-
Notifications
You must be signed in to change notification settings - Fork 33
/
release-notes.xml
815 lines (765 loc) · 30.5 KB
/
release-notes.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
<?xml version="1.0" encoding="utf-8"?>
<?xml-stylesheet href="urn:x-suse:xslt:profiling:docbook50-profile.xsl"
type="text/xml"
title="Profiling step"?>
<!DOCTYPE article
[
<!ENTITY % myents SYSTEM "release-notes.ent" >
%myents;
]>
<article xml:lang="en" xml:id="rnotes"
xmlns="http://docbook.org/ns/docbook"
xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink">
<title>&rnotes;</title>
<info>
<releaseinfo>&rversion;</releaseinfo>
<productname>&thisflavor;</productname>
<productnumber>&version;</productnumber>
<date><?dbtimestamp format="Y-m-d"?></date>
<abstract>
<para>
&thisflavor; is a free and Linux-based operating system for your PC, Laptop
or Server. You can surf the Web, manage your e-mails and photos, do office
work, play videos or music and have a lot of fun!
</para>
</abstract>
<dm:docmanager xmlns:dm="urn:x-suse:ns:docmanager">
<dm:bugtracker>
<dm:url>https://bugzilla.opensuse.org/enter_bug.cgi</dm:url>
<dm:product>openSUSE Distribution</dm:product>
<dm:component>Release Notes</dm:component>
<dm:assignee>lukas.kucharczyk@suse.com</dm:assignee>
</dm:bugtracker>
</dm:docmanager>
</info>
<para condition="beta">
This is the initial version of the release notes for the forthcoming
&thisversion;.
</para>
<para condition="pre;maintained">
The release notes are under constant development.
To find out about the latest updates, see the online version at
<link xlink:href="https://doc.opensuse.org/release-notes"/>.
The English release notes are updated whenever need arises. Translated
language versions can temporarily be incomplete.
</para>
<para condition="unmaintained">
The end of the maintenance period for &thisversion; is now reached. To keep
your systems up-to-date and secure, upgrade to a current &opensuse; version.
Before starting the upgrade, make sure that all maintenance updates for
&thisversion; are applied.
</para>
<para condition="unmaintained">
For more information about upgrading to a current &opensuse; version, see
<link xlink:href="https://en.opensuse.org/SDB:System_upgrade"/>.
</para>
<!-- Previous Release Notes -->
<para>
If you upgrade from an older version to this &thisflavor; release, see
previous release notes listed here:
<link xlink:href="https://en.opensuse.org/openSUSE:Release_Notes"/>.
</para>
<para>
<phrase condition="beta">This public beta test is part of the &opensuse;
project.</phrase> Information about the project is available at
<link xlink:href="https://www.opensuse.org"/>.
</para>
<para condition="beta;pre">
Report all bugs you encounter using this prerelease of &thisflavor; &version;
in the &opensuse; Bugzilla. For more information, see
<link xlink:href="https://en.opensuse.org/Submitting_Bug_Reports"/>. If you
would like to see anything added to the release notes, file a bug
report against the component <quote>Release Notes</quote>.
</para>
<para condition="maintained">
To report bugs against this release, use the &opensuse; Bugzilla. For more
information, see
<link xlink:href="https://en.opensuse.org/Submitting_Bug_Reports"/>.
</para>
<para condition="pre;maintained">
Major new features of &thisversion; are also listed at
<link xlink:href="https://en.opensuse.org/Features_&version;"/>.
</para>
<sect1 xml:id="installation">
<title>Installation</title>
<para>
This section contains installation-related notes. For detailed installation
instructions, see the documentation at
<link xlink:href="https://doc.opensuse.org/documentation/leap/startup/html/book-startup/part-basics.html"/>.
</para>
<!-- <para>
Make sure to also review <xref linkend="sec.driver"/>.
</para> -->
<sect2 xml:id="installation-new-update-repos">
<title>&opensuseleap; now has three update repositories</title>
<!-- boo#1186593 -->
<para>
The &opensuseleap; 15.3 maintenance setup consists of three main update repositories.
