fidzu : Fedora

Your company just finished Series B. You have cash to spend. You have a great product with a Go stack that compiles to a single static binary.

Your engineering team spends 25% of their time securing that stack. You invest millions in infrastructure defense: Stateful firewalls, AI-augmented scanning, Red Teams, Blue Teams, and rigorous DevSecOps pipelines. You even partner with major cloud providers to ensure your supply chain is audited.

You are serious about security. You have built a fortress.

And then, to install your product, you tell enterprise customers to run this:

curl -fsSL https://my-really-cool-company.com/install.sh | sh

This single line undermines your entire security architecture.

12 Dec 2025 4:00pm GMT

Tengo rato pensando: "¿Qué más ahbrá en cunato a SSH y sus certificados, llaves y demás cosas?". El openssh tiene más que ofrecer, seguramente, que lo que usamos al día a día. Basta con echarte un clavado en los man pages del mismo y ver que así es.

La neta, son perros para manejar autenticación a escala, con expiración automática y políticas bien cabronas. En Fedora 43, con SELinux cuidándonos la espalda, es aún más seguro.

Esta guía completa es tu mapa (y el mío) para dominar los certificados SSH. Incluye comparaciones profundas, mejores prácticas de seguridad, tips de automatización y ejemplos extensos. Ya sea que estés asegurando un centro de datos o un laboratorio casero, esto te va a subir el nivel en cuanto a SSH se refiere.

ssh-keygen -t ed25519 -f ca_key -C "SSH CA para ejemplo.tld"

ssh-keygen -t rsa -b 8192 -f ca_key -C "SSH CA para ejemplo.tld"

ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519 -C "juan@ejemplo.tld"

ssh-keygen -s ca_key -I "juan@ejemplo.tld" -z 1 ~/.ssh/id_ed25519.pub

ssh-keygen -s ca_key -I "juan@ejemplo.tld" -n juan,respaldo -z 2 ~/.ssh/id_ed25519.pub

ssh-keygen -s ca_key -I "juan@ejemplo.tld" -n juan,respaldo -O no-port-forwarding -O no-agent-forwarding -z 3 ~/.ssh/id_ed25519.pub

ssh-keygen -s ca_key -I "juan@ejemplo.tld" -n juan,respaldo -O no-port-forwarding -O no-agent-forwarding -V +30d -z 4 ~/.ssh/id_ed25519.pub

ssh-keygen -s ca_key -I "respaldo@ejemplo.tld" -n respaldo -O force-command="/usr/bin/rsync --server --daemon" -V +1d -z 5 ~/.ssh/id_ed25519.pub

ssh-keygen -s ca_key.pub -D /usr/lib/opensc-pkcs11.so -I "juan@ejemplo.tld" -z 6 ~/.ssh/id_ed25519.pub

ssh-add ca_key
ssh-keygen -Us ca_key.pub -I "juan@ejemplo.tld" -z 7 ~/.ssh/id_ed25519.pub

12 Dec 2025 4:00pm GMT

12 Dec 2025 10:39am GMT

This article series takes a closer look at interesting projects that recently landed in Copr.

Copr is a build-system for anyone in the Fedora community. It hosts thousands of projects with a wide variety of purposes, targeting diverse groups of users. Some of them should never be installed by anyone, some are already transitioning into the official Fedora repositories, and others fall somewhere in between. Copr allows you to install third-party software not found in the standard Fedora repositories, try nightly versions of your dependencies, use patched builds of your favourite tools to support some non-standard use-cases, and experiment freely.

If you don't know how to enable a repository or if you are concerned about whether is it safe to use Copr, please consult the project documentation.

Vicinae

Vicinae is a fast application launcher written in C++/QT. Inspired by tool Raycast, it provides instant app and file search and clipboard history. It also includes built-in utilities such as a calculator and web search, along with support for extensions written in TypeScript. It is designed to be highly responsive and native for Wayland environment. Therefore, if you like keeping your hands on the keyboard or want a customizable, extensible launcher for your desktop, Vicinae may be worth trying.

