The openSUSE community wants to make the project’s conference in Nuremberg smooth, welcoming and beneficial to attendees. We’re calling on you to get involved!

Whether you’re a longtime contributor or a new face looking to get more involved, there are several ways you can support the conference and ensure everyone has a good time.

We Need Volunteers for:

🟢 Registration Booth / Welcome Desk

Be the first friendly face attendees see! Help us greet participants, hand out badges and swag, and answer basic questions about the venue and schedule.

🟢 Timekeeping During Talks

Help keep our sessions running on time by signaling to speakers when they’re approaching the end of their allotted time. This simple task helps ensure everyone gets a fair and punctual presentation slot.

🟢 Shop Assistance

We’ll have a shop set up at the venue with openSUSE merchandise available for purchase. Volunteers will help the booth lead organize inventory and assist with transactions.

🟢 Video Team Support

The video team could use extra hands with camera setup on June 25 and session recordings through the conference as well as stream monitoring. No prior experience required; just a willingness to help and learn.

Those who are interested should email ddemaio@opensuse.org with the subject header oSC25 Help.

Spreading Awareness – Celebrating 20 Years of openSUSE

This year marks 20 years of openSUSE, and we’re working on a special video project to honor the people and stories behind the project. As part of this, we’re running a campaign at the conference to highlight how individuals contribute to openSUSE. Whether it’s packaging, translation, infrastructure, design, community organizing, release management or documentation, we would like for you to spend a few minutes on camera.

If you’d like to help capture these stories or support the video team’s work to showcase them, we’d love to hear from you. Send an email to ddemaio@opensuse.org with the subject header openSUSE 20 Year!

How to Volunteer

If you’re attending the conference and would like to get involved in any of the roles above, please register here and send a message to the email above. Let’s make openSUSE Conference 2025 one to remember.

Table of Contents

• 1) Introduction
• 2) Overview of Kea Design
• 3) Security Issues
  • 3.1) Local Privilege Escalation by Injecting a Hook Library via the set-config Command (CVE-2025-32801)
  • 3.2) Arbitrary File Overwrite via config-write Command (CVE-2025-32802)
  • 3.3) Redirection of Log Files to Arbitrary Paths (shared CVE with 3.2)
  • 3.4) Service Spoofing with Sockets in /tmp (shared CVE with 3.2)
  • 3.5) Denial-of-Service issues with Sockets in /tmp (shared CVE with 3.2)
  • 3.6) World-Readable DHCP Lease Files in /var/lib/kea/*.cvs (CVE-2025-32803)
  • 3.7) World-Readable Kea Log Files (shared CVE with 3.6)
• 4) Hardening Suggestions
  • 4.1) Possible Timing Attack against the HTTP Basic Auth Implementation
  • 4.2) API Credentials Leak via ‘get-config’ Command
• 5) Bugfixes
• 6) Affectedness of Kea Configurations on Common Linux and UNIX Systems
  • 6.1) Arch Linux
  • 6.2) Debian Linux
  • 6.3) Ubuntu Linux
  • 6.4) Fedora Linux
  • 6.5) Gentoo Linux
  • 6.6) openSUSE Tumbleweed
  • 6.7) FreeBSD
  • 6.8) NetBSD (pkgsrc binary)
  • 6.9) OpenBSD
• 7) CVE Assignments
• Timeline
• Change History
• References

1) Introduction

The Kea DHCP distribution is the next generation DHCP server suite offered by the Internet Systems Consortium (ISC). It replaces the traditional ISC DHCP software which has reached its end of life.

Since SUSE is also going to ship Kea DHCP in its products, we performed a routine review of its code base. Even before checking the network security of Kea, we stumbled over a range of local security issues, among them a local root exploit which is possible in many default installations of Kea on Linux and BSD distributions. This, as well as some other issues and security recommendations for Kea follow below in a detailed report.

This report is based on Kea release 2.6.1. Any source code references in this report relate to this version. Many systems still ship older releases of Kea, but we believe they are all affected as well by the issues described in this report.

In the next section an overview of the Kea design, as far as it is relevant for the issues in this report, is provided. In section 3) the security issues we found will be discussed in detail. In section 4) further hardening suggestions are provided. In section 5) the upstream bugfixes for the issues are discussed. In section 6) the packaging properties and affectedness of Kea in widespread Linux and UNIX systems are documented. Finally in section 7) an overview of the CVE assignments is given.

2) Overview of Kea Design

This section provides a short overview of the involved components, to allow readers that are unfamiliar with Kea to better understand the rest of this report.

Kea offers three separate services for dhcp4, dhcp6 and dhcp-ddns. A kea-ctrl-agent is active by default in most Kea installations and offers an HTTP REST API listening on localhost:8000. This REST API is based on JSON requests that are either processed by kea-ctrl-agent itself or forwarded to one of the Kea services it controls. To allow forwarding, each Kea service listens on a UNIX domain socket that is only accessible to kea-ctrl-agent.

In most installations, the REST API is by default accessible to all users in the system without authentication. Many installations run the Kea services with full root privileges. On Linux systems that use a dedicated service user account instead, the Linux capability CAP_NET_BIND_SERVICE is assigned to all of the Kea services. The dhcp4 service additionally needs CAP_NET_RAW to function.

The default configuration and the packaging of Kea are important aspects to judge the exploitability of the issues described in this report. In some sense, the issues could be considered vendor-specific problems and not upstream issues (some ISC engineers argued in this direction when we first reported these issues). The number of affected Kea packages and the fact that the default configuration installed by the Kea build system also enables an unauthenticated REST API make these seem like overarching upstream issues to us, however.