These are: <literal>repo-update</literal>, <literal>repo-backports-update</literal>, and <literal>repo-sle-update</literal>. The latter two are new and
are a result of re-using binaries from &sle;.
These repositories are available and checked during the online installation of &opensuseleap;.
We recommend you to use them.
New update repository definitions for &opensuseleap; 15.3 will be additionally supplied via a 0day maintenance update of the <package>openSUSE-release</package> package.
The update will be delivered via the traditional <literal>repo-update</literal> maintenance channel.
It will carry a special update flag that means it touches the software management area which is then specially handled by zypper.
You should double-check using the <command>zypper up</command> command whether all updates were processed.
For more information, see <link xlink:href="https://bugzilla.opensuse.org/show_bug.cgi?id=1186593"/>.
</para>
<para>
The <literal>repo-update</literal> repository is for &opensuseleap; (OSS) updates. It is the smallest one and
contains system configuration packages, including release package, branding, and potential forks of &sle; packages.
This repository has also a <literal>debug-info</literal> variant.
</para>
<para>
The <literal>repo-backports-update</literal> repository is an update repository for openSUSE Backports that contains updates for the majority of &opensuseleap; packages.
This repository also has a <literal>debug-info</literal> variant.
</para>
<para>
The third repository, named <literal>repo-sle-update</literal>, is an update repository that contains combined updates from all active &sle; update streams.
This repository is without the <literal>debug-info</literal> variant.
</para>
</sect2>
<sect2 xml:id="installation-transactional-server-role">
<title>Using atomic updates with the system role <emphasis>Transactional Server</emphasis></title>
<!-- boo#1092953, boo#1093098 -->
<para>
The installer supports the system role <emphasis>Transactional
Server</emphasis>. This system role features an update system that
applies updates atomically (as a single operation) and makes them easy to
revert should that become necessary.
These features are based on the package management tools that all
other &suse; and &osuse; distributions also rely on. This means that the
vast majority of RPM
packages that work with other system roles of &thisversion; also work
with the system role <emphasis>Transactional Server</emphasis>.
</para>
<note>
<title>Incompatible packages</title>
<para>
Some packages modify the contents of <filename>/var</filename> or
<filename>/srv</filename> in their RPM <literal>%post</literal> scripts.
These packages are incompatible. If you find such a package, file a
bug report.
</para>
</note>
<para>
To provide these features, this update system relies on:
</para>
<itemizedlist>
<listitem>
<formalpara>
<title>Btrfs snapshots</title>
<para>
Before a system update is started, a new Btrfs snapshot of the root
file system is created. Then, all the changes from the update are
installed into that Btrfs snapshot. To complete the update, you can
then restart the system into the new snapshot.
</para>
</formalpara>
<para>
To revert the update, simply boot from the previous snapshot instead.
</para>
</listitem>
<listitem>
<formalpara>
<title>A read-only root file system</title>
<para>
To avoid issues with and data loss because of updates, the root file
system must not be written to otherwise. Therefore, the root file
system is mounted read-only during normal operation.
</para>
</formalpara>
<para>
To make this setup work, two additional changes to the file system
needed to be made: To allow writing user configuration in
<filename>/etc</filename>, this directory is automatically configured
to use OverlayFS. <filename>/var</filename> is now a separate subvolume
which can be written to by processes.
</para>
</listitem>
</itemizedlist>
<important>
<title><emphasis>Transactional Server</emphasis> needs at least 12 GB of disk space</title>
<para>
The system role <emphasis>Transactional Server</emphasis> needs a disk
size of at least 12 GB to accommodate Btrfs snapshots.
</para>
</important>
<important>
<!-- bsc#1134997 -->
<title>
&yast; Does Not Work Transactional Mode
</title>
<para>
Currently, &yast; does not work with transactional updates.
This is because &yast; performs things immediately and because it cannot edit a read-only filesystem.