Installation instructions

The repo currently provides vicinae for Fedora 42, 43, and Fedora Rawhide. To install it, use these commands:

sudo dnf copr enable scottames/vicinae
sudo dnf install vicinae

UZDoom

UZDoom is a modern DOOM source port that builds upon classic GZDoom engine, offering hardware-accelerated rendering, an updated scripting system, improved mod support, and high-quality audio playback. At the same time, it maintains compatibility with classic WAD files while making the experience smooth on current systems.

Whether you are playing the original episodes or diving into extensive mod packs, UZDoom offers a convenient way to enjoy them.

Installation instructions

The repo currently provides uzdoom for Fedora 42, 43, and Fedora Rawhide. To install it, use these commands:

sudo dnf copr enable nalika/uzdoom
sudo dnf install uzdoom

Plasma Panel Colorizer

Plasma Panel Colorizer is a widget for KDE Plasma that allows you to customize the panel's appearance. In addition, it offers options for background tinting, blur, custom opacity levels, shadows, floating panels, or themes that differ from the stock Plasma look. It also includes full blur support and is updated for Plasma 6, making it easy to adjust your panel exactly the way you want.

Installation instructions

The repo currently provides plasma-panel-colorizer for Fedora 42, 43, and Fedora Rawhide. To install it, use these commands:

sudo dnf copr enable peridot-augustus/plasma-panel-colorizer
sudo dnf install plasma-panel-colorizer

sfizz-ui

Sfizz-ui is the graphical interface for the sfizz sampler engine, which is an open-source player for SFZ instrument libraries. The UI provides an accessible way to load SFZ instruments, adjust parameters, and integrate the sampler into your workflow. It also includes plugin support such as LV2 and VST3, making it suitable for music creation in a Linux DAW environment.

For musicians, sound designers, or anyone using SFZ sample libraries, sfizz-ui offers a polished interface.

Installation instructions

The repo currently provides sfizz-ui for Fedora 41, 42, and 43. To install it, use these commands:

sudo dnf copr enable lexridge/sfizz-ui
sudo dnf install sfizz-ui

12 Dec 2025 8:00am GMT

11 Dec 2025 12:15pm GMT

10 Dec 2025 12:30pm GMT

LFX Insights is a handy platform from the Linux Foundation that provides a variety of data on open source projects. Among the statistics it reports is contributions outside of working hours. Some users reported errors with how this information is reported, which got me thinking about the value of this measure. The short version: there's very little value.

Why measure outside-of-working-hours contributions?

LFX Insights includes this measure as a signal of a project's sustainability. Projects that rely heavily on people making after hours contributions, the thinking goes, will have a harder time attracting and retaining contributors.

As a software consumer, you don't want your upstreams to suddenly disappear because that will present supply chain risks. It could mean vulnerabilities go unpatched. It could also mean that new features aren't added. Either way, this puts the onus on the project's users to carry the load.

As a project leader, you may be less concerned about whether or not a company downstream has to devote extra engineering time, but you probably do want your contributors to stick around anyway. Onboarding, mentoring, and growing contributors takes a lot of time and effort. You want to make sure people can stick around.

Why this measure fails

Despite the good intentions of measuring contributions outside working hours, the reality fails to deliver. There are some straightfoward reasons for this. Not everyone's working hours are the same. Not everyone's working hours are consistent. Some people use a different time zone on their computer. Not everyone's working days are the same. Holidays vary widely across countries and religions. People (hopefully) take time off.

Then there's the cultural mismatch. Linux Foundation projects are, to a first approximation, by companies for companies. The Linux Foundation is a 501(c)(6), not a charity, so it makes sense that it would view the world through a business lens. I don't fault them for that. LF project contributors are more likely to make contributions during the working day than contributors to a "hobbyist" project.

