Welcome to LWN.net
LWN.net is a reader-supported news site dedicated to producing the best coverage from within the Linux and free software development communities. See the LWN FAQ for more information, and please consider subscribing to gain full access and support our activities.
[$] Magic kernel functions for BPF
When programs written in BPF (the kernel's hot-loadable virtual-machine bytecode) call kernel functions (kfuncs), it may be useful for those functions to have additional information about the context in which those BPF programs are executing. Rather than requiring it to supply that information, it would be convenient to let the BPF verifier pass that information to the called function automatically. That is already possible, but a recent patch set from Ihor Solodrai would make it more ergonomic. It allows kernel developers to specify that a kfunc should be passed additional parameters inferred by the verifier, invisibly to the BPF program. The discussion included concerns that Solodrai's implementation was unnecessarily complex, however.
[$] Bootc for workstation use
The bootc project allows users to create a bootable Linux system image using the container tooling that many developers are already familiar with. It is an evolution of OSTree (now called libostree), which is used to create Fedora Silverblue and other image-based distributions. While creating custom images is still a job for experts, the container technology simplifies delivering heavily customized images to non-technical users.
[$] Toward fast, containerized, user-space filesystems
Filesystems are complex and performance-sensitive beasts. They can also present security concerns. Microkernel-based systems have long pushed filesystems into separate processes in order to contain any vulnerabilities that may be found there. Linux can do the same with the Filesystem in Userspace (FUSE) subsystem, but using FUSE brings a significant performance penalty. Darrick Wong is working on ways to eliminate that penalty, and he has a massive patch set showing how ext4 filesystems can be safely implemented in user space by unprivileged processes with good performance. This work has the potential to radically change how filesystems are managed on Linux systems.
[$] LWN.net Weekly Edition for November 6, 2025
Posted Nov 6, 2025 0:14 UTC (Thu)The LWN.net Weekly Edition for November 6, 2025 is available.
Inside this week's LWN.net Weekly Edition
- Front: Python thread safety; Namespace reference counting; Merigraf; Speeding up short reads; Julia 1.12; systemd security.
- Briefs: CHERIoT 1.0; Chromium XSLT; Arm KASLR; Bazzite; Devuan 6.0; Incus 6.18; LXQt 2.3.0; Rust 1.91.0; Quotes; ...
- Announcements: Newsletters, conferences, security updates, patches, and more.
[$] A security model for systemd
Linux has many security features and tools that have evolved over
the years to address threats as they emerge and security gaps as they
are discovered. Linux security is all, as Lennart Poettering observed at the All Systems Go! conference held
in Berlin, somewhat random and not a "clean
"
design. To many observers, that may also appear to be the case for
systemd; however, Poettering said that he does have a vision for how
all of the security-related pieces of systemd are meant to fit
together. He wanted to use his talk to explain "how the individual
security-related parts of systemd actually fit together and why they
exist in the first place
".
[$] Julia 1.12 brings progress on standalone binaries and more
Julia is a modern programming language that is of particular interest to scientists due to its high performance combined with language features such as Lisp-style macros, an advanced type system, and multiple dispatch. We last looked at Julia in January on the occasion of its 1.11 release. Early in October Julia 1.12 appeared, bringing a handful of quality-of-life improvements for Julia programmers, most notably support, though still experimental and limited, for the creation of binaries.
[$] An explicit thread-safety proposal for Python
Python already has several ways to run programs concurrently — including asynchronous functions, threads, subinterpreters, and multiprocessing — but all of those options have drawbacks of one kind or another. PEP 703 ("Making the Global Interpreter Lock Optional in CPython") removed a major barrier to running Python threads in parallel, but also exposed Python programmers to the same tricky synchronization problems found in other languages supporting multithreaded programs. A new draft proposal by Mark Shannon, PEP 805 ("Safe Parallel Python"), suggests a way for the CPython runtime to cut down on concurrency bugs, making it more practical for Python programmers to use versions of the language without the global interpreter lock (GIL).
[$] Namespace reference counting and listns()
The kernel's namespaces feature is, among other things, a key part of the implementation of containers. Like much in the kernel, though, the namespace API evolved over time; there was no design at the outset. As a result, this API has some rough edges and missing features. Christian Brauner is working to straighten out the namespace situation somewhat with this daunting 72-part patch series that, among other things, adds a new system call to allow user space to query the namespaces present on the system.
