Fedora is a Trademark of Red Hat, Inc, an operating system built by volunteers around the world. This page is provided so that independent volunteers can showcase our contributions to Fedora and Free Software in general. Official Fedora Download page.

RSS Atom

We Make Fedora

October 29, 2025

• Kiwi TCMS Meet Kiwi TCMS at Open Source Experience'25 in Paris

  Kiwi TCMS is happy to announce that we're taking part in Open Source Experience, Dec 10-11 in Paris, France. We're joining as part of the European Village category of exhibitors.

  

  Calling all testers and quality engineers as well as existing customers to join us on 10th & 11th Dec 2025 in Paris and talk about testing and software quality! You can learn first hand what's new, who's been using Kiwi TCMS in 2025 and what our plans for the future are! Please register free of charge with invitation code E-KIWIOSXP25.

  NOTE: Limited VIP codes with additional percs are available upon request! Please email us via info-at-kiwitcms.org for more information. In return we kindly ask you to share your Kiwi TCMS user story with the rest of our community!

  If you would like to know more about who uses Kiwi TCMS please check-out the history of Kiwi TCMS in France!

  ---

  If you like what we're doing and how Kiwi TCMS supports various communities please help us!

  • Give â­� on GitHub;
  • Join our newsletter and follow all project news;
  • Become a contributor and an awesome open source hacker;
  • Become a subscriber and help us sustain development

October 28, 2025

• Fedora fans نسخه نهایی Fedora Linux 43 منتشر شد

  

  تیم توسعه پروژه ی فدورا خبر انتشار نسخه نهایی فدورا لینوکس ۴۳ را اعلام کرد. فدورا که همواره شامل تغییراتی می باشد، در ادامه به برخی از مهمترین آنها اشاره خواهیم کرد. تغییرات برجسته برای کاربران با اینکه بعضی تغییرات بیشتر فنی هستند، چند مورد وجود دارد که مستقیماً توجه کاربر را جلب می‌کنند: اگر […]

  The post نسخه نهایی Fedora Linux 43 منتشر شد first appeared on طرفداران فدورا.

• Charles-Antoine Couret Sortie de Fedora Linux 43

  En ce mardi 28 octobre, les utilisateurs du Projet Fedora seront ravis d'apprendre la disponibilité de la version Fedora Linux 43.

  Fedora Linux est une distribution communautaire développée par le projet Fedora et sponsorisée par Red Hat, qui lui fournit des développeurs ainsi que des moyens financiers et logistiques. Fedora Linux peut être vue comme une sorte de vitrine technologique pour le monde du logiciel libre, c’est pourquoi elle est prompte à inclure des nouveautés.

  

  Expérience utilisateur

  L'environnement de bureau GNOME est proposé dans sa version 49. Cette version apporte comme d'habitude de nombreux changements. Tout d'abord l'application Showtime remplace Totem en guise de lecteur vidéo par défaut. Basée sur la bibliothèque GTK4 et libadwaita, elle reprend les canons esthétiques minimalistes des applications GNOME. L'interface s’efface derrière la vidéo, n'affichant que les fonctions de base essentielles.

  De même l'application pour afficher les documents notamment au format PDF passe de Evince à Papers. De la même manière que précédemment, elle utilise la nouvelle pile logicielle plus moderne, cela permet de refaire le visuel de l'application et d'améliorer dans le même temps les performances. La signature numérique des documents est aussi mieux intégrée de même que les annotations des documents.

  L'application de calendrier a eu une amélioration de son accessibilité avec un focus important sur la navigation exclusive au clavier, ce qui a nécessité une refonte de l'interface. L'interface s'adapte en fonction de la taille de l'écran avec notamment la barre latérale qui peut être masquée. Il est également possible d'exporter des événements dans un fichier ICS.

  Le navigateur Web bénéficie de nombreuses améliorations comme un bloqueur de publicités plus efficace avec plus de listes de blocage disponibles. La recherche dans la page est plus complète avec la prise en compte de la casse ou de la recherche de mots entiers uniquement. L'édition des marques pages, ainsi que le menu de sécurité pour la gestion des mots de passes ou des cartes de sécurité, ont été remaniés pour être plus simples.

  La boutique logicielle bénéficie d'une amélioration significative de ses performances, ce qui était son principal point faible en partie à cause du volume de données à gérer pour les différentes applications disponibles provenant des Flatpak. La boutique consomme moins de mémoire, navigue plus rapidement d'une application à une autre et effectue des recherches efficacement.

  La fonctionnalité de bureau distant s'améliore avec la prise en charge des entrées multipoints pour ceux utilisant un écran tactile. De plus le curseur de souris peut fonctionner avec un positionnement relatif ce qui était nécessaire pour quelques applications ou jeux vidéo. Ceux qui le souhaitent peuvent ajouter des écrans virtuels pour une telle session même s'il n'y a pas d'écrans physiques supplémentaires.

  De manière plus générale, l'écran de verrouillage permet de contrôler basiquement les applications multimédia, en particulier pour la musique. Il est d'ailleurs possible d'arrêter ou de redémarrer la machine depuis cet écran de verrouillage en activant l'option idoine avec la commande gsettings set org.gnome.desktop.screensaver restart-enabled true. Le bouton Ne pas déranger passe de la zone de notifications au menu principal de GNOME pour une meilleure cohérence de l'interface.

  Enfin de nouveaux fonds d'écran sont proposés afin d'exploiter les nouvelles capacités des écrans HDR et l'espace de couleur Display P3 qui sont pris en charge sur les machines compatibles. Capacités HDR qui ont été améliorées par ailleurs avec de nouveaux paramètres pour gérer finement la luminosité de ces types d'écran.

  GNOME fonctionnera uniquement en tant que session Wayland, les paquets liés à GNOME pour session X11 sont supprimés. Le projet GNOME a décalé cette décision pour sa prochaine version numérotée 50, mais Fedora maintient le cap car la qualité de ces sessions n'est pas aussi bonne que Wayland faute de tests et de maintenance de la part du projet depuis de nombreuses années. Grâce à XWayland, GNOME reste en capacité d'afficher et de gérer les applications (de plus en plus rares) reposant uniquement sur X11. Cela clôt en un sens la transition vers Wayland pour GNOME entamée il y a 9 ans déjà avec Fedora 25.

  Tous les Spins disposent par défaut de la nouvelle interface web d'Anaconda. Fedora Linux 42 ne l'avait proposée que pour Fedora Workstation, en partie parce que certaines options ont dû être ajoutées pour supporter les Spins. En effet, sous GNOME, une partie de la configuration est faite après l'installation avec l'application GNOME Initial Setup. Par conséquent les spins pourront en plus configurer depuis Anaconda la date et l'heure, le compte utilisateur et le nom de la machine. De même, la configuration de la disposition clavier est gérée de manière légèrement différente. Enfin, l'interface n'est pas forcément affichée par une session de Firefox mais peut l'être via le navigateur web fourni par l'environnement en question.

  Sur les machines x86_64 compatibles UEFI, Anaconda ne permettra plus d'installer Fedora si le format de partitionnement est basé sur MBR au lieu de GPT. Si la norme UEFI autorise une telle configuration, en réalité sa prise en charge correcte dépend des constructeurs et n'est pas bien testée notamment par l'équipe de Fedora ce qui rend une telle configuration peu fiable. De plus, le chargeur de démarrage GRUB2 suppose déjà qu'un système UEFI implique une table de partitions GPT. Cela a été maintenu par Fedora notamment pour permettre son utilisation dans le service cloud AWS qui ne proposait que de tels systèmes à une époque. Mais cette limitation n'a plus lieu d'être et sa suppression simplifie le test et réduit le risque de crashs au moment de l'installation. Cela ne concerne pas les autres architectures comme ARM car leur implémentation repose plus souvent sur MBR et est mieux gérée.

  

  L'installateur Anaconda utilise le gestionnaire de paquet DNF dans sa 5e version dorénavant. Cela améliore la vitesse des opérations à l'installation de Fedora et uniformise la gestion des paquets au sein de Fedora en simplifiant aussi les tests de la distribution.

  Fin de support de la modularité des paquets RPM dans l'installateur Anaconda. Les modules ont disparu dans Fedora depuis Fedora Linux 39, ce changement devenait nécessaire avec la non prise en charge des modules par DNF 5 qui est utilisé maintenant par Anaconda comme expliqué précédemment. Cela améliore aussi la maintenance d'Anaconda et de sa documentation en supprimant cette spécificité qui n'est plus utilisée.

  Activation de la mise à jour automatique du système pour la variante Fedora Kinoite. Grâce au système atomique, la mise à jour se fait en arrière plan et est appliquée au prochain redémarrage. La fiabilité de l'opération avec la possibilité de revenir à l'état précédent autorise une mise à jour automatique sans trop de problèmes pour simplifier la vie de l'utilisateur et améliorer la sécurité. Les mises à jour des firmware ne sont pas concernées pour des raisons de fiabilité. La mise à jour se fait par défaut de manière hebdomadaire et une notification pour inviter à redémarrer est affichée quand c'est pertinent. Cette fonctionnalité peut être coupée et la fréquence des mises à jour reste configurable.

  La police d'affichage d'émojis Noto Color Emoji utilise son nouveau format basé sur COLRv1 pour améliorer le rendu. Le rendu est meilleur car les images sont vectorielles et non sous forme d'images bitmap qui sont moins jolies quand la taille d'affichage augmente. Le tout en prenant moins d'espace disque.

  Le fichier initrd utilisé lors du démarrage est compressé avec zstd pour un démarrage plus rapide du système et une taille d'installation plus petite. Cela remplace la dépendance au binaire xz utilisé jusqu'alors, les tests montrent une baisse de la taille d'installation de quelques méga octets pour un temps de démarrage réduit de quelques secondes en moins.

  

  Gestion du matériel

  La taille de la partition /boot augmente de 1 Gio à 2 Gio par défaut. En effet la taille des firmwares, des initrd, du noyau, etc. ne cessent d'augmenter alors que la partition est restée à 1 Gio depuis 2016. Cela permet de réduire le risque de manquer de place dans un futur proche pour les nouveaux systèmes.

  Prise en charge de la technologie Intel TDX pour exécuter des machines virtuelles avec une plus grande isolation mémoire depuis Fedora Linux. Pour les machines compatibles, cela signifie que chaque machine virtuelle tourne dans un espace mémoire dédié qui est chiffré ce qui apporte des garanties de sécurité et d'intégrité des données pour le système virtualisé.

  Mise à jour de Greenboot vers la réimplémentation en Rust. L'objectif de ce composant est de fournir une vérification du système au démarrage et de redémarrer vers un état précédent du système en cas de défaut constaté ce qui est possible dans un système atomique et améliore l'expérience utilisateur en cas de mise à jour défectueuse. L'utilisateur a par ailleurs la possibilité d'ajouter ses propres tests. La précédente implémentation était en Bash et ne proposait que la prise en charge des systèmes basés sur RPM OSTree. Maintenant il peut gérer les systèmes reposant sur bootc qui est de plus en plus employé.

  Internationalisation

  La police de type monospace aura une police alternative de ce type par défaut en cas de manque dans une langue donnée. Jusqu'ici une police sans-serif était utilisée par défaut ce qui n'était pas idéal car les contextes d'usage sont différents et cela pouvait donner lieu à des comportement imprévisibles suivant les polices installées sur le système. Cela concerne notamment les langues suivantes : l'arabe, l'hébreu, le thaï, le perse, l'hindi, le khmer, etc.

  Administration système

  Le gestionnaire de paquets RPM passe à la version 6.0 tours par minute. Mais les paquets fournis par le projet Fedora utilisent encore le format de la 4e version. Cette version se focalise sur une amélioration de sécurité, par exemple les clés OpenPGP affichent la version complète de l'id de la clé si l'empreinte numérique n'existe pas. Il est possible de fournir plusieurs signatures à un même paquet permettant d'utiliser des clés différentes suivant la provenance et les objectifs. La construction du paquet peut générer automatiquement la signature ce qui est intéressant dans le cadre de l'empaquetage local. Les clés OpenPGP version 6 sont prises en charge de même que les algorithmes dits post quantiques à base de courbes elliptiques. Il est également possible d'utiliser Sequoia-sq au lieu de GnuPG. Les paquets générés avec la 3e version ne sont cependant plus exploitables.

  Réduction du nombre de règles SELinux dontaudit liés au type unlabeled_t. L'objectif de ces règles c'est souvent de réduire le nombre de rapports d'accès anormaux qui sont des faux positifs ou des accès bénins effectués par des applications mal écrites. Cette avalanche de notifications serait contre productive mais cacher ces accès sous le tapis ne permet pas de corriger ces comportements problématiques et complexifie le débogage. L'objectif est de désactiver seulement certaines de ces règles de la politique et non de les supprimer entièrement. Ainsi si le nouveau comportement vous pose problème, vous pouvez exécuter la commande # setsebool -P dontaudit_unlabeled_files 1 pour rétablir le comportement précédent.

  Le paquet gnupg2 pour fournir l'outil de chiffrement est dorénavant découpé en plusieurs sous paquets. Cela permet de réduire la taille du système par défaut car uniquement les paquets nécessaires seront installés par défaut, laissant de côté les binaires plus optionnels. L'autre bénéfice est de simplifier le remplacement par Sequoia-PGP car il nécessite la présence de certains binaires de GnuPG mais en remplace d'autres ce qui n'était pas possible de faire avec un paquet unique. Les installations existantes installeront tous les sous paquets par défaut pour éviter de casser les systèmes existants.

  Le filtre d'impression Foomatic-rip rejette les valeurs inconnues. En effet il est utilisé pour construire des commandes shell, PostScript ou Perl qui sont ensuite exécutées avant d'envoyer la tâche à l'impression via les options FoomaticRIPCommandLine, FoomaticRIPCommandLinePDF et FoomaticRIPOptionSettings. Cette flexibilité permet d'écrire ou de modifier facilement le pilote de l'imprimante en question mais est source de vulnérabilités de sécurité aussi. Pour limiter les risques, par défaut aucune valeur pour ces options ne sont autorisées. L'utilisateur doit exécuter foomatic-hash une fois pour vérifier la validité des options et s'assurer qu'elles ne font rien de problématiques et déplacer le dit fichier dans /etc/foomatic/hashes.d pour autoriser leur utilisation. Cela ne concerne à priori que des vieux pilotes d'imprimantes et une partie de ceux fournis par CUPS ont déjà les validations nécessaires. D'autres devraient venir progressivement. Les pilotes d'imprimantes déjà installés au niveau du système seront aussi automatiquement validés après une mise à niveau vers Fedora Linux 43. À cause de la flexibilité de la méthode d'origine, corriger ou détecter tous les comportements problématiques automatiquement n'est pas possible.

  Le projet 389 Directory Server ne permet plus de modifier ses bases de données BerkeleyDB. Les bases de données utilisaient par défaut LMDB depuis Fedora Linux 40 et l'abandon de BerkeleyDB se fera à priori pour Fedora Linux 45. L'objectif est de permettre la lecture des données pour les migrer vers le nouveau format et ainsi forcer les utilisateurs à effectuer la migration avant son abandon total.

  

  Le gestionnaire de base de données PostgreSQL est mis à jour à sa 18e version. Cette version améliore les performances dans le sous-système des entrées-sorties asynchrones et dans l'optimiseur des requêtes. D'ailleurs, la migration d'une base de données à une version suivante conserve les statistiques de l'optimiseur. Une nouvelle fonction uuidv7() permet de générer un UUID autorisant un tri basé sur un critère temporel. Par défaut les colonnes générées, celles dont le contenu est créé durant une opération de lecture, sont virtuelles et ne résident pas sur le disque. Les B-tree index multi-colonnes peuvent être utilisés plus souvent notamment s'il n'y a pas de contraintes sur les premières clés mais uniquement sur la dernière. Le protocole OAuth peut être utilisé pour s'authentifier dorénavant. Comme d'habitude, les versions 17 et 16 de ce logiciel restent disponibles dans les dépôts autorisant une mise à niveau progressive.

  Le gestionnaire de base de données MySQL passe par défaut à la version 8.4. La version 8.4 était déjà proposée dans les dépôts, elle remplace juste la version 8.0 en tant que version de base. Cette dernière reste disponible via le paquet mysql8.0.

  Le serveur de courriels Dovecot est mis à jour vers sa version 2.4. [https://doc.dovecot.org/2.4.0/installation/upgrade/2.3-to-2.4.html Cette version change de manière significative la configuration qui nécessite une adaptation. Il est maintenant possible de stopper une commande mail qui prend du temps proprement. Pour l'authentification, les fonctions de hashage SCRAM-SHA-1-PLUS et SCRAM-SHA-256-PLUS sont maintenant disponibles de même que les liaisons de canal TLS. La bibliothèque Lua permet d’interagir avec le client DNS et HTTP fourni par Dovecot.

  Le serveur d'application Tomcat est mis à jour vers sa version 10.1. Cela signifie qu'il suit la spécification Jakarta EE 10 ce qui implique un nouvel espace de nom qui passe de javax.* à jakarta.*. À cause de ce changement, la compatibilité ascendante n'est pas garantie et une recompilation des applications web est requise. De même l'API interne de Tomcat a beaucoup changé subtilement ce qui rend la compatibilité binaire impossible à garantir et nécessite une revue pour ceux qui interagissent avec ces APIs. Par défaut les requêtes et réponses Web se font en UTF-8 tandis que les sessions ne sont pas conservées après un redémarrage du serveur. Les fichiers de logs ne seront créés que lorsque du contenu doit être écrit dedans. Enfin les paramètres HTTP en commun entre HTTP 2 et 1.1 seront placés au niveau du connecteur HTTP 1.1 pour permettre à la version 2 d'en hériter et limiter ainsi la duplication des paramètres.

  Migration de l'utilitaire de journalisation lastlog à lastlog2. Le premier intérêt de cette migration est de corriger le bogue de l'an 2038 qui n'affecte pas ce dernier. Il peut également d'utiliser la base de données SQLite 3 pour le stockage. Il utilise aussi des composants PAM pour l'authentification et la sortie est compatible de manière ascendante également. De plus il est légèrement plus performant en augmentant la taille de stockage à partir du nombre d'utilisateurs et non du plus grand id utilisateur dans le lot. Le risque de problèmes de compatibilité devrait être faible. La migration vers le nouveau format sera effectuée automatiquement et des liens symboliques vers les noms des anciens binaires sont créés pour éviter de casser des scripts existants.

  L'information PLATFORM_ID dans os-release est supprimée. Cette information a été ajoutée dans le cadre de la modularité, mais avec l'abandon de celle-ci cette ligne n'est plus nécessaire. Ceux qui se basent sur cette information sont invités à changer d'approche.

  

  Développement

  La chaine de compilation GNU évolue avec binutils 2.45 et glibc 2.42. Pour binutils, les informations sframe générées par l'assembleur sont maintenant conformes avec la spécification SFrame V2. L'assembleur gère les dernières évolutions des architectures RISC-V, LoongArch et AArch64. Il peut également utiliser les directives .errif et .warnif pour avoir un diagnostic contrôlé par l'utilisateur avec des critères qui sont évalués uniquement à la fin de l'assemblage.

  Pour la bibliothèque C glibc, elle prend en charge de nouvelles fonctions mathématiques introduites dans C23 telles que ompoundn, pown, powr, rootn et rsqrt. Elle propose aussi en avance les fonctions valeurs absolues non signées qui seront proposées par la prochaine norme C. Ajout également de la fonction pthread_gettid_np pour connaître l'id d'un thread à partir d'une structure opaque pthread_t. Le cache local dans malloc gagne en performance pour les petites allocations mémoire et peut prendre en charge des blocs à mettre en cache de plus grande taille via l'option glibc.malloc.tcache_max. Le manuel a été particulièrement enrichi pour être plus complet notamment pour les threads, terminaux, systèmes de fichiers, ressources et fonctions mathématiques.

  L'éditeur de lien Gold du paquet binutils-gold est considéré comme déprécié et sera supprimé dans une version future. Fedora Linux a déjà quatre éditeurs de liens : ld.bfd, ld.gold, lld et mold. Se débarrasser de l'un d'entre eux qui n'est plus maintenu par le projet GNU n'est pas un problème et doit améliorer à terme la maintenance.

  Mise à jour de la chaine de compilation LLVM à sa version 21. Les cartes graphiques AMD voient une amélioration de la prise en charge de ROCm de même qu'un effort pour proposer une bibliothèque C pour GPU. Mais les architectures RISC-V ou cartes graphiques de Nvidia ont également quelques améliorations mineures de ce côté. Le compilateur C CLang optimise l’arithmétique des pointeurs avec le pointeur null et comme souvent le suivi des futurs standards C et C++ se poursuit. Le compilateur fait de meilleurs messages d'erreurs pour les erreurs de compilation.

  Côté Fedora, les RPM de ce projet sont compilés avec un profil d'optimisation ce qui devrait significativement améliorer les performances du compilateur maison.

  Le langage Python mue à sa version 3.14. Cette version propose des template strings pour étendre les capacités des f-string afin de plus facilement modifier la valeur de la chaîne de caractères à partir d'autres variables. L'évaluation différée des annotations permet de résoudre les annotations de type qui sont cycliques. De plus, un nouveau module concurrent.interpreters fait son apparition pour permettre l'exécution d'interpréteurs Python dans des fils d'exécution uniques pouvant communiquer entre eux, ouvrant la voie à un vrai parallélisme sans renoncer, pour le moment, au fameux verrou principal nommé GIL. Le module compression accueille l'algorithme zstd qui est de plus en plus utilisé dans divers projets libres. Enfin les UUIDs 6, 7 et 8 font leur apparition, permettant de générer des UUIDs respectant différents critères, les deux premiers autorisent un tri temporel quand le dernier est un assemblage de 3 entiers fournis en paramètre. Il y a évidemment d'autres changements améliorant notamment des performances ou rendant les messages d'erreurs plus clairs.

  Le langage Go passe à la version 1.25. Il est possible dans cette version d'activer le détecteur de fuites de mémoire à la compilation d'un programme par la commande go build -asan, le rapport sera généré à la fermeture du programme. La commande go vet détecte les appels de fonctions sync.WaitGroup.Add mal placés de même que l'usage de fmt.Sprintf("%s:%d", host, port) pour construire des adresses de connexions qui sont invalides en cas d'usage d'IPv6. Un nouveau ramasse-miettes expérimental fait son apparition, il doit réduire l'impact de ces opérations de 10-40% pour un programme standard qui fait beaucoup d'allocations et de désallocations de petits objets. En terme d'expérimentations, un nouveau module expérimental encoding/json/v2 fait son entrée en matière pour l'encodage et le décodage de JSON, qui doit être plus performant pour le décodage tout en supprimant certaines limitations. Pour les développeurs, un nouveau module runtime/trace.FlightRecorder permet de facilement enregistrer la trace d'événements précis dans le programme dans le contexte de débogage tout en étant léger pour ne pas perturber l'exécution du logiciel par les traces complètes habituellement utilisées. Dans le contexte du débogage, le format DWARF5 pour les informations de débogage peut être exploité ce qui améliore la taille du binaire et le temps de l'édition des liens par ailleurs.

  Le langage Perl fourni une réponse brillante avec sa version 5.42. L'accent a été mis pour améliorer les performances dans cette version. Mais en plus de cela, les méthodes peuvent être déclarées avec une visibilité réduite avec l'instruction my method, ces méthodes peuvent être appelées grâce à l'opérateur ->&. Deux nouveaux opérateurs expérimentaux all et any pour vérifier une condition sur l'ensemble, et respectivement aucun, des éléments d'une liste. Un pragma source::encoding peut être apposé sur un fichier source pour détecter les erreurs d'encodage du dit fichier s'il ne correspond pas à celui mentionné. Une classe peut générer automatiquement un setter pour un de ses attributs via l'attribut :writer qui fonctionne de manière analogue à :reader pour le getter.

  La boîte à outils Ruby on Rails démarrera voie 8.0. La gestion de certaines dépendances a été améliorée, en effet pour bénéficier de certaines fonctions telles que les Websockets, les jobs ou le cache il était nécessaire d'utiliser au choix MySQL, PostgreSQL ou Redis. Maintenant SQLite s'ajoute à la liste des possibilités et cela passe par de nouvelles couches d'abstractions Solid Cable, Solid Cache et Solid Queue. Fournir des fichiers statiques repose sur Propshaft au lieu de Sprockets, qui est bien plus simple en tirant profit des changements dans le monde Web opérés depuis 15 ans tels que les frameworks JavaScript ou la bonne gestion des petits fichiers avec le protocole HTTP/2 qui permettent de déléguer la gestion de ces problématiques aux frameworks JavaScript directement. Pour finir, elle propose un moyen simple de générer un template basique mais efficace pour la gestion de l'authentification d'une application, en exécutant bin/rails generate authentication vous obtenez un modèle basique pour la session et l'utilisateur avec des contrôleurs pour la session et l'authentification elle même.

