openSUSE

cross-posted from: https://lemmy.ml/post/19629878

In recent testing scenarios involving a build and NetworkManager, a significant issue has surfaced: the network stack becomes non-operational.

Users are advised to postpone system updates for now, but if users have already updated, use Snapper to rollback; it’s important to note that while the issue primarily affects GNOME setups with Wicked, it can also impact servers without these components.

This problem has been consistently reproducible since at least the 20240825 Tumbleweed build. Bind 9.20.1 received an update has changes to DNS query handling and system controls, which may have inadvertently contributed to the network stack issue.

The first packages of the new COSMIC desktop has landed in openSUSE.

List of packages:

• https://download.opensuse.org/tumbleweed/repo/oss/x86_64/?P=*cosmic*

Development branch of COSMIC (stable)

• https://build.opensuse.org/project/show/X11:COSMIC:Factory

More Information about openSUSE:

Official

• openSUSE News
• openSUSE Mailing List
• openSUSE Wiki

Fediverse

• https://discuss.tchncs.de/c/opensuse@lemmy.world

Welcome to the monthly update for openSUSE Tumbleweed for July 2024. Last month was busy with events like the Community Summit in Berlin and the openSUSE Conference. Both events were productive and well-received. Despite the busy schedule and follow on discussion from the conference about the Rebranding of the Project, a number of snapshots continued to roll out to users this month.

Stay tuned and tumble on!

Should readers desire more frequent information about snapshot updates, they are encouraged to subscribe to the openSUSE Factory mailing list.

New Features and Enhancements

• Linux Kernel 6.9.9: This kernel introduces several important fixes and enhancements across various subsystems. Key updates include the introduction of devm_mutex_init() for mutex initialization in multiple components, addressing issues in the Hisilicon debugfs uninit process, and resolving shared IRQ handling in DRM Lima drivers. Fixes in the PowerPC architecture avoid nmi_enter/nmi_exit in real mode interrupts, while networking improvements prevent unnecessary BUG() calls in net/dql. Enhancements in WiFi drivers such as RTW89 include improved handling for 6 GHz channels. Updates in DRM/AMD drivers address multiple issues, from uninitialized variable warnings to ensuring proper timestamp initialization and memory management. The RISC-V architecture receives a fix for initial sample period values, and several BPF selftests see adjustments for better error detection. These updates collectively enhance system stability, performance, and security.
• KDE Plasma 6.1.3: Discover now auto-handles Flatpak rebases from runtimes and properly uninstalls EOL refs without replacements. In Kglobalacceld, invalid keycodes are explicitly processed. Kpipewire introduces proper cleanup on deactivate and fixes thread handling for PipeWireSourceStream. KScreen now uses ContextualHelpButton from Kirigami, and Kscreenlocker adds a property to track past prompts. KWin sees numerous improvements: relaxed nightlight constraints, simplified Wayland popup handling, better input method windows, and enhanced screencast plugins. Plasma Mobile enhancements improve home screen interactions, translation issues, and swipe detection. Plasma Networkmanager and Plasma Workspace benefit from shared QQmlEngine and various bug fixes, including avatar image decoding and pointer warping on Wayland.
• Frameworks 6.4.0: Attica updates its gitignore to include VS Code directories. Baloo reverts a QCoreApplication change and ports QML modules. Breeze Icons introduces a ColorScheme-Accent and fixes data-warning icons. KArchive now rejects tar files with negative sizes and fixes crashes with malformed files. KAuth and KBookmarks add VS Code directories to gitignore. KCalendarCore adds missing QtCore dependencies and QML bindings for calendar models. KIO improves systemd process handling and deprecates unused features. Kirigami enhances navigation and dialog components. KTextEditor adds a tool for testing JavaScript scripts and ensures even indent sizes, fixing multiple bugs.
• KDE Gear 24.05.2: Akonadi-calendar adds missing change notifications. Dolphin updates Meta-Object Compiler generation. Filelight enables appx building and ensures hicolor icon presence while Itinerary fixes calendar permissions, corrupted notes, and the package introduces new extractors. Kdenlive addresses timeline, aspect ratio, and compilation issues. Okular fixes a crash with certain PDF actions.
• Supermin 5.3.4: This update introduces several key enhancements, including support for OCaml 5 and kylinsecos. It improves package management by detecting dnf5 and omitting missing options. The update also refines OCaml compilation by using -output-complete-exe instead of -custom that fixes kernel filtering for the aarch64 architecture, and enables kernel uncompression on RISC-V. The update removes previously applied patches now included in the new tarball, helping to streamline the codebase and improve maintainability.
• Checkpolicy 3.7: The latest update brings support for Classless Inter-Domain Routing notation in nodecon statements, enhancing SELinux policy definition capabilities. Error messages are now more descriptive, and error handling has been improved. Key bug fixes include handling unprintable tokens, avoiding garbage value assignments, freeing temporary bounds types and performing contiguous checks in host byte order.

