Welcome to LWN.net
LWN.net is a reader-supported news site dedicated to producing the best coverage from within the Linux and free software development communities. See the LWN FAQ for more information, and please consider subscribing to gain full access and support our activities.
[$] California's Digital Age Assurance Act and Linux distributions
A recently enacted law in California imposes an age-verification requirement on operating-system providers beginning next year. The language of the Digital Age Assurance Act does not restrict its requirements to proprietary or commercial operating systems; projects like Debian, FreeBSD, Fedora, and others seem to be on the hook just as much as Apple or Microsoft. There is some hope that the law will be amended, but there is no guarantee that it will be. This means that the developer communities behind Linux distributions are having to discuss whether and how to comply with the law with little time and even less legal guidance.
[$] HTTPS certificates in the age of quantum computing
There has been ongoing discussion in the Internet Engineering Task Force (IETF) about how to protect internet traffic against future quantum computers. So far, that work has focused on key exchange as the most urgent problem; now, a new IETF working group is looking at adopting post-quantum cryptography for authentication and certificate transparency as well. The main challenge to doing so is the increased size of certificates — around 40 times larger. The techniques that the working group is investigating to reduce that overhead could have efficiency benefits for traditional certificates as well.
[$] Disabling Python's lazy imports from the command line
The advent of lazy imports in the Python language is upon us, now that PEP 810 ("Explicit lazy imports") was accepted by the steering council and the feature will appear in the upcoming Python 3.15 release in October. There are a number of good reasons, performance foremost, for wanting to defer spending—perhaps wasting—the time to do an import before a needed symbol is used. However, there are also good reasons not to want that behavior, at least in some cases. The tension between those two positions is what led to an earlier PEP rejection, but it is also playing into a recent discussion of the API used to control lazy imports.
[$] Debian decides not to decide on AI-generated contributions
Debian is the latest in an ever-growing list of projects to wrestle (again) with the question of LLM-generated contributions; the latest debate stared in mid-February, after Lucas Nussbaum opened a discussion with a draft general resolution (GR) on whether Debian should accept AI-assisted contributions. It seems to have, mostly, subsided without a GR being put forward or any decisions being made, but the conversation was illuminating nonetheless.
[$] Inspecting and modifying Python types during type checking
Python has a unique approach to static typing. Python programs can contain type annotations, and even access those annotations at run time, but the annotations aren't evaluated by default. Instead, it is up to external programs to ascribe meaning to those annotations. The annotations themselves can be arbitrary Python expressions, but in practice usually involve using helpers from the built-in typing module, the meanings of which external type-checkers mostly agree upon. Yet the type system implicitly defined by the typing module and common type-checkers is insufficiently powerful to model all of the kinds of dynamic metaprogramming found in real-world Python programs. PEP 827 ("Type Manipulation") aims to add additional capabilities to Python's type system to fix this, but discussion of the PEP has been of mixed sentiment.
[$] Fedora shares strategy updates and "weird research university" model
In early February, members of the Fedora Council met in Tirana, Albania to discuss and set the strategic direction for the Fedora Project. The council has published summaries from its strategy summit, and Fedora Project Leader (FPL) Jef Spaleta, as well as some of the council members, held a video meeting to discuss outcomes from the summit on February 25. Topics included a plan to experiment with Open Collective to raise funds for specific Fedora projects, tools to build image-based editions, and more. Spaleta also explained his model for Fedora governance.
[$] The relicensing of chardet
Chardet is a Python module that attempts to determine which character set was used to encode a text string. It was originally written by Mark Pilgrim, who is also the author of a number of Python books; the 1.0 release happened in 2006. For many years, this module has been under the maintainership of Dan Blanchard. Chardet has always been licensed under the LGPL, but, with the 7.0.0 release, Blanchard changed the terms to the permissive MIT license. That has led to an extensive (and ongoing) discussion on when code can be relicensed against the wishes of its original author, and whether using a large language model to rewrite code is a legitimate way to strip copyleft requirements from code.
[$] Reconsidering the multi-generational LRU
The multi-generational LRU (MGLRU) is an alternative memory-management algorithm that was merged for the 6.1 kernel in late 2022. It brought a promise of much-improved performance and simplified code. Since then, though, progress on MGLRU has stalled, and it still is not enabled on many systems. As the 2026 Linux Storage, Filesystem, Memory-Management and BPF Summit (LSFMM+BPF) approaches, several memory-management developers have indicated a desire to talk about the future of MGLRU. While some developers are looking for ways to improve the subsystem, another has called for it to be removed entirely.