  

  La machine virtuelle Java OpenJDK 25 est fournie. Parmi les changements, un effort a été consenti pour améliorer le mécanisme de l'Ahead-of-Time, la mise en cache de la JVM. Il devient en effet plus facile d'exécuter une application simple pour générer la liste des objets et modules nécessaires pour rendre les prochains lancement plus rapides et de même les profils générés pour accélérer l'application seront immédiatement exploités au démarrage pour également accélérer le lancement de l'application. Le système d'enregistrement des événements est étendu avec la possibilité d'enregistrer précisément le temps d'exécution d'une fonction et sa pile d'appels. Il est possible d'appeler d'autres fonctions ou opérations dans un constructeur avant qu'il n'appelle lui même un autre constructeur du même objet ou de sa classe parente ce qui peut simplifier le code en le rendant plus naturel.

  L'utilitaire dans l'écosystème Java nommé Maven bénéficie de la version 4 en parallèle de la version 3. La version 4 est accessible via le paquet maven4 depuis les dépôts. Parmi les changements fondamentaux, il y a une séparation entre les besoins de compilation et d'utilisation du fichier pom.xml qui mentionnait dans le détail les informations de compilation ou des dépendances ce qui était rarement utile pour les utilisateurs lors du déploiement. Maintenant le fichier destiné à être distribué ne mentionne plus ces informations superflues. Dans ce contexte, un nouveau type de paquet bom est fourni pour générer une liste de composants nécessaires pour ce logiciel ce qui est un atout dans une optique de traçabilité et de suivi des failles de sécurité par exemple. Pour clarifier la différence entre les modules de Maven et ceux de Java, les modules sont renommés subprojects, d'ailleurs ces sous-projets peuvent déduire des informations du parent comme sa version par exemple ce qui rend inutile de le mentionner à nouveau. Les sous-projets peuvent aussi être découverts au sein du projet évitant le besoin de les déclarer explicitement et systématiquement.

  Le compilateur pour le langage Haskell GHC a été mis à jour vers sa version 9.8 et son écosystème Stackage vers la version 23. Le langage fonctionnel dispose des ExtendedLiterals pour préciser le type précis d'un entier défini tel quel dans le code, comme 123#Int8 pour un entier représenté uniquement sur 8 bits. Dans le bas niveau, un logiciel compilé avec -mfma pour permettre l'usage des instructions, qui combinent multiplication et addition (telle que fmaddFloat# x y z qui donne x * y + z) si l'architecture matérielle les supporte ce qui peut améliorer les performances du programme. Il introduit des nouveaux pragmas WARNING et DEPRECATED à des fonctions d'un module pour signaler à un appelant de prêter attention à son utilisation, notamment en cas de suppression planifiée de la dite fonction.

  Le langage de programmation fonctionnel Idris dispose d'une mise à jour majeure vers sa 2e version. La version 1 reposait sur Haskell mais il devenait de plus en plus difficile de le générer avec des versions récentes du compilateur GHC. La version 2 est implémentée en Scheme et repose sur la théorie des types quantifiés, ainsi une variable assignée à une quantité 0 est effacée, assignée à une quantité 1 elle est utilisée une seule et unique fois, etc. Ce changement de paradigme rend de nombreux programmes écrits pour Idris 1 incompatibles. De plus le Prelude du langage ne contient que les éléments strictement nécessaires dans la plupart des programmes non triviaux, le reste est relégué dans dans la bibliothèque base.

  Le compilateur Free Pascal propose des paquets permettant la compilation croisée avec d'autres architectures. Ce changement facilite la compilation de programmes pour d'autres systèmes sans quitter sa Fedora Linux. Les paquets nécessaires sont de la forme fpc-cross-$CPU et fpc-units-$CPU-$OS où le premier fourni le compilateur en lui même à destination d'une architecture matérielle spécifique quand le second fourni des objets précompilés nécessaires la plupart du temps pour générer un programme pouvant s'exécuter sur le matériel et système considéré. Si vous souhaitez compiler pour du Windows x86 il faudra installer par conséquent les paquets fpc-cross-i386 et fpc-units-i386-win32.

  La bibliothèque d'Intel tbb pour paralléliser certaines tâches passe à la version 2022.2.0. Les changements sont relativement mineurs mais à cause de la rupture de compatibilité de l'ABI, les logiciels s'en servant doivent être recompilés pour fonctionner avec cette nouvelle version.

  La signature cryptographique des informations de débogage debuginfod est maintenant vérifiée automatiquement du côté du client. Les paquets RPM fournissaient la dite signature depuis Fedora Linux 39, le client comme serveur prenaient en charge la fonctionnalité, il ne manquait plus qu'une configuration adéquate pour permettre ce changement. Cela se fait en éditant le fichier de configuration /etc/debuginfod/elfutils.urls ainsi :

  ima:enforcing https://debuginfod.fedoraproject.org ima:ignore
  

  Cela ne le fait que pour les informations de débogage provenant du projet Fedora, pour les autres il faudra activer cela manuellement de manière similaire. En cas de signature invalide, les fichiers concernés seront rejetés et considérés comme non disponibles ce qui améliore la fiabilité et la sécurité du débogage.

  La bibliothèque Rust async-std est considérée comme dépréciée avant une suppression future. Il n'est en effet plus maintenu et il est recommandé de passer à la bibliothèque smol à la place.

  La bibliothèque Python python-async-timeout est considéré comme dépréciée avant une suppression future. Cette fonctionnalité est en effet fournie dans la bibliothèque standard depuis Python 3.11 rendant cette bibliothèque obsolète. Cependant une trentaine de paquets s'en servent encore directement rendant sa suppression impossible à ce stade.

  Le paquet python-nose a été retiré. Déprécié par Fedora depuis plus de cinq ans et sans maintenant depuis plus longtemps, sa suppression devenait nécessaire avec l'impossibilité de s'en servir avec la dernière version de Python. Les paquets qui en avaient encore besoin ont été corrigés pour s'en passer.

  Les paquets concernant d'anciennes versions de GTK pour Rust gtk3-rs, gtk-rs-core version 0.18, et gtk4-rs ont été retirés. Ils étaient dépréciés depuis Fedora Linux 42 car non maintenus.

  Projet Fedora

  Koji utilise localement au sein du projet Fedora une instance de Red Hat Image Builder pour générer certaines images qui en dépendent. Cela concerne les images Fedora IoT et Minimal qui étaient construites via l'infrastructure de Red Hat, Koji ne servant que d'orchestrateur côté Fedora. Cela posait quelques soucis dont la possibilité d'intervenir en cas de problèmes mais aussi le fait qu'il était impossible de geler les changements de l'infrastructure aux moments adéquats pour l'élaboration des nouvelles images. Le paquet koji-image-builder a été créé pour permettre d'exécuter cette machinerie localement au sein de l'infrastructure du projet Fedora. L'objectif est d'inclure cela dans Koji intégralement à terme quand ce sera suffisamment testé.

  La génération de l'image Core OS repose sur le fichier de définition de conteneurs Containerfile. Jusqu'ici l'image était conçue via RPM OStree avant d'être convertie en image OCI. L'objectif est donc de sauter l'étape RPM OStree en utilisant les conteneurs, l'image de référence est basée sur une Fedora Linux avec bootc. Cela simplifie la procédure de génération de l'image et permet facilement à quiconque de reproduire ces étapes s'il le souhaite en utilisant podman.

  Arrêt de publication des mises à jour de Core OS sur le dépôt OSTree. Cela fait suite au changement introduit dans la version précédente de Fedora où l'utilisation des images OCI avait débuté et que les nœuds existants allaient progressivement migrer vers ce format. Désormais maintenir la publication de mises à jour OSTree n'a plus de sens et permet de réallouer les ressources humaines et matérielles.

  Le système d'intégration continue de Fedora ne prend plus en charge le format Standard Test Interface. Il évoluait conjointement avec Test Management Tool qui a maintenant les mêmes capacités et continue d'évoluer. N'avoir plus qu'un format permet de simplifier la maintenance et l'outillage. Il y avait de plus en plus d'erreurs liées à l'usage de STI pour certains paquets incitant à faire la migration. Le format TMT a quelques avantages dont une meilleure organisation des tests et des environnements de tests. Les tests sont également reproductibles localement ce qui est important pour la résolution de problèmes. Grâce à l'intégration avec Packit il peut facilement exécuter les tests à partir des sources du logiciel si besoin ce qui est utile en cas de nouvelle version d'un paquet ou voir si un correctif spécifique à Fedora introduit des régressions.

  Les nouveaux paquets recevront automatiquement une nouvelle configuration basée sur Packit pour permettre la gestion automatique de certaines tâches dans le cadre des nouvelles versions de Fedora. Cette étape est faite lors de la création du projet sur le service src.fedoraproject.org, un correctif fournit automatiquement cette configuration initiale. Cela peut être manuellement désactivé lors de la création si un mainteneur ne le souhaite pas. L'intérêt est de simplifier l'accueil de nouveaux empaqueteurs mais aussi d'automatiser certaines tâches par défaut. En cas de nouvelle version d'un composant, le paquet avec cette version sera automatiquement crée pour identifier les éventuels problèmes, et s'il n'y en a pas, permettre de créer automatiquement la nouvelle version du paquet et de la diffuser si l'empaqueteur accepte cette nouvelle version. Cela peut aider à gérer plus de paquets et à mieux les maintenir sur le long terme.

  

  Les bibliothèques statiques fournies par les paquets RPM de Fedora conservent les informations de débogage pour permettre de comprendre l'origine des crashes des applications les exploitant. Cela est rendu possible par la mise à jour du composant debugedit qui permet une telle opération sans trop de problèmes. En effet il peut maintenant collecter les fichiers sources d'une bibliothèque statique et réécrire les chemins vers le répertoire /usr/src/debug comme attendu par les différents outils de débogage. Cependant les informations de débogage sont fournies dans les paquets RPM des binaires pour éviter la complexité de les inclure manuellement pour les développeurs qui en ont besoin dans leur logiciel. L'espace disque nécessaire pour ces informations est considéré comme relativement négligeable pour prendre cette décision. Pour les développeurs qui ne veulent pas des informations de débogage dans leur binaire peuvent exécuter la commande strip -g après l'édition de liens.

  Les macros dédiées pour générer les paquets Python reposant sur setup.py sont dorénavant dépréciées. Cela concerne les macros %py3_build, %py3_install, et %py3_build_wheel. En effet ces macros reposent sur ce script qui ne sera plus maintenu à partir d'octobre 2025 par le projet setuptools. L'objectif est d'inciter et de migrer progressivement ces paquets vers la nouvelle méthode reposant sur les macros %pyproject_* et exploitant le fichier de configuration pyproject.toml. Environ 35% des paquets Python de Fedora sont donc concernés par cette migration à venir qui permettra de moderniser et d'unifier les conventions tout en suivant les bonnes pratiques de l'écosystème Python.

  Les paquets Go sont compilés en utilisant par défaut les dépendances du projet compilé plutôt que d'utiliser systématiquement des dépendances basées sur des RPM gérés par le projet Fedora. En effet les binaires Go sont tous statiquement compilés donc l'objectif de maintenir des dépendances ne sert qu'à la construction des dits paquets. Cela concerne environ 1400 paquets pour générer 400 paquets avec un binaire Go. C'est beaucoup de travail de maintenance et cela limitait la possibilité d'inclure plus de paquets Go car il fallait empaqueter toutes les dépendances nécessaires au préalable. Cependant avec cette méthode il devient plus difficile de corriger les bogues ou problèmes de sécurité introduits par ces dépendances si Fedora ne les récupère pas. Et pour les cas où il est préférable d'avoir les dépendances gérées par le projet, cela sera un travail plus important pour un paquet donné car moins de dépendances seront déjà disponibles dans les dépôts. Le suivi des licences nécessite d'être adapté pour s'assurer qu'il n'y a pas de problèmes de compatibilité mais des outils existent déjà pour réduire cette problématique.

  Les paquets NodeJs utiliseront un nouveau formalisme pour le chemin de leurs dépendances. En effet le répertoire %{_libdir}/node_modules pointait vers un répertoire spécifique à une version de NodeJs comme %{_libdir}/node_modules20 pour la version 20 de NodeJs. Mais cette solution était plutôt pénible avec Fedora qui propose plusieurs versions de NodeJs en parallèle. L'objectif est de mettre en commun %{_libdir}/node_modules pour les modules où c'est possible, et pour ceux qui ont par exemple un binaire WASM, ils seront affectés dans un répertoire dépendant de la version. Cela simplifie la procédure d'empaquetage de ces composants tout en réduisant les doublons et en évitant les incompatibilités. Cela aide également à mettre en évidence les dépendances binaires cachées pour les reconstruire au sein du projet Fedora, ou les supprimer si cela n'est pas possible, à terme.

  Les macros CMake ne fourniront plus de variables d'installation non standards. Cela concerne les variables -DINCLUDE_INSTALL_DIR, -DLIB_INSTALL_DIR, -DSYSCONF_INSTALL_DIR, -DSHARE_INSTALL_PREFIX et -DLIB_SUFFIX. Cela ajoute de la confusion notamment parce que la signification de certaines variables n'est pas transparente comme INCLUDE_INSTALL_DIR qui pourrait attendre des chemins relatifs ou absolus. CMake 3.0 a standardisé beaucoup de choses dans GNUInstallDirs qui sont massivement utilisés depuis. Cela permet de mieux s'intégrer dans l'écosystème de ces projets et limite le risque d'erreurs lors de la construction des paquets.

  L'assembleur YASM est considéré comme déprécié pour utiliser NASM à la place. Il n'est en effet plus maintenu même si encore utilisé dans quelques paquets tel que Firefox. D'autres distributions ont déjà sauté le pas.

  Ajout des nouveaux macros RPM _pkg_extra_***flags pour permettre à chaque paquet d'ajouter des nouvelles options à la compilation à la liste par défaut fournie par le projet Fedora. L'intérêt est d'avoir un moyen standard d'étendre les options de compilation d'un paquet plutôt que chacun les édite à sa sauce et cela permet dans le même temps de voir facilement quels paquets et quelles options sont personnalisés.

  Certaines limitations de l'outil gpgverify utilisé par les mainteneurs de paquets sont corrigées permettant de supprimer des méthodes de contournement associés. En effet l'outil est utilisé pour s'assurer que les sources pour construire le paquet sont bien celles souhaitées. Par exemple il était incapable de lire plusieurs clés GPG fournis dans un fichier dédié comme nginx pouvait le faire. Il était également incapable de gérer automatiquement la signature des sommes de contrôle des archives, il exigeait que l'archive des sources elle même soit signée ce qui n'était pas toujours le cas. Maintenant il prendre également en compte les clés au format keybox. Le tout améliore la maintenance des paquets concernés mais évite aussi la possibilité de contourner la sécurité dans certains cas.

  La communauté francophone

  L'association

  

  Borsalinux-fr est l'association qui gère la promotion de Fedora dans l'espace francophone. Nous constatons depuis quelques années une baisse progressive des membres à jour de cotisation et de volontaires pour prendre en main les activités dévolues à l'association.

  Nous lançons donc un appel à nous rejoindre afin de nous aider.

  L'association est en effet propriétaire du site officiel de la communauté francophone de Fedora, organise des évènements promotionnels comme les Rencontres Fedora régulièrement et participe à l'ensemble des évènements majeurs concernant le libre à travers la France principalement.

  Si vous aimez Fedora, et que vous souhaitez que notre action perdure, vous pouvez :

  • Adhérer à l'association : les cotisations nous aident à produire des goodies, à nous déplacer pour les évènements, à payer le matériel ;
  • Participer sur le forum, les listes de diffusion, à la réfection de la documentation, représenter l'association sur différents évènements francophones ;
  • Concevoir des goodies ;
  • Organiser des évènements type Rencontres Fedora dans votre ville.

  Nous serions ravis de vous accueillir et de vous aider dans vos démarches. Toute contribution, même minime, est appréciée.

  Si vous souhaitez avoir un aperçu de notre activité, vous pouvez participer à nos réunions mensuelles chaque premier lundi soir du mois à 20h30 (heure de Paris). Pour plus de convivialité, nous l'avons mis en place en visioconférence sur Jitsi.

  La documentation

  Depuis juin 2017, un grand travail de nettoyage a été entrepris sur la documentation francophone de Fedora, pour rattraper les 5 années de retard accumulées sur le sujet.

  Le moins que l'on puisse dire, c'est que le travail abattu est important : près de 90 articles corrigés et remis au goût du jour. Un grand merci à Charles-Antoine Couret, Nicolas Berrehouc, Édouard Duliège, Sylvain Réault et les autres contributeurs et relecteurs pour leurs contributions.

  La synchronisation du travail se passe sur le forum.

  Si vous avez des idées d'articles ou de corrections à effectuer, que vous avez une compétence technique à retransmettre, n'hésitez pas à participer.

  Comment se procurer Fedora Linux 43 ?

  

  Si vous avez déjà Fedora Linux 42 ou 41 sur votre machine, vous pouvez faire une mise à niveau vers Fedora Linux 43. Cela consiste en une grosse mise à jour, vos applications et données sont préservées.

  Autrement, pas de panique, vous pouvez télécharger Fedora Linux avant de procéder à son installation. La procédure ne prend que quelques minutes.

  Nous vous recommandons dans les deux cas de procéder à une sauvegarde de vos données au préalable.

  De plus, pour éviter les mauvaises surprises, nous vous recommandons aussi de lire au préalable les bogues importants connus à ce jour pour Fedora Linux 43.

• Kiwi TCMS Brief history of Kiwi TCMS in France

  

  Brief history of Kiwi TCMS in France 🇫🇷:

  Notable events

  • November 2018 - initial French translation contributed by Christophe CHAUVET. It was the second foreign language which was actively translated at the time
  • February 2019 - Kiwi TCMS starts executing its Postgres test suite using the French translation. This is still the case today
  • April 2020 - Armadeus Systems - ARM and FPGA based embedded Linux systems - becomes our first customer from France
  • March 2022 - /e/ Foundation (Murena) publishes a “Test session with Kiwiâ€� section on their documentation website which is available at https://doc.e.foundation/testers#test-session-with-kiwi
  • May 2024 - Kiwi TCMS takes part of the first Open Source Founders Summit in Paris and later becomes a member of the Open Source Founders Association

  Individual code contributors

  Christophe CHAUVET - Python Developer and PostgreSQL architect

  Christophe is a Python Developer and PostgreSQL architect who is responsible for the initial translation of Kiwi TCMS into French. He has also worked on improving overall translatability of Kiwi TCMS, fixing multiple parts of the application by marking source strings as translatable. His earliest code contribution is from 22nd Jan 2019!

  Nicolas AUVRAY - PhD in quantum physics, 0 A.D. team member

  Nicolas is a high-school teacher of Physics and Chemistry, with a PhD in quantum physics and also a tem member of 0 A.D - a popular open-source game of ancient warfare. He has contributed documentation about running Kiwi TCMS behind a reverse proxy with HAProxy and was the original inspiration behind the now defunct Open-Source-Test-Management repository. His earliest code contribution is from 08th Mar 2019!

  Nicolas GELOT - Python lover, automation addict and trail runner

  Nicolas is a Python developer and (in his own words) an automation addict from Paris; a member of the /e/ Foundation team. He has contributed a bug-fix for the order of test cases when closing a TestPlan in Kiwi TCMS. His earliest code contribution is from 16th Dec 2021!

  Antoine LORENCE - Freelance Python/Django developer, FOSS enthusiast

  Antoine is a Python/Django developer from Angers and the author of django-modern-rpc - the library underlying the Kiwi TCMS API layer! He has worked on changes related to Kiwi TCMS compatibility with the latest version of django-modern-rpc . His earliest code contribution is from 23rd May 2022!

  Corporate references

  Our anonymous analytics report over 25k events/1 yr recorded by Plausible and 12k events/3 mo recorded by Scarf. Here are some of the more interesting ones:

  • Parsec - https://kiwi.parsec.cloud - proof-of-concept with Kiwi TCMS
  • CAP’TRONIC - captronic.fr - several training courses about Test Driven Development include Kiwi TCMS
  • e*Message - kiwi-tcms.emessage.fr - most active French installation
  • Allianz - kiwitcms.oav-allianz.fr - another Kiwi TCMS instance
  • Hiiro - kiwi.paris-int.hiiro.app - uses Kiwi TCMS for testing 2026 Marathon de Paris support in their mobile application
  • Airbus CyberSecurity - kiwi.dev.cyberrange.fr - latest Kiwi TCMS installation in France

  If you would like to know more and meet Kiwi TCMS in person you can do so at Open Source Experience, 10 & 11 Dec 2025 in Paris!

  ---

  If you like what we're doing please help us grow and sustain development!

  • Give â­� on GitHub;
  • Join our newsletter and follow all news;
  • Become a contributor and an awesome open source hacker;
  • Become a subscriber and help us sustain development

October 27, 2025

• Colin Walters Thoughts on agentic AI coding as of Oct 2025

  Sandboxed, reviewed parallel agents make sense

  For coding and software engineering, I’ve used and experimented with various frontends (FOSS and proprietary) to multiple foundation models (mostly proprietary) trying to keep up with the state of the art. I’ve come to strongly believe in a few things:

  • Agentic AI for coding needs strongly sandboxed, reproducible environments
  • It makes sense to run multiple agents at once
  • AI output definitely needs human review

  Why human review is necessary

  Prompt injection is a serious risk at scale

  All AI is at risk of prompt injection to some degree, but it’s particularly dangerous with agentic coding. All the state of the art today knows how to do is mitigate it at best. I don’t think it’s a reason to avoid AI, but it’s one of the top reasons to use AI thoughtfully and carefully for products that have any level of criticality.

  OpenAI’s Codex documentation has a simple and good example of this.

  Disabling the tests and claiming success

  Beyond that, I’ve experienced multiple times different models happily disabling the tests or adding a println!("TODO add testing here") and claim success. At least this one is easier to mitigate with a second agent doing code review before it gets to human review.

  Sandboxing

  The “can I do X” prompting model that various interfaces default to is seriously flawed. Anthropic has a recent blog post on Claude Code changes in this area.

  My take here is that sandboxing is only part of the problem; the other part is ensuring the agent has a reproducible environment, and especially one that can be run in IaaS environments. I think devcontainers are a good fit.

  I don’t agree with the statement from Anthropic’s blog

  without the overhead of spinning up and managing a container.

  I don’t think this is overhead for most projects because Where it feels like it has overhead, we should be working to mitigate it.

  Running code as separate login users

  In fact, one thing I think we should popularize more on Linux is the concept of running multiple unprivileged login users. Personally for the tasks I work on, it often involves building containers or launching local VMs, and isolating that works really well with a full separate “user” identity. An experiment I did was basically useradd ai and running delegated tasks there instead. To log in I added %wheel ALL=NOPASSWD: /usr/bin/machinectl shell ai@ to /etc/sudoers.d/ai-login so that my regular human user could easily get a shell in the ai user’s context.

  I haven’t truly “operationalized” this one as juggling separate git repository clones was a bit painful, but I think I could automate it more. I’m interested in hearing from folks who are doing something similar.

  Parallel, IaaS-ready agents…with review

  I’m today often running 2-3 agents in parallel on different tasks (with different levels of success, but that’s its own story).

  It makes total sense to support delegating some of these agents to work off my local system and into cloud infrastructure.

  In looking around in this space, there’s quite a lot of stuff. One of them is Ona (formerly Gitpod). I gave it a quick try and I like where they’re going, but more on this below.

  Github Copilot can also do something similar to this, but what I don’t like about it is that it pushes a model where all of one’s interaction is in the PR. That’s going to be seriously noisy for some repositories, and interaction with LLMs can feel too “personal” sometimes to have permanently recorded.

  Credentials should be on demand and fine grained for tasks

  To me a huge flaw with Ona and one shared with other things like Langchain Open-SWE is basically this:

  

  Sorry but: no way I’m clicking OK on that button. I need a strong and clearly delineated barrier between tooling/AI agents acting “as me” and my ability to approve and push code or even do basic things like edit existing pull requests.

  Github’s Copilot gets this more right because its bot runs as a distinct identity. I haven’t dug into what it’s authorized to do. I may play with it more, but I also want to use agents outside of Github and I also am not a fan of deepening dependence on a single proprietary forge either.