Key Package Updates

• NetworkManager 1.48.4: This update introduces support for matching Open vSwitch (OVS) system interfaces by MAC address, enhancing network interface management. Additionally, NetworkManager now considers the contents of /etc/hosts when determining the system hostname from reverse DNS lookups of configured interface addresses, improving hostname resolution accuracy. Subpackages updated include NetworkManager-bluetooth, NetworkManager-lang, NetworkManager-tui, NetworkManager-wwan, libnm0, and typelib-1_0-NM-1_0. These enhancements contribute to more robust and precise network configuration handling in Linux environments.
• libguestfs 1.53.5: This update includes significant enhancements and fixes. The --chown parameter is now correctly split on the ':' character, and a new checksum command is supported. Detection for Circle Linux and support for the LoongArch architecture have been added, including file architecture translation fixes. The update allows nbd+unix:// URIs and reimplements GPT partition functions using sfdisk. DHCP configuration improvements and a new virt-customize --inject-blnsvr operation enhance usability. Deprecated features include the removal of gluster, sheepdog, and tftp drive support. New APIs such as findfs_partuuid and findfs_partlabel improve functionality, while inspection tools now resolve PARTUUID and PARTLABEL in /etc/fstab. These updates enhance compatibility, performance, and functionality across various environments.
• glib2 2.80.4: The latest update backports key patches: mapping EADDRNOTAVAIL to G_IO_ERROR_CONNECTION_REFUSED, handling files larger than 4GB in g_file_load_contents(), and correcting GIR install locations and build race conditions. Additionally, improvements in gthreadedresolver ensure returned records are properly reference-counted in lookup_records().
• ruby3.3 3.3.4: This release addresses a regression where dependencies were missing in the gemspec for some bundled gems such as net-pop, net-ftp, net-imap, and prime. Other fixes include preventing Warning.warn calls for disabled warnings, correcting memory allocation sizes in String.new(:capacity) and resolving string corruption issues.
• libgcrypt 1.11.0: The latest update introduces several new interfaces and performance enhancements. New features include an API for Key Encapsulation Mechanism (KEM), support for algorithms like Streamlined NTRU Prime sntrup761, Kyber, and Classic McEliece, and various Key Derivation Functions (KDFs) including HKDF and X963KDF. Performance improvements feature optimized implementations for SM3, SM4, and other cryptographic operations on ARMv8/AArch64, PowerPC, and AVX2/AVX512 architectures. Other changes include various enhancements for constant time operations and deprecates the GCRYCTL_ENABLE_M_GUARD control code.

Bug Fixes

• orc 0.4.39:

  • CVE-2024-40897 was solved with versions before 0.4.39, which had a buffer overflow vulnerability in orcparse.c.

• java-21-openjdk 21.0.4.0:

  • CVE-2024-21131 was a difficult-to-exploit vulnerability allowing unauthorized data modifications.
  • CVE-2024-21138 was a vulnerability causing partial denial of service.
  • CVE-2024-21140 was a vulnerability allowing unauthorized data access and modification;
  • CVE-2024-21145 was similar.
  • CVE-2024-21147 was the same, but for more critical data.

• ovmf 202402 had three months of CVE patches in its quarterly update.

• Mozilla Firefox 128.0: This release fixes 16 CVEs. The most severe was CVE-2024-6604; this was a memory safety bug in Firefox 128, Firefox ESR 115.13, Thunderbird 128 and Thunderbird 115.13. These bugs showed evidence of memory corruption that potentially allowed arbitrary code execution.

