Full Disk Encryption is planned to be introduced in the forthcoming release candidate of the Aeon Desktop to enhance data security for its users.
The feature is expected to be included in the upcoming Release Candidate 3 (RC3).

Full Disk Encryption is designed to protect data in cases of device loss, theft or unauthorized booting into an alternative operating system.
Depending on the hardware configuration of a system, Aeon's encryption will be set up in one of two modes: Default or Fallback.

Default Mode

The Default Mode is the preferred method of encryption provided the system has the required hardware. This mode utilizes the Trusted Platform Module(TPM) 2.0 chipset with PolicyAuthorizeNV support (TPM 2.0 version 1.38 or newer). In this mode, Aeon Desktop measures several aspects of the system's integrity. These including:

• UEFI Firmware
• Secure Boot state (enabled or disabled)
• Partition Table
• Boot loader and drivers
• Kernel and initrd (including kernel command line parameters)

These measurements are stored in the system's TPM. During startup, the current state is compared with the stored measurements. If these match, the system boots normally. If discrepancies are found, users are prompted to enter a Recovery Key provided during installation. This safeguard ensures that unauthorized changes or tampering attempts are flagged.

Fallback Mode

The Fallback Mode is employed when the necessary hardware for Default Mode is not detected. This mode requires users to enter a passphrase each time the system starts. While it does not check system integrity as comprehensively as Default Mode, Secure Boot is strongly recommended to ensure some level of security, confirming that the bootloader and kernel have not been tampered with.

Contrary to initial concerns, Default Mode is not less secure than Fallback Mode despite not requiring a passphrase at startup. The strong integrity checks in Default Mode protect against attacks that could bypass normal authentication methods. For example, it can detect changes to the kernel command line that could otherwise allow unauthorized access. Furthermore, it safeguards against modifications to initrd thereby preventing potential passphrase capture in Fallback Mode.

Secure Boot, while optional in Default Mode due to the comprehensive integrity checks, is critical in Fallback Mode to maintain system security. Disabling Secure Boot in Fallback Mode increases vulnerability to tampering and attacks aimed at capturing the passphrase.

Aeon's implementation of Full Disk Encryption provides robust security options tailored to the capabilities of users' hardware. By offering both Default and Fallback modes, Aeon ensures that all users can benefit from enhanced data protection.

The inclusion of this feature in RC3 marks a significant step forward in safeguarding user data against potential threats.
Aeon users are encouraged to read and bookmark the Aeon Encryption Guide.

More Information about openSUSE:

Official

• openSUSE News
• openSUSE Mailing List
• openSUSE Wiki

Fediverse

• https://discuss.tchncs.de/c/[email protected]

(Image made with DALL-E)

Full Disk Encryption is planned to be introduced in the forthcoming release candidate of the Aeon Desktop to enhance data security for its users.
The feature is expected to be included in the upcoming Release Candidate 3 (RC3).

Full Disk Encryption is designed to protect data in cases of device loss, theft or unauthorized booting into an alternative operating system.
Depending on the hardware configuration of a system, Aeon's encryption will be set up in one of two modes: Default or Fallback.

Default Mode

The Default Mode is the preferred method of encryption provided the system has the required hardware. This mode utilizes the Trusted Platform Module(TPM) 2.0 chipset with PolicyAuthorizeNV support (TPM 2.0 version 1.38 or newer). In this mode, Aeon Desktop measures several aspects of the system's integrity. These including:

• UEFI Firmware
• Secure Boot state (enabled or disabled)
• Partition Table
• Boot loader and drivers
• Kernel and initrd (including kernel command line parameters)

These measurements are stored in the system's TPM. During startup, the current state is compared with the stored measurements. If these match, the system boots normally. If discrepancies are found, users are prompted to enter a Recovery Key provided during installation. This safeguard ensures that unauthorized changes or tampering attempts are flagged.

Fallback Mode

The Fallback Mode is employed when the necessary hardware for Default Mode is not detected. This mode requires users to enter a passphrase each time the system starts. While it does not check system integrity as comprehensively as Default Mode, Secure Boot is strongly recommended to ensure some level of security, confirming that the bootloader and kernel have not been tampered with.

Contrary to initial concerns, Default Mode is not less secure than Fallback Mode despite not requiring a passphrase at startup. The strong integrity checks in Default Mode protect against attacks that could bypass normal authentication methods. For example, it can detect changes to the kernel command line that could otherwise allow unauthorized access. Furthermore, it safeguards against modifications to initrd thereby preventing potential passphrase capture in Fallback Mode.

Secure Boot, while optional in Default Mode due to the comprehensive integrity checks, is critical in Fallback Mode to maintain system security. Disabling Secure Boot in Fallback Mode increases vulnerability to tampering and attacks aimed at capturing the passphrase.

Aeon's implementation of Full Disk Encryption provides robust security options tailored to the capabilities of users' hardware. By offering both Default and Fallback modes, Aeon ensures that all users can benefit from enhanced data protection.

The inclusion of this feature in RC3 marks a significant step forward in safeguarding user data against potential threats.
Aeon users are encouraged to read and bookmark the Aeon Encryption Guide.

More Information about openSUSE:

Official

• openSUSE News
• openSUSE Mailing List
• openSUSE Wiki

Fediverse

• https://discuss.tchncs.de/c/[email protected]

(Image made with DALL-E)

Welcome to the monthly update for openSUSE Tumbleweed for June 2024. This month was busy with events like the Community Summit in Berlin and the openSUSE Conference, but a number of snapshots continued to roll out to users. Developers, system administrators and users receive updates designed to enhance your experience and ensure high levels of security and performance.