  So I think a key thing agent frontends should help do here is in granting fine-grained ephemeral credentials for dedicated write access as an agent is working on a task. This “credential handling” should be a clearly distinct component. (This goes beyond just git forges of course but also other issue trackers or data sources that may be in context).

  Conclusion

  There’s so much out there on this, I can barely keep track while trying to do my real job. I’m sure I’m not alone – but I’m interested in other’s thoughts on this!

• Kiwi TCMS Testing and Continuous Delivery devroom, FOSDEM'26

  

  Attention testers! On behalf of the Testing and Continuous Delivery devroom we'd like to announce that call for participation is now open. This room is about building better software through a focus on testing and continuous delivery practices across all layers of the stack. The purpose of this devroom is to share good and bad examples around the question “how to improve quality of our software by automating tests, deliveries or deployments” and to showcase new open source tools and practices.

  Note: for FOSDEM 2026 this devroom is a merger between the former Testing and Automation and Continuous Integration and Continuous Deployment devrooms and is jointly organized between devroom managers in previous FOSDEM editions! Kiwi TCMS is proud to be part of the team hosting this devroom!

  Important: devroom will take place on Sunday, February 1st 2026 at ULB Solbosch Campus, Brussels, Belgium! Presentations will be streamed online but all accepted speakers are required to deliver their talks in person!

  Here are some ideas for topics that are a good fit for this devroom:

  Testing in the real, open source world

  • War stories/strategies for testing large scale or complex projects
  • Tools that extend the ability to test low-level code, e.g. bootloaders, init systems, etc.
  • Projects that are introducing new/interesting ways of testing "systems"
  • Address the automated testing frameworks fragmentation
  • Stories from end-users (e.g. success/failure)
  • Continuous Integration
  • Continuous Delivery
  • Continuous Deployment
  • Security in Software Supply Chain
  • Pipeline standardization
  • Interoperability in CI/CD
  • Lessons learned

  Cool Tools (good candidates for lightning talks)

  • Project showcases, modern tooling
  • How your open source tool made developing quality software better
  • What tools do you use to setup your CI/CD
  • Combining projects/plugins/tools to build amazing things "Not enough people in the open source community know how to use $X, but here's a tutorial on how to use $X to make your project better."

  In the past the devroom has seen both newbies/students and experienced professionals and past speakers as part of the audience and talks covering from beginner/practical to advanced/abstract topics. If you have doubts then submit your proposal and leave a comment for the devroom managers and we'll get back to you.

  To submit a talk proposal (you can submit multiple proposals if you'd like) use Pretalx, the FOSDEM paper submission system. Be sure to select Testing and Continuous delivery otherwise we won't see your proposal!

  Checkout https://fosdem-testingautomation.github.io/ for more information!

  Happy Testing!

  ---

  If you like what we're doing and how Kiwi TCMS supports various communities please help us!

  • Give ⭐ on GitHub;
  • Join our newsletter and follow all project news;
  • Become a contributor and an awesome open source hacker;
  • Become a customer and we'll share our profits with the community

October 25, 2025

• Daniel Pocock Bad faith: can’t change Debian Social Contract (DSC) without unanimous consent of every joint author

  In 2022, Debianists had a vote to allow some binary blobs to be included in the Debian installer images. GR 2022-3 on "non-free" firmware.

  In my last blog, I examined how the use of the term "non-free" to describe purely binary artifacts is a social engineering attack. Real Debian Developers and the people who use our work have a very clear expectation that "non-free" describes source code without a fully free license. In Debian speak, the term "non-free" has nothing to do with binary blobs. People trying to use the term "non-free" for two unrelated concepts at the same time are causing confusion.

  Nonetheless, this blog introduces another critical comment about the General Resolution (GR): the vote was not valid in the first place.

  The original Debian Social Contract was adopted on 5 July 1997. Ever since then, people have worked together to create the Debian intellectual property through a process of joint authorship. In doing so, we waived our rights to royalties and we accepted the terms of the Debian Social Contract as one of the substitutes for payment.

  Each new release of Debian is a derivative of the previous releases.

  The influence of each Debian Developer is much bigger than the packages we published. We do a range of things, for example, mentoring newcomers and participating in discussions and votes about parts of the system that are shared between all packages. Many of those common features of Debian would be different in some subtle way if certain people had never been present in the first place.

  After engaging in that creative process, there is no way that we can roll back Debian to separate the influence of the people who did not consent to change the Debian Social Contract.

  Therefore, if the Debian Social Contract will ever be changed, it is necessary to have the consent of every Debian Developer who ever contributed or collaborated on Debian after 5 July 1997.

  Consent is vital in contracts and agreements. People who did not vote for the change are not consenting. To understand the significance of this imagine a group of three men and two women. Can they vote for the women to be slaves to the men? Would such a vote be valid because over sixty percent support the outcome? If all five people in the group do not consent to this activity, it is probably a crime.

  The only other way to proceed is to create some paraller project or fork that is not Debian at all with its own social contract. The derivative project could not be called Debian though.

  Please see the chronological history of how the Debian harassment and abuse culture evolved.

October 24, 2025

• Jon Chiappetta Linux Routing – Load Balancing

  So, I also learned another new lesson recently that the Linux kernel way back in the day used to properly load balance routes (nexthop weights) by making use of a routing cache to remember which connection is associated with which route. Then, that cache implementation was removed and replaced instead with sending individual packets randomly down each route listed (similar to how I was initially approaching the OpenVPN load balancing between multiple threads). This, however, would break connection states and packet ordering as the two route links may be going to separate places entirely. Then, the Linux kernel developers decided to implement a basic hash mapping algorithm that would associate a connection stream with the same routing hop, always. This is a very limited form of load balancing as the same source+destination address will always map to the same hash which will always match the same routing path every time (this will be even more limiting also if you are using a source NAT).

  It turns out there is another trick to get some more dynamically distributed load balanced routing under Linux which is to make use of the iptables mangle table and connmark a new connection state so that the conntrack table can save+restore the specified packet markings. You can then set an ip rule to pick up these firewall markers and associate them to a different routing table. In addition to this, you are able to use a random algorithm or modding algorithm to evenly set different marks giving you even greater routing variety!

  $ipt -t mangle -A PREROUTING -j CONNMARK --restore-mark
  $ipt -t mangle -A PREROUTING -i lan -m mark --mark 0x0 -m statistic --mode nth --every 2 --packet 0 -j MARK --set-mark 8
  $ipt -t mangle -A PREROUTING -i lan -m mark --mark 0x0 -m statistic --mode nth --every 1 --packet 0 -j MARK --set-mark 9
  $ipt -t mangle -A POSTROUTING -j CONNMARK --save-mark

  echo "8 vpna" >> /etc/iproute2/rt_tables
  echo "9 vpnb" >> /etc/iproute2/rt_tables
  ip rule add fwmark 8 table vpna
  ip rule add fwmark 9 table vpnb

  You can then now add your VPN tunnel routing rules to both new ip routing tables, for example, vpna and vpnb!

  ~

• Kiwi TCMS Kiwi TCMS 15.1

  We're happy to announce Kiwi TCMS version 15.1!

  IMPORTANT:

  This is a minor version release which includes security related updates, several improvements, new API methods and new translations.

  Recommended upgrade path:

  15.0 -> 15.1
  

  You can explore everything at https://public.tenant.kiwitcms.org!

  ---

  Public container image (x86_64):

  pub.kiwitcms.eu/kiwitcms/kiwi   latest  9b33a6e47c0f    696MB
  

  IMPORTANT: version tagged and multi-arch container images are available only to subscribers!

  Changes since Kiwi TCMS 15.0

  Security

  • Update Django from 5.2.6 to 5.2.7, addressing one security vulnerability with severity “high” and one security vulnerability with severity “low”: CVE-2025-59681 and CVE-2025-59682

  Improvements

  • Update jira from 3.8.0 to 3.10.5
  • Update psycopg[binary] from 3.2.10 to 3.2.11
  • Update python-gitlab from 6.3.0 to 6.5.0
  • Update uwsgi from 2.0.30 to 2.0.31
  • Display records count in TestPlan page. Fixes Issue #4110
  • Add 'Deactivate selected accounts' dropdown on /admin/auth/user/ page
  • Add 'Deactivate' button in 'Change user' admin page

  API

  • Add User.deactivate() API method
  • Update documentation and tests for User.filter() method
  • Add new internal signal USER_DEACTIVATED_SIGNAL. Sent when account is deactivated

  Refactoring and testing

  • Update actions/setup-node from 5 to 6
  • Update github/codeql-action from 3 to 4
  • Update isort from 6.0.1 to 6.1.0
  • Update locust from 2.34.1 to 2.42.0
  • Update node_modules/webpack from 5.101.3 to 5.102.1
  • Pin intermediate dependency Pillow to 11.3.0 to fix failing container build
  • Define a login_form template block in login.html
  • Update Bitbucket repository URL b/c the original repository has reached a limit of 10k issues and new ones cannot be created anymore
  • Add login tests for disabled accounts via browser
  • Add tests for API login and method calls from deactivated accounts
  • Collect logs from Postgres container during testing

  Translations

  • Updated Japanese translation

  Kiwi TCMS Enterprise v15.1-mt

  • Based on Kiwi TCMS v15.1
  • Update certbot from 4.2.0 to 5.1.0
  • Update kiwitcms-tenants from 4.2.0 to 4.3.0
  • Update sentry-sdk from 2.38.0 to 2.42.1
  • Update social-auth-app-django from 5.5.1 to 5.6.0
  • Redirect /admin/login/ to /accounts/login/
  • Add 'Export as CSV' dropdown on /admin/auth/user/ page
  • Add PASSWORD_LOGIN_ENABLED setting

  Private container images

  hub.kiwitcms.eu/kiwitcms/version          15.1 (aarch64)        c363e5d8b45c   24 Oct 2025      706MB
  hub.kiwitcms.eu/kiwitcms/version          15.1 (x86_64)         994fde01a325   24 Oct 2025      696MB
  hub.kiwitcms.eu/kiwitcms/enterprise       15.1-mt (aarch64)     377a5b6a6b8e   24 Oct 2025      976MB
  hub.kiwitcms.eu/kiwitcms/enterprise       15.1-mt (x86_64)      6e897543a398   24 Oct 2025      955MB
  

  IMPORTANT: version tagged, multi-arch and Enterprise container images are available only to subscribers!

  How to upgrade

  Follow the Upgrading instructions from our documentation.

  Happy testing!

  ---

  If you like what we're doing and how Kiwi TCMS supports various communities please help us grow!

  • Give ⭐ on GitHub;
  • Join our newsletter and follow all project news;
  • Become a contributor and an awesome open source hacker;
  • Become a subscriber and help us sustain development

• Fedora Community Blog Infra and RelEng Update – Week 43 2025

  This is a weekly report from the I&R (Infrastructure & Release Engineering) Team. We provide you both infographic and text version of the weekly report. If you just want to quickly look at what we did, just look at the infographic. If you are interested in more in depth details look below the infographic.

  Week: 20th – 24th October 2025

  

  Infrastructure & Release Engineering

  The purpose of this team is to take care of day to day business regarding CentOS and Fedora Infrastructure and Fedora release engineering work.
  It’s responsible for services running in Fedora and CentOS infrastructure and preparing things for the new Fedora release (mirrors, mass branching, new namespaces etc.).
  List of planned/in-progress issues

  Fedora Infra

  • increasing koschei failures due to kojipkgs0X.fedoraproject.org being unavailable
  • src.fedoraproject.org is often unavailable
  • db01.rdu3.fedoraproject.org timeout (postgresql?) when running git push to my rpms/haruna fork
  • Archive openarm_can package
  • need to have respins01.fedorainfracloud.org rebooted please
  • Requesting merge access to https://pagure.io/fedora-infra/ansible for Jiri Podivin
  • Error when attempting to set the bugzilla assignee from src.fp.o pagure
  • 502/503 when reaching https://koji.fedoraproject.org/kojihub/
  • Please remove file from lookaside cache
  • Planned Outage – ibiblio vlan move – 2025-10-13 21:00 UTC
  • CentOS Stream crb-source repo has a checksum error
  • Opt-in for AWS region to ap-southeast-6 acct:125523088429
  • Update standupbot to used Done and Planned
  • [Forgejo] Create a Fedora Docs organization on Forgejo
  • Create a Fedora Atomic Desktops organization on Forgejo
  • Help me move my discourse bots to production?
  • Move from iptables to nftables (was firewalld)
  • Move ibiblio machines to new vlan

  CentOS Infra including CentOS CI

  • Validate RDU3 Netapp NFS storage
  • CBS permissions for centos-release-ovirt45 in extra’s
  • Add fedora-messaging TLS client validity check in zabbix
  • Stream repositories in CBS seem to be out of date
  • Automotive SIG gpg key update?
  • Reinstall IBM Power 10 in LPAR mode

  Release Engineering

  • Block python-atomicwrites in F43
  • Freeze Exception: Upgrade Koji builders to image-builder-39-1.fc42
  • fedora-scm-requests for rpms/perl-Net-IDN-PP failed: Remote end closed connection without response
  • Unretire pysubnettree
  • Please remove gnome-sig commit access from krb5-auth-dialog
  • “initial_commit”: false not respected in fedora-scm-requests
  • Some packages retired in dist-git not getting blocked in koji
  • Create detached signatures for the ignition 2.24.0 release
  • Release Management Support Request – F44
  • Create Fedora 43 Final candidates
  • Assign systemd package to zbyszek
  • Change impact: Python 3.15 (Fedora 45)
  • Retired package rust-rstest0.23 not blocked in F43, Rawhide
  • F44 System-Wide Change: Switch Fedora Cloud to /boot as a Btrfs subvolume
  • Please make el10-openjdk to follow 10.2 or – better- some rolling el10
  • Update pungi filters

  If you have any questions or feedback, please respond to this report or contact us on #admin:fedoraproject.org channel on matrix.

  The post Infra and RelEng Update – Week 43 2025 appeared first on Fedora Community Blog.

• Remi Collet ⚙️ PHP version 8.3.27 and 8.4.14

  RPMs of PHP version 8.4.14 are available in the remi-modular repository for Fedora ≥ 41 and Enterprise Linux ≥ 8 (RHEL, Alma, CentOS, Rocky...).

  RPMs of PHP version 8.3.27 are available in the remi-modular repository for Fedora ≥ 41 and Enterprise Linux ≥ 8 (RHEL, Alma, CentOS, Rocky...).

  ℹ� The packages are available for x86_64 and aarch64.

  ℹï¸� There is no security fix this month, so no update for versions 8.1.33 and 8.2.29.

  These versions are also available as Software Collections in the remi-safe repository.

  Version announcements:

  • PHP 8.4.14 Release Annoucement
  • PHP 8.3.27 Release Annoucement

  ℹ� Installation: use the Configuration Wizard and choose your version and installation mode.

  Replacement of default PHP by version 8.4 installation (simplest):

  dnf module switch-to php:remi-8.4/common
  

  Parallel installation of version 8.4 as Software Collection

  yum install php84

  Replacement of default PHP by version 8.3 installation (simplest):

  dnf module switch-to php:remi-8.3/common
  

  Parallel installation of version 8.3 as Software Collection

  yum install php83

  And soon in the official updates:

  • Fedora Rawhide now has PHP version 8.5.0RC3
  • Fedora 43 - PHP 8.4.14
  • Fedora 42 - PHP 8.4.14
  • Fedora 41 - PHP 8.3.27

  ⚠� To be noticed :

  • EL-10 RPMs are built using RHEL-10.0
  • EL-9 RPMs are built using RHEL-9.6
  • EL-8 RPMs are built using RHEL-8.10
  • intl extension now uses libicu74 (version 74.2)
  • mbstring extension (EL builds) now uses oniguruma5php (version 6.9.10, instead of the outdated system library)
  • oci8 extension now uses the RPM of Oracle Instant Client version 23.8 on x86_64 and aarch64
  • a lot of extensions are also available; see the PHP extensions RPM status (from PECL and other sources) page

  ℹ� Information:

  • Migrating from PHP 8.2.x to PHP 8.3.x
  • Migrating from PHP 8.3.x to PHP 8.4.x

  Base packages (php)

  

  

  Software Collections (php83 / php84)

  

  

October 23, 2025

• Daniel Pocock Social engineering attack: Debian voted to trick you on binary blobs

  Many people expressed mild dismay about the 2022 vote to allow binary blobs in the Debian installer.

  Few people, if any, commented on the trick: they have used the term "non-free" to refer to these blobs.

  This is another social engineering attack in broad daylight.

  In the Debian world, to classify software as non-free, it still has to provide all of the source code. The term non-free tells us that there is something awkward about the license for that source code but when you see the term non-free, you know the source code is there.

  From the Wayback machine snapshot of Debian web site in 1997:

  Packages in this directory do not necessarily cost money, but have some onerous condition restricting the redistribution of the software.

  Yet if we look at the Debian policy manual today, we find the thin end of the wedge:

  It is possible that there are policy requirements which the package is unable to meet, for example, if the source is unavailable. These situations will need to be handled on a case-by-case basis.

  The text of the policy manual has been softened up so that somebody with enough power, like an FTP Master, could slip something in under the radar. Remember the concerns expressed by AJ Towns about giving too much power to one person? Does his client exert pressure on him to take shortcuts when necessary to ensure their flights stay on schedule?

  Non-free licenses typically have some clauses in them that allow us to redistribute the source code but they make some limit on how the code can be used. For example, the very famous case of the original JSLint license, containing the clause "The Software shall be used for Good, not Evil." is a non-free license. However, the JSLint developers always provided one hundred percent of the source code.

  The community has accepted the definition of non-free over three decades. Yet since the vote in 2022, people are using exactly the same term, non-free, to refer to something that is even less free than non-free.

  They softened us up to the term non-free over thirty years. The 2022 general resolution vote allows them to use our understanding of the term non-free to exploit us and give us something other than what we came to expect from that term.

  IBM Red Hat very explicitly told people that RHEL source code can't be distributed any more. The wording of the Debian general resolution sent us down the same path by stealth.

  To put it another way, they voted to broaden the definition of non-free so the term no longer has any value at all.

  We saw the same phenomena with the word "harassment". They now use the word "harassment" to describe anything they don't agree with. When competent professionals ask urgent questions about the social engineering attacks, the misfits cry "harassment" to avoid looking us in the eye.

  Leaked debian-private archives give us many insights into how the Debian founders put great thought into the meaning of these words.

  Remember, they spent over $120,000 on legal fees to argue about the trademark. Why didn't anybody defend the real meaning of the non-free trademark? For many users, the non-free trademark is far more important than nit-picking about pronouns.

  Please see the chronological history of how the Debian harassment and abuse culture evolved.

October 22, 2025

• Jon Chiappetta Solving a Final Remaining Performance Impact with Mutli-Threaded Operation by using Connection-State Mapping in the Highly-Modified OpenVPN Source Code [Implementation]

  In my previous blog post, I started observing strange performance issues with using my network-wide, highly-modified OpenVPN application setup. I noticed that everything ran fast and speedy in bulk-mode, however, in mtio-mode things began to not work as smoothly as expected (speed tests were good, TCP seemed alright, but UDP appeared fairly impacted). When I thought about it more in depth, I realized that my multi-threaded implementation of OVPN was simply throwing any data read off of the TUN interface into any available thread all at the same time to try and maximize parallel performance. The issue with doing it this way was that I was breaking up the ordering of packets in either of the UDP or TCP “streams” of data and non-advanced/capable API applications were not able to handle this as well as expected (although TCP seem to fair a bit better but you could still sense a hesitation or lag to the connection).

  I wrote about this observation to the OpenVPN devs and they agreed that this setup could cause connection problems with having to perform mass-reordering of all the packets all the time. I then came up with the split tunnel solution in my previous post which did help to temporarily solve the issue, however, I wanted to find a way to solve the issue in source code as well instead. I did not, however, want to implement packet tracking and ordering as I would then be basically re-implementing the whole entire functionality and complexity of a TCP protocol all over again. Instead, I chose another way to help prevent this issue which was to implement a simple version of connection state tracking and mapping (similar to how iptables conntrack would work). All I would need to do is parse and extract the source+destination addresses from the packet header and place them in a mapping table for a brief amount of time and associate that connection “stream” of data with an available thread. When you combine this change with the bulk-mode operation, it now makes for a very snappy and performative VPN experience overall. I was able to implement this change in less than 75 lines of code with only a single helper method!

  Complete Code Change Commits: github.com/stoops/openvpn-fork/compare/master…bust

  

  ~

  

  ~

• Daniel Pocock Mysterious grant forfeited, $100,000 from Software in the Public Interest accounts 2023

  Techrights has recently reported on a grant of $100,000 forfeited by Software in the Public Interest, Inc (SPI).

  SPI acts as an umbrella for multiple free and open source software projects. Their form 990 public filings do not give a per-project breakdown.

  Somebody may be able to pick through the month-by-month financial reports and identify when they received this grant, when they gave it back and which organization it relates to. Or somebody could try to ask them.

  Grants often come with conditions. In some cases, an organization applies for a grant in good faith and later on, after receiving the money, they decide that spending the money, under the conditions they agreed to, is no longer profitable for the organization so they give it back.

  Sometimes the conditions include specific targets or deadlines. In those cases, the organization may be doing some work but they miss the deadline. If they incurred expenses related to the project and then gave the money back then the community needs to look very closely at what went wrong.

  During 2025, the new US Government administration has canceled many grants. The reports being discussed from SPI relate to the return of a grant in 2023, prior to the Trump administration.

  Prior to the death of Abraham Raji, the accounts from SPI showed us over $120,000 spent on legal fees for censoring discussions about Debianism. Yet DebConf organizers asked volunteers to contribute their own money to the day trip and Abraham Raji was left alone, swimming unsupervised, and he drowned.

  While waiting for more details about this money from 2023, now is a good time to go and read through the leaked debian-private archives to see some of the discussions about the secret strategy for SPI and why SPI was created separately from Debianism.

  Read more about governance issues at Software in the Public Interest, Inc.

• Daniel Pocock Evidence: bullying, student union behaviour: Armijn Hemel’s FSFE resignation

  A few years ago, Armijn Hemel silently resigned from the FSFE misfits.

  But it wasn't really a silent resignation. He sent an internal resignation email citing the behaviour of certain bullies and telling people that their behaviour reminds him of a student union.

  * Bad organizational management

  FSFE feels like it is reverting back to being run like a student union, whereas in the past people tried to make it more professional. FSFE's management makes very basic and unnecessary mistakes unworthy of an organization trying to have global influence. This is hurting FSFE. Even though this has been addressed a few times (by some, including myself) nothing seems to be done to rectify these mistakes.

  and this really jumps out at us:

  * No improvements/personal attacks

  None of the issues mentioned above are new (and if they are, then QED) and have been mentioned before. What I have noticed when issues are mentioned is that either one of these three things happens:

  - they fall on deaf ears

  - they are acknowledged and then ignored

  - FSFE gets very defensive, or launches personal attacks. The most glaring case was when the vice-president recently came barging in and arrogantly threw insults left and right without understanding any of the background of the situation, and launched a vicious personal attack on two of the previous legal coordinators.

  and Armijn's conclusion:

  All these things combined have tipped the scales and now the negative far outweighs the positive (because there is very little positive left in my opinion). I no longer feel that FSFE is the right place for me, or that it is advancing free software in Europe (especially the legal field) and it is better to focus my energy somewhere else where I can have a more positive impact.

  Read more about the FSFE misfits usurping the name of Dr Richard Stallman's FSF.

• Daniel Pocock Evidence: psychological abuse, stalking, Galia Mancheva, Susanne Eiswirt ignored by FSFE judgment for Matthias Kirschner

  In 2020, we know that Susanne Eiswirt suddenly left the FSFE misfits and Galia Mancheva was forced to take long term medical leave.

  Mancheva started a law suit against the FSFE misfits and Matthias Kirschner in particular.

  In Germany, women seem to have very few rights and the court gave a judgment in favour of Matthias Kirschner.

  Nonetheless, Matthias Kirschner did not deny the allegation that he went to the home of a female employee even after being given written notice not to do so ever again.

