openSUSE
openSUSE is an open, free and secure operating system for PC, laptops, servers and ARM devices. Managing your emails, browsing the web, watching online streams, playing games, serving websites or doing office work never felt this empowering. And best part? It's not only backed by one of the leaders in open source industry, but also driven by lively community.
So I was using Tumbleweed on my old laptop but I got kind of sick of all the updates; I felt like that icon showing I had updates available just had a permanent space on my screen. Every time I refreshed I had at least 200mb of updates to do. So when I got my new laptop I went with Leap instead.
But what’s the actual difference? So the OS only gets updated once a year or so does it? Are smaller releases more forthcoming? What if there’s other packages that get updated? Do I have to wait a year to get the latest version or are they updated more regularly? I’m wondering if I should look at Slowroll as I don’t want to be waiting a year for new features.
Am on the hunt for an offline screenshot tool with annotation capabilities because my usual options are failing me. Am on Tumbleweed with Gnome. Here’s what I’ve tried so far, and the issues I’ve run into:
- Flameshot: Used to be my go-to, but sadly, it’s not working anymore.
- Spectacle: Doesn’t launch at all.
- Ksnip: Gives me a black screen while taking a screenshot.
- Pensela (AppImage): Crashes on launch.
- Shots: Refuses to launch.
- Bonus: Annotely is web-based and works ✅
At this point, I’m out of breath trying to find something functional. I need something that allows for quick annotations (arrows, text, highlights, etc.) and is lightweight and reliable (Arrows with GIMP... 😮💨).
Anyone got recommendations or solutions?
Edit: using Wayland
It's a fresh install of 15.6 Leap that I downloaded and installed last night. Device is a 1st generation Surface Go. I just can't seem to get the onscreen keyboard to stay up when I swipe it up from the bottom.
Also, the keyboard does not appear when I click a text input box.
I thought maybe the long click of swiping up was triggering a right-click, but the problem persists when I disable the long-click option in settings.
I'm stumped. Everything else is working great. I really like that long-click right-click is working, and this is the first Gnome distro I've tried where Firefox touch-scroll works out of the box. And, in general, the system seems faster than other gnome distros I've tried. (The device isn't exactly a powerhouse.)
Thank you in advance for any replies.
This might be a stupid question, but how stable is Leap's 16.0 pre-alpha? I want to put something non-rolling on my laptop w/ Plasma 6 and I use openSUSE Slowroll on my desktop machine. So staying in that openSUSE family tree would be a bit ideal. So I'm thinking about Leap's 16.0 pre-alpha, but don't have any experience with how "alpha" it is likely to be. #linux #opensuse
The openSUSE Board is calling for the formation of a working group to explore topics focused on project governance, operational models and rebranding for the project.
This follows a call on the openSUSE Project mailing list to formalize efforts, ideas and suggestions by community members in a centralized location.
GRUB2 with BLS is now in MicroOS and Tumbleweed
Recently the openSUSE project released for MicroOS and Tumbleweed a new version of the GRUB2 package, with a new subpackage grub2-$ARCH-efi-bls. This subpackage delivers a new EFI file, grubbls.efi, that can be used as a replacement for the traditional grub.efi.
The new PE binary is a version of GRUB2 that includes a set of patches from Fedora, which make the bootloader follow the Boot Loader Specification (BLS). This lets GRUB2 understand the boot entries in /boot/efi/entries and dynamically generate the boot menu shown at boot time.
This is really important for full disk encryption (FDE) because it means that we can now re-use all the architecture and tools designed for systemd-boot. For example, installing or updating the bootloader can now be done with sdbootutil install, the suse-module-tools scriptlets will create new BLS entries when a new kernel is installed, and the tukit and snapper plugins will take care of doing the right thing when snapshots are created or removed.
Reusing all those tools without modification was a significant win, but even better, many of the quirks that classical GRUB2 had when extending the event log are no longer present. Before this package, sdbootutil needed to take ownership of the grub.conf file, because GRUB2 measures that file line by line as it executes it. That is right: for each line that the GRUB2 parser reads and executes, a new PCR#8 extension takes place, and because GRUB2 supports conditionals and other complex constructs, it is very hard to predict the final value of PCR#8 without imposing a very minimal and strict grub.conf.
However, with the new BLS subpackage, this file, along with the fonts and graphical assets for the theme and the necessary modules (such as bli.mod), is now included in the internal squashfs within the EFI binary. GRUB2 no longer measures those internal files, and this does not compromise the security guarantees, because it is now the firmware that measures the entire EFI binary when the bootloader is executed during the boot process.
As of today, we cannot use YaST2 to install GRUB2 with BLS, but we can do it manually very easily. We need to make a systemd-boot installation, change LOADER_TYPE from systemd-boot to grub2-bls, install the new GRUB2 BLS package, and run sdbootutil install. Another option is to play with one of the available images for MicroOS or Tumbleweed.
Have a lot of fun!
Hello everyone!
I'd like to announce the start of development and the public availability of what we currently refer to as Leap 16.0 pre-Alpha. Since this is a pre-Alpha version, significant changes may occur, and the final product may look very different in the Alpha, Beta, Release Candidate, or General Availability stages.
Users can get our new Agama install images from get.opensuse.org/leap/16.0. The installer will currently offer you Base, GNOME, and KDE installation.
Leap 16.0 is a traditional distribution and a successor to Leap 15.6 with expected General Availability arriving in the Fall of 2025.
We intend to provide users with sufficient overlap so that 15.6 users can have a smooth migration, just like they're used to from previous releases.
Further details are available on our roadmap. The roadmap is subject to change since we have to respond to any SUSE Linux Enterprise Server 16 schedule changes.
Users can expect a traditional distribution in a brand new form based on binaries from the latest SLES 16 and community packages from our Factory development codebase.
There is no plan to make a Leap 15.7; however, we still need to deliver previously released community packages from Leap 15 via Package HUB for the upcoming SLES 15 SP7. This is why there is an openSUSE:Backports:SLE-15-SP7 project and 15.7 repos in OBS.
The target audience for pre-Alpha are early adopters and contributors who would like to actively be part of this large effort. Adopters should consider booting Agama Media from time to time just to check compatibility with their hardware.
For non-contributor users, I highly recommend waiting until we have a Beta, which is expected in the late Spring of 2025.
Specifically for Agama I highly recommend using github.com/agama-project and collaborating with the YaST team on suggestions and incorporating any changes.
For the rest of the components, the workflow isn't changing; just select version 16.0 for bug submissions.
Feature requests will be reviewed every Monday at a feature review meeting where we'll convert code-o-o requests into JIRA requests used by SUSE Engineering where applicable.
The factory-auto bot will reject all code submit requests against SLES packages with a pointer to code-o-o.
You can get a list of all SLFO/SLES packages simply by running osc ls SUSE:SLFO:1.1:Build.
Just for clarification SLFO, SUSE Linux Framework One, is the source pool for SLES 16 and SL Micro 6.X.
I highly recommend using code-o-o to co-ordinate larger community efforts such as Xfce enablement, where we will likely need to update some of the SLES dependencies. This allows us to share the larger story and better reasoning for related SLES update requests. The list of features is also extremely valuable for the release article.
For quality control, we have basic test suites based on Agama installations in Leap 16.0 job group. Later, we plan to rework the existing Leap 16.0 Images job group for testing the remaining appliance images.
The project where we maintain community packages is subject to change as we have not fully finalized yet how to make Package HUB; we may use a similar structure with Backports as in 15.3+.
Further test suite enablement is one of the areas where we currently need the most help. Related progress.opensuse.org trackers: poo#164141 (Leap 16.0 enablement) and poo#166562 (upgrade from 15.6).
Another area where you can help is new package submissions and related maintainer review of package submissions to Leap 16.0. These reviews make sense as we'd like to check with maintainers whether that software in a given version makes sense for inclusion into Leap 16.0, rather than blindly copying all packages over.
Do you want to help us on this front? Spread the news and feel free to join the #openSUSE_Marketing Telegram channel(https://t.me/openSUSE_Marketing)! https://en.opensuse.org/openSUSE:Marketing_team
Many thanks to all who helped us to reach this point.
Lubos Kocman on behalf of the openSUSE Release team
hey people on the internet, I updated my tumbleweed to 20241002 and since then, the system would randomly freeze and crash, and automatically reboot after a short while. It also happens when waking from suspend. Does this happen to anyone else?
Welcome to the monthly update for Tumbleweed for September 2024! This month, the rolling-release model has kept pace with numerous important updates and bug fixes. PostgreSQL received a major update moving to 17 and text shaping engine harfbuzz had a major update to version 10. Packages like systemd, git, bash and qemu were also updated this month in the rolling release. Various packages saw CVE fixes and desktop components for GNOME and KDE were also updated. As always, remember to roll back using snapper if any issues arise.
Happy updating and tumble on!
Should readers desire more frequent information about snapshot updates, they are encouraged to subscribe to the openSUSE Factory mailing list.
New Features and Enhancements
- Linux Kernel 6.11.0: The latest update brings reversion of the PCI ACS configurability extension to address an issue bsc#1229019. Key updates in the release include a fix to the block subsystem, resolving how the scheduler is handled in elv_iosched_local_module. A correction was made in the AMD GPU display driver to address a mistake from a previous revert related to bsc#1228093. Updates also include refreshed ALSA patches to enhance power management blacklist options. The improvements are expected to provide greater stability and performance for various hardware configurations.
- postgresql17: This major release provides key improvements like a revamped memory management system for vacuum, boosting efficiency by reducing memory usage by up to 20x along with optimized processing for high concurrency workloads. Version 17 also enhances query execution with faster processing using B-tree indexes and parallel BRIN index builds. Developers benefit from the addition of the SQL/JSON JSON_TABLE command and expanded MERGE capabilities, as well as a 2x speed improvement in data exports with the COPY command. Logical replication now simplifies major version upgrades by eliminating the need to drop replication slots, improving ease of use in high availability setups. The software package further enhances database security and operational management, with new TLS options, incremental backups, and detailed monitoring tools.
- harfbuzz 10.0.1: Significant fixes were made for the text shaping engine including support for Unicode 16.0.0. The version has a new Application Programming Interface that allows clients to customize glyphs when a Unicode Variation Selector isn't supported by the font, as well as a callback for getting table tags from hb_face_t. Updates also address pair positioning lookup subtable application for compatibility and ensure subsetting fails if no glyphs are present to prevent silent errors.
- GNOME 46.5: gnome-shell now addresses issues with smartcard logins, fixes glitches when quick settings menu animations are interrupted, and resolves problems with new Wi-Fi connections for restricted users. It also ensures required animations remain enabled, fixes display of pending PAM messages on the login screen and plugs memory leaks. An update of gnome-software reduces power usage when the main window is closed, along with translation updates.
- KDE Plasma 6.1.5: In Discover, snapType mapping is corrected, and Flatpak now properly reports extensions without errors. KWin addresses several crash scenarios, such as null dereference and input event handling from removed devices. Plasma Desktop includes fixes for keyboard navigation in Kickoff, task list alignment in RTL mode and it has proper handling of background icons and test windows. Plasma Workspace enhances touchscreen interaction, system tray tooltips and clipboard functionality. Additional fixes included targeted crashes in hotplugging and svg rendering, while SDDM KCM improves state management.
- Frameworks 6.6.0: Attica adds CI jobs for Alpine/musl, while Baloo sets up crash handling for baloo_file. New icons are introduced in Breeze. KCoreAddons improves dbus error handling and licensing, and KDeclarative adjusts rendering for better DPI positioning. KIO resolves issues with restoring trash entries and enhances service menu handling. KTextEditor receives performance optimizations and additional C++ porting for sorting and unique functionalities. Kirigami continues to improve icon handling and toolbars, while KNewStuff and KWallet focus on making shared actions more reliable and enhancing crash handling.
- KDE Gear 24.08.1: Akademy 2024 Videos are out, but a lot of efforts went into last month’s conference. Akonadi resolves a crash related to query cache eviction and fixes configuration file handling. Dolphin improves usability with fixes for button functionality and file list resizing, while Elisa enhances its Now Playing view and toolbar layout. Itinerary and Kalarm both receive updates for better dark mode handling and audio alarm functionality. Kdenlive addresses multiple timeline and rendering issues, optimized keyframe handling and fixes several bugs related to effects and transitions. Kate adds support for the Odin language in its formatter and Okular now sets tooltips for forms.
Key Package Updates
- git 2.46.1: A clarification has been made to git checkout --ours to inform users they need to specify paths, avoiding confusion. An issue with git add -p failing for users with diff.suppressBlankEmpty was corrected. Additionally, git notes add -m '' --allow-empty no longer improperly invokes an editor, and unnecessary re-encoding operations for tracing have been removed.
- qemu 9.1.0: The update introduces new migration capabilities, such as compression offload support via Intel In-Memory Analytics Accelerator (IAA) or User Space Accelerator Development Kit (UADK) and improved postcopy failure recovery. RISC-V architecture also sees support for several extensions, while x86 adds KVM support for AMD SEV-SNP guests and emulation for newer Intel CPU models like Ice Lake and Sapphire Rapids.
- systemd 256.6: This version no longer attempts to restart udev socket units, addressing issue bsc#1228809 where safely restarting socket-activated services and their socket units simultaneously was problematic.
- pipewire 1.2.4: The update addresses a crash during the cleanup of globals and enhances the RequestProcess dispatch mechanism. The Simple Plugin API framework now uses systemd-logind to detect new devices. Pulse-Code Modulation device handling is also improved.
- GStreamer 1.24.8: The multimedia framework package improves handling in decodebin3 and encodebin for better media decoding and smart rendering, respectively. Enhancements for proper viewport resizing when video size changes were made and audio stream enhancements were made for better compatibility with Firefox. There were some stability fixes for Wayland including crash prevention and Application Binary Interface corrections.
- Mesa 24.1.7: This release continues to support OpenGL 4.6 and Vulkan 1.3, though the version reported depends on the specific driver used. Key bug fixes include resolving issues with smartcard logins, race conditions when generating enums, and artifacts in games such as Black Myth Wukong and DCS World with certain GPUs.
- GTK4 4.16.1: This GTK Scene Graph Kit layer sees speed optimizations for Vulkan operations, reduces startup time by skipping unnecessary GL and Vulkan initialization and fixes a crash related to certain Vulkan drivers. Memory format conversions in GIMP Drawing Kit are now faster. The builder-tool has also been improved for better box conversion.
- bash 5.2.37: This update has key patches to address issues such as an incorrect handling of quoted text during auto-completion and multibyte character handling in readline. The update resolves system compatibility with select and pselect availability and fixes a parsing issue in compound assignments during alias expansion. A typo in the autoconf test affecting strtold availability when compiled with GNU Compiler Collection 14 was corrected.
- vim 9.1.0718: One notable fix in the text editor resolves issues with personal Vim runtime directory recognition. The update also addresses unnecessary NULL checks in parse_command_modifiers() and corrects color name parsing errors introduced in a previous version. Other improvements include updates to syntax highlighting for various file types such as HCL, Terraform, and tmux. Performance improvements were also made, including more efficient inserting with a count and resolving cursor position crashes.
Bug Fixes
- curl 8.10.0:
- CVE-2024-8096 may have incorrectly validated certificates using Online Certificate Status Protocol stapling, ignoring certain errors like 'unauthorized'.
- OpenSSL:
- CVE-2024-41996 was fixed, which could have allowed remote attackers to trigger costly server-side DHE calculations via public key order validation in Diffie-Hellman.
- postgresql17:
- CVE-2024-7348 fixes a race condition that could allow attackers to execute arbitrary SQL as the user running pg_dump.
- python311: This package fixed a few CVEs. Here are a couple of fixes:
- CVE-2024-4030 had a fix to ensure Unix "700" permissions are applied to secure the directory.
- tiff 4.7.0:
- CVE-2023-52356 had a segmentation fault allowing remote attackers to trigger a heap-buffer overflow that could cause a denial of service.
- CVE-2024-7006 had a null pointer dereference that could trigger application crashes and cause denial of service.
- LibreOffice 24.8.1.2
- CVE-2024-5261 was fixed, where TLS certificate verification was disabled, allowing improper certificate validation during document processing in third-party components.
- Mozilla Firefox 130.0.1:
- This release fixes several CVEs. One of the most critical fixes involves CVE-2024-8385, where a WASM type confusion issue could lead to exploitable vulnerabilities. Another significant fix is for CVE-2024-8381, which could trigger a type confusion vulnerability when looking up property names within a "with" block. CVE-2024-8388 fixed an issue where fullscreen notifications could be hidden on Android devices, potentially leading to UI spoofing attacks. Two memory safety bugs, CVE-2024-8387 and CVE-2024-8389, were also patched.
- apr 1.7.5:
- CVE-2023-49582 had shared memory permissions that could expose sensitive data to local users.
Conclusion
September 2024 brings important updates for Tumbleweed users. Security fixes across packages like PostgreSQL, libtiff, and LibreOffice ensure stability and security. Significant improvements were made in tools like systemd, git, and qemu, enhancing performance and compatibility. Noteworthy updates in PostgreSQL 17 and Harfbuzz 10 also bring major enhancements, contributing to a more robust and refined rolling release environment.
Stay updated with the latest snapshots by subscribing to the openSUSE Factory mailing list. Tumbleweed users who want to contribute or engage in detailed technical discussions should subscribe there as well. The openSUSE team encourages users to continue participating through bug reports, feature suggestions and discussions.
Contributing to openSUSE Tumbleweed
Your contributions and feedback make openSUSE Tumbleweed better with every update. Whether reporting bugs, suggesting features, or participating in community discussions, your involvement is highly valued.
This is a quick start guide for Full Disk Encryption with TPM or FIDO2 and YaST2 on openSUSE Tumbleweed. It focuses on the few steps to install openSUSE Tumbleweed with YaST2 and using Full Disk Encryption secured by a TPM2 chip and measured boot or a FIDO2 key.
Hardware Requirement:
- UEFI Firmware
- TPM2 Chip or FIDO2 key which supports the hmac-secret extension
- 2GB Memory
Installation of openSUSE MicroOS
There is an own Quickstart for openSUSE MicroOS
Installation of openSUSE Tumbleweed
Boot installation media
- Follow the workflow until "Suggested Partitioning":
- Partitioning: Select "Guided Setup" and "Enable Disk Encryption", keep the other defaults
- Continue Installation until "Installation Settings":
- Booting:
- Change Boot Loader Type from "GRUB2 for EFI" to "Systemd Boot", ignore "Systemd-boot support is work in progress" and continue
- Software:
- Install additional tpm2.0-tools, tpm2-0-tss and libtss2-tcti-device0
- Finish Installation
Finish FDE Setup
Boot new system
- Enter passphrase to unlock disk during boot
- Login
- Enroll system:
- With TPM2 chip:
sdbootutil enroll --method tpm2
- With FIDO2 key:
sdbootutil enroll --method fido2
- Optional, but recommended:
- Upgrade your LUKS key derivation function (do that for every encrypted device listed in /etc/crypttab):
# cryptsetup luksConvertKey /dev/vdaX --pbkdf argon2id
# cryptsetup luksConvertKey /dev/vdaY --pbkdf argon2id
Adjusting kernel boot parameters
The configuration file for kernel command line options is /etc/kernel/cmdline. After editing this file, call sdbootutil update-all-entries to update the bootloader configuration. If that option does not exist yet or does not work, a workaround is: sdbootutil remove-all-kernels && sdbootutil add-all-kernels.
Re-enrollment
If the prediction system fails, a new policy must be created for the new measurements to replace the policy stored in the TPM2.
If you have a recovery PIN:
# sdbootutil --ask-pin update-predictions
If you don't have the recovery PIN, you can set one with these steps:
# sdbootutil unenroll --method=tpm2
# PIN=<new recovery PIN> sdbootutil enroll --method=tpm2
Virtual Machines
If your machine is a VM, it is recommended to remove the "0" from the FDE_SEAL_PCR_LIST variable in /etc/sysconfig/fde-tools. An update of the hypervisor can change PCR0. Since such an update is not visible inside the VM, the PCR values cannot be updated. As a result, the disk cannot be decrypted automatically at the next boot, the recovery key needs to be entered and a manual re-enrollment is necessary.
Next Steps
The next steps will be:
- Support grub2-BLS (grub2 following the Boot Loader Specification)
- Add support to the installers (YaST2 and Agama)
- Make this the default if a TPM2 chip is present
Any help is welcome!
Further Documentation
The "security" development project has been switched to a 4096-bit RSA key.
New key fingerprint:
Type : GPG public key
User ID : security OBS Project <[email protected]>
Algorithm : rsa
Key size : 4096
Expires : 2026-12-02 13:27:55
Fingerprint : f9fa 0223 b56b 116c 3637 37ef 5da5 7bdd 6dd7 85ca
Python 3.13 RC2 is now available in Tumbleweed. This new version of the Python interpreter will be released in October 2024.
There are a lot of changes and new features in 3.13, but we're also bringing exciting experimental features to Tumbleweed.
Experimental JIT compiler
The default (python313) build has the flag --enable-experimental-jit=yes-off. This means that if you want to use this experimental JIT you can enable it with an environment variable:
$ PYTHON_JIT=1 python3.13
You can find more information about the JIT compiler and how it can improve performance in PEP-744.
Free threaded CPython (no GIL)
With this new version of the Python interpreter, there is an option to build without the famous Global Interpreter Lock, aka GIL. This is a really experimental feature, but why not have it on Tumbleweed? So we decided to also build this new variant as a new package, python313-nogil.
This new package is an isolated interpreter, so you can install it without conflicts with python313. The package is built with the --disable-gil option and it provides the /usr/bin/python3.13t binary. By default it uses /usr/lib/python3.13t/site-packages for third-party libs, so, with the default configuration, it won't use any python 3.13 module.
This means that you can now use threading.Thread in the Python interpreter and get actual parallel threads, so in the end, code that uses threads should be a lot faster with the python3.13t interpreter.
There are no packages for this interpreter in Tumbleweed at this moment, so if you want to use third party libraries you should use virtualenv and pip for that:
$ python3.13t -m venv free-threaded-env
$ source free-threaded-env/bin/activate
(free-threaded-env) $ pip install requests
(free-threaded-env) $ python3
Python 3.13.0rc2 experimental free-threading build (main, Sep 07 2024, 16:06:06) [GCC] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import sys; sys._is_gil_enabled()
False
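As an added example (not part of the openSUSE packaging), the snippet below shows how a script can tell whether it is running on the free-threaded build and whether the GIL is actually off, and measures the one thing that changes: a pure-Python CPU-bound loop split across threads. On python313 the speedup stays near 1.0; on python3.13t it approaches the thread count.

```python
import sys
import sysconfig
import threading
import time


def free_threaded_build() -> bool:
    """True if the interpreter was compiled with --disable-gil
    (sysconfig exposes this as Py_GIL_DISABLED in 3.13)."""
    return bool(sysconfig.get_config_var("Py_GIL_DISABLED"))


def gil_enabled() -> bool:
    """True on a regular CPython build, False on python3.13t while the GIL
    is off. sys._is_gil_enabled() only exists from 3.13 on, so older
    interpreters are reported as GIL-enabled."""
    probe = getattr(sys, "_is_gil_enabled", None)
    return True if probe is None else bool(probe())


def cpu_work(n: int) -> int:
    # Pure-Python, CPU-bound: with the GIL only one thread runs this at a time.
    total = 0
    for i in range(n):
        total += i * i
    return total


def run_in_threads(n_threads: int, n: int):
    """Run cpu_work(n) in n_threads threads; return (results, wall seconds)."""
    results = [0] * n_threads

    def worker(slot: int) -> None:
        results[slot] = cpu_work(n)

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(n_threads)]
    start = time.perf_counter()
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results, time.perf_counter() - start


def parallel_speedup(n_threads: int = 4, n: int = 300_000) -> float:
    """Sequential wall time divided by threaded wall time for the same work.
    Around 1.0 (or slightly below) with the GIL; approaching n_threads on a
    free-threaded python3.13t with enough cores."""
    start = time.perf_counter()
    for _ in range(n_threads):
        cpu_work(n)
    sequential = time.perf_counter() - start
    _, threaded = run_in_threads(n_threads, n)
    return sequential / threaded


if __name__ == "__main__":
    print("free-threaded build:", free_threaded_build())
    print("GIL enabled now:   ", gil_enabled())
    print("speedup with 4 threads: %.2fx" % parallel_speedup())
```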
cross-posted from: https://lemmy.ml/post/19629878
In recent testing scenarios involving a build and NetworkManager, a significant issue has surfaced: the network stack becomes non-operational.
Users are advised to postpone system updates for now, but if users have already updated, use Snapper to rollback; it’s important to note that while the issue primarily affects GNOME setups with Wicked, it can also impact servers without these components.
This problem has been consistently reproducible since at least the 20240825 Tumbleweed build. An update to Bind 9.20.1 brought changes to DNS query handling and system controls, which may have inadvertently contributed to the network stack issue.
The first packages of the new COSMIC desktop have landed in openSUSE.
List of packages:
Development branch of COSMIC (stable)
Welcome to the monthly update for openSUSE Tumbleweed for July 2024. Last month was busy with events like the Community Summit in Berlin and the openSUSE Conference. Both events were productive and well-received. Despite the busy schedule and follow-on discussion from the conference about the rebranding of the project, a number of snapshots continued to roll out to users this month.
Stay tuned and tumble on!
Should readers desire more frequent information about snapshot updates, they are encouraged to subscribe to the openSUSE Factory mailing list.
New Features and Enhancements
- Linux Kernel 6.9.9: This kernel introduces several important fixes and enhancements across various subsystems. Key updates include the introduction of devm_mutex_init() for mutex initialization in multiple components, addressing issues in the Hisilicon debugfs uninit process, and resolving shared IRQ handling in DRM Lima drivers. Fixes in the PowerPC architecture avoid nmi_enter/nmi_exit in real mode interrupts, while networking improvements prevent unnecessary BUG() calls in net/dql. Enhancements in WiFi drivers such as RTW89 include improved handling for 6 GHz channels. Updates in DRM/AMD drivers address multiple issues, from uninitialized variable warnings to ensuring proper timestamp initialization and memory management. The RISC-V architecture receives a fix for initial sample period values, and several BPF selftests see adjustments for better error detection. These updates collectively enhance system stability, performance, and security.
- KDE Plasma 6.1.3: Discover now auto-handles Flatpak rebases from runtimes and properly uninstalls EOL refs without replacements. In Kglobalacceld, invalid keycodes are explicitly processed. Kpipewire introduces proper cleanup on deactivate and fixes thread handling for PipeWireSourceStream. KScreen now uses ContextualHelpButton from Kirigami, and Kscreenlocker adds a property to track past prompts. KWin sees numerous improvements: relaxed nightlight constraints, simplified Wayland popup handling, better input method windows, and enhanced screencast plugins. Plasma Mobile enhancements improve home screen interactions, translation issues, and swipe detection. Plasma Networkmanager and Plasma Workspace benefit from shared QQmlEngine and various bug fixes, including avatar image decoding and pointer warping on Wayland.
- Frameworks 6.4.0: Attica updates its gitignore to include VS Code directories. Baloo reverts a QCoreApplication change and ports QML modules. Breeze Icons introduces a ColorScheme-Accent and fixes data-warning icons. KArchive now rejects tar files with negative sizes and fixes crashes with malformed files. KAuth and KBookmarks add VS Code directories to gitignore. KCalendarCore adds missing QtCore dependencies and QML bindings for calendar models. KIO improves systemd process handling and deprecates unused features. Kirigami enhances navigation and dialog components. KTextEditor adds a tool for testing JavaScript scripts and ensures even indent sizes, fixing multiple bugs.
- KDE Gear 24.05.2: Akonadi-calendar adds missing change notifications. Dolphin updates Meta-Object Compiler generation. Filelight enables appx building and ensures hicolor icon presence while Itinerary fixes calendar permissions, corrupted notes, and the package introduces new extractors. Kdenlive addresses timeline, aspect ratio, and compilation issues. Okular fixes a crash with certain PDF actions.
- Supermin 5.3.4: This update introduces several key enhancements, including support for OCaml 5 and kylinsecos. It improves package management by detecting dnf5 and omitting missing options. The update also refines OCaml compilation by using -output-complete-exe instead of -custom, fixes kernel filtering for the aarch64 architecture, and enables kernel uncompression on RISC-V. The update removes previously applied patches now included in the new tarball, helping to streamline the codebase and improve maintainability.
- Checkpolicy 3.7: The latest update brings support for Classless Inter-Domain Routing notation in nodecon statements, enhancing SELinux policy definition capabilities. Error messages are now more descriptive, and error handling has been improved. Key bug fixes include handling unprintable tokens, avoiding garbage value assignments, freeing temporary bounds types and performing contiguous checks in host byte order.
Key Package Updates
- NetworkManager 1.48.4: This update introduces support for matching Open vSwitch (OVS) system interfaces by MAC address, enhancing network interface management. Additionally, NetworkManager now considers the contents of `/etc/hosts` when determining the system hostname from reverse DNS lookups of configured interface addresses, improving hostname resolution accuracy. Subpackages updated include NetworkManager-bluetooth, NetworkManager-lang, NetworkManager-tui, NetworkManager-wwan, libnm0, and typelib-1_0-NM-1_0.
- libguestfs 1.53.5: This update includes significant enhancements and fixes. The `--chown` parameter is now correctly split on the ':' character, and a new checksum command is supported. Detection for Circle Linux and support for the LoongArch architecture have been added, including file architecture translation fixes. The update allows nbd+unix:// URIs and reimplements GPT partition functions using `sfdisk`. DHCP configuration improvements and a new `virt-customize --inject-blnsvr` operation enhance usability. Support for gluster, sheepdog, and tftp drives has been removed. New APIs such as `findfs_partuuid` and `findfs_partlabel` improve functionality, while inspection tools now resolve PARTUUID and PARTLABEL in `/etc/fstab`.
- glib2 2.80.4: The latest update backports key patches: mapping `EADDRNOTAVAIL` to `G_IO_ERROR_CONNECTION_REFUSED`, handling files larger than 4GB in `g_file_load_contents()`, and correcting GIR install locations and build race conditions. Additionally, improvements in `gthreadedresolver` ensure returned records are properly reference-counted in `lookup_records()`.
- ruby3.3 3.3.4: This release addresses a regression where dependencies were missing in the gemspec for some bundled gems such as net-pop, net-ftp, net-imap, and prime. Other fixes include preventing `Warning.warn` calls for disabled warnings, correcting memory allocation sizes in `String.new(:capacity)` and resolving string corruption issues.
- libgcrypt 1.11.0: The latest update introduces several new interfaces and performance enhancements. New features include an API for Key Encapsulation Mechanisms (KEM), support for algorithms such as Streamlined NTRU Prime (sntrup761), Kyber, and Classic McEliece, and additional Key Derivation Functions (KDFs) including HKDF and X963KDF. Performance improvements include optimized implementations of SM3, SM4, and other cryptographic operations on ARMv8/AArch64, PowerPC, and AVX2/AVX512-capable x86 CPUs. Other changes include further constant-time hardening, and the `GCRYCTL_ENABLE_M_GUARD` control code is deprecated.
Bug Fixes
- orc 0.4.39:
  - CVE-2024-40897: versions before 0.4.39 had a buffer overflow in `orcparse.c`.
- java-21-openjdk 21.0.4.0:
  - CVE-2024-21131 was a difficult-to-exploit vulnerability allowing unauthorized data modification.
  - CVE-2024-21138 was a vulnerability causing a partial denial of service.
  - CVE-2024-21140 was a vulnerability allowing unauthorized data access and modification.
  - CVE-2024-21145 was similar.
  - CVE-2024-21147 was the same, but affecting more critical data.
- ovmf 202402: three months of CVE patches arrived in its quarterly update.
- Mozilla Firefox 128.0: This release fixes 16 CVEs. The most severe was CVE-2024-6604, covering memory safety bugs in Firefox 128, Firefox ESR 115.13, Thunderbird 128 and Thunderbird 115.13. Some of these bugs showed evidence of memory corruption that could potentially have been exploited to run arbitrary code.
- ghostscript 10.03.1:
  - CVE-2024-33869 allowed bypassing restrictions via crafted PostScript documents.
  - CVE-2023-52722
  - CVE-2024-33870 allowed access to arbitrary files via crafted PostScript documents.
  - CVE-2024-33871 allowed arbitrary code execution via crafted PostScript documents using custom Driver libraries in `contrib/opvp/gdevopvp.c`.
  - CVE-2024-29510 allowed memory corruption and a SAFER sandbox bypass via format string injection in the uniprint device.
- xwayland 24.1.1:
  - CVE-2024-31080 could allow attackers to trigger the X server to read and transmit heap memory values, leading to a crash.
  - CVE-2024-31081 could cause memory leakage and segmentation faults, leading to a crash.
  - CVE-2024-31083 allowed arbitrary code execution by authenticated attackers through specially crafted requests.
- libreoffice 24.2.5.2:
  - CVE-2024-5261 allowed fetching remote resources without proper security checks.
- GTK3 3.24.43:
  - CVE-2024-6655 allowed a library injection into a GTK application from the current working directory under certain conditions.
- netpbm 11.7.0:
  - CVE-2024-38526: pdoc, which provides API documentation for Python projects, had a vulnerability where `pdoc --math` linked to JavaScript files from polyfill.io, a domain that had begun serving malicious code.
Conclusion
The month of July 2024 was marked by significant updates, security fixes and enhancements. The Linux Kernel 6.9.9 update introduced several key fixes and improvements across various subsystems, enhancing overall stability and performance. KDE Plasma 6.1.3 brought numerous UI improvements and better handling of Flatpak rebases. The updates to Frameworks 6.4.0 and KDE Gear 24.05.2 provided additional enhancements and bug fixes, improving user experience and system reliability. Critical security vulnerabilities were addressed in various packages, including Firefox, ghostscript, and xwayland, ensuring Tumbleweed remains secure, efficient, and feature-rich for all users. Additionally, the Aeon team announced that Aeon Desktop reached Release Candidate 3 status with a Tumbleweed snapshot released last week.
For those Tumbleweed users who want to contribute or want to engage with detailed technological discussions, subscribe to the openSUSE Factory mailing list. The openSUSE team encourages users to continue participating through bug reports, feature suggestions and discussions.
Contributing to openSUSE Tumbleweed
Your contributions and feedback make openSUSE Tumbleweed better with every update. Whether reporting bugs, suggesting features, or participating in community discussions, your involvement is highly valued.
More Information about openSUSE:
Official
Fediverse
(Image made with DALL-E)
An experimental "Pre-RC3" image for the Aeon Desktop has been published and testers are encouraged to try out the final prototype before it becomes the official Release Candidate 3 (RC3). The new image can be downloaded from the openSUSE development repository.
This prototype, which has been submitted to openSUSE Factory, introduces some significant changes and improvements. Notably, the `dd` backend in the tik installer has been replaced with a new `systemd-repart` backend. This change allows Aeon to be installed with Full Disk Encryption, enhancing the security of the operating system.
Existing users of Aeon RC2 and earlier versions will need to perform a reinstall to take advantage of the new features destined for RC3. Due to the fundamental changes in partition layout necessary for the new encryption features, an in-place upgrade from RC2 is not feasible without risking data integrity, according to a post on the new Aeon Desktop subreddit. Users can utilize Aeon's reinstall feature, which facilitates the backup and restoration of user data as long as a sufficiently large USB stick is used.
Users installing the prototype image may encounter some packages from the OBS devel project. These can be removed by running `transactional-update --interactive dup` and selecting the solutions that replace devel:microos packages with official ones.
Testers are encouraged to provide feedback and report any issues encountered during the testing phase on the Aeon Desktop bug report page.
Next Steps
If the prototype is accepted into Factory and becomes RC3, the development of Aeon will be in its final stages before an official release. RC3 will serve as the basis for writing openQA tests for Aeon, which are crucial for ensuring the desktop's stability and functionality.
There is a possibility of an RC4, which aims to streamline the installer process by embedding the full Aeon install within the installer image, potentially reducing the download size by 50 percent. If this approach is not feasible in the short term, it may be revisited post-release.
Full Disk Encryption is set up in one of two modes: Default or Fallback. Get more info about that in the Aeon Desktop Introduces Comprehensive Full Disk Encryption article.
Full Disk Encryption is planned to be introduced in the forthcoming release candidate of the Aeon Desktop to enhance data security for its users.
The feature is expected to be included in the upcoming Release Candidate 3 (RC3).
Full Disk Encryption is designed to protect data in cases of device loss, theft or unauthorized booting into an alternative operating system.
Depending on the hardware configuration of a system, Aeon's encryption will be set up in one of two modes: Default or Fallback.
Default Mode
The Default Mode is the preferred method of encryption provided the system has the required hardware. This mode uses a Trusted Platform Module (TPM) 2.0 with `PolicyAuthorizeNV` support (TPM 2.0 specification version 1.38 or newer). In this mode, Aeon Desktop measures several aspects of the system's integrity, including:
- UEFI Firmware
- Secure Boot state (enabled or disabled)
- Partition Table
- Boot loader and drivers
- Kernel and `initrd` (including kernel command line parameters)
The disk encryption key is sealed in the TPM against these measurements. During startup, the current measurements are compared with the sealed values; if they match, the TPM releases the key and the system boots normally. If discrepancies are found, the key is not released and users are prompted to enter the Recovery Key provided during installation. This safeguard ensures that unauthorized changes or tampering attempts are flagged before the disk is unlocked.
Fallback Mode
The Fallback Mode is employed when the necessary hardware for Default Mode is not detected. This mode requires users to enter a passphrase each time the system starts. While it does not check system integrity as comprehensively as Default Mode, Secure Boot is strongly recommended to ensure some level of security, confirming that the bootloader and kernel have not been tampered with.
Contrary to initial concerns, Default Mode is not less secure than Fallback Mode despite not requiring a passphrase at startup. The strong integrity checks in Default Mode protect against attacks that could bypass normal authentication methods. For example, it can detect changes to the kernel command line that could otherwise allow unauthorized access. Furthermore, because the `initrd` is measured, tampering with it (the route by which a passphrase could be captured in Fallback Mode) is detected.
Secure Boot, while optional in Default Mode due to the comprehensive integrity checks, is critical in Fallback Mode to maintain system security. Disabling Secure Boot in Fallback Mode increases vulnerability to tampering and attacks aimed at capturing the passphrase.
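To make the Default Mode logic described in this section concrete, the following Python simulates the measure, seal and unseal steps and shows what happens when only the kernel command line or only the `initrd` is changed: the measurement no longer satisfies the sealed policy, the simulated TPM releases nothing, and only the Recovery Key path opens the disk. This is an added example, not Aeon's, systemd's or any TPM library's code; it never talks to a TPM. The component names and byte strings, the volume key, the recovery key and the HMAC-based wrap are all constructed stand-ins for what a real TPM does with its storage hierarchy.

```python
# Added example: simulate the measure -> seal -> unseal flow of Aeon's Default Mode.
# Not Aeon's, systemd's or a TPM library's code; everything below is a constructed stand-in.
import hashlib
import hmac
from typing import Optional, Tuple

# Constructed markers for the artifacts listed above; real firmware hashes the full images.
GOOD_BOOT = [
    ("uefi_firmware", b"UEFI firmware image v1.2 (constructed)"),
    ("secure_boot_state", b"SecureBoot=1"),
    ("partition_table", b"GPT: esp, root-luks (constructed)"),
    ("bootloader", b"systemd-boot + drivers (constructed)"),
    ("kernel", b"vmlinuz-6.9.9 (constructed)"),
    ("initrd", b"initrd-6.9.9.img (constructed)"),
    ("kernel_cmdline", b"root=/dev/mapper/root rd.luks.name=... quiet"),
]
VOLUME_KEY = hashlib.sha256(b"constructed LUKS volume key").digest()
RECOVERY_KEY = b"constructed-recovery-key-shown-once-at-install"


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM2_PCR_Extend semantics for a SHA-256 bank: new = H(old || H(measurement))."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()


def measure_boot(components) -> bytes:
    """Replay a boot chain into one PCR (all-zero after reset); order and content both matter."""
    pcr = bytes(32)
    for _name, blob in components:
        pcr = pcr_extend(pcr, blob)
    return pcr


def _wrap(secret: bytes, key: bytes) -> bytes:
    """Toy XOR wrap with an HMAC-derived pad (self-inverse). A real TPM seals under its storage key."""
    pad = hmac.new(key, b"aeon-sim-wrap", hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(secret, pad))


def seal(volume_key: bytes, expected_pcr: bytes, recovery_key: bytes) -> dict:
    """Enrolment: bind the volume key to the expected PCR and add a recovery slot."""
    return {
        "policy_digest": hashlib.sha256(expected_pcr).digest(),
        "tpm_slot": _wrap(volume_key, expected_pcr),
        "recovery_slot": _wrap(volume_key, hashlib.sha256(recovery_key).digest()),
        "key_check": hashlib.sha256(volume_key).digest(),
    }


def tpm_unseal(sealed: dict, current_pcr: bytes) -> Optional[bytes]:
    """Release the key only when the live PCR satisfies the sealed policy."""
    if not hmac.compare_digest(hashlib.sha256(current_pcr).digest(), sealed["policy_digest"]):
        return None
    return _wrap(sealed["tpm_slot"], current_pcr)


def boot(sealed: dict, components, recovery_key: Optional[bytes] = None) -> Tuple[str, Optional[bytes]]:
    """Default Mode: TPM first; if measurements changed, only the Recovery Key unlocks the disk."""
    key = tpm_unseal(sealed, measure_boot(components))
    if key is not None:
        return ("tpm", key)
    if recovery_key is not None:
        key = _wrap(sealed["recovery_slot"], hashlib.sha256(recovery_key).digest())
        if hmac.compare_digest(hashlib.sha256(key).digest(), sealed["key_check"]):
            return ("recovery", key)
    return ("locked", None)


def with_component(components, name: str, blob: bytes):
    """Copy of a boot chain with one measured component replaced (e.g. a tampered cmdline)."""
    return [(n, blob if n == name else b) for n, b in components]


if __name__ == "__main__":
    sealed = seal(VOLUME_KEY, measure_boot(GOOD_BOOT), RECOVERY_KEY)
    tampered = with_component(GOOD_BOOT, "kernel_cmdline", b"root=/dev/mapper/root init=/bin/sh")
    print("untouched boot:", boot(sealed, GOOD_BOOT)[0])
    print("cmdline changed, no recovery key:", boot(sealed, tampered)[0])
    print("cmdline changed, recovery key:", boot(sealed, tampered, RECOVERY_KEY)[0])
```

The point the simulation makes is that the TPM never "compares" anything a user can argue with: the key is simply unavailable unless the replayed chain reproduces the exact digest it was sealed to, so an added `init=/bin/sh`, a swapped `initrd` or a reordered boot chain all end in the Recovery Key prompt rather than a silently unlocked disk.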
Aeon's implementation of Full Disk Encryption provides robust security options tailored to the capabilities of users' hardware. By offering both Default and Fallback modes, Aeon ensures that all users can benefit from enhanced data protection.
The inclusion of this feature in RC3 marks a significant step forward in safeguarding user data against potential threats.
Aeon users are encouraged to read and bookmark the Aeon Encryption Guide.
(Image made with DALL-E)
Welcome to the monthly update for openSUSE Tumbleweed for June 2024. This month was busy with events like the Community Summit in Berlin and the openSUSE Conference, but a number of snapshots continued to roll out to users. Developers, system administrators and users receive updates designed to enhance your experience and ensure high levels of security and performance.
Readers who want more frequent information about snapshot updates are encouraged to subscribe to the openSUSE Factory mailing list.
Let’s go!
New Features and Enhancements
- Linux Kernel 6.9.7: This kernel introduces several important fixes and enhancements across various subsystems. Key updates include addressing undefined references in netfilter when `CONFIG_SYSCTL` is disabled, correcting TCP Fast Open handling, and resolving a conflicting quirk in Advanced Linux Sound Architecture for Realtek devices. Improvements in file system writeback operations, multi-threaded path handling and memory management for Hisilicon crypto drivers enhance stability. Networking updates include fixes for race conditions in netpoll, enhancements for specific SFP modules, and improvements in WiFi drivers such as RTW89, Ath9k, Ath12k, and MT76. Additional platform-specific updates address issues in ACPI, ARM64 configurations, HID device handling, and Bluetooth driver fixes.
- PipeWire 1.2.0 and WirePlumber 0.5.4: PipeWire 1.2.0 introduces asynchronous processing, node.sync-group for synchronized scheduling, and improved config parsing error reporting. It also adds mandatory metadata support for buffer parameters, multiple data-loops with CPU affinity, and dynamic log level adjustments. Key fixes include RTP-SAP module enhancements, ROC 0.3 support, and improved Bluetooth BAP broadcast code parsing. WirePlumber 0.5.4 refines the role-based linking policy, allowing role-based sinks alongside standard audio operations and enabling regular filters to act as best targets. It addresses startup crashes due to empty config files, improves Bluetooth profile auto-switching, and fixes issues with DSP filters and infinite loop scenarios in autoswitching scripts. Together, these updates enhance the flexibility, reliability, and overall performance of audio management in Linux environments. Both also received updates in snapshot 20240627.
- Mesa and Mesa-drivers 24.1.2: Both packages underwent a specfile cleanup, involving the relocation of Rust crate sources into subprojects folders and updates to `baselibs.conf`. Due to the maintenance burden of Rust crates as system dependencies, these crates are now downloaded as vendored dependencies, as detailed in README-suse-maintenance.md. The update adds support for building libvulkan_nouveau, including the necessary Rust crates paste-1.0.14, proc-macro2-1.0.70, quote-1.0.33, syn-2.0.39, and unicode-ident-1.0.12. However, building libvulkan_nouveau on Leap is not possible because it requires rust-cbindgen >= 0.25. For more details, refer to the release notes at https://docs.mesa3d.org/relnotes/24.1.2.
- KDE Plasma 6.1.1: Discover improves UI elements and Packagekit support, while Dr Konqi corrects the Sentry dbus interface usage. Plasma Addons addresses reference issues in Effects/cube, and krdp ensures version compatibility and resolves session controller bugs. Kscreenlocker improves greeter functionality, and KWin introduces multiple fixes for shaders, tiling, and input panels. Libkscreen and libplasma update protocol versions and fix plugin loading issues. Plasma Desktop enhances task icon sizing, panel opacity and file dragging across screens. Plasma Audio Volume Control removes unnecessary symlinks, and Plasma Systemmonitor correctly positions loading overlays. Powerdevil improves battery protection UI and limits backlighthelper calls.
- Python-setuptools 70.0: Key features in this new major version include emitting warnings for ignored [tools.setuptools] entries in `pyproject.toml`, improved error messaging for `pkg_resources.EntryPoint.require` and handling `None` location distributions more gracefully. The update also refreshes unpinned vendored dependencies, supports PEP 625 by standardizing package name and version in filenames and ensures encoding consistency for `.pth` files. Obsolete Python < 3.8 code has been removed, and `pkg_resources` now uses the stdlib `importlib.machinery`. Bug fixes address race conditions in the install command, improve handling of nested namespaces with `package_dir` and correct various `pkg_resources` method behaviors. The patch for reproducibility has also been refreshed.
- Xen 4.18.2_06: This version resolves intermittent system hangs when Power Control Mode is set to Minimum Power. Patches also improve CPU mask handling and interrupt movement in various scenarios. Upstream bug fixes include improvements in scheduler resource data management and fixes for building with GNU Compiler Collection 14.
Key Package Updates
- NetworkManager 1.48.2: This package updates support for matching OVS system interfaces by MAC address and fixes port reactivation and VPN secrets handling for 2-factor authentication. It saves connection timestamps during shutdown for proper autoactivation after restart. Key changes in 1.48.0 deprecate autotools building, add support for changing OpenSSL ciphers for 802.1X authentication, and set unmanaged device reasons in the `StateReason` property visible in nmcli. Additionally, it replaces the `mac-address-blacklist` property with `mac-address-denylist`, improves WiFi 6 GHz band detection and optimizes performance to avoid high CPU usage during route updates. The previous 1.46 release brought dynamic SSID-based stable IDs, randomized MAC addresses and several enhancements for handling IPv6, D-Bus and cloud setup.
- ibus-table 1.17.6: This update drops Python 2 support, transitioning all scripts to Python 3 using pyupgrade. It now allows the use of keys with Unicode keysyms in keybindings, enhancing customization and flexibility. Additionally, the `frames_per_buffer=chunk_size` option is now passed to `self._paudio.open()` for improved audio handling. The update also includes translation enhancements from Weblate, with Czech translations reaching 36.6 percent, Japanese at 45.3 percent, and Chinese (Simplified) at 92.0 percent.
- btrfsprogs 6.9: The `mkfs` utility now halts if the mount status cannot be determined when using the `--force` option and corrects the minimum size calculation for zoned devices. The check command removes the `--clear-ino-cache` option, shifting its functionality to the `rescue` command group, and adds detection and repair for incorrect file extent item `ram_bytes` values. The qgroup commands now sync the filesystem before searching for stale entries, handle uncleaned subvolumes and `squota`-enabled scenarios, and display the cleaning status of subvolumes. The `receive` command fixes stream parsing for strict alignment hosts, and the `tune change-csum` and `dump-tree` commands include updates for handling `dev-replace` status items. The `convert` command improves extent iteration for preallocated/unwritten extents. The build process now ensures compatibility with e2fsprogs 1.47.1 and improves header file dependency tracking. Documentation was also updated.
- GNU Emacs 29.4: This is an emergency bugfix release. Arbitrary shell commands are no longer executed when enabling Org mode, preventing a crafted file from running potentially malicious commands simply by being opened.
Bug Fixes
- Python-dnspython 2.6.1:
  - CVE-2023-29483: dnspython before 2.6.0 (via eventlet before 0.35.2) allowed remote attackers to interfere with DNS name resolution by quickly sending an invalid packet from the expected source IP address and port (the "TuDoor" attack).
- php8 8.3.8:
  - CVE-2012-1823 was a vulnerability where attackers could inject arguments into PHP-CGI, leading to potential security issues. The new vulnerability, CVE-2024-4577, was discovered to bypass this original fix, allowing the same or similar argument injection attacks. The update ensures that this bypass is no longer possible, reinforcing the protection originally put in place for CVE-2012-1823.
  - Similarly, CVE-2024-5585 bypassed the earlier fix for CVE-2024-1874 and is addressed in this release.
- kernel-firmware-nvidia-gspx-G06 (NVIDIA GPU driver):
  - CVE-2024-0090 was a vulnerability where a user could cause an out-of-bounds write.
  - CVE-2024-0091 was a vulnerability where a user could cause an untrusted pointer dereference. A successful exploit might lead to denial of service.
  - CVE-2024-0092 was an improper check or improper handling of exception conditions that might lead to denial of service.
- XZ 5.6.2:
  - CVE-2024-3094: Through a series of complex obfuscations, the liblzma build process extracted a prebuilt object file from a disguised test file in the source tree, which was then used to modify specific functions in the liblzma code. The result was a modified liblzma library that could be used by any software linked against it, intercepting and modifying the data passing through the library. 5.6.2 is the first upstream release after the compromised 5.6.0 and 5.6.1 tarballs. More details in snapshot 20240605.
- cJSON v1.7.17:
  - CVE-2024-31755: a segmentation violation that can be triggered through the second parameter of `cJSON_SetValuestring`.
Conclusion
The month of June 2024 saw a range of significant updates, security fixes and enhancements. The Linux Kernel 6.9.7 update improved stability and performance. Mesa and Mesa-drivers 24.1.2 introduced Rust crate dependencies and improved Vulkan support. KDE Plasma 6.1.1 brought UI improvements and a major version of Python-setuptools 70.0 arrived for rolling release users. A few critical security vulnerabilities were taken care of and fixes related to the XZ backdoor continued, so that Tumbleweed remains secure, efficient and feature-rich for all users.
For those Tumbleweed users who want to contribute or want to engage with detailed technological discussions, subscribe to the openSUSE Factory mailing list. The openSUSE team encourages users to continue participating through bug reports, feature suggestions and discussions.
Contributing to openSUSE Tumbleweed
Your contributions and feedback make openSUSE Tumbleweed better with every update. Whether reporting bugs, suggesting features, or participating in community discussions, your involvement is highly valued.
(Image made with DALL-E)
Slowroll, which has a more modest update cadence than Tumbleweed, is gaining acceptance as a balance between the rapid updates of Tumbleweed's rolling releases and the traditional Leap release.
Slowroll is nearly ready for full deployment and the development team has been working diligently to prepare the next version bump, with planned updates scheduled for July 9, August 9 and Sept. 9. These updates are expected to maintain a consistent monthly cadence to ensure users have timely and stable updates.
One of the critical updates to be pulled in is the latest OpenSSH CVE fix, which has already been made available in Tumbleweed. This fix enhances the security of Slowroll and ensures that it remains a robust and reliable distribution for users.
Highlighted Features of Slowroll
Balanced Update Cadence: Slowroll offers a monthly rolling update cycle that provides users with the latest features and security updates while ensuring stability through extensive testing and validation.
Beta Phase: Slowroll is now in the Beta phase, indicating its near readiness for full deployment. Users can expect a reliable experience with continuous improvements.
Continuous Improvement: The distribution integrates big updates approximately every month, alongside continuous bug fixes and security patches, ensuring a secure and up-to-date system.
Statistics and Status
According to the latest statistics available on the Slowroll Stats page:
- Tumbleweed had 2813 updated packages since the last version bump
- Slowroll received 1316 updates from 871 different packages and only 339 updated rpms are Slowroll-specific builds
Origins and Purpose
Slowroll, introduced in 2023, was designed as an experimental distribution. Its primary goal is to offer a slower rolling release compared to Tumbleweed, thus enhancing stability without compromising on access to new features. The distribution continuously evolves with big updates integrated approximately every month, supported by regular bug fixes and security updates.
It's crucial to understand that Slowroll is not intended to replace Leap. Instead, it provides an alternative for users who desire more up-to-date software at a slower pace than Tumbleweed but faster than Leap.
If you try Slowroll, have a lot of fun - rolling... slowly!
(Image made with DALL-E)