fidzu : Ubuntu

The Ubuntu Studio team is pleased to announce the release of Ubuntu Studio 24.04.3 LTS. This is a minor release which wraps-up the security and bug fixes into one .iso image, available for download now.

The biggest change is the lowlatency kernel has been officially retired, replaced by the generic Ubuntu kernel. Those that have been using Ubuntu Studio 24.04 and upgraded may have already noticed this change.

With that said, much like Ubuntu Studio 24.10 and higher, the generic kernel includes kernel parameters added upon boot that allow the kernel to act in a lowlatency mode, so you now can enjoy the benefits of the lowlatency kernel while using the generic kernel.

We realize this may come as a shock, but when 24.04 was released, we knew this day would eventually come. However, there is no difference between the lowlatency kernel and the generic kernel with these boot parameters. They are:

• preempt=full: Makes the kernel fully preemptible
• rcu_nocbs=all Offloads Read-Copy Update (RCU) callbacks from all CPUs dedicated to kernel threads, improves real-time performance
• threadirqs Forces interrupt handlers to run in a threaded context, reducing buffer xruns

These kernel parameters can be found in the files in /etc/defaults/grub.d

Please give financially to Ubuntu Studio!

Giving is down. We understand that some people may no longer be able to give financially to this project, and that's OK. However, if you have never given to Ubuntu Studio for the hard work and dedication we put into this project, please consider a monetary contribution.

Additionally, we would love to see more monthly contributions to this project. You can do so via PayPal, Liberapay, or Patreon. We would love to see more contributions!

So don't wait, and don't wait for someone else to do it! Thank you in advance!

Donate using PayPal Donations are Monthly or One-Time

Donate using Liberapay Donations are Weekly, Monthly, or Annually

Donate using Patreon Become a Patron!Donations are Monthly

08 Aug 2025 4:15am GMT

The Ubuntu team is pleased to announce the release of Ubuntu 24.04.3 LTS (Long-Term Support) for its Desktop, Server, and Cloud products, as well as other flavours of Ubuntu with long-term support.

As usual, this point release includes many updates and updated installation media has been provided so that fewer updates will need to be downloaded after installation. These include security updates and corrections for other high-severity bugs, with a focus on maintaining stability and compatibility with Ubuntu 24.04 LTS.

Kubuntu 24.04.3 LTS, Ubuntu Budgie 24.04.3 LTS, Ubuntu MATE 24.04.3 LTS, Lubuntu 24.04.3 LTS, Ubuntu Kylin 24.04.3 LTS, Ubuntu Studio 24.04.3 LTS, Xubuntu 24.04.3 LTS, Edubuntu 24.04.3 LTS, Ubuntu Cinnamon 24.04.3 LTS and Ubuntu Unity 24.04.3 LTS are also now available. More details can be found in their individual release notes (see 'Official flavours'):

https://discourse.ubuntu.com/t/ubuntu-24-04-lts-noble-numbat-release-notes/39890

Maintenance updates will be provided for 5 years from the initial 24.04 LTS release for Ubuntu Desktop, Ubuntu Server, Ubuntu Cloud, and Ubuntu Core. All the remaining flavours will be supported for 3 years. Additional security support is available with ESM (Expanded Security Maintenance).

To get Ubuntu 24.04.3 LTS

In order to download Ubuntu 24.04.3 LTS, visit:

https://ubuntu.com/download

Users of Ubuntu 22.04 LTS will be offered an automatic upgrade to 24.04.3 LTS via Update Manager.

We recommend that all users read the 24.04.3 LTS release notes, which document caveats and workarounds for known issues, as well as more in-depth notes on the release itself. They are available at:

https://discourse.ubuntu.com/t/ubuntu-24-04-lts-noble-numbat-release-notes/39890

If you have a question, or if you think you may have found a bug but aren't sure, you can try asking in any of the following places:

https://matrix.to/#/#discuss:ubuntu.com

https://discourse.ubuntu.com/support

https://lists.ubuntu.com/mailman/listinfo/ubuntu-users

Help Shape Ubuntu

If you would like to help shape Ubuntu, take a look at the list of ways you can participate at:

https://discourse.ubuntu.com/contribute

About Ubuntu

Ubuntu is a full-featured Linux distribution for desktops, laptops, clouds and servers, with a fast and easy installation and regular releases. A tightly-integrated selection of excellent applications is included, and an incredible variety of add-on software is just a few clicks away.

Professional services including support are available from Canonical and hundreds of other companies around the world. For more information about support, visit:

https://ubuntu.com/support

More Information

You can learn more about Ubuntu and about this release on our website listed below:

https://ubuntu.com/

To sign up for future Ubuntu announcements, please subscribe to Ubuntu's very low volume announcement list at:

https://lists.ubuntu.com/mailman/listinfo/ubuntu-announce

Originally posted to the ubuntu-announce mailing list on Thu Aug 7 14:22:28 UTC 2025 by Paride Legovini on behalf of the Ubuntu Release Team

08 Aug 2025 12:53am GMT

JetBrains releases IntelliJ IDEA 2025.2 with offline AI code completion, Java 25 support, Spring tools, and Maven 4 enhancements.

You're reading IntelliJ IDEA 2025.2 Released with Offline AI Code Completion, a blog post from OMG! Ubuntu. Do not reproduce elsewhere without permission.

07 Aug 2025 6:52pm GMT

Ubuntu 24.04.3 LTS is the third point release to the 'Noble Numbat'. It adds 6 months worth of updates, a new Linux kernel and updated drivers.

You're reading Ubuntu 24.04.3 LTS Released with Linux 6.14 + Mesa 25, a blog post from OMG! Ubuntu. Do not reproduce elsewhere without permission.

07 Aug 2025 4:08pm GMT

O Miguel fez declarações polémicas que vão incendiar as redes sociais, descobriu um simulador de vôo para Linux para perder mais tempo e o Diogo passou-se definitivamente para a Digi, onde (não) vai poder usufruir de velocidades de 10 Gbps. Surpreendentemente…também foi às compras: auscultadores, chaves USB, monitores portáteis, mini pc's com Twin Lake N150…foi um fartote de despesismo. Mas também falámos sobre as últimas versões de Ubuntu com instantâneos de desenvolvimento, «rolling release»; o novo livro «The Ultimate Ubuntu Handbook» e as últimas novidades do Ubuntu Touch, que prometem!.

Já sabem: oiçam, subscrevam e partilhem!

• https://www.x-plane.com/
• https://www.youtube.com/watch?v=ILylmS5Ivp8
• https://www.youtube.com/watch?v=JMz_gONS8X0
• https://youtu.be/Ti8T70XZUzM
• https://youtu.be/BApjrtV_dow
• https://store.steampowered.com/search/?term=x-plane&os=linux&supportedlang=english&ndl=1
• https://www.amazon.es/dp/B0D8Q5FNVL
• https://www.amazon.es/dp/B0DT9MMZTL
• https://www.amazon.es/dp/B0DGXJS6BF
• https://www.amazon.es/dp/B0CJC91T4J
• https://www.amazon.es/dp/B0D1MZM9BN
• https://discourse.ubuntu.com/t/listening-to-contributors-code-documentation-translation-testing-etc-participate-in-a-feedback-session/63837
• Questing Quokka 25.10 Wallpaper Competition: https://discourse.ubuntu.com/t/questing-quokka-25-10-wallpaper-competition/61560
• https://discourse.ubuntu.com/t/questing-quokka-25-10-wallpaper-competition/61560
• Ubucon Africa / DjangoCon Africa, Arusha, Tanzania, 11 a 15 de Agosto: https://ubuntu.com/blog/ubucon-africa-and-djangocon-africa-2025
• https://2025.djangocon.africa/
• Festa do Software Livre 2025, Porto, 3 a 5 de Outubro: https://festa2025.softwarelivre.eu/pt/
• Ubuntu Summit 2025, Londres, 23-24 de Outubro: https://ubuntu.com/blog/ubuntu-summit-25-10-is-coming-to-your-circle-of-friends-from-london
• LoCo PT: https://loco.ubuntu.com/teams/ubuntu-pt/
• Mastodon: https://masto.pt/@pup
• Youtube: https://youtube.com/PodcastUbuntuPortugal

