Fedora is a Trademark of Red Hat, Inc, an operating system built by volunteers around the world. This page is provided so that independent volunteers can showcase our contributions to Fedora and Free Software in general. Official Fedora Download page.

RSS Atom

We Make Fedora

June 25, 2026

• Fedora Community Blog Fedora at XV P.I.W.O. Poznań Free Software Fest

  On Saturday May 30th 2026, the XV edition of P.I.W.O. Poznań Free Software Fest was held in Poznań, Poland.

  P.I.W.O. is an event with a long history. Between 2004 and 2018, it was organized by various student associations at the PoznaÅ„ University of Technology. After 2018’s XIII edition (superstition much?), it entered a long hiatus that lasted until 2025, when members of the newly-formed Knyfyrtel PoznaÅ„ Hackerspace decided to bring it back. The reactivated event proved a huge success, with the XIV edition bringing in 197 attendees. As such, ambitions for 2026 were rather big.

  Teamwork makes the dream work

  This year’s edition was the result of combined efforts of three PoznaÅ„-based organizations:

  • Knyfyrtel Hackerspace PoznaÅ„
  • “Webrains” Students’ Scientific Association at the Adam Mickiewicz University
  • “Linux Academic Group” Students’ Scientific Association at the PoznaÅ„ University of Technology

  

  Thanks to Webrains, for the first time in its history, the event was held at the Adam Mickiewicz University in PoznaÅ„ – namely, the uni’s Faculty of Mathematics and Computer Science. Also a historical first, the XV edition was granted honorary patronage by the President of PoznaÅ„ City Council.

  Busy, busy day

  The event spanned almost the entire Saturday, opening at 9:30 am and closing at 7:35 pm. The agenda was tightly packed, featuring 3 lecture tracks with 24 talks, 2 workshop tracks with 8 activities, plus a LAN Party track with 3 tournaments, as well as “free play” sessions. There was also a quiet corner where, thanks to the “Honte” group, attendees could relax and learn to play Go.

  

  

  

  Throughout the years, one of P.I.W.O.’s hallmarks was the lunch break, with the attendees being provided free pizza. This year couldn’t be any different, with some 66m² (or 710 ft²) of pizza being delivered to the venue. (It disappeared frighteningly quick.)

  

  

  The Fedora Community was represented by:

  • Zbyszek JÄ™drzejewski-Szmek, who gave 2 (!) talks
  • Mat Holmes, who volunteered as a photographer
  • Kacper SkrzyÅ„ski, who handled various urgent tasks
  • Artur Frenszek-Iwicki, who gave a talk and held a workshop session

  

  Historical moment: creation of SPOIWO

  This year’s P.I.W.O. served as an opportunity to announce the creation of SPOIWO – Sojusz Przyjaciół Otwartego i Wolnego Oprogramowania (Alliance of Friends of Open and Free Software). This diverse coalition of social and technology organisations, cooperatives and open source businesses signed a declaration in support of digital sovereignty. The alliance was formed in response to the ever-deepening of public institutions’ dependency on closed platforms and their loss of control over data and communication.

  

  The signing ceremony also featured speeches by representatives of SUSE Poland, Polish Linux User Group, “Internet. Czas działać!� Foundation and PLZ Spółdzielnia.

  Exceeding all expectations

  The event wrapped with 452 attendee badges issued, which exceeded even the most daring of expectations. (The number also explains why the pizza disappeared so quick.) The bar for the next edition is set high, but so are the organizing team’s ambitions.

  

  

  

  If you’d like to learn more about the event, watch the live stream recordings, or subscribe to news so you won’t miss the announcement for the XVI edition – you can do all of that on the event’s website, at piwo.sh.

  The post Fedora at XV P.I.W.O. Poznań Free Software Fest appeared first on Fedora Community Blog.

June 24, 2026

• Kiwi TCMS Kiwi TCMS 16.1

  Dear testers, we're happy to announce Kiwi TCMS version 16.1!

  IMPORTANT:

  This is a minor version release which includes security related updates, several improvements, database migrations, new API methods and updated translations.

  You can explore everything at https://public.tenant.kiwitcms.org!

  ---

  Public container image (x86_64):

  pub.kiwitcms.eu/kiwitcms/kiwi   latest  12fc270ef5b9    862MB
  

  IMPORTANT: version tagged and multi-arch container images are available only to subscribers!

  Changes since Kiwi TCMS 16.0

  Security

  • Restrict open redirect. Fixes CVE-2026-54724
  • Validate user input in extra_link fields. Fixes CVE-2026-55630

  Improvements

  • Update bleach from 6.3.0 to 6.4.0
  • Update django from 5.2.15 to 6.0.6
  • Update django-guardian from 3.3.1 to 3.3.2
  • Update django-simple-history from 3.11.0 to 3.12.0
  • Update node_modules/js-yaml from 4.1.1 to 4.2.0
  • Update node_modules/pdfmake from 0.3.7 to 0.3.11
  • Update node_modules/webpack from 5.106.0 to 5.107.2
  • Update node_modules/webpack-cli from 7.0.2 to 7.0.3
  • Remove the handle_attachments_post_save() signal. Going forward files uploaded via rich text editor will be linked to the user who uploaded them

  Database

  • Add migration testcases.0024_alter_testcase_extra_link
  • Add migration testplans.0011_alter_testplan_extra_link
  • Add migration testruns.0020_testexecutiontag

  API

  • Add TestExecution.remove_tag() method. Refs Issue #4349
  • Method Tag.filter() now returns the execution field

  Bug fixes

  • Fix invalid multiline {% trans %} on password reset confirm page

  Refactoring and testing

  • Update actions/checkout from 6 to 7
  • Update codecov/codecov-action from 6 to 7
  • Update isort from 6.1.0 to 8.0.1
  • Update locust from 2.44.1 to 2.44.4
  • Update pylint from 3.3.9 to 4.0.6
  • Silence false-positive errors & adjustments for newer pylint
  • Skip English plural forms of seen strings in similar-string linter
  • Add XML-RPC API test case with non-printable character

  Translations

  • Updated Chinese Simplified translation
  • Updated German translation

  Changes since Kiwi TCMS Enterprise v16.0-mt

  • Based on Kiwi TCMS v16.1
  • Compatible with Django 6
  • Update kiwitcms-github-app from 2.2.2 to 2.3.0
  • Update kiwitcms-tenants from 4.4.4 to 4.5.0
  • Update kiwitcms-trackers-integration from 1.3.1 to 1.4.0
  • Update sentry-sdk from 2.61.1 to 2.63.0

  Private container images

  hub.kiwitcms.eu/kiwitcms/version          16.1 (aarch64)          ae3442ef043b    24 Jun 2026     715MB
  hub.kiwitcms.eu/kiwitcms/version          16.1 (x86_64)           8a98927b8581    24 Jun 2026     696MB
  hub.kiwitcms.eu/kiwitcms/enterprise       16.1-mt (aarch64)       0610f65a5fd5    24 Jun 2026     913MB
  hub.kiwitcms.eu/kiwitcms/enterprise       16.1-mt (x86_64)        a3f823870351    24 Jun 2026     892MB
  

  IMPORTANT: version tagged, multi-arch and Enterprise container images are available only to subscribers!

  How to upgrade

  Follow the Upgrading instructions from our documentation.

  Happy testing!

  ---

  If you like what we're doing and how Kiwi TCMS supports various communities please help us grow!

  • Give â­� on GitHub;
  • Join our newsletter and follow all news;
  • Become a subscriber and help us sustain development

• Dennis Gilmore Global Roaming on Google Fi and Linux

  I have a 5G modem in my Lenovo x13s and t14s. I run Fedora on them, currently Fedora 44. I have had issues in the past when traveling. The 5G modem works fine when in the US but will not connect to any provider when roaming. It has worked after some time in the UK and Australia, but not in other countries. I use Google Fi for phone service, which allows roaming with the same data allowance as in the US.

  After some digging during my current trip, when it wasn’t connecting, I think I have found the issue and a workaround to ensure I can connect. Google Fi uses two networks, T-Mobile in the US and Three UK when roaming. It also uses T-Mobile for roaming. The issue seemed to be that the towers were rejecting the SIM card, attempting to register using T-Mobile’s default APN that seems to be baked into the SIM card as a default profile. The ModemManager logs looked like the following

  ModemManager[1603]: <msg> [modem0] 3GPP packet service state changed (unknown -> detached)
  ModemManager[1603]: <msg> [modem0] 3GPP packet service state changed (detached -> unknown)
  ModemManager[1603]: <msg> [modem0] 3GPP packet service state changed (unknown -> detached)
  ModemManager[1603]: <msg> [modem0] 3GPP packet service state changed (detached -> unknown)

  The trick that got it to connect was to make a change to the default profile used to connect to the phone tower was to run an mmcli command: “mmcli -m 0 –3gpp-set-initial-eps-bearer-settings=”apn=h2g2,ip-type=ipv4v6” Which forces the sim to use the Google Fi APN and not the T-Mobile one

June 23, 2026

• Tomas Tomecek Running opencode inside openshell on Fedora 44 with llama-cpp

  For quite some time I wanted to explore openshell. I naively thought it would be easy to set up on my workstation that has an AMD GPU, together with llama-cpp as an inference server.

  After following the tutorial, I was immediately stuck even with running the gateway in a podman container.

  I guess I’m too old for this stuff because I let Claude Code to investigate the problems.

  

• Fedora Community Blog Community Update – Week 25, 2026

  This is a report created by CLE Team, which is a team containing community members working in various Fedora groups for example Infrastructure, Release Engineering, Quality etc. This team is also moving forward some initiatives inside Fedora project.

  Week: 15 – 19 June 2026 (Flock Week!!)

  Fedora Infrastructure

  This team is taking care of day to day business regarding Fedora Infrastructure.
  It’s responsible for services running in Fedora infrastructure.
  Ticket tracker

  • Helped getting elnbuildsync moved into stg openshift (ongoing).
  • A couple more services had OS upgrades to Fedora 44.
  • Some more MirrorManager problems.
  • Scrappers found another ostree repo. on kojipkgs, limited dir. indexing to stop the attack and then searched for any other ostree repos. Hopefully the last time it happens.

  CentOS Infra including CentOS CI

  This team is taking care of day to day business regarding CentOS Infrastructure and CentOS Stream Infrastructure.
  It’s responsible for services running in CentOS Infrastructure and CentOS Stream.
  CentOS ticket tracker
  CentOS Stream ticket tracker

  • Finish rebuilding/bumping some pkgs for ppc64le libvirt/qemu-kvm stack on el10 (https://gitlab.com/CentOS/infra/tracker/-/work_items/1928)
  • Start to work on debuginfo origin servers refresh with el10 instances (https://gitlab.com/CentOS/infra/tracker/-/work_items/1892)
  • More coordination work with Stream team about secureboot issues (https://redhat.atlassian.net/browse/CS-3400)
  • Finishing last debuginfo pool members reinstall (https://gitlab.com/CentOS/infra/tracker/-/work_items/1892)
  • Decommission old openstack env for stream (https://redhat.atlassian.net/browse/CS-3404)
  • Cloud SIG doc url change (migration to gitlab, from pagure) – https://gitlab.com/CentOS/infra/tracker/-/work_items/1934
  • internal requests (FRCL and audit compliance)
  • Move another SIG doc url (away from pagure.io) – https://gitlab.com/CentOS/infra/tracker/-/work_items/1938
  • Modified the aws load-balancer settings for one ocp tenant (https://gitlab.com/CentOS/infra/tracker/-/work_items/1932)
  • Migrate haproxy load-balancers to el10 for stream dc-move prep (https://redhat.atlassian.net/browse/CS-3353)

  Release Engineering

  This team is taking care of day to day business regarding Fedora releases.
  It’s responsible for releases, retirement process of packages and package builds.
  Ticket tracker

  • Migration at 95%, the only thing left to migrate is majorly fedora-scm-requests, bug fixes, and continued releng operations.
  • Migration: archive-repo-manager from pagure
  • Fix: Missing permissions on releng/fedora-comps
  • Bug Fix: Mass tagging script for verification bits
  • F45 Change Sets reviews are in check and f45-python side tags are merged.
  • Regular releng operations.

  QE

  This team is taking care of quality of Fedora. Maintaining CI, organizing test days
  and keeping an eye on overall quality of Fedora releases.

  • We’ve started searching for new owners/maintainers of Packager Dashboard and Oraculum

  Forgejo

  This team is working on introduction of https://forge.fedoraproject.org to Fedora
  and migration of repositories from pagure.io.

  • Completed the Flock To Fedora 2026 presentation on Fedora → Forgejo migration efforts #588, packaged and deployed Forgejo 15.0.3 #620.
  • successfully ran the PR fix doctor across all migrated repositories #601 to address merge issues with Pagure imports.
  • Enhanced runner infrastructure with the addition of a Testing Farm runner option #619 and docker-slim type runner #568, and improved security by deploying oauth-proxy to secure the Forge metrics endpoint #571.

  EPEL

  This team is working on keeping Epel running and helping package things.

  • Updated caddy in rawhide, resolving 14 CVEs
  • Ongoing onboarding of Pedro

  UX

  This team is working on improving User experience. Providing artwork, user experience,
  usability, and general design services to the Fedora project

  • With Flock this week, got to see how all the final designs turned out it in person!
  • Emma delivered her talk on ‘Why You Should Use Open Source Design in Open Source’ at Flock
  • Great progress on the F45 wallpaper in the final stretch!

  If you have any questions or feedback, please respond to this report or contact us on #admin:fedoraproject.org channel on matrix.

  The post Community Update – Week 25, 2026 appeared first on Fedora Community Blog.

• Fedora Community Blog Community Update – Week 24, 2026

  This is a report created by CLE Team, which is a team containing community members working in various Fedora groups for example Infrastructure, Release Engineering, Quality etc. This team is also moving forward some initiatives inside Fedora project.

  Week: 08 – 12 June 2026

  Fedora Infrastructure

  This team is taking care of day to day business regarding Fedora Infrastructure.
  It’s responsible for services running in Fedora infrastructure.
  Ticket tracker

  • Request for CentOS Alternative Images SIG URL Update
  • Wiki upgrade problems/patch with FedoraMessaging when editing a page
  • Staging wiki down due to PluggableAuth extension issue
  • Move all remaining Fedora 42 instances to 44
  • Deploy DRM Panic Frontend
  • Switch from session-based OIDC to Authentication Bearer
  • Move the Fedora Badges static assets from Pagure to Forgejo
  • badges: fix image trigger annote order on deploy metadata
  • List authorization in CORS headers for API routes

  CentOS Infra including CentOS CI

  This team is taking care of day to day business regarding CentOS Infrastructure and CentOS Stream Infrastructure.
  It’s responsible for services running in CentOS Infrastructure and CentOS Stream.
  CentOS ticket tracker
  CentOS Stream ticket tracker

  • Fix backup cache DB mismatch on backup machine
  • Change isa riscv %dist to .el10rv
  • Reinstall failed sponsored server
  • rebase needed qemu-kvm/libvirt stack for ppc64le hypervisor role
  • Refresh new RHEL releases on deployment server[s]
  • Deploy new donated machine (and onboard new sponsor)
  • Upgrade various OCP clusters to latest 4.18 minor version
  • debug a acme renew issue
  • Investigate crashing postgres on cbs-hub
  • Degraded RAID array in sponsored machine
  • CentOS-Stream-GenericCloud-x86_64-10-latest.x86_64.qcow2.SHA256SUM is a zero byte file
  • cbs command aborts on Fedora 44 due to missing CA bundle path
  • [reminder] : reach out to new sponsor in South Africa

  Release Engineering

  This team is taking care of day to day business regarding Fedora releases.
  It’s responsible for releases, retirement process of packages and package builds.
  Ticket tracker

  • Change Set Review for F45
  • Script improvement and feature addition (in-progress):
    • fix(orphans): handle alternative providers to eliminate false positives
    • Fixes #9841 – adds a release_type field to .composeinfo so we can tell Beta and Final releases apart.
  • Regular Releng Operations
  • Fedora 42 EOL Preps

  AI

  This is the summary of the work done regarding AI in Fedora.

  • Testdays (the webapp we use for running…Test Days) has an MCP server now (not sure if it’s deployed in prod yet though) – work by Jaroslav Groma

  QE

  This team is taking care of quality of Fedora. Maintaining CI, organizing test days
  and keeping an eye on overall quality of Fedora releases.

  • Executive summary: Python 3.15 and kmscon Changes landing caused some fallout, tool tech debt payoff / enhancement continues, most team members used Day of Learning for AI experimentation
  • Two major Changes landed: Python 3.15 and kmscon consoles, various fallout from that:
    • CoreOS and IoT both broken by the kmscon change
    • Got on-the-fly keyboard layout changes added (important for openQA)
    • Kickstart installs broken by Python 3.15 change (sent a fix)
    • Various openQA test updates required for kmscon fixes
  • openQA serial bug worked around, new packages now deployed to prod
  • Tech debt repayment and new feature work continue on testdays, issuebot and blockerbugs
  • Kparal continues to find bugs in Lenovo laptop support
  • Work on ELN kernel gating got blocked by an unfortunate pre-existing design problem
  • Worked with Cristian Le to get rpmdeplint pipeline updated so fixes from last ~year are in prod, it now runs in ~2 minutes instead of ~20
  • Team did some AI agent / skills experimentation during Day of Learning

  Forgejo

  This team is working on introduction of https://forge.fedoraproject.org to Fedora
  and migration of repositories from pagure.io.

  • `testing-farm` optimized runner option provided to `ci` and `atomic-desktops` organizations
  • Regular runners capacity increased from 1 to 4 concurrent jobs
  • Private Issues work is ongoing.

  EPEL

  This team is working on keeping Epel running and helping package things.

  • Executive summary: 
  • Completed archiving of EPEL 10.1
  • Package maintenance across multiple Fedora and EPEL packages
  • Quality work via bug reports and bodhi karma

  UX

  This team is working on improving User experience. Providing artwork, user experience,
  usability, and general design services to the Fedora project

  • Final stretch prepping Flock materials – Fedora badge, livestream template, sponsor splash
  • Progress being made on the F45 Wallpaper
  • Emma gave a talk about the Fedora Design team at the Waterford office’s Fedora 44 Release Party last Wednesday

  If you have any questions or feedback, please respond to this report or contact us on #admin:fedoraproject.org channel on matrix.

