Firefox's built-in PDF viewer has been adding useful features for a while now. You can annotate, fill out forms, draw, insert images, and sign documents without leaving the browser.
The recent Firefox 151 release adds merging documents to that list.
If you've ever searched "merge PDF online" and ended up wading through ads and signup walls just to get your own file back, then you should know that there's a privacy angle worth thinking about too.
Every time you upload a document to one of those sites, you're handing your files over to a server you know nothing about.
Firefox handles everything locally, so your documents stay on your machine.
Merge PDFs using Firefox
First, you need to open a PDF file that you want merged with another. Then, unhide the sidebar menu by clicking on its toggle (looks like a square with a line in it), and click on the "+" button next to the Pages label.
Doing so will open the file picker. In my case, it was the Files (Nautilus) app on GNOME, but yours might be a different file manager on a different desktop environment with similar functionality.
Pick the PDF you want to merge in, then click Select. Firefox will append its pages to the end of the document you have open, and the page count in the toolbar will update to reflect the new total.
You can also reorder pages by dragging them in the sidebar, or delete any you don't need by selecting them and using the Manage menu. 👇
0:00
/0:27
Once the pages are in order, select all of them using the checkboxes, and then open the Manage dropdown and click "Export selected..." A save dialog will open up on your file manager.
Give the file a name, hit Save, and the merged PDF lands wherever you pointed it. Though if you mistakenly try to quit the application before the merged PDFs are saved, Firefox will promptly notify you. 👇
The prompt reads "Save PDF before leaving?" and clicking "Save" opens the same file picker. Hitting "Don't Save" will close Firefox without saving, and "Cancel" keeps you in the same window.
Since a few days now, people trying to plan a trip on Deutsche Bahn's (DB) main booking website have been getting stopped by error 751. The site accused their web browser of acting like a bot, and even logging into accounts made no difference.
So, what was actually triggering it? Just the word "Linux" in the User-Agent string it looks like. heise online tested this by setting a Linux User-Agent on Firefox under Windows and on Safari under macOS, and both got blocked.
Heise had picked up on a thread from Reddit's r/deutschebahn as evidence that real users were being affected. Someone had posted about getting locked out just from clicking "earlier connections" a few times while planning a trip.
They, as you know, tested it on their end and found out that Linux systems were being blocked.
Later in the thread, a commenter tied it to the wave of vibe-coded projects, specifically ones built to scrape Deutsche Bahn's fare data. Another commenter identified themselves as a DB employee, pointing out that internal staff have to deal with DB Systel's problems regularly.
Before you ask, DB Systel is the train operator's IT and digital solutions provider.
DB's official response
Deutsche Bahn has responded to heise online. A spokesperson said Linux users are supposed to be able to use bahn.de and DB Navigator without issues, and that the company's security systems look at traffic behavior, request origins, and browser traits to identify potential threats.
Normal traffic can get caught in this sometimes, they said, while emphasizing that they are working to bring those cases down. Heise ran a test again the same day and found out that a Linux User-Agent on a Windows machine still triggered the block.
I ran two tests of my own. The first was on a Fedora Workstation system with a VPN active, where I accessed bahn.de on Firefox in private mode and spammed various header menu options, reloading repeatedly.
The portal never locked me out. I did the same on an Ubuntu virtual machine and got the same result. So it is safe to assume the fixes have been made, though false positives may still happen occasionally.
As long as I've been a Linux user, I can remember one of the biggest issues being firmware support on the kernel.
The issue has been notorious, with a lot of new users being discouraged immediately after joining, and the benevolent dictator Linus Torvalds himself giving the bird to Nvidia, a sentiment shared by almost every user who had tried to make Nvidia work on Linux a few years ago.
Things have been getting better recently, though, especially with LVFS (Linux Vendor Firmware Service) on the scene now, providing hardware vendors a portal to upload firmware updates, which can then be downloaded and installed by users through clients such as GNOME Software or fwupdmgr.
Why does LVFS matter?
The relief and effort of LVFS cannot be understated, as before a central secure portal for firmware, the users only had the option to trust some random third party upload on the internet, often breaking or worse, infecting their systems. LVFS fills a space where the vendors can provide secure firmware, with Linux-specific .cab files.
