We're proud to present the next iteration of our Proxmox Virtual Environment platform. This new version 9.1 is the first point release since our major update and is dedicated to refinement.
This release is based on Debian 13.2 "Trixie" but we're using the newer Linux kernel 6.17.2 as new stable default. In addition to the main system enhancements, this update incorporates the latest versions of core technologies, including QEMU 10.1.2, LXC 6.0.5, ZFS 2.3.4, and Ceph Squid 19.2.3, all fully...
A new Linux Foundation report reveals how organizations worldwide are adopting, using, and perceiving open source software.
The Linux Foundation’s latest report, The state of global open source, has just been released in collaboration with Canonical. The report follows the Linux Foundation’s European spotlight report, released earlier this year, and confirms that many of the trends the European spotlight report unveiled are true on a global scale. In particular, the global spotlight report confirms the role of open source software as the foundation of business-critical systems worldwide, and indicates a continued increase in adoption. However, organizations continue to lack the governance, security testing, and strategic maturity required to manage open source strategically and securely.
The report suggests that most organizations expect enterprise-grade performance from open source software, but under-invest in the required governance frameworks, security practices, and community engagement.
83% of organizations acknowledge open source is valuable to their future
According to the report, the trend of increasing open source adoption in the enterprise is set to continue, as 83% of enterprises consider open source software adoption valuable to their future. Likewise, the report reveals the centrality of open source software to the modern enterprise. Globally, enterprises have adopted open source software throughout their technical stacks: 55% have adopted open source operating systems, whilst 49% have adopted open source cloud and container technologies, and 46% open source web and application development.
The widespread confidence that open source will play a pivotal role in many organizations’ futures is closely connected to a growing understanding of the benefits of open source software adoption.
86% report open source software improves productivity
This report confirms a shift in enterprises’ strategic mindset around open source: 82% of respondents considered open source as an asset that enables innovation. Historically, open source software was often reserved for specific projects or use cases, like setting up web servers – with wider organizational use being viewed with some scepticism.
Open source is now a “must-have.” Why is this the case? Here’s what the respondents had to say:
86% stated that open source improves productivity
79% reported improved software quality as a result of open source
78% highlighted improved security
Compared to the benefits seen by organizations using open source software in 2024, 46% reported increased business value from open source over the past year. The growing interest in and use of open source technologies is particularly clear for certain technologies, like AI.
AI technologies benefit most from being open source
The growing value of open source can partly be attributed to the influence of AI. Since 2024, there has been an increase in the adoption of open source AI and machine learning (ML) applications from 35% to 40% – a rise of 5%. Globally, AI and ML were perceived to be the technology most benefiting from being open source. Code visibility ensures organizations can more easily audit their AI systems, which makes compliance simpler, provides more transparency into how the AI model functions, and enables companies to run the AI on their own infrastructure – ensuring sensitive data never leaves the organization’s control.
With growing adoption of AI and ML come new cybersecurity risks and requirements. However, the report indicates that organizations currently lack mature governance structures for their open source estates, creating additional complications to adopting AI and ML securely.
Lack of mature governance: only 34% of organizations have defined a clear open source strategy
Despite increasing adoption of open source technologies, many organizations still lack a mature governance strategy for their open source software.
The number of organizations that have defined a clear open source strategy has grown by just 2% in the last year, to a total of 34%. That means that nearly two-thirds of organizations rely instead on informal strategies of governance of their open source estates, primarily due to budget constraints, shifting priorities and new strategic requirements. For example, when evaluating open source components for adoption:
44% of organizations check the activity level of the project community
31% use automated security testing tools
28% manually review the source code
36% evaluate the direct dependencies of the open source component
With less than half of organizations taking these important formal strategies before adoption, the report indicates that this “creates significant risk exposure and limits organizations’ ability to capture the full strategic value of open source participation,” signalling that this is a concern that organizations must take seriously.
Similarly, organizations demonstrate a lack of consensus around which security features and assurances matter to them when adopting open source components, with no single certification or assurance mechanism achieving adoption by more than a quarter of open source solutions. Almost a third of organizations (28%) don’t know which assurances would make them more likely to trust an open source solution. This opens them up to serious security risks, like supply chain attacks.
As a result, enterprises are increasingly turning to paid support options for their open source estates.
54% view paid support as essential for mission-critical workloads
More than half of respondents consider paid support for their open source essential. As open source technologies have become critical to business infrastructure, expectations for open source software support are beginning to mirror that of commercial software standards:
71% of organizations expect response times of less than 12 hours from support providers
47% expect rapid security patching for open source software in production environments
53% expect long term support guarantees for their open source software.
Acquiring paid support for open source software makes this level of support achievable, which organizations broadly accept. On a granular level, the industries with the highest proportion that consider paid support essential are those that process sensitive or valuable data, such as manufacturing (97%) followed by financial services (96%), IT (91%) and government (92%).
Conclusion and recommendations
The Linux Foundation’s The state of global open source reveals that enterprises are relying on open source software and perceiving its benefits. However, increasing engagement with open source communities, more structured governance of open source estates, and structured security evaluations of open source elements before adoption will help organizations to strengthen the resilience of their open source infrastructure.
Greenbone is excited to announce new compliance policies for Huawei’s EulerOS and openEuler. These compliance policies are the result of close collaboration with Huawei to provide OPENVAS SCAN users with authenticated checks for over 200 key security controls. By thoroughly vetting security settings, defenders gain high degree security assurances and visibility into the security posture […]
Today, virtually every business depends on its online infrastructure. Companies manage multiple websites, internal applications, or e-commerce platforms that must remain available at all times.
As these environments grow, maintenance and stability become as critical as security — and every change must be applied without affecting the user experience. Maintaining uptime during configuration changes requires solutions that support reload configuration without downtime.
Even a minimal interruption —a restart, a reconnection, or a lost session— can translate into frustrated customers, disrupted operations, or lost revenue. And in an environment where reputation depends on availability, these incidents can have visible consequences.
Keeping services running while updating configurations or network policies is no longer just a technical challenge — it’s an operational requirement.
Network Maintenance: When Stopping Is No Longer an Option
In daily practice, administrators plan maintenance and updates through a controlled service restart. They pick a low-traffic time, apply the changes, and assume a brief service interruption.
Although the process is fast and almost imperceptible to users, it still implies a short disruption. This method works well in small environments, where a few seconds of downtime go unnoticed.
The challenge arises when managing dozens or hundreds of sites simultaneously — as in the case of service providers, public administrations, or hosting environments.
In those scenarios, even a short interruption can have a direct impact:
A customer abandons a purchase because the e-commerce platform stops responding.
An API session interrupts an ongoing transaction.
An application stops synchronizing real-time data.
Monitoring systems detect the failure and generate unnecessary alerts.
That’s why, in modern web traffic and service management, the ability to apply changes without restarting has become an essential function.
This is where the concept of reload becomes relevant.
Reload Configuration Without Downtime
This feature allows changes to be applied without restarting active processes — reloading the configuration in the background while keeping all connections open.
In other words, reload replaces the classic “stop and restart” with a smarter process where the system updates its configuration, preserves active sessions, and ensures that traffic continues to flow without interruptions. Technically, reload forces a re-read of the service configuration in memory, synchronizing new rules, policies, or certificates without closing sockets or terminating active connections.
From a technical point of view, it may seem like a small change, but in practice it represents a qualitative leap for any infrastructure that requires true continuity.
The difference between restart and reload is simple: one stops and starts again, the other updates without stopping.
When Updating Without Downtime Becomes Essential?
Not every business requires the same level of continuity, but there are scenarios where reload makes a clear difference:
E-commerce and financial services: every second of downtime can directly result in lost sales or trust.
Providers managing multiple websites: when hundreds of domains or applications are handled at once, a restart could leave one of them hanging.
Platforms with frequent updates: where traffic rules, certificates, or configurations are adjusted several times a day.
Systems with real-time traffic: where every connection or active process must remain uninterrupted.
In these cases, reload isn’t a technical luxury — it’s what allows an infrastructure to keep operating without visible interruptions while evolving internally.
How SKUDONET Ensures Updates Without Interruptions
At SKUDONET, we believe that availability should never be sacrificed each time a configuration is updated.
That’s why the system allows services and load-balancing policies to be reloaded without restarting, keeping traffic flowing smoothly even in high-demand environments.
This means that:
New settings are applied immediately.
Active sessions remain connected.
No packet loss or connection drops occur.
Performance remains stable throughout the operation.
Thanks to this capability, SKUDONET helps organizations maintain full service availability, even in continuous activity environments or when managing dozens of simultaneous applications.
Everything is managed from a single visual interface, with unified metrics, logs, and events that simplify control without manual processes or scheduled restarts.
SKUDONET Enterprise Edition combines load balancing, security, and traffic inspection in a single platform — designed for business environments that can’t afford downtime but still need to evolve quickly.
Want to try SKUDONET Enterprise Edition with all its features, including reload configuration without downtime? Request your free 30-day trial here:
Dear Friends! It’s time for our annual fundraiser for our servers. So let’s get started! By January 15, 2026, we need to raise and pay for the servers €510 plus a minimum of €1100 for our monthly payments: domains, internet, electricity, gas, water, fuel, rent, medications, and life, which is getting more expensive and difficult each month. We also have non-monthly but equally important…
FIPS 140 is a highly demanding security standard that’s mandatory for almost all high-security and federal environments. It can be hard to get right and may be a daunting part of the journey for those trying to meet compliance requirements like FedRAMP or CMMC. We get a lot of questions about FIPS 140-3, and so we decided to put together this comprehensive collection of video resources to answer the most burning ones we’ve had so far.
In this collection, you’ll be able to get answers to the most frequently asked FIPS questions, including:
How to enable FIPS 140-3 on Ubuntu 22.04
How to check if you’re operating in FIPS mode
How to enable FIPS on public clouds: AWS, Azure, GCP
Which modules and hardware have been FIPS 140-3 certified for Ubuntu
Which FIPS-enabled Docker containers are available in Iron Bank
What are the most common issues when enabling FIPS 140-3
How to enable FIPS on Ubuntu?
We’ll start with the most common question: how do you enable FIPS on Ubuntu? The basic prerequisite is an Ubuntu Pro subscription, which is available either free for personal use or with a 30-day free trial for enterprise users. After subscribing, you’ll get access to a dashboard where you can find a token that you can attach to an Ubuntu instance and get access to the FIPS certified modules. All you need to do is open your terminal and enter the following commands:
sudo pro attach <token>
sudo pro enable fips-updates
sudo reboot
You should see output like the following, indicating that the FIPS packages have been installed:
Installing FIPS Updates packages
FIPS Updates enabled
A reboot is required to complete install.
Enabling FIPS should be performed during a system maintenance window since this operation makes changes to underlying SSL-related libraries and requires a reboot into the FIPS-certified kernel.
How to check if you’re operating in FIPS mode
After enabling FIPS mode, it is good to verify that it is activated. Luckily it’s very straightforward to verify that FIPS mode is enabled. Just run this command in the terminal:
cat /proc/sys/crypto/fips_enabled
The output that indicates that FIPS mode is enabled is “1”.
How to enable FIPS on public clouds
It is very easy to enable FIPS in public clouds. In contrast to on-prem usage, Ubuntu images for public clouds already have FIPS enabled. Decide on the Ubuntu version you’d like to run, visit the relevant marketplace for your public cloud provider (for example: AWS, Azure, or GCP), and search for the relevant image. Here is an example of how it would look:
Which modules and hardware have been FIPS 140-3 certified
Sometimes it can be tricky to figure out exactly which modules and hardware have been FIPS 140-3 certified. This video goes into extensive detail outlining the modules and components you’ll be able to make full use of with FIPS 140-3 certified Ubuntu.
To give a brief overview, the following certified cryptographic modules are available with Ubuntu 22.04 LTS:
OpenSSL v3.0.5
Libgcrypt v1.9.4
GnuTLS v3.7.3
Linux kernel v5.15.0
StrongSwan v5.9.5
These modules have been developed and tested on a range of hardware platforms:
Intel/AMD x86_64
ARM64
IBM z15
FIPS-enabled containers available in Iron Bank
Canonical’s container images are trusted and pre-approved for high-security use cases. Hardened Ubuntu images are already certified and available in the U.S. Department of Defense’s Iron Bank, the official repository of security-hardened containers for government systems. You can find the code to build your own image here, or get the actual container that passed all the automated compliance checks here. Note, you would need to first register to get access to the platform.
Canonical has also recently added FIPS and STIG-compliance to Canonical Kubernetes. Built on Ubuntu Pro hosts, Canonical Kubernetes now includes FIPS 140-3 validated crypto modules out of the box and can be hardened for DISA-STIG. This means you can deploy secure, compliant clusters built on Ubuntu, making it much easier to meet FedRAMP and other federal compliance requirements right from your Kubernetes base.
Common issues when enabling FIPS 140-3
Compliance always comes with challenges, but when we know the issues, we can help. The video above explains how to solve the most common issues that teams run into when enabling FIPS 140-3, including:
WiFi SSID should be 16 characters
32-bit crypto library versions must be removed, if present
Finnix is a Linux-based utility live distribution.
Write it to a USB flash drive or burn it to a CD, boot it, and you’re seconds from a root prompt with hundreds of utilities available for recovery, maintenance, testing and more.
Finnix 251 has been released today, including new official OCI / Docker images, and containing new packages, features and fixes.
Finnix 251 is the first release to distribute official OCI container images.
The official Finnix container contains all the same software as the ISO release, and may be launched from Podman, Docker, Kubernetes, etc.
docker run -it--rm finnix/finnix
podman run -it--rm docker.io/finnix/finnix:latest
kubectl run finnix-$(uuidgen | cut-b-4 | tr A-Z a-z)--image=finnix/finnix --restart=Never -it--rm
This is particularly useful for Kubernetes users, giving you a quick utility shell in the namespace of your choice.
The finnix/finnix:latest container currently includes architecture support for amd64, arm64 and riscv64.
Otherwise, Finnix 251 is a regular semiannual utility release:
Linux kernel 6.16 (Debian 6.16.12-2)
Added packages: dc3dd
Upstream Debian package updates
Many minor fixes and improvements
Please visit finnix.org to download Finnix 251 today!