• ghostscript 10.03.1)

  • CVE-2024-33869 allowed bypassing restrictions via crafted PostScript documents.
  • CVE-2023-52722
  • CVE-2024-33870 allows access to arbitrary files via crafted PostScript documents.
  • CVE-2024-33871 allowed arbitrary code execution via crafted PostScript documents using custom Driver libraries in contrib/opvp/gdevopvp.c.
  • CVE-2024-29510 allowed memory corruption and SAFER sandbox bypass via format string injection in a uniprint device.

• xwayland 24.1.1 3:

  • CVE-2024-31080 had a vulnerability that could allow attackers to trigger the X server to read and transmit heap memory values, leading to a crash.
  • CVE-2024-31081 could cause memory leakage and segmentation faults, leading to a crash.
  • CVE-2024-31083 allowed arbitrary code execution by authenticated attackers through specially crafted requests.

• libreoffice 24.2.5.2:

  • CVE-2024-5261 allows fetching remote resources without proper security checks.

• GTK3 3.24.43:

  • CVE-2024-6655 allowed a library injection into a GTK application from the current working directory under certain conditions.

• netpbm 11.7.0:

  • CVE-2024-38526: doc, which provides API documentation for Python projects, had a vulnerability where pdoc --math linked to malicious JavaScript files from polyfill.io.

Conclusion

The month of July 2024 was marked by significant updates, security fixes and enhancements. The Linux Kernel 6.9.9 update introduced several key fixes and improvements across various subsystems, enhancing overall stability and performance. KDE Plasma 6.1.3 brought numerous UI improvements and better handling of Flatpak rebases. The updates to Frameworks 6.4.0 and KDE Gear 24.05.2 provided additional enhancements and bug fixes, improving user experience and system reliability. Critical security vulnerabilities were addressed in various packages, including Firefox, ghostscript, and xwayland, ensuring Tumbleweed remains secure, efficient, and feature-rich for all users. Additionally, the Aeon team announced the release of Aeon Desktop to Release Candidate 3 status that came from the release of a Tumbleweed snapshot last week.

For those Tumbleweed users who want to contribute or want to engage with detailed technological discussions, subscribe to the openSUSE Factory mailing list . The openSUSE team encourages users to continue participating through bug reports, feature suggestions and discussions.

Contributing to openSUSE Tumbleweed

Your contributions and feedback make openSUSE Tumbleweed better with every update. Whether reporting bugs, suggesting features, or participating in community discussions, your involvement is highly valued.

More Information about openSUSE:

Official

• openSUSE News
• openSUSE Mailing List
• openSUSE Wiki

Fediverse

• https://discuss.tchncs.de/c/opensuse@lemmy.world

(Image made with DALL-E)

An experimental "Pre-RC3" image for the Aeon Desktop has been published and testers are encouraged to try out the final prototype before it becomes the official Release Candidate 3 (RC3). The new image can be downloaded from the openSUSE development repository.

This prototype, which has been submitted to openSUSE Factory, introduces some significant changes and improvements. Notably, the dd backend in the tik installer has been replaced with a new systemd-repart backend. This change allows for the installation of Aeon with Full Disk Encryption that enhances the security features of the operating system.

Existing users of Aeon RC2 and earlier versions will need to perform a reinstall to take advantage of the new features destined for RC3. Due to the fundamental changes in partition layout necessary for the new encryption features, an in-place upgrade from RC2 is not feasible without risking data integrity, according to a post on the new Aeon Desktop subreddit. Users can utilize Aeon's reinstall feature, which facilitates the backup and restoration of user data as long as a sufficiently large USB stick is used.

Users installing the prototype image may encounter some packages from the OBS devel project. These can be removed by running transactional-update --interactive dup and selecting solutions that replace devel:microos packages with official ones.

Testers are encouraged to provide feedback and report any issues encountered during the testing phase on the Aeon Desktop bug report page.

Next Steps

If the prototype is accepted into Factory and becomes RC3, the development of Aeon will be in its final stages before an official release. RC3 will serve as the basis for writing openQA tests for Aeon, which are crucial for ensuring the desktop's stability and functionality.

There is a possibility of an RC4, which aims to streamline the installer process by embedding the full Aeon install within the installer image, potentially reducing the download size by 50 percent. If this approach is not feasible in the short term, it may be revisited post-release.

