by George Whittaker

This article explores how modern DevOps teams are redefining stability and reproducibility in production environments by embracing truly unchangeable operating systems. It delves into how NixOS’s declarative configuration model and OSTree’s atomic update mechanisms open the door to systems that are both resilient and transparent. We'll explain the advantages, technologies, comparisons, and real-world use cases fueling this shift.

The Paradigm Shift: From Mutable Chaos to Immutable Assurance

• Why the change happened: The traditional model, logging into servers, tweaking packages, and patching in place, has led to unpredictable environments, elusive bugs, “snowflake” systems, and configuration drift as environments diverged over time. Immutable infrastructure treats machines like fungible artifacts: if you need change, you don’t fix the running system, you replace it.

• Key benefits:

  • Reliability at scale: Automated, reproducible deployments, no divergence across servers.

  • Simplified rolling back: If something breaks, spin up the previous, working version.

  • Security by design: Core systems are read-only, reducing the attack surface.

Immutable Foundations in Action NixOS: The Declarative, Version-Controlled Linux

• How it works: System configuration, including packages, services, kernels, is expressed in the Nix language in a config file. Rebuilding produces a new system “generation,” which can be booted or rolled back.

• Why DevOps teams love it:

  • Reproducibility: Exact environments can be rebuilt from config files, promoting parity across development, CI, and production.

  • Speed and consistency gains: In one fintech case, switching to NixOS reduced deployment times by over 50 percent, erased environment-related incidents, shrank container sizes by 70%, and cut onboarding time dramatically.

  • Edge readiness: Ideal for remote systems or stateless servers rebuilt nightly to ensure fleet consistency with easy rollback.

  • Personalization meets immutability: With tools like Home Manager, even user-specific configurations (like dotfiles or shell preferences) can be managed declaratively, and consistently reproduced across machines.

Go to Full Article

by George Whittaker Introduction: Why Lightweight Matters for Kubernetes Devs

When running Kubernetes clusters for development, the operating system’s footprint can make or break performance and agility. Heavy, general-purpose Linux distributions waste memory and CPU cycles on components you’ll never use, while lightweight, container-focused distros keep your nodes lean and optimized. For developers experimenting with k3s, MicroK8s, or full-blown Kubernetes clusters, lightweight Linux offers faster spin-ups, lower overhead, and environments that better simulate production-grade setups.

In this guide, we’ll take a look at the best lightweight Linux options for Kubernetes developers, compare their strengths, and walk through code examples for quick setup. Whether you’re spinning up a local test cluster or building a scalable dev lab, this breakdown will help you pick the right base OS and make the most of your Kubernetes workflow.

Key Considerations for Dev-Focused Kubernetes Nodes

Before diving into individual distros, it’s important to understand what really matters when pairing Linux with Kubernetes:

• Minimal Resource Usage: A slim OS footprint leaves more CPU and RAM for pods and workloads.

• Container Runtime Compatibility: Built-in or easy-to-install support for containerd, CRI-O, or Docker ensures smooth cluster bootstrapping.

• Init System Support: Compatibility with systemd or OpenRC impacts how Kubernetes services are managed.

• Immutable vs. Mutable: Immutable systems like Fedora CoreOS or Talos enhance reliability but restrict tinkering, while Alpine and Ubuntu Core offer more flexibility for on-the-fly customization.

• Developer Friendliness: A distro should integrate seamlessly with kubectl, Helm, CI/CD agents, and debugging workflows.

Go to Full Article

by George Whittaker Introduction

Container technology has matured rapidly, but in 2025, two tools still dominate conversations in developer communities: Docker and Podman. Both tools are built on OCI (Open Container Initiative) standards, meaning they can build, run, and manage the same types of images. However, the way they handle processes, security, and orchestration differs dramatically. This article breaks down everything developers need to know, from architectural design to CLI compatibility, performance, and security, with a focus on the latest changes in both ecosystems.

Architecture: Daemon vs. Daemonless Docker's Daemon-Based Model

Docker uses a persistent background service, dockerd, to manage container lifecycles. The CLI communicates with this daemon, which supervises container creation, networking, and resource allocation. While this centralized approach is convenient, it introduces a single point of failure: if the daemon crashes, every running container goes down with it.

Podman’s Daemonless Approach

Podman flips the script. Instead of a single daemon, every container runs as a child process of the CLI command that started it. This design eliminates the need for a root-level service, which is appealing for environments concerned about attack surfaces. Containers continue to run independently even if the CLI session ends, and they can be supervised with systemd for long-term stability.

Developer Workflow and CLI Familiar Command Structure

Podman was designed as a near drop-in replacement for Docker. Commands like podman run, podman ps, and podman build mirror their Docker equivalents, reducing the learning curve. Developers can often alias docker to podman and keep using their existing scripts.

Run an NGINX container

Docker

docker run -d --name web -p 8080:80 nginx:latest

Podman

podman run -d --name web -p 8080:80 nginx:latest GUI Options

For desktop users, Docker Desktop remains polished and feature-rich. However, Podman Desktop has matured significantly. It now supports Windows and macOS with better integration, faster file sharing, and no licensing restrictions, making it appealing for enterprise environments.

