weird crashes on the newest tumbleweed snapshot
  • Archaeopteryx Archaeopteryx 1w ago 100%

    Glad to hear that a snapshot saved your day. Probably the most useful feature in TW.

    3
  • news.opensuse.org

    ## GRUB2 with BLS is now in MicroOS and Tumbleweed

    Recently the openSUSE project released for MicroOS and Tumbleweed a new version of the GRUB2 package, with a new subpackage `grub2-$ARCH-efi-bls`. This subpackage delivers a new EFI file, `grubbls.efi`, that can be used as a replacement for the traditional `grub.efi`. The new PE binary is a version of GRUB2 that includes a set of patches from Fedora, which make the bootloader follow the Boot Loader Specification ([BLS](https://uapi-group.org/specifications/specs/boot_loader_specification/)). This will make GRUB2 understand the boot entries from `/boot/efi/entries`, and dynamically generate the boot menu shown during boot time.

    This is really important for full disk encryption (FDE) because it means that we can now re-use all the architecture and tools designed for `systemd-boot`. For example, installing or updating the bootloader can now be done with `sdbootutil install`, the `suse-module-tools` scriptlets will create new BLS entries when a new kernel is installed, and the `tukit` and `snapper` plugins will take care of doing the right thing when snapshots are created or removed.

    Reusing all those tools without modification was a significant win, but even better, many of the quirks that classical GRUB2 had when extending the event log are no longer present. Before this package, `sdbootutil` needed to take ownership of the `grub.conf` file, as this is measured by GRUB2 *by executed lines*. That is right! For each line that is read and executed by the GRUB2 parser, a new PCR#8 extension will take place, and because GRUB2 supports conditionals and other complex constructs, it is very hard to predict the final value of PCR#8 without imposing a very minimal and strict `grub.conf`.

    However, with the new BLS subpackage, this file, along with the fonts and graphical assets for the theme, and the necessary modules (such as `bli.mod`), are now included in the internal `squashfs` within the EFI binary. GRUB2 no longer measures those internal files, and this does not compromise the security guarantees, because now it is the firmware that measures the entire EFI binary when the bootloader is executed during the boot process.

    As of today, we cannot use YaST2 to install GRUB2 with BLS, but we can do that manually very easily. We need to make a `systemd-boot` [installation](https://en.opensuse.org/Portal:MicroOS/FDE#Installation_with_YaST), change `LOADER_TYPE` from `systemd-boot` to `grub2-bls`, install the new GRUB2 BLS package, and run `sdbootutil install`.

    Another option is to play with one of the available images for [MicroOS](https://download.opensuse.org/tumbleweed/appliances/openSUSE-MicroOS.x86_64-kvm-and-xen-grub-bls.qcow2) or [Tumbleweed](https://download.opensuse.org/tumbleweed/appliances/openSUSE-Tumbleweed-Minimal-VM.x86_64-kvm-and-xen-grub-bls.qcow2).

    Have a lot of fun!

    10
    0
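The PCR#8 problem described in the GRUB2 BLS post above, as an added example that is not part of the original article or of GRUB2: a toy interpreter measures a configuration line by line, and every conditional multiplies the number of final PCR values a predictor has to allow, while measuring the whole image once gives a single value. The config dialect, the flag names and the plain SHA-256 image hash are assumptions made for the illustration.

```python
import hashlib
from itertools import product

ZERO_PCR = bytes(32)  # a PCR in the SHA-256 bank starts as 32 zero bytes


def extend(pcr: bytes, event: bytes) -> bytes:
    """TPM extend operation: new = H(old || H(event))."""
    return hashlib.sha256(pcr + hashlib.sha256(event).digest()).digest()


# Constructed configuration in a toy dialect (flat if/else/fi only).
CONFIG = """\
set timeout=5
if secure_boot
set theme=locked
else
set theme=default
fi
if has_snapshot
menuentry snapshots
fi
menuentry default
""".splitlines()


def executed_lines(lines, env):
    """Return the lines a parser would actually execute for the flags in env."""
    out = []
    active = True   # are we inside a branch that runs?
    taken = True    # result of the most recent condition
    for line in lines:
        words = line.split()
        if words[0] == "if":
            out.append(line)          # the condition itself is executed
            taken = env[words[1]]
            active = taken
        elif words[0] == "else":
            active = not taken
        elif words[0] == "fi":
            active = True
        elif active:
            out.append(line)
    return out


def pcr_by_executed_lines(lines, env) -> bytes:
    """Model of per-line measurement: one extend per executed line."""
    pcr = ZERO_PCR
    for line in executed_lines(lines, env):
        pcr = extend(pcr, line.encode())
    return pcr


def pcr_by_whole_image(image: bytes) -> bytes:
    """Model of the firmware measuring the complete binary once."""
    return extend(ZERO_PCR, image)


def possible_values(lines, flags):
    """Every final PCR value that can occur across all flag combinations."""
    values = set()
    for combo in product([False, True], repeat=len(flags)):
        env = dict(zip(flags, combo))
        values.add(pcr_by_executed_lines(lines, env).hex())
    return values


if __name__ == "__main__":
    flags = ["secure_boot", "has_snapshot"]
    for value in sorted(possible_values(CONFIG, flags)):
        print("per-line  PCR:", value)
    # The same bytes embedded in the binary produce one value, whatever the flags.
    print("whole-img PCR:", pcr_by_whole_image("\n".join(CONFIG).encode()).hex())
```

With two independent conditionals the per-line model already yields four valid values; embedding the configuration in the measured binary collapses that to one.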
    news.opensuse.org

    Hello everyone!

    I'd like to announce the start of development and the public availability of what we currently refer to as Leap 16.0 pre-Alpha. Since this is a pre-Alpha version, significant changes may occur, and the final product may look very different in the Alpha, Beta, Release Candidate, or General Availability stages.

    Users can get our new Agama install images from [get.opensuse.org/leap/16.0](https://get.opensuse.org/leap/16.0). The installer will *currently* offer you Base, GNOME, and KDE installation.

    Leap 16.0 is a traditional distribution and a successor to Leap 15.6 with expected General Availability arriving in the Fall of 2025. We intend to provide users with sufficient overlap so that 15.6 users can have a smooth migration, just like they're used to from previous releases.

    Further details are available on our [roadmap](https://en.opensuse.org/openSUSE:Roadmap#DRAFT_Schedule_for_Leap_16.0). The roadmap is subject to change since we have to respond to any SUSE Linux Enterprise Server 16 schedule changes.

    Users can expect a traditional distribution in a brand new form based on binaries from the latest SLES 16 and community packages from our [Factory](https://en.opensuse.org/Portal:Factory) development codebase.

    There is no plan to make a Leap 15.7; however, we still need to deliver previously released community packages from Leap 15 via Package HUB for the upcoming SLES 15 SP7. This is why there are an openSUSE:Backports:SLE-15-SP7 project and 15.7 repos in OBS.

    ##### Who should get it?

    This is a pre-alpha product that is not intended to be installed as your daily driver. I highly recommend starting with the installation in a virtual machine and becoming familiar with the online installer Agama.

    The target audience for pre-Alpha are early adopters and contributors who would like to actively be part of this large effort. Adopters should consider booting Agama Media from time to time just to check compatibility with their hardware.

    For non-contributor users, I highly recommend waiting until we have a Beta, which is expected in the late Spring of 2025.

    ##### How to report bugs?

    I'd like to kindly ask you to check our [Known bugs wikipage](https://en.opensuse.org/openSUSE:Known_bugs_16.0) before reporting a new issue. If you find a new issue that is likely to affect users, please feel free to add it to the page.

    Specifically for Agama I highly recommend using [github.com/agama-project](https://github.com/agama-project/agama/issues) and collaborating with the YaST team on suggestions and incorporating any changes.

    For the rest of the components, the workflow isn't changing; just select version 16.0 for [bug submissions](https://en.opensuse.org/openSUSE:Submitting_bug_reports#Regular_release_products).

    ##### Feature requests

    All changes to packages inherited from SLES 16 need to be requested via a [feature request](https://code.opensuse.org/leap/features). Feature requests will be reviewed every Monday at a [feature review meeting](calendar.opensuse.org) where we'll convert code-o-o requests into JIRA requests used by SUSE Engineering where applicable.

    The factory-auto bot will reject all code submit requests against SLES packages with a pointer to code-o-o. You can get a list of all SLFO/SLES packages simply by running `osc ls SUSE:SLFO:1.1:Build`.

    Just for clarification, SLFO (SUSE Linux Framework One) is the source pool for SLES 16 and SL Micro 6.X.

    I highly recommend using code-o-o to co-ordinate larger community efforts such as Xfce enablement, where we will likely need to update some of the SLES dependencies. This allows us to share the larger story and better reasoning for related SLES update requests. The list of features is also extremely valuable for the Release article.

    ##### Where to submit packages, how is it built, and where is it tested?

    Leap 16.0 is built in the openSUSE:Leap:16.0 project, where we will happily welcome any community submissions until the Beta code submission deadline in the late Spring of 2025.

    We intend to keep the previous development model and avoid forking SLES packages unless necessary. We can no longer [mirror](https://en.opensuse.org/Portal:Jump:OBS:SRMirroring) SLES code submissions from OBS into IBS, so all SLES 16 update requests have to be requested via feature requests.

    For quality control, we have basic test suites based on Agama installations in the [Leap 16.0 job group](https://openqa.opensuse.org/group_overview/129). Later, we plan to rework the existing [Leap 16.0 Images job group](https://openqa.opensuse.org/group_overview/126) for testing the remaining appliance images.

    The project where we maintain community packages is subject to change as we have not fully finalized yet how to make Package HUB (we may use a similar structure with Backports as in 15.3+).

    Further test suite enablement is one of the areas where we currently need the most help. Related progress.opensuse.org trackers are [poo#164141 Leap 16.0 enablement](https://progress.opensuse.org/issues/164141) and [poo#166562 upgrade from 15.6](https://progress.opensuse.org/issues/166562).

    Another area where you can help is new package submissions and related maintainer review of package submissions to Leap 16.0. These reviews make sense as we'd like to check with maintainers whether that software in a given version makes sense for inclusion into Leap 16.0, rather than blindly copying all packages over.

    ##### Involvement in branding and marketing efforts

    I'm very proud to announce fresh branding efforts and want to thank all the people who helped give Leap and Tumbleweed a new look. We plan to publish an article or a video about the changes and further plans, as we still have a surprise or two in our pocket.

    Do you want to help us on this front? Spread the news and feel free to join the [#openSUSE_Marketing Telegram channel](https://t.me/openSUSE_Marketing)! https://en.opensuse.org/openSUSE:Marketing_team

    Many thanks to all who helped us to reach this point.

    Lubos Kocman
    on behalf of the [openSUSE Release team](https://en.opensuse.org/openSUSE:Release_team)

    49
    0
    [Video] More Archimedes engine testing at Stennis
  • Archaeopteryx Archaeopteryx 2w ago 100%

    Maybe I am too deep into retro computing and such but my first reaction when I read the headline was "Oh great! A new game engine for the Acorn Archimedes computer." :)

    2
  • weird crashes on the newest tumbleweed snapshot
  • Archaeopteryx Archaeopteryx 2w ago 100%

    Hey,

    No issues from my side so far. Have you tried to roll back to see if it's related to the update? Could also be a hardware error that just happened to occur at the same time as the update.

    3
  • news.opensuse.org

    Welcome to the monthly update for Tumbleweed for September 2024!

    This month, the rolling-release model has kept pace with numerous important updates and bug fixes. PostgreSQL received a major update moving to 17 and text shaping engine [harfbuzz](https://github.com/harfbuzz/harfbuzz) had a major update to version 10. Packages like [systemd](https://freedesktop.org/wiki/Software/systemd/), [git](https://github.com/git), [bash](https://www.gnu.org/software/bash/) and [qemu](https://www.qemu.org/) were also updated this month in the rolling release. Various packages saw CVE fixes and desktop components for [GNOME](https://www.gnome.org/) and [KDE](https://www.kde.org/) were also updated.

    As always, remember to roll back using [snapper](https://github.com/openSUSE/snapper) if any issues arise. Happy updating and tumble on!

    Should readers desire more frequent information about snapshot updates, they are encouraged to subscribe to the [openSUSE Factory mailing list](https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/).

    ### New Features and Enhancements

    * [Linux Kernel](https://www.kernel.org/) 6.11.0: The latest update brings reversion of the PCI ACS configurability extension to address an issue [bsc#1229019](https://bugzilla.opensuse.org/show_bug.cgi?id=1229019). Key updates in the release include a fix to the block subsystem, resolving how the scheduler is handled in `elv_iosched_local_module`. A correction was made in the [AMD](https://www.amd.com) GPU display driver to address a mistake from a previous revert related to [bsc#1228093](https://bugzilla.opensuse.org/show_bug.cgi?id=1228093). Updates also include refreshed [ALSA](https://en.wikipedia.org/wiki/Advanced_Linux_Sound_Architecture) patches to enhance power management blacklist options. The improvements are expected to provide greater stability and performance for various hardware configurations.
    * [postgresql17](https://www.postgresql.org/): This major release provides key improvements like a revamped memory management system for vacuum, boosting efficiency by reducing memory usage by up to 20x along with optimized processing for high concurrency workloads. Version 17 also enhances query execution with faster processing using B-tree indexes and parallel BRIN index builds. Developers benefit from the addition of the SQL/JSON `JSON_TABLE` command and expanded MERGE capabilities, as well as a 2x speed improvement in data exports with the `COPY` command. Logical replication now simplifies major version upgrades by eliminating the need to drop replication slots, improving ease of use in high availability setups. The software package further enhances database security and operational management, with new TLS options, incremental backups, and detailed monitoring tools.
    * [harfbuzz](https://github.com/harfbuzz/harfbuzz) 10.0.1: Significant fixes were made for the text shaping engine including support for Unicode 16.0.0. The version has a new [Application Programming Interface](https://en.wikipedia.org/wiki/API) that allows clients to customize glyphs when a Unicode Variation Selector isn't supported by the font, as well as a callback for getting table tags from `hb_face_t`. Updates also address pair positioning lookup subtable application for compatibility and ensure subsetting fails if no glyphs are present to prevent silent errors.
    * [GNOME](https://www.gnome.org/) 46.5: [gnome-shell](https://gitlab.gnome.org/GNOME/gnome-shell) now addresses issues with smartcard logins, fixes glitches when quick settings menu animations are interrupted, and resolves problems with new Wi-Fi connections for restricted users. It also ensures required animations remain enabled, fixes display of pending PAM messages on the login screen and plugs memory leaks. An update of [gnome-software](https://gitlab.gnome.org/GNOME/gnome-software) reduces power usage when the main window is closed, along with translation updates.
    * [KDE Plasma 6.1.5](https://kde.org/announcements/plasma/6/6.1.5/): In [Discover](https://invent.kde.org/plasma/discover), snapType mapping is corrected, and [Flatpak](https://flatpak.org/) now properly reports extensions without errors. [KWin](https://userbase.kde.org/KWin) addresses several crash scenarios, such as null dereference and input event handling from removed devices. [Plasma Desktop](https://kde.org/plasma-desktop/) includes fixes for keyboard navigation in Kickoff and task list alignment in RTL mode, and it has proper handling of background icons and test windows. Plasma Workspace enhances touchscreen interaction, system tray tooltips and clipboard functionality. Additional fixes targeted crashes in hotplugging and svg rendering, while SDDM KCM improves state management.
    * [Frameworks 6.6.0](https://kde.org/announcements/frameworks/6/6.6.0/): [Attica](https://api.kde.org/frameworks/attica/html/index.html) adds CI jobs for Alpine/musl, while [Baloo](https://community.kde.org/Baloo) sets up crash handling for baloo_file. New icons are introduced in [Breeze](https://github.com/KDE/breeze). KCoreAddons improves [dbus](https://www.freedesktop.org/wiki/Software/dbus/) error handling and licensing, and KDeclarative adjusts rendering for better DPI positioning. [KIO](https://api.kde.org/frameworks/kio/html/index.html) resolves issues with restoring trash entries and enhances service menu handling. [KTextEditor](https://api.kde.org/frameworks/ktexteditor/html/) receives performance optimizations and additional C++ porting for sorting and unique functionalities. [Kirigami](https://kde.org/products/kirigami/) continues to improve icon handling and toolbars, while [KNewStuff](https://api.kde.org/frameworks/knewstuff/html/index.html) and [KWallet](https://github.com/KDE/kwallet) focus on making shared actions more reliable and enhancing crash handling.
    * [KDE Gear 24.08.1](https://kde.org/announcements/gear/24.08.1/): [Akademy 2024 Videos](https://tube.kockatoo.org/w/p/rHZEAD3pY3hNMTdZMLj4JJ) are out, but a lot of effort went into last month’s conference. [Akonadi](https://invent.kde.org/pim/akonadi) resolves a crash related to query cache eviction and fixes configuration file handling. [Dolphin](https://apps.kde.org/dolphin/) improves usability with fixes for button functionality and file list resizing, while [Elisa](https://apps.kde.org/elisa/) enhances its Now Playing view and toolbar layout. [Itinerary](https://apps.kde.org/itinerary/) and [Kalarm](https://apps.kde.org/de/kalarm/) both receive updates for better dark mode handling and audio alarm functionality. [Kdenlive](https://kdenlive.org/en/) addresses multiple timeline and rendering issues, optimizes keyframe handling and fixes several bugs related to effects and transitions. [Kate](https://kate-editor.org/) adds support for the [Odin](https://odin-lang.org/) language in its formatter and [Okular](https://okular.kde.org/) now sets tooltips for forms.

    ### Key Package Updates

    * [git](https://github.com/git) 2.46.1: A clarification has been made to `git checkout --ours` to inform users they need to specify paths, avoiding confusion. An issue with `git add -p` failing for users with `diff.suppressBlankEmpty` was corrected. Additionally, `git notes add -m '' --allow-empty` no longer improperly invokes an editor, and unnecessary re-encoding operations for tracing have been removed.
    * [qemu](https://www.qemu.org/) 9.1.0: The update introduces new migration capabilities, such as compression offload support via Intel In-Memory Analytics Accelerator (IAA) or User Space Accelerator Development Kit (UADK) and improved postcopy failure recovery. RISC-V architecture also sees support for several extensions, while x86 adds KVM support for [AMD](https://www.amd.com) SEV-SNP guests and emulation for newer Intel CPU models like Ice Lake and Sapphire Rapids.
    * [systemd](https://freedesktop.org/wiki/Software/systemd/) 256.6: This version no longer attempts to restart udev socket units, addressing issue [bsc#1228809](https://bugzilla.opensuse.org/show_bug.cgi?id=1228809) where safely restarting socket-activated services and their socket units simultaneously was problematic.
    * [pipewire](https://pipewire.org/) 1.2.4: The update addresses a crash during the cleanup of globals and enhances the `RequestProcess` dispatch mechanism. The Simple Plugin API framework now uses `systemd-logind` to detect new devices. Pulse-Code Modulation device handling is also improved.
    * [GStreamer](https://gstreamer.freedesktop.org/) 1.24.8: The multimedia framework package improves handling in `decodebin3` and `encodebin` for better media decoding and smart rendering, respectively. Enhancements were made for proper viewport resizing when video size changes, and audio stream enhancements were made for better compatibility with Firefox. There were some stability fixes for wayland including crash prevention and [Application Binary Interface](https://en.wikipedia.org/wiki/Application_binary_interface) corrections.
    * [Mesa](https://www.mesa3d.org/) 24.1.7: This release continues to support [OpenGL](https://www.opengl.org//) 4.6 and [Vulkan](https://www.vulkan.org/) 1.3, though the version reported depends on the specific driver used. Key bug fixes include resolving issues with smartcard logins, race conditions when generating enums, and artifacts in games such as [Black Myth Wukong](https://store.steampowered.com/app/2358720/Black_Myth_Wukong/) and DCS World with certain GPUs.
    * [GTK4](https://www.gtk.org/) 4.16.1: This GTK Scene Graph Kit layer sees speed optimizations for Vulkan operations, reduces startup time by skipping unnecessary GL and Vulkan initialization and fixes a crash related to certain Vulkan drivers. Memory format conversions in [GIMP](https://www.gimp.org/) Drawing Kit are now faster. The builder-tool has also been improved for better box conversion.
    * [bash](https://www.gnu.org/software/bash/) 5.2.37: This update has key patches to address issues such as an incorrect handling of quoted text during auto-completion and multibyte character handling in `readline`. The update resolves system compatibility with `select` and `pselect` availability and fixes a parsing issue in compound assignments during alias expansion. A typo in the autoconf test affecting `strtold` availability when compiled with [GNU Compiler Collection](https://gcc.gnu.org/) 14 was corrected.
    * [vim](https://www.vim.org/) 9.1.0718: One notable fix in the text editor resolves issues with personal Vim runtime directory recognition. The update also addresses unnecessary `NULL` checks in `parse_command_modifiers()` and corrects color name parsing errors introduced in a previous version. Other improvements include updates to syntax highlighting for various file types such as HCL, Terraform, and tmux. Performance improvements include more efficient inserting with a count, and cursor position crashes were resolved.

    ### Bug Fixes

    * [curl](https://curl.se/) 8.10.0:
      * [CVE-2024-8096](https://www.suse.com/security/cve/CVE-2024-8096.html) may have incorrectly validated certificates using Online Certificate Status Protocol stapling, ignoring certain errors like 'unauthorized'.
    * [OpenSSL](https://www.openssl.org/):
      * [CVE-2024-41996](https://www.suse.com/security/cve/CVE-2024-41996.html) was fixed, which could have allowed remote attackers to trigger costly server-side DHE calculations via public key order validation in [Diffie-Hellman](https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange).
    * [postgresql17](https://www.postgresql.org/):
      * [CVE-2024-7348](https://www.suse.com/security/cve/CVE-2024-7348.html) fixes a race condition that could allow attackers to execute arbitrary SQL as the user running `pg_dump`.
    * [python311](https://www.python.org/): This package fixed a few CVEs. Here are a couple of fixes:
      * [CVE-2024-4030](https://www.suse.com/security/cve/CVE-2024-4030.html) had a fix to ensure Unix "700" permissions are applied to secure the directory.
    * [tiff](http://www.simplesystems.org/libtiff/) 4.7.0:
      * [CVE-2023-52356](https://www.suse.com/security/cve/CVE-2023-52356.html) had a segmentation fault allowing remote attackers to trigger a heap-buffer overflow that could cause a denial of service.
      * [CVE-2024-7006](https://www.suse.com/security/cve/CVE-2024-7006.html) had a null pointer dereference that could trigger application crashes and cause denial of service.
    * [LibreOffice](https://www.libreoffice.org/) 24.8.1.2:
      * [CVE-2024-5261](https://www.suse.com/security/cve/CVE-2024-5261.html) was fixed; the flaw disabled TLS certificate verification, allowing improper certificate validation during document processing in third-party components.
    * [Mozilla Firefox](https://www.mozilla.org) 130.0.1:
      * This release fixes several CVEs. One of the most critical fixes involves [CVE-2024-8385](https://www.mozilla.org/en-US/security/advisories/mfsa2024-39/), where a WASM type confusion issue could lead to exploitable vulnerabilities. Another significant fix is for [CVE-2024-8381](https://www.mozilla.org/en-US/security/advisories/mfsa2024-39/), which could trigger a type confusion vulnerability when looking up property names within a "with" block. [CVE-2024-8388](https://www.mozilla.org/en-US/security/advisories/mfsa2024-39/) fixed an issue where fullscreen notifications could be hidden on Android devices, potentially leading to UI spoofing attacks. Two memory safety bugs, [CVE-2024-8387](https://www.mozilla.org/en-US/security/advisories/mfsa2024-39/) and [CVE-2024-8389](https://www.mozilla.org/en-US/security/advisories/mfsa2024-39/), were also patched.
    * [apr](https://apr.apache.org/download.cgi) 1.7.5:
      * [CVE-2023-49582](https://www.suse.com/security/cve/CVE-2023-49582.html) had shared memory permissions that could expose sensitive data to local users.

    ### Conclusion

    September 2024 brings important updates for Tumbleweed users. Security fixes across packages like PostgreSQL, libtiff, and LibreOffice ensure stability and security. Significant improvements were made in tools like systemd, git, and qemu, enhancing performance and compatibility. Noteworthy updates in PostgreSQL 17 and Harfbuzz 10 also bring major enhancements, contributing to a more robust and refined rolling release environment.

    Stay updated with the latest snapshots by subscribing to the openSUSE Factory mailing list.

    For those Tumbleweed users who want to contribute or want to engage with detailed technological discussions, subscribe to the [openSUSE Factory mailing list](https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/). The openSUSE team encourages users to continue participating through bug reports, feature suggestions and discussions.

    ### Contributing to openSUSE Tumbleweed

    Your contributions and feedback make openSUSE Tumbleweed better with every update. Whether reporting bugs, suggesting features, or participating in community discussions, your involvement is highly valued.

    18
    0
    Au revoir! New Zealand takes back haka world record
  • Archaeopteryx Archaeopteryx 3w ago 100%

    Congratulations to everyone who took part. That's amazing.

    2
  • news.opensuse.org

    This is a quick start guide for Full Disk Encryption with TPM or FIDO2 and YaST2 on openSUSE Tumbleweed. It focuses on the few steps needed to install openSUSE Tumbleweed with YaST2 using Full Disk Encryption secured by a TPM2 chip and [measured boot](https://en.opensuse.org/Portal:MicroOS/RemoteAttestation#Measured_boot) or a FIDO2 key.

    ## Hardware Requirement:

    - UEFI Firmware
    - TPM2 Chip or FIDO2 key which supports the hmac-secret extension
    - 2GB Memory

    ## Installation of openSUSE MicroOS

    There is a separate [Quickstart for openSUSE MicroOS](https://microos.opensuse.org/blog/2024-09-03-quickstart-fde-yast2/).

    ## Installation of openSUSE Tumbleweed

    ### Boot installation media

    * Follow the workflow until "Suggested Partitioning":
      * Partitioning: Select "Guided Setup" and "Enable Disk Encryption", keep the other defaults
    * Continue Installation until "Installation Settings":
      * Booting:
        * Change Boot Loader Type from "GRUB2 for EFI" to "Systemd Boot", ignore "Systemd-boot support is work in progress" and continue
      * Software:
        * Install additional tpm2.0-tools, tpm2-0-tss and libtss2-tcti-device0
    * Finish Installation

    ### Finish FDE Setup

    Boot new system

    * Enter passphrase to unlock disk during boot
    * Login
    * Enroll system:
      * With TPM2 chip: `sdbootutil enroll --method tpm2`
      * With FIDO2 key: `sdbootutil enroll --method fido2`
    * Optional, but recommended:
      * Upgrade your LUKS key derivation function (do that for every encrypted device listed in `/etc/crypttab`):

    ```
    # cryptsetup luksConvertKey /dev/vdaX --pbkdf argon2id
    # cryptsetup luksConvertKey /dev/vdaY --pbkdf argon2id
    ```

    ## Adjusting kernel boot parameters

    The configuration file for kernel command line options is `/etc/kernel/cmdline`. After editing this file, call `sdbootutil update-all-entries` to update the bootloader configuration. If that option does not exist yet or does not work, a workaround is: `sdbootutil remove-all-kernels && sdbootutil add-all-kernels`.

    ## Re-enrollment

    If the prediction system fails, a new policy must be created for the new measurements to replace the policy stored in the TPM2.

    If you have a recovery PIN:

    ```
    # sdbootutil --ask-pin update-predictions
    ```

    If you don't have the recovery PIN, you can set one with these steps:

    ```
    # sdbootutil unenroll --method=tpm2
    # PIN=<new recovery PIN> sdbootutil enroll --method=tpm2
    ```

    ## Virtual Machines

    If your machine is a VM, it is recommended to remove the "0" from the `FDE_SEAL_PCR_LIST` variable in `/etc/sysconfig/fde-tools`. An update of the hypervisor can change PCR0. Since such an update is not visible inside the VM, the PCR values cannot be updated. As a result, the disk cannot be decrypted automatically at the next boot, the recovery key needs to be entered and a manual re-enrollment is necessary.

    ## Next Steps

    The next steps will be:

    * Support grub2-BLS (grub2 following the [Boot Loader Specification](https://uapi-group.org/specifications/specs/boot_loader_specification/))
    * Add support to the installers (YaST2 and Agama)
    * Make this the default if a TPM2 chip is present

    Any help is welcome!

    ## Further Documentation

    * [Full Disk Encryption (FDE)](https://en.opensuse.org/Portal:MicroOS/FDE)
    * [Systemd-fde](https://en.opensuse.org/Systemd-fde)
    * [Systemd-boot and Full Disk Encryption with TPM and FIDO2](https://microos.opensuse.org/blog/2023-12-20-sdboot-fde/)

    10
    0
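Added example, not part of the quick start guide or of openSUSE's tooling: a read-only shell helper for the guide's optional step of upgrading the key derivation function on every device in `/etc/crypttab`. It lists the devices a crypttab file names and reports which LUKS2 keyslots do not use argon2id; the function names, the `--demo`/`--report` switches and the sample `luksDump` excerpt are constructed for illustration.

```shell
# Added example: read-only check, nothing on disk is modified.
# Print the source device (2nd field) of each crypttab entry; '#' lines are comments.
crypttab_devices() {
    while read -r name dev _rest || [ -n "$name" ]; do
        case "$name" in ''|'#'*) continue ;; esac
        case "$dev" in
            '')         continue ;;
            UUID=*)     echo "/dev/disk/by-uuid/${dev#UUID=}" ;;
            PARTUUID=*) echo "/dev/disk/by-partuuid/${dev#PARTUUID=}" ;;
            *)          echo "$dev" ;;
        esac
    done < "$1"
}

# Read `cryptsetup luksDump` output on stdin; print the number of every
# keyslot whose "PBKDF:" line names something other than argon2id.
weak_keyslots() {
    awk '
        /^Keyslots:/ { in_slots = 1; next }
        /^[A-Za-z]/  { in_slots = 0 }   # a new section (Tokens:, Digests:) ends the keyslots
        in_slots && $1 ~ /^[0-9]+:$/ { slot = $1; sub(/:$/, "", slot) }
        in_slots && $1 == "PBKDF:" && $2 != "argon2id" { print slot }
    '
}

# Constructed luksDump excerpt (not from a real device), used by --demo.
sample_dump() {
    cat <<'EOF'
Keyslots:
  0: luks2
    PBKDF:      pbkdf2
  1: luks2
    PBKDF:      argon2id
Tokens:
  0: systemd-tpm2
EOF
}

# Print the guide's conversion command for each device that still needs it.
report() {
    crypttab_devices "${1:-/etc/crypttab}" | while read -r dev; do
        slots=$(cryptsetup luksDump "$dev" 2>/dev/null | weak_keyslots | tr '\n' ' ')
        [ -z "$slots" ] || echo "cryptsetup luksConvertKey $dev --pbkdf argon2id  # slots: $slots"
    done
}
case "${1:-}" in
    --demo)   sample_dump | weak_keyslots ;;
    --report) report "${2:-/etc/crypttab}" ;;
esac
```

Keyslots that systemd-cryptenroll binds to a TPM2 or FIDO2 token use pbkdf2 by design, because their key material is already high entropy, so a reported slot is only worth converting if it is a passphrase slot.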
    lists.opensuse.org

    The "security" development project is switched to a 4096bit RSA key. New key fingerprint:

    `Type : GPG public key`
    `User ID : security OBS Project <security@build.opensuse.org>`
    `Algorithm : rsa`
    `Key size : 4096`
    `Expires : 2026-12-02 13:27:55`
    `Fingerprint : f9fa 0223 b56b 116c 3637 37ef 5da5 7bdd 6dd7 85ca`

    4
    0
    Why are there no *mainstream* forks of OpenSuse?
  • Archaeopteryx Archaeopteryx 4w ago 100%

    I totally agree with you. openSUSE Tumbleweed is IMHO the most stable rolling release distro out there.

    Arch and some of its derivatives are also nice but still not as stable or polished as Tumbleweed.

    9
  • Israel considering plan to ethnically cleanse northern Gaza: Report
  • Archaeopteryx Archaeopteryx 4w ago 11%

    So much bullshit in so little text... Again a “news” site that quotes a report from another site but doesn't link to it (probably so most readers don't read the real article). The CNN article says nothing about a plan to “ethnically cleanse northern Gaza” (this is typical Hamas press bullshit). Israel simply wants the civilian population remaining in the Netzarim Corridor to withdraw from the area so they are no longer in the line of fire. And it is not an official plan but a plan of a group of retired Israeli military generals. Here is the link to CNN: https://edition.cnn.com/2024/09/22/middleeast/netanyahu-gaza-hamas-expulsions-plan-intl/index.html

    And regarding MEE (Wikipedia):

    According to its critics, Middle East Eye began forming in London in 2013 as the Islamist influence of Al Jazeera began to wane; several Al Jazeera journalists subsequently joined the project. Jonathan Powell, a senior executive at Al Jazeera, was a consultant ahead of its launch and registered the website's domain names. Bassasso, a Kuwait-born Palestinian living in London, was the sole director of Middle East Eye's parent company, M.E.E. Limited. Bassasso was a former director for the Hamas-controlled Al-Quds TV.[1,2] David Hearst denied that Bessasso was the owner of the news site but refrained from divulging the real owner.

    [1] https://www.thenationalnews.com/uae/new-london-connection-to-islamists-1.648408

    [2] https://www.aei.org/foreign-and-defense-policy/middle-east/qatars-other-covert-media-arm/

    I am not sure if I would trust a website which does not provide any information about ownership, funding, or has a director who worked for the Hamas which is designated as a terrorist group by a lot of countries. Nobody has to agree how Israel handles the situation, but also nobody should simply believe everything that is written on the Internet. War is bad and I think most of us can't even imagine how bad and cruel war can be. Websites like MEE play a big part in creating even more hatred and suffering in this conflict through false information.

    -27
  • kde
    KDE 1mo ago
    This week in Plasma: polishing like mad
  • Archaeopteryx Archaeopteryx 4w ago 100%

    I am still missing the sub-folders feature in the application menu. I hope that someday a developer shows mercy and brings back that feature.

    1
  • kde
    KDE 1mo ago
    This week in Plasma: polishing like mad
  • Archaeopteryx Archaeopteryx 4w ago 100%

    I just use Krita's Image Split feature. But it would be nice to download a widescreen picture and just set it as a background for all monitors. We need to wait until someone implements that feature.

    2
  • Auckland Town Hall ~1910
  • Archaeopteryx Archaeopteryx 1mo ago 100%

    On the right side there are power lines but I am not sure if the thin cables on the left are power lines. They are very thin. Maybe phone lines or telegraph cables.

    2
  • Auckland Town Hall ~1910
  • Archaeopteryx Archaeopteryx 1mo ago 100%

    Yeah. On my phone it looks also more like water than just a wet road.

    ... but also I presume road building techniques have come a long way in the last 100 years.

    That's what I find so fascinating about old photos. You can see how quickly technology has developed in 100 years. And the development is progressing faster and faster every year.

    3
  • Python 3.13 RC2, with and without GIL
  • Archaeopteryx Archaeopteryx 1mo ago 100%

    Yeah. Totally agree :).

    3
  • news.opensuse.org

    Python 3.13 RC2 is now available in [Tumbleweed](https://get.opensuse.org/tumbleweed/). This new version of the [Python](https://www.python.org/) interpreter will be released in October 2024. There are [a lot of changes](https://www.python.org/downloads/release/python-3130rc2/) and new features in 3.13, but we're also bringing exciting experimental features in Tumbleweed.

    ### Experimental JIT compiler

    The default (`python313`) build has the flag `--enable-experimental-jit=yes-off`. This means that if you want to use this [experimental JIT](https://docs.python.org/3.13/whatsnew/3.13.html#an-experimental-just-in-time-jit-compiler) you can enable it with an environment variable:

    ```
    $ PYTHON_JIT=1 python3.13
    ```

    You can find more information about the JIT compiler and how it can improve performance in [PEP-744](https://peps.python.org/pep-0744/).

    ### Free threaded CPython (no GIL)

    With this new version of the Python interpreter, there is an option to build without the famous [Global Interpreter Lock](https://docs.python.org/3.13/whatsnew/3.13.html#free-threaded-cpython), aka GIL. This is a really experimental feature, but why not have this on Tumbleweed? So we decided to also build this new version with a new package `python313-nogil`. This new package is an isolated interpreter, so you can install it without conflicts with `python313`.

    The package is built with the `--disable-gil` option and it provides the `/usr/bin/python3.13t` binary. It uses by default `/usr/lib/python3.13t/site-packages` for third-party libs so, with the default configuration, it won't use any python 3.13 module.

    This means that now you can use `threading.Thread` in the Python interpreter, and they will be actual threads, so in the end, using threads with the `python3.13t` interpreter should be a lot faster.

    There are no packages for this interpreter in Tumbleweed at this moment. So if you want to use third party libraries you should use `virtualenv` and `pip` for that:

    ```
    $ python3.13t -m venv free-threaded-env
    $ source free-threaded-env/bin/activate
    (free-threaded-env) $ pip install requests
    (free-threaded-env) $ python3
    Python 3.13.0rc2 experimental free-threading build (main, Sep 07 2024, 16:06:06) [GCC] on linux
    Type "help", "copyright", "credits" or "license" for more information.
    >>> import sys; sys._is_gil_enabled()
    False
    ```

    10
    2
    Auckland Town Hall ~1910
  • Archaeopteryx Archaeopteryx 1mo ago 100%

    To me it looks a bit like a wet and worn out bitumen road after heavy rain.

    Most streets built before the early 1900s in NZ were made of macadam, which was highly suitable for horse-drawn vehicles. However, with the rise of motor traffic in the 1920s, many areas had to seek more durable options for road surfacing. The most frequently used material became asphalt or bitumen, which gained widespread use starting in the 1920s.

    Source: https://teara.govt.nz/en/streets-and-lighting/print

    3