Atribuição e licenças

Este episódio foi produzido por Diogo Constantino, Miguel e Tiago Carrondo e editado pelo Senhor Podcast. O website é produzido por Tiago Carrondo e o código aberto está licenciado nos termos da Licença MIT. (https://creativecommons.org/licenses/by/4.0/). A música do genérico é: "Won't see it comin' (Feat Aequality & N'sorte d'autruche)", por Alpha Hydrae e está licenciada nos termos da CC0 1.0 Universal License. Os separadores de péssima qualidade foram tocados ao vivo e sem rede pelo Miguel, pelo que pedimos desculpa pelos incómodos causados. Este episódio e a imagem utilizada estão licenciados nos termos da licença: Attribution-NonCommercial-NoDerivatives 4.0 International (CC BY-NC-ND 4.0), cujo texto integral pode ser lido aqui. Estamos abertos a licenciar para permitir outros tipos de utilização, contactem-nos para validação e autorização. A arte de episódio foi criada por encomenda pela Shizamura - artista, ilustradora e autora de BD. Podem ficar a conhecer melhor a Shizamura na Ciberlândia e no seu sítio web.

07 Aug 2025 12:00am GMT

Linux Mint 22.2 beta ISOs are being tested according to information on the distro's internal testing server. This suggests a public beta is imminent.

You're reading Linux Mint 22.2 Beta Coming Soon, ISOs Enter Testing, a blog post from OMG! Ubuntu. Do not reproduce elsewhere without permission.

06 Aug 2025 10:59pm GMT

Free office suite ONLYOFFICE has been updated with a new AI Agent, preinstalled plugins, and a flurry of fixes. Details on what the agent can do inside.

You're reading ONLYOFFICE Adds "AI Agent" to Help You Work "Effortlessly", a blog post from OMG! Ubuntu. Do not reproduce elsewhere without permission.

06 Aug 2025 10:42pm GMT

Does operating system (OS) security matter?

Meet Pal. Pal is a senior developer working at PalBank. For the next 6 months, Pal will be responsible for leading the development of the bank's web application client, which will be used daily by millions of customers.

Pal invests considerable effort into designing and implementing the most secure app reasonably achievable: tightly controlled and secure development, build and deployment pipelines, static code analysis, pen-testing by external parties, multi-factor authentication to access the app and encrypting data at rest. And the list goes on!

Pal's working hard, isn't he? Unfortunately, while such efforts are essential, they are insufficient! And even if we assumed, for the sake of argument (and humor), that the PalBank's client web app is completely free of all known and unknown software vulnerabilities, the app's security guarantees are bound to be threatened once consumers run it on their endpoint devices.

The app will be threatened by the millions of lines of code which comprise the platform's privileged system software if it becomes either malicious or compromised. Within this context, system software includes the operating system, virtual machine manager, and all the platforms' firmware embedded within.

To put it differently, it matters little if a user chooses a perfectly strong and unique password, when their operating system is infected with a keylogger leaking it to malicious third-parties. Similarly, it matters little if your code has no buffer overflows, if your operating system is backdoored and simply decides to leak all your customers' data to malicious third parties.

So why does the security of user-level applications depend on the security of its underlying system software?

The reason is the hierarchical architecture of commodity devices: privileged system software gets unrestricted access to all the resources of unprivileged user-level applications, because it controls its execution, memory, and access to the underlying hardware. Indeed, it's a feature, not a bug!

Photo by regularguy.eth on Unsplash

Photo by regularguy.eth on Unsplash

Therefore, it's extremely important to consider the state of security of the operating system of end point devices, and to use the most secure operating system possible.

Enter: Linux

Linux refers to a group of operating systems which are built from open source software and the Linux kernel, bundled together into a Linux distribution. In 2004, Mark Shuttleworth founded Canonical to produce the Ubuntu distribution, and Canonical has published a new Ubuntu release every 6 months since then.

Open source means that the software is published with a license that allows anyone to look at the source code, modify and distribute it as they wish. It's typically developed in a collaborative fashion by coders from around the world. There are numerous variations of open source licenses, but they all generally permit this model of open collaboration and distribution.

Linux is equally at home powering a laptop as running a mission-critical application in the cloud or on your servers. The Linux kernel is the beating heart of the operating system, but it runs behind the scenes - all the applications that we use every day, such as a web browser, email program, card games, developer tools etc, run on top of the kernel.

They are developed by separate groups, and then it's up to a publisher like Canonical to bundle all the software that people might need together into a single secure linux distribution; Ubuntu provides many thousands of the most popular applications and software packages in the latest Nobel Numbat release.

A new version of Ubuntu is released every 6 months, in April and October, with a friendly name (e.g. Plucky Pluffin) and a release number reflecting the year and month it was produced. Every two years, the April release is designated a Long Term Support version, which means that Canonical will provide updates and security fixes for software packages for 5 years. Canonical has been supporting Ubuntu in this way since 2004.

Ubuntu is published in 3 editions: Desktop, Server, and Core (for IoT devices and robots). Over 3 million people run Ubuntu Desktop and over 100,000 new Ubuntu instances are launched every single day in the public cloud.

What about security?

A security vulnerability is a software flaw or bug that can be exploited to allow an adversary to gain unintended access to a system or to harm its operation in some way. Security vulnerabilities are an unavoidable fact of life, but it's how we deal with them that makes all the difference. No software system is immune from security vulnerabilities, and every software system we use today needs to be kept up-to-date with the latest fixes.

In the open source world we can be fully transparent about which issues have been fixed and when, because the source code is open to inspection for everyone. The vast majority of security vulnerabilities are discovered by researchers who study software and report issues in order to fix them and improve the software for everybody.

They operate using a responsible disclosure model, where the researcher reports the vulnerability to the software publisher who then has enough time to implement a fix for the issue and release an updated version of the software before the researcher tells the world about the vulnerability.

Not everybody operates like this though, and there are some malicious actors who discover vulnerabilities to keep for their own nefarious purposes, or to sell to others for use in "zero-day" attacks (so called because the software developer has had zero-days notice to fix the issue and release a patch).

Patching known vulnerabilities

How can known vulnerabilities harm you? After all, if we know about a security gap and the patch which is guaranteed to resolve it is available, surely everyone would immediately patch their affected systems. Right? Unfortunately, that is far from reality! In a report published in Verizon 2022, only 25% of the scanned organizations were found to patch known vulnerabilities within two months of their public disclosure.

Photo by Sajad Nori on Unsplash

But why would someone willingly and knowingly leave their organization vulnerable to cyber attacks? Once more, the answer lies in the eternal tension between security and usability. Ask any system administrator, and they will tell you that the unscheduled work it takes to patch vulnerabilities is time-consuming, expensive and sometimes just impossible because they need to keep the server up and running.

Livepatch: patch your kernel while it is running

Ask these same administrators again, and they will also tell you that they would love a solution which would allow them to patch vulnerabilities while the system runs without requiring a reboot. Problem solved! For the Ubuntu kernel, this is precisely what Livepatch offers.

Livepatch allows you to patch the kernel's critical and high severity vulnerabilities at run time. According Snyc , the latter account for 40% of all high and critical vulnerabilities. Therefore, Livepatch will bring your organization quantifiable benefits and an unmatched return on investment for the ultimate secure Linux deployment.

"Livepatch is a perfect fit for our needs. There's no other solution like it, and it's highly cost-effective. Manually migrating virtual machines, applying kernel updates, and rebooting took an average of 32 hours per server. Multiplied by 80 servers, that was more than 2,500 hours of work."

