There is a new desktop available for Sparkers: Hyprland What is Hyprland? Features: – All of the eyecandy: gradient borders, blur, animations, shadows and much more – A lot of customization – 100% independent, no wlroots, no libweston, no kwin, no mutter. – Custom bezier curves for the best animations – Powerful plugin support – Built-in plugin manager – Tearing support for better…
16 November, 2025 01:30PM by pavroo
Radio Helsinki wird 30, und feiert das mit einem prall gefüllten Musikprogramm am Samstag, 22.11.2025 im Forum Stadtpark. 🥳 Wir sind mit der HTU-Bigband mit dabei, und spielen ab ~19:30 Uhr für ~1,5 Stunden. Schaut vorbei und feiert mit!
PS: wer es wirklich nicht hinschafft, möge zumindest das Radio einschalten oder den Livestream aufdrehen! 🤓
Foto-Quelle / Copyright: graz.social/@radiohelsinki/115428633169757433
Open source has come a long way. Recently I was watching a keynote address by our founder, Mark Shuttleworth, in which he discussed his vision for Ubuntu to provide quality support and security maintenance across the broad open source ecosystem, and it made me reflect on how far the open source software (OSS) community has come. Indeed, when looking at today’s interoperable open source landscape, the fragmented, disconnected landscape of the past seems like another planet.
But where is open source going next? What’s in store for open source in the coming years, particularly in relation to security? Here’s my reflection on the state of open source, and the trends that I expect to have an impact going into 2026.
Open source has become a ubiquitous part of software development – just look at the numbers. The average app today contains three times as many open source files as it did just four years ago, to the point where 97% of all applications contain OSS. At the same time, research commissioned by Canonical and IDC revealed that seven out of ten organizations consider open source to be “extremely important” for running their mission-critical workloads. In fact, a Harvard study found that if OSS didn’t exist, the global expenditure on software would be 3.5 times higher.
Put simply, the modern software landscape and market depends upon open source. Open source is popular because it is transformative for businesses, blending cost-effectiveness with access to sophisticated software. For instance, one company reduced their cloud total cost of ownership (TCO) by 76% – saving approximately $370,000 – simply by transitioning to open source cloud infrastructure from Canonical. Previously unthinkable deployments, such as carrier-grade private 5G mobile networks, are now entirely achievable with open source tools, as we demonstrated last year in the Netherlands.
It’s astonishing to think that just 20 years ago, most software companies explicitly forbid the use of any OSS in their contracts and terms of service. Open standards and interoperability – now synonymous with open source – were far from mainstream, and as a result, companies were forced into an uncomfortable decision: use the one expensive product that works, or spend months building and integrating everything from scratch.
That’s a lot of change in just 20 years: an entire ecosystem turned on its head. That’s why I think it’s important to pay critical attention to what’s going around us, to spot trends that could be just as revolutionary (or disastrous), and work around them so that we can keep growing in the next 20 years.
Now that I’ve covered the current state of play, let’s dive into the potential tech revolutions – or challenges – in-waiting.
The decision to move away from the constraints of proprietary systems is grounded in promise: as research by Canonical and IDC shows, businesses everywhere are using open source to keep down costs, fully own their infrastructure, and open up their systems to innovation. Ensuring that this promise is reflected in reality requires a proactive, forward-thinking approach.
Your ability to adopt and adapt to the latest innovations in open source software will be vital. Two things are needed:
Without a clear plan, you don’t know where you’re going; and without a management system, you’ll be recreating the difficult, fragmented environment open source was 20 years ago. However, I believe that the ever wider adoption of open source will lead to interoperability and simplified supply chains becoming the norm in the software landscape – essentially, that open source software will reshape the software landscape in line with its values. People want open source software that’s quick to install, easy to learn and use, and effortless to deploy and manage. If you’re looking for a place to begin exploring how you can approach adopting open source into your project or organization, I highly recommend visiting our new dedicated webpage to helping you do exactly that.
The tumultuous geopolitical and cyberthreat landscape of 2025 has sparked a new movement towards independence and ownership in mainstream circles. Long story short, companies don’t want to be left in the cold and dark if something happens with their overseas software or services provider – with the appeal of open source software being the control and freedom it offers to users.
Most notably, we’ve seen a major increase in interest, from businesses and governments, in open source, and repatriated products and infrastructure. For example, communal, municipal, and government authorities in nations like Germany and Denmark have expressed strong interest in moving away from proprietary systems in favour of open source alternatives.
This doesn’t mean proprietary tools will vanish. But it does mean that the pressure will increase on software providers to give peace of mind to end users and consumers that whatever system they use will remain online and functioning – even if new terms of service, sanctions, politics, or laws present unforeseen hurdles. Product features will still be important, but things like documentation, interoperability, system-agnostic design, training for users and system admins, and clear handover processes will be a new ‘normal’ in software offerings.
The developer landscape in 2025 has no shortage of tools, libraries, and solutions. If you want to build an app or service, you could build it from scratch, get portions of the solution from open source, or use already-built solutions. The challenge today is creating systems that give you a full view of these tools, and which allow them to be used securely and sustainably in the long term, without major costs.
Security is hard. There is no one-size-fits-all solution, which introduces the challenge of complexity. Developers have a lot of shiny toys to choose from, and keeping them all securely managed within a usable, minimally complex environment will be a real challenge. Indeed, securing your ever-growing stack won’t be easy. All this new tech doesn’t just mean maximized performance and efficiency: it also means a bigger attack surface and new attack vectors born of the intricate interdependencies between systems.
This is made harder by wider organizational habits. Canonical and IDC’s research shows that in general, organizations prize stability over constant updates: over 50% do not automatically upgrade to the newest versions of software when available. Instead, they wait until new features are needed or the program of free updates stops. They also draw these updates from various places: 57% draw from upstream source repositories, such as Github or Gitlab, and 51% draw from ecosystem packages, like pip or npm.
This approach presents clear problems: if you draw packages from multiple different sources and only apply them when you’re forced to update, it leads to more manual work and less certainty that you’re meeting increasingly strict cybersecurity standards in today’s market.
Organizations still have some work to do in order to meet the challenge of complexity. Our research with IDC shows that 70% of organizations mandate vulnerability patching within 24 hours of identification for “high” and “critical” container vulnerabilities – however, just 41% of respondents are “very confident” or “completely confident” in their organization’s ability to execute this policy.
Remember that innovation isn’t just driven by “the good guys”: bad actors are also working to develop new attack methods and techniques, as AI becomes increasingly powerful and AI tools become more connected and widespread.
We’ve all heard about and read about vibe coding, which is when a software engineer uses AI to generate and debug code. The hype wave of AI has led to fast adoption of generative AI tools as incredible productivity magnifiers. While the allure of faster go-to-market times and improved cost-effectiveness is undeniable, the widespread adoption of AI tools in primary codebases, especially in environments with busy developers stretching across multiple projects, is creating significant security issues. The rapid, often less scrutinized generation of code through these tools can introduce vulnerabilities and amplify existing security challenges in complex software supply chains.
In the next few years, I predict the rise of a new category of cyberincidents stemming from vibecoded feature additions. Organizations everywhere will need a clear policy on use of these tools, and robust checks and quality assurance processes to ensure that the vibecoded additions don’t ignore instructions, or hallucinate package names and inadvertently execute malicious code inside production environments.
We’ve seen a wave of regulation sweep across the US, EU, and UK in the last 4 years. As open source is adopted at the biggest levels of software, it will inherit the steep, strict demands that come with operating in a prestigious global playing field.
Our research with IDC gives a clearer view into the challenges and frustrations that organizations are experiencing with regulations and compliance:
As more regulation is rolled out and tightened up, these challenges will only become harder. Simply hitting the check box of compliance or hardening needed for enterprise eligibility isn’t the point any more – security teams have their work cut out in establishing a clear, transparent track record of your software’s trust lifecycle, and embed this transparency into your development practices.
This means more work for people like me whose job it is to keep open source robust and trusted. But it’s undeniably the right path. After all, we don’t just want solutions that work – we want solutions that reflect, support, and continue the legacy of openness and contribution that allowed them to exist in the first place. And we want Canonical to be a leader in transparency and accountability, and institute practices that demonstrate the trustworthiness and compliance-readiness of our software and services. We recently published our Trust Center – a web portal with all our certifications and compliance efforts – in order to demonstrate that when it comes to that hard work of regulations, we’re doing it right.
In short: the future will be characterized by even more adoption of open source, increased regulation, a surge in AI-driven attack vectors, and a critical need for organizations to implement robust security policies and practices. Businesses must prioritize security without compromising stability, manage their open source supply chains effectively, and adapt to a landscape where transparency and compliance are paramount.
This means that I’ve got a lot of work ahead of me. But as we move into this new phase of open source I’m excited: open source has never been more exhilarating. The openness we spent decades building has created a truly remarkable landscape of interoperability, where you can combine and integrate almost any technology into a functioning model. I’ve seen first hand how open source has changed everything in the software landscape, and I know how much more revolutionary it could be in the coming years. There’s no other job I’d rather have.
Sylva 1.5 becomes the first release to include Kubernetes 1.32, bringing the latest open source cloud-native capabilities to the European telecommunications industry
With the launch of Sylva 1.5, Canonical Kubernetes is now officially part of the project’s reference architecture. This follows its earlier availability as a technology preview in Sylva 1.4.
The Sylva project is backed by Europe’s largest telecom operators and vendors, including Nokia and Ericsson, and is designed to deliver an open, telco-friendly cloud-native framework. By focusing on interoperability, performance, and automation, Sylva addresses the unique requirements of telecommunications providers building Kubernetes telco platforms for their IT, 5G core, O-RAN, and edge services. Canonical is thrilled to be included as part of the Sylva project, supporting the important work of creating an open source cloud-native reference architecture capable of hosting the mission-critical workloads of the telco industry.
Canonical Kubernetes brings unique advantages to Sylva’s mission of reducing fragmentation and simplifying operations across telecom networks. One of its defining features is up to 12 years of long-term support (LTS). For operators running critical workloads, this ensures stability, ongoing security updates, and compliance with industry standards over a much longer lifecycle than other Kubernetes distributions.
Canonical Kubernetes also provides the flexibility needed for large-scale Kubernetes telco deployments, from core networks to the far edge. Operators benefit from a distribution designed to be both lightweight and maintained with security in mind, while remaining capable of handling advanced workloads such as 5G core, O-RAN, and AI-driven services.
Guillaume Nevicato, Sylva Technical Steering Committee co-chair and Orange Telco Cloud Product Manager, recognized the importance of this contribution:
Canonical is a major open-source player that has achieved the integration of their Canonical Kubernetes distribution into Sylva. They fully embrace Sylva’s full-stack automation, including cluster lifecycle management, storage, networking, observability, GreenDashboard, and security enhancements. This represents a significant step forward in Sylva’s adoption.
A critical part of Sylva’s role is validating network functions against its reference framework, ensuring that cloud-native network functions (CNFs) and virtualized network functions (VNFs) perform reliably across any Sylva-compliant infrastructure. Following its technical preview in the previous Sylva release, Canonical Kubernetes is now included with 1.32 LTS in Sylva 1.5. This allows it to enter the validation process with the Sylva Validation Workgroup, covering key telecom workloads such as 5G Core, O-RAN, and distributed edge services.
For operators, this means they can deploy Kubernetes telco workloads with confidence, knowing that interoperability and performance have already been tested. Vendors also benefit, since a single certification process ensures compatibility across multiple Sylva-aligned platforms, reducing time to market for new services.
Canonical is now exploring how its broader infrastructure portfolio, including technologies like Canonical OpenStack, a featureful, highly customizable cloud, and MAAS, bare-metal server automation software, could complement Sylva’s approach in the future. These solutions could help create a more unified environment for both virtualized and cloud-native network functions, enhancing the flexibility of Kubernetes telco deployments.
As Sylva evolves, Canonical will continue engaging with operators, vendors, and the wider community to identify opportunities where its open source software can add value.
The inclusion of Canonical Kubernetes in Sylva represents a milestone in the adoption of open source telco cloud infrastructure. Operators now have access to a validated, commercially supported Kubernetes telco distribution that combines long-term stability, security, and interoperability with the innovation of cloud-native technologies.
With Kubernetes at the foundation, operators can accelerate the rollout of next-generation network functions and services, while benefiting from the reliability and flexibility that only open-source collaboration can deliver.
Are you building your telco cloud strategy? Learn how Canonical Kubernetes can give you a stable, validated, and open foundation for 5G, O-RAN, and edge workloads.
Today, Canonical announced the expansion of the Legacy add-on for Ubuntu Pro, extending total coverage for Ubuntu LTS releases to 15 years. Starting with Ubuntu 14.04 LTS (Trusty Tahr), this extension brings the full benefits of Ubuntu Pro – including continuous security patching, compliance tooling and support for your OS – to long-lived production systems.
In highly regulated or hardware-dependent industries, upgrades threaten to disrupt tightly controlled security and compliance. For many organizations, maintaining production systems for more than a decade is complex, but remains a more sensible option than a full upgrade.
That’s why, in 2024, we first introduced the Legacy add-on for Ubuntu Pro, starting with Ubuntu 14.04 LTS (Trusty Tahr). The Legacy add-on increased the total maintenance window for Ubuntu LTS releases to 12 years: five years of standard security maintenance, five years of Expanded Security Maintenance (ESM), and two years of additional coverage with the Legacy add-on – with optional support throughout. Due to the positive reception and growing interest in longer lifecycle coverage, we’re excited to now extend the Legacy add-on to 5 years, bringing a 15-year security maintenance and support window to Ubuntu LTS releases.
Throughout this 15-year window, Ubuntu Pro provides continuous security maintenance across the entire Ubuntu base, kernel, and key open source components. Canonical’s security team actively scans, triages, and backports critical, high, and select medium CVEs to all maintained LTS releases, ensuring security without forcing disruptive major upgrades that break compatibility or require re-certification.
Break/fix support remains an optional add-on. When production issues arise, you can get access to our Support team through this service and troubleshoot with experts who contribute to Ubuntu every day, who’ve seen similar problems before and know how to resolve them quickly.
The scope of the Legacy add-on itself is unchanged, but the commitment is longer, giving users additional years to manage transition timelines and maintain compliance.
This updated coverage applies from Ubuntu 14.04 LTS onward. With this extension, Ubuntu 14.04 LTS is now supported until April 2029, a full 15 years after its debut.
By committing to a 15-year lifecycle, Canonical gives users:
Infrastructure is complicated, and upgrades carry real costs and risks. This expansion acknowledges those realities and gives you the support duration your deployments actually require.
Current Ubuntu Pro subscriptions will continue uninterrupted. No re-enrollment, no reinstallation, no surprise migration projects.
The Legacy add-on is available after the first 10 years of coverage (standard security maintenance plus ESM, and optional break/bug fix support), priced at a 50% premium over standard Ubuntu Pro. This applies whether you’re approaching that milestone with 16.04 LTS or already using the Legacy add-on with 14.04 LTS.
To activate coverage beyond ESM, contact Canonical Sales or reach out to your account manager.
For more information about the Legacy add-on, visit our Ubuntu Pro page.
Learn more:
13 November, 2025 03:36AM by xiaofei
Update Tor Browser to 15.0.1.
Tor Browser 15.0 is based on Firefox 140 and inherits from it several new features that are particularly useful if you use many tabs:
Update Thunderbird to 140.4.0.
Update the Linux kernel to 6.12.57.
Remove Root Console.
To open a root console, you can execute the following command in a Console.
sudo -i
Show Don't ask again notifications only after the clock has been synchronized.
For more details, read our changelog.
Automatic upgrades are available from Tails 7.0 or later to 7.2.
If you cannot do an automatic upgrade or if Tails fails to start after an automatic upgrade, please try to do a manual upgrade.
Follow our installation instructions:
The Persistent Storage on the USB stick will be lost if you install instead of upgrading.
If you don't need installation or upgrade instructions, you can download Tails 7.2 directly:
O Miguel está enervadíssimo com Ubuntu Touch e fez peixeirada no Telegram, mas o Diogo tem boas notícias: para além de ter um monitor todo «gamer» para jogar SuperTuxKart, ele e o Ruben Carneiro vão ao Porto combater bravamente oligopólios malvados nos telefones! Revimos excelentes novidades do Firefox 145 que ajudam no combate às invasões de privacidade; discutimos a entrevista de Jon Seager sobre a última BRONCA da Canonical com Flatpaks e o que esperar do Ubuntu Core Desktop; debatemos violentamente as lojas de aplicações móveis e para acabar, planeámos raptar pessoas, inventar séries de Netflix com Linux e explicar porque é que o Pipewire não é um tubo ligado a um fio.
Já sabem: oiçam, subscrevam e partilhem!
