The SUSE Security Team has announced the removal of the Deepin Desktop from openSUSE due to violations of the project's packaging policy.

The discovery of the bypass of the security whitelistings via the deepin-feature-enable package marks a turning point in our assessment of Deepin. We don't believe that the openSUSE Deepin packager acted with bad intent when he implemented the "license agreement" dialog to bypass our whitelisting restrictions. The dialog itself makes the security concerns we have transparent, so this does not happen in a sneaky way, at least not towards users. It was not discussed with us, however, and it violates openSUSE packaging policies. Beyond the security aspect, this also affects general packaging quality assurance: the D-Bus configuration files and Polkit policies installed by the deepin-feature-enable package are unknown to the package manager and won't be cleaned up upon package removal, for example. Such bypasses are not deemed acceptable by us.

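
The packaging-quality point above is easy to check for on any system: D-Bus bus policies and Polkit action definitions that no package owns are exactly what a bypass of this kind leaves behind. As an added example (not tooling from SUSE, openSUSE or the Deepin project), the script below lists such unowned files and, for Polkit policies, reports the actions granted to an active session without any authentication. It assumes an RPM-based system for the ownership lookup (rpm -qf); the directory list is a reasonable default and the sample policy document is constructed for illustration.

```python
"""Audit the directories where packages install system D-Bus policy and
Polkit action definitions: list files that no package owns, and show
which actions a Polkit policy grants without authentication.

Added example, not tooling from SUSE, openSUSE or the Deepin project.
Assumes an RPM-based system ("rpm -qf"); the sample policy is constructed.
"""
import os
import subprocess
import xml.etree.ElementTree as ET
from typing import Callable, Dict, Iterable, List, Optional

# A file in one of these directories decides who may talk to a bus service
# or run a privileged action; one the package manager does not track
# (as with the deepin-feature-enable package's files) deserves a look.
POLICY_DIRS = [
    "/etc/dbus-1/system.d",
    "/usr/share/dbus-1/system.d",
    "/usr/share/polkit-1/actions",
    "/etc/polkit-1/rules.d",
]

def rpm_owner(path: str) -> Optional[str]:
    """Package owning *path* according to rpm, or None if none claims it."""
    proc = subprocess.run(["rpm", "-qf", "--", path],
                          capture_output=True, text=True)
    return proc.stdout.strip() if proc.returncode == 0 else None

def list_policy_files(dirs: Iterable[str] = POLICY_DIRS) -> List[str]:
    """Regular files in whichever of the policy directories exist here."""
    found = []
    for d in dirs:
        if os.path.isdir(d):
            for name in sorted(os.listdir(d)):
                p = os.path.join(d, name)
                if os.path.isfile(p):
                    found.append(p)
    return found

def unowned_files(paths: Iterable[str],
                  owner_of: Callable[[str], Optional[str]] = rpm_owner
                  ) -> List[str]:
    """Paths for which owner_of() reports no owning package."""
    return [p for p in paths if owner_of(p) is None]

def polkit_defaults(policy_xml: str) -> Dict[str, Dict[str, str]]:
    """Map each action id in a Polkit .policy document to its <defaults>.

    The values are polkit's own strings: 'yes' grants the action with no
    authentication, 'auth_self'/'auth_admin' (optionally with '_keep')
    prompt for a password, 'no' denies.
    """
    root = ET.fromstring(policy_xml)
    result: Dict[str, Dict[str, str]] = {}
    for action in root.iter("action"):
        defaults = action.find("defaults")
        result[action.get("id", "")] = {
            child.tag: (child.text or "").strip()
            for child in (defaults if defaults is not None else [])
        }
    return result

def unauthenticated_actions(policy_xml: str) -> List[str]:
    """Action ids an active local session gets without authenticating."""
    return sorted(aid for aid, d in polkit_defaults(policy_xml).items()
                  if d.get("allow_active") == "yes")

# Constructed sample: one action that asks for the admin password and one
# that is granted outright to any active session.
SAMPLE_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN" "http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd">
<policyconfig>
  <action id="org.example.helper.restart">
    <description>Restart the example helper</description>
    <defaults>
      <allow_any>no</allow_any>
      <allow_active>auth_admin</allow_active>
    </defaults>
  </action>
  <action id="org.example.helper.enable-all">
    <description>Enable every helper feature</description>
    <defaults>
      <allow_any>no</allow_any>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
</policyconfig>
"""

def main() -> None:
    for path in unowned_files(list_policy_files()):
        print("not owned by any package:", path)
        if path.endswith(".policy"):
            with open(path, encoding="utf-8") as fh:
                for aid in unauthenticated_actions(fh.read()):
                    print("  granted without authentication:", aid)

if __name__ == "__main__":
    main()
```

The ownership lookup is injectable so the same audit can be pointed at dpkg -S on Debian-derived systems; an unowned .policy file that grants an action with allow_active set to "yes" is the combination that most warrants follow-up, since it hands out a privilege with no prompt and no package to attribute it to.
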
Security updates have been issued by Fedora (incus and nodejs20), Red Hat (freetype, kernel, kernel-rt, libsoup, libtiff, redis, redis:6, and thunderbird), SUSE (apparmor, chromium, grafana, ImageMagick, java-11-openjdk, java-17-openjdk, libsoup, libsoup2, libxslt, opensaml, rabbitmq-server, rubygem-rack-1_6, sqlite3, and thunderbird), and Ubuntu (kernel, libfcgi, libraw, libsoup2.4, linux, linux-aws, linux-aws-5.15, linux-gcp, linux-gke, linux-gkeop, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-intel-iotg, linux-intel-iotg-5.15, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-nvidia-tegra, linux-nvidia-tegra-igx, linux-oracle, linux-oracle-5.15, linux-raspi, linux, linux-aws, linux-aws-5.4, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-hwe-5.4, linux-ibm, linux-kvm, linux-oracle, linux-oracle-5.4, linux, linux-aws, linux-aws-6.8, linux-gcp, linux-gcp-6.8, linux-gke, linux-gkeop, linux-hwe-6.8, linux-ibm, linux-lowlatency, linux-lowlatency-hwe-6.8, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, linux-oem-6.8, linux-oracle, linux-oracle-6.8, linux, linux-aws, linux-aws-hwe, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux, linux-aws, linux-gcp, linux-gcp-6.11, linux-hwe-6.11, linux-lowlatency, linux-lowlatency-hwe-6.11, linux-oracle, linux-raspi, linux-aws-fips, linux-fips, linux-gcp-fips, linux-azure, linux-azure, linux-azure-4.15, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15, linux-azure, linux-azure-6.11, linux-azure-6.8, linux-azure-fips, linux-intel-iot-realtime, linux-realtime, linux-oem-6.11, linux-raspi, linux-realtime, python, python-scrapy, and ruby-carrierwave).

Willy Tarreau and William Lallemand have posted an extensive white paper examining the landscape of the available SSL implementations.

OpenSSL 3.0 performs significantly worse than alternative SSL libraries, forcing organizations to provision more hardware just to maintain existing throughput. This raises important questions about performance, energy efficiency, and operational costs.

Examining alternatives—BoringSSL, LibreSSL, WolfSSL, and AWS-LC—reveals a landscape of trade-offs. Each offers different approaches to API compatibility, performance optimization, and QUIC support. For developers navigating the modern SSL ecosystem, understanding these trade-offs is crucial for optimizing performance, maintaining compatibility, and future-proofing their infrastructure.

On the 50th anniversary of the USENIX organization, its flagship Annual Technical Conference (ATC) is coming to an end.

For the past two decades, as more USENIX conferences have joined the USENIX calendar by focusing on specific topics that grew out of ATC itself, attendance at ATC has steadily decreased to the point where there is no longer a critical mass of researchers and practitioners joining us. Thus, after many years of experiments to adapt this conference to the ever-changing tech landscape and community, the USENIX Board of Directors has made the difficult decision to sunset USENIX ATC.

Many important technologies first saw the light of day at this event.

Version 1.0.0 of Mission Center, a system-monitoring application, has been released. Notable changes in this release include the addition of SMART data for SATA and NVMe devices, display of per-process network usage, as well as a redesigned Apps Page that provides more information about applications and processes. Mission Center's backend application for obtaining system data has been renamed from the Gatherer to Magpie, and is now available as a standalone executable and libraries that can be used by other applications.

Linux systems can have large filesystems; trying to keep up with the stream of fanotify filesystem-monitoring notifications for them can be a struggle. Fanotify is one of a few kernel-provided mechanisms for monitoring accesses to filesystems. Song Liu led a discussion on how to improve in-kernel filtering of fanotify events in a joint session of the filesystem and BPF tracks at the 2025 Linux Storage, Filesystem, Memory-Management, and BPF Summit. He wants to combine the best parts of a few different approaches to efficiently filter filesystem events.
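
To make concrete what "keeping up with the stream" costs today, here is an added example (not code from the kernel tree or from Song Liu's work) that decodes a buffer as read from a fanotify file descriptor and applies, in userspace, the sort of mask-and-path filter the session discussed moving into the kernel. The record layout is struct fanotify_event_metadata from <linux/fanotify.h> (metadata version 3, 24 bytes, taken as little-endian here); setting up the descriptor with fanotify_init() and fanotify_mark(), which needs CAP_SYS_ADMIN, is outside the block, so the sample buffer and the fd-to-path table are constructed by hand.

```python
"""Decode a raw fanotify event buffer and filter it in userspace.

Added example, not kernel code. Layout: struct fanotify_event_metadata
(version 3, 24 bytes, little-endian assumed). The sample buffer below is
constructed rather than read from a real fanotify descriptor.
"""
import os
import struct
from dataclasses import dataclass
from typing import Callable, Iterator, List, Optional

# u32 event_len, u8 vers, u8 reserved, u16 metadata_len, u64 mask,
# s32 fd, s32 pid: the fixed header every fanotify event starts with.
_META = struct.Struct("<IBBHQii")
FANOTIFY_METADATA_VERSION = 3
FAN_NOFD = -1  # fd field value when no descriptor accompanies the event

# Event mask bits (a subset of <linux/fanotify.h>).
FAN_ACCESS = 0x01
FAN_MODIFY = 0x02
FAN_CLOSE_WRITE = 0x08
FAN_CLOSE_NOWRITE = 0x10
FAN_OPEN = 0x20

@dataclass
class Event:
    mask: int
    fd: int
    pid: int
    path: Optional[str]

def proc_fd_path(fd: int) -> Optional[str]:
    """Resolve an event's fd to a path via /proc. This is a syscall per
    event, one reason userspace filtering struggles to keep up."""
    try:
        return os.readlink(f"/proc/self/fd/{fd}")
    except OSError:
        return None

def iter_events(buf: bytes,
                resolve_fd: Callable[[int], Optional[str]] = proc_fd_path
                ) -> Iterator[Event]:
    """Walk the variable-length records in one read() from a fanotify fd."""
    off = 0
    while off + _META.size <= len(buf):
        event_len, vers, _, meta_len, mask, fd, pid = _META.unpack_from(buf, off)
        if vers != FANOTIFY_METADATA_VERSION:
            raise ValueError(f"unexpected fanotify metadata version {vers}")
        if event_len < meta_len or off + event_len > len(buf):
            raise ValueError("truncated fanotify event")
        path = resolve_fd(fd) if fd != FAN_NOFD else None
        yield Event(mask, fd, pid, path)
        # A real consumer must close(fd) once the event is handled;
        # leaking event fds is a classic fanotify mistake.
        off += event_len

def filter_events(buf: bytes, wanted_mask: int, path_prefix: str,
                  resolve_fd: Callable[[int], Optional[str]] = proc_fd_path
                  ) -> List[Event]:
    """Keep events whose mask intersects wanted_mask and whose path starts
    with path_prefix. Every event is decoded and resolved before it can be
    discarded; that work is what in-kernel filtering would avoid."""
    return [e for e in iter_events(buf, resolve_fd)
            if e.mask & wanted_mask and e.path is not None
            and e.path.startswith(path_prefix)]

def pack_event(mask: int, fd: int, pid: int) -> bytes:
    """Build one header-only event record (used to construct sample input)."""
    return _META.pack(_META.size, FANOTIFY_METADATA_VERSION, 0,
                      _META.size, mask, fd, pid)

# Constructed sample: four events and the paths their fds would resolve to.
SAMPLE_FDS = {10: "/etc/hosts", 11: "/etc/passwd", 12: "/var/log/app.log"}
SAMPLE_BUF = b"".join([
    pack_event(FAN_OPEN, 10, 1001),
    pack_event(FAN_MODIFY, 11, 1002),
    pack_event(FAN_CLOSE_WRITE, 12, 1003),
    pack_event(FAN_MODIFY, FAN_NOFD, 1004),  # no fd: cannot be attributed
])

if __name__ == "__main__":
    for e in filter_events(SAMPLE_BUF, FAN_MODIFY | FAN_CLOSE_WRITE,
                           "/etc/", SAMPLE_FDS.get):
        print(f"pid {e.pid} wrote {e.path} (mask {e.mask:#x})")
```

Only one of the four sample events survives the filter, yet all four had to be delivered, decoded, and (where an fd was present) resolved through /proc first; on a busy filesystem that per-event overhead, not the filter predicate itself, is what the kernel-side approaches discussed at the summit aim to remove.
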

In a combined filesystem and memory-management session at the 2025 Linux Storage, Filesystem, Memory Management, and BPF Summit (LSFMM+BPF), Joanne Koong led a discussion on improving the writeback performance for the Filesystem in Userspace (FUSE) layer. Writeback is how data that is written to the filesystem is actually flushed to the disk; it is the process of writing dirty pages from the page cache to storage. The current FUSE implementation allocates unmovable memory, then copies the dirty data to it before initiating writeback, which is slow; Koong wanted to change that behavior. Since the session, she has posted a patch set that has been applied by FUSE maintainer Miklos Szeredi.

Security updates have been issued by Fedora (chromium and kappanhang), Red Hat (osbuild-composer and thunderbird), SUSE (chromedriver), and Ubuntu (c-ares, corosync, mysql-8.0, mysql-8.4, openjdk-17, openjdk-21, openjdk-24, openjdk-8, and openjdk-lts).

AUTOSEL is a tool that is used to find kernel patches that should be considered for backporting into the stable releases. Sasha Levin has announced a new and completely rewritten version of AUTOSEL for those who would like to play with it.

Unlike the previous version that relied on word statistics and older neural network techniques, AUTOSEL leverages modern large language models and embedding technology to provide significantly more accurate recommendations.

The disclosure of the Spectre class of hardware vulnerabilities created a lot of pain for kernel developers (and many others). That pain was especially acute in the BPF community. While an attacker might have to painfully search the kernel code base for exploitable code, an attacker using BPF can simply write and load their own speculation gadgets, which is a much more efficient way of operating. The BPF community reacted by, among other things, disallowing the loading of programs that may include speculation gadgets. Luis Gerhorst would like to change that situation with this patch series, which takes a more direct approach to the problem.