3) Security Issues

3.1) Local Privilege Escalation by Injecting a Hook Library via the set-config Command (CVE-2025-32801)

The set-config REST API command allows to completely control the configuration of kea-ctrl-agent itself, as well as of the individual Kea services. A trivial local privilege escalation is possible by configuring a hook library under control of an unprivileged user. The following example uses the curl utility to perform the exploit.

someuser$ curl -X POST -H "Content-Type: application/json" \
    -d '{ "command": "config-set", "arguments":
          { "Control-agent": {"hooks-libraries": [{"library": "/home/someuser/libexploit.so"}] }}}' \
    localhost:8000

By placing a constructor function into libexploit.so, attacker controlled code will be executed by kea-ctrl-agent upon dlopen() of the library. The impact is arbitrary code execution with full root privileges on installations that run Kea services as root. On systems that use a dedicated service user for Kea, the impact will be full control over the Kea processes and also escalated networking privileges.

Hook libraries can be configured for any of the other Kea services as well, thus code execution can be achieved in the context of each of the Kea daemons this way.

We offer a simple Python script kea-hook-lib-exploit.py for download which can be used to reproduce the issue.

3.2) Arbitrary File Overwrite via config-write Command (CVE-2025-32802)

The config-write REST API command instructs a Kea service to write out its configuration to an arbitrary file path:

curl -X POST -H "Content-Type: application/json" \
    -d '{ "command": "config-write", "arguments": { "filename": "/etc/evil.conf" } }' \
    localhost:8000

The file write happens via a regular C++ std::ofstream with trunc setting, i.e. the target file will be truncated and overwritten if it already exists. The configuration content that is written to disk can as well be controlled by the attacker, but the JSON format and configuration sanity checks that are enforced by Kea restrict the degree of freedom of what will eventually be written out.

If the Kea services run with full root privileges, then this is a local denial-of-service bordering on a local root exploit. By embedding shell code, a crafted JSON configuration written e.g. to a file in /etc/profile.d could trigger a local root exploit upon root logging in, for example.

If the Kea services are running as dedicated service users, then this attack vector can be used to corrupt Kea-owned configuration, log and state files, thus resulting in integrity violation and denial-of-service limited to the scope of the Kea services.

3.3) Redirection of Log Files to Arbitrary Paths (shared CVE with 3.2)

This is similar to issue 3.2): an arbitrary new logfile path can be configured to be used by Kea services. This is an example JSON configuration that demonstrates the problem:

{
    "command": "config-set",
        "arguments": {
             "Control-agent": {
                 "loggers": [{
                     "name": "kea-ctrl-agent",
                     "output-options": [{
                         "output": "/root/bad.log"
                     }],
                     "severity": "DEBUG"
                 }]
             }
         }
     }
}

This configuration causes kea-ctrl-agent to create the file /root/bad.log and also to change logging severity to DEBUG, potentially exposing sensitive internal program state. Also a lock file will be created in /root/bad.log.lock.

This attack vector poses another local denial-of-service vulnerability bordering on a local root exploit, similar to what is outlined in section 3.2).

3.4) Service Spoofing with Sockets in /tmp (shared CVE with 3.2)

For the purposes of forwarding a REST API request to one of the Kea services, kea-ctrl-agent attempts to connect to the service’s UNIX domain socket. If a legit Kea admin tries to send a command to a Kea service that is not currently running, like the kea-dhcp-ddns service (which isn’t configured by default on most distributions), then the admin can fall victim to a local service spoofing attack.

Whether this is possible depends upon the directory into which the UNIX domain sockets are placed. Many distributions use the public /tmp directory for this. In this case an unprivileged local user can create the UNIX domain socket in question on its own, for example in /tmp/kea-ddns-ctrl-socket. If this succeeds, then API requests will be forwarded to a spoofed service that can respond with a crafted reply. With this a local attacker can attempt to trick the admin into performing dangerous actions, or might be able to intercept sensitive data contained in the request forwarded to the spoofed service.

We reproduced this attack vector for example on Fedora 41 as follows:

curl -X POST -H "Content-Type: application/json" \
    -d '{ "command": "config-get", "service": [ "d2" ], "arguments": { "secret": "data" } }' \
    localhost:8000

The d2 service socket is configured by default in kea-ctrl-agent and refers to the kea-dhcp-ddns service. When running strace on kea-ctrl-agent then the following connect() attempt is observed during this request:

connect(18, {sa_family=AF_UNIX, sun_path="/tmp/kea-ddns-ctrl-socket"}, 27) = -1 ENOENT (No such file or directory)

A local unprivileged user can bind a UNIX domain socket in /tmp/kea-ddns-ctrl-socket to intercept any such requests.

This attack type also affects Kea services that are configured but not yet running, e.g. before the Kea service unit or init script is started, or when Kea services are restarted. Upon startup each service will attempt to unlink() the UNIX domain socket path before binding to it, but this is subject to a race condition that unprivileged users can win by rebinding a socket in this location before the legit service has a chance to do so. The legit service will then fail to start, while the unprivileged user will be able to intercept REST API requests that are forwarded to the spoofed service by kea-ctrl-agent.

3.5) Denial-of-Service issues with Sockets in /tmp (shared CVE with 3.2)

The use of the /tmp directory for the Kea service sockets is generally problematic. The Kea services create lock files in the socket directory that are derived from the socket names. Any local user can pre-create either the UNIX domain sockets or the associated lock files to prevent Kea services from starting.

3.6) World-Readable DHCP Lease Files in /var/lib/kea/*.cvs (CVE-2025-32803)

Many of the distributions we checked grant read access to the state data of the default Kea in-memory database, which is in most cases found in /var/lib/kea. This means all local users will be able to access this information and thereby this poses a local information leak. Whether DHCP leases are private data is debatable. More sensitive data might be stored in these files (in a future implementation), however.

We don’t recommend to allow general read access to this data. We originally only reported this as a hardening recommendation, but upstream decided to assign a CVE for it anyway.

3.7) World-Readable Kea Log Files (shared CVE with 3.6)

On most systems we checked, the Kea log files found in /var/log/kea or /var/log/kea*.log are world-readable. As a hardening measure we recommend to restrict access to this data.

We originally only reported this as a hardening recommendation, but upstream decided to assign a CVE for it anyway.

4) Hardening Suggestions

This section contains further hardening suggestions about issues that we don’t consider high severity at the moment.

