python313-Django6, qemu, rpcbind, samba, strongswan, tmux, uriparser, and xdg-dbus-proxy).