  The post Community Update – Week 24, 2026 appeared first on Fedora Community Blog.

June 22, 2026

• Fedora fans پانزدهمین سالگرد وب سایت طرفداران فدورا

  

  درود بر دوستان، همراهان و اعضای خانواده بزرگ طرفداران فدورا امروز با افتخار پانزدهمین سالگرد تأسیس وب‌سایت FedoraFans می باشد. پانزده سال پیش، با هدف ترویج فرهنگ نرم‌افزارهای آزاد و متن‌باز، آموزش لینوکس فدورا و ایجاد فضایی برای تبادل دانش و تجربه، این وب‌سایت فعالیت خود را آغاز کرد. آن روزها شاید تصور نمی‌کردیم که […]

  The post پانزدهمین سالگرد وب سایت طرفداران فدورا first appeared on طرفداران فدورا.

• Adam Young Father’s day project

  Getting a little more organized in my workshop. My pain point was boxes of nails or screws falling off shelves.

  And, of course, I wanted an excuse to use the laser cutter.

  

  

  I took a lesson from Minecrafters and put an instance of what was inside the box on the front id the box.

• Michel Alexandre Salim Introducing dbranch 🍥→🤝

  Caveat lector

  This post discusses tools reluctantly written with AI assistance. If you don’t entertain using them under any circumstance, and think even reading about them legally compromise your ability to reimplement them yourselves, stop reading now

  Today’s post introduces dbranch, a tool to update a Debian package in unstable, and rebuild downstream branches (currently supports Ubuntu PPAs and stable proposed-updates; backports support could be easily added once I have a package that needs it). Eagle-eyed readers might notice the naming similarity with my previous tool ebranch; and the credit for the name and inspiration eventually came from Jens Petersen’s fbrnch.

June 21, 2026

• Miroslav Suchý Flock and Devconf - Field Report

  Flock

  I was looking forward to this year’s Flock - Fedora Project Conference. I had to cut my vacation short and return from my river trip a day early.

  I arrived in Prague at noon on Sunday, just in time to attend František Lachman’s workshop “PR-based Gating for Fedora: Can We Make It Work?�. We all agreed that we want all contributions to happen through pull requests and only after all tests pass. However, we also realized it is not easy: gating for multi-package PRs will be difficult (unless we have a monorepo). Proven packagers will need special handling (can we work on this later?), and first, we need the new Forgejo—everyone is looking forward to it. Coincidentally, later at Devconf, I spoke to Marcela, who mentioned that SUSE already has Forgejo for all packages and that it does not scale as they expected.
  But the important message from Miro was: “we should not force maintainers to use a new workflow; we should make it pleasant and easy to use so they want to use it on their own.�

  After this workshop, I checked into my hotel and later returned to the venue. We had a passionate conversation with Aleksandra, Miro, and Karolina during a card game. We then moved with several other people to a nearby pub that served Belgian beer. I had only one glass, but I felt very dizzy and tired, so I returned to the hotel sooner than the rest of the gang.

  On Monday, I joined Collin for breakfast, and we discussed the dark corners of RPM building.
  Then I moved to the venue and listened to Jef Spaleta’s “State of Fedora� talk. Fedora’s usage is growing, and KDE is working enormously well, but the decline in Fedora’s contributors is accelerating. We have to figure out why and take action, rather than just setting up plans without execution.

  The “Fedora Council Strategic Proposals� session was great. Two highlights stood out:
  “It’s not the new generation that is different. It’s you who is different,â€� said Aleksandra. “They talk about changing a wallpaper; we are talking about burnout.â€�

  

  “I would not join Fedora if it were stable. I want to improve it.” Jef Spaleta

  

  The subsequent “FESCo Q&A� was less vibrant but provided a great opportunity to learn about members' views. For newcomers, Kevin’s remark that FESCo’s role is sometimes to say “No� and stop things was likely interesting. However, FESCo cannot drive new initiatives; individual contributors must do that.

  Then I watched Stef’s talk about Hummingbird; this was not new to me as we closely cooperate on agentic packaging.

  

  I also observed the talk “Packit and Fedora: The CI Story Continues�, as it summarized what my team accomplished with Fedora CI. There were many examples, and the feedback was positive. I appreciated that Matej managed to substitute for Nikola, who got sick at the last minute.
  Several ideas in the Q&A highlighted that PRs are not mandatory and that maintainers do not always follow upstream in a timely manner.

  I attended “The EU CRA vs. Community: Why You’re Safe, and How Stewards Help�. The CRA was new to me, and the session was packed with concrete information. You may check the most interesting slides in my Mastodon post. The biggest takeaway is that open-source maintainers do not need to worry, but they should be prepared that companies using their software will start email-bombing them in August. There was a nice guide on how to politely reject them.

  I took a break and talked to people in the hallway, sharing remarks with my team members. I talked with Kashyap about bootstrapping RISC-V; he was thankful for our support in Copr. We drafted next steps, only to find that Kashyap’s colleague already did that while I was on vacation.

  I then observed “What’s Cooking in Copr, Testing Farm, tmt, Packit and Log Detectiveâ€�, where Franta and people from my team shared our current work and future plans. It was great that Franta brought the team members on stage.

  After this, I was quite tired, so I headed to the hotel for a quick nap and shower to get ready for the Official Party, which took place at Manifesto—a local market with various street foods. I met many familiar faces as well as new people.

  On Tuesday I listened to Adam’s “RHEL 11 is branching from Fedora 46: What this means for youâ€� talk and appreciated his honesty in answering “I do not knowâ€� to several questions. Later in the hallway, we discussed whether branching RHEL during the Fedora branching phase is ideal, and why we don’t branch during the beta phase instead.

  I then moved to Kevin’s talk, “Scrapers Gotta Scrape Scrape Scrape�. This topic was familiar, as we are also fighting scrapers, and Jiri from my team helped package Anubis and its dependencies for Fedora. However, I learned several new things, and the follow-up Q&A was fun. If you think people ranting about scrapers only wrote inefficient web applications, you should definitely see a recording of this talk.

  I attended Frederick’s talk, “Machine-readable package lifecycle information in repository metadata�. He spoke about their DNF plugin that can set various End-of-Life dates for different packages. This was extremely helpful, and since we wanted to do something similar in RHEL, I immediately emailed the DNF team to introduce them to Frederick.
  After the talk, I bowed to Frederick, as he is reportedly the person behind the migration of AWS Linux to Fedora.

  I listened to Microsoft’s talk, “Two Years In: Accelerating Microsoft Contribution to Fedoraâ€�. It was interesting to see how much Microsoft uses Fedora. The highlight was that the presenters were from different teams within Microsoft and were largely unaware of each other’s work.

  I then talked to people in the corridor, including Bex, who introduced me to two students from Jihlava interested in a high school internship.

  The highlight was definitely the lightning talks. They were strictly 5 minutes long (including notebook setup). I learned about current Lenovo support for Linux, how Miro sped up the last Python mass rebuild, and I reported on the current status of the SPDX migration, noting that the next steps will proceed without me. Fortunately, Max started a SIG that wants to take over the work. I shared some information with him that didn’t fit into the lightning talk. Jiri presented his achievement of packaging Goose for Fedora and even provided a live demo!

  By this point, I was quite tired, so I passively watched the presentation of the Contributor Recognition Awards. Then, I went into the city to meet a friend, and we attended the theater performance Tahle země je naše.

  Tip: If you want to see any mentioned talk, you can find it in the schedule and then rewind to the specific time in the Streams. The edited and cut talks are usually available weeks later on Fedora’s channel.

  DevConf

  DevConf CZ is huge even. With over one thousand participants and eleven tracks - it is huge. As this is a conference in my hometown I volunteered to help organizers: I chaired one of the rooms and acted as a fire marshall. That includes overseeing A/V tech. Help speakers to connect to video and mic. Make sure they do not run with that. Remind them the time.
  This year, I chose a room with Lightning talks. There was 15 minutes for each talk and 5 minutes for a break. And it was a blast!
  I chaired the Thursday morning and Friday afternoon. One of the best delivered talks was from new junior who was speaking for the first time - yet she overperformed more senior people.

  “AI accelerated learning. Mentorship directed it. Real systems grounded it.” Kaja Prokopova @ “From Sysadmin to Software Engineer: A Non-Traditional Path into Tech”

  Petr Kaška spoke about detecting malicious prompts. You can attack your model using https://github.com/Security-FIT/PromptAttacker

  Anežka Müller speaks about how she organizes a small one-day, one-track conference, Python Pizza. You can use her recipe for free https://docs.python.pizza/

  James Freeman with his theory about technology dopamine culture.

  Jan Jurca spoke about tests on the filesystem that produce different results if you use the filesystem for some time. You can artificially simulate the usage of filesystem and then run the benchmarks using Filestorm https://github.com/janjurca/Filestorm
  See the interesting slides.

  I did a small cameo at lightning talk by my student Peter Stefunko in his talk “From SBOM to Dependency Stacks: Making Software Structure Visible“ where he tries to visualize the state of the operating system using famous XKCD comics “Dependency�. You can check his work at github.com/peter-stefunko/rpm2xkcd2347.

  I did not attend Thursday’s party as we had an anniversary with my wife and preferred my wife over all of you. 🙂

  I met many old faces, former colleagues. And the biggest surprise was the booth of Free Software EU where I found the Czech edition of the book Ada & Zangemann that I helped to translate. I did not know it was already printed - that was because the print was finished that morning. I then called Tomas Stary who took the work from me and who I never met - only to find that he is standing beside me in the queue for ice cream 🙂
  Mathias post about the new print https://mastodon.social/@kirschner/116770321504331386
  Half of the batch. Fresh from print.
  Later we discussed with Tomas, his publisher and Lucie from RH additional steps to advertise the book.

June 20, 2026

• Tomasz Torcz Skill issue

  Last week I had to extend complicated, unfamiliar Helm chart. While I've discussed approach with my carbon-based coworker, actual editing and extending was done by Claude Code.

  Refactors and renamings were tedious, but Claudius did them in no time. During the review we decided to significantly change the way chart is organised. Claude executed the changes perfectly.

  If I had to fully understand the working of the chart, it would have taken me a good part of the week. Making the changes – another day or two. Significant rework midway – I'd probably be too demotivated to do it.

  With AI assistant, I have finished work in two days. Tested, simplified, cleaned up.

  But I have no more skills than I had before. I do not understand this Helm chart much better. I've spotted a thing or two during the review, but in no way I have a fuller comprehension. AI let me borrow expertise without acquiring it.

  Next time when I'll have to work on this chart, I will use Claude again. I've got softly locked-in in using AI assistant to work. And I'm not happy with that.

  Now, my employer sees this as an acceptable tradeoff. Paid for some tokens, unlocked couple of my pricy senior-level hours to do other stuff. It balances. Subsidising Scam Altman and his ilk is a money well spent from this perspective.

  We are at the point where we offload more work to so-called AI. Those are just tools. You know what more primitive tools we had before? Assemblers. Then compilers. No one writes machine code by hand anymore. Maybe someone despairs because of it, but people commonly writing binaries are more likely to be dead by now.

  No one treats high level compilers as fad and stuff kids these days do. It's just a tool, expected to work and dissappering into the background.

  There's one important difference. We do not have to pay for the compilers, thanks to work of the GNU Project last century (gcc) and Apple more recently (llvm/clang). But at this point we are paying for tokens. I expect that as we cannot fathom working with any codebase without a compiler now, a LLM-driven assistant will be required to tackle bigger projects in near future.

  To be free, we need to be able to run assistants at reasonable cost. Free is reasonable. Not paying through the nose for electricity is reasonable. We can hope for good quality chinese models to be available for free. We need a free toolkit revolution again. It was GNU Compiler Collection for the previous generation. Would it be Kimi now?

  And we need the proprietary AI bubble to pop and rationality to return.

  066/100 of #100DaysToOffload

• Jeremy Cline Fedora signing: draw the rest of the owl

  Way back in September I apologized for the gap since my last update. I am, once again, sorry it’s been so long since I posted an update. I recently presented at talk at Flock 2026 - if you prefer consuming updates via video where live demos fail, you can find that on YouTube.

  This post is something of a summary of that talk, but the short version is Siguldry has all the features Sigul has, plus some. That means we can start deploying it in the coming weeks.

  PKCS#11

  In the last post, I noted I had implemented server-side support for PGP signing. That’s gone now, I’m pleased to say, because I came across a much neater approach. I implemented a small PKCS#11 module inventively called siguldry-pkcs11.

  I can’t take credit for any of the ideas I’m about to describe, since I stole them from multiple other projects. Our friends over in Flatcar have to sign things as well, and they use a key stored in Azure Key Vault. The way they use it is that they implemented a minimal PKCS#11 module. That was my primary inspiration, but I also recently spent some time building a drop-in replacement for pesign-daemon and the idea of exposing the signing interface over a Unix socket that can be mounted into isolated build environments was another concept I borrowed.

  For those who aren’t familiar, PKCS#11 is a standard that is made up of a C interface. To implement it, you create a shared object file with a few well-known C functions used to discover your implementations of the interface. Users load your shared library, call a well-known function to get a table of functions where you provide your implementations for the various features. What’s nice about this is that common libraries like OpenSSL can speak to PKCS#11 modules, so you can make any tool that uses those common cryptography libraries use your implementations.

  PKCS#11 is a fairly broad specification that covers not just signing, but also encryption/decryption, digest calculation, random number generation, and key management (creating, modifying, deleting, etc). What I realized while poking around Flatcar’s implementation is that you actually don’t need to implement everything. You can, instead, stub out all the functions you don’t want to implement and have them return the handy “function not supported” error code. The list of functions I opted to not support is extensive.

  In fact, all I implemented was the functions to authenticate, list keys, and sign. However, that’s enough to make it possible to use the Siguldry server with tools including (but definitely not limited to): rpmsign, ostree gpg-sign, cosign (if built with PKCS#11 support), gpg2 (with the gnupg-pkcs11-scd service), sq (once it merges its PKCS#11 support), systemd-measure, systemd-sbsign, pesign, and perhaps most humorously, ssh. All these tools know how to speak to PKCS#11 modules so they “just work” with Siguldry. Any new tool people make will also likely just work.

  One thing that’s neat about this approach is that we sit between the tool requesting the signature and the signing server. This means we can hash the content client-side and requests to the server are very small: just a hash, the algorithm used for the hash, and the key name. No more sending a 4GiB ISO over the network only to have the server hash it, that all is done before the request starts.

  The last thing that’s really cool about this approach is that if Fedora decides it needs a new signing server and spends some big bucks on a fancy hardware security module, it will definitely ship with a PKCS#11 module of its own so we can start using it with our existing tooling, no development required. If Siguldry stops being the right choice for Fedora, it’s really easy to swap it out.

  Unix Socket API

  The other thing I did was to implement a Siguldry client that binds a Unix socket and proxies requests from the local system to the remote Siguldry server. I did this because you can expose the socket into locked down environments, such as RPM build environments, install the PKCS#11 module into that environment, and sign things. Right now Fedora uses this general approach for SecureBoot, except it’s specific to the pesign utility. While I’d prefer to disconnect the signing event from the building of a package, it’s important to support the current workflows and this was a neat way to do that which is generic across signing tools.

  It has another advantage. Since the Unix socket is set up using a systemd socket unit, we can sandbox the client proxy, and also configure it with the necessary credentials to connect to the Siguldry server and unlock signing keys. This lets you, if necessary, allow anyone to sign content without needing to manage secrets themselves. The secrets can be encrypted with systemd-creds and bound to hardware. All we have to do is ensure the keys that are configured that way get a special flag when queried via PKCS#11: the “protected authentication path” flag.

  siguldry-fedora-autopen

  The primary way Fedora uses its signing server is via an AMQP consumer that automatically signs things. Robosignatory is the current tool used, but it needs some significant changes to work with this new workflow. In particular, we don’t want to sign content serially, but the fedora-messaging Python library commonly used to interact with the AMQP broker doesn’t handle concurrency well. And, since we now call out to the particular tool used to sign content rather than sending it to the server, the consumer is primarily a mapping between message topics and those various tools.

  All those reasons led me to re-implement it, and since I’ve got no imagination with names, it’s called siguldry-fedora-autopen. It uses the lapin AMQP client with Tokio to manage hundreds or thousands of RPMs/ISOs/containers/etc signing operations at the same time. This means builds should no longer languish in the signing queue for many hours.

  IMA

  All this probably (hopefully) sounds great, but as with all things there are a few problems. Well, really just one big problem. Back in the Fedora 37 days, we enabled IMA signing for RPMs. The short version of how that works is that each file inside an RPM gets signed. And, unfortunately, the PKCS#11 interface is synchronous. This means that rpmsign requests a signature when it creates an OpenPGP signature on the RPM header. It then requests a signature for each file, waiting for each signature request to finish before starting the next one. Now, when the RPM only has dozens or a couple hundred files that happens fairly quickly. A signature might only take a couple milliseconds and the request/response latency might be a couple dozen more milliseconds (or a lot less depending on how close the server is from the client).

  Of course, not all RPMs only have a few hundred files. Some have many, many thousand. For these, a simple OpenGPG signature takes less than a second (even if the RPM is, say, 10GiB). The IMA signing can take many minutes, depending on how many files it has. I’ve been running a client locally, with a server in a nearby datacenter, and the largest time I saw for a signing operation was around 40 minutes. This is really unfortunate, but it is important to remember that we can now do thousands of signing operations at the same time, so even when these slow builds are signed, other builds can be serviced in a timely manner.

  There’s a couple ways we can make this better, but the “easiest” involve a custom signing implementation that avoids using the PKCS#11 path.

  What’s Next?

  In the next few weeks I’m hopeful we’ll have enough time to sit down and deploy Siguldry to Fedora’s staging environment. I want to really kick the tires and ensure it’s rock solid before we move it to production, but I think it’s reasonable to hope for that in the next couple of months.