4.1) Possible Timing Attack against the HTTP Basic Auth Implementation

kea-ctrl-agent uses the HTTP Basic Auth mechanism to implement authentication on the REST API interface. In this scheme the string "<username>:<password>" is base64 encoded and placed into an "Authorization:" HTTP header.

The verification of these credentials happens in BasicHttpAuthConfig::checkAuth(). The code maintains a std::unordered_map<std::string, std::string>, where the keys consist of the base64 encoded "<username>:<password>" combinations found in the Kea configuration. The values are the cleartext usernames that can be authenticated with the credentials found in the key.

In basic_auth_config.cc:365 the credentials provided by the REST API client are looked up directly in this map data structure to verify them. The verification of cleartext passwords can suffer from timing attack weaknesses when the passwords are compared using optimized string comparison routines. Attackers can perform statistical analysis of the time required by a service to report an authentication failure to construct, little by little, a valid user/password combination.

In the case of kea-ctrl-agent it isn’t plaintext passwords that are compared, but the base64 encoded "<username>:<password>" strings. This adds a bit of complexity but does not prevent a timing attack from succeeding. A bigger hurdle is the use of the std::unordered_map, however, which uses a hash function to lookup elements in the map. When using the gcc compiler suite and the libstdc++ standard library, then the default hash function used for std::string is MurmurHash2 with a static seed. While the hash lookup complicates a possible timing attack, it is still a deterministic algorithm and an attacker might be able to choose input values in a way that causes kea-ctrl-agent to produce hash values for the hash map lookup that are suitable for a timing attack.

To be on the safe side we suggest to supply a custom KeyEqual template parameter to the std::unordered_map. This key comparison function should implement a constant-time comparison of the input data to avoid any observable timing differences.

Since the complexity of such a timing attack, given the circumstances, will be very high, we don’t see this as a relevant security issue at the moment. A dedicated attacker might be willing to make an attempt at this and succeed, however.

4.2) API Credentials Leak via ‘get-config’ Command

When API authorization is enabled in the REST API, then the configuration potentially contains cleartext user names and passwords that can be used for authentication. A user that already has a valid set of credentials can discover the credentials of other users by retrieving the configuration via the API, even if the configuration file would otherwise not be world-readable in the system.

This means that any user with valid credentials can impersonate any other user. This can also be problematic when the credentials of a user are revoked at some point. By storing the credentials of other users, such a user could still access the API even after being denied access to Kea. Another issue could be that users might be reusing the same credentials for other, unrelated services.

Cleartext credentials should never be exposed on the API level, except maybe if the client is root anyway. Even then it could be a source of information leaks, for example if an admin shares a Kea configuration dump (e.g. for debugging purposes), unaware of the fact that cleartext credentials are contained in the data.

Users of Kea can circumvent this problem by avoiding storing cleartext credentials in the Kea configuration and instead referring to credential files on disk that are only accessible to privileged users.

5) Bugfixes

In our initial report we suggested to upstream to restrict paths from where hook libraries are loaded (issue 3.1) and also paths where configuration and log files are written to (issues 3.2, 3.3). It is obvious, however, that the unauthenticated REST API is problematic beyond the concrete exploit scenarios we explored. Arbitrary users in the system should not be able to fully control Kea’s configuration, for example. Thus we advised to enforce authentication on REST API level by default.

To fix the issues described in this report, upstream published bugfix releases for all currently supported versions of Kea:

• Release 2.4.2
• Release 2.6.3
• Release 2.7.9

We looked into release 2.6.3 and believe the bugfixes are thorough. As is also documented in the upstream release notes, the following changes have been introduced:

• For many operations only safe directories are allowed for reading from or writing to. Among others this covers the following aspects:
  • Hook libraries can only be loaded from a trusted system directory (addresses issue 3.1).
  • Configuration files can only be written to the trusted system configuration directory (addresses issue 3.2).
  • Logfiles can only be written to the log directory determined during build time (addresses issue 3.3).
• The default configuration files installed by Kea now enforce authentication of the REST API.
• The log, state and socket directories are now installed without the world readable / world writable bits set (addresses issues 3.5, 3.6, 3.7).
• Sockets are now placed under /var/run/kea by default. This directory must not be world-writable (addresses issue 3.5).
• The documentation and example files have been updated to avoid issues like discussed in this report.

The hardenings for the issues described in section 4) are not yet available, but upstream intends to address them in the near future.

6) Affectedness of Kea Configurations on Common Linux and UNIX Systems

Kea is a cross-platform project that also targets traditional UNIX systems, which might be the reason why there are no well established standards for the packaging of Kea. Every distribution integrates Kea in its own way, leading to a complex variety of outcomes with regards to affectedness. The defaults and the resulting affectedness on a range of current well-known Linux and BSD systems are documented in detail in this section.

All systems we looked at have been updated to the most recent package versions on 2025-05-23.

6.1) Arch Linux

Arch Linux is affected by all the issues.

6.2) Debian Linux

When we first discovered these issues we looked into Debian 12.10. Meanwhile Debian 12.11 has been released. The situation seems to be the same in both versions, however.

No local root exploit is possible here, because the services run as non-root. Debian also applies an AppArmor profile to Kea services. This makes the hook library injection (3.1) difficult. For the injection to succeed, a directory would be needed that can be written to by the attacker and from where the Kea service is allowed to read and map a library. This seems not possible in the current AppArmor profile used for Kea. Due to this, Debian is not affected by 3.1) at all.

3.2) and 3.3) only affect files owned by _kea and that are allowed to be written to according to AppArmor configuration. This still allows to corrupt the log, lock and state files owned by _kea.

The only information leak is found in the state directory (3.6); logs are protected.

AppArmor Security

We checked more closely if there is a loophole in the Kea AppArmor profiles to make arbitrary code execution (3.1) possible after all. The profiles for the dhcp4, dhcp6 and ddns Kea services allow reading and mapping of files found in /home/*/.Private/**, with the restriction that the files must be owned by _kea. An attacker with a home directory can place an injection library in its $HOME/.Private/libexploit.so. Only the ownership of the file is preventing the exploit from succeeding.