Shinya Tsunematsu, Senior Engineering Lead of Tech Division, GMO Pepabo

Read the GMO Pepabo case study ›

An extra security advantage

But what about your other non-kernel, business-as-usual vulnerabilities that are not covered by Livepatch? This is precisely where the Canonical ecosystem shines! With each Ubuntu Long Term Support (LTS) release, you always benefit from 5 years of standard security maintenance for the base OS, critical software packages and infrastructure components.

And if for any reason you cannot upgrade to the next LTS release after 5 years, you can use Canonical's Expanded Security Maintenance in order to remain secure for a total of 10 years. This is available through an Ubuntu Pro subscription with a free license available for personal use.

This innovative approach provides not only a compelling security value proposition, but an equally compelling business one.

Pal can first hand tell you how this has allowed him to enable a secure Linux ecosystem for Palbank, and do away with the usual maintenance burden. Because he doesn't have to worry anymore about scanning, applying, and testing the latest upstream security updates, he can spend all the time he needs to deliver the best bank application for his customers, and even squeeze in a vacation or two in between.

What about unknown threats?

If we know about a security vulnerability then we can patch it, but what about the times when an attacker is using an exploit that hasn't been fixed yet? This is where the Ubuntu ecosystem helps.

The nature of open source software means that it's much harder for bad actors to insert back doors into software. The source code is freely available for everyone to read, and Canonical reviews and monitors the code for each package that's included in Ubuntu, meaning that you can install all the software you need from one trusted source, backed by Canonical's decades-long track record of patching and support, without resorting to downloading random pieces of code from the internet.

Another benefit of using Ubuntu packages is that all the code that Canonical compiles into packages is configured to use the latest compiler security countermeasures. These compiler options focus on memory protection checks and help to ensure that the software is hardened against in-memory attacks, such as buffer overflows and heap corruption, which have plagued native code for many years.

Ubuntu is configured to be secure by default. A fresh installation of Ubuntu Desktop does not open up any network ports that could be abused by an attacker, and has a firewall already enabled. In order to limit the potential damage from unknown attacks, Ubuntu uses AppArmor, which is a sandboxing mechanism built into the Linux kernel that sets predefined constraints on what applications are allowed to do on the system.

So, for example, if a malicious website tried to exploit a vulnerability in the Firefox browser, AppArmor would prevent the exploit code from compromising the whole system.

So, is Linux secure?

The Linux kernel and its entire ecosystem of operating system distributions are built around the values of openness, transparency, agility, and trustworthiness. These values are what lay the foundation for modern software security that Canonical builds upon!

Because Ubuntu stands on the shoulders of giants, it could afford to look around and listen to what modern enterprises need: enterprise-grade security maintenance and support, reliably delivered day in and day out by a robust commercial entity, that you can trust to be your digital partner, today, and tomorrow.

What millions of customers, and Pal, have figured out, is that the Ubuntu LTS release with an Ubuntu Pro subscription and LivePatch enabled, is the most reasonably secure Linux OS you can bet on! This is why they continue choosing Canonical Ubuntu, everyday, to power their desktops, IoT devices, data centres and public cloud workloads.

More resources

• Linux Security: your questions, answered
• Do you need a certified Ubuntu?
• Ubuntu: What's the security story?
• What about Confidential Computing
• What's new in Security for Ubuntu 24.04 LTS?

06 Aug 2025 3:04pm GMT

Does operating system (OS) security matter? Meet Pal. Pal is a senior developer working at PalBank. For the next 6 months, Pal will be responsible for leading the development of the bank's web application client, which will be used daily by millions of customers. Pal invests considerable effort into designing and implementing the most secure […]

06 Aug 2025 3:04pm GMT

About 90% of my Debian contributions this month were sponsored by Freexian.

You can also support my work directly via Liberapay or GitHub Sponsors.

DebConf

I attended DebConf for the first time in 11 years (my last one was DebConf 14 in Portland). It was great! For once I had a conference where I had a fairly light load of things I absolutely had to do, so I was able to spend time catching up with old friends, making some new friends, and doing some volunteering - a bit of Front Desk, and quite a lot of video team work where I got to play with sound desks and such. Apparently one of the BoFs ("birds of a feather", i.e. relatively open discussion sessions) where I was talkmeister managed to break the automatic video cutting system by starting and ending precisely on time, to the second, which I'm told has never happened before. I'll take that.

I gave a talk about Debusine, along with helping Enrico run a Debusine BoF. We still need to process some of the feedback from this, but are generally pretty thrilled about the reception. My personal highlight was getting a shout-out in a talk from CERN (in the slide starting at 32:55).

Other highlights for me included a Python team BoF, Ian's tag2upload talk and some very useful follow-up discussions, a session on archive-wide testing, a somewhat brain-melting whiteboard session about the "multiarch interpreter problem", several useful discussions about salsa.debian.org, Matthew's talk on how Wikimedia automates their Debian package builds, and many others. I hope I can start attending regularly again!

OpenSSH

Towards the end of a release cycle, people tend to do more upgrade testing, and this sometimes results in interesting problems. Manfred Stock reported "No new SSH connections possible during large part of upgrade to Debian Trixie", and after a little testing in a container I confirmed that this was a reproducible problem that would have affected many people upgrading from Debian 12 (bookworm), with potentially severe consequences for people upgrading remote systems. In fact, there were two independent problems that each led to much the same symptom:

• OpenSSH 9.8 split the monolithic sshd listener process into two pieces: a minimal network listener (still called sshd), and an sshd-session process dealing with each individual session. (OpenSSH 10.0 further split sshd-session, adding an sshd-auth process that deals with the user authentication phase of the protocol.) This hardens the OpenSSH server by using different address spaces for privileged and unprivileged code.

  Before this change, when sshd received an incoming connection, it forked and re-executed itself with some special parameters to deal with it. After this change, it forks and executes sshd-session instead, and sshd no longer accepts the parameters it used to accept for this.

  Debian package upgrades happen in two phases: first we unpack the new files onto disk, and then we run some package-specific configuration steps which usually include things like restarting services. (I'm simplifying, but this is good enough for this post.) Normally this is fine, and in fact desirable: the old service keeps on working, and this approach often allows breaking what would otherwise be difficult cycles by ensuring that the system is in a more coherent state before trying to restart services. However, in this case, unpacking the new files onto disk immediately means that new SSH connections no longer work: the old sshd receives the connection and tries to hand it off to a freshly-executed copy of the new sshd binary on disk, which no longer supports this.

  If you're just upgrading OpenSSH on its own or with a small number of other packages, this isn't much of a problem as the listener will be restarted quite soon; but if you're upgrading from bookworm to trixie, there may be a long gap when you can't SSH to the system any more, and if something fails in the middle of the upgrade then you could be in trouble.

  So, what to do? I considered keeping a copy of the old sshd around temporarily and patching the new sshd to re-execute it if it's being run to handle an incoming connection, but that turned out to fail in my first test: dependencies are normally only checked when configuring a package, so it's possible to unpack openssh-server before unpacking a newer libc6 that it depends on, at which point you can't execute the new sshd at all. (That also means that the approach of restarting the service at unpack time instead of configure time is a non-starter.) We needed a different idea.

  dpkg, the core Debian package manager, has a specialized facility called "diversions": you can tell it that when it's unpacking a particular file it should put it somewhere else instead. This is normally used by administrators when they want to install a locally-modified version of a particular file at their own risk, or by packages that knowingly override a file normally provided by some other package. However, in this case it turns out to be useful for openssh-server to temporarily divert one of its own files! When upgrading from before 9.8, it now diverts /usr/sbin/sshd to /usr/sbin/sshd.session-split before the new version is unpacked, then removes the diversion and moves the new file into place once it's ready to restart the service; this reduces the period when incoming connections fail to a minimum. (We actually have to pretend that the diversion is being performed on behalf of a slightly different package since we're using dpkg-divert in a strange way here, but it all works.)

• Most OpenSSH processes, including sshd, check for a compatible version of the OpenSSL library when they start up. This check used to be very picky, among other things requiring both the major and minor number to match. OpenSSL 3 has a better versioning policy, and so OpenSSH 9.4p1 relaxed this check.

