GNU/Linux Leftovers
-
Kernel Space / Virtualization
-
Ubuntu ☛ AppArmor vulnerability fixes available
Linux kernel fixes for the supported Ubuntu releases are being made available as security updates by the Canonical Kernel Team. Furthermore, our security team has provided userspace mitigations in the form of security updates, for all affected Ubuntu releases. Our recommendation is that you apply both userspace mitigations and Linux kernel security updates.
-
Data Swamp ☛ Make your own container base images from trusted sources
I really like containers, but they are something that is currently very bad from a security point of view: distribution.
We download container images from container registries, whether it is docker.io, quay.io or ghcr.io, but the upstream projects do not sign them, so we can not verify a CI pipeline or the container registry did not mess with the image. There are actually a few upstream actors signing their images: Fedora, Red Hat and universal-blue based distros (Bluefin, Aurora, Bazzite), so if you acquire their public key used for signing from a different channel, you can verify if you got the image originally built. Please do not hesitate to get in touch with me if you know about other major upstreams that sign their container images.
Nevertheless, we can still create containers ourselves from trustable artifacts signed by upstream. Let's take a look at how to proceed with Alpine Linux.
-
-
Desktop Environments (DE)/Window Managers (WM)
-
K Desktop Environment/KDE SC/Qt
-
Harry Wentland: Plane Color Pipeline, CSC, 3D LUT, and KWin
A wild blog appears…
The Plane Color Pipeline API and KWin
A couple months ago the DRM/KMS Plane Color Pipeline API was merged after more than 2 years of work and deep discussions. Many people worked on it and it’s nice to see it upstream. KWin and other compositors implemented support for it. I’ll mainly focus on kwin here because that’s what I use regularly and what I am most familiar with. I will also focus on AMD HW because that’s what I’m working on.
-
-
GNOME Desktop/GTK
-
Aryan Kaushik: Open Forms is now 0.4.0 - and the GUI Builder is here
This is exactly what happened while setting up a booth at GUADEC. The Wi-Fi on the GNU/Linux tablet worked, we logged into the captive portal, the chip failed, Wi-Fi gone. Restart. Repeat.
We eventually worked around it with a phone hotspot, but that locked the phone to the booth. A one-off inconvenience? Maybe. But at any conference, summit, or community event, at least one of these happens reliably.
-
-
-
Distributions and Operating Systems
-
Fedora Family / IBM
-
Red Hat ☛ How to develop agentic workflows in a CI pipeline with cicaddy
When exploring agentic AI, engineering teams often encounter a common barrier: establishing a dedicated agentic platform service. This involves deploying a new runtime, operating a new control plane, and managing a new set of credentials, all before executing a single workflow. However, the continuous integration (CI) pipeline already serves as the most ideal system for scheduling and orchestration for most teams. This article demonstrates how to build agentic workflows directly inside your existing CI/CD pipeline using cicaddy, a platform-agnostic pipeline Hey Hi (AI) agent framework, requiring no separate agentic platform. Your CI system is the scheduler, the executor, and the audit trail.
-
-