A project during Hack Week 25 aims to address community feedback by bringing popular configuration features from YaST into Cockpit and System Roles, which is a step toward bridging the gap left by YaST’s deprecation in openSUSE Leap 16.0.

The initiative, titled Bring to Cockpit + System Roles capabilities from YAST, responds directly to some users anxiety about the loss of the familiar desktop and system management tools. Cockpit was introduced in Leap 16.0 as part of a broader shift toward modern, automation-friendly infrastructure.

Many long-time users have rightly pointed out that critical YaST functionality remains missing, but the next chapter of Leap requires a modern successor to YaST without reinventing the wheel alone; these advancements can grow stronger when shared and improved across communities.

The efforts for the Hack Week project, are set to begin Dec. 1. People can continue to work on the list of implementations should they choose to advance the features.

Several configuration and installation capabilities that were available in the deprecated YaST, which has long been one of the project’s hallmark tools, have yet to make it into the new Cockpit release. Significant research and careful consideration went into the transition away from YaST. Despite its deep ties to the project’s brand identity, teams thoroughly evaluated which features and modules were essential. These gaps for Cockpit are still being filled through community contributions and ongoing integration with System Roles.

The project’s goal is to implement service configuration in System Roles and then layer a Cockpit interface on top to give administrators direct control. In cases where an existing resource is already configured, specific Cockpit modules to handle the interaction are expected.

Should people choose to assist in the efforts, a spreadsheet detailing the missing features and suggested implementations has been published for contributors. Contributors can track progress and collaborate via the project’s Hack Week page.

Hack Week, which began in 2007, has become a cornerstone of the project’s open-source culture. Hack Week has produced tools that are now integral to the openSUSE ecosystem, such as openQA, Weblate and Aeon Desktop. Hack Week has also seeded projects that later grew into widely used products; the origins of ownCloud and its fork Nextcloud derive from a Hack Week project started more than a decade ago.

For more information, visit hackweek.opensuse.org.

The M8 has extensive USB audio and MIDI capabilities, but it cannot be a USB MIDI host. So you can control other devices through USB MIDI, but cannot sent to it over USB.

Control Surface & Pots for M8

Controlling things via USB devices has to be done through the old TRS (A) jacks. There’s two devices that can aid in that. I’ve used the RK06 which is very featureful, but in a very clumsy plastic case and USB micro cable that has a splitter for the HOST part and USB Power in. It also sometimes doesn’t reset properly when having multiple USB devices attached through a hub. The last bit is why I even bother with this setup.

The Dirtywave M8 has amazing support for the Novation Launchpad Pro MK3. Majority of peolpe hook it up directly to the M8 using the TRS MIDI cables. The Launchpad lacks any sort of pots or encoders though. Thus the need to fuss with USB dongles. What you need is to use the Launchpad Pro as a USB controller and shun at the reliable MIDI connection. The RK06 allows to combine multiple USB devices attached through an unpowered USB hub. Because I am flabbergasted how I did things here’s a schema that works.

If it doesn’t work, unplug the RK06 and turn LPPro off and on in the M8. I hate this setup but it is the only compact one that works (after some fiddling that you absolutely hate when doing a gig).

Intech Knot

The Hungarians behind the Grid USB controlles (with first class Linux support) have a USB>MIDI device called Knot. It has one great feature of a switch between TRS A/B for the non-standard devices.

It is way less fiddly than the RK06, uses nice aluminium housing and is sturdier. Hoewer it doesn’t seem to work with the Launchpad Pro via USB and it seems to be completely confused by a USB hub, so it’s not useful for my use case of multiple USB controllers.

Non-compact but Reliable

Novation came out with the Launch Control XL, which sadly replaced pots in the old one with encoders (absolute vs relative movement), but added midi in/ou/through with a MIDI mixer even. That way you can avoid USB altogether and get a reliable setup with control surfaces and encoders and sliders.

One day someone comes up with a compact midi capable pots to play along with Launchpad Pro ;) This post has been brought to you by an old man who forgets things.