By leveraging issue 3.2), the Kea services can be instructed to create _kea owned files in the attacker’s $HOME/.Private. The content of the created files is not fully attacker controlled, however, so it will not be possible to craft a valid ELF object for loading via dlopen() this way. By placing a setgid-directory in $HOME/.Private/evil-dir, any files created in this directory will even have the group-ownership of the attacker. The file mode will be 0644, however, so the attacker is still not able to write to the file. Our research shows that there is only a very thin line of defense left against this arbitrary code execution in _kea:_kea context on Debian, but it seems to hold.

Update

Jakub Wilk shared a working attack vector on the oss-security mailing list which makes it possible to overcome the AppArmor restrictions after all. To allow code execution, a default ACL (access control list) entry can be assigned to $HOME/.Private:

$ setfacl -d -m u:$LOGNAME:rwx ~/.Private/

The mode of newly created files in this directory will be the bitwise AND between the default ACL setting and the mode parameter used by the program that creates the file (the process’s umask is not used in this case). When observed with strace, the creation of configuration files by Kea looks like this:

openat(AT_FDCWD, "/home/<user>/.Private/libexploit.so", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 14

As a result, the libexploit.so created by Kea will end up with a mode of 0666. The executable bits will be missing, but Linux allows to mmap() executable code from the file even if it doesn’t have executable bits assigned. This is enough for the dlopen() within Kea to succeed and for arbitrary code to be executed. Actual library code can simply be redirected into a libexploit.so that was previously created by Kea:

$ cat /path/to/librealexploit.so >~/.Private/libexploit.so

The exploit code will still be restricted by the AppArmor profiles applied to the Kea processes. This means that e.g. only files allowed to be written to by the AppArmor profiles can be modified. This still makes it possible to control all Kea state on disk.

6.3) Ubuntu Linux

Ubuntu is mostly equivalent to the situation on Debian Linux with one major difference: REST API access authentication is enforced either by configuring a custom “user:password” pair, or by generating a random password. If no password is configured, kea-ctrl-agent will not start.

Due to this, Ubuntu is not affected by 3.1 and 3.2 at all. Only the information leak in the state directory (3.6) exists.

6.4) Fedora Linux

When we first discovered these issues we looked into Fedora 41. Meanwhile Fedora 42 has been released. There are some changes found in Fedora 42, most notably a safer mode for /var/log/kea.

No local root exploit is possible on Fedora, because the services run as non-root.

Items 3.1 and 3.2 only affect Kea integrity and escalation of the CAP_NET_RAW and CAP_NET_BIND_SERVICE capabilities. There is no SELinux policy in effect for Kea, thus there are no additional protection layers present that would prevent arbitrary code execution in the context of kea:kea (3.1).

Fedora is affected by 3.3, 3.4 and 3.5 within the constraints of the kea:kea credentials. On Fedora 41 there exists an information leak in the log directory (3.7). The state directory is safe on both Fedora versions.

6.5) Gentoo Linux

On Gentoo Linux Kea is only available as an unstable ~amd64 ebuild. It seems still incomplete, because the default configuration is broken (wrong paths) and the services won’t start. Also the kea-ctrl-agent is not part of the default configuration.

The directory permissions are inconsistent with the root:root credentials the Kea services are running with. This creates opportunities for a compromised dhcp user/group to stage symlink attacks in /run/kea, for example.

There are no information leaks and the /tmp directory is not used for sockets. Since the agent is not configured by default at all, we consider that Gentoo is not affected by any of the issues.

When kea-ctrl-agent is actively added to the mix and authorization is not enabled on the REST API, then Gentoo would be affected by issues 3.1, 3.2 and 3.3.

6.6) openSUSE Tumbleweed

When we first discovered these issues, openSUSE Tumbleweed was fully affected by all of them. We asked our Kea maintainer to harden the packaging already before the publication of these issues, which was possible without disclosing any information about the vulnerabilities. In the current packaging on openSUSE Tumbleweed Kea no longer runs as root and the systemd unit has ProtectSystem=full enabled, which adds another layer of defense. The information leaks in /var/log/kea and /var/lib/kea have been fixed as well.

The more disruptive changes have been delayed until the general publication of these issues and will soon be addressed as well.

6.7) FreeBSD

FreeBSD is affected by all the issues.

6.8) NetBSD (pkgsrc binary)

NetBSD supports the installation of a pkgsrc binary distribution of Kea, which is also available on some other systems like MacOS. This distribution of Kea is affected by all the issues.

By default no configuration is active, however. Admins have to copy over the configuration from example files found in /usr/pkg/share/examples/kea. Thus it is debatable whether NetBSD is affected in default installations of Kea.

6.9) OpenBSD

When we first discovered these issues we looked into OpenBSD 7.6. Meanwhile OpenBSD 7.7 has been released. As far as we can see only the mode of the /var/lib/kea directory changed in this release.

OpenBSD is affected by issues 3.1, 3.2 and 3.3. Sockets are placed in a dedicated directory, thus 3.4 and 3.5 do not apply here. There exist information leaks for log and state data (the latter only in release 7.6).

The _kea group ownership for the socket and state dir is inconsistent with the actual daemon credentials. A compromised _kea group could stage symlink attacks in these directories.

7) CVE Assignments

Kea upstream assigned the following CVEs. Some of them are cumulative and cover multiple of the issues found in this report.

Timeline

Change History

References

• SUSE Bugzilla review bug for Kea
• ISC Kea project page
• ISC GitLab private issue detailing the issues from this report

Agama será el nuevo instalador de openSUSE y SUSE y ya se ha publicado su versión 15 que sigue añadiendo mejoras y nuevas funcionalidades

A punto de acabar el mes de mayo, se acaba de publicar Agama 15, el que será el nuevo instalador de openSUSE y SUSE y que sustituirá al ya veterano y conocido YaST.