The roadbloack...
The issue, however, obviously, had been funding with the largest contributors being the usual suspects, Framework and Open Source Framework Foundation, at $10K a year. Recently, however, Lenovo and Dell joined suite as Premier sponsors, which is the highest tier at $100K a year each, making the project more sustainable and manageable. These companies contributing makes a lot of sense, considering they are two of the bigger computer companies which offer Linux by default in some cases, especially with Lenovo's ThinkPads being the Linux users' favorite for decades.
Welcome the newcomer!
And now, as you'd have it, HP has followed suit as a Premier sponsor, also providing $100K a year, right alongside Dell and Lenovo. This is already being reflected on the homepage of LVFS, with a quote from HP's Senior Vice President as well:
“LVFS enables quick, easy and timely BIOS updates, so countless customers can enjoy the flexibility of open source Linux-based systems.” — Xavi Garcia, HP
This calls for a celebration as users, of course, and also a major bout of appreciation for HP will be well deserved. I'm delighted as an HP user on Fedora myself, this is a remarkable day.
The question still remains, however, where are the other vendors? What are they waiting for?
Where are the others?
The image of Linux as a "niche" user community, left to their own devices (literally) to figure out the solutions to the hardware problems the vendors are unwilling to solve, is a view as outdated as it is ridiculous. It is like they expect us to unlock a door of which they have the only key.
This major move by these three companies should not only be seen as a sign of relief and wider acceptance of the usage of Linux, but as a beacon for other vendors to follow, who ought to make their hardware more accessible to the open-source community. This change is only in their best interest, as every year shows the percentage of Linux's desktop market share going upwards.
Wrapping Up
HP, Dell and Lenovo all being the highest possible contributors to Linux firmware inspires a lot of confidence among the users, a sign of better support and easier updates. Their efforts are much appreciated and applauded, and we hope that more companies show up to the party. Hope this brightens up your day a little bit, if you're a Linux user on HP. Cheers!
The Fedora AI Developer Desktop initiative that passed unanimously is now blocked. Two council members retracted their votes after community pushback, with contributors arguing the CUDA focus contradicts Fedora's free software foundations and that significant kernel policy changes hadn't been cleared with the right people.
Someone got Lightroom CC running on Linux via Wine without writing a single line of code themselves. An AI agent did the whole thing autonomously, fixing DLL gaps and Wine incompatibilities.
LibrePlan is a self-hosted open source project management tool that just got its 1.6.0 release. The additions worth noting include email workflows, per-project document repositories, an issue and risk log, and traffic light status indicators in the project list view.
If you've ever wanted to run BleachBit over SSH without touching the CLI directly, the TUI is shaping up well. You get keyboard navigation throughout, two preview modes for checking what would be cleaned before committing, and full backend parity with the existing GUI.
Bitwarden got a new CEO in February, a new CFO in April, briefly removed "Always Free" from its pricing page, and quietly rewrote its core values. For most software, this would be unremarkable. For the app that holds your passwords, the bar for transparency needs to be much higher.
ONLYOFFICE Docs 9.4 lands with a mix of features and a licensing update that's hard to read as coincidental given the Euro-Office fork dispute. It offers users a dark mode for spreadsheets, 25 new presentation themes, 20 new slide transitions, and form recipient tracking.
Mission Center and Resources are both polished libadwaita system monitors, and both are genuinely good. But what makes them different from each other? A lot. We have a detailed writeup that should clear your doubts.
Splitting a string in Bash isn't as intuitive as it should be. The trick is setting IFS to your delimiter and using read -ra to split the string into an array. Here's a short explainer with a working CSV example and a breakdown of what each part is actually doing.
If cmus or MOC never quite clicked for you, Kew is worth trying. Written in C, it displays album art in the terminal, can search your music library with a single keyword, and handles playlists and shuffles without fuss.
Desktop Linux is mostly neglected by the industry but loved by the community. For the past 13 years, It's FOSS has been helping people use Linux on their personal computers. And we are now facing the existential threat from AI models stealing our content.