  Copied from the blog of Galia Mancheva:

  ————– I took FSFE to court. This is my story ––––– Soon after the first lockdown in Berlin this year I filed a public case in the Berlin Tribunal of Labour Court against the president of Free Software Foundation Europe (FSFE), Matthias Kirschner, for workplace bullying. Why? A female colleague and me had dared to discuss wage transparency and gender pay gap in the office. Apparently it is common in Germany that this gap exceeds 20%, but we both felt secure that the free software movement is progressive, and cares about being inclusive and equal opportunities oriented. Unfortunately we miscalculated – our boss Matthias was beyond furious. After that office meeting, he told my colleague “there will be consequences”. Our efforts coincided with the resignation of Richard Stallman from the US-based sister organisation of FSFE due to careless revictimisation of female victims of sexual abuse- another gender discrimination issue in our community that would cause the situation in our office to deteriorate quickly. In its reluctant press release on this pivotal change in leadership in the largest free software organisation in the world, the FSFE had opted to honour Stallman for his undeniably long service and overlook the social issues underlying the change – something with which I expressed dissatisfaction, and not without support from colleagues. It led to immediate retribution. I was ordered to rewrite the text and was warned that I had “three hours to do it. Whether we will publish it or not, is going to be my [Matthias', my rem.] decision, not yours”. Free software is in most of our digital infrastructure, and I care a lot about inclusivity in this community to ensure that our most basic tools can be developed by everyone's perspectives for everyone's needs, so I rewrote our announcement. But not only was it never published – it was not even honoured with his feedback. My aforementioned female colleague, who had also backed me up, was fired just a few days later. Personally, I was subjected to a good amount of pressure and strategic intrigues. I was given tasks irrelevant to my job description and far below my qualifications. I was degraded both as a professional and due to who I am through instructions such as “translate this [text] in your mother tongue, so you can understand better”. I was belligerently micromanaged and questioned through rebukes like “why do you refer to dates in this format and not in that format”, while there is no office policy on following a particular date standard. I was even told some of the things I was working on were bullshit! For 3 months I was pushing for time to launch a newsletter survey as an attempt to make qualitative improvements, but my effort was labelled as “not necessary”. I was regularly nagged, and prevented from doing the work I was hired for. In front of my colleagues I was tasked with one thing and in private I was asked not to do it and have it replaced with another, and then in front of others asked about the progress on the previous. Matthias was manufacturing the false impression I wasn't doing my work, while at the same time calling and texting my private phone number in obscure hours (such as 5:00AM or 22:00PM) with work orders and topics. Unlike other colleagues, I had a hard time receiving time off for the extra days I worked on, and was prevented from taking any of my annual holidays. I suspected Matthias was preparing to fire me, and indeed I was on a clock. He needed to make sure he was re-elected FSFE president before he could get rid of me. It would have damaged his chances to have fired all the full-time women in the office in the two months leading up to the elections – an unnecessary risk – but once approved he would have another two years' free reign. At this time my friends were starting to worry – the psychological pressure and lack of enough time off caused my condition was decline. I had to take a sick leave. Certain that I was about to get fired, my friends encouraged me to seek legal counsel, if so only to keep myself focussed on constructive tasks. Immediately after my sick leave announcement, Matthias fired me over the phone on a Friday night, and threatened me to immediately go to the office to hand over work-related items. Appearing in the office during a sick leave is illegal in Germany, so I refused. A weekend of non-stop calls followed, including from hidden phone numbers. He even texted telling me I should answer my phone, for my own better. Even after my lawyer warned him to terminate all attempts to communicate with me and send someone else to pick up my work laptop, he came in person to my house, and was very irritated that I was not alone. Eventually, of course, my sick leave ended, I was fired, and there was a global pandemic with follow-on lockdowns. It was against this background that I filed a complaint in the Anti-Discrimination Commission in Germany and I filed a case against him in court for work-place bullying. Disappointingly, it turned out, the Commission does not have much legal authority for actions, so I proceeded further only with the bullying case. During the process, one curious clue popped up. In one of the publicly available answers to the court he argued I had no reason to doubt a gender pay gap, because you see, there was this male trainee that was having a lower pay than me. But, not only does the FSFE rate women salaries lower, but also foreigners. So, if you happen to be a foreign woman – well, tough luck. At the same time they are proudly proclaiming the office “international” and “inclusive” when pursuing donor relations or in relations to the public. The court process was taxing. The FSFE lawyer made up easily disprovable slanders against me – and I say “easily” because their charges were demonstrably false, but of course finding evidence that is also admissible in the conservative German court system did not do much good for my stress levels over summer. They disrespected the court by not submitting papers on time, and they refused to answer my allegations, opting instead to portray me as a disobedient, sexist, racist, incompetent belligerent. Why did they give such a person a permanent contract after a six month probation period? Well, magnanimously they apparently were afraid that I would otherwise be disappointed. Now, I finally received the Labour court's verdict some days ago. The court basically says that even though they recognise my claims as true I do not qualify for financial remuneration because I did not suffer for at least a year and I did not end up having major psychological damage of my identity. I was accused by the FSFE that my claim was driven by a desire for a quick financial gain. Unfortunately, the German law foresees only monetary and no other type of compensation. However, I was given the opportunity in court to ask for something else. I asked for an apology and the president of the FSFE refused. Why am I writing all this? Because I want to expose the hypocrisy and double standards in FSFE leadership. How the organisation “promoting” transparency, equality and inclusivity treats employees and more specifically women. How donations are spent on nurturing Matthias' grandiosity. Because, let's be honest, to how many male employees' homes would he appear uninvited after being cautioned by a lawyer not to do so? I remain committed to open infrastructure and free software, and I know the community extends beyond the FSFE Berlin office, where Matthias reigns supreme with the support of his FSFE Board employees. I of course also hope that the advocacy arm of the European free software movement will eventually also reflect the diversity, friendship and equality that I continue to find in the movement as such. Finally, I want to thank those of my hacker friends who showed up in person at my final court hearing and those whose priceless support remained in spite of physical distance. Your presence made it so much more bearable, and reminded me that it is not the sour apples of the FSFE offices that make our community, but the many people around them who continue to commit themselves and their skills to a better tomorrow.

  

   

  Read more about the FSFE misfits usurping the name of Dr Richard Stallman's FSF.

October 21, 2025

• Fedora Community Blog Forging Fedora’s Future with Forgejo

  We in the CLE team and wider Fedora infra space have been talking about the future of Fedora’s development infrastructure for a while. Now it is starting to take shape, as Ryan outlined in the soft launch blog post: Both staging and production Forgejo instances are up and running in the RDU3 datacenter. That means the work of moving away from pagure.io is no longer theoretical. It is happening.

  If you have a project on Pagure, you can already open a migration ticket, as described in the Forge documentation, and we will help you move it over. But this is not just about swapping one forge for another. Forgejo gives us a chance to modernize some of the core parts of Fedora’s packaging workflows, such as how we handle ownership, where we store artifacts, and how we integrate automation.

  Let us take a closer look.

  Automation, Actions, and CI

  One of the first questions we hear is: What about CI/CD?

  Forgejo upstream recommends Woodpecker/Raven, which are full CI/CD systems. These are powerful, but they are also heavy and expensive to maintain. Fedora is going to take a different approach.

  We are focusing on Forgejo Actions, which are somehow API compatible with GitHub Actions(It is not a 1:1 replacement).

  This allows contributors to:

  • Automate ticket and pull request workflows
    
  • Run small repo-local tasks such as linting, simple checks, or doc generation.
    
  • Trigger jobs in external services like COPR or Jenkins
    

  For those who want to run heavy workloads, such as large test suites or extensive CI pipelines. You can connect your own self-hosted runners, while the shared Fedora infrastructure will stay lightweight, stable, and dependable. The CLE team won’t provide resources within Fedora’s Forgejo infrastructure.

  Rethinking Dist-Git

  There was an engaging discussion about dist-git at this year’s Flock, and one message came through clearly: as we move forward, we should take the opportunity to improve the model rather than simply replicate it. The conversation focused on three key areas: package ownership, artifact storage, and Packit integration.

  Modernizing Access Control and Contribution Workflows

  A central theme of our discussion was how we manage permissions and contributions in a way that is both secure and efficient. The goal is to leverage Forgejo’s powerful features to refine our processes.

  Key takeaways include:

  •  A Shift to Merge Requests: There is strong momentum to make Merge Requests (MRs) the default contribution method for everyone. This “review-first” approach ensures that all changes to our packages benefit from peer review, improving code quality and stability.

  • Redefining the “Proven Packager” Role: We recognize the immense value and trust placed in our Proven Packagers. Instead of a direct-push model, we are exploring how this role can evolve within a merge-request workflow. A formal policy proposal for this is already being drafted.

  • Hardening Our Security: There was a unanimous agreement to enforce “hard rules” against rewriting git history. Force pushes to primary branches will be disabled across the board to protect the integrity of our repositories.

  • Granular Permissions: Forgejo will allow us to set fine-grained permissions for different actions. We plan to separate the ability to change package content from the ability to change repository configuration, adding another layer of security.

  Right now, all Fedora packages officially belong to the Fedora Project, but the daily reality is a patchwork of individual maintainers and teams. This works, but it leaves gaps.

  • Permissions are all or nothing. You either have commit rights or you do not.
    
  • It is not always clear who is responsible for a package at any given time.
    
  • Onboarding new maintainers or transferring ownership when someone steps back is often manual and slow.
    
  • Critical packages such as toolchains affect the whole distribution, but our ownership model does not reflect that impact.
    

  Forgejo lets us improve this. With its more flexible permissions, we can introduce roles such as maintainer, co-maintainer, or limited contributor. Groups can own packages as first-class entities. 

  Artifact storage

  Today, the package build process relies on the Lookaside Cache. It is simple, but it is also dated. It struggles with very large artifacts, it separates code and artifacts, and it does not integrate well with modern workflows.

  Several options are on the table:

  • Using git lfs: An industry-standard solution for storing large files in Git. While it integrates cleanly with Forgejo, it’s not compatible with mirroring infrastructure.
  • Leveraging Forgejo’s Package Registry: We could repurpose Forgejo’s built-in registry to store source tarballs. While it sounds wonderful to solve all the problems with one tool. We would be misusing the feature and need to maintain compatibility.
  • A Radically Simpler Approach: Some suggested moving away from a separate cache entirely, embracing a “source git” model where we work directly with forks of upstream projects.

  This is a complex decision with long-term implications. No decision has been made yet. We are committed to a transparent process and will submit a formal Change Proposal to the Fedora Engineering Steering Committee (FESCo) before any major architectural change is implemented, ensuring the entire community can weigh in.

  Packit integration

  Packit is essential for connecting upstream projects to Fedora packaging. It automates updates, tests, and workflows that save maintainers huge amounts of time.

  On Pagure, Packit integration was always custom. On GitHub and GitLab, it is native. This gap created extra work and sometimes rougher edges for Fedora contributors.

  The Packit team already prototyped Forgejo support during Google Summer of Code. The service is called Avant, and it’s in our sights as one of the first integration testing areas in staging deployment.

    The next steps are:

  • Deploy Forgejo in staging and provide Packit with a service account
    
  • Collect feedback from maintainers on real workflows.
    
  • Reach feature parity with GitHub and GitLab support.

  The long-term goal is clear. Packit in Forgejo should feel natural and seamless, not bolted on.

  Konflux Integration

  Some of Fedora’s container builds run through Konflux. Right now, Konflux only supports GitHub and GitLab. To make it work with Forgejo, we built a workaround that mirrors repositories into GitHub. It works, but it is fragile and wasteful.

  The better solution is native Forgejo integration. That means upstream changes in Konflux, secure authentication, and removing the mirroring step entirely. Until then, the GitHub workaround will stay in place, but long-term, the focus is on a direct, reliable path.

  Building a Compatibility Bridge

  A migration like this cannot happen overnight. We need to keep workflows running while the move happens. To do this, we are building a compatibility bridge.

  The bridge includes:

  • A metaservice that translates Pagure-style API calls into Forgejo’s API
    
  • New artifact storage, currently in the Lookaside Cache
    
  • A phased rollout: first internal scripts, then external tools, and finally contributor-facing workflows
    
  • Incremental testing in staging before production cutovers

  The goal is continuity. Contributors should be able to keep working while the infrastructure gradually changes behind the scenes.

  Tooling Compatibility

  Fedora’s ecosystem depends on many tools that integrate with dist-git. Each needs some level of adjustment.

  • Bodhi will need to adapt to the new repository metadata.
    
  • COPR will need changes to fetch SRPMs directly from Forgejo
    
  • Packit integration is a priority and is being developed in parallel.
    
  • Fedpkg and release engineering scripts will be updated first since they are under Fedora control.
    
  • CI systems, Anitya, Toddlers, Notifications, Monitor Gating, and others will need targeted updates to remove assumptions about Pagure.

  The approach is simple. During the transition, a compatibility layer keeps these tools running. Once Forgejo support is mature, the tools can be updated to use Forgejo directly.

  What is Next

  This migration is not just an infrastructure swap. It is a chance to fix long-standing pain points, simplify workflows, and make Fedora’s packaging system stronger for the future.

  By the end of the Year, I expect us to be able to:

  • Have runners and actions in production
  • Move about 80% of non-source projects to forge.fp.o

  Nice to have:

  • Some outcomes from Package ownership and Artifact storage discussions
  • Staging deployment of Forgejo, let’s temporarily call it “packagers’ forge” 
  • Staging environments for Packit and Actions of the packagers’ forge deployment
  • Roadmaps for Konflux and the compatibility bridge

  Fedora thrives on collaboration. Forgejo is our next step toward a modern, maintainable, and community-driven development platform.

  Join us in shaping it together, try the staging environment, file migration ticket, and share your feedback in our matrix channel for ideas and discussion, use the git-forge-future tag.

  The post Forging Fedora’s Future with Forgejo appeared first on Fedora Community Blog.

• Josef Strzibny devise-otp 2.0 released

  The OTP plugin for Devise I help to maintain goes 2.0 this week. Here is what’s new and how to upgrade.

  What’s new

  We tried to address a couple of things in this release, mainly support for lockable strategy, improving locale files, and fixing Hotwire and Remember me support. On top we refactored some code, cleaned up ERB views, and added Rubocop and linting.

  Most of these things are self-descriptive but it might be important to note that the devise-otp shares failed login counter with lockable for now. In a way, a login failure is a login failure at the end of the day.

  We also have some breaking changes that warrant the big version bump. Laney Stroup refactored browser persistance to be a dedicated controller and while standardizing browser persistance routes moved actions to be HTML buttons.

  Upgrading

  1. Regenerate the controller and views if you use custom ones:

      rails g devise_otp:controllers
      rails g devise_otp:views
     

     Note that the browser persistence controls now use button_to, rather than link_to.

  2. Update locales file

     Move any *_persistence keys from devise.otp.otp_tokens to devise.otp.otp_persistence

  And that should be it! Please file an issue if you found one.

October 20, 2025

• Matthew Garrett Where are we on X Chat security?

  AWS had an outage today and Signal was unavailable for some users for a while. This has confused some people, including Elon Musk, who are concerned that having a dependency on AWS means that Signal could somehow be compromised by anyone with sufficient influence over AWS (it can't). Which means we're back to the richest man in the world recommending his own "X Chat", saying The messages are fully encrypted with no advertising hooks or strange “AWS dependencies” such that I can’t read your messages even if someone put a gun to my head.
  
  Elon is either uninformed about his own product, lying, or both.
  
  As I wrote back in June, X Chat genuinely end-to-end encrypted, but ownership of the keys is complicated. The encryption key is stored using the Juicebox protocol, sharded between multiple backends. Two of these are asserted to be HSM backed - a discussion of the commissioning ceremony was recently posted here. I have not watched the almost 7 hours of video to verify that this was performed correctly, and I also haven't been able to verify that the public keys included in the post were the keys generated during the ceremony, although that may be down to me just not finding the appropriate point in the video (sorry, Twitter's video hosting doesn't appear to have any skip feature and would frequently just sit spinning if I tried to seek to far and I should probably just download them and figure it out but I'm not doing that now). With enough effort it would probably also have been possible to fake the entire thing - I have no reason to believe that this has happened, but it's not externally verifiable.
  
  But let's assume these published public keys are legitimately the ones used in the HSM Juicebox realms[1] and that everything was done correctly. Does that prevent Elon from obtaining your key and decrypting your messages? No.
  
  On startup, the X Chat client makes an API call called GetPublicKeysResult, and the public keys of the realms are returned. Right now when I make that call I get the public keys listed above, so there's at least some indication that I'm going to be communicating with actual HSMs. But what if that API call returned different keys? Could Elon stick a proxy in front of the HSMs and grab a cleartext portion of the key shards? Yes, he absolutely could, and then he'd be able to decrypt your messages.
  
  (I will accept that there is a plausible argument that Elon is telling the truth in that even if you held a gun to his head he's not smart enough to be able to do this himself, but that'd be true even if there were no security whatsoever, so it still says nothing about the security of his product)
  
  The solution to this is remote attestation - a process where the device you're speaking to proves its identity to you. In theory the endpoint could attest that it's an HSM running this specific code, and we could look at the Juicebox repo and verify that it's that code and hasn't been tampered with, and then we'd know that our communication channel was secure. Elon hasn't done that, despite it being table stakes for this sort of thing (Signal uses remote attestation to verify the enclave code used for private contact discovery, for instance, which ensures that the client will refuse to hand over any data until it's verified the identity and state of the enclave). There's no excuse whatsoever to build a new end-to-end encrypted messenger which relies on a network service for security without providing a trustworthy mechanism to verify you're speaking to the real service.
  
  We know how to do this properly. We have done for years. Launching without it is unforgivable.
  
  [1] There are three Juicebox realms overall, one of which doesn't appear to use HSMs, but you need at least two in order to obtain the key so at least part of the key will always be held in HSMs
  
  comments

• Fedora fans شبیه‌سازی آسمان شب با نرم افزار KStars

  

  KStars یک نرم‌افزار متن‌باز و رایگان از جامعه KDE است که به عنوان یک «پلانتاریوم دسکتاپ» (نرم‌افزار شبیه‌سازی آسمان شب) برای علاقه‌مندان به نجوم، دانشجویان، اساتید و منجمان آماتور طراحی شده است. این نرم‌افزار امکان شبیه‌سازی دقیق آسمان شب را برای هر نقطه روی زمین، در هر تاریخ و زمان دلخواه فراهم می‌کند. در نمایش […]

  The post شبیه‌سازی آسمان شب با نرم افزار KStars first appeared on طرفداران فدورا.

• Josef Strzibny InvoicePrinter 2.5 with QR images and Ruby 3.4 support

  Today I released a new version of InvoicePrinter, my Ruby library for generating PDF invoices. Here’s what’s new.

  New features

  I finally implemented last feature I had in mind, QR code images. I decided not to add dependencies and keep it as a simple image, although we could consider a built-in feature later on.

  To add a QR code, simply point to your QR image path:

  invoice = InvoicePrinter::Document.new(
    number: 'NO. 202500000001',
    provider_name: 'John White',
    provider_lines: provider_address,
    purchaser_name: 'Will Black',
    purchaser_lines: purchaser_address,
    issue_date: '10/20/2025',
    due_date: '11/03/2025',
    total: '$ 900',
    bank_account_number: '156546546465',
    description: "Invoice with QR image example.",
    items: [],
    note: "Scan the QR code for payment or details."
  )
  
  qr_path = File.expand_path('../qr.png', __FILE__)
  
  InvoicePrinter.print(
    document: invoice,
    qr: qr_path,
    file_name: 'qr_invoice.pdf'
  )
  

  The QR code will always appear bottom right, above any notes if they exist.

  Ruby support

  InvoicePrinter got Ruby 3.4 support. It currently supports Rubies from 3.1 to 3.4. We are staying with current Prawn version due to a circular dependency.

  New contributors

  Simon Neutert was a new contributor in this release, thanks Simon!

October 19, 2025

• Jon Chiappetta Split VPN Tunnelling and Routing Based on Packet Protocol and Port for Improved Network Performance and App Compatibility

  So I’ve been running a highly modified version of OpenVPN and speed and performance have been pretty good overall, however, I noticed that some very few apps would use a custom UDP based API call for data transfer (Ring live video app) and the video would appear very choppy and blurry. I suspected this is because the multi-threaded version of OpenVPN does not preserve UDP packet ordering (whereas UDP protocols like QUIC seem to be more advanced and capable).

  I am now experimenting with a solution to this issue by running two VPN tunnels at the same time, one is bulk-mode-multi-threaded for the majority of smart protocols and data and the second is bulk-mode-single-threaded for some of the simpler UDP protocols that assume a specific order of packets arriving from a server or service. This technique requires use of iptables mangle packet marking as well as ip rule mark setting with additional routing table rules.

  

• Guillaume Kulakowski SeedboxSync s’agrandit : introduction du frontend web

  Le projet SeedboxSync, qui a fêté ses 10 ans cette année, continue de grandir. Jusqu’à présent, SeedboxSync n’était qu’un simple client CLI. Il y a dix ans, il faisait le strict minimum en Python 2. Puis il a été migré vers Python 3 et entièrement refondu avec Cement, un framework léger spécialisé dans les applications […]

  Cet article SeedboxSync s’agrandit : introduction du frontend web est apparu en premier sur Guillaume Kulakowski's blog.

October 18, 2025

• Kevin Fenzi infra weekly recap: mid October 2025

  

  Another saturday recap of the last week for me in fedora infra.

  Timeout issue

  The timeout issue ( https://pagure.io/fedora-infrastructure/issue/12814 ) has sucked up the vast majority of my time this week. A fix/cause continues to elude me. I've come up with a bunch of theories, but they are always proven wrong.

  So, in an attempt to at least get more datapoints, I brought out a bigger hammer: I reinstalled a proxy with Fedora 43 (yes, I know it's not out yet but it's very close to being out, I've been running it fine on my servers at home for a while, etc). This did provide some more data, but no solution.

  Next, I reinstalled a virthost / hypervisor that that proxy was on with rhel10. Most of our hypervisors are currently rhel9, but we planned to move them to rhel10 after f43 was out. This went mostly fine, but also didn't solve anything in the end.

  I'll keep trying to figure it out, thanks for everyone's patience.

  Fedora 43 news

  We have a RC now (it's rc-1.4 for reasons), but it wasn't fixing all the blockers on thursday, so we were no go for a release next week. Please do help out testing the rc and filing bugs you hit. Always appreciated.

  More power for copr

  As part of our datacenter move, we moved our primary ppc64le builders over to new power10 hardware, which left us some power9 capacity we could repurpose to copr builders.

  I did a fair bit of work on getting those setup over the last week, and hopefully can finish that off next week. Need to reinstall them again and tweak a few things and then the copr team can get them added. Hopefully that will help out builds there.

  RDU2-CC to RDU3 Datacenter move

  Not too much to report on this. However, the new copr power9's are in the new vlan in rdu3 that we will be using for the other items migrating, so we know things are working for those later moves.

  comments? additions? reactions?

  As always, comment on mastodon: https://fosstodon.org/@nirik/115396902676137040

October 17, 2025

• Remi Collet 📝 Valkey version 9.0

  With version 7.4 Redis Labs choose to switch to RSALv2 and SSPLv1 licenses, so leaving the OpenSource World.

  Most linux distributions choose to drop it from their repositories. Various forks exist and Valkey seems a serious one and was chosen as a replacement. 

  So starting with Fedora 41 or Entreprise Linux 10 (CentOS, RHEL, AlmaLinux, RockyLinux...) redis is no more available, but valkey is.

  With version 8.0 Redis Labs choose to switch to AGPLv3 license, and so is back as an OpenSource project, but lot of users already switch and want to keep valkey.

  RPMs of Valkey version 9.0 are available in the remi-modular repository for Fedora ≥ 41 and Enterprise Linux ≥ 8 (RHEL, Alma, CentOS, Rocky...).

   

  So you now have the choice between Redis and Valkey.

  1. Installation

  Packages are available in the valkey:remi-9.0 module stream.

  1.1. Using dnf4 on Enterprise Linux

  # dnf install https://rpms.remirepo.net/enterprise/remi-release-<ver>.rpm
  # dnf module switch-to valkey:remi-9.0/common

  1.2. Using dnf5 on Fedora

  # dnf install https://rpms.remirepo.net/fedora/remi-release-<ver>.rpm
  # dnf module reset  valkey
  # dnf module enable valkey:remi-9.0
  # dnf install valkey

  The valkey-compat-redis compatibility package is not available in this stream. If you need the Redis commands, you can install the redis package.

  2. Modules

  Some optional modules are also available:

  • valkey-bloom (Fedora and EL ≥ 9)
  • valkey-json
  • valkey-ldap (Fedora and EL ≥ 9)
  • valkey-rdma
  • valkey-search (Fedora)
  • valkey-tls

  These packages are weak dependencies of Valkey, so they are installed by default (if install_weak_deps is not disabled in the dnf configuration).

  The Modules are automatically loaded after installation and service (re)start.

  3. Future

  Valkey also provides a set of modules, which may be submitted for the Fedora official repository.