Should readers desire a more frequent amount of information about snapshot updates, readers are encouraged to subscribe to the openSUSE Factory mailing list.

Let’s go!

New Features and Enhancements

• Linux Kernel 6.9.7: This kernel introduces several important fixes and enhancements across various subsystems. Key updates include addressing undefined references in netfilter when CONFIG_SYSCTL is disabled, correcting TCP Fast Open handling, and resolving a conflicting quirk in Advanced Linux Sound Architecture for Realtek devices. Improvements in file system writeback operations, multi-threaded path handling and memory management for Hisilicon crypto drivers enhance stability. Networking updates include fixes for race conditions in netpoll, enhancements for specific SFP modules, and improvements in WiFi drivers such as RTW89, Ath9k, Ath12k, and MT76. Additional platform-specific updates address issues in ACPI, ARM64 configurations, HID device handling, and Bluetooth driver fixes.
• PipeWire 1.2.0 and WirePlumber 0.5.4: PipeWire 1.2.0 introduces asynchronous processing, node.sync-group for synchronized scheduling, and improved config parsing error reporting. It also adds mandatory metadata support for buffer parameters, multiple data-loops with CPU affinity, and dynamic log level adjustments. Key fixes include RTP-SAP module enhancements, ROC 0.3 support, and improved Bluetooth BAP broadcast code parsing. WirePlumber 0.5.4 refines the role-based linking policy, allowing role-based sinks alongside standard audio operations and enabling regular filters to act as best targets. It addresses startup crashes due to empty config files, improves Bluetooth profile auto-switching, and fixes issues with DSP filters and infinite loop scenarios in autoswitching scripts. Together, these updates enhance the flexibility, reliability, and overall performance of audio management in Linux environments. Both also received updates in snapshot 20240627
• Mesa and Mesa-drivers 24.1.2: Both packages underwent a specfile cleanup, involving the relocation of Rust crate sources into subprojects folders and updates to baselibs.conf. Due to the maintenance burden associated with Rust crates as system dependencies, these crates are now downloaded as vendored dependencies, as detailed in the README-suse-maintenance.md. The update adds support for building libvulkan_nouveau, including necessary Rust crates such as paste-1.0.14, proc-macro2-1.0.70, quote-1.0.33, syn-2.0.39, and unicode-ident-1.0.12. However, building libvulkan_nouveau on Leap is not possible due to the requirement for rust-cbindgen >= 0.25. For more details, refer to the release notes at https://docs.mesa3d.org/relnotes/24.1.2.
• KDE Plasma 6.1.1: Discover improves UI elements and Packagekit support, while Dr Konqi corrects the Sentry dbus interface usage. Plasma Addons addresses reference issues in Effects/cube, and krdp ensures version compatibility and resolves session controller bugs. Kscreenlocker improves greeter functionality, and KWin introduces multiple fixes for shaders, tiling, and input panels. Libkscreen and libplasma update protocol versions and fix plugin loading issues. Plasma Desktop enhances task icon sizing, panel opacity and file dragging across screens. Plasma Audio Volume Control removes unnecessary symlinks, and Plasma Systemmonitor correctly positions loading overlays. Powerdevil improves battery protection UI and limits backlighthelper calls.
• Python-setuptools 70.0: Key features in this new major version include emitting warnings for ignored [tools.setuptools] entries in pyproject.toml, improved error messaging for pkg_resources.EntryPoint.require and handling None location distributions more gracefully. The update also refreshes unpinned vendored dependencies, supports PEP 625 by standardizing package name and version in filenames and ensures encoding consistency for .pth files. Obsolete Python < 3.8 code has been removed, and pkg_resources now uses stdlib importlib.machinery. Bug fixes address race conditions in the install command, improve handling of nested namespaces with package_dir and correct various pkg_resources method behaviors. The patch for reproducibility has also been refreshed.
• Xen 4.18.2_06: This version resolves intermittent system hangs when Power Control Mode is set to Minimum Power. Patches also improve CPU mask handling and interrupt movement in various scenarios. Upstream bug fixes include improvements in scheduler resource data management and include fixes for building with GNU Compiler Collection 14.

Key Package Updates

• NetworkManager 1.48.2: This package updates support for matching OVS system interfaces by MAC address and fixes port reactivation and VPN secrets handling for 2-factor authentication. It saves connection timestamps during shutdown for proper autoactivation after restart. Key changes in 1.48.0 deprecate autotools building, add support for changing OpenSSL ciphers for 802.1X authentication, and set unmanaged device reasons in the StateReason property visible in nmcli. Additionally, it replaces the mac-address-blacklist property with mac-address-denylist, improves WiFi 6 GHz band detection and optimizes performance to avoid high CPU usage during route updates. Previous version 1.46 adds brought dynamic SSID-based stable IDs, randomized MAC addresses and several enhancements for handling IPv6, D-Bus and cloud setup.
• ibus-table 1.17.6: This update drops Python2 support, transitioning all scripts to Python3 using pyupgrade. It now allows the use of keys with Unicode keysyms in keybindings, enhancing customization and flexibility. Additionally, the frames_per_buffer=chunk_size option is now utilized in self._paudio.open() for improved audio handling. The update also includes translation enhancements from Weblate, with Czech translations reaching 36.6 percent, Japanese at 45.3 percent, and Chinese (Simplified) at 92.0 percent.
• btrfsprogs 6.9: The mkfs utility now halts if the mount status cannot be determined when using the --force option and corrects the minimum size calculation for zoned devices. The check command removes the --clear-ino-cache option, shifting its functionality to the rescue command group, and adds detection and repair for incorrect file extent item ram_bytes values. The qgroup commands now sync the filesystem before searching for stale entries, handle uncleaned subvolumes and squota enabled scenarios, and display the cleaning status of subvolumes. The receive command fixes stream parsing for strict alignment hosts, and tune change-csum and dump-tree commands include updates for handling dev-replace status items. The convert command improves extent iteration for preallocated/unwritten extents. The build process now ensures compatibility with e2fsprogs 1.47.1 and improves header file dependency tracking. Documentation was also updated.
• GNU’s Emacs 29.4: An emergency bugfix took place in this release. In this update, arbitrary shell commands are no longer executed when enabling Org mode, significantly enhancing security by preventing the execution of potentially malicious commands.