But that workday tendency doesn't necessarily mean people will stick around projects longer if the project is tied to their job. As the last few years have shown, tech sector layoffs can come for anyone at any time. If someone is only working on an open source project because it's part of their job, then when the job changes, they'll probably stop. People who work on an open source project for non-job reasons will likely stick around through job changes.

Thus one could argue that a project with a high degree of outside-working-hours contributions is more sustainable.

What to measure instead

If measuring contributions outside of working hours isn't helpful, what is? Focus on what you're worried about. Worried that everyone will disappear? Measure the activity over time. Worried that when a new vulnerability is discovered the lone maintainer will be backpacking through the Alps? Measure the spread of the contributions. Worried that the project doesn't have enough people to follow secure coding practices? Measure the security posture.

Of course, the best answer is to stop trying to measure sustainability and contribute to making the project more sustainable instead.

This post's featured photo by Joshua Olsen on Unsplash.

The post The do's and don'ts of measuring contributions "outside of working hours" appeared first on Duck Alignment Academy.

10 Dec 2025 12:00pm GMT

Generative AI systems are changing the way people interact with computers. MCP (model context protocol) is a way that enables LLMs to run commands and use tools to enable live, conversational interaction with systems. Using the new linux-mcp-server, let's walk through how you can talk with your Fedora system for understanding your system and getting help troubleshooting it!

Introduction

Large language models (LLMs) can be an invaluable tool when investigating an issue on a Linux system. However, this can involve a lot of copy/pasting of information from the Linux terminal into a web based interface to an LLM model.

The model context protocol (MCP) acts as a bridge, enabling LLMs to interact with external tools and data sources. The linux-mcp-server utilizes this protocol to give LLMs the ability to interact with a Fedora Linux system. Instead of you manually copying and pasting terminal output, the linux-mcp-server enables the LLM to directly query system information and log entries.

By enabling an LLM direct access to system information and logs, it is transformed into an active part of the investigation process when troubleshooting an issue. It empowers an LLM to directly query the system state, allowing it to help identify performance bottlenecks, and identify important log entries that might be missed by a manual review.

What is the model context protocol (MCP)?

Anthropic introduced MCP in November 2024 as an open standard for LLM tool use. This provides a way for LLMs to interact with outside systems and data sources.

Prior to MCP, there wasn't as strong a standard and ecosystem for LLM systems to call tools. LLMs were thus frequently limited to have only the information contained in their training. They were isolated from the outside world. For example, if you asked an LLM "what is the weather going to be next week", the LLM would respond with a message indicating that it doesn't know what the weather will be, as it doesn't have access to that information. MCP helps solve this problem by enabling a standardized way for an LLM to access an outside data source, such as the weather forecast.

At a high level, users can use an AI agent application, such as Goose (open source), or Claude Desktop, and specify which MCP servers they would like to use. The AI agent application informs the LLM that there are tools available via these MCP servers that can be used to help answer the requests from the user. The LLM model can then decide when to invoke these tools.

MCP is an open standard. You have the flexibility to use MCP servers, such as linux-mcp-server, with either open source-licensed LLM models, or hosted proprietary LLM models.

What is the linux-mcp-server?

The linux-mcp-server is a project started by Red Hat's RHEL Engineering team. It provides a number of tools that enable an LLM to query information from a Linux system, such as system info, service information and logs, process information, journald and other logs, network information, and storage and disk information. For a full list of the tools provided, refer to the project's Github page.

These tools, provided by linux-mcp-server, are focused on providing the LLM access to read-only information. In the future, we'll be exploring expanding past these read-only use cases.

The linux-mcp-server can be used to interact with the local Fedora Linux system that it is running on. It can also be used to interact with remote Fedora Linux systems over SSH. For example, if you have SSH key authentication setup with the remote systems, you could make a request to your AI agent application such as "Determine the current memory usage on the fedora1.example.com, fedora2.example.com, and fedora3.example.com servers".