Este episódio foi produzido por Diogo Constantino, Miguel e Tiago Carrondo e editado pelo Senhor Podcast. O website é produzido por Tiago Carrondo e o código aberto está licenciado nos termos da Licença MIT. (https://creativecommons.org/licenses/by/4.0/). A música do genérico é: “Won’t see it comin’ (Feat Aequality & N’sorte d’autruche)”, por Alpha Hydrae e está licenciada nos termos da CC0 1.0 Universal License. Os separadores de péssima qualidade foram tocados ao vivo e sem rede pelo Miguel, pelo que pedimos desculpa pelos incómodos causados. Os efeitos sonoros têm os seguintes créditos: [crowd booing by HowardV] (https://freesound.org/s/264378/) – License: Creative Commons 0; [Police Car Siren in Traffic by hyderpotter] (https://freesound.org/s/268809/) License: Creative Commons 0; [patrons laughing.mp3 by pbrproductions] (https://freesound.org/s/418831/) – License: Attribution 3.0. Este episódio e a imagem utilizada estão licenciados nos termos da licença: Attribution-NonCommercial-NoDerivatives 4.0 International (CC BY-NC-ND 4.0), cujo texto integral pode ser lido aqui. Estamos abertos a licenciar para permitir outros tipos de utilização, contactem-nos para validação e autorização. A arte de episódio foi criada por encomenda pela Shizamura - artista, ilustradora e autora de BD. Podem ficar a conhecer melhor a Shizamura na Ciberlândia e no seu sítio web.
There is the 1st update available for Sparky 8 – 8.1. This is a quarterly update of the Sparky 8 “Seven Sisters” stable release. Sparky 8 is based on and fully compatible with Debian 13 “Trixie”. Main changes: – All packages updated from the stable Debian and Sparky repositories as of November 10, 2025. – Linux kernel PC: 6.12.48-LTS (6.17.7, 6.12.56 LTS, 6.6.115-LTS in sparky repositories) …
12 November, 2025 09:45AM by pavroo
When evaluating load balancers, teams often look at features, benchmarks, or latency claims. But the factor that usually determines how far a load balancer can scale is much simpler: where the traffic is processed inside the operating system.
In Linux, packets originate and are handled in the kernel, where the TCP/IP stack runs. User space — where most reverse proxies and L7 load balancers operate — is a separate execution context. When a load balancer is implemented in user space, every packet must travel back and forth between these two layers — which is fundamentally different from kernel-level load balancing, where forwarding happens inside the kernel.
This boundary crossing is subtle, but it has a real cost.
A typical user-space load balancer (like HAProxy in TCP mode, NGINX, Envoy, or Traefik) receives a packet in the kernel, copies it to user space for processing, then returns it to the kernel to send it out. This happens for every packet in the flow.
Each transition triggers:
Individually, these operations are insignificant. Under moderate or heavy load, they accumulate into two visible symptoms:
And this is why user-space load balancers often reach a scaling ceiling long before hardware limits are reached. The system is not slow — it is simply doing more work than necessary to move each packet.
Figure 1. In user-space load balancers, forwarding requires repeated transitions between kernel and user space, increasing latency and CPU overhead.
Linux already provides a capable packet-processing engine in the kernel: netfilter for filtering and NAT, and conntrack for connection tracking. If forwarding decisions are made inside the kernel, packets do not need to move up into user space at all — they stay where they originate.
This is the core idea behind kernel-level load balancing. The forwarding path becomes:
Packet arrives → Kernel processes it → Packet leaves
This drastically reduces overhead and keeps CPU usage predictable as load increases.
Figure 2. When forwarding occurs in the kernel data plane, packets avoid user-space transitions entirely.
This approach is not theoretical. On standard mid-range hardware running SKUDONET L4xNAT, with no DPDK or kernel bypass optimizations:
This demonstrates that the improvement does not come from specialized hardware or experimental networking stacks — it comes from where the work is done.
Kernel-level forwarding supports multiple operational models:
DSR offers the lowest latency, while SNAT provides the most operational control.
The right choice depends on network topology, not performance capabilities.
Working directly with netfilter can be complex. Its chains, rule priorities, and packet classification logic require a detailed understanding of kernel-level networking.
SKUDONET addresses this by providing a control plane that defines services, backends, and policies at a higher level, while automatically generating and maintaining the underlying kernel configuration. In this model, the forwarding logic never leaves the kernel, but operators still retain full visibility and control over how traffic is handled.
This is the separation of concerns that makes the architecture both efficient and maintainable:
Whether a load balancer processes traffic in user space or in the kernel fundamentally affects:
User-space load balancing offers flexibility and extensibility, but that flexibility comes at the cost of additional data movement and processing overhead. Kernel-level load balancing forwarding avoids this by keeping packet handling in the layer where the traffic already resides, eliminating unnecessary copies and context switches while preserving visibility and control.
If you want to explore the architecture in depth — including packet flow breakdowns, performance measurements, and forwarding mode selection — you can read the full technical paper below.
Download the full technical whitepaper here:
12 November, 2025 09:30AM by Nieves Álvarez
12 November, 2025 09:07AM by xiaofei
Deploy a FedRAMP-ready Kubernetes cluster and application suite, with FIPS 140-3 crypto and DISA-STIG hardening,
Today at KubeCon North America, Canonical, the publisher of Ubuntu, released support to enable FIPS mode in its Kubernetes distribution, providing everything needed to create and manage a scalable cluster suitable for high-security or Federal deployments. As of version 1.34, Canonical Kubernetes is available with a built-in FIPS 140-3 capability that uses certified cryptographic modules. Your deployment with this FIPS capability can be easily hardened to DISA-STIG standards using comprehensive documentation when deployed as a snap package.
KubeCon attendees in Atlanta can learn more about FIPS-enabled Canonical Kubernetes at booth 821.
Canonical Kubernetes is a performant, lightweight, and securely designed CNCF-conformant distribution of Kubernetes. It provides everything needed for a fully functioning cluster, including a container runtime, a CNI, DNS services, an ingress gateway, metrics server, and more. New versions of Canonical Kubernetes ship within a week of the upstream release, and Long Term Support (LTS) versions (which are released every 2 years) are fully supported and security maintained by Canonical for up to 12 years. Long Term Support for Ubuntu and FIPS-enabled Canonical Kubernetes is offered through an Ubuntu Pro subscription. Canonical’s FIPS 140-3 compliant Kubernetes is also available as part of the NVIDIA AI Factory for Government reference design.
Canonical is the first software provider to offer 12 years of support for Kubernetes, which is far beyond the support window offered by upstream CNCF and other vendors. Upstream Kubernetes is typically maintained and supported for about 14 months by the Kubernetes community, with 3 releases per year. In comparison, Canonical maintains an LTS release every 2 years, in line with the Ubuntu LTS release cadence.
Traditionally, Kubernetes clusters must be upgraded one version at a time. However, Canonical’s “interim” versions will be supported for 1 year past the next LTS release, allowing customers to upgrade within 1 year of the next LTS release, without downtime, all while knowing their cluster is fully covered by security maintenance.
Each component of the Kubernetes stack is backed by Canonical’s CVE patching service. Our dedicated security team triages all relevant vulnerabilities and backports upstream fixes to the currently supported software versions, ensuring a completely stable base without breaking existing deployments.
Canonical has been publishing FIPS-certified cryptographic modules for Ubuntu since 2016. These modules are vital for customers across the Federal sector and for on-premises and public clouds, powering a wide range of FedRAMP deployments. With the availability of Canonical Kubernetes and its built-in FIPS 140-3 mode using certified cryptographic modules, customers will have a faster and more direct route to meet their FedRAMP requirements.
FIPS 140-3 functionality requires Kubernetes to be deployed on top of a FIPS-enabled Ubuntu LTS host Operating System. Canonical Kubernetes enables Kubernetes DISA-STIG, and allows you to deploy onto a host OS hardened to DISA-STIG guidelines using the Ubuntu Security Guide (USG) tool. What’s more, applicable STIG controls can be applied to enable hardened containers, along with embedded FIPS cryptographic libraries. Ubuntu STIG hardening has been extensively tested and deployed across the Federal landscape, making it a proven route to meeting FedRAMP security standards.
FIPS modules and STIG hardening are available with an Ubuntu Pro subscription. Ubuntu Pro subscriptions apply on a per-machine basis, which means that any containerized application running on a Pro-enabled host machine is also included within Pro when the Pro token is enabled.
Visit us at our booth 821 at KubeCon North America on November 11-13, 2025 for an in-person conversation about how Canonical Kubernetes powers FedRAMP compliant deployments.
Canonical, the publisher of Ubuntu, provides open source security, support ,and services. Our portfolio covers critical systems, from the smallest devices to the largest clouds, from the kernel to containers, from databases to AI. With customers that include top tech brands, emerging startups, governments and home users, Canonical delivers trusted open source for everyone.
Learn more at https://canonical.com/
This new release brings the stability and security of Ubuntu to Axion-based N4A virtual machines on Google Compute Engine.
November 6, 2025 – Today Canonical, the publishers of Ubuntu, and Google Cloud announced the immediate availability of optimized Ubuntu images for the new Axion-based N4A virtual machines (VMs) on Google Compute Engine. This collaboration brings the stability, security, and expansive ecosystem of Ubuntu, the world’s most popular cloud operating system, to Google Cloud’s most cost-effective N-series offering, enabling enterprises to maximize the total cost of ownership (TCO) for a wide range of general-purpose workloads.
The new N4A VMs are powered by Google’s custom-designed Axion ARM-based CPUs and offer up to 105% better price performance and 80% better performance-per-watt than comparable, current-generation x86-based VMs. By integrating optimized Ubuntu images at launch, Canonical helps ensure developers and operators can immediately take advantage of this breakthrough efficiency for demanding workloads.
Canonical has long supported ARM infrastructure, helping to ensure that Ubuntu provides a consistent, reliable, and secure experience across heterogeneous computing environments. Our deep experience in solving the challenges of mixed x86 and ARM deployments allows us to bring a robust and fully optimized operating system to the N4A series from day one.
The availability of optimized Ubuntu on N4A ensures developers can use the familiar packages and libraries of the latest Long-Term Support (LTS) releases, guaranteeing longevity and simplifying migration. This is crucial for businesses looking to adopt N4A’s cost savings without compromising on operational consistency across Google Cloud’s Compute Engine, Google Kubernetes Engine (GKE), and other services.
These optimized Ubuntu images are backed by rigorous testing to help ensure enterprise-grade stability and compatibility with Google Cloud’s core features.
Canonical and Google Cloud have executed thorough validation across the entire image lifecycle, confirming that Ubuntu on N4A performs exceptionally well with Google Cloud services and VMs. This extensive testing includes validation of:
This comprehensive testing suite allows customers to deploy Ubuntu on N4A with total confidence.
To get started, simply select the N4A machine type and choose your preferred Ubuntu image when creating a VM in Google Cloud Compute Engine, or when configuring node settings in GKE.
The optimized images are available now in the public preview regions for N4A (us-central1, us-east4, europe-west3, and europe-west4).
Canonical, the publisher of Ubuntu, provides open source security, support and services. Our portfolio covers critical systems, from the smallest devices to the largest clouds, from the kernel to containers, from databases to AI. With customers that include top tech brands, emerging startups, governments and home users, Canonical delivers trusted open source for everyone. Learn more at https://canonical.com/
Today marks something special for us and for everyone who loves what Volumio does. After nearly a year of work, we’re releasing Volumio 4 for Raspberry Pi and PC platforms.
You might fire it up and think, “Wait, it looks the same.” And you’d be right. We didn’t redesign the interface or move buttons around. What we did was rebuild the foundation.
Think of Volumio 4 like replacing the engine in your favorite car. From the driver’s seat, everything feels familiar. But under the hood, we’ve swapped in something more powerful, more efficient, and ready to take you places the old engine simply couldn’t go.
We’ve moved to Debian Bookworm, which is the technical way of saying we’ve given Volumio a completely modern foundation. This isn’t just about what you’ll see today. It’s about what we can build tomorrow, and the year after that, and beyond.
This kind of work doesn’t happen alone. Andy, Marco, Pascal, Ash, Gé, Josh, and our entire inner circle of moderators and developers spent countless hours testing, troubleshooting, and pushing this forward. When you’re rebuilding something from the ground up while keeping it running, you need people who care as much about getting it right as we do. We couldn’t have done this without them.
Here’s where things get exciting. Volumio 4 works hand in hand with our new Volumio app, which just landed on the app stores. This is the first step in our vision: one seamless ecosystem for music playback, everywhere, for every kind of digital music.
The new app doesn’t just look better. It’s fundamentally more resilient. We’ve built a new connection method that stays rock solid even when your network gets cranky. The onboarding is now straightforward instead of confusing. You’ll spend less time troubleshooting and more time listening.
Your CDs will play quietly now. Most USB drives used to make noise during playback. That’s fixed. Silent CD playback with the vast majority of drives out there.
Bluetooth that actually works well. We completely rewrote the Bluetooth stack. Lower latency, better compatibility, and we didn’t compromise on sound quality to get there. There’s also a new plugin that lets you send audio from Volumio to Bluetooth speakers, and your Bluetooth remotes will now work with Volumio.
Everything feels snappier. Browsing your library is smoother. Things respond faster. It’s one of those improvements that’s hard to quantify but impossible to miss once you experience it.
NVME storage support. So many of you asked for this. Read performance with NVME devices is dramatically better now.
Better handling of big libraries. We’re running the latest version of MPD, which means if you have thousands of albums, Volumio handles them more gracefully and reliably.
More DACs just work. We’ve expanded USB quirks support, so if your DAC supports direct DSD, Volumio will recognize it.
Security updates built in. We’re on the latest kernel, which means better security as the world around us keeps changing.
Touchscreen displays. If you want to connect an HDMI touchscreen panel, Volumio 4 has you covered with improved display management.
Let’s talk about something important. The Volumio 3 launch was a success in many ways, but we heard you loud and clear about one thing: plugins weren’t ready at launch like they were for Volumio 2. That hurt the experience for many of you, and we get it. Plugins aren’t just nice to have, they’re part of what makes Volumio yours.
We listened. We learned. And we made sure not to repeat that mistake.
All the plugins you love are available right now for Volumio 4. From day one. We didn’t want anyone sitting around waiting for their favorite functionality to come back.
But we didn’t stop there. We’ve also added new capabilities to Volumio 4 that open up possibilities for plugin developers. This means the plugins you already use can get better, and new plugins can do things that weren’t possible before.
Volumio 4 is available today for Raspberry Pi and PC platforms. If you have one of our Volumio products or something from our OEM partners, you can expect to see the update roll out in Q1 2026.
First, you can’t update over the air from Volumio 3 to Volumio 4. You’ll need to reflash. It’s not ideal, but with a change this fundamental, it was the only way to ensure everything works correctly.
Second, we had to make a difficult call. Raspberry Pi 1 and Raspberry Pi Zero are no longer supported. The necessary binaries simply aren’t available for these older boards. We know this affects some of you, and we didn’t make this decision lightly.
Today is about giving Volumio a foundation that can support everything we want to build. The interface looks the same because we wished to this transition to feel seamless for you. But now, with Volumio 4 and the new app working together, we can start building the features and improvements that weren’t possible before.
We’ve spent a year on the foundation. Now comes the fun part.
Welcome to Volumio 4.
Download Volumio 4 and get the new app from your device’s app store. As always, if you run into any issues, our community is here to help.
The post Volumio 4 is Here: A Year in the Making, Built for What’s Next appeared first on Volumio.
10 November, 2025 01:38PM by Volumio Team
This is the first of two blog posts about how we created the color palette for a new design system at Canonical. In this post I share my journey into perceptually uniform color spaces and perceptual contrast algorithms.
If you’re already familiar with these concepts, skip to this section (or visit the Github repository) to see how I reverse-engineered the Accessible Perceptual Contrast Algorithm (APCA) to generate perceptually contrasting color palettes. In the next post, I will share why we didn’t choose this solution and what we chose instead.
I was nerd sniped by a colleague with this article by Matthew Ström, “How to pick the least wrong colors” about using perceptually uniform color spaces to pick data visualization colors. At that point, I hadn’t known about perceptually uniform color spaces like Oklab and Oklch.
“Normal” color spaces, such as RGB, are structured in such a way that machines can easily process colors. Therefore, RGB has very inhuman characteristics. If you imagine the color space as a geometric shape, for example, RGB would be a cube. The naive assumption would be that colors we perceive as similar are close to each other in this cube, right? However, this is not the case. Surprisingly, human color perception does not correspond to a perfect cube. Who would have thought?
Perceptually uniform color spaces support human perception, not computers. While RGB’s are consistent in how a color displays on a monitor, PUCs are consistent with how we actually see the color. As a result, their 3D shapes are not perfect geometric shapes, such as the one from Oklch (pictured above). Shocker!
This property of perceptually uniform color spaces, which aligns more closely with actual human color perception, holds enormous potential for UI design and the wider design spectrum. For example, it’s much easier to create color palettes in which the brightness of different colors appears more uniform in the same “gradation”. This potential fascinated me, so I took a deeper dive into perceptually uniform color spaces and human perception of colors and contrasts in general.
