
Linux Saloon 192 | Open Mic Night

Desktop security dominated much of the conversation on this Open Mic Night. I think it’s good to keep these things in mind when we navigate the Internet and secure our information. What have you been doing in tech or Linux? HipDad early days of streaming using RealPlayer, IRC ✅StrawPoll: What are the common activities you […]


Personal Digital Sovereignty

We feel how dependencies can hurt

There is a lot of talk about digital sovereignty. Being able to act as a state or as a company is obviously important. But there are real dependencies, and given the current geopolitical dynamics, there are real risks. Unfortunately, there are no easy answers. Digital sovereignty matters, but so do stability, efficiency, and innovation. Fortunately, there are options and some good examples of how to deal with it. I collected some material in an awesome list on digital sovereignty.

While it is complex at the state level, it is merely complicated at the personal level. Reaching something like personal digital sovereignty is possible. If you are informed about the technical landscape, you probably already have a good intuition about it. You feel the pain of having to stop using a service because the provider decided to discontinue it without you having a say. You can decide whether it feels right to upload your personal diary to a server in a jurisdiction you do not control.

Free Software provides a path

There is a clear path to personal digital sovereignty. The goal is nicely expressed in KDE's mission: "A world in which everyone has control over their digital life and enjoys freedom and privacy." The path is provided by Free Software. The freedoms to use, study, share, and improve give you exactly what you need to be in control.

For software you run yourself, this works well. Running Free Software on your personal computer gives you control. It feels good. It becomes more complicated when you use services you do not and cannot run yourself. The software freedoms do not transfer easily. There are a lot of services, which are mostly based on Free Software, but only the service providers enjoy the freedoms, not their users. I have written about this before when working on my Fair Web Services project.

A good testament to personal digital sovereignty is the Blue Angel for software. Its focus on resource and energy efficiency is one side of responsible software use. Maybe even more important is its emphasis on user autonomy: being able to use software without ads being forced on you, being able to choose what to install, and having transparency about what you run. These are the ingredients of personal digital sovereignty.

Finding the balance

Freedom is one side, but convenience is another. Sometimes it is easier to just use something a vendor has invested heavily in providing, even if you pay with your data and some independence. It is also a question of where you spend your time: do you build something for yourself, or do you use something that already exists? And sometimes it is about the limits of what you can do yourself. Powerful tools can give you leverage so you can focus on your actual mission.

So it is also about compromise. One very important aspect for me is that I am still able to choose. That is the core of personal digital sovereignty. Sovereignty does not mean doing everything yourself. It means preserving the ability to leave, even if you choose not to.

Federated services make it easy to migrate. For git, for example, it does not matter so much where the server is or who runs it, because switching is as simple as changing the remote. For a proprietary note-taking service, this looks different. You may need special exports, format conversions, and you might lose functionality because it is not based on open standards. Choose your dependencies wisely.

It is important to remember that dependencies are not bad per se. We know this from Free Software. We know what it feels like to stand on the shoulders of giants. We rely on the collective strength of a global community. It is not about rejecting all dependencies or doing everything on your own. It is about creating alternatives and shaping an ecosystem based on openness, so that we can choose and act on our own terms.

My personal stack

I am quite happy with my personal stack, which gives me the control I need. My 12-year-old desktop runs Linux and KDE. I pay to host my own email, Nextcloud, and git services. One project I particularly like is GitJournal, which gives me control over my note-taking across all my devices. This covers the core of my computing needs, with my family, my friends, and what I decide to keep private.

To stay connected to the wider world, there is no way around being present on large networks. GitHub and LinkedIn are the compromises that give me reach without requiring me to abandon all my principles. I would not publish my writing only on LinkedIn, though, because I want to own what I produce.

AI is a difficult question right now. It is easy to switch between services, and with such rapid development the best choice changes quickly. And it can provide tremendous leverage. So it remains an evolving compromise. An ideal future would offer open models powerful enough to serve your needs that you can run locally.

Building digital sovereignty

On a personal level, you can decide for yourself. There are limitations, and you will have to build on the environment available to you. But there are alternatives, and you can choose to build your personal digital sovereignty.

At the corporate and state level, it is more difficult. The systems are more intertwined, but the pain of dependencies you cannot control and the risks of others making decisions for you are just as real. Alternatives exist there as well, often the same ones available on a personal level. It can be worth taking bold decisions.

Digital sovereignty at the state level is about national security. At the personal level, it is about personal freedom. Free Software provides a powerful path to maintaining control over our digital lives.

I am not arguing for tools. I am arguing for agency.


Tumbleweed – Review of the week 2026/11

Dear Tumbleweed users and hackers,

It’s been a productive and busy week for Tumbleweed—and for openQA in particular. We threw 7 snapshots at the engines, and 6 were confirmed and published (0305, 0306, 0307, 0308, 0310, and 0311).

Snapshot 0309 was the first to include systemd 259.3, and openQA was not happy at all. The culprit turned out to be a missing sync with the SELinux policies. Once the policies were updated in snapshot 0310, openQA was (mostly) satisfied. A few additional policy tweaks were pushed via the update channel to ensure we didn’t block the snapshot pipeline any longer than necessary.

Those 6 snapshots brought you these changes:

  • bind 9.20.20
  • gstreamer 1.28.1
  • iptables 1.8.13
  • shadow 4.19.4
  • PackageKit 1.3.4
  • KDE Gear 25.12.3
  • Linux kernel 6.19.6 & kernel longterm 6.18.16
  • libvirt 12.1.0
  • GCC 16 is providing the base libraries, such as libgcc_s1. The system compiler is still version 15 for the time being
  • Pipewire 1.6.1
  • systemd 259.3
  • Mozilla Firefox 148.0.2
  • postfix 3.11.1

The future holds these changes, once they pass QA:

  • Mesa 26.0.2
  • cURL 8.19.0
  • systemd 259.4
  • Switch the default bootloader on UEFI systems to systemd-boot (aligning Tumbleweed with MicroOS)
  • GCC 16 as the default compiler
  • GNOME 50: RC is staged for QA; release planned by upstream for March 18
  • glibc 2.43: metabug: https://bugzilla.opensuse.org/show_bug.cgi?id=1257250

Planet News Roundup

This is a roundup of articles from the openSUSE community listed on planet.opensuse.org.

The community blog feed aggregator lists the featured highlights below from March 6 to March 12.

Blogs this week highlight digiKam 9.0’s new Survey tool for rapid photo comparison, IBM’s compact speech AI for edge deployment, FreeBSD installation on the HP Z2 Mini, Plasma 6.5’s sixth bugfix update, and FDE improvements dropping legacy pcr-oracle support. Blogs also cover reasons for using Tumbleweed’s Thunderbird release, Rocky Linux joining KDE as a sponsor, the Lenovo ThinkBook Modular AI PC concept, OBS’ post-mortem analysis on a stuck jobs queue, syslog-ng 4.11.0 release notes, and more.

Here is a summary and links for each post:

Thunderbird Always Updated from openSUSE Tumbleweed Repositories

Victorhck explains how openSUSE Tumbleweed users benefit from receiving official Mozilla Thunderbird releases directly through the distribution’s rolling update channel without relying on Flatpak or third-party repositories. The post details how Tumbleweed’s rapid packaging pipeline ensures users get security patches and new features within hours of upstream releases.

Launched digiKam 9.0, introducing the new Survey tool

The KDE Blog announces the release of the image organizer and tag editor digiKam 9.0. The new major version migrates to Qt 6.10.1 for better speed and stability for Wayland users on Linux. The blog points out RAW support updates for the Canon EOS R1, Nikon Z6-III, Sony A9-III and more. There is also support for batch coordinate editing and a new home screen design.

Granite 4.0 1B Speech: Compact voice AI for the edge

Alessandro’s Blog provides information about IBM’s new Granite 4.0 1B Speech. The model, released under the Apache 2.0 license, provides automatic speech recognition (ASR) and automatic speech translation (AST) across six languages. ASR covers English, French, German, Spanish, Portuguese, and Japanese, while two-way AST pairs each of these languages with English. It also supports additional pairs such as English–Italian and English–Mandarin in speech-to-text-to-text scenarios. Granite 4.0 1B Speech is available on Hugging Face.

The syslog-ng Insider 2026-03: 4.11.0 release; OpenSearch; ElasticSearch

Peter Czánik’s Blog links the March syslog-ng community newsletter covering version 4.11.0 availability. The newsletter covers OpenSearch data streams and changes to the Elasticsearch destination. The full newsletter is available at the syslog-ng community blog.

Dropping pcr-oracle in user space Full Disk Encryption

The openSUSE News site informs users of the deprecation of pcr-oracle in user space Full Disk Encryption (FDE) for those openSUSE systems using Trusted Platform Module 2 (TPM2). The shift moves from signed policy with JSON files stored in the EFI System Partition to systemd-pcrlock, which stores policy in TPM2 non-volatile RAM under a password (recovery PIN). The change resolves rollback attack vulnerabilities inherent to signed policies and simplifies maintenance across multiple boot loaders.

Sixth Plasma 6.5 update

The KDE Blog announces the sixth bugfix update for Plasma 6.5. The update continues KDE’s regular maintenance cycle and highlights novelties like automatic light/dark theme switching, new initial setup wizard (KISS), global WiFi password storage, KWin performance improvements and more.

Lenovo Thinkbook Modular Dual Screen Laptop | Blathering

The CubicleNate Blog examines Lenovo’s ThinkBook Modular AI PC concept unveiled at Mobile World Congress 2026. The machine is a 14-inch ultra-thin laptop with a detachable secondary display. Nate covers the pros and cons while expressing concern over the proprietary components.

New toy: Installing FreeBSD on the HP Z2 Mini

Peter Czánik’s Blog continues to update readers on his new toy with the installation of FreeBSD 15.0 on the AMD Ryzen AI Max+ PRO 395-powered workstation. The installation proceeded smoothly, and the system runs at exceptional speeds with minimal noise even when compiling software from FreeBSD ports. FreeBSD boots only via the EFI boot menu’s boot-from-file option, since the standard boot managers don’t recognize it.

Rocky Linux becomes a sponsor of KDE

The KDE Blog announces Rocky Linux as a new KDE patron organization. Congratulations to both. Rocky Linux joins recent sponsors Kubuntu Focus, g10 Code, and Techpaladin alongside longer-standing backers like The Qt Company, SUSE, Google, Blue Systems, Slimbook, Pine64 and more.

Post-mortem: Stuck Critical Jobs Queue

The Open Build Service Blog publishes a post-mortem analysis of the service degradation between March 4–5. Users were unable to retrieve diffs for submit requests. Multiple code changes contributed to the stuck critical jobs queue.

OWASP SP offers ModSecurity (CRS) for openSUSE

Alessandro’s Blog reports that the OWASP São Paulo chapter released ModSecurity Core Rule Set (CRS) version 4.24.1. CRS is a rule set for Web Application Firewalls that provides generic detection rules to protect web applications against common attacks. This incremental update focuses on stability improvements, enhanced attack detection, and reduced false positives, which makes it essential for systems using ModSecurity or compatible WAF engines to stay protected against emerging threats.

Much Progress in Marknote and Drawy – This Week in KDE Apps

The KDE Blog highlights significant developments across KDE applications, with Marknote reaching version 1.4.0 featuring undo/redo for sketches, drag-and-drop notes between notebooks and more. Drawy received a major overhaul with a new interface, improved zoom controls, and a plugin system for tools.

Updating perltidy (and other dependencies) in os-autoinst

A short openQA Bites post explains that updating dependencies in the dependencies.yaml file of os-autoinst also updates the cpanfile for the user.

Linux Saloon 191 – Application Managers

The CubicleNate Blog covers a lively discussion from the Linux Saloon podcast. Participants shared their impressions about topics like Android sideloading and the evolution of software distribution methods in the Linux ecosystem.

3 Native Racing Games for Linux

The KDE Blog showcases three demanding native Linux racing games. Speed Dreams offers a realistic racing simulator with diverse vehicles and multiple game modes. Trigger Rally provides arcade-focused fun with more than 100 maps across varied terrain. Stunt Rally rounds out the selection with the most complex and creative experience, featuring more than 200 tracks across 37 scenarios.

openSUSE Tumbleweed Weekly Review – Week 10 of 2026

Victorhck and dimstar report on the snapshots delivered in week 10. The review covers a minor selinux-policy update that inadvertently exposed code relying on incorrect previous behavior, causing boot failures detected by openQA before reaching users. Other updates include Python 3.14, KDE Plasma 6.6.1 and 6.6.2, Linux kernel 6.19.5, and more. Upcoming changes include the GNOME 50 release candidate, glibc 2.43, and a switch to systemd-boot as the default UEFI bootloader, which will align Tumbleweed to MicroOS standards.

Third Update of KDE Gear 25.12

The KDE Blog highlights the third maintenance release of KDE Gear 25.12. The update has corrections to KDE Connect plugin toggling, NeoChat message behavior, an Umbrello crash and more.

Seeing people through the walls with Wi-Fi – π RuView: WiFi DensePose


Alessandro’s Blog looks at RuView, which is an open-source privacy-first system that analyzes Wi-Fi signal disturbances (CSI data) to reconstruct human pose, detect respiration and heart rates, and sense presence through walls without any cameras. Applications range from elderly fall detection and perimeter security to industrial monitoring, and more.

View more blogs or learn to publish your own on planet.opensuse.org.


Dropping pcr-oracle in user space Full Disk Encryption

Introduction

In user space Full Disk Encryption (FDE), as opposed to boot loader based FDE, openSUSE developers have supported both signed policy and NVIndex policy from the beginning when a Trusted Platform Module 2 (TPM2) is used.

With the signed policy, we deliver a JSON file in the EFI System Partition (ESP) that is read during the initrd stage by systemd-cryptsetup. This file contains the policy hash, which describes the expected values of the PCR registers of the TPM2 (measured boot). Together with the policy we find a signature that is validated by the TPM2; if the PCR values match and the signature is valid, the TPM2 unseals the password for the encrypted hard disk, and the boot process can continue.

This method is simple and very flexible. We can update the policy to generate new predictions (for example if a new kernel was installed). Using a private key, which can be stored on the encrypted side of the system, we can sign it and install it in the ESP. Another advantage is that we can generate multiple files that support multiple valid configurations, which can represent different snapshots, kernels, or initrds installed on the system.

But one limitation of this method is that we are not protected against a rollback attack. Someone can copy the JSON file (the ESP is not encrypted), together with the kernel and the initrd, and wait until some CVE is published for this configuration. After that, the assets can be copied back to the ESP, and the signature of the policy will still be valid as far as the TPM2 is concerned. Technically, this can be resolved by generating a new private key and re-enrolling the devices, but this is not ideal.

systemd-pcrlock provides an alternative, known as NVIndex policy, which stores the policy in the TPM2 non-volatile RAM under a password (recovery PIN). This approach is a bit better for our case, as it resolves the rollback attack. It is used by default if the TPM2 supports it, but because policyAuthorizeNV was only introduced in TPM2 Revision 1.38 ten years ago (2016), not all devices can do that. sdbootutil falls back to pcr-oracle (signed policy) if NVIndex policy cannot be used.
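As an added illustration of why the two designs differ on the rollback point (a constructed model, not sdbootutil or systemd code): a keyed hash stands in for the TPM2 signature check, a small class stands in for the TPM2 NV index, and the PCR values, signing key and PIN are all constructed sample data.

```python
import hashlib
import hmac
import json

# Constructed sample PCR predictions (hex digests) for two boot configurations:
# the configuration before a kernel update and the one after it.
PCRS_BEFORE_UPDATE = {"4": "aa" * 32, "7": "bb" * 32, "11": "cc" * 32}
PCRS_AFTER_UPDATE = {"4": "aa" * 32, "7": "bb" * 32, "11": "dd" * 32}

# Stand-in for the private key kept on the encrypted side; a keyed hash
# replaces the asymmetric signature a real TPM2 would verify.
SIGNING_KEY = b"constructed-signing-key"


def policy_digest(pcrs):
    """Digest over the expected PCR values, like the policy hash in the JSON file."""
    return hashlib.sha256(json.dumps(pcrs, sort_keys=True).encode()).hexdigest()


def sign_policy(pcrs):
    """Signed-policy design: build the JSON file that would be written to the ESP."""
    digest = policy_digest(pcrs)
    sig = hmac.new(SIGNING_KEY, digest.encode(), hashlib.sha256).hexdigest()
    return {"pcrs": pcrs, "digest": digest, "sig": sig}


def unseal_signed(policy_file, measured_pcrs):
    """TPM-side check for a signed policy: the signature must verify against the
    enrolled key and the measured PCRs must match the signed prediction. Nothing
    here records which predictions have since been superseded."""
    expected = hmac.new(SIGNING_KEY, policy_file["digest"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, policy_file["sig"]):
        return False
    return policy_digest(measured_pcrs) == policy_file["digest"]


class NvIndexPolicy:
    """NVIndex design: the authorized digest lives in TPM2 non-volatile RAM and is
    overwritten on each policy update, so only the current prediction unseals."""

    def __init__(self, pin, pcrs):
        self._pin = pin                      # recovery PIN guarding writes to the index
        self._digest = policy_digest(pcrs)

    def update(self, pin, pcrs):
        if not hmac.compare_digest(pin, self._pin):
            raise PermissionError("wrong recovery PIN")
        self._digest = policy_digest(pcrs)   # the previous prediction is gone

    def unseal(self, measured_pcrs):
        return policy_digest(measured_pcrs) == self._digest


def stale_policy_still_unseals():
    """After a policy update, does the superseded prediction still unseal?
    Returns (signed_policy_result, nvindex_result)."""
    stale_file = sign_policy(PCRS_BEFORE_UPDATE)   # JSON file as it was before the update
    sign_policy(PCRS_AFTER_UPDATE)                  # new prediction signed after the update
    nv = NvIndexPolicy("1234", PCRS_BEFORE_UPDATE)
    nv.update("1234", PCRS_AFTER_UPDATE)
    # Booting the superseded kernel/initrd again: the TPM measures the old PCR values.
    measured = PCRS_BEFORE_UPDATE
    return unseal_signed(stale_file, measured), nv.unseal(measured)


if __name__ == "__main__":
    print(stale_policy_still_unseals())   # (True, False)
```

The signed design has no notion of "current" policy, only of "validly signed" policy, which is exactly why rotating the signing key is the only remedy; the NV index holds a single current digest, so the stale prediction fails.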

The next version of sdbootutil will drop pcr-oracle.

Motivation

Basically, it is time to do that. The rollback attack is a good argument to avoid signed policies, but we also need to factor in the maintenance of pcr-oracle for multiple boot loaders (GRUB2 and systemd-boot).

The way pcr-oracle works means that any change in the event log order or structure needs to be addressed in the source code, whereas with systemd-pcrlock it is a matter of generating some JSON files stored in /var/lib/pcrlock.d and updating the TPM2 policy at the right moment.

This difference has left pcr-oracle behind in current support, making it effectively broken by any metric.

Migration

The good news is that if you have a TPM2 produced after 2016, you can migrate to systemd-pcrlock very easily. sdbootutil still recognizes systems enrolled with pcr-oracle and can unenroll them. The migration process is as easy as:

  # sdbootutil unenroll --method=tpm2
  # sdbootutil enroll --ask-pin --method=tpm2

If, sadly, your TPM2 revision is older, password enrollment is always available:

  # sdbootutil unenroll --method=tpm2
  # sdbootutil enroll --method=password

Further Documentation


Lenovo Thinkbook Modular Dual Screen Laptop | Blathering

Lenovo introduced the ThinkBook Modular AI PC concept at MWC 2026, featuring dual displays, a removable keyboard, and modular ports, appealing to digital nomads. While the machine offers innovative flexibility, its proprietary components and lack of community engagement raise concerns. Overall, it shows incredible potential but has room for some adjustments.

New toy: Installing FreeBSD on the HP Z2 Mini

Finally, I also installed FreeBSD on my new AI focused mini workstation from HP. I even managed to install GNOME on the machine with minimal effort. However, I also ran into many problems.

So far it’s a mixed experience. Installation went smoothly, and FreeBSD 15.0 was up and running in no time. However, FreeBSD is not found by any of the Linux boot managers I use (different flavors of GRUB), and it’s not in the EFI boot menu either. The only way I could boot FreeBSD was bringing up the EFI boot menu, choosing boot from file, and loading EFI/freebsd/loader.efi.

Once FreeBSD boots on the machine, it is lightning fast. One of the fastest machines I have ever used, in the size of a Lord of the Rings book. Still, it stays silent while compiling software from FreeBSD ports.

I do not plan to use this box as a FreeBSD desktop, but of course I was curious how much FreeBSD desktop support evolved since I last tried it. I found a nice article on the FreeBSD Foundation website, describing how to install a GUI on FreeBSD using the new desktop-installer tool. It asked tons of questions, did some magic, and after a while I had GNOME up and running.

The good:

  • no manual package installation or configuration editing necessary
  • the exact same GNOME look and feel as on all Linux distributions I tested (except for Ubuntu)
  • sound works, using the built-in speaker

The bad:

  • no accelerated graphics at all
  • 3D games start, play music, but no graphics
  • playing YouTube in Firefox works, both graphics and sound, but low quality
  • the screensaver starts automagically, but cannot be unlocked (workaround: disable screensaver)

The same boring GNOME as everywhere else :-)

I might try to debug some of these issues, but most likely I’ll just reinstall FreeBSD and keep using it in text-only mode. As far as I could see, there is no in-hardware AI acceleration available on FreeBSD. However, with 32 CPU cores, a fast SSD and 128 GB of RAM, this is an ideal box for running complex test environments in FreeBSD jails. I love Bastille and plan to install it once I have cleaned up the machine after the GNOME experiment.

This blog is part of a longer series about my adventures with my new machine and AI. You can reach me to discuss this blog on one of the contacts listed in the upper right corner. You can read the rest of the blogs under the toy tag.


Post-mortem: Stuck Critical Jobs Queue

Between March 4th and 5th, the Open Build Service (OBS) experienced a service degradation.

Impact

Users weren’t able to retrieve the diff changes of submit requests.

Detection

The issue was first identified by team members who noticed that diffs for new submit requests were not loading. Minutes later, it was confirmed that this issue was affecting all submit requests across the production instance.

Root Cause

Due to multiple factors, the latest code changes increased the...
