FOSS Weekly #26.20: Killswitch in Linux, Fedora's AI Move, Rat in Terminal, KDE Dolphine Tweaks and More

Hot on the heels of Copy Fail comes Dirty Frag, another Linux kernel privilege escalation with a working exploit already public. It chains two flaws, neither of which can work alone.

Luckily, fixes have arrived for it in the Linux kernel, as well as Fedora and Pop!_OS. I suggest you make the necessary updates or risk being open to a highly publicized exploit.

Seeing the rise of such exploits, there is now a new kernel proposal called killswitch, which would allow system administrators to disable a vulnerable kernel function at runtime.

In addition to that, there is a proposal for a scheduler in kernel that promises frame time improvements on aging hardware under heavy CPU load.

A few weeks ago, we reported about LVFS turning up the heat on vendors who didn't pay their fair share. Now, Dell and Lenovo have both signed on as Premier sponsors at $100,000 a year each, making them the first vendors to reach that tier.

Ubuntu announced local-first AI plans, and now Fedora has approved its own AI Developer Desktop initiative with a unanimous council vote. Three Atomic Desktop images are planned, two of them CUDA-enabled, and none of them would be phoning home to cloud services.

Fedora has also announced Hummingbird, a distro that ships the entire OS as a bootable OCI image with atomic updates and rollback support.

Debian has made reproducible builds a hard requirement for the Forky cycle. Since May 9, any package that can't be compiled byte-for-byte identically from its source is blocked from entering testing.

Here are other highlights of this edition of FOSS Weekly:

• How moving away from OneDrive looks like.
• Yazi file browser (that I missed to include last week).
• A Ratatui terminal.
• And other Linux news, tips, and, of course, memes!

🧠 What We’re Thinking About

My colleague Sourav, a long-time OneDrive user, had to move away from it over fears of Copilot messing around with his photos and videos. Ente Photos was the alternative he went for.

🧮 Linux Tips, Tutorials, and Learnings

Yazi is a Rust-based terminal file manager that does a lot more than ls and cd. You get a three-pane layout, image previews, syntax-highlighted code previews, and archive peeking without extraction.

Most KDE users know Dolphin does split view and tabs. Fewer know it can verify file checksums, restore recently closed tabs with Ctrl+Shift+T, and paste images directly from the browser.

If you have been eyeing a move to Fedora, then our Getting Started with Fedora series is the one for you. This curated resource page covers everything from first boot to enabling RPM Fusion, NVIDIA drivers, Steam setup, and upgrading between versions.

👷 AI, Homelab and Hardware Corner

Sanctions pushed Huawei to build their own mobile OS. Five years later, it's on 55 million devices and growing fast.

If you are coding with AI agents, here's a new open source tool that works like git but for the AI coding agents.

Tired of AI fluff and misinformation in your Google feed? Get real, trusted Linux content. Add It’s FOSS as your preferred source and see our reliable Linux and open-source stories highlighted in your Discover feed and search results.

Add It's FOSS as preferred source on Google (if you use it)

✨ Apps and Projects Highlights

Terminal can be scary. Terminal can be fun. Terminal can be weird. This week, we came across a new terminal that is amusing, absurd and fun. It shows terminals can have 3D effects.

If you live in the terminal and use Discord, Concord can be a TUI client replacement for it. Keep in mind that it is a relatively new offering, so verify this before installing it on your computer.

📽️ Videos for You

You can run Arch Linux apps on Ubuntu by using Distrobox.

Subscribe to It's FOSS YouTube Channel

💡 Quick Handy Tip

In Kate text editor, you can compare two files for differences in content. First, open two files in separate tabs. Then, right-click on the title of the inactive tab and select the "Compare it with Active Document" option.

This will open a new tab, highlighting the differences between the files.

🎋 Fun in the FOSSverse

Do you know all the Apt commands? You can test your knowledge with our package management quiz.

Newbies have a hard choice to make nowadays. 😆

🗓️ Tech Trivia: On May 10, 1954, Texas Instruments engineer Gordon Teal stunned attendees at an IRE conference in Dayton, Ohio, by announcing the first commercially produced silicon transistor, moments after other speakers had declared such a device was still years away.