Bug Fixes

• Python-dnspython 2.6.1:

  • CVE-2023-29483 - Eventlet before 0.35.2 in dnspython allows remote "TuDoor" DNS attack interference.

• php8 8.3.8:

  • CVE-2012-1823 involved a vulnerability where attackers could inject arguments into PHP-CGI, leading to potential security issues. The new vulnerability, CVE-2024-4577, was discovered to bypass this original fix, allowing the same or similar types of argument injection attacks. The update ensures that this bypass is no longer possible, reinforcing the security measures originally put in place for CVE-2012-1823.
  • Similarly, the bypass of CVE-2024-1874 was made with the fix to CVE-2024-5585.

• kernel-firmware-nvidia-gspx-G06 (NVIDIA GPU driver)

  • CVE-2024-0090 was a vulnerability where a user can cause an out-of-bounds write.
  • CVE-2024-0091 was a vulnerability where a user can cause an untrusted pointer dereference. A successful exploit of this vulnerability might lead to denial of service.
  • CVE-2024-0092 was an improper check or improper handling of exception conditions might lead to denial of service.

• XZ 5.6.2:

  • CVE-2024-3094 Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library. More details in snapshot 20240605

• cJSON v1.7.17:

  • CVE-2024-31755 - A segmentation violation, which can trigger through the second parameter.

Conclusion

The month of June 2024 saw a range of significant updates, security fixes and enhancements. The Linux Kernel 6.9.7 update improved stability and performance. Mesa and Mesa-drivers 24.1.2 introduced Rust crate dependencies and improved Vulkan support. KDE Plasma 6.1.1 brought UI improvements and a major version of Python-setuptools 70.0 arrived for rolling release users. A few critical security vulnerabilities were taken care of and fixes related to the XZ backdoor continued, so that Tumbleweed remains secure, efficient and feature-rich for all users.

For those Tumbleweed users who want to contribute or want to engage with detailed technological discussions, subscribe to the openSUSE Factory mailing list . The openSUSE team encourages users to continue participating through bug reports, feature suggestions and discussions.

Contributing to openSUSE Tumbleweed

Your contributions and feedback make openSUSE Tumbleweed better with every update. Whether reporting bugs, suggesting features, or participating in community discussions, your involvement is highly valued.

More Information about openSUSE:

Official

• openSUSE News
• openSUSE Mailing List
• openSUSE Wiki

Fediverse

• https://discuss.tchncs.de/c/[email protected]

(Image made with DALL-E)

Welcome to the monthly update for openSUSE Tumbleweed for June 2024. This month was busy with events like the Community Summit in Berlin and the openSUSE Conference, but a number of snapshots continued to roll out to users. Developers, system administrators and users receive updates designed to enhance your experience and ensure high levels of security and performance.

Should readers desire a more frequent amount of information about snapshot updates, readers are encouraged to subscribe to the openSUSE Factory mailing list.

Let’s go!

