Fedora is a Trademark of Red Hat, Inc, an operating system built by volunteers around the world. This page is provided so that independent volunteers can showcase our contributions to Fedora and Free Software in general. Official Fedora Download page.

RSS Atom

We Make Fedora

December 04, 2025

• Kiwi TCMS Who is using Kiwi TCMS in 2025

  

  With 2025 drawing to an end Kiwi TCMS is happy to share some highlights from our usage statistics. It is really insightful to see the myriad of organizations using Kiwi TCMS.

  Disclaimer: the information below was obtained via anonymous analytics and represents only instances of Kiwi TCMS which had recorded over 1000 events until 01 Dec 2025. We've used publicly available data in order to identify these organizations. Note that we don't keep track of individuals or IP addresses!

  Numbers at a glance

  • 14+ different versions deployed; most popular is v14.2
  • 37 different countries with active usage
  • 100+ different organizations with ongoing usage
  • 400-500 users/day; upwards monthly trend
  • ~200k total visits
  • ~3.5M pages served

  Argentina

  • Sistema de Información Universitaria

  Austria

  • ams OSRAM AG
  • Benteler - The family of driver professionals. Since 1876

  Belarus

  • Unic Lab

  Brazil

  • Cittamobi - Ônibus e Trilhos
  • E-Gestora - Sistemas e Solucões
  • Finnet - Conectando grandes empresas ao futuro financeiro
  • FPFtech - Transformando conhecimento em Inovação
  • Luna - A plataforma mais completa de meios de pagamento
  • Midas Solutions
  • NeoPath
  • openxsolutions.com.br
  • Pontotel - Plataforma de controle de ponto online

  Bulgaria

  • Platform Services - Integrated Project Management Platform
  • SiteGround - Web Hosting Perfected

  Canada

  • BeLOCUM - Pharmacy & Dental Staffing Solutions
  • DataFix - Election Modernization Experts
  • Minto Group - Building better places to live since 1955
  • NurseGPT - Revolutionize Nursing Home Charting with AI
  • Twisted Mountain Animation - Your Partners In Production

  China

  • InfiMotion - leader in electric drive unit solutions for electric and hybrid vehicles

  Estonia

  • Brokeree - Turnkey Tech Solutions for Retail Brokers

  France

  • Airbus Cybersecurity
  • e*Message - L'expert de l'alerte et des communications critiques

  Germany

  • CIB Group - Digitalisierung. Automatisierung. Künstliche Intelligenz
  • EAS Engineering Automation Systems GmbH - CPQ solution
  • Elatec RFID - Universal Access Control Solutions
  • Eventim - Buy Original Tickets for Concerts, Sports and More
  • NDR.de - Das Beste am Norden - Radio - Fernsehen - Nachrichten
  • OPTITOOL GmbH - optimize your business
  • OSRAM Licht AG
  • TQ-Group
  • UNITEDPRINT SE

  Hungary

  • Masterfield Training Centre
  • Multilogic - Innovatív megoldások az okosszervezetekért

  India

  • Bosshire - Matching Top Talent with Quality Jobs
  • CodeHall - Assembling code, Delivering Open Source success
  • Fintrens - Automated Algo Trading
  • Homeville Group - Financial technology and infrastructure company for housing finance ecosystem
  • Innogenio - Imagine Inspire Impact
  • Pratham Software (PSI) - Digital Product Engineering
  • Sprylogic Technologies Ltd.

  Indonesia

  • BluePay - a mobile payment platform
  • Eterno Global Technologies - Bring Intelligent Technology To Your Mine
  • FORSTOK - Omnichannel selling made easy
  • GOERS - Tickets, Events, Travel
  • PT Aneka Search Indonesia
  • TLab - Research & Development Company

  Ireland

  • Vryno - All-in-one CRM Solution Powered by Microsoft 365

  Israel

  • Cellact - Always connected
  • Uco software development

  Italy

  • Messagenet - Operatore telefonico per il business
  • Olivetti S.p.A. - Design meets Technology

  Japan

  • Communications Business Avenue, Inc. - leader in communication and contact center solutions
  • Fujisan Magazine Service Co.,Ltd. - largest online magazine bookstore
  • Nippon Computer Corporation

  Kazakhstan

  • Gamma Technologies
  • SmartPlayer - Digital Signage Platform

  Mexico

  • The Robox - Fully Autonomous Drone System

  Norway

  • Adresseavisen AS - regional newspaper
  • Pixii - technology partner for smart, modular and scalable battery based energy storage solutions

  Paraguay

  • Cast S.A. - Soluciones Móviles

  Poland

  • exa_22 - Mechatronika i systemy IoT
  • NetCorner - Innowacyjna platforma e-commerce dla Twojego biznesu
  • Fingoweb - Software Development Company

  Portugal

  • Bravantic - Evolving Technology

  Serbia

  • NITES - Smart Industry Solutions - Knowledge & Commitment

  Singapore

  • Bridgetek - high performance microcontroller units & display IC products
  • ChimeraTool - professional software for the mobile phone servicing industry
  • Kegmil - Simpler Smarter Field Service
  • WeesWares - Mobile app design and development studio

  Saudi Arabia

  • CALX Consulting - Saudi Management Consultancy

  South Africa

  • Michanic - South Africa's Top Mobile Mechanics

  Switzerland

  • Medelexis AG
  • MKS PAMP SA - state-of-the-art precious metals refinery

  The Netherlands

  • CleverEnable - technical foundation for mobile virtual network operators

  Turkey

  • Brandefense - All-in-One Digital Risk Protection Solution

  UK

  • AstraZeneca - Research-Based BioPharmaceutical Company
  • Hiiro - your personal running coach
  • Hyris - a tech-bio company
  • Tribe Payments - Payments technology for Fintechs, Banks and Acquirers

  USA

  • Accure AI - Enterprise Operational AI Hub
  • American Time - global manufacturer and distributor of synchronized time clocks and systems
  • Analog Devices - Mixed-signal and digital signal processing ICs
  • City Cheers - The Super App for the Hospitality Industry
  • Curiosity Stream - on demand video streaming service
  • DH2i - SQL Server HA Clustering & Software-Defined Perimeter
  • Dynamic Ratings - Responsive Asset Health Solutions
  • embedUR - Embedded Systems & Edge AI Experts
  • Lithero - AI Agents for Health & Life Sciences Marketers
  • Mobeats
  • Red Hawk Technologies - Custom Software Development and Services
  • Terragrit - virtualization engine for physical environments
  • Wind River - Safe, Secure, Reliable

  Academia & Education

  • Carnegie Mellon University - USA
  • Hochschule Konstanz - Germany
  • Leibniz University Hannover - Germany
  • Multimedia University - Malaysia's Leading Private University
  • Radboud University - the Netherlands
  • Sistema de Información Universitaria - Argentina
  • TH Köln - Germany
  • Wrocław University of Science and Technology - Poland

  Government

  • Bürokratt - virtual AI assistant by Information System Authority, Republic of Estonia
  • HM Revenue & Customs - UK's tax, payments and customs authority
  • Integrated Financial Management Information System - Government of Seychelles
  • Ministero dell'Economia e delle Finanze - Ministry of Economy and Finance - Italy
  • The Directorate General of Early Childhood Education, Primary Education and Secondary Education - Indonesia
  • Ukrposhta - Ukraine's national post

  Military & defense

  • Airbus Cybersecurity
  • U.S. Air Force - common computing environment
  • US Army Corps of Engineers - Hydrologic Engineering Center
  • U.S. Department of Defense - joint operations & support cloud environment

  ---

  If you like what we're doing and how Kiwi TCMS supports various communities please help us!

  • Give ⭐ on GitHub;
  • Join our newsletter and follow all project news;
  • Become a contributor and an awesome open source hacker;
  • Become a subscriber and help us sustain development

• Andreas Schneider CMocka 2.0 Released: Enhancing Unit Testing in C

  

  I am thrilled to announce the release of cmocka 2.0, a milestone for the cmocka project.

  cmocka is a unit testing framework for C, designed to be simple, portable, and easy to use. It provides a straightforward API for writing and running tests, making it an excellent choice for developers who need to ensure the reliability and correctness of their C code.

  A Brief History of cmocka

  cmocka began its journey in 2011 as a successor to Google’s cmockery. I first tried to get in contact with the developers as several bugs which have been fixed started to bitrot in their bug track. I started to fix those issues first and then address many of its limitations while maintaining the philosophy of simplicity. Since then, it has grown to become a widely-used testing framework in the C ecosystem, powering test suites for numerous closed and open-source projects.

  It’s important to note that cmocka is a spare-time project. As such, things sometimes move slower than I’d like, but I try to remain committed to deliver solid, reliable releases.

  What’s New in 2.0?

  This release represents a major modernization effort, bringing cmocka firmly into the “modern” C99 era while maintaining the simplicity and ease of use that users have come to expect.

  One of the most significant changes in cmocka 2.0 is the migration to C99 standard integer types. The LargestIntegralType typedef has been replaced with intmax_t and uintmax_t from stdint.h, providing better type safety and portability across different platforms. Additionally, we’ve adopted the bool type where appropriate, making the code more expressive and self-documenting.

  Using intmax_t and uintmax_t also allows to print better error messages. So you can now find e.g. assert_int_equal and assert_uint_equal.

  cmocka 2.0 introduces a comprehensive set of type-specific assertion macros, including `assert_uint_equal()`, `assert_float_equal()`, and enhanced pointer assertions. The mocking system has also been significantly improved with type-specific macros like `will_return_int()` and `will_return_float()`. The same for parameter checking etc.

  Modern Output Formats

  The framework now supports TAP 14 (Test Anything Protocol) with YAML diagnostics, making it easier to integrate with modern CI/CD pipelines and test result analyzers. cmocka 2.0 also supports multiple simultaneous output formats, giving you flexibility in how you consume test results.

  Build System Improvements

  In addition to the existing CMake support, cmocka 2.0 now includes Meson build system integration, catering to projects using modern build tools.

  API Stability

  While cmocka 2.0 includes many improvements and changes, we’ve maintained API stability to ensure a smooth upgrade path for existing users. The ABI (Application Binary Interface) has changed, but this isn’t a concern for a unit testing library since tests are typically recompiled with each build. Your existing test code should continue to work with minimal or no modifications.

  In case you find any issues you can report a bug here.

  Thanks

  I would like to thank all the contributors who’ve helped make this release possible, whether through code contributions, bug reports, documentation improvements, or simply using cmocka in their projects.

  Get Started

  You can download cmocka 2.0 from cmocka.org or install it through your distribution’s package manager. Full API documentation is available here. The complete changelog can be found here.

  Happy testing!

December 03, 2025

• Felipe Borges One Project Selected for the December 2025 Outreachy Cohort with GNOME!

  We are happy to announce that the GNOME Foundation is sponsoring an Outreachy project for the December 2025 Outreachy cohort.

  Outreachy provides internships to people subject to systemic bias and impacted by underrepresentation in the tech industry where they are living.

  Let’s welcome Malika Asman! Malika will be working with Lucas Baudin on improving document signing in Papers, our document viewer.

  The new contributor will soon get their blogs added to Planet GNOME making it easy for the GNOME community to get to know them and the projects that they will be working on. We would like to also thank our mentor, Lucas  for supporting Outreachy and helping new contributors enter our project.

  If you have any questions, feel free to reply to this Discourse topic or message us privately at soc-admins@gnome.org.

December 02, 2025

• Jon Chiappetta Year End Summary – OpenVPN Modifications in a Screen Cap – Sometimes Lines of Code Removed is a Better Metric!

  I’ve spent a few number of months ironing out some remaining edge cases and code paths to get this highly modified version of OpenVPN to work as stable as I intended it to. It’s basically a lighter-weight TCP-protocol focused-version of OVPN with a number of extra huge unused libraries removed, including WIN32, which I never have run anything on for the last few decades at least now. The summary of all the modifications I made comes out to roughly 3,000 lines added and over 25,000 lines of code removed! I did not remove the UDP library or protocol files from it since that was the OG VPN protocol and it doesn’t really get in the way of things, I may just leave it be anyway.

  Warning: This is a really long screen capture to scroll through!

  

  ~

• Fedora Community Blog Test Day:2025-12-02 FreeIPA-WebUI Test Day

  FreeIPA Web UI Test Week

  The FreeIPA WebUI became new interface for freeipa

  How to Participate during testday

  1. Test the WebUI – Follow the installation instructions on the Test Day wiki page
  2. Explore and experiment – Try different features and workflows
  3. Share your thoughts here – Post your comments, ideas, and UX findings in this discussion
  4. File bugs – If you encounter actual bugs, please file them in the upstream bug tracker

  The post Test Day:2025-12-02 FreeIPA-WebUI Test Day appeared first on Fedora Community Blog.

December 01, 2025

• Fedora fans آموزش کودکان با نرم افزار GCompris

  

  نرم‌افزار GCompris یک مجموعه‌ی آموزشی با کیفیت بالا برای کودکان بین ۲ تا ۱۰ سال است. این مجموعه شامل بیش از صد فعالیت متنوع است که در زمینه‌های مختلف آموزش به کودکان طراحی شده‌اند. نام «GCompris» در زبان فرانسوی به نوعی بازی با عبارت «جِ ‌کامپری» (“J’ai compris” به معنی «فهمیدم») است. این نرم‌افزار به […]

  The post آموزش کودکان با نرم افزار GCompris first appeared on طرفداران فدورا.

• Copr Migrating Copr results to Pulp

  Over the last year, the Copr team has put a lot of effort into supporting Pulp as a storage for Copr build results. It is now time to realize the investment.

  Status Quo

  At this very moment, Copr hosts ~35k projects from ~8k Fedora users. The data consumption sits around ~37TB with only ~3TB of free disk space. With a very few exceptions, everything is stored in our “Copr backend” storage.

  Our current storage is a RAID array of block devices with the Ext4 filesystem. For various reasons, AWS block devices larger than 16TB are either hard to maintain or expensive. We plan to solve this problem by migrating to an S3 object storage and Pulp, which is a mature and durable-by-default solution for managing software repositories.

  We have already migrated all Copr team projects to Pulp to dogfood the integration on ourselves, and we have already migrated one large project to avoid running out of disk space.

  The Goal

  Our goal is to stop using the current “Copr backend” storage for all new projects and migrate all existing project results to Pulp.

  Impact On Users

  • No change to your workflows should be needed.
  • Copr repositories enabled on user machines should continue working.
  • While your projects are being migrated, all your builds and actions will be stuck in the “pending” state until the migration is finished.
  • After the migration of your projects is finished, you shouldn’t notice any difference from the status quo.
  • For technical reasons, we won’t notify users directly that their projects are about to be migrated. Please see the Pulp Migration Schedule to get a rough estimate of when you could be affected.
  • Every user should be affected for at most 24 hours.

  To summarize, the change should be transparent to you, there are no UI/UX changes, and your builds may be paused while your project is being migrated.

  Our Plan

  For a detailed, step-by-step plan with dates and tracked progress, please see the Pulp Migration Schedule. Roughly, the plan is as follows:

  1. Set the default storage for all new Packit projects to Pulp.
  2. Set the default storage for all new projects to Pulp.
  3. Migrate large projects (17 projects that are 100GB+).
  4. Migrate all projects with a few exceptions.
     • Migration will be done in alphabetical order by owner name.
     • Exceptions: Packit projects, @rubygems/rubygems, @copr/PyPI, and @copr/PyPI3.
  5. Migrate everything that remains.

  Contact

  If you have any questions or worries regarding our migration of data to Pulp, please let us know:

  • #buildsys:fedoraproject.org
  • copr-devel mailing list
  • https://github.com/fedora-copr/copr/discussions

November 29, 2025

• Kevin Fenzi coming up: december of docs

  I keep not having time to work on documentation, and it's so very important, so in an effort to see what progress I can make I am going to try and submit / merge at least one doc pull-request or close / comment on at least one docs ticket every day in december.

  I'm going to concentrate on the infrastructure docs of course, but I might branch out into other areas where I could help.

  When we moved our docs over to https://pagure.io/infra-docs-fpo/ we also created tickets to review all our standard operating procedures, and I can definitely work on cutting those down.

  I also might miss some days, but then again I might do more on some other days, but I am going to try and do something every day in december. The most challenging days are likely to be in the next few weeks before the holdays as I am trying to get a datacenter move done and finish things up.

  I'm just doing this myself, but if others would like to join in feel free to do so! I'd also love to have folks reviewing the pr's I submit also.

  Should be fun!

  Comments/replies:

  https://fosstodon.org/@nirik/115634308295278960

• ! Avi Alkalay ¡ Small System Monitoring Script

  Here is a short shell script to show last logins from SSH, XRDP, SUDO and Cockpit. In addition it show potential disk problems from S.M.A.R.T.

  #!/bin/sh
  
  default_since='-1days'
  default_priority=info
  
  read -r -d "" data << END_OF_DATA
  System login         ^ systemd-logind          ^ info  ^         ^ New session 
  XRDP                 ^ xrdp-sesman             ^ debug ^ -5days  ^ logged in|Received system login request
  Cockpit login        ^ cockpit-session         ^       ^         ^ session opened
  SUDO                 ^ sudo                    ^       ^         ^ session opened
  Storage problems     ^ smartd                  ^       ^ -1days  ^ uncorrectable|unreadable
  END_OF_DATA
  
  trim() {
      local s="$*"
      
      # remove leading whitespace
      s="${s#"${s%%[![:space:]]*}"}"
      
      # remove trailing whitespace
      s="${s%"${s##*[![:space:]]}"}"
      
      printf '%s' "$s"
  }
  
  IFS="^"
  echo "$data" | while read title slid priority since grep; do
  	effective_since=$default_since
  	effective_priority=$default_priority
  	
  	[[ -n "$(trim $since)" ]] && effective_since="$(trim $since)"
  	[[ -n "$(trim $priority)" ]] && effective_priority="$(trim $priority)"
  
  	echo "$(trim $title)"
  	journalctl \
  		--no-pager \
  		--no-tail \
  		--since $effective_since \
  		--priority $effective_priority \
  		--reverse \
  		--grep "$(trim $grep)" \
  		-- SYSLOG_IDENTIFIER="$(trim $slid)"
  
  	echo; echo
  done

  I made it with the help of Cockpit Logs feature that shows the actual command being executed based on how you configure it.

  The most important part of the script is the journalctl command. Everything else are defaults, the list of desired syslog identifiers and what to extract from them, and output formatting.

November 27, 2025

• Fedora fans نسخه راکی لینوکس ۱۰.۱ منتشر شد

  

  پروژه Rocky Linux نسخه پایدار Rocky Linux 10.1 را منتشر کرد. تمام ایمیج‌ها شامل نسخه‌های نصب، لایو، کانتینر، ابری و مخصوص بردهای توسعه هم‌اکنون به‌روزرسانی شده و قابل دانلود هستند. در ادامه مهمترین تغییرات و امکانات جدید در راکی لینوکس ۱۰.۱ را بررسی می کنیم. راه‌اندازی سریع‌تر بدون ریبوت کامل (Soft Reboot) در این نسخه […]

  The post نسخه راکی لینوکس ۱۰.۱ منتشر شد first appeared on طرفداران فدورا.

November 25, 2025

• Fedora Community Blog End of OpenID in Fedora

  It’s finally here. We have an end date for OpenID in Fedora. The date is 1st May 2026. You can see it on the banner on https://id.fedoraproject.org/openid and it will be shown to you every time when trying to authenticate with OpenID. The date 1st May 2026 should give anybody still using OpenID authentication enough time to migrate to OpenID Connect.

  We started our move to OpenID Connect and away from old OpenID authentication 4 years ago. This was a long road with plenty of obstacles on the way. We first ported all apps we own in Fedora Infrastructure to OpenID Connect. That took time, but we had at least control over these applications.

  After porting all our applications we started to look at the application using OpenID authentication outside of Fedora ecosystem. This proved to be really difficult as those clients don’t need to register with Fedora Authentication System.