This is a roundup of articles from the openSUSE community listed on planet.opensuse.org.

The below featured highlights listed on the community’s blog feed aggregator are from October 18 to 26.

Recent Planet highlights includes an announcement from the Open Build Service Blog, a Halloween install party, Leap driving fleets, configuring a PDF viewer in Thunderbird and more.

Here is a summary and links for each post:

Distroless Containers – Nix Flakes vs Fedora

The latest blog as of publication was riemann.cc comparomg the approaches of Nix flakes and Fedora’s tooling for building distroless containers that highlights the differences in reproducibility, usability, and ecosystem integration.

Plasma 6.5 is here – This week in Plasma

KDE Blog announces the arrival of Plasma 6.5 with a solid mix of User Interface enhancements, performance tweaks and bug fixes, which includes a smoother drag-and-drop in the launcher, better multi-screen support and fixes for older AMD GPU cursors.

Linux Marathon Special (Podcast Linux #30)

KDE Blog revisits episode #30 of Podcast Linux, which was a special “Linux Marathon” live-broadcast with more than two hours of discussions featuring multiple Linux community contributors.

Halloween Install Party Valencia

KDE Blog shares details of a free-entry event on Oct. 31 in Valencia organised by GNU/Linux València. The event will offer GNU/Linux installations, free software help and a Super Tux Kart game-party theme to mark the end of Windows 10 support.

Leap Keeps Fleets on Track

openSUSE News highlights how an openSUSE Leap distribution can power mission-critical fleet-tracking systems and is handling real-time GPS data in Indonesia and the Philippines with PostgreSQL clustering and RabbitMQ to deliver reliability for vehicle-management operations.

More Mobile Settings: Keyboard & Wired Network

This blog by sebas outlines new settings modules in Plasma Mobile for keyboard layout/language switching and wired-network configuration. The focus is aimed at non-phone devices like embedded systems or occasional keyboard users.

Release Schedule for KDE Gear 25.12

The KDE Blog published the schedule for the KDE Gear 25.12 release cycle. The freeze and first beta is scheduled for Nov. 13, RC on Nov. 27 and the final release is scheduled for Dec. 11.

Thunderbird on KDE Plasma | Fine-Tuning File Dialogs

CubicleNate’s Techpad explains how to replace the default GTK file dialog in Mozilla Thunderbird with the native KFileDialog on KDE Plasma for a smoother user experience.

Relevant Upstream Package Version Information

The Open Build Service Blog announces enhancements to upstream version tracking as part of its “Foster Collaboration” beta program, which introduces interactive upstream-version links and detailed status labels.

Eighth Update of digiKam 8: Now Able to Import or Export Tag Hierarchies

KDE Blog announces that version 8.8 of digiKam adds support for importing/exporting tag hierarchies from/to text files, enhancing workflow consistency and cross-platform tag sharing.

Configuring an External PDF Viewer in Thunderbird on Linux

CubicleNate’s Techpad walks through how to set up Mozilla Thunderbird on Linux to use a native external PDF viewer instead of the built-in one for improved usability.

Plasma 6.5 Launched: Reaching the Turning Point

Plasma 6.5 represents a major maturity milestone for the desktop, according to the KDE Blog; it focuses on polishing existing features, refining usability, and adds thoughtful enhancements rather than a sweeping new redesign.

GNOME Tour in openSUSE and Welcome App

The blog on danigm.net outlines how the GNOME Tour fork for openSUSE provides a refreshed welcome experience. With custom pages, a donations section and links tailored for openSUSE, the welcome offers a modern replacement for the older Qt-based opensuse-welcome app.

UjiLliureX 2025, Continuing with LliureX as an Educational Innovation Tool

KDE Blog reports on the UjiLliureX 2025 event located in the province of Castellón. The event confirmed that the LliureX distro remains a key driver of innovation in education with aims to blend free-software teaching and institutional collaboration.