  Unfortunately, bookworm shipped with OpenSSH 9.2p1, which means that as soon as you unpack the new libssl3 during an upgrade (actually libssl3t64 due to the 64-bit time_t transition), sshd stops working. This couldn't be fixed by a change in trixie; we needed to change bookworm in advance of the upgrade so that it would tolerate newer versions of OpenSSL. And time was tight if we wanted to maximize the chance that people would apply that stable update before upgrading to trixie; there isn't going to be another point release of Debian 12 before the release of Debian 13.

  Fortunately, there's a stable-updates mechanism for exactly this sort of thing, and the stable release managers kindly accepted my proposal to fix this there.

The net result is that if you apply updates to bookworm (including stable-updates / bookworm-updates, which is enabled by default) before starting the upgrade to trixie, everything should be fine. Many thanks to Manfred for reporting this with just enough time to spare that we were able to fix it before Debian 13 is released in a few days!

debmirror

I did my twice-yearly refresh of debmirror's mirror_size documentation, and applied a patch from Christoph Goehre to improve mirroring of installer files.

madison-lite

I proposed renaming this project along with the rmadison tool in devscripts, although I'm not yet sure what a good replacement name would be.

Python team

I upgraded python-expandvars, python-typing-extensions (in experimental), and webtest to new upstream versions.

I backported fixes for some security vulnerabilities to unstable:

• python-urllib3: CVE-2025-50181, CVE-2025-50182

I fixed or helped to fix a number of release-critical bugs:

• bitstruct: autopkgtest regression: invalid command 'test'
• django-pipeline: autopkgtest failure (contributed supporting fix upstream)
• pnopaste: Fails to install with debconf noninteractive frontend (suggested possible patch)
• py3dns: autopkgtest regression: '96.7.128.186' != '93.184.215.14' (contributed upstream)
• python-marshmallow-dataclass: autopkgtest depends on removed package python-marshmallow-enum
• python-pkgconfig: autopkgtest regression: list index out of range
• python-txrequests: autopkgtest regression: twisted.trial.unittest.FailTest: 200 != 404

I fixed some other bugs, mostly Severity: important:

• afew: Unable to remove tags (reviewed and merged MR)
• ipy: FTBFS with the nocheck build profile
• paramiko: Does not correctly handle OpenSSH 10 version
• python-django-storages: FTBFS with the nocheck build profile
• python-icalendar: Depends on a transitional package (and follow-up fixes for missing build-dependencies in python-recurring-ical-events, python-x-wr-timezone, and todoman)
• python-libais: Stop calling python3 setup.py test (contributed supporting fix upstream)

I reinstated python3-mastodon's build-dependency on and recommendation of python3-blurhash, now that the latter has been fixed to use the correct upstream source.

06 Aug 2025 10:41am GMT

Why are so many Canonical software tools named "craft"?

06 Aug 2025 5:34am GMT

Last month Jon Seager (our Vice President for Ubuntu Engineering) wrote about crafting software:

Over the past decade, Canonical has been refining a family of tools called "crafts" to tame [the complexity of packaging software] and make building, testing, and releasing software across ecosystems much simpler.

Multiple Canonical products have craft in their names: Snapcraft, Charmcraft, Rockcraft (and there are others in the works). Our craft products are tools for making software, for the software craftsperson. To be a maker of tools comes with responsibilities - when you decide what tools should be like, you are also deciding how people should work.

Skill, power, technology

Why did we choose to refer to craft?

Craft implies artisanal values, work done by humans, skilled work of the hand.

Craft is not just an activity, it's a value too.

It's an excellent word. It comes from the Germanic kraft - strength, or power. That makes perfect sense: craft as skill or ability is a power. The word empower is so overused that it's in danger of losing its own meaning, but here it really is appropriate: empowering people is what Canonical exists to do through open-source software.

In another direction, the ancient Greek word for craft is téchnē, the root of the modern word technology.

Technology has come to refer to the tools and machinery of industrial society, the hardware and software stuff we make, but it's a more interesting word than that - technology, literally "the study of skill": not merely a product of human activity, but a human endeavour itself.

So craft is a word that reaches in multiple directions. As kraft, it draws in meanings of power and empowerment. As téchnē, it connects directly to the root of our own industry. Craft is where things that matter and that we passionately care about all come together.

It's a noble kind of word for a meaningful kind of activity.

The values of craft

Craft - skill - is obliged to improve itself through practice and reflection. These are fundamental values of craftsmanship, of making and being a maker. Choosing the name craft for our software tools signals a sense of obligation and seriousness about what we're doing.

Jon's article describes a family of tools designed with real intention. They share common interfaces, libraries and workflows - but they also share a common set of values, and that is why craft feels like the right concept to associate with the tools we want to put in the hands of software craftspeople.

Read Crafting your software

06 Aug 2025 5:34am GMT

A fresh batch of bug fixes arrive for users of Audacity, the open source audio editor and sound recording app. Learn how to update.

You're reading Audacity 3.7.5 Fixes More Bugs, Windows on ARM Builds, a blog post from OMG! Ubuntu. Do not reproduce elsewhere without permission.

05 Aug 2025 10:59pm GMT

Tuba 0.10 features a redesigned post composer, YouTube playback, timeline tweaks and more, making this open-source Linux Mastodon client even better.

You're reading Toot, Toot: Linux Mastodon App Tuba Gets a Huge Update, a blog post from OMG! Ubuntu. Do not reproduce elsewhere without permission.

05 Aug 2025 6:04pm GMT

Welcome to the Ubuntu Weekly Newsletter, Issue 903 for the week of July 27 - August 2, 2025. The full version of this issue is available here.

In this issue we cover:

• Questing Snapshot 3 released
• Ubuntu Stats
• Hot in Support
• Rocks Public Journal; 2025-07-30
• Other Meeting Reports
• Upcoming Meetings and Events
• UK LoCo has been handed over to the new leader
• Midwest Superfest and Software Freedom Day 2025
• LoCo Events
• TPM/FDE progress for Ubuntu 25.10
• Kernel Development Release Cadence and Deprecation of linux-modules-extra
• Ubuntu Server Gazette - Issue 6: An extra fresh rolling Ubuntu please
• LXD 4.0 LTS End Of Life
• Event Report - GUADEC 2025
• Other Community News
• What Say You
• Canonical News
• In the Blogosphere
• Featured Audio and Video
• Updates and Security for Ubuntu 22.04, 24.04, and 25.04
• And much more!

The Ubuntu Weekly Newsletter is brought to you by:

• Krytarik Raido
• Bashing-om
• Chris Guiver
• Wild Man
• Din Mušić - LXD
• Cristovao Cordeiro (cjdc) - Rocks
• And many others

If you have a story idea for the Weekly Newsletter, join the Ubuntu News Team mailing list and submit it. Ideas can also be added to the wiki!

.

04 Aug 2025 11:20pm GMT

Flameshot 13.0 marks the screenshot tool's first major update in over 3 years, adding Qt6 support, disabling Imgur uploads by default, and improving its tools.

You're reading Flameshot Screenshot App Gets First Major Update in 3 Years, a blog post from OMG! Ubuntu. Do not reproduce elsewhere without permission.

04 Aug 2025 11:01pm GMT

Partners holding big jigsaw puzzle pieces flat vector illustration. Successful partnership, communication and collaboration metaphor. Teamwork and business cooperation concept.

I write this in the wake of a personal attack against my work and a project that is near and dear to me. Instead of spreading vile rumors and hearsay, talk to me. I am not known to be 'hard to talk to' and am wide open for productive communication. I am disheartened and would like to share some thoughts of the importance of communication. Thanks for listening.

Open source development thrives on collaboration, shared knowledge, and mutual respect. Yet sometimes, the very passion that drives us to contribute can lead to misunderstandings and conflicts that harm both individuals and the projects we care about. As contributors, maintainers, and community members, we have a responsibility to foster environments where constructive dialogue flourishes.

