Security updates have been issued by Debian (glusterfs, php5, reportbug, and suricata), openSUSE (chromium and exempi), Red Hat (openstack-rabbitmq-container), SUSE (couchdb, crowbar, crowbar-core, crowbar-ha, crowbar-init, crowbar-openstack, crowbar-ui, gdm, OpenStack, pango, and webkit2gtk3), and Ubuntu (bind9, lcms, lcms2, and lcms2).

A story in The New Yorker magazine may help explain some of the timing of the recent upheavals in kernel-land. Longtime followers of kernel development will find the article to be a mixed bag—over the top in spots, fairly accurate elsewhere. "Torvalds’s decision to step aside came after The New Yorker asked him a series of questions about his conduct for a story on complaints about his abusive behavior discouraging women from working as Linux-kernel programmers. In a response to The New Yorker, Torvalds said, 'I am very proud of the Linux code that I invented and the impact it has had on the world. I am not, however, always proud of my inability to communicate well with others—this is a lifelong struggle for me. To anyone whose feelings I have hurt, I am deeply sorry.'"

The LWN.net Weekly Edition for September 20, 2018 is available.

Stable kernels 4.18.9, 4.14.71, 4.9.128, and 4.4.157 have been released. They all contain the usual set of important fixes and users should upgrade.

Android's Project Treble is meant as a way to reduce the fragmentation in the Android ecosystem. It also makes porting Android 8 ("Oreo"—the first version to mandate Treble) more difficult, according to Fedor Tcymbal. He described the project and what it means for silicon and device vendors in a talk at Open Source Summit North America 2018 in Vancouver, Canada.

Facebook runs a lot of programs and it tries to pack as many as it can onto each machine. That means running close to—and sometimes beyond—the resource limits on any given machine. How the system reacts when, for example, memory is exhausted, makes a big difference in Facebook getting its work done. Tejun Heo came to 2018 Open Source Summit North America to describe the resource control work that has been done by the team he works on at Facebook.

Security updates have been issued by Debian (chromium-browser and libapache2-mod-perl2), Oracle (kernel), and Ubuntu (ghostscript, glib2.0, and php5).

Version 7.0.0 of the LLVM compiler suite is out. "It is the result of the community's work over the past six months, including: function multiversioning in Clang with the 'target' attribute for ELF-based x86/x86_64 targets, improved PCH support in clang-cl, preliminary DWARF v5 support, basic support for OpenMP 4.5 offloading to NVPTX, OpenCL C++ support, MSan, X-Ray and libFuzzer support for FreeBSD, early UBSan, X-Ray and libFuzzer support for OpenBSD, UBSan checks for implicit conversions, many long-tail compatibility issues fixed in lld which is now production ready for ELF, COFF and MinGW, new tools llvm-exegesis, llvm-mca and diagtool". The list of new features is long; see the overall release notes, the Clang release notes, the Clang tools release notes, and the LLD linker release notes for more information.

A couple of surprising things happened in the kernel community on September 16: Linus Torvalds announced that he was taking a break from kernel development to focus on improving his own behavior, and the longstanding "code of conflict" was replaced with a code of conduct based on the Contributor Covenant. Those two things did not quite come packaged as a set, but they are clearly not unrelated. It is a time of change for the kernel project; there will be challenges to overcome but, in the end, less may change than many expect or fear.

Security updates have been issued by Fedora (ghostscript, icu, nspr, nss, nss-softokn, nss-util, and okular), Red Hat (java-1.7.1-ibm, java-1.8.0-ibm, OpenStack Platform, openstack-neutron, and openstack-nova), and Ubuntu (clamav and php5, php7.0, php7.2).

The PostgreSQL community has, after an extended discussion, announced the adoption of a code of conduct "which is intended to ensure that PostgreSQL remains an open and enjoyable project for anyone to join and participate in".

Versity Software has announced that it has released ScoutFS under GPLv2. "ScoutFS is the first GPL archiving file system ever released, creating an inherently safer and more user friendly option for storing archival data where accessibility over very large time scales, and the removal of vendor specific risk is a key consideration."