[$] Mergiraf: syntax-aware merging for Git
The idea of automatic syntax-aware merging in version-control systems goes back to 2005 or earlier, but initial implementations were often language-specific and slow. Mergiraf is a merge-conflict resolver that uses a generic algorithm plus a small amount of language-specific knowledge to solve conflicts that Git's default strategy cannot. The project's contributors have been working on the tool for just under a year, but it already supports 33 languages, including C, Python, Rust, and even SystemVerilog.
[$] The long path toward optimizing short reads
The kernel's file-I/O subsystems have been highly optimized over the years in the hope of providing the best performance for a wide variety of workloads. There is, however, one workload type that suffers with current kernels: applications that perform many short reads, in multiple processes, from the same file. Kiryl Shutsemau has been working on a patch to try to optimize this case, but the task is turning out to be harder than one might expect.
Public-inbox 2.0.0 released
Version 2.0.0 of public-inbox, the mail archiving system behind
lore.kernel.org and LWN's email archive, has been released. "This
release includes several new features and fixes; mostly around improved
integration between inboxes and coderepos for solver. Portability and
reliability is also improved, especially in the internal process management
of lei.
"
Pytest 9.0.0 released
Version 9.0.0 of pytest has been released. Notable changes in this release include the addition of subtests, native support for TOML configuration files, and a new strict mode. See the changelog for a complete list of new features, enhancements, and bug fixes.
Security updates for Monday
Security updates have been issued by AlmaLinux (galera and mariadb, kernel, kernel-rt, mingw-libtiff, redis:7, tigervnc, and xorg-x11-server-Xwayland), Fedora (bind, bind-dyndb-ldap, bpfman, chromium, dolphin-emu, dotnet9.0, golang-github-openprinting-ipp-usb, kea, libnbd, luksmeta, python-cloudpickle, python-pydantic, python-pydantic-core, python-uv-build, ruby, ruff, rust-get-size-derive2, rust-get-size2, rust-regex, rust-regex-automata, rust-reqsign, rust-reqsign-aws-v4, rust-reqsign-command-execute-tokio, rust-reqsign-core, rust-reqsign-file-read-tokio, rust-reqsign-http-send-reqwest, singularity-ce, uv, xen, and xorg-x11-server-Xwayland), Mageia (libxml2, libxslt, opencontainers-runc, and xen), Oracle (bind, galera and mariadb, libsoup, linux-firmware, mariadb:10.5, mingw-libtiff, osbuild-composer, qt5-qt3d, tigervnc, and xorg-x11-server-Xwayland), SUSE (chromium, erlang, google-osconfig-agent, govulncheck-vulndb, java-11-openjdk, java-17-openjdk, java-1_8_0-openj9, opentofu, python-djangorestframework-simplejwt, python311-Django, python315, squid, thunderbird, tiff, tomcat, tomcat11, and xen), and Ubuntu (linux-fips, linux-hwe-6.14, and linux-nvidia-tegra, linux-nvidia-tegra-5.15, linux-nvidia-tegra-igx, linux-raspi).
Kernel prepatch 6.18-rc5
The 6.18-rc5 kernel prepatch is out for
testing. "In other words: it all looks just the way I like it at this
point: small and boring.
"
About KeePassXC's code quality control (KeePassXC blog)
The KeePassXC project has recently updated its contribution policy and README to note its policy around contributions created with generative AI tools. The project's use of those tools, such as GitHub Copilot, have raised a number of questions and concerns, which the project has responded to:
There are no AI features inside KeePassXC and there never will be!
The use of Copilot for drafting pull requests is reserved for very simple and focused tasks with a small handful of changes, such as simple bugfixes or UI changes. We use it sparingly (mostly because it's not very good at complex tasks) and only where we think it offers a benefit. Copilot is good at helping developers plan complex changes by reviewing the code base and writing suggestions in markdown, as well as boilerplate tasks such as test development. Copilot can mess up, and we catch that in our standard review process (e.g., by committing a full directory of rubbish, which we identified and fixed). You can review our copilot instructions. Would we ever let AI rewrite our crypto stack? No. Would we let it refactor and rewrite large parts of the application? No. Would we ask it to fix a regression or add more test cases? Yes, sometimes.
Emphasis in the original. See the full post to learn more about the project's processes and pull requests that have been created with AI assistance.
A proposed kernel policy for LLM-generated contributions
The kernel community is currently reviewing a
proposed policy for contributors who are using large language models to
assist in the creation of their patches; the primary focus is on disclosure
of the use of those tools. "The goal here is to clarify community
expectations around tools. This lets everyone become more productive while
also maintaining high degrees of trust between submitters and
reviewers.