  After some failures to contact the projects that we at least identified to use OpenID in Fedora, we decided that the best course of option is to separate the OpenID authentication system (the service that is providing it is called Ipsilon, which we want to decommission as well). I spent the last two months working on separating the OpenID authentication from OpenID Connect and SAML2. You can see the result on https://id.fedoraproject.org/openid.

  This will now allow us to replace Ipsilon for both OpenID Connect and SAML2 and as most of the separation logic is in proxies, we should have no issue to reuse that for the new solution. This should resolve plenty of issues we are experiencing with current authentication system and let us remove one service from the portfolio of services we own in Fedora Infrastructure. We are looking forward to brighter future!

  The post End of OpenID in Fedora appeared first on Fedora Community Blog.

November 24, 2025

• Fedora fans معرفی و استفاده از Podman – بخش ۱

  

  Podman (مخفف pod manager) یک ابزار متن‌باز (open source) برای توسعه، مدیریت و اجرای کانتینرهاست. این ابزار توسط مهندسان ردهت (Red Hat) با همکاری جامعه open-source ساخته شده و با استفاده از کتابخانه libpod کل اکوسیستم کانتینر را مدیریت می‌کند. معماری Podman به‌گونه‌ای طراحی شده که بدون دیمن (daemonless) باشد و همین‌ موضوع امنیت را […]

  The post معرفی و استفاده از Podman – بخش ۱ first appeared on طرفداران فدورا.

• Gary Benson Slow boot?

  Does your Linux box take forever to boot? The command you’re looking for is systemd-analyze blame

• Bodhi 25.11.2

  Released on 2025-11-23.
  This is a bugfix release.

  Bug fixes

  • When expiring an override don't require candidate or testing build tags (#5937).
  • bodhi-server: refine logic to avoid stuck side-tag updates for releases not composed by bodhi (#5989).
  • bodhi-server: skip updating the gating status if the current status is 'waiting', and the message we're handling is for a QUEUED or RUNNING result (#6000).
  • bodhi-server: gating status should be correctly updated to 'waiting' when all failed tests on an update are restarted. (#6001).

  Other changes

  • server: usage of os.scandir() instead of os.listdir() in clean_old_composes task should give better performance (#5999).

  Contributors

  The following developers contributed to this release of Bodhi:

  • Adam Williamson
  • Mattia Verga

• Dave Airlie fedora 43: bad mesa update oopsie

  F43 picked up the two patches I created to fix a bunch of deadlocks on laptops reported in my previous blog posting. Turns out Vulkan layers have a subtle thing I missed, and I removed a line from the device select layer that would only matter if you have another layer, which happens under steam.

  The fedora update process caught this, but it still got published which was a mistake, need to probably give changes like this more karma thresholds.

  I've released a new update https://bodhi.fedoraproject.org/updates/FEDORA-2025-2f4ba7cd17 that hopefully fixes this. I'll keep an eye on the karma. 

November 23, 2025

• Kevin Fenzi blogiversery: 22 years

  Just a quick post to note my blogiversery.

  22 years ago in 2003 I posted my first entry here.

  Back then I was running a very new version of something called wordpress, then switched to wordpress-mu, then back to wordpress when multiuser came back into core wordpress and then finally to nikola.

  It may be that blogs are out of vouge these days, but I still find them nice for longer thoughts that seem way too busy for social media.

November 22, 2025

• Kevin Fenzi infra weeksly recap: Late November 2025

  

  Another busy week in fedora infrastructure. Here's my attempt at a recap of the more interesting items.

  Inscrutable vHMC

  We have a vHMC vm. This is a virtual Hardware Management Console for our power10 servers. You need one of these to do anything reasonably complex on the servers. I had initially set it up on one of our virthosts just as a qemu raw image, since thats the way the appliance is shipped. But that was making the root filesystem on that server be close to full, so I moved it to a logical volume like all our other vm's. However, after I did that, it started getting high packet loss talking to the servers. Nothing at all should have changed network wise, and indeed, it was the only thing seeing this problem. The virthost, all the other vm's on it, they were all fine. I rebooted it a bunch, tried changing things with no luck.

  Then, we had our mass update/reboot outage thursday. After rebooting that virthost, everything was back to normal with the vHMC. Very strange. I hate problems that just go away where you don't know what actually caused them, but at least for now the vHMC is back to normal.

  Mass update/reboot cycle

  We did a mass update/reboot cycle this last week. We wanted to:

  • Update all the RHEL9 instances to 9.7 which just came out

  • Update all the RHEL10 instances to 10.1 which just came out.

  • Update all the fedora builders from f42 to f43

  • Update all our proxies from f42 to f43

  • Update a few other fedora instances from f42 to f43

  This overall went pretty smoothly and everything should be updated and working now. Please do file an issue if you see anything amiss (as always).

  AI Scrapers / DDoSers

  The new anubis is working I think quite well to keep the ai scrapers at bay now. It is causing some problems for some clients however. It's more likely to find a client that has no user-agent or accept header might be a bot. So, if you are running some client that hits our infra and are seeing anubis challenges, you should adjust your client to send a user-agent and accept header and see if that gets you working again.

  The last thing we are seeing thats still anoying is something I thought was ai scraping, but now I am not sure the motivation of it, but here's what I am seeing:

  • LOTS of requests from a large amount of ip's

  • fetching the same files

  • all under forks/$someuser/$popularpackage/ (so forks/kevin/kernel or the like)

  • passing anubis challenges

  My guess is that these may be some browser add on/botnet where they don't care about the challenge, but why fetch the same commit 400 times? Why hit the same forked project for millions of hits over 8 or so hours?

  If this is a scraper, it's a very unfit one, gathering the same content over and over and never moving on. Perhaps it's just broken and looping?

  In any case currently the fix seems to be just to block requests to those forks, but of course that means the user who's fork it is cannot access them. ;( Will try and come up with a better solution.

  RDU2-CC to RDU3 move

  This datacenter move is still planned to happen. :) I was waiting for a new machine to migrate things to, but it's stuck in process, so instead I just repurposed for now a older server that we still had around. I've setup a new stg.pagure.io on it and copied all the staging data to it, it seems to be working as expected, but I haven't moved it in dns yet.

  I then setup a new pagure.io there and am copying data to it now.

  The current plan if all goes well is to have an outage and move pagure.io over on december 3rd.

  Then, on December 8th, the rest of our RDU2-CC hardware will be powered off and moved. The rest of the items we have there shouldn't be very impactful to users and contributors. download-cc-rdu01 will be down, but we have a bunch of other download servers. Some proxies will be down, but we have a bunch of other proxy servers. After stuff comes back up on the 8th or 9th we will bring things back on line.

  US Thanksgiving

  Next week is the US Thanksgiving holiday (on thursday). We get thursday and friday as holidays at Red Hat, and I am taking the rest of the week off too. So, I might be around some in community spaces, but will not be attending any meetings or doing things I don't want to.

  comments? additions? reactions?

  As always, comment on mastodon: https://fosstodon.org/@nirik/115595437083693195

• Jon Chiappetta Secure VPN DNS Service – Forwarding/Proxying/Caching/Ciphering – Python

  Since I am running a network-wide VPN tunnel on behalf of the clients on the network, any plaintext UDP based DNS packets would be protected from your ISP seeing them, however, the VPN servers ISP would still be able to see them all. I decided to write a new Python DNS server which will listen on the VPN client side and redirect all plaintext UDP DNS traffic to it locally instead. It will then create a TCP SSL connection to a DNS server through the VPN tunnel and perform the query via DNS-over-TLS as a replacement. The answer and response can also then be cached which will help to reduce the amount of UDP DNS packets being sent over the VPN tunnel as well!

  Source Code: https://github.com/stoops/xfer/blob/main/fdns.py

  

  ~

November 21, 2025

• Fedora Community Blog Community Update – Week 47

  This is a report created by CLE Team, which is a team containing community members working in various Fedora groups for example Infratructure, Release Engineering, Quality etc. This team is also moving forward some initiatives inside Fedora project.

  Week: 17 November – 21 November 2025

  Fedora Infrastructure

  This team is taking care of day to day business regarding Fedora Infrastructure.
  It’s responsible for services running in Fedora infrastructure.
  Ticket tracker

  • The intermittent 503 timeout issues plaguing the infra appear to finally be resolved, kudos to Kevin and the Networking team for tracking it down.
  • The Power10 hosts which caused the outage last week are now installed and ready for use.
  • Crashlooping OCP worker caused issues with log01 disk space
  • Monitoring migration to Zabbix is moving along, with discussions of when to make it “official”.
  • AI scrapers continue to cause significant load. A change has been made to bring some of the hits to src.fpo under the Varnish cache, which may help.
  • Update/reboot cycle planned for this week.

  CentOS Infra including CentOS CI

  This team is taking care of day to day business regarding CentOS Infrastructure and CentOS Stream Infrastructure.
  It’s responsible for services running in CentOS Infratrusture and CentOS Stream.
  CentOS ticket tracker
  CentOS Stream ticket tracker

  • HDD issue on internal storage server for CentOS Stream build infra
  • Update Kmods SIG Tags (remove EPEL)
  • cbs signing queue stuck
  • Verify postfix spam checks
  • Deploy new x86_64/aarch64 koji builders for CBS
  • Prepare new signing host for cbs in RDU3
  • https://cbs.centos.org is now fully live from RDU3 (DC-move) : kojihub/builders in rdu3 and/or remote AWS VPC isolated network, and also signing/releng process

  Release Engineering

  This team is taking care of day to day business regarding Fedora releases.
  It’s responsible for releases, retirement process of packages and package builds.
  Ticket tracker

  • EPEL 10.1 ppc64le buildroot broken
  • Transfer device-mapper-multipath ownership to real person
  • Transfer repo ownership to real person
  • fcitx5-qt update didn’t get to updates repository
  • Fedora 43 branch for pgbouncer stuck
  • Help with rebuilds
  • Follow up on Packages owned by invalid users fesco#3475

  RISC-V

  • F43 RISC-V rebuild status: the delta for F43 RISC-V is still about ~2.5K packages compared to F43 primary. Current plan: once we hit ~2K package delta, we’ll start focusing on the quality of the rebuild and fix whatever important stuff that needs fixing. (Here is the last interim update to the community.)
  • Community highlight: David Abdurachmanov (Rivos Inc) has been doing excellent work on Fedora 43 rebuild, doing a lot of heavy-lifting. He also provides quite some personal hardware for Koji rebuilders.

  Forgejo

  Updates of the team responsible for Fedora Forge deployment and customization.
  Ticket tracker

  • Redirects for attachments retention during repository migration [A] [B] [C] [D]
  • Fedora -> Forgejo talk for Fedora 43 release party has been recorded
  • Valkey self managed cluster deployed for Forgejo caching on staging – prod next
  • Private issues – Analysis on database schema, access protection, API layer
  • Forgejo support for Konflux explored -Weighed in on Konflux roadmap meeting
  • Action runners – cleanup for finished runners and workaround for service routes, demo of declarativeness recorded
  • Migration request for Commops SIG, Cloud SIG and AI/ML SIG completed
  • Fixes for user creation issue upstreamed, fixed Anubis problem in the production

  List of new releases of apps maintained by I&R Team

  Minor update of FMN from 3.3.0 to 3.4.0
  Minor update of FASJSON from 1.6.0 to 1.7.0
  Minor update of Noggin from 1.10.0 to 1.11.0

  If you have any questions or feedback, please respond to this report or contact us on #admin:fedoraproject.org channel on matrix.

  The post Community Update – Week 47 appeared first on Fedora Community Blog.

• Remi Collet 💎 PHP version 8.5 is released!

  RC5 was GOLD, so version 8.5.0 GA was just released, at the planned date.

  A great thanks to Volker Dusch, Daniel Scherzer and Pierrick Charron, our Release Managers, to all developers who have contributed to this new, long-awaited version of PHP, and to all testers of the RC versions who have allowed us to deliver a good-quality version.

  RPMs are available in the php:remi-8.5 module for Fedora and Enterprise Linux ≥ 8 and as Software Collection in the remi-safe repository.

  Read the PHP 8.5.0 Release Announcement and its Addendum for new features and detailed description.

  For memory, this is the result of 6 months of work for me to provide these packages, starting in July for Software Collections of alpha versions, in September for module streams of RC versions, and also a lot of work on extensions to provide a mostly full PHP 8.5 stack.

  Installation: read the Repository configuration and choose installation mode, or follow the Configuration Wizard instructions.

  Replacement of default PHP by version 8.5 installation (simplest):

  Fedora (dnf 5):

  dnf install https://rpms.remirepo.net/enterprise/remi-release-$(rpm -E %fedora).rpm
  dnf module reset php
  dnf module enable php:remi-8.5
  dnf install php

  Enterprise Linux (dnf 4):

  dnf install https://rpms.remirepo.net/enterprise/remi-release-$(rpm -E %rhel).rpm
  dnf module switch-to php:remi-8.5/common

  Parallel installation of version 8.5 as Software Collection (recommended for tests):

  yum install php85

  To be noticed :

  • EL-10 RPMs are built using RHEL-10.0
  • EL-9 RPMs are built using RHEL-9.6
  • EL-8 RPMs are built using RHEL-8.10
  • This version will also be the default version in Fedora 44
  • Many extensions are already available, see the PECL extension RPM status page.

  Information, read:

  • PHP 8.5 Released!
  • Migrating from PHP 8.4.x to PHP 8.5.x
  • UPGRADING
  • UPGRADING.INTERNALS

  Base packages (php)
  

  Software Collections (php85)
  

November 20, 2025

• Remi Collet ⚙️ PHP version 8.3.28 and 8.4.15

  RPMs of PHP version 8.4.15 are available in the remi-modular repository for Fedora ≥ 41 and Enterprise Linux ≥ 8 (RHEL, Alma, CentOS, Rocky...).

  RPMs of PHP version 8.3.28 are available in the remi-modular repository for Fedora ≥ 41 and Enterprise Linux ≥ 8 (RHEL, Alma, CentOS, Rocky...).

  ℹ� The packages are available for x86_64 and aarch64.

  ℹï¸� There is no security fix this month, so no update for versions 8.1.33 and 8.2.29.

  These versions are also available as Software Collections in the remi-safe repository.

  âš ï¸� These versions introduce a regression in MySQL connection when using an IPv6 address enclosed in square brackets. See the report #20528. A fix is under review and will be released soon.

  Version announcements:

  • PHP 8.4.15 Release Annoucement
  • PHP 8.3.28 Release Annoucement

  ℹ� Installation: use the Configuration Wizard and choose your version and installation mode.

  Replacement of default PHP by version 8.4 installation (simplest):

  dnf module switch-to php:remi-8.4/common
  

  Parallel installation of version 8.4 as Software Collection

  yum install php84

  Replacement of default PHP by version 8.3 installation (simplest):

  dnf module switch-to php:remi-8.3/common
  

  Parallel installation of version 8.3 as Software Collection

  yum install php83

  And soon in the official updates:

  • Fedora Rawhide now has PHP version 8.5.0
  • Fedora 43 - PHP 8.4.15
  • Fedora 42 - PHP 8.4.15

  ⚠� To be noticed :

  • EL-10 RPMs are built using RHEL-10.0 (next build will use 10.1)
  • EL-9 RPMs are built using RHEL-9.6 (next build will use 9.7)
  • EL-8 RPMs are built using RHEL-8.10
  • intl extension now uses libicu74 (version 74.2)
  • mbstring extension (EL builds) now uses oniguruma5php (version 6.9.10, instead of the outdated system library)
  • oci8 extension now uses the RPM of Oracle Instant Client version 23.8 on x86_64 and aarch64
  • a lot of extensions are also available; see the PHP extensions RPM status (from PECL and other sources) page

  ℹ� Information:

  • Migrating from PHP 8.2.x to PHP 8.3.x
  • Migrating from PHP 8.3.x to PHP 8.4.x

  Base packages (php)

  

  

  Software Collections (php83 / php84)

  

  

• Fedora Community Blog A statement concerning the Fedora and Flathub relationship from the FPL

  Hi,
  I’m Jef, the Fedora Project Leader.
  
  As FPL I believe Fedora needs to be part of a healthy flatpak ecosystem.  I’d like to share my journey in working towards that over the last few months with you all, and include some of the insights that I’ve gained. I hope by sharing this with you it will encourage those who share my belief to join with me in the journey to take us to a better future for Fedora and the entire ecosystem.
  

  The immediate goal

  First, my immediate goal is to get the Fedora ChangeProposal that was submitted to make Flathub the default remote for some of the Atomic desktops accepted on reproposal. I believe implementing the idea expressed in that ChangeProposal is the best available option for the Atomic desktops that help us down the path I want to see us walking together. 

  There seems to be wide appeal from both the maintainers of specific Fedora outputs, and the subset of Fedora users of those desktop outputs, that using Flathub is the best tradeoff available for the defaults.  I am explicitly not in favor of shuttering the Fedora flatpaks, but I do see value in changing the default remote, where it is reasonable and desirable to do so. I continue to be sensitive to the idea that Fedora Flatpaks can exist because it is delivering value to a subset of users, even when it’s not the default remote but still targeting an overlapping set of applications serving different use cases. I don’t view this as a zero-sum situation; the important discussion right now is about what the defaults should be for specific Fedora outputs.  

  What I did this summer

  There is a history of change proposals being tabled and then coming back in the next cycle after some of the technical concerns were addressed.  There is nothing precedent-setting in how the Fedora Engineering Steering Committee handled this situation. Part of getting to the immediate goal, from my point of view, was doing the due diligence on some of the concerns raised in the FESCo discussion leading to the decision to table the proposal in the last release. So in an effort to get things in shape for a successful outcome for the reproposal, I took it on myself to do some of the work to understand the technical concerns around the corresponding source requirements of the GPL and LGPL licenses.

  I felt like we were making some good progress in the Fedora discussion forums back in July. In particular, Timothee was a great help and wrote up an entirely new document on how to get corresponding sources for applications built in flathub’s infrastructure.  That discussion and the resulting documentation output showed great progress in bringing the signal to noise ratio up and addressing the concerns raised in the FESCo discussion.  In fact, this was a critical part of the talk I gave at GUADEC.  People came up to me after that talk and said they weren’t aware of that extension that Timothee documented. We were making some really great progress out in the open and setting a stage for a successful reproposal in the next Fedora cycle.
  
  Okay, that’s all context intended to help you, dear reader, understand where my head is at. Hopefully we can all agree my efforts were aligned with the goal leading up to late July.   The next part gets a bit harder to talk about, and involves a discussion of communication fumbles, which is not a fun topic. 

  The last 3 months

  Unfortunately, at GUADEC I found a different problem, one I wasn’t expecting to find. Luckily, I was able to communicate face to face with people involved and they confirmed my findings, committed on the spot to get it fixed, and we had a discussion on how to proceed. This started an embargo period where I couldn’t participate in the public narrative work in the community I lead. That embargo ended up being nearly 3 months. I don’t think any of us who spoke in person that day at GUADEC had any expectation that the embargo would last so long.
  
  Through all of this, I was in communication with Rob McQueen, VP of the Gnome Foundation, and one of the Flathub founders, checking in periodically on when it was reasonable for me to start talking publicly again. It seems that the people involved in resolving the issues took it so seriously that they not only addressed the deficiencies I found -missing files- but committed to creating significant tooling changes to help prevent it from happening again. Some characterized that work as “busting their asses.” That’s great, especially considering much of that work is probably volunteer effort. Taking the initiative to solve not just the immediate problem, but building tooling to help prevent it is a fantastic commitment, and in line with what I would expect from the volunteers in the Fedora community itself.  We’re more aligned than we realize I think.
  
  What I’ve learned from this is there’s a balance with regard to embargos that must be struck. Thinking about it, we might have been better served if we had agreed to scope the embargo at the outset and then adjusted later with a discussion on extending the time further, that also gave me visibility into why it was taking additional time. It’s one of the ideas I’d like to talk to people about to help ensure this is handled better in the future.  There are opportunities to do the sensitive communications a bit better in the future, and I hope in the weeks ahead to talk with people about some ideas on that.
  