</para>
</important>
<para>
To work with transactional updates, always use the command
<command>transactional-update</command> instead of &yast; and Zypper for
all software management:
</para>
<itemizedlist>
<listitem>
<para>
Update the system:
<command>transactional-update up</command>
</para>
</listitem>
<listitem>
<para>
Install a package:
<command>transactional-update pkg in <replaceable>PACKAGE_NAME</replaceable></command>
</para>
</listitem>
<listitem>
<para>
Remove a package:
<command>transactional-update pkg rm <replaceable>PACKAGE_NAME</replaceable></command>
</para>
</listitem>
<listitem>
<para>
To revert the last snapshot, that is the last set of changes to the
root file system, make sure your system is booted into the next to last
snapshot and run:
<command>transactional-update rollback</command>
</para>
<para>
Optionally, add a snapshot ID to the end of the command to rollback to
a specific ID.
</para>
</listitem>
</itemizedlist>
<para>
When using this system role, by default, the system will perform a daily
update and reboot between 03:30 am and 05:00 am. Both of these actions
are systemd-based and if necessary can be disabled using
<command>systemctl</command>:
</para>
<screen>systemctl disable --now transactional-update.timer rebootmgr.service</screen>
<para>
For more information about transactional updates, see the &kubic; blog posts
<link xlink:href="https://kubic.opensuse.org/blog/2018-04-04-transactionalupdates/"/>
and
<link xlink:href="https://kubic.opensuse.org/blog/2018-04-20-transactionalupdates2/"/>.
</para>
</sect2>
<sect2 xml:id="installation-small-disk">
<title>Installing on hard disks with less than 12 GB of capacity</title>
<!-- boo#1093098 -->
<para>
The installer will only propose a partitioning scheme if the available
hard disk size is larger than 12 GB. If you want to set up, for example,
very small virtual machines images, use the guided partitioner to tune
partitioning parameters manually.
</para>
</sect2>
<sect2 xml:id="sec.install.uefi">
<title>UEFI—Unified Extensible Firmware Interface</title>
<para>
Prior to installing &opensuse; on a system that boots using UEFI (Unified
Extensible Firmware Interface), you are urgently advised to check for any
firmware updates the hardware vendor recommends and, if available, to
install such an update. A pre-installation of Windows 8 or later is a
strong indication that your system boots using UEFI.
</para>
<para>
<emphasis>Background:</emphasis> Some UEFI firmware has bugs that cause it
to break if too much data gets written to the UEFI storage area. However,
there is no clear data of how much is <quote>too much</quote>.
</para>
<para>
&opensuse; minimizes the risk by not writing more than the bare minimum
required to boot the OS. The minimum means telling the UEFI firmware about
the location of the &opensuse; boot loader. Upstream Linux kernel features
that use the UEFI storage area for storing boot and crash information
(<literal>pstore</literal>) have been disabled by default. Nevertheless, it
is recommended to install any firmware updates the hardware vendor
recommends.
</para>
</sect2>
<sect2 xml:id="installation-uefi-part">
<!-- bnc#850056 -->
<title>UEFI, GPT, and MS-DOS partitions</title>
<para>
Together with the EFI/UEFI specification, a new style of partitioning
arrived: GPT (GUID Partition Table). This new schema uses globally unique
identifiers (128-bit values displayed in 32 hexadecimal digits) to identify
devices and partition types.
</para>
<para>
Additionally, the UEFI specification also allows legacy MBR (MS-DOS)
partitions. The Linux boot loaders (ELILO or GRUB 2) try to automatically
generate a GUID for those legacy partitions, and write them to the
firmware. Such a GUID can change frequently, causing a rewrite in the
firmware. A rewrite consists of two different operations: Removing the old
entry and creating a new entry that replaces the first one.
</para>
<para>
Modern firmware has a garbage collector that collects deleted entries and
frees the memory reserved for old entries. A problem arises when faulty
firmware does not collect and free those entries. This can result in a
non-bootable system.
</para>
<para>
To work around this problem, convert the legacy MBR partition to GPT.
