Linux

iDescriptor is a brand-new app that introduces a new way for Linux users to manage iPhones without relying on macOS or iTunes, something that the Linux ecosystem has always lacked.

The project consolidates several capabilities that previously required separate command-line tools or weren’t available at all, turning them into a graphical, cross-platform application that is available for Linux as an AppImage.

Written in C++, iDescriptor is built on top of the libimobiledevice stack and extends it with features that are typically difficult to access from Linux systems. Users can browse their device’s filesystem, import photos and videos, and install applications directly from the App Store using their Apple ID.

Linux 6.18-rc7 just arrived in the Git tree as the newest weekly test build leading up to Linux 6.18 stable hopefully debuting next Sunday, 30 November.

Linux 6.18-rc7 continues to land many bug and regression fixes for this final kernel release of 2025. As the last major Linux kernel version of the year, Linux 6.18 is also anticipated to become the annual Long Term Support (LTS) kernel.

AWS engineers have been working on Linux kernel improvements to KVM's VMX code to enhance the handling of unmanaged guest memory when dealing with nested virtual machines. The improved code addresses some correctness issues as well as delivering wild performance improvements in a synthetic benchmark.

On Friday Amazon/AWS engineer Fred Griffoul sent out the latest patches to the KVM nVMX code for improving the performance of unmanaged guest memory.

Ethan Sholly, the driving force behind selfh.st, one of the most recognized communities uniting self-hosting enthusiasts, has published the latest results of his annual survey on the community’s preferences, collecting 4,081 responses from self-hosting practitioners worldwide.

No surprise there: Linux is overwhelmingly dominant, chosen by more than four out of five self-hosters (81%). In other words, for self-hosters running bare-metal, virtualised, or container-based infrastructure, Linux remains the backbone.

In fact, this result aligns closely with broader trends: according to Wikipedia, Linux holds a 63% share of global server infrastructure. Aside from the hobby aspect, most respondents said privacy was their main reason for self-hosting, which, as you know, remains one of Linux’s strongest selling points. Now, back to the numbers.

The 267th installment of the 9to5Linux Weekly Roundup is here for the week ending on November 23rd, 2025, keeping you updated with the most important things happening in the Linux world.

More features continue piling on for the KDE Plasma 6.6 desktop, including an important performance fix this week for those running displays with a higher than 60Hz refresh rate.

KDE Plasma development highlights for the week have now been published by KDE developer Nate Graham.

Bottles, an open-source software tool built on top of Wine that helps users run Windows applications and games on Linux systems by providing a user-friendly GUI, has just released its latest version, 60.0.

The update introduces a native Wayland option directly in the bottle settings, giving users a more predictable experience on modern Linux desktops that have already shifted away from X11.

cross-posted from: https://leminal.space/post/28955576

I learned how to do this recently, and I wanted to share. Once you know what to do VPN confinement is easy to set up on NixOS.

The scenario: you want selected processes to run through a VPN, but you want everything else to not run through the VPN. On Linux you can do this with a network namespace. That's a kernel feature that defines a network stack that is isolated from your default network stack. Processes can be configured to run in a new namespace, and when they do they cannot access the usual not-VPN-protected network interfaces. Network namespaces work along with other types of namespaces, like process namespaces, to allow Docker containers to function almost as though they are separate machines from the host system. Actually Docker containers are regular processes that are carefully isolated using namespaces, cgroups, and private filesystems. Because of that isolation Docker containers are a popular choice for VPN confinement. But since all you really need is network isolation you can skip the middleman, and use network namespaces directly.

There is a third-party NixOS module that automates this, VPN-Confinement. Here's an example that runs a Borg backup job through a VPN connection. (This example also uses the third-party sops-nix module to encrypt VPN credentials.)

{ config, ... }:

let
  vpnNamespace = "wg";
in
{
  # Define the network namespace for VPN confinement. Creates a VPN network
  # interface in the namespace; creates a bridge; sets up routing; creates
  # firewall rules to prevent DNS leaking. The VPN-Confinement module requires
  # using Wireguard as the VPN protocol.
  vpnNamespaces.${vpnNamespace} = {
    enable = true;
    wireguardConfigFile = config.sops.secrets.wireguard_config.path;
  };

  # Set up whatever service should run via VPN
  services.borgbackup.jobs.homelab = {
    paths = "/home/jesse";
    encryption.mode = "none";
    environment.BORG_RSH = "ssh -i /home/jesse/.ssh/id_ed25519";
    repo = "ssh://offsite.sitr.us/backups/homelab";
    compression = "auto,zstd";
    startAt = "daily";
  };

  # Modify the systemd unit for your service to run its processes in the VPN
  # namespace.
  #
  # - sets Service.NetworkNamespacePath in the systemd unit
  # - sets Service.InaccessiblePaths = [ "/run/nscd" "/run/resolvconf" ] to prevent DNS leaking
  # - adds a dependency to the unit that brings up the VPN network namespace
  #
  # I found the name of the systemd service that services.borgbackup.jobs
  # creates by looking at the Borg module source. You can find the source for
  # NixOS modules by searching for config options on https://search.nixos.org/options
  systemd.services.borgbackup-job-homelab = {
    vpnConfinement = {
      enable = true;
      inherit vpnNamespace;
      # `inherit vpnNamespace;` has the same effect as `vpnNamespace = vpnNamespace;`
      # I used a variable to be certain that the value here matches the name
      # I used to set up the namespace in the `let` binding at the top of this file.
    };
  };

  # Load your wireguard config file however you want. Your VPN provider probably
  # supports wireguard, and will likely generate a config file for you.
  sops.secrets.wireguard_config = {
    sopsFile = ./secrets.yaml;
    owner = "root";
    group = "root";
  };
}

This setup assumes using the Wireguard VPN protocol, and assumes that programs you want to be VPNed are run by systemd. VPN providers mostly support Wireguard, including Tailscale. But my understanding is that Tailscale's mesh routing requires additional setup beyond creating a Wireguard interface. So you'd likely want a different setup for confinement with Tailscale. You can run the Tailscale client in a network namespace (there is a start on such a setup here); or you might use Tailscale's subnet router feature to blend VPN and local network traffic instead of selective confinement.

Normally when you turn on a VPN your VPN client software creates a network interface that transparently sends traffic through an encrypted tunnel, and configures a default route to send network traffic through that interface. So traffic from all programs is routed through the tunnel. VPN-Confinement creates that network interface in the isolated namespace, and sets that default route in the namespace, so that only programs running in the namespace are affected. There is much more detail in this blog post. The VPN-Confinement module differs from the setup in that post in a couple of ways: it has some extra setup to block DNS requests that aren't properly tunneled; it creates a network bridge instead of a simple virtual ethernet cable for port forwarding; and it provides more options for firewall and routing configuration.

VPN-Confinement has an option to forward ports from the default network stack into the VPN namespace. This is useful if you want all outbound traffic to go through the VPN, but you want to accept inbound traffic from programs on the host, or from other machines on your local network, or anywhere else. This is handy if, for example, you're running a program on a headless server that provides a web UI for remote administration. Here's an expanded VPN namespace example:

vpnNamespaces.${vpnNamespace} = {
  enable = true;
  wireguardConfigFile = config.sops.secrets.wireguard_config.path;

  # Forward traffic to specified ports from the default network namespace to
  # the VPN namespace.
  portMappings = [{ from = 8080; to = 8080; }];
  accessibleFrom = [
    # Accept traffic from machines on the local network, and route through the
    # mapped ports.
    "192.168.1.0/24"
  ];
};

Requests to mapped ports from the host machine need to be addressed to the network bridge that VPN-Confinement sets up. You can configure its addresses using the bridgeAddress and bridgeAddressIPv6 options. By default the addresses are 192.168.15.5 and fd93:9701:1d00::1. If you're configuring addresses elsewhere in your NixOS config you can use an expression like this:

url = "http://${config.vpnNamespaces.${vpnNamespace}.bridgeAddress}:8080/";

If you look at the source for VPN-Confinement you'll see that namespace configuration and routing require a lot of stateful ip commands. I think it would be nice if there were an alternative, declarative interface to iproute2. But VPN-Confinement is able to encapsulate the stateful stuff in systemd ExecStart and ExecStopPost scripts.

I ran into an issue where mDNS stopped working while the VPN network namespace was active. I fixed that problem by configuring Avahi to ignore VPN-Confinement's network bridge:

services.avahi.denyInterfaces = [ "${vpnNamespace}-br" ];

Edit 2025-11-23: I deleted a comment that implied that if the VPN namespace string doesn't match in the two places where it is used traffic won't be tunneled. I tested again, and if the names don't match the service that is supposed to be protected won't start. You'll see an error like, "Failed to restart test-unit.service: Unit wrong-name.service not found." If you bypass VPN-Confinement by hand, and set Service.NetworkNamespacePath to a path that doesn't exist, the unit will fail with an error like, "test-unit.service: Failed to open network namespace path /run/netns/wrong-name: No such file or directory."
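One way to check that the confinement described in this post actually holds, as an added example that is not from the post or the VPN-Confinement module: it parses the text that `ip route show` prints and verifies that the namespace has exactly one default route, that it leaves via the WireGuard interface, and that no route at all uses the host's physical NIC. The interface names (wg0, eth0, wg-br, wg-veth) and the three sample routing tables are assumptions constructed here so the script runs offline; on a live system you would feed it `ip netns exec wg ip route show`.

```shell
#!/bin/sh
# Added example, not code from the post or the VPN-Confinement project.
# Leak check over `ip route show` output. Interface names are assumptions.

# Print the device of every default route found in routing-table text $1.
default_route_devs() {
  printf '%s\n' "$1" |
    awk '$1 == "default" { for (i = 1; i <= NF; i++) if ($i == "dev") print $(i + 1) }'
}

# Print the device of every route in $1 (default or not), one per line, deduplicated.
route_devs() {
  printf '%s\n' "$1" |
    awk '{ for (i = 1; i <= NF; i++) if ($i == "dev") print $(i + 1) }' | sort -u
}

# Succeed only when exactly one default route exists, it leaves via $2 (the
# tunnel), and no route touches the forbidden device $3 (the host's NIC).
# Live usage:  check_confinement "$(ip netns exec wg ip route show)" wg0 eth0
check_confinement() {
  devs=$(default_route_devs "$1")
  n=$(printf '%s\n' "$devs" | grep -c . || true)
  [ "$n" -eq 1 ] || return 1
  [ "$devs" = "$2" ] || return 1
  ! route_devs "$1" | grep -qx "$3"
}

# Constructed sample: a correctly confined namespace (tunnel is the only exit).
NS_ROUTES='default dev wg0 scope link
10.2.0.0/24 dev wg0 proto kernel scope link src 10.2.0.2
192.168.15.0/24 dev wg-veth proto kernel scope link src 192.168.15.1'

# Constructed sample: the host's own table, default route via the physical NIC.
HOST_ROUTES='default via 192.168.1.1 dev eth0 proto dhcp src 192.168.1.50 metric 1024
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
192.168.15.0/24 dev wg-br proto kernel scope link src 192.168.15.5'

# Constructed sample: a leaky namespace with a second default route that
# bypasses the tunnel.
LEAKY_ROUTES='default dev wg0 scope link metric 100
default via 192.168.1.1 dev eth0 metric 200
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.51'

report() {
  if check_confinement "$2" wg0 eth0; then echo "$1: confined"; else echo "$1: LEAK"; fi
}

report namespace "$NS_ROUTES"   # confined
report host "$HOST_ROUTES"      # LEAK (expected: the host is not confined)
report leaky "$LEAKY_ROUTES"    # LEAK
```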

Heyho, recently asked for the silliest reasons, but as someone who has suggested linux to many people, I often encounter people having valid reasons for staying with Windows or switching back.

The most boring but valid one is "I have to use Windows for work. It is a requirement (of some software I have to use)". But there are also other answers that fit. My sister, for example, tried Linux, but while installing software constantly encountered issues that I helped her solve and eventually switched back because she felt like she had less control than over Windows. While I am aware that this is fundamentally wrong, it is valid that some amateur users do not want to invest enough time to get over the initial hurdles of relearning how to install software.

What are the best reasons people have given you for not wanting to try Linux?

OQB @VoxAliorum@lemmy.ml

FreeBSD 15.0 is working toward its stable release in early December. As part of reaching that major release, FreeBSD 15.0-RC3 released today as what may be the final release candidate before FreeBSD 15.0-RELEASE.

A FreeBSD 15.0-RC4 milestone had been expected, but because of release delays caused by extra snapshots earlier in the cycle, FreeBSD 15.0-RC3 is currently set to be the last release candidate. If all goes well with that testing, FreeBSD 15.0-RELEASE could be announced on 2 December.

Just last week GNOME's Nautilus file manager "GNOME Files" made headlines for finally supporting Ctrl+Insert and Shift+Insert, while this week there is more activity worth pointing out. Nautilus in GNOME 50 will be loading thumbnail images much faster than in prior versions.

With new thumbnail code merged this week for GNOME Files / Nautilus, the file manager now makes use of improvements in GTK4 and loads thumbnails asynchronously.

Back in mid-2024, the Bavarian Linux PC vendor TUXEDO Computers teased plans for developing a Snapdragon X Elite Linux laptop. Initially they hoped to have it out by Christmas 2024. That didn't happen and now approaching Christmas 2025 they confirmed they have stopped their plans for shipping a Snapdragon X1 Elite laptop for Linux customers.

Earlier in 2025 they confirmed various obstacles they had been hitting with Linux support for the Snapdragon X Elite effort. They did get as far as posting Linux kernel patches for the Device Tree of their planned laptop. As recently as early November they posted the latest Linux DT patches for their ARM laptop, with the effort appearing to still be ongoing -- even with Snapdragon X2 Elite laptops for Windows on ARM now coming about.

NVIDIA today issued the 580.94.11 driver release as their newest Vulkan beta driver for Linux customers. Most notable with this beta driver update is adding VK_EXT_hdr_metadata support.

The NVIDIA Windows driver has supported the VK_EXT_hdr_metadata extension all the way back to 2018, and the open-source Mesa Linux drivers also support this HDR metadata extension, while it is only now being enabled in the NVIDIA Linux driver. VK_EXT_hdr_metadata is used for handling SMPTE 2086 metadata and CTA-861.3 metadata for Vulkan swapchains.

Just learned of timers the other day, but I'm a cron guy, anybody out there using timers? Anything I'm missing out on?

The upcoming Linux 6.19 kernel cycle is set to introduce support for the Realtek RTL8125K as a forthcoming Ethernet ASIC.

The Realtek RTL8125K doesn't appear to have been formally announced yet or at least isn't showing up anywhere prominent online. The Linux enablement patches coming for the Linux 6.19 kernel put the RTL8125K as an extension of the Realtek RTL8125D 2.5G Ethernet ASICs already launched and supported by the mainline Linux kernel last year.

Great conference in Columbus, coming up December 6th, great presentations, and great people. Join us there!

#Ohio #linux #conference #open #libre #free #columbus

Windows is getting worse, while gaming on Linux is getting better. I’m gonna move my desktop to CachyOS. Wish me luck.

The best one I've ever heard is they like the Microsoft wallpapers. Yes, I told them you can use them on Linux too. But they argued with me that they wouldn't be compatible.

OQB @lordnikon@lemmy.world

While some Linux distros have stood the test of time, others have fallen by the wayside, remembered only by their users.

Nothing lasts forever, not even operating systems. This article will take a look at some distros that offered some innovative features, but for one reason or another, aren't available anymore.

Max 16 Plus laptop with a Qualcomm discrete NPU is now shipping... That is if you are running Ubuntu Linux while the Windows 11 pre-load option is expected in early 2026. An exciting twist with the Linux version of the Dell Pro Max 16 Plus shipping before Microsoft Windows.

The new Dell Pro Max 16 Plus features a Qualcomm AI 100 PC inference accelerator. That makes the Dell Pro Max 16 Plus the first mobile workstation with such an "enterprise grade" discrete NPU.

This is extremely encouraging to me. I am not affiliated with the project but here is what I've gathered. Run by Mike.

  • Nix (with the functional declarative design)
  • Cinnamon (DE mostly used by Linux Mint, Mike and I think Cinnamon doesn't get enough respect)
  • Two versions, main and "lite".
  • zero config auto update is a huge selling point imo
  • flatpak is a nice touch

Main:

  • "4 core and 4GB of ram" target
  • Flatpak integrated and auto-updates
  • Zoom flatpak
  • Chrome flatpak and Firefox
  • Libreoffice flatpak
environment.systemPackages = with pkgs; [
    git
    firefox
    libnotify
    gawk
    gnugrep
    sudo
    dconf
    gnome-software
    gnome-calculator
    gnome-calendar
    gnome-screenshot
    flatpak
    xdg-desktop-portal
    xdg-desktop-portal-gtk
    xdg-desktop-portal-gnome
    system-config-printer
  ];

Lite:

  • "2 core and 2 GB of RAM" target
  • no flatpak
  • firefox

zramSwap.memoryPercent = 100;
MemoryHigh = "500M";
environment.systemPackages = with pkgs; [
    git
    firefox
    libnotify
    gawk
    sudo
    gnome-calculator
    gnome-calendar
    gnome-screenshot
    system-config-printer
  ];

Github

Installing

boot the special ISO and connect to wifi via the system settings via the start menu (rough edges here). install.

secure boot is not first-class supported in nix but it 'can' be done.

Does the market need this?

It feels like yes. See "what do you install on other people's computers?". A zero-support OS that isn't tied into ChromeOS is a tall order. There are a lot of distros that are "semi" friendly, but which are strong enough to give to a stranger and never hear from them again?

The pitch is compelling enough that I put it on my small laptop. I used it for about 20 minutes. That laptop is not a project laptop, and if I could just browse and do basic linux stuff and never think about maintaining it again I'd be happy. I can report back (and contribute to nixbook) if it serves my needs. If it passes my tests I may transition the family Win10 PC to nixbook. I'm getting spooked at how many more threats target Windows than Linux.

tweaking

I'm an ultra noob with nix but you should be able to edit this and have it work. Mike has a post about which config file to edit but I can't find it. https://nixos.wiki/wiki/Nixos-rebuild

$ # Edit your configuration
$ sudo nano /etc/nixos/configuration.nix
$ # Rebuild your system
$ sudo nixos-rebuild switch

I added silversearcher, tldr and tilde and it seemed to work.

Cool tweet

https://fosstodon.org/@codemonkeymike/115582530036847888

OC by @BigHeadMode@lemmy.frozeninferno.xyz