  Now with the embargo lifted, I’ve resumed working towards a successful change reproposal. I’ve restarted my investigation of corresponding source availability for the runtimes. We lost 3 months to the embargo, but I think there is still work to be done.  Already, in the past couple of weeks, I’ve had one face to face discussion with a FESCo member, specifically about putting a reproposal together, and got useful feedback on the approach to that.
  
  So that’s where we are at now.  What’s next?

  The future

  I am still working on understanding how source availability works for the Flathub runtimes.  I think there is a documentation gap here, like there was for the flatpak-builder sources extension.  My ask to the Fedora community, particularly those motivated to find paths forward for Flathub as the default choice for bootc based Fedora desktops, is to join me in clarifying how source availability for the critical FLOSS runtimes works so we can help Flathub by contributing documentation that all Flathub users can find and make use of.
  
  Like I said in my GUADEC talk, having a coherent (but not perfect) understanding of how Fedora users can get the flatpak corresponding sources and make local patched builds is important to me to figure out as we walk towards a future where Flathub is the default remote for Fedora.  We have to get to a future where application developers can look at the entire linux ecosystem as one target. I think this is part of what takes the Linux desktop to the next level. But we need to do it in a way that ensures that end users have access to all the necessary source code to stay in control of their FLOSS software consumption. Ensuring users have the ability to patch and build software for themselves is vital, even if it’s never something the vast majority of users will need to do.  Hopefully, we’re just a couple more documents away from telling that story adequately for Flathub flatpaks.

  I’ve found that some of the most contentious discussions can be with people with whom you actually have a significant amount of agreement. Back in graduate school, when my officemate and I would talk about anything we both felt well-informed about and were in high agreement on: politics, comic books, science, whatever it was.. we’d get into some of the craziest, heated arguments about our small differences of opinion, which were minor in comparison to how much we agreed on. And it was never about needing to be right at the expense of the other person. It was never about him proving me wrong or me proving him wrong. It was because we really deeply wanted to be even more closely aligned. After all, we valued each other’s opinions.  It’s weird to think about how much energy we spent doing that. And I get some of the same feeling that this is what’s going on now around flatpaks. Sometimes we just need to take a second and value the alignment we do have.  I think there’s a lot to value right now in the Fedora and Flathub relationship, and I’m committed to find ways both communities can add value to each other as we walk into the future.

  The post A statement concerning the Fedora and Flathub relationship from the FPL appeared first on Fedora Community Blog.

November 18, 2025

• nmilosev TPU Monitoring in MLFlow Part 2

  As promised, this is a follow up post with a cleaner way to track Google’s TPU performance in MLFlow while training your models.

  This will spawn a background process (not thread, jaxlib didn’t like that) that will periodically send to the MLFlow Tracking server the relevant TPU information.

  import multiprocessing
  import mlflow
  
  class TPUMonitoring(multiprocessing.Process):
      def __init__(self, run_id, sampling_interval_seconds=1):
          super().__init__()
          self.run_id = run_id
          self.sampling_interval = sampling_interval_seconds
          self._stop_event = multiprocessing.Event()
          self.client = mlflow.client.MlflowClient()
  
      def log_tpu_mlflow(self, step):
          chip_type, _, data = self.tpu_system_metrics()
          for tpu in data:
              for metric, val in tpu.items():
                  if metric != "device_id":
                      self.client.log_metric(key=f"system/{chip_type}/{tpu['device_id']}/{metric}", value=float(val), step=step, run_id=self.run_id)
  
  
      def tpu_system_metrics(self):
          try:
              import tpu_info, tpu_info.metrics, tpu_info.device
              chip_type, count = tpu_info.device.get_local_chips()
              if chip_type is not None:
                  data = tpu_info.metrics.get_chip_usage(chip_type)
                  data = [{"device_id": d.device_id, "memory_usage": d.memory_usage, "total_memory": d.total_memory, "duty_cycle_pct": d.duty_cycle_pct} for d in data]
                  return chip_type, count, data
              else:
                  return "no tpu detected", 0, []
          except Exception as e:
              print(e)
              return "no tpu detected", 0, []
  
      def run(self):
          try:
              step = 0
              while not self._stop_event.is_set():
                  self.log_tpu_mlflow(step) 
                  step += 1
                  self._stop_event.wait(self.sampling_interval)
          except Exception as e:
              print(f"Error in background logger process: {e}")
  
      def stop(self):
          self._stop_event.set()
  
  

  To use this in your experiment you need something like this:

  with mlflow.start_run() as run:
      mlflow.enable_system_metrics_logging()
      TPUMonitoring(run_id=run.info.run_id).start()
      ...
  
  

  And that’s it!

  If you have logging enabled you might get some info/warning messages from protobuf, tpu_info but they are safe to ignore from my experience.

  I wanted to also attach the start function to the MLFlow module with something like:

      mlflow.enable_tpu_metrics_logging = TPUMonitoring(run_id=run.info.run_id).start
  
  

  So that it wood look nicer and ‘built-in’ like:

  with mlflow.start_run() as run:
      mlflow.enable_system_metrics_logging()
      mlflow.enable_tpu_metrics_logging()
  

  But I leave that as future work.

November 17, 2025

• Lennart Poettering Mastodon Stories for systemd v258

  Already on Sep 17 we released systemd v258 into the wild.

  In the weeks leading up to that release I have posted a series of serieses of posts to Mastodon about key new features in this release, under the #systemd258 hash tag. It was my intention to post a link list here on this blog right after completing that series, but I simply forgot! Hence, in case you aren't using Mastodon, but would like to read up, here's a list of all 37 posts:

  • Post #1: systemctl start -v
  • Post #2: Home areas
  • Post #3: systemd-resolved delegate zones
  • Post #4: Foreign UID range
  • Post #5: /etc/hostname ??? wildcards
  • Post #6: Quota on /tmp/
  • Post #7: ConcurretnySoftMax= + ConcurrencyHardMax=
  • Post #8: Product UUID in ConditionHost=
  • Post #9: Context OSC terminal sequences
  • Post #10: uki-url Boot Loader Spec Type #1 fields
  • Post #11: rd.break= boot breakpoints
  • Post #12: Factory Reset Rework
  • Post #13: systemd-resolved DNS Configuration Change IPC Subscription API
  • Post #14: io.systemd.boot-entries.extra= SMBIOS Type #11 Key
  • Post #15: Bring Your Own Firmware
  • Post #16: userdb record aliases
  • Post #17: systemd-validatefs and its xattrs
  • Post #18: Offline Signing of Artifacts
  • Post #19: PAMName= in services hooked up to ask-password protocol
  • Post #20: x-systemd.graceful-option= mount option
  • Post #21: systemd-userdb-load-credentials.service
  • Post #22: systemd-vmspawn --grow-image=a
  • Post #23: systemd-notify --fork
  • Post #24: $TERM auto-discovery
  • Post #25: Rebooting/Powering off systemd-nspawn containers via hotkey
  • Post #26: ExecStart= | modifier
  • Post #27: systemctl reload reloads confexts
  • Post #28: Server side userdb filtering
  • Post #29: Quota on StateDirectory= and friends
  • Post #30: systemd-analyze unit-shell
  • Post #31: /etc/issue.d/ drop-in for AF_VSOCK CID
  • Post #32: fsverity in systemd-repart
  • Post #33: AcceptFileDescriptor= + PassPIDFD=
  • Post #34: Tab completion in interactive systemd-firstboot
  • Post #35: rd.systemd.pull= kernel command line option/Boot into tarball
  • Post #36: ConditionKernelModuleLoaded=
  • Post #37: systemd-analyze chid
  • Post #38: homectl list-signing-keys/get-signing-key/add-signing-key/remove-signing-key
  • Post #39: DDI Image Filters
  • Post #40: Android USB Debugging udev rules
  • Post #41: systemd-vmspawn's --smbios11= switch
  • Post #42: $MAINPIDFDID + $MANAGERPIDFDID
  • Post #43: $DEBUG_INVOCATION=1 Respected by all systemd services
  • Post #44: LoaderDeviceURL EFI Variable and systemd.pull='s origin kernel command line switch
  • Post #45: cgroupv1 removal
  • Post #46: ProtectHostname=private
  • Post #47: homectl adopt + homectl register
  • Post #48: systemd-machined Varlink APIs
  • Post #49: DeferTrigger and "lenient" job mode
  • Post #50: Automatic Removal of foreign UID owned delegate subgroups in the per-user service manager
  • Post #51: Per-user ask-password protocol
  • Post #52: PrivateUsers=full
  • Post #53: LoadCredentialEncrypted= in the per-user service manager
  • Post #54: dissect_image builtin in systemd-udevd
  • Post #55: BPF Delegation via Tokens

  I intend to do a similar series of serieses of posts for the next systemd release (v259), hence if you haven't left tech Twitter for Mastodon yet, now is the opportunity.

  We intend to shorten the release cycle a bit for the future, and in fact managed to tag v259-rc1 already yesterday, just 2 months after v258. Hence, my series for v259 will begin soon, under the #systemd259 hash tag.

  In case you are interested, here is the corresponding blog story for systemd v257, and here for v256.

November 16, 2025

• nmilosev TPU Monitoring in MLFlow

  MLFlow sadly doesn’t support TPU monitoring out of the box like with NVIDIA cards and pynvml.

  Luckily it was very easy to add this feature with the following snippet:

  def log_tpu_mlflow(step):
      chip_type, count, data = tpu_system_metrics()
      for tpu in data:
          for metric, val in tpu.items():
              if metric != "device_id":
                  mlflow.log_metric(f"system/{chip_type}/{tpu['device_id']}/{metric}", float(val), step=step)
  
  
  def tpu_system_metrics():
      try:
          import tpu_info
          chip_type, count = tpu_info.device.get_local_chips()
          data = tpu_info.metrics.get_chip_usage(chip_type)
          data = [{"device_id": d.device_id, "memory_usage": d.memory_usage, "total_memory": d.total_memory, "duty_cycle_pct": d.duty_cycle_pct} for d in data]
          return chip_type, count, data
      except Exception as e:
          print(e)
          return "no tpu detected", 0, []
  
  

  Then from your training loop just call it periodically:

      log_tpu_mlflow(step=step)
  

  The only dependency is tpu-info.

  After this, in your system metrics tab you will have:

  

  Very seamless and probably compatible with other experiment tracking tools, not just MLFlow!

  I am not 100% happy with this solution, ideally it would be in a background thread. That would also help in a distributed training scenario. Keep an eye for a follow up post. :)

November 15, 2025

• Kevin Fenzi infra weeksly recap: Early November 2025

  

  Well, it's been a few weeks since I made one of these recap blog posts. Last weekend I was recovering from some oral surgery, the weekend before I had been on PTO on friday and was trying to be 'away'.

  Lots of things happened in the last few weeks thought!

  tcp timeout issue finally solved!

  As contributors no doubt know we have been fighting a super anoying tcp timeout issue. Basically just sometimes requests from our proxies to backend services just timeout. I don't know how many hours I spent on this issue trying everything I could think of, coming up with theorys and then disproving them. Debugging was difficult because _most_ of the time everything worked as expected. Finally, after a good deal of pain I was able to get a tcpdump showing that when it happens the sending side sends a SYN and the receiving side sees nothing at all.

  This all pointed to the firewall cluster in our datacenter. We don't manage that, our networking folks do. It took some prep work, but last week they were finally able to update the firmware/os in the cluster to the latest recommended version.

  After that: The problem was gone!

  I don't suppose we will ever know the exact bug that was happening here, but one final thing to note: When they did the upgrade the cluster had over 1 million active connections. After the upgrade it has about 150k. So, seems likely that it was somehow not freeing resources correctly and dropping packets or something along those lines.

  I know this problem has been anoying to contributors. It's personally been very anoying to me, my mind kept focusing on it and not anything else. It kept me awake at night. ;(

  In any case finally solved!

  There is a new outstanding issue that has occurred from the upgrade: https://pagure.io/fedora-infrastructure/issue/12913 basically long running koji cli watch tasks ( watch-task / watch-logs) are getting a 502 error after a while. This does not affect the task in any way, just the watching of it. Hopefully we can get to the bottom of this and fix it soon.

  outages outages outages

  We have had a number of outages of late. They have been for different reasons, but it does make it frustrating trying to contribute.

  A recap of a few of them:

  • AI scrapers continue to mess with us. Even though most of our services are behind anubis now, they find ways around that, like fetching css or js files in loops, hitting things that are not behind anubis and generally making life sad. We continue to block things as we can. The impact here is mostly that src.fedoraproject.org is sensitive to high load and we need to make sure and block things before it impacts commits.

  • We had two outages ( friday 2025-11-07 and later monday 2025-11-10 ) That were caused by a switch loop when I brought up a power10 lpar. This was due to the somewhat weird setup on the power10 lpars where they shouldn't be using the untagged/native vlan at all, but a build vlan. The friday outage took a while for us to figure out what was causing it. The monday outage was very short. All those lpars are correctly configured now and up and operating ok.

  • We had a outage on monday ( 2025-11-10 ) where a set of crashlooping pods filled up our log server with tracebacks and generally messed with everything. Pod was fixed, storage was cleared up.

  • We had some kojipkgs outages on thursday ( 2025-11-13 ) and friday ( 2025-11-14 ). These were caused by many requests for directory listings for some ostree objects directories. Those directories have ~65k files in them each, so apache has to stat 64k files each time it gets those requests. But then, cloudfront (which is making the request) times out after 30s and resends. So, you get a load average of 1000 and very slow processing. So, for now we put that behind varnish, so it just has to do it the first time for a dir and then it can send the cached result to all the rest. If that doesn't fix it, we can look at just disabling indexes there, but I am not sure the implications.

  We had a nice discussion in the last fedora infrastructure meeting about tracking outages better and trying to do a RCA on them after the fact to make sure we solved it or at least tried to make it less likely to happen again.

  I am really hoping for some non outage days and smooth sailing for a bit.

  power10s

  I think we are finally done with the power10 setup. Many thanks again to Fabian on figuring out all the bizare and odd things we needed to do to configure the servers as close to the way we want them as possible.

  The fedora builder lpars are all up and operating since last week. The buildvm-ppc64les on them should have more memory and cpus that before and hopefully are faster for everyone. We have staging lpars also now.

  The only final thing to do is to get the coreos builders installed. The lpars themselves are all setup and ready to go.

  rdu2-cc to rdu3 datacenter move

  I haven't really been able to think about this due to outages and timeout issue, but things will start heating up next week again.

  It seems unlikely that we will get our new machine in time to matter now, so I am moving to a new plan: repurposing another server there to migrate things to. I plan to try and get it setup next week and sync pagure.io data to a new pagure instance there. Depending on how that looks we might move to it first week of december.

  Theres so much more going on, but those are some highlights I recall...

  comments? additions? reactions?

  As always, comment on mastodon: https://fosstodon.org/@nirik/115554940851319300

• Fedora fans انتشار همزمان RHEL 9.7 و RHEL 10.1

  

  شرکت Red Hat در آبان ۱۴۰۴ دو نسخهٔ جدید از سیستم‌عامل سازمانی خود یعنی Red Hat Enterprise Linux 9.7 و Red Hat Enterprise Linux 10.1 را منتشر کرد. این دو نسخه، مجموعه‌ای از قابلیت‌های تازه در حوزه‌ی امنیت، بهبود تجربه‌ی مدیران سیستم، توسعه‌دهندگان، و همچنین پشتیبانی از سخت‌افزارهای شتاب‌دهنده‌ی هوش مصنوعی را ارائه می‌دهند. در […]

  The post انتشار همزمان RHEL 9.7 و RHEL 10.1 first appeared on طرفداران فدورا.

November 14, 2025

• Allan Day GNOME Foundation Update, 2025-11-14

  This post is another in my series of GNOME Foundation updates, each of which provides an insight into what’s happened at the GNOME Foundation over the past week. If you are new to these posts I would encourage you to look over some of the previous entries – there’s a fair amount going on at the Foundation right now, and my previous posts provide some useful background.

  Old business

  It has been another busy week at the GNOME Foundation. Here’s a quick summary:

  • We had a regular Board meeting (as in, the meeting was part of our regular schedule), where we discussed details about the annual report, some financial policy questions, and partnerships.
  • There was another planning meeting for the Digital Wellbeing program, which is close to wrapping up. If you haven’t seen it already, Ignacy gave a great overview of the work that’s been done on this!
  • There have been more meetings with Dawn Matlak, our new finance advisor and systems guru. We are now at the stage where our new finance system is being setup, which is exciting! The plan is to consolate our payments processing on this new platform, which will reduce operational complexity. Invoice processing in future will also be highly automated, and we are going to get additional capabilities around virtual credit cards, which we already have plans for.
  • Preparations continued for GNOME.Asia 2025, which is happening in Tokyo next month. Assisting attendees with visas and travel has been a particular focus.

  Most of these items are a continuation of activities that I’ve described in more detail in previous posts, and I’m a bit light on new news this week, but I think that’s to be expected sometimes!

  Post #10

  This is the tenth in my series of GNOME Foundation updates, and this seems like a good point to reflect on how they are going. The weekly posting cadance made sense in the beginning, and wrapping up the week on a Friday afternoon is quite enjoyable, but I am unsure if a weekly post is too much reading for some.

  So, I’d love to hear feedback: do you like the weekly updates, or do you find it hard to keep up? Would you prefer a higher-level monthly update? Do you like hearing about background operational details, or are you more interested in programs, events and announcements? Answers to these questions would be extremely welcome! Please let me know what you think, either in the comments or by reaching out on Matrix.

  That’s it from me for now. Thanks for reading, and have a great day.

• Fedora fans بازنشستگی Ingress NGINX؛ یک تغییر بزرگ در دنیای Kubernetes

  

  پروژه‌ی Ingress NGINX که سال‌ها یکی از محبوب‌ترین کنترلرهای Ingress در Kubernetes بوده، به‌طور رسمی اعلام کرد که تا مارس ۲۰۲۶ بازنشسته می‌شود. این یعنی پس از این تاریخ، دیگر به‌روزرسانی، نسخه جدید یا رفع آسیب‌پذیری برای آن منتشر نخواهد شد. دلیل این تصمیم چیست؟ Ingress NGINX با وجود موفقیت و استفاده گسترده، در طول […]

  The post بازنشستگی Ingress NGINX؛ یک تغییر بزرگ در دنیای Kubernetes first appeared on طرفداران فدورا.

• Fedora Community Blog Infra and RelEng Update – Week 46 2025

  This is a weekly report from the I&R (Infrastructure & Release Engineering) Team. We provide you both infographic and text version of the weekly report. If you just want to quickly look at what we did, just look at the infographic. If you are interested in more in depth details look below the infographic.