New Features and Enhancements

• Linux Kernel 6.9.7: This kernel introduces several important fixes and enhancements across various subsystems. Key updates include addressing undefined references in netfilter when CONFIG_SYSCTL is disabled, correcting TCP Fast Open handling, and resolving a conflicting quirk in Advanced Linux Sound Architecture for Realtek devices. Improvements in file system writeback operations, multi-threaded path handling and memory management for Hisilicon crypto drivers enhance stability. Networking updates include fixes for race conditions in netpoll, enhancements for specific SFP modules, and improvements in WiFi drivers such as RTW89, Ath9k, Ath12k, and MT76. Additional platform-specific updates address issues in ACPI, ARM64 configurations, HID device handling, and Bluetooth driver fixes.
• PipeWire 1.2.0 and WirePlumber 0.5.4: PipeWire 1.2.0 introduces asynchronous processing, node.sync-group for synchronized scheduling, and improved config parsing error reporting. It also adds mandatory metadata support for buffer parameters, multiple data-loops with CPU affinity, and dynamic log level adjustments. Key fixes include RTP-SAP module enhancements, ROC 0.3 support, and improved Bluetooth BAP broadcast code parsing. WirePlumber 0.5.4 refines the role-based linking policy, allowing role-based sinks alongside standard audio operations and enabling regular filters to act as best targets. It addresses startup crashes due to empty config files, improves Bluetooth profile auto-switching, and fixes issues with DSP filters and infinite loop scenarios in autoswitching scripts. Together, these updates enhance the flexibility, reliability, and overall performance of audio management in Linux environments. Both also received updates in snapshot 20240627
• Mesa and Mesa-drivers 24.1.2: Both packages underwent a specfile cleanup, involving the relocation of Rust crate sources into subprojects folders and updates to baselibs.conf. Due to the maintenance burden associated with Rust crates as system dependencies, these crates are now downloaded as vendored dependencies, as detailed in the README-suse-maintenance.md. The update adds support for building libvulkan_nouveau, including necessary Rust crates such as paste-1.0.14, proc-macro2-1.0.70, quote-1.0.33, syn-2.0.39, and unicode-ident-1.0.12. However, building libvulkan_nouveau on Leap is not possible due to the requirement for rust-cbindgen >= 0.25. For more details, refer to the release notes at https://docs.mesa3d.org/relnotes/24.1.2.
• KDE Plasma 6.1.1: Discover improves UI elements and Packagekit support, while Dr Konqi corrects the Sentry dbus interface usage. Plasma Addons addresses reference issues in Effects/cube, and krdp ensures version compatibility and resolves session controller bugs. Kscreenlocker improves greeter functionality, and KWin introduces multiple fixes for shaders, tiling, and input panels. Libkscreen and libplasma update protocol versions and fix plugin loading issues. Plasma Desktop enhances task icon sizing, panel opacity and file dragging across screens. Plasma Audio Volume Control removes unnecessary symlinks, and Plasma Systemmonitor correctly positions loading overlays. Powerdevil improves battery protection UI and limits backlighthelper calls.
• Python-setuptools 70.0: Key features in this new major version include emitting warnings for ignored [tools.setuptools] entries in pyproject.toml, improved error messaging for pkg_resources.EntryPoint.require and handling None location distributions more gracefully. The update also refreshes unpinned vendored dependencies, supports PEP 625 by standardizing package name and version in filenames and ensures encoding consistency for .pth files. Obsolete Python < 3.8 code has been removed, and pkg_resources now uses stdlib importlib.machinery. Bug fixes address race conditions in the install command, improve handling of nested namespaces with package_dir and correct various pkg_resources method behaviors. The patch for reproducibility has also been refreshed.
• Xen 4.18.2_06: This version resolves intermittent system hangs when Power Control Mode is set to Minimum Power. Patches also improve CPU mask handling and interrupt movement in various scenarios. Upstream bug fixes include improvements in scheduler resource data management and include fixes for building with GNU Compiler Collection 14.

Key Package Updates

• NetworkManager 1.48.2: This package updates support for matching OVS system interfaces by MAC address and fixes port reactivation and VPN secrets handling for 2-factor authentication. It saves connection timestamps during shutdown for proper autoactivation after restart. Key changes in 1.48.0 deprecate autotools building, add support for changing OpenSSL ciphers for 802.1X authentication, and set unmanaged device reasons in the StateReason property visible in nmcli. Additionally, it replaces the mac-address-blacklist property with mac-address-denylist, improves WiFi 6 GHz band detection and optimizes performance to avoid high CPU usage during route updates. Previous version 1.46 adds brought dynamic SSID-based stable IDs, randomized MAC addresses and several enhancements for handling IPv6, D-Bus and cloud setup.
• ibus-table 1.17.6: This update drops Python2 support, transitioning all scripts to Python3 using pyupgrade. It now allows the use of keys with Unicode keysyms in keybindings, enhancing customization and flexibility. Additionally, the frames_per_buffer=chunk_size option is now utilized in self._paudio.open() for improved audio handling. The update also includes translation enhancements from Weblate, with Czech translations reaching 36.6 percent, Japanese at 45.3 percent, and Chinese (Simplified) at 92.0 percent.
• btrfsprogs 6.9: The mkfs utility now halts if the mount status cannot be determined when using the --force option and corrects the minimum size calculation for zoned devices. The check command removes the --clear-ino-cache option, shifting its functionality to the rescue command group, and adds detection and repair for incorrect file extent item ram_bytes values. The qgroup commands now sync the filesystem before searching for stale entries, handle uncleaned subvolumes and squota enabled scenarios, and display the cleaning status of subvolumes. The receive command fixes stream parsing for strict alignment hosts, and tune change-csum and dump-tree commands include updates for handling dev-replace status items. The convert command improves extent iteration for preallocated/unwritten extents. The build process now ensures compatibility with e2fsprogs 1.47.1 and improves header file dependency tracking. Documentation was also updated.
• GNU’s Emacs 29.4: An emergency bugfix took place in this release. In this update, arbitrary shell commands are no longer executed when enabling Org mode, significantly enhancing security by preventing the execution of potentially malicious commands.

Bug Fixes

• Python-dnspython 2.6.1:

  • CVE-2023-29483 - Eventlet before 0.35.2 in dnspython allows remote "TuDoor" DNS attack interference.

• php8 8.3.8:

  • CVE-2012-1823 involved a vulnerability where attackers could inject arguments into PHP-CGI, leading to potential security issues. The new vulnerability, CVE-2024-4577, was discovered to bypass this original fix, allowing the same or similar types of argument injection attacks. The update ensures that this bypass is no longer possible, reinforcing the security measures originally put in place for CVE-2012-1823.
  • Similarly, the bypass of CVE-2024-1874 was made with the fix to CVE-2024-5585.

• kernel-firmware-nvidia-gspx-G06 (NVIDIA GPU driver)

  • CVE-2024-0090 was a vulnerability where a user can cause an out-of-bounds write.
  • CVE-2024-0091 was a vulnerability where a user can cause an untrusted pointer dereference. A successful exploit of this vulnerability might lead to denial of service.
  • CVE-2024-0092 was an improper check or improper handling of exception conditions might lead to denial of service.