🧑‍🤝‍🧑 From the Community: Pro FOSSer Ernest shares how he has created a home-brewed, cross-platform reminders system.

from It's FOSS https://ift.tt/DCJecKi
via IFTTT

This New Terminal is Absurd (But Totally Fun)

There is no dearth of terminal emulators for Linux users. Most people stick with the default terminal, while some have their own preferred ones.

I like Kitty and I am pretty happy with it. But then I came across a new Rust-based terminal that grabbed my attention.

No, it's not because it's written in Rust. It's because the terminal has a rat as the mouse cursor.

Did you see the rat?

Sounds weird, right? But Ratty shows the unusual capabilities of a terminal.

What is Ratty, again?

Ratty is a modern terminal emulator written in Rust that brings a unique twist to the command line. Unlike traditional terminal environments, Ratty is GPU-rendered.

It supports viewing 3D models directly inside the terminal window, and a lot more!

The design is inspired by TempleOS, giving it a retro look while still maintaining modern performance.

Let's take a look at this cool project and see what makes it stand out in the crowded field of terminal emulators.

Amusing features of Ratty

Ratty stands out by merging traditional terminal functionality with modern graphics rendering. Here are some of the most notable features I noticed in this experimental project.

📋

I know screenshots are easier to glance at, but since most of the features here are animations, I added videos to show them in action.

Customizable 3D Cursor

Ratty uses terminal protocols, Ratatui and the Bevy game engine to create a 3D representation for the cursor. Instead of a traditional block or line, the cursor can be a 3D rat or other customized objects.

Rotating 3D Cursor

When you install Ratty, you get a spinning rat as the cursor by default. This 3D object moves along with your text input, providing a unique visual experience that blends a game engine's rendering capabilities with a standard terminal workflow.

3D Mode

Ratty includes a dedicated 3D Mode that transforms the entire terminal into a canvas within a 3D scene. In this mode, the terminal window is no longer static. You can pull, warp and view your terminal output from different angles!

3D Mode in Ratty

To enter 3D mode, you can use the keyboard shortcut CTRL+ALT+Enter.

Additionally, there is a "Mobius mode" accessible via CTRL+ALT+M. This twists and bends the terminal output to form a continuous Mobius strip, showcasing the project's integration with the Bevy game engine.

Mobius Mode

While you are in 3D Mode, you can press the Super+CTRL+ALT+Up to increase warp and Super+CTRL+ALT+Down to reduce warp.

Increase and decrease warp

Inline 3D Objects

This feature allows developers to register 3D assets and anchor them to specific text cells in the terminal. Because they are anchored to the cells, the 3D models move seamlessly as the text scrolls or changes position.

Inline 3D. Credit: orhun/ratty

To make this work, the project uses a dedicated Ratty Graphics Protocol. This protocol handles the communication between the terminal data and the 3D engine to ensure the models stay synced with the text on your screen.

Builtin Image Support

Ratty also supports the Kitty Graphics Protocol, which allows it to display standard images directly in the terminal window.

This compatibility means that tools like fastfetch or yazi can show real images and icons alongside your text. By supporting this established protocol, Ratty ensures that modern terminal utilities work as expected while still offering its own specialized 3D features.

Live 2D to 3D Split Pane Drawing

Ratty includes a 3D drawing demo that showcases its unique rendering capabilities. This feature uses a split-pane workspace where you can draw on a traditional 2D canvas on the left side of the terminal.

2D to 3D split pane editing. Credit: orhun/ratty

As you draw on the flat surface, Ratty instantly generates a live 3D preview of your creation on the right side. The preview rotates in real-time, allowing you to see how your 2D input translates into a 3D object without leaving the terminal environment.

Interactive Document Mode

Ratty also features a document editing mode inspired by TempleOS. This mode allows you to type standard, editable text directly alongside embedded 3D objects.

Because these 3D models are animating in real-time on the same screen as your text, the terminal functions more like a spatial document editor than a simple command prompt. It provides a unique way to interact with data where text and 3D assets coexist in the same workspace.