Discussion of a new security issue affecting Fortinet’s FortiWeb began circulating online in early October 2025, when cyber deception firm Defused reported capturing a working exploit via honeypot. FortiWeb is Fortinet’s web application firewall (WAF) platform, designed to shield web applications from malicious activity. For over one month, Defused’s revelation mostly lurked in the shadows; […]
VyOS Stream 2025.11 and its corresponding source tarball are now available for download. You can find them at the end of this post. This is the third VyOS Stream release on the way to the upcoming 1.5/Circinus LTS release and includes many of its features for you to test — most notably, a VPP-based accelerated dataplane.
There is a new desktop available for Sparkers: Hyprland What is Hyprland? Features: – All of the eyecandy: gradient borders, blur, animations, shadows and much more – A lot of customization – 100% independent, no wlroots, no libweston, no kwin, no mutter. – Custom bezier curves for the best animations – Powerful plugin support – Built-in plugin manager – Tearing support for better…
The Qubes OS Project will have a stand at FOSDEM 2026, which will take place in Brussels, Belgium on January 31 and February 1, 2026. FOSDEM is a top annual meeting for free and open source software developers. Entry is free, and no registration is required. If you attend, stop by and say hello!
Radio Helsinki wird 30, und feiert das mit einem prall gefüllten Musikprogramm am Samstag, 22.11.2025 im Forum Stadtpark. 🥳 Wir sind mit der HTU-Bigband mit dabei, und spielen ab ~19:30 Uhr für ~1,5 Stunden. Schaut vorbei und feiert mit!
PS: wer es wirklich nicht hinschafft, möge zumindest das Radio einschalten oder den Livestream aufdrehen! 🤓
Open source has come a long way. Recently I was watching a keynote address by our founder, Mark Shuttleworth, in which he discussed his vision for Ubuntu to provide quality support and security maintenance across the broad open source ecosystem, and it made me reflect on how far the open source software (OSS) community has come. Indeed, when looking at today’s interoperable open source landscape, the fragmented, disconnected landscape of the past seems like another planet.
But where is open source going next? What’s in store for open source in the coming years, particularly in relation to security? Here’s my reflection on the state of open source, and the trends that I expect to have an impact going into 2026.
So, what is the state of open source in 2025?
Open source has become a ubiquitous part of software development – just look at the numbers. The average app today contains three times as many open source files as it did just four years ago, to the point where 97% of all applications contain OSS. At the same time, research commissioned by Canonical and IDC revealed that seven out of ten organizations consider open source to be “extremely important” for running their mission-critical workloads. In fact, a Harvard study found that if OSS didn’t exist, the global expenditure on software would be 3.5 times higher.
Put simply, the modern software landscape and market depends upon open source. Open source is popular because it is transformative for businesses, blending cost-effectiveness with access to sophisticated software. For instance, one company reduced their cloud total cost of ownership (TCO) by 76% – saving approximately $370,000 – simply by transitioning to open source cloud infrastructure from Canonical. Previously unthinkable deployments, such as carrier-grade private 5G mobile networks, are now entirely achievable with open source tools, as we demonstrated last year in the Netherlands.
It’s astonishing to think that just 20 years ago, most software companies explicitly forbid the use of any OSS in their contracts and terms of service. Open standards and interoperability – now synonymous with open source – were far from mainstream, and as a result, companies were forced into an uncomfortable decision: use the one expensive product that works, or spend months building and integrating everything from scratch.
That’s a lot of change in just 20 years: an entire ecosystem turned on its head. That’s why I think it’s important to pay critical attention to what’s going around us, to spot trends that could be just as revolutionary (or disastrous), and work around them so that we can keep growing in the next 20 years.
Now that I’ve covered the current state of play, let’s dive into the potential tech revolutions – or challenges – in-waiting.
Future open source cybersecurity trends and their impact on cybersecurity
Open source adoption will continue its strong rise
The decision to move away from the constraints of proprietary systems is grounded in promise: as research by Canonical and IDC shows, businesses everywhere are using open source to keep down costs, fully own their infrastructure, and open up their systems to innovation. Ensuring that this promise is reflected in reality requires a proactive, forward-thinking approach.
Your ability to adopt and adapt to the latest innovations in open source software will be vital. Two things are needed:
A clear plan for adopting open source
A way to manage this open source software supply chain post-adoption
Without a clear plan, you don’t know where you’re going; and without a management system, you’ll be recreating the difficult, fragmented environment open source was 20 years ago. However, I believe that the ever wider adoption of open source will lead to interoperability and simplified supply chains becoming the norm in the software landscape – essentially, that open source software will reshape the software landscape in line with its values. People want open source software that’s quick to install, easy to learn and use, and effortless to deploy and manage. If you’re looking for a place to begin exploring how you can approach adopting open source into your project or organization, I highly recommend visiting our new dedicated webpage to helping you do exactly that.
A new age of digital sovereignty
The tumultuous geopolitical and cyberthreat landscape of 2025 has sparked a new movement towards independence and ownership in mainstream circles. Long story short, companies don’t want to be left in the cold and dark if something happens with their overseas software or services provider – with the appeal of open source software being the control and freedom it offers to users.
Most notably, we’ve seen a major increase in interest, from businesses and governments, in open source, and repatriated products and infrastructure. For example, communal, municipal, and government authorities in nations like Germany and Denmark have expressed strong interest in moving away from proprietary systems in favour of open source alternatives.
This doesn’t mean proprietary tools will vanish. But it does mean that the pressure will increase on software providers to give peace of mind to end users and consumers that whatever system they use will remain online and functioning – even if new terms of service, sanctions, politics, or laws present unforeseen hurdles. Product features will still be important, but things like documentation, interoperability, system-agnostic design, training for users and system admins, and clear handover processes will be a new ‘normal’ in software offerings.
Organizations must balance complexity with visibility
The developer landscape in 2025 has no shortage of tools, libraries, and solutions. If you want to build an app or service, you could build it from scratch, get portions of the solution from open source, or use already-built solutions. The challenge today is creating systems that give you a full view of these tools, and which allow them to be used securely and sustainably in the long term, without major costs.
Security is hard. There is no one-size-fits-all solution, which introduces the challenge of complexity. Developers have a lot of shiny toys to choose from, and keeping them all securely managed within a usable, minimally complex environment will be a real challenge. Indeed, securing your ever-growing stack won’t be easy. All this new tech doesn’t just mean maximized performance and efficiency: it also means a bigger attack surface and new attack vectors born of the intricate interdependencies between systems.
This is made harder by wider organizational habits. Canonical and IDC’s research shows that in general, organizations prize stability over constant updates: over 50% do not automatically upgrade to the newest versions of software when available. Instead, they wait until new features are needed or the program of free updates stops. They also draw these updates from various places: 57% draw from upstream source repositories, such as Github or Gitlab, and 51% draw from ecosystem packages, like pip or npm.
This approach presents clear problems: if you draw packages from multiple different sources and only apply them when you’re forced to update, it leads to more manual work and less certainty that you’re meeting increasingly strict cybersecurity standards in today’s market.
Organizations still have some work to do in order to meet the challenge of complexity. Our research with IDC shows that 70% of organizations mandate vulnerability patching within 24 hours of identification for “high” and “critical” container vulnerabilities – however, just 41% of respondents are “very confident” or “completely confident” in their organization’s ability to execute this policy.
Remember that innovation isn’t just driven by “the good guys”: bad actors are also working to develop new attack methods and techniques, as AI becomes increasingly powerful and AI tools become more connected and widespread.
… especially as we enter the post vibe-coding era
We’ve all heard about and read about vibe coding, which is when a software engineer uses AI to generate and debug code. The hype wave of AI has led to fast adoption of generative AI tools as incredible productivity magnifiers. While the allure of faster go-to-market times and improved cost-effectiveness is undeniable, the widespread adoption of AI tools in primary codebases, especially in environments with busy developers stretching across multiple projects, is creating significant security issues. The rapid, often less scrutinized generation of code through these tools can introduce vulnerabilities and amplify existing security challenges in complex software supply chains.
In the next few years, I predict the rise of a new category of cyberincidents stemming from vibecoded feature additions. Organizations everywhere will need a clear policy on use of these tools, and robust checks and quality assurance processes to ensure that the vibecoded additions don’t ignore instructions, or hallucinate package names and inadvertently execute malicious code inside production environments.
Regulation is coming, and making things harder
We’ve seen a wave of regulation sweep across the US, EU, and UK in the last 4 years. As open source is adopted at the biggest levels of software, it will inherit the steep, strict demands that come with operating in a prestigious global playing field.
Our research with IDC gives a clearer view into the challenges and frustrations that organizations are experiencing with regulations and compliance:
37% of organizations are struggling to understand how regulations apply to specific systems, technologies, and software components.
34% are battling with how to enforce compliance standards across software systems in a consistent manner.
29% find it hard to source the resources and expertise needed to centrally manage software compliance.
As more regulation is rolled out and tightened up, these challenges will only become harder. Simply hitting the check box of compliance or hardening needed for enterprise eligibility isn’t the point any more – security teams have their work cut out in establishing a clear, transparent track record of your software’s trust lifecycle, and embed this transparency into your development practices.
This means more work for people like me whose job it is to keep open source robust and trusted. But it’s undeniably the right path. After all, we don’t just want solutions that work – we want solutions that reflect, support, and continue the legacy of openness and contribution that allowed them to exist in the first place. And we want Canonical to be a leader in transparency and accountability, and institute practices that demonstrate the trustworthiness and compliance-readiness of our software and services. We recently published our Trust Center – a web portal with all our certifications and compliance efforts – in order to demonstrate that when it comes to that hard work of regulations, we’re doing it right.
In short: the future will be characterized by even more adoption of open source, increased regulation, a surge in AI-driven attack vectors, and a critical need for organizations to implement robust security policies and practices. Businesses must prioritize security without compromising stability, manage their open source supply chains effectively, and adapt to a landscape where transparency and compliance are paramount.
No matter the upcoming challenges to security in open source, I’m truly excited about this next phase. The openness we spent decades building has created a truly remarkable landscape of interoperability, where you can combine and integrate almost any technology into a functioning model. I’ve seen first hand how open source has changed everything in the software landscape, and I know how much more revolutionary it could be in the coming years.
Sylva 1.5 becomes the first release to include Kubernetes 1.32, bringing the latest open source cloud-native capabilities to the European telecommunications industry
With the launch of Sylva 1.5, Canonical Kubernetes is now officially part of the project’s reference architecture. This follows its earlier availability as a technology preview in Sylva 1.4.
What is the Sylva project?
The Sylva project is backed by Europe’s largest telecom operators and vendors, including Nokia and Ericsson, and is designed to deliver an open, telco-friendly cloud-native framework. By focusing on interoperability, performance, and automation, Sylva addresses the unique requirements of telecommunications providers building Kubernetes telco platforms for their IT, 5G core, O-RAN, and edge services. Canonical is thrilled to be included as part of the Sylva project, supporting the important work of creating an open source cloud-native reference architecture capable of hosting the mission-critical workloads of the telco industry.
Canonical’s contribution to the Kubernetes telco ecosystem
Canonical Kubernetes brings unique advantages to Sylva’s mission of reducing fragmentation and simplifying operations across telecom networks. One of its defining features is up to 12 years of long-term support (LTS). For operators running critical workloads, this ensures stability, ongoing security updates, and compliance with industry standards over a much longer lifecycle than other Kubernetes distributions.
Canonical Kubernetes also provides the flexibility needed for large-scale Kubernetes telco deployments, from core networks to the far edge. Operators benefit from a distribution designed to be both lightweight and maintained with security in mind, while remaining capable of handling advanced workloads such as 5G core, O-RAN, and AI-driven services.
Guillaume Nevicato, Sylva Technical Steering Committee co-chair and Orange Telco Cloud Product Manager, recognized the importance of this contribution:
Canonical is a major open-source player that has achieved the integration of their Canonical Kubernetes distribution into Sylva. They fully embrace Sylva’s full-stack automation, including cluster lifecycle management, storage, networking, observability, GreenDashboard, and security enhancements. This represents a significant step forward in Sylva’s adoption.
Accelerating the validation of Kubernetes telco workloads
A critical part of Sylva’s role is validating network functions against its reference framework, ensuring that cloud-native network functions (CNFs) and virtualized network functions (VNFs) perform reliably across any Sylva-compliant infrastructure. Following its technical preview in the previous Sylva release, Canonical Kubernetes is now included with 1.32 LTS in Sylva 1.5. This allows it to enter the validation process with the Sylva Validation Workgroup, covering key telecom workloads such as 5G Core, O-RAN, and distributed edge services.
For operators, this means they can deploy Kubernetes telco workloads with confidence, knowing that interoperability and performance have already been tested. Vendors also benefit, since a single certification process ensures compatibility across multiple Sylva-aligned platforms, reducing time to market for new services.
Looking ahead: future opportunities for integration
Canonical is now exploring how its broader infrastructure portfolio, including technologies like Canonical OpenStack, a featureful, highly customizable cloud, and MAAS, bare-metal server automation software, could complement Sylva’s approach in the future. These solutions could help create a more unified environment for both virtualized and cloud-native network functions, enhancing the flexibility of Kubernetes telco deployments.
As Sylva evolves, Canonical will continue engaging with operators, vendors, and the wider community to identify opportunities where its open source software can add value.
Building the future of Kubernetes in telco
The inclusion of Canonical Kubernetes in Sylva represents a milestone in the adoption of open source telco cloud infrastructure. Operators now have access to a validated, commercially supported Kubernetes telco distribution that combines long-term stability, security, and interoperability with the innovation of cloud-native technologies.
With Kubernetes at the foundation, operators can accelerate the rollout of next-generation network functions and services, while benefiting from the reliability and flexibility that only open-source collaboration can deliver.
Next steps
Are you building your telco cloud strategy? Learn how Canonical Kubernetes can give you a stable, validated, and open foundation for 5G, O-RAN, and edge workloads.
Expansion ensures business continuity without forcing major upgrades
Today, Canonical announced the expansion of the Legacy add-on for Ubuntu Pro, extending total coverage for Ubuntu LTS releases to 15 years. Starting with Ubuntu 14.04 LTS (Trusty Tahr), this extension brings the full benefits of Ubuntu Pro – including continuous security patching, compliance tooling and support for your OS – to long-lived production systems.