  Week: 10th – 14th November 2025

  

  Infrastructure & Release Engineering

  The purpose of this team is to take care of day to day business regarding CentOS and Fedora Infrastructure and Fedora release engineering work.
  It’s responsible for services running in Fedora and CentOS infrastructure and preparing things for the new Fedora release (mirrors, mass branching, new namespaces etc.).
  List of planned/in-progress issues

  Fedora Infra

  • 4 flatpak packages stuck in updates composes
  • Contributor Group (FAS) user theking2
  • packages.fp.o not refreshing since 2025-10-26
  • Lost access to packager-sponsors ML
  • Package update stuck in zombie state?
  • [Forgejo] New Organization and Teams Request: Cloud SIG
  • Missing/messed-up logs for FESCo meting 2024-01-29
  • Group for teamsbc
  • group for EU OS
  • New FAS Group, Organization and Team Request: AI/ML SIG
  • New group on copr: microshift-io
  • Please add jspaleta as admin to release calendar in fedocal
  • CentOS Stream baseos-source repo has a checksum error
  • Spread load from docsync on sundries01
  • Rsync-ing public mirrors for a private mirror leads to corrupt mirror
  • No crawling for mirror site since June
  • Anubis provides a bunch of stats. … would be nice to get them in zabbix
  • Create communishift project for fedora coreos AI helpers
  • docs-rsync doing lots of IO at midnight and setting off alarms.
  • [FMTS] TLS certificate for noggin service is about to expire in 30 days
  • Nagios server `notify-by-fedora-messaging`command might not work
  • [Forgejo] New Organization and Teams Request: CommOps
  • Create Fedora Workstation organization on Forgejo?
  • Issue a client certificate for fedora-image-uploader to authenticate with Azure
  • Need to delete user account in FAS that has been already deleted in Discourse (discussion.fedoraproject.org) due to violations (spam, AI, etc.)
  • Forgejo: Owner access to @jflory7 for @CommOps
  • no-changed-when: Commands should not change things if nothing needs doing. [openshift playbooks linting]
  • Move copr_hypervisor group from iptables to nftables

  CentOS Infra including CentOS CI

  • Failed HDD in raid array on sponsored server
  • Migrate CBS lookaside cache to new RDU3/DC
  • migrate mailman/MX servers for centos.org to new DC
  • stream9 and stream10 BuildTargets and Tags needed for nfs-ganesha-8
  • CentOS Stream Mirror request

  Release Engineering

  • flatpak builds fail to upload to registry
  • Stalled EPEL package: sparsehash
  • Changes/Ruby_3.5
  • Package unretirement
  • Bodhi update(s) pushed to “stable” but ending up without tags in koji and not being available in repos
  • more bodhi updates with push issues
  • Misconfigured redirect to EPEL mirror mirrors.edge.kernel.org
  • Archive openarm_can package
  • Keep compose metadata somewhere that isn’t garbage-collected

  List of new releases of apps maintained by I&R Team

  • Minor update of Fedora Messaging from 3.8.0 to 3.9.0 on 2025-11-12: https://github.com/fedora-infra/fedora-messaging/releases/tag/v3.9.0
  • Minor update of Bodhi from 25.5.1 to 25.11.1 on 2025-11-07: https://github.com/fedora-infra/bodhi/releases/tag/25.11.1

  If you have any questions or feedback, please respond to this report or contact us on #admin:fedoraproject.org channel on matrix.

  The post Infra and RelEng Update – Week 46 2025 appeared first on Fedora Community Blog.

November 12, 2025

• Daniel Pocock Alfa Lions contre Bayonne Dockers, AFL France au Parc de Parilly, 8 novembre 2025

  Vidéo : match masculin

• Daniel Pocock Alfa Lions v Bayonne Dockers, AFL France in Parc de Parilly, 8 November 2025

  Video: men's match

November 11, 2025

• Dan Horák qt5-qtwebengine rebased to 5.5.19

  There has been a rebase of the QT5 stack to 5.5.18 in all released Fedora version recently and it included also a rebase of the QtWebEngine library to 5.5.19. This made me to rebase the ppc64le support to the latest version and to start new builds in my Talos COPR repository. For the details of the rebase see the ppc branch of qt5-qtwebengine fork.

• Cockpit Project Cockpit 351

  Cockpit is the modern Linux admin interface. We release regularly.

  Here are the release notes from Cockpit 351, and cockpit-machines 344:

  Firewall: Additional ports can now be deleted

  “Additional ports” in a firewall zone are now listed each in their individual row, and can be individually deleted.

  Thanks a lot libkurisu for this contribution!

  

  Machines: VMs can be shutdown and restarted with a single action

  Some changes to a virtual machine, such as adding VNC graphics, require it to be completely shut down and restarted before these changes take effect. Cockpit can now do this with a single action.

  

  Machines: Support for network port forwarding

  Cockpit can now configure port forwarding for virtual machines on the user session.

  

  Try it out

  Cockpit 351, cockpit-machines 344, and cockpit-podman 117 are available now:

  • For your Linux system

  • Cockpit Client

  • Cockpit Source Tarball
  • Cockpit Fedora 43
  • Cockpit Fedora 42
  • cockpit-machines Source Tarball
  • cockpit-machines Fedora 43
  • cockpit-machines Fedora 42
  • cockpit-podman Source Tarball
  • cockpit-podman Fedora 43
  • cockpit-podman Fedora 42

November 10, 2025

• Dave Airlie a tale of vulkan/nouveau/nvk/zink/mutter + deadlocks

   I had a bug appear in my email recently which led me down a rabbit hole, and I'm going to share it for future people wondering why we can't have nice things.

  Bug:

  1. Get an intel/nvidia (newer than Turing) laptop.

  2. Log in to GNOME on Fedora 42/43 

  3. Hotplug a HDMI port that is connected to the NVIDIA GPU.

  4. Desktop stops working.

  My initial reproduction got me a hung mutter process with a nice backtrace which pointed at the Vulkan Mesa device selection layer, trying to talk to the wayland compositor to ask it what the default device is. The problem was the process was the wayland compositor, and how was this ever supposed to work. The Vulkan device selection was called because zink called EnumeratePhysicalDevices, and zink was being loaded because we recently switched to it as the OpenGL driver for newer NVIDIA GPUs.

  I looked into zink and the device select layer code, and low and behold someone has hacked around this badly already, and probably wrongly and I've no idea what the code does, because I think there is at least one logic bug in it. Nice things can't be had because hacks were done instead of just solving the problem. 

  The hacks in place ensured under certain circumstances involving zink/xwayland that the device select code to probe the window system was disabled, due to deadlocks seen. I'd no idea if more hacks were going to help, so I decided to step back and try and work out better.

  The first question I had is why WAYLAND_DISPLAY is set inside the compositor process, it is, and if it wasn't I would never hit this. It's pretty likely on the initial compositor start this env var isn't set, so the problem only becomes apparent when the compositor gets a hotplugged GPU output, and goes to load the OpenGL driver, zink, which enumerates and hits device select with env var set and deadlocks.

  I wasn't going to figure out a way around WAYLAND_DISPLAY being set at this point, so I leave the above question as an exercise for mutter devs.

  How do I fix it?

  Attempt 1:

  At the point where zink is loading in mesa for this case, we have the file descriptor of the GPU device that we want to load a driver for. We don't actually need to enumerate all the physical devices, we could just find the ones for that fd. There is no API for this in Vulkan. I wrote an initial proof of concept instance extensions call VK_MESA_enumerate_devices_fd. I wrote initial loader code to play with it, and wrote zink code to use it. Because this is a new instance API, device-select will also ignore it. However this ran into a big problem in the Vulkan loader. The loader is designed around some internals that PhysicalDevices will enumerate in similiar ways, and it has to trampoline PhysicalDevice handles to underlying driver pointers so that if an app enumerates once, and enumerates again later, the PhysicalDevice handles remain consistent for the first user. There is a lot of code, and I've no idea how hotplug GPUs might fail in such situations. I couldn't find a decent path forward without knowing a lot more about the Vulkan loader. I believe this is the proper solution, as we know the fd, we should be able to get things without doing a full enumeration then picking the answer using the fd info. I've asked Vulkan WG to take a look at this, but I still need to fix the bug.

  Attempt 2:

  Maybe I can just turn off device selection, like the current hacks do, but in a better manner. Enter VK_EXT_layer_settings. This extensions allows layers to expose a layer setting in the instance creation. I can have the device select layer expose a setting which says don't touch this instance. Then in the zink code where we have a file descriptor being passed in and create an instance, we set the layer setting to avoid device selection. This seems to work but it has some caveats, I need to consider, but I think should be fine.

  zink uses a single VkInstance for it's device screen. This is shared between all pipe_screens. Now I think this is fine inside a compositor, since we shouldn't ever be loading zink via the non-fd path, and I hope for most use cases it will work fine, better than the current hacks and better than some other ideas we threw around. The code for this is in [1].

  What else might be affected:

  If you have a vulkan compositor, it might be worth setting the layer setting if the mesa device select layer is loaded, esp if you set the DISPLAY/WAYLAND_DISPLAY and do any sort of hotplug later. You might be safe if you EnumeratePhysicalDevices early enough, the reason it's a big problem in mutter is it doesn't use Vulkan, it uses OpenGL and we only enumerate Vulkan physical devices at runtime through zink, never at startup.

  AMD and NVIDIA I think have proprietary device selection layers, these might also deadlock in similiar ways, I think we've seen some wierd deadlocks in NVIDIA driver enumerations as well that might be a similiar problem. 

   [1] https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/38252 

November 09, 2025

• Daniel Pocock Alfa Lionnes contre Bayonne Dockers, AFL France au Parc de Parilly, le 8 novembre 2025

  Vidéo : match féminin

• Daniel Pocock Alfa Lionesses v Bayonne Dockers, AFL France in Parc de Parilly, 8 November 2025

  Video: women's match

November 07, 2025

• Daniel Pocock L’enseignement catholique pro-vie inclut les risques liés à l’intelligence artificielle

  Monseigneur Dominique Rey, ancien évêque de Fréjus-Toulon, est bien connu en France pour son engagement en faveur du caractère sacré de la vie humaine. Le Réseau Vie est l' association catholique française pro-vie.

  Dans l'actualité, le débat pro-vie est généralement caractérisé par un conflit très émotionnel autour de l'avortement.

  En réalité, la position catholique sur l'avortement s'inscrit dans un contexte plus large qui offre une réfutation cohérente de toutes les pratiques, de l'euthanasie à la peine de mort en passant par la guerre.

  De plus, il s'agit d'une façon de penser qui a évolué au cours de près de deux mille ans de christianisme. Le récent séminaire de Mgr Rey à Lyon, à l'instar de ses ouvrages, ne se limitait pas à la question de l'avortement.

  J'ai posé une question sur les risques liés à l'intelligence artificielle dans la prise de décisions de vie ou de mort, et Mgr Rey s'est immédiatement montré disposé à y répondre longuement.

  Quelles que soient les opinions sur le féminisme et l'avortement, il me semble important de respecter le rôle de l' Église catholique qui nous empêche de nous engager sur une pente glissante.

  En réalité, la science actuelle ne nous permet pas de déterminer avec précision le début de la vie. De plus, nous ne disposons même pas d'une définition scientifique parfaite de ce qu'est la vie . S'il est plausible que la vie commence à la conception, nous ne devons pas prendre le risque de nous tromper à ce sujet.

  L' Église catholique ne nous demande pas de croire au lapin de Pâques ni au Père Noël. Elle nous demande de croire en la possibilité que la vie commence dès la conception. Même pour ceux qui n'y croient pas, il semble raisonnable de vérifier. Avant le décollage d'un avion, l'équipage doit compter le nombre de personnes à bord, et ce à plusieurs reprises pour plus de sûreté.

  Que l'on se considère comme pro-vie ou pro-choix, il est essentiel d'envisager la possibilité que l'un ou l'autre camp nous manipule, comme dans toute autre tentative d'ingénierie sociale . L'Église nous induit-elle en erreur en nous faisant croire que la vie commence plus tôt qu'elle ne le fait réellement ? Ou bien le lobby pro-choix trompe-t-il les femmes en leur faisant croire que leur fœtus n'est pas viable, en leur faisant miroiter une prétendue émancipation féminine ?

  Les vastes empires des magnats des réseaux sociaux sont bâtis et contrôlés presque entièrement par des hommes. Leur principale tactique pour inciter les femmes à soumettre toutes leurs données et communications à la surveillance masculine consiste à leur donner une fausse impression d'autonomie . Le lobby pro-choix utilise les mêmes arguments pour séduire les femmes.

  Au final, il y a des femmes qui regrettent d'avoir avorté et il y a des femmes qui regrettent d'avoir donné toutes leurs données aux médias de contrôle social .

  Dans mes rapports sur JuristGate , j'analyse comment des clients ont été dupés par nos propres avocats. Il est facile d'imaginer que certaines personnes se suicident après avoir été ainsi trompées.

  Dans le cas le plus flagrant de supercherie, j'ai examiné la mort d' Adrian von Bidder-Senn , à 32 ans, le jour même de notre mariage. C'était le dimanche des Rameaux. En passant en revue tous les décès liés au débianisme , on découvre l'ensemble des suicides de membres de la communauté débienne . À la lumière des écrits de Frans Pop , je ne peux ignorer le sentiment qu'il s'est senti dupé au moment de sa mort. En remontant aux origines de ces suicides , on constate que le premier, celui de Joel « Espy » Klecker, est survenu dans l'État américain de l'Oregon, immédiatement après la légalisation très médiatisée de l'euthanasie . De plus, les écrits de Klecker révèlent qu'il a lui aussi été dupé par la promesse d'une philosophie que nos pairs ont utilisée pour nous tromper .

  Le docteur australien John Billings est célèbre pour avoir créé la méthode d'ovulation Billings . Cette méthode permet aux femmes de déterminer leurs périodes de fertilité d'un jour à l'autre. Elle peut donc être utilisée aussi bien pour concevoir un enfant que comme moyen de contraception. À ce titre, c'est la seule méthode contraceptive jamais approuvée par l' Église catholique . Par une curieuse coïncidence, le docteur Billings, mon père et moi avons fréquenté le même établissement catholique, le Xavier College de Melbourne, à des périodes différentes.

  Photos de reunion avec Monseigneur Rey, Réseau Vie, Basilique Saint-Bonaventure, Lyon

  

   

  

   

  

   

  

   

  

   

  

   

  

   

  

   

  

   

  

   

  

   

  

   

  

   

  Blogs à propos l'église

  • Éloge funèbre du père John Brosnan par Peter Norden AO
  • Porte de prison en toile de fond du baptême du Père Sean O'Connell, St Paul's, Cobourg
  • Polygamie, du Synode catholique sur la synodalité aux médias de contrôle social et à la cyberpolygamie Debian
  • Contrôle social, médias, technologie et catholicisme : examen et commentaires du Synode sur la synodalité
  • Jubilee of Digital Missionaries, opening sessions photos
  • Jubilee of Digital Missionaries, adoration of the Eucharist (photos)
  • Jubilee of Digital Missionaries, Holy Door and mass with the Pope (photos)
  • Jubilee of Digital Missionaries, Tuesday afternoon sessions (photos)
  • Jubilee of Digital Missionaries, Vatican gardens (photos)
  • Jubilee of Digital Missionaries, Catholic Influencers concert (photos)
  • Fête de l'Assomption, procession à Fourvière, Lyon, France
  • Ordination de Père Billy Maurice Honzounnon, Sainte-Irénée, Lyon
  • L'enseignement catholique pro-vie inclut les risques liés à l'intelligence artificielle

  Catholic.Community

  Veuillez suivre le Catholic.Community site web comme votre page principal.

• Allan Day GNOME Foundation Update, 2025-11-07

  It’s Friday, so it’s time to provide an update on what’s been happening at the GNOME Foundation over the past week. Here’s my summary of the main activities and events, covering what both Board and staff members have been up to.

  GNOME.Asia

  I mentioned GNOME.Asia 2025 in my last post, but I’ll mention it again since it’s only a month until the event in Tokyo, which is being co-hosted with LibreOffice Asia.

  As you’d expect, there is a lot of activity happening as GNOME.Asia 2025 approaches. Kristi has been busy with a plethora of organisational tasks, including scheduling, printing, planning for the day trip, and more.

  Travel has also been a focus this week. The Travel Committee has approved sponsorship for a number of attendees, and we have moved on to providing assistance to those who need documentation for visas.

  Finally, registration is now open! There are two registration sites: one for in-person attendees, and one for remote attendees. If you plan on attending, please do take the time to register!

  Transitions

  This week was a big week for us, with the announcement of Rosanna’s departure from the organisation. Internally transition arrangements have been in progress for a little while, with responsibilities being redistributed, accounts being handed over, and infrastucture that was physically managed by Rosanna being replaced (such as our mailing address and phone number). This work continued this week.

  I’d like to thank Rosanna for her extremely helpful assistance during this transition. I’d also like to thank everyone who was pitched in this week, particularly around travel (thank you Kristi, Julian, Maria, Asmit!), as well as Cassidy and Arun for picking up tasks as they have arisen.

  The Foundation is running smoothly despite our recent staffing change. Payments are being processed quickly and reliably, events and sysadmin work are happening as normal, and accounting tasks are being taken care of. I’m also confident that we’ll continue to work reliably and effectively as we move forward. There are improvements that we have planned which help with this, such as the streamlining of our financial systems and processes.

  Ongoing tasks

  It has become a common refrain in my updates that there is lots going on behind the scenes that doesn’t make it into these posts. This week I thought that I’d call some of those more routine activities out, so readers can get a sense of what those background tasks are.

  It turns out that there is indeed quite a lot of them, so I’ve broken them down into sections.

  Finances and accounting

  It’s the beginning of the month, which is when most invoices tend to get submitted to us, so this week has involved a fair amount of payments processing. We use a mix of platforms for payments, and have a shared tracker for payments tasks. At the time of writing all invoices received since the beginning of the month have been paid, except for a couple of items where we needed additional information.

  As mentioned in previous posts, we are in the process of deploying a set of improvements to our banking arrangements, and this continued this week. The changes are coming in bit by bit, and there are tasks for us to do at each step. It will be a number of weeks before the changes are completed.

  Dawn who joined us last week has been doing research as part of her work to improve our finance systems. This has involved doing calls with team members and stakeholders, and is nearly complete.

  Meetings!

  Kristi booked the room for our regular pre-FOSDEM Advisory Board meeting, and I’ve invited representatives. Thanks to everyone who has sent an RSVP so far!

  Next week we have another regular Board meeting scheduled, so there has been the routine work of preparing the agenda and sending out invitations.

  Sysadmin work

  Bart has been busy as usual, and it’s hard to capture everything he does. Recent activity includes improvements to donate.gnome.org, improvements to Flathub build pipelines, and working through a troublesome issue with the geolocation data used by GNOME apps.

  That’s it for this week! Thanks for reading, and see you next week.

• Bodhi 25.11.1

  Released on 2025-11-01.
  This release fixes a few bugs regarding the display of automated test results
  in web pages.

  Dependency changes

  • bodhi-server: dependency on waitress now requires a version greater than
    3.0.1 (#5897).
  • bodhi-server: support for configuring logging through pyramid_sawing has been
    removed (#5906).

  Features

  • User statistics in homepage will now default to show 10 entries. This number
    can be configured in Bodhi's config file. (#5882).

  Bug fixes

  • client: aliases for Fedora Flatpak updates are now recognized from command
    line (#5918).
  • Fixed a schema issue which prevented to set the released_on property on
    Release (#5964).

  Contributors

  The following developers contributed to this release of Bodhi:

  • Akashdeep Dhar
  • Adam Williamson
  • Jens Petersen
  • Mattia Verga
  • Yaakov Selkowitz

• Remi Collet 🎲 PHP version 8.3.28RC1 and 8.4.15RC1

  Release Candidate versions are available in the testing repository for Fedora and Enterprise Linux (RHEL / CentOS / Alma / Rocky and other clones) to allow more people to test them. They are available as Software Collections, for parallel installation, the perfect solution for such tests, and as base packages.

  RPMs of PHP version 8.4.15RC1 are available

  • as base packages in the remi-modular-test for Fedora 41-43 and Enterprise Linux ≥ 8
  • as SCL in remi-test repository

  RPMs of PHP version 8.3.28RC1 are available

  • as base packages in the remi-modular-test for Fedora 41-43 and Enterprise Linux ≥ 8
  • as SCL in remi-test repository

  ℹ️ The packages are available for x86_64 and aarch64.

  ℹ️ PHP version 8.2 is now in security mode only, so no more RC will be released.

  ℹ️ Installation: follow the wizard instructions.

  ℹ️ Announcements:

  • PHP 8.4.15RC1 available for testing
  • PHP 8.3.28RC1 available for testing

  Parallel installation of version 8.4 as Software Collection:

  yum --enablerepo=remi-test install php84

  Parallel installation of version 8.3 as Software Collection:

  yum --enablerepo=remi-test install php83

  Update of system version 8.4:

  dnf module switch-to php:remi-8.4
  dnf --enablerepo=remi-modular-test update php\*

  Update of system version 8.3:

  dnf module switch-to php:remi-8.3
  dnf --enablerepo=remi-modular-test update php\*

  ℹ️ Notice:

  • version 8.5.0RC4 is in Fedora rawhide for QA
  • version 8.5.0RC4 is also available in the repository
  • EL-10 packages are built using RHEL-10.0 and EPEL-10.0
  • EL-9 packages are built using RHEL-9.6
  • EL-8 packages are built using RHEL-8.10
  • oci8 extension uses the RPM of the Oracle Instant Client version 23.9 on x86_64 and aarch64
  • intl extension uses libicu 74.2
  • RC version is usually the same as the final version (no change accepted after RC, exception for security fix).
  • versions 8.3.28 and 8.4.15 are planed for November 20th, in 2 weeks.