  While that’s happening, I’m going to add support for ML-DSA signing. That will allow us to produce signatures that are safe in a post-quantum cryptography world. After that, I’ll investigate OpenPGP’s hybrid signature schemes, although given recent developments I wonder if we want to bother with those. I’ll defer to what the professional cryptographers have to say about that.

  Sometime in the next few Fedora releases, though, you should expect to see new signature algorithms in use (pending FESCo approval etc etc).

  Comments and Feedback

  Thoughts, comments, or feedback greatly welcomed on Mastodon

• Kevin Fenzi flock 2026 recap

  

  Another wonderfull flock is in the books. This post is likely to be kind of long, and was written a few days after I got back home, so it's likely I forgot some things or misremembered them somehow. If so, it's not intentional.

  TLDR version: Another great flock. Lots of good conversations, lots of good talks, good food, good friends. I'd like to give kudos to all the people who put things on. It's not easy planning a large event like this and at least from my perspective everything went very smoothly.

  Day -3 / -2

  My journey started a few days before flock on Thursday the 11th. I had actually planned to come in a day early to recover from travel, but it turns out there was a meeting scheduled then, so I got to recover in the meeting instead (more on that in a minute).

  Two hour drive to portland airport (PDX) turned into about 2.5 due to traffic, but I had planned buffer so it was fine. This time I was taking icelandair via Keflavík (KEF) instead of my usual jump via Amsterdam. The transfer time was quite low (around an hour), but I read that it was easy to transfer there.

  The flight was fine, the transfer was a bit fun: They deplaned us out on a tarmack and we had to take a bus to the terminal. That took a while as they wanted the bus fully loaded. Then, they said the customs area was understaffed today and would take longer than normal. So, I rushed as best I could and ended up at my gate only to hear that the next flight was waiting for crew and hadn't boarded yet. :)

  The hotel in prague was the same one as last years flock. Last year I had stayed at a nearby hotel, but this year I just stayed at the conference one. I have to say the rooms were nicer there and it was pretty nice to not have to walk over and back a lot.

  I got in friday afternoon and took a short nap, then met up with Tomas and Adam for dinner. We picked a nice sounding place nearby and it was a bunch of nice conversation and food.

  Day -1

  Saturday I had planned to recover from travel, but instead I went to a face to face meeting we had with a bunch of the Red Hatters that were coming to flock. There wasn't anything secret here, it was mostly just discussing what various groups were working on and how we could all help each other out and get things landed/working.

  There was a lot of technical discussion and planning type things along with lots of things that were further discussed at flock.

  I was able to chime in on some hardware questions and some cloud resources along with some policy questions.

  Saturday evening was the 'sponsors dinner' with a bunch of folks from companies sponsoring flock along with leeds of various parts of the project. Amusingly, it was in the same resturant we were at the previous night! It was all good though. I sat near Jermey Cline, David Duncan and Jef Speleta and we had a bunch of conversations on tons of topics.

  Day 1

  The first day this year was workshops, the keynote and other regular talks would be the next day. I can understand why you might want to do things this way as it allows you to get people excited and working on something and then leverage that work for their talk in the later days. On the other hand it means that the workshops had a lot of talk/presentation before being able to get to the actual work part of the workshop.

  The first slot I ended up in the 'hallway track' (as I would many times in the coming days). Talked to too many people to even list. :)

  Next I went to the forgejo workshop. It was fine and there were a few questions, but either everyone had burned out their discussions on it, or the folks with those questions/discussions weren't there as it seemed to go very quietly. I think lots of contributors are getting used to forge.fedoraproject.org now and can imgaine how a migrated src.fedoraproject.org might look.

  Lunch was up next. This year the mentor summit was doing a 'lunch and learn' thing each day, and I went each day. I sat at the 'operations' table on Sunday and had a great conversation with several new to fedora folks. We talked about matrix a fair bit and software we all use.

  After lunch I went to the Fedora Data & Analytics Workshop with Justin and Michael. I think things were pretty interesting, but we spent a lot of time getting everyone up to speed on the background and only had a short time at the end to work on workshoppy things. Still, very interesting stuff here. We have lots of data, but we dont really analize it very much, and I am hopefull this system will allow us to do so! Right after this workshop I got pulled into a hallway track discussion and didn't get a chance to say Hi to Michael in person. :(

  After that was more hallway discussions and then our team had a team dinner. Always great to see people I work with day to day over the internet in person. Some of us then rushed back from dinner for...

  The flock 2026 candy swap. This year was even bigger I think that last year. We barely fit in the bar where this was happening. Tons of good stuff, lots of good stories. A few people said to me "Do you do this every year? Wow, this is great! I would have brought something if I knew". After the swap, beers in the bar and I managed to have a nice discussion on Books with MattH and Aoife along with some music discussions with many others.

  Day 2

  Monday started out with the keynote state of Fedora from Jef. There was even a nice bit of stats out of the data workshop that was interesting.

  Then up in the same room was the Council round table, followed by the FESCo one. Interestingly, the Council didn't get any AI related questions, but FESCo did. Do watch those recordings if you are interested in any of those questions/answers.

  There was a talk on hummingbird after that, which was great. I'm excited to see hummingbird and to see what it's going to grow into.

  Mentor summit lunch and learn monday was the 'infrastructure' table for me. We had folks from Azure linux and Amazon linux (both now based on Fedora) asking a bunch of infrastructure questions. I also asked them a bunch about their infrastructure too. It was very encouraging this year to not only see groups like this at flock, but asking how they can be more involved and help Fedora out and thus help themselves as downstreams. I'm really hopefull we can help each other and all end up better for it. This was probibly the most encouraging thing I saw at flock this year. :)

  After lunch I went to Lenkas Forgejo runners on fedora forge talk. This was largely stuff I knew about, but it was great to see all in one place. There were some nice questions. We are definitely seeing some good use from these runners and it's good to see work on them continue.

  I had a bunch of hallway conversations after that, then off to...

  Post-quantum cryptography for Fedora infrastructure with Alexander and Jakob. The timelines here are really scary to me. There's a lot thats just starting to land now, but the dates for moving things are coming up super fast. I hope it will all work out, but it's a lot of things and a lot of work. :(

  Dinner Monday was the flock reception. It was in a nearby outdoor food court, which I had actually had lunch at last year. It was a nice setup, they blocked off a large area of tables for us and gave us vouchers to get a meal at any of the... many food places. They also brought us all a bunch of free appitizers to the point where it almost wasn't worth getting a real meal. :) Had a lot of conversations on a lot of topics here. I managed to find Michael Winters and we started to talk, but then they called the group photo and we were seperated, then after that we both got pulled into other conversations. (This was a theme)

  A group of us then went to a belgian beer place and stayed talking until the wee hours.

  Day 3

  The last day already!

  I started with the "RHEL11 and what it means for you" talk. Nice to see dates listed there and an attempt to get fedora things landed in time for RHEL11.

  Next up was the state of the fedora kernel from Justin. Nothing too much that I didn't know, but was good to clarify things and hear questions from folks.

  In the next slot I really wanted to go to Kashyap's riscv talk, but unfortunately that was when _my_ talk was scheduled also. ;( So, I gave my talk about scrapers. It was a pretty nice crowd, and there were lots of good questions from people. I did have AV problems however, they were unable to capture from the projector for the live stream, so they could only use the camera to capture it. I have no idea why that was happening. Somehow also, I wasn't able to read my notes while giving the talk, so I missed saying a few things I meant to mention. Things like: "robots.txt was orig called RobotsNotWanted.txt", and asking if anyone remembered the /. effect. ;) Overall I think it went well.

  After a bit of hallway conversation, next up with the talk about Microsoft contributions to Fedora. It's great for this work to get highlighted. I am very happy with all the work Jeremy has been doing on our signing infrastructure, along with all the other places they contribute.

  I then went to the "Upgrading Fedora Infrastructure from Nagios to Zabbix" talk. This was given by Michal, because Greg was unable to attend. He did a fine job going over things, and Greg was in the matrix room for the talk answering questions. I'm super happy about this finally getting over the finish line (at least the initial one) I think we are in a much better place.

  Last day of Mentor summit lunch and learn I sat at the Release Engineering table. We had a mix of folks this time. Some Amazon linux folks, someone asking how to get involved that was just starting out, and someone who was involved in server/docs. We had a pretty wide ranging conversation.

  After lunch were the lightning talks. There were a bunch of them, and I was amazed at how many folks had slides. I guess they were ready to talk about their thing at a minutes notice. Lots of interesting stuff in there. Worth a video re-watch.

  Finally, the last session of the conference: The Fedora’s Contributor Recognition Program. I won this award last year, and was involved a small amount with choosing winners this year. All the proposed candidates were great! Fedora is nothing without it's contibutors and the folks awarded were all super well deserving folks. Make sure you say 'thanks' to those who help you.

  With the conference officially over, I was very tired, so I went to take a nap. Michael Winters was down in the bar, and I said I would try and meet up after I got up. So, after my nap I wandered down and... I swear I saw him walking off to dinner with a group of folks. Missed again. (I'm not avoiding you Michael! Honest!)

  I ended up at dinner with a small group and we actually talked non computer nerd things ( music, podcasts, and even politics ).

  Day 4

  The next day was the travel home. Due to timezones I would leave the Prague airport at 2pm and get into portland at like 5:30pm. (it is NOT 3.5 hours of flights).

  I again had fun with the transfer in iceland. Our plane from Pague was a few minutes late, then we needed to take the bus to the terminal, then passport control was even more backed up than it was last time. I finally got to my gate and their was an attendet there who asked me my name. I then took a bus with only 3 other people on it to the plane. They held it for us, but I made it.

  The rest of the trip back was uneventfull, but will take a while to recover. Luckily, there's a holiday this friday so I do have a 3 day weekend.

  A few Downsides

  Overall I think things went super nicely and smoothly, but:

  • The weird AV issues for my talk. It's likely something off about my aarch64 laptop. So, perhaps I should take a boring x86_64 one next time. Or spend some time poking at it before time for my talk.

  • There were a lot of folks that I usually look forward to talking with in person that were not able to make it this time. Due to various reasons, but it was sad to not see them. You all know who you are, you were missed.

  Hallway conversations

  There were a ton of hallway conversations, and I am sure I don't remember most of them but the few I do:

  • Alexander showed me a new rust based IDP setup he has been working on. Super cool looking and very on point for Fedora.

  • There was a number of AI conversations, but more of the 'what do you think is going to happen when the bubble bursts' than anything else. There was a foundations whiteboard where people could add things around the 4 foundations and under friends was "more people, less AI".

  • Lots of good talks with Amazon Linux and Azure Linux folks. I hope to see them chime in on matrix with questions/comments/contributions.

  • Jeremy and I had a number of talks about the new signing stuff.

  • Nice to see Toshio again and talk with him on lots of things.

  • Had some good talks about 2fa and otp and such with Gotmax23.

  • A conversation I had a number of times was "where should we do flock next year?". There were a lot of ideas, no telling what will win out. We might not do too badly to just do it in Prague again, IMHO.

  As always, comment on the fediverse: https://fosstodon.org/@nirik/116784039502240226

June 19, 2026

• Remi Collet 🎲 PHP version 8.4.23RC1 and 8.5.8RC1

  Release Candidate versions are available in the testing repository for Fedora and Enterprise Linux (RHEL / CentOS / Alma / Rocky and other clones) to allow more people to test them. They are available as Software Collections, for parallel installation, the perfect solution for such tests, and as base packages.

  RPMs of PHP version 8.5.8RC1 are available

  • as base packages in the remi-modular-test for Fedora 42-44 and Enterprise Linux ≥ 8
  • as SCL in remi-test repository

  RPMs of PHP version 8.4.23RC1 are available

  • as base packages in the remi-modular-test for Fedora 42-44 and Enterprise Linux ≥ 8
  • as SCL in remi-test repository

  ℹ️ The packages are available for x86_64 and aarch64.

  ℹ️ PHP version 8.3 is now in security mode only, so no more RC will be released.

  ℹ️ Installation: follow the wizard instructions.

  ℹ️ Announcements:

  • PHP 8.5.8RC1 available for testing
  • PHP 8.4.23RC1 available for testing

  Parallel installation of version 8.5 as Software Collection:

  yum --enablerepo=remi-test install php85

  Parallel installation of version 8.4 as Software Collection:

  yum --enablerepo=remi-test install php84

  Update of system version 8.5:

  dnf module switch-to php:remi-8.5
  dnf --enablerepo=remi-modular-test update php\*

  Update of system version 8.4:

  dnf module switch-to php:remi-8.4
  dnf --enablerepo=remi-modular-test update php\*

  ℹ️ Notice:

  • version 8.5.8RC1 is in Fedora rawhide for QA
  • EL-10 packages are built using RHEL-10.2 and EPEL-10.2
  • EL-9 packages are built using RHEL-9.8 and EPEL-9
  • EL-8 packages are built using RHEL-8.10 and EPEL-8
  • oci8 extension uses the RPM of the Oracle Instant Client version 23.26 on x86_64 and aarch64
  • intl extension uses libicu 74.2
  • RC version is usually the same as the final version (no change accepted after RC, exception for security fix).
  • versions 8.4.19 and 8.5.4 are planed for March 12th, in 2 weeks.

  Software Collections (php84, php85)

  

  

  Base packages (php)

  

  

June 18, 2026

• Gary Benson longintrepr.h

  Did your pip install fail with longintrepr.h: No such file or directory? The file likely is on your system, but it sometime or another it was moved, from /usr/include/python3.xx/longintrepr.h to /usr/include/python3.xx/cpython/longintrepr.h. The proper fix is to update the package in question with the new path, but if you’re installing an old version of something or a package that’s no longer maintained you can work around it like this:

  ln -s /usr/include/python3.*/cpython/longintrepr.h .venv/include

June 17, 2026

• Jakub Kadlčík Flock to Fedora report 2026

  This post is tough to write because Flock to Fedora is my favorite conference, and last year’s Flock might have been the best conference I’ve ever been to. I love the Fedora community, Prague is beautiful, the venue is nice, we always have so many interesting talks and workshops, the organizers do an amazing job preparing this event for us, so I feel really guilty saying that I did not have much fun this year. That is 100% on me, though. Flock bears no blame.

  It wasn’t exactly the wisest decision ever to run my first half-marathon the very evening before the conference, and then waking up early to commute to Prague. It must have hit me much more than I was willing to admit. I feel fine physically, but I can’t pay attention to anything because nothing feels exciting. That is the most lifeless I’ve felt in a long time.

  So, in case anyone is wondering … it was me, not you.

  Highlights

  Despite all that, these were the highlights of the event for me.

  Forging Fedora Project’s Future With Forgejo

  Great job on the migration from pagure.io to forge.fedoraproject.org. It was handled exceptionally well. Next, we look forward to the migration of src.fedoraproject.org to Forgejo, which can’t come soon enough. Tomáš Hrčka teased us that this migration may take considerably less time than the previous one because they already know how to do things (e.g., deploy Forgejo, etc).

  DIY AI: Build a Private, Customizable Chatbot on Lean Hardware

  Ellis Low showed us how to run an LLM on our laptops through Llama and how to interact with it. I really appreciated him saying that, except for this one small text-in, text-out magic black box, everything else is standard software engineering as we know it.

  Fedora Council Strategic Proposals + FESCo Q&A

  Most of the discussion revolved around a decline of new contributors and us failing to connect with the next generation. “They talk about changing wallpaper, we talk about burnout” – Aleksandra Fedorova.

  What’s Cooking in Copr, Testing Farm, tmt, Packit and Log Detective

  I found Pavel Raiskup’s return to the stage hilarious.

  Scrapers gotta scrape scrape scrape

  As presentations go, Kevin Fenzi’s talk about AI scrapers was the best. It started with minor A/V dificulities, which is a nice reminder to not feel bad, the next time it happens to you, because it happens to everybody. Even the main infra guy. Semi-joking aside, I enjoyed the brief history of web scraping and Kevin’s taxonomy of scrapers, clearly showing that not all scrapers are the same (e.g., web.archive.org). However, the current AI scrapers are the plague of the internet, and I am so glad the Fedora Infra team fights them as best as they can to keep our services running.

  Chat with Adam

  I ran into my former Copr team mate Adam Šamalík in the hallway, and we had a nice chat about life. When we still worked together (10 years ago, oh how the time flies), I randomly asked him what he did on a weekend. “We had no plans, so we bought plane tickets and went on a date to Amsterdam with my girlfriend”. Fucking what?! That was the coolest response ever. Since that day, I remember it every time my creaking, lazy bones struggle to do something spontaneous. Why am I telling it now? Adam is now happily living in the Netherlands full-time. Funny how one impromptu decision can completely change your life.

  Chat with Emmanuel

  Made friends with Emmanuel Seyman. He said hello after seeing the Fedora Podcast episode with me as a guest. I really enjoyed our chat, and I am going to follow up online because I think he’ll really like Sundaram Krishnan’s project coprtree.

  Chat with Miro

  Miro Hrončok shared some of his ideas about improving the Fedora Package Review Process with me. This deserves an article on its own, so stay tuned.

June 16, 2026

• Adam Young Downloading from gitlab

  We use gitlab to post internal releases of archives. I want to be able to automate the process of downloading these artifacts. Here it is using the glab CLI.

  export REPO=https://gitlab.com/YourCompany/sw-eng/product-manifest
  
  glab auth login --stdin < ~/.token
  glab release list -R $REPO
  glab release view item/5.4.3.2 -R $REPO
  glab release download item/5.4.3.2 -R $REPO   --asset-name=sw-eng_5.4.3.2-product-subclass_binary-datestamp.tar.xz
  

  Note that each of these commands can be done with the glab api subcommand instead, but the path needs to be escaped.

  export REPO=YourCompany%2Fsw-eng%2Fproduct-manifest
  glab api "$REPO/releases"
  glab api "$REPO/releases/item%2F5.4.3.2"
  

  This last one gives you the URLs for direct download. You want to save them to a file via redirection.

  glab api "https://gitlab.com/api/v4/projects/99999999/packages/generic/sw_release/1.2.3.4/eng_1.2.3.4-product-name-version-version.tar.xz" > eng_1.2.3.4-product-name-version-version.tar.xz

• Fedora Community Blog From Contributor to Outreachy Intern: My Fedora Journey Begins

  Introduction

  Hi, I’m Aman, a software developer and open-source enthusiast who enjoys backend development, APIs, and building tools that are useful to others.