In highly regulated or hardware-dependent industries, upgrades threaten to disrupt tightly controlled security and compliance. For many organizations, maintaining production systems for more than a decade is complex, but remains a more sensible option than a full upgrade.
That’s why, in 2024, we first introduced the Legacy add-on for Ubuntu Pro, starting with Ubuntu 14.04 LTS (Trusty Tahr). The Legacy add-on increased the total maintenance window for Ubuntu LTS releases to 12 years: five years of standard security maintenance, five years of Expanded Security Maintenance (ESM), and two years of additional coverage with the Legacy add-on – with optional support throughout. Due to the positive reception and growing interest in longer lifecycle coverage, we’re excited to now extend the Legacy add-on to 5 years, bringing a 15-year security maintenance and support window to Ubuntu LTS releases.
A 15-year lifecycle for stability
Throughout this 15-year window, Ubuntu Pro provides continuous security maintenance across the entire Ubuntu base, kernel, and key open source components. Canonical’s security team actively scans, triages, and backports critical, high, and select medium CVEs to all maintained LTS releases, ensuring security without forcing disruptive major upgrades that break compatibility or require re-certification.
Break/fix support remains an optional add-on. When production issues arise, you can get access to our Support team through this service and troubleshoot with experts who contribute to Ubuntu every day, who’ve seen similar problems before and know how to resolve them quickly.
The scope of the Legacy add-on itself is unchanged, but the commitment is longer, giving users additional years to manage transition timelines and maintain compliance.
This updated coverage applies from Ubuntu 14.04 LTS onward. With this extension, Ubuntu 14.04 LTS is now supported until April 2029, a full 15 years after its debut.
By committing to a 15-year lifecycle, Canonical gives users:
Realistic timelines for planning and executing major migrations
Continuous security and compliance coverage for long-lived systems
Flexibility to modernize infrastructure strategically rather than reactively
Infrastructure is complicated, and upgrades carry real costs and risks. This expansion acknowledges those realities and gives you the support duration your deployments actually require.
A simple path to extended coverage
Current Ubuntu Pro subscriptions will continue uninterrupted. No re-enrollment, no reinstallation, no surprise migration projects.
The Legacy add-on is available after the first 10 years of coverage (standard security maintenance plus ESM, and optional break/bug fix support), priced at a 50% premium over standard Ubuntu Pro. This applies whether you’re approaching that milestone with 16.04 LTS or already using the Legacy add-on with 14.04 LTS.
To activate coverage beyond ESM, contact Canonical Sales or reach out to your account manager.
For more information about the Legacy add-on, visit our Ubuntu Pro page.
O Miguel está enervadíssimo com Ubuntu Touch e fez peixeirada no Telegram, mas o Diogo tem boas notícias: para além de ter um monitor todo «gamer» para jogar SuperTuxKart, ele e o Ruben Carneiro vão ao Porto combater bravamente oligopólios malvados nos telefones! Revimos excelentes novidades do Firefox 145 que ajudam no combate às invasões de privacidade; discutimos a entrevista de Jon Seager sobre a última BRONCA da Canonical com Flatpaks e o que esperar do Ubuntu Core Desktop; debatemos violentamente as lojas de aplicações móveis e para acabar, planeámos raptar pessoas, inventar séries de Netflix com Linux e explicar porque é que o Pipewire não é um tubo ligado a um fio.
There is the 1st update available for Sparky 8 – 8.1. This is a quarterly update of the Sparky 8 “Seven Sisters” stable release. Sparky 8 is based on and fully compatible with Debian 13 “Trixie”. Main changes: – All packages updated from the stable Debian and Sparky repositories as of November 10, 2025. – Linux kernel PC: 6.12.48-LTS (6.17.7, 6.12.56 LTS, 6.6.115-LTS in sparky repositories) …
When evaluating load balancers, teams often look at features, benchmarks, or latency claims. But the factor that usually determines how far a load balancer can scale is much simpler: where the traffic is processed inside the operating system.
In Linux, packets originate and are handled in the kernel, where the TCP/IP stack runs. User space — where most reverse proxies and L7 load balancers operate — is a separate execution context. When a load balancer is implemented in user space, every packet must travel back and forth between these two layers — which is fundamentally different from kernel-level load balancing, where forwarding happens inside the kernel.
This boundary crossing is subtle, but it has a real cost.
The Cost of Crossing Kernel and User Space
A typical user-space load balancer (like HAProxy in TCP mode, NGINX, Envoy, or Traefik) receives a packet in the kernel, copies it to user space for processing, then returns it to the kernel to send it out. This happens for every packet in the flow.
Each transition triggers:
a memory copy
a context switch
a scheduler hand-off
Individually, these operations are insignificant. Under moderate or heavy load, they accumulate into two visible symptoms:
Latency grows as concurrency increases
CPU usage rises faster than throughput
And this is why user-space load balancers often reach a scaling ceiling long before hardware limits are reached. The system is not slow — it is simply doing more work than necessary to move each packet.
Figure 1. In user-space load balancers, forwarding requires repeated transitions between kernel and user space, increasing latency and CPU overhead.
What Changes When Forwarding Stays in the Kernel
Linux already provides a capable packet-processing engine in the kernel: netfilter for filtering and NAT, and conntrack for connection tracking. If forwarding decisions are made inside the kernel, packets do not need to move up into user space at all — they stay where they originate.
This is the core idea behind kernel-level load balancing. The forwarding path becomes:
Packet arrives → Kernel processes it → Packet leaves
No additional memory copies.
No process wake-ups.
No proxy loop.
This drastically reduces overhead and keeps CPU usage predictable as load increases.
Figure 2. When forwarding occurs in the kernel data plane, packets avoid user-space transitions entirely.
Performance in Real Conditions
This approach is not theoretical. On standard mid-range hardware running SKUDONET L4xNAT, with no DPDK or kernel bypass optimizations:
475,983 requests per second
~1.63 ms average latency
~27% CPU usage
This demonstrates that the improvement does not come from specialized hardware or experimental networking stacks — it comes from where the work is done.
Internal routed services, logs requiring client IP
DSR
Yes
Direct backend → client
High-volume reads, UDP, media/CDN distribution
DSR offers the lowest latency, while SNAT provides the most operational control.
The right choice depends on network topology, not performance capabilities.
Keeping Control Without Touching the Data Path
Working directly with netfilter can be complex. Its chains, rule priorities, and packet classification logic require a detailed understanding of kernel-level networking.
SKUDONET addresses this by providing a control plane that defines services, backends, and policies at a higher level, while automatically generating and maintaining the underlying kernel configuration. In this model, the forwarding logic never leaves the kernel, but operators still retain full visibility and control over how traffic is handled.
This is the separation of concerns that makes the architecture both efficient and maintainable:
Kernel: data path
User space: control and orchestration
Conclusion
Whether a load balancer processes traffic in user space or in the kernel fundamentally affects:
Latency stability
CPU efficieancy
Scalability under concurrency
Predictability under load
User-space load balancing offers flexibility and extensibility, but that flexibility comes at the cost of additional data movement and processing overhead. Kernel-level load balancing forwarding avoids this by keeping packet handling in the layer where the traffic already resides, eliminating unnecessary copies and context switches while preserving visibility and control.
If you want to explore the architecture in depth — including packet flow breakdowns, performance measurements, and forwarding mode selection — you can read the full technical paper below.
As the deepin community continues to advance steadily in its internationalization journey, we are delighted to announce the official launch of its 11th overseas branch – the Indonesia community site! This marks another solid and significant step forward in deepin's global expansion. Zaky, tthe lead of the deepin Indonesia community, has sent his greetings: Halo semuanya, saya Zaky, Global Ambassador deepin dari Indonesia. Saya sangat bangga bisa mengumumkan peluncuran resmi situs deepin Indonesia. Ini adalah momen yang istimewa bagi saya pribadi dan saya sangat bersemangat untuk berkontumbusi dalam memperkuat komunitas open source dan Linux di tanah air, serta memperkenalkan ...Read more
Deploy a FedRAMP-ready Kubernetes cluster and application suite, with FIPS 140-3 crypto and DISA-STIG hardening,
Today at KubeCon North America, Canonical, the publisher of Ubuntu, released support to enable FIPS mode in its Kubernetes distribution, providing everything needed to create and manage a scalable cluster suitable for high-security or Federal deployments. As of version 1.34, Canonical Kubernetes is available with a built-in FIPS 140-3 capability that uses certified cryptographic modules. Your deployment with this FIPS capability can be easily hardened to DISA-STIG standards using comprehensive documentation when deployed as a snap package.
KubeCon attendees in Atlanta can learn more about FIPS-enabled Canonical Kubernetes at booth 821.
What is Canonical Kubernetes?
Canonical Kubernetes is a performant, lightweight, and securely designed CNCF-conformant distribution of Kubernetes. It provides everything needed for a fully functioning cluster, including a container runtime, a CNI, DNS services, an ingress gateway, metrics server, and more. New versions of Canonical Kubernetes ship within a week of the upstream release, and Long Term Support (LTS) versions (which are released every 2 years) are fully supported and security maintained by Canonical for up to 12 years. Long Term Support for Ubuntu and FIPS-enabled Canonical Kubernetes is offered through an Ubuntu Pro subscription. Canonical’s FIPS 140-3 compliant Kubernetes is also available as part of the NVIDIA AI Factory for Government reference design.
Gain stability with the option to upgrade for new features
Canonical is the first software provider to offer 12 years of support for Kubernetes, which is far beyond the support window offered by upstream CNCF and other vendors. Upstream Kubernetes is typically maintained and supported for about 14 months by the Kubernetes community, with 3 releases per year. In comparison, Canonical maintains an LTS release every 2 years, in line with the Ubuntu LTS release cadence.
Traditionally, Kubernetes clusters must be upgraded one version at a time. However, Canonical’s “interim” versions will be supported for 1 year past the next LTS release, allowing customers to upgrade within 1 year of the next LTS release, without downtime, all while knowing their cluster is fully covered by security maintenance.
Get reliable security maintenance
Each component of the Kubernetes stack is backed by Canonical’s CVE patching service. Our dedicated security team triages all relevant vulnerabilities and backports upstream fixes to the currently supported software versions, ensuring a completely stable base without breaking existing deployments.
Comply with FedRAMP requirements
Canonical has been publishing FIPS-certified cryptographic modules for Ubuntu since 2016. These modules are vital for customers across the Federal sector and for on-premises and public clouds, powering a wide range of FedRAMP deployments. With the availability of Canonical Kubernetes and its built-in FIPS 140-3 mode using certified cryptographic modules, customers will have a faster and more direct route to meet their FedRAMP requirements.
FIPS 140-3 functionality requires Kubernetes to be deployed on top of a FIPS-enabled Ubuntu LTS host Operating System. Canonical Kubernetes enables Kubernetes DISA-STIG, and allows you to deploy onto a host OS hardened to DISA-STIG guidelines using the Ubuntu Security Guide (USG) tool. What’s more, applicable STIG controls can be applied to enable hardened containers, along with embedded FIPS cryptographic libraries. Ubuntu STIG hardening has been extensively tested and deployed across the Federal landscape, making it a proven route to meeting FedRAMP security standards.
FIPS modules and STIG hardening are available with an Ubuntu Pro subscription. Ubuntu Pro subscriptions apply on a per-machine basis, which means that any containerized application running on a Pro-enabled host machine is also included within Pro when the Pro token is enabled.
Visit us at our booth 821 at KubeCon North America on November 11-13, 2025 for an in-person conversation about how Canonical Kubernetes powers FedRAMP compliant deployments.
About Canonical
Canonical, the publisher of Ubuntu, provides open source security, support ,and services. Our portfolio covers critical systems, from the smallest devices to the largest clouds, from the kernel to containers, from databases to AI. With customers that include top tech brands, emerging startups, governments and home users, Canonical delivers trusted open source for everyone.
This new release brings the stability and security of Ubuntu to Axion-based N4A virtual machines on Google Compute Engine.
November 6, 2025 – Today Canonical, the publishers of Ubuntu, and Google Cloud announced the immediate availability of optimized Ubuntu images for the new Axion-based N4A virtual machines (VMs) on Google Compute Engine. This collaboration brings the stability, security, and expansive ecosystem of Ubuntu, the world’s most popular cloud operating system, to Google Cloud’s most cost-effective N-series offering, enabling enterprises to maximize the total cost of ownership (TCO) for a wide range of general-purpose workloads.
The new N4A VMs are powered by Google’s custom-designed Axion ARM-based CPUs and offer up to 105% better price performance and 80% better performance-per-watt than comparable, current-generation x86-based VMs. By integrating optimized Ubuntu images at launch, Canonical helps ensure developers and operators can immediately take advantage of this breakthrough efficiency for demanding workloads.
Canonical has long supported ARM infrastructure, helping to ensure that Ubuntu provides a consistent, reliable, and secure experience across heterogeneous computing environments. Our deep experience in solving the challenges of mixed x86 and ARM deployments allows us to bring a robust and fully optimized operating system to the N4A series from day one.
The availability of optimized Ubuntu on N4A ensures developers can use the familiar packages and libraries of the latest Long-Term Support (LTS) releases, guaranteeing longevity and simplifying migration. This is crucial for businesses looking to adopt N4A’s cost savings without compromising on operational consistency across Google Cloud’s Compute Engine, Google Kubernetes Engine (GKE), and other services.
Seamless integration and reliability from Day One
These optimized Ubuntu images are backed by rigorous testing to help ensure enterprise-grade stability and compatibility with Google Cloud’s core features.
Canonical and Google Cloud have executed thorough validation across the entire image lifecycle, confirming that Ubuntu on N4A performs exceptionally well with Google Cloud services and VMs. This extensive testing includes validation of:
Secure Boot integrity: Full compatibility and successful execution of google-secure-boot, ensuring the highest levels of system integrity from the moment of launch.
Initialization and configuration: Robust confirmation of the cloud-init configuration process, including network, user, and password authentication (cloud-init-password-auth-test), guaranteeing reliable deployment and user setup.
Lifecycle management: Successful execution of startup and shutdown scripts (google-startup, google-shutdown-script, and their URL-based variants), critical for automated maintenance and application orchestration.