  Software Collections (php83, php84)

  

  

  Base packages (php)

  

  

November 06, 2025

• Gary Benson Terminal colours

  \x1B[38;5;105m and \x1B[38;5;141m are a great combo.

• Charles-Antoine Couret Sortie de Fedora Linux 43

  En ce mardi 28 octobre, les utilisateurs du Projet Fedora seront ravis d'apprendre la disponibilité de la version Fedora Linux 43.

  Fedora Linux est une distribution communautaire développée par le projet Fedora et sponsorisée par Red Hat, qui lui fournit des développeurs ainsi que des moyens financiers et logistiques. Fedora Linux peut être vue comme une sorte de vitrine technologique pour le monde du logiciel libre, c’est pourquoi elle est prompte à inclure des nouveautés.

  

  Expérience utilisateur

  L'environnement de bureau GNOME est proposé dans sa version 49. Cette version apporte comme d'habitude de nombreux changements. Tout d'abord l'application Showtime remplace Totem en guise de lecteur vidéo par défaut. Basée sur la bibliothèque GTK4 et libadwaita, elle reprend les canons esthétiques minimalistes des applications GNOME. L'interface s’efface derrière la vidéo, n'affichant que les fonctions de base essentielles.

  De même l'application pour afficher les documents notamment au format PDF passe de Evince à Papers. De la même manière que précédemment, elle utilise la nouvelle pile logicielle plus moderne, cela permet de refaire le visuel de l'application et d'améliorer dans le même temps les performances. La signature numérique des documents est aussi mieux intégrée de même que les annotations des documents.

  L'application de calendrier a eu une amélioration de son accessibilité avec un focus important sur la navigation exclusive au clavier, ce qui a nécessité une refonte de l'interface. L'interface s'adapte en fonction de la taille de l'écran avec notamment la barre latérale qui peut être masquée. Il est également possible d'exporter des événements dans un fichier ICS.

  Le navigateur Web bénéficie de nombreuses améliorations comme un bloqueur de publicités plus efficace avec plus de listes de blocage disponibles. La recherche dans la page est plus complète avec la prise en compte de la casse ou de la recherche de mots entiers uniquement. L'édition des marques pages, ainsi que le menu de sécurité pour la gestion des mots de passes ou des cartes de sécurité, ont été remaniés pour être plus simples.

  La boutique logicielle bénéficie d'une amélioration significative de ses performances, ce qui était son principal point faible en partie à cause du volume de données à gérer pour les différentes applications disponibles provenant des Flatpak. La boutique consomme moins de mémoire, navigue plus rapidement d'une application à une autre et effectue des recherches efficacement.

  La fonctionnalité de bureau distant s'améliore avec la prise en charge des entrées multipoints pour ceux utilisant un écran tactile. De plus le curseur de souris peut fonctionner avec un positionnement relatif ce qui était nécessaire pour quelques applications ou jeux vidéo. Ceux qui le souhaitent peuvent ajouter des écrans virtuels pour une telle session même s'il n'y a pas d'écrans physiques supplémentaires.

  De manière plus générale, l'écran de verrouillage permet de contrôler basiquement les applications multimédia, en particulier pour la musique. Il est d'ailleurs possible d'arrêter ou de redémarrer la machine depuis cet écran de verrouillage en activant l'option idoine avec la commande gsettings set org.gnome.desktop.screensaver restart-enabled true. Le bouton Ne pas déranger passe de la zone de notifications au menu principal de GNOME pour une meilleure cohérence de l'interface.

  Enfin de nouveaux fonds d'écran sont proposés afin d'exploiter les nouvelles capacités des écrans HDR et l'espace de couleur Display P3 qui sont pris en charge sur les machines compatibles. Capacités HDR qui ont été améliorées par ailleurs avec de nouveaux paramètres pour gérer finement la luminosité de ces types d'écran.

  GNOME fonctionnera uniquement en tant que session Wayland, les paquets liés à GNOME pour session X11 sont supprimés. Le projet GNOME a décalé cette décision pour sa prochaine version numérotée 50, mais Fedora maintient le cap car la qualité de ces sessions n'est pas aussi bonne que Wayland faute de tests et de maintenance de la part du projet depuis de nombreuses années. Grâce à XWayland, GNOME reste en capacité d'afficher et de gérer les applications (de plus en plus rares) reposant uniquement sur X11. Cela clôt en un sens la transition vers Wayland pour GNOME entamée il y a 9 ans déjà avec Fedora 25.

  Tous les Spins disposent par défaut de la nouvelle interface web d'Anaconda. Fedora Linux 42 ne l'avait proposée que pour Fedora Workstation, en partie parce que certaines options ont dû être ajoutées pour supporter les Spins. En effet, sous GNOME, une partie de la configuration est faite après l'installation avec l'application GNOME Initial Setup. Par conséquent les spins pourront en plus configurer depuis Anaconda la date et l'heure, le compte utilisateur et le nom de la machine. De même, la configuration de la disposition clavier est gérée de manière légèrement différente. Enfin, l'interface n'est pas forcément affichée par une session de Firefox mais peut l'être via le navigateur web fourni par l'environnement en question.

  Sur les machines x86_64 compatibles UEFI, Anaconda ne permettra plus d'installer Fedora si le format de partitionnement est basé sur MBR au lieu de GPT. Si la norme UEFI autorise une telle configuration, en réalité sa prise en charge correcte dépend des constructeurs et n'est pas bien testée notamment par l'équipe de Fedora ce qui rend une telle configuration peu fiable. De plus, le chargeur de démarrage GRUB2 suppose déjà qu'un système UEFI implique une table de partitions GPT. Cela a été maintenu par Fedora notamment pour permettre son utilisation dans le service cloud AWS qui ne proposait que de tels systèmes à une époque. Mais cette limitation n'a plus lieu d'être et sa suppression simplifie le test et réduit le risque de crashs au moment de l'installation. Cela ne concerne pas les autres architectures comme ARM car leur implémentation repose plus souvent sur MBR et est mieux gérée.

  

  L'installateur Anaconda utilise le gestionnaire de paquet DNF dans sa 5e version dorénavant. Cela améliore la vitesse des opérations à l'installation de Fedora et uniformise la gestion des paquets au sein de Fedora en simplifiant aussi les tests de la distribution.

  Fin de support de la modularité des paquets RPM dans l'installateur Anaconda. Les modules ont disparu dans Fedora depuis Fedora Linux 39, ce changement devenait nécessaire avec la non prise en charge des modules par DNF 5 qui est utilisé maintenant par Anaconda comme expliqué précédemment. Cela améliore aussi la maintenance d'Anaconda et de sa documentation en supprimant cette spécificité qui n'est plus utilisée.

  Activation de la mise à jour automatique du système pour la variante Fedora Kinoite. Grâce au système atomique, la mise à jour se fait en arrière plan et est appliquée au prochain redémarrage. La fiabilité de l'opération avec la possibilité de revenir à l'état précédent autorise une mise à jour automatique sans trop de problèmes pour simplifier la vie de l'utilisateur et améliorer la sécurité. Les mises à jour des firmware ne sont pas concernées pour des raisons de fiabilité. La mise à jour se fait par défaut de manière hebdomadaire et une notification pour inviter à redémarrer est affichée quand c'est pertinent. Cette fonctionnalité peut être coupée et la fréquence des mises à jour reste configurable.

  La police d'affichage d'émojis Noto Color Emoji utilise son nouveau format basé sur COLRv1 pour améliorer le rendu. Le rendu est meilleur car les images sont vectorielles et non sous forme d'images bitmap qui sont moins jolies quand la taille d'affichage augmente. Le tout en prenant moins d'espace disque.

  Le fichier initrd utilisé lors du démarrage est compressé avec zstd pour un démarrage plus rapide du système et une taille d'installation plus petite. Cela remplace la dépendance au binaire xz utilisé jusqu'alors, les tests montrent une baisse de la taille d'installation de quelques méga octets pour un temps de démarrage réduit de quelques secondes en moins.

  

  Gestion du matériel

  La taille de la partition /boot augmente de 1 Gio à 2 Gio par défaut. En effet la taille des firmwares, des initrd, du noyau, etc. ne cessent d'augmenter alors que la partition est restée à 1 Gio depuis 2016. Cela permet de réduire le risque de manquer de place dans un futur proche pour les nouveaux systèmes.

  Prise en charge de la technologie Intel TDX pour exécuter des machines virtuelles avec une plus grande isolation mémoire depuis Fedora Linux. Pour les machines compatibles, cela signifie que chaque machine virtuelle tourne dans un espace mémoire dédié qui est chiffré ce qui apporte des garanties de sécurité et d'intégrité des données pour le système virtualisé.

  Mise à jour de Greenboot vers la réimplémentation en Rust. L'objectif de ce composant est de fournir une vérification du système au démarrage et de redémarrer vers un état précédent du système en cas de défaut constaté ce qui est possible dans un système atomique et améliore l'expérience utilisateur en cas de mise à jour défectueuse. L'utilisateur a par ailleurs la possibilité d'ajouter ses propres tests. La précédente implémentation était en Bash et ne proposait que la prise en charge des systèmes basés sur RPM OSTree. Maintenant il peut gérer les systèmes reposant sur bootc qui est de plus en plus employé.

  Internationalisation

  La police de type monospace aura une police alternative de ce type par défaut en cas de manque dans une langue donnée. Jusqu'ici une police sans-serif était utilisée par défaut ce qui n'était pas idéal car les contextes d'usage sont différents et cela pouvait donner lieu à des comportement imprévisibles suivant les polices installées sur le système. Cela concerne notamment les langues suivantes : l'arabe, l'hébreu, le thaï, le perse, l'hindi, le khmer, etc.

  Administration système

  Le gestionnaire de paquets RPM passe à la version 6.0 tours par minute. Mais les paquets fournis par le projet Fedora utilisent encore le format de la 4e version. Cette version se focalise sur une amélioration de sécurité, par exemple les clés OpenPGP affichent la version complète de l'id de la clé si l'empreinte numérique n'existe pas. Il est possible de fournir plusieurs signatures à un même paquet permettant d'utiliser des clés différentes suivant la provenance et les objectifs. La construction du paquet peut générer automatiquement la signature ce qui est intéressant dans le cadre de l'empaquetage local. Les clés OpenPGP version 6 sont prises en charge de même que les algorithmes dits post quantiques à base de courbes elliptiques. Il est également possible d'utiliser Sequoia-sq au lieu de GnuPG. Les paquets générés avec la 3e version ne sont cependant plus exploitables.

  Réduction du nombre de règles SELinux dontaudit liés au type unlabeled_t. L'objectif de ces règles c'est souvent de réduire le nombre de rapports d'accès anormaux qui sont des faux positifs ou des accès bénins effectués par des applications mal écrites. Cette avalanche de notifications serait contre productive mais cacher ces accès sous le tapis ne permet pas de corriger ces comportements problématiques et complexifie le débogage. L'objectif est de désactiver seulement certaines de ces règles de la politique et non de les supprimer entièrement. Ainsi si le nouveau comportement vous pose problème, vous pouvez exécuter la commande # setsebool -P dontaudit_unlabeled_files 1 pour rétablir le comportement précédent.

  Le paquet gnupg2 pour fournir l'outil de chiffrement est dorénavant découpé en plusieurs sous paquets. Cela permet de réduire la taille du système par défaut car uniquement les paquets nécessaires seront installés par défaut, laissant de côté les binaires plus optionnels. L'autre bénéfice est de simplifier le remplacement par Sequoia-PGP car il nécessite la présence de certains binaires de GnuPG mais en remplace d'autres ce qui n'était pas possible de faire avec un paquet unique. Les installations existantes installeront tous les sous paquets par défaut pour éviter de casser les systèmes existants.

  Le filtre d'impression Foomatic-rip rejette les valeurs inconnues. En effet il est utilisé pour construire des commandes shell, PostScript ou Perl qui sont ensuite exécutées avant d'envoyer la tâche à l'impression via les options FoomaticRIPCommandLine, FoomaticRIPCommandLinePDF et FoomaticRIPOptionSettings. Cette flexibilité permet d'écrire ou de modifier facilement le pilote de l'imprimante en question mais est source de vulnérabilités de sécurité aussi. Pour limiter les risques, par défaut aucune valeur pour ces options ne sont autorisées. L'utilisateur doit exécuter foomatic-hash une fois pour vérifier la validité des options et s'assurer qu'elles ne font rien de problématiques et déplacer le dit fichier dans /etc/foomatic/hashes.d pour autoriser leur utilisation. Cela ne concerne à priori que des vieux pilotes d'imprimantes et une partie de ceux fournis par CUPS ont déjà les validations nécessaires. D'autres devraient venir progressivement. Les pilotes d'imprimantes déjà installés au niveau du système seront aussi automatiquement validés après une mise à niveau vers Fedora Linux 43. À cause de la flexibilité de la méthode d'origine, corriger ou détecter tous les comportements problématiques automatiquement n'est pas possible.

  Le projet 389 Directory Server ne permet plus de modifier ses bases de données BerkeleyDB. Les bases de données utilisaient par défaut LMDB depuis Fedora Linux 40 et l'abandon de BerkeleyDB se fera à priori pour Fedora Linux 45. L'objectif est de permettre la lecture des données pour les migrer vers le nouveau format et ainsi forcer les utilisateurs à effectuer la migration avant son abandon total.

  

  Le gestionnaire de base de données PostgreSQL est mis à jour à sa 18e version. Cette version améliore les performances dans le sous-système des entrées-sorties asynchrones et dans l'optimiseur des requêtes. D'ailleurs, la migration d'une base de données à une version suivante conserve les statistiques de l'optimiseur. Une nouvelle fonction uuidv7() permet de générer un UUID autorisant un tri basé sur un critère temporel. Par défaut les colonnes générées, celles dont le contenu est créé durant une opération de lecture, sont virtuelles et ne résident pas sur le disque. Les B-tree index multi-colonnes peuvent être utilisés plus souvent notamment s'il n'y a pas de contraintes sur les premières clés mais uniquement sur la dernière. Le protocole OAuth peut être utilisé pour s'authentifier dorénavant. Comme d'habitude, les versions 17 et 16 de ce logiciel restent disponibles dans les dépôts autorisant une mise à niveau progressive.

  Le gestionnaire de base de données MySQL passe par défaut à la version 8.4. La version 8.4 était déjà proposée dans les dépôts, elle remplace juste la version 8.0 en tant que version de base. Cette dernière reste disponible via le paquet mysql8.0.

  Le serveur de courriels Dovecot est mis à jour vers sa version 2.4. Cette version change de manière significative la configuration qui nécessite une adaptation. Il est maintenant possible de stopper une commande mail qui prend du temps proprement. Pour l'authentification, les fonctions de hashage SCRAM-SHA-1-PLUS et SCRAM-SHA-256-PLUS sont maintenant disponibles de même que les liaisons de canal TLS. La bibliothèque Lua permet d’interagir avec le client DNS et HTTP fourni par Dovecot.

  Le serveur d'application Tomcat est mis à jour vers sa version 10.1. Cela signifie qu'il suit la spécification Jakarta EE 10 ce qui implique un nouvel espace de nom qui passe de javax.* à jakarta.*. À cause de ce changement, la compatibilité ascendante n'est pas garantie et une recompilation des applications web est requise. De même l'API interne de Tomcat a beaucoup changé subtilement ce qui rend la compatibilité binaire impossible à garantir et nécessite une revue pour ceux qui interagissent avec ces APIs. Par défaut les requêtes et réponses Web se font en UTF-8 tandis que les sessions ne sont pas conservées après un redémarrage du serveur. Les fichiers de logs ne seront créés que lorsque du contenu doit être écrit dedans. Enfin les paramètres HTTP en commun entre HTTP 2 et 1.1 seront placés au niveau du connecteur HTTP 1.1 pour permettre à la version 2 d'en hériter et limiter ainsi la duplication des paramètres.

  Migration de l'utilitaire de journalisation lastlog à lastlog2. Le premier intérêt de cette migration est de corriger le bogue de l'an 2038 qui n'affecte pas ce dernier. Il peut également d'utiliser la base de données SQLite 3 pour le stockage. Il utilise aussi des composants PAM pour l'authentification et la sortie est compatible de manière ascendante également. De plus il est légèrement plus performant en augmentant la taille de stockage à partir du nombre d'utilisateurs et non du plus grand id utilisateur dans le lot. Le risque de problèmes de compatibilité devrait être faible. La migration vers le nouveau format sera effectuée automatiquement et des liens symboliques vers les noms des anciens binaires sont créés pour éviter de casser des scripts existants.

  L'information PLATFORM_ID dans os-release est supprimée. Cette information a été ajoutée dans le cadre de la modularité, mais avec l'abandon de celle-ci cette ligne n'est plus nécessaire. Ceux qui se basent sur cette information sont invités à changer d'approche.

  

  Développement

  La chaine de compilation GNU évolue avec binutils 2.45 et glibc 2.42. Pour binutils, les informations sframe générées par l'assembleur sont maintenant conformes avec la spécification SFrame V2. L'assembleur gère les dernières évolutions des architectures RISC-V, LoongArch et AArch64. Il peut également utiliser les directives .errif et .warnif pour avoir un diagnostic contrôlé par l'utilisateur avec des critères qui sont évalués uniquement à la fin de l'assemblage.

  Pour la bibliothèque C glibc, elle prend en charge de nouvelles fonctions mathématiques introduites dans C23 telles que ompoundn, pown, powr, rootn et rsqrt. Elle propose aussi en avance les fonctions valeurs absolues non signées qui seront proposées par la prochaine norme C. Ajout également de la fonction pthread_gettid_np pour connaître l'id d'un thread à partir d'une structure opaque pthread_t. Le cache local dans malloc gagne en performance pour les petites allocations mémoire et peut prendre en charge des blocs à mettre en cache de plus grande taille via l'option glibc.malloc.tcache_max. Le manuel a été particulièrement enrichi pour être plus complet notamment pour les threads, terminaux, systèmes de fichiers, ressources et fonctions mathématiques.

  L'éditeur de lien Gold du paquet binutils-gold est considéré comme déprécié et sera supprimé dans une version future. Fedora Linux a déjà quatre éditeurs de liens : ld.bfd, ld.gold, lld et mold. Se débarrasser de l'un d'entre eux qui n'est plus maintenu par le projet GNU n'est pas un problème et doit améliorer à terme la maintenance.

  Mise à jour de la chaine de compilation LLVM à sa version 21. Les cartes graphiques AMD voient une amélioration de la prise en charge de ROCm de même qu'un effort pour proposer une bibliothèque C pour GPU. Mais les architectures RISC-V ou cartes graphiques de Nvidia ont également quelques améliorations mineures de ce côté. Le compilateur C CLang optimise l’arithmétique des pointeurs avec le pointeur null et comme souvent le suivi des futurs standards C et C++ se poursuit. Le compilateur fait de meilleurs messages d'erreurs pour les erreurs de compilation.

  Côté Fedora, les RPM de ce projet sont compilés avec un profil d'optimisation ce qui devrait significativement améliorer les performances du compilateur maison.

  Le langage Python mue à sa version 3.14. Cette version propose des template strings pour étendre les capacités des f-string afin de plus facilement modifier la valeur de la chaîne de caractères à partir d'autres variables. L'évaluation différée des annotations permet de résoudre les annotations de type qui sont cycliques. De plus, un nouveau module concurrent.interpreters fait son apparition pour permettre l'exécution d'interpréteurs Python dans des fils d'exécution uniques pouvant communiquer entre eux, ouvrant la voie à un vrai parallélisme sans renoncer, pour le moment, au fameux verrou principal nommé GIL. Le module compression accueille l'algorithme zstd qui est de plus en plus utilisé dans divers projets libres. Enfin les UUIDs 6, 7 et 8 font leur apparition, permettant de générer des UUIDs respectant différents critères, les deux premiers autorisent un tri temporel quand le dernier est un assemblage de 3 entiers fournis en paramètre. Il y a évidemment d'autres changements améliorant notamment des performances ou rendant les messages d'erreurs plus clairs.