The Foundation of Healthy Open Source Communities

At its core, open source is about people coming together to build something greater than what any individual could create alone. This collaborative spirit requires more than just technical skills-it demands emotional intelligence, empathy, and a commitment to treating one another with dignity and respect.

When disagreements arise-and they inevitably will-the manner in which we handle them defines the character of our community. Technical debates should focus on the merits of ideas, implementations, and approaches, not on personal attacks or character assassinations conducted behind closed doors.

The Importance of Direct Communication

One of the most damaging patterns in any community is when criticism travels through indirect channels while bypassing the person who could actually address the concerns. When we have legitimate technical disagreements or concerns about someone's work, the constructive path forward is always direct, respectful communication.

Consider these approaches:

• Address concerns directly: If you have technical objections to someone's work, engage with them directly through appropriate channels
• Focus on specifics: Critique implementations, documentation, or processes-not the person behind them
• Assume good intentions: Most contributors are doing their best with the time and resources available to them
• Offer solutions: Instead of just pointing out problems, suggest constructive alternatives

Supporting Contributors Through Challenges

Open source contributors often juggle their community involvement with work, family, and personal challenges. Many are volunteers giving their time freely, while others may be going through difficult periods in their lives-job searching, dealing with health issues, or facing other personal struggles.

During these times, our response as a community matters enormously. A word of encouragement can sustain someone through tough periods, while harsh criticism delivered thoughtlessly can drive away valuable contributors permanently.

Building Resilient Communities

Strong open source communities are built on several key principles:

Transparency in Communication: Discussions about technical decisions should happen in public forums where all stakeholders can participate and learn from the discourse.

Constructive Feedback Culture: Criticism should be specific, actionable, and delivered with the intent to improve rather than to tear down.

Recognition of Contribution: Every contribution, whether it's code, documentation, bug reports, or community support, has value and deserves acknowledgment.

Conflict Resolution Processes: Clear, fair procedures for handling disputes help prevent minor disagreements from escalating into community-damaging conflicts.

The Long View

Many successful open source projects span decades, with contributors coming and going as their life circumstances change. The relationships we build and the culture we create today will determine whether these projects continue to attract and retain the diverse talent they need to thrive.

When we invest in treating each other well-even during disagreements-we're investing in the long-term health of our projects and communities. We're creating spaces where innovation can flourish because people feel safe to experiment, learn from mistakes, and grow together.

Moving Forward Constructively

If you find yourself in conflict with another community member, consider these steps:

1. Take a breath: Strong emotions rarely lead to productive outcomes
2. Seek to understand: What are the underlying concerns or motivations?
3. Communicate directly: Reach out privately first, then publicly if necessary
4. Focus on solutions: How can the situation be improved for everyone involved?
5. Know when to step back: Sometimes the healthiest choice is to disengage from unproductive conflicts

A Call for Better

Open source has given us incredible tools, technologies, and opportunities. The least we can do in return is treat each other with the respect and kindness that makes these collaborative achievements possible.

Every contributor-whether they're packaging software, writing documentation, fixing bugs, or supporting users-is helping to build something remarkable. Let's make sure our communities are places where that work can continue to flourish, supported by constructive communication and mutual respect.

The next time you encounter work you disagree with, ask yourself: How can I make this better? How can I help this contributor grow? How can I model the kind of community interaction I want to see?

Our projects are only as strong as the communities that support them. Let's build communities worthy of the amazing software we create together.

https://gofund.me/506c910c

04 Aug 2025 9:52pm GMT

Chrome's Ozone backend will auto-detect Wayland on Linux from v140. This should fix issues with blurry text and UI elements when fractional scaling is active.

You're reading Chrome Plans to Play Nicer with Wayland on Linux, a blog post from OMG! Ubuntu. Do not reproduce elsewhere without permission.

04 Aug 2025 4:44pm GMT

The Incus team is pleased to announce the release of Incus 6.15!

This is one of those releases which has a bit of everything, improvements for application containers, VMs, clustering, networking and even some CLI enhancements.

Worth noting that we've also made some good progress on Incus OS and now use it to run the online demo environment. We've also made a new downloading tool for it with instructions available here.

The highlights for this release are:

• Authentication support for OCI registries
• Webhook as a logging target
• More control over memory hotplug behavior in VMs
• Persistent CD-ROM ejection in VMs
• Configurable WWN for disk devices in VMs
• Dynamic IPv6 network address
• Configurable keepalive mode in the CLI
• Markdown output in the CLI
• More server-side filtering support in the CLI

The full announcement and changelog can be found here.
And for those who prefer videos, here's the release overview video:

You can take the latest release of Incus up for a spin through our online demo service at: https://linuxcontainers.org/incus/try-it/

And as always, my company is offering commercial support on Incus, ranging from by-the-hour support contracts to one-off services on things like initial migration from LXD, review of your deployment to squeeze the most out of Incus or even feature sponsorship. You'll find all details of that here: https://zabbly.com/incus

Donations towards my work on this and other open source projects is also always appreciated, you can find me on Github Sponsors, Patreon and Ko-fi.

Enjoy!

04 Aug 2025 3:39am GMT

Newelle is a desktop AI assistant for Linux, providing a native GTK front-end to cloud and local LLMs. It features voice chat, long-term memory and extensions.

You're reading Newelle, AI "Assistant" for GNOME, Hits Version 1.0, a blog post from OMG! Ubuntu. Do not reproduce elsewhere without permission.

03 Aug 2025 10:59pm GMT

KDE Plasma 6.5 will finally include automatic day/night theme switching, to change light/dark Global Themes based on the time of the day.

You're reading KDE Plasma Adding Auto Day/Night Theme Switching, a blog post from OMG! Ubuntu. Do not reproduce elsewhere without permission.

03 Aug 2025 6:06pm GMT

Ubuntu Server 25.10 removes wget from its default installation, in favour of the wcurl tool. Here's why the change was made and if it'll affect you.

You're reading wget Removed from Ubuntu Server 25.10 Default Install, a blog post from OMG! Ubuntu. Do not reproduce elsewhere without permission.

03 Aug 2025 2:28am GMT

Roundup of July's smaller Linux app releases: Shotcut and Kdenlive video editors, Plank Reloaded dock, Krita performance fixes, and more.

You're reading Linux App Release Roundup (July 2025), a blog post from OMG! Ubuntu. Do not reproduce elsewhere without permission.

02 Aug 2025 3:17am GMT

The US ending tariff exemption on goods under $800 could send the price of Raspberry Pi, mini PCs and other Linux hardware soaring - not just for buyers in America.

You're reading US Tariff Change Could Send SBC & Mini PC Prices Soaring, a blog post from OMG! Ubuntu. Do not reproduce elsewhere without permission.

01 Aug 2025 4:17pm GMT

Ubuntu's DING extension adds new keyboard shortcuts for desktop icon selection, including multi-select, Ctrl+Space toggle, and HOME/END navigation.

You're reading Ubuntu's Desktop Icons Extension Gains New Keyboard Shortcuts, a blog post from OMG! Ubuntu. Do not reproduce elsewhere without permission.

01 Aug 2025 2:49am GMT

During the last year I developed as a side project a new tool called chimg . That tool is useful to modify a given rootfs chroot directory in a declarative way. It can replace a kernel within a chroot, preseed snaps, install debian packages, add PPAs and more (documentation is in git but not yet published).

The nice thing about this is, that this tool can be integrated into livecd-rootfs (the tool that is usually used to build Ubuntu images) or future tools which might use the craft framework to build images. chimg automatically detects already bind-mounted filesystems (eg. /sys, /proc, …), detects already preseeded snaps and usually does that same thing that livecd-rootfs currently does when eg. replacing an already installed kernel.