Prerequisites

The main components needed are an AI agent application, access to LLM model inference, and the linux-mcp-server.

There are a number of options for the AI agent application, both open source and proprietary. An example of an open source AI agent is Goose, which provides an RPM that can be installed on Fedora.

There are several LLM model inference options, ranging from locally hosted open source models, to proprietary hosted LLM models. If hosting a model locally, you generally need to have GPU/accelerator hardware available. Open source tools that can be used to locally host LLM models include RamaLama, llama.cpp, and Ollama. There are a number of open source LLM models capable of tool calling. These include models such as gpt-oss-20b and Granite 4 small.

Once you've installed your preferred AI agent application, the next step is to install the linux-mcp-server and configure your AI agent application to use it. The linux-mcp-server Github page includes installation instructions, and configuration details for Goose and Claude Desktop.

Use cases for linux-mcp-server

Dear Fedora, why are you so slow today?

Has this happened to you? Time to hop on a call and give a demo. You're pumped. It's your go-time aaaaand… your system starts lagging. Folks on the call say your video is choppy or they can't understand you. OH NO.

You've got to assess what's up, quickly. Run `top`, check `dmesg`, check your network connection (read the man page for `netstat` because you can't remember the flag you want), check `journalctl`, cross-reference what you're seeing, then start killing processes, restarting services, reloading kernel modules willy-nilly based on hastily-crafted theories, see if it improves…

This is a case where you could actually ask the system to tell you why it's slow and give it the ability to do the analysis via linux-mcp-tools. The LLM you connect with won't just run the commands through the MCP server; it will understand what the numbers it gets means in context and be able to explain in human terms.

So let's start working with a relatively new laptop. It's a Thinkpad T14S with the AMD Ryzen AI Pro 7 ( Ryzen AI 360 chip.) Recently one of the wifi networks it must connect to regularly was upgraded. It now has issues with the network connection stability. So let's talk to Goose + gpt-oss:20b + linux-mcp-server about it. Here's the initial prompt I used:

My Wifi doesn't work very well. It cuts out after a few minutes. Help me fix it. Can you find the error messages in the system logs and diagnose the problem?

It responded with the following:

I'll help you diagnose your WiFi connectivity issues by examining the system logs for error messages related to your network interfaces and wireless connectivity. Let me start by gathering information about your system and checking the relevant logs.

It then made a series of tool calls, including Get System Information, Get Network Interfaces, Get Journal Logs, Get Hardware Information, Get Service Status service_name:NetworkManager, Get Service Status service_name:wpa_supplicant, Read Log File. The result was this analysis, which is the actual problem I was hoping it could find!

Not too bad an analysis and set of debugging steps! I'll follow up in the comments and let you know if the solution works.

Where'd my disk space go, Fedora?

Trawling through `du` on the command line, converting the numbers in your head, sorting them - it can be tedious. We even have graphical tools like `baobab`, but it takes time to load in the results and explore the data. And sometimes you might have questions it can't answer in terms of the risk of deleting a specific directory, or the age of a specific file. It's easier to be sloppy and just let the disk fill up. But there comes a time where that is no longer an option.

You can ask the system using the linux-mcp-server to analyze your disk usage, give you a hitlist of the top space-eating places on the file system, and give you advice with a risk analysis of how to clean it up.

Here's my prompt:

I need help analyzing disk usage on my system. Can you:

1. Show me the current disk usage across all filesystems using get_disk_usage
2. Use list_directories_by_size to show me the 10 largest directories (this will help identify where disk space is being consumed)
3. Check if there are any large log files consuming space using get_journal_logs or read_log_file
4. Review running processes with list_processes to see if any are consuming excessive resources or creating temporary files

After gathering this information, help me identify potential space-saving opportunities and assess the safety of cleaning up specific directories. Please don't only examine top-level directories. I want you to go deep if needed to find out where the largest files are!

