
Welcome to English Planet openSUSE

This is a feed aggregator that collects what the contributors to the openSUSE Project are writing on their respective blogs
To have your blog added to this aggregator, please read the instructions

the avatar of Sebastian Kügler

55,041,902 Lines of Code

I did some exploration on KDE's code base. It's amazing what you can find when you have almost 30 years of public history in git.

In doing so I ran some statistics on KDE's core software. That core is relatively well-defined, even over the years. It's the libraries (Frameworks), the desktop (Plasma), and the standard applications shipped together on a regular release schedule (Gear). Of course there are other fine applications in Extragear and elsewhere, but I didn't look at them for now.

In 2009 I did an analysis of KDE's sources and found 4,273,291 lines of code. So I was curious to see where we are today. The numbers are not 100% comparable, because the shape of KDE's core software has changed a bit, but when you look at what is in git (omitting graphics, translations, and other non-code files) you find 8,173,148 lines of code.



But wait, didn't the title say 55,041,902 lines of code?

Yes, when you look at the history, there is more. There is churn, code gets added, code gets modified, code gets deleted. It evolves. So behind every line of code which is shipped today, there are about 7 lines of code which have been written, changed, deleted. This is what you find in git.



So 55 million lines of code have been written to arrive at 8 million lines of code today. They represent progress, learning, and adaptation to a changing world. You see life there.

The most amazing part for me is actually not the code itself, but that there are thousands of people behind this code who have worked together for decades to continuously improve KDE's software. That's the real story.

P.S. Take the numbers with a grain of salt. They are based on a couple of assumptions and influenced by quirks of tools and history. This is not science, it's the report of a hobby code historian.

the avatar of Nathan Wolf

Linux Saloon 201 | Tambourine Music Player

In a recent News Flight Night, discussions included Colin's use of his Surface Go with Cosmic Desktop, the release of Ubuntu 26.04 LTS, and updates on Framework Computer's Laptop 13 Pro. Topics also covered containerized apps and various Linux-related news, emphasizing community engagement and technological advancements.


Tumbleweed – Review of the week 2026/20

Dear Tumbleweed users and hackers,

This week was quite uneventful: another holiday on Thursday in my region (Ascension Day), which also explains the lack of a snapshot being published that day. Actually, while I was reviewing the openQA results, the next snapshot had already landed and discarded the old one. I really need to better keep up with our automatisms (better yet, tests should not fail, then I would not have to look at any test result to confirm/debug). Anyway, we managed to publish 5 Snapshots (0507, 0509, 0510, 0511, and 0512) this week.

The most relevant changes were:

  • fwupd 2.1.1
  • lcms 2.19.1
  • Linux kernel 7.0.5
  • Mesa 26.1.0
  • Mozilla Firefox 150.0.2
  • gawk 5.4.0
  • GCC 16.1.1
  • KDE Gear 24.04.1
  • KDE Frameworks 6.26.0
  • ffmpeg 8.1.1
  • PHP 8.5.6

The next snapshot (0514) is already in QA and, unless something comes up, should be released later today. Together with the staging projects, we can foresee these changes reaching the user base anytime soon:

  • AppArmor 5.0.0 (NOTE: SELinux is the default on new installations; upgraded installations, or users intentionally doing so, might still run AppArmor. cURL is newly confined and is only permitting read/write to $HOME and tmp-dir locations. Some scripts might trip on that. We had some openQA tests tripping on this as well (solved by staging the files in question via /tmp))
  • KDE Plasma 6.6.5
  • fwupd 2.1.3
  • GStreamer 1.28.3
  • Ruby 4.0.4
  • Linux kernel 7.0.7
  • gpg 2.5.20
  • Pipewire 1.6.5

the avatar of openSUSE News

Planet News Roundup

This is a roundup of articles from the openSUSE community listed on planet.opensuse.org.

The community blog feed aggregator lists the featured highlights below from May 8 to 14.

Blogs this week cover the Plasma 6.7 beta launch, the Sovereign Tech Fund's major investment in KDE, a leadership change on the openSUSE Board, two helpful Firefox tips, a Tumbleweed review, a new Plasmoid for displaying song lyrics, a KDE Frameworks update, and openSUSE Leap 15.6 reaching end of life.

Here is a summary and links for each post:

openSUSE Leap 15.6 Reaches End of Life – Time to Upgrade

Victorhck reports that openSUSE Leap 15.6 reached its official end of life on April 30, which means it will no longer receive security patches or official support. Users are advised to migrate to openSUSE Leap 16.0 to keep their systems up to date and secure.

Plasma 6.7 Beta Released

The KDE Blog announces the launch of the Plasma 6.7 beta and invites testers to try the new release and report any bugs at bugs.kde.org ahead of the final release. Key new features include a quick light/dark mode toggle in the Brightness and Color widget and a modern new print queue application with active job badges in the Printers widget.

The syslog-ng Insider 2026-05: OTEL; Central Log Collection; Old Mac

Peter Czanik’s Blog presents the 140th issue of the syslog-ng Insider monthly newsletter and covers three topics: how Databricks customers can stream logs to a data lakehouse using syslog-ng with OAuth2 authentication and the OpenTelemetry protocol; a reminder that central log collection is valuable far beyond mere compliance, benefiting operations, security, and development teams alike; and a guide to compiling the latest syslog-ng release on older Intel-based Macs where Homebrew no longer provides full support.

Sovereign Tech Fund Invests Over €1 Million in KDE

Victorhck covers the announcement that the Sovereign Tech Fund will invest €1,285,200 in the KDE community across 2026 and 2027. The funding is aimed at strengthening the structural reliability and security of KDE’s core infrastructure, including Plasma and the frameworks supporting KDE’s communication services. The author translates the official KDE announcement into Spanish and shares his thoughts on the significance of the investment for the free software ecosystem.

Plasma Lyrics Widget – View Song Lyrics in Plasma 6 (28)

The KDE Blog presents Plasma Lyrics, a new widget for KDE Plasma 6 that displays the lyrics of the currently playing songs directly on the desktop. This is the 28th entry in the blog’s ongoing series showcasing Plasmoids for Plasma 6, which is aimed at users who want richer desktop integration with their music player.

Fifth Update of Plasma 6.6

The KDE Blog announces the fifth bugfix update to KDE Plasma 6.6, which was released on May 12. The update brings improved animation fluidity on high-refresh-rate displays along with the usual bug fixes and stability improvements.

How to Change the Annoying Firefox “Not Found” Sound

Victorhck shares a practical tip for Firefox users annoyed by the jarring sound the browser plays when a text search via Ctrl+F finds no match on the page. The post walks through how to replace that default sound with a system sound of the user’s own choosing.

IA MED: Public Health, Privacy and Brazilian Technological Sovereignty

Alessandro’s Blog introduces IA MED, which is an AI solution developed by MultiCortex to bring advanced language models to the public health sector with a focus on precision, privacy, and data sovereignty. The system is already operational in the city of Bebedouro, São Paulo. The post argues that vertically specialized, locally hosted AI running on cost-effective hardware represents a viable and responsible alternative to generic cloud-based AI for public health systems across Brazil.

SOTAQUE: When AI Learns to Speak like a Brazilian

Alessandro’s Blog introduces SOTAQUE (Speech-Oriented Training Audio for Quality Understanding and Expression), which is a community-driven initiative to build an open dataset of Brazilian Portuguese voices that captures the country’s regional diversity of accents. The project, which is published under the CDLA-Permissive-2.0 license, aims to collect up to 10,000 hours of audio so that AI speech tools better represent all Brazilians rather than defaulting to a narrow Southeastern urban standard. Anyone over 18 in Brazil can contribute by recording just a few minutes of their own voice at sotaque.ia.br.

Firefox Not Displaying Japanese (or Chinese or Korean) Characters in Plasma

Victorhck explains how to fix the issue of Firefox displaying small empty squares instead of Japanese kanji characters when browsing the web on KDE Plasma. The solution involves installing the appropriate font packages to give the browser the rendering support it needs.

Framework Becomes a KDE Patron

The KDE Blog announces that Framework, the company behind the modular Framework Laptop, has become an official patron of KDE e.V., and joins existing supporters such as The Qt Company, SUSE, Google, Canonical, Slimbook, and Rocky Linux. Framework founder Nirav Patel noted that KDE is extremely popular within the Framework community, while KDE e.V. President Aleix Pol highlighted that Framework’s commitment to repairability strongly aligns with KDE’s own values of sustainability and open hardware.

malcontent: Disk Space Exhaustion via Globally Accessible D-Bus API (CVE-2026-44931)

The SUSE Security Team Blog discloses CVE-2026-44931, a local denial-of-service vulnerability in malcontent, the GNOME parental control system, introduced in version 0.14.0 as part of the GNOME 50 update packaged for openSUSE. The flaw allows any unprivileged local user to slowly exhaust disk space in /var/lib/malcontent-timerd by repeatedly calling the RecordUsage D-Bus method with arbitrary app identifiers, with no upstream fix currently available. The SUSE team reported the issue privately in February 2026 and, after receiving no follow-up from upstream despite repeated contact, proceeded with public disclosure to avoid further delay.

26th Update of KDE Frameworks 6 and the KArchive Library

The KDE Blog covers the 26th update to KDE Frameworks 6, highlighting improvements to the KArchive library among other fixes across the KDE software stack. The post follows the blog’s regular cadence of documenting each KDE Frameworks release for Spanish-speaking KDE users.

Linux Saloon 200 | Open Mic Night

CubicleNate’s Blog celebrates the 200th episode of the Linux Saloon podcast with an Open Mic Night format, where participants shared tech topics that were top of mind. Highlights included a hands-on look at the new Framework Laptop 13 Pro and its hardware improvements, a discussion about Brave’s new Origin browser on Linux, and a nostalgic trip back to the old internet covering GeoCities, webrings, and Homestar Runner.

openSUSE Board Leadership Change

Victorhck reports on the change at the top of the openSUSE Board. The post translates and expands on the official announcement of Gerald Pfeifer stepping down as chair on May 7 after nearly seven years in the role. He is succeeded by Jeff Mahoney, who was elected to the board in 2024.

ICC Profiles in HDR ❤️ – This Week in Plasma

The KDE Blog summarizes “This Week in Plasma” with headlines featuring new support for ICC color profiles in HDR mode. This addition is a significant step forward for color-accurate workflows on Linux, particularly for photographers and designers using HDR-capable displays.

USS/FMS Carrier

Jakub Steiner’s Blog dives into FMS Carrier, a tiny 2-operator FM synthesizer and sequencer for the Nintendo Game Boy Advance created by Ess Mattisson, the original designer of the Elektron Digitone. Jakub shares his enthusiasm for the sequencing workflow, which mirrors the building-block composition approach he loves on his Dirtywave M8 tracker.

Tumbleweed – Review of the Weeks 2026/18 & 19

Victorhck and Dominique Leuenberger cover nine Tumbleweed snapshots published across weeks 18 and 19. Major package arrivals include GNOME 50.1, Linux kernel 7.0.1 through 7.0.3, glibc 2.43, systemd 260.1, Boost 1.91.0, and Mozilla Firefox 150.0.

LliureX Turns 21 – Happy Birthday!

The KDE Blog celebrates the 21st anniversary of LliureX, a GNU/Linux distribution based on Ubuntu and KDE Plasma developed by the Valencian Community’s regional education authority in Spain. The project has been delivering a free software desktop tailored to educational environments in the Valencian Community for over two decades.

View more blogs or learn to publish your own on planet.opensuse.org.

the avatar of Open Build Service

Quick Filtering by Label

Recently, we have focused more of our efforts on small user experience changes around labelling. While not large by themselves, those tweaks have an outsized impact on the ease of interactions with the labels. These updates are part of the Labels and Foster Collaboration beta program. You can find more information about the beta program here. Our efforts to foster collaboration started in August 2024, when we introduced labels and bug report links. Next, we...


The syslog-ng Insider 2026-05: OTEL; central log collection; old Mac

Dear syslog-ng users,

This is the 140th issue of syslog-ng Insider, a monthly newsletter that brings you syslog-ng-related news.

Streaming syslog-ng data to your lakehouse using OTEL

Version 4.11.0 of syslog-ng contains contributions from Databricks related to OAuth2 authentication. Recently, they published a blog about how this enables their customers to send logs to their data lake using syslog-ng and the OpenTelemetry protocol.

https://www.syslog-ng.com/community/b/blog/posts/streaming-syslog-ng-data-to-your-lakehouse-using-opentelemetry

Central log collection - more than just compliance

I often hear, even at security conferences, “no central log collection here” or “we have something due to compliance”. Central logging is more than just compliance. It makes logs easier to use, available and secure, thus making your life easier in operations, security, development, but also in marketing, sales, and so on.

https://www.syslog-ng.com/community/b/blog/posts/central-log-collection—more-than-just-compliance

Compiling syslog-ng on an old Mac

I have an aging, but fully functional MacBook. I bought it for syslog-ng testing, but I also use it for watching movies. Homebrew no longer fully supports old, Intel-based Macs. This blog helps to compile the latest syslog-ng release on these old, but otherwise functional machines.

https://www.syslog-ng.com/community/b/blog/posts/compiling-syslog-ng-on-an-old-mac


Your feedback and news, or tips about the next issue are welcome. To read this newsletter online, visit: https://syslog-ng.com/blog/


malcontent: Disk Space Exhaustion via Globally Accessible D-Bus API (CVE-2026-44931)


Introduction

malcontent is a parental control system for the GNOME desktop environment that makes it possible to restrict access to adult Internet content and to track and limit the amount of screen time for children. As part of the GNOME 50 version update, malcontent 0.14.0 was packaged for openSUSE, triggering a review of changes in the package’s D-Bus methods and Polkit actions.

During this review we identified a local disk space exhaustion attack vector via one of the newly added D-Bus methods. There is currently no upstream bugfix available for the issue. The full details about the issue and communication with upstream will be provided in the following sections.

Review Summary

The complexity of malcontent increased a lot compared to the last time we looked into it. There now exist three different malcontent D-Bus daemons utilizing three different service user accounts and some additional daemons not providing D-Bus interfaces on top of that.

Some parts of the user tracking in malcontent suffer from race conditions. We believe this is acceptable, given that parental controls don’t need to be strong security boundaries; it is sufficient if the target audience (children) is not able to bypass the parental controls.

Disk Space Exhaustion Issue

The newly introduced RecordUsage D-Bus method in malcontent-timerd is problematic beyond the possibility to bypass parental controls. It allows arbitrary users in the system to slowly fill up disk space in /var/lib/malcontent-timerd. The following shell construct is a simple reproducer of the issue:

for I in `seq 100000`; do
    gdbus call -y -d org.freedesktop.MalcontentTimer1 \
        -o /org/freedesktop/MalcontentTimer1 \
        -m org.freedesktop.MalcontentTimer1.Child.RecordUsage \
        "[(0, 1000, \"app\", \"org.gnome.MyApp$I\")]"
done

The daemon will create an entry for every supposed GNOME app identifier passed to it in /var/lib/malcontent-timerd/store/<caller-username>.gvdb. This will slowly use up the disk space in /var and therefore is a local Denial-of-Service attack vector.

To fix the problem, the method call could be restricted to callers in local active sessions. Furthermore an upper limit of usage entries could be placed on every user account to prevent excess disk usage.
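The two mitigations suggested above, sketched in C as an added example (this is not malcontent's code and not part of the SUSE report). The cap of 4 entries, the identifier length bound, the `session_is_local_active` flag standing in for a session-manager lookup, and the reading of the first two tuple fields as start and end times are all assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_ENTRIES_PER_USER 4   /* assumed cap; tiny so the demo reaches it */
#define MAX_ID_LEN 64            /* assumed bound on identifier length */

typedef enum { REC_OK, REC_DENY_SESSION, REC_DENY_INVALID, REC_DENY_QUOTA } rec_result;

typedef struct {
    char id[MAX_ID_LEN];
    unsigned long seconds;       /* accumulated usage for this identifier */
} usage_entry;

typedef struct {
    size_t count;
    usage_entry entries[MAX_ENTRIES_PER_USER];
} user_store;

/* Hypothetical handler core. session_is_local_active stands in for the check
 * a real daemon would make with the session manager about the calling peer. */
rec_result record_usage(user_store *st, int session_is_local_active,
                        unsigned long start, unsigned long end, const char *id)
{
    if (!session_is_local_active)
        return REC_DENY_SESSION;
    size_t len = id ? strlen(id) : 0;
    if (len == 0 || len >= MAX_ID_LEN || end < start)
        return REC_DENY_INVALID;

    /* Known identifier: update in place, storage does not grow. */
    for (size_t i = 0; i < st->count; i++) {
        if (strcmp(st->entries[i].id, id) == 0) {
            st->entries[i].seconds += end - start;
            return REC_OK;
        }
    }
    /* New identifier: this is the only path that grows the store, so the
     * per-user cap is enforced here. */
    if (st->count >= MAX_ENTRIES_PER_USER)
        return REC_DENY_QUOTA;
    memcpy(st->entries[st->count].id, id, len + 1);
    st->entries[st->count].seconds = end - start;
    st->count++;
    return REC_OK;
}

/* Feeds the handler a fresh identifier per call, as the reproducer does,
 * and returns how many entries the store holds afterwards. */
size_t replay_flood(user_store *st, int calls)
{
    char id[MAX_ID_LEN];
    for (int i = 1; i <= calls; i++) {
        snprintf(id, sizeof id, "org.gnome.MyApp%d", i);
        record_usage(st, 1, 0, 1000, id);
    }
    return st->count;
}

int main(void)
{
    user_store st = {0};
    printf("entries after 100000 calls: %zu\n", replay_flood(&st, 100000));
    printf("known id still accepted: %d\n",
           record_usage(&st, 1, 0, 1000, "org.gnome.MyApp1") == REC_OK);
    printf("inactive session rejected: %d\n",
           record_usage(&st, 0, 0, 1000, "org.gnome.MyApp1") == REC_DENY_SESSION);
    return 0;
}
```

With the cap in place, storage per user is bounded regardless of how many distinct identifiers a caller submits, while legitimate updates to already-known applications keep working.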

Upstream Report

We reported this issue privately via the upstream’s GitLab bug tracker on 2026-02-18 offering coordinated disclosure. We only received an initial reply a couple of weeks later in which upstream confirmed the issue but also mentioned that there is a lack of developer resources for malcontent. At this time we expressed our opinion that a non-disclosure period would not be strictly necessary since the impact of the issue is not high. We never received further replies from upstream, so we decided to go public with this report to avoid wasting more time without a bugfix being developed.

CVE Assignment

Due to the lack of replies we could not discuss with upstream whether a CVE assignment is appropriate for this issue. Given that upstream at least basically confirmed the issue and there is no bugfix available we assigned CVE-2026-44931 to track the defect and to make others aware.

Timeline

2026-02-18 We created a private issue in the upstream GitLab, offering coordinated disclosure.
2026-03-11 Lacking a reaction we pinged the issue asking if anybody was reading it.
2026-03-11 An upstream developer responded confirming the issue and pointing out that little developer time is available for malcontent.
2026-03-23 We asked how upstream wants to continue regarding coordinated disclosure. We explained that in our view a non-disclosure period is not strictly necessary for the issue and pointed out that the maximum non-disclosure period we can offer is 90 days until 2026-05-19.
2026-04-09 Still without an answer we urged upstream once more to come to a decision and a path forward regarding the publication of the issue.
2026-04-21 We informed upstream that we would publish the report on our end if no reaction is received by 2026-04-30.
2026-05-05 We published our Bugzilla bug describing the issue.
2026-05-08 We assigned CVE-2026-44931 for the issue and communicated this in the upstream issue.
2026-05-11 Publication of this report.


the avatar of Nathan Wolf

Linux Saloon 200 | Open Mic Night

In a recent News Flight Night, discussions included Colin's use of his Surface Go with Cosmic Desktop, the release of Ubuntu 26.04 LTS, and updates on Framework Computer's Laptop 13 Pro. Topics also covered containerized apps and various Linux-related news, emphasizing community engagement and technological advancements.


USS/FMS Carrier

I'm a sucker for pixel art and very constrained music grooveboxes. While I'm not into chiptunes, they sure are a cultural phenomenon.

You heard me boast about the Dirtywave M8 numerous times, even in person, because it's my tool of choice for producing and performing music. Its genius lies in high sound quality and a workflow that grew out of the tiny screen and button constraints on the Nintendo Gameboy, the platform of choice for an app called LSDJ, which the M8 is modelled after. That, and the sheer amount of sound engines living in your pocket. Building on the shoulders of giants and all.

The small M8 community has a few 'celebrities', such as Ess Mattisson. I first heard of Ess when I ran into an amazing single channel track called Wertstoffe. Ess has a great pedigree as the creator of the original Digitone FM synthesizer while working at Elektron. FM remains his forte, and after creating numerous plugins through Fors, he has now released a little 2-operator FM synth and sequencer for the platform of the future, Nintendo Gameboy Advance.

Lo-bit Club logo animation FMS synth running on Gameboy Advance

What makes FMS a bit crazy is what it's doing under the hood. The Gameboy Advance has no FM synthesis hardware at all. Its audio gives you two Direct Sound DMA channels of 8-bit signed PCM — that's 256 amplitude levels, roughly 48 dB of dynamic range. For comparison, a CD has 96 dB, in much finer fidelity. The CPU is an ARM7TDMI running at 16.78 MHz with 256 KB of RAM, and that's where all the FM math happens. Sine waves, modulation, mixing four channels, all in real time, in software, on a chip from 2001 that was designed to shuffle sprites around. The hiss you hear is just part of the deal: quantization noise from that 8-bit DAC. So few amplitude steps means everything that comes out has this fuzzy, slightly crushed quality. You can't get rid of it. It is the sound. And somehow there are four channels of 2-operator FM synthesis in there, each with envelopes and ratio control. On a Gameboy Advance.

Picking GBA as a platform of choice in 2026 may be strange. Surprisingly, it can be used on a very large array of hardware. Not only can you plug a memory card into the original hardware or new fancy clones like the Analogue Pocket, you have an exponentially larger choice of dozens if not hundreds of Chinese emulator handhelds from Anbernic, Powkiddy, Miyoo or Retroid. You can also use the Steam Deck or any PC running one of the many emulators, RetroArch being the most popular one.

FMS really touched me. Partly because I have a soft spot for the Nordic demo scene, but mainly for its novel approach to composition. Just like with the M8, creating basic building blocks and then applying transposition to break the looping monotony is my favorite workflow. This little thing has that in the form of pattern and trig transposition but also a novel take on "effects". Yes, you heard me right. There's a sorta-kinda-delay. Even does stereo field ping-pong.

I will keep on trying to create something that … sounds good. The process has been amazing. I truly love some of the sequencing tricks and workflows. The sequencer is, however, so good it would be worth seeing it run on top of a higher quality sound engine too.