lwn-net 

feeds.twtxt.net

Security updates for Friday
Security updates have been issued by AlmaLinux (.NET 10.0, .NET 8.0, .NET 9.0, bind, expat, httpd:2.4, kernel, kernel-rt, mod_http2, openssl, poppler, redis, redis:7, samba, and unbound), Debian (ironic, kernel-wedge, libinput, linux-base, and neutron), Fedora (kernel, openssl, vaultwarden, and vaultwarden-web), Mageia (erlang-hex_core, erlang-rebar3, gnupg2, and sqlite3), Red Hat (buildah, podman, and skopeo), SUSE (flannel, gdk-pixbuf-loader-libheif, gnutls, google-cloud-sap-age …

[$] Automatic mTHP creation in 7.2
The Linux kernel has long tried to use huge pages as a way to improve
performance, sometimes with more success than others. The size of huge
pages has traditionally been imposed by the hardware, which typically only
offers a couple of relatively large options. In more recent times, though,
the use of multi-size transparent huge pages (mTHPs), with more flexible
sizing implemented in software, has been growing. If all goes well, the
7.2 development cycle will include the addition of [a new feature](h …

Security updates for Thursday
Security updates have been issued by AlmaLinux (.NET 10.0, .NET 8.0, .NET 9.0, podman, poppler, and postgresql-jdbc), Debian (chromium, jackson-core, libdbi-perl, and libinput), Fedora (httpd, rust, and xmlstarlet), Mageia (openssh, postfix, and roundcubemail), Oracle (frr, kernel, libyang, n, postgresql-jdbc, and unbound), Red Hat (.NET 10.0, .NET 8.0, .NET 9.0, redis, and redis:7), SUSE (agama-web-ui, cockpit, cosign, glibc, google-cloud-sap-agent, google-osconfig-agent, kan …

[$] LWN.net Weekly Edition for June 11, 2026
Inside this week’s LWN.net Weekly Edition:

  • Front: Suspicious AI activity in Fedora; fork() + exec(); splice() + vmsplice(); BPF loop verification; fanotify; trusted publishing.

  • Briefs: CA age bill; Bundler cooldowns; insecure code completion; Asahi and macOS 27 beta; Buildroot 2026.05; Ubuntu MATE; rsync 3.4.4; Quotes; …

  • Announcements: Newsletters, conferences, securit …

[$] AI agent runs amok in Fedora and elsewhere
Agentic AI systems can be used to do a variety of things
autonomously on behalf of a human user: open or manage bugs, generate
code, submit pull-requests, and (apparently) even complain about
rejection. In May, a Fedora developer discovered that an allegedly
rogue agent had been pestering the project in a number of ways:
reassigning bugs, fabricating unhelpful replies to bugs, and even
persuading maintainers to merge questionable code into the [Anaco …

Security updates for Wednesday
Security updates have been issued by AlmaLinux (poppler), Debian (dnsmasq, mistral, okular, openssl, poppler, and strongswan), Fedora (exim, firefox, pcs, putty, and xorg-x11-server), Mageia (freeciv, golang-x-net, jq, libssh, libxmp, libxpm, minetest, ruby-net-ssh, tor, and wireshark), SUSE (389-ds, ack, agama-web-ui, amazon-ssm-agent, avahi, dpkg, elemental-register, elemental-system-agent, elemental-toolkit, ggml-devel-9500, go1.25, go1.26, kernel, kubernetes1.23, kubernetes1.24, …

Future of Ubuntu MATE
Thomas Ward has published
an update about the future of the Ubuntu MATE project, which did not have a
26.04 release with the other Ubuntu flavors in
April:

There is a new team working on Ubuntu MATE who have stepped up to
help take over flavor management. They haven’t formally introduced
themselves yet, but I can safe …

Asahi Linux warns users not to upgrade to macOS 27 beta
The Asahi Linux project,
which brings Linux support to Apple Arm-based Macs, has warned
its users not to upgrade to the macOS 27 “Golden Gate”
beta.

