
Log Detective: Google Summer of Code 2025

I'm glad to say that I'll participate again in the GSoC, as a mentor. This year we will try to improve the RPM packaging workflow using AI, as part of the openSUSE project.

So this summer I'll be mentoring an intern who will research how to integrate Log Detective with openSUSE tooling to improve the packager workflow for maintaining RPM packages.

Log Detective

Log Detective is an initiative created by the Fedora project, with the goal of

"Train an AI model to understand RPM build logs and explain the failure in simple words, with recommendations how to fix it. You won't need to open the logs at all."

As a project that was promoted by Fedora, it's highly integrated with the build tools around this distribution and RPM packages. But RPM packages are used in a lot of different distributions, so this "expert" LLM will be helpful for everyone doing RPM, and everyone doing RPM should contribute to it.

This is open source, so if, at openSUSE, we want something similar to improve the OBS, we don't need to reimplement it; we can collaborate. And that's the idea of this GSoC project.

We want to use Log Detective, but also collaborate with failures from openSUSE to improve the training and the AI, and this should benefit openSUSE but also will benefit Fedora and all other RPM based distributions.

The intern

The selected intern is Aazam Thakur. He studies at the University of Mumbai, India. He has experience with SUSE, as he worked on RPM packaging for SLES 15.6 during his previous summer mentorship at the OpenMainFrame Project.

I'm sure that he will be able to achieve great things during these three months. The project looks very promising, and it's one of the areas where AI and LLMs will shine, because digging into logs is always difficult; if we train an LLM with a lot of data it can be really useful to categorize failures and give a short description of what's happening.


SELinux: finding an elegant solution for emulated Windows gaming on Tumbleweed


1) Overview

openSUSE Tumbleweed recently switched to using SELinux by default. While generally well received, this change caused problems in particular when playing Windows games through Proton or Wine. This post provides context and introduces the solution the openSUSE SELinux team came up with.

Section 2 gives an overview of SELinux and introduces the primitives necessary to understand the issue and solution. Section 3 takes a closer look at the root cause of the problem and the manual steps needed to work around the issue in the past. Section 4 discusses the requirements for a better solution and how it was implemented in the end. Section 5 closes with information on how to report SELinux bugs and how to reach the openSUSE SELinux team.

2) Introduction to SELinux

OpenSUSE Tumbleweed switched to SELinux as the default Mandatory Access Control mechanism for new installations in February 2025.

The central reason for the change was that we consider SELinux the more encompassing solution: a security problem in one program does not pose a threat to the whole system; rather, a compromise can be confined to the affected program or daemon.

SELinux provides a powerful and detailed language to describe expected application behaviour. It allows a process to be confined, in what is referred to as a SELinux domain, by limiting its access to the system resources it requires and describing its interaction with other domains. A large catalog of domains is already available via the upstream SELinux policy.

SELinux booleans

Common behaviour of a piece of software might be allowed by default for the domain, but very specific scenarios might be prohibited, especially when negatively impacting security. SELinux booleans provide a way for the user to enable such optional functionality in the SELinux policy.

To give an example: the Apache HTTP daemon is used to serve web pages. In certain situations it might be needed that these webpages are stored in the user’s home directory, but as a default it is not advisable that a network facing daemon has access to the home directories. To address these different usage scenarios a boolean called httpd_enable_homedirs exists. The user can turn on the boolean if the HTTP daemon needs to access the home directories of users to serve web pages.

3) The problem with emulating Windows games

Playing Windows games on Linux with SELinux enabled did not work without manual intervention by the user. This is related to the way Windows libraries have been developed and are used by the emulation software. To allow the software for emulating Windows games to work, for example Steam with Proton or Lutris with Wine, a boolean called selinuxuser_execmod needs to be enabled:

sudo setsebool -P selinuxuser_execmod 1

But enabling this boolean has consequences for the general security of the system. The user_selinux manpage states for selinuxuser_execmod:

If you want to allow all unconfined executables to use libraries requiring text relocation that are not labeled textrel_shlib_t, you must turn on the selinuxuser_execmod boolean.

But why exactly is the boolean problematic, and why did it require a manual change before? Memory that is both writable and executable is used by attackers as a building block in their exploitation techniques: if code can be written to a page and then run from it, injected shellcode runs directly. A lot of research went into mitigations that make this harder for malicious actors, and one central measure was executable-space protection, which keeps writable memory non-executable and executable memory read-only. Text relocations cut across that separation: a library that was not built as position-independent code has addresses patched into its code pages at load time, so the loader must write to those pages before they can be executed, and SELinux models this as the execmod permission. If the boolean is enabled, every unconfined process may modify the executable code portions of any library it loads, not just those labeled textrel_shlib_t, and a successful exploit of such a process can use exactly that to run its own code.
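To see which library actually forces the execmod permission, check the shared object for the TEXTREL flag in its dynamic section (readelf -d libfoo.so | grep TEXTREL shows the same thing). The following is an added example, not the SELinux team's code: it parses the ELF64 dynamic section directly and reports whether a library carries text relocations. The sample images are constructed inside the script so it runs offline; the check covers native ELF libraries, and the Windows DLLs that Wine itself maps are PE images, not ELF, which is one reason a per-file label alone does not cover the gaming case.

```python
"""Report whether an ELF64 shared object needs text relocations (DT_TEXTREL or
DF_TEXTREL in its dynamic section). Added illustration for this post; the
sample libraries below are constructed byte images, not real libraries."""
import struct
import sys

PT_DYNAMIC = 2
DT_NULL = 0
DT_TEXTREL = 22        # legacy tag: presence alone means "has text relocations"
DT_FLAGS = 30
DF_TEXTREL = 0x4       # flag bit inside DT_FLAGS used by current toolchains


def has_text_relocations(elf: bytes) -> bool:
    """Walk the program headers to PT_DYNAMIC and scan its Elf64_Dyn entries."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = elf[4], elf[5]
    if ei_class != 2:
        raise ValueError("only ELF64 is handled in this example")
    end = "<" if ei_data == 1 else ">"          # ELFDATA2LSB vs ELFDATA2MSB
    (e_phoff,) = struct.unpack_from(end + "Q", elf, 0x20)
    e_phentsize, e_phnum = struct.unpack_from(end + "HH", elf, 0x36)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, _flags, p_offset, _va, _pa, p_filesz = struct.unpack_from(
            end + "IIQQQQ", elf, off)
        if p_type != PT_DYNAMIC:
            continue
        pos, stop = p_offset, p_offset + p_filesz
        while pos + 16 <= stop:                  # Elf64_Dyn is d_tag (int64) + d_val (uint64)
            d_tag, d_val = struct.unpack_from(end + "qQ", elf, pos)
            if d_tag == DT_NULL:
                break
            if d_tag == DT_TEXTREL or (d_tag == DT_FLAGS and d_val & DF_TEXTREL):
                return True
            pos += 16
        return False
    raise ValueError("no PT_DYNAMIC segment: not a dynamically linked object")


def build_minimal_so(dyn_entries) -> bytes:
    """Construct a minimal little-endian ELF64 ET_DYN image whose only segment is
    a PT_DYNAMIC holding dyn_entries. Test fixture only; it is not loadable."""
    ehdr_size, phdr_size = 64, 56
    dyn = b"".join(struct.pack("<qQ", tag, val) for tag, val in dyn_entries)
    dyn += struct.pack("<qQ", DT_NULL, 0)
    dyn_off = ehdr_size + phdr_size
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8   # ELF64, LSB, version 1
    ehdr = ident + struct.pack(
        "<HHIQQQIHHHHHH",
        3, 0x3E, 1, 0,           # ET_DYN, EM_X86_64, EV_CURRENT, e_entry
        ehdr_size, 0, 0,         # e_phoff, e_shoff, e_flags
        ehdr_size, phdr_size, 1, # e_ehsize, e_phentsize, e_phnum
        64, 0, 0)                # e_shentsize, e_shnum, e_shstrndx
    phdr = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, dyn_off, dyn_off,
                       len(dyn), len(dyn), 8)
    return ehdr + phdr + dyn


# Constructed samples: a clean PIC library, a modern TEXTREL library, a legacy one.
CLEAN_SO = build_minimal_so([(DT_FLAGS, 0)])
TEXTREL_SO = build_minimal_so([(DT_FLAGS, DF_TEXTREL)])
LEGACY_TEXTREL_SO = build_minimal_so([(DT_TEXTREL, 0)])


def scan(paths):
    """Return [(path, needs_textrel)] for real files given on the command line."""
    results = []
    for path in paths:
        with open(path, "rb") as fh:
            results.append((path, has_text_relocations(fh.read())))
    return results


if __name__ == "__main__":
    for path, flagged in scan(sys.argv[1:]):
        print(f"{'TEXTREL' if flagged else 'ok     '} {path}")
```

A library found this way can be given the textrel_shlib_t label named in the manpage excerpt above (semanage fcontext -a -t textrel_shlib_t followed by restorecon), which grants execmod for that one file instead of for every unconfined executable.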

4) Finding an elegant solution

openSUSE Tumbleweed is a general-purpose Linux distribution, targeting a multitude of use cases, be it as a server, running on embedded devices, as a container host or as a desktop system. Some Tumbleweed users require their desktop system to run emulation software for Windows games.

In general we try to take a Secure by Default approach when we take decisions affecting security. For openSUSE Tumbleweed we decided to disable selinuxuser_execmod by default, because we think it provides a risk to the security of the system if all unconfined executables can use libraries with text relocation.

In software security we usually want to make it as hard as possible for malicious actors to exploit a target. Accomplishing this feat is not easy, because some attack scenarios rely on normal system behavior that can be used or exploited by attackers. An approach to mitigate this in defensive software security is a concept known as Defense in Depth, where different protective mechanisms are used to provide a layered defense, making a successful exploit as hard as possible.

A central requirement for a solution was not to cause a negative impact on the security of other use cases, which do not require emulation of Windows games. Enabling selinuxuser_execmod by default for all Tumbleweed installations was no option. It would take away a protection mechanism and therefore weaken the Defense in Depth approach.

Manually setting the boolean was needed to get the emulation layer for Windows to function properly. To arrive at that solution the user needed a certain level of familiarity with the administration of SELinux. A transparent but selective solution that would need no intervention from the user would be ideal.

Implementation

We decided to introduce a new dependency to packaged gaming software in openSUSE Tumbleweed. If a user installs the RPM version of Lutris or Steam, then the RPM selinux-policy-targeted-gaming will now be installed as well, enabling the boolean on the user system automatically. This solution improves usability for the users who install gaming software and does not compromise the security of other use cases of the distribution.

A user preferring the Flatpak versions of Steam or Lutris can manually install the new package:

sudo zypper in selinux-policy-targeted-gaming

As we do not control the Flatpak applications, we can not add any dependencies to them. As an alternative the user can also still set the boolean manually.

5) Closing Remarks

The openSUSE SELinux team is committed to keeping openSUSE users safe with SELinux, and to fixing problems that SELinux may cause to the community. To facilitate changes with SELinux we rely on users to work with us and provide feedback, so that we understand what the current problematic areas are. If you encounter problems with SELinux feel free to open a bug or reach out over the mailing list.



Tackling performance issues caused by load from bots

In recent months, I observed an increase in performance issues with partial short outages, particularly of web applications performing expensive operations such as database or shell queries. The origin was always easy to map to a number of requests larger than what some backend applications are able to handle. Whilst some of the requests do originate from legitimate users, a large share is found to originate from obscure sources; AI-related crawlers in particular seem to dominate. Whereas traditional search engine crawlers, which we do encourage to scan our websites so that more users can find them, scan with few requests spread over a long time frame, these new crawlers tend to issue thousands of requests, sometimes in less than a day. With multiple companies pursuing the same practices, this quickly adds up to requests, and subsequently load, which it is not sensible to scale for, particularly given the lack of obvious benefit for the general public.

Over time I implemented various measures to reduce the number of undesired requests based on the observed patterns, whilst aiming to maintain a stable experience for legitimate requests. These measures include rate limiting (with more fine-grained limits for particularly "expensive" sites and paths), wide blocking of source networks from cloud providers and AI-related companies, blocking of user agent patterns and blocking of "dumb" requests (for example, we stopped routing requests targeting various script file types to backends which do not speak the matching language). Monitoring did show these measures to help with reducing the immediate request load, however new patterns quickly emerged. A new phenomenon is large numbers of requests spread over a large number of different source networks. Especially with source networks identifying as serving residential traffic, blocking is not possible without risking the lockout of legitimate users. A new method needed to be found.

Of course, we are not the only organization affected by this. The recent influx of AI-related crawlers impacting web services caused various operators to implement additional protections, and the most visible one to users are challenge websites, making the user land on an intermediate page before being redirected to the desired location. Whilst these come in various forms, I mostly observe ones asking for a captcha and ones computing a proof-of-work task in the client. The latter became particularly popular with the release of Anubis [0], an open source software making it easy for operators to equip their website with a proof-of-work challenge protection. Anubis reached a certain level of fame by big websites deploying it and tech-related news outlets talking about it. Most naturally, I looked into Anubis as a solution for our situation as well. The proof-of-work concept was particularly interesting, as automated challenges are less annoying to users and have fewer accessibility concerns than manual captcha-based ones.

As for Anubis, it acts as a reverse proxy and serves a pre-defined challenge website. It also ships with excludes for known-good search engine crawlers.

In our setup, which consists of internet-facing HAProxy servers routing traffic to backend application/web servers, this would introduce another proxy that traffic would flow through. Upon discussion with @darix, we figured it would be beneficial to instead utilize SPOE, the HAProxy Stream Processing Offload Engine, to "ask" Anubis to challenge problematic clients, but then to pass the result back to HAProxy to directly route the traffic as before. Following the upstream discussion we initiated, I prepared a patch for this [1]; as I was idling for a while before opening a PR, someone else picked up the work and improved upon it, bringing the implementation to a usable shape [2], however it has not yet been completed and merged at the time of writing. More importantly, also as part of the upstream discussion, a user suggested swapping out the Go library I used for the SPOP implementation in Anubis with a more performant one [3]: haproxy-go [4]. The same comment [3] led me to discover that the same user had developed software similar to Anubis, which already uses the suggested library and specifically targets HAProxy-native deployments: Berghain [5].

Whilst the user experience is similar to Anubis (one is served a challenge website that completes an automated proof-of-work computation before redirecting to the desired location), the background implementation is different. It operates tightly integrated with HAProxy by utilizing the SPOE: first to construct a challenge for clients (that is, if a client is intended to be challenged, which is decided using standard HAProxy ACLs), then to verify the challenge response, which is stored in a cookie on the client. The challenge page itself (a combination of HTML, CSS and JS) is served directly by HAProxy from memory.

This seemed like what we were looking for:

  • no additional reverse proxy, preservation of the existing HAProxy-based routing
  • decision which clients to challenge using HAProxy ACLs, which we already use in our setup and can easily extend upon
  • can be configured to not impact web service availability if the challenge service is offline
  • easy branding using HTML + SCSS (Anubis in its default build does not allow for any branding - however they seem to have a version for paying customers and open source projects which allows to swap the imagery)

The project seemed to be in an early stage, with not much activity as compared to Anubis, however initial testing seemed promising. After opening an issue about a minor flaw, the upstream maintainer messaged me; as it turns out, they have similar ideas and are very nice to chat with. Over the last days, various improvements landed in Berghain. I contributed some patches [6], which were pleasantly reviewed and integrated, and the upstream maintainer helped as well, answering questions in chat and solving bugs [7].

For branding, I made a fork [8] in which the sources of the web page are modified. An upstream discussion to decouple this, allowing theming to reside separately, was started [9], but ideas on achieving this are still pending. As the web sources are deemed to not change as often, the maintenance effort should not be too bad for the time being - I rebase our branch with the upstream one when there are changes, and add the customizations as a patch in our package [10].

With this, all seems to be set for deployment. However, there were some challenges (pun intended) which had to be considered:

  • users should not be unnecessarily "annoyed"
    => cover websites and paths only selectively when there is need for additional protection due to excess application load
  • the challenge requires JavaScript, don't unnecessarily harm users which do not have JavaScript enabled, and, most importantly, don't break legitimate command line tooling and scripts
    => cover only websites and paths which would require JavaScript anyways (i.e. no API paths)
  • if the configured validity period expires while the user is filling out a form, accidental form resubmission might be triggered
    => cover only GET requests
  • legitimate search engine crawlers should not be inhibited
    => adapt lists of user agent + source network combinations from Anubis

These points were easily solved using HAProxy ACLs. Of course, the exemptions also leave more room for malicious actors to work around the protection. Whilst this is a concern, most bots are found to be "dumb", hence the enablement can be expected to significantly help with the current situation even with the constraints at hand. Over time, solutions allowing for tighter limitations might be investigated and developed. Particularly interesting was a discussion with the maintainer of Berghain which brought up some ideas to challenge clients without JavaScript, however there is no concrete plan for this yet.
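The four exemptions above, expressed as a decision function so that the interplay between them can be exercised. This is an added illustration for this post, not Berghain's code and not the openSUSE configuration (which lives in HAProxy ACLs); the protected path prefixes, non-HTML suffixes, crawler user-agent tokens and crawler networks are constructed (RFC 5737 documentation ranges stand in for a crawler's published ranges). The security-relevant detail it shows is that a user-agent string alone is never trusted: it only exempts a request when the source address also falls in that crawler's network.

```python
"""Decide which requests are sent to the proof-of-work challenge.
Added illustration for this post; every list below is a constructed example."""
import ipaddress
from dataclasses import dataclass

# Assumption: only these path prefixes cause enough backend load to need protection.
PROTECTED_PREFIXES = ("/projects/", "/issues")
# Responses nobody renders in a browser: scripts, feeds and git-style downloads.
NON_HTML_SUFFIXES = (".json", ".atom", ".xml", ".patch", ".diff", ".css", ".js", ".png", ".svg")
# Constructed crawler allow-list: token must match AND the client must come from
# that crawler's network, otherwise a spoofed User-Agent walks past the challenge.
KNOWN_CRAWLERS = {
    "Goodbot": [ipaddress.ip_network("192.0.2.0/24")],
    "Searchbot": [ipaddress.ip_network("198.51.100.0/24"),
                  ipaddress.ip_network("2001:db8::/32")],
}


@dataclass
class Request:
    method: str
    path: str
    user_agent: str
    client_ip: str
    has_valid_cookie: bool = False     # set by the cookie verifier upstream


def is_known_crawler(user_agent: str, client_ip: str) -> bool:
    """User-agent token and source network must both match one crawler entry."""
    ip = ipaddress.ip_address(client_ip)
    return any(token in user_agent and any(ip in net for net in nets)
               for token, nets in KNOWN_CRAWLERS.items())


def should_challenge(req: Request) -> bool:
    if req.has_valid_cookie:
        return False                   # already proved work recently
    if req.method != "GET":
        return False                   # never interrupt a form submission
    if not req.path.startswith(PROTECTED_PREFIXES):
        return False                   # only the expensive parts of the site
    if req.path.lower().endswith(NON_HTML_SUFFIXES):
        return False                   # no JavaScript runs here: spare scripts and feeds
    if is_known_crawler(req.user_agent, req.client_ip):
        return False                   # legitimate search engine, verified by network
    return True


if __name__ == "__main__":
    sample = [   # constructed requests
        Request("GET", "/projects/opensuse-admin/issues", "Mozilla/5.0", "203.0.113.5"),
        Request("GET", "/projects/opensuse-admin/issues.json", "curl/8.14.0", "203.0.113.5"),
        Request("GET", "/projects/x/issues", "Goodbot/2.1", "203.0.113.5"),   # spoofed UA
        Request("GET", "/projects/x/issues", "Goodbot/2.1", "192.0.2.10"),    # real network
    ]
    for r in sample:
        print(f"{'CHALLENGE' if should_challenge(r) else 'pass     '} {r.method} {r.path} {r.user_agent} {r.client_ip}")
```

In the HAProxy deployment each of these conditions is one ACL, and the challenge is only triggered when all the negative ACLs are false; the function above mirrors that order so that the cheapest checks (cookie, method) run first.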

With all that being said, the protection has now been deployed and enabled for two services [11], including progress.opensuse.org, where you are reading this article right now. Enablement for more services will follow over time as needed.

With all the considerations which went into this implementation, I hope for the impact on legitimate users to be minimal. If you notice any undesired breakage as a result of this nonetheless, please do open an issue in our tracker [12] explaining the circumstances, and I will try to work out a solution.

[0] https://anubis.techaro.lol
[1] https://github.com/TecharoHQ/anubis/issues/236#issuecomment-2784919382
[2] https://github.com/TecharoHQ/anubis/pull/460
[3] https://github.com/TecharoHQ/anubis/issues/236#issuecomment-2801861198
[4] https://github.com/DropMorePackets/haproxy-go
[5] https://github.com/DropMorePackets/berghain
[6] https://github.com/DropMorePackets/berghain/issues?q=author%3Atacerus
[7] https://github.com/DropMorePackets/berghain/commit/6080b227008a759c267a973202cf2b4edff38e31, https://github.com/DropMorePackets/haproxy-go/commit/c1707895ddabaa9c11d4e0b99e2cba040a0a3330
[8] https://github.com/openSUSE/berghain
[9] https://github.com/DropMorePackets/berghain/issues/26
[10] https://build.opensuse.org/package/show/openSUSE:infrastructure/berghain
[11] https://progress.opensuse.org/projects/opensuse-admin/repository/salt/revisions/3257c222f1c92c96c1d3caaeb7c14604fefad54a
[12] https://progress.opensuse.org/projects/opensuse-admin/issues (in case of issues with using the tracker directly, create a ticket via )

Edit after 1 day:

It was suggested to attach some graphs showing how the load went down after this deployment. Here are the graphs behind progress.o.o as an example (times in the graphs are in CEST):

CPU and network load on progress.o.o backend

HAProxy recorded sessions for progress.o.o


Improvements To RPM Lint Results and Reviewing Submit Requests

In this update, we’re introducing two improvements that make reviewing RPM lint results and Submit Requests easier: a dedicated view for RPM lint results, and a clearer, more helpful display of build statuses in Submit Requests. We started the redesign of the request workflow in August 2022. Then, in September 2022, we focused on the support of multi-action submit requests. We continued in October 2022 with improvements regarding the Build Results tab and superseded conversations,...


Speakers Set Course for openSUSE Conference

The openSUSE Conference 2025 in Nuremberg from June 26 - 28 is shaping up to be a great gathering for the open source software community.

There are three packed days of presentations, workshops and discussion along with three keynotes.

This year’s conference features SUSE CEO Dirk-Peter van Leeuwen who will recognize the openSUSE community’s 20-year journey. Peer Heinlein, who founded the Heinlein Group, which includes companies like Heinlein Support, mailbox.org, OpenTalk, and OpenCloud, will provide another keynote on the same day and his talk will focus on the risks users face when using proprietary software. Another keynote from Tropic Square’s CEO Jan Pleskač will spotlight the growing need to extend open source hardware.

The conference is offering a broad look at where openSUSE is heading and what challenges are emerging for the project’s development and how the open-source communities can resolve them.

There are several sessions drawing attention like “Public Money? Public Code!” and a series of presentations addressing Cyber Resilience Act (CRA) and Network and Information Security 2 Directive (NIS2) readiness. These sessions explore how European cybersecurity regulations are impacting small to medium open-source vendors and what steps are needed to align with the evolving legal landscape.

On the technical side, integration and automation sessions continue. One talk will demonstrate how Uyuni can be tightly woven into existing infrastructure management tools like Ansible and Terraform. Another session will unveil a tool called container-snap, a prototype designed to bring atomic OS updates through OCI images, which helps eliminate the risk of broken upgrades.

The Leap 16.0 Beta will have a dedicated session, and the future of SUSE Linux Enterprise will be discussed in a talk titled “From ALP to SLES16”.

Workshops on LLMs will show how to run large language models locally and turn them into functional agents and a popular penguin AI project called Kowalski should capture some attention at the conference.

Underlying many talks is a shared urgency around user empowerment. The “End of 10 Install Workshop” sessions are aimed at encouraging users to install openSUSE on aging or repurposed hardware based on Microsoft’s end-of-life date for Windows 10.

The full schedule of the openSUSE Conference 2025 is available at events.opensuse.org.


Deprecating Java-based drivers from syslog-ng: Is HDFS next?

While most Java-based drivers were deprecated in syslog-ng years ago, we have recently removed all of them in preparation for syslog-ng 4.9.0. Right now, the only Java-based driver remaining is HDFS, so we want to ask the syslog-ng community whether the HDFS destination is still needed.

Read more at https://www.syslog-ng.com/community/b/blog/posts/deprecating-java-based-drivers-from-syslog-ng-is-hdfs-next


Tumbleweed Monthly Update - May 2025

May ended with a large update for openSUSE’s rolling release. While that snapshot addressed several Common Vulnerabilities and Exposures, more security fixes were introduced throughout the month.

May introduced qemu 10.0 with improved virtualization performance, KDE Plasma 6.3.5 with polished usability fixes, and GStreamer 1.26.1 with smoother media playback across desktop and embedded devices. Security took center stage with OpenSSL 3.5.0’s post-quantum cryptography support and kernel updates that address speculative execution vulnerabilities. Whether you’re a developer, sysadmin, or daily desktop user, May’s snapshots deliver meaningful enhancements for a trusted Tumbleweed experience.

As always, be sure to roll back using snapper if any issues arise.

For more details on the change logs for the month, visit the openSUSE Factory mailing list.

New Features and Enhancements

qemu 10.0: This is a major leap forward for virtualization on openSUSE Tumbleweed and will benefit desktop users, developers and server admins alike. This update allows for better I/O performance for virtual machines by spreading work across multiple threads through the added multiqueue support in virtio-scsi. Intel GPU passthrough (VFIO) is now better supported and helps users build more capable desktop virtual machines or development environments with hardware acceleration. Developers and embedded enthusiasts will be happy to know the update now supports new arm, LoongArch, RISC-V and HPPA boards and CPU features. Notable improvements include ARM’s EL2 timer emulation and support for new RISC-V extensions like smrnmi and supm. The QEMU Machine Protocol (QMP) documentation has been revamped for easier automation and scripting. This version also fixes build issues with GCC 15 and improves test reliability for openSUSE packaging. Be sure to check the deprecated features, especially if you run 32-bit hosts.

KDE Plasma 6.3.5: Plasma’s KWin window manager has bug fixes targeting crashes, rendering issues, HDR brightness control, tablet input reliability, and smoother screen dimming behavior. Discover improves how update information displays. The “Still Looking” indicator bug has been resolved for a smoother package search experience. Notification bubbles are now better padded and positioned. The weather widget now respects default units, the notes applet won’t misbehave with layout sizes, and task manager grouping visuals are more predictable. Dolphin won’t accidentally misplace interface elements, Plasma Vaults avoid build errors, and color scheme integrations in apps and applets use the correct styling for a more cohesive look.

GStreamer 1.26.1: This release improves media playback reliability, especially for streaming, subtitles, and camera input. If you use apps like GNOME Videos, OBS, or PipeWire-based systems, this update means fewer crashes and smoother performance. Notable fixes improve subtitle handling in H.264/H.265, A/V sync for V4L2 decoding, stability in WebRTC calls, better Matroska and MP4 support, and more accurate frame-rate detection. Developers also get better plugin loading on Windows and improved compatibility with newer Python and GObject versions. This update boosts multimedia experience across desktops, browsers, and embedded devices.

gimp 3.0.4: The update resolves a clipboard bug that caused pasted content to appear padded, ensures smoother behavior when monitors are disconnected or changed, and speeds up startup for users with large font libraries. Non-destructive filter workflows see improvements with better undo tracking and fewer visual artifacts. KDE Wayland users benefit from corrected icon rendering, and .ICO file support is fixed with a patch for the ZDI-CAN-26752 bug. Two now-upstreamed patches were dropped, keeping the package clean and current.

gnome-music 48.0: This update brings better compatibility with modern Python environments by dropping legacy specific workarounds and improving GLib integration. While not a feature-heavy update, it fixes backend issues related to introspection and ensures smoother startup and stability on current openSUSE Tumbleweed systems.

OpenSSL 3.5.0: This major update strengthens cryptographic security and modernizes TLS support for openSUSE Tumbleweed users. The default encryption for tools like req, cms, and smime now uses the stronger aes-256-cbc cipher instead of the outdated 3DES. TLS configuration is improved with support for post-quantum cryptography (PQC) key exchange methods like ML-KEM, which gives users a future-proof option whose computational cost is comparable to classical key exchange, at the price of larger handshake messages. The release introduces QUIC server support (used in HTTP/3), which matters for developers building low-latency or streaming applications. Day-to-day, this improves system-wide crypto performance, enhances compatibility with modern web protocols, and strengthens encryption defaults. Users of secure tools like cURL, Git, or anything using OpenSSL-backed TLS benefit from better security and reduced CPU load on newer hardware.

KDE Gear 25.04.1: This update brings a focused wave of polish and stability, smoothing out workflows across key apps like Dolphin, Kdenlive and KDE Connect. File management is cleaner with improved theming and context menus in Dolphin, while Kdenlive benefits from a long list of crash fixes, layout refinements, and a less aggressive autosave. KDE Connect also fixes media crashes and improves navigation.

KDE Frameworks 6.14.0: This release improves system integration, accessibility, and app behavior across the KDE stack. Developers benefit from safer file handling in KArchive, drag-and-drop enhancements in KIO, improved high-contrast theme support in KColorScheme, and smoother Wayland clipboard operations in KGuiAddons. Kirigami receives layout fixes and scrolling improvements, while KWallet introduced support for KeePassXC password manager as a backend. Syntax highlighting gains new language definitions, including ACPI and RISC-V updates.

Key Package Updates

GTK4 4.18.5: This release improves overall desktop stability and responsiveness for Tumbleweed users. It resolves several crashes and bugs that could affect file chooser dialogs, accessibility tools, and input methods like XCompose, which provide important fixes for anyone using multilingual input or screen readers. A major performance issue related to Cairo blur rendering has been addressed, which benefits applications using shadows, transitions, or transparency. This update also smooths out behavior in apps like Epiphany and those built with gtkmm. The changes result in fewer surprises and smoother experiences across GNOME apps and custom GTK-based tools.

kernel-source 6.14.6 and 6.14.5: The 6.14.6 update includes protections against CVE-2024-28956, a newly identified speculative execution vulnerability affecting modern Intel CPUs. It introduces the ITS (Indirect Target Selection) mitigation mechanism and ensures safer handling of return and branch instructions during context switches. Several branch predictor hardening improvements were added and are important for embedded devices and containers using ARM64 hardware. A long-standing bug with some HP laptop mute LEDs is also resolved. The 6.14.5 release brings another round of bug fixes and driver updates that enhance system stability and compatibility on the rolling release. This update resolves edge-case crashes, memory leaks, and device compatibility issues across key subsystems like networking (MLX5, ENETC), Bluetooth, and CPU frequency scaling. Graphics users benefit from Intel Xe driver tuning and DRM fixes that improve performance and power management, while media hardware support continues to expand with updates for newer camera sensors. Filesystem integrity also improves with Btrfs and ceph fixes, which helps prevent data corruption in low-level edge scenarios.

curl 8.14.0: This release patches two vulnerabilities affecting QUIC certificate verification with wolfSSL, ensuring proper validation and pinning (CVE-2025-4947, CVE-2025-5025). The release also adds support for OpenSSL + ngtcp2 QUIC combinations and introduces new TLS options like CURLOPT_SSL_SIGNATURE_ALGORITHMS. MQTT connections now send pings at upkeep intervals, and users can disable auto-pong replies for WebSockets. This update reinforces both curl’s stability and its evolving network protocol support.

AppStream 1.0.5: This brings improvements that help software centers and package managers like GNOME Software or Discover show richer and more accurate metadata to users. This update enhances how screenshots, icons and descriptions are validated and interpreted, helping app developers ensure their software listings look polished and follow consistent standards. Tumbleweed users should see better visual consistency in software listings, fewer glitches in app stores, and improved metadata quality across repositories.

fwupd 2.0.9: This release improves firmware update reliability and broadens hardware compatibility, a meaningful upgrade for users who rely on secure and seamless firmware management on openSUSE’s rolling release. Key improvements include better support for updating the UEFI Key Exchange Key (KEK) and signature database (db), now allowing multiple certificates to be installed at once, which is essential for maintaining Secure Boot integrity. For developers or advanced users, fwupdtool now includes more verbose JSON output and better Redfish handling, while hidden or backup devices are properly excluded from updates. These changes boost system stability, expand device coverage, and make managing firmware updates more dependable across desktops and servers.

gpg2 2.5.6: This version fixes a regression introduced in the previous version that misclassified signatures from revoked or expired keys as “missing,” which confused users reviewing signed files or emails. Another important fix prevents potential crashes (double free) when running in no signature cache mode. Some new features include support for left-anchored substring filters (helpful when scripting key listings), the --quick-tsign-key command for efficiently creating trust signatures, and a new User-Id option during key generation to streamline custom workflows. There’s also better smart card support, with improvements to certificate selection and card detection, especially for P15 cards.

sqlite 3.49.2: This software package addresses a rare memory error triggered by the NOT NULL optimization introduced in version 3.40.0, which ensures safer query execution. Fixes were also applied to DISTINCT queries using views and edge cases involving UNIQUE constraints with IN operators, which are issues that could lead to incorrect query results in complex schemas. Users relying on the generate_series() function will see better stability, and minor build improvements enhance portability.

thunar 4.20.3: The file manager now warns before permanently deleting files, adding a crucial layer of protection. It handles user-defined custom actions (UCAs) more reliably, especially when submenus are involved, thanks to fixes for several memory leaks and submenu bugs. On Wayland, popup menus now behave correctly and no longer stay open unexpectedly. The update also fixes crashes related to the list view and properties dialog, improves file handling on exFAT file systems, and enhances statusbar updates during searches.

PipeWire 1.4.4: This update restores compatibility with older 1.2-style MIDI and addresses regressions that impacted tools like mpv. The update also enhances integration with libcamera, ensuring smoother video and multimedia processing in GStreamer. Users working with MIDI devices benefit from improved UMP and ALSA sequencer support, including better handling of SysEx and program changes. NetJACK2 networking is now more reliable with refined driver/manager roles and error management.

Bug Fixes and Security Updates

Several key security vulnerabilities were addressed this month. Common Vulnerabilities and Exposures this month are:

Security Updates

libsoup

  • CVE-2025-32914: An out-of-bounds read vulnerability allows malicious HTTP clients to trigger memory access errors, potentially leading to crashes.
  • CVE-2025-32907: Fixed excessive memory use from repeated HTTP range requests causing partial resource exhaustion.
  • CVE-2025-46421: Fixed leak of Authorization headers on HTTP redirects, preventing credential exposure to third-party hosts.

curl

  • CVE-2025-4969: Buffer overflow in curl’s dynbuf API could lead to data corruption or crash.
  • CVE-2025-4476: In curl, improperly handled credentials in setopt may leak across requests.
  • CVE-2025-4948: CURLOPT_SSL_VERIFYPEER bypass possible in curl when reusing connections with wolfSSL.

cyrus-imapd

  • CVE-2025-23394: Fixed potential privilege escalation in cyradm due to improper shell escaping when invoking subshell commands.

Mozilla Firefox 138.0:

  • CVE-2025-2817: Fixed privilege escalation in Firefox Updater allowing SYSTEM-level operations.
  • CVE-2025-4082: Fixed memory corruption in WebGL shader attributes on macOS.
  • CVE-2025-4083: Fixed process isolation bypass via javascript: links in cross-origin frames.
  • CVE-2025-4085: Resolved potential information leakage and privilege escalation via UITour actor.
  • CVE-2025-4086: Obscured file extension in download prompt via crafted filenames.
  • CVE-2025-4087: Fixed unsafe attribute access during XPath parsing.
  • CVE-2025-4088: Prevented CSRF via Storage Access API redirects.
  • CVE-2025-4089: Fixed local code execution risk in “copy as cURL” developer tool.
  • CVE-2025-4090: Fixed library path leakage in Firefox for Android via log output.
  • CVE-2025-4091: Memory safety bugs fixed in Firefox 138, Thunderbird 138, and ESR versions.
  • CVE-2025-4092: Additional memory safety fixes in Firefox 138 and Thunderbird 138. More fixes made for version 138.0.1 and 138.0.4

curl 8.14.0:

  • CVE-2025-4947: Fixed an improper Certificate Validation in libcurl (QUIC with IP Address).
  • CVE-2025-5025: Addressed a missing Certificate Pinning in libcurl (QUIC with wolfSSL).

389-ds:

  • CVE-2025-3416: A use-after-free vulnerability in OpenSSL’s handling of the properties argument in certain functions could lead to undefined behavior or incorrect property parsing, potentially causing OpenSSL to treat the input as an empty string.

gpg2 2.5.6:

  • CVE-2025-30258: Fixed a verification denial-of-service (DoS) vulnerability in GnuPG versions prior to 2.5.5.

kernel-source 6.14.6:

  • CVE-2024-28956: Addressed multiple vulnerabilities related to Indirect Target Selection (ITS) on x86, including improper branch prediction behavior and missing mitigations for RSB stuffing.

iputils:

  • CVE-2025-47268: Fixed an integer overflow in ping that could lead to a denial of service when handling crafted ICMP Echo Reply packets.

open-vm-tools 12.5.2:

  • CVE-2025-22247: Resolved an insecure file handling flaw that allowed local attackers on a guest VM to tamper with files, potentially leading to privilege escalation.

nbdkit 1.42.3:

  • CVE-2025-47712: Addressed a vulnerability allowing low-privileged users to cause partial denial-of-service via resource exhaustion.
  • CVE-2025-47711: Fixed improper input handling that could allow denial-of-service through resource exhaustion or instability.
  • CVE-2024-7383: Fixed an issue where TLS connections failed to properly verify NBD server certificates, allowing potential man-in-the-middle attacks.

webkit2gtk3 2.48.2:

  • CVE-2025-24223: Fixed a memory corruption issue in WebKit when processing maliciously crafted web content.
  • CVE-2025-31204: Resolved a memory corruption vulnerability in WebKit triggered by malicious web content.
  • CVE-2025-31205: Addressed a cross-origin data exfiltration flaw in WebKit due to improper security checks.
  • CVE-2025-31215: Resolved a vulnerability in WebKit where processing malicious web content could cause unexpected process crashes.

grub2:

  • CVE-2025-4382: Fixed an issue where GRUB’s TPM-based auto-decryption could leave LUKS disks decrypted in memory after a filesystem failure. An attacker with physical access could exploit this to access unencrypted data by forcing GRUB into rescue mode.

mozjs128 128.10.1:

  • CVE-2025-4920: Fixed an out-of-bounds access when resolving Promise objects in Firefox.
  • CVE-2025-4921: Fixed an out-of-bounds access during optimization of linear sums in Firefox.

OpenSSL:

  • CVE-2025-4575: Fixed an issue in OpenSSL 3.5 where the -addreject option in openssl x509 mistakenly marked certificates as trusted instead of rejected.

postgresql17 17.5:

  • CVE-2025-4207: Fixed a buffer over-read vulnerability in PostgreSQL’s GB18030 encoding check, which could result in denial-of-service.

python313:

  • CVE-2025-4516: Fixed a use-after-free vulnerability in CPython that could lead to memory corruption.

Users are advised to update to the latest versions to mitigate these vulnerabilities.

Conclusion

May’s Tumbleweed updates highlight the strength of Tumbleweed to bring together performance improvements, UI polish and critical security updates. QEMU 10 expands hardware support and accelerates virtual machines, while OpenSSL 3.5 modernizes encryption defaults, which deliver noticeable improvements for everyday Linux use. The introduction this month of post-quantum cryptography (PQC) in OpenSSL 3.5 is a major advancement. KDE Gear 25.04.1 brought stability to essential apps like Dolphin and Kdenlive, ensuring workflows remain smooth and intuitive. Thunar also saw meaningful improvements, including safer file deletion and better Wayland behavior. Multimedia users saw benefits from GStreamer and GTK enhancements. AppStream 1.0.5 enhanced how package managers and software centers display app metadata, resulting in cleaner, more informative listings. Updates to SQLite 3.49.2 and gpg2 2.5.6 resolved edge-case bugs that could affect scripts, key management, or database reliability. These rolling release updates make a difference and show that Tumbleweed continues to deliver consistent new software updates every month for developers and power users.

Slowroll Arrivals

Please note that these updates also apply to Slowroll and arrive on average 5 to 10 days after being released in a Tumbleweed snapshot. This approach has been consistent for many months, ensuring stability and timely enhancements for users. Updated packages for Slowroll are regularly announced in emails on the openSUSE Factory mailing list.

Contributing to openSUSE Tumbleweed

Stay updated with the latest snapshots by subscribing to the openSUSE Factory mailing list, which is also the place for Tumbleweed users who want to contribute or engage in detailed technical discussions. The openSUSE team encourages users to continue participating through bug reports, feature suggestions and discussions.

Your contributions and feedback make openSUSE Tumbleweed better with every update. Whether reporting bugs, suggesting features, or participating in community discussions, your involvement is highly valued.


Tumbleweed – Review of the weeks 2025/21 & 22

Dear Tumbleweed users and hackers,

I’m again spanning the review over two weeks. During Week 2025/21, there was a large downtime on OBS/openQA due to some storage failures. This took longer than anticipated, so we delayed checking in for new snapshots. All submissions created during that time were handled, albeit more slowly than usual.

This week looked better from an infra pov, but with a holiday on Thursday, things still went slow. In summary, we have published two snapshots (0515 and 0522) during this week, with 0527 currently being in QA (delayed due to Mesa vs wine issues detected during build) – but even with that out of the way, we can already say that snapshot won’t be published (nvidia firmware package issues, see https://bugzilla.opensuse.org/show_bug.cgi?id=1243843)

Let’s look at the bright side and see what the two published snapshots brought to your computers:

  • SDL 3.2.14
  • Ruby 3.4.4
  • SQLite 3.49.2
  • libguestfs 1.55.11
  • python setuptools 78.1.1
  • XEN 4.20.0_12

Things that are planned to be released with the next snapshots to come:

  • Mesa 25.1.1
  • Mozilla Firefox 138.0.4
  • GNOME 48.2
  • fwupd 2.0.10
  • GIMP 3.0.4
  • Linux glibc devel 6.15
  • LLVM 20.1.5
  • Pipewire 1.4.3
  • PostgreSQL 17.5
  • Linux kernel 6.15

the avatar of Robert Riemann

Install Belgian eID on Atomic Fedora 42 (Kinoite/Silverblue)

To do my tax declaration in Belgium, I have several login methods. One of them is the Belgian eID (eidas). To use it, you need an ID card (or resident card) and a smart card reader. I use the smart card reader CardMan 3121 from OMNIKEY. The setup will also allow you to sign PDF documents and emails with your Belgian ID card. Neat! Other countries would require the purchase of additional certificates, but in Belgium you should have it already – free of charge.

Install Belgian eID on an Atomic Fedora desktop

sudo rpm-ostree install https://eid.belgium.be/sites/default/files/software/eid-archive-fedora-2021-1.noarch.rpm
# reboot now
sudo rpm-ostree install -A eid-viewer eid-mw
# optional reboot

You can check if everything is in order with rpm-ostree status. My output:

State: idle
Deployments:
  fedora:fedora/42/x86_64/kinoite
                  Version: 42.20250429.1 (2025-04-29T19:10:59Z)
               BaseCommit: 530f49cde70f792bb77daa1c0570e1e2e66e2e1ac15c5edcf8e4b2774e452105
                   Commit: b96d42074e4448754bd192650dd5efbdc4192ac004667adb35491db84cb47440
             GPGSignature: Valid signature by B0F4950458F69E1150C6C5EDC8AC4916105EF944
                     Diff: 6 added
          LayeredPackages: eid-mw eid-viewer [redacted]
            LocalPackages: eid-archive-fedora-2021-1.noarch

● fedora:fedora/42/x86_64/kinoite
                  Version: 42.20250429.1 (2025-04-29T19:10:59Z)
         BootedBaseCommit: 530f49cde70f792bb77daa1c0570e1e2e66e2e1ac15c5edcf8e4b2774e452105
                   Commit: 1a3e69661f9dbca3cd798c807c59d2c2c28331f7496b9ea0dab6d46986c6b740
               LiveCommit: b96d42074e4448754bd192650dd5efbdc4192ac004667adb35491db84cb47440
                 LiveDiff: 6 added
             GPGSignature: Valid signature by B0F4950458F69E1150C6C5EDC8AC4916105EF944
          LayeredPackages: [redacted]
            LocalPackages: eid-archive-fedora-2021-1.noarch
                 Unlocked: transient
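As an added example (not from Robert's post), here is a small Python check over the rpm-ostree status output above: it parses the deployments and, for each one, confirms that the base commit carries a valid GPG signature, that the expected packages are layered, and flags packages listed under LocalPackages (installed from a file or URL rather than fetched from a configured repository) as well as live-applied changes that only exist until the next reboot. The sample input is the redacted output quoted above, embedded as a string.

```python
"""Sanity-check `rpm-ostree status` output after layering packages.

Added example, not part of the original post. The sample below is the
(redacted) status block quoted in the post.
"""
import re

# Constructed sample: the rpm-ostree status output shown in the post.
SAMPLE_STATUS = """\
State: idle
Deployments:
  fedora:fedora/42/x86_64/kinoite
                  Version: 42.20250429.1 (2025-04-29T19:10:59Z)
               BaseCommit: 530f49cde70f792bb77daa1c0570e1e2e66e2e1ac15c5edcf8e4b2774e452105
                   Commit: b96d42074e4448754bd192650dd5efbdc4192ac004667adb35491db84cb47440
             GPGSignature: Valid signature by B0F4950458F69E1150C6C5EDC8AC4916105EF944
                     Diff: 6 added
          LayeredPackages: eid-mw eid-viewer [redacted]
            LocalPackages: eid-archive-fedora-2021-1.noarch

● fedora:fedora/42/x86_64/kinoite
                  Version: 42.20250429.1 (2025-04-29T19:10:59Z)
         BootedBaseCommit: 530f49cde70f792bb77daa1c0570e1e2e66e2e1ac15c5edcf8e4b2774e452105
                   Commit: 1a3e69661f9dbca3cd798c807c59d2c2c28331f7496b9ea0dab6d46986c6b740
               LiveCommit: b96d42074e4448754bd192650dd5efbdc4192ac004667adb35491db84cb47440
                 LiveDiff: 6 added
             GPGSignature: Valid signature by B0F4950458F69E1150C6C5EDC8AC4916105EF944
          LayeredPackages: [redacted]
            LocalPackages: eid-archive-fedora-2021-1.noarch
                 Unlocked: transient
"""

# A deployment header is "<remote>:<ref>" on its own line, optionally
# prefixed with "●" for the currently booted deployment.
_REF_LINE = re.compile(r"^(●\s*)?([\w.\-]+:[\w./\-]+)$")


def parse_status(text):
    """Split the status text into a list of deployment dicts (in order)."""
    deployments = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _REF_LINE.match(line)
        if m:
            current = {"ref": m.group(2), "booted": m.group(1) is not None}
            deployments.append(current)
            continue
        # "Key: value" fields belong to the most recent deployment header;
        # "State:" and "Deployments:" precede any header and are skipped.
        if current is not None and ":" in line:
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    return deployments


def booted_deployment(deployments):
    """Return the deployment marked as booted, or None."""
    for dep in deployments:
        if dep["booted"]:
            return dep
    return None


def check_deployment(dep, required_packages):
    """Return a list of findings; an empty list means nothing to report."""
    findings = []
    sig = dep.get("GPGSignature", "")
    if not sig.startswith("Valid signature by "):
        findings.append("base commit lacks a valid GPG signature: " + (sig or "<none>"))
    layered = set(dep.get("LayeredPackages", "").split())
    for pkg in required_packages:
        if pkg not in layered:
            findings.append(f"{pkg} is not layered on this deployment")
    for pkg in dep.get("LocalPackages", "").split():
        findings.append(f"{pkg} was not fetched from a configured repository (LocalPackages)")
    if "LiveCommit" in dep:
        findings.append("live-applied changes present; reboot to run the committed deployment")
    return findings


if __name__ == "__main__":
    deps = parse_status(SAMPLE_STATUS)
    for dep in deps:
        marker = "booted " if dep["booted"] else "pending"
        print(f"[{marker}] {dep['ref']} {dep.get('Version', '')}")
        for finding in check_deployment(dep, ["eid-mw", "eid-viewer"]):
            print("   -", finding)
```

On the sample, the pending deployment carries both eID packages and only the local archive package is flagged; the booted deployment shows the live overlay from rpm-ostree install -A, so a clean reboot is the state you want before trusting the result.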

Then, you need to install the Firefox plugin from https://addons.mozilla.org/en-US/firefox/addon/belgium-eid/.

Note that on Atomic Fedora desktops, Firefox is (as of May 2025) installed as a system application, while other browsers (such as Chromium) are installed in a flatpak sandbox. So it is very likely that browsers other than Firefox cannot access the eID setup on the system.


First Test with eid-viewer

You should now find eID Viewer in your application menu, or launch eid-viewer in the terminal. Insert your card; you should then see the data on your card.

Login with eID

You can now use the Belgian eID to access a governmental service, such as the tax declaration portal. Go to https://fin.belgium.be/fr/particuliers/declaration-impot/rentrer-declaration and choose eID as your means of authentication. You will need to enter the PIN code that comes with the ID card. :tada:

Sign PDFs with eID

This is not so clear yet. Okular is usually a flatpak. In order to have gpg find the card reader, I had to restart a service first:

gpg --card-status
# => can't connect to 'socket:///home/rriemann/.gnupg/log-socket': No such file or directory
systemctl restart pcscd
gpg --card-status
# can't connect to 'socket:///home/rriemann/.gnupg/log-socket': No such file or directory
# Reader ...........: OMNIKEY AG CardMan 3121 00 00
# Application ID ...: 534C4090413423078AA5B22712924134
# Application type .: PKCS#15

Okular supports both NSS and GnuPG (S/MIME) as PDF signature backends. Since it does not work with either option, I check the smartcards in the Kleopatra app (KDE certificate manager). It turns out I have to configure the trust of various certificates belonging to the Belgian authorities.

Then, I restart Okular and, under Settings → Configure Backends… → PDF backend configuration, set the option Signature Backend to GnuPG (S/MIME). I get the following feedback:

screenshot of Okular backends config dialogue

When I then choose in the Okular Tools menu the signing option, I end up in a loop with a pinentry-qt dialogue:

Please insert the card with serial number:

[redacted serial number]

It does not work. So close!

An alternative for signing offers the command line tool pdfsig.

With pdfsig -backend GPG -list-nicks, I get a list of fingerprints. One of the hardware ones is for signing, one for authentication. The smartcard tab in the app Kleopatra also displays the names/purposes alongside the fingerprint. So it may be better suited. Otherwise, try out all to find the one for signing. Then, PDFs should be signed with:

pdfsig unsigned.pdf signed.pdf -add-signature -nick [redacted my fingerprint] -reason 'for fun!'

Unfortunately, I only get an error:

signDocument: error getting signature info

We can briefly try the NSS backend with pdfsig. For this, use pdfsig -list-nicks to check the nicknames:

Certificate nicknames available: BELPIC:Authentication BELPIC:Signature

Then, signing should work with:

pdfsig unsigned.pdf signed.pdf -add-signature -nick BELPIC:Signature -reason 'for fun!'

Then, I get queried for the pin and upon entry, the PDF is signed. This can be checked as follows:

# pdfsig signed.pdf
Digital Signature Info of: signed.pdf
Signature #1:
  - Signature Field Name: 34B8E9A9E274A3BCE18E633ABD5B1ECA
  - Signer Certificate Common Name: Robert Riemann (Signature)
  - Signer full Distinguished Name: CN=Robert Riemann (Signature),serialNumber=[redacted],givenName=Robert,SN=Riemann,C=DE
  - Signing Time: May 29 2025 14:58:22
  - Signing Hash Algorithm: SHA-256
  - Signature Type: adbe.pkcs7.detached
  - Signed Ranges: [0 - 515528], [535530 - 536032]
  - Total document signed
  - Signature Validation: Signature is Valid.
  - Certificate Validation: Certificate issuer isn't Trusted.

It remains yet to determine why the certificate validation fails even though the certificate is marked trusted in Kleopatra. Let me know if you have an answer!
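The report above makes two independent statements: the signature verifies cryptographically ("Signature is Valid.") and the signer's chain does not lead to a trusted issuer ("Certificate issuer isn't Trusted."). A file should only be accepted when both checks pass, and when the signature covers the whole document. As an added example (not from the post), the following Python parses pdfsig's verification report and applies that rule; it assumes pdfsig's wording for the accepted chain state is "Certificate is Trusted." and rejects any other certificate status. The sample input is the report quoted above.

```python
"""Parse `pdfsig <file>` output and decide whether to accept the signature.

Added example, not part of the original post. Assumes poppler's pdfsig
reports an accepted chain as "Certificate is Trusted.".
"""
import re

# Constructed sample: the pdfsig report quoted in the post (serial redacted there).
SAMPLE_PDFSIG = """\
Digital Signature Info of: signed.pdf
Signature #1:
  - Signature Field Name: 34B8E9A9E274A3BCE18E633ABD5B1ECA
  - Signer Certificate Common Name: Robert Riemann (Signature)
  - Signer full Distinguished Name: CN=Robert Riemann (Signature),serialNumber=[redacted],givenName=Robert,SN=Riemann,C=DE
  - Signing Time: May 29 2025 14:58:22
  - Signing Hash Algorithm: SHA-256
  - Signature Type: adbe.pkcs7.detached
  - Signed Ranges: [0 - 515528], [535530 - 536032]
  - Total document signed
  - Signature Validation: Signature is Valid.
  - Certificate Validation: Certificate issuer isn't Trusted.
"""

_SIG_HEADER = re.compile(r"^Signature #(\d+):")
WEAK_DIGESTS = {"MD5", "SHA-1"}
TRUSTED_CHAIN = "Certificate is Trusted."   # assumed pdfsig wording
VALID_SIGNATURE = "Signature is Valid."


def parse_pdfsig(text):
    """Return one dict per signature block, keyed by pdfsig's field labels."""
    signatures = []
    current = None
    for line in text.splitlines():
        m = _SIG_HEADER.match(line)
        if m:
            current = {"index": int(m.group(1)), "total_document_signed": False}
            signatures.append(current)
            continue
        item = line.strip()
        if current is None or not item.startswith("- "):
            continue
        item = item[2:]
        # Flag line without a value: covers the whole file. pdfsig prints
        # "Not total document signed" when bytes were appended after signing.
        if item == "Total document signed":
            current["total_document_signed"] = True
        elif ":" in item:
            key, _, value = item.partition(":")
            current[key.strip()] = value.strip()
    return signatures


def assess(sig):
    """Return (accepted, reasons). Accept only if every check passes."""
    reasons = []
    validation = sig.get("Signature Validation", "<missing>")
    if validation != VALID_SIGNATURE:
        reasons.append("signature does not verify: " + validation)
    chain = sig.get("Certificate Validation", "<missing>")
    if chain != TRUSTED_CHAIN:
        reasons.append("certificate chain not trusted: " + chain)
    if not sig["total_document_signed"]:
        reasons.append("signature covers only part of the file (content added after signing)")
    digest = sig.get("Signing Hash Algorithm", "")
    if digest in WEAK_DIGESTS:
        reasons.append("weak digest algorithm: " + digest)
    return (not reasons, reasons)


if __name__ == "__main__":
    for sig in parse_pdfsig(SAMPLE_PDFSIG):
        accepted, reasons = assess(sig)
        who = sig.get("Signer Certificate Common Name", "?")
        print(f"Signature #{sig['index']} by {who}: {'ACCEPT' if accepted else 'REJECT'}")
        for reason in reasons:
            print("   -", reason)
```

For the report in the post the verdict is REJECT with a single reason, the untrusted issuer, which is exactly the open question at the end of the post: until the Belgian CA chain is trusted by the NSS database that pdfsig uses, a valid signature is not yet an accepted one.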

the avatar of openSUSE News

Lend a Hand at the openSUSE Conference

The openSUSE community wants to make the project’s conference in Nuremberg smooth, welcoming and beneficial to attendees. We’re calling on you to get involved!

Whether you’re a longtime contributor or a new face looking to get more involved, there are several ways you can support the conference and ensure everyone has a good time.

We Need Volunteers for:

🟢 Registration Booth / Welcome Desk

Be the first friendly face attendees see! Help us greet participants, hand out badges and swag, and answer basic questions about the venue and schedule.

🟢 Timekeeping During Talks

Help keep our sessions running on time by signaling to speakers when they’re approaching the end of their allotted time. This simple task helps ensure everyone gets a fair and punctual presentation slot.

🟢 Shop Assistance

We’ll have a shop set up at the venue with openSUSE merchandise available for purchase. Volunteers will help the booth lead organize inventory and assist with transactions.

🟢 Video Team Support

The video team could use extra hands with camera setup on June 25 and session recordings through the conference as well as stream monitoring. No prior experience required; just a willingness to help and learn.

Those who are interested should email ddemaio@opensuse.org with the subject header oSC25 Help.

Spreading Awareness – Celebrating 20 Years of openSUSE

This year marks 20 years of openSUSE, and we’re working on a special video project to honor the people and stories behind the project. As part of this, we’re running a campaign at the conference to highlight how individuals contribute to openSUSE. Whether it’s packaging, translation, infrastructure, design, community organizing, release management or documentation, we would like for you to spend a few minutes on camera.

If you’d like to help capture these stories or support the video team’s work to showcase them, we’d love to hear from you. Send an email to ddemaio@opensuse.org with the subject header openSUSE 20 Year!


How to Volunteer

If you’re attending the conference and would like to get involved in any of the roles above, please register here and send a message to the email above. Let’s make openSUSE Conference 2025 one to remember.