Go to Full Article

by George Whittaker

When Red Hat announced the abrupt end of traditional CentOS in late 2020, the Linux ecosystem was shaken to its core. Developers, sysadmins, and enterprises that relied on CentOS for years suddenly found themselves scrambling for answers. Out of that disruption, two projects, AlmaLinux and Rocky Linux, emerged to carry forward the legacy of CentOS while forging their own identities. This article dives into how these two distributions established themselves as reliable, enterprise-grade options for developers and organizations alike.

The Fall of CentOS: An Industry Shockwave

For over a decade, CentOS was the backbone of countless servers, from small web hosts to enterprise data centers. It provided a stable, free, and RHEL-compatible platform, perfect for developers and administrators building and maintaining critical infrastructure.

That stability came to an end when Red Hat pivoted CentOS to a rolling-release model, CentOS Stream. Instead of offering a downstream, binary-compatible version of RHEL, Stream became a preview of future RHEL updates. This move caused widespread frustration:

• Organizations that built production environments around CentOS suddenly faced shortened support lifecycles.

• Developers who depended on a “set-and-forget” environment now had to deal with the unpredictability of a rolling release.

• Compliance-driven industries were left in limbo, as running on an unsupported OS could trigger security and regulatory risks.

This disruption created a vacuum, and the Linux community quickly stepped up to fill it.

The Birth of AlmaLinux and Rocky Linux AlmaLinux: Community-Driven, Enterprise-Ready

Shortly after the CentOS announcement, CloudLinux, a company with deep experience in server environments, launched AlmaLinux. The first stable release landed in March 2021. True to its name, “alma” meaning “soul”, the project’s mission was clear: to embody the spirit of CentOS while maintaining community governance. The non-profit AlmaLinux OS Foundation now oversees the project, ensuring it remains free and open for everyone.

Rocky Linux: A Tribute and a Promise

At almost the same time, Gregory Kurtzer, one of the original CentOS founders, unveiled Rocky Linux, named in honor of CentOS co-founder Rocky McGaugh. From the beginning, Rocky positioned itself as a 1:1 binary-compatible rebuild of RHEL, mirroring CentOS’s original mission. Its governance structure, managed by the Rocky Enterprise Software Foundation (RESF), ensures that the project remains rooted in community oversight rather than corporate ownership.

Go to Full Article

by George Whittaker A Shift in GNOME’s Core Applications

For over two decades, Eye of GNOME (often shortened to EOG) was the silent workhorse of the GNOME desktop environment. It wasn’t flashy, but it did exactly what most people expected: double-click a picture, and it opened instantly. Yet, with the arrival of GNOME 45 in late 2023, a new name appeared in the lineup of “core” apps: Loupe. From that moment forward, Loupe became the official default image viewer on GNOME desktops, displacing EOG.

This decision wasn’t made lightly. GNOME has been steadily refreshing its default applications in recent years, Gedit was replaced by GNOME Text Editor, and Cheese gave way to Snapshot. Loupe is the continuation of this modernization trend. Eye of GNOME is still available in repositories for those who want it, but the GNOME team has shifted its endorsement to Loupe as the better long-term solution.

What Loupe Brings to the Table

Loupe isn’t just a reskin of EOG. It was built from scratch with today’s hardware, design standards, and security expectations in mind. At first glance, the interface looks minimal, but there’s more happening beneath the hood than many realize.

• Rust-Powered Foundation – Unlike Eye of GNOME’s decades-old C codebase, Loupe is written in Rust. This choice immediately grants it memory safety, helping avoid whole categories of crashes and vulnerabilities. For an app that regularly opens untrusted files, this is an important safeguard.

• GPU-Accelerated Image Handling – Instead of pushing all rendering to the CPU, Loupe leverages the GPU. Panning across a large image or zooming into a 50-megapixel photo feels fluid, even on high-resolution displays.

• Touch-Friendly Navigation – GNOME has been preparing for a future that includes more touch devices. Loupe fits right in, supporting pinch-to-zoom, two-finger swipes to move between images, and smooth transitions that feel natural on both touchscreens and trackpads.

• Streamlined Metadata View – Instead of burying photo information behind a separate dialog, Loupe integrates an optional sidebar. With a click, you can see dimensions, file size, EXIF data, and even location details without leaving the main view.

• Security Through Sandboxing – Image decoding is handled in isolated processes using a new backend called Glycin. If a corrupt or malicious image tries to crash the decoder, it won’t take the entire viewer down with it.

Go to Full Article

by George Whittaker

For decades, the humble terminal has been one of the most unchanging parts of the Linux desktop. Text streams flow in monochrome grids, and while the underlying libraries have evolved, the experience has remained more or less the same. Ubuntu, however, is preparing to rewrite this narrative. The distribution is adopting Ptyxis, a fresh terminal emulator designed for modern computing, and one of its standout qualities is that it leans on the GPU for rendering rather than relying solely on the CPU.

This shift is more than cosmetic. It represents a rethink of how command-line tools should perform in an era of container-heavy development, high-DPI displays, and demanding workloads. Let’s unpack what makes Ptyxis a different breed of terminal, why Ubuntu is betting on it, and what it means for everyday users and power developers alike.

