Tux Machines

Building secure images with NixOS

posted by Roy Schestowitz on Nov 14, 2024

NixOS

Image-based Linux distributions have seen increasing popularity recently. They promise reliability and security, but pose packaging problems for existing distributions. Ryan Lahfa and Niklas Sturm spoke about the work that NixOS has done to enable an image-based workflow at this year's All Systems Go! conference in Berlin. Unfortunately, LWN was not able to cover the conference for scheduling reasons, but the videos of the event are available for anyone interested in watching the talks. Lahfa and Sturm explained that it is currently possible to create a NixOS system that cryptographically verifies the kernel, initrd, and Nix store on boot — although doing so still has some rough edges. Making an image-based NixOS installation is similarly possible.

Lahfa started by giving a brief overview of NixOS for those attendees who were unfamiliar with it. He described the distribution as a "standard systemd-based Linux", but with some differences mostly centered around the fact that it does not follow the filesystem hierarchy standard. In NixOS, all of the binaries on the system live in /nix/store, and are configured to use a path and library path that are tightly scoped to only their declared dependencies. This has a lot of benefits, Lahfa said, including NixOS's ability to run multiple versions of the same software. But it also has consequences for secure boot.

Lahfa explained that secure boot "controls who is allowed to run software on your computer". It relies on using signed binaries; the computer will only boot into the provided kernel if the signature on it is valid. On systemd systems, it is possible to use unified kernel images (UKIs), which package a unified extensible firmware interface (UEFI) boot stub, the kernel, and its initrd together. This has security benefits, because it means that secure boot validates the initrd as well as the kernel. But it causes problems for NixOS, which needs to present many more options in the bootloader than most other distributions in order to support its efficient rollback features.
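
To make "packaged together" concrete, the following added example (not code from the talk or from NixOS tooling) reads the PE section table of a boot image and reports whether the kernel and initrd sections are embedded in it; `.linux` and `.initrd` are the section names used by the UKI specification. The sample images are constructed in-line and are not bootable, and the check establishes presence only: it does not verify the signature.

```python
import struct

# Section names the UKI specification assigns to the kernel and the initrd.
REQUIRED = (".linux", ".initrd")

def pe_sections(image: bytes) -> dict:
    """Map section name -> (file offset, raw size) for a PE/COFF image."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    try:
        count, = struct.unpack_from("<H", image, pe_off + 6)       # NumberOfSections
        opt_size, = struct.unpack_from("<H", image, pe_off + 20)   # SizeOfOptionalHeader
        table, sections = pe_off + 24 + opt_size, {}
        for i in range(count):
            name, _, _, size, off = struct.unpack_from("<8sIIII", image, table + 40 * i)
            if off + size > len(image):
                raise ValueError("section data runs past end of file")
            sections[name.rstrip(b"\0").decode("ascii", "replace")] = (off, size)
    except struct.error as exc:
        raise ValueError("truncated PE headers") from exc
    return sections

def missing_uki_parts(image: bytes) -> list:
    """REQUIRED sections that are absent or empty in this image."""
    found = pe_sections(image)
    return [n for n in REQUIRED if found.get(n, (0, 0))[1] == 0]

def build_sample(parts: dict) -> bytes:
    """Constructed input: PE headers plus the given sections (not bootable)."""
    offset = 0x40 + 24 + 40 * len(parts)          # first byte after the headers
    out = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)
    out += b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, len(parts), 0, 0, 0, 0, 0)
    for name, data in parts.items():
        out += struct.pack("<8sIIIIIIHHI", name.encode(), len(data), 0,
                           len(data), offset, 0, 0, 0, 0, 0)
        offset += len(data)
    return out + b"".join(parts.values())

SAMPLE_UKI = build_sample({".osrel": b"ID=nixos\n", ".cmdline": b"init=/constructed",
                           ".linux": b"K" * 64, ".initrd": b"I" * 128})
SAMPLE_KERNEL_ONLY = build_sample({".text": b"K" * 64})  # no embedded initrd

if __name__ == "__main__":
    for label, img in (("uki", SAMPLE_UKI), ("kernel-only", SAMPLE_KERNEL_ONLY)):
        print(label, pe_sections(img), "missing:", missing_uki_parts(img))
```

An image that reports `.initrd` as missing loads its initrd from outside the signed file, which is the case the UKI layout is meant to close.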

NixOS's separation of binaries into individual paths under /nix/store — and ability to share libraries between different versions — allows the distribution to keep a large number of previous configurations around. Every time a NixOS system has its configuration changed, from a software update, for example, the complete state of the installed programs is saved as a "generation". In the bootloader, the user can select any previous generation they would like (at least until the old generations are cleaned up to reclaim their storage space), and the kernel will load the appropriate initrd for that generation, which in turn sets up all of the configuration files from that generation. This allows for fearless upgrades, since the previous configuration is available in the boot menu — a value proposition quite similar to image-based distributions. Unfortunately, this ability doesn't work well if the initrd needs to be bundled with the kernel, because that increases both the size of each kernel image, and the number of different kernel images that must be stored. Doing so will quickly fill up the EFI (Extensible Firmware Interface) system partition (ESP).
