Welcome to LWN.net
LWN.net is a reader-supported news site dedicated to producing the best coverage from within the Linux and free software development communities. See the LWN FAQ for more information, and please consider subscribing to gain full access and support our activities.
[$] A trademark dispute over MeshCore
MeshCore is a relatively new project, started in January 2025, that aims to build a scalable mesh network using low-power long-distance radios. While many other projects of the same general nature have been tried before, MeshCore grew quickly because of its more efficient message routing and enthusiastic community. In early 2026, an early proponent of the project made a sudden shift that left the rest of the community stunned and embroiled in a trademark dispute.
[$] A loadable crypto module for FIPS certification
Many organizations require US Federal Information Processing Standard (FIPS) certification of the crypto code they are running. The certification process is lengthy, but the bigger problem is that the way the crypto subsystem is built into the kernel makes the result unable to be reused across kernel updates. I have proposed a patch series that decouples the crypto subsystem into a standalone loadable module, allowing a certified crypto module to be reused with multiple kernels and, thus, requiring fewer lengthy recertification delays.
[$] Policies for merging new filesystems
In a filesystem-track session at the 2026 Linux Storage, Filesystem, Memory Management, and BPF Summit, Amir Goldstein wanted to discuss his proposed documentation on adding new filesystems to the kernel. There are a number of unmaintained and untestable filesystems already in the kernel, which are a burden to VFS-layer developers who are trying to make sweeping changes, such as switching to folios and the "new" mount API. Goldstein's document is an attempt to head off the addition of filesystems that may increase that burden down the road.
[$] Separating memory descriptors from struct page
The kernel's memory-management subsystem is currently partway through a multi-year project to replace the page structure (which represents a page of physical memory) with memory descriptors. At the 2026 Linux Storage, Filesystem, Memory Management, and BPF Summit, Vishal Moola ran a fast-paced session in the memory-management track to describe the current state of that work and what is likely to happen next.
[$] LWN.net Weekly Edition for May 28, 2026
Posted May 28, 2026 1:04 UTC (Thu)The LWN.net Weekly Edition for May 28, 2026 is available.
Inside this week's LWN.net Weekly Edition
- Front: Dirk and Linus talk; BPF and GCC; private memory modes; BPF page-cache policies; major page faults; LLM kernel review; tiered-memory support; transparent huge pages; page mappings; Model Openness Tool.
- Briefs: Stenberg security stress; GTK PDF problems; Morton 2004 keynote; OpenBSD 7.9; Bambu's AGPLv3 violations; Quotes; ...
- Announcements: Newsletters, conferences, security updates, patches, and more.
[$] MOT: a tool to fight openwashing in AI
Many large language models (LLMs) are described as open source, but if one looks a bit deeper it turns out that is not actually so; the model may be free to download, it may be "open weight", but it does not fit the Open Source Initiative (OSI) Open Source Definition (OSD). Assessing the actual openness of models is not easy, as Arnaud Le Hors explained in his talk about the Model Openness Tool (MOT) at Open Source Summit North America 2026. The tool is designed to help users of LLMs understand to what degree a model is (or is not) open, and to combat the openwashing that is prevalent with LLMs.
[$] Further progress toward removing the page map count
The mapcount field was created to track the number of mappings (page-table entries) that refer to the given page. Among other things, a mapcount of zero means that the page has no references and can be reclaimed. Maintaining mapcount has become increasingly challenging and expensive as the memory-management system has grown in complexity, so Hildenbrand has been looking for ways to get rid of it. This session was, he said, maybe one of the last times he will have to bring up this topic.
[$] Better automatic management of transparent huge pages
Huge pages can improve performance by increasing translation lookaside buffer (TLB) utilization and reducing memory-management overhead. Transparent huge pages (THPs) are supposed to make huge-page usage, well, transparent, Nico Pache said at the beginning of his session in the memory-management track of the 2026 Linux Storage, Filesystem, Memory Management, and BPF Summit. That transparency has never worked as well as many would like; he has been working on improvements to make it easier for applications to use huge pages on Linux systems. A following session, led by David Hildenbrand, was focused on how THPs could be taken away from processes that are not using them fully.
[$] Reviewing kernel patches with LLMs
In a plenary session at the 2026 Linux Storage, Filesystem, Memory Management, and BPF Summit, the state of patch review using large language models (LLMs) was discussed. It is a topic that has been swirling around in the kernel community for much of the year. The plenary, which was led by Roman Gushchin, Chris Mason, Josef Bacik, and Sasha Levin, resulted in a quite bit of discussion, so much that a second filesystem-track-only (though others surely sat in) slot was used to continue it later in the day.
[$] Tier-aware memory-controller limits
Joshua Hahn began his session in the memory-management track of the 2026 Linux Storage, Filesystem, Memory Management, and BPF Summit by saying that the memory controller for control groups is intended to provide resource allocation, accounting, and protection from interference by other tasks. But it was not really designed for tiered-memory systems; he is looking for a way to improve that situation.
