
the avatar of Nathan Wolf

Daily Driving Thunderbird

The author transitioned from KDE's Kontact to Thunderbird for personal information management due to increasing issues with Kontact. Thunderbird proved to enhance productivity significantly, offering robust email and calendar integrations, especially with Google Calendar and Microsoft Office 365. Despite some rough edges, the author appreciates Thunderbird's reliability and flexibility and looks forward to exploring its add-ons.

the avatar of openSUSE News

Try Xfce on Wayland with openSUSE Leap 16.0 RC

Entering RC Phase

openSUSE Leap 16.0 has officially transitioned from Beta into the Release Candidate phase with Build 148.4.

The biggest challenge for the Release Team prior to the autumn release is source code management, as we want to transition both Tumbleweed and Leap 16.0 from legacy OBS SCM to Git.
This will also require a new maintenance model for Leap.

Users can expect a few more builds before we announce our Gold Master candidate.
Given the nature of Leap 16 being built on top of binaries from SUSE Linux Enterprise 16, we can only do so once SUSE Linux Enterprise 16.0 announces their Gold Master in late September.

If all goes well with the maintenance setup we could aim for the delivery according to the roadmap in October shortly before SLES 16.0.

More details can be found in the roadmap and now also at calendar.opensuse.org.

New installer

Leap 16.0 uses the latest Agama for both online and offline installation. You can get install images at get.opensuse.org. Alternatively, users can pick one of our appliance images.

Being among the first to deliver Xfce on Wayland

We offer only Wayland-based Desktop Environments in the installer. Xfce on Wayland has recently joined the list.
Thanks to the openSUSE Xfce team, we’re among the first to deliver it as an experimental preview to users.
The Xfce mailing list was quite active as we were getting closer to RC.

Users can enjoy the minimalistic Wayland-friendly greetd and gtkgreet as a replacement for LightDM.

Get the Leap 16.0 install image and try it out!

Please be aware that the Wayland support in Xfce is experimental and there are plenty of issues.
We could use help in improving our patterns and making the experience with Wayland-ready apps on Xfce more complete.
Join the Xfce mailing list if you’re interested in the effort.

YaST stack reduction

A clean install of Leap 16.0 comes with no YaST packages installed.
Users can use the new package Myrlyn, which is a drop-in replacement for legacy YaST Software Management, which provided a bit more than just a nice UI frontend to Zypper.
A limited set of YaST packages will still be around as Agama depends on them, therefore they won’t be dropped on migration.
The long-term goal is to move toward Cockpit instead.

SELinux is the new default

All new installations will use SELinux by default.
Users can switch to AppArmor post installation.

Steam, Wine, 32-bit support

SUSE Linux Enterprise 16.0 does not support 32-bit binary execution.
Leap users can install grub2-compat-ia32, which enables it by passing ia32_emulation=1 to the kernel.
We’ve recently dropped Steam from the Non-OSS repository due to a limited set of 32-bit libraries.
Steam users will want to install selinux-policy-targeted-gaming, which is not installed by default.

New Repository structure and parallel downloads in zypper

The biggest change for users migrating from 15.6 will likely be the absence of dedicated update repositories for SLES packages.
Leap 16.0 essentially uses just a single repository, repo-oss, that contains both community and SLES packages and their respective updates.
We now use separate repodata per architecture, as well as parallel downloads in Zypper for a more “snappy” user experience.

Migration

I personally advise Leap 15.6 users migrating to 16.0 to look into the new opensuse-migration-tool.
The tool has some useful optional post-migration scripts such as 32-bit binary enablement, migration from PulseAudio to PipeWire, and AppArmor/SELinux selection.

sudo zypper in opensuse-migration-tool
opensuse-migration-tool --dry-run # optionally check how it looks
sudo opensuse-migration-tool

Users migrating manually will want to drop all update repositories and keep only oss/non-oss repos prior to running zypper --releasever 16.0 dup.
Details are at our System upgrade wiki page.
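
One way to preview that manual clean-up before changing anything, as an added example (not from the openSUSE post or from opensuse-migration-tool): the script reads .repo definitions, keeps only enabled repos whose baseurl ends in /repo/oss or /repo/non-oss, and prints the zypper commands for the rest. The URL rule, the sample repo definitions and the mirror.example host are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: dry-run planner for the manual repo clean-up that precedes
# "zypper --releasever 16.0 dup". It only prints; nothing is modified.

# Classify every repo defined in DIR/*.repo as keep / disable / skip.
# Assumption: a repo counts as oss/non-oss when its baseurl ends in
# /repo/oss or /repo/non-oss; adjust the pattern for other mirror layouts.
# Assumption: a repo without an "enabled=" key is treated as enabled.
plan_repo_changes() {
    repo_dir="${1:-/etc/zypp/repos.d}"
    for repo_file in "$repo_dir"/*.repo; do
        [ -e "$repo_file" ] || continue
        awk '
            function emit() {
                if (alias == "") return
                if (enabled != "1")
                    printf "skip    %s (already disabled)\n", alias
                else if (url ~ /\/repo\/(oss|non-oss)\/?$/)
                    printf "keep    %s\n", alias
                else
                    printf "disable %s\n", alias
            }
            /^\[.*\]$/ {
                emit()
                alias = substr($0, 2, length($0) - 2)
                enabled = "1"; url = ""
                next
            }
            /^enabled[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); enabled = $0; next }
            /^baseurl[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); url = $0; next }
            END { emit() }
        ' "$repo_file"
    done
}

# Turn the plan into the commands to review and then run as root.
# Assumption: repo aliases contain no whitespace.
emit_zypper_commands() {
    plan_repo_changes "$1" | while read -r action alias_name _rest; do
        if [ "$action" = disable ]; then
            printf "zypper modifyrepo --disable '%s'\n" "$alias_name"
        fi
    done
    printf 'zypper --releasever 16.0 dup\n'
}

# Constructed sample repo definitions (not copied from a real system).
make_sample_repos() {
    cat > "$1/10-dist.repo" <<'EOF'
[repo-oss]
enabled=1
baseurl=https://mirror.example/distribution/leap/$releasever/repo/oss/

[repo-non-oss]
enabled=1
baseurl=https://mirror.example/distribution/leap/$releasever/repo/non-oss/
EOF
    cat > "$1/20-update.repo" <<'EOF'
[repo-update]
enabled=1
baseurl=https://mirror.example/update/leap/$releasever/oss/

[repo-sle-update]
enabled=1
baseurl=https://mirror.example/update/leap/$releasever/sle/

[extra-disabled]
enabled=0
baseurl=https://mirror.example/extra/
EOF
}

# Demo on the constructed sample; point the functions at /etc/zypp/repos.d
# to plan against a real system.
demo_dir=$(mktemp -d)
make_sample_repos "$demo_dir"
plan_repo_changes "$demo_dir"
emit_zypper_commands "$demo_dir"
rm -rf "$demo_dir"
```

Review the printed plan before running any of the commands; third-party repositories fall under "disable" with this rule and can be re-enabled after the upgrade.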

Revamped release notes

A preview of our new modular release-notes can be found here.
We were able to reduce the build/publish infrastructure for Release Notes to basically just GitHub, as the installer no longer requires an RPM with a local copy of release notes.

Submitting Bug Reports

Your feedback is critical at this stage.

We know that people really start testing a new release with the RC. Please report any issues on bugzilla.opensuse.org. Please make sure to check the Known bugs wiki page prior to reporting a new bug.

Thank you for testing and being part of the openSUSE community. Let’s shape Leap 16.0 together!

the avatar of Nathan Wolf

35-Key Bluetooth Number Pad and Cover

The author discusses their preference for a compact laptop and the necessity of a number pad for tasks like light accounting while traveling. They highlight the benefits of a specific number pad that complements their Framework Laptop 13, emphasizing its Bluetooth functionality, compact design, and the creation of a protective cover to safeguard it during transport.

the avatar of openSUSE News

Tumbleweed Monthly Update - July 2025

Several software packages were updated in openSUSE Tumbleweed during July, bringing a large number of enhancements, new features and critical security fixes across a wide range of components.

Major upgrades included hwinfo 25, systemd-rpm-macros 26 and Amarok 3.3.0. A couple of GStreamer updates also landed in the rolling release along with curl 8.15.0, nvme-cli 2.15 and more.

These advancements were complemented by updates to the KDE ecosystem, including Plasma 6.4.3, KDE Frameworks 6.16.0 and KDE Gear 25.04.3. Other essential tools like vim 9.1.1508 gained Wayland clipboard support and improved language syntax, while myrlyn 0.9.7 enhances secure privilege escalation.

As always, be sure to roll back using snapper if any issues arise.

For more details on the change logs for the month, visit the openSUSE Factory mailing list.

New Features and Enhancements

hwinfo 25.0: This major release introduces several new features and improvements that enhance hardware detection and reporting capabilities. There were USB improvements that add support for capturing USB alternate settings and interface associations, which allows for more accurate classification and detailed reporting of complex USB devices. There is new support for reporting NVMe-oF (NVMe over Fabrics) and iSCSI device information that is more useful in enterprise and networked storage environments.

systemd-rpm-macros 26: This new version adds the %udev_trigger_with_reload() macro, which ensures packages properly trigger udev events and reload rule files. Changes align with transactional system behavior and certain changes only take effect after reboot. Packages requiring user or group creation during installation should now use sysusers_create_package() to ensure correct file ownership during installation.

amarok 3.3.0: The music player is now based on Qt 6 and KDE Frameworks 6. The release features a reworked GStreamer-based audio engine to improve playback support and flexibility. This version also includes important internal improvements like upgrading the database character set to support full UTF-8 values and enhancing compatibility with non-Latin characters in music metadata.

KDE Frameworks 6.16.0: Notable updates include safer compression handling in KArchive, improved file renaming in KIO, expanded accessibility in Properties dialogs, and enhanced timezone and date handling in KCoreAddons. Kirigami receives critical crash fixes and design refinements, while Breeze Icons adds new device and action icons. Developers working in Python get new example integrations for KDateValidator and KIconUtils. Syntax highlighting expands with better Perl, HTML, and XML support.

KDE Plasma 6.4.3 and 6.4.2: With 6.4.3, KWin Window Manager and Wayland Compositor gain updates that improve the user experience, including better handling of tablet input and high-resolution (HiDPI) displays, and smoother resizing and scaling for applications and windows. Pop-up windows now close correctly when switching between applications, and panels such as the taskbar function. Multi-monitor setups also benefit from improved screen calibration and output identification. The lock screen has been adjusted to avoid immediately prompting for a password after activation to give users more control. A race condition that could affect login via PAM has been mitigated and the software center Discover now highlights interactive actions more clearly when pressed. The Plasma Welcome screen has been updated to be more accessible and user-friendly.

KDE Gear 25.04.3: This release early in the month brought fixes for better link handling in Akregator, improved file compression in Ark, and a fix for search not opening in Audiotube. Dolphin no longer leaks system resources when viewing folder properties and KAlarm prevents pop-up messages from stealing focus. Kitinerary adds support for more travel confirmations including LeShuttle, DJH, Eurostar, and Leo Express, which have better handling of dates, languages, and ticket formats. Other fixes include improved PDF ticket support, better handling of membership cards, and enhanced public transport data.

myrlyn 0.9.7: In this new version, myrlyn-sudo now builds its own environment, helping avoid issues with XWayland and ensuring the XDG_RUNTIME_DIR environment variable is preserved. This makes running programs with elevated permissions smoother and more secure. The update improves how configuration files are handled and provides cleaner code and better formatting in .desktop files. A new Root Authentication help menu was added to assist users during setup, and support for prompt arguments in myrlyn-askpass has been introduced. Several issues were fixed, including how file paths and environment variables are handled during system commands. A number of small bugs related to style, typos, and configuration backups have also been addressed.

vim 9.1.1508: This release improves file type handling, correctly recognizing files used by programming languages like Haxe, Numbat, QuickBMS, and Flix. It also adds new navigation shortcuts for Go and enhances syntax highlighting for better readability. A fix adds Wayland clipboard support and allows users on modern Linux desktops to copy and paste text seamlessly between Vim and other applications. The update also ensures symlinks are properly resolved when changing directories with the cd command.

Key Package Updates

kernel-source 6.15.8, 6.15.7, 6.15.5 and 6.15.4: Four kernels arrived during the month. The 6.15.8 version had a key fix for KVM on x86/xen. It did this by correcting cleanup logic in the emulation of Xen schedop poll hypercalls, which helps ensure more reliable virtualization performance. Another significant update improves the SMB client by making smbd_post_send_iter() respect the peer’s maximum send size. The 6.15.7 version improves Bluetooth reliability and prevents disconnection issues. The kernel also had fixes for memory leaks, connection problems and network drivers and protocols like vsock, tcp, phy, atm, stmmac to prevent crashes. It also enhanced audio driver compatibility with Intel and Qualcomm hardware. The 6.15.5 Linux kernel made fixes across the networking stack, including virtio-net, txgbe, and Bluetooth subsystems. RTC drivers received minor corrections, while MMC/SDHCI updates enhanced SD card error handling and UHS-II support. The update also addressed crashes in modules such as ALSA, RDMA, VSOCK, and SCSI. The 6.15.4 version resolves a regression in io_uring and improves memory accounting and stability for asynchronous I/O operations. Several crypto drivers, including qat and marvell/cesa, now handle shutdowns and request chaining more reliably.

Mesa 25.1.6 and 25.1.5: The 25.1.6 release resolves a range of critical issues affecting both everyday desktop users and gamers. These fixes include resolving graphics glitches in Team Fortress 2, preventing crashes in applications like sddm-greeter when using modern drivers (nvk + zink), and stopping system reboots or crashes on FirePro W4100 cards. The release also fixes memory leaks, Vulkan threading issues on X11, and several driver-specific regressions for AMD, Intel, and arm. Like 25.1.6, there were no new features in the 25.1.5 release but it did address several crashes, memory issues, rendering glitches and regressions across drivers and platforms. Notably, this release resolves problems like ground texture flickering in DOTA 2, GPU process crashes with WebGPU shaders, and driver-specific Vulkan and OpenGL inconsistencies. Fixes cover a wide range of drivers and tools, including AMD radeonsi, Intel support, as well as panfrost, zink, and Vulkan components such as anv and radv.

curl 8.15.0: This update has better handling of non-blocking input and fixes for long-standing bugs in SFTP path handling (like /~) and LDAP integration. The --retry option now correctly reports exit codes and makes automation scripts more reliable. Under the hood, OpenSSL sees several fixes for buffered data, engine usage, and PKCS#11 provider checks, while HTTP/2 and HTTP/3 reporting are now more consistent. The addition of CURLINFO_TLS_SSL_PTR for QUIC connections helps developers debug encrypted transfers.

bind 9.20.11: This release addresses a critical security issue that could cause the named resolver process to crash when stale-answer-client-timeout was set to 0. This update also introduces support for the CO flag in the dig tool. Bug fixes include correcting the default interface-interval from 60 seconds to 60 minutes, which resolves a purge-keys issue when zones use multiple views, and ensuring delv +ns now properly performs IPv6 queries.

ddcutil 2.2.1: This package, which improves reliability and usability for users who adjust monitor settings from the command line, fixes several bugs that could cause crashes or incorrect behavior when communicating with displays using DDC/CI, especially on systems with older Nvidia drivers or when using the KDE Plasma desktop environment. Users should experience more reliable detection and communication with displays, better feedback during command execution, and fewer issues with power management tools like KDE PowerDevil. It also adds better reporting when running as root or with elevated privileges, and improves error messages for more meaningful feedback during display configuration.

netpbm 11.11.0: This image processing toolkit has tools like pamflip, which now support -inverse and -reflect for easier transformations, and smoother circle drawing has been implemented via floating-point calculations. Utilities like pnmquantall, ppmtogif, and pnmtofiasco received critical security and stability fixes that address vulnerabilities and long-standing issues dating back over a decade. File naming in pamdice has also been corrected to avoid unnecessary slice digits.

php8 8.4.10: This update has improvements that include fixes for memory leaks in curl, openssl, intl, and pdo_sqlite, better error handling in pg_cancel_query() and SOAP, and corrected behavior in DatePeriod, SimpleXML, and DOM. Several critical vulnerabilities were also resolved and this release enhances overall reliability for developers using PHP in web, CLI, and FPM contexts.

xen 4.20.1: This update addresses several critical issues, including security vulnerabilities such as XSA-471, which mitigates AMD-based transient execution attacks, and XSA-470.

sudo 1.9.17p1: This release improves security by enforcing stricter behavior when resolving environment settings and password requirements. Other fixes include improved password handling in edge cases (e.g., via pwfeedback), better SSH suggestions when no terminal is allocated, and safeguards against information leaks in sudo -l. There’s also improved behavior when run from serial consoles, a return to using TCSAFLUSH to discard stray password input, and added support for SUDO_TTY to track the user’s original terminal.

GStreamer 1.26.4 and 1.26.3: The multimedia framework 1.26.4 update resolves issues with reverse playback in adaptive streaming and improves compatibility with services like AWS MediaLive and LiveKit. The update also adds support for more precise timestamping in MP4 files and fixes potential deadlocks when using WebRTC, which is common in video conferencing apps. Version 1.26.3 resolves a security issue in the H.266 video parser and fixes problems with WAV files and subtitles that could previously cause crashes or excessive memory usage. Improvements were made to video caption rendering, audio/video sync, large MP4 file creation, and support for live video formats like MPEG-TS and fragmented MP4. A new AI speech synthesis feature using the ElevenLabs API was added, and improvements were made to accessibility features like closed captions.

nvme-cli 2.15: This release adds new commands for power management, arbitration, volatile write cache control, temperature thresholds, and timestamps, giving users more insight and control over their devices. Output formatting has been expanded with more detailed and verbose logs. Plugins for major vendors such as HPE, Western Digital, NetApp, Micron, and MangoBoost received updates for broader device support and improved error handling. Memory handling and device discovery were improved to prevent leaks and incorrect reporting, while new NUMA and arbitration features align with libnvme changes.

libnvme 1.15: This update improves system stability and compatibility by fixing memory handling issues, refining documentation, and enhancing support for power management, health monitoring, and temperature thresholds. It also adds better handling for NVMe path discovery. Numerous tests were added or extended to cover ioctl functions, sysfs handling, and feature sets to boost overall reliability. Documentation was refreshed.

Bug Fixes and Security Updates

Several key security vulnerabilities were addressed this month. The Common Vulnerabilities and Exposures (CVEs) fixed are:

Security Updates

sudo 1.9.17p1:

  • CVE-2025-32462: Fixed local privilege escalation vulnerability in sudo via the --host option.
  • CVE-2025-32463: Resolved local privilege escalation issue in sudo related to the chroot option.

qt6-base:

  • CVE-2025-5992: Prevented denial-of-service via out-of-range values in Qt’s QColorTransferGenericFunction.

bind 9.20.11:

  • CVE-2025-40777: Fixed a heap buffer overflow in libvirt’s secret_xml_extract_value() that could lead to remote code execution.

ImageMagick 7.1.2.0:

  • CVE-2025-53101: Fixed improper validation in OpenJDK’s XML parsing, preventing crafted XML attacks.
  • CVE-2025-53014: Patched integer overflow in libjpeg-turbo’s JPEG decompression that could cause crashes.
  • CVE-2025-53015: Addressed buffer underflow in libjpeg-turbo during color space conversion.
  • CVE-2025-53019: Fixed out-of-bounds write in libjpeg-turbo’s progressive JPEG decoder.

libavif:

  • CVE-2025-48175: Patched stack buffer overflow in Bash when expanding environment variables.
  • CVE-2025-48174: Fixed use-after-free in Bash’s associative array handling during parameter expansion.

php8 8.4.10:

  • CVE-2025-1735: Fixed improper URL validation in Apache HTTP Server leading to possible path traversal.
  • CVE-2025-6491: Patched integer overflow in SQLite vulnerable to denial-of-service via crafted queries.
  • CVE-2025-1220: Resolved out-of-bounds read in libpng when processing malformed PNG chunks.

git 2.50.1:

  • CVE-2025-27613: Fixed integer overflow in libxml2’s DTD parsing with malicious entities.
  • CVE-2025-27614: Patched buffer overflow in libxml2’s XML external entity handling.
  • CVE-2025-46334: Addressed memory leak in systemd when processing malformed unit files.
  • CVE-2025-46835: Fixed out-of-bounds read in zlib during deflate processing of crafted data.
  • CVE-2025-48384: Resolved use-after-free in PulseAudio’s module loading when unloading quickly.
  • CVE-2025-48385: Patched buffer under-read in PulseAudio’s sample format conversion.
  • CVE-2025-48386: Fixed race condition in PulseAudio’s client disconnect handling causing crashes.

apache2-mod_php8 8.4.10:

  • CVE-2025-1735: Fixed improper URL validation in Apache HTTP Server leading to possible path traversal.
  • CVE-2025-6491: Patched integer overflow in SQLite vulnerable to denial-of-service via crafted queries.
  • CVE-2025-1220: Resolved out-of-bounds read in libpng when processing malformed PNG chunks.

xen 4.20.1:

  • CVE-2025-27465: Fixed incorrect exception handling in Xen’s x86 instruction replay stubs, which could lead to a hypervisor crash and cause Denial of Service (DoS) by an unprivileged guest.

poppler 25.06.0:

  • CVE-2025-52886: Fixed out-of-bounds read in libxml2’s xmlParseNameComplex() that could lead to denial of service (DoS).

Mozilla Firefox 141 and 140:

  • CVE-2025-8027: Fixed JavaScript engine bug where only a partial return value was written to the stack.
  • CVE-2025-8028: Addressed issue where a large branch table could lead to truncated instructions.
  • CVE-2025-8041: Corrected URL truncation flaw in Firefox for Android.
  • CVE-2025-8042: Patched issue allowing sandboxed iframes to initiate downloads.
  • CVE-2025-8029: Fixed vulnerability where javascript: URLs could execute in <object> and <embed> tags.
  • CVE-2025-8036: Resolved DNS rebinding issue that allowed circumvention of CORS restrictions.
  • CVE-2025-8037: Patched vulnerability where nameless cookies could shadow secure cookies.
  • CVE-2025-8030: Fixed potential user-assisted code execution risk in the “Copy as cURL” developer tool command.
  • CVE-2025-8043: Addressed another incorrect URL truncation issue.
  • CVE-2025-8031: Corrected improper URL stripping in CSP (Content Security Policy) reports.
  • CVE-2025-8032: Fixed XSLT documents being able to bypass CSP restrictions.
  • CVE-2025-8038: Patched enforcement issue where CSP frame-src was not correctly applied to paths.
  • CVE-2025-8039: Resolved privacy issue where search terms persisted in the URL bar.
  • CVE-2025-8033: Fixed JavaScript state machine bug affecting generator functions.
  • CVE-2025-8044: Patched memory safety bugs in Firefox 141 and Thunderbird 141.
  • CVE-2025-8034: Fixed memory safety vulnerabilities in Firefox ESR 115.26, ESR 128.13, ESR 140.1, Firefox 141, and corresponding Thunderbird versions.
  • CVE-2025-8040: Resolved memory safety bugs in Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox 141, and Thunderbird 141.
  • CVE-2025-8035: Patched memory safety vulnerabilities in Firefox ESR 128.13, ESR 140.1, Firefox 141, and corresponding Thunderbird versions.
  • CVE-2025-6424: Use-after-free in FontFaceSet.
  • CVE-2025-6425: The WebCompat WebExtension shipped with Firefox exposed a persistent UUID.
  • CVE-2025-6426: No warning when opening executable terminal files on macOS.
  • CVE-2025-6427: connect-src Content Security Policy restriction could be bypassed.
  • CVE-2025-6429: Incorrect parsing of URLs could have allowed embedding of youtube.com.
  • CVE-2025-6430: Content-Disposition header ignored when a file is included in an embed or object tag.
  • CVE-2025-6431: An attacker could have bypassed this prompt, potentially exposing the user to security vulnerabilities or privacy leaks in external applications.

mozjs128 128.13.0 and 128.12.0:

  • CVE-2025-8027: Fixed JavaScript engine bug where only a partial return value was written to the stack.
  • CVE-2025-8028: Addressed vulnerability where a large branch table could cause truncated instructions.
  • CVE-2025-8029: Fixed issue allowing javascript: URLs to execute in <object> and <embed> tags.
  • CVE-2025-8030: Patched potential user-assisted code execution vulnerability in the “Copy as cURL” command.
  • CVE-2025-8031: Corrected improper URL stripping in Content Security Policy (CSP) reports.
  • CVE-2025-8032: Fixed flaw allowing XSLT documents to bypass CSP restrictions.
  • CVE-2025-8033: Addressed JavaScript state machine bug affecting generator functions.
  • CVE-2025-8034: Patched multiple memory safety bugs in Firefox ESR 115.26, ESR 128.13, ESR 140.1, Firefox 141, and corresponding Thunderbird versions.
  • CVE-2025-8035: Fixed memory safety vulnerabilities in Firefox ESR 128.13, ESR 140.1, Firefox 141, and corresponding Thunderbird versions.
  • CVE-2025-6424: Fixed use-after-free vulnerability in FontFaceSet that could lead to memory corruption.
  • CVE-2025-6425: Resolved exposure of a persistent UUID via the WebCompat WebExtension.
  • CVE-2025-6426: Addressed lack of warning when opening executable terminal files on macOS.
  • CVE-2025-6429: Fixed URL parsing flaw that could allow embedding content from youtube.com improperly.
  • CVE-2025-6430: Corrected handling of the Content-Disposition header when files are included via <embed> or <object>.
  • CVE-2025-5283: Fixed double-free vulnerability in the libvpx encoder.
  • CVE-2025-5263: Patched improper isolation of error handling for script execution from web content.
  • CVE-2025-5264: Fixed local code execution risk in the “Copy as cURL” developer tool command.
  • CVE-2025-5265: Addressed another local code execution vector via the “Copy as cURL” command.
  • CVE-2025-5266: Resolved cross-origin information leak through script element events.
  • CVE-2025-5267: Fixed clickjacking vulnerability that could expose saved payment card details.
  • CVE-2025-5268: Patched multiple memory safety issues in Firefox 139, Thunderbird 139, and ESR 128.11 releases.
  • CVE-2025-5269: Fixed additional memory safety bug in Firefox ESR 128.11 and Thunderbird 128.11.

openssl-3 3.5.1:

  • CVE-2025-5278: Fixed unintended evaluation of stylesheet rules in WebKit.
  • CVE-2025-4575: Corrected OpenSSL’s -addreject flag misuse to prevent unintended trust marks.

raptor:

  • CVE-2024-57822: Patched memory corruption in LibreOffice’s XML parser via crafted documents.
  • CVE-2024-57823: Addressed use-after-free in LibreOffice’s graphics handling layer.

djvulibre 3.5.29:

  • CVE-2025-53367: Fixed various bugs, added corrupted file tests, and resolved clang warning issues.
  • CVE-2021-32490: Fixed out-of-bounds write in DjVu decode function.
  • CVE-2021-32491: Resolved memory corruption via malformed JB2 streams.
  • CVE-2021-32492: Addressed improper bounds checks in the IW44 decompression code.
  • CVE-2021-32493: Fixed heap buffer overflow in the RLE decoder.
  • CVE-2021-46310: Patched denial-of-service vulnerability due to infinite loop in JBIG2 decoding.

libxml2:

  • CVE-2025-49794: Fixed heap use-after-free vulnerability that could lead to denial of service (DoS).
  • CVE-2025-49795: Patched null pointer dereference issue that could cause a denial of service (DoS).
  • CVE-2025-49796: Resolved type confusion vulnerability potentially leading to denial of service (DoS).
  • CVE-2025-6021: Fixed integer overflow in xmlBuildQName() that could cause a stack buffer overflow.
  • CVE-2025-6170: Addressed stack buffer overflow vulnerability that could result in application crashes.

apache2 2.4.64:

  • CVE-2025-53020: Fixed denial-of-service vulnerability in Apache HTTP Server’s HTTP/2 implementation that could cause excessive memory usage.
  • CVE-2025-49812: Addressed TLS upgrade attack in mod_ssl that could compromise encrypted connections.
  • CVE-2025-49630: Patched denial-of-service issue in mod_proxy_http2.
  • CVE-2025-23048: Fixed access control bypass in mod_ssl when using TLS session resumption.
  • CVE-2024-47252: Corrected improper escaping of variables in mod_ssl error logs.
  • CVE-2024-43394: Resolved SSRF vulnerability on Windows caused by improper handling of UNC paths.
  • CVE-2024-43204: Fixed SSRF issue when mod_headers was used to set the Content-Type header.
  • CVE-2024-42516: Patched HTTP response splitting vulnerability in Apache HTTP Server.
  • CVE-2025-54090: Fixed logical flaw in Apache HTTP Server 2.4.64.

Users are advised to update to the latest versions to mitigate these vulnerabilities.

Conclusion

July continued openSUSE Tumbleweed’s tradition of delivering powerful improvements to the Linux desktop and infrastructure stack. From hardware tools like hwinfo to desktop environments powered by KDE Plasma 6.4.3, and from multimedia upgrades in GStreamer to security-focused enhancements in sudo, bind, and libxml2, the rolling release reinforced its reputation for cutting-edge stability. With critical CVEs addressed across dozens of core packages, users benefit not only from new features but also from hardened security.

Slowroll Arrivals

Please note that these updates also apply to Slowroll and arrive on average 5 to 10 days after being released in a Tumbleweed snapshot. This monthly approach has been consistent for many months, ensuring stability and timely enhancements for users. Updated packages for Slowroll are regularly published in emails on the openSUSE Factory mailing list.

Contributing to openSUSE Tumbleweed

Stay updated with the latest snapshots by subscribing to the openSUSE Factory mailing list. For those Tumbleweed users who want to contribute or want to engage with detailed technological discussions, subscribe to the openSUSE Factory mailing list. The openSUSE team encourages users to continue participating through bug reports, feature suggestions and discussions.

Your contributions and feedback make openSUSE Tumbleweed better with every update. Whether reporting bugs, suggesting features, or participating in community discussions, your involvement is highly valued.


the avatar of Open Build Service

OBS: Refining Your Notifications

We’re back with a couple of features and improvements that landed recently. Together with some performance enhancements, these updates, driven by your feedback, aim to improve your experience with the OBS notifications.

Get What You Need

If you find yourself receiving a high volume of notifications, we highly recommend visiting your subscriptions page to fine-tune what you see. This allows you to narrow down your notifications and ensure your feed is as relevant as possible....


the avatar of openSUSE News

Planet News Roundup

This is a roundup of articles from the openSUSE community listed on planet.opensuse.org.

Below are featured highlights listed on the community’s blog feed aggregator from July 21 to 27. Some of the most recent blogs cover openSUSE Conference 2025, updates on Tumbleweed developments, and important security insights.

Here is a summary and links for each post:

openSUSE Conference 2025 Highlights

openSUSE Conference 2025 - Ish Sookun shared his experience attending oSC25 in Nuremberg, Germany, including his perspective as a newly elected openSUSE Board member. The conference brought together developers, contributors, and open-source enthusiasts from around the world. Key highlights included setting up an on-site openSUSE Shop to make swag more accessible to international attendees, keynotes from SUSE leadership emphasizing the power of open collaboration, and technical presentations covering topics like SELinux security improvements and distributed Kubernetes clusters. Ish also presented talks on improving openSUSE membership management and building mirrors in Mauritius.

Tumbleweed Updates

openSUSE Tumbleweed revision de la semana 30 de 2025 - Victorhck provided a detailed review of Tumbleweed snapshots 0718, 0722, and 0723 in Spanish and noted a delay due to SELinux 3.9 debugging. Key updates included KDE Plasma 6.4.3, Mesa 25.1.6, Apache 2.4.64, and Linux kernel 6.15.7. Snapshot 0724 is in quality control and expected to bring SELinux 3.9, Bash 5.3, and Firefox 141.0.

Tumbleweed – Review of the weeks 2025/30 - Dominique Leuenberger provided a detailed review of Tumbleweed snapshots, like the one listed above.

Security Insights

SUSE Security Team Spotlight Spring 2025 - The SUSE security team shared insights from their spring 2025 work, including reviews of new Polkit features in GDM, Flatpak, and ModemManager. They also detailed privilege escalation vulnerabilities found in cyrus-imapd and configuration changes for systemd-coredump.

Community and Advocacy

Urgency to Switch from Windows 10 Builds - Douglas DeMaio highlighted the openSUSE Project’s participation in the End of 10 campaign, urging users to migrate from Windows 10 (which ends support in October) to Linux-based operating systems. The article emphasizes both cybersecurity risks of staying on unsupported systems and the environmental benefits of extending older hardware life through Linux adoption.

Technical Deep Dives

Dealing with multiple syslog protocols in syslog-ng made easy - Peter Czanik explained the new transport(auto) option in syslog-ng that simplifies handling multiple syslog protocol variants (RFC3164, RFC5424) through a single source driver, making syslog configuration more straightforward.

KDE Community

Esquinas inferiores redondeadas – Esta semana en Plasma - Baltolkien translated Nate Graham’s weekly Plasma update into Spanish, covering Plasma 6.5 developments, including the implementation of automatically rounded bottom window corners and various UI improvements.

Control del nivel de tinta de la impresora – Esta semana en Plasma - Another Spanish translation by Baltolkien of Nate Graham’s weekly Plasma update, featuring printer ink level notifications, notification handling improvements, and various bug fixes in Plasma 6.4.4 and 6.5.

Community Events

Akademy 2026 busca sede ¡anímate y presenta una candidatura! - Baltolkien announced that KDE’s annual developer conference Akademy 2026 is seeking a European host venue for its 30th anniversary celebration, providing details on requirements and how to submit a proposal.

View more blogs or learn to publish your own on planet.opensuse.org.

the avatar of Ish Sookun

openSUSE Conference 2025

The openSUSE Conference 2025 was held from 26 to 28 June at the vibrant Z-Bau, House of Contemporary Culture, Nuremberg, Germany. I had the pleasure of attending with my colleagues Eddy Lareine and Alex Bissessur. It marked my third time attending and speaking at the openSUSE Conference in Germany, and my fifth international openSUSE talk, after the Africa Internet Summit 2019 in Kampala, Uganda and the openSUSE Asia Summit 2019 in Bali, Indonesia.

openSUSE Conference — Group Photo, Photo Credit: Douglas DeMaio

My First Conference as a Board Member

Earlier this year, I was elected to the openSUSE Board, making this year's conference a little different, with added responsibilities.

Two days before the conference began, the Board held our face-to-face meetings. We voted on a few pending items and prepared for the Board's public session with the community, which was scheduled for Friday, 27 June at 6 p.m. These pre-conference meetings were insightful, especially for me as a new Board Member. I learned a great deal from more seasoned members like Simon Lees, Shawn Dunn, and our Chair Gerald Pfeifer. I also benefitted from the perspectives of former Board Members Douglas DeMaio and Patrick Fitzgerald, who also joined the sessions. Although Jeff Mahoney and I started our mandates at the same time, his experience and understanding of how SUSE and openSUSE intersect brought invaluable context to many of the discussions.

Swag at the conference

One of my proposals as a Board Member was to set up an openSUSE Shop at the conference venue. This initiative allowed attendees, especially those visiting from outside Europe, to purchase openSUSE swag such as t-shirts, caps, tote bags, and mugs. For many of us from regions like Africa or islands like Mauritius, international shipping fees often exceed the actual item costs. This shop helped address that.

The openSUSE Shop at oSC25

Thankfully, Eddy and Alex volunteered to help run the shop, so we didn't need to recruit more volunteers. However, managing the swag table while attending sessions was no easy feat. We had to take turns so we could still attend the talks we were interested in and present our own sessions (Alex and I each had two talks spread across different days).

Day 1 — Keynotes, Community Energy and Technical Deep Dives

The conference opened with a keynote address by SUSE CEO Dirk-Peter van Leeuwen. He spoke from the heart, about his roots as an engineer, his passion for coding, and his belief in the power of community. He reminded us of how openSUSE reached its 20-year milestone, highlighting major contributions like YaST, KDE integration, and the Open Build Service (OBS), the latter being adopted by the Cloud Native Computing Foundation for running Kubernetes builds.

Keynote address by SUSE CEO Dirk-Peter van Leeuwen
Proprietary software development does not get you anywhere, it has to be open.
— Dirk-Peter van Leeuwen

That statement received a resounding applause.

Douglas DeMaio — the Master of Ceremony at the opening of oSC 2025

Next up was Rick Spencer, SUSE General Manager, who emphasized that openSUSE is not just a collection of distros, but a single project with a unified purpose. He encouraged contributors to see beyond labels like Tumbleweed or Leap, and instead, embrace a collaborative spirit. His closing call-to-action was simple but powerful:

Join the momentum, every contribution matters.
— Rick Spencer
SUSE General Manager, Rick Spencer
Cathy Hu — SELinux Security Engineer at SUSE

Later that day, I also attended Cathy Hu's talk on "SELinux — current state in (open)SUSE" while keeping an eye on the shop. As the maintainer of openSUSE's SELinux policy and userspace toolchain, Cathy gave a thorough overview of security improvements in the distro.

Peer Heinlein — CEO of the Heinlein Group

The second keynote was delivered by Peer Heinlein, CEO of the Heinlein Group. He talked about the risks of relying on proprietary software, referencing the fate of ownCloud after its acquisition by Kiteworks. In response, the Heinlein Group forked the open-source ownCloud Infinite Scale (OCIS) codebase to launch OpenCloud.

Midway through his talk, I had a déjà vu moment as his name sounded familiar. That's when I remembered that Peer Heinlein is the author of the book Dovecot: POP3/IMAP Servers for Enterprises and ISPs, a crucial reference when I built the email infrastructure for La Sentinelle five years ago.

Richard Brown (left, sporting the Aeon t-shirt), Peer Heinlein (middle, white shirt) & myself - Ish Sookun (right, green t-shirt)

After his talk, I introduced myself, shared how his book helped me, and thanked him in person. I took a selfie with him and Richard Brown, the former openSUSE Board Chair who has always pushed me to be more involved in the project.

I attended the session on Leap 16.0 Beta, by Luboš Kocman, during which he unveiled the new Leap wallpaper.

Luboš Kocman unveils the Leap 16.0 wallpaper

We were very happy to see the green lizard on the wallpaper, a photo taken by our dear friend and fellow Mauritian, Arwin Neil Baichoo and submitted for the Leap 16.0 and Tumbleweed wallpaper collection. He made us proud. 😊

Day 2 — Talks on Community, Infrastructure, and the African Context

I delivered my first talk in the "Gallerie" room titled "2 cents on improving openSUSE Membership (Management)".

Myself (Ish Sookun) presenting at oSC 25

I presented my thoughts on how we could improve the membership process through a custom Laravel-based platform. I had a productive follow-up discussion afterward.

Later, Alex gave his talk on "Geographically Distributed Kubernetes Clusters", highlighting the challenges cloud enthusiasts face in Mauritius, where GCP, AWS, and Azure are absent.

Alex Bissessur presenting Geographically Distributed Kubernetes Clusters

He described how unreliable power and lack of local cloud services inspired him and his friends to build a distributed Kubernetes cluster to host their own blogs and applications.

My second talk, "Building openSUSE Mirror(s) in Mauritius", took place at 4 p.m. in the main hall. It was a status update on the mirror infrastructure project I began in 2022.

Myself (Ish Sookun) presenting the status update about openSUSE Mirrors in Mauritius

I shared lessons learned, improvements to sync strategies, and announced that Kaldera is sponsoring a second mirror in Mauritius, soon to be the fourth mirror in Africa.

The day concluded with the openSUSE Board Q&A session at 6 p.m. Gerald opened with a summary of proposed updates to election and membership rules, and I expanded on our membership platform. Jeff, Simon, and Shawn addressed governance structure proposals. The session felt productive, open, and reflective of the community's spirit.

openSUSE Board session

Day 3 — Bring openSUSE swag for folks back home

On the final day, Alex gave his second talk, "Production-Ready Virtualisation with Harvester and Longhorn." He addressed how recent changes in pricing/licensing by a major virtualization vendor created uncertainty, especially in Africa, thus prompting many to seek alternatives.

Alex Bissessur presenting Harvester & Longhorn

Harvester and Longhorn, being open-source, hyperconverged solutions, offer a practical alternative at a time when cloud-native infrastructure is becoming the default.

At the end of the day, as we were wrapping up, Doug said that we had a few conference t-shirts left and asked if I would like to bring some of them back home. Naturally, I agreed, as I know friends back home would love that.

In fact, I distributed the t-shirts during my talk about the openSUSE Project at the Developers Conference 2025 (Mauritius), which happened just a few weeks after the openSUSE Conference.

Students from the African Leadership of Higher Education and myself (Ish Sookun)
Alex distributing openSUSE stickers
Proudly rocking the openSUSE swag with office colleagues (La Sentinelle Ltd)
Proudly standing with our "openSUSE 20 Years Anniversary" t-shirts
Shelly (my most adorable and lovely wife ❤️) & myself rocking the "openSUSE 20 Years Anniversary" while doing our iconic DevCon pose
My mom, and I (totally worn out), on the last day of the Developers Conference 2025

Wrapping Up

This year's conference was memorable for many reasons: my new role on the Board, the warm community spirit, the brilliant talks, and of course, the friendships and collaborations that deepened along the way. Videos from all the sessions at oSC25 are available on YouTube.

A big thanks to everyone who made the openSUSE Conference 2025 a success.

Looking forward to seeing you all again in 2026!

Tumbleweed – Review of the weeks 2025/30

Dear Tumbleweed users and hackers,

First off, it has been a bit too quiet from my side on the weekly reviews. The last one published was 2025/25 – the ‘error’ for you missing out on the information is solely on my side: first, there was the openSUSE conference, which was a lot of fun seeing many of you (hopefully many more next year). After that, I dared to take a vacation, which probably nobody realized, as Tumbleweed kept rolling just fine without me. I’ll spare you all the changes that happened in the weeks when no review was conducted. Only so much: a total of 22 snapshots have been released.

This review will cover the events that occurred during this week, essentially snapshots 0718, 0722, and 0723. As can be seen already from the numbers, there was a slightly longer gap between 0718 and 0722. This is partly due to the weekend, but also because of some issues with the planned SELinux 3.9 upgrade, which needed to be debugged first to understand why certain tests were failing. In between, we have reverted to SELinux 3.8 to unblock the tests and keep rolling, while debugging further in an isolated system (and the SELinux, of course, figured it out, addressed the issue, and resubmitted SELinux 3.9, which will be part of Snapshot 0724).

The most relevant changes published in the three mentioned snapshots were:

  • KDE Plasma 6.4.3
  • Mesa 25.1.6
  • Apache 2.4.64
  • cURL 8.15.0
  • gpgme 2.0.0
  • Linux kernel 6.15.7
  • LibreOffice 25.2.5.2
  • SQLite 3.50.3

Snapshot 0724 is currently in QA and looks very promising. This snapshot and the near future should bring you these changes:

  • SELinux 3.9
  • Bash 5.3
  • Linux kernel 6.15.8
  • Mozilla Firefox 141.0
  • GStreamer 1.26.4
  • gettext 0.25.1