</para>
</sect2>
<sect2 xml:id="installation-tlp">
<title><literal>tlp</literal> package service</title>
<para>
During installation on a laptop, the <literal>tlp</literal> package is
installed (together with its sub-package <literal>tlp-rdw</literal>, if the
installation of recommended packages is enabled). This package provides
additional tools to save battery power on laptops, especially Lenovo
laptops.
</para>
<para>
The service is not enabled by default because it might interfere with other
specialized laptop tools, for example,
<literal>laptop-mode-tools</literal>, <literal>rfkill</literal>,
<literal>gnome-power-manager</literal>, or
<literal>kde-power-manager</literal>. To enable and start the service
explicitly, use YaST Services Manager or use the command <literal>
systemctl enable --now tlp.service
</literal>. If you encounter any unexpected behavior afterward, for example,
WiFi problems or non-functional USB ports, disable the service again.
</para>
</sect2>
</sect1>
<sect1 xml:id="upgrade">
<title>System upgrade</title>
<para>
This section lists notes related to upgrading the system. For supported
scenarios and detailed upgrade instructions, see the documentation at:
</para>
<itemizedlist>
<listitem>
<para>
<link xlink:href="https://en.opensuse.org/SDB:System_upgrade"/>
</para>
</listitem>
<listitem>
<para>
<link xlink:href="https://doc.opensuse.org/documentation/leap/startup/html/book-startup/cha-update-osuse.html"/>
</para>
</listitem>
</itemizedlist>
<!-- <para>
Make sure to also review <xref linkend="sec.driver"/>.
</para> -->
<para>
Additionally, check <xref linkend="removed-deprecated"/>.
</para>
<sect2 xml:id="sec.upgrade.152">
<title>Seamless upgrade from &opensuseleap; 15.2</title>
<!-- bnc#1182629 -->
<para>
&opensuseleap; 15.3 is newly built on top of binary rpms from &sles;. This
change was introduced as part of the Closing The Leap Gap (CtLG) effort to
bring &opensuseleap; and &sles; closer together.
</para>
<para>
Unlike 15.2, the default installation of &opensuseleap; 15.3 contains the
majority of rpms from &sles;. These rpms are signed by SUSE LLC instead of
using the &opensuse; key. The <package>libzypp</package> package version
12.25.8 introduced whitelist for the SUSE LLC and &opensuse; vendor exchange
to allow seamless migration. This whitelist removes the need to specify
<literal>--allow-vendor-change</literal>
for &opensuse; and SUSE LLC vendor exchange only. You might still need to
specify
<literal>--allow-vendor-change</literal> during migration if you are using
OBS repositories signed with other keys.
</para>
<para>
&opensuseleap; releases older than 15.2 do not contain this feature because
they are not supported anymore. All users are advised to upgrade to
&opensuseleap; 15.2 with the latest updates before upgrading to 15.3. The
following parameters can be used as a workaround for
<package>libzypp</package> versions older than 12.25.8 (replace 15.0 below
with your current &opensuse; version):
</para>
<screen>
zypper addrepo --check --refresh --name 'openSUSE-Leap-15.0-Update' http://download.opensuse.org/update/leap/15.0/oss/ repo-update
zypper dup --allow-vendor-change --force-resolution
</screen>
<para>
&opensuseleap; 15.3 provides all the required RPM verification keys,
including the &sles; ones, as part of the
<package>openSUSE-build-key</package> package. All the keys are also newly
available inside the OSS repository.
</para>
<para>
The <package>libzypp</package> package version 17.25.11 should automatically
import the required keys that are identified as trusted. If it has, you will
be notified about the import and no other action will be needed.
</para>
<para>
If the system has not imported the key that was used to sign the
<literal>repodata</literal>, you will need to import it manually. You can
check by running the following command:
</para>
<screen>rpm -qa gpg-pubkey</screen>
<para>
The output should include a line starting with the following text: <literal>gpg-pubkey-39db7c82-*</literal>
If it does not, the do the following to import the key manually:
</para>
<itemizedlist>
<listitem>
<para>
Download the &sle; 15 key from <link
xlink:href="https://download.opensuse.org/distribution/leap/15.3/repo/oss/gpg-pubkey-39db7c82-5847eb1f.asc"/>.