  I recently started my Outreachy internship with the Fedora community, and this is my first blog as an intern. In this post, I want to share what my first two weeks have been like, what I’ve learned so far, and what I’m looking forward to in the next phase of the internship.

  I’m working on the Fedora Release Schedule Planner API, a project focused on improving Fedora’s release planning workflow by moving away from older XML-heavy processes and strengthening the current FastAPI-based API through better tests, authentication, and infrastructure integration.

  About the Fedora Community

  Fedora is a global open-source community behind Fedora Linux and many related projects. People contribute in many areas, including packaging, infrastructure, design, documentation, testing, and release engineering.

  One thing I’ve enjoyed learning about Fedora is its Four Foundations: Freedom, Friends, Features, and First. These values reflect Fedora’s focus on free and open-source software, community, innovation, and adopting new technologies early.

  What I like about Fedora is that it is not only about writing code. Communication, documentation, reviews, and helping new contributors are also important parts of the community.

  Through this internship, I’m also getting a better understanding of Fedora’s release process and how different contributors work together to improve the tools used by the community.

  About My Project

  My Outreachy project is Enhancing the Fedora Release Schedule Planner API.

  Fedora’s traditional release planning workflow relied heavily on manually edited XML files, which made the process difficult for newcomers, harder to scale, and less connected to modern tooling.

  The Fedora Release Schedule Planner API is a modern FastAPI-based project hosted on Codeberg. It has already moved from Flask to a modular FastAPI architecture, uses Pydantic for data validation, provides auto-generated Swagger documentation, and relies on Forgejo Actions for CI/CD testing.

  The goal of my internship is to help make this API more production-ready. My work will focus on improving the test suite, strengthening CI reliability, adding secure authentication with OpenID Connect, integrating the API with Fedora infrastructure data, and preparing it for deployment.

  Learning More About the Community

  I had already started contributing to the Fedora Release Schedule Planner API during the Outreachy contribution period. During that time, I joined the project’s Matrix chat, went through issues and pull requests, and became familiar with the basic project structure.

  So, during the first two weeks of the internship, my focus was more on understanding the project in depth. I followed discussions in the Matrix chat, worked through issue and pull request conversations, and learned how mentors and maintainers review changes.

  We also have a weekly Google Meet call with the mentors. These calls are helpful for discussing progress, asking questions, and understanding what to focus on next.

  Alongside exploring the codebase, I spent time reading Fedora documentation and project-related resources to better understand the release planning workflow.

  I also explored the FastAPI codebase, tests, CI setup, and previous pull requests more closely. This helped me understand how tools like Pydantic, Swagger documentation, and Forgejo Actions are being used in the project.

  Challenges and Wins

  One of my biggest challenges in the first two weeks was understanding the codebase beyond its basic structure. During the contribution period, I had already become familiar with the main parts of the project, but during the internship, I started understanding how different layers work together, including API routes, database models, Pydantic schemas, services, templates, and tests.

  Another challenge was making sure my changes did not affect existing behavior. I had to run tests, check formatting, and verify things locally before updating a pull request.

  My biggest win was becoming more confident with the project workflow. I was able to work on issues, raise pull requests, respond to review feedback, and understand the expectations around code quality and maintainability.

  I also became more comfortable with the tools used in the project, including FastAPI, SQLAlchemy, Pydantic, Jinja2, HTMX, tests, and CI checks.

  A small win for me was getting some of my pull requests merged. For example, PR #425 and PR #427 helped me understand the review process better and gave me more confidence while working on the project.

  Plans for the Next Month

  In the next month, I want to continue building on the work from the first few weeks. Currently, we are focusing on fixing UI-related issues, improving the code structure, and aligning the codebase with the project’s expected structure.

  Along with that, I want to keep improving the test suite and make sure the API works correctly with the current FastAPI and Pydantic structure.

  I also want to start preparing for the authentication part of the project. Since OpenID Connect is an important goal of this internship, I plan to spend time understanding how Fedora authentication works and how it can fit into the Release Schedule Planner API.

  After that, I want to gradually learn more about how this API can connect with Fedora infrastructure data. This is important because the long-term goal of the project is to move away from the older XML-based workflow and make the release planning process more modern and maintainable.

  Conclusion

  These first two weeks have helped me understand the project better. I now have a clearer understanding of the Fedora community, the Release Schedule Planner API, and how people collaborate in open source.

  I still have many things to learn, but I feel more comfortable with the project now than I did at the beginning of the internship.

  I am thankful to Outreachy, Fedora, and my mentors for this opportunity, and I am looking forward to continuing the work in the coming weeks.

  PS: Cover image generated with the help of an AI tool.

  The post From Contributor to Outreachy Intern: My Fedora Journey Begins appeared first on Fedora Community Blog.

June 15, 2026

• Guillaume Kulakowski Deux nouvelles versions majeures pour SeedboxSync et SeedboxSyncFrontend

  Ce week-end marque la sortie de deux versions majeures de mes projets SeedboxSync et SeedboxSyncFrontend. Au programme : support FTP, optimisations de performances, suivi en temps réel des téléchargements, administration depuis l'interface web et plusieurs améliorations de l'expérience utilisateur.

June 13, 2026

• Fedora Community Blog F44 Election Results

  The F44 election cycle has concluded. Below are the results. We are posting the results early this year as we are currently on the eve of Flock to Fedora 2026 and the results were ready. Thank you to all candidates and voters, and congratulations to the newly elected members!

  Results

  Council

  Two Council seats were open this election. A total of 204 voters participated in this election.

  # votes	Candidate
  958	Miro Hrončok
  788	Aleksandra Fedorova
  744	Fabio Valentini
  637	Tomáš Hrčka
  509	Vít Smolík
  451	Akashdeep Dhar
  337	Hristo Marinov

  FESCo

  Five FESCo seats were open this election. A total of 199 voters participated in this election

  # votes	Candidate
  771	Neal Gompa
  700	Fabio Valentini
  662	Michel Lind
  604	Maxwell G
  549	Simon de Vlieger
  537	Adam Miller

  Mindshare

  Four Mindshare seats were open this election. A total of 154 voters participated in this election.

  # votes	Candidate
  419	Samyak Jain
  396	Akashdeep Dhar
  395	Luis Bazan
  351	Mat H (Mat Holmes)
  214	Kenz S (Makenzie Stewart)

  EPEL Steering Committee

  Four EPEL Steering Committee seats were open this election. As the amount of interviews submitted equaled the number of open seats, candidates who interviewed were automatically elected.

  # votes	Candidate
  Automatically Elected	Carl George
  Automatically Elected	Diego Herrera
  Automatically Elected	Jonathan Wright
  Automatically Elected	Troy Dawson

  The post F44 Election Results appeared first on Fedora Community Blog.

June 10, 2026

• Tomasz Torcz Small TLS settings modernization

  Some time has passed since I've tightened TLS settings on my home server. Let's move it a notch higher, this time including home k3s cluster.

  Use ECC certificates

  In 2026, using elliptic curves cryptography certificates should be the norm. Fortunately, automatically obtaining them is easy. I'm using cert-manager for kubernetes ingresses. Switching to ECC is a just a matter of adding an algorithm annotation on Ingress:

  annotations:
    cert-manager.io/cluster-issuer: "zerossl-production"
    cert-manager.io/private-key-algorithm: "ECDSA"
  

  and removing the secret containing old cert and key.

  Small caveat: FreeIPA still lags. While it supports ACME protocol, ECC through it is not possible, yet. I've left my internal domains with RSA certificates.

  For the main server, I refresh certificates using small Ruby script. I had the change RSA.new(3072) to an EC key generation, rest happened automatically:

  certificate_private_key = OpenSSL::PKey::EC.generate('prime256v1')
  csr = Acme::Client::CertificateRequest.new(private_key: certificate_private_key, names: PIPEBREAKER_DOMAINS)
  

  Use TLSv1.3 only

  Last time I've limited support of Transport Layer Security to versions 1.2 and 1.3. Today, let's allow the latest only. I don't care about supporting Windows 7-era clients (years out of support).

  Ingress on k3s is handled by Traefik. Simplest way to influence its config is by creating a global (named default) TLS configuration option:

  apiVersion: traefik.io/v1alpha1
  kind: TLSOption
  metadata:
    name: default
    namespace: kube-system
  spec:
    minVersion: VersionTLS13
  

  That's all!

  Change to nginx configuration on the main server is minimal, too. Version 1.2 is removed from the list, leaving only 1.3:

  ssl_protocols TLSv1.3;
  

  I have to tune Postfix and few other services TLS settings later.

  065/100 of #100DaysToOffload

June 08, 2026

• Michael Catanzaro Please Do Not Ban AI-Assisted Issue Reports

  Many GNOME projects have adopted a policy banning all contributions generated by LLMs. This policy was originally developed by Sophie for Loupe, but is now used in many other notable places:

  This project does not allow contributions generated by large languages models (LLMs) and chatbots. This ban includes, but is not limited to, tools like ChatGPT, Claude, Copilot, DeepSeek, and Devin AI. We are taking these steps as precaution due to the potential negative influence of AI generated content on quality, as well as likely copyright violations.

  This ban of AI generated content applies to all parts of the projects, including, but not limited to, code, documentation, issues, and artworks. An exception applies for purely translating texts for issues and comments to English.

  AI tools can be used to answer questions and find information. However, we encourage contributors to avoid them in favor of using existing documentation and our chats and forums. Since AI generated information is frequently misleading or false, we cannot supply support on anything referencing AI output.

  I won’t attempt to argue that you should allow use of AI for writing code. If you wish to ban LLM-generated code, fine. That’s probably inadvisable, but I am not going to object.

  But this policy is far stricter than that. Notably, it strictly prohibits AI-generated content in issue reports (except to translate text). Don’t do this! Prohibiting bug reports is stupid and just makes your software worse. Please make sure your project’s AI policy allows for at least AI-generated static analysis results and AI-generated vulnerability reports. Otherwise, you prohibit entirely unobjectionable problem reports.

  It’s hard to imagine what could possibly be the value of prohibiting valid bug reports. AI-generated static analysis works well: the AI is able to think about your code, follow execution paths, and automatically discard most false positives to avoid bothering you with them, and the quality of reports is generally pretty high. They are far from perfect, but the same is true of humans.

  Here is a typical example of an AI-generated static analysis finding:

  2. Resource leak in update_credentials_cb on gnutls_credentials_set failure
  
    File: tls/gnutls/gtlsconnection-gnutls.c:169-172
  
    When gnutls_credentials_set() fails, the function returns without calling g_gnutls_certificate_credentials_unref(credentials). The credentials was either freshly allocated or ref-bumped, so it leaks.

  Pasting this into an issue report clearly violates the ban on AI-generated content. And yet, why would you not want to receive a clear and concrete bug report for memory leak?

  I understand not all maintainers are fond of AI, but is your dislike really so extreme that you would choose to ignore valid problems and intentionally make your software worse? If not, then your AI policy should thoughtfully consider how to handle AI-generated content in issue reports. Certainly do not adopt a policy that outright bans all AI-generated content in issue reports.

  As an issue reporter, you could theoretically take the problem found by the AI and rephrase all the words, then claim that it is no longer AI-generated content because it is rewritten. This is a waste of time and usually results in a lower-quality, less-detailed result, but you could plausibly do that. Or, if you want to go above and beyond, you could just jump ahead to creating a merge request. But realistically, if your project does not allow any use of AI in issue reports, it’s more likely that either (a) you won’t receive the issue report in the first place, or (b) you won’t receive such issue reports from experienced developers who read and respect your policy, while users who do not read your policy will continue to submit them.

  What about security vulnerability reports? Since the start of this year, I have reviewed well over 100 vulnerability reports that I strongly suspect were generated by AI. To reach the “over 100” claim, I sadly only considered vulnerability reports submitted during a particularly heavy four week period, so this is an extremely loose lower bound. Suffice to say, I have seen a lot of them. The quality varies dramatically. Vulnerability reports are now often better or worse than before: better because an experienced human working with a good AI is able to find vulnerabilities that would have surely gone unnoticed without AI, and worse because an inexperienced human with a bad AI might create some pretty terrible issue reports, a significant proportion of which are just outright spam. Low-quality reports remain a problem, but nowadays most AI-generated issue reports are quite good.

  Maintainers do not need to tolerate spammy vulnerability reports. If an issue report is bad, of course go ahead and close it. If it’s really bad, then I sometimes don’t even bother replying. But banning good vulnerability reports solely because some portion of the report was generated by AI is unacceptable. AI-assisted vulnerability reports are the new industry standard, and this is not likely to change. Prohibiting issue reports reduces the quality and safety of your software, punishing your users. This is too extreme.

• Rajeesh K Nambiar RIT Unny open source font

  E.P. Unny is a notable Indian political cartoonist, who worked/works with famed Shankar’s Weekly and new papers such as The Hindu and Indian Express.

  Since 2020, all his cartoons (also 2025, 2026 so far) are published — every week — open-access by Sayahna Foundation.

  Unny was using a font based on his handwriting style for the cartoons, designed by K.H. Hussain of Rachana. Recently, a new font designed by Varshini KVSS & ‘Kandam Collective’ is developed by Rachana Institute of Typography to use in the cartoons, and it is released as open source — see the specimen and download links.

  

  The character set of the font is Latin only. There are plenty of alternate glyphs (for upper case and lower cases of i, j, l, g, etc. — for instance check the double ‘l’ in ‘Intelligence’ on the specimen above). Such characters are rendered alternately to give a feel of the randomness that handwriting evokes.

  The source (and issue tracking) are available at RIT fonts repository.

June 07, 2026

• Dennis Gilmore Accessing serial consoles on SBC’s

  I have a bunch of different ARM SBCs, some Raspberry Pis, some Rockchip based, and some others. Some of them I have in 1U rack mount cases. Some in cases that I have 3d printed. They have all had a common issue. When something goes wrong, I need to unplug them, move them to my desk, and connect them to my desktop via a USB to tty adaptor. Aside from being inconvenient, it also meant I had to be home to debug what was happening.

  I figured there had to be a better way. In the end, I used Claude to help me write a solution. What I came up with is a project to make an ESP32 Web Terminal. Using an ESP32 wired to the UART on the SBCs, I can securely access the serial console of my devices. I have used a couple of different ESP32 devices, from a USD$3 ESP32 C3 Mini to a USD$8 XIAO ESP32S3. all of which work well. For the Raspberry Pis, I purchased some premade JST SH1.0 mm 3 Pin Wire connector cables to plug into the uart port, and for other devices, I made some custom cables with 2.54 mm Dupont crimp pin connectors.

  

  I have most of my SBC’s powered by PoE. In the pictured example, I soldered some headers onto the PCB for the PoE hat to use to provide a 5V power source to the ESP32, and it all runs self-contained in the rack-mount unit. I do want to work on making the connections a little neater and the housing better. But for now, this is functional. While the software on the ESP allows resetting the SBC and controlling the power, I do not currently have that wired up.

  As for provisioning the ESPs, I run FreeIPA at home for authentication, and I have dogtag set up as a CA. When I have wired up and flashed a new board, it initially runs as an access point I connect to in order to set up my home network. Once it is connected to my network, I run an Ansible playbook to create and upload SSL certificates signed by my CA and change the admin password. That way, I can connect without any SSL warnings and use a known non-default password to log in. So far, I am quite happy with how they have performed. I still have some things I want to make better, and I also want to finish testing a setup where I connect to an SBC that exposes its serial port over USB. In theory, it should work with ESP32S3, I just need to test.

  While it has added quite a few more devices to my network, it is useful to be able to access and debug what is happening without having to move devices and plug them into another computer. I have considered options for externally powering the ESPs and the best ways to connect the ESPs to the SBCs. I would like to at least be more robust with a 3d printed enclosure for the ESP. Each unit has cost me between USD$5 and USD$12, and each has acceptable performance. I have intentionally stuck to using small ESP’s, though it would work well with bigger devices also. Powering each through a shared power source would require additional circuitry to isolate them and prevent voltage leaks.

June 06, 2026

• Kevin Fenzi misc fedora bits first week of june 2026

  

  Another busy week for me. Lots of little things all over the place.

  mass update/reboots

  We got everything updated and rebooted and cleaned up any messes from that (at least as far as I know). We did firmware updates on servers this time, and those always cause things to take much longer. Instead of a 'quick' 5m reboot of a server, it's more 20-25m to apply all the firmware updates and reboot a bunch of times. Ah well, it's good to be up to date.

  We did have one arm server fail to come up after reboot. ;( It has a memory error, so we are having datacenter folks reseat all the memory (this happened once before and that cleared it up).

  Some old long running tickets

  I was able to try and move some old long running tickets over the finish line this week:

  • systemd-boot signing. This is all setup, but needs to be tweaked in the package and tested. Note that this is a self signed cert, but it will still hopefully help folks using systemd-boot.

  • Looked over a bunch of work from Stephen Gallagher to fix some dist-git repos that have commits that break git fsck. I hope I can finish this up early next week.

  And a few new things

  • Got the drm-panic 'application' deployed. (I just deployed, the change owner did all the heavy lifting).

  • Setup a pagure-stg-ro01 machine to test a 'readonly' pagure instance.

  • Got koji upgraded to 1.36.0.

  • Got all koji builders, hubs and kojipkgs moved to fedora 44

  • Moved all our proxies to fedora 44

  • Moved all our compose hosts to fedora 44

  • Fixed some openshift apps that were still pulling from docker hub (and getting rate limited). I even moved greenwave to using a hummingbird memcached container. Works great!

  flock

  Flock is coming up fast now. I will be traveling to it starting next thursday. So expect me to be largely offline thursday and friday, and then only sporadically online while I am at flock.

  Really looking forward to meeting up with folks and getting that good flock infusion of energy.

  As always, comment on the fediverse: https://fosstodon.org/@nirik/116704516544974008

June 05, 2026

• Remi Collet ⚙️ PHP version 8.4.22 and 8.5.7

  RPMs of PHP version 8.5.7 are available in the remi-modular repository for Fedora ≥ 42 and Enterprise Linux ≥ 8 (RHEL, Alma, CentOS, Rocky...).