One of the things I learned during my research was the shortcomings of the contrast algorithm currently recommended in the WCAG guidelines, a recommendation based on the ISO-9241-3 standard. The author of APCA, myndex, does an excellent job of documenting the shortcomings of WCAG.
Essentially, WCAG produces both false positives and false negatives when it evaluates contrast between two colors. Meaning, WCAG approvals aren’t necessarily accessible because some combinations with high contrast fail and some with low contrast pass. APCA is a contrast algorithm that is more closely aligned with human contrast perception and is therefore much better at evaluating contrast than WCAG.
At that time, I also was going to start creating a new color palette for Canonical’s design system. So I expanded my research to include how different color spaces and contrast algorithms can be used to create color palettes. In this context, I also read another article by Matthew Ström on color generation, titled “How to Generate Color Palettes for Design Systems.” This article was one of the most important sources of inspiration for my further work and this blog post; In particular, Ström’s principle of using contrasts to determine color gradations, which made me wonder whether it could be developed further.
To support my work creating a new color palette for Canonical’s design system, I also researched how color spaces and contrast algorithms can be used to make color palettes. In his article Ström explores combining contrast algorithms and perceptually uniform color spaces to generate color palettes.
Contrast is one of the most important aspects of working with color in user interfaces (and other media). There must be sufficient contrast between two colors so that people can distinguish between them. Ström believes that contrast should determine the gradation between colors in a palette. Applied to Ström’s palette, this means that every pair of colors with a distance of 500 will have the WCAG mandated contrast ratio of 4.5:1.
In a color palette where the contrast between two shades is consistent, it’s easy to choose accessible color pairs. Choose any two shades in the palette that are a certain distance apart, and you’ve got an accessible color pair. You no longer need to manually check all color combinations in your user interface. In an internal survey of designers at Canonical, we found that selecting accessible color pairs is an important concern for designers. Therefore, a color palette in which it is easy to select accessible color pairs seemed ideal for us.
Matthew Ström used the WCAG algorithm in his blog post to good effect, but as mentioned earlier, the WCAG contrast algorithm has its drawbacks. I was curious to see if it would be possible to follow the same principle (basing color palette gradation on contrast) but replace the WCAG algorithm with a perceptual contrast algorithm; in fact, even Ström mentioned in his article that it would be an interesting experiment. I found the idea of trying it with perceptual contrast exciting and began to investigate its feasibility.
So began my journey to create a color palette inspired by APCA contrast algorithm principles.
The APCA formulaFirst, I had to create a reverse perceptual contrast algorithm. APCA takes two colors and outputs a number between -108 and 106 (where 0 is low contrast and the extreme values are high contrast) to indicate how contrasting the color pair is. Reversing the algorithm means restructuring it so that we can specify a color and a desired contrast ratio to the algorithm, and it returns a color that meets those criteria. Due to its complexity, reversing a perceptual contrast algorithm was much harder than reversing the WCAG algorithm.
I knew that the apca-w3 package already had a “reverse APCA” function. Originally, I thought I would have to go beyond the capabilities of this function (it can only perform the reversal with grayscale colors). As a side project during a climbing trip with friends, I therefore tried to sketch out the reversal of the APCA algorithm on a napkin myself (with the help of a physicist friend, as I’m not that good at math myself).
Much of the APCA algorithm’s complexity stems from the fact that there are four possible cases and the equation looks different depending on the case. The four cases we need to consider for our inverse algorithm are the polarity (is the text lighter than the background) and which of the two variables we want to solve for (text or background).
So for the inverse algorithm, we need to consider four cases:
I will show my process for the first case. The process for the other cases is basically the same, but different substitutions and signs must be used depending on the case.
Repeating the same process for the other cases we get the following 4 equations for our 4 cases:
Finally, in APCA, all input Y values must be clamped, and the Y value returned as the output of the inverse function must be unclamped. The two functions for clamping and unclamping Y are as follows:
After completing all the scary calculations, I was ready to translate it all into code. In doing so, I realized that I had only determined the required Y component (in the XYZ color space) of a color with the correct contrast value distance, but not a full color. So, the formula is essentially capable of determining a grayscale color that has the correct contrast distance to the input color – exactly what the existing reverse APCA function can do 😅.
I took another look at Ström’s article and realized that the Y component was actually all I needed to generate the palettes. So I could have just used the function available in the apca-w3 package… So if you are considering a similar project, you can save yourself (and your physicist friends) the napkin calculations and either use the existing reverseAPCA() function in the apca-w3 package or my code below.
I still thought it was a good learning experience to reverse it myself, and since apca-w3 is not completely open source (it doesn’t have a standard open source license), I also thought it would be nice to have an implementation of the reverse algorithm with a truly open source license. I’m not sure if what I did is compatible with the APCA trademark license, so I’ll refrain from claiming that my result is APCA-compliant. The code for my inverse perceptual contrast finder, inspired by APCA algorithm principles, is as follows:
/**
* Constants used in perceptual contrast calculations
* Inspired by the formula found at https://github.com/Myndex/apca-w3/blob/c012257167d822f91bc417120bdb82e1b854b4a4/src/apca-w3.js#L146
*/
const PERCEPTUAL_CONTRAST_CONSTANTS: {
BLACK_THRESHOLD: number
BLACK_CLAMP: number
OFFSET: number
SCALE: number
MAGIC_OFFSET_IN: number
MAGIC_OFFSET_OUT: number
MAGIC_FACTOR: number
MAGIC_EXPONENT: number
MACIG_FACTOR_INVERSE: number
} = {
BLACK_THRESHOLD: 0.022,
BLACK_CLAMP: 1.414,
OFFSET: 0.027,
SCALE: 1.14,
MAGIC_OFFSET_IN: 0.0387393816571401,
MAGIC_OFFSET_OUT: 0.312865795870758,
MAGIC_FACTOR: 1.9468554433171,
MAGIC_EXPONENT: 0.283343396420869 / 1.414,
MACIG_FACTOR_INVERSE: 1 / 1.9468554433171,
}
/**
* Removes clamping from near-black colors to restore original values
* Inspired by the formula found at: https://github.com/Myndex/apca-w3/blob/c012257167d822f91bc417120bdb82e1b854b4a4/src/apca-w3.js#L403
* @param y - The clamped luminance value to be unclamped
* @returns The unclamped luminance value
*/
function unclampY(y: number): number {
return y > PERCEPTUAL_CONTRAST_CONSTANTS.BLACK_THRESHOLD
? y
: Math.pow(
(y + PERCEPTUAL_CONTRAST_CONSTANTS.MAGIC_OFFSET_IN) *
PERCEPTUAL_CONTRAST_CONSTANTS.MAGIC_FACTOR,
PERCEPTUAL_CONTRAST_CONSTANTS.MAGIC_EXPONENT
) *
PERCEPTUAL_CONTRAST_CONSTANTS.MACIG_FACTOR_INVERSE -
PERCEPTUAL_CONTRAST_CONSTANTS.MAGIC_OFFSET_OUT
}
/**
* Applies clamping to near-black colors to prevent contrast calculation issues
* Inspired by the formula found at: https://github.com/Myndex/apca-w3/blob/c012257167d822f91bc417120bdb82e1b854b4a4/src/apca-w3.js#L381
* @param y - The luminance value to be clamped
* @returns The clamped luminance value
*/
function clampY(y: number): number {
return y >= PERCEPTUAL_CONTRAST_CONSTANTS.BLACK_THRESHOLD
? y
: y +
Math.pow(
PERCEPTUAL_CONTRAST_CONSTANTS.BLACK_THRESHOLD - y,
PERCEPTUAL_CONTRAST_CONSTANTS.BLACK_CLAMP
)
}
/**
* Reverses perceptual contrast calculations to find a matching luminance
* Inspired by the formula found at: https://github.com/Myndex/apca-w3/blob/c012257167d822f91bc417120bdb82e1b854b4a4/images/APCAw3_0.1.17_APCA0.0.98G.svg
* @param contrast - Target contrast value (between 5 and 106.04066)
* @param y - Known luminance value (between 0 and 1)
* @param bgIsDarker - Whether the background is darker than the text
* @param lookingFor - What we're solving for: "txt" (text color) or "bg" (background color)
* @returns The calculated luminance value, or false if no valid solution exists
*/
export function reversePerceptualContrast(
contrast: number = 75, // Default contrast of 75
y: number = 1, // Default luminance of 1
bgIsDarker: boolean = false, // Default assumes background is lighter
lookingFor: "txt" | "bg" = "txt" // Default solves for text color
): number | false {
contrast = Math.abs(contrast)
let output: number | undefined
if (!(y > 0 && y <= 1)) {
console.log("y is not a valid value (y > 0 && y <= 1)")
return false
}
if (!(contrast >= 5 && contrast <= 106.04066)) {
console.log(
"contrast is not a valid value (contrast >= 5 && contrast <= 106.04066)"
)
return false
}
// Apply clamping to input luminance
y = clampY(y)
// Calculate output luminance based on what we're looking for and background darkness
// You could do these calculations here more DRY, but I find that it is easier to
// understand the derivation from the original calculation with the if statements.
if (lookingFor === "txt") {
if (bgIsDarker) {
// For light text on dark background
output =
(y ** 0.65 -
(-contrast / 100 - PERCEPTUAL_CONTRAST_CONSTANTS.OFFSET) *
(1 / PERCEPTUAL_CONTRAST_CONSTANTS.SCALE)) **
(1 / 0.62)
} else if (!bgIsDarker) {
// For dark text on light background
output =
(y ** 0.56 -
(contrast / 100 + PERCEPTUAL_CONTRAST_CONSTANTS.OFFSET) *
(1 / PERCEPTUAL_CONTRAST_CONSTANTS.SCALE)) **
(1 / 0.57)
}
} else if (lookingFor === "bg") {
if (bgIsDarker) {
// For dark background with light text
output =
(y ** 0.62 +
(-contrast / 100 - PERCEPTUAL_CONTRAST_CONSTANTS.OFFSET) *
(1 / PERCEPTUAL_CONTRAST_CONSTANTS.SCALE)) **
(1 / 0.65)
} else if (!bgIsDarker) {
// For light background with dark text
output =
(y ** 0.57 +
(contrast / 100 + PERCEPTUAL_CONTRAST_CONSTANTS.OFFSET) *
(1 / PERCEPTUAL_CONTRAST_CONSTANTS.SCALE)) **
(1 / 0.56)
}
}
// Unclamp the output value if valid
if (output !== undefined && !isNaN(output)) {
output = unclampY(output)
}
// Validate final output
if (
output === undefined ||
isNaN(output) ||
!(output > 0 && output <= 1)
) {
console.log("A color with the specifications does not exist")
return false
} else {
return output
}
}
After performing the perceptual contrast inversion, all I had to do was combine my code for reverse perceptual contrast with Ström's code:
import Color from "colorjs.io"
/**
* Converts OKHSl color to sRGB array
* @param {OkHSL} hsl - Array containing [hue, saturation, lightness]
* hue: number (0-360) - The hue angle in degrees
* saturation: number (0-1) - The saturation value
* lightness: number (0-1) - The lightness value
* @returns {[number, number, number]} sRGB array [r, g, b] in 0-255 range
*/
export function okhslToSrgb(
hsl: [number, number, number],
): [number, number, number] {
// Create new color in OKHSl space
let c = new Color("okhsl", hsl)
// Convert to sRGB color space
c = c.to("srgb")
return [c.srgb[0] * 255, c.srgb[1] * 255, c.srgb[2] * 255]
}
/**
* Converts Y (luminance) value to OKHSL lightness
* Inspired by the formula found at https://github.com/Myndex/apca-w3/blob/c012257167d822f91bc417120bdb82e1b854b4a4/src/apca-w3.js#L418
* @param {number} y - Linear luminance value (0-1)
* @returns {number} OKHSL lightness value (0-1)
*/
export function yToOkhslLightness(y: number): number {
const srgbComponent = y ** (1 / 2.4)
const c = new Color("srgb", [srgbComponent, srgbComponent, srgbComponent])
return c.okhsl[2]
}
/**
* Color scale object with hex color values keyed by scale number
*/
interface ColorScale {
[step: number]: [number, number, number]
}
/**
* Compensates for the Bezold-Brücke effect where colors appear more purplish in shadows
* and more yellowish in highlights by shifting the hue up to 5 degrees
* Derived from https://mattstromawn.com/writing/generating-color-palettes/#putting-it-all-together%3A-all-the-code-you-need
* Copyright (c) 2025 Matthew Ström-Awn
* Licensed under MIT. See LICENSE file.
* @param step - Scale step value (0-1000)
* @param baseHue - Starting hue in degrees (0-360)
* @returns Adjusted hue value
* @throws If parameters are invalid
*/
function computeHue(step: number, baseHue: number): number {
// Normalize step from 0-1000 range to 0-1
const normalizedStep = step / 1000
// Validate normalizedStep is between 0 and 1
if (normalizedStep < 0 || normalizedStep > 1) {
throw new Error("step must produce a normalized value between 0 and 1")
}
// Validate baseHue is between 0 and 360
if (baseHue < 0 || baseHue > 360) {
throw new Error("baseHue must be a number between 0 and 360")
}
if (baseHue === 0) {
return baseHue
}
return baseHue + 5 * (1 - normalizedStep)
}
/**
* Creates a parabolic function for chroma/saturation that peaks at middle values
* This ensures colors are most vibrant in the middle of the scale while being
* more subtle at the extremes
* Derived from https://mattstromawn.com/writing/generating-color-palettes/#putting-it-all-together%3A-all-the-code-you-need
* Copyright (c) 2025 Matthew Ström-Awn
* Licensed under MIT. See LICENSE file.
* @param step - Scale step value (0-1000)
* @param minChroma - Minimum chroma/saturation value (0-1)
* @param maxChroma - Maximum chroma/saturation value (0-1)
* @returns Calculated chroma value
* @throws If parameters are invalid
*/
function computeChroma(
step: number,
minChroma: number,
maxChroma: number,
): number {
const normalizedStep = step / 1000
// Validate normalizedStep is between 0 and 1
if (normalizedStep < 0 || normalizedStep > 1) {
throw new Error("step must produce a normalized value between 0 and 1")
}
// Validate chroma values are between 0 and 1 and properly ordered
if (minChroma < 0 || minChroma > 1 || maxChroma < 0 || maxChroma > 1) {
throw new Error("Chroma values must be numbers between 0 and 1")
}
if (minChroma > maxChroma) {
throw new Error("minChroma must be less than or equal to maxChroma")
}
const chromaDifference = maxChroma - minChroma
return (
-4 * chromaDifference * Math.pow(normalizedStep, 2) +
4 * chromaDifference * normalizedStep +
minChroma
)
}
/**
* Computes OKHSL lightness from a target contrast step using perceptual contrast
* Derived from https://mattstromawn.com/writing/generating-color-palettes/#putting-it-all-together%3A-all-the-code-you-need
* Copyright (c) 2025 Matthew Ström-Awn
* Licensed under MIT. See LICENSE file.
