Inside this week's LWN.net Weekly Edition:
* Front: SFC v. VIZIO; GPLv2 requirements; Debian and GTK 2; OpenZL; kernel
scheduler QoS; Rust concurrent data access; Asciinema.
* Briefs: OpenSSL and Python; LSFMM+BPF 2026; Fedora elections; Gentoo
retrospective; EU lawmaking; Git data model; Firefox 147; Radicle 1.6.0;
Quotes; ...
* Announcements: Newsletters, conferences, security updates, patches, and more.
Paul Kehrer and Alex Gaynor, maintainers of the Python cryptography module, have
put out some strongly worded criticism of OpenSSL. It comes from a talk they
gave at the OpenSSL conference in October 2025 (YouTube video). The post goes
into a lot of detail about the problems with the OpenSSL code base and testing,
which has led the cryptography team to reconsider using the library. "The
mistakes we see in OpenSSL's development have become so significant that we
believe substantial changes are required — either to OpenSSL, or to our reliance
on it." They go further in the conclusion:
> First, we will no longer require OpenSSL implementations for new
> functionality. Where we deem it desirable, we will add new APIs that are only
> on LibreSSL/BoringSSL/AWS-LC. Concretely, we expect to add ML-KEM and ML-DSA
> APIs that are only available with LibreSSL/BoringSSL/AWS-LC, and not with
> OpenSSL.
>
> Second, we currently statically link a copy of OpenSSL in our wheels (binary
> artifacts). We are beginning the process of looking into what would be
> required to change our wheels to link against one of the OpenSSL forks.
>
> If we are able to successfully switch to one of OpenSSL's forks for our binary
> wheels, we will begin considering the circumstances under which we would drop
> support for OpenSSL entirely.
Researchers have demonstrated remotely controlling a wheelchair over Bluetooth.
CISA has issued an advisory.
> CISA said the WHILL wheelchairs did not enforce authentication for Bluetooth
> connections, allowing an attacker who is in Bluetooth range of the targeted
> device to pair with it. The attacker could then control the wheelchair’s
> movements, override speed restrictions, and manipulate configuration profiles,
> all without requiring credentials or user interaction.
Lossless data compression is an important tool for reducing the storage
requirements of the world's ever-growing data sets. Yann Collet developed the
LZ4 algorithm and designed the Zstandard (or Zstd) algorithm; he came to the
2025 Open Source Summit Japan in Tokyo to talk about where data compression goes
from here. It turns out that we have reached a point where general-purpose
algorithms are only going to provide limited improvement; for significant
increases in compression, while keeping computation costs within reason for
data-center use, turning to format-specific techniques will be needed.
This is a current list of where and when I am scheduled to speak:
* I’m speaking at the David R. Cheriton School of Computer Science in Waterloo,
Ontario, Canada on January 27, 2026, at 1:30 PM ET.
* I’m speaking at the Université de Montréal in Montreal, Quebec, Canada on
January 29, 2026, at 4:00 PM ET.
* I’m speaking and signing books at the Chicago Public Library in Chicago,
Illinois, USA, on February 5, 2026, at 6:00 PM CT.
* I’m speaking at Capricon 46 in Chicago, Illinois, USA. The convention runs
February 5-8, 2026. My speaking time is TBD...
The Debian GNOME team would like to remove the GTK 2 graphics toolkit, which has
been unmaintained upstream for more than five years, and ship Debian 14
("forky") without it. As one might expect, however, there are those who would
like to find a way to keep it. Despite its age and declared obsolescence, quite
a few Debian packages still depend on GTK 2. Many of those applications are
unlikely to be updated, and users are not eager to give them up. Discussion
about how to handle this is ongoing; it seems likely that Debian developers will
find some way to continue supporting applications that require GTK 2, but users
may have to look outside official Debian repositories.
Version 1.6.0 of the Radicle peer-to-peer, local-first code collaboration stack
has been released. Notable changes in this release include support for systemd
credentials, use of Rust's clap crate for parsing command-line arguments, and
more. LWN covered the project in March 2024.
Security updates have been issued by AlmaLinux (sssd), Debian (linux-6.1 and
python-parsl), Fedora (chezmoi, complyctl, composer, and firefox), Oracle
(kernel), Red Hat (buildah, libpq, podman, postgresql, postgresql16,
postgresql:13, postgresql:15, and postgresql:16), SUSE (avahi, curl, ffmpeg-4,
ffmpeg-7, firefox, istioctl, k6, kubelogin, libmicrohttpd, libpcap-devel,
libpng16, libtasn1-6-32bit, matio, ovmf, python-tornado6, python311-Authlib, and
teleport), and Ubuntu (angular.js, python-urllib3, and webkit2gtk).
Quality-of-service (QoS) mechanisms attempt to prioritize some processes (or
network traffic, disk I/O, etc.) over others in order to meet a system's
performance goals. This is a difficult topic to handle in the world of Linux,
where workloads, hardware, and user expectations vary wildly. Qais Yousef spoke
at the 2025 Linux Plumbers Conference, alongside his collaborators John Stultz,
Steven Rostedt, and Vincent Guittot, about their plans for introducing a
high-level QoS API for Linux in a way that leaves end users in control of its
configuration. The talk focused specifically on a QoS mechanism for the
scheduler, to prioritize access to CPU resources differently for different kinds
of process. (slides; video)
Version 147.0 of the Firefox web browser has been released. Notable changes in
this release include support for the XDG Base Directory specification, enabling
local network access restrictions for users with enhanced tracking protection
(ETP) set to "Strict", and a fix that improves Firefox's rendering with GNOME on
fractionally scaled displays. Firefox 147 also includes a number of security
fixes, including several sandbox escape vulnerabilities.
Security updates have been issued by AlmaLinux (mariadb10.11, mariadb:10.11,
mariadb:10.3, mariadb:10.5, and tar), Debian (net-snmp), Fedora (coturn,
NetworkManager-l2tp, openssh, and tuxanci), Mageia (libtasn1), Oracle (buildah,
cups, httpd, kernel, libpq, libsoup, libsoup3, mariadb:10.11, mariadb:10.3,
openssl, and podman), SUSE (cpp-httplib, ImageMagick, libtasn1, python-cbor2,
util-linux, valkey, and wget2), and Ubuntu (google-guest-agent, linux-iot, and
python-urllib3).
Forty years ago, The Mentor—Loyd Blankenship—published “The Conscience of a
Hacker” in Phrack.
> You bet your ass we’re all alike… we’ve been spoon-fed baby food at school
> when we hungered for steak… the bits of meat that you did let slip through
> were pre-chewed and tasteless. We’ve been dominated by sadists, or ignored by
> the apathetic. The few that had something to teach found us willing pupils,
> but those few are like drops of water in the desert.
>
> This is our world now… the world of the electron and the switch, the beauty of
> the baud. We make use of a service already existing without paying for what
> could be dirt-cheap if it wasn’t run by profiteering gluttons, and you call us
> criminals. We explore… and you call us criminals. We seek after knowledge… and
> you call us criminals. We exist without skin color, without nationality,
> without religious bias… and you call us criminals. You build atomic bombs, you
> wage wars, you murder, cheat, and lie to us and try to make us believe it’s
> for our own good, yet we’re the criminals...