The Origin Story of Ptyxis

Ptyxis is not an accidental side project. It was initially prototyped under the name GNOME Prompt by Christian Hergert, a well-known GNOME contributor also behind GNOME Builder. Early experiments showed there was space for a terminal designed from scratch with today’s GNOME ecosystem and GPU pipelines in mind.

To avoid conflicts with existing software, the project was later rebranded as Ptyxis. The application has since matured rapidly, and major distributions such as Fedora and Ubuntu have committed to it. Ubuntu introduced it in experimental form in 24.10, and by the upcoming Ubuntu 25.10 “Questing Quokka”, it is expected to replace the aging GNOME Terminal as the default choice.

A New Kind of Terminal Experience GPU Acceleration as the Core

Traditional terminals typically rely on CPU-bound rendering stacks, often through libraries like Cairo and Pango. This works fine until you throw thousands of lines of log output or try to run full-screen text-based UIs that push rendering to its limits. Ptyxis sidesteps these bottlenecks by shifting the drawing work to the graphics processor, taking advantage of Vulkan or OpenGL backends supplied by GTK4.

The result is immediately noticeable: smooth scrolling, responsive updates, and consistent performance even with massive amounts of text on screen. It’s not just about speed, either, offloading rendering to the GPU reduces CPU strain, leaving headroom for the processes you’re actually running.

Go to Full Article

by George Whittaker Why this release cycle feels different

For most of the last decade, talk about Wayland on KDE sounded like a promise: stronger security, modern graphics, fewer legacy foot‑guns, once the pieces land. With Plasma 6, those pieces finally clicked into place. Plasma 6.1 delivered two changes that go straight to how frames hit your screen, explicit synchronization and smarter buffering, while 6.2 followed with color‑management and HDR work that makes creators and gamers care. Together, they turn “Wayland someday” into a desktop you can log into today without caveats.

The frame pipeline finally behaves Explicit sync: the missing handshake

On X11/older Wayland setups, graphics drivers and compositors often assumed when work finished (“implicit sync”), which is fine until it isn’t, especially on NVIDIA, where that guesswork frequently produced flicker or glitches. Plasma 6.1’s Wayland session speaks the explicit sync protocol instead. Now the compositor and apps exchange fences that say “this frame is done,” reducing visual artifacts and making delivery predictable. If you run the proprietary NVIDIA driver, this is the change you’ve been waiting for: NVIDIA added explicit‑sync support in the 555 series, and XWayland 24.1 gained matching support so many games and legacy X11 apps benefit as well.

What you’ll notice: fewer one‑off hitches, less tearing in XWayland content, and a general sense that motion is “locked in” rather than tentative, particularly with the 555.58+ drivers.

Dynamic triple buffering: fewer “missed the train” stutters

Traditional double buffering is cruel: miss a vblank by a hair and your framerate can fall in half. KWin 6.1 added triple buffering that only kicks in when the compositor predicts a frame won’t make the next refresh, letting another frame be “in flight” without permanently increasing latency. One of KWin’s core developers outlined how it activates selectively, tries not to add avoidable lag, and works regardless of GPU vendor. It sounds simple; it feels like the end of random judder during heavy scenes.

VRR/Adaptive‑Sync polish

Variable refresh is no longer a roulette wheel. KDE’s devs chased down stutter/flicker under Adaptive‑Sync, and those fixes landed in the same timeframe as Plasma 6.1. If your monitor supports FreeSync/G‑Sync Compatible and the GPU stack is sane, frame pacing is noticeably calmer.

Go to Full Article

by George Whittaker Introduction

With the arrival of GNOME 48, the desktop experience steps into a refreshing new era, blending clarity, visual richness, and adaptability. This release unfolds a more intuitive configuration interface, native HDR capability, and finer-grained display scaling. Whether you’re streaming, tweaking your workspace, or simply glancing over your notifications, GNOME 48 brings you improvements that feel both modern and meaningful, crafted to feel like they were made for real people doing real tasks.

A Refined Settings Environment Revamped Configuration Hub

GNOME 48’s Settings app has shed its former rigidity and stepped into a role that feels inviting and efficient. Never again will you wade through scattered sections, options are now neatly grouped, and the design flow intuitively matches how your mind works. Menus anticipate your focus, search responds predictably, and the overall layout whispers, “you’re in control.”

Assistive Features Front and Center

Accessibility isn’t an afterthought anymore, it’s central. Icons are clearer, toggles are easier to reach, and each label reads like someone actually sat down to ask, “How can we make this tool-friendly for everyone?” GNOME 48 puts inclusivity on full display, ensuring that those who rely on adaptive tech never need to dig for solutions.

Tighter System Synergy

Gone are the days when Wi-Fi, sound levels, or power settings felt tucked away. These essentials now respond faster, with less visual fuss and more behind-the-scenes connection to smarter system logic. It’s the kind of integration where you flick a switch and everything else falls into harmony.

Elevating Visuals with HDR Why HDR Lights Up the Desktop Experience

Forget washed-out colors or muddled shades, GNOME 48 steps up with HDR rendering, delivering brightness, depth, and contrast that bring your display to life. Darker shadows, gleaming highlights, sumptuous gradients, HDR transforms ordinary visuals into something cinematic. It’s not just eye candy; it's more faithful media, smoother workflows, and next-level artistic clarity.