* @param step - Scale step value (0-1000)
* @returns OKHSL lightness value (0-1)
* @throws If target luminance cannot be calculated
*/
function computeLightness(step: number): number {
// Clip values below minimum threshold to full lightness (white)
if (step < 50) {
return 1
}
// Rescale 50-999 to perceptual contrast's 5-106.04066 range
const perceptualContrast = 5 + ((step - 50) * (106.04066 - 5)) / (1000 - 50)
const targetLuminance = reversePerceptualContrast(
perceptualContrast,
1,
false,
"txt",
)
if (targetLuminance === false) {
throw new Error(
`Problem calculating the target luminance for step ${step}`,
)
}
return yToOkhslLightness(targetLuminance)
}
/**
* Options for generating a color scale
*/
export interface GenerateColorScaleOptions {
/** Base hue in degrees (0-360) */
baseHue: number
/** Minimum chroma/saturation (0-1) */
minChroma: number
/** Maximum chroma/saturation (0-1) */
maxChroma: number
/** Array of scale values to generate (integer values between 0-1000) */
steps: number[]
}
/**
* Generates a complete color scale with accessible contrast levels
* @param options - Configuration object for color scale generation
* @returns Scale object with color srgb values keyed by scale number
*/
export function generateColorScale(
options: GenerateColorScaleOptions,
): ColorScale {
const { baseHue, minChroma, maxChroma, steps } = options
if (baseHue < 0 || baseHue > 360) {
throw new Error("baseHue must be a number between 0 and 360")
}
if (minChroma < 0 || minChroma > 1 || maxChroma < 0 || maxChroma > 1) {
throw new Error("Chroma values must be numbers between 0 and 1")
}
if (minChroma > maxChroma) {
throw new Error("minChroma must be less than or equal to maxChroma")
}
if (
steps.some((step) => step < 0 || step > 1000 || !Number.isInteger(step))
) {
throw new Error("All steps must be integers between 0 and 1000")
}
// Generate the color scale using map and reduce
return steps.reduce((scale, step) => {
const h = computeHue(step, baseHue)
const s = computeChroma(step, minChroma, maxChroma)
const l = computeLightness(step)
const srgb = okhslToSrgb([h, s, l])
return { ...scale, [step]: srgb }
}, {})
}
And just like that, we can generate a color palette with predictable perceptual contrast based shades:
| Shade | Gray | Blue | Green | Red | Yellow |
|---|---|---|---|---|---|
| 0 |
#fff
|
#fff
|
#fff
|
#fff
|
#fff
|
| 10 |
#e9e9e9
|
#e4eaf4
|
#dfeee1
|
#f4e6e4
|
#f2e8dc
|
| 20 |
#d7d7d7
|
#c7d9f5
|
#a9eab2
|
#f5ccc7
|
#f3d1a9
|
| 30 |
#c4c4c4
|
#a5c6fa
|
#66e37e
|
#faaea5
|
#f7b666
|
| 40 |
#b1b1b1
|
#81b2fe
|
#32d25b
|
#fd8c81
|
#f09c1b
|
| 50 |
#9c9c9c
|
#5a9cff
|
#00bd43
|
#ff5f58
|
#d88900
|
| 60 |
#878787
|
#3083f8
|
#2ba142
|
#f32c34
|
#bb7608
|
| 70 |
#707070
|
#2a6ecb
|
#3b8343
|
#c13938
|
#9a6317
|
| 80 |
#585858
|
#2e5892
|
#38643a
|
#8c3a37
|
#754f23
|
| 90 |
#3c3c3c
|
#2c3d56
|
#2f422f
|
#543230
|
#4b3926
|
| 100 |
#000
|
#000
|
#000
|
#000
|
#000
|
You can find the entire code in a Github repository. I mentioned that I did all this work in preparation for developing a new color palette for Canonical's design system. But in the end, we decided (for good reasons) to go with the WCAG-based approach, which I will write about in my next blog post. So stay tuned 🙂
About 95% of my Debian contributions this month were sponsored by Freexian.
You can also support my work directly via Liberapay or GitHub Sponsors.
OpenSSH upstream released 10.1p1 this month, so I upgraded to that. In the process, I reverted a Debian patch that changed IP quality-of-service defaults, which made sense at the time but has since been reworked upstream anyway, so it makes sense to find out whether we still have similar problems. So far I haven’t heard anything bad in this area.
10.1p1 caused a regression in the ssh-agent-filter package’s tests, which I bisected and chased up with upstream.
10.1p1 also had a few other user-visible regressions (#1117574, #1117594, #1117638, #1117720); I upgraded to 10.2p1 which fixed some of these, and contributed some upstream debugging help to clear up the rest. While I was there, I also fixed ssh-session-cleanup: fails due to wrong $ssh_session_pattern in our packaging.
Finally, I got all this into trixie-backports, which I intend to keep up to date throughout the forky development cycle.
For some time, ansible-core has had occasional autopkgtest failures that
usually go away before anyone has a chance to look into them properly. I
ran into these via openssh recently and decided to track them down. It
turns out that they only happened when the libpython3.13-stdlib package
had different versions in testing and unstable, because an integration test
setup script made a change that would be reverted if that package was ever
upgraded in the testbed, and one of the integration tests accidentally
failed to disable system apt sources comprehensively enough while testing
the behaviour of the ansible.builtin.apt module. I fixed this in
Debian
and contributed the relevant part
upstream.
We’ve started working on enabling Python 3.14 as a supported version in Debian. I fixed or helped to fix a number of packages for this:
I upgraded these packages to new upstream versions:
I packaged python-blockbuster and python-pytokens, needed as new dependencies of various other packages.
Santiago Vila filed a batch of
bugs
about packages that fail to build when using the nocheck build
profile, and I fixed several of
these (generally just a matter of adjusting build-dependencies):
I helped out with the scikit-learn 1.7 transition:
I fixed or helped to fix several other build/test failures:
I fixed some other bugs:
/usr/bin/env: 'python': No such file or
directoryI investigated a python-py build failure, which turned out to have been fixed in Python 3.13.9.
I adopted zope.hookable and zope.location for the Python team.
Following an IRC question, I ported linux-gpib-user to pybuild-plugin-pyproject, and added tests to make sure the resulting binary package layout is correct.
Another Pydantic upgrade meant I had to upgrade a corresponding stack of Rust packages to new upstream versions:
I also upgraded rust-archery and rust-rpds.
I fixed a few bugs in other packages I maintain:
I investigated a malware report against tini, which I think we can prove to be a false positive (at least under the reasonable assumption that there isn’t malware hiding in libgcc or glibc). Yay for reproducible builds!
I noticed and fixed a small UI deficiency in debbugs, making the checkboxes under “Misc options” on package pages easier to hit. This is merged but we haven’t yet deployed it.
I notced and fixed a typo in the Being kind to porters section of the Debian Developer’s Reference.
After over a year of work, I’m very excited to announce the general availability of IncusOS, our own immutable OS image designed from the ground up to run Incus!
IncusOS is designed for the modern world, actively relying on both UEFI Secure Boot and TPM 2.0 for boot security and for full disk encryption. It’s a very locked down environment, both for security and for general reliability. There is no local or remote shell, everything must be done through the (authenticated) Incus API.
Under the hood, it’s built on a minimal Debian 13 base, using the Zabbly builds of both the Linux kernel, ZFS and Incus, providing the latest stable versions of all of those. We rely a lot on the systemd tooling to handle image builds (mkosi), application installation (sysext), system updates (sysupdate) and a variety of other things from network configuration to partitioning.
I recorded a demo video of its installation and basic usage both in a virtual machine and on physical hardware:
Full release announcement: https://discuss.linuxcontainers.org/t/announcing-incusos/25139
In security discussions, the term DDoS is often used as if it referred to a single type of threat. In reality, today it covers two very different strategies that share the same goal but not the same execution: volumetric attacks at layers L3/L4 and application exhaustion attacks at layer 7.
Both aim to take a service offline, but they exploit different parts of the infrastructure — and therefore require different mitigation layers.
When some vendors claim that “modern DDoS attacks are stealthy and bypass traditional defences”, what they are actually describing is not classic volumetric DDoS, but L7 exhaustion: low-rate traffic, fully valid requests, almost indistinguishable from legitimate clients.
These attacks don’t flood the network — they drain the application from inside.
That doesn’t mean volumetric DDoS has disappeared. It remains cheap to launch, common in the wild, and extremely effective unless it is filtered before the kernel, firewall, or load balancer accepts the connections.
The threat has not changed — the point of mitigation has.
Or, even more directly:
One of the most common misconceptions is assuming that a single protection layer is enough to stop any kind of attack. In practice, filtering only at layer 4 leaves the application exposed, while filtering only at layer 7 allows the kernel or load balancer to be overwhelmed before the WAF ever sees the request.
An L4 firewall can drop malformed packets or abnormal connection patterns before they consume resources, but it has no context to detect that a perfectly valid HTTP request is trying to exploit an SQLi pattern.
A WAF can detect that behaviour — but only after the connection has already been accepted, a socket has been created, and memory has been allocated.
Effective protection is not about choosing the right layer — it is about dropping as much as possible before the app, and reserving deep inspection only for what deserves to reach it.
When protection is applied solely at the application layer, the TCP connection has already been accepted before any evaluation occurs. In other words, the system has completed the handshake, allocated a socket, reserved memory and promoted the session to HTTP/S before deciding whether the request should be blocked.
That removes the attacker’s need to generate massive traffic: a few thousand seemingly valid, slow, or incomplete connections are enough to consume server resources without ever saturating the network.
The result is not an immediate outage, but a progressive exhaustion:
This is the usual pattern of L7 exhaustion attacks: they don’t bring the network down; they wear the application out from the inside. And it happens for a simple reason: the blocking decision is made too late. First the connection is accepted, then the request is inspected, and only at the end is it decided whether to discard it. By then, the damage is already done.
Effective protection against DDoS and exhaustion attacks is not about choosing between filtering at L4 or L7, but about enforcing both defenses in the right order. SkudoCloud implements this model natively inside the load-balancing engine itself, without relying on external scrubbing services or additional appliances.
This model ensures that high-volume traffic cannot saturate the system before being analysed, and that low-volume abusive requests cannot hide inside seemingly legitimate sessions. The result is an environment where the network does not collapse under load and the application does not degrade due to resource exhaustion.
Everything is managed from a single interface, with unified policies, metrics and event logging — without depending on multiple vendors, external mitigation layers or duplicated configurations.
To see how this model works in a real deployment, follow the step-by-step guide: Configure the First SkudoCloud Service
06 November, 2025 11:12AM by Nieves Álvarez
06 November, 2025 08:34AM by xiaofei
Ubuntu images on Microsoft Azure have recently started shipping with the open source package azure-vm-utils included by default. Azure VM utils is a package that provides essential utilities and udev rules to optimize the Linux experience on Azure. This change results in more reliable disks, smoother networking on accelerated setups, and fewer tweaks to get things running. Here’s what you need to know:
azure-nvme-id --version # tool present
find /dev/disk/azure -type l # predictable Azure disk links
05 November, 2025 10:09AM by xiaofei
Organizations everywhere are pushing AI and networks closer to the edge. With that expansion comes a challenge: how do you ensure reliable performance, efficiency, and security outside of the data center? Worker safety, healthcare automation, and the success of mobile private networks depend on a robust technology stack that can withstand real-world challenges and still deliver results. Canonical has partnered with Dell Technologies, Intel, Druid, Airspan and Ecrio to publish a new solution brief addressing this question. The brief highlights how a fully integrated, edge-ready platform can meet the growing demand for intelligent, secure, and real-time computing at the edge.
The brief showcases how to build a strong foundation for edge AI and networking by using a Dell PowerEdge XR8000 ruggedized edge network+compute platform consisting of two server sleds powered by Intel Xeon Scalable processors. Both sleds are running Canonical’s software infrastructure stack, which combines Ubuntu, MicroCloud, and Canonical Kubernetes. On the first sled, MicroCloud hosts two VMs: Airspan Control Platform (ACP) manages the 5G radio units, and Druid Raemis provides the cloud-native 5G core orchestrated by Canonical Kubernetes. The second sled hosts Ecrio’s iota-e platform, also managed by Canonical Kubernetes, which enables AI-powered real-time image-recognition, voice, video, and messaging services. These capabilities support critical business processes such as worker coordination in industrial settings, emergency response in healthcare, and secure team communications in remote or hazardous environments.
Download the solution brief to learn how this integrated platform supports advanced use cases, including AI-driven safety monitoring, smart factory operations, and 5G connectivity at the edge.
Download the full solution brief
For more information on how Canonical supports your edge and AI journey, visit our related content:
Fedora 41 is currently scheduled to reach end of life (EOL) on 2025-11-19 (approximately two weeks from the date of this announcement). Please upgrade all of your Fedora templates and standalones by that date. For more information, see Upgrading to avoid EOL.
There are two ways to upgrade a template to a new Fedora release:
Recommended: Install a new template to replace an existing one. This option is simpler for less experienced users, but it won’t preserve any modifications you’ve made to your template. After you install the new template, you’ll have to redo your desired template modifications (if any) and switch everything that was set to the old template to the new template. If you choose to modify your template, you may wish to write those modifications down so that you remember what to redo on each fresh install. To see a log of package manager actions, open a terminal in the old Fedora template and use the dnf history command.
Advanced: Perform an in-place upgrade of an existing Fedora template. This option will preserve any modifications you’ve made to the template, but it may be more complicated for less experienced users.
Please note that no user action is required regarding the OS version in dom0 (see our note on dom0 and EOL).
Hello, Community! The October update is here and it's dominated by bug fixes — as we are preparing to release the next VyOS Stream image on the way to the future VyOS 1.5 and working on the new 1.4.4 maintenance release as well. However, there are a few useful features as well, including support for DHCP options 82 (relay agent information) and 26 (interface MTU), containers health checks, and more.
04 November, 2025 01:04PM by Daniil Baturin (daniil@sentrium.io)
04 November, 2025 09:41AM by xiaofei
Welcome to the Ubuntu Weekly Newsletter, Issue 916 for the week of October 26 – November 1, 2025. The full version of this issue is available here.
In this issue we cover:
The Ubuntu Weekly Newsletter is brought to you by:
If you have a story idea for the Weekly Newsletter, join the Ubuntu News Team mailing list and submit it. Ideas can also be added to the wiki!
The Incus team is pleased to announce the release of Incus 6.18!
This is a reasonably busy release with quite a few smaller releases in every corner of Incus so there should be something for everyone!
The highlights for this release are:
The full announcement and changelog can be found here.
And for those who prefer videos, here’s the release overview video:
You can take the latest release of Incus up for a spin through our online demo service at: https://linuxcontainers.org/incus/try-it/
And as always, my company is offering commercial support on Incus, ranging from by-the-hour support contracts to one-off services on things like initial migration from LXD, review of your deployment to squeeze the most out of Incus or even feature sponsorship. You’ll find all details of that here: https://zabbly.com/incus
Donations towards my work on this and other open source projects is also always appreciated, you can find me on Github Sponsors, Patreon and Ko-fi.
Enjoy!
The 10th monthly Sparky project and donate report of the 2025: – Linux kernel updated up to 6.17.6, 6.12.56-LTS, 6.6.115-LTS – Sparky 8.1-RC1 ARM64 for Raspberry Pi released – added to repos: Mousam Many thanks to all of you for supporting our open-source projects. Your donations help keeping them and us alive. Don’t forget to send a small tip in November too, please. *
02 November, 2025 10:26AM by pavroo
I’m pleased to share that my career transition has been successful! I’ve joined our local county assessor’s office, beginning a new path in property assessment for taxation and valuation. While the compensation is modest, it offers the stability I was looking for.
My new schedule consists of four 10-hour days with an hour commute each way, which means Monday through Thursday will be largely devoted to work and travel. However, I’ll have Fridays available for open source contributions once I’ve completed my existing website maintenance commitments.
Going forward, my contribution focus will be:
Regarding the snap packages: my earlier hope of transitioning them to Carl hasn’t worked out as planned. He’s taken on maintaining KDE Neon single-handedly, and understandably, adding snap maintenance on top of that proved unfeasible. I’ll do what I can to help when time allows.
If you’re interested in contributing to Kubuntu or helping with snap packages, I’d love to hear from you! Feel free to reach out—community involvement is what makes these projects thrive.
Thanks for your patience and understanding as I navigate this transition.
Há demasiadas coisas a acontecer, todas ao mesmo tempo, é o caos! De regresso da Ubuntu Summit em Londres, Lisboa e Porto, o Diogo sublinha os momentos mais importantes e entope o Internet Archive; o Miguel continua na missão de libertar pessoas do Windows; problemas técnicos caem-nos em cima em plena emissão; a Canonical tem uma nova Academia para certificações; revimos as novidades da mais moderna versão do Ubuntu Touch; apelamos a voluntários para fazerem respiração boca-a-boca ao Unity; alguém inventou um Recall para Linux e qual Oppenheimer, vemos ao longe a Framework pegar fogo à tenda do circo com Omarchy e Hyprland. E o mais importante: há um novo Super Tux Kart.
Já sabem: oiçam, subscrevam e partilhem!
Este episódio foi produzido por Diogo Constantino, Miguel e Tiago Carrondo e editado pelo Senhor Podcast. O website é produzido por Tiago Carrondo e o código aberto está licenciado nos termos da Licença MIT. (https://creativecommons.org/licenses/by/4.0/). A música do genérico é: “Won’t see it comin’ (Feat Aequality & N’sorte d’autruche)”, por Alpha Hydrae e está licenciada nos termos da CC0 1.0 Universal License. Os separadores de péssima qualidade foram tocados ao vivo e sem rede pelo Miguel, pelo que pedimos desculpa pelos incómodos causados. Os efeitos sonoros têm os seguintes créditos: [Short Elevator Music Loop by BlondPanda] (https://freesound.org/s/659889/). License: Creative Commons 0. Este episódio e a imagem utilizada estão licenciados nos termos da licença: Attribution-NonCommercial-NoDerivatives 4.0 International (CC BY-NC-ND 4.0), cujo texto integral pode ser lido aqui. Estamos abertos a licenciar para permitir outros tipos de utilização, contactem-nos para validação e autorização. A arte de episódio foi criada por encomenda pela Shizamura - artista, ilustradora e autora de BD. Podem ficar a conhecer melhor a Shizamura na Ciberlândia e no seu sítio web.
30 October, 2025 12:02PM by Hace İbrahim Özbal
30 October, 2025 10:09AM by xiaofei
On October 23rd, we announced the beta availability of silicon-optimized AI models in Ubuntu. Developers can locally install DeepSeek R1 and Qwen 2.5 VL with a single command, benefiting from maximized hardware performance and automated dependency management.