Installing Ratty

The best way to install Ratty is using Cargo, the Rust package manager. It's a Rust application, after all.

cargo install ratty

For Arch Linux users, there is a package available in the official repositories. You can install it by running:

sudo pacman -S ratty

If you prefer not to compile from source, prebuilt binaries are available for direct download on the GitHub releases page.

Download Ratty

It is important to note that Ratty requires a GPU to function properly. If you are trying to run it inside a virtual machine, it will not open unless you have configured GPU passthrough settings.

⚠️ Troubleshoot

I installed Ratty on Arch Linux and noticed it was missing from the application menu. I had to manually create a desktop entry. Here's how you can do the same.

Create a file at ~/.local/share/applications/ratty.desktop with the configuration provided below, the terminal will appear in your app launcher just like any other program.

[Desktop Entry]
Name=Ratty
Comment=A GPU-rendered terminal emulator with inline 3D graphics
Exec=env TERM=xterm-kitty ratty
Icon=utilities-terminal
Type=Application
Terminal=false
Categories=System;TerminalEmulator;

While this manual method worked for me, if you know of an alternate solution or a more official way to handle the menu entry, feel free to mention it in the comments.

Configuring Ratty

Ratty can be configured using a TOML file located at ~/.config/ratty/ratty.toml. If the directory and file do not exist yet, you can create them using the following commands:

mkdir -p ~/.config/ratty
cd ~/.config/ratty
touch ratty.toml

Once you have created the file, you can copy and paste the default configuration template provided by the project. This allows you to customize the behavior and appearance of the terminal to suit your preferences.

You can find the default config file for Ratty here.

Impressive?

Clearly, Ratty is an experimental project focused on pushing the boundaries of terminal development and testing innovative ideas. Because it uses a game engine for rendering, it is currently heavy on system resources.

Orhun, Ratty creator, explicitly notes that it is not intended as a "daily driver" for standard productivity and hopes to optimize the performance in the future.

The use of 3D sprites and game-like graphics inside a terminal may not appeal to everyone. However, it offers unique possibilities for designers and developers who want to see their assets living directly inside source files or within the terminal workspace.

What is your impression of Ratty? Share it in the comments please,

from It's FOSS https://ift.tt/AudsGTS
via IFTTT

Fedora Hummingbird Debuts As A Super Hardened Linux Distro

Seeing that we are in a time when new Linux exploits seem to be popping up every few weeks, many projects have had to take preventive measures to tackle the growing threat.

Red Hat looks like the latest to act on this front. Fedora's recent announcement introduces Fedora Hummingbird, a new rolling release distribution that ships the entire OS as an OCI image.

It is built on the security-first pipeline behind Project Hummingbird's existing container catalog, with the foundational project itself being something Red Hat introduced as an early access program for subscribers back in November 2025.

The main idea behind the project is to ship a catalog of minimal, hardened, distroless container images kept at near-zero CVE status. When a vulnerability gets patched upstream, the build pipeline finds it, rebuilds the affected image, and ships it.

Fedora Hummingbird is applying the same logic but to a full-size operating system, using a Konflux-based build pipeline, drawing over 95% of packages from Fedora Rawhide.

Whatever Rawhide doesn't have yet gets pulled from upstream, and any fixes made along the way feed back into Fedora.

Moreover, Red Hat's Product Security team maintains a vulnerability feed for each package, so instead of a generic CVE list, you get a clearer picture of what actually affects your setup.

The kernel powering it is the Always Ready Kernel (ARK) from the CKI project, which follows mainline Linux and already ships in Fedora. And, to wrap up, all updates are atomic with rollback support, the root filesystem is read-only, and writable state stays in /var and /etc.

How's it different from Fedora Atomic?

If you're already running Silverblue, Kinoite, or any of the other Fedora Atomic Desktops, then the "immutable OS" moniker might feel familiar to you. But Hummingbird and those are not the same thing.

Fedora's existing Atomic Desktops are rpm-ostree-based desktop variants built from the standard Fedora package set, released on Fedora's regular six-month cycle.

They are built for end users who want a stable, immutable desktop experience.