What You’ll Need to Shine

This full-color upgrade doesn’t work across all drift of hardware, but it does mesh well with modern, HDR-capable monitors and compatible GPU drivers accelerating through Wayland. GNOME 48 ensures things just click when your stack supports it, activating the richer palette whenever your display and graphics card are game.

Go to Full Article

by George Whittaker

In the last decade, the digital landscape has shifted from a space of casual convenience to a battleground for personal information. From constant corporate profiling to sprawling government surveillance programs, the reality is clear, our devices have become treasure troves for those seeking to exploit or monitor us. As trust in mainstream platforms erodes, a surge of interest has emerged around operating systems that place security and privacy at their very core. At the forefront of this movement are a new breed of Linux distributions designed not just for power users and security experts, but for anyone who values control over their data.

The Age of Hyper-Exposure

Every click, swipe, and typed search leaves a footprint. This wasn’t always a mainstream concern, many users once traded data for convenience without a second thought. But a string of high-profile incidents changed the narrative: massive data breaches leaking millions of personal records, whistleblower revelations exposing global surveillance programs, and marketing giants quietly building extensive behavioral profiles of individuals.

For the average person, these events have shattered the illusion of online privacy. For professionals handling sensitive work, journalists, lawyers, healthcare providers, data exposure is more than a nuisance; it’s a potential threat to safety, reputation, and trust. The result? An accelerating search for technology that resists tracking, intercepts intrusions, and limits data leakage before it can begin.

Why Linux Has Become the Privacy Battleground

Linux, in its many forms, has always worn transparency as a badge of honor. Unlike proprietary systems where code is hidden from public scrutiny, Linux distributions are open-source, meaning anyone can inspect the source code, audit for vulnerabilities, or suggest improvements. This creates a self-reinforcing cycle of trust and accountability.

Beyond transparency, Linux allows deep configurability. Users can strip away unnecessary software, remove hidden telemetry, and harden their system against attacks. Updates arrive quickly, often patched within hours of a security flaw being reported, compared to the slower cycles of commercial operating systems. And most importantly, Linux is free from the corporate incentives that often drive aggressive data collection.

What Sets Security-Focused Distros Apart

While all Linux distributions benefit from open-source transparency, security-oriented distros go several steps further by building privacy and protection into their foundation:

• Hardened System Kernels: Some distros use custom kernels with advanced security patches (like grsecurity) to close off potential attack vectors.

Go to Full Article

by George Whittaker Introduction

Flatpak promises a secure runtime for Linux applications through container-like isolation, relying on bubblewrap namespaces, syscall filtering, and portal interfaces. In theory, each app should operate inside a strong sandbox, disconnected from the host system. But in reality, experience shows gaps, tiny cracks through which apps may escape with serious consequences.

The Sandbox Promise… and the Reality

Flatpak applications begin life in a highly-restricted environment: no network by default, no access to host files beyond the runtime and a private data directory, limited syscalls, and restricted access to session or system services. Portals provide a controlled channel for granting specific capabilities (e.g. file dialogs, screenshot, printing) without broad privileges.

Yet, many Flatpak packages declare broad permissions like filesystem=home, filesystem=host, or device=all. That effectively grants full read-write access to the user's home directory or even system devices, defeating the purpose of the sandbox in practice. Users often assume that 'sandboxed' means locked-down, but blanket permissions expose them to risk.

Real-World Breakouts from the Sandbox CVE‑2024‑32462: RequestBackground Portal Abuse

Security researcher Gergo Koteles uncovered a high-severity vulnerability where malicious Flatpak apps could craft a .desktop file via the org.freedesktop.portal.Background.RequestBackground interface. That tricked Flatpak’s --command= parsing into injecting bwrap arguments (e.g. --bind). This allowed arbitrary host commands to execute outside the sandbox boundary. Versions before 1.10.9, 1.12.9, 1.14.6, and 1.15.8 were affected. Patched in the listed versions and mitigated in xdg-desktop-portal 1.18.4 and newer.

CVE‑2024‑42472: Persistent Data Symlink Exploit

A Flatpak flag, --persist (or persistent= in manifest), allows apps writable storage within their data directory. But if a malicious install replaces that directory with a symlink pointing to sensitive host folders (e.g. ~/.ssh), the sandbox mount entry follows it into the real filesystem, giving the app unintended access to files outside its name-spaced area. All versions up to 1.14.8 and 1.15.x ≤ 1.15.9 are vulnerable; patched in 1.14.10 and 1.15.10+.

Policy Complexity and Ecosystem Slip-Ups

A detailed study of hundreds of Flatpak and Snap packages found that nearly 42% of Flatpak apps either override the supposed isolation or misconfigure sandboxing, resulting in overprivilege or potential escape paths. Crafting fine-grained sandbox policy is hard, and mistakes slip through easily.

Go to Full Article

by George Whittaker Opening the Curtain on Tails 6.0

On February 27, 2024, the Tails Project unveiled version 6.0, a milestone release built atop Debian 12 “Bookworm” and GNOME 43 . Tails, short for The Amnesic Incognito Live System, is engineered from the ground up to prevent data leakage, protect against targeted surveillance, and ensure that every use leaves no trace unless explicitly permitted . Version 6.0 refines this mission with a bold suite of features tailored to block modern surveillance tactics.