Security updates have been issued by Debian (discount, ghostscript, intel-microcode, mbedtls, thunderbird, and zutils), Fedora (ghostscript, java-1.8.0-openjdk-aarch32, kernel-headers, kernel-tools, libzypp, matrix-synapse, nspr, nss, nss-softokn, nss-util, zsh, and zypper), Mageia (kernel, kernel-linus, and kernel-tmb), openSUSE (chromium, curl, ffmpeg-4, GraphicsMagick, kernel, libzypp, zypper, okular, python3, spice-gtk, tomcat, and zsh), Oracle (kernel), Slackware (php), SUSE (curl, libzypp, zypper, and openssh-openssl1), and Ubuntu (curl and firefox).

SpamAssassin 3.4.2 is out, the first release from this spam-filtering project since 3.4.1 came out in April 2015. It fixes some remotely exploitable security issues, so SpamAssassin users probably want to update in the near future. "The exploit has been seen in the wild but not believe to have been purposefully part of a Denial of Service attempt.  We are concerned that there may be attempts to abuse the vulnerability in the future.  Therefore, we strongly recommend all users of these versions upgrade to Apache SpamAssassin 3.4.2 as soon as possible."

Behavioral changes can make desktop users grumpy; that is doubly true for changes that arrive without notice and possibly risk data loss. Such a situation recently arose in the Fedora 29 development branch in the form of a new "suspend-then-hibernate" feature. This feature will almost certainly be turned off before Fedora 29 reaches an official release, but the discussion and finger-pointing it inspired reveal some significant differences of opinion about how this kind of change should be managed.

Linus has released 4.19-rc4 and made a set of announcements that should really be read in their entirety. "I actually think that 4.19 is looking fairly good, things have gotten to the 'calm' period of the release cycle, and I've talked to Greg to ask him if he'd mind finishing up 4.19 for me, so that I can take a break, and try to at least fix my own behavior."

The 4.18.8, 4.14.70, 4.9.127, and 4.4.156 stable kernels have been released. Each contains a relatively large set of important fixes and updates.

Linux Journal covers the new Academy Software Foundation (ASWF), which is a project aimed at open-source collaboration in movie-making software that was started by the Academy of Motion Picture Arts and Sciences (AMPAS) and the Linux Foundation. "Still at the early stages, the ASWF has yet to develop any of its own projects, but there is interest in having them host a number of very popular projects, such as Industrial Light & Magic’s OpenEXR HDR image file format, color management solution OpenColorIO, and OPenVDB, which is used for working with those hard-to-handle objects like clouds and fluids. Along with promoting cooperation on the development of a more robust set of tools for the industry, one of the goals of the organization moving forward is to put out a shared licensing template that they hope will help smooth the tensions over licensing. It follows that with the growth of projects, navigating the politics over usage rights is bound to be a tricky task."

Security updates have been issued by CentOS (firefox), Fedora (firefox, openssh, pango, and zziplib), Mageia (flash-player-plugin and ntp), Oracle (kernel), Red Hat (flash-plugin), Slackware (ghostscript), SUSE (podman and spice-gtk), and Ubuntu (firefox).

Over at Opensource.com, Red Hat's Michael Tiemann looks at open source from the perspective of the economic theories of Ronald Coase, who won the 1991 Nobel Prize for Economics. Those theories help explain why companies like Red Hat (and Cygnus Solutions, which Tiemann founded) have prospered even in the face of economic arguments about why they should not. "Successful open source software companies 'discover' markets where transaction costs far outweigh all other costs, outcompete the proprietary alternatives for all the good reasons that even the economic nay-sayers already concede (e.g., open source is simply a better development model to create and maintain higher-quality, more rapidly innovative software than the finite limits of proprietary software), and then—and this is the important bit—help clients achieve strategic objectives using open source as a platform for their own innovation. With open source, better/faster/cheaper by itself is available for the low, low price of zero dollars. As an open source company, we don't cry about that. Instead, we look at how open source might create a new inflection point that fundamentally changes the economics of existing markets or how it might create entirely new and more valuable markets."