Vamos a repasar algunas de las novedades y mejoras que se han añadido en esta nueva versión.

Mejoras a la hora de seleccionar idioma

Esta es una de esas nuevas características que afectan directamente a la interfaz de usuario que como sabéis está basada en tecnología web. Y en ese sentido hay que mencionar los cambios introducidos en el ámbito de la internacionalización.

Agama ofrece dos configuraciones de localización diferentes:

• Una para la interfaz del instalador (idioma y distribución del teclado).
• Otra para la distribución de Linux instalada (idioma, distribución del teclado y zona horaria).

Hay muchas buenas razones para esa distinción, pero los usuarios de versiones anteriores de Agama solían confundir estas configuraciones a pesar de estar configuradas en diferentes lugares de la interfaz de usuario. Ese ya no debería ser el caso gracias a las muchas mejoras añadidas.

Interfaz de usuario Wi-Fi renovada

La sección de red de la interfaz de usuario también ha recibido muchas mejoras en estas versiones 14 y 15, especialmente en lo que respecta a la configuración de las conexiones Wi-Fi. Mejorando la experiencia del usuario, para que sea más intuitiva la forma de configurarlo y muchas otras novedades.

Aclarar las opciones en la página de almacenamiento

Si hay otro aspecto de la configuración que puede ser tan importante como la red, ese es la configuración del almacenamiento a la hora de instalar el nuevo sistema. En estas versiones nuevas se han seguido añadiendo más opciones en cada versión de Agama y, a veces, eso implica que que hay que pulir muchos otros aspectos para mantener la coherencia y la sencillez a la hora de realizar esta tarea clave.

En ese sentido, Agama 14 reorganizó los menús contextuales en la sección de almacenamiento para ayudar a los usuarios a encontrar la opción que buscan y comprender las implicaciones de cada acción y ese camino ha seguido Agama 15.

Estas son solo algunas de las opciones que he destacado de todas las novedades de Agama 15, si quieres conocer en detalle en qué otras mejoras se está trabajando, puedes hacerlo en el anuncio oficial:

• https://agama-project.github.io/blog/2025/05/27/agama-15

Last year, syslog-ng 4.8.0 improved the wildcard-file() source on FreeBSD and MacOS. Version 4.9.0 will do the same for Linux by using inotify for file and directory monitoring, resulting in faster performance while using significantly less resources. This blog is a call for testing the new wildcard-file() source options before release.

Read more at https://www.syslog-ng.com/community/b/blog/posts/testing-the-new-syslog-ng-wildcard-file-source-options-on-linux

Todo evento supone siempre unos gastos, y una presencial también. El 20 y 21 de junio, es decir, en menos de un mes se va a celebrar en Málaga la esperada Akademy-es 2025, el encuentro organizado por KDE España para todos los simpatizantes del proyecto. Es hora de hablar de patrocinadores de Akademy-es 2025 de Málaga OpenSouthCode Edition II, la demostración de que las empresas tienen un papel importante en el desarrollo del Sofware Libre.

Patrocinadores oro de Akademy-es 2025 de Málaga OpenSouthCode Edition II #akademyes

Como sabrán los lector del blog en apenas un mes se va a celebrar Akademy-es 2025 de Málaga como una track de OpenSouthCode de forma presencial, el evento más importante para los desarrolladores y simpatizantes de KDE, organizado por KDE España.

Desde KDE Blog quiero animar a patrocinar este evento ya que cualquier organización que lo haga recibirá visibilidad no solo en España, sino a nivel mundial en el campo del Software Libre, ya que muchos de los integrantes de la Comunidad tienen fuertes vínculos con países de todo el mundo. Recordemos que muchos de los integrantes de KDE España son miembros de KDE e.V., la fundación internacional que auspicia el proyecto.

El evento tiene presentaciones de primer nivel de temas relativos a las nuevas tecnologías, incluyendo aplicaciones de escritorio, aplicaciones móviles, desarrollo de software y multimedia. La comunidad KDE ha presentado innovaciones en todos estos campos a lo largo de su historia. Como patrocinador, su organización tendrá la oportunidad de participar en este entorno creativo y ser conocida por los asistentes.

Además, las discusiones técnicas no son el único objetivo de Akademy-es. El evento es también una oportunidad de networking y de conocer gente. Los eventos sociales son también muy importantes, ya que fomentan la creación del ambiente de cordialidad dentro de la comunidad KDE que permite la aparición de nuevas ideas; así que si lo desea puede también patrocinar un evento social.

De momento ya tenemos algunos patrocinadores de Akademy-es 2025 confirmados, se trata de openSUSE y la Universidad de La Laguna.

Esto, evidentemente, se merece una pequeña reseña en el blog.

Patrocinador: openSUSE

El proyecto openSUSE, de sobre conocido por los lectores habituales del blog, es una comunidad mundial que promueve el uso de Linux en todas partes. openSUSE crea una de las mejores distribuciones de Linux del mundo, en la que se trabaja de forma conjunta, abierta, transparente y amistosa como parte de la comunidad mundial de software libre y de código abierto.

El proyecto está controlado por su comunidad y depende de las contribuciones de sus miembros, que trabajan como probadores, escritores, traductores, expertos en usabilidad, artistas y embajadores o desarrolladores. El proyecto abarca una amplia variedad de tecnologías, gentes con distintos niveles de experiencia, que hablan distintos idiomas y que tienen diferentes orígenes culturales.

Patrocinador: Universidad de La Laguna

La Universidad de La Laguna es una institución pública de educación superior e investigación ubicada en Tenerife.
Ofrece grados, másteres, doctorados, títulos propios y cursos online y semipresencial.
Destaca su amplio compromiso con el Software Libre.

La entrada Patrocinadores oro de Akademy-es 2025 de Málaga OpenSouthCode Edition II #akademyes se publicó primero en KDE Blog.

Agama 15 is out and it is time for a new blog post after our previous announcement of... wait... Agama 13? You may be wondering what happened to Agama 14. The answer is easy, we released it but we were too busy to write the corresponding blog post. So this will serve as an announcement for both versions.

