Tue, Feb 4th, 2025


Simplifying Admin Tasks in openSUSE with the Wheel Group
Fri, Jan 31st, 2025


Tumbleweed – Review of the week 2025/05
Dear Tumbleweed users and hackers,
It seemed like a quiet week to me. Probably people are getting ready to meet up in Brussels for FOSDEM. Make sure to visit the booth area and talk to the people there. We have managed to release 4 snapshots (0124, 0125, 0127, and 0128).
The most relevant changes delivered this week are:
- Mesa 24.3.4
- Mozilla Firefox 134.0.2
- Drop of nscd
- Systemd 257.2
- FWupd 2.0.4+4
- Wine 10.0
- Removal of python 2
The outlook for the future sounds interesting too:
- Meson 1.7.0
- Timezone 2025a
- RPM 4.20: support for declarative build systems. I started playing with this a little bit using meson.
- KDE Plasma 6.3: beta 2 is currently staged
- Change of default LSM from AppArmor to SELinux is progressing, status is tracked at https://bugzilla.opensuse.org/show_bug.cgi?id=1230118.
Wed, Jan 29th, 2025


Tumbleweed Monthly Update - January 2025
Tumbleweed remains a strong example of a reliable rolling release as we step into 2025. This month delivered multiple snapshots and a wide range of updates! Two much anticipated major version updates arrived in snapshots this month; GIMP’s release candidate is giving users a good look into the 3.0 version and libvirt 11.0.0 improves virtualization performance, stability and flexibility. KDE Gear 24.12.1 improves app usability and KDE Plasma 6.2.5 brings some additional stability.
As always, be sure to roll back using snapper if any issues arise.
Happy updating and tumble on!
For more details on the change logs for the month, visit the openSUSE Factory mailing list.
New Features and Enhancements
GIMP 3.0.0~RC2: This makes a major leap to version 3.0 with significant updates and fixes. The build process is streamlined with improved handling of fonts, such as replacing Bitstream Vera with Google Noto Sans and ensuring stability even when fonts are missing. The Python runtime dependencies and enhanced debugging support with libbacktrace ensure smoother builds and better issue resolution. Experimental features like the Lua plugin are now gated for optional use, and Fedora-imported patches improve system monitor profile defaults, external help browser support, and privacy settings. These updates modernize GIMP’s architecture and prepare it for the final 3.0 release.
KDE Gear 24.12.1: Notable updates in this release were made to Dolphin, which improved behavior on X11, fixed thumbnail updates on renaming, and fixed search box initialization. Itinerary gained enhancements for trip group handling; improvements were also made to weather forecasts, and it was optimized for crash prevention. Kdenlive addressed timeline issues, fixed crashes, improved layout handling and restored effects presets. KMail improved search functionalities and KPublicTransport enhanced station name recognition.
KDE Plasma 6.2.5: The Discover app store fixes overlapping update description text and kpipewire fixes issues when streaming fails to update. The Plasma update also prevents crashes by adding a dummy clipboard. Some screencasting issues were resolved in KWin. PowerDevil resolves crashes in unloadAllActiveActions and Plasma Networkmanager reverts fixing an issue with the connection speed tab remaining visible after disconnecting.
Rsync 3.4.1: This update brings critical bug fixes and security enhancements. Key updates include improved handling of the -H flag, resolution of a use-after-free issue in rename logging, and removal of the dependency on alloca() in the bundled popt. Security fixes address multiple vulnerabilities, such as CVE-2024-12747, a race condition in handling symbolic links, as well as CVE-2024-12084 through CVE-2024-12088, which cover heap buffer overflows, information leaks, and directory traversal risks. The update also introduces protocol version 32 and refines developer tools for improved permissions handling.
libvirt 11.0.0: This major release adds VLAN tagging and trunking support for network interfaces on Linux host bridges and enables domains to use advanced tlbflush Hyper-V features. User-defined aliases for devices in domain XML and virtiofs read-only mode are now supported. Enhanced vGPU migration between mdev and SRIOV VF devices is also introduced. Key fixes address transient domain TPM profile crashes, disk image deletion with snapshots, and post-copy migration recovery errors, alongside improvements in domain XML formatting and CPU model support.
libcdio 2.2.0: The library now uses GNU/Linux’s new ioctl with kernel 5.16+ and incorporates GitHub CI checks for better development workflow. Additionally, the update ensures compatibility with widestring APIs and provides better pkg-config detection.
Amarok 3.2.1 & 3.2.2: Amarok introduces Qt6 and KF6 compatibility, enabling support for gpodder, last.fm, and the Wikipedia context applet. The collection can now be filtered by empty tags, and the context view applet for the current track is displayed by default. Key fixes address crashes during file transfers to MTP devices, Ampache logins, and collection filtering. Additional improvements include reduced MTP device query flooding, refined font size limitations in the context view, and enhanced compatibility across compiler and Qt6 versions. Amarok now depends on KDE Frameworks 5.108, marking a step toward modernized builds and better stability.
libxml2 2.13.5: New features include API additions for more reliable malloc failure reporting and context-specific error handlers, such as xmlCtxtSetErrorHandler. The update introduces the XML_PARSE_NO_XXE parser option, enhancing security by disabling external entity loading. Key bug fixes address regressions in xmlIO, xmlreader, and handling of parameter entities. Additionally, significant optimizations ensure better compatibility with modern systems, improved error handling, and support for new configurations. Deprecated features such as HTTP POST support and legacy FTP functionality are gradually being phased out, which reflects a shift toward streamlined and secure XML processing.
Key Package Updates
Kernel Source 6.12.8, 6.12.10 and 6.13.0: The rolling release was one of the first to update to the 6.13 kernel and notable changes for it include a PCI/DPC quirk for PIO log size adjustments on Intel Raptor Lake-P (bsc#1234623). The update also drops a mainline patch for Nouveau backlight control and includes refreshed configurations. Enhanced USB handling, better support for various arm platforms and multiple bug fixes for IIO devices arrived in a previous kernel update. Key changes address vulnerabilities, improve stability and refine hardware compatibility across various subsystems. Version 6.12.8 had enhancements to ALSA and Bluetooth subsystems to address issues like memory leaks and invalid parameter handling. Btrfs received fixes for race conditions and improvements to power supply drivers were made.
btrfs-progs 6.12: This update includes recursive subvolume deletion for accessible subvolumes and the --subvol option in mkfs to create subvolumes with specific properties (read-only, read-write, or default). Other notable improvements include hard link detection in the --rootdir option, refined verbosity in receive and more accurate handling of compressed extents in check. The release also addresses several bugs, such as false positive checksum reports and improper subvolume iteration in rescue clear-ino-cache.
Systemd 257.2: Key updates in this package include improvements to user@.service. Various patches, such as fixes for TPM2 utilities and initrd_prepare behavior, have been integrated upstream. The testsuite now requires cloning the systemd repository due to upstream changes; efforts are underway to adapt the sub-package.
Mesa 24.3.3: Fixes in this release include resolving rendering issues in Portal 2 and Half-Life 2, addressing crashes in Artifact Classic, and correcting a regression that broke Wayland on RS480M GPUs. Additional updates fix prop disc rendering in X-Plane 12, improve H264/H265 VAAPI encoding on R6700XT with proper QP value handling, and resolve missing text in Age of Mythology Retold on Arc b580 GPUs.
HarfBuzz 10.2.0: Font handling improvements arrive in this package. Unicode Variation Selectors are now considered during “cmap” table subsetting, while malformed UTF-8 strings are better guarded in hb_cairo_glyphs_from_buffer(). Rendering and parsing see significant fixes, including corrected scaling for “COLR” v1 glyphs and locale-independent double number parsing in the hb-subset tool. New APIs enable advanced font table serialization, repacking, and font variation settings conversion.
Coreutils 9.6: This release addresses multiple bug fixes, such as correcting issues in cp, mv, ls and tail, improving reliability and compliance with POSIX standards. Enhancements include new features like CRC32b support in cksum, indexed arguments in printf, and POSIX:2024 string comparison in test. Performance improvements touch key utilities like wc, cksum and sort to ensure faster operations on modern systems.
PHP 8.3.16: This package delivers a wide range of bug fixes and stability improvements across core features and extensions. Enhancements include addressing issues in DatePeriod, SimpleXML and FFI, resolving memory leaks in components like LibXML and Sockets, and improving compliance with standards such as RFC 6890 for IP filtering. Key fixes span vulnerabilities like use-after-free (UAF) in DOM and Iconv, segmentation faults in Gettext and Phar, and overflow issues in Streams. Developers benefit from improved error handling, compatibility updates, and hardened security measures for critical functions like proc_open().
Flatpak 1.16.0: In the latest version, new environment variables like FLATPAK_TTY_PROGRESS, FLATPAK_DATA_DIR, and FLATPAK_DOWNLOAD_TMPDIR offer greater flexibility for configuring runtime behavior, such as progress indicators and alternative directory paths. Notable bug fixes include improved handling of dangling symlinks, corrections to introspection annotations in libflatpak, and resolving regressions with Wayland socket handling. Other refinements ensure smoother operation and compatibility, including fixes for terminal progress indicators and the installation of missing test data.
Bug Fixes and Security Updates
Several key security vulnerabilities were addressed this month:
- CVE-2024-12747: Fixed a race condition in handling symbolic links.
- CVE-2024-12084: Resolved a heap buffer overflow in checksum parsing.
- CVE-2024-12085: Fixed an information leak via uninitialized stack contents, defeating ASLR.
- CVE-2024-12086: Addressed server leakage of arbitrary client files.
- CVE-2024-12087: Resolved an issue allowing a server to make clients write files outside the destination directory using symbolic links.
- CVE-2024-12088: Fixed a bypass for --safe-links functionality.
git 2.48.1:
- CVE-2024-50349: Fixed an issue where crafted URLs could inject ANSI escape sequences, potentially misleading users into sending credentials to malicious hosts.
- CVE-2024-52006: Addressed incorrect handling of line endings in credential helpers, preventing credential exposure.
- CVE-2020-6923: Fixed a memory buffer overflow vulnerability in HPLIP versions 3.20.8 and earlier, which could allow arbitrary code execution or denial of service.
- CVE-2024-40896: Fixed an out-of-bounds read and write vulnerability when processing HEIF files with forged overlay image offsets.
- CVE-2024-57823: Patch added to fix an integer underflow, which could lead to potential vulnerabilities.
Mozilla Firefox 134.0:
- CVE-2025-0244: Address bar spoofing using an invalid protocol scheme on Firefox for Android.
- CVE-2025-0245: Lock screen setting bypass in Firefox Focus for Android.
- CVE-2025-0246: Address bar spoofing using an invalid protocol scheme on Firefox for Android.
- CVE-2025-0237: WebChannel APIs susceptible to confused deputy attack.
- CVE-2025-0238: Use-after-free when breaking lines in text.
- CVE-2025-0239: Alt-Svc ALPN validation failure when redirected.
- CVE-2025-0240: Compartment mismatch when parsing JavaScript JSON module.
- CVE-2025-0241: Memory corruption when using JavaScript Text Segmentation.
- CVE-2025-0242: Memory safety bugs fixed across multiple versions of Firefox and Thunderbird.
- CVE-2025-0243: Memory safety bugs affecting Firefox, Thunderbird, and ESR versions.
- CVE-2025-0247: Memory safety bugs fixed in Firefox 134 and Thunderbird 134.
- CVE-2024-13176: A timing side-channel vulnerability in ECDSA signature computations could allow attackers to recover private keys.
Conclusion
KDE users will appreciate the refined experience offered by the latest KDE Gear and Plasma releases, with improved usability and bug fixes. Under the hood, Tumbleweed continues to receive critical updates, including security enhancements for Rsync and improved XML processing with libxml2. These updates, along with numerous others continue to make Tumbleweed a secure, stable and useful open-source platform.
Slowroll Arrivals
Please note that these updates also apply to Slowroll and arrive on average 5 to 10 days after being released in a Tumbleweed snapshot. This monthly approach has been consistent for many months, ensuring stability and timely enhancements for users.
Contributing to openSUSE Tumbleweed
Stay updated with the latest snapshots by subscribing to the openSUSE Factory mailing list. For those Tumbleweed users who want to contribute or want to engage with detailed technological discussions, subscribe to the openSUSE Factory mailing list. The openSUSE team encourages users to continue participating through bug reports, feature suggestions and discussions.
Your contributions and feedback make openSUSE Tumbleweed better with every update. Whether reporting bugs, suggesting features, or participating in community discussions, your involvement is highly valued.
Tue, Jan 28th, 2025


No Keyboard Input on Some Flatpak Games
Mon, Jan 27th, 2025


Sleep States and the Advanced Configuration and Power Interface (ACPI) | Blathering


Behold, My First RPM
I've written tons and tons of software, but was never much for packaging it. If I did any packaging, it was typically sticking a server into a container.
Yesterday morning I realized it has been something like 25 or 30 years since I wrote any functional C code, so I decided to do a refreshing, with the help of some AI. After reviewing the syntax and pointers, I wrote a CLI version of a Python app that I wrote a while back.
Python GUI Version
The problem is that I travel for work, but when I do, openSUSE doesn't seem to pick up on my new timezone, and it was a complex set of commands that I could not remember easily to set the new timezone. So I wrote a little GUI tool.
CLI C Version
So I basically did the same thing, but for the CLI, and in C. I made sure that I understood all of the code as I wrote it, though I have to admit, I sort of glossed over the code for iterating through the directories and files.
This version does basically the same thing, but doesn't require the GUI.
Packaging
But wait! There is more. With some more AI assistance, I was able to put up a package that I can install on my machines.
Conclusion
I fully get that there are "official" ways of setting the timezone. The point is that I was able to go from not having written any C code in decades, to having a package in less than 2 hours! I also think my tool is a bit sweeter than timedatectl, etc...


Python 2

In 2020, the Python foundation declared Python 2 as not maintained anymore.
Python 2 is really old, not maintained and should not be used by anyone in any modern environment, but software is complex and python2 still exists in some modern Linux distributions like Tumbleweed.
This past week, the request to delete Python 2 from Tumbleweed was created and is going through the staging process.
The main package keeping Python 2 around for Tumbleweed was Gimp 2, which doesn't depend directly on Python 2, but some of its plugins depend on it. Now that we have Gimp 3 in Tumbleweed, we are finally able to remove it.
Python 2
The first version of Python 2 was released around 2000, so it's now 25 years old. That's not true, because software is a living creature, so as you may know, Python 2 grew during the following years with patch and minor releases until 2020, the year of the final release, 2.7.18.
But even when it was maintained until 2020, it was deprecated for a long time so everyone "should" have time to migrate to python 3.
Py3K
I started to write python code around the year 2006. I was bored during a summer internship in my third year of computer science, and I decided to learn something new. In the following months / years I heard a lot about the futuristic Python 3000, but I didn't worry too much until it was officially released and the migration started to be a thing.
If you have ever written python2 code you will know about some of the main differences with python3:
- print vs print()
- raw_input() vs input()
- unicode() vs str
- ...
Some tools appeared to make it easier to migrate from python2 to python3, and it was even possible to have code compatible with both versions at the same time using the __future__ module.
You should have heard about the six package, 2 * 3 = 6. Maybe the name should be five instead of six, because it was a Python "2 and 3" compatibility library.
Python in Linux command line
When python3 started to be the main python, there was some discussion about how to handle that in different Linux distributions. The /usr/bin/python binary was present and everyone expected that to be python2, so almost everyone decided to keep that relation forever and distribute python3 as /usr/bin/python3, so you can have both installed without conflicts and there's no confusion.
But python is an interpreted language, and if you have python code, you can't tell if it's python2 or python3. The shebang line in the executable python scripts should point to the correct interpreter and that should be enough: #!/usr/bin/python3 will use the python3 interpreter and #!/usr/bin/python will use python2.
But this is not always true. Some distributions, like Archlinux, use python3 in /usr/bin/python, and if you create a virtualenv with python3, the python binary points to the python3 interpreter, so a shebang like #!/usr/bin/python could be something valid for a python3 script.
In any case, the recommended and safest way is to always use the python3 binary because that way it'll work correctly "everywhere".
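The shebang ambiguity described above can be audited on a system before Python 2 goes away. The following is an added example, not code from the original post; the function names and the sample files it writes to a temporary directory are constructed for illustration.

```python
import os
import re
import tempfile

PY3 = re.compile(r"^python3(\.\d+)?$")
PY2 = re.compile(r"^python2(\.\d+)?$")


def shebang_interpreter(first_line):
    """Return the interpreter name from a shebang line, or None."""
    if not first_line.startswith(b"#!"):
        return None
    tokens = first_line[2:].decode("utf-8", "replace").split()
    if not tokens:
        return None
    name = os.path.basename(tokens[0])
    if name == "env":
        # Skip env options (-S, -i, ...) and VAR=value assignments.
        rest = [t for t in tokens[1:] if not t.startswith("-") and "=" not in t]
        if not rest:
            return None
        name = os.path.basename(rest[0])
    return name


def classify(first_line):
    """Classify a script's first line by the Python it asks for."""
    name = shebang_interpreter(first_line)
    if name is None:
        return "not-python"
    if PY3.match(name):
        return "python3"
    if PY2.match(name):
        return "python2"
    if name == "python":
        # python2 on most distributions, python3 on Arch or in a virtualenv.
        return "ambiguous"
    return "not-python"


def scan_tree(root):
    """Map relative path -> verdict for every Python script under root."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                with open(path, "rb") as fh:
                    first = fh.readline(256)
            except OSError:
                continue  # unreadable file: nothing to classify
            verdict = classify(first)
            if verdict != "not-python":
                report[os.path.relpath(path, root)] = verdict
    return report


def demo():
    """Scan a constructed set of sample scripts and return the report."""
    samples = {
        "new.py": "#!/usr/bin/python3\nprint('ok')\n",
        "legacy.py": "#!/usr/bin/python2.7\nprint 'ok'\n",
        "unclear.py": "#!/usr/bin/python\nprint('ok')\n",
        "venv_style.py": "#!/usr/bin/env python\nprint('ok')\n",
        "tool.sh": "#!/bin/sh\necho ok\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, text in samples.items():
            with open(os.path.join(root, name), "w") as fh:
                fh.write(text)
        return scan_tree(root)


if __name__ == "__main__":
    for path, verdict in sorted(demo().items()):
        print(f"{verdict:10} {path}")
```

Scripts reported as python2 stop working once the interpreter is removed, and the ambiguous ones depend on what /usr/bin/python resolves to on the target machine.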
Goodbye
It's time to say goodbye to python2; at least we can remove it now from Tumbleweed. It'll be around for some more time in Leap, but it's time to let it go.


showkey | Examine Keyboard Codes
Fri, Jan 24th, 2025


Releasing version 11
The first beta versions of SUSE Linux Enterprise Server 16 are almost around the corner and openSUSE Leap 16 is already at alpha phase. So the YaST Team (or should we already say the Agama Team?) has focused during the last couple of weeks on providing a better installation experience for both families of distributions. Agama 11 is the result, so let's see what's new on this release.
Bear in mind that some minor revisions of Agama 11 could be released in the following days to correct issues detected during the testing of SLES 16 Beta and openSUSE Leap 16 Alpha. We will update this blog post if any of those changes affect significantly any of the features listed below.
Agama can install Slowroll now
Let's start by welcoming a new member to the family of operating systems Agama can install. Thanks to WesFun, it is now possible to select openSUSE Slowroll when using the Agama testing iso for openSUSE.
Keep the contributions coming!
Changes in the web interface
Agama 11 also comes with a small reorganization of the workflow of the web interface. In previous versions, it was always necessary to visit the "Users" section to configure the root authentication and then go back to the "Overview" page in order to proceed with the installation. That happened because authentication is the only aspect of the system configuration for which Agama cannot infer any reasonable setup. You surely don't want Agama to choose a root password for you!
Starting with Agama 11, a screen to configure the root authentication is presented to the user right away after selecting the operating system to install.
After configuring the root password the user lands in the main Agama screen, where the general layout has been reorganized to ensure the "install" button is always accessible from all sections of the interface.
Additionally, the new install button can show an exclamation mark if there are issues preventing the installation and provides a summary of those issues pointing to the corresponding section that can be used to solve the situation.
The changes in the web interface go far beyond the new location of the install button. We encourage you to explore yourself to find all the small improvements!
Product registration
As you all know, one of the main goals of Agama is to become the official installer for SUSE Linux Enterprise Server 16. The development of that operating system, and its sibling product SLES for SAP Application, is progressing nicely with some preliminary versions being already available to SUSE Partners.
Installing those systems requires the user to register in order to gain access to the repositories. Agama can detect whether registration is necessary and then offer a convenient user interface for the process, as seen below.
Of course, this feature is irrelevant for openSUSE users since the openSUSE repositories are fully public and they will always be.
License agreement
Another difference between openSUSE and a corporate distribution like SLES is that users need to explicitly accept a license agreement to use the latter. In the case of the Agama web interface, that means presenting the license as soon as possible in the process. Thus, the corresponding EULA must be accepted already when selecting any of the products that require it.
Of course, the screenshot above belongs to a SLES installation media and openSUSE users will not notice this new feature.
Allow remote usage of the command-line interface
As convenient as an interactive installation with the web interface can be, you know that the command-line interface and the unattended installation process are also first-class citizens for Agama. Thus, they also received some love in this release.
Agama's CLI (command-line interface) offers an alternative way to control the installation process, useful in various situations like installing on machines that cannot serve the web interface (e.g. due to limited resources), using scripts and other automation techniques or simply when the user prefers the good old terminal over graphical interfaces. Now Agama's CLI offers a new global parameter --api that allows running the tool (and any script based on it) on a different machine from the one actually being installed. Bear in mind the new argument is still not honored by all Agama subcommands. Support for it will be extended in subsequent releases.
Scripting support in unattended installation
Years of AutoYaST experience have taught us that, no matter how flexible an installer is, users of unattended installations always want to go further. And embedding scripting capabilities into the installer configuration has turned out to be an awesome tool for that. So, similar to AutoYaST profiles, Agama configuration files now offer a "scripts" section. It makes it possible to run scripts both before and after the installation process and also on the first boot of the new system.
Below you can see a Jsonnet configuration file for Agama including scripts. Note it would also work with plain JSON but, since that format does not support multi-line strings, each script would need to be provided as a long string with "\n" marking the end of each line (not so nice for a blog post 😉).
{
  scripts: {
    pre: [
      {
        name: "activate-multipath",
        body: |||
          #!/usr/bin/bash
          systemctl start multipathd.socket multipathd.service
        |||
      }
    ],
    post: [
      {
        name: "enable-sshd",
        chroot: true,
        body: |||
          #!/usr/bin/bash
          systemctl enable sshd.service
        |||
      }
    ],
    init: [
      {
        name: "run-ansible",
        url: "https://192.168.1.1/provisioning.sh"
      }
    ]
  }
}
For more details see the scripts section of the Agama documentation site.
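A profile like this decides what code runs as part of the installation, so it is worth inventorying before it is used. The following is an added example, not part of Agama or of the original post: it takes the plain-JSON form of the profile above (constructed here), lists each script with its stage, and hashes inline bodies so a reviewed version can be pinned. The flag names are this example's own review policy, an assumption, not checks Agama performs.

```python
import hashlib
import json
from urllib.parse import urlsplit

# Constructed for this example: plain-JSON form of the Jsonnet profile above,
# with each script body as one string using "\n" line endings.
PROFILE_JSON = r"""
{
  "scripts": {
    "pre": [
      {"name": "activate-multipath",
       "body": "#!/usr/bin/bash\nsystemctl start multipathd.socket multipathd.service\n"}
    ],
    "post": [
      {"name": "enable-sshd", "chroot": true,
       "body": "#!/usr/bin/bash\nsystemctl enable sshd.service\n"}
    ],
    "init": [
      {"name": "run-ansible", "url": "https://192.168.1.1/provisioning.sh"}
    ]
  }
}
"""


def audit_scripts(profile):
    """List every script a profile would run, in file order.

    The flags are this example's own review policy (an assumption), not
    checks that Agama performs.
    """
    inventory = []
    for stage, entries in profile.get("scripts", {}).items():
        for entry in entries:
            item = {
                "stage": stage,
                "name": entry.get("name", "<unnamed>"),
                "chroot": bool(entry.get("chroot", False)),
                "source": None,
                "sha256": None,
                "flags": [],
            }
            if "body" in entry:
                # Inline script: its exact content is part of the profile,
                # so a digest identifies the reviewed version.
                item["source"] = "inline"
                digest = hashlib.sha256(entry["body"].encode("utf-8"))
                item["sha256"] = digest.hexdigest()
            elif "url" in entry:
                # Remote script: content is fetched later and is not covered
                # by a review of the profile itself.
                item["source"] = entry["url"]
                item["flags"].append("remote-content-not-in-profile")
                if urlsplit(entry["url"]).scheme.lower() != "https":
                    item["flags"].append("no-transport-security")
            else:
                item["flags"].append("no-body-or-url")
            inventory.append(item)
    return inventory


def load_and_audit(text):
    """Parse a JSON profile and return its script inventory."""
    return audit_scripts(json.loads(text))


if __name__ == "__main__":
    for item in load_and_audit(PROFILE_JSON):
        digest = (item["sha256"] or "-")[:16]
        print(item["stage"], item["name"], item["source"], digest,
              ",".join(item["flags"]) or "ok")
```

For the profile above, the only flagged entry is the init script: its content lives on the provisioning server, so whoever controls that server controls what runs on first boot.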
Storage management for unattended installation
The Agama configuration format offers a very convenient and powerful approach to configure the storage setup of the new system, way more consistent and concise than the corresponding <partitioning> section of the AutoYaST profile (which is still fully supported for migration purposes).
Agama 11 adds the possibility to define the physical volumes of an LVM volume group by simply specifying the disk (or disks) that will be used as a base for the LVM. Agama will take care of creating all the needed partitions, honoring any other aspect of the configuration in the process. Find a more detailed explanation with examples at the corresponding section of the Agama documentation.
On the other hand, now it is possible to specify TPM-based unlocking of the encrypted devices as part of the Agama storage configuration. Thus, users of unattended installation can also deploy fully encrypted systems based on TPMv2.
Automatic generation of documentation and shell completion
A comprehensive and up-to-date documentation is key for a project like Agama, especially for users of the command-line interface and the HTTP API. And the best way to ensure the documentation is always in sync with the current version of Agama is to generate it automagically from the source code.
In the case of the CLI, the manual pages, its Markdown variant and also the files needed for shell completion are all generated from sources. You can see the always current result of the Markdown version at the corresponding section of the Agama web page.
The HTTP API is also automatically documented via an OpenAPI specification. This will help anyone interested in integrating Agama into any solution or infrastructure or even in creating their own client application for Agama, especially taking into account that the Agama HTTP API is still not stable and changes on every release.
More changes under the hood
As you can imagine, the above list of features is far from representing everything that has changed from Agama 10. As usual, the new version also includes many bug fixes and small improvements. And we took the opportunity to update to the latest version of the three programming languages used in Agama, including all used libraries.
We also gave some love to the Agama Live ISO. On the one hand, we revisited the list of included drivers, resulting in a smaller image that actually supports more hardware setups. On the other hand we tried to switch the graphical stack from X11 to Wayland. Although we didn't succeed due to technical problems related to Firefox's kiosk mode, we will keep trying (of course, any help is welcome).
Another Agama change that may not be obvious to all users is the introduction of some changes to ease the creation of automated integration tests. That helps the openSUSE and SUSE QA teams in their invaluable effort to ensure a smoother experience for all users.
Just another step
We are already working on the next version of Agama and your feedback may be useful to decide in which aspects we should focus. So do not hesitate to give Agama a try using our latest Live ISO images and to report bugs through Bugzilla. You can also contact us at the Agama project at GitHub. Of course, if you prefer to chat, you can find us as always at our #yast channel at Libera.chat.
And don't forget to have a lot of fun!


Tumbleweed – Review of the week 2025/04
Dear Tumbleweed users and hackers,
This week was filled with snapshots – in just 7 days, we have published 8 snapshots; ok, there is just the coincidence that the snapshot that was in QA from Thursday to Friday finished much quicker this week than last week – so we ended up having the latest one already on the mirrors at the time of my writing. We have not (yet) invented the time compression machine to publish more snapshots in a week. But honestly, I also don’t think anybody would care for more snapshots. Let alone: the numbering scheme does not support more than one snapshot ‘built’ per day (in rare cases, QA can be speedy and we had seen 2 snapshots syncing out on the same day).
Now, the curious one doesn’t care about the number of snapshots, but rather what changes those snapshots contained. Here are the changes delivered in the snapshot 0116…0123:
- Gimp 3.0 RC2: we are aware of the rc state, and the fact that some plugins are not ported to gimp 3. But that finally allows us to eliminate Python 2 and allows you to test it to make it as good as possible for future Leap versions.
- gpg 2.5.3
- GNOME 47.3
- Samba 4.21.3
- SQLite 3.48.0
- util-linux 2.40.4
- Mozilla Firefox 134.0.1
- LLVM 19.1.7
- PHP 8.3.16
- RSync 3.4.1
- Coreutils 9.6
- Linux kernel 6.12.10 & 6.13.0
- libxml 2.13.5
That’s quite an impressive list for just one week. Let’s look into the future and see what is planned to come:
- Removal of nscd
- Mesa 24.3.4
- Wine 10.0
- Systemd 257
- Timezone 2025a: breaks test suite of PostgreSQL
- Removal of Python 2 – It was nice as long as it lasted, but now it’s over (and we’re amazed at how many wrong dependencies we detected just the last few days)
- RPM 4.20
- KDE Plasma 6.3: beta 2 is currently staged, but that’s merely to detect errors early and allow shipping swiftly after the release
- Change of default LSM from AppArmor to SELinux is progressing, status is tracked at https://bugzilla.opensuse.org/show_bug.cgi?id=1230118.