Support period lengthened for the 6.6, 6.12, and 6.18 kernels
The stated support periods for the 6.6, 6.12, and 6.18 kernels has been extended.
The 6.6 kernel will be supported with stable updates through the end of
2027 (for four years of support total), while 6.12 and 6.18 will get
updates through the end of 2028, for four and three years of support.

(Comment on this)

[$] No hardware memory isolation for BPF programs

On February 12, Yeoreum Yun posted a suggestion for an improvement to the security of the kernel's BPF implementation: use memory protection keys to prevent unauthorized access to memory by BPF programs. Yun wanted to put the topic on the list for discussion at the Linux Storage, Filesystem, Memory Management, and BPF Summit in May, but the lack of engagement makes that unlikely. They also have a patch set implementing some of the proposed changes, but has not yet shared that with the mailing list. Yun's proposal does not seem likely to be accepted in its current form, but the kernel has added hardware-based hardening options in the past, sometimes after substantial discussion.

(Comment on this)

MetaBrainz mourns the loss of Robert Kaye

The MetaBrainz Foundation has announced the unexpected passing of its founder and executive director, Robert Kaye:

Robert's vision and leadership shaped MetaBrainz and left a lasting mark on the music industry and open source movement. His contributions were significant and his loss is deeply felt across our global community.

The Board is actively overseeing a smooth leadership transition and has measures in place to ensure that MetaBrainz continues to operate without interruption. Further updates will be shared in due course.

(Comment on this)

[$] An effort to secure the Network Time Protocol

The Network Time Protocol (NTP) debuted in 1985; it is a universally used, open specification that is deeply important for all sorts of activities we take for granted. It also, despite a number of efforts, remains stubbornly unsecured. Ruben Nijveld presented work at FOSDEM 2026 to speed adoption of the thus-far largely ignored standard for securing NTP traffic: IETF's RFC-8915 that specifies Network Time Security (NTS) for NTP.

(Comment on this)

Security updates for Wednesday
Security updates have been issued by AlmaLinux (grafana and grafana-pcp), Debian (gnutls28), Fedora (chromium and yt-dlp), Oracle (389-ds-base, kernel, munge, and openssl), Red Hat (buildah, containernetworking-plugins, opentelemetry-collector, podman, runc, and skopeo), Slackware (mozilla), SUSE (chromium, cosign, firefox, freerdp, gimp, heroic-games-launcher, kernel, libopenssl-3-devel, libxml2, libxslt, mosquitto, openqa, os-autoinst, openqa-devel-container, openvswitch, phpunit, postgresql14, postgresql15, postgresql16, protobuf, python310, python311-PyPDF2, python36, snpguest, warewulf4, and weblate), and Ubuntu (curl, kernel, linux, linux-gcp, linux-gke, linux-gkeop, linux-intel-iotg, linux-intel-iotg-5.15, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia-tegra, linux-oracle, linux-xilinx-zynqmp, linux, linux-gkeop, linux-hwe-6.8, linux-lowlatency, linux-lowlatency-hwe-6.8, linux-oracle, linux-raspi, linux-fips, linux-fips, linux-gcp-fips, linux-gcp, linux-gcp-6.8, linux-gke, linux-oracle-6.8, linux-gcp-fips, linux-ibm, linux-ibm-6.8, linux-intel-iot-realtime, linux-realtime, linux-raspi-realtime, linux-realtime, linux-realtime-6.8, and linux-xilinx).

(Comment on this)

Restarting LibreOffice Online
LibreOffice online is a web-based version of the LibreOffice suite that can be hosted on anybody's infrastructure. This project was put into stasis back in 2022, a move marked by some tension with Collabora, a major LibreOffice developer that has its own online offering. Now, the Document Foundation has announced a new effort to breathe life into this project.

We plan to reopen the repository for LibreOffice Online at The Document Foundation for contributions, but provide warnings about the state of the repository until TDF's team agrees that it's safe and usable – while at the same time encourage the community to join in with code, technologies and other contributions that can be used to move forward.