Compute Engine feature compatibility: Validation of core Google Cloud functionality, including accurate disk resizing (google-disk-size), and general system integration (google-general), helping to ensure that Ubuntu images behave predictably within the Compute Engine environment.
This comprehensive testing suite allows customers to deploy Ubuntu on N4A with total confidence.
Getting started
To get started, simply select the N4A machine type and choose your preferred Ubuntu image when creating a VM in Google Cloud Compute Engine, or when configuring node settings in GKE.
The optimized images are available now in the public preview regions for N4A (us-central1, us-east4, europe-west3, and europe-west4).
About Canonical
Canonical, the publisher of Ubuntu, provides open source security, support and services. Our portfolio covers critical systems, from the smallest devices to the largest clouds, from the kernel to containers, from databases to AI. With customers that include top tech brands, emerging startups, governments and home users, Canonical delivers trusted open source for everyone. Learn more at https://canonical.com/
Today marks something special for us and for everyone who loves what Volumio does. After nearly a year of work, we’re releasing Volumio 4 for Raspberry Pi and PC platforms.
You might fire it up and think, “Wait, it looks the same.” And you’d be right. We didn’t redesign the interface or move buttons around. What we did was rebuild the foundation.
Why This Matters
Think of Volumio 4 like replacing the engine in your favorite car. From the driver’s seat, everything feels familiar. But under the hood, we’ve swapped in something more powerful, more efficient, and ready to take you places the old engine simply couldn’t go.
We’ve moved to Debian Bookworm, which is the technical way of saying we’ve given Volumio a completely modern foundation. This isn’t just about what you’ll see today. It’s about what we can build tomorrow, and the year after that, and beyond.
A Huge Thanks to Our Community
This kind of work doesn’t happen alone. Andy, Marco, Pascal, Ash, Gé, Josh, and our entire inner circle of moderators and developers spent countless hours testing, troubleshooting, and pushing this forward. When you’re rebuilding something from the ground up while keeping it running, you need people who care as much about getting it right as we do. We couldn’t have done this without them.
The App Changes Everything
Here’s where things get exciting. Volumio 4 works hand in hand with our new Volumio app, which just landed on the app stores. This is the first step in our vision: one seamless ecosystem for music playback, everywhere, for every kind of digital music.
The new app doesn’t just look better. It’s fundamentally more resilient. We’ve built a new connection method that stays rock solid even when your network gets cranky. The onboarding is now straightforward instead of confusing. You’ll spend less time troubleshooting and more time listening.
What You’ll Actually Notice
Your CDs will play quietly now. Most USB drives used to make noise during playback. That’s fixed. Silent CD playback with the vast majority of drives out there.
Bluetooth that actually works well. We completely rewrote the Bluetooth stack. Lower latency, better compatibility, and we didn’t compromise on sound quality to get there. There’s also a new plugin that lets you send audio from Volumio to Bluetooth speakers, and your Bluetooth remotes will now work with Volumio.
Everything feels snappier. Browsing your library is smoother. Things respond faster. It’s one of those improvements that’s hard to quantify but impossible to miss once you experience it.
NVME storage support. So many of you asked for this. Read performance with NVME devices is dramatically better now.
Better handling of big libraries. We’re running the latest version of MPD, which means if you have thousands of albums, Volumio handles them more gracefully and reliably.
More DACs just work. We’ve expanded USB quirks support, so if your DAC supports direct DSD, Volumio will recognize it.
Security updates built in. We’re on the latest kernel, which means better security as the world around us keeps changing.
Touchscreen displays. If you want to connect an HDMI touchscreen panel, Volumio 4 has you covered with improved display management.
We Learned Our Lesson About Plugins
Let’s talk about something important. The Volumio 3 launch was a success in many ways, but we heard you loud and clear about one thing: plugins weren’t ready at launch like they were for Volumio 2. That hurt the experience for many of you, and we get it. Plugins aren’t just nice to have, they’re part of what makes Volumio yours.
We listened. We learned. And we made sure not to repeat that mistake.
All the plugins you love are available right now for Volumio 4. From day one. We didn’t want anyone sitting around waiting for their favorite functionality to come back.
But we didn’t stop there. We’ve also added new capabilities to Volumio 4 that open up possibilities for plugin developers. This means the plugins you already use can get better, and new plugins can do things that weren’t possible before.
How to Get It
Volumio 4 is available today for Raspberry Pi and PC platforms. If you have one of our Volumio products or something from our OEM partners, you can expect to see the update roll out in Q1 2026.
Two Things You Should Know
First, you can’t update over the air from Volumio 3 to Volumio 4. You’ll need to reflash. It’s not ideal, but with a change this fundamental, it was the only way to ensure everything works correctly.
Second, we had to make a difficult call. Raspberry Pi 1 and Raspberry Pi Zero are no longer supported. The necessary binaries simply aren’t available for these older boards. We know this affects some of you, and we didn’t make this decision lightly.
What Comes Next
Today is about giving Volumio a foundation that can support everything we want to build. The interface looks the same because we wished to this transition to feel seamless for you. But now, with Volumio 4 and the new app working together, we can start building the features and improvements that weren’t possible before.
We’ve spent a year on the foundation. Now comes the fun part.
Welcome to Volumio 4.
Download Volumio 4 and get the new app from your device’s app store. As always, if you run into any issues, our community is here to help.
This is the first of two blog posts about how we created the color palette for a new design system at Canonical. In this post I share my journey into perceptually uniform color spaces and perceptual contrast algorithms.
If you’re already familiar with these concepts, skip to thissection (or visit the Github repository) to see how I reverse-engineered the Accessible Perceptual Contrast Algorithm (APCA) to generate perceptually contrasting color palettes. In the next post, I will share why we didn’t choose this solution and what we chose instead.
“Normal” color spaces, such as RGB, are structured in such a way that machines can easily process colors. Therefore, RGB has very inhuman characteristics. If you imagine the color space as a geometric shape, for example, RGB would be a cube. The naive assumption would be that colors we perceive as similar are close to each other in this cube, right? However, this is not the case. Surprisingly, human color perception does not correspond to a perfect cube. Who would have thought?
Perceptually uniform color spaces support human perception, not computers. While RGB’s are consistent in how a color displays on a monitor, PUCs are consistent with how we actually see the color. As a result, their 3D shapes are not perfect geometric shapes, such as the one from Oklch (pictured above). Shocker!
This property of perceptually uniform color spaces, which aligns more closely with actual human color perception, holds enormous potential for UI design and the wider design spectrum. For example, it’s much easier to create color palettes in which the brightness of different colors appears more uniform in the same “gradation”. This potential fascinated me, so I took a deeper dive into perceptually uniform color spaces and human perception of colors and contrasts in general.
How humans perceive contrast
One of the things I learned during my research was the shortcomings of the contrast algorithm currently recommended in the WCAG guidelines, a recommendation based on the ISO-9241-3 standard. The author of APCA, myndex, does an excellent job of documenting the shortcomings of WCAG.
Essentially, WCAG produces both false positives and false negatives when it evaluates contrast between two colors. Meaning, WCAG approvals aren’t necessarily accessible because some combinations with high contrast fail and some with low contrast pass. APCA is a contrast algorithm that is more closely aligned with human contrast perception and is therefore much better at evaluating contrast than WCAG.
At that time, I also was going to start creating a new color palette for Canonical’s design system. So I expanded my research to include how different color spaces and contrast algorithms can be used to create color palettes. In this context, I also read another article by Matthew Ström on color generation, titled “How to Generate Color Palettes for Design Systems.” This article was one of the most important sources of inspiration for my further work and this blog post; In particular, Ström’s principle of using contrasts to determine color gradations, which made me wonder whether it could be developed further.
Generating color palettes for design systems…
To support my work creating a new color palette for Canonical’s design system, I also researched how color spaces and contrast algorithms can be used to make color palettes. In his article Ström explores combining contrast algorithms and perceptually uniform color spaces to generate color palettes.
Contrast is one of the most important aspects of working with color in user interfaces (and other media). There must be sufficient contrast between two colors so that people can distinguish between them. Ström believes that contrast should determine the gradation between colors in a palette. Applied to Ström’s palette, this means that every pair of colors with a distance of 500 will have the WCAG mandated contrast ratio of 4.5:1.
In a color palette where the contrast between two shades is consistent, it’s easy to choose accessible color pairs. Choose any two shades in the palette that are a certain distance apart, and you’ve got an accessible color pair. You no longer need to manually check all color combinations in your user interface. In an internal survey of designers at Canonical, we found that selecting accessible color pairs is an important concern for designers. Therefore, a color palette in which it is easy to select accessible color pairs seemed ideal for us.
… inspired by APCA!
Matthew Ström used the WCAG algorithm in his blog post to good effect, but as mentioned earlier, the WCAG contrast algorithm has its drawbacks. I was curious to see if it would be possible to follow the same principle (basing color palette gradation on contrast) but replace the WCAG algorithm with a perceptual contrast algorithm; in fact, even Ström mentioned in his article that it would be an interesting experiment. I found the idea of trying it with perceptual contrast exciting and began to investigate its feasibility.
So began my journey to create a color palette inspired by APCA contrast algorithm principles.
The APCA formula
First, I had to create a reverse perceptual contrast algorithm. APCA takes two colors and outputs a number between -108 and 106 (where 0 is low contrast and the extreme values are high contrast) to indicate how contrasting the color pair is. Reversing the algorithm means restructuring it so that we can specify a color and a desired contrast ratio to the algorithm, and it returns a color that meets those criteria. Due to its complexity, reversing a perceptual contrast algorithm was much harder than reversing the WCAG algorithm.
I knew that the apca-w3 package already had a “reverse APCA” function. Originally, I thought I would have to go beyond the capabilities of this function (it can only perform the reversal with grayscale colors). As a side project during a climbing trip with friends, I therefore tried to sketch out the reversal of the APCA algorithm on a napkin myself (with the help of a physicist friend, as I’m not that good at math myself).
Much of the APCA algorithm’s complexity stems from the fact that there are four possible cases and the equation looks different depending on the case. The four cases we need to consider for our inverse algorithm are the polarity (is the text lighter than the background) and which of the two variables we want to solve for (text or background).
So for the inverse algorithm, we need to consider four cases:
Case 1: Light text on a dark background, solving for text
Case 2: Dark text on light background, solving for text
Case 3: Light text on dark background, solving for background
Case 4: Dark text on light background, solving for background
I will show my process for the first case. The process for the other cases is basically the same, but different substitutions and signs must be used depending on the case.
Repeating the same process for the other cases we get the following 4 equations for our 4 cases:
Finally, in APCA, all input Y values must be clamped, and the Y value returned as the output of the inverse function must be unclamped. The two functions for clamping and unclamping Y are as follows:
After completing all the scary calculations, I was ready to translate it all into code. In doing so, I realized that I had only determined the required Y component (in the XYZ color space) of a color with the correct contrast value distance, but not a full color. So, the formula is essentially capable of determining a grayscale color that has the correct contrast distance to the input color – exactly what the existing reverse APCA function can do 😅.
I took another look at Ström’s article and realized that the Y component was actually all I needed to generate the palettes. So I could have just used the function available in the apca-w3 package… So if you are considering a similar project, you can save yourself (and your physicist friends) the napkin calculations and either use the existing reverseAPCA() function in the apca-w3 package or my code below.
I still thought it was a good learning experience to reverse it myself, and since apca-w3 is not completely open source (it doesn’t have a standard open source license), I also thought it would be nice to have an implementation of the reverse algorithm with a truly open source license. I’m not sure if what I did is compatible with the APCA trademark license, so I’ll refrain from claiming that my result is APCA-compliant. The code for my inverse perceptual contrast finder, inspired by APCA algorithm principles, is as follows:
/**
* Constants used in perceptual contrast calculations
* Inspired by the formula found at https://github.com/Myndex/apca-w3/blob/c012257167d822f91bc417120bdb82e1b854b4a4/src/apca-w3.js#L146
*/
const PERCEPTUAL_CONTRAST_CONSTANTS: {
BLACK_THRESHOLD: number
BLACK_CLAMP: number
OFFSET: number
SCALE: number
MAGIC_OFFSET_IN: number
MAGIC_OFFSET_OUT: number
MAGIC_FACTOR: number
MAGIC_EXPONENT: number
MACIG_FACTOR_INVERSE: number
} = {
BLACK_THRESHOLD: 0.022,
BLACK_CLAMP: 1.414,
OFFSET: 0.027,
SCALE: 1.14,
MAGIC_OFFSET_IN: 0.0387393816571401,
MAGIC_OFFSET_OUT: 0.312865795870758,
MAGIC_FACTOR: 1.9468554433171,
MAGIC_EXPONENT: 0.283343396420869 / 1.414,
MACIG_FACTOR_INVERSE: 1 / 1.9468554433171,
}
/**
* Removes clamping from near-black colors to restore original values
* Inspired by the formula found at: https://github.com/Myndex/apca-w3/blob/c012257167d822f91bc417120bdb82e1b854b4a4/src/apca-w3.js#L403
* @param y - The clamped luminance value to be unclamped
* @returns The unclamped luminance value
*/
function unclampY(y: number): number {
return y > PERCEPTUAL_CONTRAST_CONSTANTS.BLACK_THRESHOLD
? y
: Math.pow(
(y + PERCEPTUAL_CONTRAST_CONSTANTS.MAGIC_OFFSET_IN) *
PERCEPTUAL_CONTRAST_CONSTANTS.MAGIC_FACTOR,
PERCEPTUAL_CONTRAST_CONSTANTS.MAGIC_EXPONENT
) *
PERCEPTUAL_CONTRAST_CONSTANTS.MACIG_FACTOR_INVERSE -
PERCEPTUAL_CONTRAST_CONSTANTS.MAGIC_OFFSET_OUT
}
/**
* Applies clamping to near-black colors to prevent contrast calculation issues
* Inspired by the formula found at: https://github.com/Myndex/apca-w3/blob/c012257167d822f91bc417120bdb82e1b854b4a4/src/apca-w3.js#L381
* @param y - The luminance value to be clamped
* @returns The clamped luminance value
*/
function clampY(y: number): number {
return y >= PERCEPTUAL_CONTRAST_CONSTANTS.BLACK_THRESHOLD
? y
: y +
Math.pow(
PERCEPTUAL_CONTRAST_CONSTANTS.BLACK_THRESHOLD - y,
PERCEPTUAL_CONTRAST_CONSTANTS.BLACK_CLAMP
)
}
/**
* Reverses perceptual contrast calculations to find a matching luminance
* Inspired by the formula found at: https://github.com/Myndex/apca-w3/blob/c012257167d822f91bc417120bdb82e1b854b4a4/images/APCAw3_0.1.17_APCA0.0.98G.svg
* @param contrast - Target contrast value (between 5 and 106.04066)
* @param y - Known luminance value (between 0 and 1)
* @param bgIsDarker - Whether the background is darker than the text
* @param lookingFor - What we're solving for: "txt" (text color) or "bg" (background color)
* @returns The calculated luminance value, or false if no valid solution exists
*/
export function reversePerceptualContrast(
contrast: number = 75, // Default contrast of 75
y: number = 1, // Default luminance of 1
bgIsDarker: boolean = false, // Default assumes background is lighter
lookingFor: "txt" | "bg" = "txt" // Default solves for text color
): number | false {
contrast = Math.abs(contrast)
let output: number | undefined
if (!(y > 0 && y <= 1)) {
console.log("y is not a valid value (y > 0 && y <= 1)")
return false
}
if (!(contrast >= 5 && contrast <= 106.04066)) {
console.log(
"contrast is not a valid value (contrast >= 5 && contrast <= 106.04066)"
)
return false
}
// Apply clamping to input luminance
y = clampY(y)
// Calculate output luminance based on what we're looking for and background darkness
// You could do these calculations here more DRY, but I find that it is easier to
// understand the derivation from the original calculation with the if statements.