  Redis may be proposed for reintegration and return to the Fedora official repository, by me if I find enough motivation and energy, or by someone else.

  So users will have the choice and can even use both.

  ℹ️ Notices:

  • Enterprise Linux 10.0 and Fedora ≤ 42 have Valley 8.0 in their repository
  • Fedora 43 will have Valkey 8.1
  • Fedora 44 will have Valkey 9.0
  • CentOS Stream 9 also has valley 8.0, so it should be part of EL-9.7.

  4. Statistics

  valkey

• Fedora Community Blog Infra and RelEng Update – Week 42

  This is a weekly report from the I&R (Infrastructure & Release Engineering) Team. We provide you both infographic and text version of the weekly report. If you just want to quickly look at what we did, just look at the infographic. If you are interested in more in depth details look below the infographic.

  Week: Oct 13 – Oct 17 2025

  Infrastructure & Release Engineering

  The purpose of this team is to take care of day to day business regarding CentOS and Fedora Infrastructure and Fedora release engineering work.
  It’s responsible for services running in Fedora and CentOS infrastructure and preparing things for the new Fedora release (mirrors, mass branching, new namespaces etc.).
  List of planned/in-progress issues

  

  Fedora Infra

  • Application is not available: languages.fedoraproject.org
  • Not receiving mail from users@lists.fedoraproject.org
  • net::ERR_CERT_COMMON_NAME_INVALID when accessing https://zlopez.id.stg.fedoraproject.org/
  • Need to delete user account in FAS that has been already deleted in Discourse (discussion.fedoraproject.org) due to violations (spam, AI, etc.)

  CentOS Infra including CentOS CI

  • Move internal RDU2 mirror to different host (DC move swap)
  • mirror-request
  • Gitlab.com OSS program renewal
  • Init RDU3 env in Ansible Inventory
  • Init new x86_64 Dell Servers in rdu3 DC
  • Fix epel10 external repo for RHEL build tags

  Release Engineering

  • Package gap-pkg-smallclassnr not in list for tag f44-updates-candidate
  • Stalled EPEL package: python-croniter
  • Stalled EPEL package: pyflakes
  • Please unretire python-yattag
  • Unretire python-avocado
  • Unable to build new package rust-zlink-core in rawhide
  • Can’t orphan golang-github-rasky-xdr
  • Please manually block golang-github-anacrolix-log in rawhide
  • Fedora 43 Final Freeze
  • Unorphan whereami
  • Please remove branch org-kde from kf6
  • Implement Scripts Directory Restructuring — Part 2/2 (per #12935)
  • Restructure scripts directory for better organization and maintainability
  • F43 stable push requests
  • Add ELN to the set of packages to be re-signed at each Branch

  If you have any questions or feedback, please respond to this report or contact us on #admin:fedoraproject.org channel on matrix.

  The post Infra and RelEng Update – Week 42 appeared first on Fedora Community Blog.

October 16, 2025

• Swiss JuristGate Mathieu Parreaux claims FINMA knew since day one

  In an extraordinary final LinkedIn post about the closure of his illegal legal insurance venture, the founder, Mathieu Parreaux claimed the Swiss financial regulator, FINMA, was aware of his business since the very beginning of the partnership structure in 2018. In other words, he alleges FINMA knew about it for five years.

  To clarify, Mathieu Parreaux had originally created the business using the name Parreaux & Associés in October 2016. This name appears on LinkedIn but it was not in the business register. In 2018, he recruited the business partner Francois Thiébaud and formed the new entity Parreaux, Thiébaud SNC approximately eight weeks after Thiébaud had closed his previous business, a massage parlour in Le Locle.

  LinkedIn alleges that Parreaux's final post has been edited a number of times. I attach a screenshot taken on 7 October 2025.

  In paragraph five, Parreaux has written "After five years of discussions", implying that FINMA has been aware of his business and discussing it with him for five years.

  My understanding of financial services is that anybody who wants to operate an investment or insurance scheme needs to obtain their licenses and permits before accepting the first payment from a customer. But I am not a jurist like Mathieu Parreaux, so what would I know?

  Parreaux confirms that 20,000 clients were impacted. He claims that the government doesn't care about the clients, which included my own business the Software Freedom Institute.

  He claims to care about the interests of clients and offers to "support them until the end, at our own expense". He does not share any financial information about assets and running costs of the business so we can not determine whether this proposition was credible or not.

  Then again, FINMA only published their side of the story more than six months later, they redacted over ninety percent of paragraphs and they even redacted the dates and company names from the judgment. Therefore, the information that was eventually disclosed from FINMA is not sufficient for anybody to know who is right and who is wrong.

  Here is a translation of Parreaux's final LinkedIn post in English:

  The inside story of a true scandal... Here is the story of a Swiss man currently shocked by a country he loves with all his heart.

  For five years, through Justicia SA, we have been offering a legal product that democratizes access to the law. The concept is simple: you pay a legal subscription of a few hundred francs on average, and our firm's services are available to you without any additional charges or service exclusions.

  A mini-revolution for the legal field and the billing method.

  A huge revolution for the legal insurance sector, which we have tackled head-on.

  After five years of discussions, FINMA sent us a letter containing a decision to immediately close our company because it deemed us to be an insurance company and that we did not comply with certain conditions related to this activity.

  While this is perfectly conceivable, FINMA gives us no deadline to comply with these conditions. Incredibly, FINMA also removes any suspensive effect on any legal action.

  This means they're deciding that their decision is immediate, and that even if we win an appeal in two years, everything will have been reduced to dust, leaving us with nothing but a possible "Sorry, guys! You can start all over again."

  It gets even worse. The approximately 20,000 clients we currently represent are left without assistance. With a complete shutdown of our business, our government doesn't care about these thousands of clients who are currently in need.

  A profoundly humane choice would have been, at the very least, to order a closure in a year, at the end of the clients' contractual period, so that we could support them until the end, at our own expense.

  We are dealing with a total disregard not only for innovative companies, but also for individuals who need our assistance.

  When we weigh these facts against our state's tolerance for companies that are rotten to the core, one thing stands out: in our democracy, the rotten giants will always fare better than the innovative little ones.

  Despite these events, this allows us to fill the gaps that existed. With our motivation, our determination, and our influential partners, we will return.

  We will return. More numerous. More motivated. Stronger.

  

• Fedora Community Blog OSCAFEST’25 & CHAOSS’25 Lagos, Nigeria

  It’s been over a week since I attended OSCAFest 2025 and CHAOSScon Africa 2025, the experience from both gatherings have left lasting impressions and memorable moments on me. All located in Lagos, Nigeria, it was a week-long activity attending CHAOSScon Africa 2025 on the 13th and OSCAFest 2025 on the 15th – 16th of August. 

  CHAOSS, which is dedicated to creating metrics and analytics to measure the health and sustainability of open-source projects, this time served as an insightful and educational conference. Its sessions dove deep into topics of inclusion, building open-source communities and the discerning business value of open source.

  Being involved in The Fedora Project helped me recognize the significant creative value that upstream open source projects contribute to commercial software. Brian Proffitt (Red Hat) talk on the “Metrics and the Business of Open Source” revealed  “The Value and Freedom of Creativity” in the Red Hat’’s approach to open source.

  

  

  On August 15th, I joined the OSCAFest train, experiencing the biggest open-source festival in Africa. The event attracted a diverse range of attendees, including developers, designers, and enthusiasts, with a little under a thousand people in attendance. There were so many talk sessions spread across five different rooms that I occasionally had to move from room to room to attend the ones I was interested in. At OSCAFest, the focus was on enabling growth through open source and inspiring attendees with mentorship-driven talks.

  

  

  Overall, I had a great time at both events as a Fedora ambassador. I made new friends, connected with people about the Fedora community, and onboarded some potential new contributors to The Fedora Project. Being part of both events as an ambassador creates a pathway for greater visibility of The Fedora Project and our incredible community. It’s a strong start to establishing a larger regional community of contributors and enthusiasts from Africa.

  

  

  I shared some additional event highlights on my Twitter/X handle (see tweet 1 and tweet 2). One key takeaway was a noticeable difficulty in the onboarding process, while I aimed to recruit new Fedora contributors, I found that Element Chat, our primary community platform, was unfamiliar to many attendees. I frequently received questions about whether we used platforms like Discord or Slack, which often halted conversations. This was a clear indication that for future event outreach, adopting a more popular, regionally familiar platform could serve as a better first line of onboarding, attracting and retaining an audience until they are ready to progressively move to our stable platforms.

  I look forward to attending these events again, with the hope of speaking to the audience and further promoting our great community.

  The post OSCAFEST’25 & CHAOSS’25 Lagos, Nigeria appeared first on Fedora Community Blog.

• Adam Young Self hosting and installing from pip repos

  I have an application that I want to share with my team. Fortunately, we have a shared server, so it is pretty easy to do so: if I put a file in /usr/local/bin it can A) be executed by anyone on the server and B) will not interfere with RPM packages. But, I do potentially want to put this code on other machines as well, so I am going to buld it as a pip package, upload it to a team repo (apache HTTPD instance on this machine) and then install it from pip as root.

  Building the package from the git repo that holds the python code:

  python -m build

  This, of course, assumes I have a properly set up pyproject.toml file.

  One key entry is the scripts part at the end:

  [project.scripts]
  ampup = "ampup:main"

  Running this command puts the package in dist. To upload it I run:

  pip2pi  /var/www/html/pypi/   -r requirements.txt -r  dist/*.whl

  Since this is a default Apache install, I cheated a little bit with permissions: my whole team is in the kernelos group, and I made the directory executable and group writiable, and set its group to kernelos. That lets me publish to it.

  Also, I have to upload something that is built in a gitlab repo, and posted to a pip repo hosted on gitlab. So

  export PIP_INDEX_URL=https://gitlab.com/api/v4/projects/abignumber/packages/pypi/simple

  Once it is uploaded, I sudo su to root and

  export PIP_INDEX_URL=http://localhost/pypi/simple
  pip install ampup
  

  And now

  # which ampup
  /usr/local/bin/ampup
  

  There is still something wrong with the script generation, which I have fixed by hand. I will update when I figure it out.

October 15, 2025

• Cockpit Project Cockpit 349

  Cockpit is the modern Linux admin interface. We release regularly.

  Here are the release notes from Cockpit 349, and cockpit-podman 115:

  Package manifests: Add any test

  Package manifests can have a list of conditions. Cockpit will only consider the package if all conditions are met. This release introduces an operator for alternative checks in a condition, for example

  "conditions": [
      {"any": [{"path-exists": "…/packagekit.service"}, {"path-exists": "…/dnfdaemon.service"}]}
  ]
  

  That condition will be true if at least one of its subconditions matches.

  List stopped quadlets

  Quadlets are a declarative way to define podman pods/containers using systemd-like configuration files. These podman containers/pods are ephemeral and previously disappeared from cockpit-podman when stopped.

  With this release, cockpit-podman can now detect stopped quadlets on the system for the logged in user and superuser. The quadlets are shown as normal “inactive” pods/containers. In the future, lifecycle actions such as start/stop/restart will be added.

  

  Try it out

  Cockpit 349, cockpit-podman 115, cockpit-files 30, cockpit-machines 342, and cockpit-ostree 216 are available now:

  • For your Linux system

  • Cockpit Client

  • Cockpit Source Tarball
  • Cockpit Fedora 43
  • Cockpit Fedora 42
  • cockpit-podman Source Tarball
  • cockpit-podman Fedora 43
  • cockpit-podman Fedora 42
  • cockpit-files Source Tarball
  • cockpit-files Fedora 43
  • cockpit-files Fedora 42
  • cockpit-machines Source Tarball
  • cockpit-machines Fedora 43
  • cockpit-machines Fedora 42
  • cockpit-ostree Source Tarball
  • cockpit-ostree Fedora 43
  • cockpit-ostree Fedora 42

October 14, 2025

• Fedora Community Blog Packit as Fedora dist-git CI: Phase 2 and 3 completed

  Hello Fedora Community,

  We are excited to share an update on the Packit as Fedora dist-git CI change proposal. This initiative aims to transition Fedora dist-git CI to a Packit-based solution, deprecating Fedora CI and Fedora Zuul Tenant. The change affects the triggering and reporting mechanism for tests but does not alter the tests themselves or the test execution service (Testing Farm). The transition is gradual, allowing maintainers to try the integration out, provide feedback and catch issues early. You can read more about the benefits and why we are doing this in the proposal itself.

  What we have and how to use it

  As part of the second and third phases, we have implemented Packit-driven installability checks and custom tests for Fedora dist-git PRs.

  These features are currently opt-in, and maintainers can enable them by adding their projects to our configuration here by creating a pull request.

  Once projects are listed in our packit-service configuration, Packit will automatically run a Koji scratch build and an installability check for every push to a dist-git PR.

  Currently, the installability check executed by Packit is identical to the one performed by Fedora CI. In the future, based on user requests and already collected feedback we may plan to enhance it.

  Additionally, if a project has both a .fmf/version file and a tmt plan defined in the plans directory, Packit will also execute custom tests in Testing Farm and report the results.

  You can see an example of how this feedback appears in this python-specfile example PR or in the screenshots below:

  

  

  Retriggering of all the jobs via pull request comments is also possible now, for details, see the documentation.

  Do you want to know more? Look at our Packit as Fedora dist-git CI documentation.

  Providing feedback & asking questions

  We welcome feedback and questions! For bugs or feature requests, please use this issue tracker. For ideas or suggestions to discuss, feel free to add a discussion topic here. And for any other questions, join us in the #packit:fedora.im channel on Matrix.

  What’s next?

  Transition to the new Packit-based CI as the default mechanism, replacing Fedora CI.

  This transition will require addressing several technical challenges:

  • Deploying the Packit Fedora CI code within the Fedora infrastructure
  • Switching Packit Fedora CI to be run on all other Fedora packages

  We welcome your feedback. If you’d like to contribute toward reaching our final goal, please add your projects to the list of enabled projects for our Fedora CI here. We’re open to suggestions for improvement and appreciate your support. Thank you!

  Recap of the plan 

  • Phase 1 (Completed): Introduce scratch builds for Fedora dist-git PRs (opt-in).
  • Phase 2 (Completed): Implement installability checks (opt-in).
  • Phase 3 (Completed): Implement support for user-defined TMT tests (opt-in). 
  • Final Phase (Next step): Transition to the new Packit-based CI as the default mechanism, replacing Fedora CI.

  You can also check our tasklist in this issue.

  Final phase targets Fedora Linux 44

  The original plan was to do the switch during the Fedora Linux 43 cycle, but most of the Packit team members are temporarily focusing on another project. We promised to provide an actively maintained CI solution for Fedora dist-git, so we would rather postpone the default change by one Fedora cycle to ensure we have the capacity to implement the change properly. However, the current Packit workflows are still supported, including the opt-in approach to Fedora dist-git CI. This means you have more time to try it and provide feedback, and we can deliver a more polished solution when it becomes the default for everyone.

  We appreciate your support and look forward to your feedback!

  Best, the Packit team

  The post Packit as Fedora dist-git CI: Phase 2 and 3 completed appeared first on Fedora Community Blog.

• Adam Young function tracing mctp-pcc

  While it is tempting to use printk or pr_info when coding in order to trace function in the Linux kernel calls, it turns out that there os a; ready a utility to simplify that. Here are the steps I used to enable ftrace for mcpt-pcc and figuring out where a function call stack ended (in the middle of a debugging session where I had broken it)

  mount -t tracefs nodev /sys/kernel/tracing
  echo pcc_mbox* > /sys/kernel/tracing/set_ftrace_filter 
  echo mctp_pcc* >> /sys/kernel/tracing/set_ftrace_filter 
  echo function > /sys/kernel/tracing/current_tracer
  

  This is what I saw in the output

  cat /sys/kernel/tracing/trace
  # tracer: function
  #
  # entries-in-buffer/entries-written: 6/6   #P:192
  #
  #                                _-----=> irqs-off/BH-disabled
  #                               / _----=> need-resched
  #                              | / _---=> hardirq/softirq
  #                              || / _--=> preempt-depth
  #                              ||| / _-=> migrate-disable
  #                              |||| /     delay
  #           TASK-PID     CPU#  |||||  TIMESTAMP  FUNCTION
  #              | |         |   |||||     |         |
              mctp-3982    [007] .....   895.668105: mctp_pcc_ndo_open <-__dev_open
              mctp-3982    [007] .....   895.668106: pcc_mbox_request_channel <-mctp_pcc_ndo_open
              mctp-3982    [007] .....   895.668139: pcc_mbox_request_channel <-mctp_pcc_ndo_open
       mctp-client-3984    [010] b..1.   895.671158: mctp_pcc_tx <-dev_hard_start_xmit
       mctp-client-3984    [010] D..2.   895.671160: mctp_pcc_tx_prepare <-msg_submit
       mctp-client-3984    [010] D..2.   895.671160: pcc_mbox_write_to_buffer <-mctp_pcc_tx_prepare

October 12, 2025

• Swiss JuristGate Mathieu Elias Parreaux declared bankrupt in Switzerland

  In December 2023, the bankruptcy procedure was started against Mathieu Elias Parreaux.

  This is a procedure for the bankruptcy of Mr Parreaux in a personal capacity. His business had already been liquidated prior to this.

  The Swiss gazette published a provisional alert.

  In April 2024, the gazette contained a call to creditors.

  In June 2024, the gazette announced they had completed an inventory of assets and a plan for dividing the assets between creditors.

  There have been ongoing reports that Mathieu Parreaux is giving people advice about insurance and investments, especially in the crypto market. Anybody obtaining financial advice from Parreaux would be wise to ask him to explain the full circumstances of his own bankruptcy.

  In particular, we need to understand whether Parreaux's businesses failed due to his own mistakes or due to wrongdoing by a third party such as an employee or a key supplier to his business.

  Normally when a business fails, the personal assets of the directors and shareholders are not subject to the business bankruptcy. We need to understand what is different in this case, why was Mr Parreaux placed in bankruptcy in a personal capacity? For example, was he subject to judgments concerning criminal conduct or a civil judgment to compensate third parties?

  Mr Parreaux needs to publish all the documents relating to his bankrupcty, including all the judgments and decisions from FINMA and the debt collection office.

  Mr Parreaux's businesses have included a number of people who appear to be close colleagues and family members. The possible family members with the name Parreaux are Arnaud Parreaux, Marla Sofia Parreaux, Didier Parreaux and Hodan Parreaux-Hussein.

  Naturally, creditors would like to know if any of the family members or friends have received salary payments or other benefits that could represent a transfer of assets out of the businesses prior to their liquidation.

• Swiss JuristGate Swiss pimp usurping reputation of legendary Tissot boss Francois Thiébaud from France (BaselWorld, SWATCH Group SA)

  Francois Thiébaud was born some time between 1946 and 1947 in France-Compte, a region of the French Jura that borders Switzerland. He completed a law degree at the University of Besancon and an MBA at l'Institut de contrôle de gestion de Paris (a reknowned French business school).

  In 1970, Francois Thiébaud started his career in watchmaking in Morteau, France. Morteau is a scenic village in the Jura mountains approximately thirty kilometers from the Swiss border. Many French people who live in these border towns travel to work in Switzerland every day. In French, these cross-border workers are known as Frontalièrs.

  The quartz crisis rocked the watchmaking industry in the 1970s. In 1979, Monsieur Thiébaud went to work for Swiss company Breitling. He was responsible for positioning the Breitling brand as a watch for aviators, a marketing theme that remains strong today.

  In 1996, Francois Thiébaud was recruited to lead the company Tissot, based in Le Locle, Swiss Jura. In 2000 he became president of the Tissot brand and in 2006 he became a member of the SWATCH Group Executive Management Board.

  Under his tenure, Tissot output increased from 800,000 watches per year to over 4 million watches per year.

  In 2002, the French-born Thiébaud was appointed president of the organizing committee for BaselWorld, the world-reknowned Swiss watch industry expo.

  In 2015, Tissot achieved a major coup when they became timekeeper for America's National Basketball Association, the NBA.

  Francois Thiébaud went to America for the contract-signing.

  

   

  

   

  Thiébaud was interviewed by many media organizations, including Forbes. The journalist prefixes his responses with the initials FT.

  

   

  Swiss business records tell us that in March 2017, in Le Locle, the village everybody knows as the home of Tissot, Francois Thiébaud obtained a business license for a bar and massage parlour trading as El Paraiso at 42 rue Girardet.

  

   

  To find the record, visit the web site of the Swiss government gazette. For some reason, there are two search boxes on the page. One searches all the records before 2 September 2018 while the other box searches for all records after that date. Type the name of Mr Thiébaud and the name of the place, Francois Thiébaud Locle. Here is a screenshot of the search results:

  

   

  

   

  Clicking the name of El Paraiso returns the business registration certificate from 4 April 2017.

  

   

  On 10 May 2017 the news website ArcInfo published a report about Francois Thiébaud complaining that the local authority was selling the building out underneath him. The report emphasizes the use of the building for prostitution and they tell us that Mr Thiébaud is from Vevey which is more than two hours away from Le Locle.

  In December 2017 Thiébaud canceled the business license for El Paraiso.

  In 2018, various news reports appeared telling us that Francois Thiebaud of Vevey had merged his "services business" with the legal practice Parreaux & Associés to form the new business Parreaux, Thiébaud & Partners.

  The news report about prostitution has a note at the bottom in bold. They mention that on 11 June 2018 they decided to redact the name in the report and replace it with the initials F.T., like the news report from Forbes. They are not talking about the same F.T.

  If the journalists at ArcInfo realized Francois Thiébaud from Vevey was usurping the reputation of the French Francois Thiébaud on the board of SWATCH Group, why did the Swiss financial regulator FINMA fail to notice the same phenomena?

  When Francois Thiébaud from Vevey pulled out of the massage business to become the partner in a legal fees insurance firm, who was responsible for the probity checks?

  At the time, Mathieu Parreaux, the other partner in the legal fees insurance business, was still working as the Greffier, with judge-like powers, in a tribunal in Canton Valais. The snapshot of his biography tells us he had previously worked as a KYC (Know-Your-Client) officer at Safra Sarasin and Audi Bank in Geneva. Given this experience, it looks likely he would know his new business partner, Francois Thiébaud from Vevey had previously run a massage parlour usurping the reputation of another prominent businessman. If Parreaux knew all of that and if Francois Thiébaud from Vevey had no prior experience in the legal or insurance industries then we can contemplate the possibility that Mathieu Parreaux only chose this other man as a business partner to continue the tradition of usurping the reputation of the real Francois Thiébaud from France, the world-reknowned president of Tissot.

  Even when Parreaux seemed to know FINMA was about to shut him down in 2023, a new business entity, Justiva SA was created with Francois Thiébaud from Vevey as the company director. They seemed to know that the name Thiébaud was good as gold.

  Whenever you open a new bank account, purchase an insurance policy or take out a loan, the firm asks you to provide all kinds of sensitive documents about your identity and financial history. Behind the scenes, KYC officers like Mathieu Parreaux have access to all those documents and huge databases about all of us. Wouldn't it be creepy if these men were using that data to usurp our identities for their own purposes?

  I can't help remembering the ongoing saga of Matthias Kirschner using the name FSFE to usurp the reputation of the real Dr Richard Stallman and real FSF in Boston.

  By using Francois Thiébaud from Vevey to usurp the reputation of Francois Thiébaud from France, the world-reknowned president of Tissot, the Swiss jurists are doing something that smells like identity theft.

  In fact, because Francois Thiébaud, president of Tissot is really from France, he will always be a Frontalier. He may be one of the most successful Frontaliers in Switzerland. The Swiss jurists have used the reputation of the most successful Frontalier in Switzerland to deceive other Frontaliers to purchase a worthless insurance. Moreover, they even deceived a French woman to quit her job in a real insurance company to come and work for the illegal legal fees insurance in Geneva.

  They tricked all those Frontaliers by using the name of Francois Thiébaud, a French man, the most successful Frontalier.

  In 2019, the Swatch group chose not to participate in BaselWorld, the world's largest watch fair, despite the fact Thiébaud had been president of the BaselWorld committee for 20 years. Was he afraid to go out in public after the other Francois Thiébaud from Vevey had started sullying his reputation?

  Francois Thiébaud of Tissot and BaselWorld is not the same Francois Thiébaud who decided to run a massage parlour in Le Locle. It is a long drive from Vevey to Le Locle. If you were starting your first business, why would you do so in a location so far from your home?

  Another news report appears about the prostitution in 2021. The title tells us that Le Locle is no longer the capital of love for hire (Prostitution: Le Locle n’est plus la capitale des amours tarifées).

  Francois Thiébaud is a French citizen. He grew up very close to the border with Switzerland and dedicated his entire life and career to the watch industry.