</para>
</listitem>
<listitem>
<para>
Save the key to the <literal>/var/cache/zypp/pubkeys</literal> directory.
Rename it so that it ends with <literal>.key</literal>.
</para>
</listitem>
<listitem>
<para>
Run the <literal>zypper dup</literal> command.
You will be asked to import the missing key.
This will happen even if the key is in the directory mentioned above.
If the file contains multiple keys, zypper will import
only the required key.
</para>
</listitem>
</itemizedlist>
<para>
For more information, see <link xlink:href="https://bugzilla.opensuse.org/show_bug.cgi?id=1184326"/>.
</para>
</sect2>
<sect2 xml:id="sec-upgrade-kernel">
<title>Alignment of &sles; and &opensuseleap; kernel packaging</title>
<para>
On &opensuseleap;, the default kernel has been split into three subpackages:
<package>kernel-default</package>, <package>kernel-default-extra</package>,
and <package>kernel-default-optional</package>. Similarly,
<package>kernel-preempt</package> has also been split into
<package>kernel-preempt</package>, <package>kernel-preempt-extra</package>,
and <package>kernel-preempt-optional</package>. The
<literal>-optional</literal> package contains optional modules only for
&opensuseleap;. The <literal>-extra</literal> package contains unsupported
modules. The kernel preemption mode can be controlled by setting the
<literal>preempt=voluntary</literal> kernel parameter on the command line.
This parameter works with <package>kernel-default</package>.
</para>
<para>
If you use this kernel variant, make sure that all RPMs required for your
use case are installed.
</para>
</sect2>
</sect1>
<sect1 xml:id="removed-deprecated">
<title>Removed and deprecated packages and features</title>
<sect2 xml:id="deprecated">
<title>Deprecated packages and features</title>
<para>
Deprecated packages are still shipped as part of the distribution but are
scheduled to be removed the next version of &thisflavor;. These packages
exist to aid migration, but their use is discouraged and they may not
receive updates.
</para>
<!-- <itemizedlist>
<listitem>
<para>
<package>example-package</package> is considered deprecated because of
[reason]. For more information, see
<link xlink:href="https://bugzilla.opensuse.org/BUGID"/>.
</para>
</listitem>
</itemizedlist> -->
<itemizedlist>
<listitem>
<para>
<package>midori</package>, a lightweight web browser based on WebKit and
GTK+, is no longer suppored and is scheduled for removal in next release.
</para>
</listitem>
</itemizedlist>
<para>
To check whether installed packages are no longer maintained: Make sure
that <package>lifecycle-data-openSUSE</package> is installed, then use
the command:
</para>
<screen>zypper lifecycle</screen>
</sect2>
<sect2 xml:id="removed">
<title>Removed packages and features</title>
<para>
Removed packages are not shipped as part of the distribution anymore.
</para>
<itemizedlist>
<listitem>
<para>
<package>libqt4</package> and <package>kdelibs4</package> have been
removed because they were unmaintained and had security issues.
For more information, see <xref linkend="desktop-remove-kde4"/>.
</para>
</listitem>
<!-- <listitem>
<para>
<package>example-package</package> has been removed because of [reason].
For more information, see
<link xlink:href="https://bugzilla.opensuse.org/BUGID"/>.
</para>
</listitem> -->
</itemizedlist>
<sect3 xml:id="boo-1195500">
<title>ReiserFS support removed</title>
<para>
With &thisversion;, support for ReiserFS has been completely removed from
YaST and the kernel, and the installer will block the upgrade when it
detects a ReiserFS file system.
</para>
<para>
For existing data partitions formatted with ReiserFS, we suggest converting
them to Btrfs before migrating your system to &thisversion;.
