2026-06-08 23:35:10
In a filesystem-track session at the 2026 Linux Storage, Filesystem, Memory Management, and BPF Summit, Amir Goldstein updated attendees on the fanotify filesystem-event monitoring subsystem. He wanted to describe changes that had come in the last year or so, as well as upcoming features and some remaining challenges in his efforts to use fanotify for hierarchical storage management (HSM). Fanotify is the user-space API for monitoring files, directories, and filesystems for events of various sorts (e.g. opening or deleting a file).
2026-06-08 22:23:23
Andrew Tridgell has announced the release of rsync 3.4.4 with fixes for the regressions introduced in the 3.4.3 release. He also notes there will be an rsync 3.5.0 soon, with many more security updates:
As part of the 3.5.0 release update I have created a [email protected] mailing list for anyone who is willing to do testing of the 3.5.0 release. The idea is to try to reduce the chance of more regressions by expanding the set of testers of this release. I have seeded it with people who were involved in past rsync security issues. If you want to join this list then the easiest way would be for you to be vouched for by someone on the [email protected] list or someone else I already trust.
My apologies for the regressions in the 3.4.3 release and I hope future security updates for rsync will have less issues. The greatly expanded test suite in rsync 3.5 combined with the rsync-security mailing list should help.
2026-06-08 21:32:33
Security updates have been issued by AlmaLinux (bind, bind9.16, frr, kernel, kernel-rt, libexif, mysql, php, and unbound), Debian (apache2, chromium, glibc, gsasl, jackson-core, libxml2, nginx, request-tracker4, request-tracker5, tomcat10, tomcat11, and tomcat9), Fedora (chromium, firefox, haveged, keylime, libinput, libssh2, nasm, perl-CryptX, rust, thunderbird, and webkitgtk), Mageia (cockpit, golang-x-crypto, golang-x-sys-devel, kernel, kmod-virtualbox, kmod-xtables-addons, kernel-linus, perl-DBIx-Class-EncodedColumn, perl-Crypt-URandom-Token, xdg-dbus-proxy, and xmlrpc-c), Slackware (samba), and SUSE (7zip, amazon-ssm-agent, ansible-13, ansible-core, assimp-devel, bind, cacti, chromium, dpkg, epiphany, erlang27, evince, ffmpeg-4, freerdp, frr, git-bug, google-guest-agent, grafana, hauler, ignition, jq, kanidm, kernel, keybase-client, libjxl, libmariadbd-devel, libmozjs-115-0, libopenbabel8, libsoup2, mariadb, mcphost, networkmanager, openssh, perl-HTTP-Daemon, perl-HTTP-Tiny, perl-IO-Compress, perl-Sereal-Decoder, perl-xml-libxml, postgresql18, python-pyopenssl, python311-pip, tomcat, tomcat10, tomcat11, tor, trivy, unbound, uriparser, vifm, weblate, xorg-x11-server, and yq).
2026-06-08 08:28:06
The 7.1-rc7 kernel prepatch is out for
testing. Linus said: "Anyway, as things look now this is the last
rc. Something can obviously always come up and force us to change that, but
please give rc7 a whirl and keep testing for one more week.
"
2026-06-05 22:06:43
Since the earliest days of Unix, two of the core process-oriented system calls have been fork(), which creates a child process as a copy of the parent, and exec(), which runs a new program in the place of the current one. In Linux kernels, those system calls are better known as clone() and execve(), but the core functionality remains the same. While there is elegance to this process-creation model, there are shortcomings as well. A recent proposal from Li Chen to add "spawn templates" to the kernel will not be accepted in its current form, but it may point the way toward a new process-creation primitive in the future.
2026-06-05 20:57:00
Version 4.0.13 of Ruby's Bundler package-manager has added dependency cooldowns in order to help mitigate the effect of supply-chain attacks:
Most supply-chain attacks against RubyGems exploit a narrow window: an account is compromised, a malicious version ships, and any bundle install in the minutes that follow resolves straight to it. Bundler 4.0.13 introduces cooldown, a time-based filter that refuses to resolve to a version until it has been public for at least N days. Releases too new to have been scrutinized are passed over in favor of ones that have aged past the window.
The feature was designed in the open, drawing on how other ecosystems approach the same problem. It is opt-in, and complements rather than replaces existing defenses like mandatory 2FA and trusted publishing.
LWN covered dependency cooldowns in April, and the takeover of RubyGems and Bundler in October 2025.