Xeno-canto: The Wiki of Bird Songs

Victorhck highlights xeno‑canto, where users around the world contribute and explore bird-song recordings from thousands of species. The site offers a rich resource for bird lovers, researchers and curious ears alike.

The Video You Need to Understand Linux

KDE Blog shares a video that explains the history and essentials of Linux. It goes into what it is, who created it, and why it matters for new users stepping into the world of free open-source software.

Installing openSUSE Leap 16.0 on a Dynabook XP (Secure Boot Enabled, Dual-Boot)

The Geeko Blog documents installing openSUSE Leap 16.0 on a Dynabook XP with Lunar Lake (Core Ultra 258V) under Secure Boot and dual-boot with Windows 10. The blog covers the offline ISO install, failing the standard installer due to Arc Xe2 GPU issue, and using nomodeset as a workaround.

Plasma 6.5 Is About to Arrive and KDE Turns 29 — Help Us Celebrate!

KDE Blog highlights the imminent release of Plasma 6.5 alongside the 29th anniversary of KDE. The blog encourages donations and community involvement as the project enters these new milestones.

View more blogs or learn to publish your own on planet.opensuse.org.

For several years, Bitnami offered many standard cloud component Container images and Kubernetes Helm charts, e.g. for PostgreSQL, MariaDB, Redis, or MongoDB. I think they were well maintained, used in many production setups, and used with Bitnami subscriptions by paying customers. Also governments used them (e.g. the German government with openDesk and BundesMessenger or the European Commission with SIMPL-Open). In 2019, Bitnami was bought by VM Ware.

In 2025, Bitnami revaluated their business case and decided to discontinue their current offering:

• https://community.broadcom.com/tanzu/blogs/beltran-rueda-borrego/2025/08/18/how-to-prepare-for-the-bitnami-changes-coming-soon,
• https://github.com/bitnami/containers/issues/83267

In a time, where many customers find their dependency with VM Ware already problematic, customers are sceptical towards a mere upgrade to the new Bitnami offering. So it comes to no surprise, that the Internet is full of discussions on alternatives. Before I present three of them, let me recall the challenges:

• supply chain security
• complexity due to diverging supply chain sources
• transparency
• compliance with NIS2 (Network and Information Security (NIS) Directive 2, adopted in November 2022 and in principle effective from 2025), example measures from nis2compliant.org:
  • robust vulnerability handling and disclosure practices
  • Secure supply chain interactions and mitigate risks related to suppliers or service providers, ensuring comprehensive security from end to end
  • incident detection, triage, and response to meet reporting obligations
• Cybersecurity Regulation for EU institutions, e.g.
  • supply chain security, including security-related aspects concerning the relationships between each Union entity and its direct suppliers or service providers
  • establishment of software supply chain security through criteria for secure software development and evaluation
• any other applicable national legislation

So what are the options to manage supply chain security with a view of reaching compliance? I believe it is impossible for an individual organisation to take care of the supply chain security directly for all their software in use. On top, any attempt would not be good use of (public) money. Hence, the goal must be to outsource and to seek synergies with organisations having similar or higher requirements.

CloudPirates.io

• https://github.com/CloudPirates-io/helm-charts

Some German products may switch from Bitnami to CloudPirates.io. CloudPirates is a company like Bitnami, but it is in Germany and hasn’t been bought by VM Ware (yet). Read their German blog post addressing the Bitnami policy change. I have checked their MariaDB helm chart. It relies on the community MariaDB container.

To ensure compliance when using their work, it may be necessary to introduce obligations for CloudPirates, which they may allow only against a fee.

In alternative would be RedHat Linux, that also offers all kinds of containers with maintenance against a fee.

Self-Made Distroless Containers

• https://www.move-online.de/k21-meldungen/containerhaertung-auf-opencode/ (in German)

Governments could build containers for their own ministries. This is what parts of the German government currently explore. But then, there are many ways how this can be organised.

• Upstream: The Government could just review the community images that everyone is using. However, the community may not be reactive enough or have diverging standards, etc.
• Downstream: The Government could maintain their own downstream fork and still collaborate with the community.