Application developers can access the local API of a quantized generative AI (GenAI) model with runtime optimizations for efficient performance on their CPU, GPU, or NPU.
Architecture of the new open-source tool enabling developers to bundle different combinations of runtimes and weights into a single snap, deploying the most optimal stack on the host machine
By meeting developers at the intersection of silicon and GenAI models, we package, distribute and manage all the necessary components to run AI apps on any machine that runs Ubuntu. Developers can now install pre-trained and fine-tuned AI models that automatically detect the underlying silicon requirements, from how much memory and what GPU or NPU they need, to which software components and default configurations must be included.
What’s the vision behind the announcement, and how did we pull it off?
We aim to make Ubuntu the standard distribution platform for generative AI models. Doing so will enable developers to integrate AI seamlessly into their applications and run them optimally across desktops, servers, and edge devices. We believe machine learning (ML) workloads will soon be as fundamental to compute platforms as traditional software dependencies are today, and generative AI models will be a basic part of the compute experience.
But wait: isn’t that already true? Aren’t AI models already everywhere, and don’t we all play with LLMs around 25 times per day?
Yes, but there’s a key distinction. Let me use an analogy to illustrate it.
In the early days of Linux, software distribution was fragmented and cumbersome. Developers had to manually download, compile, and configure source code from individual projects, often tracking down missing libraries, resolving version conflicts, and maintaining complex build environments by hand.
While in the early 90s, software was distributed via floppy disks, Slackware and Debian Linux soon ushered in a system of curated archives of software, usually pre-compiled to save time. Source: https://www.debian.org/
As each distribution had its own conventions, packaging tools, and repositories, installing software was an error-prone and time-consuming process. The lack of a unified delivery mechanism slowed down open-source development and created barriers to adoption.
In October 2004, the first release of Ubuntu was out. It shipped with a fairly fixed set of packages in the Ubuntu archive, for which users received security updates and bug fixes over the internet. To get new software, developers still had to hunt down source code and compile it themselves.
What changed?
Fast-forward to a few years later, and in 2007, Canonical introduced Personal Package Archives (PPA), giving developers a hosted build service to publish and share their own software. Discovering new software on Linux was still hard, from living in unknown PPAs to GitHub repositories with daily builds of all kinds of new software. To fix this, Canonical later introduced snaps, containerized software packages that simplified cross-distribution delivery, updates and security.
Standing on the shoulders of giants and building on Debian, Ubuntu helped transform that experience, becoming the aggregation point for open-source software (OSS). Ubuntu consolidated thousands of upstream projects into a coherent, trusted ecosystem that developers could rely on, without needing to understand every dependency or build chain behind it. Ubuntu helped unify and streamline the open-source ecosystem.
A strong packaging foundation, combined with a steady release cadence and curated repositories, lowered the barrier for both developers and enterprises. Ubuntu became the default, trusted layer for distributing and maintaining open-source software.
What if we could do that with AI models?
Today, software packages are the basic building blocks of compute. Developers routinely install packages, add PPAs, and pull from various vendors, third parties, or the community, without giving it much thought.
We believe that AI models will soon occupy the same space as first-class citizens of a compute stack. They’ll be treated as standard system components, installed, updated and optimized just like any other dependency. We’ll no longer worry about the details of how to juggle the dependencies of various AI models, just as we don’t think about which repositories the packages your projects depend on come from. Developing software will naturally include integrating ML workloads, and models will be as ubiquitous and invisible in the developer experience as traditional packages are today. LLMs will become part of the commodity layer of compute, evolving into dependencies that containerized workloads rely on: composable, versioned, and hardware-optimized.
In making Ubuntu, we mastered the art of distributing open-source software to millions of users. Now we are applying that expertise to AI model distribution. Ubuntu is moving toward making AI models a native element of the compute environment. We’re shifting AI models from external tools to an integral part of the stack. Bringing silicon-optimized AI models natively to Ubuntu is the first step in making them a built-in component of the compute experience itself.
In the announcement, we introduced Intel and Ampere – optimized DeepSeek R1 and Qwen VL, two leading examples of Generative AI models.
DeepSeek R1 is a reasoning Large Language Model (LLM) designed to decompose prompts into structured chains of thought, enabling complex reasoning and problem solving. Qwen VL, on the other hand, is a multimodal LLM that accepts both text and images as inputs, representing the latest generation of vision-language models. Both are transformer-based but tuned and packaged to exploit different runtime patterns and hardware characteristics.
Let’s be more specific. The term model is often used loosely, but in practice, it refers to an entire model family built around a base model. Base models are massive neural networks trained on broad datasets to capture general knowledge. These base models are frequently fine-tuned, retrained, or adapted to specialize in specific tasks, such as instruction following or domain-specific reasoning. For instance, transformer-based LLMs share a common architecture built on components such as self-attention, multi-head attention, and large embedding matrices. From this base, families of foundational models and fine-tuned derivatives, such as instruction-tuned models, adapter-based variants, or task-specific fine-tunes, can be developed.
Let’s look at an example of some of the Mistral models from Mistral AI.
On the left-hand side, we have the model vendor, in this case, Mistral AI, which trains and distributes the foundational base models. Fine-tuned derivatives, such as mistral-7b-instruct, are then adapted for instruction-based use cases, responding to prompts in a structured, context-aware manner.
Another model family might look similar but target different objectives or architectures:
However, a “model” – whether base or fine-tuned – is not particularly useful on its own. It’s essentially a collection of learned weights: billions of numerical parameters, with no runtime context. What matters to developers is the inference stack, the combination of a trained model and an optimized runtime that makes inference possible. In the literature, the term “model” often refers to the complete model artifact, including the tokenizer, pre and post-processing components, and runtime format, e.g., PyTorch checkpoint, ONNX, and GGML.
Inference stacks include inference engines, the software responsible for executing the model efficiently on specific hardware. Besides the weights of the pre-trained model, e.g. the weights of Qwen2.5 VL quantized at Q4_K, an engine will typically include the execution logic, optimizations to efficiently perform matrix multiplications and supporting subsystems. Examples include Nvidia’s TensorRT, Intel’s OpenVINO, Apache’s TVM, and vendor-specific runtimes for NPUs. Multiple stacks can exist for the same model, each tailored to different architectures or performance targets. These engines differ in supported features, kernel implementations, and hardware integration layers – reflecting differences in CPU, GPU, NPU, or accelerator capabilities.
For instance, for a fine-tuned model such as mistral-7b-instruct, one might find multiple inference stacks:
Running LLMs efficiently depends critically on the underlying hardware and available system resources. This is why optimized versions of fine-tuned models are often required. A common form of optimization is quantization, reducing the numerical precision of a model’s parameters (for example, converting 16-bit floating-point weights to 8-bit or 4-bit integers). Quantization reduces the model’s memory footprint and computational load, enabling faster inference or deployment on smaller devices, often with minimal degradation in accuracy.
Beyond quantization, optimization can be silicon-specific. Different hardware architectures, e.g. GPUs, TPUs, NPUs, or specialized AI accelerators, exhibit unique performance characteristics: compute density, memory bandwidth, and energy efficiency. Vendors exploit these characteristics through hardware-aware model variants, which are fine-tuned or compiled to maximize performance on their specific silicon.
For silicon vendors, demonstrating superior inference performance directly translates into market differentiation. Even marginal improvements – a 2% gain in throughput or latency on a leading LLM – can have significant implications when scaled across data centers or deployed at the edge.
This performance race fuels intense investment in AI model optimization across the hardware ecosystem. Each vendor aims to maximize effective TFLOPS and real-world inference efficiency. The result is an expanding landscape of hardware-optimized model variants, from aggressively quantized models that fit within strict memory limits to GPU-tuned builds exploiting tensor cores and parallel compute pipelines.
Furthermore, model packaging and runtime format affect deployability, as one needs optimized artefacts per target, e.g. TorchScript/ONNX for GPUs, vendor-compiled binaries for NPUs, GGML or int8 CPU builds for constrained devices.
As a consequence, developers building embedded AI apps are stuck dealing with API keys, per-token subscriptions, and apps that only work when connected to fast internet. Packaging and distributing AI-powered software is hard. Developers must contend with dozens of silicon types, hundreds of hardware configurations, and an ever-growing number of models and variants – while also managing dependencies, model updates, runtime engines, API servers, optimizations, and more.
Is it possible to abstract that complexity away? Today, developers build on Ubuntu without needing to think about the underlying hardware. The same principle should apply to AI: what if, in the future, a developer could simply code for DeepSeek, without worrying about selecting the optimal fine-tuned variant, choosing the right inference engine, or targeting a specific silicon architecture?
This is the challenge we set out for ourselves, bridging the gap between the potential of AI and its practical adoption. Our goal is to bring the right models directly into developers’ hands and make LLMs part of everyday software development
We envision a world where application developers can target an AI model, not a stack, and seamlessly use hardware-specific optimizations under the hood. To truly harness the potential of AI, developers shouldn’t have to worry about quantization levels, inference runtimes, or attaching API keys. They should simply develop against a consistent model interface.
Unfortunately, today’s AI ecosystem is still fragmented. Developer environments lack a standard packaging and distribution model, making AI deployment costly, inconsistent, and complex. Teams often spend significant time configuring, benchmarking, and tuning inference stacks for different accelerators, work that demands deep expertise and still leaves hardware underutilized.
This is why, through Canonical’s strong ecosystem partnerships, we introduced an abstraction layer that gives users access to develop using a known model while integrating the hardware-specific stacks. Last week, we announced the public beta release of AI models on Ubuntu 24.04 LTS, with DeepSeek R1 and Qwen 2.5 VL builds optimized for Intel and Ampere hardware. Developers can locally install those snaps pre-tuned for their silicon, without wrestling with dependencies or manual setup. Our snap approach enables development against a model’s standard API on Ubuntu, while relying on optimized builds engineered by Canonical, Intel, and Ampere.
Silicon-vendor optimizations will now be automatically included when detecting the hardware. For example, when installing the Qwen VL snap on an amd64 workstation, the system will automatically select the most suitable version – whether optimized for Intel integrated or discrete GPUs, Intel NPUs, Intel CPUs, or NVIDIA GPUs (with CUDA acceleration). Similarly, on arm64 systems using Ampere Altra/One processors, the version optimized for those CPUs will be used. If none of these optimizations match the hardware, Qwen VL will automatically fall back to a generic CPU engine to ensure compatibility.
As we saw, the performance of AI models is tightly bound to the silicon layer. Optimizing for silicon covers multiple layers, from reduced numeric precision, to operator fusion and kernel fusion, memory layout and tiling changes, and vendor-specific kernel implementations. The inference stack itself, from TensorRT, ONNX Runtime, OpenVINO/oneAPI, and vendor NPUs’ runtimes, materially affects latency, throughput and resource utilization. By working with silicon leaders, Canonical can now deliver robust, stable, locally optimized models that run efficiently on desktops, servers, and edge devices, reducing reliance on massive cloud GPU deployments, lowering costs and energy use, improving latency, and keeping sensitive data on-device. Each model can be installed with a single command, without manual setup or dependency management. Once installed, the snap automatically detects the underlying silicon, currently optimized for Intel CPUs, GPUs and NPUs, and Ampere CPUs, applying the most effective combination of inference engine and model variant.
With Ubuntu Core, Desktop and Server, we already provide a consistent OS experience to millions of developers across verticals and form factors. We are now eager to extend our collaborations with the silicon community and broader ecosystem, and are perfectly placed to enable AI models across the compute spectrum.
The following new Debian 13 templates are now available for both Qubes OS 4.2 (stable) and Qubes OS 4.3 (release candidates):
debian-13-xfce (default Debian template with the Xfce desktop environment)debian-13 (alternative Debian template with the GNOME desktop environment)debian-13-minimal (minimal template for advanced users)There are two ways to upgrade a template to a new Debian release:
Recommended: Install a fresh template to replace the existing one. This option is simpler for less experienced users, but it won’t preserve any modifications you’ve made to your template. After you install the new template, you’ll have to redo your desired template modifications (if any) and switch everything that was set to the old template to the new template. If you choose to modify your template, you may wish to write those modifications down so that you remember what to redo on each fresh install. In the old Debian template, see /var/log/dpkg.log and /var/log/apt/history.log for logs of package manager actions.
Advanced: Perform an in-place upgrade of an existing Debian template. This option will preserve any modifications you’ve made to the template, but it may be more complicated for less experienced users.
Note: No user action is required regarding the OS version in dom0 (see our note on dom0 and EOL).
The BunsenLabs image uploader scripts in bunsen-utilities have been modified. Because imgur no longer provides service to the UK ( see: https://forums.bunsenlabs.org/viewtopic.php?id=9568 ) the image hosting service used by default is now imgbb .
The menu items for taking screenshots, and Thunar right-click menu item for image files, now use a BunsenLabs script bl-imgbb-upload instead of bl-imgur-upload.
To take advantage of these changes please upgrade bunsen-utilities to the latest version.
NOTES:
1) imgbb requires that users set up an account and use the access key that they receive. The script bl-imgbb-upload helps with that process, so it's very easy.
2) Users who want to continue using imgur can open /usr/bin/bl-image-upload as root, uncomment the line uploader=bl-imgur-upload and comment out the equivalent line with bl-imgbb-upload. (The script bl-imgur-upload is still available in bunsen-utilities.)
3) The behaviour of bl-imgbb-upload is slightly different from bl-imgur-upload but images and screenshots can be easily uploaded.
4) Future releases of bunsen-utilities might also offer a script for postimage, and allow users to configure their choice of uploader script with a user config setting, but any improvements will come after the Carbon release.
The Ubuntu Release team has now enabled upgrades from 25.04 to 25.10! This is great news! In fact, you may have noticed this icon on your toolbar and a notification to upgrade.
However, upon doing so, you may have noticed something a little more unfortunate:
Yep, we know. This tells you nothing about what is wrong. What is wrong is slightly more technical. As it turns out, the backend application that actually performs the upgrade removed an argument from its command line unannounced during the Plucky Puffin release cycle, approximately a year ago.
As our project leader, Erich Eickmeyer, maintains the upgrade notifier widget for both Ubuntu Studio and Kubuntu, he woke up and immediately got to work identifying what’s wrong and how to patch the Plasma widget in question to correctly execute the upgrade process. He has uploaded the fix, and it was accepted by a member of the Ubuntu Stable Release Updates team.
At the moment, the fix needs to be tested and verified. In order to test it, one must install the fix from the plucky-proposed repository. In order for it to be available, it must build for all architectures and, as of this writing, is awaiting building on riscv64 which has a 40-hour backlog.
If you wish to begin the upgrade process manually rather than waiting on the upgrade notifier fix to be implemented, feel free to make sure you are fully updated, type alt-space to execute Krunner, and paste this:
do-release-upgrade -f DistUpgradeViewKDEThis is the exact command that will be executed by the notifier widget as soon as it is updated.
Of course, if you’re in no hurry, feel free to wait until the notifier is updated and use that method. Do bear in mind, though, that as of this writing, you have exactly 90 days to perform the upgrade to 25.10 before your system will no longer be supported. At that time, you’ll risk being unable to upgrade at all unless certain procedures for End-Of-Life Upgrades are done, which can be tedious for those uncomfortable in a command line as it will require modifying system files.
We do apologize for the inconvenience. Testing upgrade paths like this are hard to do and things go missed, especially when teams don’t communicate with each other. We’re try to identify things before they happen but, unfortunately, certain items cannot be foreseen.
This issue has now been added to the Ubuntu Studio 25.10 Release Notes.
29 October, 2025 10:11AM by xiaofei
29 October, 2025 02:39AM by xiaofei
At NVIDIA GTC Washington D.C., Canonical is pleased to support the arrival of the NVIDIA BlueField-4 – the newest generation of the data processing unit (DPU) family. NVIDIA BlueField-4 is an accelerated infrastructure platform for gigascale AI factories. By combining NVIDIA Grace CPU and NVIDIA ConnectX-9 networking, it delivers 6x the compute power of BlueField-3 and 800 Gb/s throughput to accelerate these systems. BlueField-4features multi-tenant networking, rapid data access, AI runtime security, and enables high-performance inference processing. Running natively on BlueField-4, NVIDIA DOCA microservices deliver containerized services to simplify and scale AI infrastructure.
As with previous generations, BlueField-4 supports the Ubuntu OS, which comes with Canonical’s security maintenance and support. This development is the latest from Canonical’s longstanding collaboration with NVIDIA to advance the state of DPU-driven infrastructure.
Zero-trust architecture places emphasis on the integrity of infrastructure, which is isolated from untrusted workloads. No component, workload, or user is implicitly trusted, and every interaction within the system is continuously verified and enforced by NVIDIA BlueField at the infrastructure level. In this model, the DPU acts as a hardware-based control and enforcement plane, isolating workloads, validating software integrity, and handling encryption and network policy enforcement independently from the host CPU.
