FOSS Weekly #26.21: Microsoft's Distro, Bitwarden Drama, Adobe on Linux, New Email Client and More

The Fedora AI Developer Desktop initiative that passed unanimously is now blocked. Two council members retracted their votes after community pushback, with contributors arguing the CUDA focus contradicts Fedora's free software foundations and that significant kernel policy changes hadn't been cleared with the right people.

Fedora has also removed Deepin desktop from its offering due to security concern.

Someone got Lightroom CC running on Linux via Wine without writing a single line of code themselves. An AI agent did the whole thing autonomously, fixing DLL gaps and Wine incompatibilities.

LibrePlan is a self-hosted open source project management tool that just got its 1.6.0 release. The additions worth noting include email workflows, per-project document repositories, an issue and risk log, and traffic light status indicators in the project list view.

If you've ever wanted to run BleachBit over SSH without touching the CLI directly, the TUI is shaping up well. You get keyboard navigation throughout, two preview modes for checking what would be cleaned before committing, and full backend parity with the existing GUI.

Bitwarden got a new CEO in February, a new CFO in April, briefly removed "Always Free" from its pricing page, and quietly rewrote its core values. For most software, this would be unremarkable. For the app that holds your passwords, the bar for transparency needs to be much higher.

ONLYOFFICE Docs 9.4 lands with a mix of features and a licensing update that's hard to read as coincidental given the Euro-Office fork dispute. It offers users a dark mode for spreadsheets, 25 new presentation themes, 20 new slide transitions, and form recipient tracking.

Linux's second-in-command, Hartman, thinks that Rust could eliminate 80% of Linux kernel CVEs.

Here are other highlights of this edition of FOSS Weekly:

• Listening to music on the terminal.
• Microsoft having a Fedora-based offering.
• Configuring a smart bulb to run with Home Assistant.
• And other Linux news, tips, and, of course, memes!

🎫 Event alert: AWS Summit India Online

From agentic AI to Cloud Modernization, AWS is bringing together the latest innovations shaping technology today at AWS Summit India Online.

• Attend 50+ sessions filled with tech deep dives, hands-on labs, and actionable insights from AWS experts and leaders
• Discover how organizations are using AI and data to solve complex challenges
• Connect with the AWS community through live Q&A

The event is virtual and free to attend.

Register for FREE

🧠 What We’re Thinking About

Microsoft spent its Open Source Summit announcement talking about Azure Linux 4.0 without mentioning Fedora once. The GitHub README for the 4.0 development branch uses the phrase "upstream base" to describe Fedora's role.

🧮 Linux Tips, Tutorials, and Learnings

Mission Center and Resources are both polished libadwaita system monitors, and both are genuinely good. But what makes them different from each other? A lot. We have a detailed writeup that should clear your doubts.

Splitting a string in Bash isn't as intuitive as it should be. The trick is setting IFS to your delimiter and using read -ra to split the string into an array. Here's a short explainer with a working CSV example and a breakdown of what each part is actually doing.

If cmus or MOC never quite clicked for you, Kew is worth trying. Written in C, it displays album art in the terminal, can search your music library with a single keyword, and handles playlists and shuffles without fuss.

Desktop Linux is mostly neglected by the industry but loved by the community. For the past 13 years, It's FOSS has been helping people use Linux on their personal computers. And we are now facing the existential threat from AI models stealing our content.

If you like what we do and would love to support our work, please become It's FOSS Plus member. It costs less than the cost of a McDonald Happy Meal a month, and you get an ad-free reading experience with the satisfaction of helping the desktop Linux community.

Join It's FOSS Plus

👷 AI, Homelab and Hardware Corner

Eight LLMs benchmarked on a CPU-only Intel i5 laptop with 12GB RAM, using Ollama with Q4_K_M quantization throughout.

Also, here's how I fixed a pesky error with a Tapo smart bulb on Home Assistant.

Tired of AI fluff and misinformation in your Google feed? Get real, trusted Linux content. Add It’s FOSS as your preferred source and see our reliable Linux and open-source stories highlighted in your Discover feed and search results.

Add It's FOSS as preferred source on Google (if you use it)

✨ Apps and Projects Highlights

Aerion is a new open source desktop email client built with Wails and Svelte, not Electron, and it shows.