If you like what we do and would love to support our work, please become It's FOSS Plus member. It costs less than the cost of a McDonald Happy Meal a month, and you get an ad-free reading experience with the satisfaction of helping the desktop Linux community.
Tired of AI fluff and misinformation in your Google feed? Get real, trusted Linux content. Add It’s FOSS as your preferred source and see our reliable Linux and open-source stories highlighted in your Discover feed and search results.
In the Bitwarden desktop app and browser extension, you can set a pin instead of using the master password to log in. To do that, go into the Account Security settings and turn on the "Unlock with Pin option."
Remember to turn off "Require master password on browser restart," and set the session timeout to "On browser restart" for securing your vault against unauthorized access.
Though, do not forget the master password, since the PIN is not a replacement, and you will need it when signing into new devices.
🗓️ Tech Trivia: On May 21, 1952, IBM announced its first electronic computer, the Model 701, at a time when the company was better known as the world's largest supplier of punched card equipment, with chairman Thomas Watson Sr. so resistant to the idea that engineers had to rebrand it a "Defense Calculator" just to get it built.
Greg Kroah-Hartman was at RustWeek 2026 in Utrecht this week, and he talked about a Rust-based proposal still in development that could wipe out around 80% of the CVEs the Linux kernel generates.
That is not a small claim. This is coming from someone who has personally reviewed every kernel security bug since the Linux kernel security team was formed in 2005.
C's blind spot
Greg's presentation starts at 14:27.
The core problem, as Greg sees it, is untrusted data. Every time data arrives from user space or from hardware, the kernel should treat it with suspicion. C has never had a reliable way to enforce that.
Once data gets copied from user space into the kernel, it becomes a regular pointer and loses all context about where it came from. It gets passed around freely, and the external checkers that should catch issues do not always get run.
Hardware adds another layer of the same problem. The kernel was designed assuming hardware is trustworthy, and that assumption is getting harder to hold as malicious hardware becomes a real and growing threat.
What Rust already fixes
Before the new proposal even ships, Rust is already making a difference. Failing to check error return values and forgetting to release locks are two notable contributors to kernel CVEs, and Rust handles both at compile time.
Greg estimates those two fixes alone cover around 60% of kernel bugs.
And it doesn't stop there. Writing Rust bindings for existing C code has quietly pushed kernel maintainers to actually document and think through their APIs, working out ownership semantics, lock rules, and const-correctness.
Enter, the "untrusted" type
Greg's proposed solution is a Rust type called Untrusted<T>, developed with kernel contributor Benno Lossin. It attaches to data coming in from user space or hardware as a compile-time marker, with no runtime cost.
And you cannot access the underlying data without going through a validation step that explicitly converts it to trusted. That pushes all validation code into one visible, reviewable spot.
What this means for you as a Linux user? A significant number of the CVEs that currently trickle down to your distro as security updates simply would not exist in the first place.
But, it is not merged yet. Changes are still needed in the Rust compiler, and related work on field projections is running alongside it. Greg concluded his presentation by asking for more Rust kernel developers, and pointed towards the Rust for Linux mailing list as the starting point.
Fedora's Engineering Steering Committee (FESCo) has voted to retire all Deepin-related packages from the distribution's repositories.
The vote passed with +7, 0, 0 at a May 19 meeting. On top of that, the release engineering team has been told not to reinstate any of these packages unless they go through a fresh review.
A year in the making
The story starts with openSUSE. In May 2025, their security team published a detailed report on Deepin's packages, stating that they had pulled them from their repos after a review had flagged serious problems across multiple components.
The deepin-file-manager daemon had significant D-Bus interface issues, some of which stayed unfixed even after partial patches. Both deepin-api and deepin-system-monitor were found using deprecated Polkit authentication in an unsafe way.
That report prompted Adam Williamson of the Fedora QA team to open a ticket with a pointed question attached. If SUSE's security team found all of this, what did Fedora's situation look like?
Turns out Fedora had been shipping these packages without any meaningful security review, and the project's own package review guidelineswere found lacking without any requirements, tools, or instructions for reviewers to consider security issues.
A thing to note here is that some security-related guidelines did exist at one point but were deleted years ago.