  RPMs of PHP version 8.4.22 are available in the remi-modular repository for Fedora ≥ 42 and Enterprise Linux ≥ 8 (RHEL, Alma, CentOS, Rocky...).

  ℹ� These versions are also available as Software Collections in the remi-safe repository.

  ℹ� The packages are available for x86_64 and aarch64.

  ℹ� There is no security fix this month, so no update for versions 8.2.31 and 8.3.31.

  Version announcements:

  • PHP 8.5.7 Release Annoucement
  • PHP 8.4.22 Release Annoucement

  ℹ� Installation: Use the Configuration Wizard and choose your version and installation mode.

  Replacement of default PHP by version 8.5 installation (simplest):

  On Enterprise Linux (dnf 4)

  dnf module switch-to php:remi-8.5/common
  

  On Fedora (dnf 5)

  dnf module reset php
  dnf module enable php:remi-8.5
  dnf update
  

  Parallel installation of version 8.5 as Software Collection

  yum install php85

  Replacement of default PHP by version 8.4 installation (simplest):

  On Enterprise Linux (dnf 4)

  dnf module switch-to php:remi-8.4/common
  

  On Fedora (dnf 5)

  dnf module reset php
  dnf module enable php:remi-8.4
  dnf update
  

  Parallel installation of version 8.4 as Software Collection

  yum install php84

  And soon in the official updates:

  • Fedora Rawhide now has PHP version 8.5.7
  • Fedora 44 - PHP 8.5.7
  • Fedora 43 - PHP 8.4.22

  ⚠� To be noticed :

  • EL-10 RPMs are built using RHEL-10.2
  • EL-9 RPMs are built using RHEL-9.8
  • EL-8 RPMs are built using RHEL-8.10
  • intl extension now uses libicu74 (version 74.2)
  • mbstring extension (EL builds) now uses oniguruma5php (version 6.9.10, instead of the outdated system library)
  • oci8 extension now uses the RPM of Oracle Instant Client version 23.26 on x86_64 and aarch64
  • A lot of extensions are also available; see the PHP extensions RPM status (from PECL and other sources) page

  ℹ� Information:

  • Migrating from PHP 8.2.x to PHP 8.3.x
  • Migrating from PHP 8.3.x to PHP 8.4.x
  • Migrating from PHP 8.4.x to PHP 8.5.x

  Base packages (php)

  

  

  Software Collections (php83 / php84 / php85)

  

  

   

• Michel Alexandre Salim Work-Life Balance 🏖️ with Sandogasa 👒 Hat-Track

  Caveat lector

  This post discusses tools reluctantly written with AI assistance. If you don’t entertain using them under any circumstance, and think even reading about them legally compromise your ability to reimplement them yourselves, stop reading now

  Happy Friday! Of course it’s not Friday anymore in Asia, and if I finish this post in time, it’s still the work day in the Western Hemisphere.

  When you work in a large distributed project, it’s not dissimilar to working in a large multinational company - there are too many people to know everyone (or at least not at once!) and you might not know where someone is and if you’re pinging them in the middle of the night.

June 04, 2026

• Kiwi TCMS Kiwi TCMS 16.0

  Dear testers, we're happy to announce Kiwi TCMS version 16.0!

  IMPORTANT:

  This is a major version release which includes security related updates several improvements, backwards incompatible changes and new translations.

  You can explore everything at https://public.tenant.kiwitcms.org!

  ---

  Public container image (x86_64):

  pub.kiwitcms.eu/kiwitcms/kiwi   latest  3b2c789666ec   867MB
  

  IMPORTANT: version tagged and multi-arch container images are available only to subscribers!

  Changes since Kiwi TCMS 15.4

  Security

  • Update Django from 5.2.12 to 5.2.15
  • Upadate pillow from 11.3.0 to 12.1.1
  • Update node_modules/fast-uri from 3.1.0 to 3.1.2
  • Update node_modules/flatted from 3.3.3 to 3.4.2
  • Make /init-db/ page a no-op if already executed once. Fixes CVE-2026-49292

  Improvements

  • Update Python runtime from 3.11 to 3.12
  • Update Node.js runtime from 16 to 22
  • Update Nginx runtime from 1.22 to 1.26
  • Update django-grappelli from 4.0.3 to 5.0.0
  • Update django-guardian from 3.3.0 to 3.3.1
  • Update django-tree-queries from 0.23.1 to 0.24.0
  • Update psycopg from 3.3.3 to 3.3.4
  • Update pygithub from 2.8.1 to 2.9.1
  • Update pygments from 2.19.2 to 2.20.0
  • Update python-gitlab from 8.1.0 to 8.4.0
  • Update tzdata from 2025.3 to 2026.2
  • Update node_modules/pdfmake from 0.3.6 to 0.3.7
  • Update node_modules/webpack-cli from 7.0.1 to 7.0.2
  • Update node_modules/webpack from 5.105.4 to 5.106.0
  • Display Last modified column in TestCase Search page. Closes Issue #4140
  • Remove requirement for setuptools<82. Fixes Issue #4299

  Removals

  • Remove Bitbucket Issues integration because Atlassian has announced the removal of this feature

  Release

  • pub.kiwitcms.eu/kiwitcms/kiwi container is now a rolling release
  • PyPI packages are uploaded to pkg.kiwitcms.eu. Closes Issue #3376

  API

  • API method TestCase.filter() now returns the history_date field

  Refactoring and testing

  • Update black from 25.12.0 to 26.5.1
  • Update locust from 2.43.3 to 2.44.1
  • Update codecov/codecov-action from 5 to 6
  • Merge Dockerfile.buildroot with Dockerfile. Closes Issue #3496
  • Replace pkg_resources discovery with importlib.metadata
  • GitLab Issues are now called Work Items

  Translations

  • Updated Chinese Simplified translation
  • Updated Japanese translation
  • Updated Korean translation

  Changes since Kiwi TCMS Enterprise v15.3-mt

  • Based on Kiwi TCMS v16.0
  • Update Python runtime from 3.11 to 3.12
  • Update certbot from 5.4.0 to 5.6.0
  • Update django-prometheus from 2.4.1 to 2.5.0
  • Update kiwitcms-github-app from 2.1.0 to 2.2.2
  • Update kiwitcms-tenants from 4.4.1 to 4.4.4
  • Update kiwitcms-trackers-integration from 1.2.1 to 1.3.1
  • Update psycopg-pool from 3.3.0 to 3.3.1
  • Update sentry-sdk from 2.54.0 to 2.61.1
  • Update social-auth-kerberos from 0.3.0 to 0.3.2
  • Update social-auth-app-django from 5.7.0 to 5.9.0
  • Remove OpenResty override
  • Remove requirement for setuptools<82
  • Honor container ENV variable NGX_DENY_INCLUDE
  • Don't use legacy syntax in Dockerfile
  • Provide sample SSL configuration for Postgres and configure Kiwi TCMS to connect to it securely. Closes Issue #2413

  Private container images

  hub.kiwitcms.eu/kiwitcms/version          16.0 (aarch64)          d972a78b065c    04 Jun 2026     720MB
  hub.kiwitcms.eu/kiwitcms/version          16.0 (x86_64)           876f5b848ee7    04 Jun 2026     701MB
  hub.kiwitcms.eu/kiwitcms/enterprise       16.0-mt (aarch64)       25fc9c88a3b5    05 Jun 2026     925MB
  hub.kiwitcms.eu/kiwitcms/enterprise       16.0-mt (x86_64)        3a7747c99b65    05 Jun 2026     904MB
  

  IMPORTANT: version tagged, multi-arch and Enterprise container images are available only to subscribers!

  How to upgrade

  Follow the Upgrading instructions from our documentation.

  Happy testing!

  ---

  If you like what we're doing and how Kiwi TCMS supports various communities please help us grow!

  • Give â­� on GitHub;
  • Join our newsletter and follow all news;
  • Become a subscriber and help us sustain development

• Dave Airlie Appearing on the Software Engineering Radio Podcast

  Software Engineering Radio is a podcast for people in IT/development with over 700 episodes across many topics over 20 years. They haven't touched on the Linux kernel much. I was invited on as part of my role at Red Hat as a Distinguished Engineer, but the podcast is really an insight into kernel maintenance, in graphics and beyond, touching on the scope and scale of the project.

  It was my first time to record something that wasn't just me talking at a conference/meetup, and it was all very professional, with sound checks and brainstorming before hand. 

  The content is at a pretty broad and introductory level. We talked about kernel development processes, maintenance processes, and we touch on rust in the kernel a bit. It's mostly about the sheer size and scale of the project and how Linus releases things, how trees get to Linus and how the GPU work is done.

   Hopefully you enjoy listening to it!

  [1] https://se-radio.net/2026/06/se-radio-723-dave-airlie-on-linux-kernel-maintenance/ 

• Cockpit Project Cockpit 363

  Cockpit is the modern Linux admin interface. We release regularly.

  Here are the release notes from cockpit-files 41:

  Files: Add editor shortcut for “Save”

  You can now type “Ctrl-S” to save a file in the editor.

  Thanks a lot @Leone25 for this contribution!

  Try it out

  cockpit-files 41 are available now:

  • For your Linux system

  • Cockpit Client

  • cockpit-files Source Tarball
  • cockpit-files Fedora 44
  • cockpit-files Fedora 43

June 01, 2026

• Marcin 'hrw' Juszkiewicz Arm desktop: so many cores, not enough speed

  Using a system with 80 AArch64 cores can be a pleasure. Or a pain…

  Multicore heaven?

  Having 80 cores sounds nice, doesn’t it? But not so much during actual use…

  You see, building Fedora packages was flying by. With all cores in use, ccache buffers filling up (in case of rebuilds), and 128 GB of RAM in constant use, etc.

  But at the same time, 100% load on all cores means you cannot listen to music on Spotify or watch online videos, etc. All that because the CPU cores are occupied by the build processes.

  I tried to use cgroups to limit cpu.max for each fedpkg mockbuild call. It did not help much: the audio was still jerky.

  To compare: I wrote this post on a system powered by a Ryzen 5 3600 CPU while a package build was running in the background. All twelve CPU threads were 100% busy, yet the music did not skip.

  All of this shows that cores-heavy CPUs are perhaps not a good choice for a desktop machine. Latencies, the scheduler and context switching — all of this introduces enough noise to make a desktop user suffer.

  The lack of single-thread speed

  Arm processors are good in many cases, as long as you do not need pure, single-thread, CPU power.

  It is very noticeable in a web browser. For example, Bitwarden unlocks with a noticeable delay, while on a Ryzen 5 3600, it is nearly instant. And it feels even worse when you watch some YouTube videos like “who will make faster PC on a €100 budget”, and then you run the same browser benchmark and get worse results…

  Many software builds also highlight this problem. I have a feeling that developers have grown used to a small number of fast CPU cores, which is the norm on the x86-64 architecture, and their code is written to take it for granted.

  And then you look at your machine, where 70 cores do nothing, waiting for some code to finally compile or link. I have seen one software package where the bootstrap was composed of TWO source files. Both were over two megabytes in size and full of machine-generated C code. Two cores were kept busy for quite a while, while the other 78 had to wait.

  Not much has changed since my the “From the diary of AArch64 porter — parallel builds” blog post from eight years ago.

  Of course, there are also packages which will take all cores, whole memory and as much swap as possible, and do magic in nearly no time. When I started build of the PrusaSlicer package, I had to add some swap because Firefox was gone due to OOM. Having less than 2 GB of RAM per CPU core really sucks ;D

  Summary

  To use a desktop system you do not need many cores. As long as they are fast.

May 30, 2026

• Kevin Fenzi misc fedora bits the last week of may 2026

  

  Another week has gone by, time for another longer form recap.

  More rhel10 migrations

  Some more rhel10 migrations this last week. This time our memcached instances, our tang servers and a few others. Slowly making progress, but this will get us down to the 'fun' ones: Database servers, virthosts that host important things, etc.

  Fedora 42 eol

  Tuesday was supposed to be the end of life for Fedora 42. For some reason, the date was set to be wed, and then there was some delays due to failed updates composes that pushed it to thursday. It's done however. Fedora 42 was a nice release, it served well. We still have just 3 Fedora 42 instances we need to move and we will do those next week...

  Updated staging koji

  I have updated our staging koji ( https://koji.stg.fedoraproject.org ) hub and builders all to Fedora 44 and the latest koji version (1.36.0). We have some non upstreamed patches for our theme, and koji upstream changed from cheeta to jinja2 for it's templates which completely broke that. I was able to use a clanker to rework the patch for jinja2 and then manually fix it from there to work. I'd say it was much quicker, but the process wasn't particularly satisfying. Anyhow, it's done and working as far as I have been able to test in staging.

  Mass update/reboot cycle next week

  We are going to apply updates all around and reboot things next week. There is a lot we hope to do on this outage:

  • rhel 9.8 and 10.2 came out, so we will be updating all rhel servers to those.

  • we will be upgrading the wiki servers from f42 to f44 (and newer mediawiki)

  • I hope to do some rhel10 reinstalls while we are in outage

  • Upgrade prod koji to 1.36.0 and f44 (hubs and builders)

  • There is a chance DC operations want us to move some servers from one set of racks to another to balance power usage out. Still to be determined if this happens.

  So, it should be a busy week

  Flock

  The week after next, flock is already upon us! I hope to be there and able to catch up with old friends and new.

  As always, comment on the fediverse: https://fosstodon.org/@nirik/116664633411162579

May 29, 2026

• Jon Chiappetta Lessons Learned From Implementing Multi-Threaded VPNs!

  When reading packets or network data from a tunnel interface, the order in which they are read does matter as they can impact connectionless protocols and also cause stateful protocols to spend time re-ordering data! There were three techniques that I tried implementing to solve this issue:

  • Map a packet address to a thread index during the entire time of every connection state
  • Index and order every packet read by number and wait to write them out in the same sequence
  • Lock and time and order each threaded process just like many pistons firing inside of an engine block

  ~

• Allan Day GNOME Foundation Update, 2026-05-29

  Welcome to another update about everything that’s been happening at the GNOME Foundation. As has become my custom, this post covers a two week period, this time from 18 May until today, 29 May. As usual the Foundation continues to be busy, with events, infra, governance, and accounting activities all happening simultaneously. Read on for more information!

  Events

  Linux App Summit (LAS) 2026 was held in Berlin over the 16-17 May weekend. I’ve heard quite a few reports now, and everyone seemed extremely positive about the event. Kristi wrote a nice summary if you want more details.

  The GNOME Foundation had two team members on the ground helping with running the event, which we co-organize with KDE. I’d like to take this opportunity to give a big thank you to the event’s sponsors: openSUSE, Tuxedo, Nextcould and Codethink. This event wouldn’t be possible without your support.

  In addition to LAS, work is continuing on arrangements for GUADEC 2026. The deadline for travel sponsorship applications has now passed, and the Travel Committee has met to decide who will be funded. Notifications will be going out soon.

  Board Elections

  The process is officially underway for this year’s Board elections. Terms on our Board of Directors are two years in length, and each year half the board seats are open for election. This year we have five seats being contested.

  The 2026 election has a slightly different schedule to previous years. In the past, there was no gap between the candidacy period, in which people can announce their intention to run, and the voting period. This meant that there was little opportunity for last-minute candidates to participate in discussion prior to voting taking place.

  To address this, we’ve added a one week discussion period to the schedule, which will run between 8 and 15 June, between the candidacy and voting periods. This will hopefully give us opportunity to have more structured and inclusive debate amongst the candidates. We are still figuring out what that might look like, so if people have ideas or want to help, let me know in the comments.

  GNOME Fellowship

  We are currently in the very final stages of confirming and announcing the successful candidates for the inaugural round of the Foundation’s Fellowship program. Expect an announcement very soon.

  Got a Concern?

  Last week we introduced a new policy for handling of concerns about the Foundation, which is now part of the project handbook.

  The new policy covers how to report concerns about people who are working for the Foundation, either in a paid or voluntary capacity. It also covers more general concerns about the Foundation.

  The main goals of the policy are to:

  • have a documented reporting procedure for those who have concerns relating to the Foundation
  • clarify how concerns will be responded to
  • provide reassurance for those reporting concerns, including that concern reports are welcome, are taken seriously, and will never result in retaliation

  We hope that this policy will make it clear how you can inform us of a concern if you have one. We also want to emphasise that we want to hear concerns, so we can address them. Please do use the new reporting procedure.

  Finance/Accounting

  Work has continued on the finance and accounting operation over the past two weeks. Highlights include:

  • Our transition to a monthly rather than quarterly close reached a significant milestone this week, with the completion of our April finance reports within three weeks of the previous month end. This is probably the fastest ever turnaround for our finance operation, and is a huge win for us in being able to effectively manage our finances.
  • Following input from the board, corrections have now been sent to the accountants for our audit and annual tax filing.
  • Applications are still open for our Director of Finance and Operations part-time contract. Candidates have until 4 June to submit.
  • Finally, as I mentioned in my last update, we are in the process of retiring a number of finance platforms as we consolidate and streamline our operation. This week saw another platform retired, which brings the total number of eliminated platforms to four.

  Infrastructure

  Our infrastructure experienced a DDoS attack last weekend, which Bart and Andrea have been dealing with. Thankfully it seems that services weren’t too badly affected, and we’ve already improved our protection against similar attacks in the future.

  Also on the infra side, Bart wasn’t at LAS this year, but he did spend some time writing two great posts about Flathub’s internals: How does Flathub even work? and Why are Flathub downloads so slow sometimes?. They’re a fascinating read if you’re interested in Flathub.

  That’s it from me! As always, thanks for reading, and see you in two weeks.

• Jon Chiappetta A Year Of Three Websites

  https://fossjon.com

  https://xorcipher.com

  https://icanhazdns.com

  ~

May 28, 2026

• Jon Chiappetta I Created A New Web Service For Command Lines – icanhazdns.com

  It is inspired by icanhazip.com but it returns a little more information as well!

  curl icanhazdns.com

  ~

• Jon Chiappetta EARTH-TO-APPLE – Curved Glass Is More Beautiful Than Curved Metal!