</para>
</sect3>
<sect3 xml:id="boo-1186564">
<title>Berkeley DB removed from packages</title>
<para>
Berkeley DB, used as a database in certain packages, is dual-licensed under GNU
AGPLv3/Sleepycat licenses. Because service vendors that redistribute our
packages could find packages with these licenses potentially detrimental to
their solutions, we have decided to remove Berkeley DB as a dependency from
these packages. In the long term, &suse; aims to provide a solution without
Berkeley DB.
</para>
<para>
This change affects the following packages:
</para>
<itemizedlist>
<listitem>
<para>
<literal>apr-util</literal>
</para>
</listitem>
<listitem>
<para>
<literal>cyrus-sasl</literal>
</para>
</listitem>
<listitem>
<para>
<literal>iproute2</literal>
</para>
</listitem>
<listitem>
<para>
<literal>perl</literal>
</para>
</listitem>
<listitem>
<para>
<literal>php7</literal>
</para>
</listitem>
<listitem>
<para>
<literal>postfix</literal>
</para>
</listitem>
<listitem>
<para>
<literal>rpm</literal>
</para>
</listitem>
</itemizedlist>
</sect3>
</sect2>
</sect1>
<sect1 xml:id="driver-hardware">
<title>Drivers and hardware</title>
<para/>
<sect2 xml:id="driver-hardware-secure-boot-opensuse-kmps">
<!-- bsc#1182641 -->
<title>Secure Boot: &sle; kernel and openSUSE signed Kernel Module Packages</title>
<para>
The newly introduced <package>openSUSE-signkey-cert</package> package is required for openSUSE KMPs like <package>virtualbox</package>,
but only in Secure Boot mode. The package includes the certificate of
openSUSE signing key for signing kernel module file (<literal>.ko</literal>) in openSUSE KMP
and calls <literal>mokutil</literal> to help user enroll the certificate to MOK.
This way, the openSUSE KMP can be verified by the kernel.
</para>
<para>
If you do not have the base pattern installed and are using any of these KMPs, we recommend
installing the <package>openSUSE-signkey-cert</package> package manually. A system reboot is required.
More information about this process and manual enrollment can be found at
<link xlink:href="https://en.opensuse.org/SDB:NVIDIA_drivers#Secureboot"/>.
</para>
</sect2>
<sect2 xml:id="driver-hardware-secure-boot-sign-driver">
<!-- bsc#173158 -->
<title>Secure Boot: third-party drivers need to be properly signed</title>
<para>
&thisflavor; 15.2 and later enable a kernel
module signature check for third-party drivers
(<literal>CONFIG_MODULE_SIG=y</literal>). This is an important
security measure to avoid untrusted code running in the kernel.
</para>
<para>
This may prevent third-party
kernel modules from being loaded if UEFI Secure Boot is enabled.
Kernel Module Packages (KMPs) from the official &osuse; repositories
are not affected, because the modules they contain are signed with
the openSUSE key. The signature check has the following behavior:
</para>
<itemizedlist>
<listitem>
<para>
Kernel modules that are unsigned or signed with a key that is either
known as untrusted or cannot be verified against the system's trusted
key data base will be blocked.
</para>
</listitem>
</itemizedlist>
<para>
It is possible to generate a custom certificate, enroll it
into the system's Machine Owner Key (MOK) data base,
and sign locally compiled kernel modules with this certificate's key.
Modules signed in this manner will neither be blocked nor cause warnings.
See <link xlink:href="https://en.opensuse.org/openSUSE:UEFI"/>.
</para>
<para>
Since this also affects NVIDIA graphics drivers, we addressed this in our
official packages for openSUSE. However, you need to manually enroll a new
MOK key after installation to make the new packages work.
For instructions how to install the drivers and enroll the MOK key, see
<link xlink:href="https://en.opensuse.org/SDB:NVIDIA_drivers#Secureboot"/>.
</para>
</sect2>
</sect1>
<sect1 xml:id="desktop">
<title>Desktop</title>
<para>
This section lists desktop issues and changes in &thisversion;.