I ran this prompt on my Fedora 42 system using linux-mcp-server with Goose connected to locally-served gpt-oss:20b, and here's the output I got:

gio trash --empty

podman system prune -a   # or docker system prune -a

pnpm store prune         # if pnpm is installed

pip cache purge          # for Python

virtualenv --clean       # optional

du -h --max-depth=1 ~/duffy/.local/share/containers

Upgrade planning

So you may have noticed a little detail above - the system is a Fedora 42 system… and Fedora 43's been out a month now! So, time to upgrade.

This example shows where we have some tools missing from the set provided in the linux-mcp-server. We're including it for two reasons:

• So you can see how this works manually
  You can see that even when specific tools you might not need are available in the MCP server, you can have the response give you instructions on commands to run on your own, and copy/paste the command output back into your chat to get analysis alongside the data the system is able to pull via the MCP tool calls;
• To encourage you to submit additional tools to our project!
  We would love your additions to the project! Here's where to get started: https://github.com/rhel-lightspeed/linux-mcp-server/blob/main/docs/CONTRIBUTING.md

Here's the prompt I started with, with the same Goose + gpt-oss:20b + linux-mcp-server combination:

You are a Linux system administrator assistant analyzing a Fedora system for upgrade readiness.

TASK: Examine this Fedora 42 system and provide a comprehensive upgrade readiness report for Fedora 43.

ANALYSIS CHECKLIST:
1. Check current Fedora version: cat /etc/fedora-release
2. Review system updates status: dnf check-update
3. Identify third-party repositories: dnf repolist
4. List installed packages from non-Fedora repos: dnf list installed | grep -v @fedora
5. Check for broken dependencies: dnf check
6. Review disk space on root partition: df -h /
7. Check for unsupported or deprecated packages
8. Identify custom kernel modules: lsmod | grep -v "^Module"
9. Review SELinux status: sestatus
10. Check for pending system updates: dnf upgrade --refresh --assumeno

REPORT FORMAT:

# Fedora 43 Upgrade Readiness Report

## Current System Status
- Fedora version: [version]
- Kernel: [kernel version]
- Updates status: [current/outdated]

## Potential Issues
[List blocking issues with HIGH/MEDIUM/LOW severity]

## Third-Party Software
[List non-Fedora packages that may need attention]

## Recommendations
[Specific pre-upgrade steps needed]

## Overall Readiness: [READY/NEEDS ATTENTION/NOT READY]
Run the necessary commands and provide this analysis. Be specific about any issues found and give actionable recommendations.

Now, right away the model came back to me to complain it doesn't have access to `dnf`, `cat`, etc. And that's expected here. What it did was give me a list of homework to run for it to complete the analysis… for example, `dnf check-update` and `cat /etc/fedora-release`. I had a little back and forth in Goose with the model where it would ask me to run a command and I'd copy the output into the context. This resulted, finally, in the following report:

sudo dnf check

sudo dnf repolist

dnf list installed | grep -v @fedora

Give it a try, let us know what you think!

You can see from these few examples that tool calling with LLMs is a valuable tool for troubleshooting Linux systems. We could use your help building this and making it awesome! How can you help?

• Give it a try, let us know what you think, file any bugs you find, and let us know what tools are missing that you could use! You can respond in the comments here, file a bug, or chat with us on Fedora matrix.
• We're primarily working with Goose as our client, but if you have another preferred client and want to help us support it better, we'd love to work with you!
• Get involved in the linux-mcp-project generally, we'd love to see your PRs!
• Let us know what you'd like to see in the future. What workflows would you like to see supported? How do you see this making your Fedora or overall Linux experience better? What larger workflows do you see this plugging into?

Join us upstream at https://github.com/rhel-lightspeed/linux-mcp-server! And come chat with us in the Fedora AI/ML SIG chat room on Matrix!