Nesbitt: Protestware for coding agents
Andrew Nesbitt has written a blog post detailing a recent incident with the jqwik library for property-based testing in Java. On May 25, the 1.10.0 release of jqwik included a change that attempts to instruct coding agents to disregard previous instructions and delete jqwik tests and code.
I think this is a new class of supply-chain input worth keeping an eye on, mostly because of how little of the existing tooling has any opinion about it. A System.out.print of sixty-eight bytes of plain ASCII isn't the kind of thing scanners are looking for, since those watch for install hooks, network calls, filesystem writes, obfuscated strings and the like. The jar makes the same syscalls it made in 1.9, and because the change was committed and released by the legitimate maintainer through the normal build, it's clean from a SLSA point of view too: the provenance is what it should be. Anyone who reads the diff can see what it does, but a patch bump of a test-scoped dependency is not where most projects spend their review time.
Security updates for Friday
Security updates have been issued by AlmaLinux (.NET 8.0, .NET 9.0, cockpit, firefox, flatpak, httpd, kernel, and kernel-rt), Debian (kernel, kitty, lemonldap-ng, nagios4, python-flask-httpauth, and roundcube), Fedora (CImg, gmic, haveged, jpegxl, kernel, libpng, mapserver, mingw-qt6-qtsvg, openbao, perl-Sereal, perl-Sereal-Decoder, perl-Sereal-Encoder, and podofo), Mageia (bind, graphicsmagick, microcode, nginx, packages, perl-Catalyst-Plugin-Authentication, perl-HTTP-Daemon, perl-IO-Compress, and thunderbird(-l10n)), SUSE (alloy, apache2, beets, bubblewrap, cups, docker-stable, ffmpeg-4, ffmpeg-7, firefox, google-osconfig-agent, patterns-glibc-hwcaps, podman, samba, thunderbird, trivy, xdg-desktop-portal, and xz), and Ubuntu (apache2, libreoffice, multipart, openjdk-17, openjdk-17-crac, openjdk-21, openjdk-21-crac, openjdk-25, openjdk-25-crac, openjdk-26, openjdk-8, openjdk-lts, php8.1, php8.3, php8.4, php8.5, pyopenssl, python-pip, qtsvg-opensource-src, sed, and vim).
Rust 1.96.0 released
Version 1.96.0 of the Rust programming language has been released. Changes include a new set of Copy-implementing Range types, assertions with pattern matching, a number of stabilized APIs, and two Cargo vulnerability fixes.
Górny: why Gentoo?
Gentoo developer Michał Górny has written a lengthy article explaining the philosophy and purpose of the Gentoo Linux distribution, in response to a thread on Mastodon:
Gentoo is a source-first distribution, which means the primary method of installing software is to build it from source. Of course, that doesn't mean manually building stuff, following some kind of how-to: finding all the dependencies, installing them manually, going through a series of magical incantations, and eventually ending up no better than if we were installing a binary package. The package manager takes care of all the necessary steps and more, making package installs easy; well, at least unless something fails. But I'm digressing...
[...] We try to build a friendly and welcoming community around Gentoo, and we truly want using Gentoo be an enjoyable experience. We want it to be a system that doesn't betray you.
IBM's "Project Lightwell"
IBM has sent out a press release touting a claimed $5 billion investment into an operation called Project Lightwell:
Project Lightwell will establish a trusted enterprise clearinghouse combined with a global force of engineers to identify and fix vulnerabilities at scale. The clearinghouse will serve as a security coordination layer, using advanced AI capabilities to validate and test fixes across an unprecedented volume of open source code. These capabilities will be offered through commercial subscriptions, allowing enterprises to integrate secure patches directly into their existing software supply chains with enterprise-grade validation and lifecycle management.
Toward the bottom, it does also mention sharing vulnerability information with upstream projects.
Security updates for Thursday
Security updates have been issued by AlmaLinux (firefox, gdk-pixbuf2, glibc, gnutls, kernel, libexif, mysql8.4, postgresql16, postgresql18, python3.14, ruby:3.3, and ruby:4.0), Debian (krb5, roundcube, starlette, unbound, and varnish), Fedora (kernel, nginx, nginx-mod-brotli, nginx-mod-fancyindex, nginx-mod-headers-more, nginx-mod-js-challenge, nginx-mod-modsecurity, nginx-mod-naxsi, nginx-mod-vts, perl-Imager, poppler, python-uv-build, rrdtool, rust-astral-tokio-tar, rust-astral_async_http_range_reader, rust-astral_async_zip, uv, and xen), Oracle (.NET 10.0, .NET 9.0, glibc, ruby:3.3, and thunderbird), Red Hat (.NET 10.0, .NET 8.0, .NET 9.0, containernetworking-plugins, gvisor-tap-vsock, podman, runc, and skopeo), SUSE (agama, alloy, bubblewrap, cockpit, cups, dnsmasq, emacs, glibc, gnutls, go1.25, go1.25-openssl, go1.26, go1.26-openssl, google-guest-agent, hplip, ibus-rime, librime, kernel, libarchive, libzypp, nginx, openexr, openssh, php7, postgresql14, postgresql15, postgresql16, python311-pytest-html, redis, redis7, rsync, tree-sitter, valkey, xen, and yq), and Ubuntu (cableswig, commons-beanutils, dnsmasq, ffmpeg, foomuuri, gst-plugins-good1.0, libcaca, libgcrypt20, mediawiki, memcached, papers, postorius, tgt, and tika).