Install chimg with:

sudo snap install chimg --classic

An example configuration (eg. config.yaml) to modify a rootfs chroot directory looks like this:

---
kernel: linux-aws
debs:
  - name: shim-signed
  - name: grub-pc
  - name: grub2-common
  - name: ubuntu-cloud-minimal
snap:
  assertion_brand: canonical
  assertion_model: aws-classic
  snaps:
    - name: hello
      channel: latest/stable
files:
  -
    destination: /etc/default/grub.d/70-mysettings.cfg
    content: |+
      GRUB_TIMEOUT=0

cmds_post:
  -
    cmd: |
      echo "Everything done"

This config (stored in config.yaml in this example) can be applied to a newly created (or existing) root filesystem directory. Let's create one in /tmp/chimg-noble:

sudo mmdebstrap --variant=apt --verbose noble /tmp/chimg-noble

Let's apply the config changes now:

sudo chimg --log-console chrootfs config.yaml /tmp/chimg-noble

That's it. The modifications are now applied to the /tmp/chimg-noble directory.

31 Jul 2025 6:15pm GMT

The third monthly snapshot of Ubuntu 25.10 (Questing Quokka) is available to download, if you feel like helping the furry-faced mascot seeks out stable status.

You're reading Ubuntu 25.10 Snapshot 3 is Available to Download, a blog post from OMG! Ubuntu. Do not reproduce elsewhere without permission.

31 Jul 2025 4:26pm GMT

Proton launches a free, open-source 2FA app with cross-device sync. It works on all major OSes, including Ubuntu, as a privacy-focused alternative to Google Authenticator.

You're reading Proton's New 2FA Authenticator App Supports Ubuntu, a blog post from OMG! Ubuntu. Do not reproduce elsewhere without permission.

31 Jul 2025 4:05pm GMT

Gostam de arroz de pato? Nós também - neste episódio temos disso e muito mais para causar indigestão: o Diogo foi ao Porto ensinar LXD e dizer mal da gastronomia local; visitou o Museu LOAD do Timex ZX Spectrum em Cantanhede e trouxe-nos um relato nostálgico dos bons tempos da infância; a Microsoft libertou o Edit para ser usado como Snap; a Canonical meteu-se no negócio da «fast food» e decidiu investir em kernels novinhos em folha e Ubuntu como «rolling release»; em Linux teremos cada vez mais TPM. E ainda discutimos como usar agentes de IA para bater código pode dar mau resultado: entra pato, sai cocó. E facto inédito: o Diogo usou grosseiros palavrões.

Já sabem: oiçam, subscrevam e partilhem!

• Museu LOAD do ZX Spectrum, em Cantanhede: https://loadzx.com/
  • Canal Youtube do museu: https://www.youtube.com/channel/UCbR6zEjDUkKPo01JDKJb5Vw
• Vibe Coding deu cocó: https://www.theregister.com/2025/07/21/replit_saastr_vibe_coding_incident/
• Código de Receita de Arroz de Pato: https://gitlab.com/podcastubuntuportugal/arroz-de-pato/-/blob/ca4b64e8b8493350d4fb699315494532130be87b/arroz_de_pato.py
• Assinaturas STOP KILLING GAMES: https://www.stopkillinggames.com
• Microsoft Edit como Snap: https://snapcraft.io/msedit
  • https://www.omgubuntu.co.uk/2025/06/microsoft-edit-text-editor-ubuntu
• Kernel Acelerado: https://discourse.ubuntu.com/t/kernel-development-release-cadence-and-deprecation-of-linux-modules-extra/65176
• Trusted Platform Module / Full Disk Encryption no Ubuntu: https://discourse.ubuntu.com/t/tpm-fde-progress-for-ubuntu-25-10/65146
• OpenJDK pela Canonical: https://canonical.com/blog/introducing-canonical-builds-of-openjdk
• Contentores Cinzelados: https://canonical.com/blog/chiseled-ubuntu-containers-openjre
• Listening to contributors (code, documentation, translation, testing, etc.): participate in a feedback session: https://discourse.ubuntu.com/t/listening-to-contributors-code-documentation-translation-testing-etc-participate-in-a-feedback-session/63837
• Questing Quokka 25.10 Wallpaper Competition: https://discourse.ubuntu.com/t/questing-quokka-25-10-wallpaper-competition/61560
• https://discourse.ubuntu.com/t/questing-quokka-25-10-wallpaper-competition/61560
• Ambientes Virtualizados em Linux, ECTL, em Julho: https://ectl.pt/pt/
• LCD Porto: https://lcdporto.org/pt/pagina-principal/
• Ubucon Africa / DjangoCon Africa, Arusha, Tanzania, 11 a 15 de Agosto: https://ubuntu.com/blog/ubucon-africa-and-djangocon-africa-2025
• https://2025.djangocon.africa/
• Festa do Software Livre 2025, Porto, 3 a 5 de Outubro: https://festa2025.softwarelivre.eu/pt/
• Ubuntu Summit 2025, Londres, 23-24 de Outubro: https://ubuntu.com/blog/ubuntu-summit-25-10-is-coming-to-your-circle-of-friends-from-london
• LoCo PT: https://loco.ubuntu.com/teams/ubuntu-pt/
• Mastodon: https://masto.pt/@pup
• Youtube: https://youtube.com/PodcastUbuntuPortugal

Atribuição e licenças

Este episódio foi produzido por Diogo Constantino, Miguel e Tiago Carrondo e editado pelo Senhor Podcast. O website é produzido por Tiago Carrondo e o código aberto está licenciado nos termos da Licença MIT. (https://creativecommons.org/licenses/by/4.0/). A música do genérico é: "Won't see it comin' (Feat Aequality & N'sorte d'autruche)", por Alpha Hydrae e está licenciada nos termos da CC0 1.0 Universal License. Os separadores de péssima qualidade foram tocados ao vivo e sem rede pelo Miguel, pelo que pedimos desculpa pelos incómodos causados. Este episódio e a imagem utilizada estão licenciados nos termos da licença: Attribution-NonCommercial-NoDerivatives 4.0 International (CC BY-NC-ND 4.0), cujo texto integral pode ser lido aqui. Estamos abertos a licenciar para permitir outros tipos de utilização, contactem-nos para validação e autorização. A arte de episódio foi criada por encomenda pela Shizamura - artista, ilustradora e autora de BD. Podem ficar a conhecer melhor a Shizamura na Ciberlândia e no seu sítio web.

31 Jul 2025 12:00am GMT

If you're here, you likely already know about preemption, determinism, and real-time capable operating systems. If that's the case, and you want to learn how to get up and running with Real-time Ubuntu, skip ahead now to find out how to enable the kernel on your workstation. If you'd like a short refresher, we have […]

30 Jul 2025 11:12am GMT

Canonical's MAAS User Interface has been ranked as the top-quality software project in its category by the quarterly TIOBE Software Quality Assurance Award

29 Jul 2025 1:30pm GMT

Yesterday, exactly twenty years ago my mobile rang while I was walking the dog.

I had just returned from Sydney about a week ago (still battling with the last remains of my Jet-lag (I had never left Europe before!)) where I had attended the UbuntuDownUnder summit and had a 30min interview on the last day (that was literally rather like having a coffee with friends after lunch) with Mark Shuttleworth and Matt Zimmerman (back then Canonicals CTO) on a nice hotel terrace directly under a tree with a colony of flying foxes sleeping above our heads.

There was Jane Silber (CEO) on the phone, telling me: "I'm so happy to tell you you are hired! In your new role we want you to create an educational flavor of Ubuntu, there will be a debian-edu/skolelinux gathering in Bergen in Norway from the 10th to 12th of June, are you okay flying there with Mark?"

I rushed back home and told my girlfriend: "I'm hired, and I'll fly Canonical One on my first business trip next month!" (Canonical One was the name of Marks plane). I learned the next weeks that Canonical had indeed booked a generic scheduled flight for me and we'd only meet at the venue

The flight was a disaster, after we were boarding that small 20-seater 2 prop plane that was supposed to get us from Cologne to Amsterdam and the pilot started the engine my window all of a sudden was soaked in oil. We had to stay in the plane out on the filed while the mechanics were fixing the engine for like 2-3h so indeed I missed the connection in Amsterdam and had to stay for the night instead of arriving in Bergen the evening before the event started.

