RISC-V (ongoing)
 
	New ISA defined since 2010
		arch is open, but implementations may be proprietary and include vendor extensions
		scalable from 32-bit microcontrollers

security hardening
	- struct timer_list: used to track timeouts and delayed work
		used to have a function pointer and an argument for the function (unsigned long)
		now the function is always called with a pointer to the structure, no separate argument anymore

	- Usercopy: copying data between user and kernel memory
		prevents copies from overflowing the stack or heap by boundary checks
		didn't catch overflows within the same memory area, so a bug could still lead to overwriting other parts of a structure
 
speculation leak mitigation

	speculative execution allows CPUs to avoid waiting for slow operations like memory reads by predicting the result

	results of speculation are buffered until the prediction is checked, and discarded if it was wrong, but the speculated work still leaves traces in caches that malicious code can observe

	Spectre v1 (CVE-2017-5753): bounds check bypass
		mitigated by masking the value after bounds checks

	Spectre v2 (CVE-2017-5715): branch target injection
		mitigated on x86, PowerPC and System Z by disabling or defeating indirect branch prediction in the kernel; additionally mitigated on x86 using new microcode features

	Meltdown (CVE-2017-5754): rogue data cache load
		mitigated by Page Table Isolation or cache flush

	Spectre-NG v4 (CVE-2018-3639): speculative store bypass
		mitigated by same software changes

	CVE-2018-3665: floating-point/vector register leak
		Only Intel x86 is affected, and only if using lazy FPU
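
Added example (not part of the original notes): the Spectre v1 mitigation listed above, masking the value after the bounds check, as a user-space C sketch. The mask arithmetic follows the Linux kernel's generic array_index_mask_nospec(); table, TABLE_LEN, index_mask_nospec() and table_read() are hypothetical names, and the code assumes GCC or Clang (empty inline asm, arithmetic right shift).

```c
#include <stdio.h>

#define BITS_PER_LONG (sizeof(long) * 8)
#define TABLE_LEN 8UL

/* Constructed sample data (hypothetical table, not from the notes). */
static const unsigned char table[TABLE_LEN] = { 11, 22, 33, 44, 55, 66, 77, 88 };

/*
 * Branch-free mask: all ones when index < size, zero otherwise.
 * Same arithmetic as the kernel's generic array_index_mask_nospec().
 * Assumes size <= LONG_MAX and an arithmetic right shift of negative
 * longs (true for GCC and Clang).
 */
static unsigned long index_mask_nospec(unsigned long index, unsigned long size)
{
	/* Hide index from the optimizer so the mask is always computed,
	 * even after a bounds check that "proves" it unnecessary. */
	__asm__ volatile("" : "+r"(index));
	return (unsigned long)(~(long)(index | (size - 1UL - index))
			       >> (BITS_PER_LONG - 1));
}

/* Returns table[index], or -1 when index is out of range. */
static int table_read(unsigned long index)
{
	if (index >= TABLE_LEN)
		return -1;
	/*
	 * Architecturally a no-op on this path. If the CPU mispredicted the
	 * branch above and runs this speculatively with a bad index, the
	 * mask is zero and the load is clamped to table[0], so no
	 * out-of-bounds data reaches the cache.
	 */
	index &= index_mask_nospec(index, TABLE_LEN);
	return table[index];
}

int main(void)
{
	unsigned long probes[] = { 0, 7, 8, ~0UL };

	for (size_t i = 0; i < sizeof(probes) / sizeof(probes[0]); i++)
		printf("index %lu: mask %#lx, read %d\n", probes[i],
		       index_mask_nospec(probes[i], TABLE_LEN),
		       table_read(probes[i]));
	return 0;
}
```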

Y2038 [4.18-ongoing]
	Kernel internal interfaces updated to use 64-bit time types in all configurations

	32-bit kernel configurations can now include 64-bit versions of most time-related system calls

	Not yet enabled by any arch

	glibc doesn't support both 32-bit and 64-bit time_t at the same time, and review of the necessary changes is going slowly

	will miss Debian Buster, but probably be ready for Bookworm

	could dpkg-buildflags enable LFS and 64-bit time by default (maybe)

FUSE in user namespaces [4.18]

	- any user can create a user namespace (userns) and be the root user in their own little world
		Disabled in Debian by default

	- most Linux fs are not robust enough against maliciously constructed disk images

	- mount(2) is restricted, so you can't use this to attack fs code

	- FUSE (filesystem in user-space) moves the security problem out of the kernel

	- FUSE now considered robust enough to be mounted in any userns

SATA Link Power Management [4.15]
	- LPM can switch into lower power modes when idle

	- Aggressive LPM gives high power savings, but risks data loss due to hardware bugs -- so not enabled in Linux

	- Linux can now set LPM settings similar to Windows on Intel-based laptops -- save more power and might be well-tested(?)

Packaging Changes
	- Template source package for code signing

	- More flexible selection for bin packages, to support derivatives and backports that don't need them all

	- Kernel config files moved into new bin packages (linux-config-version)

	- Removed remaining dependencies on python2

	- Preparation remaining for armhf and arm64 packages with PREEMPT_RT

	- Moved all repos to Salsa -- merge requests welcome!