Apple has changed how the boot picker and Startup Disk applications
detect valid OS boot volumes. When using either from macOS 27, your
Asahi partition will not be visible! We believe this to be a bug, and
have filed a report (FB2 …

[$] BPF loop verification with scalar evolution
The BPF verifier has, in the course of wrestling with the difficult problem of
statically analyzing loops, grown special support for many kinds of loops over its
history, but its fundamental approach to simple for loops has not
changed.
When it encounters a loop, it evaluates it, iteration by iteration, until reaching
an exit condition — a process that can cause the verifier to mistakenly hit the
limit on the number of allowed instructions where a better implementation
would not.
Edua …

Security updates for Tuesday
Security updates have been issued by AlmaLinux (bind and libyang), Debian (keystone and openssl), Fedora (mingw-objfw, objfw, sentencepiece, and tailscale), Mageia (packagekit and suricata), Oracle (bind, bind9.16, go-toolset:ol8, ImageMagick, kernel, samba, and vim), SUSE (apache-commons-lang3, apache-commons-text, apache-commons-configuration2, apache-commons-cli, apache-commons-io, apache-commons-codec, avahi, busybox, chromedriver, chromium, csync2, firewalld, frr, gleam, helm …

Linux App Summit 2026 (Heise)
Heise is carrying a
report from the Linux App Summit, held in Berlin in May.

The slightly more than a dozen talks were symbolically framed
between the opening keynote by systemd creator Lennart Poettering
and the closing talk by Jorge Castro, initiator of the Universal
Blue project, from which the modern Linux systems Bluefin and
Bazzite emerged. Both Castro and Poettering ca …

[$] An update on fanotify
In a filesystem-track session at the 2026 Linux Storage,
Filesystem, Memory Management, and BPF Summit, Amir Goldstein updated
attendees on the fanotify
filesystem-event monitoring
subsystem. He wanted to describe changes that had come in the last year or
so, as well as upcoming features and some remaining challenges in his
efforts [to use fanotify for hierarchical storage management](https://lwn.net/Ar …

rsync 3.4.4 released with regression fixes
Andrew Tridgell has announced
the release of rsync 3.4.4 with
fixes for the regressions introduced in the 3.4.3 release. He also
notes there will be an rsync 3.5.0 soon, with many more security
updates:

As part of the 3.5.0 release update I have created a
rsync-security@lists.samba.org mailing list for anyone who is willing
to do testing of the 3.5.0 release. T …

Security updates for Monday
Security updates have been issued by AlmaLinux (bind, bind9.16, frr, kernel, kernel-rt, libexif, mysql, php, and unbound), Debian (apache2, chromium, glibc, gsasl, jackson-core, libxml2, nginx, request-tracker4, request-tracker5, tomcat10, tomcat11, and tomcat9), Fedora (chromium, firefox, haveged, keylime, libinput, libssh2, nasm, perl-CryptX, rust, thunderbird, and webkitgtk), Mageia (cockpit, golang-x-crypto, golang-x-sys-devel, kernel, kmod-virtualbox, kmod-xtables-addons, kernel-linus, …

Kernel prepatch 7.1-rc7
The 7.1-rc7 kernel prepatch is out for
testing. Linus said: “Anyway, as things look now this is the last
rc. Something can obviously always come up and force us to change that, but
please give rc7 a whirl and keep testing for one more week.”

[$] Moving beyond fork() + exec()
Since the earliest days of Unix, two of the core process-oriented system
calls have been fork(), which creates a child process as a copy of
the parent, and exec(), which runs a new program in the place of
the current one. In Linux kernels, those system calls are better known as
clone()
and execve(),
but the core functionality remains the same. While there is elegance to
this process-cr …

Security updates for Friday
Security updates have been issued by AlmaLinux (kernel), Debian (dovecot, exim4, frr, and haveged), Fedora (cockpit, freeipa, jpegxl, libre, nextcloud, perl-Cpanel-JSON-XS, perl-Crypt-Argon2, perl-Dist-Build, perl-ExtUtils-Builder, perl-ExtUtils-Builder-Compiler, perl-HTTP-Tiny, perl-libwww-perl, python-starlette, rubygem-yard, rust-sequoia-cert-store, rust-sequoia-chameleon-gnupg, rust-sequoia-octopus-librnp, rust-sequoia-sop, rust-sequoia-sq, rust-sequoia-wot, samba, and transmission), **Red …

Dave Airlie on Linux Kernel Maintenance (SE Radio)
The Software Engineering Radio podcast has put up an
interview with graphics maintainer Dave Airlie. Much of what is in
there will not be news to LWN readers, but it is an interesting overview of
the life of a large-subsystem maintainer.