  Francois Thiébaud of Vevey is a Swiss citizen. He is a totally different person. It is important to think about why he chose to operate that type of business and why he chose to do so in Le Locle. Was he hoping that anybody searching for his name in Google would be confused by all the news reports about Francois Thiébaud at Tissot? In other words, a Swiss Thiébaud obtaining obscurity for himself by operating in the shadow of the French Thiébaud, a French man who appears to be superior to the Swiss man in every way?

  Can somebody use their own name for identity theft? It is a complicated subject.

  The Swiss Thiébaud decided to move from prostitution into the legal insurance services industry. These are industries that pretend to practice the highest standards of integrity.

  Comparing the business experience and qualifications of Mathieu Parreaux and Francois Thiébaud, we can see that Parreaux had graduated with a law degree and he had worked in a number of legal and banking jobs. At the time when Parreaux and Thiébaud decided to join forces, Parreaux was the greffier for a tribunal in Monthey.

  Did Parreaux enter into the partnership with the more junior Thiébaud for any reason other than to usurp the name and reputation of the French Thiébaud on the board of SWATCH Group?

  More significantly, in early 2023, as FINMA progressed unacceptably slowly in their investigation of Parreaux, Thiébaud & Partners, we can see the partners created a new business entity using only Mr Thiébaud. When FINMA shut down Parreaux, Thiébaud & Partners, Justicia SA in April 2023, the shelf company under Mr Thiébaud was renamed to Justiva SA and began trying to recruit the former clients of the shuttered enterprise.

  Why did FINMA only issue a ban against one partner, Monsieur Parreaux and not both of them? Was FINMA afraid to create a ban order with the name Francois Thiébaud in it because it is the same name as Monsieur Thiébaud at Tissot? Or did FINMA decide not to ban the Swiss Thiébaud because they knew he wasn't really in charge, he was only there for his name?

  The new entity Justiva SA continued operating for another eight or nine months. How could FINMA completely fail to notice it was there? Was FINMA fooled by the name of Francois Thiébaud as a director?

  Parreaux, Thiébaud & Partners deceived Frontalièrs with promises of legal protection that they failed to fulfil. In the one case Arnaud Parreaux took to the federal court, he argued against minimum wages for cross-border workers.

  Just as Swiss jurists exploited the French woman, it appears that Mathieu Parreaux has exploited Francois Thiébaud of Vevey as a puppet to exploit the reputation of the much larger-than-life Monsieur Thiébaud at Tissot & SWATCH Group.

• Swiss JuristGate Arnaud Parreaux lost case defending rogue employer

  Publicity from Parreaux, Thiébaud & Partners claimed the firm works for the underdog. Cross border workers from France, the Frontaliers, are frequently victims of exploitation in Switzerland. The Swiss jurists at Parreaux, Thiébaud & Partners explicitly promised to help Frontaliers.

  Searching records from the Swiss Federal Tribunal, we could only find one case where the name Parreaux is mentioned. The jurist for the case was Arnaud Parreaux, who was listed as a member of the team in Parreaux, Thiébaud & Partners / Justicia SA.

  Reading the judgment, we see that an employer was penalized for underpayment of workers in Geneva. The employer decided to appeal the decision to the Swiss Federal Tribunal. Arnaud Parreaux was not representing the workers, he was representing the employer.

  In other words, their promise to represent Frontaliers was just another lie.

  Moreover, the rogue employer was an insurance sales office with five employees. The employer claimed the employees were really independent agents who were provided with desks where they could come and work for their clients. The canton and the tribunals felt that this arrangement was a sham and the employees had been underpaid by twenty thousand Swiss francs.

  The Swiss Federal Tribunal was not convinced by the arguments of Arnaud Parreaux. He lost the case and the punishment from the cantonal tribunal was upheld by the Federal tribunal.

  Search the judgments of the Swiss Federal Tribunal online.

  In the search box, type the name "parreaux".

  

   

  The result is a single case: 20.03.2024 2C 137/2024: penalty for failure to respect minimum salary. (Amende pour non respect du salaire minimum).

  2C_137/2024

  Arrêt du 20 mars 2024

  IIe Cour de droit public

  Composition
  Mmes et M. les Juges fédéraux
  Aubry Girardin, Présidente,
  Ryter et Kradolfer,
  Greffier : M. Dubey.

  Participants à la procédure
  A.________ Sàrl,
  représentée par Me Arnaud Parreaux, avocat,
  recourante,

  contre

  Service cantonal de l'inspection et des relations du
  travail de la République et du canton de Genève,
  rue des Noirettes 35, 1227 Carouge GE,
  intimé.

  Objet
  Amende pour non respect du salaire minimum,

  recours contre l'arrêt de la Cour de Justice du canton de Genève (2e Section) du 30 janvier 2024 (ATA/117/2024).

  

October 11, 2025

• Kevin Fenzi infra weekly recap: First full week of October 2025

  

  Wow, saturday again!? At least it's fall now (which is the very best season).

  The connection timeout problem

  So, the connection timeout problem that we first really saw last week was back.

  To recap: Sometimes (a very small % of the time) connections from our proxies to kojipkgs backend and pkgs/src backend also, just timeout. This is causing builds to sometimes fail with a 503 error, which is what haproxy returns back to the user when a connection times out.

  The problem was actually worse than I though it was. I thought it only happened when haproxy marked all the backend servers for that service down, but since the issue can seemingly happen anytime, connections haproxy is sending to a server it thinks is up can timeout too.

  It's very frustrating, I can't seem to find a cause, so it's very hard to come up with a solution. I did try a... lot of things with no luck. Finally later in the week I came up with a bandaid for it. This consists of telling haproxy to retry if it gets a retryable error, and if possible try the other backend with the retry. This doesn't fully fix the issue, but it makes it much much much much less likely to happen (at least from the end user viewpoint).

  RDU2-CC to RDU3 datacenter move

  Some progress on the rdu2-cc to rdu3 move later this year:

  • I wrote up desired network acls for the new rdu3 network

  • I got 3 power9s that we are repurposing to do copr builds moved to that new vlan and I'm working on installing them.

  • We are in process of getting a new server that will replace two old ones. That will also allow us to migrate important things on our schedule and with hopefully limited downtime.

  • The current target move date is now December 8th due to various factors.

  Fedora Fourty Three Final Freeze

  Say that 5 times fast. We are in the final freeze for f43. Hopefully it will be a smooth one and we can release on time.

  comments? additions? reactions?

  As always, comment on mastodon: https://fosstodon.org/@nirik/115357338178933176

October 10, 2025

• Rajeesh K Nambiar ICFK2025: Calligraphy festival

  I’m very glad to participate in the 2025 edition of the International Calligraphy Festival of Kerala, and present a talk to a great audience.

  ICFK is organized by KaChaTaThaPa foundation headed by master calligrapher Narayana Bhattathiri. The event usually takes place on 2–5 October in Kochi. Varying talks, workshops, demonstration sessions, exhibitions, and above all meeting and learning from exemplary calligraphers is the best part of the event. The venue always bursts with beauty, energy, and fun; where everyone is approachable.

  

  

  

  

  

  

  

  

  

  Reconnected with old friends and made new friends. Ashok Parab was traveling pan-India and documenting scripts, that lead to teaching scripts — including Malayalam — as well. Abhishek Vardhan is doing research on NÄ�garÄ« script. Syam is doing research on Malayalam calligraphy. They promised to share their findings and public/open resources, which would be very interesting to look at. Vinoth Kumar, Michel D’Anastasio, Nikheel Aphale, Muqtar Ahammed, and Shipra Rohtagi gave me souvenirs — thank you! I had chances for interesting long chats with Uday Kumar (who asked me about Sayahna Foundation after the t-shirt I wore), Achyut Palav, Sarang Kulkarni, Brody Neuenschwander, and also Shyam Patel of Kochi Biennale Foundation.

  On many occasions delegates approached and asked me about font development process, complex text shaping and related topics. It was also too tempting to not buy fountain pens and Bhattathiri’s merchandise on sale, as gift to friends. The dinner with the ICFK team at Boulangerie Art Cafe was delicious. TM Krishna’s carnatic music concert on Saturday evening was a heavenly experience — Krishna Seth sitting next to me was spontaneously drawing on the notebook for the entire duration of the concert.

  For the last edition, I presented a talk about font development, font engineering, complex text shaping, and such back-end tasks that designers generally find difficult. This year, I talked about the ‘Fundamentals of Typography’. I hope the talk succeeded to some extent in making everyone unhappy when they look at a badly typeset page .

  The slides for the presentation are available here.

  rajeesh-kachatathapa-2025Download the slides

• Remi Collet 🎲 PHP version 8.3.27RC1 and 8.4.14RC1

  Release Candidate versions are available in the testing repository for Fedora and Enterprise Linux (RHEL / CentOS / Alma / Rocky and other clones) to allow more people to test them. They are available as Software Collections, for parallel installation, the perfect solution for such tests, and as base packages.

  RPMs of PHP version 8.4.14RC1 are available

  • as base packages in the remi-modular-test for Fedora 41-43 and Enterprise Linux ≥ 8
  • as SCL in remi-test repository

  RPMs of PHP version 8.3.27RC1 are available

  • as base packages in the remi-modular-test for Fedora 41-43 and Enterprise Linux ≥ 8
  • as SCL in remi-test repository

  ℹ️ The packages are available for x86_64 and aarch64.

  ℹ️ PHP version 8.2 is now in security mode only, so no more RC will be released.

  ℹ️ Installation: follow the wizard instructions.

  ℹ️ Announcements:

  • PHP 8.4.14RC1 available for testing
  • PHP 8.3.27RC1 available for testing

  Parallel installation of version 8.4 as Software Collection:

  yum --enablerepo=remi-test install php84

  Parallel installation of version 8.3 as Software Collection:

  yum --enablerepo=remi-test install php83

  Update of system version 8.4:

  dnf module switch-to php:remi-8.4
  dnf --enablerepo=remi-modular-test update php\*

  Update of system version 8.3:

  dnf module switch-to php:remi-8.3
  dnf --enablerepo=remi-modular-test update php\*

  ℹ️ Notice:

  • version 8.5.0RC2 will be soon in Fedora rawhide for QA
  • version 8.5.0RC2 is also available in the repository
  • EL-10 packages are built using RHEL-10.0 and EPEL-10.0
  • EL-9 packages are built using RHEL-9.6
  • EL-8 packages are built using RHEL-8.10
  • oci8 extension uses the RPM of the Oracle Instant Client version 23.9 on x86_64 and aarch64
  • intl extension uses libicu 74.2
  • RC version is usually the same as the final version (no change accepted after RC, exception for security fix).
  • versions 8.3.27 and 8.4.14 are planed for October 23th, in 2 weeks.

  Software Collections (php83, php84)

  

  

  Base packages (php)

  

  

October 08, 2025

• Adam Young Using bpftrace for PCC traffic

  The following command will print a stack trace whenever pcc_send_data is called.
  

  sudo bpftrace -e 'f:pcc_send_data{print(kstack())}'

October 06, 2025

• Fedora fans شرکت در رویداد Hacktoberfest 2025

  

  Hacktoberfest یک رویداد جهانی و سالانه است که هر سال در ماه اکتبر (مهر) برگزار می‌شود و هدف آن تشویق توسعه‌دهندگان به مشارکت در پروژه‌های متن‌باز (Open Source) است. این رویداد از سال۲۰۱۴توسط شرکت DigitalOcean با همکاری GitHub و بعدهاGitLab آغاز شد و اکنون به یکی از بزرگ‌ترین جشن‌های متن‌باز در جهان تبدیل شده است. […]

  The post شرکت در رویداد Hacktoberfest 2025 first appeared on طرفداران فدورا.

• Tomas Tomecek First test of Claude Sonnet 4.5 for an agent that backports a patch for an RPM

  One of the daily tasks we have when developing AI agents is to review their runs. We have to read dozens of decisions so we can evaluate if the agents did the right thing. If not, we have to adjust our user prompts, system prompts, and tools.

  Let’s review how Sonnet 4.5 performs while backporting a complex patch (with multiple conflicts).

  

• Copr Generating dataset from Fedora packaging guidelines

  Recently we have published a dataset of sourced questions and answers about Fedora packaging guidelines to Hugging Face. With the intention of using it to fine tune LLMs.

  In this blog post, I will describe the approach I have taken to generate it. Focusing on matters of prompt construction, and response constraints.

  Question of data

  Fine tuning large language models to behave according to user instruction, requires a very specific structure of training data used. One can not simply take various documents, no matter how well formed or sourced, and use them as targets for training algorithm.

  Doing so, would simply teach the model to reproduce the very same documents, in the best case. Far more probably, the model would produce many variations of the documents given during training. Some are more plausible than others. But all invariably useless.

  Instead we need to provide model with inputs and outputs in the same format that will be present, and expected, during operation. That is, conversation samples. With questions, as if asked by user, and answers, grounded in source documents.

  The question remains, how to accomplish this at scale. Fine tuning, while cheaper than a full training run, does require many thousands of samples for stable results. Creating samples manually, is simply not viable, even under very optimistic assumptions.

  Leveraging LLMs

  The answer lies in using LLMs. Language manipulation is what they were created for, after all. Having LLM generate enough samples is a simple matter of writing a prompt, setting a loop and going for a cup of coffee, or going to sleep. That depends on how many samples you want and what kind of hardware is available.

  But how can we be sure that model will produce samples that are grounded in reality? After all, if the model already possessed the required domain knowledge, what purpose would any fine tuning serve?

  There is also a much more straightforward issue of controlling and parsing the output. The model has to be called many times, and each time the output has to be transformed into a training sample. This process has to be as reliable as possible. Every call costs us money, or time, and we don’t have an infinite supply of either.

  Grounding the LLM

  To ensure that samples produced are grounded in truth, we need to provide a trustworthy source for model to use when generating them. This simplifies the task considerably, as the model is now merely transforming one kind of text into another.

  With a well structured prompt, we can put strong emphasis on the source, lowering the chance of the model producing ungrounded samples considerably.

  System prompt bears the most weight here, priming the model to provide responses we need. Emphasis has to be placed on source of knowledge to be used, and on contents of the output.

  At the same time, restrictions are placed on what must not be included in model responses. Otherwise we may end up with samples that are seemingly reasonable, but providing no domain knowledge.

  Providing an example is another way to improve the quality of the output.

  EXTRACTION_SYSTEM_PROMPT = """
  You are a meticulous AI assistant designed for high-precision information extraction.
  Your primary function is to create specific, fact-based question-and-answer pairs directly from a provided document.
  
  Your task is to adhere to the following strict principles:
  
  1.  **Absolute Grounding:** Every answer you provide MUST be a direct, verbatim quote from the source document. Do not summarize, paraphrase, or infer information.
  2.  **Question Specificity:** Questions must be specific and target concrete details (e.g., names, numbers, locations, reasons, processes, definitions). Avoid overly broad or ambiguous questions that could have multiple interpretations. Questions should target information that is unique to the document.
  3.  **Self-Contained Questions:** A question should be understandable on its own, but the answer must only be verifiable by consulting the provided document.
  4.  **No External Knowledge:** You must operate exclusively on the information within the document. Do not use any prior knowledge.
  5.  **Exclude Metadata:** Do not generate questions about the document's own properties, such as its author, title, filename, publication date, or revision history. Focus exclusively on the subject matter content within the text.
  6.  **Output Format:** Your response will be a single JSON object containing a list of Q&A pairs. Each pair will have three keys: "question", "answer", and "question_topic".
  
  Example of a GOOD question:
  - "What specific percentage of the budget was allocated to research and development in the final quarter?"
  
  Example of a BAD (too vague) question:
  - "What does the document say about the budget?"
  """
  
  

  The source document can be used as part of much less complex, user level, prompt.

  BASE_EXTRACTION_PROMPT = """
  
  Attempt to create as many high quality question / answer pairs from following document as possible.
  Multiple variants of the same question / answer pair are allowed. As long as the meaning remains unchanged
  
  Document:
  '''
  {document}
  '''
  """
  

  These principles are generally applicable to use of LLMs in various scenarios. Although there may be subtle differences in effectiveness of various approaches to prompting between models, the basic idea of stating purpose, setting constraints and providing examples, remains largely unchallenged.

  Structuring model output

  Structured output provides an easy solution to the second problem. It allows users to specify an exact format which the LLM output must follow. This feature has been supported by OpenAI for some time, and it has proliferated among self-hosted, FOSS inference providers, such as vLLM or llama.cpp.

  The format can be specified as a JSON schema. With pydantic, we can create a model, which will provide us with both schema specification, and validation.

  While the set of JSON features supported by different providers differs, and is never complete, it is generally sufficient for most purposes.

  We can specify type and various constraints on fields, such as length or range of values.

  For example, this model sets the structure of a single question/answer pair. This would be one sample in our dataset.

  class QnAPair(BaseModel):
      """Single Q/A pair with topic."""
  
      question: str = Field(description="Question about contents of the document.")
      answer: str = Field(description="Answer to the question")
      question_topic: str = Field(description="Topic of the question.")
  
  

  We can also request multiple samples at the same time. By asking for a list of objects we have already defined.

  class QnAList(BaseModel):
      """List of Q/A pairs."""
  
      questions_and_answers: List[QnAPair] = Field(
          description="List of questions and answers about given document.", min_length=1
      )
      document_topic: str = Field(description="Topic of the document")
  

  But we need more

  It is very unlikely that a single pass through source document would produce all the samples we need. At very least, we are likely to fill the model context at some point. Simply executing the same call repeatedly, could work. But it would be liable to produce multiple samples with almost, or completely, identical contents.

  In order to reach a reasonable number of samples, we need a way to consistently generate multiple variants of those we already have. And again, LLMs can be leveraged to give us exactly that.

  This task is much easier than the original one. Because it isn’t strictly necessary to get more varied answers. Provided that those we have are of sufficiently high quality.

  If we want our fine tuned model to be robust enough for deployment, it needs to be able to respond to a wide variety of questions.

  With the new format for model responses, we can ensure that we only get questions. Sparing some tokens.

  class QuestionVariant(BaseModel):
      """Variant of base question"""
  
      question: str = Field(description="Variant of an existing question.")
  
  
  class QuestionVariantList(BaseModel):
      """List of question variants."""
  
      question_variants: List[QuestionVariant] = Field(
          description="List of question variants.", min_length=1
      )
  

  The prompt also needs adjustments. But established principles still apply here.

  
  VARIATION_SYSTEM_PROMPT = """
  You are an AI assistant specializing in linguistics and question reformulation. Your task is to rephrase a given question in multiple ways while strictly preserving its original intent and meaning.
  
  Follow these rules:
  1.  **Preserve Core Intent:** All generated questions must request the exact same piece of information as the original. The answer to all variants should be identical to the answer of the original question.
  2.  **Maintain Specificity:** Do not make the questions more general or vague. If the original asks for a percentage, the variants must also ask for a percentage.
  3.  **Vary Phrasing and Structure:** Use synonyms, change the sentence structure (e.g., active to passive), and reorder clauses to create natural-sounding alternatives.
  4.  **Output Format:** Your response will be a single JSON object containing a list of dictionaries. Each dictionary will have only one key: "question".
  """
  
  VARIATION_USER_PROMPT = """
  Here is the original question:
  {question}
  
  Please generate {n_variants} distinct variants of this question.
  """
  

  Sourcing the questions

  Before we can get started with generating the dataset, we should ensure that all samples we create can be tracked back to source.

  for qna in parsed_response.questions_and_answers:
      base_qna.append(
          SourcedQnAPair(
              question=qna.question,
              answer=qna.answer,
              question_topic=qna.question_topic,
              source=file_path,
              document_topic=parsed_response.document_topic,
          )
      )
  

  This will help us with quality control. As we can later track down the exact source document used, and verify that information in the answer is indeed accurate.

  Putting it all together

  With model handling both knowledge extraction and dataset augmentation, the task of building a large Q/A dataset becomes much more tractable.

  All that remains is putting these tasks into loops. First for iterating over all source documents, deriving base questions. Second for deriving new question variants.

  Depending on structure of source documents, and context size of the LLM, it may be prudent to split documents in sections. A number of heuristics can be employed to that end, starting with simple splitting by certain number sentences, or by section headings.

  In the case of Fedora Packaging guidelines, all documents are nicely formatted .adoc files, of limited size, and we can use them without change.

  Created questions and answers, all SourcedQnAPair objects supporting serialization, can be easily converted into a list of dictionaries, and finally into a Hugging Face dataset.

  # Dicts to dataset
  dataset = []
  for e in tqdm.tqdm(final_qna):
      row = e.model_dump()
      dataset.append(row)
  
  random.shuffle(dataset)
  
  dataset = datasets.Dataset.from_list(dataset)
  

  Shuffling is largely optional, and can be left on the consumer of the dataset to be applied before the dataset is split into training and testing subsets.

  Apart from publishing dataset on Hugging Face, we can save it locally, in any of the supported formats.

  dataset.to_parquet("fedora_qna.parquet")
  

  Limitations

  While this approach is certainly powerful and useful, it is not perfect. LLMs, even when grounded with source documents and well crafted prompts, are capable of producing text without foundation in input.

  Even when this is not the case. Source documents ought to be checked. To verify that no private or sensitive information is present. Otherwise they may leak into newly created dataset and any models trained using it.

  Finally, and this is the most important limitation of all. Even the best dataset can not supplant deficient fine tuning procedures. Nor can it balance issues caused by a model that is just too small for the task.

  It is always necessary to consider all aspects of fine tuning and setting expectations accordingly.

October 04, 2025

• Kevin Fenzi infra weekly recap: Early October 2025

  

  Another saturday, so time for another weekly recap!

  Looping mailing list bounces are not fun

  We had a bit of fun in the early part of the week with our mailman server alerting about having a lot of mails in the queue. Looking at it, I found that they were almost entirely bounces, but why?

  Well, it was a sad confluence of events: some providers send bounce emails that are almost completely useless. I'll go ahead and name names: mimecast (used by Red Hat) and ibm (their own thing I guess?). These bounces don't include the orig email, don't include headers from the orig email, don't include who the email was sent to. So, for example, say a fictional someone named Bob Smith signs up for a fedora list with bsmith@redhat.com. They then leave the company and emails to them bounce with a message saying "foobar@somethinginternal" bounced. You have no way to tell who it was really unless their internal name and external name match up. mailman cannot process these bounce messages at all, so it just drops them.

  But it gets worse. If someone in that state was a owner of a list, and they also enabled the 'send bounce emails you cannot process to list owners' then... the email bounces, the bounce can't be processed, it sends to the list owners, where it causes another bounce, etc. ;(

  I managed to figure out the addresses causing the current issue, but it's frustrating. </end rant>

  rdu2-cc to rdu3 dc move

  The move of our rdu2 community cage hardware to rdu3 continues. I was working on network acls to pass to the networking folks this week. Hopefully I got everything at least to a working starter state.

  Still looking like we are going to try a november move, but I am hoping we can get in a new replacement machine before that and I can actually migrate pagure.io before the move. The rest of the hosts there are not too critical and can be down, but it would be nice to avoid downtime for pagure.io.

  mass update/reboot

  We did another mass update/reboot cycle this week. Wanted to get everything up and on the latest updates before going into final freeze next week.

  To give a bit of history here, you may wonder why we do these periodic outages instead of just making it so everything is up all the time? We may consider that again, but at least in the past there were problems with databases and a few other difficult to manage things. Of course you can definitely setup databases these days with clusters and we might try and move to that at some point now, but in the past failover and back was prone to a lot of issues. In the mean time a few hours every few months doesn't seem like a undue burden.

  some builder adjustments / additions

  This last week I brought on line 5 more buildhw-a64's (hardware aarch64 builders). With that done, I then adjusted our 'heavybuilder' and 'secure-boot' channels to take advantage of the new hardware.

  So, I think we are in pretty good shape on x86_64 and aarch64 now. On power, our power10 buildvm's seem to be doing fine to me. We are planning some changes there in coming weeks though: We are moving from a 'entire machine is kvm host' to using lpars (logical partitions). This will allow us to move 1/2 of the current builders to a second power10 chassis and perhaps increase performance. On s390x, nothing much has changed. We continue to restrict ci jobs there and I try and balance out number of builders vs specs.

  DANE update

  Small update for anyone who noticed or cares: I updated the ssl cert for *.fedoraproject.org last week, and finally got to updating the DANE record for it today.

  DANE is a way to tie a ssl cert to dns for the host. Postfix and exim at least can automatically use that to verify things, as well as a firefox extension I have that tells you if it validates or not.

  slim7x laptop news

  I've kept using my lenovo slim7x laptop and have switched over to mainline rawhide kernels a while back. The only missing thing that wasn't upsreamed for me was bluetooth support and since that was heading upstream, I got Fedora kernel maintainers to just include the patch.