  Le langage Go passe à la version 1.25. Il est possible dans cette version d'activer le détecteur de fuites de mémoire à la compilation d'un programme par la commande go build -asan, le rapport sera généré à la fermeture du programme. La commande go vet détecte les appels de fonctions sync.WaitGroup.Add mal placés de même que l'usage de fmt.Sprintf("%s:%d", host, port) pour construire des adresses de connexions qui sont invalides en cas d'usage d'IPv6. Un nouveau ramasse-miettes expérimental fait son apparition, il doit réduire l'impact de ces opérations de 10-40% pour un programme standard qui fait beaucoup d'allocations et de désallocations de petits objets. En terme d'expérimentations, un nouveau module expérimental encoding/json/v2 fait son entrée en matière pour l'encodage et le décodage de JSON, qui doit être plus performant pour le décodage tout en supprimant certaines limitations. Pour les développeurs, un nouveau module runtime/trace.FlightRecorder permet de facilement enregistrer la trace d'événements précis dans le programme dans le contexte de débogage tout en étant léger pour ne pas perturber l'exécution du logiciel par les traces complètes habituellement utilisées. Dans le contexte du débogage, le format DWARF5 pour les informations de débogage peut être exploité ce qui améliore la taille du binaire et le temps de l'édition des liens par ailleurs.

  Le langage Perl fourni une réponse brillante avec sa version 5.42. L'accent a été mis pour améliorer les performances dans cette version. Mais en plus de cela, les méthodes peuvent être déclarées avec une visibilité réduite avec l'instruction my method, ces méthodes peuvent être appelées grâce à l'opérateur ->&. Deux nouveaux opérateurs expérimentaux all et any pour vérifier une condition sur l'ensemble, et respectivement aucun, des éléments d'une liste. Un pragma source::encoding peut être apposé sur un fichier source pour détecter les erreurs d'encodage du dit fichier s'il ne correspond pas à celui mentionné. Une classe peut générer automatiquement un setter pour un de ses attributs via l'attribut :writer qui fonctionne de manière analogue à :reader pour le getter.

  La boîte à outils Ruby on Rails démarrera voie 8.0. La gestion de certaines dépendances a été améliorée, en effet pour bénéficier de certaines fonctions telles que les Websockets, les jobs ou le cache il était nécessaire d'utiliser au choix MySQL, PostgreSQL ou Redis. Maintenant SQLite s'ajoute à la liste des possibilités et cela passe par de nouvelles couches d'abstractions Solid Cable, Solid Cache et Solid Queue. Fournir des fichiers statiques repose sur Propshaft au lieu de Sprockets, qui est bien plus simple en tirant profit des changements dans le monde Web opérés depuis 15 ans tels que les frameworks JavaScript ou la bonne gestion des petits fichiers avec le protocole HTTP/2 qui permettent de déléguer la gestion de ces problématiques aux frameworks JavaScript directement. Pour finir, elle propose un moyen simple de générer un template basique mais efficace pour la gestion de l'authentification d'une application, en exécutant bin/rails generate authentication vous obtenez un modèle basique pour la session et l'utilisateur avec des contrôleurs pour la session et l'authentification elle même.

  

  La machine virtuelle Java OpenJDK 25 est fournie. Parmi les changements, un effort a été consenti pour améliorer le mécanisme de l'Ahead-of-Time, la mise en cache de la JVM. Il devient en effet plus facile d'exécuter une application simple pour générer la liste des objets et modules nécessaires pour rendre les prochains lancement plus rapides et de même les profils générés pour accélérer l'application seront immédiatement exploités au démarrage pour également accélérer le lancement de l'application. Le système d'enregistrement des événements est étendu avec la possibilité d'enregistrer précisément le temps d'exécution d'une fonction et sa pile d'appels. Il est possible d'appeler d'autres fonctions ou opérations dans un constructeur avant qu'il n'appelle lui même un autre constructeur du même objet ou de sa classe parente ce qui peut simplifier le code en le rendant plus naturel.

  L'utilitaire dans l'écosystème Java nommé Maven bénéficie de la version 4 en parallèle de la version 3. La version 4 est accessible via le paquet maven4 depuis les dépôts. Parmi les changements fondamentaux, il y a une séparation entre les besoins de compilation et d'utilisation du fichier pom.xml qui mentionnait dans le détail les informations de compilation ou des dépendances ce qui était rarement utile pour les utilisateurs lors du déploiement. Maintenant le fichier destiné à être distribué ne mentionne plus ces informations superflues. Dans ce contexte, un nouveau type de paquet bom est fourni pour générer une liste de composants nécessaires pour ce logiciel ce qui est un atout dans une optique de traçabilité et de suivi des failles de sécurité par exemple. Pour clarifier la différence entre les modules de Maven et ceux de Java, les modules sont renommés subprojects, d'ailleurs ces sous-projets peuvent déduire des informations du parent comme sa version par exemple ce qui rend inutile de le mentionner à nouveau. Les sous-projets peuvent aussi être découverts au sein du projet évitant le besoin de les déclarer explicitement et systématiquement.

  Le compilateur pour le langage Haskell GHC a été mis à jour vers sa version 9.8 et son écosystème Stackage vers la version 23. Le langage fonctionnel dispose des ExtendedLiterals pour préciser le type précis d'un entier défini tel quel dans le code, comme 123#Int8 pour un entier représenté uniquement sur 8 bits. Dans le bas niveau, un logiciel compilé avec -mfma pour permettre l'usage des instructions, qui combinent multiplication et addition (telle que fmaddFloat# x y z qui donne x * y + z) si l'architecture matérielle les supporte ce qui peut améliorer les performances du programme. Il introduit des nouveaux pragmas WARNING et DEPRECATED à des fonctions d'un module pour signaler à un appelant de prêter attention à son utilisation, notamment en cas de suppression planifiée de la dite fonction.

  Le langage de programmation fonctionnel Idris dispose d'une mise à jour majeure vers sa 2e version. La version 1 reposait sur Haskell mais il devenait de plus en plus difficile de le générer avec des versions récentes du compilateur GHC. La version 2 est implémentée en Scheme et repose sur la théorie des types quantifiés, ainsi une variable assignée à une quantité 0 est effacée, assignée à une quantité 1 elle est utilisée une seule et unique fois, etc. Ce changement de paradigme rend de nombreux programmes écrits pour Idris 1 incompatibles. De plus le Prelude du langage ne contient que les éléments strictement nécessaires dans la plupart des programmes non triviaux, le reste est relégué dans dans la bibliothèque base.

  Le compilateur Free Pascal propose des paquets permettant la compilation croisée avec d'autres architectures. Ce changement facilite la compilation de programmes pour d'autres systèmes sans quitter sa Fedora Linux. Les paquets nécessaires sont de la forme fpc-cross-$CPU et fpc-units-$CPU-$OS où le premier fourni le compilateur en lui même à destination d'une architecture matérielle spécifique quand le second fourni des objets précompilés nécessaires la plupart du temps pour générer un programme pouvant s'exécuter sur le matériel et système considéré. Si vous souhaitez compiler pour du Windows x86 il faudra installer par conséquent les paquets fpc-cross-i386 et fpc-units-i386-win32.

  La bibliothèque d'Intel tbb pour paralléliser certaines tâches passe à la version 2022.2.0. Les changements sont relativement mineurs mais à cause de la rupture de compatibilité de l'ABI, les logiciels s'en servant doivent être recompilés pour fonctionner avec cette nouvelle version.

  La signature cryptographique des informations de débogage debuginfod est maintenant vérifiée automatiquement du côté du client. Les paquets RPM fournissaient la dite signature depuis Fedora Linux 39, le client comme serveur prenaient en charge la fonctionnalité, il ne manquait plus qu'une configuration adéquate pour permettre ce changement. Cela se fait en éditant le fichier de configuration /etc/debuginfod/elfutils.urls ainsi :

  ima:enforcing https://debuginfod.fedoraproject.org ima:ignore
  

  Cela ne le fait que pour les informations de débogage provenant du projet Fedora, pour les autres il faudra activer cela manuellement de manière similaire. En cas de signature invalide, les fichiers concernés seront rejetés et considérés comme non disponibles ce qui améliore la fiabilité et la sécurité du débogage.

  La bibliothèque Rust async-std est considérée comme dépréciée avant une suppression future. Il n'est en effet plus maintenu et il est recommandé de passer à la bibliothèque smol à la place.

  La bibliothèque Python python-async-timeout est considéré comme dépréciée avant une suppression future. Cette fonctionnalité est en effet fournie dans la bibliothèque standard depuis Python 3.11 rendant cette bibliothèque obsolète. Cependant une trentaine de paquets s'en servent encore directement rendant sa suppression impossible à ce stade.

  Le paquet python-nose a été retiré. Déprécié par Fedora depuis plus de cinq ans et sans maintenant depuis plus longtemps, sa suppression devenait nécessaire avec l'impossibilité de s'en servir avec la dernière version de Python. Les paquets qui en avaient encore besoin ont été corrigés pour s'en passer.

  Les paquets concernant d'anciennes versions de GTK pour Rust gtk3-rs, gtk-rs-core version 0.18, et gtk4-rs ont été retirés. Ils étaient dépréciés depuis Fedora Linux 42 car non maintenus.

  Projet Fedora

  Koji utilise localement au sein du projet Fedora une instance de Red Hat Image Builder pour générer certaines images qui en dépendent. Cela concerne les images Fedora IoT et Minimal qui étaient construites via l'infrastructure de Red Hat, Koji ne servant que d'orchestrateur côté Fedora. Cela posait quelques soucis dont la possibilité d'intervenir en cas de problèmes mais aussi le fait qu'il était impossible de geler les changements de l'infrastructure aux moments adéquats pour l'élaboration des nouvelles images. Le paquet koji-image-builder a été créé pour permettre d'exécuter cette machinerie localement au sein de l'infrastructure du projet Fedora. L'objectif est d'inclure cela dans Koji intégralement à terme quand ce sera suffisamment testé.

  La génération de l'image Core OS repose sur le fichier de définition de conteneurs Containerfile. Jusqu'ici l'image était conçue via RPM OStree avant d'être convertie en image OCI. L'objectif est donc de sauter l'étape RPM OStree en utilisant les conteneurs, l'image de référence est basée sur une Fedora Linux avec bootc. Cela simplifie la procédure de génération de l'image et permet facilement à quiconque de reproduire ces étapes s'il le souhaite en utilisant podman.

  Arrêt de publication des mises à jour de Core OS sur le dépôt OSTree. Cela fait suite au changement introduit dans la version précédente de Fedora où l'utilisation des images OCI avait débuté et que les nœuds existants allaient progressivement migrer vers ce format. Désormais maintenir la publication de mises à jour OSTree n'a plus de sens et permet de réallouer les ressources humaines et matérielles.

  Le système d'intégration continue de Fedora ne prend plus en charge le format Standard Test Interface. Il évoluait conjointement avec Test Management Tool qui a maintenant les mêmes capacités et continue d'évoluer. N'avoir plus qu'un format permet de simplifier la maintenance et l'outillage. Il y avait de plus en plus d'erreurs liées à l'usage de STI pour certains paquets incitant à faire la migration. Le format TMT a quelques avantages dont une meilleure organisation des tests et des environnements de tests. Les tests sont également reproductibles localement ce qui est important pour la résolution de problèmes. Grâce à l'intégration avec Packit il peut facilement exécuter les tests à partir des sources du logiciel si besoin ce qui est utile en cas de nouvelle version d'un paquet ou voir si un correctif spécifique à Fedora introduit des régressions.

  Les nouveaux paquets recevront automatiquement une nouvelle configuration basée sur Packit pour permettre la gestion automatique de certaines tâches dans le cadre des nouvelles versions de Fedora. Cette étape est faite lors de la création du projet sur le service src.fedoraproject.org, un correctif fournit automatiquement cette configuration initiale. Cela peut être manuellement désactivé lors de la création si un mainteneur ne le souhaite pas. L'intérêt est de simplifier l'accueil de nouveaux empaqueteurs mais aussi d'automatiser certaines tâches par défaut. En cas de nouvelle version d'un composant, le paquet avec cette version sera automatiquement crée pour identifier les éventuels problèmes, et s'il n'y en a pas, permettre de créer automatiquement la nouvelle version du paquet et de la diffuser si l'empaqueteur accepte cette nouvelle version. Cela peut aider à gérer plus de paquets et à mieux les maintenir sur le long terme.

  

  Les bibliothèques statiques fournies par les paquets RPM de Fedora conservent les informations de débogage pour permettre de comprendre l'origine des crashes des applications les exploitant. Cela est rendu possible par la mise à jour du composant debugedit qui permet une telle opération sans trop de problèmes. En effet il peut maintenant collecter les fichiers sources d'une bibliothèque statique et réécrire les chemins vers le répertoire /usr/src/debug comme attendu par les différents outils de débogage. Cependant les informations de débogage sont fournies dans les paquets RPM des binaires pour éviter la complexité de les inclure manuellement pour les développeurs qui en ont besoin dans leur logiciel. L'espace disque nécessaire pour ces informations est considéré comme relativement négligeable pour prendre cette décision. Pour les développeurs qui ne veulent pas des informations de débogage dans leur binaire peuvent exécuter la commande strip -g après l'édition de liens.

  Les macros dédiées pour générer les paquets Python reposant sur setup.py sont dorénavant dépréciées. Cela concerne les macros %py3_build, %py3_install, et %py3_build_wheel. En effet ces macros reposent sur ce script qui ne sera plus maintenu à partir d'octobre 2025 par le projet setuptools. L'objectif est d'inciter et de migrer progressivement ces paquets vers la nouvelle méthode reposant sur les macros %pyproject_* et exploitant le fichier de configuration pyproject.toml. Environ 35% des paquets Python de Fedora sont donc concernés par cette migration à venir qui permettra de moderniser et d'unifier les conventions tout en suivant les bonnes pratiques de l'écosystème Python.

  Les paquets Go sont compilés en utilisant par défaut les dépendances du projet compilé plutôt que d'utiliser systématiquement des dépendances basées sur des RPM gérés par le projet Fedora. En effet les binaires Go sont tous statiquement compilés donc l'objectif de maintenir des dépendances ne sert qu'à la construction des dits paquets. Cela concerne environ 1400 paquets pour générer 400 paquets avec un binaire Go. C'est beaucoup de travail de maintenance et cela limitait la possibilité d'inclure plus de paquets Go car il fallait empaqueter toutes les dépendances nécessaires au préalable. Cependant avec cette méthode il devient plus difficile de corriger les bogues ou problèmes de sécurité introduits par ces dépendances si Fedora ne les récupère pas. Et pour les cas où il est préférable d'avoir les dépendances gérées par le projet, cela sera un travail plus important pour un paquet donné car moins de dépendances seront déjà disponibles dans les dépôts. Le suivi des licences nécessite d'être adapté pour s'assurer qu'il n'y a pas de problèmes de compatibilité mais des outils existent déjà pour réduire cette problématique.

  Les paquets NodeJs utiliseront un nouveau formalisme pour le chemin de leurs dépendances. En effet le répertoire %{_libdir}/node_modules pointait vers un répertoire spécifique à une version de NodeJs comme %{_libdir}/node_modules20 pour la version 20 de NodeJs. Mais cette solution était plutôt pénible avec Fedora qui propose plusieurs versions de NodeJs en parallèle. L'objectif est de mettre en commun %{_libdir}/node_modules pour les modules où c'est possible, et pour ceux qui ont par exemple un binaire WASM, ils seront affectés dans un répertoire dépendant de la version. Cela simplifie la procédure d'empaquetage de ces composants tout en réduisant les doublons et en évitant les incompatibilités. Cela aide également à mettre en évidence les dépendances binaires cachées pour les reconstruire au sein du projet Fedora, ou les supprimer si cela n'est pas possible, à terme.

  Les macros CMake ne fourniront plus de variables d'installation non standards. Cela concerne les variables -DINCLUDE_INSTALL_DIR, -DLIB_INSTALL_DIR, -DSYSCONF_INSTALL_DIR, -DSHARE_INSTALL_PREFIX et -DLIB_SUFFIX. Cela ajoute de la confusion notamment parce que la signification de certaines variables n'est pas transparente comme INCLUDE_INSTALL_DIR qui pourrait attendre des chemins relatifs ou absolus. CMake 3.0 a standardisé beaucoup de choses dans GNUInstallDirs qui sont massivement utilisés depuis. Cela permet de mieux s'intégrer dans l'écosystème de ces projets et limite le risque d'erreurs lors de la construction des paquets.

  L'assembleur YASM est considéré comme déprécié pour utiliser NASM à la place. Il n'est en effet plus maintenu même si encore utilisé dans quelques paquets tel que Firefox. D'autres distributions ont déjà sauté le pas.

  Ajout des nouveaux macros RPM _pkg_extra_***flags pour permettre à chaque paquet d'ajouter des nouvelles options à la compilation à la liste par défaut fournie par le projet Fedora. L'intérêt est d'avoir un moyen standard d'étendre les options de compilation d'un paquet plutôt que chacun les édite à sa sauce et cela permet dans le même temps de voir facilement quels paquets et quelles options sont personnalisés.

  Certaines limitations de l'outil gpgverify utilisé par les mainteneurs de paquets sont corrigées permettant de supprimer des méthodes de contournement associés. En effet l'outil est utilisé pour s'assurer que les sources pour construire le paquet sont bien celles souhaitées. Par exemple il était incapable de lire plusieurs clés GPG fournis dans un fichier dédié comme nginx pouvait le faire. Il était également incapable de gérer automatiquement la signature des sommes de contrôle des archives, il exigeait que l'archive des sources elle même soit signée ce qui n'était pas toujours le cas. Maintenant il prendre également en compte les clés au format keybox. Le tout améliore la maintenance des paquets concernés mais évite aussi la possibilité de contourner la sécurité dans certains cas.

  La communauté francophone

  L'association

  

  Borsalinux-fr est l'association qui gère la promotion de Fedora dans l'espace francophone. Nous constatons depuis quelques années une baisse progressive des membres à jour de cotisation et de volontaires pour prendre en main les activités dévolues à l'association.

  Nous lançons donc un appel à nous rejoindre afin de nous aider.

  L'association est en effet propriétaire du site officiel de la communauté francophone de Fedora, organise des évènements promotionnels comme les Rencontres Fedora régulièrement et participe à l'ensemble des évènements majeurs concernant le libre à travers la France principalement.

  Si vous aimez Fedora, et que vous souhaitez que notre action perdure, vous pouvez :

  • Adhérer à l'association : les cotisations nous aident à produire des goodies, à nous déplacer pour les évènements, à payer le matériel ;
  • Participer sur le forum, les listes de diffusion, à la réfection de la documentation, représenter l'association sur différents évènements francophones ;
  • Concevoir des goodies ;
  • Organiser des évènements type Rencontres Fedora dans votre ville.

  Nous serions ravis de vous accueillir et de vous aider dans vos démarches. Toute contribution, même minime, est appréciée.

  Si vous souhaitez avoir un aperçu de notre activité, vous pouvez participer à nos réunions mensuelles chaque premier lundi soir du mois à 20h30 (heure de Paris). Pour plus de convivialité, nous l'avons mis en place en visioconférence sur Jitsi.

  La documentation

  Depuis juin 2017, un grand travail de nettoyage a été entrepris sur la documentation francophone de Fedora, pour rattraper les 5 années de retard accumulées sur le sujet.

  Le moins que l'on puisse dire, c'est que le travail abattu est important : près de 90 articles corrigés et remis au goût du jour. Un grand merci à Charles-Antoine Couret, Nicolas Berrehouc, Édouard Duliège, Sylvain Réault et les autres contributeurs et relecteurs pour leurs contributions.