  Please help me start a petition to Apple to bring back smaller sized phones with a pro screen and a flat metal ribbon which wraps the curved glass front and back like a beautiful diamond ring design should be! The iPhone 4S was soo close, all it needed was a full AOD screen with curved corners and edges…

  

  

May 27, 2026

• Adam Young Debugging Rust in Vim

  On Fedora:

  yum install termdebug

  in ~/.vimrc

  let g:termdebug_config = {}
  let g:termdebug_config['command'] = 'rust-gdb'
  
  packadd! termdebug
                     

  Inside vim:

  Termdebug target/debug<executable>
  

  Use Ctrl-W DownArrow to switch between windows

  Use :Break to set a breakpoint in the code window

  Use Ctrl-W UpArrow to go to the gdb window

  use run to run the program and cont to continue after hitting a break point.

• Jon Chiappetta Upgrade Ubuntu To The Next Major Release via Command Line SSH/Screen

  screen -dm -S up bash -c "do-release-upgrade -d -m server ; sleep 99999"

  Bonus Command:

  screen -p 0 -S test -X stuff 'echo "test" \n'

  ~

May 26, 2026

• Fedora fans آموزش نصب و راه اندازی MasterDnsVPN

  

  MasterDnsVPN یک نرم‌افزار متن‌باز و پیشرفته برای DNS Tunneling است که با زبان Go توسعه داده شده و با کپسوله‌سازی ترافیک TCP داخل درخواست‌ها و پاسخ‌های DNS، امکان عبور از محدودیت‌ها و فیلترینگ شدید اینترنت را فراهم می‌کند. این پروژه با تمرکز بر پایداری، سرعت و عملکرد در شبکه‌های دارای Packet Loss بالا طراحی شده […]

  The post آموزش نصب و راه اندازی MasterDnsVPN first appeared on طرفداران فدورا.

May 24, 2026

• Kevin Fenzi blood glucose monitoring with open source

  

  Over a year ago now, I was diagnosed with Diabetes. I'm not going to go into too much about it here since there's tons of other online resources for it, but I wanted to share one particular area where I have been able to use serveral open source products to help monitoring and tracking my blood glucose levels.

  Monitoring blood glucose is important information. Various things affect it and it's good to know what those are and how much they affect it. Some things affect it very quickly (exercise) and some more slowly (digesting food). Some foods affect levels dramatically, some not as much.

  When I was first diganosed, the recommendation from my doctor was to use periodic blood tests to see what the levels were. This consists of a set of lancets, some monitoring strips and a reader. You poke your finger and draw a drop of blood on the strip, then put that in the reader and it gives you a reading. This is really quick accurate, but it has a lot of drawbacks:

  • You have to poke yourself all the time and it's painfull and anoying.

  • The reader has bluetooth (but the only thing that can connect to it is a closed source android app).

  • The closed source/non free android app requires you to make an account and then send all your readings to some company.

  • Its really not easy to test a lot, or when traveling.

  • You consume a lancet and a test strip for every test. They are small, but it's still consumable/waste.

  I looked at getting a CGM (continous glucose monitor) which is a sensor you affix to your arm and it monitors all the time for a few weeks, when it needs to be replaced. This seemed much nicer, but it had drawbacks too:

  • More expensive

  • Still had a closed source/non free app that required you to make an account and upload all your data to them.

  • slightly less accurate

  So, I just kept on with infrequent stick testing, until I noticed a post from Bradley Khun on the software freedom conservency blog:

  https://sfconservancy.org/blog/2025/nov/06/juggluco-foss-continuous-glucose-montior-diabetes/

  There was a open source android app to talk to these sensors!

  So, a quick message to my doctor and a perscription in hand, I got some monitors to try out. Juggluco ( https://github.com/j-kaltes/Juggluco ) has kind of a odd interface, but it works great once you figure it out. The sensors seem like they would be painful to attach, but I really haven't noticed anything when applying them. They also make some 'covers' that fit over them to protect them from water/etc. They do look a bit ragged after 15 days, but I've not had one come off yet. Being able to have readings all the time has been very nice. Especially when traveling. It can even give you a 'estimated a1c' value (This is basically a trending for blood glucose over the last N months). You can see immediate results from exersize and can definitely see 1-2 hours after meals how much they affect things.

  All my data is stored on my phone, which was ok, but I wanted to have a longer term/more stable backup of that data at least.

  Google created a while back a setup in android for medical / heath data. "Health Connect" is surprisingly well setup. You (the user) can decide exactly what applications have permissions to write what health data and what applications have permissions to read that data. The idea being that you can decide to share some data with some application, or revoke it later if you choose to. All the data is still stored on the phone, this is just controlling access to it.

  The android home assistant application has the ability (if you grant it to read health connect data. I then just set juggluco to write blood glucose values into health connect and allowed home assistant application to read that. A new sensor appears in home assistant. Now I can graph, run automations based on it, or do anything I can normally do with a sensor in home assistant. You can do the same with for example the 'steps' counter that android keeps automatically.

  There is one slight gotcha in this setup that I discovered a few weeks ago. I went to go look at my longer term blood glucose trends, and... there was only 10 days of values in home assistant. ;( The home assistant android app doesn't keep long term statistics anoyingly. You can get around this by making a template sensor that just reads from the android app one and it will keep long term data (although the usual home assistant way of 1 datapoint per hour instead of all the datapoints, but that should be reasonable for long term trends).

  Overall I think its a pretty nice setup now. I do wish the sensors lasted longer. They last for 15 days and then stop. I'm not sure if thats a limit of battery life, some kind of reading accuracy issue or just that they want you to buy more sensors.

  comments? additions? reactions?

  As always, comment on the fediverse: https://fosstodon.org/@nirik/116630715953443762

May 23, 2026

• Kevin Fenzi misc fedora bits third week of may 2026

  

  Another saturday, time for another longer form weekly recap of what I have been up to in Fedora Infrastructure.

  RHEL10 migrations

  RHEL10 migrations are in full swing. Moving things we have that are on RHEL9 over to RHEL10 with clean re-installs. Mostly this is just pretty easy, but I did run into a few fun things:

  • One of our donated servers was really old and couldn't run RHEL10, so, the provider provisioned us a new(er) one. All good, but we like to do clean installs of our servers and this provider didn't happen to have a remote console, so it was kind of flying blind. First, the RHEL10 installer would hang on boot in systemd-gpt-auto-generator. My theory ( but I haven't tested it yet to be sure ) is that because they installed Fedora 44 on it, when it booted to the RHEL10 installer it would try and figure out the partitions, that would work, but then because there's no btrfs support it would get confused and hang. Next I ran into vnc being deprecated in rhel10.1. Fine, but, also no rdp kickstart directive available, you MUST pass inst.rdp on the boot line. Then of course various adventures in partitioning and such. I did finally get it done, but there was a lot of 'please reboot it' back and forth with the very patent provider.

  • I found another of our old machines ( which is due to be replaced this year, but with hardware prices and availablity I am not sure it actually will be ) is actually BIOS booting still. I just left it for now, if we don't end up replacing it I might reinstall uefi.

  • A few issues around our internal repo files and which things they were or should be pointing to (for minor releases, since 10.2 came out while I was in the middle of installing some things).

  Anyhow, good progress being made on all the easy ones.

  Flock coming up fast

  https://fedoraproject.org/flock/2026/ is coming up fast. Just 3 weeks. This is our big conference of the year, will be great to meet up with folks and discuss everything.

  comments? additions? reactions?

  As always, comment on the fediverse: https://fosstodon.org/@nirik/116625217014724131

• Remi Collet 📝 Redis version 8.8

  RPMs of Redis version 8.8 are available in the remi-modular repository for Fedora ≥ 43 and Enterprise Linux ≥ 8 (RHEL, Alma, CentOS, Rocky...).

  1. Installation

  Packages are available in the redis:remi-8.8 module stream.

  1.1. Using dnf4 on Enterprise Linux

  # dnf install https://rpms.remirepo.net/enterprise/remi-release-$(rpm -E %rhel).rpm
  # dnf module switch-to redis:remi-8.8/common

  1.2. Using dnf5 on Fedora

  # dnf install https://rpms.remirepo.net/fedora/remi-release-$(rpm -E %fedora).rpm
  # dnf module reset  redis
  # dnf module enable redis:remi-8.8
  # dnf install redis --allowerasing

  You may have to remove the valkey-compat-redis compatibility package.

  2. Modules

  Some optional modules are also available:

  • RedisBloom as redis-bloom
  • RedisJSON as redis-json
  • RedisTimeSeries as redis-timeseries

  These packages are weak dependencies of Redis, so they are installed by default (if install_weak_deps is not disabled in the dnf configuration).

  The modules are automatically loaded after installation and service (re)start.

  The modules are not available for Enterprise Linux 8.

  3. Statistics

  redis
  

  redis-bloom
  

  redis-json
  

  redis-timeseries
  

May 22, 2026

• Remi Collet 🎲 PHP version 8.4.22RC1 and 8.5.7RC1

  Release Candidate versions are available in the testing repository for Fedora and Enterprise Linux (RHEL / CentOS / Alma / Rocky and other clones) to allow more people to test them. They are available as Software Collections, for parallel installation, the perfect solution for such tests, and as base packages.

  RPMs of PHP version 8.5.7RC1 are available

  • as base packages in the remi-modular-test for Fedora 42-44 and Enterprise Linux ≥ 8
  • as SCL in remi-test repository

  RPMs of PHP version 8.4.22RC1 are available

  • as base packages in the remi-modular-test for Fedora 42-44 and Enterprise Linux ≥ 8
  • as SCL in remi-test repository

  ℹ️ The packages are available for x86_64 and aarch64.

  ℹ️ PHP version 8.3 is now in security mode only, so no more RC will be released.

  ℹ️ Installation: follow the wizard instructions.

  ℹ️ Announcements:

  • PHP 8.5.7RC1 available for testing
  • PHP 8.4.22RC1 available for testing

  Parallel installation of version 8.5 as Software Collection:

  yum --enablerepo=remi-test install php85

  Parallel installation of version 8.4 as Software Collection:

  yum --enablerepo=remi-test install php84

  Update of system version 8.5:

  dnf module switch-to php:remi-8.5
  dnf --enablerepo=remi-modular-test update php\*

  Update of system version 8.4:

  dnf module switch-to php:remi-8.4
  dnf --enablerepo=remi-modular-test update php\*

  ℹ️ Notice:

  • version 8.5.4RC1 is in Fedora rawhide for QA
  • EL-10 packages are built using RHEL-10.1 and EPEL-10.1
  • EL-9 packages are built using RHEL-9.7 and EPEL-9
  • EL-8 packages are built using RHEL-8.10 and EPEL-8
  • oci8 extension uses the RPM of the Oracle Instant Client version 23.26 on x86_64 and aarch64
  • intl extension uses libicu 74.2
  • RC version is usually the same as the final version (no change accepted after RC, exception for security fix).
  • versions 8.4.19 and 8.5.4 are planed for March 12th, in 2 weeks.

  Software Collections (php84, php85)

  

  

  Base packages (php)

  

  

May 21, 2026

• Michael Catanzaro Single-Click Code Execution Exploit for Evince, Atril, and Xreader

  CVE-2026-46529 is an argument injection vulnerability in Evince, Atril, and Xreader caused by missing shell quoting when composing a command line. The reporter, Jo達o Medeiros, has published a GitHub repo for the CVE and a blog post with the story of how he discovered the flaw and developed the exploit. He also created an Atril security advisory and an Evince issue report.

  The vulnerability is fixed in:

  • Evince 48.4 (fix commit) (I originally reported that it is fixed in 48.2, but there was no successful release for that tag)
  • Atril 1.28.4 and 1.26.3 (fix commit)
  • Xreader 4.6.4 and 3.6.7 (fix commit)

  If you use one of these PDF readers, update immediately. Or at least please be seriously paranoid about clicking on links in PDFs until you do update.

  This vulnerability also affects Papers, but it’s probably not urgent to update Papers. (No, not because it uses Rust. Keep reading!)

  The Flatpak sandbox could have drastically reduced the danger of this attack, limiting the compromise to only files that you had previously opened in the PDF reader. Sadly, Evince and Papers both use sandbox holes that render the sandbox totally meaningless. (Atril and Xreader are not available on Flathub.)

  The Vulnerability

  When you click on a link in a PDF, Evince may execute itself to display the link. Normally the command line used would look something like this:

  /usr/bin/evince --named-dest=/home/foo/hello.pdf

  But an evil PDF may trick Evince into executing a command that is quite different than expected:

  /usr/bin/evince --named-dest= --gtk-module=/home/foo/evil.so /home/foo/hello.pdf

  Oops. The first part of the command is always going to be /usr/bin/evince, but the evil PDF is nevertheless able to unexpectedly load a GTK module into Evince. The fix is to quote the untrusted input using g_shell_quote() to ensure it cannot “break out” of its intended context:

  /usr/bin/evince --named-dest='/home/foo/hello.pdf'

  Or:

  /usr/bin/evince --named-dest=' --gtk-module=/home/foo/evil.so /home/foo/hello.pdf'

  Much better: now the threat is neutralized. g_shell_quote() is safe to use even if the untrusted input itself contains quotes. (However, beware: this only works because GLib is parsing the command line itself, and GLib is not a real Unix shell. It’s not safe if the input is going to be passed to an actual Unix shell. It might not even be theoretically possible to do that safely, because it’s valid for filenames to contain entirely arbitrary characters!)

  All GTK 3 apps support the --gtk-module command line argument for injecting a shared library into the application. The library may of course then execute whatever code it wants via its library constructor. But GTK 4 no longer has standard GTK command line flags, so this does not work for GTK 4 applications like Papers. It’s still possible to tell a GTK 4 app to load a GTK module, but only via environment variables, not via command line flags, and I don’t see any opportunity for the malicious command to set environment variables. It’s probably not possible to exploit this vulnerability in Papers: although it has the exact same vulnerability as the other PDF readers, the impact is different.

  The Exploit

  So far this looks like a pretty typical security bug. OK, so if you trick the user into downloading an archive (or perhaps a git repo) that contains both a malicious PDF and also a malicious shared library, then you can trick the PDF reader into loading the shared library and thereby execute arbitrary code. That’s a pretty bad foreseeable exploit, sure, but at least the attacker is at considerable risk of arousing suspicion if the user is trying to download a PDF and also receives a shared library. You’d have to try pretty hard to hide the library in a forest of other boring files if you want the attack to look convincing and unsuspicious. Right?

  Nope.

  Jo達o used Claude Opus 4.7 to develop a sophisticated script for building malicious polyglot PDFs that are simultaneously both valid PDF files and also valid ELF binaries, so the attacker only needs to trick the victim into downloading one evil PDF file. When the victim clicks on a link in that PDF, the PDF reader will dlopen the PDF itself. The PDF/ELF polyglot’s library constructor will then execute arbitrary code. Much less suspicious, and much scarier. Polyglot files are not entirely novel, but I’d still say this required substantial creativity and expertise from the AI, and substantial persistence from the human. Needless to say, very nice job to both Claude and Jo達o.

  You can easily build your own malicious PDF using the provided script and sample GTK module. The script in the Evince and Atril issue reports requires that the attacker predict the absolute path that the malicious PDF file will be saved to; however, Jo達o’s blog post and GitHub repo refine the exploit to remove that requirement.

  Thoughts on AI Vulnerability Reports

  A human inspecting this code should have been able to find the parameter injection vulnerability, but that requires considerable time and effort, so unsurprisingly nobody did. We’re probably in for a rough time in the short term as the volume of AI-generated vulnerability findings remains temporarily very high and attackers have a much easier time crafting working exploits. But in the long term, I expect we are going to be much more secure than we were before, so this will be worth it.

  A human working alone would have almost certainly stopped and moved on after finding the vulnerability. Claude allowed taking the investigation much farther. It’s highly unusual for a GNOME vulnerability report to come with a working exploit. This is a dangerous change. Perhaps it will be a one-time event, but I suspect we will be seeing more frequent exploits in the future.

  Silver lining: the exploit helps us better appreciate the severity of the issue. It’s often hard to assess how bad a vulnerability is. If not for the weaponized exploit, I would have thought this bug was not very scary, and would have treated it as not a big deal. We would have fixed it, perhaps or perhaps not with a CVE ID, surely without any blog post or fanfare, and probably without distro security updates. But since there is an exploit, we instead had no doubt that this vulnerability was dangerous, and were able to handle it accordingly.

  Several GNOME projects have begun outright prohibiting all AI-generated contributions, including issue reports, with no exception for vulnerability reports. Such policies are misguided and unacceptable. I can sort of understand why some projects might (misguidedly) wish to prohibit AI-generated code contributions. OK, fine. But blocking AI vulnerability reports will make GNOME less safe. AI-assisted vulnerability reporting is the new industry standard for good reason: it is highly effective.

  Some humans are not good at preparing AI-assisted vulnerability reports and will spam maintainers with low-quality reports. Sometimes they will be outright bogus, although more often there may be valid underlying bugs with exaggerated severity claims or bad proof of concept demos. This is annoying, but bad issue reports are a cost we are just going to have to accept and deal with.

  The quality level of AI vulnerability reports reviewed by conscientious humans — as well as AI assessments of AI vulnerability reports — is now often quite encouraging. But just like humans, AIs may also miss things, especially subtle distinctions that may be highly relevant. Although I�� quite impressed with these AIs, we still need experienced humans to review and manage reports. Please don’t abuse the technology by submitting vulnerability reports that you do not understand or have not validated. And certainly please do not allow an AI agent to interact with an issue tracker on your behalf!

  For Security Geeks

  This was my first time scoring a vulnerability using CVSS 4.0 rather than CVSS 3.1. It’s also the first time I wasn’t terribly confused about how to set the parameters, because the scoring guide contained answers to all of my questions. Nice. My CVSS vector for CVE-2026-46529 is CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N, the base score is 8.4, and I’m pretty sure my choices for each parameter are good. By comparison, using CVSS 3.1 I came up with CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H and base score 7.8.

May 20, 2026

• Richard Hughes LVFS Sponsorship Announcement: HP

  Some more great news: I’m pleased to announce that HP has also agreed to be premier sponsor for the Linux Vendor Firmware Service (LVFS) as part of our sustainability effort.