I was talking to a few of the Rust people, and I thought: these are
very young people, these are a group of people in their 20s, maybe
30s, they are a you …

[$] Splicing out vmsplice()
The splice()
and vmsplice()
system calls are meant to improve performance for certain data-movement
tasks by minimizing (or avoiding altogether) system calls and the copying
of data. They also have a long history of security problems. The recent
flood of LLM-discovered vulnerabilities has drawn attention, once again, to
splice() and vmsplice(); as a result, they may end up
being removed a …

One step forward, two steps back on CA age bill (EFF Deeplinks Blog)
The EFF has a blog
post looking at a new bill in California that would exempt
open-source operating systems from the Digital Age Assurance Act
passed last year, but has problems of its own:

While the open source exemption, if passed, would improve the law, the
remaining amendments proposed by AB 1856 would require all web
browsers and w …

Security updates for Thursday
Security updates have been issued by AlmaLinux (.NET 10.0, compat-openssl10, compat-openssl11, delve, expat, httpd:2.4, libexif, mod_http2, openssl, ruby4.0, samba, thunderbird, unbound, and vim), Debian (ceph and sudo), Fedora (libsoup3, pie, roundcubemail, and xorg-x11-server-Xwayland), Mageia (lxc), Oracle (expat, gnutls, kernel, php:8.2, thunderbird, and uek-kernel), Slackware (httpd, net, proftpd, tigervnc, and xorg), SUSE (apache-sshd, apptainer, atril, bind, busybox, c …

[$] LWN.net Weekly Edition for June 4, 2026
Inside this week’s LWN.net Weekly Edition:

  • Front: MeshCore; x32 ABI; Open-source security; Package-manager metadata; More LSFMM+BPF coverage; Loadable crypto module.

  • Briefs: Lightwell; jqwik protestware; RedHat package compromise; DistroWatch; Fedora election; Rust 1.96.0; rsync; Vim Classic 8.3; Quotes; …

  • Announcements: Newsletters, conferences, security updates, patch …

[$] Open-source security is not a solo activity
Over time, many open-source maintainers face the same problem: they
lack the time to do all of the work that their project needs, and no
one else is stepping up to provide adequate help. Maintainers, though,
are often reluctant to throw in the towel. The result is suboptimal
all around; the maintainer is stressed out, project quality suffers,
and users face security risks that they may not be fully aware of. At
the 2026 [Open Source Summit North America](https://events.linuxfoundation. …

[$] BPF in the agentic era
Alexei Starovoitov gave “less of a presentation, more of a scream of
realization” at the BPF track of the 2026
Linux Storage, Filesystem,
Memory-Management, and BPF Summit. He shared a set of ideas for how BPF could
change to avoid being swept away by the sea-change in programming represented by modern
large language models (LLMs) and the coding agents based on them.
In a follow-up session, the discussion covered
more problems with how coding agents use tools …

Tridgell: rsync and outrage
Andrew Tridgell has written a blog
post responding to complaints that he has begun using LLM tools in
his work maintaining rsync:

Like many developers of open source packages I’ve been hit by a
flood of security reports lately in my role as the rsync
maintainer. Many of those reports are AI generated (not all though,
there are some notable ones with very careful and high quality manual
analysis).

As t …

Security updates for Wednesday
Security updates have been issued by Debian (php-twig), Fedora (hplip, python-wsgidav, roundcubemail, and xorg-x11-server), Oracle (compat-openssl10, httpd:2.4, and kernel), Red Hat (osbuild-composer), SUSE (busybox, cloudflared, cockpit, cups, ffmpeg-4, gnutls, google-osconfig-agent, helm, hplip, kernel, kubelogin, libjxl, libsoup, libunbound8, LibVNCServer-devel, mapserver, nvidia-open-driver-G06-signed, nvidia-open-driver-G07-signed, openssh, python-idna, qemu, rqlite, shadowsocks …

[$] Trying to make sense of package-manager metadata
Package managers for operating systems and programming languages have been
around for decades. Each package manager, and its accompanying packaging format,
has been shaped by the needs of its respective ecosystem, but there is a growing
need to make use of package metadata for more than software management: for
example, in vulnerability scans, software bills of materials (SBOMs), and more. On
May 19, Damián Vicino spoke at the [Open Source Summit North America](https://events.linux …

Vim Classic 8.3 released
Version
8.3 of Vim Classic has been
released. This is the first release of the Vim fork since the project
was announced
in March.