"
Security updates for Friday
Security updates have been issued by AlmaLinux (bind, bind9.16, libsoup, mariadb:10.5, and sssd), Debian (chromium, keystone, and swift), Fedora (apptainer, buildah, chromium, fcitx5, fcitx5-anthy, fcitx5-chewing, fcitx5-chinese-addons, fcitx5-configtool, fcitx5-hangul, fcitx5-kkc, fcitx5-libthai, fcitx5-m17n, fcitx5-qt, fcitx5-rime, fcitx5-sayura, fcitx5-skk, fcitx5-table-extra, fcitx5-unikey, fcitx5-zhuyin, GeographicLib, libime, mbedtls, mingw-poppler, mupen64plus, python-starlette, webkitgtk, and xen), Mageia (dcmtk, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-latest-openjdk, libvpx, and sqlite3), Oracle (bind, bind9.16, kernel, libsoup, libsoup3, osbuild-composer, qt6-qtsvg, sssd, and valkey), Red Hat (kernel and kernel-rt), SUSE (bind, gpg2, ImageMagick, python-Django, and runc), and Ubuntu (linux-azure, linux-azure-4.15, linux-fips, linux-aws-fips, inux-gcp-fips, linux-gcp, linux-gcp-6.8, linux-gke, linux-intel-iot-realtime, linux-realtime, linux-raspi-5.4, and linux-realtime, linux-realtime-6.8).
Mastodon 4.5 released
Version 4.5 of the Mastodon decentralized social-media platform has been released. Notable features in this release include quote posts, native emoji support, as well as enhanced moderation and blocking features for server administrators. The project also has a post detailing new features in 4.5 for developers of clients and other software that interacts with Mastodon.
Freedesktop.org now hosts the Filesystem Hierarchy Standard
The future of the Filesystem Hierarchy Standard (FHS) has been under discussion for some time; now,
Neal Gompa has announced
that the FHS is "hosted and stewarded
" by Freedesktop.org.
For those who are unaware, the Filesystem Hierarchy Standard (FHS) is the definition for POSIX operating systems to organize system and user data. It is broadly adopted by Linux, BSD, and other operating systems that follow POSIX-like conventions.
See this page for the specification's new home.
Security updates for Thursday
Security updates have been issued by Debian (unbound), Fedora (deepin-qt5integration, deepin-qt5platform-plugins, dtkcore, dtkgui, dtklog, dtkwidget, fcitx-qt5, fcitx5-qt, fontforge, gammaray, golang-github-openprinting-ipp-usb, kddockwidgets, keepassxc, kf5-akonadi-server, kf5-frameworkintegration, kf5-kwayland, plasma-integration, python-qt5, qadwaitadecorations, qt5, qt5-qt3d, qt5-qtbase, qt5-qtcharts, qt5-qtconnectivity, qt5-qtdatavis3d, qt5-qtdeclarative, qt5-qtdoc, qt5-qtgamepad, qt5-qtgraphicaleffects, qt5-qtimageformats, qt5-qtlocation, qt5-qtmultimedia, qt5-qtnetworkauth, qt5-qtquickcontrols, qt5-qtquickcontrols2, qt5-qtremoteobjects, qt5-qtscript, qt5-qtscxml, qt5-qtsensors, qt5-qtserialbus, qt5-qtserialport, qt5-qtspeech, qt5-qtsvg, qt5-qttools, qt5-qttranslations, qt5-qtvirtualkeyboard, qt5-qtwayland, qt5-qtwebchannel, qt5-qtwebengine, qt5-qtwebkit, qt5-qtwebsockets, qt5-qtwebview, qt5-qtx11extras, qt5-qtxmlpatterns, qt5ct, and xorg-x11-server), Mageia (binutils, gstreamer1.0-plugins-bad, libsoup, libsoup3, mediawiki, net-tools, and tigervnc, x11-server, and x11-server-xwayland), Red Hat (tigervnc), SUSE (aws-efs-utils, fetchmail, flake-pilot, ImageMagick, java-1_8_0-ibm, java-1_8_0-openjdk, kernel-devel, kubecolor, OpenSMTPD, sccache, tiff, and zellij), and Ubuntu (linux, linux-aws, linux-aws-6.14, linux-gcp, linux-gcp-6.14, linux-oem-6.14, linux-oracle, linux-oracle-6.14, linux-raspi, linux-realtime, linux, linux-aws, linux-gkeop, linux-hwe-6.8, linux-ibm, linux-ibm-6.8, linux-lowlatency, linux-lowlatency-hwe-6.8, linux-nvidia, linux-nvidia-lowlatency, linux, linux-aws, linux-kvm, linux-lts-xenial, linux-oracle-6.8, linux-realtime-6.14, poppler, python-django, and various linux-* packages).