In both situations, you have to decide with which community. Consider for instance MariaDB. Relevant communities are:

• the MariaDB community
• the Debian community that packages (and patches) MariaDB
• the Opensuse community that packages (and patches) MariaDB
• the NixOS community that packages (and patches) MariaDB
• the Fedora/CentOS Stream/AlmaLinux community that packages (and patches MariaDB)

The US Government got a project on this at https://repo1.dso.mil/dsop, but it consists of many repos, so that I cannot grasp easily their general apporach. Their NodeJS (slim) image relies on Alpine sourced from their own mirror.

The German Government decided to test NixOS Flakes to build containers from Debian packages that contain the bare minimum of software. If the container does not even contain a package management system, then it is called distroless. Read more about it from Google, Docker, RedHat, or Bitnami (minideb).

Find their work at: https://gitlab.opencode.de/open-code/oci

The following list of their requirements is copied over from the (nodejs image README.md):

Base Image Security

• Minimal base images are used - There is no base image at all, since this build is done using nix and debian packages directly.
• Base image provenance is verified - There is no base image at all, since this build is done using nix and debian packages directly.

• Immutable artifact references are used - There is no base image at all, since this build is done using nix and debian packages directly.

• Base Image can be automatically updates (or after a fixed period of time to avoid being a victim of a supply chain attack) - There is no base image at all, since this build is done using nix and debian packages directly.

Build Process Security

• Reproducible builds are implemented - Nix is being used to ensure that builds are reproducible, meaning the same source code and build instructions always produce identical container images.

• Build environment is isolated - Build runs in a Kubernetes GitLab-Runner. Nix is instructed to not do any sandboxing. However, the build environment is isolated from the host system and other builds to prevent contamination.

• Build provenance is attested - Build process generates cryptographically signed provenance (metadata about who, what, when, and how the artifact was built), ideally at SLSA Level 2 or higher. This creates an auditable trail proving the container came from your legitimate build system and hasn’t been substituted.

• Containers are signed - Images are signed using Cosign to ensure authenticity and integrity. They can be verified using the cosign.pub public key.

• Dev / Compile time dependencies are removed - Uses Nix

Component Management & Transparency

• All components are identified - Have a look at the config json files in the root directory. All components, including their versions, urls and checksums are listed there as input to the build process.

• Component PURLs can be matched to CVE reports We are using debian packages to match against known CVEs. Besides that, we are downloading Nodejs 24 from nodejs.org. To match that against CVEs, we are using the PURL constructed from their GitHub repository: pkg:github/nodejs/node@<version>. We can match this using DevGuard against CVEs (https://osv.dev/list?q=github.com%2Fnodejs%2Fnode).

• Component checksums are verified - All checksums are either in config.json or in flake.nix.

• Regular updates are provided for all components or latest Builds like new nodejs versions - Components receive timely updates and patches from upstream maintainers, and your build process incorporates these updates regularly. This ensures your container stays protected against newly discovered vulnerabilities in its components.

• Components can be automatically updated in a timely manner (or after a fixed period of time to avoid being a victim of a supply chain attack) - An automated pipeline exists to detect, test, and deploy component updates without manual intervention. Can provenance or signatures be verified for upstream components? This ensures security patches are applied quickly, reducing the window of exposure to known vulnerabilities.

Secrets & Sensitive Data

• No secrets in images - Credentials, API keys, certificates, and other sensitive data are never embedded in container images; they are injected at runtime via secrets management systems. This prevents secrets from being exposed in image layers, which can be extracted by anyone with access to the image.

Runtime Configuration

• Resource limits are documented - Since this is an runtime image only, resource limits heavily depend on the application being run.

• Container runs as non-root user - User 53111 (nonroot) is used as non-root user.

Compliance & Vulnerability Management

• SBOM is attested - A Software Bill of Materials (SBOM) is generated, accurate, and cryptographically attested to prove the container’s contents. This provides a tamper-proof inventory of components for compliance, license management, security scanning, and incident response.

