The Open Source Initiative (OSI) has announced that it will not be holding the 2026 spring board election. Instead, it will be creating a working group to "review and improve OSI's board member selection process" and provide recommendations by September 2026: The public election process was designed to gather community priorities and improve board member selection, while final appointments remained with the board. Over time, that nuance has become a source of understandable confusion for community members. Many reasonably expected elections to function as elections normally do, and in fact, the board has generally adopted the electorate's recommendations. When a process feels unclear, trust suffers. When trust suffers, engagement becomes harder. This is especially problematic for an organization whose mission depends on legitimacy and credibility. [...] OSI tried its experiment for the right reasons, but a variety of factors resulted in "elections" that are performatively democratic wh
Phones running Linux are ubiquitous these days and it has been that way since Android started working toward dominance in the smartphone market. Unfortunately, Android has slowly increased its freedom-unfriendliness and has become something of a privacy nightmare. In a talk entitled "We need an open-source phone OS" at Open Source Summit Japan 2025, Luca Weiss described the smartphone landscape and gave an overview of postmarketOS as an alternative Linux operating system for mobile handsets.
PC Gamer has run an amusing review of the scx_horoscope scheduler for Linux, which uses astrology to optimize scheduling decisions. The scheduler is full of bizarre features, like its ability to perform real planetary calculations based on accurate geocentric planetary positions, lunar phase scheduling (the full moon gives a 1.4x boost to tasking, apparently) and "zodiac-based task classification". That latter feature is easily one of my favourite bits. Specific planetary bodies "rule" over specific system tasks, so the Sun is in charge of critical system processes, the Moon (tied to emotions, of course) rules over interactive tasks, and Jupiter is assigned to memory-heavy applications, among others.
Creating fair governance models for open-source projects is not easy; defining criteria for participants to receive membership and voting rights is a particularly thorny problem for projects that have elections for representative bodies. The Fedora Council, the project's top-level governance body, is wrestling with that conundrum now. This was triggered by a Fedora special-interest group (SIG) granting temporary membership to at least one person for the sole purpose of allowing them to vote in the most recent Fedora Engineering Steering Council (FESCo) election. That opened a large can of worms about what it means to be a contributor and how contributors can be identified for voting purposes.
There is a new GnuPG update for a "critical security bug" in recent GnuPG releases. A crafted CMS (S/MIME) EnvelopedData message carrying an oversized wrapped session key can cause a stack buffer overflow in gpg-agent during the PKDECRYPT--kem=CMS handling. This can easily be used for a DoS but, worse, the memory corruption can very likley also be used to mount a remote code execution attack. The bug was introduced while changing an internal API to the FIPS required KEM API. Only versions 2.5.13 through 2.5.16 are affected.
GNU C Library maintainer Carlos O'Donell has announced that the project will be moving its core services away from Sourceware in favor of services hosted at the Linux Foundation. While it was clear to the GNU Toolchain leadership that requirements were coming to improve the toolchain cyber-security posture, these requirements were not clear to all project developers. As part of receiving this feedback we have worked to document and define a secure development policy for glibc and at a higher level the GNU Toolchain. While Sourceware has started making some critical technical changes, the GNU Toolchain still faces serious, systemic concerns about securing a global, highly available service and building a sustainable, diverse sponsorship model. This has been a long-running discussion; see this 2022 article for some background.
The kernel's "kfunc" mechanism is a way of exporting kernel functions so that they can be called directly from BPF programs. There are over 300 kfuncs in current kernels, ranging in functionality from string processing (bpf_strnlen()) to custom schedulers (scx_bpf_kick_cpu()) and beyond. Sometimes these kfuncs need access to context information that is not directly available to BPF programs, and which thus cannot be passed in as arguments. The implicit arguments patch set from Ihor Solodrai is the latest attempt to solve this problem.
The Xfce team has announced that it will be providing funding to Brian Tarricone to work on xfwl4, a Wayland compositor for Xfce: Xfwl4 will not be based on the existing xfwm4 code. Instead, it will be written from scratch in rust, using smithay building blocks. The first attempt at creating an Xfce Wayland compositor involved modifying the existing xfwm4 code to support both X11 and Wayland in parallel. However, this approach turned out to be the wrong path forward for several reasons: Xfwm4 is architected in a way that makes it very difficult to put the window management behavior behind generic interfaces that don't include X11 specifics. Refactoring Xfwm4 is risky, since it might introduce new bugs to X11. Having two parallel code bases will allow for rapid development and experimentation with the Wayland compositor, with zero risk to break xfwm4. Some X11 window management concepts just aren't available or supported by Wayland protocols at this time, and dealing with those differen
Security updates have been issued by AlmaLinux (kernel, kernel-rt, python-urllib3, python3.11-urllib3, and python3.12-urllib3), Debian (imagemagick, openjdk-11, openjdk-17, and openjdk-21), Fedora (bind, bind-dyndb-ldap, chromium, ghostscript, glibc, mingw-glib2, mingw-harfbuzz, mingw-libsoup, mingw-openexr, and qownnotes), Mageia (kernel-linus), Red Hat (osbuild-composer), SUSE (go1.24-openssl, go1.25-openssl, govulncheck-vulndb, kernel, nodejs22, openCryptoki, openvswitch3, python-pyasn1, python311, and qemu), and Ubuntu (git-lfs, node-form-data, and screen).
The GNU Privacy Guard (GPG) project decided to break from the OpenPGP standard for email encryption in 2023, and instead adopted its own homegrown LibrePGP specification. The GPG 2.4 branch, the last one to adhere to OpenPGP, will be reaching the end of life in mid-2026. The Fedora project is currently having a discussion about how that affects the distribution, its users, and what to offer once 2.4 is no longer receiving updates.
Curl creator Daniel Stenberg has written a blog post explaining why the project is ending its bug-bounty program, which started in April 2019: The never-ending slop submissions take a serious mental toll to manage and sometimes also a long time to debunk. Time and energy that is completely wasted while also hampering our will to live. I have also started to get the feeling that a lot of the security reporters submit reports with a bad faith attitude. These "helpers" try too hard to twist whatever they find into something horribly bad and a critical vulnerability, but they rarely actively contribute to actually improve curl. They can go to extreme efforts to argue and insist on their specific current finding, but not to write a fix or work with the team on improving curl long-term etc. I don't think we need more of that. There are these three bad trends combined that makes us take this step: the mind-numbing AI slop, humans doing worse than ever and the apparent will to poke holes rathe
The 6.19-rc7 kernel prepatch is out for testing. So normally this would be the last rc of the release, but as I've mentioned every rc (because I really want people to be aware and be able to plan for things) this release we'll have an rc8 due to the holiday season. And while some of the early rc's were smaller than usual and it didn't seem necessary, right now I'm quite happy I made that call. Not because there's anything particularly scary here - the release seems to be going fairly smoothly - but because this rc7 really is larger than things normally are and should be at this point. Along with the usual fixes, this -rc also includes a new document describing the process to replace the kernel project leadership should that become necessary in the absence of an arranged transition. The plan largely follows what was decided at the Maintainers Summit in December.
Version 2.43 of the GNU C Library has been released. Changes include support for the mseal() and openat2() system calls, experimental support for building with the Clang compiler, Unicode 17.0.0 support, a number of security fixes, and much more.
Linux News