  

  With the industry support from HP (and our existing sponsors of Lenovo, Dell, Framework, OSFF and of course Linux Foundation and Red Hat) we can turbo-charge the growth of the LVFS even more. Thanks!

May 19, 2026

• Guillaume Kulakowski Copyous : le gestionnaire de presse-papiers GNOME que j’attendais

  À force d’utiliser des gestionnaires de presse-papiers au quotidien, difficile de revenir en arrière. Après GPaste puis CopyQ, j’ai découvert Copyous, une extension GNOME légère, rapide et parfaitement intégrée au bureau.

• Gary Benson Docker images by age or size

  Files by age, newest first:

  ls -lt

  Docker images by age, newest first:

  docker images --format "{{.CreatedAt}}\t{{.Repository}}:{{.Tag}}" | sort -r

  Files by size, largest first:

  ls -lS

  Docker images by size, largest first:

  docker images --format "{{.Size}}\t{{.Repository}}:{{.Tag}}" | sort -rh

  Why why why??!

May 17, 2026

• Guillaume Kulakowski Ghostty : mon nouveau terminal sous Fedora 44

  En migrant de Fedora 43 vers Fedora 44, j’en ai profité pour revoir mon terminal principal. Après GNOME Terminal, Tilix puis Ptyxis, j’ai finalement adopté Ghostty : un terminal moderne, rapide et minimaliste. Voici pourquoi ce choix m’a convaincu, ainsi que ma configuration complète avec thème Nord, Zsh et quelques ajustements utiles pour SSH.

May 15, 2026

• Allan Day GNOME Foundation Update, 2026-05-15

  Welcome to another GNOME Foundation update post! Today’s installment covers highlights from what’s happened over the past two weeks.

  LAS 2026

  Linux Apps Summit 2026 starts tomorrow! The organizing team, which includes members from both GNOME and KDE, has been hard at work and is on the ground in Berlin making final preparations. The schedule looks great, and it promises to be a well-attended event.

  The talks are being streamed this year, so make sure to watch our social media for details, and tune in live to hear the talks.

  GUADEC 2026

  Preparations are continuing for July’s GUADEC. The call for Birds of a Feather sessions is currently open. If you want to hold an informal discussion or working session, please fill out the form before 5th June.

  Applications are still open for travel funding for GUADEC. The deadline for submissions is 24th May – that’s just over one week.

  Board meeting

  This week the Board of Directors had its regular meeting for May. A summary:

  • The Board authorized the closure of a bank account which we are no longer using.
  • I gave an update on operations over the past month, and got feedback from the Board
  • Felipe Borges from the Internship Committee joined, to give a report. The Board discussed how we can best support the committee.
  • Deepa gave a finance report, which included numbers from January and February. The main news here was that our finances are running close to what was projected for this year’s budget.
  • The Board discussed the draft of the report from the audit we recently underwent, as well as the draft of our latest annual tax filing. This is a routine part of the Board’s work, as it is required to perform a review before these documents are finalized.

  Office transitions

  Our long-running effort to enhance our internal accounting processes has continued over the past two weeks. A notable development has been the retirement of several finance platforms, which have been effectively replaced by the new payments platform that we adopted in January. This platform reduction will reduce operational complexity, as well as workloads. It is still ongoing – we have an additional two more platforms that are currently in the process of being retired.

  Another highlight has been the launch of a search for a new member to join our finance and operations team. This is a part-time, contract-based role, which has been shaped in close consultation with Dawn Matlak, who is supporting our finance and accounting operations on a temporary basis, and has already been factored into our budget projections.

  We are looking for someone at director level who brings substantial nonprofit finance experience — including audit preparation and compliance experience — which reflects how much the Foundation’s operational and regulatory requirements have grown, particularly in the run up to and following our audit last March, and will provide in-house expertise which will reduce our reliance on external consultants. You can read the full posting here.

  Thanks for reading, and see you in two week’s time!

• Kamil Páral Heroes of Fedora Quality for Fedora 44

  Fedora 44 is out, and in this post we’d like to highlight the top Fedora Quality contributors who helped us reach the finish line. Releasing Fedora is a shared effort, and Fedora wouldn’t be a high-quality distribution without its community. Every single person who helped us detect and resolve issues, or verify that things work as expected, deserves our gratitude, thank you!

  If you haven’t participated yet in testing Fedora, perhaps you’d like to give it a try? We gladly welcome everyone. Please look at our Fedora Quality homepage.

  Test cases validation

  Our release validation efforts consist of running lots of test cases on the upcoming Fedora release composes. Here’s an example of a Fedora 44 release candidate. We have lots of tables like these, see Fedora 44 test results. All test cases which are not automated yet (or which are intentionally manual) need to be verified by people.

  Test period: Fedora 44 branch time – Fedora 44 Final release
  Contributors: 19
  Test cases executed: 1380
  Unique referenced bugs: 20

  Name	Test cases executed	Referenced bugs1
  derekenz	468	2365456 2438905 2444046 2448211 2456542 2458714 (6)
  lruzicka	132	2442593 2442988 2444078 2458907 (4)
  geraldosimiao	132	2444046 (1)
  psklenar	112
  kparal	106
  nielsenb	81	2442689 2448757 (2)
  aggraxis	70
  jlinton	58	2183626 2402621 2444775 2444776 2457333 2457336 (6)
  robatino	56
  jcline	36
  abhis3k	35
  xariann	20
  osalbahr	19
  jgroman	15
  pboy	15
  ahmedalmeleh	9
  korora	8
  adamwill	5	2448283 2453216 (2)
  supakeen	3

  ¹ This is a list of bug reports referenced in test cases results. The bug itself may not be created by the same person.

  Reporting bugs

  When a new problem is found, we rely on people reporting it. Not every problem can be fixed, but the better data we have, the better we can prioritize and focus on the most important ones. Especially serious bugs can be even proposed as release blockers.

  Test period: Fedora 44 branch time – Fedora 44 Beta (2026-02-03 – 2026-03-10)
  Contributors: 84
  Bug reports submitted: 182

  Name	Bug reports submitted1	Excess reports2	Accepted blockers3
  Lukas Ruzicka	20	9 (45%)	1
  Petr Sklenar	16	1 (6%)	1
  Adam Williamson	9	1 (11%)	2
  Steven Hollingsworth	9	0 (0%)	0
  Steve Cossette	7	0 (0%)	0
  Kamil Páral	6	1 (17%)	0
  Mr. Beedell, Jared Richard William	5	0 (0%)	0
  Akira TAGOH	4	1 (25%)	0
  Jeremy Linton	4	1 (25%)	0
  lpavan at redhat.com	4	0 (0%)	0
  Neal Gompa	4	0 (0%)	0
  Adrian Vovk	3	0 (0%)	0
  gav at gavworld.co.uk	3	0 (0%)	0
  Laurențiu Nicola	3	0 (0%)	0
  Matt Fagnani	3	0 (0%)	0
  Osama Albahrani	3	0 (0%)	0
  Than Ngo	3	0 (0%)	0
  …and also 67 other reporters who created less than 3 reports each, but 76 reports combined!

  Test period: Fedora 44 Beta – Fedora 44 Final release (2026-03-10 – 2026-04-28)
  Contributors: 252
  Bug reports submitted: 426

  Name	Bug reports submitted1	Excess reports2	Accepted blockers3
  Davide Repetto	18	1 (6%)	0
  Petr Sklenar	18	2 (11%)	0
  Fabio Valentini	12	0 (0%)	0
  Kamil Páral	11	5 (45%)	1
  Adam Williamson	10	0 (0%)	3
  Ricardo Ramos	7	0 (0%)	0
  Lukas Ruzicka	6	1 (17%)	1
  Matt Fagnani	6	0 (0%)	0
  Calum Chisholm	5	0 (0%)	0
  lray+redhatbugzilla at mailbox.org	5	0 (0%)	0
  Andrey Motoshkov	4	0 (0%)	0
  Artem S. Tashkinov	4	1 (25%)	0
  Brian Morrison	4	0 (0%)	0
  Chang Qian	4	0 (0%)	0
  Derek Enz	4	2 (50%)	0
  Dominic	4	0 (0%)	0
  iltis at posteo.de	4	0 (0%)	0
  Jan Macku	4	0 (0%)	0
  Jeremy Nickurak	4	0 (0%)	0
  kxra at riseup.net	4	0 (0%)	0
  Luke	4	0 (0%)	0
  Mr. Beedell, Jared Richard William	4	0 (0%)	0
  Steven Hollingsworth	4	0 (0%)	0
  tk2345_ at outlook.com	3	0 (0%)	1
  Alan Altmann	3	1 (33%)	0
  anotheruser	3	0 (0%)	0
  Cristian Ciupitu	3	0 (0%)	0
  Eugene Mah	3	0 (0%)	0
  Jonathan S.	3	0 (0%)	0
  speedlemma at gmail.com	3	2 (67%)	0
  Steve Cossette	3	0 (0%)	0
  …and also 221 other reporters who created less than 3 reports each, but 252 reports combined!

  ¹ The total number of new bug reports (including “excess reports”). Reopened reports or reports with a changed version are not included, because it was not technically easy to retrieve those. This is one of the reasons why you shouldn’t take the numbers too seriously, but just as interesting and fun data.
  ² Excess reports are those that were closed as NOTABUG, WONTFIX, WORKSFORME, CANTFIX or INSUFFICIENT_DATA. Excess reports are not necessarily a bad thing, but they make for interesting statistics. Close manual inspection is required to separate valuable excess reports from those which are less valuable.
  ³ This only includes reports that were created by that particular user and accepted as blockers afterwards. The user might have proposed other people’s reports as blockers, but this is not reflected in this number.

  Testing proposed updates

  When software packages are updated in Fedora (bringing bug fixes and new features), they are not released to end users immediately. They first go to the updates-testing repository, where they undergo automated testing, and also await manual feedback from human testers. This feedback can be provided through Bodhi, either by using its web interface or CLI tools, see instructions. Alerting package maintainers by posting a negative feedback with a problem description can stop the update from reaching general audience and causing issues to all our users. Testing proposed updates is a simple, yet vital process for keeping Fedora releases of high quality during their whole lifecycle. It is used both for already stable and in-development Fedora releases.

  Test period: Fedora 44 branch time – Fedora 44 Final release (2026-02-03 – 2026-04-28)
  Contributors: 147
  Updates commented¹: 1428

  Name	Updates commented
  Geraldo S. Simião Kutz (geraldosimiao)	307
  Filipe Rosset (filiperosset)	185
  Eugene Mah (imabug)	98
  Derek Enz (derekenz)	88
  anotheruser	78
  bojan	71
  Ian Laurie (nixuser)	66
  Kamil Páral (kparal)	37
  Neal Gompa (ngompa)	35
  Fabio Valentini (decathorpe)	33
  František Zatloukal (frantisekz)	31
  Xariann Cat (xariann)	25
  ramot	24
  Cristian Ciupitu (ciupicri)	23
  Ankur Sinha (ankursinha)	20
  Adam Williamson (adamwill)	17
  Alex Gurenko (agurenko)	15
  Benjamin Beasley (music)	14
  Lukáš Růži�ka (lruzicka)	11
  Simon de Vlieger (supakeen)	9
  Michel Lind (salimma)	9
  brett h (bretth)	9
  Dennis Gilmore (ausil)	8
  Paul Whalen (pwhalen)	7
  Wasser Mai (wasser19641)	7
  Peter Robinson (pbrobinson)	7
  Lukas Slebodnik (lslebodn)	7
  Colin Thomson (g6avk)	6
  Juha Uotila (inffy)	6
  Steve Cossette (farchord)	5
  markec	5
  …and also 116 other testers who commented on less than 5 updates each, but 165 comments combined!

  ¹ If a person provides multiple comments to a single update, it is considered as a single comment. Karma value is not taken into account.

  Test days participation

  Test Days are events which are partly focused on testing Changes planned for an upcoming Fedora release, but they also regularly test important areas of the Fedora distribution, like upgrades, internationalization, graphical drivers, desktop environments, kernel updates, and others. The upcoming and past events can be seen in our Testdays app.

  Test period: Fedora 44 branch time – Fedora 44 Final release
  Contributors: 98
  Test cases executed: 698

  Name	Test cases executed
  lpavan	42
  mcrha	36
  adriend	34
  tagoh	27
  pnemade	23
  16levels	23
  lruzicka	17
  stransky	16
  michal odehnal	16
  pschindl	15
  jgrulich	15
  alciregi	15
  psklenar	12
  dkricka	12
  jpb21	12
  romangherta	12
  royboy626	11
  twinkle28	11
  vhumpa	11
  alangm1001	11
  pyadav	10
  rduda	10
  paolojr	10
  dtunma	10
  bittin	9
  pauloheaven	9
  jgroman	8
  derekenz	8
  gornikfan	8
  tdawson	8
  vsembiba	8
  mkasik	8
  clnetbox	8
  mzink	8

  …and also 64 other testers who executed less than 8 updates each

  ---

  We sincerely thank all contributors!

  Are you also interested to help? Please look at our Fedora Quality homepage.

May 14, 2026

• Tomas Tomecek Deploying agents to OpenShift, again (part 2)

  This is a follow-up to the previous article.

  I find it so funny that I estimated the test deployment at 3 story points; at this point I’m at like 40 with the amount of work I put into this.

  But thanks to Claude it’s pretty fast to diagnose and solve problems.

  This time I even let it run oc commands, even oc rsh, but I never allowed commands that would change things or write to remote services. Everything stayed local.

  Here comes Claude’s writeup.

May 11, 2026

• Michael Catanzaro Flatpak Sandbox Escape via Yelp

  Yelp 49.1 fixes a significant Flatpak sandbox escape related to last year’s CVE-2025-3155. CVE assignment for this new issue is currently pending.

  This is not a bug in Flatpak. Flatpak allows sandboxed applications to open URIs or files, meaning the sandboxed application may use a URI or file path to launch another application to open the URI or file. This is brokered via the OpenURI portal. The portal or the app may decide to require user interaction to decide which app to launch, but user interaction is generally not required. This is necessary: you would get pretty frustrated if you were prompted to select which app to use every time you click on a link or try to open something! Accordingly, unsandboxed applications that are installed on the host system are somewhat risky: any malicious sandboxed app may launch an unsandboxed app using a malicious file, generally with no user interaction required. Unsandboxed applications installed on the host OS are inherently part of the attack surface of the Flatpak sandbox.

  In this case, a sandboxed application may launch Yelp to open a malicious help file. The help file can then exfiltrate arbitrary files from your host OS to a web server by using a CSS stylesheet embedded in an SVG. Suffice to say the attack is pretty clever, and certainly more impactful than the typical boring memory safety bugs I more commonly see.

  This bug was discovered by Codean Labs, which performed a security audit of Flatpak and several GNOME projects thanks to generous sponsorship by the Sovereign Tech Resilience program of Germany’s Sovereign Tech Agency.

May 10, 2026

• Tomas Tomecek AI tools feel like heroin for productivity

  This is my personal opinion and I’m going straight to the point, no intro.

  AI assistants such as Claude Code, Cursor, OpenCode, OpenClaw, and others are so addictive for anyone who loves building things.

  Software engineers are not going anywhere. Instead, we’re getting excavators and ditching our shovels.

  I authored 192 commits this year (as of May 2026) without writing a single feature solely myself. I still edit files, but mostly out of convenience. If I need just one or two lines changed, it’s faster doing it myself than asking Claude.

  I guess this was an intro 🤦

  

May 08, 2026

• Remi Collet 🛡️ PHP version 8.2.31, 8.3.31, 8.4.21 and 8.5.6

  RPMs of PHP version 8.5.6 are available in the remi-modular repository for Fedora ≥ 42 and Enterprise Linux ≥ 8 (RHEL, Alma, CentOS, Rocky...).

  RPMs of PHP version 8.4.21 are available in the remi-modular repository for Fedora ≥ 42 and Enterprise Linux ≥ 8 (RHEL, Alma, CentOS, Rocky...).

  RPMs of PHP version 8.3.31 are available in the remi-modular repository for Fedora ≥ 42 and Enterprise Linux ≥ 8 (RHEL, Alma, CentOS, Rocky...).

  RPMs of PHP version 8.2.31 are available in the remi-modular repository for Fedora ≥ 42 and Enterprise Linux ≥ 8 (RHEL, Alma, CentOS, Rocky...).

  ℹ� These versions are also available as Software Collections in the remi-safe repository.

  ℹ� The packages are available for x86_64 and aarch64.

  🛡� These Versions fix 8 to 13 security bugs (CVE-2026-6735, CVE-2026-7259, CVE-2025-14179, CVE-2026-6722, CVE-2026-7261, CVE-2026-7262, CVE-2026-7568, CVE-2026-7258, CVE-2026-6104, CVE-2026-42371, CVE-2026-7263, CVE-2026-29078, CVE-2026-29079), so the update is strongly recommended.

  Version announcements:

  • PHP 8.5.6 Release Annoucement
  • PHP 8.4.21 Release Annoucement
  • PHP 8.3.31 Release Annoucement
  • PHP 8.2.31 Release Annoucement

  ℹ� Installation: Use the Configuration Wizard and choose your version and installation mode.