Interview session with Jonathan Corbet
The Linux Foundation will be hosting a live interview with LWN co-founder Jonathan Corbet. The event will take place on Tuesday, June 2 at 8:00AM Pacific daylight time (UTC-7). Registration is open for those who would like to attend.
Andrew Morton's 2004 OLS keynote
I recently presented a brief tribute to Andrew Morton at the 2026 Linux Storage, Filesystem, Memory Management, and BPF Summit; it included a suggestion that reading (or re-reading) his 2004 Ottawa Linux Symposium keynote would be instructive. This talk, given immediately after the Kernel Summit session that decided to fundamentally change the kernel's development model, tells a lot about how the kernel project got to where it is today. The text of that speech was hosted on Groklaw, and has since been replaced by crypto spam, which is rather less useful. In the hopes of preserving this seminal moment, the transcript has been rescued thanks to the Wayback Machine and is presented here.
Security updates for Wednesday
Security updates have been issued by AlmaLinux (bind, buildah, compat-libtiff3, compat-openssl11, containernetworking-plugins, crun, delve, dnsmasq, dovecot, edk2, firefox, freeipmi, gdk-pixbuf2, giflib, git-lfs, glib2, go-fdo-client, go-fdo-server, golang, grafana, grafana-pcp, gstreamer1-plugins-bad-free, gstreamer1-plugins-base, gstreamer1-plugins-good, and gstreamer1-plugins-ugly-free, iputils, jq, kernel, krb5, libcap, LibRaw, libsndfile, libsoup, libsoup3, libssh, libtiff, libvirt, linux-sgx, luksmeta, mingw-glib2, NetworkManager, nginx, nginx:1.24, nginx:1.26, openexr, openssh, openssl, opentelemetry-collector, p11-kit, PackageKit, podman, python-jwcrypto, python-markdown, python-tornado, python3.11, python3.12, python3.14, python3.9, qemu-kvm, rsync, skopeo, sudo, systemd, thunderbird, tomcat, unbound, vim, xorg-x11-server, xorg-x11-server-Xwayland, yggdrasil, and yggdrasil-worker-package-manager), Debian (imagemagick, kdenlive, memcached, node-shell-quote, and samba), Fedora (chromium, curl, editorconfig, haproxy, perl-Crypt-DSA, perl-HTTP-Tiny, poppler, rust-afterburn, rust-coreos-installer, rust-eif_build, rust-rpm-sequoia, rust-sequoia-chameleon-gnupg, rust-sequoia-git, rust-sequoia-keystore-server, rust-sequoia-octopus-librnp, rust-sequoia-openpgp, rust-sequoia-sop, rust-sequoia-sq, rust-sequoia-sqv, and uriparser), Oracle (compat-libtiff3, dnsmasq, firefox, freeipmi, kernel, and uek-kernel), Slackware (mozilla), SUSE (assimp, firefox, glibc, gnutls, go1.25-openssl, go1.26-openssl, kernel, kubevirt, leancrypto, libarchive, libsndfile, mcphost, nginx, openssh, podman, python-GitPython, rsync, and samba), and Ubuntu (ayttm, dnsmasq, libssh2, linux-azure, linux-azure, linux-azure-6.17, linux-iot, linux-lowlatency-hwe-5.15, ngtcp2, onnx, opencc, protobuf, python-git, samba, xdg-dbus-proxy, and xmlrpc-c).
Arias: Human proof for FOSS contributions
Rodrigo Arias Mallo, maintainer of the Dillo web browser, has written a blog post with a proposal on one way to ensure that a contribution is written by a human and not AI; he suggests asking new contributors to record their programming session using asciinema.
In the same way that LLMs generate patches, they can also generate the asciinema recordings themselves. Then, the contributors can lie to the reviewers pretending to have made the edits. Perhaps surprisingly, this is not a easy task for LLMs, at least from my observations. The corpus of recordings of developers making mistakes and thinking the whole process of editing a file is not as large as the corpus of FOSS programs and patches in which to train an LLM. During my very simple tests I haven't been able to generate an asciinema session that remotely resembles what I would expect from a human, and even less so from a human with a nice editor theme and editing an existing Dillo source file.
The Dillo project is not yet requiring asciinema recordings, but he said that he would like to test the theory further. LWN covered asciinema in January 2026.