NVIDIA BlueField-4 supports multi-service architectures with native service function chaining, zero-trust tenant isolation, and software defined infrastructure control. Running natively on BlueField-4, NVIDIA DOCA microservices deliver prebuilt, containerized services for AI networking, orchestration, real-time threat detection, and data acceleration–simplifying operations and enabling enterprises and service providers to scale AI securely and efficiently. Enterprises can also deploy validated, BlueField-accelerated applications from leading software providers, enabling advanced infrastructure acceleration and cybersecurity capabilities that enhance the platform’s value.
Ubuntu plays a key role in supporting the overall security posture of zero-trust BlueField-4 infrastructure. BlueField-4 effectively introduces a dedicated control and enforcement domain alongside the host system, meaning it meets the same security and compliance expectations as any other infrastructure component in the data center. In highly regulated environments, where every element is expected to be hardened and certifiable, the software foundation of BlueField becomes just as important, if not more, as that of the host.
Because the BlueField software stack is based on Ubuntu 24.04 LTS, it benefits from Canonical’s signed packages and reproducible build processes. Expanded Security Maintenance (ESM) provides long-term maintenance guarantees. Ubuntu Pro extends this foundation with continuous CVE monitoring, patch delivery, and compliance tooling, giving operators a clear view of security status and patch levels. When DPUs are deployed in environments that require FIPS, DISA-STIG, or similar compliance frameworks, this is essential. These features, supported in the NVIDIA AI Factory for Government reference design, ensure organizations can integrate BlueField-4 into sensitive infrastructure with confidence, knowing that the underlying operating system aligns with their existing security and compliance processes.
In terms of performance, Canonical publishes optimized Ubuntu images, designed to get the most out of BlueField-4, which combines NVIDIA Grace CPU and NVIDIA ConnectX-9 networking. With NVIDIA Grace, a CPU already certified on Ubuntu 24.04 LTS, operators can deploy with confidence, knowing their platforms have undergone comprehensive validation across performance, reliability, and interoperability. In practical terms, this includes an optimized Ubuntu kernel which combines with NVIDIA drivers on Grace CPU architecture to provide efficient scheduling and accelerated I/O performance on its Arm-based cores.
Ubuntu 24.04 LTS provides a robust foundation for service function chaining and software-defined networking (SDN) in BlueField-4 deployments. Ubuntu’s networking stack is optimized for deterministic performance, low latency, and full hardware acceleration.
In environments where complex network services, such as firewalls, load balancers, and intrusion detection, must operate in sequence at line rate, Ubuntu’s Linux kernel is optimized for BlueField and enables high performance service function chaining. Developers can opt to use Canonical’s open virtual network (OVN), which integrates tightly with NVIDIA OVS-DOCA (Open vSwitch) to offload data plane operations directly onto the BlueField-4 programmable platform. This allows for traffic steering, encapsulation, and flow processing to occur entirely within the DPU, freeing host resources and ensuring wirespeed throughput even in multi-tenant or multi-domain deployments.
Service providers can offload user plane function (UPF) and service chaining to BlueField-4, accelerating 5G core workloads running on Ubuntu OpenStack and Kubernetes. With secure tenant isolation via BlueField Advanced Secure Trusted Resource Architecture, operators can enforce zero-trust policies across multi-tenant, high-throughput environments.
In mission-critical settings, BlueField-4 with Ubuntu enables line-rate intrusion detection, data encryption, and air-gapped control planes, executing directly in the DPU for minimal latency and maximum assurance. With Ubuntu’s FIPS validation and DISA-STIG compliance, organizations can deploy infrastructure that meets stringent operational and regulatory standards.
Canonical and NVIDIA have already demonstrated the power of combining Ubuntu, Kubernetes, and DOCA for networking acceleration, as described in our earlier post: Canonical Kubernetes Meets NVIDIA DOCA Platform Framework (DPF).
Canonical and NVIDIA share a commitment to advancing open, programmable, and securely-designed infrastructure. With BlueField-4 on Ubuntu 24.04 LTS, organizations gain a validated, compliant, and high-performance platform to power the next era of AI, telco, and government infrastructure.
Together, we’re enabling governments, operators, and enterprises to deploy scalable, securely maintained, and future-proof infrastructure at gigascale.
Launchpad Builders do not have direct access to the Internet. To reach external resources, they must acquire an authentication token that allows access to a restricted set of URLs via a proxy. This can either be a custom authenticated builder proxy or the fetch service.
The fetch service is a custom sophisticated context-aware forward proxy. Whereas the builder proxy allows requests to allowlisted URLs, the fetch service also keeps track of requests and dependencies for a build.
Users can now opt-in to use the fetch service while building snaps, charms, rocks and sourcecraft packages. You can read more about the fetch service here.
Why is the fetch service important?
To achieve traceability and reproducibility, artifact dependencies retrieved during a build must be identified. The fetch service mediates network access between the build host and the outside world, examining the request protocol, creating a manifest of the downloaded artifacts, and keeping a copy of the artifacts for archival and metadata extraction for each package build.
How to use the fetch service?
To be able to use the fetch service, users must opt-in. For snaps, charms, rocks and sourcecraft packages, the use_fetch_service flag should be set to true in the API. For snaps and charms, this setting is also available in the Edit Recipe UI page.
The fetch service can be run in two modes, “strict” and “permissive”, where it defaults to the former. Both modes only allow certain resources and formats, as defined by inspectors which are responsible for inspecting the requests and the various downloads that are made during the build, ensuring that the requests are permitted.
The “strict” mode errors out if any restrictions are violated. The “permissive” mode works similarly, but only logs a warning when encountering any violations. The mode can be configured using the fetch_service_policy option via the API. For snaps and charms, the mode can also be selected from a dropdown on the Edit Recipe UI page.
When to use the fetch service?
Use the fetch service when you need to keep track of requests and dependencies for a build, e.g., when you need to verify that the artifacts belong to secure, trusted sources.
28 October, 2025 09:52AM by xiaofei
28 October, 2025 02:16AM by xiaofei
Welcome to the Ubuntu Weekly Newsletter, Issue 915 for the week of October 19 – 25, 2025. The full version of this issue is available here.
In this issue we cover:
The Ubuntu Weekly Newsletter is brought to you by:
If you have a story idea for the Weekly Newsletter, join the Ubuntu News Team mailing list and submit it. Ideas can also be added to the wiki!
I’ve written down a new rule (no name, sorry) that I’ll be repeating to myself and those around me. “If you can replace ‘DNS’ with ‘key value store mapping a name to an ip’ and it still makes sense, it was not, in fact, DNS.” Feel free to repeat it along with me.
Sure, the “It’s always DNS” meme is funny the first few hundred times you see it – but what’s less funny is when critical thinking ends because a DNS query is involved. DNS failures are often the first observable problem because it’s one of the first things that needs to be done. DNS is fairly complicated, implementation-dependent, and at times – frustrating to debug – but it is not the operational hazard it’s made out to be. It’s at best a shallow take, and at worst actively holding teams back from understanding their true operational risks.
IP connectivity failures between a host and the rest of the network is not a reason to blame DNS. This would happen no matter how you distribute the updated name to IP mappings. Wiping out all the records during the course of operations due to an automation bug is not a reason to blame DNS. This, too, would happen no matter how you distribute the name to IP mappings. Something made the choice to delete all the mappings, and it did what you asked it to do
There’s plenty of annoying DNS specific sharp edges to blame when things do
go wrong (like 8.8.8.8 and 1.1.1.1 disagreeing about resolving a domain
because of DNSSEC, or since we’re on the topic, a
DNSSEC rollout bricking prod for hours)
for us to be cracking jokes anytime a program makes a DNS request.
We can do better.
Launchpad now supports the FIDO2 hardware-backed SSH key types ed25519-sk and ecdsa-sk. These keys use a hardware device, such as a YubiKey or Nitrokey, to perform cryptographic operations and keep your private keys safely off your computer. They can be used anywhere Launchpad accepts SSH authentication, including git+ssh and SFTP PPA uploads.
To generate a new key, run
ssh-keygen -t ed25519-sk -C "your@email.com"or use ecdsa-sk for backwards compatibility. You will be asked to touch your security key during the key creation, and OpenSSH will store the resulting files in ~/.ssh/. If you want to make your key resident, meaning it can be stored on the hardware device and later retrieved even if the original files are lost, use the -O resident option:
ssh-keygen -t ed25519-sk -O resident -C "your@email.com"Resident keys are useful if you use multiple machines or if you want a portable login method tied directly to your hardware key. To register a new key on your Launchpad account, visit https://launchpad.net/~username/+editsshkeys.
These new key types offer strong protection against key theft and phishing, but require a physical device each time you connect. It is recommended you keep a separate backup key if you use them regularly.
The introduction of security key backed SSH key types is the next step on making Launchpad even more secure. Let us know if you have any feedback!
There are new images of Sparky 8.1 Release Candidate ARM64 available for testing. The new images of ARM64 are set with Openbox window manager and CLI (text mode); no ARMHF images any more. The new images are based on and fully compatible with Debian 13 Trixie. Sparky 8 ARM64 can be installed on Raspberry Pi 3+. Known issues: – Wi-Fi can be disabled. To manually fix that run: Then…
27 October, 2025 01:43PM by pavroo
Wherever users are based, they expect apps to just work, whether in Japanese, Arabic, or Spanish. But anyone who’s touched localization knows it’s more than translation. Real quality comes from testing how your app behaves across languages, layouts, and regions – and doing it fast.
If you’re shipping apps for automotive or gaming, localization gets complex fast. It’s never just about translation: you’re adapting to different layouts, alphabet types, interaction models, and hardware quirks. You’re aiming for pixel-perfect across every region, while teams are spread across time zones and builds keep coming.
Anbox Cloud cuts through all of that: enabling real-time, browser-based localization testing at scale. No APK sharing. No device juggling. Enabling you to localize at speed, and at scale.
Let’s examine a common use case: an automotive Tier 1 supplier building in-vehicle Infotainment (IVI) apps for multiple original equipment manufacturers (OEMs). One app, many markets. Each with different languages, reading directions, and screen resolutions. The traditional approach to testing means emailing builds to local quality assurance (QA) teams, or trying to simulate every scenario in-house. If you’ve experienced this approach first hand, then you’ll know it is both fragile and slow.
With Anbox Cloud, all you have to do is launch a container with the right locale in seconds. Your team (in Berlin, Tokyo, or Washington) gets a secure URL, opens their browser, and tests live. No flashing. No setup delays. No exposure of early builds or IP.
Because it runs in the cloud, you control access, enforce authentication, and test in real-time, without sending binaries halfway across the world.
Now let’s switch to mobile gaming, where localization isn’t just a checkbox: it’s revenue. A game that looks fine in English can break in Turkish, or wrap badly in Finnish. Fonts, line breaks, layout shifts, it all matters. And you don’t want to hear about it from your players.
Global studios know the pain: you need to test across devices, screen densities, and locales. And you need it to be fast, so your players don’t end up furious.
With Anbox Cloud, you can spin up multiple configurations in parallel, simulate different regions, and let your QA team jump into live sessions: no APK installs, no physical devices, just a browser and a link.
Test your UI flow. Click through quests. Break things early.
In a world where users bounce in seconds, localized quality is a differentiator. A misaligned button or clipped string may seem minor, but users notice. And they judge.
In automotive, UI glitches aren’t just annoying, they’re a risk. In gaming, they represent potential lost revenue.
Anbox Cloud brings everything together: faster feedback, real-time testing, and zero APK distribution. Everything runs in the cloud. Everything stays under your control.
Localization QA isn’t just a manual task. With the right tooling, it becomes part of your CI: fast, repeatable, and invisible when it works.
Canonical provides an official GitHub Action to spin up Anbox Cloud dynamically in your pipeline. That means you can launch full Android containers, connect via ADB, and run tests automatically, all from a GitHub workflow. No emulators: just Android, on demand.
Spin up a fresh Android container, connect to it using anbox-connect, and run your UI tests across configurations and locales. The same amc CLI that developers use locally works inside your runner, letting you orchestrate test flows, parallelize across devices, or gate PRs on localization correctness.
Each Android container is accurately replicated, so every test starts from a known baseline. This means that you can also run simultaneous sessions in parallel without sacrificing performance.
Whether you’re localizing a safety-critical IVI interface or pushing a mobile game to 30 markets, Anbox Cloud helps you test, adapt, and scale.
And here’s the best part: Anbox Cloud is included in Ubuntu Pro, which is free for personal use and up to five machines. With GitHub integration and built-in automation, your QA process stays in sync with your development pace.
Want to get hands-on? Check out our official documentation, or get started with the Anbox Cloud Appliance.
Curious to know how Anbox Cloud fits into your pipeline? Talk to us.
Official documentation
Anbox Cloud Appliance
Android is a trademark of Google LLC. Anbox Cloud uses assets available through the Android Open Source Project.
27 October, 2025 07:29AM by Hace İbrahim Özbal
We’re pleased to announce that the third release candidate (RC) for Qubes OS 4.3.0 is now available for testing. This minor release includes many new features and improvements over Qubes OS 4.2.
These are just a few highlights from the many changes included in this release. For a more comprehensive list of changes, see the Qubes OS 4.3 release notes.
That depends on the number of bugs discovered in this RC and their severity. As explained in our release schedule documentation, our usual process after issuing a new RC is to collect bug reports, triage the bugs, and fix them. If warranted, we then issue a new RC that includes the fixes and repeat the process. We continue this iterative procedure until we’re left with an RC that’s good enough to be declared the stable release. No one can predict, at the outset, how many iterations will be required (and hence how many RCs will be needed before a stable release), but we tend to get a clearer picture of this as testing progresses.
At this time, we expect that there will likely be a fourth release candidate, which will probably be the final one.
Thanks to those who tested earlier 4.3 RCs and reported bugs they encountered, 4.3.0-rc3 now includes fixes for several bugs that were present in those prior RCs!
If you’d like to help us test this RC, you can upgrade to Qubes 4.3.0-rc3 with either a clean installation or an in-place upgrade from Qubes 4.2. (Note for in-place upgrade testers: qubes-dist-upgrade now requires --releasever=4.3 and may require --enable-current-testing for testing releases like this RC.) As always, we strongly recommend making a full backup beforehand and updating Qubes OS immediately afterward in order to apply all available bug fixes.
If you’re currently using an earlier 4.3 RC and wish to update to 4.3.0-rc3, please update normally with current-testing enabled. If you use Whonix, please also upgrade from Whonix 17 to 18.
Please help us improve the eventual stable release by reporting any bugs you encounter. If you’re an experienced user, we encourage you to join the testing team.
It is possible that templates restored in 4.3.0-rc3 from a pre-4.3 backup may continue to target their original Qubes OS release repos. This does not affect fresh templates on a clean 4.3.0-rc3 installation. For more information, see issue #8701.
View the full list of known bugs affecting Qubes 4.3 in our issue tracker.
A release candidate (RC) is a software build that has the potential to become a stable release, unless significant bugs are discovered in testing. RCs are intended for more advanced (or adventurous!) users who are comfortable testing early versions of software that are potentially buggier than stable releases. You can read more about Qubes OS supported releases and the version scheme in our documentation.
The Qubes OS Project uses the semantic versioning standard. Version numbers are written as [major].[minor].[patch]. Hence, releases that increment the second value are known as “minor releases.” Minor releases generally include new features, improvements, and bug fixes that are backward-compatible with earlier versions of the same major release. See our supported releases for a comprehensive list of major and minor releases and our version scheme documentation for more information about how Qubes OS releases are versioned.
The Xen Project has released one or more Xen security advisories (XSAs). The security of Qubes OS is not affected.
The following XSAs do affect the security of Qubes OS:
The following XSAs do not affect the security of Qubes OS, and no user action is necessary:
Qubes OS uses the Xen hypervisor as part of its architecture. When the Xen Project publicly discloses a vulnerability in the Xen hypervisor, they issue a notice called a Xen security advisory (XSA). Vulnerabilities in the Xen hypervisor sometimes have security implications for Qubes OS. When they do, we issue a notice called a Qubes security bulletin (QSB). (QSBs are also issued for non-Xen vulnerabilities.) However, QSBs can provide only positive confirmation that certain XSAs do affect the security of Qubes OS. QSBs cannot provide negative confirmation that other XSAs do not affect the security of Qubes OS. Therefore, we also maintain an XSA tracker, which is a comprehensive list of all XSAs publicly disclosed to date, including whether each one affects the security of Qubes OS. When new XSAs are published, we add them to the XSA tracker and publish a notice like this one in order to inform Qubes users that a new batch of XSAs has been released and whether each one affects the security of Qubes OS.