[$] LWN.net Weekly Edition for March 5, 2026
Posted Mar 5, 2026 1:42 UTC (Thu)The LWN.net Weekly Edition for March 5, 2026 is available.
Inside this week's LWN.net Weekly Edition
- Front: Python's bitwise-inversion operator; atomic buffered I/O; keeping open source open; Magit and Majutsu; IIIF; free software and free tools.
- Briefs: Ad tracking; firmware updates; TCP zero-copy; Motorola GrapheneOS phones; Gram 1.0; groff 1.24.0; Texinfo 7.3; Quotes; ...
- Announcements: Newsletters, conferences, security updates, patches, and more.
[$] Magit and Majutsu: discoverable version-control
Jujutsu is an increasingly popular Git-compatible version-control system. It has a focus on simplifying Git's conceptual model to produce a smoother, clearer command-line experience. Some people already have a preferred replacement for Git's usual command-line interface, though: Magit, an Emacs package for working with Git repositories that also tries to make the interface more discoverable. Now, a handful of people are working to implement a Magit-style interface for Jujutsu: Majutsu.
Introducing Moonforge: a Yocto-based Linux OS (Igalia Blog)
Igalia has announced the Moonforge Linux distribution, based on OpenEmbedded and Yocto.
Moonforge is an operating system framework for Linux devices that simplifies the process of building and maintaining custom operating systems.
It provides a curated collection of Yocto layers and configuration files that help developers generate immutable, maintainable, and easily updatable operating system images.
The goal is to offer the best possible developer experience for teams building embedded Linux products. Moonforge handles the complex aspects of operating system creation, such as system integration, security, updates, and infrastructure, so developers can focus on building and deploying their applications or devices.
Security updates for Wednesday
Security updates have been issued by AlmaLinux (kernel, kernel-rt, libvpx, nfs-utils, nginx:1.26, osbuild-composer, postgresql, postgresql:12, postgresql:13, postgresql:15, postgresql:16, and python-pyasn1), Debian (imagemagick), Fedora (perl-Crypt-SysRandom-XS and systemd), Mageia (yt-dlp), Oracle (delve, gimp, git-lfs, go-rpm-macros, image-builder, kernel, libpng, libvpx, mysql8.4, nfs-utils, osbuild-composer, postgresql16, postgresql:12, postgresql:13, postgresql:15, postgresql:16, python-pyasn1, python3, python3.12, python3.9, and thunderbird), SUSE (python-aiohttp, python-maturin, python311-pymongo, rclone, and util-linux), and Ubuntu (linux-nvidia, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, and python-geopandas).
SUSE may be for sale, again
Reuters is reporting that private-equity firm EQT may be looking to sell SUSE:
EQT has hired investment bank Arma Partners to sound out a group of private equity investors for a possible sale of the company, said the sources, who requested anonymity to discuss confidential matters. The deliberations are at an early stage and there is no certainty that EQT will proceed with a transaction, the sources said.
SUSE has traded hands a number of times over the years. Most recently it was acquired by EQT in 2018, was listed on the Frankfurt Stock Exchange in 2021, and then taken private again by EQT in August 2023.
Security updates for Tuesday
Security updates have been issued by Debian (imagemagick), Fedora (chromium, matrix-synapse, mingw-zlib, perl-Net-CIDR, polkit, and rust-pythonize), Mageia (coturn, firefox, and thunderbird), Oracle (delve, git-lfs, gnutls, go-rpm-macros, image-builder, kernel, libsoup, nfs-utils, nginx:1.24, osbuild-composer, postgresql, thunderbird, udisks2, and valkey), Red Hat (grafana, image-builder, and opentelemetry-collector), SUSE (c3p0 and mchange-commons, corepack24, go1, ImageMagick, python-Flask, tomcat, tomcat10, tomcat11, virtiofsd, and weblate), and Ubuntu (apache2 and yara).
digiKam 9.0.0 released
Version
9.0.0 of the digiKam photo-management system has been
released. "This major version introduces groundbreaking
improvements in performance, usability, and workflow efficiency, with
a strong focus on modernizing the user interface, enhancing metadata
management, and expanding support for new camera models and file
formats.