USB Integrity: Stopping Sneaky Hardware Threats Warnings for Persistent Storage Failures

Live USBs are critical lifelines for persistence in Tails. Now, Tails 6.0 alerts users when underlying storage suffers read/write errors. This early detection, prior to catastrophic data loss, allows users to back up their encrypted areas before disaster strikes .

Defense Against Rogue USB Devices

One of the stealthiest attack vectors involves plugging in malicious USB gear while a device is unattended. Tails now ignores any USB device connected while the screen is locked. Only when the screen is unlocked can new USB devices be activated, closing the door on rubber‑duckying-style malware delivery .

Usability Upgrades That Don’t Sacrifice Security Automatic Device Mounting with Safeguards

Plug in a flash drive or encrypted external disk while Tails is unlocked, and the system now instantly mounts the device and prompts for decryption (e.g. VeraCrypt volumes), smoothing workflow while preserving safeguards .

Ambient Display Options for Privacy-Conscious Use

GNOME 43 brings native support for dark mode, night‑light warm tones, or combinations thereof, all accessible via the system menu. These modes reduce eye strain and lower screen glare in sensitive situations, minimizing accidental disclosure in low-light settings .

Simplified Screenshots and Screencast Access

Through a redesigned system menu, users can now take screenshots or record screencasts with a few clicks—reducing reliance on external tools and minimizing exposure via unnecessary browser or app use .

Streamlined Gmail Setup in Thunderbird

Configuring a Gmail account is now smoother: Tails 6.0 allows direct sign‑in within Thunderbird using standard two-step verification, no manual IMAP or security adjustments required, eliminating error-prone manual steps .

Go to Full Article

by George Whittaker Introduction

In recent times, two critical Linux security frameworks, AppArmor and SELinux, have seen noteworthy acceleration in real-world deployment. As Linux continues to anchor enterprise, container, cloud, and desktop systems, these Mandatory Access Control (MAC) tools have crossed threshold events signaling broader acceptance. This article examines those pivotal inflection points, dives into why they matter, and offers reflections on the shifting landscape of Linux security.

A Swift Journey to Widespread Use SELinux’s Ascendancy

Originally conceived by the NSA and later shepherded by Red Hat, SELinux added powerful MAC controls to Linux by the early 2000s. Since being fully embedded into the Linux 2.6.x kernel, SELinux has steadily expanded its reach. It has become the default security layer on Red Hat Enterprise Linux, Fedora, and their derivatives, and integrated into Debian 9+, plus Ubuntu from version 8.04. Android further embraced SELinux starting from version 4.3, marking its normalization in mobile devices.

But the most recent watershed occurred in early 2025: openSUSE Tumbleweed made SELinux the default MAC for new installations beginning with snapshot 20250211, accompanied by minimalVM images running in enforcing mode. Existing installations remain unaffected unless manually migrated, and AppArmor remains an installer option. Moreover, openSUSE Leap 16 will be shipping with SELinux in enforcing mode by default, affirming a full shift within SUSE ecosystems.

This chain of events reflects a conscious pivot in favor of SELinux across both SUSE and community platforms, aligning them more closely with enterprise-grade security policies.

AppArmor’s Established Reach

AppArmor, originally named SubDomain in the late '90s, emerged from Immunix and later became a core tool in SUSE distributions. It officially became part of the Linux kernel in version 2.6.36 around October 2010. Ubuntu began shipping it by default starting with 7.10; by 8.04, CUPS was protected. Over the following releases, its scope widened to include MySQL, libvirt, browser sessions, and more. In Debian 10 ("Buster"), released July 2019, AppArmor became enabled by default, anchoring its adoption across Debian-based ecosystems.

Go to Full Article

by George Whittaker Introduction

Privilege escalation in Linux has always walked a tightrope between convenience and risk. sudo allows users to perform tasks as root without sharing the root password—intuitive, powerful—but also a high-value target for exploits rooted in memory safety bugs. Ubuntu is now pioneering a transition: replacing the traditional C-based sudo with sudo‑rs, a Rust-powered rewrite engineered for safer root handling.

Understanding sudo‑rs

Built under the Trifecta Tech Foundation’s “Privilege Boundary” initiative, sudo‑rs is a from-scratch implementation of sudo and su created in Rust, a language celebrated for its compile-time guarantees against memory mishaps. Designed to behave like the classic “sudo,” it supports user prompts, permission checks, and environment handling, but keeps underlying behavior Turing-equivalent.

Why Ubuntu Is Betting on Rust

Rust’s strict approach to memory usage eradicates whole classes of vulnerabilities—like buffer overflows and use-after-free—that have long plagued system tools. For a utility as privileged as sudo, these protections offer exponentially greater security value. Ubuntu’s strategy, dubbed “Carefully But Purposefully Oxidising Ubuntu,” is a methodical shift toward memory-safe tooling.

Transitioning in Ubuntu 25.10 and Beyond

Canonical has announced that Ubuntu 25.10 (“Questing Quokka”), scheduled for October 9, 2025, will ship sudo‑rs as the default /usr/bin/sudo. This serves as a proving ground ahead of Ubuntu 26.04 LTS (April 2026). Regular users will find no change—commands, flags, and password prompts remain familiar—while Ubuntu monitors real-world feedback.