October 23, 2025 – Today Canonical, the publisher of Ubuntu, announced an optimized, pre-installed Ubuntu image for RUBIK Pi 3 – a powerful AI developer board built on Dragonwing QCS6490. These new, optimized Ubuntu images reduce time to market through out-of-the-box functionality, and offer official long-term support from Canonical. The new Ubuntu image is also available to download and install for current users of RUBIK Pi 3.
Credit: ThundercommAI is a fast-paced industry, and time is of the essence when launching new products. These optimized Ubuntu images offer developers on RUBIK Pi 3 access to cutting-edge open source, combined with the stability and robustness that Ubuntu is known for. These new images complement RUBIK Pi 3’s ease of use and accessibility. The images work seamlessly out of the box, and are fine-tuned for hardware performance and resource efficiency.
“By delivering an optimized Ubuntu image preloaded on the powerful RUBIK Pi 3, we’re offering an integrated, securely designed, and supported foundation for AI developers, said Cindy Goldberg, VP of Silicon Alliances at Canonical. “Our partnership with Qualcomm and Thundercomm allows developers to move from a concept to a deployed solution with speed and confidence.”
“At Thundercomm, we’re committed to lowering the barriers to AI innovation,” said Ali Mesri, Sr Vice President, Business Development at Thundercomm. “With the optimized Ubuntu image on RUBIK Pi 3, developers now have a unified platform that combines Qualcomm’s performance, Canonical’s stability, and Thundercomm’s deep system integration — enabling faster, more reliable AI deployment from concept to production.”
RUBIK Pi 3 is designed to make innovative hardware more accessible to AI developers. It offers a full-stack, end-to-end solution that is performant at low power. RUBIK Pi 3 consumes less than 6.5W, whilst at the same time being equipped with a 12 tops ML accelerator, 8-core GPU, integrated Wi-Fi and Bluetooth, 8GB LPDDR4x RAM, and 128GB UFS 2.2 storage.
Built on Dragonwing QCS6490, RUBIK Pi 3 includes access to the Qualcomm®
AI Hub with pre-optimized models, and access to the Edge Impulse MLOps platform for training and deployment. Canonical’s new optimized Ubuntu images are the latest development RUBIK Pi 3 offers – see how everything fits together in the table below:
| Feature | Description |
| Optimized Ubuntu images | Prototype, test and deploy edge AI solutions faster with the world’s most popular enterprise Linux. |
| Edge AI silicon | High-performance, low-power AI chips. |
| Qualcomm AI hub | Pre-optimized models for vision, audio, and NLP. |
| IMSDK | Intelligent Multimedia SDK, for developing HW accelerated multimedia and AI applications. |
| QIRP SDK | Qualcomm® Intelligent Robotics Product SDK for developing Robotics applications with ROS/ROS2. |
| Containers | Containerized SDKs and applications with access to HW acceleration (such as NPU, GPU, and VZPU). |
| Integrated developer environment | Qualcomm® VSCode IDE Extensions to simplify device setup and application development environment |
Download the optimized Ubuntu image for Rubik Pi 3
Visit the Thundercomm RUBIK Pi3 page to get your board and start building with the optimized Ubuntu image today.
Canonical, the publisher of Ubuntu, provides open source security, support and services. Our portfolio covers critical systems, from the smallest devices to the largest clouds, from the kernel to containers, from databases to AI. With customers that include top tech brands, emerging startups, governments and home users, Canonical delivers trusted open source for everyone. Learn more at https://canonical.com/
Qualcomm branded products are products of Qualcomm Technologies, Inc. and/or its subsidiaries. Qualcomm patents are licensed by Qualcomm Incorporated.
Qualcomm is a trademark or registered trademark of Qualcomm Incorporated.
London, October 23 2025 – Canonical today announced the launch of Canonical Academy, a new platform that enables individuals and enterprises to validate their open source skills with qualifications designed and maintained by the engineers behind Ubuntu. The first available track is the SysAdmin track, which includes four exams that test practical expertise with Linux and Ubuntu. Successful candidates can earn digital badges that prove their ability to employers and peers.
Canonical Academy exams are designed to prepare learners for the real world, with modular, self-paced assessments that fit into busy schedules. The SysAdmin track launches with three exams today:
The fourth exam is currently in development and will be announced soon. To achieve the SysAdmin qualification, users must earn all the badges in the corresponding SysAdmin track.
Traditional certifications can leave gaps between theory and practice. Canonical Academy takes a different approach, creating assessments based on the challenges IT professionals face every day. With the launch of the SysAdmin track, candidates can prove their ability to navigate the Linux terminal, configure Ubuntu desktops, and manage servers in environments that mirror the workplace. New qualification tracks are also in development to broaden the exam portfolio.
“Canonical Academy grounds its qualifications in realistic professional applications. Current, technical professional needs are the foundation of our development process, from the earliest identification of critical job skills for the target occupation, to the design of realistic custom cloud exam environments, to the industry expert code review of every hands-on item.”
– Adrianna Frick, Academy Team Lead, Canonical
Canonical Academy is designed to fit the needs of modern learners. Each exam is modular, meaning professionals can progress at their own pace while building towards an overarching qualification badge. The system allows individuals to focus on the skills they need most, while enterprises can map training to specific roles.
Badges indicate the year of the Ubuntu LTS release the exam is based on. All current exams are aligned with Ubuntu 24.04 LTS. Updated exams for Ubuntu 26.04 LTS are expected in September 2026.
Each exam is supported by a study guide based on the official exam content, helping test takers prepare effectively through guided, self-paced learning.
“The ‘Using Linux Terminal’ qualification provided me with a well-rounded understanding of the Ubuntu ecosystem. I’m enthusiastic about bringing this program to Indonesia to empower local talent with the open source skills that are increasingly in demand across the industry.“
– Safira Zahira, Product Manager, Sivali Cloud Technology
With Canonical Academy, successful candidates receive verifiable digital badges that demonstrate open source competence. Backed by Canonical, these credentials provide credible evidence of technical ability in a competitive job market.
“The test and the entire in-web-browser desktop environment was super cozy. I think the exam is incredibly valuable and will be a fantastic resource to a lot of aspiring and experienced Ubuntu users worldwide. Frankly, I thought I’d nail the Using Linux Terminal exam in 30 minutes. But instead I was sweating.”
– Nathan Haines, Community Council Member, Ubuntu
The Using Linux Terminal exam is open to everyone today.
If you are looking to contribute to Canonical Academy, you can sign up to be a Subject Matter Expert (SME) or a beta tester. As a subject matter expert, you’ll help define topics, advise on future content, and guide the direction of open source skills assessments. As a tester, you’ll preview and critique exams in development, shape the user experience, and access full exams at discounted rates.
Canonical, the publisher of Ubuntu, provides open source security, support and services. Our portfolio covers critical systems, from the smallest devices to the largest clouds, from the kernel to containers, from databases to AI. With customers that include top tech brands, emerging startups, governments and home users, Canonical delivers trusted open source for everyone.
Learn more at https://canonical.com/
London, October 23 – Canonical today announced optimized inference snaps, a new way to deploy AI models on Ubuntu devices, with automatic selection of optimized engines, quantizations and architectures based on the specific silicon of the device. Canonical is working with a wide range of silicon providers to deliver their optimizations of well-known LLMs to the developers and devices.
A single well-known model like Qwen 2.5 VL or DeepSeek R1 has many different sizes and setup configurations, each of which is optimized for specific silicon. It can be difficult for an end-user to know which model size and runtime to use on their device. Now, a single command gets you the best combination, automatically. Canonical is working with silicon partners to integrate their optimizations. As new partners publish their optimizations, the models will become more efficient on more devices.
This enables developers to integrate well-known AI capabilities seamlessly into their applications and have them run optimally across desktops, servers, and edge devices.
A snap package can dynamically load components. We fetch the recommended build for the host system, simplifying dependency management while improving latency. The public beta includes Intel and Ampere®-optimized DeepSeek R1 and Qwen 2.5 VL as examples, and open sources the framework by which these are built.
“We are making silicon-optimized AI models available for everyone. When enabled by the user, they will be deeply integrated down to the silicon level,” said Jon Seager, VP Engineering at Canonical, “I’m excited to work with silicon partners to ensure that their silicon-optimized models ‘just work.’ Developers and end-users no longer need to worry about the complex matrix of engines, builds and quantizations. Instead, they can reliably integrate a local version of the model that is as efficient as possible and continuously improves.”
The silicon ecosystem invests heavily in performance optimizations for AI, but developer environments are complex and lack simple tools for unpacking all the necessary components for building complete runtime environments. On Ubuntu, the community can now distribute their optimized stacks straight to end users. Canonical worked closely with Intel and Ampere to deliver hardware-tuned inference snaps that maximize performance.
“By working with Canonical to package and distribute large language models optimized for Ampere hardware through our AIO software, developers can simply get our recommended builds by default, already tuned for Ampere processors in their servers,” said Jeff Wittich, Chief Product Officer at Ampere, “This brings Ampere’s high performance and efficiency to end users right out of the box. Together, we’re enabling enterprises to rapidly deploy and scale their preferred AI models on Ampere systems with Ubuntu’s AI-ready ecosystem.”
“Intel optimizes for AI workloads from silicon to high-level software libraries. Until now, a developer has needed the skills and knowledge to select which model variants and optimizations may be best for their client system,” said Jim Johnson, Senior VP, GM of Client Computing Group, Intel, “Canonical’s approach to packaging and distributing AI models overcomes this challenge, enabling developers to extract the performance and cost benefits of Intel hardware with ease. One command detects the hardware and uses OpenVINO, our open source toolkit for accelerating AI inference, to deploy a recommended model variant, with recommended parameters, onto the most suitable device.”
Get started and run silicon-optimized models on Ubuntu with the following commands:
sudo snap install qwen-vl --beta
sudo snap install deepseek-r1 --beta
Developers can begin experimenting with the local and standard inference endpoints of these models to power AI capabilities in their end-user applications.
Canonical, the publisher of Ubuntu, provides open source security, support and services. Our portfolio covers critical systems, from the smallest devices to the largest clouds, from the kernel to containers, from databases to AI. With customers that include top tech brands, emerging startups, governments and home users, Canonical delivers trusted open source for everyone.
Learn more at https://canonical.com/
Open IAM solutions are the key to true freedom of choice. No more vendor lock-in—just secure, flexible, and scalable identity management. More control, more digital sovereignty, less dependency.
Relying on proprietary tools for digital identity management means giving up control—and often paying for it twice: once in high license fees, and again in lost flexibility. Open Identity & Access Management (IAM) systems put the power back in your hands. They give you the freedom to shape your IT on your own terms, not according to a vendor’s roadmap.
In this article, we’ll walk you through why open IAM takes you further: less dependency, more transparency, and a foundation that’s ready for whatever comes next.
An Open Source IAM is like a toolbox: every piece is out in the open, you see exactly what’s inside, and you can add or rearrange parts whenever you need to. But “open” goes far beyond just reading the source code. Open IAM solutions are transparent by design, built on open standards, and licensed for free use—no hidden strings attached. You can review the software, patch and extend it, and connect it with other systems without having to rely on a vendor’s goodwill.
Nothing’s locked in a black box, nothing depends on whether a manufacturer feels like supporting you. With proprietary systems, the vendor calls the shots: how long security updates are delivered, which interfaces are available—and how much you’ll pay. With an Open Source IAM, you stay in charge. You decide which building blocks to use, and you can adapt or expand your environment at any time.
And the best part? This toolbox grows with you. Whether you’re running a school district, a government agency, or a company: new applications can be integrated seamlessly. Moving to the cloud is just as smooth as running in parallel with your existing legacy systems. No proprietary roadblocks—just a flexible platform that adapts to your rules.
Imagine this: you need an IAM solution fast. A vendor shows up with a shiny package that promises everything—quick to install, wrapped in a shiny dashboard, pitched as “all-in-one convenience.” Sounds like the perfect solution, right?
The reality check comes later. Suddenly your data and identities are locked away in a black box. Migration? Painful and expensive. Adding new applications? Only with extra modules—if at all. Before you know it, the vendor is the one shaping your IT, not you.
Vendor lock-in comes at a double cost: money and flexibility. When you don’t control your digital identities, your processes inevitably bend to a vendor’s rules instead of serving your own goals.
Closed systems may look convenient at first glance. But behind the fancy interface lie serious risks:
In the end, it all adds up to dependency. That “easy” all-in-one package you bought today could leave you stuck in a dead end tomorrow.
Open IAM systems redefine the rules: instead of a closed black box, you get a modular toolbox where every piece is visible, interchangeable, and ready to grow—transparent, flexible, and free of lock-in:
In short: with Open Source IAM, you design your infrastructure on your own terms—not according to a vendor’s contract.
What good is the best IAM if it doesn’t talk to anything else? Open systems rely on standards like LDAP, SAML, OpenID Connect, or SCIM—a common language that’s understood worldwide. This keeps your identities portable: you decide which systems are connected and maintain full control over data handling and role models.
Proprietary systems, on the other hand, often invent their own dialect. That may seem convenient in the short term, but every extension becomes unnecessarily complex. Open IAM solutions speak the established languages of the IT world—making them compatible with nearly any application. Whether it’s email, a cloud service, a learning platform, or a specialized business system: with open standards, your IAM integrates seamlessly and keeps your infrastructure flexible and future-proof.
More security? Yes, but without the frustration for your users. A modern Open Source IAM delivers strong protection without making everyday work more complicated. With Single Sign-on (SSO), one login is all it takes for every application—no more password chaos or sticky notes. Add Multi-Factor Authentication (MFA) to reliably secure sensitive areas like HR records or administrative portals.
Open IAM is especially strong when it comes to data protection. Access follows the “need-to-know” principle, and every action is cleanly logged. That makes it easier to meet GDPR requirements in practice: data minimization, transparency, accountability. An open IAM isn’t a black box—it’s a reliable foundation for IT security and digital sovereignty.
Digital identities are the control center of every modern IT environment. Choose a black box here, and you lose flexibility—paying the price in high costs and dependency. Open IAM like Nubus takes you further: you stay in control, remain independent, and build an infrastructure that’s ready for tomorrow. That’s what real digital sovereignty means: freedom of choice, transparency, and being ready for what’s next.
Ready for real digital freedom? Start your Open IAM journey now and book a meeting.
Der Beitrag Freedom of Choice instead of Lock-in – Why Open IAM Solutions Are Built for the Future erschien zuerst auf Univention.
23 October, 2025 12:57PM by Yvonne Ruge
October 23, 2025 – Today, ESWIN Computing and Canonical announced the pre-installation of Ubuntu on EBC7702 Mini-DTX Mainboard – a hardware platform designed to offer developers high computing power in resource-constrained environments. Developers will now be able to benefit from the stability and mature ecosystem of Ubuntu out of the box, on top of the rich feature set offered by the RISC-V compliant, multi-purpose system on chip (SoC) EIC7702X.
This development follows the July 2025 launch of the EBC7700 single board computer. With the introduction of the EIC7702X dual-die SoC, developers gain access to twice the CPU and AI processing cores, an extended set of peripherals, and an enhanced performance – forming part of a wider initiative by Canonical and ESWIN Computing to offer choice and consistency to developers across product lines.
When operating intensive use cases in resource-constrained environments, it’s important that both your hardware and software offer the right balance of computing power and convenience. Whether you’re building AI applications on embedded hardware, or testing industrial automation on manufacturing equipment, your hardware-software stack should facilitate fast testing and development. Ubuntu is known for its versatility and robustness, has a solid track record in applications like edge AI and embedded computing, and is regularly ranked as the top Linux OS by developers. The pre-installation of Ubuntu 24.04 LTS ensures that developers can get the most out of the EBC7702 Mini-DTX Mainboard, and develop applications at pace.