  Replacement of default PHP by version 8.5 installation (simplest):

  On Enterprise Linux (dnf 4)

  dnf module switch-to php:remi-8.5/common
  

  On Fedora (dnf 5)

  dnf module reset php
  dnf module enable php:remi-8.5
  dnf update
  

  Parallel installation of version 8.5 as Software Collection

  yum install php85

  Replacement of default PHP by version 8.4 installation (simplest):

  On Enterprise Linux (dnf 4)

  dnf module switch-to php:remi-8.4/common
  

  On Fedora (dnf 5)

  dnf module reset php
  dnf module enable php:remi-8.4
  dnf update
  

  Parallel installation of version 8.4 as Software Collection

  yum install php84

  And soon in the official updates:

  • Fedora Rawhide now has PHP version 8.5.6
  • Fedora 44 - PHP 8.5.6
  • Fedora 43 - PHP 8.4.21
  • Fedora 42 - PHP 8.4.21

  ⚠� To be noticed :

  • EL-10 RPMs are built using RHEL-10.1
  • EL-9 RPMs are built using RHEL-9.7
  • EL-8 RPMs are built using RHEL-8.10
  • intl extension now uses libicu74 (version 74.2)
  • mbstring extension (EL builds) now uses oniguruma5php (version 6.9.10, instead of the outdated system library)
  • oci8 extension now uses the RPM of Oracle Instant Client version 23.26 on x86_64 and aarch64
  • A lot of extensions are also available; see the PHP extensions RPM status (from PECL and other sources) page

  ℹ� Information:

  • Migrating from PHP 8.2.x to PHP 8.3.x
  • Migrating from PHP 8.3.x to PHP 8.4.x
  • Migrating from PHP 8.4.x to PHP 8.5.x

  Base packages (php)

  

  

  

  

  Software Collections (php83 / php84 / php85)

  

  

  

  

May 07, 2026

• Stephen Gallagher Sausage Factory: Fedora ELN Rebuild Strategy (2026 Edition)

  The Rebuild Algorithm

  Slow and Steady Wins the Race

  The Fedora ELN SIG maintains a tool called ELNBuildSync (or EBS) which is responsible for monitoring traffic on the Fedora Messaging Bus and listening for Koji tagging events. When a package is tagged into Rawhide (meaning it has passed Fedora QA Gating and is headed to the official repositories), EBS checks whether it’s on the list of packages targeted for Fedora ELN or ELN Extras and enqueues it for the next batch of builds.

  A batch begins when there are one or more enqueued builds and at least sixty wallclock seconds have passed since a build has been enqueued. This allows EBS to capture events such as a complete side-tag being merged into Rawhide at once; it will always rebuild those together in a batch. Once a batch begins, EBS stops accepting messages from the Fedora Messaging Bus. The messages remain enqueued and awaiting processing. When the current batch is complete, EBS will resume accepting messages and a new batch will begin.

  The first thing that is done when processing a batch is to create a new side-tag derived from the ELN buildroot. Into the new target associated with this side-tag (which will be referred to as the “build tag” from now on), EBS will tag most¹ of the Rawhide builds. It will then wait until Koji has regenerated the buildroot for the batch tag before triggering the rebuild of the batched packages. This strategy avoids most of the ordering issues (particularly bootstrap loops) inherent in rebuilding a side-tag, because we can rely on the Rawhide builds having already succeeded.

  Once the preparations are complete, we divide the batch up into one or more “batch slices”. The EBS configuration file contains information about certain packages that must be built and added to the buildroot before or after other packages. (Most packages will be part of the same primary slice, but some packages must be built early, such as llvm). EBS triggers all of the builds for a batch slice in the side-tag concurrently, sourcing the content from the git commit that was used to build the triggering Rawhide build. This is to ensure we are building the same content, in case dist-git has received subsequent changes. EBS monitors these builds for completion. Internally, we call these “rebuild attempts”.

  Once all of the tasks in a rebuild attempt have completed (successfully or not), EBS will trigger another rebuild attempt of the failures. While a heavyweight solution, this helps us avoid failures due to infrastructure outages, flaky tests and bootstrapping issues not covered by the Rawhide build tagging. Rebuild attempts will continue to be initiated until the same number of failures occurs twice in a row. At that point, we assume they are legitimate build issues and we continue on.

  Once all of the rebuild attempts have concluded, EBS moves on to the next slice in order until they have all completed, at which point, the next phase of operation begins: errata creation.

  In earlier versions of ELNBuildSync, EBS would now tag all successful builds into the eln-updates-candidate tag and then remove the build tag. The effect of this would be to trigger Bodhi to generate an erratum for each individual package in the batch.

  In modern versions of ELNBuildSync, it will now create a second² side-tag (call it the “errata tag”). EBS then tags all of the successful package builds from the batch into this new errata tag. This ensures that the tag contains only the new ELN builds and none of the Rawhide packages that were tagged into the build tag. From there, EBS talks to Bodhi via its public API and requests that a single Bodhi update erratum be created for all of the packages in this errata tag. This is done to reduce the load on Fedora QA, as the infrastructure there is far better equipped to deal with a single update of a few hundred packages than it is with a few hundred separate updates.

  At this point, the batch is complete and EBS moves on to preparing another batch, if there are packages waiting.

  History

  In its first incarnation, ELNBuildSync (at the time known as DistroBuildSync) was very simplistic. It listened for tag events on Rawhide, checked them against its list and then triggered a build in the ELN target. Very quickly, the ELN SIG realized that this had significant limitations, particularly in the case of packages building in side-tags (which was becoming more common as the era of on-demand side-tags began). One of the main benefits of side-tags is the ability to rebuild packages that depend on one another in the proper order; this was lost in the BuildSync process and many times builds were happening out of order, resulting in packages with the same NVR as Rawhide but incorrectly built against older versions of their dependencies.

  Initially, the ELN SIG tried to design a way to exactly mirror the build process in the side-tags, but that resulted in its own new set of problems. First of all, it would be very slow; the only way to guarantee that side-tags are built against the same version of their dependencies as the Rawhide version would be to perform all of those builds serially. Secondly, even determining the order of operations in a side-tag after it already happened turned out to be prohibitively difficult.

  Instead, the ELN SIG recognized that the Fedora Rawhide packagers had already done the hardest part. Instead of trying to replicate their work in an overly-complicated manner, instead the tool would just take advantage of the existing builds. Now, prior to triggering a build for ELN, the tool would first tag the current Rawhide builds into ELN and wait for them to be added to the Koji buildroot. This solved about 90% of the problems in a generic manner without engineering an excessively complicated side-tag approach. Naturally, it wasn’t a perfect solution, but it got a lot further. (See below for “Why are some package not tagged into the batch side-tag?” for more details.

  A more recent modification to this strategy came about as CentOS Stream 10 started to come into the picture. With the intent to bootstrap CS 10 initially from ELN, tagging Rawhide packages to the ELN tag suddenly became a problem, as CS 10 needs to use that tag event as its trigger. The solution here was not to tag Rawhide builds into Fedora ELN directly, but instead to create a new ELN side-tag target where we could tag them, build the ELN packages there and then tag the successful builds into ELN. As a result, CS 10 builds were only triggered on ELN successes.

  In late 2025, Fedora QA came to the ELN SIG and requested that we find some way to reduce the number of individual errata we were generating, as when they attempted to turn on automated testing for ELN, the result was an overload and significant queuing around mass-rebuilds and other large batches. When it got to the point that the Standard Operating Procedure for mass-rebuilds included disabling all the tests for ELN, it became clear that changes were needed and EBS was modified to start directly requesting errata for all the builds in the batch instead.

  Frequently Asked Questions

  Why does it sometimes take a long time for my package to be rebuilt?

  Not all batches are created equal. Sometimes, there will be an ongoing batch with one or more packages whose build takes a very long time to complete. (e.g. gcc, firefox, LibreOffice). This can lead to up to a day’s lag in even getting enqueued. Even if your package was part of the same batch, it will still wait for all packages in the batch to complete before the tag occurs.

  As of this writing, we are currently investigating having certain extremely large packages built and tagged directly and without batching in order to shorten the average batch time.
  

  Why do batches not run in parallel?

  Simply put, until the previous batch is complete, there’s no way to know if a further batch relies on one or more changes from the previous batch. This is a problem we’re hoping might have a solution down the line, if it becomes possible to create “nested” side-tags (side-tags derived from another side-tag instead of a base tag). Today however, serialization is the only safe approach.

  Why are some packages not tagged into the batch side-tag?

  Some packages have known incompatibilities, such as libllvm and OCAML. The libraries produced in the ELN build and Rawhide build are API or ABI incompatible and therefore cannot be tagged in safely. We have to rely on the previous ELN version of the build in the buildroot.

  Why do you not tag successes back into ELN immediately?

  Despite the fact that we do not block ELN builds going to the stable repository based on test results, we do want to know about and address any issues revealed. Many packages are interdependent and it’s far simpler to test the result of all the builds collectively, once we know they have all been rebuilt.

  1. There are certain packages that we exclude from this so that the Rawhide package is not used in the ELN buildroot; see the skip_tag section of the configuration file for the current set. ︎
  2. In the case of very large batches (such as mass-rebuilds), the set of packages may be split into more than one Bodhi update, to avoid in overtaxing things. ︎

May 06, 2026

• Richard Hughes LVFS Sponsorship Announcement

  Some great news: I’m pleased to announce that both Dell and Lenovo have agreed to be premier sponsors for the Linux Vendor Firmware Service (LVFS) as part of our new sustainability effort.

  

  Over 145 million firmware updates have been deployed now, from over a hundred different vendors to millions of different Linux devices.
  With the huge industry support from Lenovo and Dell (and our existing sponsors of Framework, OSFF, and of course both the Linux Foundation and Red Hat) we can build this ecosystem stronger and higher than before; we can continue the great work we’ve done long into the future.

May 04, 2026

• Marcin 'hrw' Juszkiewicz New Fedora package: fedora-active-user

  During my work on the RISC-V 64-bit architecture port of Fedora, I created several pull requests to Fedora packages. And some were stalled…

  Non-responsive maintainer process

  Fedora project has a process called ‘non-responsive maintainer’. You check is maintainer on vacation, check latest activity and open a bug asking for action.

  The problem was that it linked to fedora_active_user.py script which does not work since Fedora 41. During cycle of that release the python-fedora package got retired and no one updated the script.

  Let me look

  As my actions brought some complains (and some discussions) I decided to take a look at the script and make it work with current Fedora releases. Created pull request, mailed original author etc.

  There was no answer of any kind so I decided to take over maintaining the script. Rewrote it to be Python 3 only, moved from urllib to requests, refactored some repeated code into functions etc.

  Then started checking service by service how to get things working better. Turned out that script had several assumptions which not always apply.

  FAS has separate email for Bugzilla

  Fedora Accounts Service (FAS) has a separate field for the Bugzilla email. I did not had to look for testing accounts for this because that’s my case — I use ‘short’ Red Hat email in Bugzilla due to Single Sign-On (SSO) service we use and my ‘long’ one for the rest. So fedora-active-user script grabs user information from FAS and checks for separate Bugzilla email and use it if present.

  FAS query requires Kerberos

  To query FAS you need Kerberos ticket. Both urllib and requests packages have a way to use it for authentication — one extra package is needed to make it work.

  Lack of valid ticket is caught and info is provided to the user.

  Bugzilla is tricky

  Querying Bugzilla service is the trickiest part. You can request data but there is no warranty that you get the latest one. Sure, there is the ‘order’ field for a query but it feels like a mere suggestion. It is nothing strange to get 2008 entries next to 2023 ones.

  Wanna help?

  For now, I am hosting fedora-active-user on GitHub. Will move it to Fedora Forge later this year. Feel free to open issues, send pull requests if you have suggestions or changes.

  Current version is not the best one. It is a bit better than it was two weeks ago.

  At the moment package is present in Fedora rawhide. I am waiting for branches for stable releases and updates will follow.

  Example output

  $ fedora-active-user --user hrw
  
  Last action on koji:
     2026-05-04 built fedora-active-user-26.05.04-1.fc45
     2024-09-12 built python-system-calls-6.11.0-1.fc42
     2024-01-08 built python-system-calls-6.7.0-1.fc40
     2023-09-18 built python-system-calls-6.6.0-1.fc40
     2023-05-08 built python-system-calls-6.4.0-2.fc39
     2022-08-06 built python-system-calls-5.19.0-2.fc37
     2022-07-25 built python-system-calls-5.19.0-1.fc36
     2022-07-25 built python-system-calls-5.19.0-1.fc37
     2022-01-10 built python-system-calls-5.16.2-1.fc36
     2021-11-15 built python-system-calls-5.16.0-1.fc35
  
  Last package updates on bodhi:
     2026-05-04 fedora-active-user-26.05.04-1.fc45
     2024-09-12 python-system-calls-6.11.0-1.fc42
     2024-01-08 python-system-calls-6.7.0-1.fc40
     2023-09-18 python-system-calls-6.6.0-1.fc40
     2023-05-08 python-system-calls-6.4.0-2.fc39
     2022-08-06 python-system-calls-5.19.0-2.fc37
     2022-07-25 python-system-calls-5.19.0-1.fc36
     2022-07-25 python-system-calls-5.19.0-1.fc37
     2022-01-10 python-system-calls-5.16.2-1.fc36
     2021-11-15 python-system-calls-5.16.0-1.fc35
     2021-11-15 python-system-calls-5.16.0-1.fc36
     2021-09-21 python-system-calls-5.15.5-1.fc36
  
  Last actions performed according to fedmsg:
     2026-05-04 hrw commented on the pull-request rpms/prusa-slicer#67
     2026-05-04 hrw's Badges rank changed from 272 to 260
     2026-05-04 hrw was awarded the badge `Missed the Train`
     2026-05-04 hrw commented on update fedora-active-user-26.05.04-1.fc45 (karma: 0)
     2026-05-04 fedora-active-user-26.05.04-1.fc45 was tagged into f45 by bodhi
     2026-05-04 fedora-active-user-26.05.04-1.fc45 was untagged from f45-updates-candid
     2026-05-04 hrw's fedora-active-user-26.05.04-1.fc45 bodhi update has met stable te
     2026-05-04 fedora-active-user-26.05.04-1.fc45 was untagged from f45-updates-testin
     2026-05-04 fedora-active-user-26.05.04-1.fc45 was tagged into f45-updates-testing-
     2026-05-04 fedora-active-user-26.05.04-1.fc45 was untagged from f45-signing-pendin
  
  Last emails on Fedora mailing lists:
     2026-04-29 mjuszkiewicz@redhat.com as Marcin Juszkiewicz mailed devel@lists.fedora
     2026-04-17 mjuszkiewicz@redhat.com as Marcin Juszkiewicz mailed devel@lists.fedora
     2026-04-17 mjuszkiewicz@redhat.com as Marcin Juszkiewicz mailed devel@lists.fedora
     2026-04-17 mjuszkiewicz@redhat.com as Marcin Juszkiewicz mailed devel@lists.fedora
     2026-04-17 mjuszkiewicz@redhat.com as Marcin Juszkiewicz mailed devel@lists.fedora
     2026-04-17 mjuszkiewicz@redhat.com as Marcin Juszkiewicz mailed devel@lists.fedora
     2026-04-17 mjuszkiewicz@redhat.com as Marcin Juszkiewicz mailed devel@lists.fedora
     2026-04-17 mjuszkiewicz@redhat.com as Marcin Juszkiewicz mailed devel@lists.fedora
     2026-04-17 mjuszkiewicz@redhat.com as Marcin Juszkiewicz mailed devel@lists.fedora
     2026-04-17 mjuszkiewicz@redhat.com as Marcin Juszkiewicz mailed devel@lists.fedora
  
  Bugzilla activity (may not be the latest):
     No activity found on Bugzilla
  

  Looks like I still need to work on querying Bugzilla ;D

May 01, 2026

• Allan Day GNOME Foundation Update, 2026-05-01

  It’s the first day of May, and it’s time for another update on what’s been happening at the GNOME Foundation. It’s been two weeks since my last post, and this update covers highlights of what we’ve been doing since then.

  Remembering Seth Nickell

  This week we received the very sad news of the death of Seth Nickell. It’s been a long time since Seth was active in the GNOME project, so many of our members won’t be familiar with him or his work. However, Seth played an important part in GNOME’s history, and was a special and unique character.

  Jonathan wrote a wonderful post about Seth, with some great stories. Federico migrated the memorial page from the old wiki to the handbook, and added Seth there (work is currently ongoing to develop that page). Seth’s death has also been covered by LWN, which includes dedications from GNOME contributors.

  Whether you knew Seth or came to GNOME after his time, I think we can all appreciate the contributions that he made, which live on in the project and wider ecosystem to this day.

  GNOME Fellowship

  Applications for the first round of the new GNOME Fellowship program closed last week, on 20th April. We had a great response and received some excellent proposals, and now we have the tough job of deciding who is going to receive support through the program.

  To that end, the Fellowship Committee met this week to review the proposals and begin the selection process. We have identified a shortlist of candidates, and will be meeting again next week to narrow the selection further.

  Since this is the first round of the Fellowship, we are establishing the selection process as we go. Hopefully we’ll get to put this to use again in future Fellowship rounds!

  Conferences

  Linux App Summit (LAS) will be held in Berlin on 16-17 May – that’s in a little over two weeks! The schedule has been finalized and looks great, and this year’s LAS is shaping up to be a fantastic event. Please do consider going, and please do register!

  Due to high demand, the organizing team have decided to stream the talks from this year, so look out for details about remote participation.

  Aside from LAS, preparations for July’s GUADEC conference continue to be worked on. Travel sponsorship is still available if you need assistance in order to attend, so do consider applying for that.

  Office transitions ongoing

  Work to update many of our backoffice systems and processes has continued at a steady pace over the past fortnight. Many of the big moves are done (new payments system, email accounts, mailing system, accounting procedures, credit card platform), and we are now firmly in the final stages, making sure that our new address is used everywhere, emails are going to the right places, recurring payments are transferred over to new credit cards, and vendors are setup on the new payments system.

  The value of this work is already showing, with smoother accounting procedures, more up to date finance reports, and better tracking of incoming queries.

  That’s it for this update. Thanks for reading, and take care.

April 30, 2026

• Felipe Borges Let’s Welcome Our Google Summer of Code 2026 Contributors!

  GNOME is once again participating in GSoC. This year, we have 6 contributors working on adding Debug Adapter Protocol support to GJS, incorporating vocab-style puzzles into GNOME Crosswords, creating a native GTK4/Rust rewrite of the Pitivi timeline ruler, porting gitg to GTK4, implementing app uninstallation in the GNOME Shell app grid, and enabling recovery from GPU resets.

  As we onboard the contributors, we will be adding them to Planet GNOME, where you can get to know them better and follow their project updates.

  GSoC is a great opportunity to welcome new people into our project. Please help them get started and make them feel at home in our community!

  Special thanks to our community mentors, who are donating their time and energy to help welcome and guide our new contributors: Philip Chimento, Jonathan Blandford, Yatin, Alex Băluț, Alberto Fanjul,  Adrian Vovk, Jonas Ådahl, and Robert Mader.

  For more information, visit https://summerofcode.withgoogle.com/programs/2026/organizations/gnome-foundation