  La synchronisation du travail se passe sur le forum.

  Si vous avez des idées d'articles ou de corrections à effectuer, que vous avez une compétence technique à retransmettre, n'hésitez pas à participer.

  Comment se procurer Fedora Linux 43 ?

  

  Si vous avez déjà Fedora Linux 42 ou 41 sur votre machine, vous pouvez faire une mise à niveau vers Fedora Linux 43. Cela consiste en une grosse mise à jour, vos applications et données sont préservées.

  Autrement, pas de panique, vous pouvez télécharger Fedora Linux avant de procéder à son installation. La procédure ne prend que quelques minutes.

  Nous vous recommandons dans les deux cas de procéder à une sauvegarde de vos données au préalable.

  De plus, pour éviter les mauvaises surprises, nous vous recommandons aussi de lire au préalable les bogues importants connus à ce jour pour Fedora Linux 43.

November 04, 2025

• Allan Day Thanks to Rosanna

  For over 20 years, Rosanna Yuen – aka zana – has been a key member of the GNOME Foundation team. I am writing this post to share the news that, as of last week, she is no longer working for us. We cannot emphasise enough how grateful we are for everything that Rosanna has done for the GNOME Foundation over the years, both as a volunteer and an employee, and we want to take this opportunity to thank and congratulate her for her accomplishments at the GNOME Foundation.

  In the rest of this post I want to share some details about Rosanna’s career at the GNOME Foundation, as a way of celebrating her contributions and reiterating our gratitude for everything she has done for us.

  Rosanna was a GNOME contributor before she started with the GNOME Foundation, as a hacker on the card games in Aisleriot. Way back in 2005, the organization was in a perilous situation after the departure of its first Executive Director, and had no employees. Rosanna stepped in as a volunteer to help keep the organization afloat. Following her intervention as a volunteer, she was taken on as a temporary contractor, and then became a part-time employee. Around four years later, in 2010, she went full time.

  It is no exaggeration to say that Rosanna saved the organization from a state of collapse during those early years. Since then, her roles and duties have been diverse. Aside from a broad range of accounting, finance, and administrative tasks, Rosanna has helped with travel and visas, running programs, and handling grant paperwork. There have also been many small but meaningful tasks that she has taken care of, such as mailing out thank you postcards to our donors, and going to the store each year during GUADEC to buy the “Pants of Thanks”.

  For a long time, Rosanna participated in Board meetings, to address any questions about the Foundation’s operations. And for many years, as the Foundation’s only employee, she performed those operations herself. In more recent years, the Foundation hired additional staff, and Rosanna took on a management role alongside her other duties, providing mentorship and guidance for new staff members as they joined. One of her defining qualities has been the care and support that she has shown towards these colleagues.

  Rosanna had many significant achievements during her time with the GNOME Foundation, and it is impossible to list all of them in this post. However, some of those achievements deserve special mention. They include ensuring that we have maintained our charitable status over the past 20 years, presenting finance reports to both the Board and the membership at our AGMs, playing a key role in establishing GNOME’s first Code of Conduct (and serving on the Code of Conduct Committee since its inception), running the GNOME Outreach Program for Women (as it was known then) for a period, managing transitions between multiple banks and accounting platforms, and ensuring the smooth running of the organization over the past 20 years, including filing taxes, payment of bills and staff, payments for contractors, and much more.

  The decision to eliminate Rosanna’s position was made by the Board as part of approving the GNOME Foundation budget for October 2025 to September 2026. The Board felt that this difficult decision was the right one for the Foundation, and we will be providing details about our plans in future communications. For now, we want to offer Rosanna our deepest thanks and best wishes for the future.

  Thank you, zana.

• Felipe Borges Our Goal with Google Summer of Code: Contributor Selection

  Last week, as I was writing my trip report about the Google Summer of Code Mentor Summit, I found myself going on a tangent about the program in our community, so I decided to split the content off into a couple of posts. In this post, I want to elaborate a bit on our goal with the program and how intern selection helps us with that.

  I have long been saying that GSoC is not a “pay-for-code” program for GNOME. It is an opportunity to bring new contributors to our community, improve our projects, and sustain our development model.

  Mentoring is hard and time consuming. GNOME Developers heroically dedicate hours of their weeks to helping new people learn how to contribute.

  Our goal with GSoC is to attract contributors that want to become GNOME Developers. We want contributors that will spend time helping others learn and keep the torch going.

  Merge-requests are very important, but so are the abilities to articulate ideas, hold healthy discussions, and build consensus among other contributors.

  For years, the project proposal was the main deciding factor for a contributor to get an internship with GNOME. That isn’t working anymore, especially in an era of AI-generated proposals. We need to up our game and dig deeper to find the right contributors.

  This might even mean asking for fewer internship slots. I believe that if we select a smaller group of people with the right motivations, we can give them the focused attention and support to continue their involvement long after the internship is completed.

  My suggestion for improving the intern selection process is to focus on three factors:

  • History of Contributions in gitlab.gnome.org: applicants should solve a few ~Newcomers issues, report bugs, and/or participate in discussions. This gives us an idea of how they perform in the contributing process as a whole.
  • Project Proposal: a document describing the project’s goals and detailing how the contributors plans to tackle the project. Containing some reasonable time estimates.
  • An interview: a 10 or 15 minutes call where admins and mentors can ask applicants a few questions about their Project Proposal and their History of Contributions.

  The final decision to select an intern should be a consideration of how the applicant performed across these aspects.

  Contributor selection is super important, and we must continue improving our process. This is about investing in the long-term health and sustainability of our project by finding and nurturing its future developers.

  If you want to find more about GSoC with GNOME, visit gsoc.gnome.org

• Remi Collet 📝 Redis version 8.4

  RPMs of Redis version 8.4 are available in the remi-modular repository for Fedora ≥ 41 and Enterprise Linux ≥ 8 (RHEL, Alma, CentOS, Rocky...).

  1. Installation

  Packages are available in the redis:remi-8.4 module stream.

  1.1. Using dnf4 on Enterprise Linux

  # dnf install https://rpms.remirepo.net/enterprise/remi-release-<ver>.rpm
  # dnf module switch-to redis:remi-8.4/common

  1.2. Using dnf5 on Fedora

  # dnf install https://rpms.remirepo.net/fedora/remi-release-<ver>.rpm
  # dnf module reset  redis
  # dnf module enable redis:remi-8.4
  # dnf install redis --allowerasing

  You may have to remove the valkey-compat-redis compatibilty package.

  2. Modules

  Some optional modules are also available:

  • RedisBloom as redis-bloom
  • RedisJSON as redis-json
  • RedisTimeSeries as redis-timeseries

  These packages are weak dependencies of Redis, so they are installed by default (if install_weak_deps is not disabled in the dnf configuration).

  The modules are automatically loaded after installation and service (re)start.

  The modules are not available for Enterprise Linux 8.

  3. Future

  Valkey also provides a similar set of modules, requiring some packaging changes already proposed for Fedora official repository.

  Redis may be proposed for unretirement and be back in the Fedora official repository, by me if I find enough motivation and energy, or by someone else.

  I may also try to solve packaging issues for other modules (e.g. RediSearch). For now, module packages are very far from Packaging Guidelines, so obviously not ready for a review.

  4. Statistics

  redis
  

  redis-bloom
  

  redis-json
  

  redis-timeseries
  

November 02, 2025

• Tomasz Torcz Backups with btrbk

  Storage setup of my home server is btrfs raid1 over two, dm-crypt'ed 16TB HDDs cached with bcache on NVMe. It works fine, however for PostgreSQL database and my homedir I prefer full NVMe speed.

  Therefore I've put those two directories on (dm-crypt'ed) btrfs subvolumes directly on NVMe. Thanks to DUP profile there's a protection against bitrot. But it's still a single device which may just die. Regardless of full backups, I was doing daily rsync into main drives, but there's faster and more capable way.

  Enter btrbk, which operates on btrfs subvolumes. It uses btrfs' native send capability to copy the subvolume between filesystems effectively.

  Additionally, it's very easy to keep some number of historic subvolume snapshots. They utilize copy-on-write, minimizing space usage. This let me recover files quickly or compare filesystem's state over last few days.

  The config it bit tricky, that's why I'm posting this. My full backup config below, divided in three sections for explanations.

  timestamp_format        long
  snapshot_preserve       14d
  snapshot_preserve_min   2d      # defaults to 'all'

  The source definition. preserve option combination is needed to have daily snapshots kept for last two weeks and have older snapshots removed.

  target_preserve         7d
  target_preserve_min     latest  # defaults to 'all'

  What to do with subvolumes copies at the target directory. Above combination of options keeps last seven days of snapshots copies.

  send_compressed_data    yes
  
  volume /run/btrbk-work
          target /home/poligon/backs/btrbk_snaps
  
          subvolume home_zdzichu
  
          subvolume var_lib_pgsql

  Job definition. /run/btrbk-work is a directory where I temporarily mount NVMe drive root volume with subvolumes beneath. /home/poligon/backs/btrbk_snaps is the directory on my main (raid1) pool where subvolume copies are stored. And the last two lines are specific subvolumes to copy.

  That works for me. btrbk is run by cron.daily/ from a short script ensuring everything is mounted where it should be.

  020/100 of #100DaysToOffload

November 01, 2025

• Kevin Fenzi infra weeksly recap: late October 2025

  

  I didn't do a recap last week (because I was on PTO on friday and monday) and thought about not doing one today either (I was on PTO friday/yesterday), but I thought of a few good items to talk about. :)

  Fedora Linux 43 released

  Of course Fedora linux 43 was relased, you should install/upgrade to it today.

  I typically upgrade all my machines at home (that aren't running rawhide) the week before release. I did that this time with all of them except one. On those other machines f43 was a typical nothing burger, no real problems everything working as expected.

  On my main server however I held off on the upgrade for now. This is due to:

  • I run my own matrix server, using the matrix-synapse package in fedora. Sadly, this package has had issues in F43+ due to python stack changes. As I understand it, it uses pydandic, but via a v1 compatibility mode, which changed a bit due to python 3.14. Luckily the Fedora maintainer worked on a patch to move it to v2 and worked through all the tests. It's merged upstream now. I expect f43/rawhide builds soon.

  • There's some issues around postgresql. f42 uses postgresql16, but f43 provides postgresql18 by default. You need to upgrade through 17. I went ahead and just did this on f42. (both 16 and 17 are packaged for f42). So that should be ready for the upgrade to 18 now.

  • dovecot changed it's config file around a great deal. I still need to port my f42 dovecot config to the new version before I upgrade.

  So, hopefully all that will be handed soon and I can upgrade that last server.

  tcp timeout issues

  The tcp timeout issues we are seeing between vlans in the new datacenter ( https://pagure.io/fedora-infrastructure/issue/12814 ) continues to vex. Networking have tried a few things, I think it might be better, but we have not come up with a complete fix yet.

  However, I did find another interesting datapoint. Moving our proxies to use port 8080 on backend kojipkgs servers (going directly to httpd there) instead of port 80 ( varnish ) has seen no failures.

  So, it's looking like some kind of traffic issue with port 80 flows. Networking is trying to find anything that would just be affecting that.

  Power news

  Got 3 power9 servers setup and processing copr builds now. This should help with copr ppc64le build capacity, and it also allowed us to test/configure the 'fedora-isolated' vlan that is going to have all the things from the rdu2-cc datacenter moved to it in early december. (This includes pagure.io).

  We now (finally, I hope) have a configuration for the power10's that will work for our needs. One of the two is setup this way now. I have created all the lpars and next week hopefully can get them installed. Once those are installed, I can move 1/2 of the existing buildvm-ppc64le's over to it and we can reconfigure the first server. This should allow spreading the load between the two and allow some more resources for them all.

  Secure boot signing work

  I finally have a ansible pr to setup the siguldry pesign bridge. Hopefully I can land that next week. This will move us from the current secure boot signing (a smart card on one builder) to using sigul (The thing that signs all out other stuff) doing the signing. We can then just configure builders we need to sign, no hardware changes needed. This will also now I sure hope allow us to setup signing for aarch64, something thats been in progress for like 6 years.

  comments? additions? reactions?

  As always, comment on mastodon: https://fosstodon.org/@nirik/115475810895231150

October 31, 2025

• Kushal Das Not anymore a director at the PSF board

  This month I did the last meeting as a director of the Python Software Foundation board, the new board already had their first meeting.

  I decided not to rerun in the election as:

  • I was a director from 2014 (except 1 year when python's random call decided to choose another name), means 10 years and that is long enough.
  • Being an immigrant in Sweden means my regular travel is very restricted and that stress effects all parts of life.

  When I first ran in the election I did not think it would continue this long. But, the Python community is amazing and I felt I should continue. But, the brain told me to give out the space to new folks.

  I will continue taking part in all other community activities.

October 30, 2025

• Jon Chiappetta Finally Able to Insert a Proper Layer of Bi-Directional Multi-Threaded Set of Core Operations to the Highly-Modified OpenVPN Source Code!

  Edit-Edit: After spending several more days tracing and tracking down connection state edge cases, I was able to greatly improve the performance of this modification. I had to rewrite most of the ssl library, socket library, packet library, forward library and multi/io libraries as well as remove some unneeded code paths including the fragment, ntlm, occ, ping, proxy, reliable, and socks libraries. I also filed a couple more code quality related PRs as well ( #4 ~ #5 ).

  Edit: After spending several days of testing and debugging, I found a couple bugs in the OpenVPN source code that I have informed the developers about ( #1 ~ #2 ~ #3 ). I was finally able to get 3 parallel session key states negotiated and renegotiated which the framework was never accounting for to happen! The framework allows for a 3-bit key ID field code to be used and negotiated.

  Session-State-Key-IDs(1,2,3): Client to Server Traffic Communication

  Session-State-Key-IDs(4,5,6): Server to Client Traffic Communication

  Session-State-Key-IDs(0,7): Backup General Traffic Communication

  
  We first negotiated our set of 3 keys for each of the 4 threads in this 1 process:
  Session State Key IDs: no=1, no=7, no=4
  
  2025-11-02 21:05:23 TCPv4_CLIENT DUAL keys [5] [ [key#0 state=S_GENERATED_KEYS auth=KS_AUTH_TRUE id=0 no=1 sid=0eb81f5c fb6a0553] [key#1 state=S_INITIAL auth=KS_AUTH_FALSE id=0 no=0 sid=00000000 00000000] [key#2 state=S_GENERATED_KEYS auth=KS_AUTH_TRUE id=0 no=7 sid=be550b82 c30fb5ec] [key#3 state=S_GENERATED_KEYS auth=KS_AUTH_TRUE id=0 no=4 sid=d0f67472 3dc74469] [key#4 state=S_INITIAL auth=KS_AUTH_FALSE id=0 no=0 sid=00000000 00000000]]
  
  We then renegotiated each of the 3 keys for each of the 4 threads for a total of 12x keys:
  Session State Key IDs: no=2, no=0, no=5
  Lame State Key IDs: no=1, no=7, no=4
  
  2025-11-02 21:06:09 TCPv4_CLIENT DUAL keys [5] [ [key#0 state=S_GENERATED_KEYS auth=KS_AUTH_TRUE id=0 no=2 sid=68cc0579 08edeaed] [key#1 state=S_GENERATED_KEYS auth=KS_AUTH_TRUE id=0 no=1 sid=0eb81f5c fb6a0553] [key#2 state=S_GENERATED_KEYS auth=KS_AUTH_TRUE id=0 no=0 sid=66f6bd41 5b9c05bd] [key#3 state=S_GENERATED_KEYS auth=KS_AUTH_TRUE id=0 no=5 sid=af1447d1 95e7c215] [key#4 state=S_GENERATED_KEYS auth=KS_AUTH_TRUE id=0 no=4 sid=d0f67472 3dc74469]]
  
  The second keys to each primary key listed are considered lame keys which are only meant for back up purposes only
  and are set to expire as they will be rotated out upon the next key renegotiation.
  

  When it comes to tunnelling and proxying data, there are in general two independent pipeline directions, read-link->send-tunn && read-tunn->send-link. I separated out some shared limiting variables in the bulk-mode source code which were the c2.buf && m->pending variables so that the data processing can operate independently for RL->ST and RT->SL. I also added a separate additional session state cipher key in the new dual-mode so that the PRIMARY key can handle client->server encryption/decryption independently and the new THREAD key can now be used for server->client traffic communication.

  

  ~

  

  ~

  Using TCP+BULK+MTIO+DUAL modes together with iptables performing dynamically distributed load balancing over 2x OpenVPN process tunnels running with 16x available threads — I am now able to achieve 144,000 bytes worth of data at a given time onto the 1500 byte MTU VPN link!

  

  ~

  Commit Code: github.com/stoops/openvpn-fork/compare/mtio…dual

  Pull Request: github.com/OpenVPN/openvpn/pull/884

  Complete Commits: github.com/stoops/openvpn-fork/compare/master…bust

  ~

• Kiwi TCMS Kiwi TCMS Enterprise 15.1.1-mt

  We're happy to announce Kiwi TCMS Enterprise version 15.1.1-mt!

  IMPORTANT:

  This is a quick fix for bug which was causing the password reset page to go into an infinite loop when users were trying to reset their passwords.

  You can explore everything at https://public.tenant.kiwitcms.org!

  ---

  Changes since Kiwi TCMS Enterprise v15.1-mt

  • Based on Kiwi TCMS v15.1
  • Temporarily disable password reset override to avoid infinite loop. A more elaborate patch will be provided in the next release

  Private container images

  hub.kiwitcms.eu/kiwitcms/enterprise       15.1.1-mt (aarch64)   232ecaec2677    30 Oct 2025     976MB
  hub.kiwitcms.eu/kiwitcms/enterprise       15.1.1-mt (x86_64)    73985ddf95ee    30 Oct 2025     955MB
  

  IMPORTANT: version tagged, multi-arch and Enterprise container images are available only to subscribers!

  How to upgrade

  Follow the Upgrading instructions from our documentation.

  Happy testing!

  ---

  If you like what we're doing and how Kiwi TCMS supports various communities please help us grow!

  • Give â­� on GitHub;
  • Join our newsletter and follow all project news;
  • Become a contributor and an awesome open source hacker;
  • Become a subscriber and help us sustain development

October 29, 2025

• Felipe Borges Google Summer of Code Mentor Summit 2025

  Last week, I took a lovely train ride to Munich, Germany, to represent GNOME at the Google Summer of Code Mentor Summit 2025. This was my first time attending the event, as previous editions were held in the US, which was always a bit too hard to travel.

  This was also my first time at an event with the “unconference” format, which I found to be quite interesting and engaging. I was able to contribute to a few discussions and hear a variety of different perspectives from other contributors. It seems that when done well, this format can lead to much richer conversations than our usual, pre-scheduled “one-to-many” talks.

  The event was attended by a variety of free and open-source communities from all over the world. These groups are building open solutions for everything from cloud software and climate applications to programming languages, academia, and of course, AI. This diversity was a great opportunity to learn about the challenges other software communities face and their unique circumstances.

  There was a nice discussion with the people behind MusicBrainz. I was happy and surprised to find out that they are the largest database of music metadata in the world, and that pretty much all popular music streaming services, record labels, and similar groups consume their data in some way.

  Funding the project is a constant challenge for them, given that they offer a public API that everyone can consume. They’ve managed over the years by making direct contact with these large companies, developing relationships with the decision-makers inside, and even sometimes publicly highlighting how these highly profitable businesses rely on FOSS projects that struggle with funding. Interesting stories. :)

  There was a large discussion about “AI slop,” particularly in GSoC applications. This is a struggle we’ve faced in GNOME as well, with a flood of AI-generated proposals. The Google Open Source team was firm that it’s up to each organization to set its own criteria for accepting interns, including rules for contributions. Many communities shared their experiences, and the common solution seems to be reducing the importance of the GSoC proposal document. Instead, organizations are focusing on requiring a history of small, “first-timer” contributions and conducting short video interviews to discuss that work. This gives us more confidence that the applicant truly understands what they are doing.

