At the Linux Application
Summit (LAS) in April, Sebastian Wick said that, by many metrics, Flatpak is doing great. The Flatpak
application-packaging format is popular with upstream developers, and
with many users. More and more applications are being published in the
Flathub application store, and the
format is even being adopted by Linux distributions like
Fedora. However, he worried that work on the Flatpak project itself
had stagnated, and that there were too few developers able to review
and merge code beyond basic maintenance.
Version 5.5.0 of the Podman container-management tool has been
released. Notable features include the addition of a podman machine cp command to copy files into a running Podman
VM, a podman artifact extract command to copy
contents of an OCI
artifact to disk, and a --mount=artifact option to mount
OCI artifacts into containers. See the release announcement for a full
list of improvements and bug fixes.
From servers in a data center to desktop computers, many devices
communicating on a network will eventually have to filter network
traffic, whether it's for security or performance reasons. As a result,
this is a domain where a lot of work is put into improving performance:
a tiny performance improvement can yield considerable gains.
Bpfilter is a
project that allows for packet filtering to easily be done with BPF, which can
be faster than other mechanisms.
Security updates have been issued by AlmaLinux (emacs, firefox, gnutls, java-17-openjdk, java-21-openjdk, osbuild-composer, python39:3.9, and thunderbird), Arch Linux (screen), Debian (varnish), Fedora (chromium), Gentoo (Atop, FreeType, and Spidermonkey), Mageia (java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-latest-openjdk and postgresql15, postgresql13), Oracle (389-ds-base, emacs, firefox, kernel, libsoup, libtiff, mod_auth_openidc:2.3, nodejs:20, nodejs:22, osbuild-composer, python39:3.9, qemu-kvm, ruby, ruby:3.1, ruby:3.3, and thunderbird), Red Hat (.NET 8.0, .NET 9.0, avahi, buildah, corosync, delve and golang, exiv2, expat, firefox, ghostscript, gimp, git, grafana, gvisor-tap-vsock, java-21-openjdk, kernel, kernel-rt, libarchive, libjpeg-turbo, libsoup, libsoup3, libxslt, mod_auth_openidc, nginx, nginx:1.22, nginx:1.24, nodejs22, nodejs:20, nodejs:22, opentelemetry-collector, osbuild-composer, perl, php, php:8.2, php:8.3, podman, python-jinja2, redis, redis:7, rhc, ruby:2.5, skopeo, sqlite, thunderbird, tomcat, tomcat9, valkey, vim, xorg-x11-server-Xwayland, xterm, xz, yelp, and yggdrasil), Slackware (screen), SUSE (apparmor, dirmngr, gimp, golang-github-prometheus-node_exporter, java-11-openj9, java-17-openj9, java-21-openj9, libxmp-devel, python311-Django4, rabbitmq-server313, rke2, and transfig), and Ubuntu (abseil and open-vm-tools).
BPF arenas are areas of memory where the verifier can safely relax its checking of
pointers, allowing programmers to write arbitrary data structures in BPF. Emil
Tsalapatis reported on how his team has used arenas in writing
sched_ext schedulers at the 2025 Linux Storage, Filesystem,
Memory-Management, and BPF Summit. His biggest complaint was about the fact that
kernel pointers can't be stored in BPF arenas — something that the BPF
developers hope to address, although there are some implementation problems that
must be sorted out first.
Nextcloud provides an
open-source collaboration platform called Nextcloud Hub, which includes file-sharing and syncing
features. The company has written
a blog post explaining that Google has revoked a critical permission
from the Nextcloud Files app for Android that allows it to sync files
to Nextcloud Hub.
Google is stating security concerns as a reason for revoking the
permission. This is hard to believe for us. Nextcloud has had this
feature since its inception in 2016, and we have never heard about any
security concerns from Google about it. Moreover, several Big Tech
apps as well as Google's own still have this. What we think: Google
owning the platform means they can and are giving themselves
preferential treatment.
Despite multiple appeals since mid-2024, Google has refused to
reinstate the permission, blocking automated Nextcloud file uploads
for millions of users.
The Nextcloud
app available via F-Droid does not have this limitation, but the
post notes that that is not an option for many users.
Security updates have been issued by Debian (libeconf and rubygems), Fedora (libxmp), Gentoo (glibc), Oracle (java-1.8.0-openjdk, kernel, libxslt, and virtuoso-opensource), SUSE (augeas, git-lfs, kanidm, and tomcat10), and Ubuntu (linux-lts-xenial).
The SUSE Security Team has published
an article detailing several security
issues it has uncovered with GNU Screen. This includes
a local root exploit when Screen is shipped setuid-root, as it is in
some Linux and BSD distributions. The security team also reports problems
in coordinating disclosure with the upstream Screen project.
We are not satisfied with how this coordinated disclosure developed,
and we will try to be more attentive to such problematic situations
early on in the future. This experience also sheds light on the
overall situation of Screen upstream. It looks like it suffers from a
lack of manpower and expertise, which is worrying for such a
widespread open source utility. We hope this publication can help to
draw attention to this and to improve this situation in the future.
The article includes a table
of operating systems, screen versions, and which vulnerabilities they
may be affected by.
The Guix project has announced
that it is migrating all of its Git repositories, as well as bug
tracking and patch tracking, from Savannah to the Codeberg Git forge.
As a user, the main change is that your channels.scm
configuration files, if they refer to the
git.savannah.gnu.org URL, should be changed to refer to
https://codeberg.org/guix/guix.git once migration is
complete. But don't worry: guix pull will tell you
if/when you need to update your config files and the old URL will
remain a mirror for at least a year anyway.
The motivation for the move, which is spelled out in a Guix
Consensus Document (GCD), is to improve the contribution
experience and improve quality assurance efforts. Migration of Git
repositories should be completed by June 7, though they will
continue to be mirrored on Savannah until "at least" May 2026. LWN covered Guix in February 2024.
The announcement
of the openSUSE Leap 16.0 beta contained something of a
surprise—along with the usual set of changes and updates, it
informed the community of the retirement of "the traditional YaST stack" from Leap. The YaST ("Yet another Setup Tool")
installation and configuration utility has been a core part of the
openSUSE distribution since its inception
in 2005, and part of SUSE Linux since 1996. It will not, immediately,
be removed from the openSUSE Tumbleweed rolling-release
distribution, but its future is uncertain and its fate is up to the larger
community to decide.