Let's jump directly into the new features because there is a lot to cover.

Usability improvements related to localization​

We will start with those features affecting directly the web user interface. And in that regard we have to mention the changes introduced in the internationalization area. Agama offers two different localization (l10n) configurations:

• One for the installer interface (language and keyboard layout).
• Another for the installed Linux distribution (language, keyboard layout, and timezone).

There are many good reasons for that distinction, but users of previous versions of Agama used to confuse these settings despite being configured at different places of the user interface. That should not be the case anymore thanks to the many usability improvements introduced by this pull request, which includes a detailed description of the changes with many screenshots.

Revamped Wi-Fi user interface​

The network section of the web user interface also received many usability improvements, especially regarding the configuration of Wi-Fi connections. Once again, the individual changes are too many to be listed here but can be checked at the description of the corresponding pull request at Github.

Clarify options at the storage page​

If there is another aspect of the configuration that can be as challenging as the network, that is the storage setup. We keep adding more options on every Agama release and sometimes that implies we must invest some time polishing small details to make the whole user interface more understandable.

In that regard, Agama 14 reorganized the contextual menus on the storage section to help users find the option they are looking for and understand the implications of each action.

Registration: extensions and certificates​

And talking about adding new options to Agama, we also have to consider which of those options are available at the web interface and which ones are there only to be tweaked using the command line or a configuration file (eg. during unattended installation). The possibility of fine-tuning the registration process was an example of the latter... until now.

Agama 14 made it possible to use the web interface to register extensions. Those extensions allow to add more capabilities to SUSE Linux Enterprise right from the installation of the system.

But that is not the only news regarding registration. Agama 15 also added more options to deal with self-signed certificates for those SUSE customers using RMT (Repository Mirroring Tool) to manage subscriptions on their own internal network.

Management of certificate warnings and errors go beyond the visual interface and Agama 15 also offers several ways to handle the situation on unattended installations. In fact, the possibilities of unattended installations are dramatically expanded with these new releases of Agama. Starting with a special case.

Unattended configuration for iSCSI and DASD devices​

We usually implement new features first in the configuration used for unattended installation (the profile, using AutoYaST jargon) and only later we decide whether the given feature must be available at the web interface and, if so, to what extent. But the case of iSCSI and DASD configuration was an exception. Due to their special nature, we first implemented interactive management for them, available already at the early versions of the Agama web interface. Users have had to wait until recent versions 14 and 15 to be able to configure iSCSI and DASD respectively using only a section of the Agama configuration.

We are in the process of improving the documentation for the Agama configuration, but meanwhile examples for both storage technologies can be found at Agama's examples directory.

Storage section: improved searches and software RAIDs​

And talking about unattended installation and storage technologies, Agama 15 also represents a step forward in the way to select and combine the disks and partitions in the target system.

On the one hand, the search property that allows to match existing devices with definitions in the configuration was improved to support filtering by name, size and partition number. On the other hand, this Agama release includes the first fully functional implementation of the property mdRaids that allows to create and reuse MD RAID devices.

The combination of those new features allows to create configurations like the following.

{
  "storage": {
    "drives": [
      {
        "search": {
          "condition": { "size": { "greater": "1 TiB" } },
          "max": 2,
        },
        "partitions": [
          { "search": "*", "delete": true },
          {
            "size": "20 GiB",
            "alias": "parts-for-root"
          },
          {
            "size": { "min": "1 GiB" },
            "alias": "parts-for-home"
          }
        ]
      },
    ],
    "mdRaids": [
      {
        "devices": [ "parts-for-root" ],
        "level": "raid0",
        "filesystem": { "path": "/" }
      },
      {
        "devices": [ "parts-for-home" ],
        "level": "raid1",
        "name": "data",
        "encryption": {
          "luks2": { "password": "notsecret" }
        },
        "filesystem": { "path": "/home" }
      }
    ]
  }
}

Advanced boot loader configuration​

Apart from the storage configuration, there are other aspects where users of unattended installation may have special requirements. One of those areas is the configuration of the boot loader.

The new Agama versions allow to setup an arbitrary timeout for the menu and also additional parameters to be passed to the kernel on every boot of the target system.

{
  "bootloader": {
    "timeout": 10,
    "extraKernelParams": "verbose"
  }
}

Creation of network bridges​

The network section of the configuration was also expanded with the possibility to define bridge interfaces. As you can see in the following example, the syntax follows the same general principles than the previously existing support for network bonding.

{
  "network": {
    "connections": [
      {
        "id": "Bridge0",
        "method4": "manual",
        "interface": "br0",
        "addresses": ["192.168.1.100/24"],
        "gateway4": "192.168.1.1",
        "nameservers": ["192.168.1.1"],
        "bridge": {
          "ports": ["eth0", "eth1"],
          "stp": false
        }
      }
    ]
  }
}

But not all improvements in the unattended installation field correspond to new configuration options or sections. There are also other aspects of the experience we decided to enhance.

Relative URLs at the Agama configuration​

As the most seasoned (open)SUSE users know, AutoYaST may be a bit singular when it comes to URLs. One of the most creative AutoYaST tricks is the usage of an AutoYaST-specific schema relurl to specify URLs that are relative to the location of the profile. Of course, specifying resources relatively to the profile is useful in many scenarios, but for Agama we decided it could be done better.

Instead of porting relurl, Agama 15 introduces the concept of URL reference, well known from HTML and standardized at RFC3986. You can see the difference between an absolute and a relative URL in the following example.

{
  "files": [
    {
      "destination": "/etc/issue.d/readme.issue",
      "url": "http://192.168.122.1/agama/issue-readme",
    },
    {
      "destination": "/etc/issue.d/agama.issue",
      "url": "./issue-sles",
    }
  ]
}

Improvements at the command-line interface​

So far we described many improvements for both the web user interface and the unattended installation process. But as you know, the latter is not really any special mode at Agama, but just a way to trigger the installation in a way in which it still can be monitored and controlled using the mentioned web interface or Agama's command-line tools.