  Recent merge window kernels seem to have broken something in the devicetree file for the laptop tho. It boots to a blank screen with the dtb from the kernel. Passing it an old one and it works fine.

  There's still work to get the devicetree files on the live media, at which time booting from usb on these just becomes a manual step of passing the right dtb, which is a great deal better than 'build your own live media with devicetree files on it'.

  I guess for now I'll just keep daly driving it, but the lack of webcam is kinda anoying.

  Radxa Orion O6

  Picked up one of these the other day with a set of flimsy excuses: "I can use it to build kernels for the laptop" and "I can help test fedora rcs". It was also on sale at the time. :)

  I just installed it this morning. Pretty painless overall, just switching it to 'acpi' mode from 'devicetree' and then an anoying detour of it not liking the first usb stick I plugged in. With an older one it booted right up with the f43 workstation live and was installed a few minutes later.

  Will probibly do a seperate blog post with review soon.

  comments? additions? reactions?

  As always, comment on mastodon: https://fosstodon.org/@nirik/115317546174534133

October 02, 2025

• Cockpit Project Cockpit 348

  Cockpit is the modern Linux admin interface. We release regularly.

  Here are the release notes from cockpit-machines 341:

  Machines: Improved UX for Disks and Network interface tables

  Looking at a Virtual Machine’s available disks or the designated network interfaces there was too much detail being displayed, causing unintended wrapping and making some parts impossible to read with certain screen resolutions.

  To alleviate this we have changed the UI around to showcase only the most important information a user would want and hid the rest within an expandable section.

  

  All the information we had prior to this change is still here, but in a much easier to read design.

  

  

  Try it out

  Cockpit 348, cockpit-podman 114, cockpit-files 29, cockpit-machines 341, and cockpit-ostree 215 are available now:

  • For your Linux system

  • Cockpit Client

  • Cockpit Source Tarball
  • Cockpit Fedora 43
  • Cockpit Fedora 42
  • cockpit-podman Source Tarball
  • cockpit-podman Fedora 43
  • cockpit-podman Fedora 42
  • cockpit-files Source Tarball
  • cockpit-files Fedora 43
  • cockpit-files Fedora 42
  • cockpit-machines Source Tarball
  • cockpit-machines Fedora 43
  • cockpit-machines Fedora 42
  • cockpit-ostree Source Tarball
  • cockpit-ostree Fedora 43
  • cockpit-ostree Fedora 42

October 01, 2025

• Debarshi Ray Ollama on Fedora Silverblue

  I found myself dealing with various rough edges and questions around running Ollama on Fedora Silverblue for the past few months. These arise from the fact that there are a few different ways of installing Ollama, /usr is a read-only mount point on Silverblue, people have different kinds of GPUs or none at all, the program that’s using Ollama might be a graphical application in a Flatpak or part of the operating system image, and so on. So, I thought I’ll document a few different use-cases in one place for future reference or maybe someone will find it useful.

  Different ways of installing Ollama

  There are at least three different ways of installing Ollama on Fedora Silverblue. Each of those have their own nuances and trade-offs that we will explore later.

  First, there’s the popular single command POSIX shell script installer:

  $ curl -fsSL https://ollama.com/install.sh | sh

  There is a manual step by step variant for those who are uncomfortable with running a script straight off the Internet. They both install Ollama in the operating system’s /usr/local or /usr or / prefix, depending on which one comes first in the PATH environment variable, and attempts to enable and activate a systemd service unit that runs ollama serve.

  Second, there’s a docker.io/ollama/ollama OCI image that can be used to put Ollama in a container. The container runs ollama serve by default.

  Finally, there’s Fedora’s ollama RPM.

  Surprise

  Astute readers might be wondering why I mentioned the shell script installer in the context of Fedora Silverblue, because /usr is a read-only mount point. Won’t it break the script? Not really, or the script breaks but not in the way one might expect.

  Even though, /usr is read-only on Silverblue, /usr/local is not, because it’s a symbolic link to /var/usrlocal, and Fedora defaults to putting /usr/local/bin earlier in the PATH environment variable than the other prefixes that the installer attempts to use, as long as pkexec(1) isn’t being used. This happy coincidence allows the installer to place the Ollama binaries in their right places.

  The script does fail eventually when attempting to create the systemd service unit to run ollama serve, because it tries to create an ollama user with /usr/share/ollama as its home directory. However, this half-baked installation works surprisingly well as long as nobody is trying to use an AMD GPU.

  NVIDIA GPUs work, if the proprietary driver and nvidia-smi(1) are present in the operating system, which are provided by the kmod-nvidia and xorg-x11-drv-nvidia-cuda packages from RPM Fusion; and so does CPU fallback.

  Unfortunately, the results would be the same if the shell script installer is used inside a Toolbx container. It will fail to create the systemd service unit because it can’t connect to the system-wide instance of systemd.

  Using AMD GPUs with Ollama is an important use-case. So, let’s see if we can do better than trying to manually work around the hurdles faced by the script.

  OCI image

  The docker.io/ollama/ollama OCI image requires the user to know what processing hardware they have or want to use. To use it only with the CPU without any GPU acceleration:

  $ podman run \
      --name ollama \
      --publish 11434:11434 \
      --rm \
      --security-opt label=disable \
      --volume ~/.ollama:/root/.ollama \
      docker.io/ollama/ollama:latest

  This will be used as the baseline to enable different kinds of GPUs. Port 11434 is the default port on which the Ollama server listens, and ~/.ollama is the default directory where it stores its SSH keys and artificial intelligence models.

  To enable NVIDIA GPUs, the proprietary driver and nvidia-smi(1) must be present on the host operating system, as provided by the kmod-nvidia and xorg-x11-drv-nvidia-cuda packages from RPM Fusion. The user space driver has to be injected into the container from the host using NVIDIA Container Toolkit, provided by the nvidia-container-toolkit package from Fedora, for Ollama to be able to use the GPUs.

  The first step is to generate a Container Device Interface (or CDI) specification for the user space driver:

  $ sudo nvidia-ctk cdi generate --output /etc/cdi/nvidia.yaml
  …
  …

  Then the container needs to be run with access to the GPUs, by adding the --gpus option to the baseline command above:

  $ podman run \
      --gpus all \
      --name ollama \
      --publish 11434:11434 \
      --rm \
      --security-opt label=disable \
      --volume ~/.ollama:/root/.ollama \
      docker.io/ollama/ollama:latest

  AMD GPUs don’t need the driver to be injected into the container from the host, because it can be bundled with the OCI image. Therefore, instead of generating a CDI specification for them, an image that bundles the driver must be used. This is done by using the rocm tag for the docker.io/ollama/ollama image.

  Then container needs to be run with access to the GPUs. However, the --gpus option only works for NVIDIA GPUs. So, the specific devices need to be spelled out by adding the --devices option to the baseline command above:

  $ podman run \
      --device /dev/dri \
      --device /dev/kfd \
      --name ollama \
      --publish 11434:11434 \
      --rm \
      --security-opt label=disable \
      --volume ~/.ollama:/root/.ollama \
      docker.io/ollama/ollama:rocm

  However, because of how AMD GPUs are programmed with ROCm, it’s possible that some decent GPUs might not be supported by the docker.io/ollama/ollama:rocm image. The ROCm compiler needs to explicitly support the GPU in question, and Ollama needs to be built with such a compiler. Unfortunately, the binaries in the image leave out support for some GPUs that would otherwise work. For example, my AMD Radeon RX 6700 XT isn’t supported.

  This can be verified with nvtop(1) in a Toolbx container. If there’s no spike in the GPU and its memory then its not being used.

  It will be good to support as many AMD GPUs as possible with Ollama. So, let’s see if we can do better.

  Fedora’s ollama RPM

  Fedora offers a very capable ollama RPM, as far as AMD GPUs are concerned, because Fedora’s ROCm stack supports a lot more GPUs than other builds out there. It’s possible to check if a GPU is supported either by using the RPM and keeping an eye on nvtop(1), or by comparing the name of the GPU shown by rocminfo with those listed in the rocm-rpm-macros RPM.

  For example, according to rocminfo, the name for my AMD Radeon RX 6700 XT is gfx1031, which is listed in rocm-rpm-macros:

  $ rocminfo
  ROCk module is loaded
  =====================    
  HSA System Attributes    
  =====================    
  Runtime Version:         1.1
  Runtime Ext Version:     1.6
  System Timestamp Freq.:  1000.000000MHz
  Sig. Max Wait Duration:  18446744073709551615 (0xFFFFFFFFFFFFFFFF) (timestamp count)
  Machine Model:           LARGE                              
  System Endianness:       LITTLE                             
  Mwaitx:                  DISABLED
  DMAbuf Support:          YES
  
  ==========               
  HSA Agents               
  ==========               
  *******                  
  Agent 1                  
  *******                  
    Name:                    AMD Ryzen 7 5800X 8-Core Processor 
    Uuid:                    CPU-XX                             
    Marketing Name:          AMD Ryzen 7 5800X 8-Core Processor 
    Vendor Name:             CPU                                
    Feature:                 None specified                     
    Profile:                 FULL_PROFILE                       
    Float Round Mode:        NEAR                               
    Max Queue Number:        0(0x0)                             
    Queue Min Size:          0(0x0)                             
    Queue Max Size:          0(0x0)                             
    Queue Type:              MULTI                              
    Node:                    0                                  
    Device Type:             CPU                                
  …
  …
  *******                  
  Agent 2                  
  *******                  
    Name:                    gfx1031                            
    Uuid:                    GPU-XX                             
    Marketing Name:          AMD Radeon RX 6700 XT              
    Vendor Name:             AMD                                
    Feature:                 KERNEL_DISPATCH                    
    Profile:                 BASE_PROFILE                       
    Float Round Mode:        NEAR                               
    Max Queue Number:        128(0x80)                          
    Queue Min Size:          64(0x40)                           
    Queue Max Size:          131072(0x20000)                    
    Queue Type:              MULTI                              
    Node:                    1                                  
    Device Type:             GPU
  …
  …

  The ollama RPM can be installed inside a Toolbx container, or it can be layered on top of the base registry.fedoraproject.org/fedora image to replace the docker.io/ollama/ollama:rocm image:

  FROM registry.fedoraproject.org/fedora:42
  RUN dnf --assumeyes upgrade
  RUN dnf --assumeyes install ollama
  RUN dnf clean all
  ENV OLLAMA_HOST=0.0.0.0:11434
  EXPOSE 11434
  ENTRYPOINT ["/usr/bin/ollama"]
  CMD ["serve"]

  Unfortunately, for obvious reasons, Fedora’s ollama RPM doesn’t support NVIDIA GPUs.

  Conclusion

  From the puristic perspective of not touching the operating system’s OSTree image, and being able to easily remove or upgrade Ollama, using an OCI container is the best option for using Ollama on Fedora Silverblue. Tools like Podman offer a suite of features to manage OCI containers and images that are far beyond what the POSIX shell script installer can hope to offer.

  It seems that the realities of GPUs from AMD and NVIDIA prevent the use of the same OCI image, if we want to maximize our hardware support, and force the use of slightly different Podman commands and associated set-up. We have to create our own image using Fedora’s ollama RPM for AMD, and the docker.io/ollama/ollama:latest image with NVIDIA Container Toolkit for NVIDIA.

• Máirín Duffy The point of AI^W technology is to help people

  She’s back!

  Back to this blog after a ~2 year hiatus! Well, hmm. No harm – nothing much has changed over the past couple of years….!

  In the past couple of years I’ve been working on various open source AI initiatives at Red Hat… Podman Desktop AI Lab, InstructLab, Red Hat Enterprise Linux AI, and Red Hat Enterprise Linux Lightspeed. We’ll talk about these experiences over time here. There is something I have observed over this time period that I must point out, though. (It actually reminds me a bit of when blockchain first came out, but I think there is a real there there with generative AI.) Here it is:

  AI is a solution looking for a problem.

  It’s an implementation detail. It’s not a hammer for every nail, but there are some nails that have been sticking out for a while that it makes newly possible to hammer in. There’s a lot of rich experiences I’ve dreamed up in my long tenure as a UX designer in the open source space that would never have been realized because of the sheer amount of effort required to build / generate the data. Generative AI may be a way to do this.

  What inspires and drives me to work in open source is the promise that we can democratize technology and give everyone agency and control over it. Technology should help people and solve their problems. Not turn them into products. Not harvest their data for monetization whether it’s driving ad revenues or used to train models without full consent. I believe the open source approach of building and sharing technology will help democratize AI – as open source has for many other technologies.

  There are obviously issues at the intersection of generative AI and open source. I’m quite conscious of them, and quite concerned about the implications for the very definition of what it means to be open source with this new, non-deterministic technology. I’ll dive into that another time.
  

  Quack quack!

  For now – I want to share a pilot video for a potential video series we’re doing at Red Hat. The idea for the series came from my colleague Marcelle Traboulsi who is a filmmaker with Red Hat and this was filmed by Brett Abramsky who is a creative director on our brand team. It’s called “What’s on Mo’s mind?” – and this whole concern I have over driving folks towards using AI without solid problems-to-solve or use cases was obviously on my mind when we filmed this!

  Take a look and let me know what you think! We’d love your feedback, and if you have ideas for more topics you’d like to see covered please let me know in the comments!

  

September 28, 2025

• Siddhesh Poyarekar Finding reason, finding belonging

  I’ve been around in the Free and Open Source world for over 20 years now, initially as a user but largely as a hacker. Since I started making money using (and growing) my technical skills, it never once occurred to me that I’d be doing anything other than writing FOS software. Which is why over the years as I grew up the Engineer Value Stack* in my career, I started shedding some things that once used to give my joy. With that train of thought, I almost did not go to the 2025 GNU Tools Cauldron that just concluded in Porto today.

  Dear reader, if you’re expecting a review of all of the technically awesome things that happened at Cauldron this weekend, stop reading and wait a couple of days. Jonathan Corbett was there so I assume he will have something interesting to write in that space. Go watch the LWN feed and maybe even buy a subscription if you haven’t already.

  So yeah, I almost decided to not go to Porto for Cauldron, because for the past year or so, I didn’t feel like I did anything of consequence in the GNU toolchain community. Sitting alone in my basement in Waterloo, I had already concluded to myself that nobody would miss that I wasn’t there. Things would go on as usual. I had already forgotten whatever work I had done over the last years; they didn’t feel valuable enough. I had concluded that I was mostly a glorified Jira wrangler (the modern equivalent of the “paper pusher” slur one could use to denigrate anybody who doesn’t do Real Work™) and I wasn’t needed.

  I did fly in the end, and arrived at a hot (OK, 24C, but I’m practically Canadian now so forgive me) Porto, still unsure why I was there. To try and brush off the fatigue, I walked with Carlos (there’s nothing like a loud, always driven Argentinian man to lift your spirits) to FEUP, ending our day downtown meeting many of the attendees, many friends.

  That seemed like a great day, and a great evening. But still, was it worth flying the 7 hours? I wasn’t sure. Anyway, that’s one down, 3 more days to go.

  Cut to Sunday night, I’m now wondering where those 3 days went in a blur, and wondering what washed away those doubts I had coming in.

  Maybe it was the wonderful Belgian beer we had on Friday night. Or was it because I was with old friends and new, talking about everything under the sun?

  Maybe it was the chilled Londrina house beer that stayed ice cold to the last drop. Or was it the joy of finding a shared love for working with wood with a colleague who I had only occasionally chatted over the intertubes all these years?

  Maybe it was the Francesinha, a sinfully tasty but likely just as unhealthy Portuguese dish. Or was it the colleague who suggested the dish, who also had welcomed me earlier, genuinely and warmly, saying “here comes the great Sid!” instantly making me feel like I matter?

  Maybe it was the wonderful port wine and fancy 3 course meal we had at Taylor’s. Or was it the intimate conversations I had with some new friends and old about our failures and insecurities, and how they shaped us?

  Maybe it is the wonderful catering Cupertino and folks arranged for our lunches at Cauldron. Or was it the new connections I made with people I looked at with admiration across the hall all these years but never had the courage to walk across and introduce myself?

  Was it the fact that all of the most amazing leaders in the GNU tools ecosystem were there? Or was it the relief at seeing an old friend and mentor (I don’t know if he knows how much my interactions with him meant to me) safe and doing well? Or, in fact, was it the realization of how much I owe it to pretty much every person who has been coming to Cauldron regularly, probably with their own personal reasons, but leaving their own, indelible impression on me as a person? Or, of course, the annual JL (if you know you know) therapy session?

  Maybe it was the fantastic surprise musical performance by a group of school kids, which reminded me of my kiddo back home. OK maybe that one actually had me longing to return home soon.

  Anyway, the material experiences tend to get washed away days after I return from these experiences, but the personal and emotional ones are not permanent either. They’ve shaped me and made me the person I am, but months later, I know I will have forgotten why I loved being here, with my friends, people with whom I share my commitment to Free and Open Source Software. I’m writing this with the hope that I’ll come back here to remind myself of why it matters, to remind myself that I belong, to be grateful to all of those people who made me feel like I belong.

  If you were here the first time, note that I’ve been here for over 13 years now, and you belong, just as I do.

  * Engineer Value Stack: A hierarchy that companies tend to have in their engineering organizations based on an engineer’s ability to effectively communicate their ideas and work with their peers, as opposed to the superiority of their technical skills, which in itself is also a nebulous concept that only serves to promote a deep impostor syndrome among most competent developers.

September 27, 2025

• Kevin Fenzi infra weekly recap: End of sept 2025

  

  Another saturday, time for another weekly recap. September is almost over and time is flying by. But of course fall is the very best season, so we have that going for us.

  Logging and looping apps

  This week our central log server ran low on disk space again, and it was the same issue we have hit in the past: A application that processes fedora messaging messages hit one where processing caused a traceback. So, it puts the message back on the queue and retries. This results in rather a lot of logs. :( We actually have discussed some fixes for this in the past, but haven't gotten around to implementing any of them. Perhaps this latest issue can revive that work.

  Monitoring news

  We currently have a nagios setup and a new zabbix setup we are moving to. This week we found that nagios wasn't monitoring some of the external servers it should have been. Turns out it was some changes we made for the datacenter move, when we have 2 nagios servers and only wanted one to monitor external things, but then it didn't properly get moved to the new one after the move. So, we fixed that and then I had to fix a number of aws security groups and firewalls for those servers to get everything working again.

  I'm really looking forward to just finishing the switch to zabbix. I really hope we can turn nagios off before the end of the year. zabbix has a number of advantages and will get us to a nicer space.

  Really very anoying sporadic 503 errors on kojipkgs requests

  Some small percentage of the time, we have been seeing 503 errors from requests to our kojipkgs servers. This is most visible on builds, but also started to affect composes and other things.

  The setup here is somewhat complex, but a build or compose request to kojipkgs.fedoraproject.org goes to one of two internal proxies (proxy110/prox101), there apache terminates ssl and proxies to a haproxy instance. That haproxy in turn has two varnish servers behind it (kojipkgs01 and kojipkgs02). varnish on those servers caches as much as it possibly can in memory, and anything it cannot cache is requested from a local apache in front of a netapp nfs server.

  The problem was the haproxy -> varnish step. Sometimes haproxy would see failed health checks and disable a backend, sometimes that would happen with _both_ backends and clients would get a 503.

  Digging around on it I found: - Seemingly no particular pattern to when it happened - There was no change in packages or configuration on the proxy servers - Rebooting proxies or varnish servers caused no change - I could not duplicate it from any other machines than proxy servers - I could duplicate it via curl on the proxies - when it happened the proxy had connections showing it sent a SYN

  tcpdump would have been nice, but given the massive amount of traffic it wasn't too practical.

  Finally, I realized all the stuck connections were with a very high local port. Switching curl to use under 32k local ports the problem was gone. But why? I still don't know why... but just switching the proxies to use a local port range under 32k seems to have completely cleared the problem up. Networking folks say there have been no changes, I could not find anything that changed on our end either.

  So, builds are back to normal, and composes (that were sometimes failing and sometimes taking 2x or more time to finish) are back to normal also.

  Oncall

  A number of years ago in Fedora Infrastructure we setup a weekly role called 'oncall'. This person would watch chats for people asking about problems or pinging specific team members and instead triage their issue and guide them in filing a ticket or deciding if the problem was urgent enough to bother others on the team with.

  In this weeks infra meeting we talked about it, and while this was getting used back when we were on IRC, it doesn't really seem to be getting too much use at all on matrix. There of course could be a number of reasons for that: people realize they should just file a ticket or there just have not been too many urgent issues or people are unaware of it or just general answers to questions has been good enough people don't escalate.

  Anyhow, we are thinking of dropping or revamping how that works. I'm planning on starting a discussion thread on it soon...

  comments? additions? reactions?

  As always, comment on mastodon: https://fosstodon.org/@nirik/115277573858704803

September 26, 2025

• Adam Young Tools First

  I have wasted a lot of time as a developer waiting for long running processes to complete. Whether it is a Linux Kernel compile, and Ansible Playbook tearing down and recreating a system on a remote server, or a gitlab pipeline building and testing code, the common problem is that my head is in the problem being addressed there, but I cannot do anything to verify hypotheses until the process completes. I often get distracted while waiting, and find that what could have been a 5 minute turn around has become a 2 hour turn around.

  One of the common aspects of these long running tasks is that they are built out of smaller elements, but need to perform all of the elements in order to validate some prerequisite. Perhaps that prerequisite is starting from a know state, either of the machine of the build.
  
  The problem with automation is that it forces you to go through all the steps. While that is sometimes a necessary and right approach, it is not for all development.
  
  I am going to make a distinction here between tools and automation. The distinction is that a tool is designed to be used by the software craftsman to perform and operation, maybe several, in the course of interactive work. The tools may be as simple as ‘ls’ which lists the contents of a directory, or as complex as tcpdump/wireshare/netstat type tools that show network state in flight.
  
  Automation is explicitly not for this use case: automation is to replace time consuming and error prone tasks with repeatable, deterministic processing. Automation maybe built out of tools, but it is a different use case, and you should not be putting automation in the middle of your code-debug cycle if at all possible.

  This leads to some guidelines.

  • First, If automation is to replace manual processes, those processes need to be automatable. Building the functionality you need into a gui Window breaks this.
  • Make everything executable from the command line.Using curl or python requests to execute a remote HTTP call is acceptable for this. Although you probable want to make the server accept and return JSON or YAML instead of HTML.
  • That implies that you build your tools first. Make it possible for a developer to perform each individual step in the process without waiting a long time for the outcome. For compilation, yeah, the first one might take a long time, but support incremental compilation and make it simple to make simple changes.
  • Do not lead with automation. If you are kicking things off with an Ansible playbook, you probably have leaned to far in the direction of automation….make that process human executable first, and then automate with Ansible.
  • Do not have a dependency on a long running task, or your short task becomes a long running task. You see this in Ansible where a given task needs something that is performed once in the pipeline, much earlier, and an implicit dependency slips in between the stages, and now you need to wait for that unrelated task to complete. Make it easy to fetch just the information you need, or to perform only the essential step, before performing tricky, hard to code sections that need a lot of attention.

  There are two benefits to this approach. First, you make your developers much more productive. Second, you prevent burnout and mental exhaustion. The productivity comes from the ability to keep on task, and not have to rebuild the mental model when returning to a task. The mental exhaustion comes from the need to store and retrieve, and rebuilt, that mental model. Over time that contributes to burnout.

• Remi Collet 🎲 PHP on the road to the 8.5.0 release

  Version 8.5.0 Release Candidate 1 is released. It's now enter the stabilisation phase for the developers, and the test phase for the users.

  RPMs are available in the php:remi-8.5 stream for Fedora ≥ 41 and  Enterprise Linux ≥ 8 (RHEL, CentOS, Alma, Rocky...) and as Software Collection in the remi-safe repository (or remi for Fedora)

   

  ⚠️ The repository provides development versions which are not suitable for production usage.

  Also read: PHP 8.5 as Software Collection

  ℹ️ Installation : follow the Wizard instructions.

