Anton Protopopov led a short discussion at the 2025 Linux Storage, Filesystem,
Memory-Management, and BPF Summit about amount of memory used
by hash tables in BPF programs. He thinks that the current memory layout is
inefficient, and wants to split the structure that holds table entries into two
variants for different kinds of maps. When that proposal proved
uncontroversial, he also took the chance to talk about a bug in BPF's call
instruction.
The Debian project has the concept of essential
packages, which provide the bare minimum functionality considered
absolutely necessary (or "essential") for a system to
function. Packages tagged as essential, and the packages that are
required by the set of essential packages, are always installed as
part of a Debian system. However, Debian's packaging rules do not
require developers to explicitly declare dependencies on that set of
packages (the essential set) but they can simply rely on the fact that those
will always be present. That means that changing the essential set, as
the project may wish to do occasionally, is more complicated than it
should be. This came to light recently when a Debian developer asked
what might be required to remove mawk to slim down
the project's container images.
The SUSE Security Team has announced the removal of the Deepin
Desktop from openSUSE due to violations of the project's packaging
policy.
The discovery of the bypass of the security whitelistings via the
deepin-feature-enable package marks a turning point in our assessment
of Deepin. We don't believe that the openSUSE Deepin packager acted
with bad intent when he implemented the "license agreement" dialog to
bypass our whitelisting restrictions. The dialog itself makes the
security concerns we have transparent, so this does not happen in a
sneaky way, at least not towards users. It was not discussed with us,
however, and it violates openSUSE packaging policies. Beyond the
security aspect, this also affects general packaging quality
assurance: the D-Bus configuration files and Polkit policies installed
by the deepin-feature-enable package are unknown to the package
manager and won't be cleaned up upon package removal, for
example. Such bypasses are not deemed acceptable by us.
Security updates have been issued by Fedora (incus and nodejs20), Red Hat (freetype, kernel, kernel-rt, libsoup, libtiff, redis, redis:6, and thunderbird), SUSE (apparmor, chromium, grafana, ImageMagick, java-11-openjdk, java-17-openjdk, libsoup, libsoup2, libxslt, opensaml, rabbitmq-server, rubygem-rack-1_6, sqlite3, and thunderbird), and Ubuntu (kernel, libfcgi, libraw, libsoup2.4, linux, linux-aws, linux-aws-5.15, linux-gcp, linux-gke, linux-gkeop, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-intel-iotg, linux-intel-iotg-5.15, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-nvidia-tegra, linux-nvidia-tegra-igx, linux-oracle, linux-oracle-5.15, linux-raspi, linux, linux-aws, linux-aws-5.4, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-hwe-5.4, linux-ibm, linux-kvm, linux-oracle, linux-oracle-5.4, linux, linux-aws, linux-aws-6.8, linux-gcp, linux-gcp-6.8, linux-gke, linux-gkeop, linux-hwe-6.8, linux-ibm, linux-lowlatency, linux-lowlatency-hwe-6.8, linux-nvidia, linux-nvidia-6.8, linux-nvidia-lowlatency, linux-oem-6.8, linux-oracle, linux-oracle-6.8, linux, linux-aws, linux-aws-hwe, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux, linux-aws, linux-gcp, linux-gcp-6.11, linux-hwe-6.11, linux-lowlatency, linux-lowlatency-hwe-6.11, linux-oracle, linux-raspi, linux-aws-fips, linux-fips, linux-gcp-fips, linux-azure, linux-azure, linux-azure-4.15, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15, linux-azure, linux-azure-6.11, linux-azure-6.8, linux-azure-fips, linux-intel-iot-realtime, linux-realtime, linux-oem-6.11, linux-raspi, linux-realtime, python, python-scrapy, and ruby-carrierwave).
Willy Tarreau and William Lallemand have posted
an extensive white
paper examining the landscape of the available SSL implementations.
OpenSSL 3.0 performs significantly worse than alternative SSL
libraries, forcing organizations to provision more hardware just to
maintain existing throughput. This raises important questions about
performance, energy efficiency, and operational costs.
Examining alternatives—BoringSSL, LibreSSL, WolfSSL, and
AWS-LC—reveals a landscape of trade-offs. Each offers different
approaches to API compatibility, performance optimization, and QUIC
support. For developers navigating the modern SSL ecosystem,
understanding these trade-offs is crucial for optimizing
performance, maintaining compatibility, and future-proofing their
infrastructure.
On the 50th anniversary of the USENIX organization, its flagship Annual
Technical Conference (ATC) is
coming
to an end.
For the past two decades, as more USENIX conferences have joined
the USENIX calendar by focusing on specific topics that grew out of
ATC itself, attendance at ATC has steadily decreased to the point
where there is no longer a critical mass of researchers and
practitioners joining us. Thus, after many years of experiments to
adapt this conference to the ever-changing tech landscape and
community, the USENIX Board of Directors has made the difficult
decision to sunset USENIX ATC.
Many important technologies first saw the light of day at this event.
Version
1.0.0 of Mission Center, a system-monitoring application, has been
released. Notable changes in this release include the addition of
SMART data for SATA and NVMe devices, display of per-process
network usage, as well as a redesigned Apps Page that provides
more information about applications and processes. Mission Center's
backend application for obtaining system data has been renamed from
the Gatherer to Magpie, and is
now available as a standalone executable and libraries that can be
used by other applications.
Linux systems can have large filesystems; trying to keep up with the
stream of
fanotify filesystem-monitoring notifications for them can be a struggle.
Fanotify is one of a few ways to monitor accesses to filesystems provided by the kernel.
Song Liu led a discussion
on how to improve in-kernel filtering of fanotify events to a joint
session of the filesystem and BPF tracks at the 2025 Linux Storage, Filesystem,
Memory-Management, and BPF Summit. He wants to combine the best parts of a few
different approaches to efficiently filter filesystem events.
In a combined filesystem and memory-management session at
the 2025 Linux Storage, Filesystem, Memory
Management, and BPF Summit (LSFMM+BPF), Joanne Koong led a discussion on
improving the writeback performance for the
Filesystem in
Userspace (FUSE) layer. Writeback is how data that is written to the
filesystem is actually flushed to the disk; it is the process of writing
dirty pages from the page cache to storage. The current FUSE
implementation allocates unmovable memory, then copies the dirty data to it
before initiating writeback, which is slow; Koong wanted to change that
behavior. Since the session, she has
posted a
patch set that has been
applied
by FUSE maintainer Miklos Szeredi.
Security updates have been issued by Fedora (chromium and kappanhang), Red Hat (osbuild-composer and thunderbird), SUSE (chromedriver), and Ubuntu (c-ares, corosync, mysql-8.0, mysql-8.4, openjdk-17, openjdk-21, openjdk-24, openjdk-8, and openjdk-lts).