When I arrived at the venue everyone was already busy hacking on stuff and I jumped right in alongside, finally meeting some users of LTSP (Linux Terminal Server Project) which I was upstream for at that time and working with them on the problems they faced in debian with it, tinkering with moodle as a teaching support system and looking at other edu software, meanwhile Mark was sitting on a bar-stool in a corner with his laptop hacking on launchpad code.

When we went to our hotel in the evening it turned out they did not have our booking at all and were completely overbooked due to a jewelry exhibition they had in the house for that week. I talked like 15min to the lady behind the counter, showed her my booking confirmation PDF on the laptop, begged and flirted a lot and eventually she told us "We do have an exhibition room that we keep as spare, it only has one bed but you can have it and we will add a folding bed". The room was actually a normal hotel room but completely set up with wallpaper tables all around the walls.

Mark insisted to take the folding bed and I can tell you, he does not snore … (well, he didn't back then)

This was only the first of a plethora of adventures that followed in the upcoming 20 years, that phone call clearly changed my life and the company gave me the opportunity to work with the brightest, sharpest and most intelligent people on the planet in and outside of Canonical.

It surely changed a lot over these years (when I started we were building the distro with 18 people in the distro team and did that for quite a few years before it actually got split into server, foundations, kernel and desktop teams) but it never lost its special spirit of having these exceptional people with such a high focus on bringing opensource to everyone and making it accessible to everyone.
Indeed, with growth comes the requirement to make more money to pay the people, the responsibility to give your employees a certain amount of security and persistence grows, but Canonical and especially Mark have always managed to keep the balance to not lose that focus and do the right thing in the end.

Ten years ago I said "onward to the next ten!!", I won't really say "onward to the next 20!" today, not because I ever plan to resign but simply because I doubt I still want to work full time when I'm 75

Thank you Mark for dragging me into this adventure and thank you for still having me! I still love the ride!!

29 Jul 2025 1:26pm GMT

Dear friends, family, and community,

I'm reaching out during a challenging time in my life to ask for your support. This year has been particularly difficult as I've been out of work for most of it due to a broken arm and a serious MRSA infection that required extensive treatment and recovery time.

Current Situation

While I've been recovering, I've been actively working to maintain and improve my professional skills by contributing to open source software projects. These contributions help me stay current with industry trends and demonstrate my ongoing commitment to my field, but unfortunately, they don't provide the income I need to cover my basic living expenses.

Despite my efforts, I'm still struggling to secure employment, and I'm falling behind on essential bills including:

• Rent/mortgage payments
• Utilities
• Medical expenses
• Basic living costs

How You Can Help

Any financial assistance, no matter the amount, would make a meaningful difference in helping me stay afloat during this job search. Your support would allow me to:

• Keep my housing stable
• Maintain essential services
• Focus fully on finding employment without the constant stress of unpaid bills
• Continue contributing to the open source community

Moving Forward

I'm actively job searching and interviewing, and I'm confident that I'll be back on my feet soon. Your temporary support during this difficult period would mean the world to me and help bridge the gap until I can secure stable employment.

If you're able to contribute, GoFundMe . If you're unable to donate, I completely understand, and sharing this request with others who might be able to help would be greatly appreciated.

Thank you for taking the time to read this and for considering helping me during this challenging time.

With gratitude, Scarlett

28 Jul 2025 1:51pm GMT

Achieving full disk encryption using FIPS, TCG OPAL and LUKS to encrypt UEFI ESP on bare-metal and in VMs

Many security standards such as CIS and STIG require to protect information at rest. For example, NIST SP 800-53r5 SC-28 advocate to use cryptographic protection, offline storage and TPMs to enhance protection of information confidentiality and/or integrity.

Traditionally to satisfy such controls on portable devices such as laptops one would utilize software based Full Disk Encryption - Mac OS X FileVault, Windows Bitlocker, Linux cryptsetup LUKS2. In cases when FIPS cryptography is required, additional burden would be placed onto these systems to operate their kernels in FIPS mode.

Trusted Computing Group works on establishing many industry standards and specifications, which are widely adopted to improve safety and security of computing whilst keeping it easy to use. One of their most famous specifications them is TCG TPM 2.0 (Trusted Platform Module). TPMs are now widely available on most devices and help to protect secret keys and attest systems. For example, most software full disk encryption solutions can utilise TCG TPM to store full disk encryption keys providing passwordless, biometric or pin-base ways to unlock the drives as well as attesting that system have not been modified or compromised whilst offline.

TCG Storage Security Subsystem Class: Opal Specification is a set of specifications for features of data storage devices. The authors and contributors to OPAL are leading and well trusted storage manufacturers such as Samsung, Western Digital, Seagate Technologies, Dell, Google, Lenovo, IBM, Kioxia, among others. One of the features that Opal Specification enables is self-encrypting drives which becomes very powerful when combined with pre-boot authentication. Out of the box, such drives always and transparently encrypt all disk data using hardware acceleration. To protect data one can enter UEFI firmware setup (BIOS) to set NVMe single user password (or user + administrator/recovery passwords) to encrypt the disk encryption key. If one's firmware didn't come with such features, one can also use SEDutil to inspect and configure all of this. Latest release of major Linux distributions have SEDutil already packaged.

Once password is set, on startup, pre-boot authentication will request one to enter password - prior to booting any operating systems. It means that full disk is actually encrypted, including the UEFI ESP and all operating systems that are installed in case of dual or multi-boot installations. This also prevents tampering with ESP, UEFI bootloaders and kernels which with traditional software-based encryption often remain unencrypted and accessible. It also means one doesn't have to do special OS level repartitioning, or installation steps to ensure all data is encrypted at rest.

What about FIPS compliance? Well, the good news is that majority of the OPAL compliant hard drives and/or security sub-chips do have FIPS 140-3 certification. Meaning they have been tested by independent laboratories to ensure they do in-fact encrypt data. On the CMVP website one can search for module name terms "OPAL" or "NVMe" or name of hardware vendor to locate FIPS certificates.

Are such drives widely available? Yes. For example, a common Thinkpad X1 gen 11 has OPAL NVMe drives as standard, and they have FIPS certification too. Thus, it is likely in your hardware fleet these are already widely available. Use sedutil to check if MediaEncrypt and LockingSupported features are available.

Well, this is great for laptops and physical servers, but you may ask - what about public or private cloud? Actually, more or less the same is already in-place in both. On CVMP website all major clouds have their disk encryption hardware certified, and all of them always encrypt all Virtual Machines with FIPS certified cryptography without an ability to opt-out. One is however in full control of how the encryption keys are managed: cloud-provider or self-managed (either with a cloud HSM or KMS or bring your own / external). See these relevant encryption options and key management docs for GCP, Azure, AWS. But the key takeaway without doing anything, at rest, VMs in public cloud are always encrypted and satisfy NIST SP 800-53 controls.

What about private cloud? Most Linux based private clouds ultimately use qemu typically with qcow2 virtual disk images. Qemu supports user-space encryption of qcow2 disk, see this manpage. Such encryption encrypts the full virtual machine disk, including the bootloader and ESP. And it is handled entirely outside of the VM on the host - meaning the VM never has access to the disk encryption keys. Qemu implements this encryption entirely in userspace using gnutls, nettle, libgcrypt depending on how it was compiled. This also means one can satisfy FIPS requirements entirely in userspace without a Linux kernel in FIPS mode. Higher level APIs built on top of qemu also support qcow2 disk encryption, as in projects such as libvirt and OpenStack Cinder.

If you carefully read the docs, you may notice that agent support is explicitly sometimes called out as not supported or not mentioned. Quite often agents running inside the OS may not have enough observability to them to assess if there is external encryption. It does mean that monitoring above encryption options require different approaches - for example monitor your cloud configuration using tools such as Wiz and Orca, rather than using agents inside individual VMs. For laptop / endpoint security agents, I do wish they would start gaining capability to report OPAL SED availability and status if it is active or not.