  GSoC is not a “pay-for-feature” initiative, neither for Google nor for GNOME. We see this as an opportunity to empower newcomers to become long-term GNOME contributors. Funding free and open-source work is hard, especially for people in less privileged places of the world, and initiatives like GSoC and Outreachy allow these people to participate and find career opportunities in our spaces. We have a large number of GSoC interns who have become long-term maintainers and contributors to GNOME. Many others have joined different industries, bringing their GNOME expertise and tech with them. It’s been a net-positive experience for Google, GNOME, and the contributors over the past decades.

  Our very own Karen Sandler was there and organized a discussion around diversity. This topic is as relevant as ever, especially given recent challenges to these initiatives in the US. We discussed ideas on how to make communities more diverse and better support the existing diverse members of our communities.

  It was quite inspiring. Communities from various other projects shared their stories and results, and to me, it just confirmed my perception: while diverse communities are hard to build, they can achieve much more than non-diverse ones in the long run. It is always worth investing in people.

  As always, the “hallway track” was incredibly fruitful. I had great chats with Carl Schwan (from KDE) about event organizing (comparing notes on GUADEC, Akademy, and LAS) and cross-community collaboration around technologies like Flathub and Flatpak. I also caught up with Claudio Wunder, who did engagement work for GNOME in the past and has always been a great supporter of our project. His insights into the dynamics of other non-profit foundations sparked some interesting discussions about the challenges we face in our foundation.

  I also had a great conversation with Till Kamppeter (from OpenPrinting) about the future of printing in xdg-desktop-portals. We focused on agreeing on a direction for new dialog features, like print preview and other custom app-embedded settings. This was the third time I’ve run into Till at a conference this year! :)

  I met plenty of new people and had various off-topic chats as well. The event was only two days long, but thanks to the unconference format, I ended up engaging far more with participants than I usually do in that amount of time.

  I also had the chance to give a lightning talk about GNOME’s long history with Google Summer of Code and how the program has helped us build our community. It was a great opportunity to also share our wider goals, like building a desktop for everyone and our focus on being a people-centric community.

  Finally, I’d like to thank Google for sponsoring my trip, and for providing the space for us all to talk about our communities and learn from so many others.

• Kiwi TCMS Meet Kiwi TCMS at Open Source Experience'25 in Paris

  Kiwi TCMS is happy to announce that we're taking part in Open Source Experience, Dec 10-11 in Paris, France. We're joining as part of the European Village category of exhibitors.

  

  Calling all testers and quality engineers as well as existing customers to join us on 10th & 11th Dec 2025 in Paris and talk about testing and software quality! You can learn first hand what's new, who's been using Kiwi TCMS in 2025 and what our plans for the future are! Please register free of charge with invitation code E-KIWIOSXP25.

  NOTE: Limited VIP codes with additional percs are available upon request! Please email us via info-at-kiwitcms.org for more information. In return we kindly ask you to share your Kiwi TCMS user story with the rest of our community!

  If you would like to know more about who uses Kiwi TCMS please check-out the history of Kiwi TCMS in France!

  ---

  If you like what we're doing and how Kiwi TCMS supports various communities please help us!

  • Give â­� on GitHub;
  • Join our newsletter and follow all project news;
  • Become a contributor and an awesome open source hacker;
  • Become a subscriber and help us sustain development

• Cockpit Project Cockpit 350

  Cockpit is the modern Linux admin interface. We release regularly.

  Here are the release notes from cockpit-machines 343 and cockpit-podman 116:

  Machines: Memory usage now shows numbers reported by the guest

  The memory usage bars now show the same numbers as tools like “top” and “free” when run inside the guest. Specifically, the memory usage shown by Cockpit is based on the “MemAvailable” number of the guest kernel.

  To implement this, Cockpit will run virsh dommemstat <vm name> --period 10 --life. If that is not acceptable, please let us know.

  Support stopping/starting/restarting quadlets

  Quadlets now have lifecycle operations such as “Start”. These use systemd operations instead of podman’s API.

  

  Try it out

  cockpit-machines 343 and cockpit-podman 116 are available now:

  • For your Linux system

  • Cockpit Client

  • cockpit-machines Source Tarball
  • cockpit-machines Fedora 43
  • cockpit-machines Fedora 42
  • cockpit-podman Source Tarball
  • cockpit-podman Fedora 43
  • cockpit-podman Fedora 42

October 28, 2025

• Kiwi TCMS Brief history of Kiwi TCMS in France

  

  Brief history of Kiwi TCMS in France 🇫🇷:

  Notable events

  • November 2018 - initial French translation contributed by Christophe CHAUVET. It was the second foreign language which was actively translated at the time
  • February 2019 - Kiwi TCMS starts executing its Postgres test suite using the French translation. This is still the case today
  • April 2020 - Armadeus Systems - ARM and FPGA based embedded Linux systems - becomes our first customer from France
  • March 2022 - /e/ Foundation (Murena) publishes a “Test session with Kiwiâ€� section on their documentation website which is available at https://doc.e.foundation/testers#test-session-with-kiwi
  • May 2024 - Kiwi TCMS takes part of the first Open Source Founders Summit in Paris and later becomes a member of the Open Source Founders Association

  Individual code contributors

  Christophe CHAUVET - Python Developer and PostgreSQL architect

  Christophe is a Python Developer and PostgreSQL architect who is responsible for the initial translation of Kiwi TCMS into French. He has also worked on improving overall translatability of Kiwi TCMS, fixing multiple parts of the application by marking source strings as translatable. His earliest code contribution is from 22nd Jan 2019!

  Nicolas AUVRAY - PhD in quantum physics, 0 A.D. team member

  Nicolas is a high-school teacher of Physics and Chemistry, with a PhD in quantum physics and also a tem member of 0 A.D - a popular open-source game of ancient warfare. He has contributed documentation about running Kiwi TCMS behind a reverse proxy with HAProxy and was the original inspiration behind the now defunct Open-Source-Test-Management repository. His earliest code contribution is from 08th Mar 2019!

  Nicolas GELOT - Python lover, automation addict and trail runner

  Nicolas is a Python developer and (in his own words) an automation addict from Paris; a member of the /e/ Foundation team. He has contributed a bug-fix for the order of test cases when closing a TestPlan in Kiwi TCMS. His earliest code contribution is from 16th Dec 2021!

  Antoine LORENCE - Freelance Python/Django developer, FOSS enthusiast

  Antoine is a Python/Django developer from Angers and the author of django-modern-rpc - the library underlying the Kiwi TCMS API layer! He has worked on changes related to Kiwi TCMS compatibility with the latest version of django-modern-rpc . His earliest code contribution is from 23rd May 2022!

  Corporate references

  Our anonymous analytics report over 25k events/1 yr recorded by Plausible and 12k events/3 mo recorded by Scarf. Here are some of the more interesting ones:

  • Parsec - https://kiwi.parsec.cloud - proof-of-concept with Kiwi TCMS
  • CAP’TRONIC - captronic.fr - several training courses about Test Driven Development include Kiwi TCMS
  • e*Message - kiwi-tcms.emessage.fr - most active French installation
  • Allianz - kiwitcms.oav-allianz.fr - another Kiwi TCMS instance
  • Hiiro - kiwi.paris-int.hiiro.app - uses Kiwi TCMS for testing 2026 Marathon de Paris support in their mobile application
  • Airbus CyberSecurity - kiwi.dev.cyberrange.fr - latest Kiwi TCMS installation in France

  If you would like to know more and meet Kiwi TCMS in person you can do so at Open Source Experience, 10 & 11 Dec 2025 in Paris!

  ---

  If you like what we're doing please help us grow and sustain development!

  • Give â­� on GitHub;
  • Join our newsletter and follow all news;
  • Become a contributor and an awesome open source hacker;
  • Become a subscriber and help us sustain development

October 27, 2025

• Colin Walters Thoughts on agentic AI coding as of Oct 2025

  Sandboxed, reviewed parallel agents make sense

  For coding and software engineering, I’ve used and experimented with various frontends (FOSS and proprietary) to multiple foundation models (mostly proprietary) trying to keep up with the state of the art. I’ve come to strongly believe in a few things:

  • Agentic AI for coding needs strongly sandboxed, reproducible environments
  • It makes sense to run multiple agents at once
  • AI output definitely needs human review

  Why human review is necessary

  Prompt injection is a serious risk at scale

  All AI is at risk of prompt injection to some degree, but it’s particularly dangerous with agentic coding. All the state of the art today knows how to do is mitigate it at best. I don’t think it’s a reason to avoid AI, but it’s one of the top reasons to use AI thoughtfully and carefully for products that have any level of criticality.

  OpenAI’s Codex documentation has a simple and good example of this.

  Disabling the tests and claiming success

  Beyond that, I’ve experienced multiple times different models happily disabling the tests or adding a println!("TODO add testing here") and claim success. At least this one is easier to mitigate with a second agent doing code review before it gets to human review.

  Sandboxing

  The “can I do X” prompting model that various interfaces default to is seriously flawed. Anthropic has a recent blog post on Claude Code changes in this area.

  My take here is that sandboxing is only part of the problem; the other part is ensuring the agent has a reproducible environment, and especially one that can be run in IaaS environments. I think devcontainers are a good fit.

  I don’t agree with the statement from Anthropic’s blog

  without the overhead of spinning up and managing a container.

  I don’t think this is overhead for most projects because Where it feels like it has overhead, we should be working to mitigate it.

  Running code as separate login users

  In fact, one thing I think we should popularize more on Linux is the concept of running multiple unprivileged login users. Personally for the tasks I work on, it often involves building containers or launching local VMs, and isolating that works really well with a full separate “user” identity. An experiment I did was basically useradd ai and running delegated tasks there instead. To log in I added %wheel ALL=NOPASSWD: /usr/bin/machinectl shell ai@ to /etc/sudoers.d/ai-login so that my regular human user could easily get a shell in the ai user’s context.

  I haven’t truly “operationalized” this one as juggling separate git repository clones was a bit painful, but I think I could automate it more. I’m interested in hearing from folks who are doing something similar.

  Parallel, IaaS-ready agents…with review

  I’m today often running 2-3 agents in parallel on different tasks (with different levels of success, but that’s its own story).

  It makes total sense to support delegating some of these agents to work off my local system and into cloud infrastructure.

  In looking around in this space, there’s quite a lot of stuff. One of them is Ona (formerly Gitpod). I gave it a quick try and I like where they’re going, but more on this below.

  Github Copilot can also do something similar to this, but what I don’t like about it is that it pushes a model where all of one’s interaction is in the PR. That’s going to be seriously noisy for some repositories, and interaction with LLMs can feel too “personal” sometimes to have permanently recorded.

  Credentials should be on demand and fine grained for tasks

  To me a huge flaw with Ona and one shared with other things like Langchain Open-SWE is basically this:

  

  Sorry but: no way I’m clicking OK on that button. I need a strong and clearly delineated barrier between tooling/AI agents acting “as me” and my ability to approve and push code or even do basic things like edit existing pull requests.

  Github’s Copilot gets this more right because its bot runs as a distinct identity. I haven’t dug into what it’s authorized to do. I may play with it more, but I also want to use agents outside of Github and I also am not a fan of deepening dependence on a single proprietary forge either.

  So I think a key thing agent frontends should help do here is in granting fine-grained ephemeral credentials for dedicated write access as an agent is working on a task. This “credential handling” should be a clearly distinct component. (This goes beyond just git forges of course but also other issue trackers or data sources that may be in context).

  Conclusion

  There’s so much out there on this, I can barely keep track while trying to do my real job. I’m sure I’m not alone – but I’m interested in other’s thoughts on this!

• Kiwi TCMS Testing and Continuous Delivery devroom, FOSDEM'26

  

  Attention testers! On behalf of the Testing and Continuous Delivery devroom we'd like to announce that call for participation is now open. This room is about building better software through a focus on testing and continuous delivery practices across all layers of the stack. The purpose of this devroom is to share good and bad examples around the question “how to improve quality of our software by automating tests, deliveries or deployments” and to showcase new open source tools and practices.

  Note: for FOSDEM 2026 this devroom is a merger between the former Testing and Automation and Continuous Integration and Continuous Deployment devrooms and is jointly organized between devroom managers in previous FOSDEM editions! Kiwi TCMS is proud to be part of the team hosting this devroom!

  Important: devroom will take place on Sunday, February 1st 2026 at ULB Solbosch Campus, Brussels, Belgium! Presentations will be streamed online but all accepted speakers are required to deliver their talks in person!

  Here are some ideas for topics that are a good fit for this devroom:

  Testing in the real, open source world

  • War stories/strategies for testing large scale or complex projects
  • Tools that extend the ability to test low-level code, e.g. bootloaders, init systems, etc.
  • Projects that are introducing new/interesting ways of testing "systems"
  • Address the automated testing frameworks fragmentation
  • Stories from end-users (e.g. success/failure)
  • Continuous Integration
  • Continuous Delivery
  • Continuous Deployment
  • Security in Software Supply Chain
  • Pipeline standardization
  • Interoperability in CI/CD
  • Lessons learned

  Cool Tools (good candidates for lightning talks)

  • Project showcases, modern tooling
  • How your open source tool made developing quality software better
  • What tools do you use to setup your CI/CD
  • Combining projects/plugins/tools to build amazing things "Not enough people in the open source community know how to use $X, but here's a tutorial on how to use $X to make your project better."

  In the past the devroom has seen both newbies/students and experienced professionals and past speakers as part of the audience and talks covering from beginner/practical to advanced/abstract topics. If you have doubts then submit your proposal and leave a comment for the devroom managers and we'll get back to you.

  To submit a talk proposal (you can submit multiple proposals if you'd like) use Pretalx, the FOSDEM paper submission system. Be sure to select Testing and Continuous delivery otherwise we won't see your proposal!

  Checkout https://fosdem-testingautomation.github.io/ for more information!

  Happy Testing!

  ---

  If you like what we're doing and how Kiwi TCMS supports various communities please help us!

  • Give ⭐ on GitHub;
  • Join our newsletter and follow all project news;
  • Become a contributor and an awesome open source hacker;
  • Become a customer and we'll share our profits with the community

October 24, 2025

• Jon Chiappetta Linux Routing – Load Balancing

  So, I also learned another new lesson recently that the Linux kernel way back in the day used to properly load balance routes (nexthop weights) by making use of a routing cache to remember which connection is associated with which route. Then, that cache implementation was removed and replaced instead with sending individual packets randomly down each route listed (similar to how I was initially approaching the OpenVPN load balancing between multiple threads). This, however, would break connection states and packet ordering as the two route links may be going to separate places entirely. Then, the Linux kernel developers decided to implement a basic hash mapping algorithm that would associate a connection stream with the same routing hop, always. This is a very limited form of load balancing as the same source+destination address will always map to the same hash which will always match the same routing path every time (this will be even more limiting also if you are using a source NAT).

  It turns out there is another trick to get some more dynamically distributed load balanced routing under Linux which is to make use of the iptables mangle table and connmark a new connection state so that the conntrack table can save+restore the specified packet markings. You can then set an ip rule to pick up these firewall markers and associate them to a different routing table. In addition to this, you are able to use a random algorithm or modding algorithm to evenly set different marks giving you even greater routing variety!

  $ipt -t mangle -A PREROUTING -i lan -m mark --mark 0x0 -j CONNMARK --restore-mark
  $ipt -t mangle -A PREROUTING -i lan -m statistic --mode nth --every 2 --packet 0 -m mark --mark 0x0 -j MARK --set-mark 8
  $ipt -t mangle -A PREROUTING -i lan -m statistic --mode nth --every 1 --packet 0 -m mark --mark 0x0 -j MARK --set-mark 9
  $ipt -t mangle -A PREROUTING -i lan -m mark ! --mark 0x0 -j CONNMARK --save-mark

  echo "8 vpna" >> /etc/iproute2/rt_tables
  echo "9 vpnb" >> /etc/iproute2/rt_tables
  ip rule add fwmark 8 table vpna
  ip rule add fwmark 9 table vpnb

  You can then now add your VPN tunnel routing rules to both new ip routing tables, for example, vpna and vpnb!

  ~

• Allan Day GNOME Foundation Update, 2025-10-24

  It’s Friday, so it’s time for a GNOME Foundation update, and there are some exciting items to share. As ever, these are just the highlights: there’s plenty more happening in the background that I’m not covering.

  Fundraising progress

  I’m pleased to be able to report that, in recent weeks, the number of donors in our Friends of GNOME program has been increasing. These new regular donations are already adding up to a non-trivial rise in income for the Foundation, which is already making a significant difference to us as an organization.

  I’d like to take this moment to thank every person who has signed up with a regular donation. You are all making a major difference to the GNOME Foundation and the future of the GNOME project. Thank you! We appreciate every single donation.

  The new contributions we are receiving are vital, but we want to go further, and we are working on our plans for both fundraising and future investments in the GNOME project.

  New accountant

  This week we secured the services of a new accountant, Dawn Matlak. Dawn is extremely knowledgeable, and comes with a huge amount of relevant experience, particularly around fiscal hosting. She’s also great to work with, and we’re looking forward to collaborating with her.

  Dawn is going to be doing a fair amount of work for us in the coming months. In addition to helping us to prepare for our upcoming audit, she is also going to be overhauling some of our finance systems, in order to reduce workloads, increase reliability, and speed up processing.

  GNOME.Asia

  In other news, GNOME.Asia 2025 is happening in Tokyo on 13-15 December, and it’s approaching fast! Talk submissions have been reviewed and accepted, and the schedule is starting to come together. Information is being added to the website, and social activities are being planned. It’s shaping up to be a great event.

  Registration for attendees isn’t open just yet, but it isn’t far off – look out for the announcement.

  That’s it from me this week. I am on vacation next week, so I’ll be skipping next week’s post. See you in two weeks!

• Remi Collet ⚙️ PHP version 8.3.27 and 8.4.14

  RPMs of PHP version 8.4.14 are available in the remi-modular repository for Fedora ≥ 41 and Enterprise Linux ≥ 8 (RHEL, Alma, CentOS, Rocky...).

  RPMs of PHP version 8.3.27 are available in the remi-modular repository for Fedora ≥ 41 and Enterprise Linux ≥ 8 (RHEL, Alma, CentOS, Rocky...).

  ℹ� The packages are available for x86_64 and aarch64.

  ℹï¸� There is no security fix this month, so no update for versions 8.1.33 and 8.2.29.

  These versions are also available as Software Collections in the remi-safe repository.

  Version announcements:

  • PHP 8.4.14 Release Annoucement
  • PHP 8.3.27 Release Annoucement

  ℹ� Installation: use the Configuration Wizard and choose your version and installation mode.

  Replacement of default PHP by version 8.4 installation (simplest):

  dnf module switch-to php:remi-8.4/common
  

  Parallel installation of version 8.4 as Software Collection

  yum install php84

  Replacement of default PHP by version 8.3 installation (simplest):

  dnf module switch-to php:remi-8.3/common
  

  Parallel installation of version 8.3 as Software Collection

  yum install php83

  And soon in the official updates:

  • Fedora Rawhide now has PHP version 8.5.0RC3
  • Fedora 43 - PHP 8.4.14
  • Fedora 42 - PHP 8.4.14
  • Fedora 41 - PHP 8.3.27

  ⚠� To be noticed :

  • EL-10 RPMs are built using RHEL-10.0
  • EL-9 RPMs are built using RHEL-9.6
  • EL-8 RPMs are built using RHEL-8.10
  • intl extension now uses libicu74 (version 74.2)
  • mbstring extension (EL builds) now uses oniguruma5php (version 6.9.10, instead of the outdated system library)
  • oci8 extension now uses the RPM of Oracle Instant Client version 23.8 on x86_64 and aarch64
  • a lot of extensions are also available; see the PHP extensions RPM status (from PECL and other sources) page

  ℹ� Information:

  • Migrating from PHP 8.2.x to PHP 8.3.x
  • Migrating from PHP 8.3.x to PHP 8.4.x

  Base packages (php)

  

  

  Software Collections (php83 / php84)