Ensuring Compatibility

To deliver a smooth switch, Canonical is funding “Milestone 5” development in sudo‑rs to implement:

• NOEXEC for shell escape control,

• AppArmor integration,

• sudoedit,

• Support for kernels older than 5.9 (critical for Ubuntu 20.04 containers).

A “less‑is‑more” philosophy guides, meaning legacy niche features—like LDAP-based sudoers—might remain absent. But, for most workflows, sudo‑rs should cover every essential feature.

Coexistence and Rollback

Ubuntu’s old sudo will still be available in the repositories and can be reselected via the alternatives system. Users needing features not yet ported to sudo‑rs can effortlessly revert.

Go to Full Article

by George Whittaker Driving Forces Behind Smarter Battery Use

In an era when remote work, video conferencing, and travel-heavy lifestyles are the norm, users expect laptops to last longer unplugged. Meanwhile, growing awareness of sustainability adds pressure to maximize energy efficiency. Recognizing this mantra, Linux developers have overhauled power-handling strategies, from the kernel core to user-space tools, to meet these expectations in 2025.

Core Kernel Enhancements: Harnessing Modern Power Tech Kernel 6.x’s Focus on Power Efficiency

• Linux 6.8 introduced refined support for newer hardware, including better CPU/GPU idle-state transitions and energy-friendly firmware interfaces.

• Linux 6.15, released in May 2025, continues this trend by adding improved power-capping, more regulators, voltage handlers, and enhanced support for ARM, RISC-V, and Intel/AMD CPU power modules.

These enhancements enable finer-grained control over sleep states, clock gating, and dynamic walling-off of unused chip domains, all pivotal for squeezing extra runtime.

MCU-Firmware Communication with FWCTL

A new firmware controller (fwctl) infrastructure within 6.15 gives user-space tools secure communication channels with embedded controller features, making tasks like adjusting battery charge thresholds more accessible and scriptable.

Advanced CPU & GPU Power Strategies Smarter Frequency Governors

Both intel_pstate and amd_pstate drivers continue evolving. Passive and conservative CPU governors now dynamically adapt based on workload profiles, delivering noticeable battery gains with minimal performance loss.

Low-Power On-Battery GPU Modes

Graphics subsystems are smarter about sleep:

• Intel's Arc and DG2 families now feature improved idle ramp-down behaviors for better battery performance.

• For AMD users, the transition from generic AMDGPU RADEON_POWER_PROFILE settings to fwctl-control offers more granular DPM tuning on laptops, especially under battery constraints.

Deep Sleep States and ACPI Evolution

The adoption of ACPI 6.6 and expanded kernel support for S0ix and modern-sleep states allow laptops to hang out in ultra-low-power standby, extending idle time battery life. Suspend-to-disk and resume logic also got less noisy, reducing spur-of-the-moment wake-ups that were draining battery life for many users.

Go to Full Article

by George Whittaker

When Rust first made its way into the Linux kernel in late 2022 (mainline inclusion began with version 6.1), it didn’t merely introduce a new programming language, it marked a profound shift in how we ensure operating system resilience. This article dives into why that matters, how it’s being implemented, and what it could mean for Linux’s long-term robustness.

Tackling the C Legacy: A Fragility Problem

For over three decades, the Linux kernel has been maintained in C, a language that offers both raw control and notorious pitfalls. Manual memory juggling in C leads to high-risk bugs: buffer overflows, phantom pointers, heap corruption, and race conditions. In fact, memory safety issues account for around two-thirds of all kernel vulnerabilities.

Enter Rust: a systems language designed to eliminate whole classes of these errors through strict compile-time checks, without sacrificing low-level efficiency.

Rust’s Safety Toolkit: What Sets It Apart

Rust’s most powerful features for kernel reliability include:

• Ownership semantics & the borrow checker These enforce rules about who owns a piece of memory at compile-time, no dangling pointers, no double frees.

• No runtime garbage collector All abstractions compile down to efficient machine code, ensuring performance remains rock-solid.

• Race elimination for free Rust-language concurrency prevents data races statically, eliminating a whole breed of timing-related bugs.

Combined, these attributes strip away entire categories of vulnerabilities that plague C-based code.

A New Layer: The Rust-for-Linux Framework

The groundwork for Rust modules in Linux was laid with kernel 6.1, and by version 6.8, the first experimental Rust drivers, covering areas like network PHYs and panic QR logging, were accepted. These drivers coexist with traditional C components, forming a hybrid architecture where Rust is used for new drivers while C remains the backbone.

Crucially, this integration includes:

• A Rust bindings crate to interface safely with C internals.

• A kernel crate that wraps core kernel structures and APIs for Rust consumption.

This layering enables gradual Rust adoption, developed drivers, not wholesale rewrites.

Early Results: Fewer Bugs, More Confidence

Evidence is already showing promise:

• Memory safety vulnerabilities drop out as code gets written in Rust, tackling roughly two-thirds of past CVEs.

• Kernel maintainers are noticeably more comfortable merging Rust patches, citing the added rigor from the borrow checker.