if (lookingFor === "txt") {
if (bgIsDarker) {
// For light text on dark background
output =
(y ** 0.65 -
(-contrast / 100 - PERCEPTUAL_CONTRAST_CONSTANTS.OFFSET) *
(1 / PERCEPTUAL_CONTRAST_CONSTANTS.SCALE)) **
(1 / 0.62)
} else if (!bgIsDarker) {
// For dark text on light background
output =
(y ** 0.56 -
(contrast / 100 + PERCEPTUAL_CONTRAST_CONSTANTS.OFFSET) *
(1 / PERCEPTUAL_CONTRAST_CONSTANTS.SCALE)) **
(1 / 0.57)
}
} else if (lookingFor === "bg") {
if (bgIsDarker) {
// For dark background with light text
output =
(y ** 0.62 +
(-contrast / 100 - PERCEPTUAL_CONTRAST_CONSTANTS.OFFSET) *
(1 / PERCEPTUAL_CONTRAST_CONSTANTS.SCALE)) **
(1 / 0.65)
} else if (!bgIsDarker) {
// For light background with dark text
output =
(y ** 0.57 +
(contrast / 100 + PERCEPTUAL_CONTRAST_CONSTANTS.OFFSET) *
(1 / PERCEPTUAL_CONTRAST_CONSTANTS.SCALE)) **
(1 / 0.56)
}
}
// Unclamp the output value if valid
if (output !== undefined && !isNaN(output)) {
output = unclampY(output)
}
// Validate final output
if (
output === undefined ||
isNaN(output) ||
!(output > 0 && output <= 1)
) {
console.log("A color with the specifications does not exist")
return false
} else {
return output
}
}
After performing the perceptual contrast inversion, all I had to do was combine my code for reverse perceptual contrast with Ström's code:
import Color from "colorjs.io"
/**
* Converts OKHSl color to sRGB array
* @param {OkHSL} hsl - Array containing [hue, saturation, lightness]
* hue: number (0-360) - The hue angle in degrees
* saturation: number (0-1) - The saturation value
* lightness: number (0-1) - The lightness value
* @returns {[number, number, number]} sRGB array [r, g, b] in 0-255 range
*/
export function okhslToSrgb(
hsl: [number, number, number],
): [number, number, number] {
// Create new color in OKHSl space
let c = new Color("okhsl", hsl)
// Convert to sRGB color space
c = c.to("srgb")
return [c.srgb[0] * 255, c.srgb[1] * 255, c.srgb[2] * 255]
}
/**
* Converts Y (luminance) value to OKHSL lightness
* Inspired by the formula found at https://github.com/Myndex/apca-w3/blob/c012257167d822f91bc417120bdb82e1b854b4a4/src/apca-w3.js#L418
* @param {number} y - Linear luminance value (0-1)
* @returns {number} OKHSL lightness value (0-1)
*/
export function yToOkhslLightness(y: number): number {
const srgbComponent = y ** (1 / 2.4)
const c = new Color("srgb", [srgbComponent, srgbComponent, srgbComponent])
return c.okhsl[2]
}
/**
* Color scale object with hex color values keyed by scale number
*/
interface ColorScale {
[step: number]: [number, number, number]
}
/**
* Compensates for the Bezold-Brücke effect where colors appear more purplish in shadows
* and more yellowish in highlights by shifting the hue up to 5 degrees
* Derived from https://mattstromawn.com/writing/generating-color-palettes/#putting-it-all-together%3A-all-the-code-you-need
* Copyright (c) 2025 Matthew Ström-Awn
* Licensed under MIT. See LICENSE file.
* @param step - Scale step value (0-1000)
* @param baseHue - Starting hue in degrees (0-360)
* @returns Adjusted hue value
* @throws If parameters are invalid
*/
function computeHue(step: number, baseHue: number): number {
// Normalize step from 0-1000 range to 0-1
const normalizedStep = step / 1000
// Validate normalizedStep is between 0 and 1
if (normalizedStep < 0 || normalizedStep > 1) {
throw new Error("step must produce a normalized value between 0 and 1")
}
// Validate baseHue is between 0 and 360
if (baseHue < 0 || baseHue > 360) {
throw new Error("baseHue must be a number between 0 and 360")
}
if (baseHue === 0) {
return baseHue
}
return baseHue + 5 * (1 - normalizedStep)
}
/**
* Creates a parabolic function for chroma/saturation that peaks at middle values
* This ensures colors are most vibrant in the middle of the scale while being
* more subtle at the extremes
* Derived from https://mattstromawn.com/writing/generating-color-palettes/#putting-it-all-together%3A-all-the-code-you-need
* Copyright (c) 2025 Matthew Ström-Awn
* Licensed under MIT. See LICENSE file.
* @param step - Scale step value (0-1000)
* @param minChroma - Minimum chroma/saturation value (0-1)
* @param maxChroma - Maximum chroma/saturation value (0-1)
* @returns Calculated chroma value
* @throws If parameters are invalid
*/
function computeChroma(
step: number,
minChroma: number,
maxChroma: number,
): number {
const normalizedStep = step / 1000
// Validate normalizedStep is between 0 and 1
if (normalizedStep < 0 || normalizedStep > 1) {
throw new Error("step must produce a normalized value between 0 and 1")
}
// Validate chroma values are between 0 and 1 and properly ordered
if (minChroma < 0 || minChroma > 1 || maxChroma < 0 || maxChroma > 1) {
throw new Error("Chroma values must be numbers between 0 and 1")
}
if (minChroma > maxChroma) {
throw new Error("minChroma must be less than or equal to maxChroma")
}
const chromaDifference = maxChroma - minChroma
return (
-4 * chromaDifference * Math.pow(normalizedStep, 2) +
4 * chromaDifference * normalizedStep +
minChroma
)
}
/**
* Computes OKHSL lightness from a target contrast step using perceptual contrast
* Derived from https://mattstromawn.com/writing/generating-color-palettes/#putting-it-all-together%3A-all-the-code-you-need
* Copyright (c) 2025 Matthew Ström-Awn
* Licensed under MIT. See LICENSE file.
* @param step - Scale step value (0-1000)
* @returns OKHSL lightness value (0-1)
* @throws If target luminance cannot be calculated
*/
function computeLightness(step: number): number {
// Clip values below minimum threshold to full lightness (white)
if (step < 50) {
return 1
}
// Rescale 50-999 to perceptual contrast's 5-106.04066 range
const perceptualContrast = 5 + ((step - 50) * (106.04066 - 5)) / (1000 - 50)
const targetLuminance = reversePerceptualContrast(
perceptualContrast,
1,
false,
"txt",
)
if (targetLuminance === false) {
throw new Error(
`Problem calculating the target luminance for step ${step}`,
)
}
return yToOkhslLightness(targetLuminance)
}
/**
* Options for generating a color scale
*/
export interface GenerateColorScaleOptions {
/** Base hue in degrees (0-360) */
baseHue: number
/** Minimum chroma/saturation (0-1) */
minChroma: number
/** Maximum chroma/saturation (0-1) */
maxChroma: number
/** Array of scale values to generate (integer values between 0-1000) */
steps: number[]
}
/**
* Generates a complete color scale with accessible contrast levels
* @param options - Configuration object for color scale generation
* @returns Scale object with color srgb values keyed by scale number
*/
export function generateColorScale(
options: GenerateColorScaleOptions,
): ColorScale {
const { baseHue, minChroma, maxChroma, steps } = options
if (baseHue < 0 || baseHue > 360) {
throw new Error("baseHue must be a number between 0 and 360")
}
if (minChroma < 0 || minChroma > 1 || maxChroma < 0 || maxChroma > 1) {
throw new Error("Chroma values must be numbers between 0 and 1")
}
if (minChroma > maxChroma) {
throw new Error("minChroma must be less than or equal to maxChroma")
}
if (
steps.some((step) => step < 0 || step > 1000 || !Number.isInteger(step))
) {
throw new Error("All steps must be integers between 0 and 1000")
}
// Generate the color scale using map and reduce
return steps.reduce((scale, step) => {
const h = computeHue(step, baseHue)
const s = computeChroma(step, minChroma, maxChroma)
const l = computeLightness(step)
const srgb = okhslToSrgb([h, s, l])
return { ...scale, [step]: srgb }
}, {})
}
And just like that, we can generate a color palette with predictable perceptual contrast based shades:
Shade
Gray
Blue
Green
Red
Yellow
0
#fff
#fff
#fff
#fff
#fff
10
#e9e9e9
#e4eaf4
#dfeee1
#f4e6e4
#f2e8dc
20
#d7d7d7
#c7d9f5
#a9eab2
#f5ccc7
#f3d1a9
30
#c4c4c4
#a5c6fa
#66e37e
#faaea5
#f7b666
40
#b1b1b1
#81b2fe
#32d25b
#fd8c81
#f09c1b
50
#9c9c9c
#5a9cff
#00bd43
#ff5f58
#d88900
60
#878787
#3083f8
#2ba142
#f32c34
#bb7608
70
#707070
#2a6ecb
#3b8343
#c13938
#9a6317
80
#585858
#2e5892
#38643a
#8c3a37
#754f23
90
#3c3c3c
#2c3d56
#2f422f
#543230
#4b3926
100
#000
#000
#000
#000
#000
You can find the entire code in a Github repository. I mentioned that I did all this work in preparation for developing a new color palette for Canonical's design system. But in the end, we decided (for good reasons) to go with the WCAG-based approach, which I will write about in my next blog post. So stay tuned 🙂
OpenSSH upstream released
10.1p1 this month, so I
upgraded to that. In the process, I reverted a Debian patch that changed IP
quality-of-service defaults, which made sense at the
time but has since been reworked upstream
anyway, so it makes sense to find out whether we still have similar
problems. So far I haven’t heard anything bad in this area.
Finally, I got all this into trixie-backports, which I intend to keep up to
date throughout the forky development cycle.
Python packaging
For some time, ansible-core has had occasional autopkgtest failures that
usually go away before anyone has a chance to look into them properly. I
ran into these via openssh recently and decided to track them down. It
turns out that they only happened when the libpython3.13-stdlib package
had different versions in testing and unstable, because an integration test
setup script made a change that would be reverted if that package was ever
upgraded in the testbed, and one of the integration tests accidentally
failed to disable system apt sources comprehensively enough while testing
the behaviour of the ansible.builtin.apt module. I fixed this in
Debian
and contributed the relevant part
upstream.
We’ve started working on enabling Python 3.14 as a supported version in
Debian. I fixed or helped to fix a number of packages for this:
pymongo (already fixed by Alexandre
Detiste, but after checking this I took the opportunity to simplify its
arrangements for disabling broken tests and to switch to autopkgtest-pkg-pybuild)
Santiago Vila filed a batch of
bugs
about packages that fail to build when using the nocheck build
profile, and I fixed several of
these (generally just a matter of adjusting build-dependencies):
I investigated a malware report against
tini, which I think we can prove to be a
false positive (at least under the reasonable assumption that there isn’t
malware hiding in libgcc or glibc). Yay for reproducible builds!
I noticed and fixed a small UI deficiency in
debbugs,
making the checkboxes under “Misc options” on package pages easier to hit.
This is merged but we haven’t yet deployed it.
After over a year of work, I’m very excited to announce the general availability of IncusOS, our own immutable OS image designed from the ground up to run Incus!
IncusOS is designed for the modern world, actively relying on both UEFI Secure Boot and TPM 2.0 for boot security and for full disk encryption. It’s a very locked down environment, both for security and for general reliability. There is no local or remote shell, everything must be done through the (authenticated) Incus API.
Under the hood, it’s built on a minimal Debian 13 base, using the Zabbly builds of both the Linux kernel, ZFS and Incus, providing the latest stable versions of all of those. We rely a lot on the systemd tooling to handle image builds (mkosi), application installation (sysext), system updates (sysupdate) and a variety of other things from network configuration to partitioning.
I recorded a demo video of its installation and basic usage both in a virtual machine and on physical hardware:
The Web Engineering team is thrilled to announce the successful conclusion of our third annual Hack Week! Over the past three years, this initiative has become a cornerstone of our collaborative spirit and commitment to innovation. With 126 significant contributions to date, Hack Week provides a dedicated space for our engineers to tackle challenging problems, refine existing systems, and push the boundaries of what’s possible.