Meanwhile, this post from Michael Meeks suggests that the tension around online versions of LibreOffice has not abated.

(Comment on this)

GNU Awk 5.4.0 released

Version 5.4.0 of GNU awk (gawk) has been released. This is a major release with a change in gawk's default regular-expression matcher: it now uses MinRX as the default regular-expression engine.

This matcher is fully POSIX compliant, which the current GNU matchers are not. In particular it follows POSIX rules for finding the longest leftmost submatches. It is also more strict as to regular expression syntax, but primarily in a few corner cases that normal, correct, regular expression usage should not encounter.

Because regular expression matching is such a fundamental part of awk/gawk, the original GNU matchers are still included in gawk. In order to use them, give a value to the GAWK_GNU_MATCHERS environment variable before invoking gawk.

[...] The original GNU matchers will eventually be removed from gawk. So, please take the time to notice and report any issues in the MinRX matcher, so that they can be ironed out sooner rather than later.

See the release announcement for additional changes.

(Comment on this)

Firefox 148.0 released

Version 148 of Firefox has been released. The most notable change in this release is the addition of a "Block AI enhancements" option that allows turning off "new or current AI enhancements in Firefox, or pop-ups about them" with a single toggle.

With this release, Firefox now supports the Trusted Types API to help prevent cross-site scripting attacks as well as the Sanitizer API that provides new methods for HTML manipulation. See the release notes for developers for changes that may affect web developers or those who create Firefox add-ons.

(Comment on this)

[$] As ye clone(), so shall ye AUTOREAP
The facilities provided by the kernel for the management of processes have
evolved considerably in the last few years, driven mostly by the advent of
the pidfd API. A pidfd is a file
descriptor that refers to a process; unlike a process ID, a pidfd is an
unambiguous handle for a process; that makes it a safer, more deterministic
way of operating on processes. Christian Brauner, who has driven much of
the pidfd-related work, is proposing
two new flags for the clone3()
system call, one of which changes the kernel's security model in a
somewhat controversial way.

(Comment on this)

Security updates for Tuesday
Security updates have been issued by AlmaLinux (kernel, kernel-rt, and munge), Debian (openssl), Mageia (gegl), Oracle (firefox, freerdp, gnupg2, golang-github-openprinting-ipp-usb, grafana, grafana-pcp, java-11-openjdk, kernel, libpng15, munge, nodejs:20, nodejs:22, protobuf, and uek-kernel), SUSE (libpng12, libpng16, and openQA, openQA-devel-container, os-autoinst), and Ubuntu (gimp, libssh, and linux-azure).

(Comment on this)

GNU Octave 11.1.0 released
Version 11.1.0 of the GNU Octave scientific programming language has been released.

This major release contains many new and improved functions. Among other things, it brings better support for classdef objects and arrays, broadcasting for special matrix types (like sparse, diagonal, or permutation matrices), updates for Matlab compatibility (notably support for the nanflag, vecdim and other parameters for many basic math and statistics functions), and performance improvements in many functions.

See the release notes for details.

(Comment on this)

[$] The second half of the 7.0 merge window

The 7.0 merge window closed on February 22 with 11,588 non-merge commits total, 3,893 of which came in after the article covering the first half of the merge window. The changes in the second half were weighted toward bug fixes over new features, which is usual. There were still a handful of surprises, however, including 89 separate tiny code-cleanup changes from different people for the rtl8723bs driver, a number that surprised Greg Kroah-Hartman. It's unusual for a WiFi-chip driver to receive that much attention, especially a staging driver that is not yet ready for general use.

(Comment on this)

Vlad: Weston 15.0 is here: Lua shells, Vulkan rendering, and a smoother display stack
Over on the Collabora blog, Marius Vlad has an overview
of Weston 15.0, which was released on February 19. Weston is the
reference implementation of a Wayland compositor. The new
release comes with a new shell that can be programmed using the Lua language, a new, experimental Vulkan
renderer, smoother media playback, color-management additions, and more.