📽️ Videos for You

Using Xfce doesn't need to feel like a trip down memory lane. You can customize it thoroughly to bring it up to current standards.

Subscribe to It's FOSS YouTube Channel

💡 Quick Handy Tip

In the Bitwarden desktop app and browser extension, you can set a pin instead of using the master password to log in. To do that, go into the Account Security settings and turn on the "Unlock with Pin option."

Remember to turn off "Require master password on browser restart," and set the session timeout to "On browser restart" for securing your vault against unauthorized access.

Though, do not forget the master password, since the PIN is not a replacement, and you will need it when signing into new devices.

🎋 Fun in the FOSSverse

Test your terminal knowledge with our Linux Terminal Emulators crossword.

Do you still shudder at the sight of a CLI? 🤨

🗓️ Tech Trivia: On May 21, 1952, IBM announced its first electronic computer, the Model 701, at a time when the company was better known as the world's largest supplier of punched card equipment, with chairman Thomas Watson Sr. so resistant to the idea that engineers had to rebrand it a "Defense Calculator" just to get it built.

🧑‍🤝‍🧑 From the Community: Old time FOSSer Howard is looking for feedback and suggestions on how to clean the /home folder.

from It's FOSS https://ift.tt/yCKbGo0
via IFTTT

Rust Could Eliminate 80% of Linux Kernel CVEs!

Greg Kroah-Hartman was at RustWeek 2026 in Utrecht this week, and he talked about a Rust-based proposal still in development that could wipe out around 80% of the CVEs the Linux kernel generates.

That is not a small claim. This is coming from someone who has personally reviewed every kernel security bug since the Linux kernel security team was formed in 2005.

C's blind spot

Greg's presentation starts at 14:27.

The core problem, as Greg sees it, is untrusted data. Every time data arrives from user space or from hardware, the kernel should treat it with suspicion. C has never had a reliable way to enforce that.

Once data gets copied from user space into the kernel, it becomes a regular pointer and loses all context about where it came from. It gets passed around freely, and the external checkers that should catch issues do not always get run.

Hardware adds another layer of the same problem. The kernel was designed assuming hardware is trustworthy, and that assumption is getting harder to hold as malicious hardware becomes a real and growing threat.

What Rust already fixes

Before the new proposal even ships, Rust is already making a difference. Failing to check error return values and forgetting to release locks are two notable contributors to kernel CVEs, and Rust handles both at compile time.

Greg estimates those two fixes alone cover around 60% of kernel bugs.

And it doesn't stop there. Writing Rust bindings for existing C code has quietly pushed kernel maintainers to actually document and think through their APIs, working out ownership semantics, lock rules, and const-correctness.

Enter, the "untrusted" type

Greg's proposed solution is a Rust type called Untrusted<T>, developed with kernel contributor Benno Lossin. It attaches to data coming in from user space or hardware as a compile-time marker, with no runtime cost.

And you cannot access the underlying data without going through a validation step that explicitly converts it to trusted. That pushes all validation code into one visible, reviewable spot.

What this means for you as a Linux user? A significant number of the CVEs that currently trickle down to your distro as security updates simply would not exist in the first place.

But, it is not merged yet. Changes are still needed in the Rust compiler, and related work on field projections is running alongside it. Greg concluded his presentation by asking for more Rust kernel developers, and pointed towards the Rust for Linux mailing list as the starting point.

---

Suggested Read 📖: Fedora Pulls the Plug on Deepin

from It's FOSS https://ift.tt/SuPa6rv
via IFTTT

Fedora Pulls the Plug on Deepin Over Security and Maintenance Failures

Fedora's Engineering Steering Committee (FESCo) has voted to retire all Deepin-related packages from the distribution's repositories.

The vote passed with +7, 0, 0 at a May 19 meeting. On top of that, the release engineering team has been told not to reinstate any of these packages unless they go through a fresh review.

A year in the making

The story starts with openSUSE. In May 2025, their security team published a detailed report on Deepin's packages, stating that they had pulled them from their repos after a review had flagged serious problems across multiple components.

The deepin-file-manager daemon had significant D-Bus interface issues, some of which stayed unfixed even after partial patches. Both deepin-api and deepin-system-monitor were found using deprecated Polkit authentication in an unsafe way.

That report prompted Adam Williamson of the Fedora QA team to open a ticket with a pointed question attached. If SUSE's security team found all of this, what did Fedora's situation look like?