• XZ 5.6.2:

  • CVE-2024-3094 Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library. More details in snapshot 20240605

• cJSON v1.7.17:

  • CVE-2024-31755 - A segmentation violation, which can trigger through the second parameter.

Conclusion

The month of June 2024 saw a range of significant updates, security fixes and enhancements. The Linux Kernel 6.9.7 update improved stability and performance. Mesa and Mesa-drivers 24.1.2 introduced Rust crate dependencies and improved Vulkan support. KDE Plasma 6.1.1 brought UI improvements and a major version of Python-setuptools 70.0 arrived for rolling release users. A few critical security vulnerabilities were taken care of and fixes related to the XZ backdoor continued, so that Tumbleweed remains secure, efficient and feature-rich for all users.

For those Tumbleweed users who want to contribute or want to engage with detailed technological discussions, subscribe to the openSUSE Factory mailing list . The openSUSE team encourages users to continue participating through bug reports, feature suggestions and discussions.

Contributing to openSUSE Tumbleweed

Your contributions and feedback make openSUSE Tumbleweed better with every update. Whether reporting bugs, suggesting features, or participating in community discussions, your involvement is highly valued.

More Information about openSUSE:

Official

• openSUSE News
• openSUSE Mailing List
• openSUSE Wiki

Fediverse

• https://discuss.tchncs.de/c/[email protected]

(Image made with DALL-E)

Slowroll, which has a more modest update cadence than Tumbleweed, is gaining acceptance as a balance between the rapid updates of Tumbleweed's rolling releases and the traditional Leap release.

Slowroll is nearly ready for full deployment and the development team has been working diligently to prepare the next version bump, with planned updates scheduled for July 9, August 9 and Sept. 9. These updates are expected to maintain a consistent monthly cadence to ensure users have timely and stable updates.

One of the critical updates pulled in will include the latest OpenSSH CVE fixes, which have already been made available in Tumbleweed. This fix enhances the security of Slowroll & ensure that it remains a robust and reliable distribution for users.

Highlighted Features of Slowroll

Balanced Update Cadence: Slowroll offers a monthly rolling update cycle that provides users with the latest features and security updates while ensuring stability through extensive testing and validation.

Beta Phase: Slowroll is now in the Beta phase, indicating its near readiness for full deployment. Users can expect a reliable experience with continuous improvements.

Continuous Improvement: The distribution integrates big updates approximately every month, alongside continuous bug fixes and security patches, ensuring a secure and up-to-date system.

Statistics and Status

According to the latest statistics available on the Slowroll Stats page:

• Tumbleweed had 2813 updated packages since the last version bump
• Slowroll received 1316 updates from 871 different packages and only 339 updated rpms are Slowroll-specific builds

Origins and Purpose

Slowroll, introduced in 2023, was designed as an experimental distribution. Its primary goal is to offer a slower rolling release compared to Tumbleweed, thus enhancing stability without compromising on access to new features. The distribution continuously evolves with big updates integrated approximately every month, supported by regular bug fixes and security updates.

It's crucial to understand that Slowroll is not intended to replace Leap. Instead, it provides an alternative for users who desire more up-to-date software at a slower pace than Tumbleweed but faster than Leap.

If you try Slowroll, have a lot of fun - rolling... slowly!

More Information about openSUSE:

Official

• openSUSE News
• openSUSE Mailing List
• openSUSE Wiki

Fediverse

• https://discuss.tchncs.de/c/[email protected]

(Image made with DALL-E)

A new major version of Leap Micro is now available! Leap Micro 6.0 images can be found at get.opensuse.org.

Leap Micro 6.0 uses a brand-new codebase, comes with plenty of new appliances and, for the first time, enters images for public cloud.

About Leap Micro

Leap Micro 6.0 is a rebranded SUSE Linux Enterprise Micro 6.0 which is an ultra-reliable container and Virtual Machine host by SUSE. Leap Micro is released twice a year and has support over two releases.

Leap Micro 5.4 is now EOL

With the release of Leap Micro 6.0, Leap Micro 5.4 reaches End Of Life; users will no longer receive maintenance updates and are advised to upgrade.

More conservative users can stay on Leap Micro 5.5, which will receive updates until the release of Leap Micro 6.1.

Understanding Image variants

All of Leap and SLE Micro generally come in two variants either Base or Default.

Both Base and Default have a container stack, but only the Default variant has the Virtual Machine stack.

If you do not plan to use VMs and you care for space, then the Base might be a variant just for you. 

All of our images offered at get-o-o are the Default ones (VMs+containers) as we expect they're suitable for most users.

All appliances including Base variants (without virtualization stack) can be downloaded directly from https://download.opensuse.org/distribution/leap-micro/6.0/appliances/

Explaining individual appliances

A general recommendation for everyone use is the self-install image. It's a bootable image with a quick wizard that writes the preconfigured image to your drive and grows the root partition. This process from boot takes about 5 minutes.

The preconfigured image is a raw bootable image you can manually write/dd to the disk or SD card. Images can be configured via Ignition/Combustion or will default to the jeos-firsboot wizard.

We have a Real-time image with kernel-rt, qcow image for KVM, VMWare image, and a brand new raw image with Full Disk Encryption.

Users who want to try our FDE image within a VM will need to make sure that they're using emulated tpm-2 chip and UEFI. This can be achieved easily with virt-manager.

