
Board Election for Three Seats Opens

Members of openSUSE’s election committee have provided notice to the project about the start of this year’s board election. Three board seats are up for election this year.

The election begins its nomination process on Nov. 15 and invites all eligible openSUSE members to participate in shaping the community’s future.

The open seats are currently held by Douglas DeMaio, Neal Gompa, and Patrick Fitzgerald. Board members serve as guides for the community, oversee some key project functions, facilitate community initiatives and handle responsibilities from organizing board meetings to managing openSUSE domains and trademarks. They also play a role in upholding community standards, including overseeing complaint processes and ensuring compliance with openSUSE’s Code of Conduct.

Election Timeline

The election process will unfold over the next month. The plan is to follow this official schedule:

  • Nov. 15: Official announcement, nominations open, membership drive begins
  • Nov. 30: Final candidate list announced; campaign begins
  • Dec. 1: Voting opens
  • Dec. 15: Voting closes
  • Dec. 16: Election results announced

How to Participate

Any openSUSE member can stand for election by sending an email to project@lists.opensuse.org and election-officials@lists.opensuse.org. Members may also nominate others by contacting the Election Committee, who will follow up with the nominee to confirm their interest.

Eligibility Requirements

According to the organization’s Election Rules, only current members are eligible to run for board positions. While new members are welcome to join during the membership drive and participate in the voting process, they will not be eligible to stand as candidates. The election committee overseeing this year’s event includes members Ish Sookun, Edwin Zakaria, and Ariez Vachha. The committee is responsible for ensuring a smooth election process and for finalizing the list of candidates by Nov. 30.

Project Welcomes rsync.net as Gold Sponsor

The openSUSE Project is excited to announce rsync.net as the latest Gold Sponsor!

The company’s support will empower the openSUSE community to continue building open-source solutions that serve users worldwide.

Rsync.net’s secure cloud storage and data backup solutions can assist openSUSE members with projects and package development. This is an excellent solution for securing offsite backups of critical data for a system. The cloud storage company rsync.net dedicates resources not only to the openSUSE Project, but also to other open-source communities such as Debian developers.

Through this partnership, openSUSE community members with an openSUSE email address can access 500 GB of free-forever storage. Members can also gain the additional benefits from rsync.net with affordable options for those who need even more space:

  • Standard Single Region: $0.008 per GB per month, ensuring 99.9999% resiliency.
  • Geo-Redundant Storage: $0.014 per GB per month, with automatic replication across regions for enhanced security.

Storage locations in Silicon Valley, Denver, Zurich, and Hong Kong can help to best suit developer needs.

The openSUSE Project values this partnership with rsync.net and its members appreciate the company’s commitment to support our community and open-source efforts.

For openSUSE members interested in rsync.net’s support, click here.

Members were informed about the sponsorship through the Factory mailing list. Members of openSUSE can view the perks of being a member of the project on the wiki.

Companies interested in supporting the openSUSE Community can find sponsorship details on our sponsors page. The project also accepts donations to support the community through the Geeko Foundation.

Streamlining openSUSE Translations Upstream

Managing localization of desktop menus and applications takes a specific tool and approach that fills a gap but leaves inconsistent upstream translations.

Open-source translation standards have advanced over the years and the downstream-only model being used has proven inefficient, which is why efforts to deprecate update-desktop-files are underway.

Over the past two decades, SUSE’s translation system has grown to cover more than 5,747 packages, with a total of about 380,000 translated strings. These efforts are labor-intensive and often redundant since many translations upstream already exist. The update-desktop-files tool contradicts an upstream-first policy. The SUSE-specific translations override upstream versions, causing inconsistencies and duplicating translation work. It also limits package maintainers’ control as translations are often integrated during runtime, which then appear different from what package maintainers expect. The tool adds complexity and requires SUSE-specific infrastructure (e.g., SUSE intranet and OpenQA VPN) that complicates maintenance and makes it challenging to align with certain open-source practices.

Given these challenges, transitioning to an upstream-first approach aligns with openSUSE’s goals of reducing redundancy, improving translation quality and supporting community collaboration.

Starting with the new update-desktop-files release to Factory in November 2024, package maintainers are encouraged to check build logs for instructions on upstreaming SUSE-specific translations.

Below is the roadmap for this effort:

  • November 2024: New version in Factory enables upstreaming of translations done over the past 20 years.
  • Early 2025: Packages using the opaque translation process will start upstreaming changes.
  • March 2025: Package maintainers review and propose changes to upstream projects.
  • End of 2025: Upstream responses are integrated; package maintainers import changes to Factory.
  • 2026: Any remaining SUSE-specific desktop files are patched. By year-end, the use of update-desktop-files will trigger errors, phasing it out completely.

To help in this transition, package maintainers should verify translations for Name, GenericName, Comment, and Keywords against upstream standards. Where applicable, patches can be generated using the update-desktop-files.tar.gz files, which provide various patch formats (e.g., -downstream-translated.diff for direct translations). Package maintainers should also update spec files, remove %suse_update_desktop_file and use the appropriate upstream translation mechanisms. Following the guidelines outlined in the openSUSE wiki page will help those who have questions.

The change is expected to use the upstream translations wherever possible, so the community can focus on openSUSE translations.

For more information, visit openSUSE wiki or subscribe to the translations mailing list.

Project Launches Recognition Platform

The openSUSE Project has announced the launch of a new initiative aimed at highlighting contributions of its diverse community members.

Dubbed “Contributor in the Spotlight,” the project aims to feature a different contributor each month and showcase their work in areas such as coding, art, documentation and more.

“It’s a great opportunity to get involved in the community and help ensure that our contributors receive the recognition they deserve,” wrote Tobias Görgens and Gertjan Lettink in an email on the project mailing list.

The program aims to increase visibility, provide recognition, express gratitude and to inspire others to contribute to open-source.

Many contributors’ efforts often go unnoticed and this initiative seeks to change this by sharing their stories and acknowledging their efforts to enhance open source development.

Contributors can nominate themselves to be featured by submitting an application by the 15th of each month. Nominations are permissible with the consent of the person being nominated. The selection process will focus on impact, uniqueness and relevance of their work to the project and beyond. Those chosen will be spotlighted in a blog post on the first Monday of the following month.

In addition to encouraging submissions, members of the project seek volunteers to help manage the initiative. Organizers will review applications, create blog posts and promote the project within the community.

Applications are now open, with the first feature expected to be published soon.

For more information, visit the mailing list email or the openSUSE GitHub page.

Tumbleweed Monthly Update - October 2024

This month, the rolling-release ran like a well-tuned engine as it powered through important updates and bug fixes with precision and speed. Updates were available for GNOME, systemd, qemu and more alongside important security patches. Various CVEs were addressed, particularly for Firefox, openssl, and virtualbox packages, to improve systems’ security. Desktop components for GNOME and KDE were also refreshed this month.

In addition to all the package updates this month, the rolling release received a fresh visual overhaul that revamped Tumbleweed’s logo and added new wallpapers with both day- and night-themed variants.

As always, remember to roll back using snapper if any issues arise.

Happy updating and tumble on!

For more details on the change logs for the month, visit the openSUSE Factory mailing list.

New Features and Enhancements

  • LibreSSL 4.0: Major version 4.0 brings several significant changes and removals. Notably, the cms command in openssl(1) now supports the CRLfile option to specify additional CRLs during verification. The update also changes protocol handling in libtls, completely ignoring unsupported TLSv1.0 and TLSv1.1 protocols. The potentially dangerous EVP_PKEY*_check(3) functions were removed, and the Whirlpool hash function is no longer supported.
  • bind 9.20.3: A new WALLET record type was added that allows mapping domain names to cryptocurrency wallets. The release also introduces query response logging features that provide summaries through the responses category. An important change adds the ability to fall back from IXFR to AXFR during DNS record transfers if too many records cause a failure. Bug fixes address issues such as incorrect statistics in forward-only zones and a static-stub bug that causes misdirected queries, and there are improvements to long-running processes like DNSSEC validation and zone file operations.
  • GNOME 47.1: Enhancements to gnome-shell include improved accessibility for quick settings, better tablet UI accent color usage and more accurate inset box shadows. Various layout fixes, padding adjustments and a crash fix are included with translation updates. The gnome-shell-extensions package adds missing top-bar indicators in the classic mode and gnome-sudoku users will enjoy the several UI fixes, including improvements to tooltips in light mode along with better handling of the undo function. The update of gnome-text-editor introduces fixes for documents defaulting to implicit trailing newlines and improves text wrapping on small screens. An update of gnome-bluetooth resolves a crash when canceling pairing and adds support for the Kawai CA501 music keyboard, alongside other improvements. With gnome-control-center, a fix was made for an accessibility regression in background name handling; the package also added improvements to various modules like Appearance, Color, and Users.
  • xz 5.6.3: Key changes include a fix for x86-64 inline assembly compatibility with older versions of GNU Binutils and a build fix for GCC 4.2 on OpenBSD/sparc64. The xzdec tool now correctly displays errors if unsupported options like -M are used, and lzmainfo addresses integer overflow issues when rounding dictionary and uncompressed sizes. In terms of build improvements, the Autotools-based build system now handles link-time optimization (-flto) better, and Solaris users benefit from a fix in version.sh for regenerating configure files. The CMake system also sees improvements, including preferring C11 over C99 compilers, and avoiding unnecessary threading flags when linking against shared liblzma. Additionally, translations have been updated for Catalan, Simplified Chinese, and Brazilian Portuguese.
  • KDE Plasma 6.2.1: A fix was made for Breeze with checkbox sizing when no text or icons are present. Discover addresses a crash related to null channels in Snap packages for those who use it and Plasma Addons improves the web browser applet’s scale selection. KWin saw multiple fixes, including optimized rendering with custom geometry, proper handling of X11 keyboard modifiers and preventing crashes related to window stacking and timestamps. Powerdevil introduces improvements in brightness control and fixing issues with display sliders. Spacebar fixed an issue with SMS sending to further refine communication capabilities in Plasma Mobile environments.
  • KDE Gear 24.08.2: Dolphin fixes issues related to trailing slashes in URLs and ampersand display in filenames while Elisa resolves a problem preventing tracks without metadata from playing. Video editor Kdenlive had multiple bug fixes to include title producer updates, crash fixes and improved handling of effects and keyframes. Improvements in screenshot sharpness were made to Spectacle along with user interface elements like the blur and pixelate tools.
  • Qt 6.8.0: This release provides key updates across the Qt framework, improving performance and stability. Core libraries like libQt6Core and libQt6Gui receive bug fixes and performance boosts. Qt Multimedia improves support for system Eigen headers and optimizes x86 compatibility. Qt WebEngine and Qt WebView enhance web rendering and include patches to prevent build failures on ARM systems. Graphics modules like Qt Quick 3D and Qt ShaderTools provide better 3D rendering and shader handling. Overall, this update enhances functionality across UI, multimedia, and web components.
  • NetworkManager 1.50.0: In this update, support for dhclient was deprecated, and it is no longer built by default unless explicitly enabled. The internal DHCP client, which has been the default since version 1.20, is now recommended. The package now considers /etc/hosts when performing reverse DNS lookups for the system hostname. Support has been added for multiple gateways on a single network through ndisc, and channel-width configuration for Wi-Fi AP mode is now supported. Other enhancements include improved handling of VLANs on bridge ports and better handling of malformed LLDP packets to avoid crashes.
  • cups 2.4.11: This update addresses several issues related to Internet Printing Protocol (IPP) response validation, PostScript Printer Description (PPD) value processing and enhancements in the Web UI. Notable changes include updating the maximum file descriptor limit for cupsd to 64k-1 and fixing the lpoptions -d command for discovered but unadded printers. Support for checkboxes in the Web UI was also enhanced, along with improved printer state notifications and IPP Everywhere printer setups. Several commits related to IPP validation and PPD string processing were also included that address issues such as localized string handling.

Key Package Updates

  • systemd 256.7: This version includes contributions from 26 developers across 83 commits. Key improvements include refined support for managing nspawn containers, handling of ld.so.cache and better logging mechanisms in the query response systems. The release also addresses issues with seccomp synchronization and improves error handling in the ARP protocol (sd-ipv4acd).
  • kernel-source 6.11.3: Key updates include improvements in static call handling, specifically in module failures and static key decrements. Several SCSI fixes address issues like input/output errors on empty drive resets and PCI queue mapping overwrites. On the graphics side, the Intel and AMD GPU drivers see optimizations that include fixes for power management and display rendering. Networking updates include fixes for Realtek PHY drivers, VLAN handling, and preventing potential underflow conditions in packet length initialization. The update also introduces various memory leak fixes, improvements to Bluetooth, and enhancements to netfilter and IPv4/IPv6 handling.
  • gpg2 2.5.1: New commands like --add-recipients and --change-recipients provide added flexibility in managing recipients, and the --proc-all-sigs option has been added for signature processing. Improvements include fixes for key retrieval, PKCS#12 parsing updates and a resolution for the KEYTOCARD command when using loopback pinentry. The version update also now leverages the process spawn Application Programming Interfaces from libgpg-error for greater system compatibility.
  • gtk4 4.16.3: This update enhances how default cursor themes are handled by searching within XDG directories to ensure better compatibility with Wayland environments. The default cursor size now matches the gsettings schema and provides a more consistent user experience. The fallback process for portal settings was refined as settings_portal is cleared when switching to fallback without portal settings. This release also includes updated translations.
  • php8 8.3.13: Some essential fixes arrived in this package for its core and extensions. The Calendar extension addresses overflows in date functions like jdtounix, while CLI updates prevent duplicate HTTP headers. The core updates resolve segmentation faults, memory leaks and assertion errors, which stabilize nested frames and hash tables. In DOM, null pointer and memory leak issues are fixed for smoother XML handling. LDAP now handles memory leaks in ldap_modify_batch and SOAP patches address segmentation faults and memory leaks.
  • wicked 0.6.77: This release enhances IPv4/IPv6 node generation and interface-specific settings. It improves sysctl inheritance across interfaces, including loopback, but excludes settings like use_tempaddr and accept_dad. Routing updates resolve destination processing issues, and manpage enhancements clarify configuration details. New options include an ignore-rfc3927-1-6 setting for DHCP4. Compatibility improvements address deprecated INTERFACETYPE=dummy, and the package update fixes data leaks in ethtool operations.

Bug Fixes and Security Updates

Several key security vulnerabilities were addressed this month:

  • Firefox 131.0.3:
    • CVE-2024-9936 was a vulnerability that allowed attackers to manipulate selection node cache, potentially causing crashes.
    • CVE-2024-9392 could allow arbitrary cross-origin page loading in Firefox and Thunderbird versions below 131.
  • libnbd 1.20.3:
    • CVE-2024-7383 allows man-in-the-middle attacks due to improper TLS certificate verification when connecting to NBD servers.
  • Openssl:
    • CVE-2024-9143 was a flaw that may cause out-of-bounds memory access, potentially leading to crashes or remote code execution, though with low likelihood.
    • CVE-2023-50782 was a flaw that may have allowed a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, leading to exposure of confidential or sensitive data.
  • qemu 9.1.0:
    • CVE-2024-8612 may leak uninitialized data and lead to potential information exposure.
  • virtualbox 7.1.4:
    • CVE-2024-21248 allows low-privileged attackers to compromise the system that could potentially lead to unauthorized data access, modification or partial denial of service.
    • CVE-2024-21273 allows high-privileged attackers to gain unauthorized access to all data, potentially impacting other products.
    • CVE-2024-21259 allows high-privileged attackers to potentially take over the system, impacting confidentiality, integrity and availability.
    • CVE-2024-21263 allows low-privileged attackers to cause a complete denial of service and gain unauthorized read access to some data.
  • libarchive 3.7.6:
  • webkit2gtk3 2.46.1:
  • gnome-shell:
    • CVE-2024-36472 could allow the launching of a portal helper based on network responses that would enable untrusted JavaScript execution that could potentially cause resource consumption or other impacts.
  • oath-toolkit 2.6.11.12:
    • CVE-2024-47191 could allow root privilege escalation through improper access to the users file, including symlink handling.
  • unbound 1.21.1:
    • CVE-2024-8508 allows denial of service that could cause excessive CPU usage during name compression.

Conclusion

October 2024 brought significant updates to Tumbleweed users and gave them a secure and performant system. Updating critical packages like systemd, gpg, php, GTK4 and more keeps your system up-to-date with the latest snapshots.

Stay updated with the latest snapshots by subscribing to the openSUSE Factory mailing list. Tumbleweed users who want to contribute or engage in detailed technical discussions can subscribe there as well. The openSUSE team encourages users to continue participating through bug reports, feature suggestions and discussions.

Contributing to openSUSE Tumbleweed

Your contributions and feedback make openSUSE Tumbleweed better with every update. Whether reporting bugs, suggesting features, or participating in community discussions, your involvement is highly valued.

Leap, Tumbleweed Get Makeovers

Branding for Tumbleweed and Leap 16.0 is moving along with the creation of a visual identity for these two distinct operating system flavors.

For two of openSUSE’s most notable Linux distributions, there is an updated logo and new digital wallpaper themes that feature beloved chameleons that represent the community projects.

The Tumbleweed logo has been revamped and transitions from a horizontal format to a new design that aligns with logos of other openSUSE flavors like Leap, MicroOS, Aeon, Leap Micro and Slowroll. Communication and input from Logo Contest participants helped the group to collaborate on crafting a new logo. The new logo, decided on by the release team, took elements from the contest. It has recognizable brand elements that reinforce a connection to the openSUSE ecosystem.

During a Leap 16.0 branding focus group at an openSUSE Conference in 2024, community contributors began creating designs and developing plans for evolving visually engaging wallpapers that display day or night and light or dark variants.

Ideas from the session centered around nature-themed day and night variants featuring desert and jungle landscapes with complementary stylized chameleons, along with creative ways of displaying the Leap logo. This Leap logo concept incorporated a constellation pattern in the night sky design and a subtle Leap logo concept as a cloud.

The new wallpapers reflect the versatility of the openSUSE Project, which blends creativity with the stability and reliability users expect, said Leap release manager Lubos Kocman. The goal is to offer visually stunning designs that capture both the light of day and the tranquility of night, all while showcasing the adaptability of our beloved chameleon mascot. A photo of the Bluetail Day Gecko, which aligns with Geekos.org, offers a timely opportunity to feature a gecko with a chameleon-like appearance.

Designs began to take shape through collaborative efforts on the project’s branding repository on GitHub. Contributors shared drafts and provided feedback. Kocman himself has shared several iterations, experimenting with gradients and textures in the night scene and refining the sky’s appearance with gradients of purple and blue. One design even featured Aurora Borealis; after some community feedback, the contributors realized that Van Gogh wasn’t coming back to paint it for the release, so the team opted for a simpler starry night sky that better complemented the openSUSE brand’s clean and minimalist aesthetic. Kocman tried incorporating more complex elements like the Aurora Borealis, but sometimes simplicity speaks louder, Kocman commented. The design with a clean blue sky and soft starry details of a constellation felt more in line with openSUSE’s overall philosophy.

Many contributors in the community suggested incorporating constellations such as Aquila, Sagittarius and Lyra into the night design. These subtle additions give the wallpaper a sense of place, further emphasizing the natural beauty the team aims to capture. And, hey, if people squint hard enough, the Leap constellation is basically the Big Dipper’s cooler cousin!

The new wallpapers are just one component of a broader branding overhaul for Leap 16 and openSUSE’s rolling-release Tumbleweed. The branding team is exploring more abstract, distribution-agnostic wallpapers that can be used across different openSUSE flavors like Slowroll, Kalpa, and Aeon.

The community’s role in shaping the new look of Leap 16 and Tumbleweed didn’t stop at design suggestions. The branding team announced a photo competition inviting users to submit high-resolution photographs featuring chameleons or objects resembling the mascot. This competition is open until Nov. 1 and encourages users to submit original, landscape-oriented images through the branding repository.

Submissions are already rolling in, with some stunning entries showcasing natural landscapes that align with the day and night wallpaper themes.

To learn more about the wallpaper development process and contribute to the conversation, visit github.com/openSUSE/branding.

Leap 15.6 started to use a new logo. Logos for openSUSE distributions and flavors can be found in the project’s distribution-logos repository.

The last update for Tumbleweed’s wallpaper happened in 2018 and Leap’s wallpaper changed in 2022 with version 15.4.

People who are interested in advancing the openSUSE Welcome package or those who would like to share ideas about advancing it, can join a group working on it during HackWeek.

Many thanks to the marketing teams that helped to create this change for the project.

Workshop Continues with GNOME Extensions

The openSUSE Project will live-stream Episode 10 of its Contribution Workshop series on Oct. 24 at 18:00 UTC on openSUSE’s YouTube and X platforms for a GNOME Extensions workshop.

The session will cover how to enhance and customize the GNOME desktop environment using powerful extensions that add functionality, streamline workflows and personalize the desktop experience.

GNOME Extensions are an excellent way for users to expand the capabilities of their GNOME environment and make desktop use more efficient and tailored to individual needs.

Episode 10: GNOME Extensions

These workshops offer a platform for learning and for contributors to ask questions and engage directly with developers, maintainers and experienced members of the openSUSE community.

Whether you’re new to open-source contributions or a seasoned developer, the openSUSE Contribution Workshops offer valuable learning opportunities to improve your skills, engage with the community, and contribute effectively to the openSUSE Project.

The episodes of the Contribution Workshop go over a variety of topics including package maintenance, infrastructure or understanding the overall project landscape. The following episodes are tailored to provide an overview and practical advice for open-source software development, use and contribution.

The following episodes were already released:

Note: The live stream was unavailable for openSUSE’s X platform.


Community Plans Tech Summit

The openSUSE community is preparing for the Early Adopter Tech Summit on March 14 and 15, 2025, in Orlando, Florida.

This event will take place at Loews Sapphire Falls Resort at Universal Orlando Resort as SUSECON concludes.

Partners of SUSE, openSUSE, open-source community projects and community members are all encouraged to register for the summit and submit a talk. There are two types of talks available:

  • Short Talk: 15 minutes
  • Standard Talk: 30 minutes

The call for papers is open until January 15, 2025.

We welcome submissions from anyone passionate about open-source software and community development.

The summit’s schedule will be published in February 2025. Visit events.opensuse.org for more information.

Presenting GRUB2 BLS

GRUB2 with BLS is now in MicroOS and Tumbleweed

Recently the openSUSE project released for MicroOS and Tumbleweed a new version of the GRUB2 package, with a new subpackage grub2-$ARCH-efi-bls. This subpackage delivers a new EFI file, grubbls.efi, that can be used as a replacement for the traditional grub.efi.

The new PE binary is a version of GRUB2 that includes a set of patches from Fedora, which make the bootloader follow the Boot Loader Specification (BLS). This makes GRUB2 understand the boot entries from /boot/efi/loader/entries and dynamically generate the boot menu shown during boot time.

This is really important for full disk encryption (FDE) because this means that now we can re-use all the architecture and tools designed for systemd-boot. For example, installing or updating the bootloader can now be done with sdbootutil install, the suse-module-tools scriptlets will create new BLS entries when a new kernel is installed, and the tukit and snapper plugins will take care of doing the right thing when snapshots are created or removed.

Reusing all those tools without modification was a significant win, but even better, many of the quirks that classical GRUB2 had when extending the event log are no longer present. Before this package, sdbootutil needed to take ownership of the grub.conf file, because GRUB2 measures it line by line as it is executed. That is right! For each line that is read and executed by the GRUB2 parser, a new PCR#8 extension takes place, and because GRUB2 supports conditionals and other complex constructs, it is very hard to predict the final value of PCR#8 without imposing a very minimal and strict grub.conf.

However, with the new BLS subpackage, this file, along with the fonts and graphical assets for the theme and the necessary modules (such as bli.mod), is now included in the internal squashfs within the EFI binary. GRUB2 no longer measures those internal files, and this does not compromise the security guarantees, because it is now the firmware that measures the entire EFI binary when the bootloader is executed during the boot process.
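The per-line measurement problem described above can be reproduced with a small model. This is an added example, not code from GRUB2 or sdbootutil: it assumes a SHA-256 PCR bank, a constructed grub.conf-like script, and a simplified parser that only understands one form of `if`/`else`/`fi`; the function names are hypothetical.

```python
import hashlib
import re
from itertools import product

ZERO_PCR = bytes(32)  # a SHA-256 PCR reads all zeroes after platform reset

# Constructed sample script, not a real openSUSE grub.conf.
SAMPLE_CONF = '''
set timeout=5
if [ "$grub_platform" = "efi" ]; then
    insmod efi_gop
else
    insmod vbe
fi
if [ "$saved_entry" = "recovery" ]; then
    set default=1
fi
linux /vmlinuz root=/dev/sda2
'''

_TEST = re.compile(r'^if \[ "\$(\w+)" = "([^"]*)" \]; then$')


def extend(pcr, data):
    """TPM extend: PCR_new = SHA256(PCR_old || SHA256(data))."""
    return hashlib.sha256(pcr + hashlib.sha256(data).digest()).digest()


def executed_lines(config, env):
    """Return the lines that are actually executed for the variables in env.

    Simplified model: the `if` test counts as an executed command when it is
    reached; `else` and `fi` are syntax only and are not measured.
    """
    executed, branches = [], []  # branches: one bool per open `if`
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        active = all(branches)
        match = _TEST.match(line)
        if match:
            if active:
                executed.append(line)
            name, value = match.groups()
            branches.append(active and env.get(name, "") == value)
        elif line.startswith("if "):
            raise ValueError("unsupported test syntax: " + line)
        elif line == "else":
            if not branches:
                raise ValueError("else without if")
            branches[-1] = not branches[-1]
        elif line == "fi":
            if not branches:
                raise ValueError("fi without if")
            branches.pop()
        elif active:
            executed.append(line)
    if branches:
        raise ValueError("unterminated if")
    return executed


def pcr8(config, env):
    """Final PCR#8 value when every executed line is extended in order."""
    pcr = ZERO_PCR
    for line in executed_lines(config, env):
        pcr = extend(pcr, line.encode())
    return pcr


def reachable_pcr8(config, choices):
    """Map every reachable PCR#8 value (hex) to one environment producing it.

    choices maps a variable name to the values it may take at boot.
    """
    names = sorted(choices)
    result = {}
    for combo in product(*(choices[n] for n in names)):
        env = dict(zip(names, combo))
        result.setdefault(pcr8(config, env).hex(), env)
    return result


def measure_binary(image):
    """Single measurement of a whole image (simplified to one extend)."""
    return extend(ZERO_PCR, image)


if __name__ == "__main__":
    choices = {"grub_platform": ["efi", "pc"], "saved_entry": ["", "recovery"]}
    for digest, env in reachable_pcr8(SAMPLE_CONF, choices).items():
        print(digest[:16], env)
    # The same bytes embedded in a binary give one value on every boot path.
    print(measure_binary(SAMPLE_CONF.encode()).hex()[:16], "whole-image measurement")
```

Two independent conditionals already give four valid PCR#8 values that a sealing policy would have to anticipate, while the whole-image measurement changes only when the binary itself changes.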

As of today, we cannot use YaST2 to install GRUB2 with BLS, but we can do that manually very easily. We need to make a systemd-boot installation, replace LOADER_TYPE from systemd-boot to grub2-bls in /etc/sysconfig/bootloader, install the new GRUB2 BLS package, and do sdbootutil install. Another option is to play with one of the available images for MicroOS or Tumbleweed.

Have a lot of fun!

Development start of Leap 16.0

Hello everyone!

I’d like to announce the start of development and the public availability of what we currently refer to as Leap 16.0 pre-Alpha. Since this is a pre-Alpha version, significant changes may occur, and the final product may look very different in the Alpha, Beta, Release Candidate, or General Availability stages.

Users can get our new Agama install images from get.opensuse.org/leap/16.0. The installer will currently offer you Base, GNOME, and KDE installation.

Leap 16.0 is a traditional distribution and a successor to Leap 15.6 with expected General Availability arriving in the Fall of 2025.

We intend to provide users with sufficient overlap so that 15.6 users can have a smooth migration, just like they’re used to from previous releases.

Further details are available on our roadmap. The roadmap is subject to change since we have to respond to any SUSE Linux Enterprise Server 16 schedule changes.

Users can expect a traditional distribution in a brand new form based on binaries from the latest SLES 16 and community packages from our Factory development codebase.

There is no plan to make a Leap 15.7, however, we still need to deliver previously released community packages from Leap 15 via Package HUB for the upcoming SLES 15 SP7. This is why there are openSUSE:Backports:SLE-15-SP7 project and 15.7 repos in OBS.

Who should get it?

This is a pre-alpha product that is not intended to be installed as your daily driver. I highly recommend starting with the installation in a virtual machine and becoming familiar with the online installer Agama.

The target audience for pre-Alpha are early adopters and contributors who would like to actively be part of this large effort. Adopters should consider booting Agama Media from time to time just to check compatibility with their hardware.

For non-contributor users, I highly recommend waiting until we have a Beta, which is expected in the late Spring of 2025.

How to report bugs?

I’d like to kindly ask you to check our Known bugs wikipage before reporting a new issue. If you find a new issue that is likely to affect users, please feel free to add it to the page.

Specifically for Agama I highly recommend using github.com/agama-project and collaborating with the YaST team on suggestions and incorporating any changes.

For the rest of the components, the workflow isn’t changing; just select version 16.0 for bug submissions.

Feature requests

All changes to packages inherited from SLES 16 need to be requested via a feature request.

Feature requests will be reviewed every Monday at a feature review meeting where we’ll convert code-o-o requests into JIRA requests used by SUSE Engineering where applicable.

The factory-auto bot will reject all code submit requests against SLES packages with a pointer to code-o-o. You can get a list of all SLFO/SLES packages simply by running osc ls SUSE:SLFO:1.1:Build.

Just for clarification SLFO, SUSE Linux Framework One, is the source pool for SLES 16 and SL Micro 6.X. SLFO was previously known as Adaptable Linux Platform (ALP).

I highly recommend using code-o-o to co-ordinate larger community efforts such as Xfce enablement, where we will likely need to update some of SLES dependencies. This allows us to share the larger story and better reasoning for related SLES update requests. The list of features is also extremely valuable for the Release article.

Where to submit packages, how is it built, and where is it tested?

Leap 16.0 is built in openSUSE:Leap:16.0 project where we will happily welcome any community submissions until the Beta code submission deadline in the late Spring of 2025. We intend to keep the previous development model and avoid forking SLES packages unless necessary. We no longer can mirror SLES code submissions from OBS into IBS. So all SLES 16 update requests have to be requested via feature requests.

For quality control, we have basic test suites based on Agama installations in Leap 16.0 job group. Later, we plan to rework the existing Leap 16.0 Images job group for testing the remaining appliance images.

The project where we maintain community packages is subject to change as we have not fully finalized yet how to make Package HUB (we may use a similar structure with Backports as in 15.3+).

Further test suite enablement is one of the areas where we currently need the most help. Related progress.opensuse.org trackers: poo#164141 Leap 16.0 enablement and poo#166562 upgrade from 15.6.

Another area where you can help is new package submissions and related maintainer review of package submissions to Leap 16.0. These reviews make sense as we’d like to check with maintainers whether that software in a given version makes sense for inclusion into Leap 16.0, rather than blindly copying all packages over.

Involvement in branding and marketing efforts

I’m very proud to announce fresh branding efforts and want to thank all the people who helped give Leap and Tumbleweed a new look. We plan to publish an article or a video about the changes, and further plans as we still have a surprise or two in our pocket.

Do you want to help us on this front? Spread the news and feel free to join the openSUSE Marketing Team in our Telegram channel.

Many thanks to all who helped us to reach this point.

Lubos Kocman
on behalf of the openSUSE Release team

Schedule for openSUSE.Asia Summit is Published

The schedule for this year’s openSUSE.Asia Summit is out and features a diverse lineup of talks highlighting advancements in open-source and with the project.

This year’s event takes place in Tokyo, Japan, and is a two-day event running from Nov. 2 to Nov. 3, that includes talks about technologies involving openSUSE, Fedora, Ubuntu, Debian, AlmaLinux, Rocky Linux, and many other open-source projects.

The summit brings together developers, community members and open-source enthusiasts from around the world to Asia for discussions about Linux distribution updates to security and design.

Fuminobu Takeyama will open the event with a welcome address, which will be followed by a keynote from the company providing the venue, SHIFT Inc. This will be followed by a talk about What is openSUSE? and talks about the future of Leap and an update about the Geeko Foundation. Trustees from the Geeko Foundation will provide an overview of the foundation’s financial and operational progress as well as providing insights about the use of the Travel Support Program, fundraising efforts and more.

A technical keynote about container and virtualization platforms focusing on openSUSE Leap Micro and a talk about language support for LibreOffice based on specific needs of Chinese, Japanese, and Korean (CJK) users will take place toward the beginning of the summit.

A talk related to secure software packaging and AI/ML edge computing will provide some great content for attendees on the first day of the summit.

The second day is scheduled to have talks covering areas like the future of desktop Linux, free software in healthcare and geographic information systems using open-source technologies.

Find the schedule at events.opensuse.org.

Tumbleweed Monthly Update - September 2024

Welcome to the monthly update for Tumbleweed for September 2024! This month, the rolling-release model has kept pace with numerous important updates and bug fixes. PostgreSQL received a major update moving to 17 and text shaping engine harfbuzz had a major update to version 10. Packages like systemd, git, bash and qemu were also updated this month in the rolling release. Various packages saw CVE fixes and desktop components for GNOME and KDE were also updated. As always, remember to roll back using snapper if any issues arise.

Happy updating and tumble on!

Should readers desire more frequent information about snapshot updates, they are encouraged to subscribe to the openSUSE Factory mailing list.

New Features and Enhancements

  • Linux Kernel 6.11.0: The latest update brings reversion of the PCI ACS configurability extension to address an issue bsc#1229019. Key updates in the release include a fix to the block subsystem, resolving how the scheduler is handled in elv_iosched_local_module. A correction was made in the AMD GPU display driver to address a mistake from a previous revert related to bsc#1228093. Updates also include refreshed ALSA patches to enhance power management blacklist options. The improvements are expected to provide greater stability and performance for various hardware configurations.
  • postgresql17: This major release provides key improvements like a revamped memory management system for vacuum, boosting efficiency by reducing memory usage by up to 20x along with optimized processing for high concurrency workloads. Version 17 also enhances query execution with faster processing using B-tree indexes and parallel BRIN index builds. Developers benefit from the addition of the SQL/JSON JSON_TABLE command and expanded MERGE capabilities, as well as a 2x speed improvement in data exports with the COPY command. Logical replication now simplifies major version upgrades by eliminating the need to drop replication slots, improving ease of use in high availability setups. The software package further enhances database security and operational management, with new TLS options, incremental backups, and detailed monitoring tools.
  • harfbuzz 10.0.1: Significant fixes were made for the text shaping engine including support for Unicode 16.0.0. The version has a new Application Programming Interface that allows clients to customize glyphs when a Unicode Variation Selector isn’t supported by the font, as well as a callback for getting table tags from hb_face_t. Updates also address pair positioning lookup subtable application for compatibility and ensure subsetting fails if no glyphs are present to prevent silent errors.
  • GNOME 46.5: gnome-shell now addresses issues with smartcard logins, fixes glitches when quick settings menu animations are interrupted, and resolves problems with new Wi-Fi connections for restricted users. It also ensures required animations remain enabled, fixes display of pending PAM messages on the login screen and plugs memory leaks. An update of gnome-software reduces power usage when the main window is closed, along with translation updates.
  • KDE Plasma 6.1.5: In Discover, snapType mapping is corrected, and Flatpak now properly reports extensions without errors. KWin addresses several crash scenarios, such as null dereference and input event handling from removed devices. Plasma Desktop includes fixes for keyboard navigation in Kickoff, task list alignment in RTL mode and it has proper handling of background icons and test windows. Plasma Workspace enhances touchscreen interaction, system tray tooltips and clipboard functionality. Additional fixes included targeted crashes in hotplugging and svg rendering, while SDDM KCM improves state management.
  • Frameworks 6.6.0: Attica adds CI jobs for Alpine/musl, while Baloo sets up crash handling for baloo_file. New icons are introduced in Breeze. KCoreAddons improves dbus error handling and licensing, and KDeclarative adjusts rendering for better DPI positioning. KIO resolves issues with restoring trash entries and enhances service menu handling. KTextEditor receives performance optimizations and additional C++ porting for sorting and unique functionalities. Kirigami continues to improve icon handling and toolbars, while KNewStuff and KWallet focus on making shared actions more reliable and enhancing crash handling.
  • KDE Gear 24.08.1: Akademy 2024 Videos are out, but a lot of efforts went into last month’s conference. Akonadi resolves a crash related to query cache eviction and fixes configuration file handling. Dolphin improves usability with fixes for button functionality and file list resizing, while Elisa enhances its Now Playing view and toolbar layout. Itinerary and Kalarm both receive updates for better dark mode handling and audio alarm functionality. Kdenlive addresses multiple timeline and rendering issues, optimized keyframe handling and fixes several bugs related to effects and transitions. Kate adds support for the Odin language in its formatter and Okular now sets tooltips for forms.

Key Package Updates

  • git 2.46.1: A clarification has been made to git checkout --ours to inform users they need to specify paths, avoiding confusion. An issue with git add -p failing for users with diff.suppressBlankEmpty was corrected. Additionally, git notes add -m '' --allow-empty no longer improperly invokes an editor, and unnecessary re-encoding operations for tracing have been removed.
  • qemu 9.1.0: The update introduces new migration capabilities, such as compression offload support via Intel In-Memory Analytics Accelerator (IAA) or User Space Accelerator Development Kit (UADK) and improved postcopy failure recovery. RISC-V architecture also sees support for several extensions, while x86 adds KVM support for AMD SEV-SNP guests and emulation for newer Intel CPU models like Ice Lake and Sapphire Rapids.
  • systemd 256.6: This version no longer attempts to restart udev socket units, addressing issue bsc#1228809 where safely restarting socket-activated services and their socket units simultaneously was problematic.
  • pipewire 1.2.4: The update addresses a crash during the cleanup of globals and enhances the RequestProcess dispatch mechanism. The Simple Plugin API framework now uses systemd-logind to detect new devices. Pulse-Code Modulation device handling is also improved.
  • GStreamer 1.24.8: The multimedia framework package improves handling in decodebin3 and encodebin for better media decoding and smart rendering, respectively. Enhancements for proper viewport resizing when video size changes were made and audio stream enhancements were made for better compatibility with Firefox. There were some stability fixes for wayland including crash prevention and Application Binary Interface corrections.
  • Mesa 24.1.7: This release continues to support OpenGL 4.6 and Vulkan 1.3, though the version reported depends on the specific driver used. Key bug fixes include resolving issues with smartcard logins, race conditions when generating enums, and artifacts in games such as Black Myth Wukong and DCS World with certain GPUs.
  • GTK4 4.16.1: This GTK Scene Graph Kit layer sees speed optimizations for Vulkan operations, reduces startup time by skipping unnecessary GL and Vulkan initialization and fixes a crash related to certain Vulkan drivers. Memory format conversions in GIMP Drawing Kit are now faster. The builder-tool has also been improved for better box conversion.
  • bash 5.2.37: This update has key patches to address issues such as an incorrect handling of quoted text during auto-completion and multibyte character handling in readline. The update resolves system compatibility with select and pselect availability and fixes a parsing issue in compound assignments during alias expansion. A typo in the autoconf test affecting strtold availability when compiled with GNU Compiler Collection 14 was corrected.
  • vim 9.1.0718: One notable fix in the text editor resolves issues with personal Vim runtime directory recognition. The update also addresses unnecessary NULL checks in parse_command_modifiers() and corrects color name parsing errors introduced in a previous version. Other improvements include updates to syntax highlighting for various file types such as HCL, Terraform, and tmux. Performance improvements include more efficient inserting with a count, and cursor position crashes were resolved.

Bug Fixes

  • curl 8.10.0:
    • CVE-2024-8096 was fixed; curl may have incorrectly validated certificates when using Online Certificate Status Protocol stapling, ignoring certain errors like ‘unauthorized’.
  • OpenSSL:
    • CVE-2024-41996 was fixed, which could have allowed remote attackers to trigger costly server-side DHE calculations via public key order validation in Diffie-Hellman.
  • postgresql17
    • CVE-2024-7348 fixes a race condition that could allow attackers to execute arbitrary SQL as the user running pg_dump.
  • python311: This package fixed a few CVEs. Here are a couple of fixes:
    • CVE-2024-4030 had a fix to ensure Unix “700” permissions are applied to secure the directory.
  • tiff 4.7.0:
    • CVE-2023-52356 had a segmentation fault allowing remote attackers to trigger a heap-buffer overflow that could cause a denial of service.
    • CVE-2024-7006 had a null pointer dereference that could trigger application crashes and cause denial of service.
  • LibreOffice 24.8.1.2
    • CVE-2024-5261 was fixed; TLS certificate verification was disabled, allowing improper certificate validation during document processing in third-party components.
  • Mozilla Firefox 130.0.1:
    • This release fixes several CVEs. One of the most critical fixes involves CVE-2024-8385, where a WASM type confusion issue could lead to exploitable vulnerabilities. Another significant fix is for CVE-2024-8381, which could trigger a type confusion vulnerability when looking up property names within a “with” block. CVE-2024-8388 fixed an issue where fullscreen notifications could be hidden on Android devices, potentially leading to UI spoofing attacks. Two memory safety bugs, CVE-2024-8387 and CVE-2024-8389, were also patched.
  • apr 1.7.5:
    • CVE-2023-49582 had shared memory permissions that could expose sensitive data to local users.

Conclusion

September 2024 brings important updates for Tumbleweed users. Security fixes across packages like PostgreSQL, libtiff, and LibreOffice ensure stability and security. Significant improvements were made in tools like systemd, git, and qemu, enhancing performance and compatibility. Noteworthy updates in PostgreSQL 17 and Harfbuzz 10 also bring major enhancements, contributing to a more robust and refined rolling release environment.

Stay updated with the latest snapshots by subscribing to the openSUSE Factory mailing list. For those Tumbleweed users who want to contribute or want to engage with detailed technological discussions, subscribe to the openSUSE Factory mailing list. The openSUSE team encourages users to continue participating through bug reports, feature suggestions and discussions.

Contributing to openSUSE Tumbleweed

Your contributions and feedback make openSUSE Tumbleweed better with every update. Whether reporting bugs, suggesting features, or participating in community discussions, your involvement is highly valued.

Quickstart in Full Disk Encryption with TPM and YaST2

This is a quick start guide for Full Disk Encryption with TPM or FIDO2 and YaST2 on openSUSE Tumbleweed. It focuses on the few steps needed to install openSUSE Tumbleweed with YaST2, using Full Disk Encryption secured by a TPM2 chip and measured boot or by a FIDO2 key.

Hardware Requirement:

  • UEFI Firmware
  • TPM2 Chip or FIDO2 key which supports the hmac-secret extension
  • 2GB Memory

Installation of openSUSE MicroOS

There is a separate Quickstart for openSUSE MicroOS.

Installation of openSUSE Tumbleweed

Boot installation media

  • Follow the workflow until “Suggested Partitioning”:
    • Partitioning: Select “Guided Setup” and “Enable Disk Encryption”, keep the other defaults
  • Continue Installation until “Installation Settings”:
    • Booting:
      • Change Boot Loader Type from “GRUB2 for EFI” to “Systemd Boot”, ignore “Systemd-boot support is work in progress” and continue
    • Software:
      • Install additional tpm2.0-tools, tpm2-0-tss and libtss2-tcti-device0
  • Finish Installation

Finish FDE Setup

Boot new system

  • Enter passphrase to unlock disk during boot
  • Login
  • Enroll system:
    • With TPM2 chip: sdbootutil enroll --method tpm2
    • With FIDO2 key: sdbootutil enroll --method fido2
  • Optional, but recommended:
    • Upgrade your LUKS key derivation function (do that for every encrypted device listed in /etc/crypttab):
            # cryptsetup luksConvertKey /dev/vdaX --pbkdf argon2id
            # cryptsetup luksConvertKey /dev/vdaY --pbkdf argon2id
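
To cover "every encrypted device listed in /etc/crypttab" from the optional step above, this added example (not part of the original guide) prints the luksConvertKey command for each LUKS entry of a crypttab file without running anything. The sample crypttab is constructed, and the function names, the mapping of UUID=/PARTUUID=/LABEL=/PARTLABEL= specifiers to /dev/disk/by-* paths and the skipping of plain, swap, tmp, tcrypt and bitlk entries are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: dry run that prints one "cryptsetup luksConvertKey" command
# per LUKS entry of a crypttab file. It never calls cryptsetup itself.

# Turn a crypttab device field into a device path (assumed udev symlink layout).
resolve_device() {
    case "$1" in
        UUID=*)      printf '/dev/disk/by-uuid/%s\n' "${1#UUID=}" ;;
        PARTUUID=*)  printf '/dev/disk/by-partuuid/%s\n' "${1#PARTUUID=}" ;;
        LABEL=*)     printf '/dev/disk/by-label/%s\n' "${1#LABEL=}" ;;
        PARTLABEL=*) printf '/dev/disk/by-partlabel/%s\n' "${1#PARTLABEL=}" ;;
        *)           printf '%s\n' "$1" ;;
    esac
}

# $1: path to a crypttab file. Fields per line: name, device, key file, options.
luks_convert_commands() {
    while read -r name device _key options _rest || [ -n "$name" ]; do
        # Skip blank lines, comments and malformed entries without a device.
        case "$name" in ''|'#'*) continue ;; esac
        [ -n "$device" ] || continue
        # plain, swap and tmp volumes have no LUKS header; tcrypt and bitlk
        # are other on-disk formats, so luksConvertKey does not apply to them.
        case ",$options," in
            *,plain,*|*,swap,*|*,tmp,*|*,tmp=*|*,tcrypt,*|*,bitlk,*) continue ;;
        esac
        printf 'cryptsetup luksConvertKey %s --pbkdf argon2id\n' \
            "$(resolve_device "$device")"
    done < "$1"
}

# Constructed sample crypttab (values are made up for this example).
sample_crypttab() {
    cat <<'EOF'
# <name>  <device>                                   <key>         <options>
cr_root   UUID=11111111-2222-3333-4444-555555555555  none          x-initrd.attach
cr_home   /dev/vda3                                  none          tpm2-device=auto

cr_swap   /dev/vda4                                  /dev/urandom  swap,cipher=aes-xts-plain64
EOF
}

# Demo on the sample; on a real system pass /etc/crypttab instead and review
# the printed commands before running them as root.
demo_file=$(mktemp)
sample_crypttab > "$demo_file"
luks_convert_commands "$demo_file"
rm -f "$demo_file"
```

Each printed command asks for the passphrase of the keyslot it converts, so run them one at a time.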
      

Adjusting kernel boot parameters

The configuration file for kernel command line options is /etc/kernel/cmdline.

After editing this file, call sdbootutil update-all-entries to update the bootloader configuration. If that option does not exist yet or does not work, a workaround is: sdbootutil remove-all-kernels && sdbootutil add-all-kernels.

Re-enrollment

If the prediction system fails, a new policy must be created for the new measurements to replace the policy stored in the TPM2.

If you have a recovery PIN:

  # sdbootutil --ask-pin update-predictions

If you don’t have the recovery PIN, you can set one with these steps:

  # sdbootutil unenroll --method=tpm2
  # PIN=<new recovery PIN> sdbootutil enroll --method=tpm2

Virtual Machines

If your machine is a VM, it is recommended to remove the “0” from the FDE_SEAL_PCR_LIST variable in /etc/sysconfig/fde-tools. An update of the hypervisor can change PCR0. Since such an update is not visible inside the VM, the PCR values cannot be updated. As a result, the disk cannot be decrypted automatically at the next boot: the recovery key needs to be entered and a manual re-enrollment is necessary.

Next Steps

The next steps will be:

  • Support grub2-BLS (grub2 following the Boot Loader Specification)
  • Add support to the installers (YaST2 and Agama)
  • Make this the default if a TPM2 chip is present

Any help is welcome!

Further Documentation

(Image made with DALL-E)