Turns out Fedora had been shipping these packages without any meaningful security review, and the project's own package review guidelines were found lacking without any requirements, tools, or instructions for reviewers to consider security issues.

A thing to note here is that some security-related guidelines did exist at one point but were deleted years ago.

Was already on life support

By the time FESCo cast its vote, the Deepin packages were already in rough shape on their own. Core packages had been failing to build across Fedora 42, 43, and 44.

The desktop environment had already been pulled from Fedora spins and fedora-comps months earlier because essential packages simply could not build.

The ones who were supposed to be the stewards of this effort in Fedora, the DeepinDE SIG, lost many of its key members over time. One of the original maintainers, Zamir Sun, who had served as the SIG's coordinator, confirmed as much in a reply to FESCo's outreach email:

To make a long story short, all the initial packagers of the Deepin DE packages(namely felixonmars, mosquito(no longer with Fedoraproject) and cheeselee in FAS, and me as the coordinator) are being too busy for the vast amount of work in maintaining DeepinDE. And we never got active packagers to take the effort so we have to see it going away from Fedora.

That left a certain Felix Wang (topazus) as the one person still actively touching the packages, who has not been replying to bug reports, maintainer pings, or direct emails.

And whenever Fedora's build failure policy automatically orphaned a package, topazus would simply reclaim it without fixing anything.

FESCo sent its formal outreach on May 5 and gave four weeks for a response. With nothing substantive coming back, the committee moved to retire the full package set. Release Engineering has also been told not to reinstate any of these packages unless they go through a proper review first.

So that is the end of line for Deepin on Fedora, for now. If, in the future, some people step up and take the packages through a fresh review, maybe this desktop environment will make a comeback.

But given the state things were left in, that is not a bet anyone should be making just yet.

from It's FOSS https://ift.tt/qv19EJO
via IFTTT

Open Source ONLYOFFICE Docs 9.4 Brings Dark Spreadsheets, Smarter Forms, and a Licensing Cleanup

ONLYOFFICE has been putting out fairly consistent updates to its open source office suite. The previous release focused heavily on the PDF editor, adding new signature options, password-protected PDF editing, and a multipage view for documents.

Since then, things got a little complicated for the project. Nextcloud and IONOS launched Euro-Office, a European fork of ONLYOFFICE, citing concerns about the project's Russian development roots, lack of transparency, and resistance to outside contributions.

ONLYOFFICE hit back, accusing the fork of violating the additional conditions attached to its AGPLv3 license.

Now, the developers have released ONLYOFFICE Docs 9.4, which covers a fair bit of ground across all the editors and introduces a licensing update.

🆕 ONLYOFFICE Docs 9.4: What's New?

Starting with form management, you can now assign specific recipients and track their filling status directly within the editor. Previously, that meant going outside the editor entirely, making the whole experience more clunky than it needed to be.

Horizontal lines in documents are in too, which was apparently a frequently requested feature on their social media pages. You can insert them to visually separate sections via the "Borders" button in the Home tab.

Similarly, the signature field in forms now defaults to the last image you used. Thanks to this, you don't need to dig around for the same file each time you sign a batch of documents.

Then there's the Presentation Editor, which picks up 25 new ready-to-use themes, covering a fairly wide range of styles, accessible from the Design tab. There are also 20 new slide transitions under the Transitions tab for adding a bit more polish to your next pitch.

The new presentation themes (left) and the 'Dark Document' mode for spreadsheets (right).

The Spreadsheet Editor gets a dedicated Dark Document mode. With the general dark theme on, the spreadsheet canvas can be switched to a dark background as well via the View tab.

The community version (for self-hosting) also sees some structural work. The code is no longer minified, making it easier to read through, and it now runs as a single process with no reliance on RabbitMQ or databases.

That trims down what the host machine needs to run, and starting with this release, the 20-connection cap is gone.

Finally, the licensing terms have been updated. ONLYOFFICE has clarified its AGPLv3 conditions, with clearer language around attribution, copyright notices, labeling of modified versions, and trademark rights under a separate Trademark Policy (was error 404 at the time of writing).

If you recall, the Euro-Office dispute was specifically about whether a fork could drop those additional Section 7 conditions. The developers haven't said this update was a response to that, but we can confidently infer that from what has happened so far.