The key goals of these events is allowing us to talk with confidence about the true open source nature of our work. We get the opportunity to addressing issues we’ve identified upstream in projects that we use to benefit ourselves and others. By dedicating time to these fixes, we not only improve the stability and performance of our foundational technologies but also empower our team to gain a deeper understanding of complex systems and our dependency tree. The direct engagement with these challenges allows us to truly experience the difficulties firsthand, fostering a unique learning environment. These invaluable learnings are then taken back to our daily projects, where we reflect on the insights gained and implement improvements that benefit all our ongoing work. We are proud of the dedication displayed by everyone involved, and we look forward to continuing this initiative into the future with impactful contributions.
This year we focused on providing accessibility contributions to our internal corporate message application called Mattermost. All contributions are listed below:
Open source encourages compatibility with standards, making locking users in more difficult. This is why we love the freedom open source offers. Open source software allows for sharing knowledge, gaining knowledge, and practising. It promotes transparency in data collection and software systems. Freedom, therefore, is the gift that keeps on giving.
Please have a look at our open-source projects and reach out to us via the issues if anything is unclear.
In security discussions, the term DDoS is often used as if it referred to a single type of threat. In reality, today it covers two very different strategies that share the same goal but not the same execution: volumetric attacks at layers L3/L4 and application exhaustion attacks at layer 7.
Both aim to take a service offline, but they exploit different parts of the infrastructure — and therefore require different mitigation layers.
Two attack families, two impact surfaces
When some vendors claim that “modern DDoS attacks are stealthy and bypass traditional defences”, what they are actually describing is not classic volumetric DDoS, but L7 exhaustion: low-rate traffic, fully valid requests, almost indistinguishable from legitimate clients.
These attacks don’t flood the network — they drain the application from inside.
That doesn’t mean volumetric DDoS has disappeared. It remains cheap to launch, common in the wild, and extremely effective unless it is filtered before the kernel, firewall, or load balancer accepts the connections.
The threat has not changed — the point of mitigation has.
The infrastructure collapses before the application can respond
Application-layer DoS
L7
Exhaust CPU, memory, threads, or DB calls
The service is “up”, but unusable for real users
Or, even more directly:
L3/L4 volumetric attacks → try to take down the network before the service responds
L7 exhaustion attacks → mimic valid traffic to drain the app’s internal resources
Layered defence: why L3/L4 and L7 do not compete — they complement each other
One of the most common misconceptions is assuming that a single protection layer is enough to stop any kind of attack. In practice, filtering only at layer 4 leaves the application exposed, while filtering only at layer 7 allows the kernel or load balancer to be overwhelmed before the WAF ever sees the request.
An L4 firewall can drop malformed packets or abnormal connection patterns before they consume resources, but it has no context to detect that a perfectly valid HTTP request is trying to exploit an SQLi pattern.
A WAF can detect that behaviour — but only after the connection has already been accepted, a socket has been created, and memory has been allocated.
Attack type
Where it must be stopped
What is inspected
Typical tooling
Volumetric (L3/L4)
Before accepting the connection (edge / kernel / LB)
Packets, TCP flags, connection rate
SYN flood protection, rate limiting, conntrack offload
Application exhaustion (L7)
Once the TCP session is established
HTTP headers, URL patterns, payload
TWAF, OWASP rulesets, bot filtering
Effective protection is not about choosing the right layer — it is about dropping as much as possible before the app, and reserving deep inspection only for what deserves to reach it.
What happens when mitigation only works at L7 (and why it fails)
When protection is applied solely at the application layer, the TCP connection has already been accepted before any evaluation occurs. In other words, the system has completed the handshake, allocated a socket, reserved memory and promoted the session to HTTP/S before deciding whether the request should be blocked.
That removes the attacker’s need to generate massive traffic: a few thousand seemingly valid, slow, or incomplete connections are enough to consume server resources without ever saturating the network.
The result is not an immediate outage, but a progressive exhaustion:
Load balancer or backend CPU spikes
Response times increase exponentially
The service is still “up”, but unusable for legitimate users
This is the usual pattern of L7 exhaustion attacks: they don’t bring the network down; they wear the application out from the inside. And it happens for a simple reason: the blocking decision is made too late. First the connection is accepted, then the request is inspected, and only at the end is it decided whether to discard it. By then, the damage is already done.
How SkudoCloud applies two-phase mitigation
Effective protection against DDoS and exhaustion attacks is not about choosing between filtering at L4 or L7, but about enforcing both defenses in the right order. SkudoCloud implements this model natively inside the load-balancing engine itself, without relying on external scrubbing services or additional appliances.
Session rejected before allocation, per-IP/VIP limits, SYN protection, IP reputation / blocklists
Load balancer kernel
2. Deep inspection (L7)
SQLi, XSS, bots, valid-but-abusive requests
Advanced WAF + behavioural rules
HTTP/S module of the engine
This model ensures that high-volume traffic cannot saturate the system before being analysed, and that low-volume abusive requests cannot hide inside seemingly legitimate sessions. The result is an environment where the network does not collapse under load and the application does not degrade due to resource exhaustion.
Everything is managed from a single interface, with unified policies, metrics and event logging — without depending on multiple vendors, external mitigation layers or duplicated configurations.
Ubuntu images on Microsoft Azure have recently started shipping with the open source package azure-vm-utils included by default. Azure VM utils is a package that provides essential utilities and udev rules to optimize the Linux experience on Azure. This change results in more reliable disks, smoother networking on accelerated setups, and fewer tweaks to get things running. Here’s what you need to know:
What’s changing
Smoother storage on modern Azure VMs: Ubuntu now provides consistent device naming across SCSI and NVMe, reducing post-reboot surprises and easing automation.
Better handling of accelerated networking: environments using MANA or Mellanox benefit from safer defaults that avoid double-managing passthrough interfaces.
Less image customization: the utility and rules that many platform teams previously added now ship in the image, removing one more custom step from your pipelines.
Why it matters
Fewer post-boot surprises: predictable device names keep fstab, cloud-init and provisioning scripts stable across VM families and reboots.
Smoother NVMe adoption: newer VM families lean NVMe-first for performance; built-in rules make that transition painless while keeping SCSI setups working.
Less to maintain: the stock image now handles Azure disk naming and accelerated NICs (MANA/Mellanox), so teams can drop custom udev/Netplan snippets and avoid fstab surprises after reboots.
How to Get It
For New VMs: No action is needed. The package is included by default in new Ubuntu images.
For Existing VMs: You can install the package directly from the Ubuntu archive, where it’s available for all current LTS and interim releases: sudo apt update && sudo apt install azure-vm-utils
Quick ways to verify
azure-nvme-id --version # tool present find /dev/disk/azure -type l # predictable Azure disk links
Organizations everywhere are pushing AI and networks closer to the edge. With that expansion comes a challenge: how do you ensure reliable performance, efficiency, and security outside of the data center? Worker safety, healthcare automation, and the success of mobile private networks depend on a robust technology stack that can withstand real-world challenges and still deliver results. Canonical has partnered with Dell Technologies, Intel, Druid, Airspan and Ecrio to publish a new solution brief addressing this question. The brief highlights how a fully integrated, edge-ready platform can meet the growing demand for intelligent, secure, and real-time computing at the edge.
The brief showcases how to build a strong foundation for edge AI and networking by using a Dell PowerEdge XR8000 ruggedized edge network+compute platform consisting of two server sleds powered by Intel Xeon Scalable processors. Both sleds are running Canonical’s software infrastructure stack, which combines Ubuntu, MicroCloud, and Canonical Kubernetes. On the first sled, MicroCloud hosts two VMs: Airspan Control Platform (ACP) manages the 5G radio units, and Druid Raemis provides the cloud-native 5G core orchestrated by Canonical Kubernetes. The second sled hosts Ecrio’s iota-e platform, also managed by Canonical Kubernetes, which enables AI-powered real-time image-recognition, voice, video, and messaging services. These capabilities support critical business processes such as worker coordination in industrial settings, emergency response in healthcare, and secure team communications in remote or hazardous environments.
Download the solution brief to learn how this integrated platform supports advanced use cases, including AI-driven safety monitoring, smart factory operations, and 5G connectivity at the edge.
In the solution brief, you’ll discover how to:
Deploy AI and event detection workloads on optimized, securely designed infrastructure
Operate private 5G and RAN control software on edge-virtualized environments
Streamline orchestration and lifecycle management with Canonical Kubernetes and MicroCloud
Detect safety and operational risks in real time using integrated AI inference
For more information on how Canonical supports your edge and AI journey, visit our related content:
Open source AI for the enterprise Discover how Canonical enables AI workloads from cloud to edge with tools for model training, trusted deployment, and lifecycle management. This webpage outlines Canonical’s full AI stack, from Ubuntu-optimized hardware acceleration to MLOps best practices, with links to blogs, whitepapers, and deployment guides.
Canonical Telco solutions Learn how Canonical helps telecom operators modernize their infrastructure using open source technologies. This hub covers solutions for 5G core networks and Radio Access Networks (RAN) built on Ubuntu, Canonical Kubernetes, OpenStack, MAAS and Juju. You’ll find case studies and insights into telco-grade performance and security.
Fedora 41 is currently scheduled to reach end of life (EOL) on 2025-11-19 (approximately two weeks from the date of this announcement). Please upgrade all of your Fedora templates and standalones by that date. For more information, see Upgrading to avoid EOL.
There are two ways to upgrade a template to a new Fedora release:
Recommended:Install a new template to replace an existing one. This option is simpler for less experienced users, but it won’t preserve any modifications you’ve made to your template. After you install the new template, you’ll have to redo your desired template modifications (if any) and switch everything that was set to the old template to the new template. If you choose to modify your template, you may wish to write those modifications down so that you remember what to redo on each fresh install. To see a log of package manager actions, open a terminal in the old Fedora template and use the dnf history command.
Hello, Community! The October update is here and it's dominated by bug fixes — as we are preparing to release the next VyOS Stream image on the way to the future VyOS 1.5 and working on the new 1.4.4 maintenance release as well. However, there are a few useful features as well, including support for DHCP options 82 (relay agent information) and 26 (interface MTU), containers health checks, and more.
I. October Community Data Overview II. Community Products 1. deepin 25 Official Release Update: File Management and System Experience Upgraded Again In October, the deepin 25 official release received the 25.0.9 version update, bringing multiple optimizations focused on file management efficiency and system interaction details: File Manager Efficiency Innovations: Supports grouping display by time, size, type, and name, making file finding clearer. Added a pin tab feature for one-click access to frequently used directories. Dragging files to the window edge triggers automatic scrolling, making long-distance operations more convenient. Automatically creates a new tab in the current window when opening a ...Read more
And as always, my company is offering commercial support on Incus, ranging from by-the-hour support contracts to one-off services on things like initial migration from LXD, review of your deployment to squeeze the most out of Incus or even feature sponsorship. You’ll find all details of that here: https://zabbly.com/incus
Donations towards my work on this and other open source projects is also always appreciated, you can find me on Github Sponsors, Patreon and Ko-fi.
The 10th monthly Sparky project and donate report of the 2025: – Linux kernel updated up to 6.17.6, 6.12.56-LTS, 6.6.115-LTS – Sparky 8.1-RC1 ARM64 for Raspberry Pi released – added to repos: Mousam Many thanks to all of you for supporting our open-source projects. Your donations help keeping them and us alive. Don’t forget to send a small tip in November too, please. *
I’m pleased to share that my career transition has been successful! I’ve joined our local county assessor’s office, beginning a new path in property assessment for taxation and valuation. While the compensation is modest, it offers the stability I was looking for.
My new schedule consists of four 10-hour days with an hour commute each way, which means Monday through Thursday will be largely devoted to work and travel. However, I’ll have Fridays available for open source contributions once I’ve completed my existing website maintenance commitments.
Open Source Priorities
Going forward, my contribution focus will be:
Ubuntu Community Council
Kubuntu/Debian
Snap packages (as time permits)
Regarding the snap packages: my earlier hope of transitioning them to Carl hasn’t worked out as planned. He’s taken on maintaining KDE Neon single-handedly, and understandably, adding snap maintenance on top of that proved unfeasible. I’ll do what I can to help when time allows.
Looking for Contributors
If you’re interested in contributing to Kubuntu or helping with snap packages, I’d love to hear from you! Feel free to reach out—community involvement is what makes these projects thrive.
Thanks for your patience and understanding as I navigate this transition.
Há demasiadas coisas a acontecer, todas ao mesmo tempo, é o caos! De regresso da Ubuntu Summit em Londres, Lisboa e Porto, o Diogo sublinha os momentos mais importantes e entope o Internet Archive; o Miguel continua na missão de libertar pessoas do Windows; problemas técnicos caem-nos em cima em plena emissão; a Canonical tem uma nova Academia para certificações; revimos as novidades da mais moderna versão do Ubuntu Touch; apelamos a voluntários para fazerem respiração boca-a-boca ao Unity; alguém inventou um Recall para Linux e qual Oppenheimer, vemos ao longe a Framework pegar fogo à tenda do circo com Omarchy e Hyprland. E o mais importante: há um novo Super Tux Kart.
TÜBİTAK BİLGEM tarafından geliştirilmeye devam edilen Pardus’un 25.0 Beta sürümü, Pardus 25.0 Alpha sürümünden aldığımız geri dönüşler ve planlamalarımız doğrultusunda, kullanıcılarımız tarafından deneyimlenmesi ve test edilmesi için yayımlanmıştır.
On October 23rd, we announced the beta availability of silicon-optimized AI models in Ubuntu. Developers can locally install DeepSeek R1 and Qwen 2.5 VL with a single command, benefiting from maximized hardware performance and automated dependency management.
Application developers can access the local API of a quantized generative AI (GenAI) model with runtime optimizations for efficient performance on their CPU, GPU, or NPU.
Architecture of the new open-source tool enabling developers to bundle different combinations of runtimes and weights into a single snap, deploying the most optimal stack on the host machine
By meeting developers at the intersection of silicon and GenAI models, we package, distribute and manage all the necessary components to run AI apps on any machine that runs Ubuntu. Developers can now install pre-trained and fine-tuned AI models that automatically detect the underlying silicon requirements, from how much memory and what GPU or NPU they need, to which software components and default configurations must be included.
What’s the vision behind the announcement, and how did we pull it off?
Ubuntu: the standard distribution platform for AI models
We aim to make Ubuntu the standard distribution platform for generative AI models. Doing so will enable developers to integrate AI seamlessly into their applications and run them optimally across desktops, servers, and edge devices. We believe machine learning (ML) workloads will soon be as fundamental to compute platforms as traditional software dependencies are today, and generative AI models will be a basic part of the compute experience.