“We are excited to continue our collaboration with ESWIN Computing through the launch of their new dual-die variant for the EBC77 series. By combining increased performance with the flexibility and reliability of Ubuntu, developers can now explore wider possibilities and innovate across more RISC-V platforms. Having Ubuntu pre-installed ensures developers can immediately begin testing and building. Our partnership with ESWIN Computing continues to show how open standards and collaborative innovation drive meaningful progress,” says Jonathan Mok, Silicon Alliances Ecosystem Development Manager at Canonical.7
The EBC7702 Mini-DTX Mainboard offers considerable computing power on a minimal form factor of just 203mm x 107mm. The board also comprises the minimal core components needed for high-performance computing. At its heart is a 64-bit, 8-core RISC-V CPU that delivers high AI processor performance, backed by fast on-board LPDDR5 memory running at 640Mbps, available in either 32GB or 64GB configurations. Users can also draw upon varied connectivity and power options, such as four gigabit Ethernet ports, two HDMI out connectors, and multiple USB ports. The full list of features is set out below:
| Form Factor | 203mm x 170mm |
| CPU | 64-bit OoO RISC-V RV64GC 8-core processors |
| AI Processor | Up to 40TOPS in INT8, 20TOPS in INT16, and 20TFLOPS in FP16 |
| Memory | On-board 32GB/64GB LPDDR5@6400Mbps |
| Storage | 1x On-board 32GB eMMC 2x On-board 16MB SPI Flash 1x M.2 M-Key SATA connector 1x Micro SD card connector 1x On-board 2Kbit EEPROM |
| Network | 4x Gigabit Ethernet RJ45 connectors (one of them supports Wake-on-Lan) 1x On-board 802.11ac dual band Wi-Fi module |
| Display | 2x HDMI out connectors 2x 4-lane MIPI DSI connectors |
| Camera | 4x 4-lane MIPI CSI connectors |
| Audio | 1x Audio in connector 1x Audio out connector 1x header for audio line-out and line-in signals on front panel |
| PCIe | 2x 4-lane PCIe Gen3.0 x16 slots |
| USB | 2x USB3.0 Type-A (stacked) 2x USB2.0 Type-A (stacked) 1x USB 19-pin connector to support 1x USB3.0 Type-A on front panel 1x USB Type-E connector to support 1x USB3.0 Type-C connector on front panel. |
| Power Supply | ATX Power Supply Connector |
| Debug | 1x USB2.0 Type-C port for On-board MCU debugging or SoC Debugging (default) |
| RTC | 1x CR1220 RTC Battery holder(Battery not included) |
| FAN | 4x 2.54mm 4-pin 12V Fan Headers |
| Other I/O | I2C, I2S, SPI, UART, General I/O ports (mapping on 40-pin header) |
“We are proud to announce the world premiere of the EBC7702 Mini-DTX Mainboard, powered by our EIC7702X SoC – the industry’s first RISC-V die-to-die solution with cache-coherent interconnected dual chiplets. This architecture provides exceptional scalability and performance, representing a major advance in high-performance RISC-V computing,” said Haibo Lu, Executive Vice President of the Embodied Intelligence Business Group of ESWIN Computing, “By partnering with Canonical and pre-integrating the widely adopted Ubuntu OS, we are providing a robust, ready-to-use platform backed by one of the world’s most vibrant open-source communities, empowering developers to immediately leverage its rich ecosystem and accelerate the next generation of intelligent computing solutions on RISC-V.”
With the launch of the EBC7700 single board computer back in July, Ubuntu developers can now choose between both the EBC7700 SBC for light workload applications (like education and software development) due to its compact size and affordable price, or opt for the EBC7702 Mini-DTX Mainboard for heavy workload use cases, such as AI-assisted super computer and intelligent video analysis. With Ubuntu supported across these platforms, this unlocks multiple possibilities for whatever your use case is.
Close-up of ESWIN EIC7702X system-on-chip (left); EBC7702 Mini-DTX Mainboard (right) Head over to our download webpage to find the compatible Ubuntu images for the EBC7702 Mini-DTX Mainboard and more materials on how to get started with the board.
For anyone attending the RISC-V Summit North America 2025, the EBC77002 Mini-DTX Mainboard will be showcased there from October 21-23, 2025. Visitors to Santa Clara will be able to experience the platform first hand at Canonical’s booth.
Pre-orders for the EBC7702 Mini-DTX Mainboard will open soon. If you’d like to get your hands on one, please visit the ESWIN Amazon online store (either the US, UK, German, or French site) or the Taobao store for the latest updates.
Canonical is committed to accelerating innovation through open source, empowering developers to bring their products to market faster by providing a stable and reliable platform. With RISC-V rapidly emerging as a competitive instruction set architecture across diverse markets and industries, Canonical’s decision to enable Ubuntu to RISC-V was a natural step. Through Canonical’s partnership with ESWIN Computing, we are ensuring that Ubuntu becomes the reference operating system for early adopters on RISC-V platforms, supporting the next wave of open hardware innovation.
Canonical partners with silicon vendors, board manufacturers, and leading enterprises to shorten time-to-market. If you are deploying Ubuntu on RISC-V platforms and want access to ongoing bug fixes and security maintenance or if you wish to learn more about our solutions for custom board enablement and application development services, please reach out to Canonical.
If you have any questions about the platform or would like information about our certification program, contact us.
Canonical, the publisher of Ubuntu, provides open source security, support and services. Our portfolio covers critical systems, from the smallest devices to the largest clouds, from the kernel to containers, from databases to AI. With customers that include top tech brands, emerging startups, governments and home users, Canonical delivers trusted open source for everyone. Learn more at https://canonical.com/.
ESWIN Computing is a provider of intelligent solutions in the AI era. Focusing on smart devices and embodied intelligence as our two core application scenarios, ESWIN Computing is adopting next-generation RISC-V computing architecture, innovating domain-specific algorithms and IP modules, and constructing efficient and open software-hardware platforms to deliver highly competitive system-level solutions for customers worldwide. Learn more at www.eswincomputing.com.
22 October, 2025 10:07AM by xiaofei
Alibaba Damo Academy and Canonical today announce a new collaboration to bring the Ubuntu operating system to the latest XuanTie C930 processor. This collaboration will give users access to a robust, reliable and production-ready platform for modern workloads running on the XuanTie processor family, helping to advance RISC-V adoption.
Alibaba Damo Academy, the team behind the XuanTie processor family, drives advancements in intelligent and secure computing architectures built around the RISC-V ecosystem. Alibaba Damo Academy and Canonical are collaborating to enhance Ubuntu support on XuanTie, helping to drive greater RISC‑V maturity and enabling smoother integration into the expanding RISC-V landscape. This partnership focuses on strengthening community collaboration within the RISC‑V ecosystem, and improving software readiness on XuanTie platforms using Ubuntu and RVA23 as the profile and platform of choice.
Since both Alibaba Damo Academy and Canonical are members of the RISC-V Software Ecosystem (RISE), the joint efforts will help accelerate open source adoption and promote consistent interoperability between hardware and software. A key aspect of this work includes alignment with the RVA23 profile, designed to improve portability across hardware designs and simplify development, further advancing the RISC‑V ecosystem’s growth and accessibility.
For developers and XuanTie users, this partnership will deliver an integrated Ubuntu experience for XuanTie hardware all backed by Canonical’s trusted long-term support and rigorous security maintenance.
“We are very excited to be partnering with Alibaba Damo Academy to bring Ubuntu to the latest XuanTie platform. Our teams have already done great work together on a community level for earlier XuanTie processors like the C906 and showing Ubuntu running on a XuanTie C930 FPGA at the Shanghai RISC-V Summit in July 2025. This partnership represents the next step in deepening our relationship and we look forward to working with Alibaba Damo Academy to get Ubuntu into the hands of even more XuanTie developers,” said Cindy Goldberg, Vice President of Silicon Alliance at Canonical.
“We are excited to deepen our collaboration with Canonical, marking another important step toward the real-life applications of RISC-V. Together, we have successfully brought Ubuntu to multiple ecosystem products based on the XuanTie processor. Moving forward, we look forward to advancing our joint work and continuing to unlock the value of RISC-V in various computing scenarios, while further contributing to the growth of the RISC-V community.” said Jing Yang, Vice Present of RISC-V at Alibaba Damo Academy.
If you have any questions about the platform or would like information about our silicon or RISC-V program, contact us.
Canonical, the publisher of Ubuntu, provides open source security, support and services. Our portfolio covers critical systems, from the smallest devices to the largest clouds, from the kernel to containers, from databases to AI. With customers that include top tech brands, emerging startups, governments and home users, Canonical delivers trusted open source for everyone.
Learn more at https://canonical.com/
Another year, another ROSCon! This year we’re heading to Singapore, and Canonical is once again thrilled to sponsor this important community event. Just like last year in Odense, Denmark, we’re looking forward to the talks and workshops, which always inspire us and teach us new things about robotics. We’re excited to reconnect with our Southeast Asia community, especially after our earlier gathering at Canonical’s IoT day in Singapore.
We’re really looking forward to sharing some of the work we have done in the robotics space this year, alongside our partners Advantech & Botmind. From Advantech’s powerful platforms for robotics to Botmind’s unified fleet management solutions, our booth showcases collaborative efforts designed to help and guide ROS developers as they aim to simplify complexity and accelerate innovation.
Here’s a quick overview of what we’ll be showcasing at ROSCon booth 51/52, featuring our partners Advantech and Botmind.
Our mission is to bring software to the widest audience. We took the latest step in this mission by bringing together popular open source tools, including Grafana, Prometheus, and Loki, to make it easy to set up a fully functional observability infrastructure for ROS 2 devices using Ubuntu. The same infrastructure used by our telco, logistics, aerospace, and data center customers is now available for robotics makers and ISVs.
The infrastructure is designed to bring together a unified platform for both open source and custom enterprise solutions (e.g. Botmind). Thus allowing companies to bring their own or preferred applications and tools in a tested, reliable, and open source infrastructure.
What can you do today with this beta observability stack
If you’re attending ROSCon 2025, we’ve got two exciting opportunities for you to dive deeper into observability for robotics systems.
📍 Room: 330
🗓️ Date: Monday, October 27, 2025
⏰ Time: 10:30 AM – 11:30 AM
Join us for a hands-on workshop where we’ll demonstrate how the Canonical Observability Stack helps you monitor, debug, and optimize your robotic devices.
> All ROSCon attendees are welcome, even without the workshop ticket — no RSVP required!
📍 Track: Debugging
🗓️ Date: Tuesday, October 28, 2025
⏰ Time: 4:00 PM – 4:10 PM SST
In this talk, we’ll explore how open-source tools make large-scale observability and debugging in robotics simpler, faster, and more powerful.
📍 Room: 330
🗓️ Date: Monday, October 27, 2025
⏰ Time: 11:30 AM – 12:30 PM
Join our partner Qualcomm to learn how to run ROS 2 on the RUBIK Pi 3, a compact platform optimized for edge robotics, powered by Ubuntu.
At ROSCon, we’re not just talking about observability; we’re showing how everything can come together in a real-world deployment. That’s why we’re excited to team up with Botmind, a Singapore-based robotics platform innovator, and deploy their fleet management service on top of our open source Canonical Observability Stack (COS) infrastructure.
Botmind’s mission is to simplify how businesses manage robot fleets. They build an “all-in-one” control platform that integrates multiple robots, real-time tracking, AI-powered scheduling, analytics, and a unified API layer. Their vision is bold: to let robotics operators manage everything, from mission assignments to health monitoring, via a single, intuitive control plane.
In our demo at ROSCon, we’ll show how Botmind’s proprietary fleet manager integrates with our COS infra, enabling:
Through this demo, we aim to prove that you can combine open observability and enterprise robot control in a modular, scalable way.
Visitors to booth 51/52 will be able to see first-hand how Botmind’s system works in tandem with our COS stack, giving developers, integrators, and system architects a compelling reference architecture for real robotic deployments.
We’re proud to collaborate with Advantech to showcase how advanced platforms and Ubuntu-based solutions accelerate the development of Autonomous Mobile Robots and robotic systems. Together, we’re addressing some of the toughest challenges faced by robotics developers, from real-time edge computing to secure and compliant deployments.
At ROSCon 2025, you can discover Advantech’s robotics platforms, powered by Ubuntu and its real-time kernel. Designed for ROS 2, it provides a unified and scalable hardware-software foundation that speeds up robot prototyping and deployment. Advantech’s AFE and ASR series edge computers integrate CPU, GPU, and NPU computing with industrial-grade reliability, supporting:
With Ubuntu Pro, Advantech extends long-term support, security, and maintenance for its Ubuntu-based hardware, including ESM for ROS, ensuring a consistent, secure, and reliable foundation throughout the robot’s lifecycle.
In our joint demo at booth 51/52, Canonical and Advantech will showcase how developers can move from prototype to production faster using Advantech hardware combined with Ubuntu Core, Canonical’s secure, immutable, and reliable operating system designed for edge deployments.
Canonical recently announced official Ubuntu support for the NVIDIA Jetson Thor family, extending our collaboration with NVIDIA to accelerate AI innovation at the edge. In addition, Canonical announces it will support and distribute NVIDIA CUDA directly within Ubuntu’s repositories, making it easier than ever for developers to access GPU acceleration natively on Ubuntu. This partnership ensures that developers can rely on the same enterprise-grade security, stability, and performance on Jetson Thor that powers Ubuntu across clouds and data centers.
In our demo at ROSCon, visitors will see COS running directly on an NVIDIA Jetson Thor device. Using the Grafana Agent, the system continuously collects rich performance and telemetry data from the Jetson platform, including CPU, GPU, and memory metrics, visualized in real time through Grafana dashboards.
By bringing COS to Jetson Thor, Canonical showcases how open source observability can extend all the way from the robot’s edge hardware to cloud-scale operations, empowering developers and integrators to optimize performance and reliability across every layer.
For more information, please visit NVIDIA at ROSCon.
We can’t wait to see you at ROSCon! Join us to explore the latest advancements, connect with fellow innovators, and discover how Ubuntu and our partners are shaping the future of robotics. See you there!
In the early hours of October 20, 2025, Amazon Web Services (AWS) experienced one of the most significant service disruptions of the year. The incident originated in the US-EAST-1 (Northern Virginia) region — one of the provider’s oldest and busiest zones, hosting critical components of its global services.
For several hours, thousands of applications and online platforms — including Snapchat, Fortnite, Duolingo, Alexa, Coinbase, and Robinhood — suffered connection errors, latency issues, or partial outages.
AWS later confirmed an increase in errors and response times across several services tied to that region.
Technical analyses and AWS status reports indicate that the issue was linked to a failure in the internal DNS resolution system, one of the most critical elements of its infrastructure. The Domain Name System (DNS) translates domain names (such as api.mycompany.com) into IP addresses so that applications can communicate with each other.
When this system fails, servers may continue running, but they can no longer “find” one another — requests are lost because domain names cannot be resolved. In this case, the outage affected AWS’s internal DNS service, which depends on DynamoDB to store DNS zone data.
As that service degraded, many applications could no longer resolve the names of their own instances or connect to their databases, even though the servers themselves remained operational.
The result was a regional failure with global impact, as countless organizations rely on infrastructure hosted in Virginia to operate their services — even when their users connect from other continents. It was not a global AWS outage, nor a multi-region event, but rather a localized failure in a critical region that exposed how much dependency can concentrate in the cloud.
The cloud offers scalability and simplified management — but it does not eliminate architectural responsibility. Replicating servers within the same region (for example, across “Availability Zones”) does not guarantee continuity if the entire region becomes unavailable.
Building a truly robust infrastructure means designing for the complete loss of a region — and still being able to keep services online. This is where global traffic management, also known as Global Server Load Balancing (GSLB), becomes essential. Such a system operates above individual data centers or regions.
It continuously monitors multiple distributed endpoints and automatically redirects traffic to the one that remains available and responsive. If a region stops responding — as happened in Virginia — the load balancer can update public DNS records so that users are routed to another active environment.
In practice, this mechanism provides two fundamental benefits:
However, for this approach to be truly effective, the regions or data centers involved must be completely independent from each other. If both environments share the same control plane, internal DNS, or network services, a failure in that common layer could affect both simultaneously.
That’s why GSLB can only ensure real continuity when deployed between operationally isolated environments. In other words: GSLB would not have prevented the AWS outage, but it would have allowed organizations with independent regional architectures to keep their services running while the affected region recovered.
SKUDONET Enterprise Edition integrates a Global Server Load Balancing (GSLB) system designed to maintain service availability across geographically distributed data centers or regions.
Operating at the DNS level, it continuously monitors the health of applications in each location. If one site becomes unavailable, it automatically updates DNS resolution to redirect users to another operational data center.
The GSLB can operate in active-passive mode, ensuring automatic recovery in Disaster Recovery scenarios, or in active-active mode, sharing traffic between multiple data centers to optimize latency and overall performance.
Its design allows combining environments within the same provider or across different ones — as long as they remain operationally independent — thereby avoiding single points of failure.
In this way, SKUDONET provides an external control layer that strengthens high availability and service continuity strategies, even during severe regional disruptions.
Technical reference:
How Global Server Load Balancing works in SKUDONET
The AWS outage in Virginia showed that even the most mature infrastructures can experience critical regional failures. The lesson is not to avoid the cloud, but to design with failure in mind — assuming that any region can go offline at any time. Separating environments and managing traffic at a global level does not eliminate errors, but it allows business operations to continue when they occur.
22 October, 2025 06:24AM by Nieves Álvarez
A complete feed is available in any of your favourite syndication formats linked by the buttons below.
![[RSS 1.0 Feed]](common/rss10.png){kind=small}
![[RSS 2.0 Feed]](common/rss20.png){kind=small}
![[Atom Feed]](common/atom.png){kind=small}
![[FOAF Subscriptions]](common/foaf.png){kind=small}
![[OPML Subscriptions]](common/opml.png){kind=small}
![[Hacker]](common/hacker.png){kind=small}
![[Planet]](common/planet.png){kind=small}
Last updated: 16 Nov 2025 21:46
All times are UTC.
Contact: Debian Planet Maintainers