Fedora Hummingbird ships no desktop environment and is a rolling release that tracks Fedora Rawhide directly, built through its own dedicated pipeline where every package carries independent CVE tracking and its own lifecycle.

The target here is developers and cloud-native workloads, not the desktop market.

Download Fedora Hummingbird

🚧

This image is currently experimental and not suitable for production use.

The image is available to download for the x86_64 and aarch64 platforms with no subscription or registration required. The project's source code lives on GitLab, and is open for contributions.

The download page also has step-by-step instructions for spinning up a virtual machine.

Fedora Hummingbird

---

Suggested Read 📖: Dirty Frag Exploit Fixed in Fedora

from It's FOSS https://ift.tt/m46MqB8
via IFTTT

Your Old Potato PC Might Game Better With This Linux Kernel Patch

As a gamer, if you have gamed on Linux with hardware that's seen better days, there's some work happening in the kernel that's worth keeping an eye on.

Linux kernel developer Peter Zijlstra has posted the second version of a patch series called "sched: Flatten the pick," aimed at fixing gaps in how the Linux scheduler handles cgroup scheduling.

Calling it "a pain in the ar*e," he has tracked the issue down to a formula that fragments a task group's total weight across every CPU on the system.

On a 64-core machine, Peter says, a cgroup is already down to roughly a nice 19 task worth of priority per CPU, and at 256 cores, which is not unusual in servers today, the margin gets even tinier.

He breaks the rest of the problem into two parts, where the usual fix for the first is to inflate the group weight by the CPU count, but when all of a group's load lands on a single CPU, that weight balloons well past nice -20 (priority value of the process), and the math starts breaking down.

The second is how the scheduler picks the next task to run. It currently has to step through multiple cgroup levels to get there; the fix collapses all of that into a single level instead.

He ran what he calls a little experiment, using an older configuration with an Intel Core i7-2600K and AMD Radeon RX 580, loading up Shadows: Awakening from GOG through Lutris, using GE-Proton10-34 and Steam Runtime 3 (sniper).

To properly stress the setup, he threw 8 spinner processes at it alongside the game, one per CPU thread, and watched it go from playable to "almost unplayable, as in proper terrible."

He then restarted it with a shorter scheduler time slice set to one-tenth of the default via chrt and recorded both sessions using MangoHud. This is what he got. 👇

Metric	Default slice	Shorter slice
FPS min	3.8	20.6
FPS avg	48.0	57.2
FPS max	87.4	80.3
Frame time min (ms)	9.4	8.4
Frame time avg (ms)	34.5	19.5
Frame time max (ms)	107.4	37.2

Closing the proposal, Peter said that he has not compared to a kernel without flat on, just wanted to run non trivial workloads and play with slice to make sure everything 'works.'

Should you be excited?

If you game on Linux, especially on older hardware, this kind of fix can be beneficial.

The stress test Peter ran is not that far from what happens in normal use. Discord, a web browser with a dozen tabs, a system update running in the background. They all compete for CPU time the same way those spinner processes did.

And while his test rig is old, the scheduler problem is not limited to old hardware. High core counts make the weight fragmentation issue worse, not better. If this lands, modern rigs with 16 or more cores could see gains too.

You should also know that this has not made it into the mainline Linux kernel yet. The patch series still needs review from the concerned kernel maintainers. It will almost certainly go through some revisions before it lands in a kernel release.

Via: Phoronix

from It's FOSS https://ift.tt/cFUdM9J
via IFTTT

Linux 7.0.6 is Out, and It Fully Patches the Dirty Frag Exploit

Dirty Frag has been the talk of the town (at least in Linux and open source circles) recently. The LPE was inadvertently exposed to the public, catching the Linux project and the various distros off guard.

Thankfully, a proper patch is now out, landing in Linux 7.0.6 and Linux 6.18.29 LTS. Fedora and Pop!_OS have already pushed their own fixes too.

What's the fix?

The patch, authored by Hyunwoo Kim, the same researcher who found and disclosed Dirty Frag, addresses CVE-2026-43500, which now carries a CVSS score of 7.8 HIGH over on the National Vulnerability Database.