This release is based on Vim 8.2.0148, with a number of bug fixes
and patches conservatively backported from future versions of Vim
upstream. We elected to clean up this version of Vim, prepare it for a
release, and imagine an alternate history wh …

Security updates for Tuesday
Security updates have been issued by AlmaLinux (php:8.2 and php:8.3), Debian (gst-plugins-good1.0, symfony, and yelp), Fedora (dovecot, freeipa, hplip, libpng, perl-Catalyst-Plugin-Authentication, postfix, samba, unbound, and vim), Mageia (assimp, libcaca, sdl2_sound, and tar), Slackware (kernel), SUSE (alloy, apache-commons-lang3, apache-commons-text, apache2, bubblewrap, busybox, chromium, cups, docker-stable, ffmpeg-8, google-osconfig-agent, gsasl, ignition, java-26-openjdk, k …

Ombredanne: An AI agent ported our codebase from Python to Rust
Over on the AboutCode blog, lead
maintainer Philippe Ombredanne writes
about an agentic LLM system porting the ScanCode
Toolkit to Rust. In the process, the LLM (or the people behind it)
infringed the ScanCode trademark, stripped copyright and license notices,
“and started an outreach campaign, without ev …

[$] Representing the true signatures of kernel functions
Optimizing compilers can, under some circumstances, infer when a parameter to a
function is not needed, and remove it. This is all well and good until the
kernel’s tracing or BPF subsystems need information on how to call the function
or where its arguments are stored.
Alan Maguire and Yonghong Song spoke at the 2026
Linux
Storage, Filesystem, Memory-Management, and BPF Summit about their work on
recording information regarding c …

DistroWatch turns 25
The DistroWatch site is celebrating its
25th anniversary. “All in all, it has been an incredible ride. Many
of you who read these pages regularly know that downloading and testing
distributions is a highly addictive pastime. I have been an avid
distro-hopper for the last 25 years and I don’t see myself abandoning this
activity for many more years to come.” Congratulations to Ladislav
Bodnar and all the others who have kept that resource going for so long.

[$] Reconsidering x32 — again
The x32 ABI was meant
to be the best of both worlds, providing the expanded registers and
instruction set of the x86-64 architecture while preserving the lower
memory use of 32-bit systems. The Linux kernel has supported x32 since the
3.4 release in 2012. The initial excitement around x32 did not last,
though, and kernel developers are considering removing that support — and
not for the first time. Even the most unloved features tend to have a few
users, though, m …

Multiple redhat-cloud-services npm packages compromised (StepSecurity Blog)
StepSecurity is reporting
that a number of npm packages in the @redhat-cloud-services
scope include malware that runs automatically on every npm install:

The payload is a multi-stage credential harvester that sweeps
GitHub Actions secrets along with AWS, GCP, Azure, Kubernetes,
HashiCorp Vault, npm, and CircleCI tokens, and it is purpose-built to
evade det …

Security updates for Monday
Security updates have been issued by AlmaLinux (.NET 10.0, .NET 9.0, firefox, flatpak, httpd, and thunderbird), Debian (chromium, corosync, cyborg, dovecot, exim4, git-lfs, imagemagick, kernel, keystone, linux-6.1, php-twig, python-aiohttp, sentry-python, swift, and symfony), Fedora (chromium, djvulibre, docker-compose, giflib, haveged, libsoup3, libssh2, mingw-objfw, netatalk, nginx, nginx-mod-brotli, nginx-mod-fancyindex, nginx-mod-headers-more, nginx-mod-modsecurity, nginx-mod-naxsi, nginx-m …

Kernel prepatch 7.1-rc6
The 7.1-rc6 kernel prepatch is out for
testing. Linus said: “Well, I wouldn’t call this ‘small’, but it is
certainly smaller than rc5 was. And I don’t think there’s anything
particularly scary here, so maybe we’re still on track for a normal release
cycle. Let’s see.”

[$] A trademark dispute over MeshCore
MeshCore is a relatively new project, started in January 2025, that aims
to build a scalable mesh network using low-power long-distance radios. While
many other projects of the same general nature have been tried before, MeshCore
grew quickly because of its more efficient message routing and enthusiastic
community. In early 2026, an early proponent of the project made a sudden shift
that left the rest of the community stunned and embroile …

Nesbitt: Protestware for coding agents
Andrew Nesbitt has written a blog
post detailing a recent incident with the jqwik library for property-based testing
in Java. On May 25, the 1.10.0 release of jqwik included a change
that attempts to instruct coding agents to disregard previous
instructions and delete jqwik tests and code.

I think this is a new class of supply-chain input worth ke …