• Vulnerability management is done in a timely manner - We are using DevGuard to monitor vulnerabilities in our components. New vulnerabilities are assessed and remediated promptly based on their severity and exploitability.

• VEX is attested - Vulnerability Exploitability eXchange (VEX) documents are provided and attested, indicating which vulnerabilities are exploitable in the specific container context and which are mitigated. This reduces alert fatigue by documenting which CVEs don’t actually affect your container due to configuration or usage patterns.

Fedora-based distroless Container images

As part of my pet pilot project EU OS, I rely on compiled code (i.e. RPM packages) from Fedora. Fedora (and their downstream stable versions Redhat RHEL, CentOS Stream, AlmaLinux) have technologies in place to cover most if not all Government use cases for open source:

• operating system for the corporate laptop of the end user (check out EU OS for some inspiration)
• operating system for cloud servers, including Kubernetes clusters
• container images for cloud workloads

So if we reuse the compiled code for all purposes, then the supply chain security becomes more managable (but due to such centralisation, vulnerabilities could have a higher impact).

Let us check, how distroless container images can be built from Fedora RPM packages. Fedora described this in a blog post from 2021. Meanwhile, things have changed a little bit and such Fedora distroless images can also be composed with podman and its multi stage builds. That’s my example for a small NodeJS container:

# kate: hl Containerfile;

ARG ROOTFS="/mnt/rootfs"
ARG HOME=/home/nonroot

ARG DNF="dnf"
ARG RELEASEVER="42"
FROM quay.io/fedora/fedora-minimal:42
# alternatively:
# ARG RELEASEVER="9"
# FROM registry.access.redhat.com/ubi9/ubi-minimal
# or
# ARG RELEASEVER="10"
# FROM quay.io/almalinuxorg/10-minimal:10.0

ARG ROOTFS
ARG DNF
ARG RELEASEVER
ARG DNF_OPTS="--installroot=${ROOTFS} --releasever=${RELEASEVER} --noplugins --config=/etc/dnf/dnf.conf --setopt=install_weak_deps=0 --setopt=cachedir=/var/cache/$DNF --setopt=keepcache=1 --setopt=reposdir=/etc/yum.repos.d --setopt=varsdir=/etc/dnf"

USER root

# pinning of software versions possible with https://dnf5.readthedocs.io/en/latest/dnf5_plugins/manifest.8.html
# (see also: https://github.com/rpm-software-management/dnf5/pull/2425)
RUN --mount=type=cache,target=/var/cache/$DNF \
  mkdir -p ${ROOTFS} && \
  $DNF ${DNF_OPTS} -y --nodocs install nodejs22

FROM scratch

ARG ROOTFS
ARG HOME

COPY --from=base ${ROOTFS} /

RUN \
  mkdir -p $HOME && \
  printf "nonroot:x:1001:\n" >> /etc/group && \
  printf "nonroot:x:1001:1001:Nonroot User:/home/nonroot:/sbin/nologin\n" >> /etc/passwd && \
  printf "nonroot:!:20386::::::\n" >> /etc/shadow && \
  chown -R 1001:1001 $HOME && \
  chmod -R g=u $HOME

USER 1001
WORKDIR $HOME
ENTRYPOINT ["/bin/bash"]

How does it compare? What is missing?

• The container image is not yet reproducible in the sense that it always uses the latest packages at the time of the build. However, with RPM manifests, the Fedora package manager can be instructed to install specific software versions, similar to npm and its package.json files. I could not enable it yet, because the feature is currently disabled, as the library is not yet widely available in the Fedora package repositories.
• SBOMs can be generated directly from the RPM database. Trivy can list vulnerabilities for a given SBOM, but only for distributions with support (fedora is not; CentOS Stream, RHEL, and AlmaLinux is). Trivy can also generate SBOMs for the container images directly. Renovate can be configured to update RPM manifest files.
• Podman supports signing containers.
• The container image also supports a non-root account.
• The container currently contains still bash, find, sed, grep as those tools are pulled in as a dependency of ca-certificates. The latter is required by nodejs. To remove them, an alternative custom ca-certificates package needs to be prepared that has no such dependencies. See also: https://discussion.fedoraproject.org/t/169906/2

I think the main advantage would be to avoid Nix flakes. Maybe Nix flakes are cool, but the system is apparently still experimental/beta software (see here or here). Also, many developers have not worked yet with Nix flakes. So this is something new to learn. Using Nix flakes doesn’t make podman or Containerfiles redundant. So learning Nix flakes does not replace learning Podman or Containerfiles.