Full Disk Encryption is set up in one of two modes: Default or Fallback. Get more info about that in the Aeon Desktop Introduces Comprehensive Full Disk Encryption article.

More Information about openSUSE:

Official

• openSUSE News
• openSUSE Mailing List
• openSUSE Wiki

Fediverse

• https://discuss.tchncs.de/c/opensuse@lemmy.world

Full Disk Encryption is planned to be introduced in the forthcoming release candidate of the Aeon Desktop to enhance data security for its users.
The feature is expected to be included in the upcoming Release Candidate 3 (RC3).

Full Disk Encryption is designed to protect data in cases of device loss, theft or unauthorized booting into an alternative operating system.
Depending on the hardware configuration of a system, Aeon's encryption will be set up in one of two modes: Default or Fallback.

Default Mode

The Default Mode is the preferred method of encryption provided the system has the required hardware. This mode utilizes the Trusted Platform Module(TPM) 2.0 chipset with PolicyAuthorizeNV support (TPM 2.0 version 1.38 or newer). In this mode, Aeon Desktop measures several aspects of the system's integrity. These including:

• UEFI Firmware
• Secure Boot state (enabled or disabled)
• Partition Table
• Boot loader and drivers
• Kernel and initrd (including kernel command line parameters)

These measurements are stored in the system's TPM. During startup, the current state is compared with the stored measurements. If these match, the system boots normally. If discrepancies are found, users are prompted to enter a Recovery Key provided during installation. This safeguard ensures that unauthorized changes or tampering attempts are flagged.

Fallback Mode

The Fallback Mode is employed when the necessary hardware for Default Mode is not detected. This mode requires users to enter a passphrase each time the system starts. While it does not check system integrity as comprehensively as Default Mode, Secure Boot is strongly recommended to ensure some level of security, confirming that the bootloader and kernel have not been tampered with.

Contrary to initial concerns, Default Mode is not less secure than Fallback Mode despite not requiring a passphrase at startup. The strong integrity checks in Default Mode protect against attacks that could bypass normal authentication methods. For example, it can detect changes to the kernel command line that could otherwise allow unauthorized access. Furthermore, it safeguards against modifications to initrd thereby preventing potential passphrase capture in Fallback Mode.

Secure Boot, while optional in Default Mode due to the comprehensive integrity checks, is critical in Fallback Mode to maintain system security. Disabling Secure Boot in Fallback Mode increases vulnerability to tampering and attacks aimed at capturing the passphrase.

Aeon's implementation of Full Disk Encryption provides robust security options tailored to the capabilities of users' hardware. By offering both Default and Fallback modes, Aeon ensures that all users can benefit from enhanced data protection.

The inclusion of this feature in RC3 marks a significant step forward in safeguarding user data against potential threats.
Aeon users are encouraged to read and bookmark the Aeon Encryption Guide.

More Information about openSUSE:

Official

• openSUSE News
• openSUSE Mailing List
• openSUSE Wiki

Fediverse

• https://discuss.tchncs.de/c/opensuse@lemmy.world

(Image made with DALL-E)

Slowroll, which has a more modest update cadence than Tumbleweed, is gaining acceptance as a balance between the rapid updates of Tumbleweed's rolling releases and the traditional Leap release.

Slowroll is nearly ready for full deployment and the development team has been working diligently to prepare the next version bump, with planned updates scheduled for July 9, August 9 and Sept. 9. These updates are expected to maintain a consistent monthly cadence to ensure users have timely and stable updates.

One of the critical updates pulled in will include the latest OpenSSH CVE fixes, which have already been made available in Tumbleweed. This fix enhances the security of Slowroll & ensure that it remains a robust and reliable distribution for users.

Highlighted Features of Slowroll

Balanced Update Cadence: Slowroll offers a monthly rolling update cycle that provides users with the latest features and security updates while ensuring stability through extensive testing and validation.

Beta Phase: Slowroll is now in the Beta phase, indicating its near readiness for full deployment. Users can expect a reliable experience with continuous improvements.

Continuous Improvement: The distribution integrates big updates approximately every month, alongside continuous bug fixes and security patches, ensuring a secure and up-to-date system.