Go to Full Article

by George Whittaker A Paradigm Shift in Desktop Computing

The landscape of desktop operating systems has witnessed a notable transformation in 2025. Linux, once considered a niche player, has achieved a significant milestone by capturing 4.7% of the global desktop market share. This achievement underscores a growing trend of users seeking alternatives to traditional operating systems.

Tracing the Growth Trajectory

Linux's journey to its current standing has been marked by steady growth:

• July 2022: 2.76%

• July 2023: 3.12%

• July 2024: 4.44%

• June 2025: 4.7%

This upward trend reflects a combination of technological advancements and shifting user preferences.

Catalysts Behind the Surge 1. Gaming Innovations

The gaming sector has played a pivotal role in Linux's rising popularity. Valve's Steam Deck, a handheld gaming device running on Linux-based SteamOS, has introduced a new audience to the capabilities of Linux. Additionally, compatibility layers like Proton have enhanced the gaming experience on Linux platforms.

2. Enhanced Hardware Support

Modern Linux distributions have significantly improved hardware compatibility, making installation and daily use more seamless for users across various devices.

3. Cost-Effective Solutions

The open-source nature of Linux offers a free alternative to proprietary operating systems, appealing to both individual users and organizations aiming to reduce software licensing costs.

4. Regional Adoption Patterns

Certain regions have exhibited higher adoption rates. In the United States, Linux's desktop market share reached 5.03% in June 2025. In India, the figure stood at 16.21% as of July 2024. These statistics highlight the global appeal and adaptability of Linux.

Addressing Ongoing Challenges 1. Ecosystem Fragmentation

The diversity of Linux distributions, while offering flexibility, can lead to inconsistencies in user experience and software compatibility.

Despite progress, some proprietary applications and games remain inaccessible or require complex configurations on Linux systems.

2. Software Availability

Despite progress, some proprietary applications and games remain inaccessible or require complex configurations on Linux systems.

Go to Full Article

by George Whittaker

Released on March 24, 2025, Linux Kernel 6.14 introduces significant enhancements for Intel and AMD processors, focusing on performance, power efficiency, and hardware compatibility. These updates are particularly beneficial for users leveraging the latest CPU architectures and AI-driven workloads.

Intel CPU Enhancements Support for Upcoming Architectures

Linux 6.14 extends support to Intel's forthcoming Panther Lake CPUs, incorporating thermal driver support for improved power efficiency and enabling Ultra-High Bit Rate (UHBR) modes via DisplayPort on Thunderbolt's Alt-Mode. This advancement allows for 10G and 20G UHBR modes, enhancing display capabilities for devices equipped with Xe3 graphics.

Additionally, preparations for Intel's Clearwater Forest server processors are underway, with the inclusion of EDAC (Error Detection and Correction) driver support and readiness of the Turbostat tool for monitoring.

Performance and Virtualization Improvements

The kernel introduces Translation Lookaside Buffer (TLB) flushing scalability optimizations, reducing overhead during context switches and improving overall system performance. Enhancements to the x86 Kernel-based Virtual Machine (KVM) also contribute to better virtualization support, benefiting environments that rely on virtual machines.

AMD CPU Enhancements Introduction of AMD XDNA Driver

A notable addition in Linux 6.14 is the AMD XDNA driver, providing support for AMD's Neural Processing Units (NPUs) integrated into Ryzen AI processors. This driver facilitates AI workloads, such as machine learning applications, by enabling efficient execution of tasks like convolutional neural networks and large language models.

Power Management and Performance Tweaks

The AMD P-State driver receives updates, including dynamic ranking of preferred CPU cores and defaulting to the 'balance_performance' Energy Performance Policy (EPP) on Ryzen and EPYC processors. These changes aim to optimize power consumption without compromising performance.

Furthermore, encryption performance sees a 2-3% boost for AES-GCM and AES-XTS standards on Zen 4 and Zen 5 processors, enhancing data security operations.

Broader Implications

Beyond CPU-specific enhancements, Linux 6.14 introduces the NTSYNC driver, improving compatibility and performance for Windows games emulated via Wine and Proton. The kernel also expands support to accommodate up to 4,096 CPU cores, doubling the previous limit and catering to high-performance computing environments. Additionally, improvements in suspend/resume functionality enhance power management for various devices.

Go to Full Article

by George Whittaker

openSUSE Leap 16 marks a significant evolution in the openSUSE project, integrating the robustness of SUSE Linux Enterprise (SLE) with the dynamism of community contributions. This release aims to provide a stable, adaptable, and secure Linux distribution suitable for various environments, from enterprise servers to developer workstations.

Foundation: SUSE Linux Framework One (SLFO)

Leap 16 is built upon SUSE Linux Framework One (SLFO), formerly known as the Adaptable Linux Platform (ALP). This modular architecture allows for a more flexible and maintainable system, enabling users to tailor their installations to specific needs. By leveraging SLFO, Leap 16 inherits the enterprise-grade stability and support lifecycle of SLE 16, ensuring a reliable foundation for critical workloads.

Key Features and Enhancements 1. Modern Installation with Agama

Leap 16 introduces the Agama installer, a web-based, modular installation tool that replaces the traditional YaST installer. Agama offers a cleaner user interface and supports features like remote installations and scripting for automated deployments, enhancing the installation experience for both new and experienced users.