Obviously, this advantage would apply equally to building Podman distroless containers with OpenSUSE RPMs or Debian DEBs. All it takes is a build tool that can install dependencies in a separate folder. For dnf, this is done with the option --installroot. If an organisation has already solved supply chain security for a repository of compiled code, then I believe it is good practice to reuse this repository.

What is your view? Please comment, react on Mastodon or use any other channel.

References

• https://github.com/GoogleContainerTools/distroless
• https://fedoramagazine.org/building-smaller-container-images/
• https://discussion.fedoraproject.org/t/build-distroless-image-for-nodejs-with-minimal-dependencies/169906 (my own forum topic for research purposes)
• https://www.redhat.com/en/blog/why-distroless-containers-arent-security-solution-you-think-they-are
• https://docs.docker.com/dhi/core-concepts/distroless/
• https://github.com/bitnami/minideb
• https://wiki.almalinux.org/containers/docker-images.html

Every minute matters for companies managing vehicle fleets and Linux distributions like openSUSE’s serve as dependable backbones for these types of operations.

From security patrols in Indonesia to maintenance cars in the Philippines, fleets can be monitored in real time through cloud-based platforms powered by openSUSE Leap like Ntrack’s GPS Vehicle Tracking System.

Releases like Leap 16 can be used for GPS Vehicle Tracking list this and is one of several use cases for the distribution.

The vehicle tracking system processes raw data from third-party GPS IoT devices made by companies like Teltonika, Concox, Atrack and others. Each unit sends signals every minute over 3G, 4G and 5G networks, which creates a constant stream of location data. That data is queued using RabbitMQ and stored in PostgreSQL databases clustered on Leap servers.

It provides excellent support for database clustering and system monitoring, ensuring reliable failover and scalability of the data layer, said one developer who shared their use case with the project’s mailing list. The system is handling 50–100 data packets per second, and openSUSE keeps it reliable.

The Ntrack platform transforms these packets into actionable insights for fleet operators. Built on Leap, it offers features like live tracking, route scheduling, driver behavior analysis, geofencing and reporting.

The developer, Edwin, said that the use cases already cover fleets across the islands of Java and Bali related to private security, telecommunications maintenance vehicles in the Philippines, and company cars throughout Indonesia.

GPS tracking systems like Ntrack are another example of how the distribution powers mission-critical applications around the world; Leap 16’s extended lifecycle provides the reliability and upgradability businesses need to trust their technology infrastructure.

Members of the openSUSE Project are trying to showcase how people use openSUSE . If you have a use cases for Leap 16 that you want to share, comment on the project’s mailing list.

Recently, I’ve worked on making certain “less obvious” system settings more accessible for Plasma Mobile users. The modules I’ve worked on fall just outside the typical mobile phone use-case, but can be important to users of other types of devices. Specifically, users that plug in or connect a keyboard once in a while and need to change its layout or language, or devices that are connected using an ethernet cable, as often is the case with embedded industrial devices.

These two settings module offer a subset of their “desktop companions'” settings and cater to simpler use-cases while sporting a leaner and more focused user interface. Most of the business logic and the more complex UI components are also shared with the desktop versions.

Reviewers needed!

The merge requests for both are currently under review and I’d appreciate if people could help ironing out issues so we can go ahead and merge the code:

• Merge request for mobile wired network settings
• Merge request for mobile keyboard settings

Update: Both modules have been merged and will ship as part of Plasma 6.6.