But wait: isn’t that already true? Aren’t AI models already everywhere, and don’t we all play with LLMs around 25 times per day?
Yes, but there’s a key distinction. Let me use an analogy to illustrate it.
From fragmentation to curated archives of software
In the early days of Linux, software distribution was fragmented and cumbersome. Developers had to manually download, compile, and configure source code from individual projects, often tracking down missing libraries, resolving version conflicts, and maintaining complex build environments by hand.
While in the early 90s, software was distributed via floppy disks, Slackware and Debian Linux soon ushered in a system of curated archives of software, usually pre-compiled to save time.Source: https://www.debian.org/
As each distribution had its own conventions, packaging tools, and repositories, installing software was an error-prone and time-consuming process. The lack of a unified delivery mechanism slowed down open-source development and created barriers to adoption.
In October 2004, the first release of Ubuntu was out. It shipped with a fairly fixed set of packages in the Ubuntu archive, for which users received security updates and bug fixes over the internet. To get new software, developers still had to hunt down source code and compile it themselves.
What changed?
Fast-forward to a few years later, and in 2007, Canonical introduced Personal Package Archives (PPA), giving developers a hosted build service to publish and share their own software. Discovering new software on Linux was still hard, from living in unknown PPAs to GitHub repositories with daily builds of all kinds of new software. To fix this, Canonical later introduced snaps, containerized software packages that simplified cross-distribution delivery, updates and security.
Standing on the shoulders of giants and building on Debian, Ubuntu helped transform that experience, becoming the aggregation point for open-source software (OSS). Ubuntu consolidated thousands of upstream projects into a coherent, trusted ecosystem that developers could rely on, without needing to understand every dependency or build chain behind it. Ubuntu helped unify and streamline the open-source ecosystem.
A strong packaging foundation, combined with a steady release cadence and curated repositories, lowered the barrier for both developers and enterprises. Ubuntu became the default, trusted layer for distributing and maintaining open-source software.
What if we could do that with AI models?
GenAI models as basic building blocks of future compute
Today, software packages are the basic building blocks of compute. Developers routinely install packages, add PPAs, and pull from various vendors, third parties, or the community, without giving it much thought.
We believe that AI models will soon occupy the same space as first-class citizens of a compute stack. They’ll be treated as standard system components, installed, updated and optimized just like any other dependency. We’ll no longer worry about the details of how to juggle the dependencies of various AI models, just as we don’t think about which repositories the packages your projects depend on come from. Developing software will naturally include integrating ML workloads, and models will be as ubiquitous and invisible in the developer experience as traditional packages are today. LLMs will become part of the commodity layer of compute, evolving into dependencies that containerized workloads rely on: composable, versioned, and hardware-optimized.
In making Ubuntu, we mastered the art of distributing open-source software to millions of users. Now we are applying that expertise to AI model distribution. Ubuntu is moving toward making AI models a native element of the compute environment. We’re shifting AI models from external tools to an integral part of the stack. Bringing silicon-optimized AI models natively to Ubuntu is the first step in making them a built-in component of the compute experience itself.
DeepSeek R1 is a reasoning Large Language Model (LLM) designed to decompose prompts into structured chains of thought, enabling complex reasoning and problem solving. Qwen VL, on the other hand, is a multimodal LLM that accepts both text and images as inputs, representing the latest generation of vision-language models. Both are transformer-based but tuned and packaged to exploit different runtime patterns and hardware characteristics.
Let’s be more specific. The term model is often used loosely, but in practice, it refers to an entire model family built around a base model. Base models are massive neural networks trained on broad datasets to capture general knowledge. These base models are frequently fine-tuned, retrained, or adapted to specialize in specific tasks, such as instruction following or domain-specific reasoning. For instance, transformer-based LLMs share a common architecture built on components such as self-attention, multi-head attention, and large embedding matrices. From this base, families of foundational models and fine-tuned derivatives, such as instruction-tuned models, adapter-based variants, or task-specific fine-tunes, can be developed.
Inference with fine-tuned models
Let’s look at an example of some of the Mistral models from Mistral AI.
On the left-hand side, we have the model vendor, in this case, Mistral AI, which trains and distributes the foundational base models. Fine-tuned derivatives, such as mistral-7b-instruct, are then adapted for instruction-based use cases, responding to prompts in a structured, context-aware manner.
Another model family might look similar but target different objectives or architectures:
However, a “model” – whether base or fine-tuned – is not particularly useful on its own. It’s essentially a collection of learned weights: billions of numerical parameters, with no runtime context. What matters to developers is the inference stack, the combination of a trained model and an optimized runtime that makes inference possible. In the literature, the term “model” often refers to the complete model artifact, including the tokenizer, pre and post-processing components, and runtime format, e.g., PyTorch checkpoint, ONNX, and GGML.
Inference stacks include inference engines, the software responsible for executing the model efficiently on specific hardware. Besides the weights of the pre-trained model, e.g. the weights of Qwen2.5 VL quantized at Q4_K, an engine will typically include the execution logic, optimizations to efficiently perform matrix multiplications and supporting subsystems. Examples include Nvidia’s TensorRT, Intel’s OpenVINO, Apache’s TVM, and vendor-specific runtimes for NPUs. Multiple stacks can exist for the same model, each tailored to different architectures or performance targets. These engines differ in supported features, kernel implementations, and hardware integration layers – reflecting differences in CPU, GPU, NPU, or accelerator capabilities.
For instance, for a fine-tuned model such as mistral-7b-instruct, one might find multiple inference stacks:
Optimizing hardware for inference
Running LLMs efficiently depends critically on the underlying hardware and available system resources. This is why optimized versions of fine-tuned models are often required. A common form of optimization is quantization, reducing the numerical precision of a model’s parameters (for example, converting 16-bit floating-point weights to 8-bit or 4-bit integers). Quantization reduces the model’s memory footprint and computational load, enabling faster inference or deployment on smaller devices, often with minimal degradation in accuracy.
Beyond quantization, optimization can be silicon-specific. Different hardware architectures, e.g. GPUs, TPUs, NPUs, or specialized AI accelerators, exhibit unique performance characteristics: compute density, memory bandwidth, and energy efficiency. Vendors exploit these characteristics through hardware-aware model variants, which are fine-tuned or compiled to maximize performance on their specific silicon.
For silicon vendors, demonstrating superior inference performance directly translates into market differentiation. Even marginal improvements – a 2% gain in throughput or latency on a leading LLM – can have significant implications when scaled across data centers or deployed at the edge.
This performance race fuels intense investment in AI model optimization across the hardware ecosystem. Each vendor aims to maximize effective TFLOPS and real-world inference efficiency. The result is an expanding landscape of hardware-optimized model variants, from aggressively quantized models that fit within strict memory limits to GPU-tuned builds exploiting tensor cores and parallel compute pipelines.
Furthermore, model packaging and runtime format affect deployability, as one needs optimized artefacts per target, e.g. TorchScript/ONNX for GPUs, vendor-compiled binaries for NPUs, GGML or int8 CPU builds for constrained devices.
As a consequence, developers building embedded AI apps are stuck dealing with API keys, per-token subscriptions, and apps that only work when connected to fast internet. Packaging and distributing AI-powered software is hard. Developers must contend with dozens of silicon types, hundreds of hardware configurations, and an ever-growing number of models and variants – while also managing dependencies, model updates, runtime engines, API servers, optimizations, and more.
Simplifying AI development: abstracting complexity away
Is it possible to abstract that complexity away? Today, developers build on Ubuntu without needing to think about the underlying hardware. The same principle should apply to AI: what if, in the future, a developer could simply code for DeepSeek, without worrying about selecting the optimal fine-tuned variant, choosing the right inference engine, or targeting a specific silicon architecture?
This is the challenge we set out for ourselves, bridging the gap between the potential of AI and its practical adoption. Our goal is to bring the right models directly into developers’ hands and make LLMs part of everyday software development
We envision a world where application developers can target an AI model, not a stack, and seamlessly use hardware-specific optimizations under the hood. To truly harness the potential of AI, developers shouldn’t have to worry about quantization levels, inference runtimes, or attaching API keys. They should simply develop against a consistent model interface.
Unfortunately, today’s AI ecosystem is still fragmented. Developer environments lack a standard packaging and distribution model, making AI deployment costly, inconsistent, and complex. Teams often spend significant time configuring, benchmarking, and tuning inference stacks for different accelerators, work that demands deep expertise and still leaves hardware underutilized.
This is why, through Canonical’s strong ecosystem partnerships, we introduced an abstraction layer that gives users access to develop using a known model while integrating the hardware-specific stacks. Last week, we announced the public beta release of AI models on Ubuntu 24.04 LTS, with DeepSeek R1 and Qwen 2.5 VL builds optimized for Intel and Ampere hardware. Developers can locally install those snaps pre-tuned for their silicon, without wrestling with dependencies or manual setup. Our snap approach enables development against a model’s standard API on Ubuntu, while relying on optimized builds engineered by Canonical, Intel, and Ampere.
Silicon-vendor optimizations will now be automatically included when detecting the hardware. For example, when installing the Qwen VL snap on an amd64 workstation, the system will automatically select the most suitable version – whether optimized for Intel integrated or discrete GPUs, Intel NPUs, Intel CPUs, or NVIDIA GPUs (with CUDA acceleration). Similarly, on arm64 systems using Ampere Altra/One processors, the version optimized for those CPUs will be used. If none of these optimizations match the hardware, Qwen VL will automatically fall back to a generic CPU engine to ensure compatibility.
Canonical’s silicon partnerships: planning for the future
As we saw, the performance of AI models is tightly bound to the silicon layer. Optimizing for silicon covers multiple layers, from reduced numeric precision, to operator fusion and kernel fusion, memory layout and tiling changes, and vendor-specific kernel implementations. The inference stack itself, from TensorRT, ONNX Runtime, OpenVINO/oneAPI, and vendor NPUs’ runtimes, materially affects latency, throughput and resource utilization. By working with silicon leaders, Canonical can now deliver robust, stable, locally optimized models that run efficiently on desktops, servers, and edge devices, reducing reliance on massive cloud GPU deployments, lowering costs and energy use, improving latency, and keeping sensitive data on-device. Each model can be installed with a single command, without manual setup or dependency management. Once installed, the snap automatically detects the underlying silicon, currently optimized for Intel CPUs, GPUs and NPUs, and Ampere CPUs, applying the most effective combination of inference engine and model variant.
With Ubuntu Core, Desktop and Server, we already provide a consistent OS experience to millions of developers across verticals and form factors. We are now eager to extend our collaborations with the silicon community and broader ecosystem, and are perfectly placed to enable AI models across the compute spectrum.
There are two ways to upgrade a template to a new Debian release:
Recommended:Install a fresh template to replace the existing one. This option is simpler for less experienced users, but it won’t preserve any modifications you’ve made to your template. After you install the new template, you’ll have to redo your desired template modifications (if any) and switch everything that was set to the old template to the new template. If you choose to modify your template, you may wish to write those modifications down so that you remember what to redo on each fresh install. In the old Debian template, see /var/log/dpkg.log and /var/log/apt/history.log for logs of package manager actions.
The menu items for taking screenshots, and Thunar right-click menu item for image files, now use a BunsenLabs script bl-imgbb-upload instead of bl-imgur-upload.
To take advantage of these changes please upgrade bunsen-utilities to the latest version.
NOTES:
1) imgbb requires that users set up an account and use the access key that they receive. The script bl-imgbb-upload helps with that process, so it's very easy.
2) Users who want to continue using imgur can open /usr/bin/bl-image-upload as root, uncomment the line uploader=bl-imgur-upload and comment out the equivalent line with bl-imgbb-upload. (The script bl-imgur-upload is still available in bunsen-utilities.)
3) The behaviour of bl-imgbb-upload is slightly different from bl-imgur-upload but images and screenshots can be easily uploaded.
4) Future releases of bunsen-utilities might also offer a script for postimage, and allow users to configure their choice of uploader script with a user config setting, but any improvements will come after the Carbon release.
The Ubuntu Release team has now enabled upgrades from 25.04 to 25.10! This is great news! In fact, you may have noticed this icon on your toolbar and a notification to upgrade.
However, upon doing so, you may have noticed something a little more unfortunate:
Yep, we know. This tells you nothing about what is wrong. What is wrong is slightly more technical. As it turns out, the backend application that actually performs the upgrade removed an argument from its command line unannounced during the Plucky Puffin release cycle, approximately a year ago.
As our project leader, Erich Eickmeyer, maintains the upgrade notifier widget for both Ubuntu Studio and Kubuntu, he woke up and immediately got to work identifying what’s wrong and how to patch the Plasma widget in question to correctly execute the upgrade process. He has uploaded the fix, and it was accepted by a member of the Ubuntu Stable Release Updates team.
At the moment, the fix needs to be tested and verified. In order to test it, one must install the fix from the plucky-proposed repository. In order for it to be available, it must build for all architectures and, as of this writing, is awaiting building on riscv64 which has a 40-hour backlog.
The Workaround
If you wish to begin the upgrade process manually rather than waiting on the upgrade notifier fix to be implemented, feel free to make sure you are fully updated, type alt-space to execute Krunner, and paste this:
do-release-upgrade -f DistUpgradeViewKDE
This is the exact command that will be executed by the notifier widget as soon as it is updated.
Of course, if you’re in no hurry, feel free to wait until the notifier is updated and use that method. Do bear in mind, though, that as of this writing, you have exactly 90 days to perform the upgrade to 25.10 before your system will no longer be supported. At that time, you’ll risk being unable to upgrade at all unless certain procedures for End-Of-Life Upgrades are done, which can be tedious for those uncomfortable in a command line as it will require modifying system files.
Mea Culpa
We do apologize for the inconvenience. Testing upgrade paths like this are hard to do and things go missed, especially when teams don’t communicate with each other. We’re try to identify things before they happen but, unfortunately, certain items cannot be foreseen.
This issue has now been added to the Ubuntu Studio 25.10 Release Notes.