One of Weston's fundamental pillars has always been making the most efficient use of display hardware. Over time, all the work we did to track and offload as much work as possible to this efficient fixed-function hardware has come at the cost of eating CPU time. In the last couple of release cycles, we've focused really hard on improving performance on even the most low-end of devices, so not only do we make the most efficient use of the GPU and display hardware, but we're also really kind on your CPU now. As part of that and to improve our tooling, Weston 15 now comes with support for the Perfetto profiler.

(Comment on this)

Security updates for Monday
Security updates have been issued by AlmaLinux (kernel-rt and openssl), Debian (ca-certificates, chromium, gegl, glib2.0, libvpx, modsecurity-crs, nova, and pillow), Fedora (chromium, mingw-libpng, mupdf, python-pyasn1, python-PyMuPDF, python-uv-build, python3.13, qpdfview, rust-ambient-id, uv, and zathura-pdf-mupdf), Mageia (freerdp, gnutls, and libvpx), Red Hat (butane and grafana-pcp), SUSE (chromedriver, chromium, cockpit-repos, firefox, kernel, libpng16, postgresql16, postgresql17, postgresql18, python, python311-nltk, snpguest, ucode-intel-20260210, vexctl, and xen), and Ubuntu (djvulibre, evolution-data-server, linux-lowlatency, linux-xilinx, and u-boot).

(Comment on this)

The Ladybird browser project shifts to Rust
The Ladybird browser project has announced a move to the Rust programming language:

When we originally evaluated Rust back in 2024, we rejected it because it's not great at C++ style OOP. The web platform object model inherits a lot of 1990s OOP flavor, with garbage collection, deep inheritance hierarchies, and so on. Rust's ownership model is not a natural fit for that.

But after another year of treading water, it's time to make the pragmatic choice. Rust has the ecosystem and the safety guarantees we need. Both Firefox and Chromium have already begun introducing Rust into their codebases, and we think it's the right choice for Ladybird too.

Large language models are being used to translate existing code.

(Comment on this)

[$] Lessons on attracting new contributors from 30 years of PostgreSQL

The PostgreSQL project has been chugging along for decades; in that time, it has become a thriving open-source project, and its participants have learned a thing or two about what works in attracting new contributors. At FOSDEM 2026, PostgreSQL contributor Claire Giordano shared some of the lessons learned and where the project is still struggling. The lessons might be of interest to others who are thinking about how their own projects can evolve.

(Comment on this)

Kernel prepatch 7.0-rc1
Linus has released 7.0-rc1 and closed the
merge window for this development cycle. "You all know the drill by
now: two weeks have passed, and the kernel merge window is closed."

(Comment on this)

[$] Open-source Discord alternatives

The closed-source chat platform Discord announced on February 9 that it would soon require some users to verify their ages in order to access some content — although the company quickly added that the "vast majority" of users would not have to. That reassurance has to contend with the fact that the UK and other countries are implementing increasingly strict age requirements for social media. Discord's age verification would be done with an AI age-judging model or with a government photo ID. A surprising number of open-source projects use Discord for support or project communications, and some of those projects are now looking for open-source alternatives. Mastodon, for example, has moved discussion to Zulip. There are some alternatives out there, all with their own pros and cons, that communities may want to consider if they want to switch away from Discord.

(Comment on this)

The Book of Remind

Dianne Skoll, creator and maintainer of the command-line calendar and alarm program Remind, has announced the release of The Book of Remind. As the name suggests, it is a step-by-step guide to learning how to use Remind, and a useful supplement to the extensive remind(1) man page. The book is free to download.

(Comment on this)

Security updates for Friday
Security updates have been issued by AlmaLinux (grafana), Debian (gegl, inetutils, libvpx, nova, and python-django), Fedora (azure-cli, chromium, microcode_ctl, python-azure-core, python3.14, and roundcubemail), Red Hat (grafana and osbuild-composer), SUSE (apptainer, dnsdist, istioctl, libsoup, openCryptoki, python-nltk, python311, python313, rclone, and thunderbird), and Ubuntu (libvpx, linux-azure, linux-azure-5.4, linux-azure-fips, and linux-intel-iotg).

(Comment on this)