" Some of the changes include a
new survey tool, more advanced search and sorting options, as well
as bulk
editing of geolocation coordinates.
Security updates for Monday
Security updates have been issued by AlmaLinux (delve, git-lfs, and postgresql16), Fedora (cef, chezmoi, chromium, coturn, erlang-hex_core, firefox, gh, gimp, k9s, keylime, keylime-agent-rust, libsixel, microcode_ctl, nextcloud, nss, perl-Crypt-URandom, pgadmin4, php-zumba-json-serializer, postgresql16-anonymizer, prometheus, python-asyncmy, python3.10, python3.11, python3.9, staticcheck, valkey, and vim), SUSE (chromedriver, chromium, coredns, expat, freetype2-devel, gitea-tea, go1.24-openssl, go1.25-openssl, grpc, gstreamer-rtsp-server, gstreamer-plugins-ugly,, helm, jetty-annotations, kubeshark-cli, libaec, libblkid-devel, libsoup, libxml2, libxslt, NetworkManager-applet-strongswan, podman, python-joserfc, python-Markdown, python-pypdf2, python-tornado, python-uv, python311-Django, python311-joserfc, python311-nltk, roundcubemail, and valkey), and Ubuntu (python3.4, python3.5, python3.6, python3.7, python3.8, python3.9, python3.10, python3.11, python3.12, python3.13, python3.14).
Kernel prepatch 7.0-rc3
Linus has released 7.0-rc3 for testing.
"So it's still pretty early in the release cycle, and it just feels a
bit busier than I'd like. But nothing particularly stands out or looks
bad.
"
Huston: Revisiting time
Geoff Huston looks at the network time protocol, and efforts to secure it, in detail.
NTP operates in the clear, and it is often the case that the servers used by a client are not local. This provides an opportunity for an adversary to disrupt an NTP session, by masquerading as a NTP server, or altering NTP payloads in an effort to disrupt a client's time-of-day clock. Many application-level protocols are time sensitive, including TLS, HTTPS, DNSSEC and NFS. Most Cloud applications rely on a coordinated time to determine the most recent version of a data object. Disrupting time can cause significant chaos in distributed network environments.While it can be relatively straightforward to secure a TCP-based protocol by adding an initial TLS handshake and operating a TLS shim between TCP and the application traffic, it's not so straightforward to use TLS in place of a UDP-based protocol for NTP. TLS can add significant jitter to the packet exchange. Where the privacy of the UDP payload is essential, then DTLS might conceivably be considered, but in the case of NTP the privacy of the timestamps is not essential, but the veracity and authenticity of the server is important.
NTS, a secured version of NTP, is designed to address this requirement relating to the veracity and authenticity of packets passed from a NTS server to an NTS client. The protocol adds a NTS Key Establishment protocol (NTS-KE) in additional to a conventional NTPv4 UDP packet exchange (RFC 8915).
OpenWrt 25.12.0 released
Version 25.12.0 of the OpenWrt router distribution is available; this release has been dedicated to the memory of Dave Täht. Changes include a switch to the apk package manager, the integration of the attended sysupgrade method, and support for a long list of new targets.
Security updates for Friday
Security updates have been issued by Debian (chromium), Fedora (freerdp, libsixel, opensips, and yt-dlp), Mageia (python-django, rsync, and vim), Red Hat (go-rpm-macros and osbuild-composer), SUSE (7zip, assertj-core, autogen, c3p0, cockpit-machines, cockpit, cockpit-repos, containerized-data-importer, cpp-httplib, docker, docker-stable, expat, firefox, gnutls, go1.25-openssl, golang-github-prometheus-prometheus, haproxy, ImageMagick, incus, kernel, kubevirt, libsoup, libsoup2, mchange-commons, ocaml, openCryptoki, openvpn, php-composer2, postgresql14, postgresql15, python-Authlib, python-azure-core, python-nltk, python-urllib3_1, python311-Django4, python311-pillow-heif, python311-PyPDF2, python313, python313-Django6, qemu, rhino, roundcubemail, ruby4.0-rubygem-rack, sdbootutil, and wicked2nm), and Ubuntu (less, nss, python-bleach, qtbase-opensource-src, and zutty).