</para>
<sect2 xml:id="desktop-remove-kde4">
<title>KDE 4 and Qt4 have been removed</title>
<para>
KDE 4 packages are no longer part of &opensuseleap; 15.3.
Update your system to Plasma 5 and Qt 5.
Some Qt 4 packages may still remain for compatibility reasons.
For more information, see
<link xlink:href="https://bugzilla.opensuse.org/show_bug.cgi?id=1179613"/>.
</para>
</sect2>
<sect2 xml:id="ibus-layout-name-change">
<title>Manual config migration of IBus is necessary due to layout name change</title>
<para>
Since <package>IBus</package> version 1.5.23 renamed some keyboard layouts, it cannot load configuration
containing these renamed layouts after upgrading. Thereby, it might reset
the layout to US. Layouts of the following languages are affected:
Belgian, German, Greek, Romanian, and Slovak.
See <link xlink:href="https://bugzilla.opensuse.org/show_bug.cgi?id=1177545"/> for more information.
</para>
<para>
Users need to migrate configuration manually. Open GNOME Settings and
choose an appropriate layout. For desktop environments other than GNOME,
run <literal>ibus-setup</literal> instead.
</para>
</sect2>
</sect1>
<!-- <sect1 xml:id="server">
<title>Server software</title>
<para>
This section lists changes to server software features in &thisversion;.
</para>
</sect1> -->
<!-- <sect1 xml:id="security">
<title>Security</title>
<para>
This section lists changes to security features in &thisversion;.
</para> -->
<!--
<sect2 xml:id="security-amanda">
<!-/- boo#1116922 -/->
<title>Users and groups associated with AMANDA backup utility</title>
<para>
AMANDA (<emphasis>Advanced Maryland Automatic Network Disk
Archiver</emphasis>) is a backup solution that allows setting up a master
backup server to back up multiple hosts over network to tape
drives/changers or disks or optical media. This tool is shipped in
&osuse; within the package <package>amanda</package>.
</para>
<para>
The execution of the binaries in this package is restricted to the group
<systemitem class="groupname">amanda</systemitem>. However, some of those
binaries use the attribute <literal>setuid</literal> to gain
<systemitem class="username">root</systemitem> rights. As the
implementation of at least some of these binaries is problematic, the user
<systemitem class="username">amanda</systemitem> and members of the group
<systemitem class="groupname">amanda</systemitem> are effectively
privileged users whose rights are equivalent to those of
<systemitem class="username">root</systemitem>.
</para>
<para>
Hence, carefully consider who you allow access to either the user account
or the group.
</para>
</sect2>
-->
<!-- </sect1> -->
<!-- <sect1 xml:id="sec.technical">
<title>Technical</title>
<para/>
</sect1> -->
<!-- <sect1 xml:id="misc">
<title>Miscellaneous</title>
<para/>
</sect1> -->
<sect1 xml:id="feedback">
<title>More information and feedback</title>
<itemizedlist>
<listitem>
<para>
Read the <filename>README</filename> documents on the medium.
</para>
</listitem>
<listitem>
<para>
View a detailed changelog information about a particular package from its
RPM:
</para>
<screen>rpm --changelog -qp <replaceable>FILENAME</replaceable>.rpm</screen>
<para>
Replace <replaceable>FILENAME</replaceable> with the name of the RPM.
</para>
</listitem>
<listitem>
<para>
Check the <filename>ChangeLog</filename> file in the top level of the
medium for a chronological log of all changes made to the updated packages.
</para>
</listitem>
<listitem>
<para>
Find more information in the <filename>docu</filename> directory on the
medium.
</para>
</listitem>
<listitem>
<para>
For additional or updated documentation, see
<link xlink:href="https://doc.opensuse.org/"/>.
</para>
</listitem>
<listitem>
<para>
For the latest product news, from &opensuse;, visit
<link xlink:href="https://www.opensuse.org"/>.
</para>
</listitem>
</itemizedlist>
<para>
Copyright © <?dbtimestamp format="Y" ?> SUSE LLC
</para>
</sect1>
</article>