2. Enhanced Security with SELinux

Security-Enhanced Linux (SELinux) is now enabled by default in Leap 16, aligning with SLE's security practices. This change provides a more robust security framework, offering fine-grained access controls and improved isolation. For users preferring alternative security modules, AppArmor remains available as an option.

3. Transition to Wayland Display Server

Leap 16 adopts Wayland as the default display server, moving away from the legacy X11 system. Wayland offers improved performance, security, and support for modern graphics hardware. While X11 components are still available for compatibility, the shift to Wayland represents a step forward in graphical session management.

4. Updated Desktop Environments

Users can enjoy the latest desktop environments with Leap 16, including GNOME 48 and KDE Plasma 6.3. These updates bring new features, performance improvements, and enhanced user experiences to the desktop.

5. System Management Tools: Cockpit and Myrlyn

With the deprecation of YaST in Leap 16, system management transitions to Cockpit and Myrlyn. Cockpit provides a web-based interface for managing system settings, services, and performance monitoring. Myrlyn serves as a new Qt-based front end for software management, offering a streamlined experience for package installation and updates.

Go to Full Article

by George Whittaker

Manjaro Linux has long been celebrated for blending the power of Arch Linux with user-friendly features. With the release of Manjaro 25.0 “Zetar”, the distribution takes significant strides in enhancing application management through Flatpak integration and optimizing the system for gaming enthusiasts. This update also brings advancements in desktop environments, file system choices, and hardware support.

Flatpak Integration: Streamlining Application Management

One of the standout features of Manjaro 25.0 is its enhanced support for Flatpak, a universal package management system. This integration allows users to install and manage applications in a sandboxed environment, improving security and ensuring that applications have access only to the resources they need. The inclusion of Flatpak support means users can easily access a vast repository of applications, including those not available in traditional repositories, directly through the Pamac package manager.

Gaming Enhancements: A Focus on Performance

Manjaro 25.0 places a significant emphasis on gaming, introducing several features aimed at improving performance and compatibility:

• Linux Kernel 6.12 LTS: The default kernel in this release offers improved hardware support, including better compatibility with newer GPUs and CPUs, which is crucial for gaming performance.

• Enhanced Graphics Support: Updates to graphics drivers, including the latest Mesa and NVIDIA drivers, ensure that gamers have access to the most recent improvements and bug fixes.

• Manjaro Summit Initiative: Although still in its alpha phase, the Manjaro Summit project introduces a semi-immutable version of the distribution, aiming for greater system stability and consistency—an essential factor for gaming systems.

Desktop Environment Updates: GNOME 48, KDE Plasma 6.3, and Xfce 4.20

Manjaro 25.0 offers updated versions of its three main desktop environments, each bringing unique enhancements:

GNOME 48

• Notification Stacking: Improves organization by grouping notifications from the same application.

• Dynamic Triple Buffering: Enhances animation smoothness and reduces screen tearing.

• Battery Charge Limiting: Introduces an option to cap battery charging at 80%, prolonging battery lifespan.

• HDR Support: Initial support for High Dynamic Range displays, offering richer visuals.

KDE Plasma 6.3

• Improved Fractional Scaling: Provides sharper visuals on high-DPI displays.

Go to Full Article

by George Whittaker Introduction: A New Chapter for Ubuntu

Ubuntu 25.10, affectionately codenamed Questing Quokka, represents more than just the latest iteration of Canonical’s flagship Linux distribution. It marks a decisive step towards modernizing the foundation of Ubuntu by integrating Rust, a systems programming language renowned for its safety, performance, and modern design. This bold move signals Canonical’s commitment to security, reliability, and future-proofing its desktop and server operating systems.

The release of Questing Quokka aligns with a growing trend across the Linux ecosystem: embracing Rust as a key technology for building low-level components. But what does this mean for Ubuntu users and developers? Let’s explore the significance of this change, what tools are being rewritten or introduced in Rust, and how this positions Ubuntu for the future.

Why Rust? The Language of Safety and Speed The Need for Safer Code

For decades, core components of Linux distributions—including Ubuntu—have been written predominantly in C. While C offers unmatched control and performance, it also exposes developers to a range of memory-related errors: buffer overflows, use-after-free bugs, and data races, to name a few. These flaws are among the leading causes of vulnerabilities that compromise system security.

Rust was designed specifically to address these issues. It offers:

• Memory safety without garbage collection: Rust’s ownership model and borrow checker ensure that memory errors are caught at compile time.

• Fearless concurrency: Developers can write multithreaded code that’s safe by default.

• Modern tooling and ecosystem: A robust package manager (Cargo), modern build tooling, and vibrant community support.

Linux and Rust: A Growing Bond

Ubuntu is not alone in recognizing Rust’s advantages. The Linux kernel itself has started to accept Rust code, with drivers and modules being prototyped in Rust to enhance safety. Projects like GNOME, System76’s COSMIC desktop, and various networking utilities have already begun leveraging Rust.

By adopting Rust-based tools, Canonical is aligning Ubuntu with this broader movement—ushering in a future where critical system software is both fast and secure.

Go to Full Article