What about using software encryption none-the-less on top of the above solutions? It is commonly referred to double or multiple encryption. There will be an additional performance impact, but it can be worthwhile. It really depends on what you define as data at rest for yourself and which controls you need. If one has a dual-boot laptop, and wants to keep one OS encrypted whilst booted into the other, it can perfectly reasonable to encrypted the two using separate software encryption keys. In addition to the OPAL encryption of the ESP. For more targeted per-file / per-folder encryption, one can look into using gocryptfs which is the best successor to the once popular, but now deprecated eCryptfs (amazing tool, but has fallen behind in development and can lead to data loss).

All of the above mostly talks about cryptographic encryption, which only provides confidentially but not data integrity. To protect integrity, one needs to choose how to maintain that. dm-verity is a good choice for read-only and rigid installations. For read-write workloads, it may be easier to deploy ZFS or Btrfs instead. If one is using filesystems without a built-in integrity support such as XFS or Ext4, one can retrofit integrity layer to them by using dm-integrity (either standalone, or via dm-luks/cryptsetup --integrity option).

If one has a lot of estate and a lot of encryption keys to keep track off a key management solution is likely needed. The most popular solution is likely the one from Thales Group marketed under ChiperTrust Data Security Platform (previously Vormetric), but there are many others including OEM / Vendor / Hardware / Cloud specific or agnostic solutions.

I hope this crash course guide piques your interest to learn and discover modern confidentially and integrity solutions, and to re-affirm or change your existing controls w.r.t. to data protection at rest.

Full disk encryption, including UEFI ESP /boot/efi is now widely achievable by default on both baremetal machines and in VMs including with FIPS certification. To discuss more let's connect on Linkedin.

28 Jul 2025 11:13am GMT

Effective July 23rd, 2025 the Open Infrastructure Foundation (OIF) has officially joined one of the world's largest and most influential open source communities: the Linux Foundation. This strategic move reflects the accelerating trend toward open source standardization and democratization - a movement Canonical has proudly supported since its inception. As a long-standing and active member […]

24 Jul 2025 4:59pm GMT

Introducing engineering practice leadership at Canonical

23 Jul 2025 7:42am GMT

The integration delivers reliable, cost-effective virtualization for modern IT infrastructure Canonical, the company behind Ubuntu, has collaborated with Dell Technologies on a native integration between Canonical LXD and Dell PowerFlex software-defined infrastructure. The combined solutions for open source virtualization and high-performance software-defined storage ensure tight coupling between the virtualization layer and the underlying storage infrastructure, […]

22 Jul 2025 2:16pm GMT

The last two weeks I attended DebConf and DebCamp in Brest, France.

Usually, I like to do a more detailed write-up of DebConf, but I was already quite burnt out when I got here, so I'll circle back to a few things that were important to me in later posts.

In the meantime, thanks to everyone who made this DebConf possible, whether you volunteered for one task or were part of the organisation team. Also a special thanks to the wonderful sponsors who made this entire event possible!

See you next year in Argentina!

Jellyfish, taken during daytrip at aquarium.

19 Jul 2025 5:12pm GMT

Have you ever dreamed of building and launching your own rockets? Whether you're a student, educator, hobbyist, or aerospace enthusiast, there's one tool that makes rocketry accessible, educational, and exciting: OpenRocket.

OpenRocket is a free, fully open-source model rocket simulator that helps you design, simulate, and optimize rockets in a virtual environment - all before a single part is printed or assembled.

And the best part? It's completely free, runs on Windows, macOS, and Linux, and is trusted by thousands around the world - from classrooms to high-powered launch pads.

What is OpenRocket?

OpenRocket is a powerful simulation tool designed to make rocket science understandable and practical. It enables users to build virtual models of rockets, test their flight performance, and iterate on designs long before committing to physical builds. Whether you're building a simple school project or a multi-stage high-powered model, OpenRocket is built to support you at every step.

Key Features

• Drag-and-Drop Rocket Design
  Build your rocket with ease using a graphical interface - choose body tubes, fins, nose cones, engines, recovery systems, and more.
• Accurate Flight Simulations
  Simulate flights in real-world conditions with detailed physics modeling, including wind, thrust curves, drag, gravity, and stability.
• Detailed Analysis Tools
  Visualize graphs for altitude, velocity, acceleration, angle of attack, and more - perfect for science fair projects and engineering analysis.
• Support for Multistage and Cluster Rockets
  Go beyond basic designs and experiment with multi-engine configurations, boosters, and complex recovery systems.
• Advanced Stability Calculations
  See real-time updates on your rocket's center of pressure and center of gravity - helping ensure stable flights.
• Education-First Philosophy
  Built with educators and students in mind - great for teaching physics, aerodynamics, math, and engineering concepts.
• 100% Free and Open Source (GPLv3 License)
  Modify, contribute, or use it freely in academic and personal projects.

Perfect for Classrooms and Competitions

OpenRocket is a favorite in schools, universities, and STEM clubs. It's ideal for:

• Physics and engineering lessons
• STEM competitions
• High school and university rocketry teams
• Maker clubs and hobbyist communities

With OpenRocket, students don't just learn theory - they test it, visualize it, and bring it to life.

Cross-Platform and Easy to Use

OpenRocket runs smoothly on Windows, Linux, and macOS, with a lightweight footprint and no complex setup required. Just download, install, and launch.

Want to try the latest features? There are stable and experimental versions available, with an active community improving the project continuously.

Join a Global Community

OpenRocket is powered by passionate volunteers and used worldwide. With an active community on forums and GitHub, it's easy to get help, share ideas, and even contribute your own code or simulations.

If you're ready to explore the world of rocketry without burning through your budget, OpenRocket is your launchpad.

Ready for Liftoff?

Visit openrocket.info and start building your dream rocket today.

Design. Simulate. Launch. Learn. Repeat.

Welcome to the world of OpenRocket - where rocket science is for everyone.

The post OpenRocket: Design, Simulate, and Launch Your Own Rockets - Free and Open Source appeared on Hamradio.my - Amateur Radio, Tech Insights and Product Reviews by 9M2PJU.

19 Jul 2025 4:15pm GMT

This year, UbuCon Africa takes place in Arusha, Tanzania. It's co-located with DjangoCon Africa 2025 (11th-15th August) at Life Fitness Hall, Njiro. The whole event is five days of open source engagement and collaboration. There'll be three days of talks, on programming, technology, careers, society and business, followed by two more of hands-on training and […]

17 Jul 2025 10:42am GMT

ESWIN Computing partners with Canonical to unveil a low cost, performant RISC-V SBC with Ubuntu as the preferred operating system We are excited to announce that ESWIN Computing, in collaboration with Canonical, is bringing Ubuntu 24.04 LTS to the ESWIN Computing EBC77 Series Single Board Computer (SBC for short). The EBC77 is a cutting-edge platform […]

16 Jul 2025 8:50am GMT

In the world of enterprise IT, "support" can mean many things. For some, it's a safety net - insurance for the day something breaks. For others, it's the difference between a minor hiccup and a full-scale outage. At Canonical, it means a simple, comprehensive subscription that takes care of everything, so that everything you build […]

14 Jul 2025 2:11pm GMT

Date: 11 - 13 August 2025 Booth: 353 Book a meeting You know the old saying: what happens in Vegas… transforms your AI journey with trusted open source. On August 11-13, Canonical is back at AI4 2025 to share the secrets of building secure, scalable AI infrastructure to accelerate every stage of your machine learning […]

14 Jul 2025 10:06am GMT

The RISC-V Summit China is an annual event that brings together the global RISC-V community - including technical, industry, domain, and ecosystem groups who define the architecture's specifications. All the experts will meet in Shanghai, China, to share technology breakthroughs, industry milestones, and case studies. Canonical is proud to sponsor the RISC-V Summit again - […]

14 Jul 2025 4:00am GMT