SLE Micro 6.0 dropped the traditional installer in favor of self-install media, therefore Leap Micro 6.0 doesn't have it either.

The new Packages image is not a bootable media. This is just an image with an offline repository in case you need it.

Leap Micro 6.0 comes for the first time also with Public Cloud Images.

Images will soon be available with all major public cloud providers. 

Upgrading from 5.X

A recommendation is to make a clean install since this is a brand-new major version.

For those who'd like to try migration, please follow the upgrade guide.

Release Notes

Users can refer to SLE Micro 6.0 Release notes.

Leap Micro 6.0 uses openSUSE-repos for repository management. It is highly recommended to pay attention to this detail, especially for those who migrate. Here is an article explaining how openSUSE repos work.

Leap Micro 6.0 has no longer a dedicated SLE update repo. This has been merged into the main repository.

More Information about openSUSE:

Official

• openSUSE News
• openSUSE Mailing List
• openSUSE Wiki

Fediverse

• https://discuss.tchncs.de/c/[email protected]

A new major version of Leap Micro is now available! Leap Micro 6.0 images can be found at get.opensuse.org.

Leap Micro 6.0 uses a brand-new codebase, comes with plenty of new appliances and, for the first time, enters images for public cloud.

About Leap Micro

Leap Micro 6.0 is a rebranded SUSE Linux Enterprise Micro 6.0 which is an ultra-reliable container and Virtual Machine host by SUSE. Leap Micro is released twice a year and has support over two releases.

Leap Micro 5.4 is now EOL

With the release of Leap Micro 6.0, Leap Micro 5.4 reaches End Of Life; users will no longer receive maintenance updates and are advised to upgrade.

More conservative users can stay on Leap Micro 5.5, which will receive updates until the release of Leap Micro 6.1.

Understanding Image variants

All of Leap and SLE Micro generally come in two variants either Base or Default.

Both Base and Default have a container stack, but only the Default variant has the Virtual Machine stack.

If you do not plan to use VMs and you care for space, then the Base might be a variant just for you. 

All of our images offered at get-o-o are the Default ones (VMs+containers) as we expect they're suitable for most users.

All appliances including Base variants (without virtualization stack) can be downloaded directly from https://download.opensuse.org/distribution/leap-micro/6.0/appliances/

Explaining individual appliances

A general recommendation for everyone use is the self-install image. It's a bootable image with a quick wizard that writes the preconfigured image to your drive and grows the root partition. This process from boot takes about 5 minutes.

The preconfigured image is a raw bootable image you can manually write/dd to the disk or SD card. Images can be configured via Ignition/Combustion or will default to the jeos-firsboot wizard.

We have a Real-time image with kernel-rt, qcow image for KVM, VMWare image, and a brand new raw image with Full Disk Encryption.

Users who want to try our FDE image within a VM will need to make sure that they're using emulated tpm-2 chip and UEFI. This can be achieved easily with virt-manager.

SLE Micro 6.0 dropped the traditional installer in favor of self-install media, therefore Leap Micro 6.0 doesn't have it either.

The new Packages image is not a bootable media. This is just an image with an offline repository in case you need it.

Leap Micro 6.0 comes for the first time also with Public Cloud Images.

Images will soon be available with all major public cloud providers. 

Upgrading from 5.X

A recommendation is to make a clean install since this is a brand-new major version.

For those who'd like to try migration, please follow the upgrade guide.

Release Notes

Users can refer to SLE Micro 6.0 Release notes.

Leap Micro 6.0 uses openSUSE-repos for repository management. It is highly recommended to pay attention to this detail, especially for those who migrate. Here is an article explaining how openSUSE repos work.

Leap Micro 6.0 has no longer a dedicated SLE update repo. This has been merged into the main repository.

More Information about openSUSE:

Official

• openSUSE News
• openSUSE Mailing List
• openSUSE Wiki

Fediverse

• https://discuss.tchncs.de/c/[email protected]

Leap 15.6 install media were refreshed to address an issue with old secure boot signing key for ppc64le and s390x.

Refreshed images from Leap 15.6 Build 710.3 are already available for download at get.opensuse.org. So now you can enjoy installation with secure boot on more exotic architectures.

Happy Hacking!

Leap 15.6 install media were refreshed to address an issue with old secure boot signing key for ppc64le and s390x.

Refreshed images from Leap 15.6 Build 710.3 are already available for download at get.opensuse.org. So now you can enjoy installation with secure boot on more exotic architectures.

Happy Hacking!

openSUSE Leap Micro 6.0 Beta is now available! We expect that it will very quickly transition to RC and GA as the infra readiness advances. Leap Micro 6.0 Beta images can be found at get.opensuse.org or directly at download.opensuse.org.

About Leap Micro

Leap Micro 6.0 is a rebranded SUSE Linux Enterprise Micro 6.0 which is an ultrareliable container and VM host by SUSE. This is the first publicly released product based on the fresh code base "SUSE Linux Framework One" (previously known as ALP).

Leap Micro 6.X is available for x86_64 and aarch64, released every 6 months, and supported until the next-next release is out. That means that Leap Micro 6.0 will become EOL once Leap Micro 6.2 gets released.

All pieces related to Rancher and Elemental are purposely excluded from Leap Micro 6.X as SLE Micro for Rancher is free for use without any subscription within Rancher deployments.