  Replacement of default PHP by version 8.5 installation, module way (simplest way):

  Using dnf 4 on Enterprise Linux

  dnf module switch-to php:remi-8.5/common

  Using dnf 5 on Fedora

  dnf module reset php
  dnf module enable php:remi-8.5
  dnf update
  

  Parallel installation of version 8.5 as Software Collection (recommended for tests):

  dnf install php85

  ⚠️ To be noticed :

  • EL-10 RPMs are built using RHEL-10.0
  • EL9 rpm are build using RHEL-9.6
  • EL8 rpm are build using RHEL-8.10
  • lot of extensions are also available, see the PHP extension RPM status page and PHP version 8.5 tracker
  • follow the comments on this page for update until final version
  • proposed as a Fedora 44 change

  ℹ️ Information, read:

  • UPGRADING
  • UPGRADING.INTERNALS

  Base packages (php)
  

  Software Collections (php84)
  

• Remi Collet ⚙️ PHP version 8.3.26 and 8.4.13

  RPMs of PHP version 8.4.13 are available in the remi-modular repository for Fedora ≥ 41 and Enterprise Linux ≥ 8 (RHEL, Alma, CentOS, Rocky...).

  RPMs of PHP version 8.3.26 are available in the remi-modular repository for Fedora ≥ 41 and Enterprise Linux ≥ 8 (RHEL, Alma, CentOS, Rocky...).

  ℹ� The packages are available for x86_64 and aarch64.

  ℹ� There is no security fix this month, so no update for version 8.1.33 and 8.2.29.

  These versions are also available as Software Collections in the remi-safe repository.

  Version announcements:

  • PHP 8.4.13 Release Annoucement
  • PHP 8.3.26 Release Annoucement

  ℹ� Installation: use the Configuration Wizard and choose your version and installation mode.

  Replacement of default PHP by version 8.4 installation (simplest):

  dnf module switch-to php:remi-8.4/common
  

  Parallel installation of version 8.4 as Software Collection

  yum install php84

  Replacement of default PHP by version 8.3 installation (simplest):

  dnf module switch-to php:remi-8.3/common
  

  Parallel installation of version 8.3 as Software Collection

  yum install php83

  And soon in the official updates:

  • Fedora Rawhide now has PHP version 8.4.13
  • Fedora 43 - PHP 8.4.13
  • Fedora 42 - PHP 8.4.13
  • Fedora 41 - PHP 8.3.26

  ⚠� To be noticed :

  • EL-10 RPMs are built using RHEL-10.0
  • EL-9 RPMs are built using RHEL-9.6
  • EL-8 RPMs are built using RHEL-8.10
  • intl extension now uses libicu74 (version 74.2)
  • mbstring extension (EL builds) now uses oniguruma5php (version 6.9.10, instead of the outdated system library)
  • oci8 extension now uses the RPM of Oracle Instant Client version 23.8 on x86_64 and aarch64
  • a lot of extensions are also available; see the PHP extensions RPM status (from PECL and other sources) page

  ℹ� Information:

  • Migrating from PHP 8.2.x to PHP 8.3.x
  • Migrating from PHP 8.3.x to PHP 8.4.x

  Base packages (php)

  

  

  Software Collections (php83 / php84)

  

  

September 24, 2025

• Matthew Garrett Investigating a forged PDF

  I had to rent a house for a couple of months recently, which is long enough in California that it pushes you into proper tenant protection law. As landlords tend to do, they failed to return my security deposit within the 21 days required by law, having already failed to provide the required notification that I was entitled to an inspection before moving out. Cue some tedious argumentation with the letting agency, and eventually me threatening to take them to small claims court.
  
  This post is not about that.
  
  Now, under Californian law, the onus is on the landlord to hold and return the security deposit - the agency has no role in this. The only reason I was talking to them is that my lease didn't mention the name or address of the landlord (another legal violation, but the outcome is just that you get to serve the landlord via the agency). So it was a bit surprising when I received an email from the owner of the agency informing me that they did not hold the deposit and so were not liable - I already knew this.
  
  The odd bit about this, though, is that they sent me another copy of the contract, asserting that it made it clear that the landlord held the deposit. I read it, and instead found a clause reading SECURITY: The security deposit will secure the performance of Tenant’s obligations. IER may, but will not be obligated to, apply all portions of said deposit on account of Tenant’s obligations. Any balance remaining upon termination will be returned to Tenant. Tenant will not have the right to apply the security deposit in payment of the last month’s rent. Security deposit held at IER Trust Account., where IER is International Executive Rentals, the agency in question. Why send me a contract that says you hold the money while you're telling me you don't? And then I read further down and found this:
  
  Ok, fair enough, there's an addendum that says the landlord has it (I've removed the landlord's name, it's present in the original).
  
  Except. I had no recollection of that addendum. I went back to the copy of the contract I had and discovered:
  
  Huh! But obviously I could just have edited that to remove it (there's no obvious reason for me to, but whatever), and then it'd be my word against theirs. However, I'd been sent the document via RightSignature, an online document signing platform, and they'd added a certification page that looked like this:
  
  Interestingly, the certificate page was identical in both documents, including the checksums, despite the content being different. So, how do I show which one is legitimate? You'd think given this certificate page this would be trivial, but RightSignature provides no documented mechanism whatsoever for anyone to verify any of the fields in the certificate, which is annoying but let's see what we can do anyway.
  
  First up, let's look at the PDF metadata. pdftk has a dump_data command that dumps the metadata in the document, including the creation date and the modification date. My file had both set to identical timestamps in June, both listed in UTC, corresponding to the time I'd signed the document. The file containing the addendum? The same creation time, but a modification time of this Monday, shortly before it was sent to me. This time, the modification timestamp was in Pacific Daylight Time, the timezone currently observed in California. In addition, the data included two ID fields, ID0 and ID1. In my document both were identical, in the one with the addendum ID0 matched mine but ID1 was different.
  
  These ID tags are intended to be some form of representation (such as a hash) of the document. ID0 is set when the document is created and should not be modified afterwards - ID1 initially identical to ID0, but changes when the document is modified. This is intended to allow tooling to identify whether two documents are modified versions of the same document. The identical ID0 indicated that the document with the addendum was originally identical to mine, and the different ID1 that it had been modified.
  
  Well, ok, that seems like a pretty strong demonstration. I had the "I have a very particular set of skills" conversation with the agency and pointed these facts out, that they were an extremely strong indication that my copy was authentic and their one wasn't, and they responded that the document was "re-sealed" every time it was downloaded from RightSignature and that would explain the modifications. This doesn't seem plausible, but it's an argument. Let's go further.
  
  My next move was pdfalyzer, which allows you to pull a PDF apart into its component pieces. This revealed that the documents were identical, other than page 3, the one with the addendum. This page included tags entitled "touchUp_TextEdit", evidence that the page had been modified using Acrobat. But in itself, that doesn't prove anything - obviously it had been edited at some point to insert the landlord's name, it doesn't prove whether it happened before or after the signing.
  
  But in the process of editing, Acrobat appeared to have renamed all the font references on that page into a different format. Every other page had a consistent naming scheme for the fonts, and they matched the scheme in the page 3 I had. Again, that doesn't tell us whether the renaming happened before or after the signing. Or does it?
  
  You see, when I completed my signing, RightSignature inserted my name into the document, and did so using a font that wasn't otherwise present in the document (Courier, in this case). That font was named identically throughout the document, except on page 3, where it was named in the same manner as every other font that Acrobat had renamed. Given the font wasn't present in the document until after I'd signed it, this is proof that the page was edited after signing.
  
  But eh this is all very convoluted. Surely there's an easier way? Thankfully yes, although I hate it. RightSignature had sent me a link to view my signed copy of the document. When I went there it presented it to me as the original PDF with my signature overlaid on top. Hitting F12 gave me the network tab, and I could see a reference to a base.pdf. Downloading that gave me the original PDF, pre-signature. Running sha256sum on it gave me an identical hash to the "Original checksum" field. Needless to say, it did not contain the addendum.
  
  Why do this? The only explanation I can come up with (and I am obviously guessing here, I may be incorrect!) is that International Executive Rentals realised that they'd sent me a contract which could mean that they were liable for the return of my deposit, even though they'd already given it to my landlord, and after realising this added the addendum, sent it to me, and assumed that I just wouldn't notice (or that, if I did, I wouldn't be able to prove anything). In the process they went from an extremely unlikely possibility of having civil liability for a few thousand dollars (even if they were holding the deposit it's still the landlord's legal duty to return it, as far as I can tell) to doing something that looks extremely like forgery.
  
  There's a hilarious followup. After this happened, the agency offered to do a screenshare with me showing them logging into RightSignature and showing the signed file with the addendum, and then proceeded to do so. One minor problem - the "Send for signature" button was still there, just below a field saying "Uploaded: 09/22/25". I asked them to search for my name, and it popped up two hits - one marked draft, one marked completed. The one marked completed? Didn't contain the addendum.
  
  comments

September 23, 2025

• Kiwi TCMS Kiwi TCMS 15.0

  We're happy to announce Kiwi TCMS version 15.0!

  IMPORTANT:

  This is a major version release which includes important changes to the database, several improvements, bug fixes, couple of updated plugins and new translations.

  Recommended upgrade path:

  14.3 -> 15.0
  

  You can explore everything at https://public.tenant.kiwitcms.org!

  ---

  Public container image (x86_64):

  pub.kiwitcms.eu/kiwitcms/kiwi   latest  1b5584d7b2c1    695MB
  

  IMPORTANT: version tagged and multi-arch container images are available only to subscribers!

  Changes since Kiwi TCMS 14.3

  Improvements

  • Update Django from 5.1.11 to 5.2.6
  • Update django-guardian from 3.0.3 to 3.2.0
  • Update django-tree-queries from 0.20.0 to 0.21.2
  • Update markdown from 3.8.2 to 3.9
  • Update psycopg[binary] from 3.2.9 to 3.2.10
  • Update pygithub from 2.6.1 to 2.8.1
  • Update python-gitlab from 6.1.0 to 6.3.0
  • Support access key authentication for Redmine issue tracker integration (Makson Lee)
  • Rename navbar item PLUGINS -> MORE
  • Send email notifications when a TestCase is created. Fixes Issue #4058
  • Add Cancel button for "New TestCase" & "Edit TestCase" pages. Fixes Issue #4073
  • Display number of records found on Search pages. Fixes Issue #3324
  • Start keeping track of history for Product, Version and Build records

  Database

  • WARNING: Postgres 13 is no longer supported. Minimum version is 14!
  • New migration management.0011_history_for_product_version_build
  • IMPORTANT: For existing Kiwi TCMS installations history will be generated as soon as these objects are changed

  Bug fixes

  • Correct a typo. Fixes Issue #4072
  • Avoid broader matches when searching for harmful HTML attributes in uploaded files. Fixes Issue #4074
  • Send a POST request when clicking Logout menu while on Admin page. Fixes Issue #4005

  Refactoring and testing

  • Update actions/checkout from 4 to 5
  • Update actions/setup-node from 4 to 5
  • Update actions/setup-python from 5 to 6
  • Update github.com/pre-commit/pre-commit-hooks from v5.0.0 to v6.0.0
  • Update psf/black from 25.1.0 to 25.9.0
  • Update black from 25.1.0 to 25.9.0
  • Update node_modules/webpack from 5.99.9 to 5.101.3
  • Adjust API tests for Django 5.2
  • Add test for Issue #4074
  • Add logout tests via browser for Issue #4005

  Translations

  • Updated Chinese Simplified translation
  • Updated Japanese translation
  • Updated Polish translation
  • Updated Portuguese, Brazilian translation
  • Updated Russian translation
  • Updated Spanish translation
  • Updated Spanish, Argentina translation
  • Updated Spanish, Uruguay translation

  Kiwi TCMS Enterprise v15.0-mt

  • Based on Kiwi TCMS v15.0
  • Update certbot from 4.1.1 to 4.2.0 in the certbot group
  • Update django-python3-ldap from 0.15.8 to 0.16.1
  • Update kiwitcms-tenants from 4.1.0 to 4.2.0
  • Update sentry-sdk from 2.32.0 to 2.38.0
  • Remove certbot-dns-* plugins as dependencies
  • Redesign bin/lets-encrypt script for wild-card certificates

  Private container images

  hub.kiwitcms.eu/kiwitcms/version            15.0 (aarch64)          d3842a187b07    23 Sep 2025     706MB
  hub.kiwitcms.eu/kiwitcms/version            15.0 (x86_64)           3e3aa12837a2    23 Sep 2025     695MB
  hub.kiwitcms.eu/kiwitcms/enterprise         15.0-mt (aarch64)       9856d098eea7    23 Sep 2025     975MB
  hub.kiwitcms.eu/kiwitcms/enterprise         15.0-mt (x86_64)        a30d6b94b271    23 Sep 2025     954MB
  

  IMPORTANT: version tagged, multi-arch and Enterprise container images are available only to subscribers!

  tcms-api v15.0

  • Include host URL in Referer header
  • Updates for newer pylint
  • Updates for newer Sphynx
  • Update GitHub actions

  kiwitcms-junit.xml-plugin v15.0

  • Update junitparser from 3.1.0 to 3.2.0
  • Drop official support for Python 3.8

  How to upgrade

  Follow the Upgrading instructions from our documentation.

  Happy testing!

  ---

  If you like what we're doing and how Kiwi TCMS supports various communities please help us grow!

  • Give â­� on GitHub;
  • Join our newsletter and follow all project news;
  • Become a contributor and an awesome open source hacker;
  • Become a subscriber and help us sustain development

September 22, 2025

• Fedora fans مهرگان بر شما فرخنده باد

  

  جشن باستانی مهرگان، پس از نوروز، یکی از مهم‌ترین آیین‌های کهن ایران‌زمین است که هر سال در نیمه‌ی مهرماه برگزار می‌شود. این جشن نماد مهر، راستی، عدالت و دوستی است و ریشه در فرهنگ و تاریخ درخشان ایرانیان دارد. مهرگان، در گذر قرن‌ها، همواره فرصتی بوده است برای بزرگداشت ارزش‌های انسانی، یادآوری پیمان‌های راستین و […]

  The post مهرگان بر شما فرخنده باد first appeared on طرفداران فدورا.

• The NeuroFedora Blog Next Open NeuroFedora meeting: 22 September 2025 1300 UTC

  

  Photo by William White on Unsplash.

  
  

  Please join us at the next regular Open NeuroFedora team meeting on Monday 22 September 2025 at 1300 UTC. The meeting is a public meeting, and open for everyone to attend. You can join us in the Fedora meeting channel on chat.fedoraproject.org (our Matrix instance). Note that you can also access this channel from other Matrix home severs, so you do not have to create a Fedora account just to attend the meeting.

  You can use this link to convert the meeting time to your local time. Or, you can also use this command in the terminal:

  $ date -d 'Monday, September 22, 2025 13:00 UTC'
  

  The meeting will be chaired by @ankursinha. The agenda for the meeting is:

  • New introductions and roll call.
  • Tasks from last meeting.
  • Open Pagure tickets.
  • Python package installability check.
  • Package health check.
  • Open package reviews check.
  • Neuroscience query of the week
  • Next meeting day, and chair.
  • Open floor.

  We hope to see you there!

September 20, 2025

• Kevin Fenzi Misc infra bits from 3rd week of sept 2025

  

  Another week gone by, pretty busy, but not massively so.

  Fedora 43 Beta out

  Beta release was tuesday. Things went pretty smoothly from my view overall. We managed to completely peg one of our 10G connections in our main datacenter with folks syncing and downloading. Thanks to all the community who worked on things and I do hope you all enjoy it.

  Anubis rollout

  Last week I was testing anubis in staging, but this week I rolled it out to production in a number of places. The biggest win was pagure.io, which has been particularly hard hit by scrapers.

  Here's the load last week, can you tell when anubis was enabled?

  

  I then enabled things for a bunch of other sites of ours: koji, src, koschei, lists, etc.

  There's still 2 outstanding issues I know of:

  • Some folks have reported that it's giving them challenges all the time. I'm not sure why this would be happening, but hopefully we can track it down.

  • rss feeds on bodhi and badges aren't working anymore. I need to allow the rss feed paths that they use. In the mean time using a user-agent without Mozilla in it should work around that.

  So, hopefully that saves us a bunch of bandwith, cpu time, database cycles and more. Thanks anubis developers!

  Mailing list issue with gmail accounts

  Just a early heads up that we had a bit of an issue last night with the fedora devel list. As near as I can tell, my current theory is:

  • Some spam got through to the list. I'm still not 100% sure how it got though, but it was using <> and playing other weird tricks.

  • That spam had some bad archives attached to it.

  • gmail subscribers got those emails and then google decided to block lists.fedoraproject.org because of it.

  • lists.fedoraproject.org got the bounces from google and disabled a bunch (~340) users.

  I deleted the spam from archives and put in place some things on the list to hopefully ensure it doesn't allow such posts thru.

  Next week we will see if we can't re-enable all those users, provided google is accepting lists emails again.

  comments? additions? reactions?

  As always, comment on mastodon: https://fosstodon.org/@nirik/115237878042949636

September 19, 2025

• Ankur Sinha "FranciscoD" Zaphod is now on PyPi as zaphodtex

  A quick announcement post.

  I had written Zaphod several years ago. It is a python wrapper around LaTeXdiff that enables a Git workflow for generating diffs in LaTeX documents. A demonstration is in the initial announcement post. It lets you generate a diff, and it also lets you pick and choose what bits from the diff you want to incorporate. It does all of this using Git, so no work is every lost, and everything can be undone (or redone).

  I finally got around to publishing it on PyPi as a package. Unfortunately, the name, zaphod, was already taken, so I have published it as zaphodtex.

  So, you can now install it on your system directly using pip or uv:

  uv pip install zaphodtex
  

  It will also make it easier for people to use it in their projects, on GitHub Actions and so on.

September 18, 2025

• Fedora fans انتشار Fedora Linux 43 بتا

  

  پروژه فدورا با افتخار اعلام کرد که Fedora Linux 43 Beta منتشر شد. این نسخه، پر از ویژگی‌های تازه، بهبودهای سیستمی و تغییرات مهم است. نسخه بتا فرصتی عالی برای کاربران و توسعه‌دهندگان فراهم می‌کند تا قبل از انتشار نهایی، این سیستم‌عامل را آزمایش کنند و بازخورد بدهند. خلاصه مهم‌ترین تغییرات در Fedora 43 Beta […]

  The post انتشار Fedora Linux 43 بتا first appeared on طرفداران فدورا.

• Jeremy Cline Fedora Signing Update, September edition

  It’s been a while since my last update about content signing in Fedora, so I figured I should write one before the end of this month. While I’ve not been able to devote all my time to working on Siguldry, I have made enough progress I think it’s worth covering, and I also had the opportunity to chat with Miloslav Trmač, the original author of Sigul, about its design.

  History Lesson for Sigul

  In my post about various protocol tweaks I covered most of the changes I wanted to make to Sigul’s protocol and my reasons for doing so. A major theme of the changes was pushing more of the content-related “smarts” to the client. For example, in sigul, the server receives a container file and prepares a JSON document based off it to sign with GPG. In my proposed approach, the client should handle that and simply asks the server to sign the given document.

  Miloslav was able to provide me with some history on Sigul and why it pushes the responsibility of dealing with the content to the bridge and server, and I think it’s worth recording here. In the original design, signing didn’t happen automatically: a Fedora contributor would need to request a signature using the Sigul client. In this scenario, there are a lot more Sigul clients and they’re running on machines that Fedora infrastructure doesn’t manage. Thus, the bridge and server needed to make every effort to ensure clients didn’t request signatures for things they shouldn’t - this is why the bridge is able to integrate with the Fedora Account System, and why it also contacts Koji when RPM signatures are requested: it has every reason to expect the client to be malicious.

  These days, there’s only a few Sigul clients. Fedora’s infrastructure admins have management accounts, and the robosignatory service, which runs in Fedora’s infrastructure, also acts as a client. While we should be cautious in our design, the deployment is significantly different from Sigul’s original expectations so we can make different trade-offs.

  Siguldry Progress

  Back in July, I completed the protocol implementation. Since then, I’ve worked on actually doing things on top of it.

  Binding Keys to Hardware

  One feature I largely ignored in Sigul because it seemed complicated was its ability to encrypt signing keys using a combination of user-provided passwords and hardware (a Yubikey or TPM, for example). This means that if you were to obtain a copy of the Sigul database and you also managed to get the user’s password to access a signing key, you still wouldn’t be able to access the private keys without getting access to the signing machine’s TPM or a Yubikey that Fedora’s infrastructure team has access to.

  I have partially re-implemented this particular feature in Siguldry. I say partially because Sigul had a number of different ways to bind keys to hardware on both the server and client side, and I have opted to implement only what Fedora infrastructure currently uses. You can use any key accessible via PKCS #11 to encrypt signing keys in addition to user passwords. You can even use multiple keys, and any one key is enough to unlock things (so you can have a backup Yubikey or three).

  On the client side, the expectation is that user passwords and certificates will be bound to the TPM via systemd-credentials.

  The Server Supports PGP Signing

  I’ve implemented creating PGP keys as well as signing content with them. The interface supports detached signatures, the cleartext format you see, for example, with CHECKSUM files, and inline signatures.

  This covers all current PGP signature types used by Fedora. However, more work is needed on the client side to use this interface to sign RPMs. The client needs to extract the header from the RPM, have the server produce a detached signature, and then send that signature to Koji.

  The Server Supports RSASSA-PKCS1-v1_5 and ECDSA Signatures

  These are the signatures you get with openssl-dgst and related commands, and they’re used for Secure Boot signatures, container signatures with cosign, and IMA.

  What’s Next

  Siguldry now has all the primitive interfaces to implement signing in the client for various types of content (RPM, containers, git tags, etc). It’s now time to work on implementing those, figure out what server interfaces need changing, and then add a whole lot of polish: a comprehensive end-to-end test suite for all content types, API documentation, an admin guide, and a set of tools to migrate the Sigul database to Siguldry.

  Comments and Feedback

  Thoughts, comments, or feedback greatly welcomed on Mastodon

September 17, 2025

• Peter Czanik Nightly syslog-ng RPM packages for RHEL & Co.

  I have been providing syslog-ng users with weekly git snapshot RPM packages for almost a decade. From now on, RHEL & Co users can use nightly packages provided by the syslog-ng team, and from a lot less obscure location. As usual, these packages are for testing, not for production.

  Before you begin

  As you might recall from my blog at https://www.syslog-ng.com/community/b/blog/posts/rpm-packages-from-syslog-ng-git-head/, I provide regular syslog-ng git snapshot packages for Fedora, openSUSE and RHEL (and compatibles). I do most of my syslog-ng related work on Fedora, FreeBSD and openSUSE (alphabetical order :-) ).

  However, the vast majority of syslog-ng users actually run syslog-ng on RHEL and compatible operating systems. Because of this, I will keep updating my personal repositories, but most likely less often, as most users will receive regularly updated packages.

  So, what is supported in the new repository? RHEL 8, 9, and 10, together with compatible operating systems on x86_64 an Aarch64 (64bit ARM) architectures.

  Installing syslog-ng

  Prerequisites: Make sure that the EPEL (https://docs.fedoraproject.org/en-US/epel/) repository is enabled on your host.

  Download the repo file from https://ose-repo.syslog-ng.com/yum/syslog-ng-ose-nightly.repo and save it to the /etc/yum.repos.d/ directory.

  You are now ready to install syslog-ng:

  dnf install syslog-ng

  This will install the core syslog-ng, with minimal dependencies. You can list all the available syslog-ng sub-packages:

  dnf search syslog-ng

  Testing

  Unless you are testing on the day after release, you should see a syslog-ng version with a very long version number, including some letters at the end:

  [root@localhost ~]# syslog-ng -V
  syslog-ng 4 (4.9.0.113.g52b6201)
  Config version: 4.2
  Installer-Version: 4.9.0.113.g52b6201
  Revision:
  Compile-Date: Jul 16 2025 00:00:00
  [...]

  Note that the compile date can be older, if there were no commits to the syslog-ng sources on the previous day(s).

  Make sure that syslog-ng is up and running, and then send some test messages:

  [root@localhost ~]# systemctl restart syslog-ng
  [root@localhost ~]# logger bla
  [root@localhost ~]# tail /var/log/messages
  […]
  Sep  9 13:48:41 localhost.localdomain root[3025]: bla
  […]

  What is next?

  As already mentioned in the introduction, nightly packages are for testing new features and bug fixes. They are not intended for production purposes. Nonetheless, every commit in the syslog-ng code base goes through thousands of test cases, so you should be safe in most cases. If you still run into any trouble, do not hesitate to report the issue at https://github.com/syslog-ng/syslog-ng/issues.

  -

  If you have questions or comments related to syslog-ng, do not hesitate to contact us. You can reach us by email or even chat with us.

  For a list of possibilities, check our GitHub page under the “Community” section at https://github.com/syslog-ng/syslog-ng.

  On Twitter, I am available as @PCzanik, on Mastodon as @Pczanik@fosstodon.org.