📥 Download ONLYOFFICE Docs 9.4

Like usual, you will find there are two main flavors. One is for self-hosting users who want to deploy ONLYOFFICE on their infrastructure, and the other one is for people who want a reliable office suite on their computer.

For more details on this release, you can refer to the changelog.

ONLYOFFICE Docs 9.4

---

Suggested Read 📖: The TDF Questions Whether Euro-Office is Truly Sovereign

from It's FOSS https://ift.tt/J92sEmZ
via IFTTT

Things Are Quietly Changing at Bitwarden, and People Are Worried

For a lot of people, Bitwarden became the go-to password manager after the LastPass fiasco. Free, open source, and trustworthy, it has gained a reputation by offering a free tier, keeping the code open, and not pulling the rug.

But that comes at a cost; any hit to its image matters a lot when we are talking about software that holds extremely sensitive information.

So when things start looking a little off, people pay attention. And over the past few months, a few things have looked a little off.

Some things changed at the top

The first change worth noting happened in February. Bitwarden's longtime CEO, Michael Crandell, stepped back to an advisory role. The company said nothing about it publicly, and one would have to check his LinkedIn profile to find out.

The new CEO is Michael Sullivan, who was previously CEO of Acquia and, before that, InsightSoftware. What got people worried was his experience of working across "all facets of mergers and acquisitions," with named private equity firms, including Hg, Vista Equity Partners, and TA Associates.

That is a very particular background for someone to be stepping into a head honcho role at a password manager company. Bitwarden's CFO also changed, where Stephen Morrison left in April and Michael Shenkman, who previously ran InVision, came in as his replacement.

None of these major executive changes were officially announced.

Quiet changes

The term "Always free" has been restored (left), but it was missing for quite some time (right).

I referred to the Wayback Machine and found that the term "Always free" had been on Bitwarden Personal's product page for a long time, sitting inside the plan comparison table.

It disappeared sometime in mid-April and was only restored sometime after May 14.

According to a company employee who posted on the r/Bitwarden subreddit, all of that was supposedly due to an oversight by the Bitwarden marketing team.

Then there's the other issue of values being quietly changed. Bitwarden has used the GRIT acronym to describe its company culture for years, standing for Gratitude, Responsibility, Inclusion, and Transparency.

I again checked the Wayback Machine, and the values were still intact as of March 14, 2026. At some point after that, they were quietly changed. GRIT now stands for Gratitude, Responsibility, Innovation, and Trust.

The 2022 blog post Crandell wrote laying out the original GRIT values was edited to reflect the new ones. Except the editing stopped halfway. The explanatory paragraph further down in the same post still describes Inclusion and Transparency as the values.

📋

Props to ByteHaven for spotting this.

Bitwarden's stance

Sullivan published a blog recently, laying out his first 100 days at Bitwarden and also hashing some things out.

The free tier is not going anywhere. He ruled out a trial model or bait-and-switch and said that the open source foundation and the ability to audit the code, self-host, and verify are what make Bitwarden different from everything else in the space.

He also acknowledged that changes are coming, but those would be explained properly.

Should you be worried?

The post referenced above is the most direct on-record statement Bitwarden has about the free tier. But a pattern of ambiguity has already been established.

For such a sensitive piece of software, unannounced leadership changes and a values rewrite are the kind of thing that should make you nervous. But unless Bitwarden does something drastic like axing the free tier or pulling a Cal.com, there is not much to act on just yet.

---

Suggested Read 📖: Bitwarden vs. Proton Pass

from It's FOSS https://ift.tt/zpDxrwy
via IFTTT

Wow! Microsoft Now Has a Fedora-based Linux Distro

At the Open Source Summit this week, Microsoft announced a range of open source-focused updates, ranging from new Linux distro releases to agentic AI tooling.

Brendan Burns, co-founder of Kubernetes and Corporate VP for Azure OSS and Cloud Native at Microsoft, delivered a keynote on their technological shift from cloud native to what the company is calling the "AI native era."

The announcement covered quite a bit of ground, so here's a breakdown.

What was announced?

The Linux part of the announcement has two updates. Azure Linux 4.0 is coming to Azure Virtual Machines as a public preview, though it is still in active development and no downloads are available yet. Microsoft has a sign-up form open for early access.

Azure Container Linux is now generally available, with a full rollout planned during Microsoft Build on June 2. It is an immutable, container-optimized OS, which by design means no package manager and a read-only system image.

