December 10, 2025

Ubuntu developers

Ubuntu Blog: Harnessing the potential of 5G with Kubernetes: a cloud-native telco transformation perspective

Telecommunications networks are undergoing a cloud-native revolution. 5G promises ultra-fast connectivity and real-time services, but achieving those benefits requires an infrastructure that is agile, low-latency, and highly reliable. Kubernetes has emerged as a cornerstone for telecom operators to meet 5G demands. In 2025, Canonical Kubernetes delivers a single, production-grade Kubernetes platform with long-term support (LTS) and telco-specific optimizations, deployable across clouds, data centers, and the far edge.

This blog explores how Canonical Kubernetes empowers 5G and cloud-native telco workloads with high performance, enhanced platform awareness (EPA), and robust security, while offering flexible deployment via snaps, Juju, or Cluster API. We’ll also highlight its integration into industry initiatives like Sylva, support for GPU/DPU acceleration, and synergy with MicroCloud for scalable edge infrastructure.

The rise of the cloud-native telco

Telecom decision-makers face immense pressure to evolve their networks rapidly and cost-effectively. Traditional, hardware-centric architectures struggle to keep pace with 5G’s requirements for low latency, high throughput, and dynamic scaling. This is where Kubernetes – the de facto platform for cloud-native applications – comes in. Kubernetes brings powerful automation, scalability, and resiliency that allow telcos to manage network functions like software across data centers, public clouds, and far-edge deployments. The result is a more agile operational model: services can be rolled out faster, resources automatically optimized to demand, and updates applied continuously without disrupting critical services. In the 5G era, such agility is essential for delivering innovations like network slicing, multi-access edge computing (MEC), and AI-driven services.

At the same time, Kubernetes opens the door for telcos to refactor their network functions into microservices. Instead of relying on monolithic appliances or heavy virtual machines, operators can deploy cloud-native network functions (CNFs) – essentially containerized network services – that are lighter and faster to roll out than traditional virtual network functions (VNFs). By shifting to CNFs, new network features (whether a 5G core component or a firewall) can be introduced or updated in a fraction of the time, using automated CI/CD pipelines instead of lengthy manual upgrades. This approach helps telcos simplify the migration from legacy systems to a more agile, software-driven network model.

However, adopting Kubernetes for telecom workloads also means meeting rigorous performance and reliability standards. Carrier-grade services like voice, video, and core network functions can’t tolerate unpredictable delays or downtime. Telco leaders need a Kubernetes platform that combines cloud-native flexibility with telco-grade performance, security, and support. Canonical Kubernetes answers that call, providing a Kubernetes distribution specifically tuned for telecommunications needs.

Canonical Kubernetes: optimized for cloud-native 5G networks and edge computing

Canonical’s Kubernetes distribution has been engineered from the ground up to address the unique challenges of 5G and cloud-native telco cloud deployments. It is a single, unified Kubernetes offering that blends the ease of use of lightweight deployments with the robustness of an enterprise-grade platform. Importantly, Canonical Kubernetes can be deployed and managed in whatever way best fits a telco’s environment – whether installed as a secure snap package or integrated with full automation tooling like Juju (model-driven operations) or Kubernetes Cluster API (CAPI). This flexibility means operators can start small at the network edge or scale up to carrier-core clusters, all using the same consistent platform. Notably, Canonical Kubernetes brings cloud-native telco-friendly capabilities in the areas of performance, networking, operations, and support:

High performance & low latency

Real-time Linux kernel support ensures that high-priority network workloads execute with predictable, ultra-low latency, a critical requirement for functions like the 5G user plane function (UPF). In parallel, built-in support for advanced networking (including SR-IOV and DPDK) enables fast packet processing by giving containerized network functions direct access to hardware, dramatically reducing network I/O latency for high-bandwidth 5G applications. Together, these features allow cloud-native network functions to meet stringent performance and determinism once only achievable on specialized telecom hardware.

GPU acceleration

Canonical Kubernetes integrates seamlessly with acceleration technologies to support emerging cloud-native telco workloads. It works with NVIDIA’s GPU and networking operators to leverage hardware accelerators (GPUs, SmartNICs, DPUs) for intensive tasks. It supports NVIDIA’s Multi-Instance GPU (MIG), which expands the performance and value of NVIDIA’s data center GPUs, such as the latest GB200 and RTX PRO 6000 Blackwell Server Edition, by partitioning the GPU into up to seven instances, each fully hardware isolated with its own high-bandwidth memory, cache, and streaming multiprocessors. The partitioned instances are transparent to workloads, which greatly optimizes the use of resources and allows for serving workloads with guaranteed QoS.

This means telecom operators can run AI/ML analytics, media processing, or virtual RAN computations that take advantage of GPUs and DPU offloading within their Kubernetes clusters – all managed under the same platform. By tapping into hardware acceleration, telcos can deliver advanced services (like AI-driven network optimization or AR/VR streaming) with high performance, without needing separate siloed infrastructure.

Operational efficiency and automation

Day-0 to Day-2 operations are streamlined through automation in Canonical’s stack. The distribution supports full lifecycle management – clusters can be deployed, scaled, and updated via one-step commands or integrated CI/CD pipelines, reducing manual effort and errors. Using Juju charms, Canonical’s model-driven operations further simplify complex orchestration, enabling teams to configure and update Kubernetes and related services in a repeatable, declarative way. Built-in self-healing and high availability features ensure that the platform can recover from failures automatically, keeping services running without intervention.

This high degree of automation translates into faster rollout of new network functions and updates (with minimal downtime), allowing telco teams to focus on innovation rather than routine ops tasks.

Edge flexibility

Canonical Kubernetes is designed to run from the core to the far edge with equal ease. Its lightweight, efficient design (delivered as a single snap package) results in a low resource footprint, making it viable even on a one- or two-node edge cluster in a remote site. At the same time, it scales up to multi-node deployments for central networks. The platform supports a variety of configurations – from a single node for an ultra-compact edge appliance, to a dual-node high-availability cluster, to large multi-node clusters for data centers – all with the same tooling and consistent experience.

This flexibility allows operators to extend cloud capabilities to edge locations (for ultra-low latency processing) while managing everything in a unified way. In practice, Canonical’s solution can power cloud-native telco IT workloads, 5G core functions, and edge applications under one umbrella, meeting the specific performance and latency needs of each environment.

Long-term support and stability

Canonical backs its Kubernetes with long-term support options far exceeding the typical open-source release cycle. Each Canonical Kubernetes LTS version can receive security patches and maintenance for up to 15 years, ensuring a stable foundation for cloud-native telco services over the entire 5G rollout and beyond. (For comparison, upstream Kubernetes offers roughly 1 year of support per release.)

This extended support window means carriers can avoid frequent, disruptive upgrades and rest assured that their infrastructure remains compliant over the long term. Such a commitment to stability is a key reason telecom operators choose Canonical – long-term maintenance provides confidence that critical network workloads will run on a hardened, well-maintained platform for many years.

Cost efficiency and vendor neutrality

As an open-source, upstream-aligned distribution, Canonical Kubernetes has no licensing costs and prevents vendor lock-in. Telcos are free to deploy it on their preferred hardware or cloud, and they benefit from a large ecosystem of Kubernetes-compatible tools and operators. The platform’s efficient resource usage and automation also help drive down operating costs – by improving hardware utilization and simplifying management, it enables operators to serve growing traffic loads without linear cost increases. In short, Canonical’s Kubernetes offers carrier-grade performance and features at a fraction of the cost of proprietary alternatives, all while keeping the operator in control of their technology roadmap.

Enabling a new wave of cloud-native telco services

Using Canonical Kubernetes, cloud-native telcos can position themselves to innovate faster and operate more efficiently in the 5G era. They can readily stand up cloud-native 5G Core functions, scale out Open RAN deployments, and push applications to the network edge – all on a consistent Kubernetes foundation. In fact, Kubernetes makes it feasible for telcos to transition from traditional VNFs on virtual machines to containerized CNFs, reducing resource overhead and speeding up deployment of network features. This means legacy network applications can be modernized step-by-step and run alongside new microservices on the same platform, avoiding risky “big bang” overhauls.

The result is not only technical efficiency but business agility: operators can launch new services (from enhanced mobile broadband to IoT analytics) in weeks instead of months, respond quickly to customer demand spikes, and streamline the integration of new network functions or vendors.

Early adopters in the industry are already seeing the benefits. For example, Canonical’s Kubernetes has been embraced in initiatives like the European Sylva open telco cloud project, in part due to its security, flexibility and long-term support advantages. This momentum underscores that a performant, open Kubernetes platform is becoming a strategic asset for telcos aiming to stay ahead in a competitive landscape. Perhaps most importantly, Canonical Kubernetes lets telcos focus on delivering value to subscribers – ultra-reliable connectivity, rich digital services, tailored enterprise solutions – rather than getting bogged down in infrastructure complexity. It abstracts away much of the heavy lifting of deploying and upgrading distributed systems, while providing the controls needed to meet strict cloud-native telco requirements. The combination of automation, performance tuning, and openness creates a powerful engine for telecom innovation.

Cloud-native at any scale: Canonical Kubernetes meets MicroCloud

At the edge, complexity is the enemy. That’s why Canonical Kubernetes pairs naturally with MicroCloud, our lightweight production-grade cloud infrastructure for distributed environments. MicroCloud fits the edge use case extremely well: it is easy to deploy, fully automated, and optimized for bare-metal and low-power sites. Drop it into a telco cabinet, regional hub, or remote data center, and you get a resilient control plane for running Kubernetes, virtualization, and storage with zero overhead.

In such deployments, MicroCloud and Canonical Kubernetes form a tightly integrated stack that brings cloud-native operations to the far edge. Need to orchestrate CNFs next to VMs? Spin up a single-node cluster with high availability? Scale to dozens of locations without rearchitecting? This combo makes it possible, with snaps for simple updates, Juju for full automation, and long-term support built in.

Conclusion: building the future of cloud-native telco on open source Kubernetes

5G and edge computing are reshaping telecom networks, and Kubernetes has proven to be an essential technology powering this evolution. Industrial IoT, automotive applications, smart cities, robotics, remote health care, and the gaming industry rely on high data transfer, close-to-real-time latency, and very high availability and reliability. Canonical Kubernetes brings the best of cloud-native innovation to the telecom domain in a form that aligns with carriers’ operational realities and performance needs. It delivers a rare mix of benefits – agility and efficiency from automation, high performance for demanding workloads, freedom from lock-in, and assured long-term support – making it a compelling choice for any telco modernizing its infrastructure.

Telecommunications leaders looking to become cloud-native telcos should consider how an open-source platform like Canonical Kubernetes can serve as a foundation for growth. Whether the goal is to reduce operating costs in the core network, roll out programmable 5G services at the edge, or simply break free from proprietary constraints, Canonical’s Kubernetes distribution provides a proven path forward.

Explore further

To dive deeper into how Canonical Kubernetes meets telco performance and reliability requirements, we invite you to read our detailed white paper: Addressing telco performance requirements with Canonical Kubernetes. It offers in-depth insights and benchmark results from real-world cloud-native telco scenarios. Additionally, visit our blogs on Ubuntu.com and Canonical.com for more success stories and technical guides – from 5G network modernization strategies to edge:

Visiting MWC 2026? Book a meeting with Canonical to find out more.

10 December, 2025 03:47PM

Ubuntu Blog: The rhythm of reliability: inside Canonical’s operational cadence

In software engineering, we often talk about the “iron triangle” of constraints: time, resources, and features. You can rarely fix all three. At many companies, when scope creeps or resources get tight, the timeline is often the first element of the triangle to slip.

At Canonical, we take a different approach. For us, time is the fixed constraint.

This isn’t just about strict project management. It is a mechanism of trust. Our users, customers, and the open source community need to know exactly when the next Ubuntu release is coming. To deliver that reliability externally, we need a rigorous operational rhythm internally, and for over 20 years, we have honored this commitment.

Here is how we orchestrate the business of building software, from our six-month cycles to the daily pulse of engineering:

Fig. 1 Canonical’s Operating Cycle

The six-month cycle

Our entire engineering organization operates on a six-month cycle that aligns with the Ubuntu release cadence. This cycle is our heartbeat. It drives accountability and ensures we ship features on time.

To make this work, we rely on three critical control points:

  • Sprint Readiness Review (SRR): This is where prioritization happens. Before a cycle begins, we don’t just ask “what fits?”: we ask “what matters?” We go through feedback to find the most valuable engineering opportunities, ensuring we prioritize quality and impact over volume. We don’t start the work until we know the scope is worth the effort.
  • Product Roadmap Sprint: The SRR culminates in this one-week, face-to-face event. This is the formal moment of truth where we close out the previous cycle and leadership signs off on the plan for the next one. It ensures that every team leaves the room with a clear, approved mandate.
  • Midcycle Review: Three months in, we hold a “Virtual Sprint” to check our progress. Crucially, we review any “bad news”: we immediately identify items that will not ship or are at risk. By addressing what won’t happen upfront, leadership can make informed decisions to course-correct immediately rather than letting a deadline slip.

This discipline ensures we stay agile, and that we can adjust our trajectory halfway through without derailing the entire delivery.

The two-week pulse

While the six-month cycle sets the destination, the “pulse” gets us there. A pulse is our version of a two-week agile sprint.

Crucially, these pulses are synchronized across the entire company, on a cross-functional basis. Marketing, Sales, and Support all operate on this same frequency. When a team member says, “we will do it next pulse,” everyone, regardless of department, knows exactly what that means. This creates a shared expectation of delivery that keeps the whole organization moving in lockstep.

Sprints are for in-person connection

We distinguish between a “pulse” (our virtual, two-week work iteration) and a “sprint.” For us, a sprint is a physical, one-week event where teams meet face-to-face.

We are a remote-first company, which makes these moments invaluable. Sprints provide the high-bandwidth communication and human connection needed to sustain us through months of remote execution.

We also stagger these sprints to separate context. Our Engineering Sprints happen in May and November (immediately after an Ubuntu release) so teams can focus purely on technical roadmapping. Commercial Sprints happen in January and July, aligning with our fiscal half-years to focus on business value. This “dual-clock” system ensures that commercial goals and technical realities are synchronized without overwhelming the teams.

Managing the exceptions

Of course, market reality doesn’t always adhere to a six-month schedule. Customers have urgent needs, and high-value opportunities appear unexpectedly. To handle this without breaking our rhythm, we use the Commercial Review (CR) process.

The CR process protects our engineering teams from chaos while giving us the agility to say “yes” to the right opportunities.

  • Protection: We don’t let unverified requests disrupt the roadmap. A Review Board assesses every non-standard request before we make a promise.
  • Conscious trade-offs: If a new request is critical, we ask: “What are we removing to make space for this?” It forces a conscious decision. We review the roadmap and agree on what gets deprioritized to satisfy the new request.

This ensures that when we do deviate from the plan, it is a strategic choice, not an accident.

Quality as a natural habit

Underpinning this entire rhythm is a commitment to quality standards. We follow the Plan, Do, Check, Act (PDCA) cycle, a concept rooted in ISO 9001. While we align with these formal frameworks, it has become a natural habit for us at Canonical.

This operational discipline is what enables up to 15 years of LTS commitment on a vast portfolio of open source components, providing Long-Term Support for the entire, integrated collection of application software, libraries, and toolchains. Offering 15 years of security maintenance on our entire stack is only possible because we are operationally consistent. Long-term stability is the direct result of short-term discipline.

By sticking to this rhythm, we ensure that Canonical remains not just a source of great technology, but a reliable partner for the long haul.

10 December, 2025 12:22PM

Qubes

Qubes Canary 045

We have published Qubes Canary 045. The text of this canary and its accompanying cryptographic signatures are reproduced below. For an explanation of this announcement and instructions for authenticating this canary, please see the end of this announcement.

Qubes Canary 045


                    ---===[ Qubes Canary 045 ]===---


Statements
-----------

The Qubes security team members who have digitally signed this file [1]
state the following:

1. The date of issue of this canary is December 10, 2025.

2. There have been 109 Qubes security bulletins published so far.

3. The Qubes Master Signing Key fingerprint is:

       427F 11FD 0FAA 4B08 0123  F01C DDFA 1A3E 3687 9494

4. No warrants have ever been served to us with regard to the Qubes OS
   Project (e.g. to hand out the private signing keys or to introduce
   backdoors).

5. We plan to publish the next of these canary statements in the first
   fourteen days of March 2026. Special note should be taken if no new
   canary is published by that time or if the list of statements changes
   without plausible explanation.


Special announcements
----------------------

None.


Disclaimers and notes
----------------------

We would like to remind you that Qubes OS has been designed under the
assumption that all relevant infrastructure is permanently compromised.
This means that we assume NO trust in any of the servers or services
which host or provide any Qubes-related data, in particular, software
updates, source code repositories, and Qubes ISO downloads.

This canary scheme is not infallible. Although signing the declaration
makes it very difficult for a third party to produce arbitrary
declarations, it does not prevent them from using force or other means,
like blackmail or compromising the signers' laptops, to coerce us to
produce false declarations.

The proof of freshness provided below serves to demonstrate that this
canary could not have been created prior to the date stated. It shows
that a series of canaries was not created in advance.

This declaration is merely a best effort and is provided without any
guarantee or warranty. It is not legally binding in any way to anybody.
None of the signers should be ever held legally responsible for any of
the statements made here.


Proof of freshness
-------------------

Wed, 10 Dec 2025 01:14:56 +0000

Source: DER SPIEGEL - International (https://www.spiegel.de/international/index.rss)
Confidential Conference on Ukraine Peace: "We Must Not Leave Ukraine and Volodymyr Alone with These Guys"
Project 2025 Author: "We Won't Let Anyone Stop US from Using Our Oil and Gas"
Remnants of the War: Syrians from Germany Helping with Reconstruction - But Remain Wary of Moving Back
Germany's Queen Mum: Nostalgia for the Merkel Era Alive and Well
Director Nadav Lapid on Israel after Gaza: It Was Our Duty to Scream

Source: NYT > World News (https://rss.nytimes.com/services/xml/rss/nyt/World.xml)
Hundreds of Thousands of Thais and Cambodians Flee
Canada’s Northwest Territories Diamond Mines Are Closing
Another Front in the War in Ukraine: Who Gets to Claim a Famed Artist?
With Cheap Tickets and Lax Etiquette, a Theater Builds an Older Fan Base
Between Pakistan and Afghanistan, a Trade War With No End in Sight

Source: BBC News (https://feeds.bbci.co.uk/news/world/rss.xml)
Trump criticises 'decaying' European countries and 'weak' leaders
Nobel officials unsure when Peace Prize winner will arrive for ceremony
Congress ups pressure to release boat strike video with threat to Hegseth's travel budget
French feminists outraged by Brigitte Macron's comment about activists
'What's your name?' - Moment police confront Luigi Mangione at McDonald's

Source: Blockchain.info
0000000000000000000028650dc7d328ea9c1b7e2b5376ce14089586c8ca3041


Footnotes
----------

[1] This file should be signed in two ways: (1) via detached PGP
signatures by each of the signers, distributed together with this canary
in the qubes-secpack.git repo, and (2) via digital signatures on the
corresponding qubes-secpack.git repo tags. [2]

[2] Don't just trust the contents of this file blindly! Verify the
digital signatures! Instructions for doing so are documented here:
https://www.qubes-os.org/security/pack/

--
The Qubes Security Team
https://www.qubes-os.org/security/

Source: canary-045-2025.txt

Marek Marczykowski-Górecki’s PGP signature

Source: canary-045-2025.txt.sig.marmarek

Simon Gaiser (aka HW42)’s PGP signature

Source: canary-045-2025.txt.sig.simon

What is the purpose of this announcement?

The purpose of this announcement is to inform the Qubes community that a new Qubes canary has been published.

What is a Qubes canary?

A Qubes canary is a security announcement periodically issued by the Qubes security team consisting of several statements to the effect that the signers of the canary have not been compromised. The idea is that, as long as signed canaries including such statements continue to be published, all is well. However, if the canaries should suddenly cease, if one or more signers begin declining to sign them, or if the included statements change significantly without plausible explanation, then this may indicate that something has gone wrong.

The name originates from the practice in which miners would bring caged canaries into coal mines. If the level of methane gas in the mine reached a dangerous level, the canary would die, indicating to miners that they should evacuate. (See the Wikipedia article on warrant canaries for more information, but bear in mind that Qubes Canaries are not strictly limited to legal warrants.)

Why should I care about canaries?

Canaries provide an important indication about the security status of the project. If the canary is healthy, it’s a strong sign that things are running normally. However, if the canary is unhealthy, it could mean that the project or its members are being coerced in some way.

What are some signs of an unhealthy canary?

Here is a non-exhaustive list of examples:

  • Dead canary. In each canary, we state a window of time during which you should expect the next canary to be published. If no canary is published within that window of time and no good explanation is provided for missing the deadline, then the canary has died.
  • Missing statement(s). Canaries include a set of numbered statements at the top. These statements are generally the same across canaries, except for specific numbers and dates that have changed since the previous canary. If an important statement was present in older canaries but suddenly goes missing from new canaries with no correction or explanation, then this may be an indication that the signers can no longer truthfully make that statement.
  • Missing signature(s). Qubes canaries are signed by the members of the Qubes security team (see below). If one of them has been signing all canaries but suddenly and permanently stops signing new canaries without any explanation, then this may indicate that this person is under duress or can no longer truthfully sign the statements contained in the canary.
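The three signs above can be screened mechanically once gpg has verified the canary's signatures. The following is an added example, not part of the Qubes announcement or of any qubes-secpack tooling: the function names, the `CONSTRUCTED_NEXT` text and its signature filename are assumptions made for illustration, and the window parser assumes the "first N days of <Month> <Year>" wording used in Canary 045.

```python
"""Added example: mechanical checks for the 'unhealthy canary' signs listed above.
Run these only on canary text whose PGP signatures gpg has already verified."""
import calendar
import re
from datetime import date

# Statements section of Qubes Canary 045 as reproduced on this page (blank lines dropped).
CANARY_045 = """\
Statements
-----------
1. The date of issue of this canary is December 10, 2025.
2. There have been 109 Qubes security bulletins published so far.
3. The Qubes Master Signing Key fingerprint is:
       427F 11FD 0FAA 4B08 0123  F01C DDFA 1A3E 3687 9494
4. No warrants have ever been served to us with regard to the Qubes OS
   Project (e.g. to hand out the private signing keys or to introduce
   backdoors).
5. We plan to publish the next of these canary statements in the first
   fourteen days of March 2026. Special note should be taken if no new
   canary is published by that time or if the list of statements changes
   without plausible explanation.
Special announcements
"""
SIGS_045 = ["canary-045-2025.txt.sig.marmarek", "canary-045-2025.txt.sig.simon"]

# CONSTRUCTED test input, NOT a real canary: the warrant statement has been removed.
CONSTRUCTED_NEXT = """\
Statements
-----------
1. The date of issue of this canary is March 9, 2026.
2. There have been 110 Qubes security bulletins published so far.
3. The Qubes Master Signing Key fingerprint is:
       427F 11FD 0FAA 4B08 0123  F01C DDFA 1A3E 3687 9494
4. We plan to publish the next of these canary statements in the first
   fourteen days of June 2026. Special note should be taken if no new
   canary is published by that time or if the list of statements changes
   without plausible explanation.
Special announcements
"""
CONSTRUCTED_NEXT_SIGS = ["canary-next.txt.sig.marmarek"]  # constructed filename

MONTHS = {name: i for i, name in enumerate(calendar.month_name) if name}
MONTH_RE = re.compile(r"\b(?:%s)\b" % "|".join(MONTHS))
FPR_RE = re.compile(r"(?:[0-9A-F]{4} ){9}[0-9A-F]{4}")
# Assumption: the window length is written in digits or as one of these words.
WORDS = {"seven": 7, "ten": 10, "fourteen": 14, "fifteen": 15}
WINDOW_RE = re.compile(r"first (\w+) days of (\w+) (\d{4})")

def statements(canary):
    """Numbered statements of a canary, whitespace-collapsed, in order."""
    m = re.search(r"^Statements\n-+\n(.*?)(?=^Special announcements|\Z)",
                  canary, re.S | re.M)
    if m is None:
        raise ValueError("no Statements section found")
    parts = re.split(r"^\d+\. ", m.group(1), flags=re.M)[1:]
    return [" ".join(p.split()) for p in parts]

def next_deadline(canary):
    """Last day of the announced window, or None if the wording is unusual
    (the schedule is then read by hand; an unusual window is permitted)."""
    for stmt in statements(canary):
        m = WINDOW_RE.search(stmt)
        if m:
            n, month, year = m.groups()
            days = int(n) if n.isdigit() else WORDS.get(n.lower())
            if days and month in MONTHS:
                return date(int(year), MONTHS[month], days)
    return None

def overdue(latest_canary, today):
    """True if no newer canary exists and the window has passed (dead canary)."""
    deadline = next_deadline(latest_canary)
    return None if deadline is None else today > deadline

def skeleton(stmt):
    """Mask dates and counts, which legitimately change; keep fingerprints exact."""
    if FPR_RE.search(stmt):
        return stmt
    return re.sub(r"\b\d+\b", "<n>", MONTH_RE.sub("<month>", stmt))

def dropped_statements(older, newer):
    """Statements of the older canary with no counterpart in the newer one."""
    kept = {skeleton(s) for s in statements(newer)}
    return [s for s in statements(older) if skeleton(s) not in kept]

def missing_signers(older_sigs, newer_sigs):
    """Signers (suffix after '.sig.') who signed before but not now."""
    who = lambda names: {n.rsplit(".sig.", 1)[-1] for n in names}
    return sorted(who(older_sigs) - who(newer_sigs))

if __name__ == "__main__":
    print("next canary due by:", next_deadline(CANARY_045))
    print("overdue on 2026-03-15:", overdue(CANARY_045, date(2026, 3, 15)))
    print("dropped:", dropped_statements(CANARY_045, CONSTRUCTED_NEXT))
    print("missing signers:", missing_signers(SIGS_045, CONSTRUCTED_NEXT_SIGS))
```

A flag from any of these functions is a prompt to look for an explanation in the qubes-secpack, not a verdict; the script does not verify signatures itself.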

Does every unexpected or unusual occurrence related to a canary indicate something bad?

No, there are many canary-related possibilities that should not worry you. Here is a non-exhaustive list of examples:

  • Unusual reposts. The only canaries that matter are the ones that are validly signed in the Qubes security pack (qubes-secpack). Reposts of canaries (like the one in this announcement) do not have any authority (except insofar as they reproduce validly-signed text from the qubes-secpack). If the actual canary in the qubes-secpack is healthy, but reposts are late, absent, or modified on the website, mailing lists, forum, or social media platforms, you should not be concerned about the canary.
  • Last-minute signature(s). If the canary is signed at the last minute but before the deadline, that’s okay. (People get busy and procrastinate sometimes.)
  • Signatures at different times. If one signature is earlier or later than the other, but both are present within a reasonable period of time, that’s okay. (For example, sometimes one signer is out of town, but we try to plan the deadlines around this.)
  • Permitted changes. If something about a canary changes without violating any of the statements in prior canaries, that’s okay. (For example, canaries are usually scheduled for the first fourteen days of a given month, but there’s no rule that says they have to be.)
  • Unusual but planned changes. If something unusual happens, but it was announced in advance, and the appropriate statements are signed, that’s okay (e.g., when Joanna left the security team and Simon joined it).

In general, it would not be realistic for an organization to exist that never changed, had zero turnover, and never made mistakes. Therefore, it would be reasonable to expect such events to occur periodically, and it would be unreasonable to regard every unusual or unexpected canary-related event as a sign of compromise. For example, if something unusual happens with a canary, and we say it was a mistake and correct it (with valid signatures), you will have to decide for yourself whether it’s more likely that it really was just a mistake or that something is wrong and that this is how we chose to send you a subtle signal about it. This will require you to think carefully about which among many possible scenarios is most likely given the evidence available to you. Since this is fundamentally a matter of judgment, canaries are ultimately a social scheme, not a technical one.

What are the PGP signatures that accompany canaries?

A PGP signature is a cryptographic digital signature made in accordance with the OpenPGP standard. PGP signatures can be cryptographically verified with programs like GNU Privacy Guard (GPG). The Qubes security team cryptographically signs all canaries so that Qubes users have a reliable way to check whether canaries are genuine. The only way to be certain that a canary is authentic is by verifying its PGP signatures.

Why should I care whether a canary is authentic?

If you fail to notice that a canary is unhealthy or has died, you may continue to trust the Qubes security team even after they have signaled via the canary (or lack thereof) that they have been compromised or coerced.

Alternatively, an adversary could fabricate a canary in an attempt to deceive the public. Such a canary would not be validly signed, but users who neglect to check the signatures on the fake canary would not be aware of this, so they may mistakenly believe it to be genuine, especially if it closely mimics the language of authentic canaries. Such falsified canaries could include manipulated text designed to sow fear, uncertainty, and doubt about the security of Qubes OS or the status of the Qubes OS Project.

How do I verify the PGP signatures on a canary?

The following command-line instructions assume a Linux system with git and gpg installed. (For Windows and Mac options, see OpenPGP software.)

  1. Obtain the Qubes Master Signing Key (QMSK), e.g.:

    $ gpg --fetch-keys https://keys.qubes-os.org/keys/qubes-master-signing-key.asc
    gpg: directory '/home/user/.gnupg' created
    gpg: keybox '/home/user/.gnupg/pubring.kbx' created
    gpg: requesting key from 'https://keys.qubes-os.org/keys/qubes-master-signing-key.asc'
    gpg: /home/user/.gnupg/trustdb.gpg: trustdb created
    gpg: key DDFA1A3E36879494: public key "Qubes Master Signing Key" imported
    gpg: Total number processed: 1
    gpg:               imported: 1
    

    (For more ways to obtain the QMSK, see How to import and authenticate the Qubes Master Signing Key.)

  2. View the fingerprint of the PGP key you just imported. (Note: gpg> indicates a prompt inside of the GnuPG program. Type what appears after it when prompted.)

    $ gpg --edit-key 0x427F11FD0FAA4B080123F01CDDFA1A3E36879494
    gpg (GnuPG) 2.2.27; Copyright (C) 2021 Free Software Foundation, Inc.
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.
       
       
    pub  rsa4096/DDFA1A3E36879494
         created: 2010-04-01  expires: never       usage: SC
         trust: unknown       validity: unknown
    [ unknown] (1). Qubes Master Signing Key
       
    gpg> fpr
    pub   rsa4096/DDFA1A3E36879494 2010-04-01 Qubes Master Signing Key
     Primary key fingerprint: 427F 11FD 0FAA 4B08 0123  F01C DDFA 1A3E 3687 9494
    
  3. Important: At this point, you still don’t know whether the key you just imported is the genuine QMSK or a forgery. In order for this entire procedure to provide meaningful security benefits, you must authenticate the QMSK out-of-band. Do not skip this step! The standard method is to obtain the QMSK fingerprint from multiple independent sources in several different ways and check to see whether they match the key you just imported. For more information, see How to import and authenticate the Qubes Master Signing Key.

    Tip: After you have authenticated the QMSK out-of-band to your satisfaction, record the QMSK fingerprint in a safe place (or several) so that you don’t have to repeat this step in the future.

  4. Once you are satisfied that you have the genuine QMSK, set its trust level to 5 (“ultimate”), then quit GnuPG with q.

    gpg> trust
    pub  rsa4096/DDFA1A3E36879494
         created: 2010-04-01  expires: never       usage: SC
         trust: unknown       validity: unknown
    [ unknown] (1). Qubes Master Signing Key
       
    Please decide how far you trust this user to correctly verify other users' keys
    (by looking at passports, checking fingerprints from different sources, etc.)
       
      1 = I don't know or won't say
      2 = I do NOT trust
      3 = I trust marginally
      4 = I trust fully
      5 = I trust ultimately
      m = back to the main menu
       
    Your decision? 5
    Do you really want to set this key to ultimate trust? (y/N) y
       
    pub  rsa4096/DDFA1A3E36879494
         created: 2010-04-01  expires: never       usage: SC
         trust: ultimate      validity: unknown
    [ unknown] (1). Qubes Master Signing Key
    Please note that the shown key validity is not necessarily correct
    unless you restart the program.
       
    gpg> q
    
  5. Use Git to clone the qubes-secpack repo.

    $ git clone https://github.com/QubesOS/qubes-secpack.git
    Cloning into 'qubes-secpack'...
    remote: Enumerating objects: 4065, done.
    remote: Counting objects: 100% (1474/1474), done.
    remote: Compressing objects: 100% (742/742), done.
    remote: Total 4065 (delta 743), reused 1413 (delta 731), pack-reused 2591
    Receiving objects: 100% (4065/4065), 1.64 MiB | 2.53 MiB/s, done.
    Resolving deltas: 100% (1910/1910), done.
    
  6. Import the included PGP keys. (See our PGP key policies for important information about these keys.)

    $ gpg --import qubes-secpack/keys/*/*
    gpg: key 063938BA42CFA724: public key "Marek Marczykowski-Górecki (Qubes OS signing key)" imported
    gpg: qubes-secpack/keys/core-devs/retired: read error: Is a directory
    gpg: no valid OpenPGP data found.
    gpg: key 8C05216CE09C093C: 1 signature not checked due to a missing key
    gpg: key 8C05216CE09C093C: public key "HW42 (Qubes Signing Key)" imported
    gpg: key DA0434BC706E1FCF: public key "Simon Gaiser (Qubes OS signing key)" imported
    gpg: key 8CE137352A019A17: 2 signatures not checked due to missing keys
    gpg: key 8CE137352A019A17: public key "Andrew David Wong (Qubes Documentation Signing Key)" imported
    gpg: key AAA743B42FBC07A9: public key "Brennan Novak (Qubes Website & Documentation Signing)" imported
    gpg: key B6A0BB95CA74A5C3: public key "Joanna Rutkowska (Qubes Documentation Signing Key)" imported
    gpg: key F32894BE9684938A: public key "Marek Marczykowski-Górecki (Qubes Documentation Signing Key)" imported
    gpg: key 6E7A27B909DAFB92: public key "Hakisho Nukama (Qubes Documentation Signing Key)" imported
    gpg: key 485C7504F27D0A72: 1 signature not checked due to a missing key
    gpg: key 485C7504F27D0A72: public key "Sven Semmler (Qubes Documentation Signing Key)" imported
    gpg: key BB52274595B71262: public key "unman (Qubes Documentation Signing Key)" imported
    gpg: key DC2F3678D272F2A8: 1 signature not checked due to a missing key
    gpg: key DC2F3678D272F2A8: public key "Wojtek Porczyk (Qubes OS documentation signing key)" imported
    gpg: key FD64F4F9E9720C4D: 1 signature not checked due to a missing key
    gpg: key FD64F4F9E9720C4D: public key "Zrubi (Qubes Documentation Signing Key)" imported
    gpg: key DDFA1A3E36879494: "Qubes Master Signing Key" not changed
    gpg: key 1848792F9E2795E9: public key "Qubes OS Release 4 Signing Key" imported
    gpg: qubes-secpack/keys/release-keys/retired: read error: Is a directory
    gpg: no valid OpenPGP data found.
    gpg: key D655A4F21830E06A: public key "Marek Marczykowski-Górecki (Qubes security pack)" imported
    gpg: key ACC2602F3F48CB21: public key "Qubes OS Security Team" imported
    gpg: qubes-secpack/keys/security-team/retired: read error: Is a directory
    gpg: no valid OpenPGP data found.
    gpg: key 4AC18DE1112E1490: public key "Simon Gaiser (Qubes Security Pack signing key)" imported
    gpg: Total number processed: 17
    gpg:               imported: 16
    gpg:              unchanged: 1
    gpg: marginals needed: 3  completes needed: 1  trust model: pgp
    gpg: depth: 0  valid:   1  signed:   6  trust: 0-, 0q, 0n, 0m, 0f, 1u
    gpg: depth: 1  valid:   6  signed:   0  trust: 6-, 0q, 0n, 0m, 0f, 0u
    
  7. Verify signed Git tags.

    $ cd qubes-secpack/
    $ git tag -v `git describe`
    object 266e14a6fae57c9a91362c9ac784d3a891f4d351
    type commit
    tag marmarek_sec_266e14a6
    tagger Marek Marczykowski-Górecki 1677757924 +0100
       
    Tag for commit 266e14a6fae57c9a91362c9ac784d3a891f4d351
    gpg: Signature made Thu 02 Mar 2023 03:52:04 AM PST
    gpg:                using RSA key 2D1771FE4D767EDC76B089FAD655A4F21830E06A
    gpg: Good signature from "Marek Marczykowski-Górecki (Qubes security pack)" [full]
    

    The exact output will differ, but the final line should always start with gpg: Good signature from... followed by an appropriate key. The [full] indicates full trust, which this key inherits in virtue of being validly signed by the QMSK.

  8. Verify PGP signatures, e.g.:

    $ cd QSBs/
    $ gpg --verify qsb-087-2022.txt.sig.marmarek qsb-087-2022.txt
    gpg: Signature made Wed 23 Nov 2022 04:05:51 AM PST
    gpg:                using RSA key 2D1771FE4D767EDC76B089FAD655A4F21830E06A
    gpg: Good signature from "Marek Marczykowski-Górecki (Qubes security pack)" [full]
    $ gpg --verify qsb-087-2022.txt.sig.simon qsb-087-2022.txt
    gpg: Signature made Wed 23 Nov 2022 03:50:42 AM PST
    gpg:                using RSA key EA18E7F040C41DDAEFE9AA0F4AC18DE1112E1490
    gpg: Good signature from "Simon Gaiser (Qubes Security Pack signing key)" [full]
    $ cd ../canaries/
    $ gpg --verify canary-034-2023.txt.sig.marmarek canary-034-2023.txt
    gpg: Signature made Thu 02 Mar 2023 03:51:48 AM PST
    gpg:                using RSA key 2D1771FE4D767EDC76B089FAD655A4F21830E06A
    gpg: Good signature from "Marek Marczykowski-Górecki (Qubes security pack)" [full]
    $ gpg --verify canary-034-2023.txt.sig.simon canary-034-2023.txt
    gpg: Signature made Thu 02 Mar 2023 01:47:52 AM PST
    gpg:                using RSA key EA18E7F040C41DDAEFE9AA0F4AC18DE1112E1490
    gpg: Good signature from "Simon Gaiser (Qubes Security Pack signing key)" [full]
    

    Again, the exact output will differ, but the final line of output from each gpg --verify command should always start with gpg: Good signature from... followed by an appropriate key.

For this announcement (Qubes Canary 045), the commands are:

$ gpg --verify canary-045-2025.txt.sig.marmarek canary-045-2025.txt
$ gpg --verify canary-045-2025.txt.sig.simon canary-045-2025.txt

You can also verify the signatures directly from this announcement in addition to or instead of verifying the files from the qubes-secpack. Simply copy and paste the Qubes Canary 045 text into a plain text file and do the same for both signature files. Then, perform the same authentication steps as listed above, substituting the filenames above with the names of the files you just created.
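The checks in steps 7 and 8 can be scripted so that the result does not depend on reading the "Good signature" line by eye. The following is an added example, not part of the Qubes announcement or the qubes-secpack: it parses GnuPG's machine-readable --status-fd output and pins the two signer fingerprints shown in the sample output above. The function names and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: strict verification of a canary's detached signatures.
# Fingerprints are the ones printed in this page's sample output (steps 7 and 8).
MARMAREK_FPR=2D1771FE4D767EDC76B089FAD655A4F21830E06A
SIMON_FPR=EA18E7F040C41DDAEFE9AA0F4AC18DE1112E1490

# check_status EXPECTED_FPR
# Reads the output of `gpg --status-fd 1 --verify ...` on stdin and succeeds only if:
#   - exactly one VALIDSIG line is present,
#   - its primary-key fingerprint (last field; field 3 if absent) equals EXPECTED_FPR,
#   - the key's validity is full or ultimate (it is certified via a key you trust,
#     which after step 4 means the QMSK),
#   - no bad, erroneous, expired or revoked signature was reported.
check_status() {
    expected=$1
    awk -v want="$expected" '
        $1 != "[GNUPG:]" { next }
        $2 == "VALIDSIG" { n++; fpr = (NF >= 12 ? $12 : $3) }
        $2 == "TRUST_FULLY" || $2 == "TRUST_ULTIMATE" { trusted = 1 }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        END {
            if (bad)         { print "rejected: bad, expired or revoked signature"; exit 1 }
            if (n != 1)      { print "rejected: expected exactly one valid signature"; exit 1 }
            if (fpr != want) { print "rejected: signed by unexpected key " fpr; exit 1 }
            if (!trusted)    { print "rejected: signing key is not certified by a trusted key"; exit 1 }
            print "ok: " fpr
        }'
}

# verify_canary DIR NAME
# Example: verify_canary qubes-secpack/canaries canary-045-2025.txt
# Requires a valid signature from BOTH signers; a missing .sig file counts as failure
# because gpg then emits no VALIDSIG line.
verify_canary() {
    dir=$1
    name=$2
    for pair in "marmarek:$MARMAREK_FPR" "simon:$SIMON_FPR"; do
        signer=${pair%%:*}
        fpr=${pair#*:}
        gpg --status-fd 1 --verify "$dir/$name.sig.$signer" "$dir/$name" 2>/dev/null \
            | check_status "$fpr" || return 1
    done
}

# Constructed status-fd lines (not captured from a real run) for trying
# check_status offline. Key IDs and fingerprints are the ones shown on this page.
sample_status() {
    case $1 in
        good)
            printf '[GNUPG:] NEWSIG\n'
            printf '[GNUPG:] GOODSIG D655A4F21830E06A constructed-uid\n'
            printf '[GNUPG:] VALIDSIG %s 2023-03-02 1677757908 0 4 0 1 10 00 %s\n' \
                "$MARMAREK_FPR" "$MARMAREK_FPR"
            printf '[GNUPG:] TRUST_FULLY 0 pgp\n' ;;
        untrusted)
            # Signature is cryptographically valid, but the key was never
            # certified by the QMSK: gpg would print "[unknown]" here.
            printf '[GNUPG:] NEWSIG\n'
            printf '[GNUPG:] GOODSIG D655A4F21830E06A constructed-uid\n'
            printf '[GNUPG:] VALIDSIG %s 2023-03-02 1677757908 0 4 0 1 10 00 %s\n' \
                "$MARMAREK_FPR" "$MARMAREK_FPR"
            printf '[GNUPG:] TRUST_UNDEFINED 0 pgp\n' ;;
        bad)
            # File content does not match the signature.
            printf '[GNUPG:] NEWSIG\n'
            printf '[GNUPG:] BADSIG D655A4F21830E06A constructed-uid\n' ;;
        *)
            return 1 ;;
    esac
}

# Run as: sh verify-canary.sh qubes-secpack/canaries canary-045-2025.txt
if [ "$#" -eq 2 ]; then
    verify_canary "$1" "$2"
fi
```

Pinning the fingerprint and the trust level rejects a canary that is validly signed by some other key in your keyring, a case that still prints "Good signature" in the human-readable output.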

10 December, 2025 12:00AM

December 09, 2025

Ubuntu developers

Ubuntu Blog: Canonical to distribute AMD ROCm AI/ML and HPC libraries in Ubuntu

Canonical is pleased to announce an expanded collaboration with AMD to package and maintain AMD ROCm™ software directly in Ubuntu. AMD ROCm is an open software ecosystem to enable hardware-accelerated AI/ML and HPC workloads on AMD Instinct™ and AMD Radeon™ GPUs, simplifying the deployment of AI infrastructure with long term support from Canonical.

Canonical has formed a dedicated team of engineers to package the AMD ROCm software libraries to streamline installation, support, and long-term maintenance on Ubuntu. Canonical will also submit these packages for consideration in Debian.

This work will simplify the delivery of AMD AI solutions in data centers, workstations, laptops, Windows Subsystem for Linux, and edge environments. AMD ROCm software will be available as a dependency for any Debian package, snap, or Docker image (OCI) build.  Performance fixes and security patches will automatically be available to production systems.

This collaboration aims to make AMD ROCm software available in Ubuntu starting with Ubuntu 26.04 LTS, with updates available in every subsequent Ubuntu release.  

AMD ROCm software: a commitment to open source 

Canonical works with silicon industry leaders to incorporate the software libraries and drivers that accelerate applications on their silicon directly into Ubuntu. Comprehensive support for the latest silicon dramatically accelerates developer adoption and production deployments.

For AMD, the software that enables hardware-accelerated AI processing is called ROCm. It is an open software platform that includes runtimes, compilers, libraries, kernel components, and drivers that together accelerate industry-standard frameworks such as PyTorch, TensorFlow, JAX, and more on supported AMD GPUs and APUs.

“AMD ROCm software enables open, high-performance acceleration for AI and HPC on AMD hardware. Working with Canonical to package AMD ROCm for Ubuntu makes it easier for developers and enterprises to deploy AMD solutions on supported systems,” said Andrej Zdravkovic, Senior Vice President, GPU Technologies and Engineering Software and Chief Software Officer at AMD.     

Packaging AMD ROCm in Ubuntu underscores the strong AMD commitment to developer experience and enterprise experience:

  • Simpler installation with ‘apt install rocm’ or as an automatic dependency for other projects, like ollama-amd.
  • Both stable LTS and fresh ROCm versions every six months will be available, to ensure immediate support for the latest hardware and software.
  • Easy security fixes and performance improvements (just “apt upgrade”).
  • Up to 15 years of support for AMD ROCm in Ubuntu LTS versions under Ubuntu Pro. 
  • Personal Ubuntu Pro subscriptions are free.

“We are delighted to work alongside AMD and the community to package AMD ROCm libraries directly into Ubuntu,” said Cindy Goldberg, SVP of Silicon and Cloud Alliances at Canonical. “This will simplify the use of AMD hardware and software for AI workloads, and enable organizations to meet security and maintenance requirements for production use at scale.”

Improved hardware support

Canonical works closely with hardware manufacturers to test, optimize, and certify Ubuntu for their devices, and to integrate the required software drivers and kernel patches to support that hardware. Thanks to this extensive hardware program, Ubuntu runs equally well on laptops, workstations, servers, and IoT/edge devices, and developers have a seamless path from development through to deployment.

09 December, 2025 05:38PM

GreenboneOS

React2Shell: A Critical React and Next.js Flaw Is Actively Exploited

On December 3rd 2025, a new maximum-CVSS software flaw affecting React (aka ReactJS) exploded onto the cybersecurity landscape. Dubbed React2Shell, CVE-2025-55182 is already actively exploited. Users are urged to verify their exposure and patch immediately if affected. React is the most popular JavaScript library for building modern web-application user interfaces (UIs) implying that the […]

09 December, 2025 12:50PM by Joseph Lee

Deepin

December 08, 2025

VyOS

VyOS Project November 2025 Update

Hello, Community!

The update for November is here! There are two big features: TLS support for syslog and IPFIX support in VPP, good progress in replacing the old configuration backend, and multiple bug fixes.

08 December, 2025 01:03PM by Daniil Baturin (daniil@sentrium.io)

Ubuntu developers

Ubuntu Blog: How telco companies can reduce 5G infrastructure costs with modern open source cloud-native technologies

5G continues to transform the telecommunications landscape, enabling massive device density, edge computing, and new enterprise use cases. However, operators still face significant cost pressures: from accelerating RAN modernization and 5G SA rollouts to energy demands and the shift to cloud-native network functions (CNFs). As telcos redesign their infrastructure strategies, open source has become a key lever to reduce costs, increase flexibility, and accelerate innovation.

This blog outlines today’s primary 5G infrastructure challenges and highlights how modern open source cloud technologies from Canonical help operators address them.

The telco dilemma: 5G infrastructure challenges

With the advancements of 5G and more complex deployments, telcos face several challenges in building and maintaining 5G infrastructure, including:

  1. High investment costs: 5G infrastructure requires significant investment in new hardware and software, especially for hosting the virtualization infrastructure necessary to run 5G software.
  2. Rising OPEX and energy costs: Power consumption of distributed 5G sites is now one of the largest operational expenses.
  3. Cloud-native complexity: Moving from virtualized network functions (VNFs) to cloud-native network functions (CNFs) increases the need for Kubernetes-scale automation and observability.
  4. Disaggregated RAN and multi-vendor integrations: Open RAN and virtualised RAN require consistent infrastructure, automation and lifecycle management.
  5. Limited spectrum: The available spectrum for 5G is limited and highly regulated, which can make it difficult for telcos to acquire and use.
  6. Edge footprint explosion: 5G MEC deployments increase the number of sites operators must manage.
  7. Talent and skills gaps: Cloud-native and Kubernetes skills remain scarce in telecom operations teams.
  8. Security: 5G networks are vulnerable to cyber attacks, which can compromise the security and privacy of users’ data. The attack surface is larger with 5G compared to previous generations of mobile networks.
  9. Vendor lock-in: A telecom operator is heavily dependent on one or a few vendors for all of its 5G network infrastructure and services, making it difficult for the operator to switch to another vendor without incurring significant costs and disruption to its network.

How open source is changing the game

Open source plays a central role in enabling telcos to modernise their networks: from VNF virtualization to full cloud-native CNF deployments. By standardizing on open platforms like Ubuntu, Kubernetes and OpenStack, operators reduce infrastructure licensing costs, improve interoperability, and accelerate innovation. Today, most large operators run the majority of their 5G core workloads on open source infrastructure.

Shared standards

Open source communities, including CNCF, O-RAN Alliance and Project Sylva, provide common frameworks that reduce integration effort. By adopting open standards, operators can more easily mix vendors and ensure long-term ecosystem interoperability.

Avoid vendor lock-in

In line with the development of shared standards, open source solutions can help avoid vendor lock-in by providing access to code that can be modified and adapted to meet specific needs. This means that telcos and ISVs can avoid being tied to a particular vendor or technology stack and choose the best solutions for their specific requirements instead.

Meet telco-specific requirements

Telcos have demanding requirements when it comes to performance, reliability, and security. Long-term support (LTS) is important in the telco industry, as telcos often have long release deployment cycles. Open source solutions that are supported over the long term, with no API breaks or major changes that could disrupt telco operations (i.e. 12-month release at least, and a few years on average), are the foremost choice for telcos. This is usually a vendor-driven decision, but choosing the right open source software with the right vendor is key. Reaching a telco-grade system means first working through all the interoperability and integration challenges, so it is reasonable for an operator to expect the support cycle to be as long as possible.

Performance, flexibility, and automation are key requirements in the telco industry, as they enable telcos to operate more efficiently and effectively. By leveraging the expertise of the wider community, telcos and ISVs can build solutions that are optimised for telco environments and that can be easily customised to meet specific requirements.

Cost optimization

Open source software offers cost savings compared to proprietary solutions, which can be especially beneficial for organizations with limited budgets. With open source software, organizations do not need to pay for licenses, and there are no vendor lock-ins. They can leverage the vast community of developers and users to troubleshoot issues and implement new features. In addition to removing licensing fees, open source automation frameworks significantly reduce operational costs by simplifying CNF lifecycle management, improving energy optimization, and enabling consistent operations across core, edge and RAN deployments.

Security

The telecom sector handles a vast amount of sensitive information, including personal and financial data, making it a prime target for cyber-attacks. There are several data privacy and security concerns that the telecom sector faces, including data breaches, malware attacks, insider threats, lack of compliance, etc. In this regard, open source software vulnerabilities are often patched more quickly than with proprietary software. In addition, open source software is transparent and customisable, making it easier to meet the operator’s unique needs and implement security features that align with their security requirements.

In the sections that follow we provide example applications for open source solutions across the telco stack, with a focus on tooling supported by Canonical.

Open source solutions for telcos

Canonical’s telco portfolio spans the entire network – from RAN compute nodes to edge clouds, MEC platforms, private clouds and public-cloud deployments. Ubuntu and our cloud-native infrastructure stack (MAAS, MicroCloud, OpenStack, Kubernetes and Juju) provide a consistent operational model across all layers of the 5G architecture. This enables telcos to meet any current or future use cases – from OpenRAN to next-generation Core (5G and beyond) and AI at the edge. Ubuntu Pro is Canonical’s comprehensive subscription for enterprise security, compliance and support.


Open source for RAN

vRAN and Open RAN deployments require high performance, low latency and hardware acceleration. Canonical works closely with Intel FlexRAN, NVIDIA Aerial and ARM ecosystem partners to optimize Ubuntu for RAN workloads.

Another major Canonical contribution for RAN edge use cases is MicroCloud, which reproduces the APIs and primitives of the big clouds at the scale of the edge. MicroClouds are typically targeted to easily deploy and lifecycle manage distributed micro clouds – bare metal compute clusters of between 3 and 100 nodes. A Canonical MicroCloud stack consists of certain building blocks. The details for each component are covered in our Telco 5G infrastructure whitepaper.

Open source for core networks

Most operators deploy their 5G Core on private clouds to maintain strict performance and security control. Canonical’s reference architecture – MAAS for bare metal, OpenStack for virtualised infrastructure, Kubernetes for CNFs, and Juju for automation – provides a proven, carrier-grade cloud foundation adopted by major network equipment providers (NEPs) and operators globally.


Canonical stack for private clouds

Open source for public and hybrid clouds

Ubuntu is known for its reliability, security, and versatility, making it a popular choice for telecom companies that require a stable and secure operating system to run telco applications in the public cloud. A hybrid cloud architecture combines the usage of a private cloud and one or more public cloud services with a workload orchestration engine between the platforms. Using Juju, operators can orchestrate and lifecycle-manage the same CNF or VNF stack across private OpenStack, MicroCloud edge clusters, and hyperscalers. Juju automation provides a consistent approach that natively supports all major hyperscaler APIs and is a de facto standard tool for MicroClouds in edge use cases. Additionally, Ubuntu Pro for Public Clouds provides telcos with capabilities based on their unique requirements. Details of these requirements and features from Ubuntu are given in this blog series: Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure.

Wrapping up

5G infrastructure modernization continues to introduce new operational and cost challenges. Open source cloud technologies, combined with Canonical’s automation and long-term support, help operators simplify their architectures, reduce OPEX, and accelerate the shift to cloud-native 5G.

To explore the latest best practices, speak with our telco specialists.

08 December, 2025 12:38PM

GreenboneOS

Greenbone Is Preparing For The Post Quantum Age

Q-Day marks the moment when quantum computers will render classical cryptography standards obsolete. The risks posed by quantum computers demand a migration to Post Quantum Cryptography (PQC). Greenbone is proactively preparing for this future—upgrading our internal infrastructure, auditing partners, and enhancing the OPENVAS SECURITY INTELLIGENCE platform with upgraded detection and new auditing features. The goal […]

08 December, 2025 11:04AM by Greenbone AG

BunsenLabs Linux

December 06, 2025

Ubuntu developers

Salih Emin: Fix Broken Updates: uCareSystem New Release uCareSystem v25.12

Let’s be honest. Dealing with broken updates is a nightmare. We’ve all experienced that moment of panic when you run an update, step away for coffee, and return to a terminal screen full of angry red error messages. That is exactly why uCareSystem exists, and today, it gets even better at preventing these issues.

Fix Broken Updates: uCareSystem New Release

I’m thrilled to announce the latest release of uCareSystem. As the sole developer, I feel the pain of broken updates personally. For this version, I spent a lot of time under the hood, focusing on making sure the tool doesn’t just work when everything is perfect, but proactively fixes issues before they break your system.

Here is why you should upgrade to the new version and say goodbye to broken updates for good:

Prevent Broken Updates with Pre-flight Checks

The most frustrating broken updates are the ones that fail because of something that happened last week.

The new uCareSystem introduces automated pre-flight checks. Think of it as a bouncer for your update process. Before it lets any new packages in, it checks the ID of your system to prevent broken updates. It now automatically detects and attempts to fix:

  • Those annoying stale dpkg locks that require a reboot.
  • Installations that were interrupted (ghosts of updates past).
  • Broken dependencies that threaten to ruin your day.

The goal is simple: You press the button, and it actually works.

A UI Upgrade for Better Monitoring

While staring at scrolling walls of monochrome text makes us feel like hackers in a 90s movie, it’s not great for spotting errors.

I’ve given the uCareSystem terminal interface a significant makeover. With improved color coding, better progress indicators, and real-time output logging, you’ll now have a much clearer idea of the process, helping you catch potential issues that could lead to broken updates.

Robustness: Avoiding Broken Updates in Containers

Linux runs everywhere now. To keep up, uCareSystem needs to be flexible.

  • Containers & WSL: I’ve improved systemd detection so the tool plays nicely even in environments like Docker containers and Windows Subsystem for Linux (WSL).
  • Internet Reality Check: I added better connectivity checks. Trying to download updates without a stable connection is a common cause of broken updates, and we now handle that gracefully.
  • Auto-Recovery: If a dpkg process trips and falls midway, the software now has mechanisms to help pick it back up automatically.

Spring Cleaning the Code with ShellCheck

For the code-peepers out there who like to look under the hood: I did some massive spring cleaning. Extensive refactoring and complying with ShellCheck standards mean the codebase is now cleaner and safer. This ensures better maintainability and fewer bugs in the future.


Give the new version a spin. Hopefully, it makes your system maintenance totally boring—and completely free of broken updates.

By the Numbers

This was a significant undertaking, reflected in the statistics for this release:

  • 38 files changed:
  • 2,030 additions,
  • 718 deletions

Please take a look at the comprehensive release notes in the repository: https://github.com/Utappia/uCareSystem/releases/tag/v25.12.04

This release is a testament to my commitment to quality and my vision for the future of uCareSystem as a one-stop system maintenance tool for Debian and Ubuntu. I am confident that I laid a stronger foundation that will allow for even more exciting features and faster development in the future.

I am deeply grateful to the community members who supported the previous development cycle through donations or code contributions:

  • P. Laoughman (Thanks for your continued support)
  • W. Schreinemachers (Thanks for your continued support)
  • D. Luchini (Thanks for your continued support)
  • M. Van Hoof
  • Frankie P.
  • M. Ryser
  • Th. Ploumis
  • M. Stade
  • K. J. Rasmussen

Every version also has a code name, dedicating the release in honor of one of the contributors. For historical reference, you can check all previous honored releases.

Where can I download uCareSystem?

As always, I want to express my gratitude for your support over the past 15 years. I have received countless messages from inside and outside Greece about how useful they found the application. I hope you find the new version useful as well.

If you’ve found uCareSystem to be valuable and it has saved you time, consider showing your appreciation with a donation. You can contribute via PayPal or Debit/Credit Card by clicking on the banner.

Pay what you want: Click the donate button and enter the amount you want to donate. Then you will be navigated to the page with the latest version to download the installer.

Maybe next time: If you don’t want to donate this time, just click the download icon to be navigated to the page with the latest version to download the installer.

Once installed, the updates for new versions will be installed along with your regular system updates.

The post Fix Broken Updates: uCareSystem New Release uCareSystem v25.12 appeared first on Utappia.

06 December, 2025 03:59PM

Qubes

Qubes OS 4.3.0-rc4 is available for testing

We’re pleased to announce that the fourth release candidate (RC) for Qubes OS 4.3.0 is now available for testing. This minor release includes many new features and improvements over Qubes OS 4.2.

What’s new in Qubes 4.3?

  • Dom0 upgraded to Fedora 41 (#9402).
  • Xen upgraded to version 4.19 (#9420).
  • Default Fedora template upgraded to Fedora 42 (older versions not supported).
  • Default Debian template upgraded to Debian 13 (versions older than 12 not supported).
  • Default Whonix templates upgraded to Whonix 18 (upgraded from 17.4.3 in RC2; versions older than 18 no longer supported).
  • Preloaded disposables (#1512).
  • Device “self-identity oriented” assignment (a.k.a. New Devices API) (#9325).
  • Qubes Windows Tools reintroduced with improved features (#1861).

These are just a few highlights from the many changes included in this release. For a more comprehensive list of changes, see the Qubes OS 4.3 release notes.

When is the stable release?

That depends on the number of bugs discovered in this RC and their severity. As explained in our release schedule documentation, our usual process after issuing a new RC is to collect bug reports, triage the bugs, and fix them. If warranted, we then issue a new RC that includes the fixes and repeat the process. We continue this iterative procedure until we’re left with an RC that’s good enough to be declared the stable release. No one can predict, at the outset, how many iterations will be required (and hence how many RCs will be needed before a stable release), but we tend to get a clearer picture of this as testing progresses.

Barring any surprises uncovered by testing, we expect this fourth RC to be the final one, which means that we hope to declare this RC to be the stable 4.3.0 release at the conclusion of its testing period.

How to test Qubes 4.3.0-rc4

Thanks to those who tested earlier 4.3 RCs and reported bugs they encountered, 4.3.0-rc4 now includes fixes for several bugs that were present in those prior RCs!

If you’d like to help us test this RC, you can upgrade to Qubes 4.3.0-rc4 with either a clean installation or an in-place upgrade from Qubes 4.2. (Note for in-place upgrade testers: qubes-dist-upgrade now requires --releasever=4.3 and may require --enable-current-testing for testing releases like this RC.) As always, we strongly recommend making a full backup beforehand and updating Qubes OS immediately afterward in order to apply all available bug fixes.

If you’re currently using an earlier 4.3 RC and wish to update to 4.3.0-rc4, please update normally with current-testing enabled. If you use Whonix, please also upgrade from Whonix 17 to 18, if you have not already done so.

Please help us improve the eventual stable release by reporting any bugs you encounter. If you’re an experienced user, we encourage you to join the testing team.

Known issues in Qubes OS 4.3.0-rc4

It is possible that templates restored in 4.3.0-rc4 from a pre-4.3 backup may continue to target their original Qubes OS release repos. This does not affect fresh templates on a clean 4.3.0-rc4 installation. For more information, see issue #8701.

View the full list of known bugs affecting Qubes 4.3 in our issue tracker.

What’s a release candidate?

A release candidate (RC) is a software build that has the potential to become a stable release, unless significant bugs are discovered in testing. RCs are intended for more advanced (or adventurous!) users who are comfortable testing early versions of software that are potentially buggier than stable releases. You can read more about Qubes OS supported releases and the version scheme in our documentation.

What’s a minor release?

The Qubes OS Project uses the semantic versioning standard. Version numbers are written as [major].[minor].[patch]. Hence, releases that increment the second value are known as “minor releases.” Minor releases generally include new features, improvements, and bug fixes that are backward-compatible with earlier versions of the same major release. See our supported releases for a comprehensive list of major and minor releases and our version scheme documentation for more information about how Qubes OS releases are versioned.

06 December, 2025 12:00AM

December 05, 2025

hackergotchi for Maemo developers

Maemo developers

Meow: Process log text files as if you could make cat speak

Some years ago I had mentioned some command line tools I used to analyze and find useful information on GStreamer logs. I’ve been using them consistently along all these years, but some weeks ago I thought about unifying them in a single tool that could provide more flexibility in the mid term, and also as an excuse to unrust my Rust knowledge a bit. That’s how I wrote Meow, a tool to make cat speak (that is, to provide meaningful information).

The idea is that you can cat a file through meow and apply the filters, like this:

cat /tmp/log.txt | meow appsinknewsample n:V0 n:video ht: \
ft:-0:00:21.466607596 's:#([A-za-z][A-Za-z]*/)*#'

which means “select those lines that contain appsinknewsample (with case insensitive matching), but don’t contain V0 nor video (that is, by exclusion, only that contain audio, probably because we’ve analyzed both and realized that we should focus on audio for our specific problem), highlight the different thread ids, only show those lines with timestamp lower than 21.46 sec, and change strings like Source/WebCore/platform/graphics/gstreamer/mse/AppendPipeline.cpp to become just AppendPipeline.cpp“, to get an output as shown in this terminal screenshot:

Screenshot of a terminal output showing multiple log lines. Some of them have the word "appsinkNewSample" highlighted in red. Some lines have the hexadecimal id of the thread that printed them highlighted (purple for one thread, brown for the other)

Cool, isn’t it? After all, I’m convinced that the answer to any GStreamer bug is always hidden in the logs (or will be, as soon as I add “just a couple of log lines more, bro

05 December, 2025 11:16AM by Enrique Ocaña González (eocanha@igalia.com)

hackergotchi for Ubuntu developers

Ubuntu developers

Ubuntu Blog: From cloud to dashboard: experience the future of infotainment development at CES 2026

Every year at CES, we try to go beyond showing technology; we want to give you an experience. This time, it’s the story of how in-vehicle infotainment development is transforming, and how developers can now build, test, and deploy immersive experiences faster than ever.

This year, we’re excited to show a demo that combines the strengths of both Anbox Cloud and Rightware’s Kanzi, the industry-leading software for creating rich, visually stunning infotainment interfaces. It demonstrates cloud-native development, automation, and how virtualization can open up completely new ways to design and test next-generation in-vehicle experiences.

Bridging design, development, and validation

Automotive software development has become incredibly complex. Teams are often focused on their own discipline: UI designers on immersive experiences, Android developers on building integrations, and validation engineers on reliability across hardware variants. These teams can’t always collaborate seamlessly.

Testing an infotainment system means being able to access specific hardware or prototypes, which makes iteration slow and collaboration difficult. Small design updates can take days to validate, and testing across different screen configurations or performance conditions is often limited by the availability of physical setups.

We wanted to change that by bringing agility and scalability to infotainment development.

Infotainment comes to life in the cloud

In our demo, we’ll show how Anbox Cloud turns this traditionally hardware-bound process into a fully virtualized, cloud-native experience. By running Android in the cloud, developers can instantly deploy and test infotainment environments built using Kanzi, on demand, at any scale, from anywhere.

Widescreen 8K infotainment CES demo

Our setup fits perfectly with Rightware’s widescreen 8K infotainment and cluster bench, powered by Kanzi. Developers can stream the exact same 8K rendering using Anbox Cloud. The result is an impressive, interactive experience, generated and streamed entirely from the cloud.

8K virtual Android device running on Anbox Cloud

Thanks to Anbox Cloud, Android can be virtualized to any resolution, with pixel-perfect rendering and responsiveness. It can scale to dozens of Android instances running simultaneously, so teams can run automated testing, validate UI performance, and work on the system updates in parallel. Your development becomes faster, collaborative, and independent of physical limitations.

Why choose cloud-native Android development?

When you move your development testing to the cloud, designers and developers can collaborate in real time and see their changes without waiting for hardware to be available. Validation teams can run automated tests on multiple Android instances, across different configurations. For OEMs and Tier 1 suppliers, this means shorter development cycles, more efficient resource use, and faster results.

“Kanzi has always been about empowering designers and developers to bring exceptional in-vehicle experiences to life,” says Tero Koivu, Co-CEO at Rightware. “Seeing a Kanzi made UI streamed at 8K through Anbox Cloud shows how cloud-native workflows can dramatically accelerate iteration and collaboration. It opens a powerful new path for teams building the next generation of connected, visually stunning automotive user interfaces.”

See it at CES 2026

Join us at LVCC, North Hall, Booth #10562, and check out the workflow for yourself. You’ll see how Kanzi and Anbox Cloud come together to deliver high-fidelity, scalable, cloud-native infotainment experiences, and how this is redefining the way developers can use Android in the cloud.

Book a meeting with our team

Come see the future of automotive software development, from cloud to dashboard.

In the meantime, learn more about Anbox Cloud, and Rightware.

Further reading

Official documentation
Anbox Cloud Appliance
Learn more about Anbox Cloud 


Android is a trademark of Google LLC. Anbox Cloud uses assets available through the Android Open Source Project.

05 December, 2025 08:00AM

December 04, 2025

Colin Watson: Free software activity in November 2025

My Debian contributions this month were all sponsored by Freexian. I had a bit less time than usual, because Freexian collaborators gathered in Marseille this month for our yearly sprint, doing some planning for next year.

You can also support my work directly via Liberapay or GitHub Sponsors.

OpenSSH

I began preparing for the second stage of the GSS-API key exchange package split (some details have changed since that message). It seems that we’ll need to wait until Ubuntu 26.04 LTS has been released, but that’s close enough that it’s worth making sure we’re ready. This month I just did some packaging cleanups that would otherwise have been annoying to copy, such as removing support for direct upgrades from pre-bookworm. I’m considering some other package rearrangements to make the split easier to manage, but haven’t made any decisions here yet.

This also led me to start on a long-overdue bug triage pass, mainly consisting of applying usertags to lots of our open bugs to sort them by which program they apply to, and also closing a few that have been fixed, since some bugs will eventually need to be reassigned to GSS-API packages and it would be helpful to make them easier to find. At the time of writing, about 30% of the bug list remains to be categorized this way.

Python packaging

I upgraded these packages to new upstream versions:

I packaged django-pgtransaction and backported it to trixie, since we plan to use it in Debusine; and I adopted python-certifi for the Python team.

I fixed or helped to fix several other build/test failures:

I fixed a couple of other bugs:

Other bits and pieces

Code reviews

04 December, 2025 05:55PM

hackergotchi for Proxmox VE

Proxmox VE

Proxmox Datacenter Manager 1.0 (stable)

We're very excited to present the first stable release of our new Proxmox Datacenter Manager!

Proxmox Datacenter Manager is an open-source, centralized management solution to oversee and manage multiple, independent Proxmox-based environments. It provides an aggregated view of all your connected nodes and clusters and is designed to manage complex and distributed infrastructures, from local installations to globally scaled data centers. With multi-cluster management it enables management...


04 December, 2025 11:49AM by t.lamprecht (invalid@example.com)

December 03, 2025

hackergotchi for Grml developers

Grml developers

Michael Prokop: HTU Bigband: Christmas concert on 12 December 2025

HTU Bigband Christmas party

Christmas in December, and with good big band music at that! 🎄

On 12 December 2025 we invite you to a Christmas concert of a special kind, with the HTU Bigband at Mo.xx! There will be jazz-rock, swing, soul-pop, Latin + funk and, of course, plenty of good cheer. Doors open at 7 pm, admission is by voluntary donation, and from 7:30 pm there will be fine music for your ears. 🎶

🎵 What: fine big band music
⏰ When: Friday, 12 December 2025, from 7:30 pm
📍 Where: mo.xx, Moserhofgasse 34, Graz

Come along, ideally with family and friends! 🎅

03 December, 2025 07:20PM

hackergotchi for ZEVENET

ZEVENET

Why the Number of WAF Rules Doesn’t Reflect Its Real Effectiveness

In the network security ecosystem, there is a common practice: WAF (Web Application Firewall) solutions that boast thousands of active rules. For an administrator evaluating products, that number may seem reassuring — more rules should theoretically mean more protection. But when you dig deeper, you quickly discover that many of those rules don’t apply to your infrastructure at all.

In several major solutions on the market, part of the rule catalog is dedicated to protecting highly specific technologies: particular PBX models, proprietary hardware, niche admin panels, or applications used by a tiny segment of the industry. If you don’t use those technologies — and most companies don’t — those rules don’t provide security. They simply add overhead to every inspection, increasing latency and operational noise.

To make things worse, in many solutions the WAF behaves like a black box the administrator cannot access.
You cannot see what each rule does, you cannot modify it, you cannot disable it, and you cannot add your own logic. You must rely on a set of policies you don’t control, performing checks you can’t always interpret, and consuming resources on every request.

This leads to a scenario many engineers will immediately recognize:

  • A WAF with thousands of rules — and no visibility into how many actually apply to your environment.
  • False positives that are hard to diagnose because you cannot inspect the internal logic of the rule.
  • Difficulty understanding why a rule triggers or what pattern it is evaluating.

The Real Technical Problem Isn’t the Number of WAF Rules — It’s Their Relevance

When the inspection chain is full of irrelevant signatures, three things happen:

1. Processing costs increase.

Every irrelevant rule is still evaluated on each request, even if it will never trigger. This increases latency, consumes CPU unnecessarily, and adds load to the WAF pipeline without providing any real security. In high-traffic environments, this cumulative overhead can produce noticeable performance degradation.

2. Opacity escalates.

If you cannot see what each rule does or what pattern it evaluates, you cannot diagnose why a request is blocked or allowed. This lack of visibility prevents you from tuning your policy, obscures the WAF’s behaviour, and forces you to build your security strategy around the vendor’s assumptions rather than the needs of your architecture.

3. Control disappears.

If the security policy is a closed package, you cannot adapt it to your environment: you cannot fine-tune rules, disable those that don’t apply, or introduce your own logic. The only path to “improving” the system often ends up being additional proprietary modules, which add complexity but do not solve the underlying issue: the administrator has no real ability to design their own security posture.

This is why measuring a WAF by the number of rules it contains is an unreliable indicator. It says nothing about actual effectiveness and is often used more as a commercial argument than a technical benefit.
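The cost, visibility and control points above can be checked against a rule inventory. The following is an added illustration, not code from any WAF product or from the vendor: the rule IDs, the product scopes (pbx-x, cms-y, cam-z) and the sample requests are all constructed, and it assumes every rule is evaluated on every request with no early exit.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    rule_id: str   # constructed identifier, not from any real rule set
    scope: str     # "universal" or the product a signature is tied to
    field: str     # request field the rule inspects
    pattern: str   # regular expression; a match counts as a hit
    note: str      # human-readable description used in diagnostics


# Constructed catalogue: four cross-cutting rules plus three signatures tied
# to hypothetical products ("pbx-x", "cms-y", "cam-z").
CATALOGUE = [
    Rule("U-001", "universal", "query", r"(?i)\bunion\b.+\bselect\b", "SQLi: UNION SELECT"),
    Rule("U-002", "universal", "query", r"(?i)<script\b", "XSS: script tag"),
    Rule("U-003", "universal", "query", r"\.\./", "LFI: path traversal"),
    Rule("U-004", "universal", "method",
         r"^(?!(?:GET|HEAD|POST|PUT|PATCH|DELETE|OPTIONS)$)", "Protocol: unexpected method"),
    Rule("V-101", "pbx-x", "path", r"^/pbx-admin/", "pbx-x admin panel signature"),
    Rule("V-102", "cms-y", "query", r"(?i)\bcmsy_debug=", "cms-y debug switch signature"),
    Rule("V-103", "cam-z", "path", r"^/cgi-bin/camz\.cgi", "cam-z firmware signature"),
]

# Constructed traffic against a stack that runs none of the three products.
REQUESTS = [
    {"method": "GET", "path": "/index.php", "query": "id=1"},
    {"method": "GET", "path": "/search", "query": "q=1 UNION SELECT password FROM users"},
    {"method": "GET", "path": "/view", "query": "file=../../etc/passwd"},
    {"method": "POST", "path": "/comment", "query": "body=<script>alert(1)</script>"},
    {"method": "TRACE", "path": "/", "query": ""},
    {"method": "GET", "path": "/pbx-admin/login", "query": ""},
]


def relevant_rules(catalogue, deployed):
    """Keep universal rules and signatures for products actually deployed."""
    keep = {"universal"} | set(deployed)
    return [r for r in catalogue if r.scope in keep]


def inspect(request, rules):
    """Evaluate every rule (no early exit); return (hits, evaluations)."""
    hits = [r for r in rules if re.search(r.pattern, request.get(r.field, ""))]
    return hits, len(rules)


def explain(request, hits):
    """One readable log line per decision: verdict, rule, scope, field, value."""
    target = f'{request["method"]} {request["path"]}'
    if not hits:
        return f"ALLOW {target}"
    reasons = "; ".join(
        f"{r.rule_id} [{r.scope}] {r.note} on {r.field}={request[r.field]!r}"
        for r in hits)
    return f"BLOCK {target} :: {reasons}"


def compare(requests, catalogue, deployed):
    """Run the full and the pruned policy side by side over the same traffic."""
    pruned = relevant_rules(catalogue, deployed)
    report = {"evaluations_full": 0, "evaluations_pruned": 0,
              "divergent": [], "log": []}
    for req in requests:
        full_hits, n_full = inspect(req, catalogue)
        pruned_hits, n_pruned = inspect(req, pruned)
        report["evaluations_full"] += n_full
        report["evaluations_pruned"] += n_pruned
        report["log"].append(explain(req, pruned_hits))
        # Record requests whose verdict changes once irrelevant rules are gone,
        # together with the rules responsible, so the change can be reviewed.
        if bool(full_hits) != bool(pruned_hits):
            only_full = [r.rule_id for r in full_hits if r not in pruned_hits]
            report["divergent"].append((req["path"], only_full))
    return report


if __name__ == "__main__":
    result = compare(REQUESTS, CATALOGUE, deployed=[])
    print("rule evaluations, full policy:  ", result["evaluations_full"])
    print("rule evaluations, pruned policy:", result["evaluations_pruned"])
    for line in result["log"]:
        print(line)
    print("verdicts that differ after pruning:", result["divergent"])
```

With `deployed=[]`, the only verdict that changes after pruning is the request to `/pbx-admin/`, a path the assumed stack does not serve; listing such divergences is what lets an administrator review a pruning decision instead of trusting it.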

What Actually Matters in a Modern WAF

For an engineer evaluating a WAF seriously, the relevant criteria are very different:

✔ Cross-cutting rules, not signatures tied to applications you don’t use.
HTTP standards validation, universal attack patterns (SQLi, XSS, LFI), anomalies and protocol violations.

✔ Full transparency.
Visibility into each rule, its logic, its conditions, and its actions.

✔ Real control.
The ability to enable, disable, modify, or add rules based on your architecture.

✔ A reduced but effective rule set.
Less noise, fewer false positives, and lower CPU consumption.

✔ Clear diagnostics.
Readable logs, traceability, and visibility into the decision flow.

This is the type of design that allows an administrator to trust the system — not because the catalog is huge, but because the policy is clean, understandable, and aligned with real-world risk.

A Practical Approach: Rules That Matter, Not Inflated Catalogs

At SKUDONET we know that system administrators don’t need thousands of WAF rules — they need rules that make sense for their stack.
That’s why our WAF is built around a set of more than 700 universal rules, focused on two areas that affect any web application:

  • HTTP standard compliance: validating that requests are well-formed, that headers are consistent, and that the request flow follows the protocol.
  • Cross-technology attack patterns: SQLi, XSS, LFI, RCE… vulnerabilities that can affect PHP, Python, Node.js or any modern framework in the same way.

Administrators have full access to the policy: they can inspect each rule, understand what it evaluates, modify it, create new ones, or disable those they don’t need. The goal is to give engineers total control over WAF behaviour so they can tailor it precisely to their environment.

This approach avoids unnecessary overhead, reduces latency, and results in a policy that is more coherent, more traceable, and significantly easier to audit.

“Thousands of Rules” Model vs. SKUDONET’s Approach

“Thousands-of-rules” model | SKUDONET model
Many irrelevant signatures | Universal and meaningful rules
High processing cost | Low latency and optimized policy
Black-box behavior | Full visibility
Difficult troubleshooting | Clear auditing and real traceability

A WAF’s rule count tells you nothing about its actual security effectiveness — nor about its real coverage. Volume-based approaches usually translate into higher latency, less visibility, and less control.

It’s not about having more rules, it’s about having the right rules — and the ability to adjust them to what is truly happening inside your infrastructure.

If you want to validate a WAF where every rule is visible, adjustable and built for real relevance—not volume—you can request a 30-day full-featured trial of SKUDONET Enterprise Edition.

03 December, 2025 01:21PM by Nieves Álvarez

hackergotchi for GreenboneOS

GreenboneOS

November 2025 Threat Report: Data Theft Leads a Volatile Ransomware Landscape

Was November 2025 a quiet month for cyber security? No, of course not. Fallout from the Oracle EBS ransomware campaigns, which began in October, was widespread; over 29 organizations have been claimed by the Cl0p syndicate alone, with over 100 victims in total. This included Envoy Air (an American Airlines subsidiary), Cox Enterprises, Logitech, Harvard […]

03 December, 2025 11:25AM by Joseph Lee

hackergotchi for Deepin

Deepin

deepin Community Monthly Report for November 2025

I. November Community Data Overview

II. Community Products

1. deepin 25 Experience Optimization: Key Issue Fixes Enhance User Experience

In November, deepin 25 released the 25.0.9 update, further improving system stability and daily use experience through several key fixes. The R&D team is currently fully engaged in the development and testing of the deepin 25.1 internal beta and official release. This month's update focuses primarily on refining the user experience:

Network & Store Experience Fixes: Fixed an issue where the App Store page failed to load when IPv6 was enabled by default, ensuring a smooth App Store experience.

Taskbar & Update ...

03 December, 2025 07:48AM by xiaofei

December 02, 2025

hackergotchi for Ubuntu developers

Ubuntu developers

Ubuntu Blog: Canonical announces Ubuntu Pro for WSL

Ubuntu Pro for WSL provides turnkey security maintenance and enterprise support for Ubuntu 24.04 LTS WSL instances in Windows. The subscription will also enable comprehensive management for system administrators. 

Today, Canonical announced the general availability of Ubuntu Pro for WSL which can be installed from the Microsoft Store. Source and beta releases are also on GitHub.

Canonical and Microsoft have a fantastic partnership, building out the WSL experience. This work will benefit enterprise developers who use WSL to build production Linux solutions.

Craig Loewen, Product Manager for WSL at Microsoft

Ubuntu Pro delivers enterprise-grade security maintenance and support across desktops, servers, and IoT devices. Now, that same proven value proposition comes to WSL, addressing the security and compliance needs of IT managers and paving the way for broader enterprise adoption.

Power to developers, peace of mind for IT teams

WSL provides developers, system administrators, and power users with a native Linux experience on Windows, without the overhead of a full virtual machine or dual boot. It allows users to run Linux command-line tools, utilities, and graphical Linux applications directly on Windows. In collaboration with NVIDIA, WSL 2 delivers near-native GPU-accelerated performance, allowing applications in Ubuntu to access GPU drivers directly on the Windows host. With Ubuntu Pro, this developer-focused tool is transformed into a fully supported, enterprise-ready solution with up to 15 years of security maintenance.

For many enterprises, strict security and compliance policies have been a barrier to adopting WSL given the risks of unmonitored and unsupported open source software. Ubuntu Pro for WSL ensures Expanded Security Maintenance (ESM) is enabled, providing CVE security updates that can be applied subject to administrative policy. Canonical provides up to 15 years of CVE security patching for software packaged and published through Ubuntu’s repositories. Ubuntu Pro subscriptions also cover security maintenance for popular toolchains on WSL, such as Python, Go, Rust, and more. This turnkey solution ensures security vulnerabilities are patched quickly and reliably, making WSL a viable, compliant option for enterprise environments.

Ubuntu Pro for WSL will also enable system administrators to manage instances using Landscape, Canonical’s system management tool for Ubuntu. The WSL management feature of Landscape is in beta today, and customers interested in sharing feedback about the feature, and shaping its future, can do so in a self-hosted Landscape server, or by signing up for Landscape SaaS. Landscape will monitor all WSL instances that are deployed once Ubuntu Pro for WSL is configured, and identify which Windows hosts are compliant and which are non-compliant with your WSL provisioning and configuration policies.

Seamless installation with Microsoft ecosystem tools

Personal users benefit from a point-and-click installation of Ubuntu Pro for WSL from within the Microsoft Store. As a standard MSIX package, Ubuntu Pro for WSL integrates seamlessly into existing enterprise management workflows, allowing for easy installation and configuration using Microsoft’s enterprise tools. Ubuntu Pro for WSL can be installed and configured using cloud-based tools such as Microsoft Intune, or via Group Policies defined in Microsoft Active Directory.

In addition to being available in the Microsoft Store, images of Ubuntu on WSL are available for download and distribution behind a firewall, giving enterprises the option to host images internally, with centralized control over which WSL images are available to employees.

Comprehensive enterprise support

Beyond security and ease of deployment, Ubuntu Pro for WSL introduces a new support model for developers using WSL. Canonical provides an Ubuntu Pro subscription tier which includes comprehensive phone and ticket support (Ubuntu Pro + Support). This provides a clear and streamlined way for Windows-native developers to get expert help with their Linux environment.

Ubuntu Pro for WSL brings Canonical’s security and support capabilities into the Windows ecosystem. Free subscriptions for personal users and paid subscriptions are available through Canonical.

Next steps

About Canonical

Canonical, the publisher of Ubuntu, provides open source security, support and services. Our portfolio covers critical systems, from the smallest devices to the largest clouds, from the kernel to containers, from databases to AI. With customers that include top tech brands, emerging startups, governments and home users, Canonical delivers trusted open source for everyone.

Learn more at canonical.com

02 December, 2025 12:50PM

December 01, 2025

hackergotchi for SparkyLinux

SparkyLinux

Sparky news 2025/11

The 11th monthly Sparky project and donate report of 2025:

  • Linux kernel updated up to 6.16.9, 6.12.59-LTS, 6.6.117-LTS
  • Added to repos: Hyprland desktop
  • New repo server located in United Kingdom: UK1
  • CDE desktop updated up to 2.5.3

Many thanks to all of you for supporting our open-source projects. Your donations help keep them and us alive. Don’t forget to send a small tip…

01 December, 2025 09:24PM by pavroo

hackergotchi for Ubuntu developers

Ubuntu developers

Ubuntu Blog: Canonical announces general availability of Ubuntu on Qualcomm Dragonwing™ IQ-9075 platform

December 1, 2025 – Canonical, the publisher of Ubuntu, today announced the availability of certified images for the Qualcomm Dragonwing™ IQ-9075 platform. This high-performance industrial platform is now fully supported with optimized images for Ubuntu 24.04 LTS. The certified images are available for both Ubuntu Server and Desktop, equipping developers with a robust and securely designed software foundation necessary for next-generation industrial automation, robotics, and edge AI applications.

This launch builds on the general availability of Ubuntu for the QCS6490 and QCS5430 processors, with today’s announcement being the latest instance of Canonical support for Qualcomm’s Dragonwing™  processors.

Resilience and performance for edge AI 

The Qualcomm Dragonwing™ IQ-9075 is designed for the next generation of industrial automation systems, handling everything from real-time analytics to on-device Generative AI. Designed for extreme edge AI, IQ-9075 combines high performance with physical resilience. The platform can deliver up to 100 TOPS of on-device AI compute in thermal junction temperatures ranging from -40℃ to +115℃.

By certifying Ubuntu for the IQ-9075 platform, Canonical ensures that enterprises get a seamless out-of-the-box experience from development to production. Through Ubuntu Pro, Canonical’s subscription for open source security, developers benefit from up to 15 years of long term support. Combined with Qualcomm’s decade-long product lifecycle, developers on IQ-9075 benefit from stability on both the hardware and software level. 

Here is a more detailed rundown of the features you can expect on the Qualcomm Dragonwing™ IQ-9075: 

  • 8 Kryo Gold Prime high-performance cores 
  • Up to 16 concurrent cameras for multi-stream computer vision
  • High throughput data processing for robotics and factory automation
  • Access to the full ecosystem of Ubuntu packages

A partnership that empowers developers

“We are delighted to deepen our collaboration with Canonical by bringing certified Ubuntu support to the Qualcomm Dragonwing™ IQ-9075 processor,” said Laxmi Rayapudi, VP of Product Management, Qualcomm Technologies, Inc. “The IQ-9075 is designed for the most compute-intensive industrial tasks. Providing certified Ubuntu images – optimized and supported by Canonical – gives our ODMs and customers an essential, trusted software layer to deliver security-focused, high-performance edge solutions to market faster.”

“Ubuntu on Qualcomm Dragonwing™ IQ-9075 will accelerate the launch of AI-ready industrial devices at scale. This partnership will ensure high performance and robust security at both the hardware and software level,” said Olivier Philippe, VP of Devices Engineering at Canonical. “Manufacturers using Qualcomm’s Dragonwing™ IQ-9075 platform will not only be ready for long term support and maintenance, but also benefit from the full power of open source AI software innovations optimized for the Dragonwing™ IQ-9075.”

Getting started

To access the latest certified Ubuntu images for the Qualcomm Dragonwing™ IQ-9075 platform, please visit our Qualcomm IoT download page. If you have any questions about the platform or would like information about our certification program, then contact us by filling out our dedicated form.

01 December, 2025 06:00PM

Stéphane Graber: Announcing Incus 6.19

The Incus team is pleased to announce the release of Incus 6.19!

This is a slightly less busy release than usual as we’ve recently been spending quite a bit of time smoothing some of the initial rough edges from the IncusOS release.

That said, it still contains quite a few nice improvements and quite a lot of bugfixes!

The highlights for this release are:

  • Initial SELinux support
  • Improved Windows agent support
  • Serial devices in the resources API
  • Bandwidth limits on OVN NICs
  • Support for multi-object deletion in most CLI commands
  • Ability to turn off passthrough of PCI firmware to VM
  • PKCS12 generation in the CLI
  • Option for raw units in CLI CSV output

The full announcement and changelog can be found here.
And for those who prefer videos, here’s the release overview video:

You can take the latest release of Incus up for a spin through our online demo service at: https://linuxcontainers.org/incus/try-it/

And as always, my company is offering commercial support on Incus, ranging from by-the-hour support contracts to one-off services on things like initial migration from LXD, review of your deployment to squeeze the most out of Incus or even feature sponsorship. You’ll find all details of that here: https://zabbly.com/incus

Donations towards my work on this and other open source projects are also always appreciated; you can find me on Github Sponsors, Patreon and Ko-fi.

Enjoy!

01 December, 2025 05:17PM

hackergotchi for Pardus

Pardus

The Pardus and ETAP Era Has Begun at Nesibe Aydın Schools

Nesibe Aydın Schools, which pursues its ‘One School!’ vision with 11 campuses in 7 cities, has moved everything from interactive whiteboards to teachers’ computers to Pardus, the nationalized operating system distribution, and ETAP. The Pardus era has now begun in private schools as well.

01 December, 2025 12:35PM by Hace İbrahim Özbal

hackergotchi for Deepin

Deepin

(Chinese) UnionTech Windows Application Compatibility Engine V3.4.0 released

Sorry, this entry is only available in Chinese.

01 December, 2025 10:01AM by xiaofei

hackergotchi for Ubuntu developers

Ubuntu developers

Launchpad News: Introducing Webhooks for Package Uploads in PPAs

We have extended our webhooks capabilities to be able to trigger webhooks on successful and unsuccessful package uploads to Personal Package Archives (PPAs).

When a new source package is uploaded to one of your PPAs, the system can now send an instant webhook notification to an endpoint you control. This will make it easier to build automations around package uploads and binary package builds in your PPAs.

The webhook configuration includes scopes so you can configure to only trigger on successful use cases, or vice versa. Each webhook payload includes essential metadata about the upload – more details in the Webhooks page of our user documentation.

To try it out, you can add a webhook to your archive via the API (API reference), or via the UI by going to “Manage Webhooks” in your archive’s page.

If you have ideas or feedback, reach out to us!

01 December, 2025 09:02AM

November 30, 2025

hackergotchi for OSMC

OSMC

OSMC's November update is here with Kodi 21.3

Today we're happy to release OSMC's November 2025 update for all supported devices. The nights are drawing in and it's getting colder. So we want to keep your OSMC experience running smoothly. This update brings you Kodi v21.3 with a number of improvements.

The release notes for Kodi v21.3 are not yet officially available but we will update this post with a link when they are published.

USA shipments restored

From 29th August, there was an executive order stating that shipments to the USA would be subject to import tariffs and we initially advised customers to place their orders before this date.

We're now happy to announce that since early September, we have resumed shipments to the US. They remain tariff free and the price that you see on the website is the final price. There are no extra or hidden charges. It's business as usual.

Dolby Vision support

In case you missed it, we are now happy to announce TV-led Dolby Vision support for Vero V devices. You can learn more about Dolby Vision here.

Nothing needs to be done to enable this functionality beyond updating to the latest version of OSMC.

Furthermore, we are now exploring Dolby Vision FEL support and we have started testing this internally.

Black Friday

We like to offer our customers the best possible price for our products, including our flagship Vero V. We didn't offer a Black Friday discount this year. We're already offering the best possible price and with the current insatiable demand for DRAM, we're doing our best to keep the price as it is while we can.

Technology usually operates in a deflationary environment but the AI boom is currently causing an extreme demand for memory. We are doing what we can to mitigate this, including purchasing memory in advance when we see price breaks.

On the OSMC side, we've made a number of changes to keep things running smoothly:

Bug fixes

  • Vero V: fix an issue with MPEG2 based Live TV
  • Vero V: avoid micro stutter when a user pauses a video
  • Vero V: fix a micro stutter issue when a user presses pause
  • Raspberry Pi / Vero: fix Inputstream Adaptive issues

Improving the user experience

  • Vero V: improved skin performance significantly in library mode and windows which expose lots of text
  • Vero V: improved playback performance and display latency calculations
  • Vero V: limit number of HDMI resets when starting stream for smoother playback
  • Vero V: added support for Dolby Vision Profile 10
  • Vero V: fixed a frame drop issue that occurred after absolute seeking
  • Vero V: automatically reboot five seconds after a kernel panic
  • OSMC Skin: improved main menu widget sorting and item limit

Miscellaneous

  • Vero V: add support for memory dumping crashes on panic
  • Add version codename to /etc/os-release to improve compatibility

Wrap up

To get the latest and greatest version of OSMC, simply head to My OSMC -> Updater and check for updates manually on your existing OSMC set up. Of course — if you have updates scheduled automatically you should receive an update notification shortly.

If you enjoy OSMC, please follow us on X, like us on Facebook and consider making a donation if you would like to support further development.

You may also wish to check out our Store, which offers a wide variety of high quality products which will help you get the most out of OSMC.

Vero V is our latest and greatest flagship and the best way to enjoy OSMC and with Dolby Vision now supported, it's better than ever.

30 November, 2025 11:50PM by Sam Nazarko

November 28, 2025

hackergotchi for Pardus

Pardus

Open Source Push in Healthcare: The Pardus Transition Accelerates

Under the leadership of TÜBİTAK BİLGEM, the Pardus National Operating System is being rolled out in healthcare facilities in Aydın, Istanbul and Bursa. While usage is expanding in existing hospitals in Aydın, work with Pardus will begin at the City Hospital that is due to open soon. In Istanbul, a pilot implementation and technical suitability analyses have been started. This move contributes to technological independence by increasing the use of open source and domestic software in healthcare.

28 November, 2025 10:55AM by Hace İbrahim Özbal

November 27, 2025

hackergotchi for Ubuntu developers

Ubuntu developers

Podcast Ubuntu Portugal: E367 Full Steam Ahead

This week and in the weeks to come, we're going all in on Ubuntu Touch and bringing Free Software on phones to the masses! Miguel solved problems with help from the community, Diogo is heading to Porto to evangelize the hard way with Ruben Carneiro, and the sun will shine for all of us. Canonical promises 15 years of support; Xubuntu was hacked because it doesn't use Hugo (womp, womp); Miguel now says "mano" and "bro" in every sentence because of printers and is going to convert to Debian with Plasma and OH MY GOD, THE STEAM MACHINES ARE GORGEOUS!! FUUUUYYYYYOOOOH!!!

You know the drill: listen, subscribe and share!

Attribution and licenses

This episode was produced by Diogo Constantino, Miguel and Tiago Carrondo and edited by Senhor Podcast. The website is produced by Tiago Carrondo and its open source code is licensed under the terms of the MIT License. (https://creativecommons.org/licenses/by/4.0/). The theme music is: “Won’t see it comin’ (Feat Aequality & N’sorte d’autruche)”, by Alpha Hydrae, and is licensed under the terms of the CC0 1.0 Universal License. The terrible-quality jingles were played live and without a safety net by Miguel, so we apologize for any inconvenience caused. The sound effects have the following credits: [patrons laughing.mp3 by pbrproductions] (https://freesound.org/s/418831/) – License: Attribution 3.0. Contest: [01 WINNER.mp3 by jordanielmills] – (https://freesound.org/s/167535/) – License: Creative Commons 0. This episode and the image used are licensed under the terms of the license: Attribution-NonCommercial-NoDerivatives 4.0 International (CC BY-NC-ND 4.0), the full text of which can be read here. We are open to licensing to allow other kinds of use; contact us for validation and authorization. The episode art was commissioned from Shizamura, artist, illustrator and comics author. You can get to know Shizamura better at Ciberlândia and on her website.

27 November, 2025 12:00AM

November 26, 2025

hackergotchi for ZEVENET

ZEVENET

Community Edition: an easy-to-use Open Source Load Balancer

Community Edition is the open source load balancer from SKUDONET, designed for engineers and administrators who need traffic control without relying on costly or complex solutions.

Built on Debian 12.8, it provides a stable and secure operating system with performance far above what is typical in free software:

  • Up to 250,000 TCP requests per second (L4)
  • Up to 70,000 HTTPS requests per second (L7)

It is 100% free, fully open source, and compatible with Linux and Windows server environments.

For technical users looking for an open source load balancer with a Web GUI, easy to deploy and free of extra dependencies, this edition is an ideal starting point.

A Load Balancer with a GUI: traffic control without complexity

Most open source load balancers require manual configuration, editing text files, or navigating a steep learning curve. This is where SKUDONET Community Edition stands out.

The software includes a full Web GUI that allows you to:

  • Configure farms and services without touching the CLI
  • View backend health and real-time status
  • Adjust L4/L7 traffic distribution policies visually
  • Manage SSL/TLS certificates directly from the interface
  • Enable blocklists, basic DDoS protection, and simple filtering rules

This makes it highly accessible—even for small teams that need immediate results without spending hours reading advanced documentation.

SKUDONET Community Edition Open Source Load Balancer with web GUI

Technical Capabilities: Built-in WAF

From a technical perspective, SKUDONET CE includes features typically found only in commercial products:

1. L4 Load Balancing (NAT, DNAT, Stateless NAT, DSR)

Handles large volumes of TCP/UDP connections with minimal overhead.

2. L7 Load Balancing (Reverse Proxy)

Designed for web applications, APIs, and HTTP/HTTPS services.

3. Reverse Proxy with SSL/TLS support

Enables SSL termination directly in the load balancer.

4. Backend health checks

Ensures traffic is sent only to available backend servers.

5. Full Web GUI

A visual interface for managing all components without CLI.

6. REST JSON API

Full automation for CI/CD pipelines, hybrid infrastructures, or external integrations.

7. IPv6, dual stack, routing, and SD-WAN support

Suitable for modern and distributed network architectures.

8. Built-in essential security functions (including WAF)

Beyond traffic distribution, SKUDONET Community Edition includes fundamental security mechanisms:

  • Source-based blocking rules
  • Blocklists
  • Basic DDoS protection
  • A built-in basic Web Application Firewall (WAF) with fundamental rules

It is not a deep-inspection system like the Enterprise Edition, but it provides an initial layer of protection useful for development environments and small deployments. And if your infrastructure later requires deeper traffic inspection, advanced clustering, or professional support, you can migrate to SKUDONET Enterprise Edition, designed for critical environments.

Where to download SKUDONET Community Edition

SKUDONET Community Edition is distributed for free through SourceForge, where you can download the ISO or installation packages for your test or development environment.

26 November, 2025 03:05PM by Nieves Álvarez

hackergotchi for Proxmox VE

Proxmox VE

Proxmox Backup Server 4.1 released!

We're pleased to announce the release of Proxmox Backup Server 4.1.

This version is based on Debian 13.2 (“Trixie”), uses Linux kernel 6.17.2-1 as the new stable default, and comes with ZFS 2.3.4 for reliable, enterprise-grade storage and improved hardware support.

Here are the highlights
  • User-based traffic control for more fine-grained bandwidth management across backup and restore operations
  • Configurable parallelism for verify jobs to optimize runtimes and balance...


26 November, 2025 12:30PM by t.lamprecht (invalid@example.com)

November 24, 2025

hackergotchi for Pardus

Pardus

Pardus 25 BİLGE Released

Version 25.0 of Pardus, which continues to be developed by TÜBİTAK, has been released. Pardus 25 BİLGE is the first release of the Pardus 25 family.

24 November, 2025 03:38PM by Hace İbrahim Özbal

hackergotchi for GreenboneOS

GreenboneOS

Greenbone Helps Defend Against Advanced Social Engineering Attacks

Urgency, fear, curiosity, trust, greed, sympathy — social engineering has been wildly successful in exploiting human emotions in cyber attacks. Social engineering attacks have been identified as a top root cause in a high number of breaches. Most breach analysis reports place social engineering among the top initial-access techniques. The recent rise in AI-enabled phishing […]

24 November, 2025 11:23AM by Greenbone AG

hackergotchi for Ubuntu developers

Ubuntu developers

Ubuntu Blog: AMI and Canonical announce partnership

The collaboration makes it easy to boot directly into Ubuntu from AMI’s UEFI firmware solutions

Nuremberg, Germany, November 24, 2025 – Today, Canonical, the publisher of Ubuntu, announced a partnership with AMI, a provider of Unified Extensible Firmware Interface (UEFI) solutions. The partnership will enable users of AMI’s Aptio® V UEFI Firmware to netboot directly into Ubuntu by simply selecting Ubuntu Cloud Installation in the boot menu.

This new native boot functionality makes it easy and convenient to use Ubuntu, and eliminates the need for flashing images or using additional media or external devices. A simple Ethernet connection is enough to install and launch Ubuntu.

Alexander Lehmann (Sales Director – IoT, Canonical) and B. Parthiban (General Manager, Boot Firmware Group at AMI) are excited to provide users with the best out-of-the-box experience for Ubuntu.

“At AMI, we value partnerships that strengthen the ecosystem and deliver trusted solutions. Canonical’s widely adopted, community-supported platform is recognized for its stability and reliability, making this collaboration a natural fit,” commented B. Parthiban, General Manager, Boot Firmware Group at AMI. “Together, we’re enabling secure, high-performance experiences for customers everywhere.”

“Our collaboration with AMI furthers our commitment to deliver the best Ubuntu experience right out of the box. It’s now even easier to install Ubuntu,” said Alexander Lehmann, Sales Director – IoT, at Canonical. 

The collaboration between Canonical and AMI kicks off at SPS – the Smart Production Solutions summit  – in Nuremberg from November 25 to 27, 2025. 

To find out more about Ubuntu, visit Canonical’s booth in hall 6, number 112 and AMI’s booth in hall 6, number 223.

* * *

About Canonical 

Canonical, the publisher of Ubuntu Pro, provides open source security, support and services. Our portfolio covers critical systems, from the smallest devices to the largest clouds, from the kernel to containers, from databases to AI. With customers that include top tech brands, emerging startups, governments and home users, Canonical delivers trusted open source for everyone. Learn more at https://canonical.com/  

About AMI 

AMI is Firmware Reimagined for modern computing. As a global leader in Dynamic Firmware for security, orchestration, and manageability solutions, AMI enables the world’s compute platforms from on-premises to the cloud to the edge. AMI’s industry-leading foundational technology and unwavering customer support have generated lasting partnerships and spurred innovation for some of the most prominent brands in the high-tech industry. AMI is a registered trademark of AMI US Holdings, Inc. Aptio is a registered trademark of AMI in the US and/or elsewhere.

24 November, 2025 09:41AM

Ubuntu Blog: The $8.8 trillion advantage: how open source software reduces IT costs

Open source software is known for its ability to lower IT costs. But in 2025, affordability is only part of the story. A new Linux Foundation report, The strategic evolution of open source, reveals that open source has evolved from a tactical cost-saving measure to a mission-critical infrastructure supporting enterprise-grade investments, and delivering stronger business outcomes as a result.

This transformation is supported by academic research estimating that, without open source, companies would pay roughly 3.5 times more  to build the software running their businesses – an $8.8 trillion increase.[1] 

Open source: from “free alternative” to core infrastructure

The 2025 World of Open Source Survey by the Linux Foundation reveals that open source is deeply embedded across enterprise technology stacks, making it a foundation for global IT operations.  In fact, over 55% of analyzed tech stacks used a Linux-based operating system; and similarly, around half of all analyzed cloud, container, and DevOps technologies have Linux at their core.

The survey illuminates the many great reasons businesses are choosing open source: improved productivity, reduced vendor lock-in, and, unsurprisingly, lower total cost of ownership (TCO). Nearly half of organizations (46%) report an increase in business value from open source compared to last year, with 83% considering it valuable for their future. According to the World of Open Source Survey, 58% of organizations reported lower software ownership costs, and 63% cited higher productivity as a direct benefit of adopting open source. In addition, 62% reported reduced vendor lock-in and 75% judged their software quality to be higher thanks to OSS. Overall, 56% said the benefits of OSS exceeded the costs.[3] A Gartner study echoes these findings, showing that cost control and application development flexibility remain the top drivers of open source adoption.[2] 

And it’s not just about the costs: organizations that invest strategically in open source are 20% more likely to perceive competitive advantage, while 78% report workplace satisfaction and better talent attraction. Nearly 80% say open source makes their organization a better workplace, and 74% say it improves their ability to attract technical talent. 

One respondent put it this way: “Open source is not supplementary tooling but an ecosystem of core infrastructure dependencies.” This captures the shift perfectly: cost savings may start the conversation, but reliability, flexibility, and long-term value now drive adoption.

Why open source reduces IT costs and keeps cutting them

The same characteristics that make open source adaptable also make it economical:

  • No per-seat licensing: organizations avoid scaling costs tied to user counts or cores
  • Modular adoption: businesses can deploy only what they need, minimizing waste
  • Shared innovation: security fixes, feature improvements, and bug patches benefit from collective community investment
  • Interoperability and exit freedom: avoiding proprietary lock-in reduces switching costs and enables infrastructure that fits business strategy rather than the vendor’s roadmap

Systems based on open source tend to have lower maintenance overhead and longer life cycles, advantages that compound fast. That’s why enterprises see real savings, not just from shifting license costs to labor, but through genuine efficiency gains across teams.

Here’s a real-world case study of that in action: Greek telecom leader Nova leveraged Canonical’s planning and open pricing to control its CAPEX and OPEX, benefiting from predictable costs and freedom from management software licensing fees. Support from Canonical paid for “real expertise that enriches our team, rather than paying for access.”[3]

Open source is also the backbone of AI, making it easier to adopt this increasingly must-have technology into business operations. McKinsey research highlights how open source frameworks accelerate AI adoption, enable faster product development, and catalyze ecosystem innovation, amplifying the total value beyond mere cost savings.[4] In fact, the LF’s survey found that AI is the technology that benefits the most from being open source, according to 38% of respondents, and research from the Microsoft AI cloud Partners team showed that Linux environments such as Ubuntu deploy 63% faster with up to 306% ROI over three years.[5]

Mission-critical workloads demand enterprise-ready support

The data is clear: open source software lowers IT costs, but cost benefits only reach their full potential when paired with enterprise-ready support. For technical audiences, this isn’t about “just” having a backstop: it’s about operational excellence, security, and resilience. When issues do arise, they must be addressed quickly and precisely.

The survey shows 71% of organizations expect response times under 12 hours for critical OSS production issues, marking a shift from traditional community support to commercial-grade service-level agreements. In financial services and manufacturing, over 90% consider paid OSS support essential. This need for enterprise-grade support peaks in mission-critical workloads (54%), systems handling sensitive data (43%), and regulated sectors (38%).

There’s a perception that support is ‘too expensive’, but quite to the contrary, paid commercial support does not diminish open source’s cost benefits; instead, it enhances them. Just like OSS adoption saves on costs and licences, robust support services protect organizations against the potentially disastrous costs of downtime, compliance failures, or data breaches. 

Canonical’s own experience confirms that long-term OSS support is an increasingly strategic investment, especially in markets with high regulatory demands and cloud migration complexities.[6]

Take, for example, The European Space Agency (ESA), which depends on Canonical’s distributions of Kubeflow and Spark running on Kubernetes for its mission operations. ESA highlights that Canonical’s support lets them “sleep soundly,” focusing on space missions while trusting infrastructure experts for uptime and reliability.[3]

How Ubuntu Pro locks in the value of open source

The biggest IT cost benefits of open source software come when free software innovation is combined with investments in professional support. After all, these low-cost (or sometimes free) tools are highly accessible and often intuitive to build with, but they can take a lot of time, effort, and specialized skills to maintain and secure in the long term.

Canonical takes away that time-consuming effort from developers, and allows them to focus on building, through Ubuntu Pro + Support, our comprehensive security maintenance and support service.

Ubuntu Pro + Support gives users a wide range of benefits, including:

  • Up to 15 years of security maintenance and support covering thousands of open source components from the kernel to the applications layer.
  • Compliance-ready patching for mission-critical, regulated, and sensitive workloads.
  • Predictable enterprise SLAs aligned with the sub–12-hour incident response expectations of 71% of organizations.
  • Transparent, forecastable total cost of ownership, eliminating license uncertainties.

Ubuntu Pro extends cost benefits beyond licensing into comprehensive lifecycle management, turning open source affordability into sustained business value.

Open source is an economic strategy, not a shortcut

In conclusion, the business benefits of open source are clear to see, and widely reflected in the business landscape, where record numbers of organizations and tech stacks have open source as a core part of their mission-critical systems. The permissive licences, lack of vendor lock-in, and flexibility of open source make it a clear cost optimizer; but the most significant IT cost savings emerge when organizations combine free software innovation with enterprise-grade support, governance, and active engagement. Those who treat open source as core infrastructure aren’t just saving money: they’re building competitive, secure, and innovative foundations for growth.

$8.8 trillion – that’s what open source is worth to the global economy. If you’re not building on it, you’re paying for it somewhere else. The organizations leading in innovation, efficiency, and resilience already know: open source is the foundation of competitive advantage.

Sources

  1. Open Source Software: The $9 Trillion Resource Companies Take for Granted, HBS
  2. Top challenges to using Open-source for product and application development, Gartner
  3. What’s the state of open source adoption in Europe?, Ubuntu blog
  4. Open source technology in the age of AI, McKinsey
  5. IDC Business Value Study: A 306% ROI within 3 years using Ubuntu Linux on Azure, Microsoft Azure
  6. 54% of European enterprises want long term open source support: how Ubuntu Pro + Support delivers, Ubuntu blog
  7. The value of open source software is more than cost savings, Linux Foundation

24 November, 2025 09:40AM

November 21, 2025

hackergotchi for Ubuntu developers

Ubuntu developers

Ubuntu Blog: Open design: the opportunity design students didn’t know they were missing

What if you could work on real-world projects, shape cutting-edge technology, collaborate with developers across the world, make a meaningful impact with your design skills, and grow your portfolio… all without applying for an internship or waiting for graduation?

That’s what we aim to do with open design: an opportunity for universities and students of any design discipline. 

What is open design, and why does it matter?

Before we go further, let’s talk about what open design is. Many open source tools are built by developers, for developers, without design in mind. When open source software powers 90% of the digital world (PDF), it leaves everyday users feeling overwhelmed or left out. Open design wants to bridge that gap. 

We aim to introduce human-centred thinking into open source development, enhancing these tools to be more intuitive, inclusive, and user-friendly. Most open source projects focus on code contributions, neglecting design contributions. That leaves a vast number of projects without a design system, accessibility audits, or onboarding documentation. That’s where designers come in, helping shape better user experiences and more welcoming communities.

Open design is about more than just aesthetics. Open design helps to make technology work for people; that’s exactly what open source needs. Learn more about open design on our webpage.

We want to raise awareness for the projects, the problems that currently exist, and how we can fix them together, and encourage universities and students to become advocates of open design.

We want universities to connect their students to real-world, meaningful design opportunities in a field that is currently lacking the creativity of designers. Our goal is to help and motivate students to bring their design skills into open source projects and become advocates, to make open design accessible, practical, and empowering! 

How Canonical helps universities access open design

We want to help universities help students to access:

  • Real-world experiences: Students apply their design skills to global projects to create valuable, demonstrable outcomes, beyond hypothetical briefs
  • Interdisciplinary growth: Empower students to gain collaborative experience with developers, and navigate real tech workflows
  • Accessible opportunities: No interviews, no barriers; just impact, experience, and learning

We have provided universities with talks and project briefs, enabling them to prepare students to utilise their expertise and design a brighter future for open source. If you’re a department leader, instructor, or coordinator, exploring open source and open design will help you to give your students unique access to industry-aligned experiences, while embedding values of collaboration, open contribution, and inclusive design.

Why should students care?

If you’re a student in UX, UI, interaction, service, visual, HCI design, or any other field with design influence, you’ve been told how important it is to build your portfolio, gain hands-on experience, and collaborate with cross-functional teams. Open design is your opportunity to do so.

The best part is, you don’t have to write a single line of code to make a difference! Open source projects are looking for:

  • UX/UI improvements
  • Accessibility and heuristic audits
  • User research and persona development
  • User flows and wireframes
  • Information architecture reviews
  • Design documentation and feedback systems

If you’re in a design course, you already have, or are developing, the skills that open-source projects need. 

Open design is an opportunity to develop by collaborating across disciplines, navigating ambiguity, and advocating for users: skills employers value. With open design, you’ll gain confidence in presenting ideas, working with international teams, and handling feedback in a real-world setting, growing in ways that classroom projects and internships often don’t offer.

If you’re aiming for a tech-focused design career, open design is one of the most impactful and distinctive ways to stand out!

How can you start?

Getting started is easier than you think, even if GitHub looks scary at first. Here’s how:

  1. Learn the basics of GitHub

We’ve made a video guide to understanding GitHub, and curated a list of other videos to get to grips with GitHub.

  2. Find a project on contribute.design

It’s like a job board for design contributions. These projects are waiting for you.

  3. Understand the project’s needs

Most projects on contribute.design list what they’re looking for in a .design file or DESIGN.md guidelines.

  4. Pick an issue, or propose your own

Navigate to the Issues tab of the project repo, where you can filter for issues labelled for design. You can also use this tab to propose any issues you discover in the project.

  5. Contribute, collaborate, grow

Start adding your ideas, questions, and solutions to issues. You’ll be collaborating, communicating, and making meaningful contributions.

You can explore more projects through the GitHub Explore page, but not every project will have a design process in place; that’s where your skills are especially valuable. If you don’t see design issues, treat the project as a blank canvas. Suggest checklists, organise a design system, or improve documentation. The power is in your hands!

Reach out to maintainers, join community discussions, and don’t hesitate to introduce design-focused thinking. Your initiative can spark meaningful change and help open source become more user-friendly, one project at a time.

View every project as an opportunity; you don’t need an invitation to contribute, just curiosity, creativity, and the willingness to collaborate.

Interested? 

We’re looking for universities and departments interested in introducing open design to their students. Whether that’s through a talk, module project briefs, or anything else you’d like to see, we’re excited to find ways to work together and bring open design to campus.

Are you a program director, a design department, a student group, or an interested student? Let’s talk!

Reach out at opendesign@canonical.com

21 November, 2025 09:39AM

hackergotchi for Deepin

Deepin

(Chinese) Hands-on tutorial: adapting deepin 25 to the RK3588 (with flashing guide)

Sorry, this entry is only available in Chinese.

21 November, 2025 08:33AM by xiaofei

hackergotchi for Ubuntu developers

Ubuntu developers

Ubuntu Blog: Anbox Cloud 1.28.0 is now available!

Enhanced Android device simulation, smarter diagnostics, and OIDC-enforced authentication

The Anbox Cloud team has been working around the clock to release Anbox Cloud 1.28.0! We’re very proud of this release that adds robust authentication, improved diagnostic tools, and expanded simulation options, making Anbox Cloud even more secure, flexible, and developer-friendly for running large-scale Android workloads.

Let’s go over the most significant changes in this new version.

Strengthened authentication and authorization

Our OpenID Connect (OIDC)-based authentication and authorization framework is now stable with Anbox Cloud 1.28.0. This new framework provides a standardized approach for controlling access across web and command-line clients. Operators can now assign permissions through entitlements with fine-grained control, define authorization groups, and create and manage identities.

Configuring user permissions, understanding the idea of identities and groups, and looking through the entire list of available entitlements are all thoroughly covered in the new guides that come with this release. This represents a significant advancement in the direction of a more uniform and standards-based access model for all Anbox Cloud deployments.

Simulated SMS support

This is one of our most exciting new features: developers testing telephony-enabled applications in Anbox Cloud can now simulate incoming SMS messages using the Anbox runtime HTTP API. 

This new functionality allows messages to trigger notifications the same way they would on a physical device, generating more realistic end-to-end scenarios. A new how-to guide in our documentation provides detailed instructions on how to enable and use this feature.

Protection against accidental deletions

Because we know accidents happen (especially in production environments…), in order to reduce operational risk, this release introduces the ability to protect instances from accidental deletion. This option can be enabled directly in the dashboard either when creating a new instance or later from the Instance details page under the Security section. 

Once this protection option is turned on, the instance cannot be deleted, even during bulk delete operations, until the configuration is reset. This simple safeguard helps operators preserve important data and prevents costly mistakes in busy environments.

Improved ADB share management

Working with ADB (the Android Debug Bridge) has also become more flexible. Anbox Cloud now allows up to five ADB shares to be managed directly from the dashboard. For those who prefer the command line, the new amc connect command provides an alternative to the existing anbox-connect tool. Together, these improvements make it easier for developers to manage and maintain multiple debugging or testing sessions at once.

New diagnostic facility for troubleshooting

With version 1.28.0, we’re introducing a new diagnostic facility in the dashboard. This tool is designed to simplify troubleshooting for both the instances and the streaming sessions themselves. 

This feature helps collect relevant diagnostic data automatically, thereby reducing the work needed to identify and resolve issues. It also makes collaboration with our Canonical support teams more efficient, as users can now provide consistent and accurate diagnostic information in a structured, standard format.

Sensor support in the Streaming SDK

Here’s another hotly anticipated feature: the Anbox Streaming SDK gains expanded sensor support in this release. Our SDK now includes gyroscope, accelerometer and orientation sensors, allowing developers to test applications more interactively. 

Sensor support is disabled by default but can be easily enabled in the streaming client configuration. This addition opens up new possibilities for interactive use cases, such as gaming.

Upgrade now and stay tuned!

We think that Anbox Cloud 1.28.0 is our best release to date, and we are pleased to keep providing a feature-rich, scalable, and safe solution for managing Android workloads on a large scale. 

This latest version makes it easier than ever for developers and operators to create and test Android apps by introducing more precise device simulation, improved troubleshooting tools, and stricter access controls, as we’ve explained above.

Try it now and stay tuned for further developments in our upcoming releases. For detailed instructions on how to upgrade your existing deployment, please refer to the official documentation.

Further reading

Official documentation
Anbox Cloud Appliance
Learn more about Anbox Cloud or contact our team to discuss your use case


Android is a trademark of Google LLC. Anbox Cloud uses assets available through the Android Open Source Project.

21 November, 2025 08:00AM

November 20, 2025

Balint Reczey: Think you can’t interpose static binaries with LD_PRELOAD? Think again!

Well, you are right, you can’t. At least not directly. This is well documented in many projects relying on interposing binaries, like faketime.

But what if we could write something that would take a static binary, replace at least the direct syscalls with ones going through libc and load it with the dynamic linker? We are in luck, because the excellent QEMU project has a user space emulator! It can be compiled as a dynamically linked executable, honors LD_PRELOAD and uses the host libc’s syscall – well, at least sometimes. Sometimes syscalls just bypass libc.

The missing piece was a way to make QEMU always take the interposable path and call the host libc instead of using an arch-specific assembly routine (`safe_syscall_base`) to construct the syscall and going directly to the kernel. Luckily, this turned out to be doable. A small patch later, QEMU gained a switch that forces all syscalls through libc. Suddenly, our static binaries started looking a lot more dynamic!

$ faketime '2008-12-24 08:15:42'  qemu-x86_64 ./test_static_clock_gettime
2008-12-24 08:15:42.725404654
$ file test_static_clock_gettime 
test_clock_gettime: ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, ...

With this in place, Firebuild can finally wrap even those secretive statically linked tools. QEMU runs them, libc catches their syscalls, LD_PRELOAD injects libfirebuild.so, and from there the usual interposition magic happens. The result: previously uncachable build steps can now be traced, cached, and shortcut just like their dynamic friends.

There is one more problem though. Why would the static binaries deep in the build be run by QEMU? Firebuild also intercepts the `exec()` calls and now it rewrites them on the fly whenever the executed binary would be statically linked!

$ firebuild -d comm bash -c ./test_static
...
FIREBUILD: fd 9.1: ({ExecedProcess 161077.1, running, "bash -c ./test_static", fds=[0: {FileFD ofd={FileO
FD #0 type=FD_PIPE_IN r} cloexec=false}, 1: {FileFD ofd={FileOFD #3 type=FD_PIPE_OUT w} {Pipe #0} close_o
n_popen=false cloexec=false}, 2: {FileFD ofd={FileOFD #4 type=FD_PIPE_OUT w} {Pipe #1} close_on_popen=fal
se cloexec=false}, 3: {FileFD NULL} /* times 2 */]})
{
    "[FBBCOMM_TAG]": "exec",
    "file": "test_static",
    "// fd": null,
    "// dirfd": null,
    "arg": [
        "./test_static"
    ],
    "env": [
        "SHELL=/bin/bash",
 ...
        "FB_SOCKET=/tmp/firebuild.cpMn75/socket",
        "_=./test_static"
    ],
    "with_p": false,
    "// path": null,
    "utime_u": 0,
    "stime_u": 1017
}
FIREBUILD: -> proc_ic_msg()  (message_processor.cc:782)  proc={ExecedProcess 161077.1, running, "bash -c 
./test_static", fds=[0: {FileFD ofd={FileOFD #0 type=FD_PIPE_IN r} cloexec=false}, 1: {FileFD ofd={FileOF
D #3 type=FD_PIPE_OUT w} {Pipe #0} close_on_popen=false cloexec=false}, 2: {FileFD ofd={FileOFD #4 type=F
D_PIPE_OUT w} {Pipe #1} close_on_popen=false cloexec=false}, 3: {FileFD NULL} /* times 2 */]}, fd_conn=9.
1, tag=exec, ack_num=0
FIREBUILD:   -> send_fbb()  (utils.cc:292)  conn=9.1, ack_num=0 fd_count=0
Sending message with ancillary fds []:
{
    "[FBBCOMM_TAG]": "rewritten_args",
    "arg": [
        "/usr/bin/qemu-user-interposable",
        "-libc-syscalls",
        "./test_static"
    ],
    "path": "/usr/bin/qemu-user-interposable"
}
...
FIREBUILD: -> accept_ic_conn()  (firebuild.cc:139)  listener=6
...
FIREBUILD: fd 9.2: ({Process NULL})
{
    "[FBBCOMM_TAG]": "scproc_query",
    "pid": 161077,
    "ppid": 161073,
    "cwd": "/home/rbalint/projects/firebuild/test",
    "arg": [
        "/usr/bin/qemu-user-interposable",
        "-libc-syscalls",
        "./test_static"
    ],
    "env_var": [
        "CCACHE_DISABLE=1",
...
        "SHELL=/bin/bash",
        "SHLVL=0",
        "_=./test_static"
    ],
    "umask": "0002",
    "jobserver_fds": [],
    "// jobserver_fifo": null,
    "executable": "/usr/bin/qemu-user-interposable",
    "// executed_path": null,
    "// original_executed_path": null,
    "libs": [
        "/lib/x86_64-linux-gnu/libatomic.so.1",
        "/lib/x86_64-linux-gnu/libc.so.6",
        "/lib/x86_64-linux-gnu/libglib-2.0.so.0",
        "/lib/x86_64-linux-gnu/libm.so.6",
        "/lib/x86_64-linux-gnu/libpcre2-8.so.0",
        "/lib64/ld-linux-x86-64.so.2"
    ],
    "version": "0.8.5.1"
}

The QEMU patch is forwarded to qemu-devel. If it lands, anyone using QEMU user-mode emulation could benefit — not just Firebuild.

For Firebuild users, though, the impact is immediate. Toolchains that mix dynamic and static helpers? Cross-builds that pull in odd little statically linked utilities? Previously “invisible” steps in your builds? All now fair game for caching.

Firebuild 0.8.5 ships this new capability out of the box. Just update, make sure you’re using a patched QEMU, and enjoy the feeling of watching even static binaries fall neatly into place in your cached build graph. Ubuntu users can get the prebuilt patched QEMU packages from the Firebuild PPA already.

Static binaries, welcome to the party!

20 November, 2025 08:56PM
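The exec rewrite described in Balint Reczey's post above can be sketched as follows. This is an added example, not Firebuild's or QEMU's code: it treats a 64-bit little-endian ELF with no PT_INTERP segment as statically linked (this also covers static-pie) and prepends the QEMU path and `-libc-syscalls` switch that appear in the post's log. The function names and the constructed sample headers are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ELF64 sizes, field offsets and constants from the ELF specification. */
#define EHDR_SIZE   64u  /* sizeof(Elf64_Ehdr) */
#define PHDR_SIZE   56u  /* sizeof(Elf64_Phdr) */
#define OFF_TYPE    16u  /* e_type, 2 bytes */
#define OFF_PHOFF   32u  /* e_phoff, 8 bytes */
#define OFF_PHENTSZ 54u  /* e_phentsize, 2 bytes */
#define OFF_PHNUM   56u  /* e_phnum, 2 bytes */
#define ET_EXEC_V   2u
#define ET_DYN_V    3u
#define PT_LOAD_V   1u
#define PT_INTERP_V 3u

/* Values taken from the Firebuild debug log in the post. */
#define QEMU_PATH "/usr/bin/qemu-user-interposable"
#define QEMU_FLAG "-libc-syscalls"

enum elf_kind { ELF_INVALID = -1, ELF_DYNAMIC = 0, ELF_STATIC = 1 };

/* Read an n-byte little-endian integer, independent of host byte order. */
static uint64_t rd_le(const unsigned char *p, unsigned n)
{
    uint64_t v = 0;
    while (n--) v = (v << 8) | p[n];
    return v;
}

static void wr_le(unsigned char *p, uint64_t v, unsigned n)
{
    for (unsigned i = 0; i < n; i++) p[i] = (unsigned char)(v >> (8 * i));
}

/* A binary without PT_INTERP never runs the dynamic linker, so LD_PRELOAD
 * is ignored for it. Truncated or malformed headers yield ELF_INVALID. */
enum elf_kind classify_elf64(const unsigned char *img, size_t len)
{
    static const unsigned char magic[6] = { 0x7f, 'E', 'L', 'F', 2, 1 }; /* 64-bit, LSB */
    if (len < EHDR_SIZE || memcmp(img, magic, sizeof magic) != 0)
        return ELF_INVALID;
    uint64_t type = rd_le(img + OFF_TYPE, 2);
    uint64_t phoff = rd_le(img + OFF_PHOFF, 8);
    uint64_t phnum = rd_le(img + OFF_PHNUM, 2);
    if ((type != ET_EXEC_V && type != ET_DYN_V) || rd_le(img + OFF_PHENTSZ, 2) != PHDR_SIZE)
        return ELF_INVALID;
    /* Reject a program header table that runs past the end of the file. */
    if (phoff > len || phnum * PHDR_SIZE > len - phoff)
        return ELF_INVALID;
    for (uint64_t i = 0; i < phnum; i++)
        if (rd_le(img + phoff + i * PHDR_SIZE, 4) == PT_INTERP_V)
            return ELF_DYNAMIC;
    return ELF_STATIC;
}

/* Build the argument vector to exec. Static binaries are wrapped in QEMU,
 * everything else is passed through. Returns the new argc, 0 if out is too small. */
size_t rewrite_args(enum elf_kind kind, const char *const argv[], size_t argc,
                    const char *out[], size_t cap)
{
    size_t extra = (kind == ELF_STATIC) ? 2 : 0, n = 0;
    if (cap < argc + extra + 1) return 0;
    if (extra) { out[n++] = QEMU_PATH; out[n++] = QEMU_FLAG; }
    for (size_t i = 0; i < argc; i++) out[n++] = argv[i];
    out[n] = NULL;
    return n;
}

/* Constructed sample: ELF header plus program headers only, not a runnable binary. */
size_t make_sample_elf(unsigned char *buf, size_t cap, int with_interp)
{
    size_t phnum = with_interp ? 2 : 1, total = EHDR_SIZE + phnum * PHDR_SIZE;
    if (cap < total) return 0;
    memset(buf, 0, total);
    memcpy(buf, "\x7f" "ELF\x02\x01\x01", 7);
    wr_le(buf + OFF_TYPE, ET_EXEC_V, 2);
    wr_le(buf + OFF_PHOFF, EHDR_SIZE, 8);
    wr_le(buf + OFF_PHENTSZ, PHDR_SIZE, 2);
    wr_le(buf + OFF_PHNUM, phnum, 2);
    wr_le(buf + EHDR_SIZE, PT_LOAD_V, 4);
    if (with_interp) wr_le(buf + EHDR_SIZE + PHDR_SIZE, PT_INTERP_V, 4);
    return total;
}

/* Classify a constructed sample; cut drops bytes from the end (truncated file). */
enum elf_kind classify_sample(int with_interp, size_t cut)
{
    unsigned char buf[EHDR_SIZE + 2 * PHDR_SIZE];
    size_t len = make_sample_elf(buf, sizeof buf, with_interp);
    return classify_elf64(buf, len > cut ? len - cut : 0);
}

/* Argument idx of the rewritten command line for "./test_static", or NULL. */
const char *rewritten_arg(enum elf_kind kind, size_t idx)
{
    static const char *const argv[] = { "./test_static" };
    const char *out[4];
    size_t n = rewrite_args(kind, argv, 1, out, 4);
    return idx < n ? out[idx] : NULL;
}

int main(void)
{
    for (int interp = 0; interp <= 1; interp++) {
        enum elf_kind k = classify_sample(interp, 0);
        printf("%s:", k == ELF_STATIC ? "static" : "dynamic");
        for (size_t i = 0; rewritten_arg(k, i); i++) printf(" %s", rewritten_arg(k, i));
        putchar('\n');
    }
    return 0;
}
```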

hackergotchi for VyOS

VyOS

VyOS SSO explained: how accounts, logins, and permissions work now

After introducing Single Sign-On (SSO) for VyOS services, we received a number of questions about how it works in practice. This follow-up post explains what SSO is, how it relates to your existing VyOS accounts, and what to keep in mind when using it day to day. For rollout dates and migration details, please refer to our initial SSO announcement.

20 November, 2025 03:03PM by Taras Pudiak (taras@vyos.io)

hackergotchi for GreenboneOS

GreenboneOS

October 2025 Threat Report

Just over 4,100 new CVEs emerged in October 2025, representing new attack surfaces and placing pressure on defenders to identify and patch. For operational resilience, organizations need to scan their IT infrastructure often and prioritize mitigation efforts. A free trial of Greenbone’s OPENVAS BASIC lets defenders scan their enterprise IT estate and stay on top […]

20 November, 2025 08:45AM by Joseph Lee

November 19, 2025

hackergotchi for Proxmox VE

Proxmox VE

Proxmox Virtual Environment 9.1 available!

We're proud to present the next iteration of our Proxmox Virtual Environment platform. This new version 9.1 is the first point release since our major update and is dedicated to refinement.

This release is based on Debian 13.2 "Trixie" but we're using the newer Linux kernel 6.17.2 as new stable default. In addition to the main system enhancements, this update incorporates the latest versions of core technologies, including QEMU 10.1.2, LXC 6.0.5, ZFS 2.3.4, and Ceph Squid 19.2.3, all fully...

19 November, 2025 12:52PM by t.lamprecht (invalid@example.com)

November 18, 2025

hackergotchi for Ubuntu developers

Ubuntu developers

Ubuntu Blog: 83% of organizations see value in adopting open source, but report major gaps in security and governance

A new Linux Foundation report reveals how organizations worldwide are adopting, using, and perceiving open source software.

The Linux Foundation’s latest report, The state of global open source, has just been released in collaboration with Canonical. The report follows the Linux Foundation’s European spotlight report, released earlier this year, and confirms that many of the trends the European spotlight report unveiled are true on a global scale. In particular, the global spotlight report confirms the role of open source software as the foundation of business-critical systems worldwide, and indicates a continued increase in adoption. However, organizations continue to lack the governance, security testing, and strategic maturity required to manage open source strategically and securely. 

The report suggests that most organizations expect enterprise-grade performance from open source software, but under-invest in the required governance frameworks, security practices, and community engagement. 

83% of organizations acknowledge open source is valuable to their future

According to the report, the trend of increasing open source adoption in the enterprise is set to continue, as 83% of enterprises consider open source software adoption valuable to their future. Likewise, the report reveals the centrality of open source software to the modern enterprise. Globally, enterprises have adopted open source software throughout their technical stacks: 55% have adopted open source operating systems, whilst 49% have adopted open source cloud and container technologies, and 46% open source web and application development. 

The widespread confidence that open source will play a pivotal role in many organizations’ futures is closely connected to a growing understanding of the benefits of open source software adoption.   

86% report open source software improves productivity

This report confirms a shift in enterprises’ strategic mindset around open source: 82% of respondents considered open source as an asset that enables innovation. Historically, open source software was often reserved for specific projects or use cases, like setting up web servers – with wider organizational use being viewed with some scepticism. 

Open source is now a “must-have.” Why is this the case? Here’s what the respondents had to say: 

  • 86% stated that open source improves productivity 
  • 79% reported improved software quality as a result of open source
  • 78% highlighted improved security

Compared to the benefits seen by organizations using open source software in 2024, 46% reported increased business value from open source over the past year. The growing interest in and use of open source technologies is particularly clear for certain technologies, like AI.

AI technologies benefit most from being open source

The growing value of open source can partly be attributed to the influence of AI. Since 2024, there has been an increase in the adoption of open source AI and machine learning (ML) applications from 35% to 40% – a rise of 5%. Globally, AI and ML were perceived to be the technology most benefiting from being open source. Code visibility ensures organizations can more easily audit their AI systems, which makes compliance simpler, provides more transparency into how the AI model functions, and enables companies to run the AI on their own infrastructure – ensuring sensitive data never leaves the organization’s control.

With growing adoption of AI and ML come new cybersecurity risks and requirements. However, the report indicates that organizations currently lack mature governance structures for their open source estates, creating additional complications to adopting AI and ML securely.

Lack of mature governance: only 34% of organizations have defined a clear open source strategy

Despite increasing adoption of open source technologies, many organizations still lack a mature governance strategy for their open source software. 

The number of organizations that have defined a clear open source strategy has grown by just 2% in the last year, to a total of 34%. That means that nearly two-thirds of organizations rely instead on informal strategies of governance of their open source estates, primarily due to budget constraints, shifting priorities and new strategic requirements. For example, when evaluating open source components for adoption:

  • 44% of organizations check the activity level of the project community
  • 31% use automated security testing tools
  • 28% manually review the source code
  • 36% evaluate the direct dependencies of the open source component

With fewer than half of organizations taking these important formal steps before adoption, the report indicates that this “creates significant risk exposure and limits organizations’ ability to capture the full strategic value of open source participation,” signalling that this is a concern that organizations must take seriously.

Similarly, organizations demonstrate a lack of consensus around which security features and assurances matter to them when adopting open source components, with no single certification or assurance mechanism achieving adoption by more than a quarter of open source solutions. Almost a third of organizations (28%) don’t know which assurances would make them more likely to trust an open source solution. This opens them up to serious security risks, like supply chain attacks.  

As a result, enterprises are increasingly turning to paid support options for their open source estates. 

54% view paid support as essential for mission-critical workloads

More than half of respondents consider paid support for their open source essential. As open source technologies have become critical to business infrastructure, expectations for open source software support are beginning to mirror those of commercial software standards:

  • 71% of organizations expect response times of less than 12 hours from support providers
  • 47% expect rapid security patching for open source software in production environments
  • 53% expect long term support guarantees for their open source software. 

Acquiring paid support for open source software makes this level of support achievable, which organizations broadly accept. On a granular level, the industries with the highest proportion that consider paid support essential are those that process sensitive or valuable data, such as manufacturing (97%) followed by financial services (96%), IT (91%) and government (92%). 

Conclusion and recommendations

The Linux Foundation’s The state of global open source reveals that enterprises are relying on open source software and perceiving its benefits. However, increasing engagement with open source communities, more structured governance of open source estates, and structured security evaluations of open source elements before adoption will help organizations to strengthen the resilience of their open source infrastructure. 

18 November, 2025 04:10PM

hackergotchi for GreenboneOS

GreenboneOS

Greenbone Adds New Compliance Profiles for Huawei EulerOS

Greenbone is excited to announce new compliance policies for Huawei’s EulerOS and openEuler. These compliance policies are the result of close collaboration with Huawei to provide OPENVAS SCAN users with authenticated checks for over 200 key security controls. By thoroughly vetting security settings, defenders gain a high degree of security assurance and visibility into the security posture […]

18 November, 2025 01:19PM by Greenbone AG

hackergotchi for ZEVENET

ZEVENET

The Importance of Reload in Web Service Continuity

Today, virtually every business depends on its online infrastructure. Companies manage multiple websites, internal applications, or e-commerce platforms that must remain available at all times.

As these environments grow, maintenance and stability become as critical as security — and every change must be applied without affecting the user experience. Maintaining uptime during configuration changes requires solutions that support reload configuration without downtime.

Even a minimal interruption —a restart, a reconnection, or a lost session— can translate into frustrated customers, disrupted operations, or lost revenue. And in an environment where reputation depends on availability, these incidents can have visible consequences.

Keeping services running while updating configurations or network policies is no longer just a technical challenge — it’s an operational requirement.

Network Maintenance: When Stopping Is No Longer an Option

In daily practice, administrators plan maintenance and updates through a controlled service restart. They pick a low-traffic time, apply the changes, and assume a brief service interruption.

Although the process is fast and almost imperceptible to users, it still implies a short disruption. This method works well in small environments, where a few seconds of downtime go unnoticed.

The challenge arises when managing dozens or hundreds of sites simultaneously — as in the case of service providers, public administrations, or hosting environments.

In those scenarios, even a short interruption can have a direct impact:

  • A customer abandons a purchase because the e-commerce platform stops responding.
  • An API session interrupts an ongoing transaction.
  • An application stops synchronizing real-time data.
  • Monitoring systems detect the failure and generate unnecessary alerts.

That’s why, in modern web traffic and service management, the ability to apply changes without restarting has become an essential function.

This is where the concept of reload becomes relevant.

Reload Configuration Without Downtime

This feature allows changes to be applied without restarting active processes — reloading the configuration in the background while keeping all connections open.

In other words, reload replaces the classic “stop and restart” with a smarter process where the system updates its configuration, preserves active sessions, and ensures that traffic continues to flow without interruptions. Technically, reload forces a re-read of the service configuration in memory, synchronizing new rules, policies, or certificates without closing sockets or terminating active connections.

From a technical point of view, it may seem like a small change, but in practice it represents a qualitative leap for any infrastructure that requires true continuity.

The difference between restart and reload is simple: one stops and starts again, the other updates without stopping.

When Does Updating Without Downtime Become Essential?

Not every business requires the same level of continuity, but there are scenarios where reload makes a clear difference:

  • E-commerce and financial services: every second of downtime can directly result in lost sales or trust.
  • Providers managing multiple websites: when hundreds of domains or applications are handled at once, a restart could leave one of them hanging.
  • Platforms with frequent updates: where traffic rules, certificates, or configurations are adjusted several times a day.
  • Systems with real-time traffic: where every connection or active process must remain uninterrupted.

In these cases, reload isn’t a technical luxury — it’s what allows an infrastructure to keep operating without visible interruptions while evolving internally.

How SKUDONET Ensures Updates Without Interruptions

At SKUDONET, we believe that availability should never be sacrificed each time a configuration is updated.

That’s why the system allows services and load-balancing policies to be reloaded without restarting, keeping traffic flowing smoothly even in high-demand environments.
This means that:

  • New settings are applied immediately.
  • Active sessions remain connected.
  • No packet loss or connection drops occur.
  • Performance remains stable throughout the operation.

Thanks to this capability, SKUDONET helps organizations maintain full service availability, even in continuous activity environments or when managing dozens of simultaneous applications.

Everything is managed from a single visual interface, with unified metrics, logs, and events that simplify control without manual processes or scheduled restarts.

SKUDONET Enterprise Edition combines load balancing, security, and traffic inspection in a single platform — designed for business environments that can’t afford downtime but still need to evolve quickly.

18 November, 2025 08:00AM by Nieves Álvarez

November 17, 2025

hackergotchi for SparkyLinux

SparkyLinux

Annual Server Fundraiser 2025

Dear Friends! It’s time for our annual fundraiser for our servers. So let’s get started! By January 15, 2026, we need to raise and pay for the servers €510 plus a minimum of €1100 for our monthly payments: domains, internet, electricity, gas, water, fuel, rent, medications, and life, which is getting more expensive and difficult each month. We also have non-monthly but equally important…

17 November, 2025 09:42PM by pavroo

hackergotchi for Ubuntu developers

Ubuntu developers

Ubuntu Blog: Everything you need to know about FIPS 140-3 on Ubuntu | Videos

FIPS 140 is a highly demanding security standard that’s mandatory for almost all high-security and federal environments. It can be hard to get right and may be a daunting part of the journey for those trying to meet compliance requirements like FedRAMP or CMMC. We get a lot of questions about FIPS 140-3, and so we decided to put together this comprehensive collection of video resources to answer the most burning ones we’ve had so far. 

In this collection, you’ll be able to get answers to the most frequently asked FIPS questions, including:

  • How to enable FIPS 140-3 on Ubuntu 22.04
  • How to check if you’re operating in FIPS mode
  • How to enable FIPS on public clouds: AWS, Azure, GCP
  • Which modules and hardware have been FIPS 140-3 certified for Ubuntu 
  • Which FIPS-enabled Docker containers are available in Iron Bank 
  • What are the most common issues when enabling FIPS 140-3 

How to enable FIPS on Ubuntu?

We’ll start with the most common question: how do you enable FIPS on Ubuntu? The basic prerequisite is an Ubuntu Pro subscription, which is available either free for personal use or with a 30-day free trial for enterprise users. After subscribing, you’ll get access to a dashboard where you can find a token that you can attach to an Ubuntu instance and get access to the FIPS certified modules. All you need to do is open your terminal and enter the following commands: 

sudo pro attach <token>

sudo pro enable fips-updates

sudo reboot

You should see output like the following, indicating that the FIPS packages have been installed:

Installing FIPS Updates packages

FIPS Updates enabled

A reboot is required to complete install.

Enabling FIPS should be performed during a system maintenance window since this operation makes changes to underlying SSL-related libraries and requires a reboot into the FIPS-certified kernel.

How to check if you’re operating in FIPS mode

After enabling FIPS mode, it is good practice to verify that it is active. This is straightforward: just run this command in the terminal:

cat /proc/sys/crypto/fips_enabled

The output that indicates that FIPS mode is enabled is “1”. 

How to enable FIPS on public clouds

It is very easy to enable FIPS in public clouds. In contrast to on-prem usage, Ubuntu images for public clouds already have FIPS enabled. Decide on the Ubuntu version you’d like to run, visit the relevant marketplace for your public cloud provider (for example: AWS, Azure, or GCP), and search for the relevant image.

Which modules and hardware have been FIPS 140-3 certified 

Sometimes it can be tricky to figure out exactly which modules and hardware have been FIPS 140-3 certified. This video goes into extensive detail outlining the modules and components you’ll be able to make full use of with FIPS 140-3 certified Ubuntu. 

To give a brief overview, the following certified cryptographic modules are available with Ubuntu 22.04 LTS:

  • OpenSSL v3.0.5
  • Libgcrypt v1.9.4
  • GnuTLS v3.7.3
  • Linux kernel v5.15.0
  • StrongSwan v5.9.5

These modules have been developed and tested on a range of hardware platforms:

  • Intel/AMD x86_64
  • ARM64
  • IBM z15

FIPS-enabled containers available in Iron Bank 

Canonical’s container images are trusted and pre-approved for high-security use cases. Hardened Ubuntu images are already certified and available in the U.S. Department of Defense’s Iron Bank, the official repository of security-hardened containers for government systems. You can find the code to build your own image here, or get the actual container that passed all the automated compliance checks here. Note, you would need to first register to get access to the platform. 

Canonical has also recently added FIPS and STIG-compliance to Canonical Kubernetes. Built on Ubuntu Pro hosts, Canonical Kubernetes now includes FIPS 140-3 validated crypto modules out of the box and can be hardened for DISA-STIG. This means you can deploy secure, compliant clusters built on Ubuntu, making it much easier to meet FedRAMP and other federal compliance requirements right from your Kubernetes base.

Common issues when enabling FIPS 140-3 

Compliance always comes with challenges, but when we know the issues, we can help. The video above explains how to solve the most common issues that teams run into when enabling FIPS 140-3, including: 

  • WiFi SSID should be 16 characters
  • 32-bit crypto library versions must be removed, if present
  • Full-disk encryption requires PBKDF2
    • sudo cryptsetup --pbkdf=pbkdf2 luksAddKey <partition>
  • Some applications might not expect disallowed operations to fail – we will endeavor to provide fixes where possible

If you’d like to raise a bug/issue with FIPS compliance on Ubuntu, you can do it on Launchpad. Here is an example of OpenSSL bugs.

Summary 

We hope this blog has been useful for you to learn more about FIPS 140-3 on Ubuntu. You can easily get FIPS 140-3 compliance with an Ubuntu Pro subscription, which is free for personal use and offers a free trial for enterprise-focused projects. Additionally, an Ubuntu Pro subscription is not limited to only FIPS 140-3: the subscription also includes access to our hardening automation tools such as Ubuntu Security Guide, expanded security maintenance, Ubuntu fleet management, and more. And if you’re looking for assistance with more complex enterprise use cases, you can simply contact us.

17 November, 2025 06:23PM

hackergotchi for Finnix

Finnix

Finnix 251 released

Finnix is a Linux-based utility live distribution. Write it to a USB flash drive or burn it to a CD, boot it, and you’re seconds from a root prompt with hundreds of utilities available for recovery, maintenance, testing and more. Finnix 251 has been released today, including new official OCI / Docker images, and containing new packages, features and fixes.


Finnix 251 is the first release to distribute official OCI container images. The official Finnix container contains all the same software as the ISO release, and may be launched from Podman, Docker, Kubernetes, etc.

docker run -it --rm finnix/finnix

podman run -it --rm docker.io/finnix/finnix:latest

kubectl run finnix-$(uuidgen | cut -b -4 | tr A-Z a-z) --image=finnix/finnix --restart=Never -it --rm

This is particularly useful for Kubernetes users, giving you a quick utility shell in the namespace of your choice. The finnix/finnix:latest container currently includes architecture support for amd64, arm64 and riscv64.

Otherwise, Finnix 251 is a regular semiannual utility release:

  • Linux kernel 6.16 (Debian 6.16.12-2)
  • Added packages: dc3dd
  • Upstream Debian package updates
  • Many minor fixes and improvements

Please visit finnix.org to download Finnix 251 today!


17 November, 2025 06:00PM

hackergotchi for VyOS

VyOS

We're introducing single sign-on (SSO) for VyOS services

Starting November 18, 2025, you can sign in to VyOS Support Portal, Community Forum, and Issue Tracker using a new, unified authentication method: Single Sign-On (SSO).

This change brings several benefits, and there are a few key things you’ll need to know — read on to ensure you’re prepared.

17 November, 2025 04:48PM by Taras Pudiak (taras@vyos.io)

hackergotchi for GreenboneOS

GreenboneOS

CVE-2025-64446: A Lurking FortiWeb Vulnerability Proves Critical amid Active Exploitation

Discussion of a new security issue affecting Fortinet’s FortiWeb began circulating online in early October 2025, when cyber deception firm Defused reported capturing a working exploit via honeypot. FortiWeb is Fortinet’s web application firewall (WAF) platform, designed to shield web applications from malicious activity. For over one month, Defused’s revelation mostly lurked in the shadows; […]

17 November, 2025 12:28PM by Joseph Lee

hackergotchi for VyOS

VyOS

VyOS Stream 2025.11 is available for download

Hello, Community!

VyOS Stream 2025.11 and its corresponding source tarball are now available for download. You can find them at the end of this post. This is the third VyOS Stream release on the way to the upcoming 1.5/Circinus LTS release and includes many of its features for you to test — most notably, a VPP-based accelerated dataplane.

17 November, 2025 11:24AM by Daniil Baturin (daniil@sentrium.io)

hackergotchi for Deepin

Deepin

November 16, 2025

hackergotchi for SparkyLinux

SparkyLinux

Hyprland

There is a new desktop available for Sparkers: Hyprland

What is Hyprland? Features:

  • All of the eyecandy: gradient borders, blur, animations, shadows and much more
  • A lot of customization
  • 100% independent, no wlroots, no libweston, no kwin, no mutter.
  • Custom bezier curves for the best animations
  • Powerful plugin support
  • Built-in plugin manager
  • Tearing support for better…

16 November, 2025 01:30PM by pavroo