Brief items
Security
More malware uploaded to Arch Linux AUR (Linuxiac)
Linuxiac reports that another malicious package has been uploaded to the Arch User Repository (AUR). This time around the package was google-chrome-stable, which installed a remote-access trojan along with Google Chrome.
The good news—if you can call it that—is that the google-chrome-stable package was available on the AUR only for a few hours before the malware hidden inside was discovered. Still, it did get a few upvotes, which suggests at least some users ended up installing it.
The Arch Linux project had to warn users about a similar attack less than a month ago when a user uploaded three browser packages that also installed a malicious script identified as a remote-access trojan.
Garrett: Secure boot certificate rollover is real but probably won't hurt you
Matthew Garrett has posted a detailed followup to our recent article on the coming expiration of Microsoft's Secure Boot signing key.
The upshot is that nobody actually enforces these expiry dates - here's the reference code that disables it. In a year's time we'll have gone past the expiration date for 'Microsoft Windows UEFI Driver Publisher' and everything will still be working, and a few months later 'Microsoft Windows Production PCA 2011' will also expire and systems will keep booting Windows despite being signed with a now-expired certificate. This isn't a Y2K scenario where everything keeps working because people have done a huge amount of work - it's a situation where everything keeps working even if nobody does any work.
Security quotes of the week
The same architectural principles apply to AI—perhaps the most critical battleground for digital power today. Centralized AI services don't just mine your data for corporate benefit; they can shape your thinking, limit your capabilities, and make you dependent on their infrastructure. But it doesn't need to be that way.— Mike MasnickWe're already seeing the emergence of open source models, opportunities to control your own system prompts (as DuckDuckGo recently introduced), and smaller distilled models that work in decentralized environments. Projects are emerging to give people more power over their own data, letting you decide how AI can interact with your information, rather than the AI system slurping up everything it can about you.
This isn't about technical preferences—it's about the difference between renting someone else's vision of how you should think and work versus building your own.
You can take care to avoid enshittification, you can even make a fetish out of it, but without addressing these systemic failings, your individual actions will only get you so far. Sure, use privacy-enhancing tools like Signal to communicate with other people, but if the only way to get your kid to their little league game is to join the carpool group on Facebook, you're going to hemorrhage data about everything you do to Meta.— Cory DoctorowLikewise, you can use privacy-preserving adblockers in your browser, but the instant you've got to do business with a monopoly that requires you to use their app, you will be totally helpless before them, because anti-circumvention law felonizes modifying an app so it preserves your privacy.
Kernel development
Kernel release status
The 6.17 merge window remains open; it can be expected to close on August 10.Stable updates: 6.15.9, 6.12.41, and 6.6.101 were released on August 1.
The 2025 Maintainers Summit call for topics
The call for topics for the 2025 Maintainers Summit has been posted. The Summit, to be held in Tokyo on December 10, will involve around 30 developers gathered to discuss development-process issues for the kernel. Anybody who is interested in attending is encouraged to post a nomination along with the topic they would like to discuss. Nominations and topics are best sent before September 10.The call for topics for the Kernel Summit, which runs as a Linux Plumbers Conference track, is also out.
A kbuild and kconfig maintainer change
For eight years, Masahiro Yamada has been the sole maintainer of the kernel's build and configuration systems — two complex pieces of infrastructure that many people interact with, but few truly understand. Yamada has just stepped down from that position. Maintenance of the build system will be taken up by Nathan Chancellor and Nicolas Schier (in the "odd fixes" capacity), while the configuration system is now entirely unmaintained.Thanks are due to Yamada for all that work, and to Chancellor and Schier for stepping up. Hopefully a way will be found to better support these important subsystems in the near future.
Almeida: a brief introduction on how GPU drivers work
Daniel Almeida continues his look at graphics drivers on the Collabora blog.
The starting point is to understand that a kernel-mode GPU driver connects a much larger UMD (user-mode driver) to the actual GPU. The UMD will actually implement APIs like Vulkan, OpenGL, OpenCL, and others. These APIs, in turn, will be used by actual programs to describe their workload to the GPU. This includes allocating and using not only the geometry and textures, but also the shaders being used to process said data into the final result. This means that a key aspect of GPU drivers is actually allocating GPU memory to house data related to the current scene being drawn so that it can actually be operated on by the hardware.
Quotes of the week
I never knew the MM code was so dirty.— Andrew Morton
I am currently considering forcing all gmail.com addresses to digest delivery for lists like LKML, netdev, and a few others.— Konstantin Ryabitsev
Distributions
Native NVIDIA support for AlmaLinux OS 9 and 10
The AlmaLinux project has announced the availability of packages to enable native NVIDIA driver support, including CUDA and Secure Boot, for AlmaLinux 9 and 10.
When AlmaLinux started just 5 years ago, this wouldn't have been possible. With NVIDIA's open source version of their graphics drivers things have changed. This open source version is slowly becoming the flagship driver, with new products being added exclusively to it. With the help of some incredible people in the open source ecosystem and the AlmaLinux community, we were able to do something that has yet to be done in the EL ecosystem - ship Secure Boot signed, open source, NVIDIA kernel modules.
Full documentation is available on the AlmaLinux wiki.
Proxmox Virtual Environment 9.0 released
Proxmox Virtual Environment 9.0, based on Debian 13 ("trixie"), has been released. Notable new features include snapshots for thick-provisioned LVM shared storage, affinity rules for high availability (HA) clusters, and a modernized mobile web interface for managing Proxmox systems. See the release notes and known issues for more details about the release.
Distributions quote of the week
In the upcoming Trixie release, bug #186085 - which I filed over 22 years ago - will finally be fixed. I'm genuinely thrilled to see this happen while I'm serving as DPL, even though I contributed almost nothing to the actual fix. In fact, I probably could have sat down and done the work myself years ago. So if you're ever tempted to say, "That took forever!" - remember: sometimes you could be the person who makes it happen sooner.— Andreas Tille
Development
Tuba v0.10.0 released
Version 0.10.0 of the Tuba fediverse client has been released. Notable changes in this release include a new post composer, an in-app web browser, search history, and many other refinements. See this thread for more details and highlights.
Page editor: Daroc Alden
Next page:
Announcements>>