Dear deepin community members, We are pleased to announce the official release of the deepin 25.0.9 update! This release includes a number of new features and optimizations, addresses several issues reported by the community, and further refines the user experience across various applications. After updating, your system version will be 25.0.9. We encourage all users to update at your earliest convenience. Feel free to share your thoughts and feedback in the comments! New Features & Improvements File Manager Significant optimizations have been made to file preview and management for a smoother and more efficient experience: Files can now be ...Read more
At NVIDIA GTC Washington D.C., Canonical is pleased to support the arrival of the NVIDIA BlueField-4 – the newest generation of the data processing unit (DPU) family. NVIDIA BlueField-4 is an accelerated infrastructure platform for gigascale AI factories. By combining NVIDIA Grace CPU and NVIDIA ConnectX-9 networking, it delivers 6x the compute power of BlueField-3 and 800 Gb/s throughput to accelerate these systems. BlueField-4features multi-tenant networking, rapid data access, AI runtime security, and enables high-performance inference processing. Running natively on BlueField-4, NVIDIA DOCA microservices deliver containerized services to simplify and scale AI infrastructure.
As with previous generations, BlueField-4 supports the Ubuntu OS, which comes with Canonical’s security maintenance and support. This development is the latest from Canonical’s longstanding collaboration with NVIDIA to advance the state of DPU-driven infrastructure.
A securely-designed foundation
Zero-trust architecture places emphasis on the integrity of infrastructure, which is isolated from untrusted workloads. No component, workload, or user is implicitly trusted, and every interaction within the system is continuously verified and enforced by NVIDIA BlueField at the infrastructure level. In this model, the DPU acts as a hardware-based control and enforcement plane, isolating workloads, validating software integrity, and handling encryption and network policy enforcement independently from the host CPU.
NVIDIA BlueField-4 supports multi-service architectures with native service function chaining, zero-trust tenant isolation, and software defined infrastructure control. Running natively on BlueField-4, NVIDIA DOCA microservices deliver prebuilt, containerized services for AI networking, orchestration, real-time threat detection, and data acceleration–simplifying operations and enabling enterprises and service providers to scale AI securely and efficiently. Enterprises can also deploy validated, BlueField-accelerated applications from leading software providers, enabling advanced infrastructure acceleration and cybersecurity capabilities that enhance the platform’s value.
Ubuntu 24.04 LTS on BlueField-4
Ubuntu plays a key role in supporting the overall security posture of zero-trust BlueField-4 infrastructure. BlueField-4 effectively introduces a dedicated control and enforcement domain alongside the host system, meaning it meets the same security and compliance expectations as any other infrastructure component in the data center. In highly regulated environments, where every element is expected to be hardened and certifiable, the software foundation of BlueField becomes just as important, if not more, as that of the host.
Because the BlueField software stack is based on Ubuntu 24.04 LTS, it benefits from Canonical’s signed packages and reproducible build processes. Expanded Security Maintenance (ESM) provides long-term maintenance guarantees. Ubuntu Pro extends this foundation with continuous CVE monitoring, patch delivery, and compliance tooling, giving operators a clear view of security status and patch levels. When DPUs are deployed in environments that require FIPS, DISA-STIG, or similar compliance frameworks, this is essential. These features, supported in the NVIDIA AI Factory for Government reference design, ensure organizations can integrate BlueField-4 into sensitive infrastructure with confidence, knowing that the underlying operating system aligns with their existing security and compliance processes.
In terms of performance, Canonical publishes optimized Ubuntu images, designed to get the most out of BlueField-4, which combines NVIDIA Grace CPU and NVIDIA ConnectX-9 networking. With NVIDIA Grace, a CPU already certified on Ubuntu 24.04 LTS, operators can deploy with confidence, knowing their platforms have undergone comprehensive validation across performance, reliability, and interoperability. In practical terms, this includes an optimized Ubuntu kernel which combines with NVIDIA drivers on Grace CPU architecture to provide efficient scheduling and accelerated I/O performance on its Arm-based cores.
Advanced networking with Ubuntu 24.04 LTS
Ubuntu 24.04 LTS provides a robust foundation for service function chaining and software-defined networking (SDN) in BlueField-4 deployments. Ubuntu’s networking stack is optimized for deterministic performance, low latency, and full hardware acceleration.
In environments where complex network services, such as firewalls, load balancers, and intrusion detection, must operate in sequence at line rate, Ubuntu’s Linux kernel is optimized for BlueField and enables high performance service function chaining. Developers can opt to use Canonical’s open virtual network (OVN), which integrates tightly with NVIDIA OVS-DOCA (Open vSwitch) to offload data plane operations directly onto the BlueField-4 programmable platform. This allows for traffic steering, encapsulation, and flow processing to occur entirely within the DPU, freeing host resources and ensuring wirespeed throughput even in multi-tenant or multi-domain deployments.
Use cases for telco and public sector
5G Core and edge networking
Service providers can offload user plane function (UPF) and service chaining to BlueField-4, accelerating 5G core workloads running on Ubuntu OpenStack and Kubernetes. With secure tenant isolation via BlueField Advanced Secure Trusted Resource Architecture, operators can enforce zero-trust policies across multi-tenant, high-throughput environments.
Cybersecurity and mission-critical systems
In mission-critical settings, BlueField-4 with Ubuntu enables line-rate intrusion detection, data encryption, and air-gapped control planes, executing directly in the DPU for minimal latency and maximum assurance. With Ubuntu’s FIPS validation and DISA-STIG compliance, organizations can deploy infrastructure that meets stringent operational and regulatory standards.
Canonical and NVIDIA share a commitment to advancing open, programmable, and securely-designed infrastructure. With BlueField-4 on Ubuntu 24.04 LTS, organizations gain a validated, compliant, and high-performance platform to power the next era of AI, telco, and government infrastructure.
Together, we’re enabling governments, operators, and enterprises to deploy scalable, securely maintained, and future-proof infrastructure at gigascale.
Launchpad Builders do not have direct access to the Internet. To reach external resources, they must acquire an authentication token that allows access to a restricted set of URLs via a proxy. This can either be a custom authenticated builder proxy or the fetch service.
The fetch service is a custom sophisticated context-aware forward proxy. Whereas the builder proxy allows requests to allowlisted URLs, the fetch service also keeps track of requests and dependencies for a build.
Users can now opt-in to use the fetch service while building snaps, charms, rocks and sourcecraft packages. You can read more about the fetch service here.
Why is the fetch service important?
To achieve traceability and reproducibility, artifact dependencies retrieved during a build must be identified. The fetch service mediates network access between the build host and the outside world, examining the request protocol, creating a manifest of the downloaded artifacts, and keeping a copy of the artifacts for archival and metadata extraction for each package build.
How to use the fetch service?
To be able to use the fetch service, users must opt-in. For snaps, charms, rocks and sourcecraft packages, the use_fetch_service flag should be set to true in the API. For snaps and charms, this setting is also available in the Edit Recipe UI page.
The fetch service can be run in two modes, “strict” and “permissive”, where it defaults to the former. Both modes only allow certain resources and formats, as defined by inspectors which are responsible for inspecting the requests and the various downloads that are made during the build, ensuring that the requests are permitted.
The “strict” mode errors out if any restrictions are violated. The “permissive” mode works similarly, but only logs a warning when encountering any violations. The mode can be configured using the fetch_service_policy option via the API. For snaps and charms, the mode can also be selected from a dropdown on the Edit Recipe UI page.
When to use the fetch service?
Use the fetch service when you need to keep track of requests and dependencies for a build, e.g., when you need to verify that the artifacts belong to secure, trusted sources.
I’ve written down a new rule (no name, sorry) that I’ll be repeating to myself
and those around me. “If you can replace ‘DNS’ with ‘key value store mapping
a name to an ip’ and it still makes sense, it was not, in fact, DNS.” Feel
free to repeat it along with me.
Sure, the “It’s always DNS” meme is funny the first few hundred times you see
it – but what’s less funny is when critical thinking ends because a DNS query
is involved. DNS failures are often the first observable problem because
it’s one of the first things that needs to be done. DNS is fairly complicated,
implementation-dependent, and at times – frustrating to debug – but it is not
the operational hazard it’s made out to be. It’s at best a shallow take, and at
worst actively holding teams back from understanding their true operational
risks.
IP connectivity failures between a host and the rest of the network is not a
reason to blame DNS. This would happen no matter how you distribute the updated
name to IP mappings. Wiping out
all the records during the course of operations due to an automation bug
is not a reason to blame DNS. This, too, would happen no matter how you
distribute the name to IP mappings. Something made the choice to delete all the
mappings, and it did what you asked it to do
There’s plenty of annoying DNS specific sharp edges to blame when things do
go wrong (like 8.8.8.8 and 1.1.1.1 disagreeing about resolving a domain
because of DNSSEC, or since we’re on the topic, a
DNSSEC rollout bricking prod for hours)
for us to be cracking jokes anytime a program makes a DNS request.
Launchpad now supports the FIDO2 hardware-backed SSH key types ed25519-sk and ecdsa-sk. These keys use a hardware device, such as a YubiKey or Nitrokey, to perform cryptographic operations and keep your private keys safely off your computer. They can be used anywhere Launchpad accepts SSH authentication, including git+ssh and SFTP PPA uploads.
To generate a new key, run
ssh-keygen -t ed25519-sk -C "your@email.com"
or use ecdsa-sk for backwards compatibility. You will be asked to touch your security key during the key creation, and OpenSSH will store the resulting files in ~/.ssh/. If you want to make your key resident, meaning it can be stored on the hardware device and later retrieved even if the original files are lost, use the -O resident option:
Resident keys are useful if you use multiple machines or if you want a portable login method tied directly to your hardware key. To register a new key on your Launchpad account, visit https://launchpad.net/~username/+editsshkeys.
These new key types offer strong protection against key theft and phishing, but require a physical device each time you connect. It is recommended you keep a separate backup key if you use them regularly.
The introduction of security key backed SSH key types is the next step on making Launchpad even more secure. Let us know if you have any feedback!
There are new images of Sparky 8.1 Release Candidate ARM64 available for testing. The new images of ARM64 are set with Openbox window manager and CLI (text mode); no ARMHF images any more. The new images are based on and fully compatible with Debian 13 Trixie. Sparky 8 ARM64 can be installed on Raspberry Pi 3+. Known issues: – Wi-Fi can be disabled. To manually fix that run: Then…
Wherever users are based, they expect apps to just work, whether in Japanese, Arabic, or Spanish. But anyone who’s touched localization knows it’s more than translation. Real quality comes from testing how your app behaves across languages, layouts, and regions – and doing it fast.
If you’re shipping apps for automotive or gaming, localization gets complex fast. It’s never just about translation: you’re adapting to different layouts, alphabet types, interaction models, and hardware quirks. You’re aiming for pixel-perfect across every region, while teams are spread across time zones and builds keep coming.
Anbox Cloud cuts through all of that: enabling real-time, browser-based localization testing at scale. No APK sharing. No device juggling. Enabling you to localize at speed, and at scale.
A consistent experience, everywhere
Let’s examine a common use case: an automotive Tier 1 supplier building in-vehicle Infotainment (IVI) apps for multiple original equipment manufacturers (OEMs). One app, many markets. Each with different languages, reading directions, and screen resolutions. The traditional approach to testing means emailing builds to local quality assurance (QA) teams, or trying to simulate every scenario in-house. If you’ve experienced this approach first hand, then you’ll know it is both fragile and slow.
With Anbox Cloud, all you have to do is launch a container with the right locale in seconds. Your team (in Berlin, Tokyo, or Washington) gets a secure URL, opens their browser, and tests live. No flashing. No setup delays. No exposure of early builds or IP.
Because it runs in the cloud, you control access, enforce authentication, and test in real-time, without sending binaries halfway across the world.
Localization QA at scale: the gaming angle
Now let’s switch to mobile gaming, where localization isn’t just a checkbox: it’s revenue. A game that looks fine in English can break in Turkish, or wrap badly in Finnish. Fonts, line breaks, layout shifts, it all matters. And you don’t want to hear about it from your players.
Global studios know the pain: you need to test across devices, screen densities, and locales. And you need it to be fast, so your players don’t end up furious.
With Anbox Cloud, you can spin up multiple configurations in parallel, simulate different regions, and let your QA team jump into live sessions: no APK installs, no physical devices, just a browser and a link.
Test your UI flow. Click through quests. Break things early.
Why it matters
In a world where users bounce in seconds, localized quality is a differentiator. A misaligned button or clipped string may seem minor, but users notice. And they judge.
In automotive, UI glitches aren’t just annoying, they’re a risk. In gaming, they represent potential lost revenue.
Anbox Cloud brings everything together: faster feedback, real-time testing, and zero APK distribution. Everything runs in the cloud. Everything stays under your control.
Automation that scales with you
Localization QA isn’t just a manual task. With the right tooling, it becomes part of your CI: fast, repeatable, and invisible when it works.
Canonical provides an official GitHub Action to spin up Anbox Cloud dynamically in your pipeline. That means you can launch full Android containers, connect via ADB, and run tests automatically, all from a GitHub workflow. No emulators: just Android, on demand.
Spin up a fresh Android container, connect to it using anbox-connect, and run your UI tests across configurations and locales. The same amc CLI that developers use locally works inside your runner, letting you orchestrate test flows, parallelize across devices, or gate PRs on localization correctness.
Each Android container is accurately replicated, so every test starts from a known baseline. This means that you can also run simultaneous sessions in parallel without sacrificing performance.
Get started today
Whether you’re localizing a safety-critical IVI interface or pushing a mobile game to 30 markets, Anbox Cloud helps you test, adapt, and scale.
And here’s the best part: Anbox Cloud is included in Ubuntu Pro, which is free for personal use and up to five machines. With GitHub integration and built-in automation, your QA process stays in sync with your development pace.
Want to try SKUDONET Enterprise Edition with all its features, including reload configuration without downtime? Request your free 30-day trial here:
The APCA formula
![[RSS 1.0 Feed]](common/rss10.png){kind=small}
![[RSS 2.0 Feed]](common/rss20.png){kind=small}
![[Atom Feed]](common/atom.png){kind=small}
![[FOAF Subscriptions]](common/foaf.png){kind=small}
![[OPML Subscriptions]](common/opml.png){kind=small}
![[Hacker]](common/hacker.png){kind=small}
![[Planet]](common/planet.png){kind=small}