This is aimed at teams handling regulated or security-sensitive deployments, with the intent to keep the attack surface relatively limited while Microsoft maintains the supply chain end to end.

For agentic AI, Microsoft is pushing several building blocks for what it calls an open agentic stack. The Microsoft Agent Framework is an open source SDK and runtime for multi-agent systems, consolidating earlier work from Semantic Kernel and AutoGen into one foundation.

Alongside that is the Agent Governance Toolkit, which covers identity, policy, and audit controls for AI agent deployments and A2A (agent-to-agent) protocols for cross-vendor, cross-framework agent communication.

We saw this coming

The announcement doesn't mention Fedora once, but the Azure Linux 4.0 branch on the project's GitHub paints a different picture.

The README file for 4.0 explicitly describes Fedora as an "upstream base" for Azure Linux, describing the distro as a set of TOML configuration files and targeted overlays applied on top of Fedora.

Likewise, packages come straight from Fedora's upstream repositories, with any deviations from that kept minimal and clearly documented.

Last month, we reported on discussions from a Fedora ELN SIG meeting where it became clear Microsoft was backing a proposal to build x86-64-v3 packages for Fedora 45.

Kyle Gospodnetich, a Linux engineer at Microsoft, was co-authoring the change proposal, with the motivation tied directly to Azure Linux's need for x86-64-v3 performance gains.

There was also talk of Microsoft forking the distribution entirely at one point, but they were guided toward working within the Fedora ecosystem instead. We called it "a big if" at the time.

Now, the 4.0 branch confirms it. 🤓

As for why Microsoft stayed quiet about the Fedora connection in its announcement blog post. Fedora is effectively Red Hat's upstream, and Red Hat is both an Azure partner and a competitor in the enterprise Linux space. I presume that it would make for an awkward read in that context.

---

Suggested Read 📖: Fedora Hummingbird Debuts As a Hardened Linux Distro

from It's FOSS https://ift.tt/d4XKZjD
via IFTTT

The Famous Linux System Cleaner BleachBit Now Has a TUI (And I Tried It Out)

It is a matter of preference to use system cleanup utilities on a computer or smartphone. On Linux, we have many such tools that handle everything from clearing browser caches and old package archives to shredding files and wiping free space.

They range from quick CLI scripts to full-blown graphical applications. Some focus on browser data; others go deeper into system logs, package caches, and temporary files.

One of the more popular offerings among those is BleachBit, which is a free and open source system cleaner for Linux and Windows that handles all that. It's developers have now given everyone an early look into how its text-based user interface (TUI) is shaping up.

BleachBit TUI works well

The TUI is simple to navigate. The space bar toggles cleaning options on or off, and Enter expands a category to show the file list underneath.

For previewing what would be cleaned, there are two options: lowercase p runs a full preview across all selected items, while uppercase P previews just the focused component.

📋

You can use either Shift or Caps Lock for switching to uppercase.

The two preview options (full, focused) on the alpha TUI of BleachBit.

Once done, d handles deletion for everything selected, and D deletes the focused component specifically. On my first attempt, the deletion failed because I had not launched the TUI with elevated privileges.

Re-launching with sudo python3 bleachbit_tui.py fixed that. Once initiated, I had to press Y to confirm the action, and when it completed, a dialog appeared in the bottom-right showing the files deleted and space recovered.

Using sudo fixed the errors I was getting.

There is also a palette menu, accessible via Ctrl+P. From there, you can search commands, maximize a selected component, quit BleachBit, save a screenshot, and bring up the keys/help side panel.

Since the TUI shares its backend with the regular BleachBit GUI, it picks up all the same settings automatically. That covers your selected cleaning options, keep list, custom cleaning list, and cookie keep list.

It also supports changing display themes and some mouse interaction alongside keyboard navigation, including the scroll wheel. On Windows, the TUI ships as both an installer and a portable package, compiled as a native 64-bit binary, unlike the 32-bit stable GUI and CLI builds.

If you want to try it out on Linux, the official announcement has quick-start instructions for running the TUI on Ubuntu, and if that doesn't suit you, then you could build from source.

🚧

This is still being developed. If you go ahead with testing it, expect things to break.

from It's FOSS https://ift.tt/gxWbQMm
via IFTTT