Aeon Desktop Introduces Comprehensive Full Disk Encryption
Full Disk Encryption is planned to be introduced in the forthcoming release candidate of the Aeon Desktop to enhance data security for its users. The feature is expected to be included in the upcoming Release Candidate 3 (RC3).
Full Disk Encryption is designed to protect data in cases of device loss, theft or unauthorized booting into an alternative operating system. Depending on the hardware configuration of a system, Aeon’s encryption will be set up in one of two modes: Default or Fallback.
Default Mode
The Default Mode is the preferred method of encryption provided the system has the required hardware. This mode utilizes the Trusted Platform Module (TPM) 2.0 chipset with PolicyAuthorizeNV support (TPM 2.0 version 1.38 or newer). In this mode, Aeon Desktop measures several aspects of the system’s integrity. These include:
- UEFI firmware
- Secure Boot state (enabled or disabled)
- Partition table
- Boot loader and drivers
- Kernel
- initrd (including kernel command line parameters)
These measurements are stored in the system’s TPM. During startup, the current state is compared with the stored measurements. If these match, the system boots normally. If discrepancies are found, users are prompted to enter a Recovery Key provided during installation. This safeguard ensures that unauthorized changes or tampering attempts are flagged.
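The following toy model illustrates the measured-boot check described above. It is an added example, not Aeon's, systemd's or any TPM vendor's code: each component is hashed into a PCR-style register with the TPM 2.0 extend rule, a volume key is "sealed" to the resulting register values at install time, and at boot the key is released only if the replayed measurements match; otherwise only the recovery key unlocks the volume. The PCR numbering and the component contents are assumptions for illustration.

```python
"""Toy model of the measured-boot check behind Aeon's Default Mode.
Added example, not Aeon's, systemd's or the TPM's code. Every boot component
is hashed into a PCR-style register with the TPM 2.0 extend rule
PCR' = SHA-256(PCR || SHA-256(component)); the volume key is released only if
the registers equal the values recorded at install time, otherwise the
recovery key is the only way in. The PCR numbering loosely follows the
UEFI/systemd convention and is an assumption for illustration only."""
import hashlib
import hmac
from typing import Dict, Optional

PCR_SIZE = 32  # SHA-256 bank

# Which register each measured component lands in (assumed mapping).
PCR_FOR = {
    "uefi_firmware": 0,
    "partition_table": 5,
    "bootloader_and_drivers": 4,
    "secure_boot_state": 7,
    "kernel": 11,
    "initrd": 11,
    "kernel_cmdline": 12,
}

# Constructed stand-ins for the real images; only their hashes matter here.
GOOD_BOOT: Dict[str, bytes] = {
    "uefi_firmware": b"vendor-firmware-2024.06",
    "partition_table": b"gpt:esp,root",
    "bootloader_and_drivers": b"systemd-boot+drivers",
    "secure_boot_state": b"SecureBoot=enabled",
    "kernel": b"vmlinuz-6.9.7",
    "initrd": b"initrd-6.9.7.img",
    "kernel_cmdline": b"root=UUID=<constructed> quiet",
}


def extend(pcr: bytes, component: bytes) -> bytes:
    """TPM extend: one-way and order-sensitive, so a register value can only be
    reproduced by measuring the same components in the same order."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()


def measure_boot(components: Dict[str, bytes]) -> Dict[int, bytes]:
    """Replay a boot: every register starts at zero and is extended in boot order."""
    pcrs = {idx: bytes(PCR_SIZE) for idx in set(PCR_FOR.values())}
    for name, data in components.items():
        pcrs[PCR_FOR[name]] = extend(pcrs[PCR_FOR[name]], data)
    return pcrs


def policy_digest(pcrs: Dict[int, bytes]) -> bytes:
    """Stand-in for a PCR policy: a digest over the selected register values."""
    h = hashlib.sha256()
    for idx in sorted(pcrs):
        h.update(bytes([idx]) + pcrs[idx])
    return h.digest()


class ToyTPM:
    """Holds sealed secrets and releases one only when the current PCR state
    matches the policy it was sealed under (a real TPM enforces this in hardware)."""

    def __init__(self) -> None:
        self._sealed: Dict[bytes, bytes] = {}

    def seal(self, secret: bytes, expected_pcrs: Dict[int, bytes]) -> bytes:
        policy = policy_digest(expected_pcrs)
        self._sealed[policy] = secret
        return policy

    def unseal(self, policy: bytes, current_pcrs: Dict[int, bytes]) -> Optional[bytes]:
        if not hmac.compare_digest(policy_digest(current_pcrs), policy):
            return None  # current state differs from enrolment: refuse
        return self._sealed.get(policy)


def install(tpm: ToyTPM, components: Dict[str, bytes],
            volume_key: bytes, recovery_key: bytes) -> Dict[str, bytes]:
    """Enrol the known-good boot state; only a hash of the recovery key is kept."""
    return {
        "policy": tpm.seal(volume_key, measure_boot(components)),
        "recovery_hash": hashlib.sha256(recovery_key).digest(),
    }


def boot(tpm: ToyTPM, enrolment: Dict[str, bytes], components: Dict[str, bytes],
         recovery_input: Optional[bytes] = None) -> str:
    """Outcome of a boot attempt against the enrolled state."""
    if tpm.unseal(enrolment["policy"], measure_boot(components)) is not None:
        return "unlocked-by-tpm"
    if recovery_input is not None and hmac.compare_digest(
            hashlib.sha256(recovery_input).digest(), enrolment["recovery_hash"]):
        return "unlocked-by-recovery-key"
    return "locked"


if __name__ == "__main__":
    tpm = ToyTPM()
    enrolment = install(tpm, GOOD_BOOT, b"volume-key", b"RECOVERY-KEY")
    print("unchanged boot :", boot(tpm, enrolment, GOOD_BOOT))
    edited = dict(GOOD_BOOT, kernel_cmdline=b"root=UUID=<constructed> quiet debug")
    print("edited cmdline :", boot(tpm, enrolment, edited))
    print("with recovery  :", boot(tpm, enrolment, edited, b"RECOVERY-KEY"))
```

Because extend is one-way and order-sensitive, a single changed byte in the kernel command line, a different initrd, or Secure Boot being switched off all produce a different register value, so the sealed key stays locked and the recovery key is required; that is the behaviour the Default Mode text describes.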
Fallback Mode
The Fallback Mode is employed when the necessary hardware for Default Mode is not detected. This mode requires users to enter a passphrase each time the system starts. While it does not check system integrity as comprehensively as Default Mode, Secure Boot is strongly recommended to ensure some level of security, confirming that the bootloader and kernel have not been tampered with.
Contrary to initial concerns, Default Mode is not less secure than Fallback Mode despite not requiring a passphrase at startup. The strong integrity checks in Default Mode protect against attacks that could bypass normal authentication methods. For example, it can detect changes to the kernel command line that could otherwise allow unauthorized access. Furthermore, it safeguards against modifications to initrd thereby preventing potential passphrase capture in Fallback Mode.
Secure Boot, while optional in Default Mode due to the comprehensive integrity checks, is critical in Fallback Mode to maintain system security. Disabling Secure Boot in Fallback Mode increases vulnerability to tampering and attacks aimed at capturing the passphrase.
Aeon’s implementation of Full Disk Encryption provides robust security options tailored to the capabilities of users’ hardware. By offering both Default and Fallback modes, Aeon ensures that all users can benefit from enhanced data protection.
The inclusion of this feature in RC3 marks a significant step forward in safeguarding user data against potential threats.
Aeon users are encouraged to read and bookmark the Aeon Encryption Guide.
My Pygtk App for Setting Time Zones
As I have been traveling a lot since joining SUSE, I noticed that when I get to a new place, it is annoying to change the timezone of my laptop. Apparently the location server that GNOME used to use for this has been taken down or something.
Anyway, I wrote my own app to make it easy to select the timezone. Here it is with all time zones listed:

You can also filter to find a specific tz:

I am thinking that next steps are to internationalize it, and also put it into a flatpak.
Code is here. I'll add a readme and license later.
Looking at Next Steps for Leap 16 Branding
Many thanks to all who participated in the Leap 16 branding workshop at the openSUSE Conference 2024. The enthusiasm and creativity is moving us forward to take the next steps with Leap 16 branding. Let’s develop some of these fantastic ideas further!
Below is a list of Leap 16 branding initiatives we aim to achieve:
1) Abstract Distribution Agnostic Wallpaper
We are looking for wallpaper designs that can be shared across any distribution. This could be a gradient, fractal or any other abstract design, which ideally incorporates the new logo. The goal is to create something visually appealing and universally adaptable as chameleons do.
2) Abstract Distribution Specific Wallpaper for Leap 16 and Tumbleweed
In addition to the agnostic wallpaper, we need specific designs for Leap 16 and Tumbleweed. These wallpapers should reflect the unique identity of each distribution while maintaining a cohesive visual theme. An adjustable design for other flavors like Slowroll, Kalpa, Aeon and others can be considered and proposed to those projects.
3) Day and Night Variant with Chameleon
We’re also seeking designs for a day and night variant featuring a beloved chameleon. These wallpapers should complement each other while representing the different times of the day in a creative and engaging way. Additionally, day/night variants for abstract designs could also be an option. While not necessary, if participants have good ideas, these will be considered further.

4) Photo Submissions of Our Mascot
We invite you to submit two photos related to our mascot, the chameleon, or anything that resembles it. The submitter must also be the photographer, that is, the person who took the picture with a camera. This is a great opportunity to showcase your photography skills and contribute to our branding efforts. Please note that AI-generated images are not eligible for submission; we want to see your original photographic work.
Call for Photo Competition!
We are thrilled to announce a photo competition. Please submit your pictures for a chance to be featured in branding materials. You can submit your photos through our GitHub issue tracker. We will use a thumbs up/down mechanism to select the best entries.
Submit photos here.
Submission Guidelines
You are welcome to participate on the wallpapers collection set in our branding repository.
Photos can be submitted here under issue 18.
Deadline and Requirements
The deadline for submissions is Nov. 1, 2024. Please ensure your entries meet the following requirements:
- Must be brand-related (chameleons, chameleon-like objects, etc.)
- High-resolution photographs only (4k or preferably 5k)
- Original work - submitted by the author of the photograph or with approval from the actual author
- Landscape orientation only
Please add a copy of your photos, including a description (where it was taken and what is in the picture), as comments into the issue. Include a link to a high-resolution variant.
We can’t wait to see your creative contributions and make Leap 16 an even more visually stunning experience for everyone in the openSUSE community!
(Image made with DALL-E)
Tumbleweed – Review of the weeks 2024/26 & 27
Dear Tumbleweed users and hackers,
My excuse to span two weeks in this report is quite simple: last week was the openSUSE Conference in Nuremberg and I spent my time talking to all the fun people from the community instead. And I am sure you are forgiving me for this. With the conference in full swing and weekends in between, it is quite amazing that the release Team (mostly Ana these days) still managed to produce and publish 12 snapshots (0620, 0621, 0622, 0624, 0625, 0627, 0628, 0629, 0701, 0702, 0703, and 0704).
The most relevant changes from these snapshots include:
- GDB 14.2
- MariaDB 11.4.2
- Mesa: work around broken graphics on ATI/AMD chipsets, Version 24.1.2
- Shadow 4.16.0
- Wayland 1.23.0
- KDE Plasma 6.1.0, 6.1.1 & 6.1.2
- GCC 14.1.1
- Qt 6.7.2
- Linux kernel 6.9.6 (fixing connection issues with iwlwifi) & 6.9.7
- NetworkManager 1.48.2
- ClamAV 1.3.1
- GNOME 46.3
- GStreamer 1.24.5
- Perl 5.40.0
- LLVM 18.1.8
- Poppler 24.07.0
- Qemu 9.0.1
- Systemd 255.8
- Cups 2.4.10
- Samba 4.20.2
- PyTest 8.2.2
- openssh fix against CVE-2024-6387, aka RegreSSHion
Quite an impressive list in just 2 weeks I’d say. At least in the northern hemisphere, the summer holiday is starting (including my own – so no reports from me for the next two weeks! Please follow the individual snapshot release announcements on the factory@lists.opensuse.org mailing list). With many people enjoying a break, we will likely see fewer requests going to Tumbleweed.
Looking at what is currently to be found in the staging area, we can predict those changes to happen in the next few days/weeks:
- Mesa 24.1.3
- Mozilla Firefox 127.0.2
- LibreOffice: fix excessive recommends on libreoffice-qt6
- Agama packages and installer to appear. Not yet QA’ed as part of the Tumbleweed release process, but feel free to test and play with it
- KDE Gear 24.05.2
- SELinux 3.7
- cmake 3.30.0
- transactional-update: enable soft reboot; see https://microos.opensuse.org/blog/2024-06-13-soft-reboot/
- dbus-broker: some networking issue after upgrades left to work out
- GCC 14: phase 2: use gcc14 as the default compiler – lots of help needed: https://build.opensuse.org/project/show/openSUSE:Factory:Staging:Gcc7
My First OpenSUSE Bug Report
One of the first contributions one can make to an Open Source community is a bug report. Effectively, except for one wifi issue on my Tumbleweed computer that seemed to go away on its own, I haven't actually run into many bugs.
However, when using my LEAP laptop, I was constantly driven to distraction by accidentally pasting when I was trying to click. What was happening was I would click the middle part of the bottom of my track pad, and that would trigger the "paste by middle click" "feature" in GNOME.
I was a bit surprised by the lack of configurability for the track pad, but I chalked that up to GNOME being GNOME. I tried to disable "tap to click" as a work around.
This didn't seem to work, so I decided to log a bug report:

Notice that bug report is set to RESOLVED. This is because the person investigating the issue pointed me to gnome-tweaks, which did have the kind of configurability I was expecting.

I ended up closing the bug report after leaving some comments about how I handled it.

All in all, I had a highly positive experience reporting the issue. I am not sure that I actually helped anyone so much as got tech support from the community, but I now have my first bug report under my belt!
Tumbleweed Monthly Update - June 2024
Welcome to the monthly update for openSUSE Tumbleweed for June 2024. This month was busy with events like the Community Summit in Berlin and the openSUSE Conference, but a number of snapshots continued to roll out to users. Developers, system administrators and users receive updates designed to enhance your experience and ensure high levels of security and performance.
Readers who want more frequent information about snapshot updates are encouraged to subscribe to the openSUSE Factory mailing list.
Let’s go!
New Features and Enhancements
- Linux Kernel 6.9.7: This kernel introduces several important fixes and enhancements across various subsystems. Key updates include addressing undefined references in netfilter when CONFIG_SYSCTL is disabled, correcting TCP Fast Open handling, and resolving a conflicting quirk in Advanced Linux Sound Architecture for Realtek devices. Improvements in file system writeback operations, multi-threaded path handling and memory management for Hisilicon crypto drivers enhance stability. Networking updates include fixes for race conditions in netpoll, enhancements for specific SFP modules, and improvements in WiFi drivers such as RTW89, Ath9k, Ath12k, and MT76. Additional platform-specific updates address issues in ACPI, ARM64 configurations, HID device handling, and Bluetooth driver fixes.
- PipeWire 1.2.0 and WirePlumber 0.5.4: PipeWire 1.2.0 introduces asynchronous processing, node.sync-group for synchronized scheduling, and improved config parsing error reporting. It also adds mandatory metadata support for buffer parameters, multiple data-loops with CPU affinity, and dynamic log level adjustments. Key fixes include RTP-SAP module enhancements, ROC 0.3 support, and improved Bluetooth BAP broadcast code parsing. WirePlumber 0.5.4 refines the role-based linking policy, allowing role-based sinks alongside standard audio operations and enabling regular filters to act as best targets. It addresses startup crashes due to empty config files, improves Bluetooth profile auto-switching, and fixes issues with DSP filters and infinite loop scenarios in autoswitching scripts. Together, these updates enhance the flexibility, reliability, and overall performance of audio management in Linux environments. Both also received updates in snapshot 20240627.
- Mesa and Mesa-drivers 24.1.2: Both packages underwent a specfile cleanup, involving the relocation of Rust crate sources into subprojects folders and updates to baselibs.conf. Due to the maintenance burden associated with Rust crates as system dependencies, these crates are now downloaded as vendored dependencies, as detailed in the README-suse-maintenance.md. The update adds support for building libvulkan_nouveau, including necessary Rust crates such as paste-1.0.14, proc-macro2-1.0.70, quote-1.0.33, syn-2.0.39, and unicode-ident-1.0.12. However, building libvulkan_nouveau on Leap is not possible due to the requirement for rust-cbindgen >= 0.25. For more details, refer to the release notes at https://docs.mesa3d.org/relnotes/24.1.2.
- KDE Plasma 6.1.1: Discover improves UI elements and Packagekit support, while Dr Konqi corrects the Sentry dbus interface usage. Plasma Addons addresses reference issues in Effects/cube, and krdp ensures version compatibility and resolves session controller bugs. Kscreenlocker improves greeter functionality, and KWin introduces multiple fixes for shaders, tiling, and input panels. Libkscreen and libplasma update protocol versions and fix plugin loading issues. Plasma Desktop enhances task icon sizing, panel opacity and file dragging across screens. Plasma Audio Volume Control removes unnecessary symlinks, and Plasma Systemmonitor correctly positions loading overlays. Powerdevil improves battery protection UI and limits backlighthelper calls.
- Python-setuptools 70.0: Key features in this new major version include emitting warnings for ignored [tools.setuptools] entries in pyproject.toml, improved error messaging for pkg_resources.EntryPoint.require and handling None location distributions more gracefully. The update also refreshes unpinned vendored dependencies, supports PEP 625 by standardizing package name and version in filenames and ensures encoding consistency for .pth files. Obsolete Python < 3.8 code has been removed, and pkg_resources now uses stdlib importlib.machinery. Bug fixes address race conditions in the install command, improve handling of nested namespaces with package_dir and correct various pkg_resources method behaviors. The patch for reproducibility has also been refreshed.
- Xen 4.18.2_06: This version resolves intermittent system hangs when Power Control Mode is set to Minimum Power. Patches also improve CPU mask handling and interrupt movement in various scenarios. Upstream bug fixes include improvements in scheduler resource data management and include fixes for building with GNU Compiler Collection 14.
Key Package Updates
- NetworkManager 1.48.2: This package updates support for matching OVS system interfaces by MAC address and fixes port reactivation and VPN secrets handling for 2-factor authentication. It saves connection timestamps during shutdown for proper autoactivation after restart. Key changes in 1.48.0 deprecate autotools building, add support for changing OpenSSL ciphers for 802.1X authentication, and set unmanaged device reasons in the StateReason property visible in nmcli. Additionally, it replaces the mac-address-blacklist property with mac-address-denylist, improves WiFi 6 GHz band detection and optimizes performance to avoid high CPU usage during route updates. The previous version, 1.46, brought dynamic SSID-based stable IDs, randomized MAC addresses and several enhancements for handling IPv6, D-Bus and cloud setup.
- ibus-table 1.17.6: This update drops Python2 support, transitioning all scripts to Python3 using pyupgrade. It now allows the use of keys with Unicode keysyms in keybindings, enhancing customization and flexibility. Additionally, the frames_per_buffer=chunk_size option is now used in self._paudio.open() for improved audio handling. The update also includes translation enhancements from Weblate, with Czech translations reaching 36.6 percent, Japanese at 45.3 percent, and Chinese (Simplified) at 92.0 percent.
- btrfsprogs 6.9: The mkfs utility now halts if the mount status cannot be determined when using the --force option and corrects the minimum size calculation for zoned devices. The check command removes the --clear-ino-cache option, shifting its functionality to the rescue command group, and adds detection and repair for incorrect file extent item ram_bytes values. The qgroup commands now sync the filesystem before searching for stale entries, handle uncleaned subvolumes and squota-enabled scenarios, and display the cleaning status of subvolumes. The receive command fixes stream parsing for strict alignment hosts, and the tune change-csum and dump-tree commands include updates for handling dev-replace status items. The convert command improves extent iteration for preallocated/unwritten extents. The build process now ensures compatibility with e2fsprogs 1.47.1 and improves header file dependency tracking. Documentation was also updated.
- GNU’s Emacs 29.4: An emergency bugfix took place in this release. In this update, arbitrary shell commands are no longer executed when enabling Org mode, significantly enhancing security by preventing the execution of potentially malicious commands.
Bug Fixes
- Python-dnspython 2.6.1:
  - CVE-2023-29483 - Eventlet before 0.35.2 in dnspython allows remote “TuDoor” DNS attack interference.
- php8 8.3.8:
  - CVE-2012-1823 involved a vulnerability where attackers could inject arguments into PHP-CGI, leading to potential security issues. The new vulnerability, CVE-2024-4577, was discovered to bypass this original fix, allowing the same or similar types of argument injection attacks. The update ensures that this bypass is no longer possible, reinforcing the security measures originally put in place for CVE-2012-1823.
  - Similarly, the fix for CVE-2024-5585 closes a bypass of the earlier fix for CVE-2024-1874.
- kernel-firmware-nvidia-gspx-G06 (NVIDIA GPU driver):
  - CVE-2024-0090 was a vulnerability where a user can cause an out-of-bounds write.
  - CVE-2024-0091 was a vulnerability where a user can cause an untrusted pointer dereference. A successful exploit of this vulnerability might lead to denial of service.
  - CVE-2024-0092 was a vulnerability where an improper check or improper handling of exception conditions might lead to denial of service.
- XZ 5.6.2:
  - CVE-2024-3094 - Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library. More details in snapshot 20240605.
- cJSON v1.7.17:
  - CVE-2024-31755 - A segmentation violation that can be triggered through the second parameter.
Conclusion
The month of June 2024 saw a range of significant updates, security fixes and enhancements. The Linux Kernel 6.9.7 update improved stability and performance. Mesa and Mesa-drivers 24.1.2 introduced Rust crate dependencies and improved Vulkan support. KDE Plasma 6.1.1 brought UI improvements and a major version of Python-setuptools 70.0 arrived for rolling release users. A few critical security vulnerabilities were taken care of and fixes related to the XZ backdoor continued, so that Tumbleweed remains secure, efficient and feature-rich for all users.
For those Tumbleweed users who want to contribute or want to engage with detailed technological discussions, subscribe to the openSUSE Factory mailing list. The openSUSE team encourages users to continue participating through bug reports, feature suggestions and discussions.
Contributing to openSUSE Tumbleweed
Your contributions and feedback make openSUSE Tumbleweed better with every update. Whether reporting bugs, suggesting features, or participating in community discussions, your involvement is highly valued.
(Image made with DALL-E)
Slowroll Set for a Quarter of Updates
Slowroll, which has a more modest update cadence than Tumbleweed, is gaining acceptance as a balance between the rapid updates of Tumbleweed’s rolling releases and the traditional Leap release.
Slowroll is nearly ready for full deployment and the development team has been working diligently to prepare the next version bump, with planned updates scheduled for July 9, August 9 and Sept. 9. These updates are expected to maintain a consistent monthly cadence to ensure users have timely and stable updates.
One of the critical updates pulled in will include the latest OpenSSH CVE fixes, which have already been made available in Tumbleweed. This fix enhances the security of Slowroll and ensures that it remains a robust and reliable distribution for users.
Highlighted Features of Slowroll
Balanced Update Cadence: Slowroll offers a monthly rolling update cycle that provides users with the latest features and security updates while ensuring stability through extensive testing and validation.
Beta Phase: Slowroll is now in the Beta phase, indicating its near readiness for full deployment. Users can expect a reliable experience with continuous improvements.
Continuous Improvement: The distribution integrates big updates approximately every month, alongside continuous bug fixes and security patches, ensuring a secure and up-to-date system.
Statistics and Status
According to the latest statistics available on the Slowroll Stats page:
- Tumbleweed had 2813 updated packages since the last version bump
- Slowroll received 1316 updates from 871 different packages and only 339 updated rpms are Slowroll-specific builds
Origins and Purpose
Slowroll, introduced in 2023, was designed as an experimental distribution. Its primary goal is to offer a slower rolling release compared to Tumbleweed, thus enhancing stability without compromising on access to new features. The distribution continuously evolves with big updates integrated approximately every month, supported by regular bug fixes and security updates.
It’s crucial to understand that Slowroll is not intended to replace Leap. Instead, it provides an alternative for users who desire more up-to-date software at a slower pace than Tumbleweed but faster than Leap.
If you try Slowroll, have a lot of fun - rolling… slowly!
(Image made with DALL-E)
More Rampaging
So, Dirk Muller mentioned that I probably had a lot of orphaned packages, and he told me how to check for that:
> sudo zypper packages --orphaned
[sudo] password for root:
Loading repository data...
Reading installed packages...
S | Repository | Name | Version | Arch
---+------------+---------------------------------------------+------------------------+-------
i+ | @System | libavif13 | 0.9.3-150400.3.3.1 | x86_64
i+ | @System | libcamel-1_2-63 | 3.42.5-150400.3.7.2 | x86_64
i+ | @System | libcpupower0 | 5.14-150500.9.3.1 | x86_64
i+ | @System | libdleyna-core-1_0-5 | 0.7.0-150400.1.6 | x86_64
i+ | @System | libebackend-1_2-10 | 3.42.5-150400.3.7.2 | x86_64
i+ | @System | libebook-1_2-20 | 3.42.5-150400.3.7.2 | x86_64
i+ | @System | libebook-contacts-1_2-3 | 3.42.5-150400.3.7.2 | x86_64
i+ | @System | libecal-2_0-1 | 3.42.5-150400.3.7.2 | x86_64
i+ | @System | libedata-book-1_2-26 | 3.42.5-150400.3.7.2 | x86_64
i+ | @System | libedata-cal-2_0-1 | 3.42.5-150400.3.7.2 | x86_64
i+ | @System | libedataserver-1_2-26 | 3.42.5-150400.3.7.2 | x86_64
i+ | @System | libedataserverui-1_2-3 | 3.42.5-150400.3.7.2 | x86_64
i+ | @System | libgupnp-1_2-1 | 1.4.3-150400.1.6 | x86_64
i+ | @System | libgupnp-av-1_0-2 | 0.12.11-1.56 | x86_64
i+ | @System | libgupnp-igd-1_0-4 | 1.2.0-150400.1.10 | x86_64
i+ | @System | libmalcontent-ui-0-0 | 0.10.3-150400.1.9 | x86_64
i+ | @System | libpoppler126 | 23.01.0-150500.3.8.1 | x86_64
i+ | @System | libportal0 | 0.4-150400.1.9 | x86_64
i+ | @System | libprocps7 | 3.3.15-150000.7.34.1 | x86_64
i+ | @System | librav1e0 | 0.5.1+0-150400.1.10 | x86_64
i+ | @System | libsrt1 | 1.3.4-1.45 | x86_64
i+ | @System | libwireplumber-0_4-0 | 0.4.13-150500.3.2.1 | x86_64
i+ | @System | lifecycle-data-sle-module-development-tools | 1-150200.3.27.1 | noarch
i+ | @System | python2-cairo | 1.15.1-150000.3.6.1 | x86_64
i+ | @System | slack | 4.35.131-0.1.el8 | x86_64
i+ | @System | zoom
Naturally I understood why slack and zoom were there (though I do intend to switch to using Flatpaks for those (more on that later)). But the others, I had no idea where they came from.
Dirk told me that there are tools to help with this, specifically "weakremover." And that a zypper du should remove all "weakobsoletes." Well, I tried, and it didn't work. It turns out that there is a 15.6 specific bug related to weakremover, so that's why it didn't work.
Meanwhile, he said that I could check each package and see if it has dependencies with rpm -e --test {package_name}. That snake cased "package_name" is foreshadowing about what came next.
I ended up writing a Python script that ran these commands for me, and if there were no dependencies, it would go ahead and call zypper remove {package_name}. When I first ran a test script, the script found that many packages DID have dependencies. But when I ran the script with actually removing the packages, they all got removed! I can only hope that the script encountered the dependent packages and removed them first, and I haven't deleted something important in my system.
For now everything still seems to work, but I also haven't done a reboot yet :)
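Here is one way to script the procedure described above. It is an added example, not the post author's script: it parses the table printed by zypper packages --orphaned, asks rpm -e --test whether the orphans can go, and hands the removable ones to zypper remove, which stays a --dry-run unless --really is given. The sample table below is constructed, and the --keep= and --really flags are this script's own.

```python
"""Dependency-aware cleanup of orphaned packages on a zypper system.
Added example, not the post author's script. Parsing and planning are pure
functions exercised on a constructed sample; the real commands only run when
the file is executed as a script (as root), and removal stays a zypper
--dry-run unless --really is given."""
import subprocess
import sys
from typing import Callable, Dict, Iterable, List

# Constructed sample in the shape of `zypper packages --orphaned` output.
SAMPLE_OUTPUT = """\
Loading repository data...
Reading installed packages...
S  | Repository | Name      | Version                | Arch
---+------------+-----------+------------------------+-------
i+ | @System    | libavif13 | 0.9.3-150400.3.3.1     | x86_64
i+ | @System    | slack     | 4.35.131-0.1.el8       | x86_64
i+ | @System    | zoom      | 5.17.1.1840_openSUSE-1 | x86_64
"""


def parse_orphaned(output: str) -> List[str]:
    """Return package names from zypper's table, skipping header and ruler lines."""
    names = []
    for line in output.splitlines():
        cols = [c.strip() for c in line.split("|")]
        if len(cols) >= 3 and cols[0].startswith("i") and cols[1] == "@System":
            names.append(cols[2])
    return names


def rpm_can_remove(pkgs: Iterable[str]) -> bool:
    """`rpm -e --test` exits non-zero (listing 'Failed dependencies') if removing
    the given set together would break something that stays installed."""
    result = subprocess.run(["rpm", "-e", "--test", *pkgs],
                            capture_output=True, text=True)
    return result.returncode == 0


def plan(names: List[str], can_remove: Callable[[Iterable[str]], bool],
         keep: Iterable[str] = ()) -> Dict[str, List[str]]:
    """Split orphans into removable / has-dependents / kept. The candidates are
    tested as one set first, so orphans that only depend on each other (which
    fail a one-by-one test) are still recognised as removable together."""
    keep_set = set(keep)
    kept = [n for n in names if n in keep_set]
    candidates = [n for n in names if n not in keep_set]
    if candidates and can_remove(candidates):
        return {"removable": candidates, "has_dependents": [], "kept": kept}
    removable: List[str] = []
    blocked: List[str] = []
    for n in candidates:
        (removable if can_remove([n]) else blocked).append(n)
    return {"removable": removable, "has_dependents": blocked, "kept": kept}


def main(argv: List[str]) -> int:
    really = "--really" in argv
    keep = [a.split("=", 1)[1] for a in argv if a.startswith("--keep=")]
    listing = subprocess.run(["zypper", "packages", "--orphaned"],
                             capture_output=True, text=True, check=True).stdout
    p = plan(parse_orphaned(listing), rpm_can_remove, keep)
    for label in ("kept", "has_dependents", "removable"):
        print(f"{label}: {' '.join(p[label]) or '-'}")
    if not p["removable"]:
        return 0
    cmd = ["zypper", "--non-interactive", "remove"]
    if not really:
        cmd.append("--dry-run")  # shows the whole transaction, dependents included
    return subprocess.run(cmd + p["removable"]).returncode


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it as root with --keep=slack --keep=zoom to leave the vendor packages alone; the dry run prints the complete set zypper would remove, which is the place to look before adding --really, since zypper resolves dependents into the same transaction rather than refusing.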
Anyway, no more unaccounted for orphans:
> sudo zypper packages --orphaned
Loading repository data...
Reading installed packages...
S | Repository | Name | Version | Arch
---+------------+-------+------------------------+-------
i+ | @System | slack | 4.35.131-0.1.el8 | x86_64
i+ | @System | zoom | 5.17.1.1840_openSUSE-1 | x86_64