No more traditional installer

Leap Micro 6.X is deployed via self-install image which writes a preconfigured image to the disk and enlarges root partition. Users can use combustion, ignition or default to the jeos-firstboot wizard to do the initial setup of the system.

Do not get mistaken by the availability of openSUSE-Leap-Micro-6.0-*.iso is not installable. We refer to the image as a Packages image, which is basically an offline repository on a DVD.

New FDE, VMWare, and Cloud images

Aside from the self-install image Micro 6.0 comes with qcow, Full Disk Encryption, and RealTime images. All images can be found at download.opensuse.org

For the first time Leap Micro 6.X has also cloud-init therefore shortly after the release we will also have cloud images available on GCP, Azure, and AWS.

Changes to the product building

Leap Micro 6.X is using the new product composer instead of the old product builder. This allowed us to consume update-info from the newly designed maintenance workflow of SLE Micro 6.0 and was preferred by the openSUSE maintenance team.

Changes to the repositories and maintenance workflow

Leap Micro 5.X users receive all updates released for relevant SLE Micro version via a repository named repo-sle-update. This particular repository no longer exists in Leap Micro 6.X.

Instead, the repo-main repository will contain all released updates for the relevant version of SUSE Linux Micro to date.

Please note that the repository path slightly changed too, we'll ensure that migration via transactional-update shell followed by zypper dup --releaser 6.0 works via compatibility symlinks on download server.

New way of managing repository definitions

openSUSE-repos is not new to our users, however, for the first time, openSUSE Leap Micro 6.0 deployments come with openSUSE-repos preinstalled. openSUSE repos uses a local RIS service that easily lets us maintain repository definitions with a package update.

Users migrating from 5.5/5.4 releases are advised to install zypper in openSUSE-repos to ensure they have up-to-date repository paths.

Documentation

Please refer to SLE Micro 6.0 documentation including Release notes.

Reporting Issues

Please refer to the Leap Micro section in our Submitting bug reports page.

Next steps

Missing maintenance setup was a long-term blocker for the transition out from Alpha, otherwise, the distribution itself is stable and feature-full. Now that we have it, we need to polish some remaining infrastructure issues and users can expect a release within the next few days. Ideally before oSC2024 next week.

openSUSE Leap Micro 6.0 Beta is now available! We expect that it will very quickly transition to RC and GA as the infra readiness advances. Leap Micro 6.0 Beta images can be found at get.opensuse.org or directly at download.opensuse.org.

About Leap Micro

Leap Micro 6.0 is a rebranded SUSE Linux Enterprise Micro 6.0 which is an ultrareliable container and VM host by SUSE. This is the first publicly released product based on the fresh code base "SUSE Linux Framework One" (previously known as ALP).

Leap Micro 6.X is available for x86_64 and aarch64, released every 6 months, and supported until the next-next release is out. That means that Leap Micro 6.0 will become EOL once Leap Micro 6.2 gets released.

All pieces related to Rancher and Elemental are purposely excluded from Leap Micro 6.X as SLE Micro for Rancher is free for use without any subscription within Rancher deployments.

No more traditional installer

Leap Micro 6.X is deployed via self-install image which writes a preconfigured image to the disk and enlarges root partition. Users can use combustion, ignition or default to the jeos-firstboot wizard to do the initial setup of the system.

Do not get mistaken by the availability of openSUSE-Leap-Micro-6.0-*.iso is not installable. We refer to the image as a Packages image, which is basically an offline repository on a DVD.

New FDE, VMWare, and Cloud images

Aside from the self-install image Micro 6.0 comes with qcow, Full Disk Encryption, and RealTime images. All images can be found at download.opensuse.org

For the first time Leap Micro 6.X has also cloud-init therefore shortly after the release we will also have cloud images available on GCP, Azure, and AWS.

Changes to the product building

Leap Micro 6.X is using the new product composer instead of the old product builder. This allowed us to consume update-info from the newly designed maintenance workflow of SLE Micro 6.0 and was preferred by the openSUSE maintenance team.

Changes to the repositories and maintenance workflow

Leap Micro 5.X users receive all updates released for relevant SLE Micro version via a repository named repo-sle-update. This particular repository no longer exists in Leap Micro 6.X.

Instead, the repo-main repository will contain all released updates for the relevant version of SUSE Linux Micro to date.

Please note that the repository path slightly changed too, we'll ensure that migration via transactional-update shell followed by zypper dup --releaser 6.0 works via compatibility symlinks on download server.

New way of managing repository definitions

openSUSE-repos is not new to our users, however, for the first time, openSUSE Leap Micro 6.0 deployments come with openSUSE-repos preinstalled. openSUSE repos uses a local RIS service that easily lets us maintain repository definitions with a package update.

Users migrating from 5.5/5.4 releases are advised to install zypper in openSUSE-repos to ensure they have up-to-date repository paths.

Documentation

Please refer to SLE Micro 6.0 documentation including Release notes.

Reporting Issues

Please refer to the Leap Micro section in our Submitting bug reports page.

Next steps

Missing maintenance setup was a long-term blocker for the transition out from Alpha, otherwise, the distribution itself is stable and feature-full. Now that we have it, we need to polish some remaining infrastructure issues and users can expect a release within the next few days. Ideally before oSC2024 next week.

NUREMBERG, Germany – The release of Leap 15.6 is official and paves the way for professionals and organizations to transition to SUSE's enterprise distribution with extended support or prepare for the next major release, which will be Leap 16.

