Posts by LWN (old posts, page 1)

[$] The mystery of the Mailman 2 CVEs

Many eyebrows were raised recently when three vulnerabilities were announced that allegedly impact GNU Mailman 2.1, since many folks assumed that it was no longer being supported. That's not quite the case. Even though version 3 of the GNU Mailman mailing-list manager has been available since 2015, and version 2 was declared (mostly) end of life (EOL) in 2020, there are plenty of users and projects still using version 2.1.x. There is, as it turns out, a big difference between mostly EOL and actually EOL. For example, WebPros, the company behind the cPanel server and web-site-management platform, still maintains a port of Mailman 2.1.x to Python 3 for its customers and was quick to respond to reports of vulnerabilities. However, the company and upstream Mailman project dispute that the CVEs are valid.

[$] Better debugging information for inlined kernel functions

Modern compilers perform a lot of optimizations, which can complicate debugging. Song Liu and Thierry Treyer spoke about a potential improvement to BPF Type Format (BTF) debugging information that could partially combat that problem at the 2025 Linux Storage, Filesystem, Memory-Management, and BPF Summit. They want to add information on selectively inlined functions to BTF in order to better support tracing tools. Treyer participated remotely.

The conclusion of the FSF board review

The Free Software Foundation has announced the completion of the review of its board of directors; the process resulted in the reconfirmation of all five sitting board members.

The review examined board members Ian Kelling, Geoffrey Knauth, Henry Poole, Richard Stallman, and Gerald Sussman. The process generated detailed philosophical and policy discussions between board members and the FSF's global associate members on topics ranging from the firmness of the Free Software Definition, developments in machine learning, to the board's president position.

LWN's Mastodon migration

The LWN.net fediverse (Mastodon) feed has moved; we are now known as @LWN@lwn.net. The migration magic has shifted many of our followers over automatically but, if you follow that stream, you might want to make sure that you have shifted to the new source.

Meson 1.8.0 released

Version 1.8.0 of the Meson build system has been released. Notable changes in this release include the ability to run rustdoc for Rust projects, support for the c2y and gnu2y compiler options, and a new argument (android_exe_type) that makes it possible to use the same meson.build file for Android and non-Android systems.

Barnes: Parallel ./configure

Tavian Barnes takes on the tedious process of waiting for configure scripts to run.

I paid good money for my 24 CPU cores, but ./configure can only manage to use 69% of one of them. As a result, this random project takes about 13.5× longer to configure the build than it does to actually do the build.

The purpose of a ./configure script is basically to run the compiler a bunch of times and check which runs succeeded. In this way it can test whether particular headers, functions, struct fields, etc. exist, which lets people write portable software. This is an embarrassingly parallel problem, but Autoconf can't parallelize it, and neither can CMake, neither can Meson, etc., etc.

(Thanks to Paul Wise).

[$] Cache awareness for the CPU scheduler

The kernel's CPU scheduler has to balance a wide range of objectives. The tasks in the system must be scheduled fairly, with latency for any given task kept within bounds. All of the CPUs in the system should be kept busy if there is enough work to do, but unneeded CPUs should be shut down to reduce power consumption. A task should also run on the CPU that is most likely to have cached the memory that task is using. This patch series from Chen Yu aims to improve how the scheduler handles cache locality for multi-threaded processes.

Signing key change for Kali Linux

The Kali Linux distribution has announced that software updates will soon start failing for all users:

This is not only you, this is for everyone, and this is entirely our fault. We lost access to the signing key of the repository, so we had to create a new one. At the same time, we froze the repository (you might have noticed that there was no update since Friday 18th), so nobody was impacted yet. But we're going to unfreeze the repository this week, and it's now signed with the new key.

The announcement includes instructions for how to recover from the problem.

Valgrind-3.25.0 is available

Version 3.25.0 of the Valgrind dynamic-analysis tool has been released. It has lots of new features, including initial support for RISC-V on Linux, handling zstd-compressed debug sections, integration of the Linux Test Project test suite, support for lots more Linux system calls, and more. It also has plenty of bug fixes, of course.