Statistics and Status

According to the latest statistics available on the Slowroll Stats page:

• Tumbleweed had 2813 updated packages since the last version bump
• Slowroll received 1316 updates from 871 different packages and only 339 updated rpms are Slowroll-specific builds

Origins and Purpose

Slowroll, introduced in 2023, was designed as an experimental distribution. Its primary goal is to offer a slower rolling release compared to Tumbleweed, thus enhancing stability without compromising on access to new features. The distribution continuously evolves with big updates integrated approximately every month, supported by regular bug fixes and security updates.

It's crucial to understand that Slowroll is not intended to replace Leap. Instead, it provides an alternative for users who desire more up-to-date software at a slower pace than Tumbleweed but faster than Leap.

If you try Slowroll, have a lot of fun - rolling... slowly!

More Information about openSUSE:

Official

• openSUSE News
• openSUSE Mailing List
• openSUSE Wiki

Fediverse

• https://discuss.tchncs.de/c/opensuse@lemmy.world

(Image made with DALL-E)

Leap 15.6 install media were refreshed to address an issue with old secure boot signing key for ppc64le and s390x.

Refreshed images from Leap 15.6 Build 710.3 are already available for download at get.opensuse.org. So now you can enjoy installation with secure boot on more exotic architectures.

Happy Hacking!

So I often have to install and test different programs. I do not want programs to access the Internet immediately. After a while I might want to allow it, so it should be easy to allow or disallow internet access at the application level.

Basically I wonder if there is an easy way to do this. It seems that OpenSnitch can do this, but it doesn't seem to work on OpenSuse. I might be able to get it to work eventually, but before I spend hours tinkering with it, do you know of a better solution? Might this even be possible with the built-in firewall or AppArmor?

So, I updated Tumbleweed, and the updates to KDE caused my Plasma/Wayland session to restart, breaking the updates part way through. I wasn't watching at the time so took some while to debug!

Spent some time learning how to use nm-cli, because new half-upgraded KDE wouldn't load the network widget. It looks like something else may have changed and mucked up in the half-update (and of course I rebooted like a wise-man/dummy/i-dont-know-but-at-least-it-didnt-make-it-work) but iterations of trying things in nmcli eventually worked!

Finally tried zypper dup again and saw the session restart, so finished the job from the virtual terminal! At last, I seem to have a working computer again, and I might just brave updating my main laptop. (I cancelled the update while it was still downloading packages, after seeing the breakage on the other laptop!)

Any idea when this will hit tumbleweed? I'm really looking forward to this release!

It's a bit quiet here so for now I'll start linking the latest openSUSE news here.

Hey, I've gone ahead and decided to try out TW as my first foray into the Linux world, and I started by getting it set up on my laptop. Everything seems to be working pretty well for me (other than wifi passwords not saving by default, but I seem to have found a workaround that's not too inconvenient).

I later tried to get it set up on my desktop and the experience was very sluggish and I was curious if there would be an obvious reason as to why. I understand that I'm giving few details here, but the sluggishness was not felt at all on my laptop and was felt immediately on my desktop. I have since installed fedora on my desktop and it's been very solid and noticeably not sluggish.

I thought I should perhaps try to understand what potential issues occurred so I can get a better understanding of the system I'm using. Thanks in advance for any input.

From what i have read, the winning logos are not guaranteed to be chosen, so we will have to wait for an official announcement. I think there is a meeting today, so I would keep an eye on the official wiki and news pages. On the meeting on tuesday (12.12), the competition results have been discussed but I don't know what's been said.

Notes for the meeting on 12.12

Notes for the meeting on 14.12

The deadline has passed, but I'm not sure if all entries have been added to the wiki yet.

Slowroll repos have been moved to a new location.
Upcoming version bump, to catch up with Tumbleweed, announced.

I'm coming for a *deb/*buntu world and I would find useful if I have a cheat sheet for Tumbleweed with the most basic commands and especially if there is something that correlates them with commands I'm already familiar.

For example that # zypper up replaces # apt upgrade

I have already found a cheat sheet for zypper here https://en.opensuse.org/SDB:Zypper_usage#Cheat_sheet so I'm looking for something that includes more stuff than just zypper. Or is zypper the main difference? I mean (I'm completely new on opensuse) other stuff, like restarting services, or default location of config files, or how to do other basic low level actions, I'm not sure if they are different, but if yes, looking for such relation-map.