The root cause traces back to a 2019 commit that left two packet types unaccounted for in the rxrpc handling path, ones with pages fed in through splice() and ones with fragment chains attached.

The kernel did not treat either as shared memory, so it skipped making a safe copy and decrypted them in place. That left a window for a local attacker to reach in from userspace and tamper with those pages while decryption was happening, which is enough to get root.

The fix extends the existing check in two rxrpc functions to also catch those two cases, so they get copied to a private buffer before decryption like they should have been all along.

Linus Torvalds merged it on May 10, Linux 7.0.6 was out the following day, and the 6.18.29 LTS kernel got it too.

You can get the tarball for 7.0.6 over at kernel.org. This is intended for those who have the skill to install it manually, and if you are on an Ubuntu-based distro, we have a guide on how to do that.

Just keep in mind that this is a risky process to go through; only do so if you have backed up your data.

Linux Kernel 7.0.6

For Fedora and Pop!_OS users

Both distros had fixes out before 7.0.6 was officially released.

Fedora

Fedora kernel maintainer Justin Forbes announced earlier that the fix was already being pushed to the stable branch. Fedora 43 and Fedora 44 get it with the 7.0.4 kernel, and Fedora 42 users with 6.19.14-101.

Justin also says that they skipped an update to 7.0.5 for F43 and F44, as the fix was already implemented in their 7.0.4 builds.

To get it on my Fedora Workstation 43 setup, I first ran this command to get a list of any available updates:

sudo dnf update

Getting the patched kernel on Fedora Workstation 43.

After verifying that I was getting the patched⁣ x86_64 7.0.4-100.fc43 kernel, I ran the following command to get the upgrade and pressed "Y" when prompted:

sudo dnf upgrade

Pop!_OS

For people running the LTS releases of Pop!_OS, 22.04 and 24.04, System76 has released kernel updates covering both Dirty Frag CVEs. The esp4 and esp6 modules tied to the second CVE were patched and are said to be safe to re-enable.

For rxrpc, they went with disabling the module rather than patching it and are holding off on re-enabling it.

You can get the fixes by running:

sudo apt update && sudo apt upgrade

Remember to reboot after the above is done running with:

sudo reboot

For further reading, our earlier Dirty Frag coverage has the full scoop on the exploit and the temporary workarounds from before the fix was available.

from It's FOSS https://ift.tt/vaGLYeW
via IFTTT

In a Big Move to Linux Security, Debian Makes Reproducible Builds Mandatory

Debian's release team has made reproducible builds a hard requirement for the Debian 14 "Forky" cycle. Since May 9, the project's migration software has blocked any package failing a reproducibility check from entering testing.

If a package already in testing breaks reproducibility later, it gets blocked too. Paul Gevers from the release team shared the news on the debian-devel-announce mailing list over the weekend.

What are reproducible builds?

Not rocket science, for starters. When a package is built reproducibly, compiling the same source code in the same environment always produces the exact same binary every single time.

That might sound like it should just be how things work by default, but in practice it often isn't. 😅

The culprits are usually mundane. A timestamp baked into the binary, a build ID generated on the fly, files written to the archive in whatever order the filesystem felt like. None of it changes what the software actually does, but it means two builds of the same source won't match.

That gap has security implications. If binaries don't need to match their source, there's room for something to be slipped in at the build stage without touching the code at all.

Reproducible builds cut that off. Anyone can independently rebuild a package and verify the result against what Debian actually ships.

Debian has been working on this alongside the Reproducible Builds project (linked earlier) for years, steadily pushing reproducibility rates across the archive. The setup at reproduce.debian.net has been running continuous rebuilds and tracking results throughout the forky cycle.

What does this mean?

Tracking reproducibility rates for 'all' on Debian's forky branch.

Currently, 98.29% of architecture-independent packages in Forky reproduce successfully, with 23,731 passing and 414 still flagged as 'bad' for not being reproducible. That 414 figure will only get smaller as the block on non-reproducible migrations takes effect going forward.

For you, the user, this translates into a stronger guarantee that what you install from Debian "Forky" actually matches the published source code. No wondering whether something crept in between the source and the binary you are running.

