[$] The KDE desktop gets an overhaul with Plasma 6
It's been nearly 10 years since KDE Plasma 5, which is the last major release of the desktop. On February 28 the project announced its "mega release" of KDE Plasma 6, KDE Frameworks 6, and KDE Gear 24.02 — all based on the Qt 6 development framework. This release focuses heavily on migrating to Wayland, and aspires to be a seamless upgrade for the user while improving performance, security, and support for newer hardware. For developers, a lot of work has gone into removing deprecated frameworks and decreasing dependencies to make it easier to write applications targeting KDE.
Tails 6.0 released
Tails 6.0 is now available. Based on Debian, Tails is a portable operating system designed to run from a USB stick and help users avoid surveillance and censorship. This release updates most Tails applications, and includes important security and usability improvements.
One major new feature in 6.0 is to provide warnings to users about errors when reading or writing to persistent storage. This release now ignores USB devices plugged in while the screen is locked, and removes some file and disk-wiping features from the Files application that are "not reliable enough" on USB sticks and SSDs to continue offering to users.
Users of Tails prior to 6.0~rc1 will need to do a manual upgrade to retain persistent storage. New users can download Tails for USB, or as an ISO to create a DVD or run Tails in a virtual machine.
Security updates for Wednesday
Adding systemd to postmarketOS
The postmarketOS project, which produces a Linux distribution for phones and mobile devices, has announced that it is in the early stages of adding systemd to make it easier to support GNOME and KDE.
Users who prefer the OpenRC init system are assured they will still have that option when building their own images "as long as OpenRC is in Alpine Linux (on which postmarketOS is based)":
As with text editors, some people are really passionate about their favorite init systems. When discussing this announcement, please keep a friendly tone. Remember that we all share the love for free and open source software, and that our communities work best if we focus on shared values instead of fighting over what implementations to use.
Proof-of-concept images are available now for a limited set of devices. Users are warned these images are "buggy, unreliable, and NOT suitable for use on a device you rely on". Those interested in helping with testing and development are encouraged to follow along and report bugs on the systemd issue at GitLab.
[$] MySQL and MariaDB changes coming in Fedora 40
The Fedora Project switched to MariaDB as the default implementation of MySQL in Fedora 19 in 2013. Once a drop-in replacement for MySQL, MariaDB has diverged enough that this is no longer the case—and, despite concerns about Oracle and optimism that MariaDB would supplant MySQL, the reality is that MySQL and MariaDB seem to be here to stay. With that in mind, Fedora developer Michal Schorm proposed that the project revise the way MySQL and MariaDB are packaged in Fedora starting with Fedora 40.
[$] Untangling the Open Collectives
Name collisions aren't just a problem for software development—organizations, projects, and software that have the same or similar names can cause serious confusion. That was certainly the case on February 28 when the Open Collective Foundation (OCF) began to notify its hosted projects that it would be shutting down by the end of 2024. The announcement surprised projects hosted with OCF, as one might expect. It also worried and confused users of the Open Collective software platform from Open Collective, Inc. (OCI), as well as organizations hosted by the Open Source Collective (OSC) and Open Collective Europe (OC Europe). There is enough confusion about the names, relationships between the organizations, and impact on projects like Flatpak, Homebrew, and htop hosted by OCF, that a deeper look is warranted.
Security updates for Wednesday
[$] Questions about machine-learning models for Fedora
Kaitlyn Abdo of Fedora's AI/ML SIG opened an issue with the Fedora Engineering Steering Committee (FESCo) recently that carried a few tricky questions about packaging machine-learning (ML) models for Fedora. Specifically, the SIG is looking for guidance on whether pre-trained weights for PyTorch constitute code or content. And, if the models are released under a license approved by the Open Source Initiative (OSI), does it matter what data the models were trained on? The issue was quickly tossed over to Fedora's legal mailing list and sparked an interesting discussion about how to handle these items, and a temporary path forward.
Security updates for Friday
Eight stable kernel updates for the weekend
Mitchell: Today we launched Flox 1.0
Zach Mitchell has announced the 1.0 release of Flox, a tool that lets its users install packages from nixpkgs inside portable virtual environments, and share those virtual environments with others as an alternative to Docker-style containers. Flox is based on Nix but allows users to skip learning how to work with the Nix language:
With Flox we're providing a substantially better user experience. We provide the suite of package manager functionality with install, uninstall, etc, but we also provide an entire new suite of functionality with the ability to share environments via flox push, flox pull, and flox activate --remote.
Flox is GPLv2-licensed, and releases are available as RPMs and Debian packages for x86_64 and arm64 systems.
Security updates for Wednesday
Python announces first security releases since becoming a CNA
The Python project has announced three security releases, 3.10.14, 3.9.19, and 3.8.19. In addition to the security fixes, these releases are notable for two reasons: they are the first to make use of GitHub Actions to perform public builds instead of building artifacts "on a local computer of one of the release managers", and the first since Python became a CVE Numbering Authority (CNA).
Python release team member Łukasz Langa said that being a CNA means Python is able to "ensure the quality of the vulnerability reports is high, and that the severity estimates are accurate." It also allows Python to coordinate CVE announcements with the patched versions of Python, as it has with two CVEs addressed in these releases. CVE-2024-0450 describes a flaw in CPython's zipfile module that made it vulnerable to a zip-bomb exploit. CVE-2023-6597 is an issue with Python's tempfile.TemporaryDirectory class which could be exploited to modify permissions of files referenced by symbolic links. Users of affected versions should upgrade soon.
[$] Managing Linux servers with Cockpit
Cockpit is an interesting project for web-based Linux administration that has received relatively little attention over the years. Part of that may be due to the project's strategy of minor releases roughly every two weeks, rather than larger releases with many new features. While the strategy has done little to garner headlines, it has delivered a useful and extensible tool to observe, manage, and troubleshoot Linux servers.
[$] GNOME 46 puts Flatpaks front and center
The GNOME project announced GNOME 46 (code-named "Kathmandu") on March 20. The release has quite a few updates and improvements across user applications, developer tools, and under the hood. One thing stood out while looking over this release—a major emphasis on Flatpaks as the way to acquire and update GNOME software.
Security updates for Wednesday
[$] The race to replace Redis
On March 21, Redis Ltd. announced that the Redis "in-memory data store" project would now be released under non-free, source-available licenses, starting with Redis 7.4. The news is unwelcome, but not entirely unexpected. What is unusual with this situation is the number of Redis alternatives to choose from; there are at least four options to choose as a replacement for those who wish to stay with free software, including a pre-existing fork called KeyDB and the Linux Foundation's newly-announced Valkey project. The question now is which one(s) Linux distributions, users, and providers will choose to take its place.