LWN.net

In a shortened session in the filesystem track at the 2026 Linux Storage, Filesystem, Memory Management, and BPF Summit , Amir Goldstein gave an update on the overlayfs union filesystem . There are some new features over the last few years that he wanted to mention, along with looking at the status of nesting overlayfs layers. The composefs use case that was discussed at the summit in 2023 has led to some interesting changes to overlayfs.

Hundreds of orphaned packages hosted by the Arch User Repository (AUR) have been compromised by an attacker who has added a malicious npm package ( atomic-lockfile ) that can exfiltrate sensitive data. The project is currently working on cleaning up the mess. There is a list of affected packages and post (possibly NSFW domain) by "sodiboo" with additional information. Arch Linux users (or users of Arch-based distributions) that use AUR packages may wish to see if they have installed any of the …

Security updates have been issued by AlmaLinux (.NET 10.0, .NET 8.0, .NET 9.0, bind, expat, httpd:2.4, kernel, kernel-rt, mod_http2, openssl, poppler, redis, redis:7, samba, and unbound), Debian (ironic, kernel-wedge, libinput, linux-base, and neutron), Fedora (kernel, openssl, vaultwarden, and vaultwarden-web), Mageia (erlang-hex_core, erlang-rebar3, gnupg2, and sqlite3), Red Hat (buildah, podman, and skopeo), SUSE (flannel, gdk-pixbuf-loader-libheif, gnutls, google-cloud-sap-agent, grafana, g…

Version 6.0.0 of the Homebrew package-management system has been released. Notable changes in this release include the introduction of tap trust to improve supply-chain security, improvements in sandboxing on Linux, a number of performance tweaks, and many other changes. See the changelog for a full list. LWN covered Homebrew in November 2025.

The Linux kernel has long tried to use huge pages as a way to improve performance, sometimes with more success than others. The size of huge pages has traditionally been imposed by the hardware, which typically only offers a couple of relatively large options. In more recent times, though, the use of multi-size transparent huge pages (mTHPs), with more flexible sizing implemented in software, has been growing. If all goes well, the 7.2 development cycle will include the addition of a new featur…

Security updates have been issued by AlmaLinux (.NET 10.0, .NET 8.0, .NET 9.0, podman, poppler, and postgresql-jdbc), Debian (chromium, jackson-core, libdbi-perl, and libinput), Fedora (httpd, rust, and xmlstarlet), Mageia (openssh, postfix, and roundcubemail), Oracle (frr, kernel, libyang, n, postgresql-jdbc, and unbound), Red Hat (.NET 10.0, .NET 8.0, .NET 9.0, redis, and redis:7), SUSE (agama-web-ui, cockpit, cosign, glibc, google-cloud-sap-agent, google-osconfig-agent, kanidm, kernel, kuber…

Inside this week's LWN.net Weekly Edition: Front : Suspicious AI activity in Fedora; fork() + exec(); splice() + vmsplice(); BPF loop verification; fanotify; trusted publishing. Briefs : CA age bill; Bundler cooldowns; insecure code completion; Asahi and macOS 27 beta; Buildroot 2026.05; Ubuntu MATE; rsync 3.4.4; Quotes; ... Announcements : Newsletters, conferences, security updates, patches, and more.

Seth Larson, the Python Software Foundation's security developer-in-residence , has written about the difficulty in classifying insecure code completion in the PyCharm IDE using its Full Line code completion plugin. Larson discovered that the plugin, which uses a local "deep learning module" to offer code completions, suggests code that would lead to severe vulnerabilities. He was unsure whether it warranted a CVE or not, however: I reported this behavior to JetBrains for "Full Line Code Comple…

Agentic AI systems can be used to do a variety of things autonomously on behalf of a human user: open or manage bugs, generate code, submit pull-requests, and (apparently) even complain about rejection . In May, a Fedora developer discovered that an allegedly rogue agent had been pestering the project in a number of ways: reassigning bugs, fabricating unhelpful replies to bugs, and even persuading maintainers to merge questionable code into the Anaconda installer . It also submitted a number of…

Version 2026.05 of the Buildroot tool has been released. Buildroot simplifies and automates the process of building embedded Linux systems using cross-compilation. Notable changes in this release include support for Arm Neoverse cores, addition of XFS rootfs generation, as well as many package updates and bug fixes. See the CHANGES file for the full list.

Security updates have been issued by AlmaLinux (poppler), Debian (dnsmasq, mistral, okular, openssl, poppler, and strongswan), Fedora (exim, firefox, pcs, putty, and xorg-x11-server), Mageia (freeciv, golang-x-net, jq, libssh, libxmp, libxpm, minetest, ruby-net-ssh, tor, and wireshark), SUSE (389-ds, ack, agama-web-ui, amazon-ssm-agent, avahi, dpkg, elemental-register, elemental-system-agent, elemental-toolkit, ggml-devel-9500, go1.25, go1.26, kernel, kubernetes1.23, kubernetes1.24, kubernetes1…

Thomas Ward has published an update about the future of the Ubuntu MATE project, which did not have a 26.04 release with the other Ubuntu flavors in April: There is a new team working on Ubuntu MATE who have stepped up to help take over flavor management. They haven't formally introduced themselves yet, but I can safely say that other developers HAVE stepped up for the future of the MATE flavor, despite its prior team lead having stepped down. [...] Ultimately, this means that they are working …

Trusted publishing is an authentication mechanism that relies on short-lived credentials to reduce the risk of supply-chain attacks. At the 2026 Open Source Summit North America , Mike Fiedler walked the audience through why trusted publishing exists, how it works, and made the case for its adoption. It is not a silver bullet against all attacks, but it does offer protection against theft of long-lived credentials used to publish to package registries.

The Asahi Linux project, which brings Linux support to Apple Arm-based Macs, has warned its users not to upgrade to the macOS 27 "Golden Gate" beta. Apple has changed how the boot picker and Startup Disk applications detect valid OS boot volumes. When using either from macOS 27, your Asahi partition will not be visible! We believe this to be a bug, and have filed a report (FB22994760). If you have already upgraded to the beta and noticed that your Asahi partition has disappeared, do not stress.…

The BPF verifier has, in the course of wrestling with the difficult problem of statically analyzing loops, grown special support for many kinds of loops over its history, but its fundamental approach to simple for loops has not changed. When it encounters a loop, it evaluates it, iteration by iteration, until reaching an exit condition — a process that can cause the verifier to mistakenly hit the limit on the number of allowed instructions where a better implementation would not. Eduard Zingerm…