And that verification isn't limited to Debian's own infrastructure either. Independent rebuilders can check it too, which is kind of the whole point.

Maintainers, meanwhile, have been reminded that cleanly migrating a package is the uploader's responsibility. If a package is blocked because of autopkgtest regressions in reverse dependencies, the expectation is that the uploader files the appropriate release-critical bugs.

---

Suggested Read 📖: Linux is Getting a Kill Switch!

from It's FOSS https://ift.tt/vu0H5XC
via IFTTT

Linux is Getting a Kill Switch!

Sasha Levin, NVIDIA engineer and co-maintainer of the stable and long-term support kernel trees, has proposed a new patch that adds a mechanism called killswitch to the Linux kernel.

It's pitched as a way for system administrators to disable a vulnerable kernel function on a running system, and the timing of it isn't a coincidence either. The patch follows the rising risk of Linux Privilege Escalation (LPE) vulnerabilities like Copy Fail and Dirty Frag.

What is it?

The Linux kernel is built out of many thousands of small functions, each handling a specific job, like processing a network packet, opening a file, or talking to a USB device. When a security flaw shows up in one of these functions, the proper fix is to patch the code and ship a new kernel.

What killswitch entails is a more "must exterminate" approach, where the admin gives the kernel a function name and a return value. From that point on, the function still gets called by whatever was calling it, but it just hands back that value and exits. The actual code inside never runs.

In practice, that means a single line at the terminal:

echo "engage af_alg_sendmsg -1" \
        > /sys/kernel/security/killswitch/control

After this, every program trying to send data through AF_ALG (the kernel cryptography interface Copy Fail also exploited) gets an error back. Whatever bug sat in af_alg_sendmsg is now unreachable because the function never actually executes.

The effect kicks in across every CPU core immediately, and it lasts until the admin disengages it or the system reboots. Engaging anything requires root privileges.

There's also a boot parameter version killswitch=fn1=val,fn2=val,..., for cases where an operator needs to apply the mitigation across a whole fleet of machines through the bootloader.

Sasha points at AF_ALG, ksmbd, nftables, vsock, and ax25 as good candidates for this patch, saying that:

For most users, the cost of "this socket family stops working for the day" is
much smaller than the cost of running a known vulnerable kernel until the fix
land.

Any risks?

The biggest catch is that killswitch doesn't fix anything. It just stops the function from running. Anything in userspace that depends on that function stops working too, for as long as the killswitch stays engaged.

Engaging it also taints the kernel, which is its way of marking that the running code isn't pure upstream Linux anymore. A new flag (H, bit 20) gets set the moment any killswitch is active, and it persists across disengage all the way to the next reboot.

Any crash that happens afterward carries an H in its banner, which acts as a signal to the Linux maintainers triaging the bug that the image was modified. The patch also dedicates a whole section called "Choosing the right target," warning operators not to pick the wrong function.

Someone on Reddit has described this as "a security feature that may be worse than the vulnerability," and many people agree with that sentiment.

AI was involved

There's one more thing worth flagging. At the bottom of the patch, just above the diff, sits an Assisted-by: Claude:claude-opus-4-7 line, marking it as one Sasha put together with help from Anthropic's AI assistant.

That isn't a one-off. The Assisted-by tag itself comes from a kernel policy, which Sasha had a hand in shaping. It lays out how AI-assisted contributions should be attributed in commit messages, alongside configuration files for tools like Claude, Copilot, and Cursor.

It also fits a wider pattern. Greg Kroah-Hartman has been running his own AI fuzzer against the kernel, and the first bugs it surfaced were in ksmbd, which is one of the subsystems Sasha specifically called out as a killswitch candidate.

As things stand, killswitch is just a patch on the Linux Kernel Mailing List, not merged into mainline, and not in any released kernel or distro. Whether it lands and in what form depends on the upcoming review cycle.

---

Suggested Read 📖: A Clanker is Being Used to Carry Out AI Fuzzing in Linux

from It's FOSS https://ift.tt/TPSK5tX
via IFTTT