Demands for robust, secure and stable operating systems in the digital infrastructure sector are more critical than ever. The combination of the community-driven Leap 15.6 and SUSE Linux Enterprise 15 Service Pack 6, which integrates new features and enhancements, offers an optimal solution for managing critical infrastructure. Notably, SUSE's general support and [extended support]](https://www.suse.com/products/long-term-service-pack-support/) versions; these Product Support Lifecycles last well beyond Leap 15's lifespan, ensuring longer and reliable service for users.

SLE 15 SP 6 is a feature release, so users can expect several more features in the Leap 15.6 release.

This alignment ensures businesses and professionals using Leap for operational needs can enjoy a clear, supported transition to an enterprise environment, which is crucial in a move for systems that require long-term stability and enhanced security. As organizations strategize their upgrade paths, adopting an enterprise-grade solution like SUSE becomes a strategic decision, especially for those managing extensive networks and critical data across various sectors.

Since being released on May 25, 2018, Leap has added several additions like container technologies, immutable systems, virtualization, embedded development, along with other high-tech advances. A rise in usage from each minor release shows that entrepreneurs, hobbyists, professionals and developers are consistently choosing Leap as a preferred Linux distribution.

Leap 15.6 is projected to receive maintenance and security updates until the end of 2025 to ensure sufficient overlap with the next release. This will provide users with plenty of time to upgrade to the release's successor, which is Leap 16, or switch to SUSE's extended service support version. Users interested in commercial support can use a migration tool to move to SUSE's commercial support version.

The inclusion of the Cockpit[1] package in openSUSE Leap 15.6 represents a significant enhancement in system and container management capabilities for users. This integration into Leap 15.6 improves usability and access as well as providing a link between advanced system administration and user-friendly operations from the web browser. The addition underscores openSUSE's commitment to providing powerful tools that cater to both professionals and hobbyists. Leap does not come with a SELinux policy, so SELinux capablities for Cockpit are not functioning.

Container technologies receive a boost with Podman 4.8, which includes tailored support for Nextcloud through quadlets, alongside the latest releases of Distrobox, Docker, python-podman, Skopeo, containerd, libcontainers-common, ensuring a robust container management system. Virtualization technologies are also enhanced, featuring updates to Xen 4.18, KVM 8.2.2, libvirt 10.0, and virt-manager 4.1.

The Leap 15.6 release incorporates several key software upgrades enhancing performance and security. It integrates Linux Kernel 6.4, which provides backports for some of latest hardware drivers, which offer performance enhancements. OpenSSL 3.1 becomes the new default and provides robust security features and updated cryptographic algorithms. Database management systems receive significant updates with MariaDB 10.11.6 and PostgreSQL 16. Redis 7.2 offers advanced data handling capabilities and the software stack is rounded out with PHP 8.2 and Node.js 20; both received updates for better performance and security in web development. Leap will also have OpenJDK 21 providing improvements for enhanced performance and security in Java-based applications.

Updates in telecommunications software are seen with DPDK 22.11 and Open vSwitch versions 3.1 and OVN 23.03.

The KDE environment advances with the introduction of KDE Plasma 5.27.11, which is the latest Long Term Support version, Qt 5.15.12+kde151, and KDE Frameworks 5.115.0, as well as Qt6 version 6.6.3, facilitating smooth application operations with updated Python bindings for PyQt5 and PyQt6 aligning with Python 3.11.

Many unmaintatined Python packages were removed as part of a transition to Python 3.11; more details can be found in the release notes.

GNOME 45 brings enhancements to the desktop environment, adding features that elevate the user experience. Audio technologies see major upgrades with the release of PulseAudio 17.0 and PipeWire 1.0.4, which improve hardware compatibility and Bluetooth functionality, including device battery level indicators.

These updates collectively enhance the system’s stability and user experience and make Leap 15.6 a compelling choice for professionals, companies and organizations.

Leap can be downloaded at get.opensuse.org.

End of Life

Leap 15.5 will have its End of Life (EOL) six months from today’s release. Users should update to Leap 15.6 within six months of today to continue to receive security and maintenance updates.

Download Leap 15.6

To download the ISO image, visit https://get.opensuse.org/leap/

If you have a question about the release or found a bug, we would love to hear from you at:

https://t.me/openSUSE

https://chat.opensuse.org

https://lists.opensuse.org/opensuse-support/

https://discordapp.com/invite/openSUSE

https://www.facebook.com/groups/opensuseproject

Get involved

The openSUSE Project is a worldwide community that promotes the use of Linux everywhere. It creates two of the world’s best Linux distributions, the Tumbleweed rolling-release, and Leap, the hybrid enterprise-community distribution. openSUSE is continuously working together in an open, transparent and friendly manner as part of the worldwide Free and Open Source Software community. The project is controlled by its community and relies on the contributions of individuals, working as testers, writers, translators, usability experts, artists and ambassadors or developers. The project embraces a wide variety of technology, people with different levels of expertise, speaking different languages and having different cultural backgrounds. Learn more about it on opensuse.org

1 [Root login is disabled by default. Please read details in the Try Cockpit in Leap Release Candidate article.

***** Two bugs related to Chrome with Wayland on GNOME 45 may see a fix coming in an update. *****

Retrospective

Provide your feedback to our release team by visiting survey.opensuse.org/ and taking our retrospective survey.

More Information about openSUSE:

Official

• openSUSE News
• openSUSE Mailing List
• openSUSE Wiki

Fediverse

• https://discuss.tchncs.de/c/[email protected]

_{^{(Image made with DALL-E)}}