Alpaquita Linux 25: Release Notes

1. Introduction

These release notes give you late-breaking information about the BellSoft Alpaquita Linux 25 release. Please read this document carefully, as it contains information that is not included in other BellSoft Alpaquita documents.

Kernel version

The Alpaquita Linux kernel has been upgraded to version 6.12, which is the LTS version with the longest period of support. This kernel version will continue to be updated to include all required security and major functional fixes. Note that this release supports smooth kernel updates: the previous kernel version is not deleted right away and can be used for boot or in a rollback. See Linux kernel in New Features and Changes for more information.

Architecture

This release supports the following processors for all deliverables: ISO, minirootfs, package repositories, and Docker images.

  • Intel (x86-64-v2)

  • AMD 64-bit (x86-64-v2)

  • AArch64 (ARMv8-A)

Modern CPUs provide extensions that improve performance in the core system libraries. The x86-64-v2 level provides proper support for newer CPU features (CMPXCHG16B, LAHF-SAHF, POPCNT, SSE3, SSE4_1, SSE4_2, SSSE3): vector instructions up to Streaming SIMD Extensions 4.2 (SSE4.2) and Supplemental Streaming SIMD Extensions 3 (SSSE3), the POPCNT instruction (useful for data analysis and bit-fiddling in some data structures), and CMPXCHG16B (a two-word compare-and-swap instruction useful for concurrent algorithms).
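A pre-install check for the x86-64-v2 baseline listed above, as an added example that is not BellSoft tooling: it compares a CPU flag list against the seven features. The /proc/cpuinfo flag names (cx16, lahf_lm, popcnt, pni, sse4_1, sse4_2, ssse3) are the Linux kernel's spellings of those features, and the two sample flag lists are constructed.

```shell
#!/bin/sh
# Added example: check a CPU flag list against the x86-64-v2 features.
# Feature name in the text -> flag name in /proc/cpuinfo:
#   CMPXCHG16B -> cx16     LAHF-SAHF -> lahf_lm   POPCNT -> popcnt
#   SSE3       -> pni      SSE4_1    -> sse4_1    SSE4_2 -> sse4_2
#   SSSE3      -> ssse3
V2_FLAGS="cx16 lahf_lm popcnt pni sse4_1 sse4_2 ssse3"

# missing_v2_flags "<space-separated flags>"
# Prints the required flags that are absent (space separated).
# Prints nothing when the whole baseline is present.
missing_v2_flags() {
    have=" $1 "
    missing=""
    for f in $V2_FLAGS; do
        case "$have" in
            *" $f "*) ;;                              # whole-word match only
            *) missing="${missing:+$missing }$f" ;;
        esac
    done
    printf '%s' "$missing"
}

# host_flags [cpuinfo-path]
# Prints the flag list of the first CPU in a /proc/cpuinfo style file.
host_flags() {
    sed -n 's/^flags[[:space:]]*:[[:space:]]*//p' "${1:-/proc/cpuinfo}" | head -n 1
}

# Constructed samples, not taken from any real machine.
SAMPLE_V2="fpu sse sse2 cx16 lahf_lm popcnt pni sse4_1 sse4_2 ssse3 avx"
SAMPLE_OLD="fpu sse sse2 pni cx16 lahf_lm"

# On an x86-64 Linux host, report the result for the running CPU.
if [ "$(uname -m)" = "x86_64" ] && [ -r /proc/cpuinfo ]; then
    m=$(missing_v2_flags "$(host_flags)")
    if [ -z "$m" ]; then
        echo "x86-64-v2: supported"
    else
        echo "x86-64-v2: missing $m"
    fi
fi
```

The check applies to x86-64 hosts only; AArch64 systems are covered by the ARMv8-A requirement instead.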

2. New Features and Changes

This part lists new features and changes introduced in Alpaquita Linux 25 release.

Linux kernel

The Alpaquita Linux 25 release contains a new kernel build with a configuration optimized for smaller size, better security, and performance:

  • Better latencies and responsiveness

  • Compressed modules to save disk space

  • Dropped some old modules that have improper support or have known CVE defects

The following is a list of the notable kernel changes.

  • The kernel’s Completely Fair Scheduler (CFS) algorithm has been replaced by the Earliest Eligible Virtual Deadline First (EEVDF) task scheduler. EEVDF combines fairness with a deadline-driven design and therefore improves scheduling under mixed workloads, that is, workloads with both CPU-bound and latency-sensitive tasks. It also has more predictable and well-defined scheduling logic.

  • New netkit device for high-performance networking in containers.

  • New device memory TCP (devmem TCP) helps to efficiently transfer a large amount of data from device to device. For example, devmem is used in machine-learning accelerators (transfer from storage into GPU/TPU memory) and distributed raw block storage applications.

  • Notable new syscalls:

    • mseal - helps harden memory regions and limit exploitation

    • cachestat - returns cache state for files, which is useful for cache-aware user-space tools

    • listmount and statmount - provide easier query of mount topology and mount attributes instead of parsing /proc/self/mountinfo

  • Virtual dynamic shared object (vDSO) adds the getrandom function to eliminate syscall overhead.

Security scanning and SBOM

BellSoft has adapted a version of the OSV-scanner that is capable of scanning OS images (for example, containers) for security issues and producing SBOM reports. The implemented version of the scanner fully supports the BellSoft ecosystem, such as Alpaquita Linux and BellSoft Hardened Containers.

MicroVM images

This release includes a pre-built microVM vmlinux and rootfs that are ready to use with FirecrackerVM and QEMU.

Firecracker is an open-source virtualization technology that is specifically designed for creating and managing secure, lightweight virtual machines (microVMs).

Alpaquita Linux is designed to work seamlessly with Firecracker VM:

  • Alpaquita Linux kernel (vmlinux) - pre-built and optimized for Firecracker VM, ensuring compatibility and performance out of the box.

  • Root Filesystem (rootfs) - even though the root filesystem can be easily created using Alpaquita’s base Docker images, we also provide a ready-to-use microVM rootfs for your convenience. This rootfs can be downloaded and customized to meet your specific needs.

For more information, see Alpaquita and FirecrackerVM.

The x86-64 packages build with -fno-plt by default

This change reduces the overhead of function calls to shared libraries by avoiding the Procedure Linkage Table (PLT), resulting in slightly more efficient code, faster start-up, and lower call latency.

Native support of Utmps in Glibc

Utmps is a library that provides an implementation of the utmp/wtmp functions. Musl lacks this functionality, but Glibc provides it out of the box. Therefore, all packages that were previously built with Utmps now use Glibc’s utmp/wtmp implementation. As a result, the following aports are no longer available in Glibc:

  • core/execline

  • core/s6

  • core/skalibs

  • core/utmps

Noticeable package updates

Glibc

The GNU C Library is upgraded to version 2.39.

The list below describes the new tunables and other changes:

  • glibc.cpu.plt_rewrite can be used to enable PLT rewrite on x86-64. When enabled with non-lazy binding, the dynamic linker will rewrite indirect branches in PLT with direct branches.

  • glibc.mem.decorate_maps can be used to add information about the underlying memory allocated by glibc (for instance, a thread stack created by pthread_create or memory allocated by malloc).

  • glibc.pthread.stack_hugetlb can be used to disable Transparent Huge Pages (THP) in stack allocation at pthread_create.

  • Added functions and changes:

    • posix_spawnattr_getcgroup_np and posix_spawnattr_setcgroup_np help you to set the cgroupv2 in the new process in a race-free manner.

    • pidfd_spawn and pidfd_spawnp are similar to posix_spawn, but instead of returning a process ID they return a file descriptor that can be used with other pidfd functions.

    • pidfd_getpid helps to retrieve the process ID associated with the process file descriptor created by pidfd_spawn, fork_np, or pidfd_open.

    • strlcpy and strlcat are derived from OpenBSD and are expected to be added to a future POSIX version.

  • libcrypt has been removed from the GNU C Library. The new libxcrypt package, which is maintained separately, provides binary backward compatibility with the former libcrypt.

For detailed information about changes, see the following:

Musl (musl-default and musl-perf)

The musl-perf package has switched to the high-performance allocator implementation mimalloc v2, replacing the default allocator in musl, known as mallocng. Because mimalloc is integrated into musl-perf, there is no need to install any other mimalloc packages separately when musl-perf is installed.

The musl-perf package is updated with the glibc-2.39 memory function implementations. The new preferences and thresholds can be checked using the ldd --list-diagnostics command on the target machine.

ldd with musl-perf can now detect static-pie binaries to eliminate printing misleading information about required shared objects.

Both packages were upgraded to the musl release 1.2.5 with the following notable changes:

  • The following new functions are added:

    • statx - provides enhanced file statistics, such as a file’s creation time, data version number, and other new attributes, depending on what the underlying file system supports. It also lets you specify which file information is needed via a request mask.

    • preadv2 and pwritev2 - add a fifth argument, flags, which modifies the behavior on a per-call basis.

  • Changes to the printf family of functions have been made for conformance to new standards.

For more information, see musl release announcement.

OpenRC

OpenRC is updated to version 0.62. The following list outlines some notable changes:

  • Added experimental support for user services.

  • The names of cgroups for services started by OpenRC are now prefixed by "openrc." This is done because some services, such as docker, create their own cgroups.

  • rc-status now has an -i/--in-state option to allow filtering of service status to a given state.

For more information, see the upstream changelog.

See also the Setting up OpenRC init system document about OpenRC in Alpaquita.

cgroups v2

Cgroups version 2, or "unified", is now the default cgroup mode in OpenRC (rc_cgroup_mode). The previous default was "hybrid", which combines version 1 and version 2.

Linux-firmware

The linux-firmware package is now compressed with ZSTD. If you run a custom-built Linux kernel, make sure that CONFIG_FW_LOADER_COMPRESS_ZSTD=y is set in your configuration.
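One way to run that check against a custom kernel build, as an added example rather than BellSoft tooling: it reads the option from a kernel config file and compares it with the compressed firmware actually installed. The function names are hypothetical, the config path is whatever your own build produced, and the sample config and firmware file are constructed.

```shell
#!/bin/sh
# Added example. Checks whether a kernel configuration can load the
# zstd-compressed linux-firmware files.

# kconfig_state <config-file> <OPTION>
# Prints the option's value (y, m, ...), or "unset" when the file has
# "# OPTION is not set" or does not mention it. Accepts plain or .gz files.
kconfig_state() {
    case "$1" in
        *.gz) cfg=$(gzip -dc "$1") ;;
        *)    cfg=$(cat "$1") ;;
    esac
    val=$(printf '%s\n' "$cfg" | sed -n "s/^$2=//p" | tail -n 1)
    printf '%s' "${val:-unset}"
}

# count_zst_firmware <firmware-dir>
# Counts entries ending in .zst, the suffix the kernel firmware loader
# looks for when zstd support is built in.
count_zst_firmware() {
    find "$1" -name '*.zst' 2>/dev/null | wc -l | tr -d ' '
}

# fw_zstd_check <config-file> <firmware-dir>
#   ok       the option is =y
#   at-risk  the option is not =y, but compressed firmware is installed
#   n/a      the option is not =y and no compressed firmware was found
fw_zstd_check() {
    state=$(kconfig_state "$1" CONFIG_FW_LOADER_COMPRESS_ZSTD)
    count=$(count_zst_firmware "$2")
    if [ "$state" = y ]; then
        echo ok
    elif [ "$count" -gt 0 ]; then
        echo at-risk
    else
        echo n/a
    fi
}

# Constructed demonstration: a config fragment without the option and a
# firmware directory holding one (empty) compressed file.
demo_constructed() {
    tmp=$(mktemp -d)
    printf '%s\n' 'CONFIG_FW_LOADER=y' \
        '# CONFIG_FW_LOADER_COMPRESS_ZSTD is not set' > "$tmp/config"
    mkdir -p "$tmp/firmware/vendor"
    : > "$tmp/firmware/vendor/sample.bin.zst"
    fw_zstd_check "$tmp/config" "$tmp/firmware"
    rm -rf "$tmp"
}

# Real use: fw_zstd_check /path/to/kernel-build/.config /lib/firmware
```

An "at-risk" result means devices that need firmware from those files will fail to initialize under that kernel until the option is enabled and the kernel rebuilt.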

Other notable package updates

  • Binutils 2.45

    Binutils packages are also available for cross targets now:

    • binutils-aarch64

    • binutils-x86_64

    Note that the gold linker is considered deprecated since version 2.44 and will be removed in the future (see this announcement for details).

  • Busybox 1.37.0

    On Glibc, Busybox now uses utmp/wtmp implementation provided by Glibc itself, instead of the external Utmps library. See Native support of Utmps in Glibc in New Features and Changes.

    Other notable changes:

    • Added support for the find -ok option that prompts before executing.

    • seq can accept negative parameters now.

    • NTP client and server are Y2036/2038-ready.

    • Implemented ls -sh to print human-readable allocated blocks.

    • Added support for the sort -h option to compare human-readable numbers (such as 2K, 1G).

  • Cloud-init 24.3

    Notable changes:

    • Added support for a cloud-init "degraded" state, improving status reporting.

    • Improved logging by standardizing output to stderr.

    • Added support for busybox micro DHCP client (udhcpc).

    • Added support for Busybox adduser/addgroup.

    • Added support for FTP and FTP over TLS.

  • Docker 28.3

    Notable changes:

    • BuildKit became the default builder, offering performance and feature enhancements, such as improved caching and better handling of unused build arguments.

    • Added port publishing improvements making containers more secure.

    • Added support for recursively read-only mounts.

    • Added Subpath field to the VolumeOptions making it possible to mount a subpath of a volume.

    • ip6tables is no longer experimental.

  • Dotnet 8.0.21

    .NET runtime version 8 LTS, available in Alpaquita Linux, contains both the runtime and the SDK for developing and running modern .NET and ASP.NET applications.

  • Dracut 107

    This release is based on the new community-maintained fork, dracut-ng. The original dracut project is now abandoned, with the last tag "059".

    The new release has a decent amount of bug fixes, better compatibility and support for the recent kernels, its modules, and firmware.

  • GCC 14.3

    Notable changes:

    • Better device offload support for OpenMP and OpenACC

    • Link-time optimization (LTO) improvements

    • New option -fhardened that enables a set of standard hardening flags. You can see the options it enables via gcc --help=hardened command.

    • Support for many new CPU targets and ISA extensions:

      • AArch64 - new CPUs are supported: Ampere-1{A,B}, Cortex-A{520, 715, 720}, Cortex-X{1C,3,4}, Cobalt-100 and Neoverse V2.

      • x86-64 - includes support for AVX10.1 intrinsics and support for new AMD (Zen 4 & 5) and Intel (Clearwater Forest, Panther Lake, etc.) CPU microarchitectures.

    • Adds more of the C23 standard and new command-line options, such as -std=c23, -std=gnu23

    • Experimental but mature support for C++23 and even some upcoming C++26 features

    • GCC can now emit diagnostics in SARIF (a structured JSON format useful for static-analysis tools)

    • Improved and expanded static-analysis warnings

      Note that GCC still uses the x86-64-v2 microarchitecture as the default setting to ensure compatibility with older hardware.

  • Libvirt 11.3

    Notable changes since Alpaquita Linux 23-lts:

    • qemu - Implement external snapshot deletion and reverting.

    • qemu - Support for passing FDs instead of opening files for <disk>.

    • qemu - Change default machine type for ARM and RISC-V to virt.

    • qemu - Introduce support for igb network interface model.

    • qemu - Basic support for use of "VFIO variant" drivers.

    • network/qemu/lxc - Support vlans on standard Linux host bridges.

    • Adapt to musl-1.2.4 where LFS64 symbol aliases were removed.

    • Switch from YAJL to json-c for JSON parsing and formatting.

  • LLVM 20 (default), 19

    In Alpaquita Linux 25-lts, two LLVM versions are available: 20 (default) and 19. Also, LLVM is now built with LLVM_USE_PERF=ON, which enables Perf (Linux profiling tool) JIT support.

  • MariaDB 11

    The flagship feature of MariaDB 11 is the new optimizer cost model, which is able to more accurately predict the actual cost of each query execution plan.

  • Nginx 1.28

    This update brings memory usage and CPU usage optimizations in complex SSL configurations, automatic re‑resolution of hostnames in upstream groups, performance enhancements in QUIC, OCSP validation of client SSL certificates, and more.

    For a list of changes, see the release notices for Nginx 1.24, 1.26, and 1.28.

  • Node.js 22

    Notable changes:

    • V8 is updated to version 12.4, which includes new features like WebAssembly Garbage Collection, Array.fromAsync, Set methods and iterator helpers.

    • V8’s Maglev Compiler is now enabled by default. Maglev improves performance for short-lived CLI programs.

    • The default High Water Mark for streams was increased from 16KiB to 64KiB. This provides a performance boost across the board at the cost of slightly higher memory usage.

    • Added a built-in WebSocket client.

    For a list of changes, see the release announcements for Node.js 19, 20, 21, 22.

  • Perl 5.40

    Notable changes:

    • Unicode 15.0 is supported.

    • Added a new experimental class feature for defining object classes.

    • The regex quantifiers limit is increased to I32_MAX.

    • The try/catch feature is no longer experimental.

    For a list of changes, see the upstream changelogs for Perl 5.38 and 5.40.

  • PHP 8.3

    Notable changes:

    • Readonly classes.

    • It is now possible to use null, true and false as stand-alone types.

    • Locale-independent case conversion.

    • Support for constants in traits.

    • Typed class constants.

    • Dynamic class constant fetch.

    • A new #[\Override] attribute to ensure that a method with the same name exists in a parent class.

    For a list of changes, see the release announcements for PHP 8.2, 8.3.

  • PostgreSQL 17

    Notable changes:

    • Performance improvements of existing functionality through new query planner optimizations like parallelizing FULL and RIGHT joins.

    • More syntax was added from the SQL/JSON standard, including constructors and predicates such as JSON_ARRAY(), JSON_ARRAYAGG(), and IS JSON.

    • A new internal memory structure for the vacuum process that consumes up to 20x less memory and also improves performance.

    • Logical replication enhancements for high availability and upgrades.

    For a list of changes, see the release announcements for PostgreSQL 16, 17.

  • Python 3.12

    Notable changes:

    • More flexible f-string parsing.

    • Support for the buffer protocol in Python code.

    • A new debugging/profiling API.

    • Support for isolated sub-interpreters with separate Global Interpreter Locks.

    • Support for the Linux perf profiler to report Python function names in traces.

    • Many large and small performance improvements, delivering an estimated 5% overall performance improvement.

    For more information, see the release announcement.

  • QEMU 10.0

    Notable changes:

    • block - virtio-scsi multiqueue support for using different I/O threads to process requests for each queue

    • VFIO - improved support for IGD passthrough on all Intel Gen 11/12 devices

    • ARM - emulation support for Secure EL2 physical and virtual timers

    • x86 - CPU model support for Clearwater Forest and Sierra Forest v2

    • x86 - faster emulation of string instructions

    For more information, see this announcement.

  • Redis 8.0

    Notable changes:

    • Redis Query Engine is now an integral part of Redis 8.

    • A new I/O threading implementation, which enables throughput increase on multicore environments.

    • An improved replication mechanism that is more performant and robust.

    • New hash commands: HGETDEL, HGETEX, and HSETEX.

    For more information, see Redis 8 release notes.

  • Ruby 3.4

    Notable changes:

    • YJIT (JIT compiler) is no longer experimental.

    • WASI based WebAssembly support.

    • Regexp improvements against regular expression DoS.

    • Introduction of the Prism parser.

    • Memory usage improvements.

    • Introduction of it to reference a block parameter with no variable name.

    For a list of changes, see the release announcements for Ruby 3.2, 3.3, 3.4.

  • Rust 1.87

    Notable changes:

    • The rust-stdlib package is now part of the rust package

    • Rust source code is now in a new separate package rust-src.

    • The rust-analysis package was removed (this component has not been available since version 1.69).

    • Add support for UEFI targets.

    See also the upstream changelog.

Overview of changed aports

| Aport | 23-lts | 25-lts |
|---|---|---|
| core/openjdk8 | yes | yes |
| core/openjdk11 | yes | yes |
| core/openjdk11-container-jre | yes | yes |
| core/openjdk11-jvmci | yes | no |
| core/openjdk11-lite | yes | yes |
| core/openjdk17 | yes | yes |
| core/openjdk17-container-jre | yes | yes |
| core/openjdk17-crac | yes | yes |
| core/openjdk17-lite | yes | yes |
| core/openjdk21 | yes | yes |
| core/openjdk21-container-jre | yes | yes |
| core/openjdk21-crac | yes | yes |
| core/openjdk21-lite | yes | yes |
| core/openjdk22 | yes | no |
| core/openjdk22-container-jre | yes | no |
| core/openjdk22-lite | yes | no |
| core/openjdk23 | yes | no |
| core/openjdk23-container-jre | yes | no |
| core/openjdk23-lite | yes | no |
| core/openjdk24 | yes | yes |
| core/openjdk24-container-jre | yes | yes |
| core/openjdk24-lite | yes | yes |
| core/openjdk25 | yes | yes |
| core/openjdk25-container-jre | yes | yes |
| core/openjdk25-lite | yes | yes |
| core/openjdk-nik-23-17 | yes | yes |
| core/openjdk-nik-23-21 | yes | yes |
| core/openjdk-nik-24-22 | yes | no |
| core/openjdk-nik-24-23 | yes | no |
| core/openjdk-nik-24-24 | yes | yes |
| core/openjdk-nik-25-25 | yes | yes |

Added aports

| Aport | Notes |
|---|---|
| core/bsd-compat-headers | Part of the removed core/libc-dev. |
| core/isl26 | |
| core/libpsl | Required for PSL support in core/curl. |
| core/libxcrypt | Provides crypt lib removed in glibc-2.39. |
| core/musl-legacy-error | |
| universe/ada | |
| universe/azure-agent | |
| universe/babeltrace | |
| universe/base64 | |
| universe/bats-core | |
| universe/boost1.84 | |
| universe/cargo-auditable | |
| universe/cbindgen | |
| universe/clang19 | |
| universe/clang20 | |
| universe/cxxopts | |
| universe/debian-devscripts | Provides useful checkbashisms and hardening-check utilities. |
| universe/docker-cli-buildx | |
| universe/doctest | |
| universe/dotnet8-runtime | |
| universe/dotnet8-sdk | |
| universe/dotnet8-stage0 | |
| universe/fast_float | |
| universe/font-terminus | |
| universe/font-unifont | |
| universe/gn | |
| universe/google-guest-agent | |
| universe/libclc | |
| universe/libdecor | |
| universe/libexif | |
| universe/libgdiplus | |
| universe/libgit2 | |
| universe/libtraceevent | |
| universe/lld19 | |
| universe/lld20 | |
| universe/llhttp | |
| universe/llvm-runtimes | |
| universe/llvm19 | |
| universe/llvm20 | |
| universe/log_proxy | |
| universe/lttng-tools | |
| universe/lttng-ust | |
| universe/maturin | |
| universe/mono | |
| universe/nftables | |
| universe/nihtest | |
| universe/pam-rundir | May be required by core/openrc. |
| universe/parallel | |
| universe/patchelf | |
| universe/perl-class-inspector | |
| universe/perl-cpan-requirements-dynamic | |
| universe/perl-extutils-cchecker | |
| universe/perl-extutils-hascompiler | |
| universe/perl-file-sharedir | |
| universe/perl-file-sharedir-install | |
| universe/perl-file-which | |
| universe/perl-http-cookiejar | |
| universe/perl-inc-latest | |
| universe/perl-ipc-run3 | |
| universe/perl-syntax-keyword-try | |
| universe/perl-test-deep | |
| universe/perl-test-simple | |
| universe/perl-xs-parse-keyword | |
| universe/php83 | |
| universe/postgresql17 | |
| universe/procps-ng | |
| universe/py3-astor | |
| universe/py3-async_generator | |
| universe/py3-cachetools | |
| universe/py3-calver | |
| universe/py3-chardet | |
| universe/py3-curio | |
| universe/py3-dependency-groups | |
| universe/py3-fastjsonschema | |
| universe/py3-flaky | |
| universe/py3-hatch-fancy-pypi-readme | |
| universe/py3-invoke | |
| universe/py3-jsonschema-specifications | |
| universe/py3-jwt | |
| universe/py3-openssl | |
| universe/py3-outcome | |
| universe/py3-passlib | |
| universe/py3-pybind11 | |
| universe/py3-pyproject-api | |
| universe/py3-pyproject-hooks | |
| universe/py3-pytest-env | |
| universe/py3-pytest-httpserver | |
| universe/py3-pytest-rerunfailures | |
| universe/py3-pytest-tornasync | |
| universe/py3-python-versioneer | |
| universe/py3-pyzmq | |
| universe/py3-referencing | |
| universe/py3-roman-numerals | |
| universe/py3-rpds-py | |
| universe/py3-scripttest | |
| universe/py3-scrypt | |
| universe/py3-sniffio | |
| universe/py3-sphinx-issues | |
| universe/py3-sphinxcontrib-jquery | |
| universe/py3-syrupy | |
| universe/py3-time-machine | |
| universe/py3-tornado | |
| universe/py3-trio | |
| universe/py3-trove-classifiers | |
| universe/py3-trustme | |
| universe/rdfind | |
| universe/rootlesskit | |
| universe/ruby-base64 | |
| universe/ruby-bigdecimal | |
| universe/ruby-debug | |
| universe/ruby-kramdown-parser-gfm | |
| universe/ruby-matrix | |
| universe/ruby-net-ftp | |
| universe/ruby-net-imap | |
| universe/ruby-net-pop | |
| universe/ruby-net-smtp | |
| universe/ruby-prime | |
| universe/ruby-racc | |
| universe/ruby-rake-compiler | |
| universe/ruby-rbs | |
| universe/ruby-rr | |
| universe/ruby-rss | |
| universe/ruby-test-unit-rr | |
| universe/ruby-test-unit-ruby-core | |
| universe/ruby-typeprof | |
| universe/rust-bindgen | |
| universe/sanlock | |
| universe/scudo-malloc | |
| universe/simdjson | |
| universe/simdutf | |
| universe/spirv-llvm-translator | |
| universe/webrtc-audio-processing-1 | |
| universe/webrtc-audio-processing-2 | |
| universe/wireplumber | |

Replaced, renamed, merged, or split aports

| Original aport(s) | New aport(s) | Notes |
|---|---|---|
| core/fuse | core/fuse3 | All aports that depended on core/fuse use core/fuse3 now so core/fuse was removed. |
| core/ifupdown | core/ifupdown-ng | core/ifupdown is considered unmaintained. |
| core/libc-dev | core/glibc, core/bsd-compat-headers, core/musl-default, core/musl-perf | core/libc-dev was a meta package that pulls in a correct libc dev and utils packages, but now they are directly provided by glibc and musl aports. core/bsd-compat-headers was part of core/libc-dev and provides header files that are not included in musl, but there are aports that require them. |
| universe/bats | universe/bats-core | Renamed. |
| universe/boost1.80 | universe/boost1.84 | |
| universe/clang15 | universe/clang19, universe/clang20 | |
| universe/libxfont | universe/libxfont2 | |
| universe/llvm15 | universe/llvm19, universe/llvm20 | |
| universe/php81 | universe/php83 | |
| universe/pipewire-media-session | universe/wireplumber | |
| universe/postgresql15 | universe/postgresql17 | |
| universe/procps | universe/procps-ng | |
| universe/py3-pep517 | universe/py3-pyproject-hooks | |
| universe/terminus-font | universe/font-terminus | Renamed. |
| universe/unifont | universe/font-unifont | Renamed. |
| universe/webrtc-audio-processing | universe/webrtc-audio-processing-1, universe/webrtc-audio-processing-2 | |

Aports moved to a different repository

| Original aport | Current aport |
|---|---|
| universe/sudo | core/sudo |

Removed aports

| Aport | Notes |
|---|---|
| universe/font-bitstream-speedo | This font is retired by xorg (see DeprecatedInX11R7). |
| universe/libpthread-stubs | Available in both musl and glibc out of the box. |
| universe/libutempter | It was only added as a dependency for universe/screen but now universe/screen is built without libutempter support. |
| universe/makedepend | It was only added as a dependency and is not required by any aport now. |
| universe/perl-io-captureoutput | It was only added as a dependency and is not required by any aport now. |
| universe/py3-setuptools-stage0 | universe/py3-setuptools can be bootstrapped without stage0 now. |
| universe/talloc | It was only added as a dependency and is not required by any aport now. |
| universe/ucl | It was only added as a dependency and is not required by any aport now. |

3. Known Issues

No known issues are reported for this release.

Report issues to [email protected].

4. Security Bug Fixes

This release includes a number of bug and security fixes.

5. Installation Process

Alpaquita installation procedures are described in the Alpaquita Linux Installation Guide. The typical process for installing from the ISO image requires access to a command line interpreter and consists of several steps.