During this sprint we improved several aspect of those tools, especially regarding its ability to interact with remote systems, and implemented a new command agama monitor that can be used to connect to any ongoing installation and follow the process.

We must admit the previous screenshot corresponds to an improved version of the agama monitor command which is not included at Agama 15. Because, of course, this release is just another step in the long way to our Agama vision.

More to come​

As you can see, we are already working on Agama 16 and beyond. You can check our plans at the public project roadmap and test the latest development version using the corresponding Live ISO images.

If you got questions or want to get involved, do not hesitate to contact us at the Agama project at GitHub and our #yast channel at Libera.chat. Have a lot of fun!

Este lanzamiento abril de la Comunidad KDE ha llegado con pocas grandes novedades en las aplicaciones pero sí en muchas. De esta forma he decidido crear un par de entradas recopilatorias de las mismas, empecé con las aplicaciones de ocio y sigo hoy con las novedades de las herramientas del sistema en KDE ⚙️ Gear 25.04. Pocas pero interesantes

Novedades de las herramientas del sistema en KDE ⚙️ Gear 25.04

Dentro del lanzamiento de KDE Gear 25.04 muchas aplicaciones han recibido impulso aunque sea con novedades puntuales. Es el ejemplo de las novedades de las herramientas del sistema en KDE ⚙️ Gear 25.04. Veámos que nos ofrecen:

Konqueror, el navegador web y de archivos de KDE, con 25 años de juventud, sigue recibiendo actualizaciones. Esta vez le ha tocado al diálogo Guardar como, que ahora recuerda dónde se descargó un archivo por última vez y mostrará dicha ubicación la próxima vez que seleccione la opción.

KRDC, la aplicación que permite ver y controlar una sesión de escritorio en otra máquina, ya sea en la misma red local o a través de internet, a más de 1000 kilómetros de distancia, ahora permite escalar el escritorio de la máquina remota para que que quepa dentro de la ventana de KRDC,. Además, añade compatibilidad para el campo de dominio durante el proceso de autenticación y ahora funciona con la nueva versión del protocolo FreeRDP.

KDE Connect, la aplicación que reduce la distancia entre el teléfono y la computadora, mejora la velocidad de transferencia de datos cuando se usa Bluetooth.

Más información: KDE Gear 25.04

Y, recuerda, todo este software es gratuito y sin publicidad en todos los sentidos: no te cuesta ni un euro y no se cobra en en forma de datos personales. No obstante, si quieres ayudar a su desarrollo siempre puedes participar en su campaña de recaudación de fondos.

La entrada Novedades de las herramientas del sistema en KDE ⚙️ Gear 25.04 se publicó primero en KDE Blog.

O Dia do Orgulho Nerd, ou Dia do Orgulho Geek é uma iniciativa que advoga o direito de toda pessoa ser um nerd ou um geek. Teve origem na Espanha (“dia del orgullo friki”, em espanhol).^[1]

O dia do orgulho nerd é celebrado em 25 de maio desde 2006, comemorando a première do primeiro filme da série Star Wars, em 1977. O dia 25 de maio também é o Dia da Toalha, em homenagem ao escritor Douglas Adams.

Origens

Em 2006, este dia foi celebrado pela primeira vez em toda a Espanha e na internet, graças à publicidade dada por alguns meios, como:

• Salas, Javier. “Comecocos y mangas toman la calle: la revancha de los frikis“, Telecinco, 2006-5-26. Página visitada em 2006-05-26.
• Perez, Javier. “Orgullo friki“, El Mundo, 2006-5-26. Página visitada em 2005-05-26.
• Ramos, David. “25 de mayo: Día del Orgullo Friki“, 20minutos, 2006-5-25. Página visitada em 2005-05-25.

A maior concentração aconteceu em Madri, onde 300 Nerds demonstraram seu orgulho com um pacman humano.

Comemorações de 2007

Em 2007 a celebração contou com mais ajuda de instituições oficiais (como o Circo Price, de Madri) e teve comemoração mais ampla por toda a Espanha. Atividades oficiais foram anunciadas no Pilar de la Horadada, Cádiz, Huesca, Calaf, Huelva, e Valência. Houve uma campanha Doação de Sangue Nerd. Entre outros atos, foi exibido o filme Gritos no corredor.

2008: O dia do Orgulho Nerd chega à América

Em 2008, o Dia do Orgulho Nerd atravessou o Atlântico e foi comemorado oficialmente na América, onde foi divulgado por numerosos bloggers, unidos pelo lançamento do site GeekPrideDay. O matemático e autor John Derbyshire, vencedor do Prêmio Livro de Euler e blogger geek, anunciou^[2] que apareceria na parada da Quinta Avenida, vestido de número 57, na ala dos números primos – o que fez alguns bloggers dizerem que iriam procurá-lo.

Direitos e deveres dos nerds

Foi criado um manifesto para celebrar o primeiro Dia do Orgulho Nerd, que incluía a seguinte lista de direitos e deveres dos nerds:^[3]Direitos

1. O direito de ser nerd.^[3]
2. O direito de não ter que sair de casa.^[3]
3. O direito a não ter um par e ser virgem.^[3]
4. O direito de não gostar de futebol ou de qualquer outro esporte.^[3]
5. O direito de se associar com outros nerds.^[3]
6. O direito de ter poucos (ou nenhum) amigo.^[3]
7. O direito de ter o tanto de amigos nerds que quiser.^[3]
8. O direito de não ter que estar “na moda”.^[3]
9. O direito ao sobrepeso (ou subpeso) e de ter problemas de visão.^[3]
10. O direito de expressar sua nerdice.^[3]
11. O direito de dominar o mundo.^[3]