Was already on life support
By the time FESCo cast its vote, the Deepin packages were already in rough shape on their own. Core packages had been failing to build across Fedora 42, 43, and 44.
The desktop environment had already been pulled from Fedora spins and fedora-comps months earlier because essential packages simply could not build.
The ones who were supposed to be the stewards of this effort in Fedora, the DeepinDE SIG, lost many of its key members over time. One of the original maintainers, Zamir Sun, who had served as the SIG's coordinator, confirmed as much in a reply to FESCo's outreach email:
To make a long story short, all the initial packagers of the Deepin DE packages(namely felixonmars, mosquito(no longer with Fedoraproject) and cheeselee in FAS, and me as the coordinator) are being too busy for the vast amount of work in maintaining DeepinDE. And we never got active packagers to take the effort so we have to see it going away from Fedora.
That left a certain Felix Wang (topazus) as the one person still actively touching the packages, who has not been replying to bug reports, maintainer pings, or direct emails.
And whenever Fedora's build failure policy automatically orphaned a package, topazus would simply reclaim it without fixing anything.
FESCo sent its formal outreach on May 5 and gave four weeks for a response. With nothing substantive coming back, the committee moved to retire the full package set. Release Engineering has also been told not to reinstate any of these packages unless they go through a proper review first.
So that is the end of line for Deepin on Fedora, for now. If, in the future, some people step up and take the packages through a fresh review, maybe this desktop environment will make a comeback.
But given the state things were left in, that is not a bet anyone should be making just yet.
ONLYOFFICE has been putting out fairly consistent updates to its open source office suite. The previous release focused heavily on the PDF editor, adding new signature options, password-protected PDF editing, and a multipage view for documents.
Since then, things got a little complicated for the project. Nextcloud and IONOS launched Euro-Office, a European fork of ONLYOFFICE, citing concerns about the project's Russian development roots, lack of transparency, and resistance to outside contributions.
ONLYOFFICE hit back, accusing the fork of violating the additional conditions attached to its AGPLv3 license.
Now, the developers have released ONLYOFFICE Docs 9.4, which covers a fair bit of ground across all the editors and introduces a licensing update.
🆕 ONLYOFFICE Docs 9.4: What's New?
Starting with form management, you can now assign specific recipients and track their filling status directly within the editor. Previously, that meant going outside the editor entirely, making the whole experience more clunky than it needed to be.
Horizontal lines in documents are in too, which was apparently a frequently requested feature on their social media pages. You can insert them to visually separate sections via the "Borders" button in the Home tab.
Similarly, the signature field in forms now defaults to the last image you used. Thanks to this, you don't need to dig around for the same file each time you sign a batch of documents.
Then there's the Presentation Editor, which picks up 25 new ready-to-use themes, covering a fairly wide range of styles, accessible from the Design tab. There are also 20 new slide transitionsunder the Transitions tab for adding a bit more polish to your next pitch.
The new presentation themes (left) and the 'Dark Document' mode for spreadsheets (right).
The Spreadsheet Editor gets a dedicated Dark Document mode. With the general dark theme on, the spreadsheet canvas can be switched to a dark background as well via the View tab.
The community version (for self-hosting) also sees some structural work. The code is no longer minified, making it easier to read through, and it now runs as a single process with no reliance on RabbitMQ or databases.
That trims down what the host machine needs to run, and starting with this release, the 20-connection cap is gone.
Finally, the licensing terms have been updated. ONLYOFFICE has clarified its AGPLv3 conditions, with clearer language around attribution, copyright notices, labeling of modified versions, and trademark rights under a separate Trademark Policy (was error 404 at the time of writing).
If you recall, the Euro-Office dispute was specifically about whether a fork could drop those additional Section 7 conditions. The developers haven't said this update was a response to that, but we can confidently infer that from what has happened so far.
📥 Download ONLYOFFICE Docs 9.4
Like usual, you will find there are two main flavors. One is for self-hosting users who want to deploy ONLYOFFICE on their infrastructure, and the other one is for people who want a reliable office suite on their computer.
For more details on this release, you can refer to the changelog.