Hope it makes sense what I'm asking, thanks in advance

Running Slowroll.

Just opened my laptop after having previously just closed the lid. Now its showing the last used program I was using before I closed the lid last time. Anyone experienced this before?

I can fully interact with Obsidian, but not able to login. Had to reboot to fix this.

Hi, I have created a fork of the Greybeard project called “Moldavite” (meteorite induced explosion near Nürnberg caused a lot of gems falling on the ground in Bohemia, if it is not a symbol of the cooperation inside of SUSE, then I don’t know what would be ;)). The main project site is https://sr.ht/~mcepl/moldavite/ and OBS project. Whereas, as I understand it, Greybeard is at least for the moment more or less on the back burner, I hope to continue to work on this.

Because my NAS isn't used while I'm at work, I set up a systemd service that reliably suspends the OS to memory at the same time every day (excluding weekends), and uses rtcwake to then wake it up again just before I typically get home from work. I also have an alias set up on my laptop to send a magic packet to the NAS in case I get home earlier etc. The issue is, that while the nas wakes up automatically, it does not wake up if I send a magic packet. In the BIOS of my MSI motherboard, I can change who handles wake events from OS to BIOS and doing so fixes my magic packet issues, but it also causes the systemd service to no longer wake the nas. WakeOnLAN is enabled in the network card, the network card is bridged ( I use the 'real' mac for WoL though). I got it to work while my nas ran ubuntu on different hardware (Biostar motherboard), but I'm a bit confused as to why I can no longer make it work.

any ideas?

Edit: I fixed it. On my specific MSI motherboard, wake event handling needs to be set to BIOS controlled, then wake on pcie needs to be enabled and wake on rtc needs to be disabled (!). This way, I guess, the BIOS does not take control over the rtc alarm, allowing the OS to write to it instead. Wake On LAN is still handled by the BIOS though, as it should be.

I also realize that this was an MSI-related topic, not so much OpenSUSE, but I'd ask the mods to keep this post around in case anybody else ever stumbles across it.

Hi everybody, I recently installed OpenSuse Leap, but I have trouble working with firewalld. The goal is to accept incoming ssh and vnc connections from two IPs exclusively, but it just does'nt work. I removed all interfaces from zone public, set the internal zone up so that it has only the two IPs as sources and only the ssh and vnc services, but I still get asked for password when I try to ssh into the machine from an IP that is not listed. Any hints?

firewall-cmd --get-active-zones returns this: docker interfaces: docker0 internal sources: 192.168.0.3/24 192.168.0.2/24

firewall-cmd --zone=internal --list-all returns this: internal (active) target: default icmp-block-inversion: no interfaces: sources: 192.168.0.3/24 192.168.0.2/24 services: ssh vnc-server ports: 22/tcp 5900/tcp 5901/tcp protocols: forward: no masquerade: no forward-ports: source-ports: icmp-blocks: rich rules:

edit: Even with this configuration here, incoming ssh connections from an unlisted address still ask for password: firewall-cmd --get-active-zones
docker interfaces: docker0 drop interfaces: eth0 br0 internal sources: 192.168.0.3/24 192.168.0.2/24

Hi everybody.

I was trying to make the switch to Wayland, but this little problem is really keeping me in X11.

The display turns off, says that there is no signal/input, turns off again but after that it wakes up immediately.

This happens either by using the shortcut to turn the display off Ctrl + Alt + D or waiting for the 10 minutes specified in the Energy Saving options.

I've found this Bug 462695 at KDE.org where it says the problem is from openSUSE.

I've already disabled KScreen 2 in Background Services.

In X11 the display has no problems entering energy saving mode.

Does anybody have the same problem or any idea what it might be keeping the display from sleeping?

My specs:

• openSUSE Tumbleweed
• Kernel 6.4.11-1-default
• DE: Plasma 5.27.7
• CPU Intel i5-4670K
• GPU AMD ATI Radeon RX 6750 XT

On their web site it mentions that the live usb stick is not for testing your hardware's compatibility So what is best way to test you hardware

Hi

Any long term user of Tumbleweed that have any experience with the Packman repository?

Does it work well or does it sometime bring dependency issues?