10 Dec 2025 8:00am GMT

10 Dec 2025 7:00am GMT

10 Dec 2025 5:00am GMT

WebKitGTK 2.50.3 contains a workaround for CVE-2025-13947, an issue that allows websites to exfiltrate files from your filesystem. If you're using Epiphany or any other web browser based on WebKitGTK, then you should immediately update to 2.50.3.

Websites may attach file URLs to drag sources. When the drag source is dropped onto a drop target, the website can read the file data for its chosen files, without any restrictions. Oops. Suffice to say, this is not how drag and drop is supposed to work. Websites should not be able to choose for themselves which files to read from your filesystem; only the user is supposed to be able to make that choice, by dragging the file from an external application. That is, drag sources created by websites should not receive file access.

I failed to find the correct way to fix this bug in the two afternoons I allowed myself to work on this issue, so instead my overly-broad solution was to disable file access for all drags. With this workaround, the website will only receive the list of file URLs rather than the file contents.

Apple platforms are not affected by this issue.

09 Dec 2025 3:29pm GMT

Apply now for the Flock to Fedora 2026 Call for Proposals (CfP) at cfp.fedoraproject.org. This year, the submission deadline for the Flock CfP is Monday, February 2nd, 2026.

Flock 2026 registration is open

Last month we announced that we'll be convening again in Prague for Flock 2026 in June. Everyone interested in attending can head over to the Flock 2026 website and register today! For those of you who want to contribute to Flock by presenting your thoughts and ideas in front of your fellow contributors, we've got some inspiration for you in the form of updated proposal themes.

Flock 2026 proposal themes

This year's proposal themes are inspired by Fedora's four foundations:

1. Freedom: The Open Frontier - This theme explores how Fedora pushes the boundaries of technological freedom. We invite proposals on FOSS approaches to Artificial Intelligence, the advancement of open hardware like RISC-V, the development of open standards, and the protection of data privacy. Sessions should focus on how our work in the Fedora Project creates a more free and collaborative technological world for everyone.
2. Friends: Our Fedora Story - This theme celebrates the people and practices that make our community unique. We seek proposals that share stories of mentorship, successful team collaboration, and effective onboarding within Fedora. Collaboration is key to our success. Sessions about our partnerships with other FOSS communities should center on the mutual benefits and the positive impact these relationships have on the Fedora Project.
3. Features: Engineering Fedora's Core - As a contributor conference, this theme dives deep into the craft of building our distribution and other Fedora outputs. We welcome sessions on improvements to our infrastructure, release engineering processes, quality assurance, packaging, and community tooling. This is the place for technical talks that showcase our engineering excellence and the collaborative work that makes Fedora's deliverables possible, from code to final artifact.
4. First: Blueprint for the Future: Fedora Linux 45 & 46 - This theme focuses on the near-term innovations that will define the next generation of Linux. With the next few Fedora Linux releases serving as the foundation for RHEL 11 and EPEL 11, this is a critical time. We are looking for forward-looking technical talks on the changes, features, and architectural decisions in F45 and F46 that will shape the future of the operating system, from the community desktop to the core of the enterprise platforms.

These themes are here to help get you thinking about topics you'd like to present. If you have something you want to talk about that doesn't quite fit neatly into these themes, but you feel it belongs at Flock, go ahead and submit anyways! The reviewers are open to alternative topics. They are on the look out for topics that Fedora contributors are interested in discussing.

Flock financial travel assistance available

Financial travel assistance applications are now open as well. When you go to register to attend on the Flock 2026 website, you should also see links on how to apply for travel assistance if you need it. Financial assistance will be open until March 8th (several weeks after CfP closes on Febuary 8th). This is to give those with accepted talks an opportunity to figure out if they'll need travel assistance.

09 Dec 2025 8:00am GMT

08 Dec 2025 1:00pm GMT

08 Dec 2025 5:00am GMT

hey everyone, it's saturday so time for another recap of adventures in fedora infrastructure and other fedora areas.

06 Dec 2025 7:29pm GMT

06 Dec 2025 4:30pm GMT