Deveres

1. Ser nerd, não importa o quê.^[3]
2. Tentar ser mais nerd do que qualquer um.^[3]
3. Se há uma discussão sobre um assunto nerd, poder dar sua opinião.^[3]
4. Guardar todo e qualquer objeto nerd que tiver.^[3]
5. Fazer todo o possível para exibir seus objetos nerds como se fosse um “museu da nerdice”.^[3]
6. Não ser um nerd generalizado. Você deve se especializar em algo.^[3]
7. Assistir a qualquer filme nerd na noite de estréia e comprar qualquer livro nerd antes de todo mundo.^[3]
8. Esperar na fila em toda noite de estreia. Se puder ir fantasiado, ou pelo menos com uma camisa relacionada ao tema, melhor ainda.^[3]
9. Não perder seu tempo em nada que não seja relacionado à nerdice.^[3]
10. Tentar dominar o mundo.^[3]

Como ya sabréis este año se celebra Akademy-es 2025 se celebrará en de forma presencial en Málaga, dentro de la OpenSouthCode del 20 al 21 de junio, viernes y sábado. Ayer fue publicado el programa de charlas de Akademy-es 2025. Léelo y seguro que encuentras más de una razón para acompañarnos.

Programa de charlas de Akademy-es 2025 de Málaga OpenSouthCode Edition II #akademyes

El 20 y 21 de junio se va a celebrar Akademy-es 2025 de Málaga que se celebrará organizado por KDE España y de forma paralela a otro gran evento como es OpenSouthCode.

Este año volvemos a tener un gran programa de ponencias pero condensado es un solo día ya que se ha pensado que dado que estamos en un gran evento es una buena idea que los organizadores también nos mezclemos con el resto de asistentes.

En el programa de charlas, que pondré a continuación, podrás ver la diversidad de ponencias que hemos preparado, condensando a algunos de los grandes comunicadores de la Comunidad KDE y algunos artistas invitados de prestigio,

Y si no te lo crees simplemente échale un vistazo al programa.

Viernes 20 de junio

Jornada matinal

09:30 – 09:40 Ceremonia de apertura de Akademy-es

09:40 – 10:25 KDE Linux: La nueva distribución de KDE – Albert Astals Cid

10:30 – 11:15 Trucos y Secretos que no te cuentan cuando desarrollas videojuegos en Godot – Gabriel Galiana Jaime

11:30 – 12:15 KDE plasma y más software libre: El flujo de trabajo para ingenieros – Fernando Rosa

12:30 – 13:15 kiot: Integración de KDE Plasma en sistemas de «smart homes» – Ivan Gregori Jorques

Foto de grupo

Jornada vespertina

15:30 – 15:50 ¿Qué es KDE España? – Junta de KDE España

15:55 – 16:20 Charlas relámpago

16:30 – 17:15 Tocando a la puerta del mal: ¿IA en KDE Plasma (y otros escritorios libres)? – Rubén Gómez Antolí

17:30 – 18:15 Okular: El visor de documentos multiplataforma – Albert Astals Cid

18:30 – 19:15 10 cosas que no sabías que podías hacer (o sí) en Plasma 6 – Baltasar Ortega

19:15 Ceremonia de clausura de Akademy-es

Nota: Las charlas y horarios pueden sufrir ligeras modificaciones dependiendo de la disponibilidad de los ponentes

Vía: KDE España

La entrada Programa de charlas de Akademy-es 2025 de Málaga OpenSouthCode Edition II #akademyes se publicó primero en KDE Blog.

Último libro hasta la fecha publicado por el escritor japonés y tercero del escritor que leo

Cuando empecé a leer el libro La ciudad y sus muros inciertos de Haruki Murakami, creí que era un libro que ya había leído de él, pero no. Trataré de escribir sobre el libro sin revelar nada que no tenga que revelar.

Este último libro del escritor japonés publicado en 2024, era una reinterpretación de un relato que publicó cuando empezaba su oficio de escritor y que revisitó en el libro El fin del mundo y un despiadado país de las maravillas que fue el que leí y que me confundía al encontrarme elementos coincidentes.

Una ciudad amurallada, un lector de sueños en un país en el que para entrar te despojan de tu sombra, unas manadas de rinocerontes que fallecen en el crudo invierno… todos estos elementos vuelven a aparecer en este último libro de Murakami.

De Murakami he leído la trilogía de 1Q84, y los dos libros que he mencionado antes. En todos el escritor explora mundos paralelos que se confunden con la realidad, donde los protagonistas son eminentementes personajes solitarios que van deambulando y viviendo a caballo de ambos mundos, uno real y otro imaginario, hasta que casi confunden cual es el que tiene sentido y cual no, si es que alguno lo tiene o si lo tienen ambos.

En este último libro, en el que revisita ese mundo que he mencionado antes, el protagonista por diversos motivos vuelve a internarse en ese país amurallado, donde no hay sorpresas y el tiempo discurre sin contratiempos en un tono gris y sus habitantes han tenido que desprenderse de sus sombras.

De nuevo el protagonista, igual que en la trilogía de 1Q84, es una persona solitaria, que de alguna manera se ve involucrado en toda esa confusión de mundos por un amor idílico de juventud. Un amor que no ha olvidado y que buscar recuperar en el tiempo. Busca reencuentros que a veces ocurren.

El realismo mágico de la literatura latinoamericana cruza océanos y se conjuga en la literatura que nos ofrece Murakami en este libro. Presencias etéreas que interactúan en la realidad, destinos quizás sellados que confirman las teorías deterministas, tonos de diversas melancolías escondidos en lugares que vamos explorando, encuentros, despedidas.

Me gustó el libro, aunque para mi gusto el final (por supuesto sin contar de qué va) me defraudó un poco, no me terminó de gustar ni convencer. La historia se iba desarrollando de manera interesante, pero como que la última parte fue algo abrupto… Para mi gusto. No me hagas caso y te animo a que si quieres lo leas y lo descubras por ti mismo y me digas si coincides conmigo o si a ti el final te ha gustado.

Fue un placer leerlo e incursionar de nuevo por la literatura de Murakami. Te animo que descubras al autor con cualquiera de los títulos publicados, los que he leído yo me han gustado todos mucho, seguro que algún otro título caerá. ¿Alguna recomendación?