OpenSUSE Leap 15.2 Release Notes: Difference between revisions

openSUSE Leap is a free and Linux-based operating system for your PC, Laptop or Server. You can surf the Web, manage your e-mails and photos, do office work, play videos or music and have a lot of fun!

Publication Date: 2020-06-04, Version: 15.2.20200604.9c6334bc

The release notes are under constant development. To find out about the latest updates, see the online version at https://doc.opensuse.org/release-notes. The English release notes are updated whenever need arises. Translated language versions can temporarily be incomplete.

If you upgrade from an older version to this openSUSE Leap release, see previous release notes listed here: https://en.opensuse.org/openSUSE:Release_Notes.

Information about the project is available at https://www.opensuse.org.

To report bugs against this release, use the openSUSE Bugzilla. For more information, see https://en.opensuse.org/Submitting_Bug_Reports.

Major new features of openSUSE Leap 15.2 are also listed at https://en.opensuse.org/Features_15.2.

Installation

This section contains installation-related notes. For detailed upgrade instructions, see the documentation at https://doc.opensuse.org/documentation/leap/startup/html/book.opensuse.startup/part-basics.html.

Using Atomic Updates With the System Role Transactional Server

The installer supports the system role Transactional Server. This system role features an update system that applies updates atomically (as a single operation) and makes them easy to revert should that become necessary. These features are based on the package management tools that all other SUSE and openSUSE distributions also rely on. This means that the vast majority of RPM packages that work with other system roles of openSUSE Leap 15.2 also work with the system role Transactional Server.

To provide these features, this update system relies on:

• Btrfs snapshots. Before a system update is started, a new Btrfs snapshot of the root file system is created. Then, all the changes from the update are installed into that Btrfs snapshot. To complete the update, you can then restart the system into the new snapshot.

To revert the update, simply boot from the previous snapshot instead.

• A read-only root file system. To avoid issues with and data loss because of updates, the root file system must not be written to otherwise. Therefore, the root file system is mounted read-only during normal operation.

To make this setup work, two additional changes to the file system needed to be made: To allow writing user configuration in /etc, this directory is automatically configured to use OverlayFS. /var is now a separate subvolume which can be written to by processes.

To work with transactional updates, always use the command transactional-update instead of YaST and Zypper for all software management:

• Update the system: transactional-update up
• Install a package: transactional-update pkg in PACKAGE_NAME
• Remove a package: transactional-update pkg rm PACKAGE_NAME
• To revert the last snapshot, that is the last set of changes to the root file system, make sure your system is booted into the next to last snapshot and run: transactional-update rollback

Optionally, add a snapshot ID to the end of the command to rollback to a specific ID.

When using this system role, by default, the system will perform a daily update and reboot between 03:30 am and 05:00 am. Both of these actions are systemd-based and if necessary can be disabled using systemctl:

systemctl disable --now transactional-update.timer rebootmgr.service

For more information about transactional updates, see the openSUSE Kubic blog posts https://kubic.opensuse.org/blog/2018-04-04-transactionalupdates/ and https://kubic.opensuse.org/blog/2018-04-20-transactionalupdates2/.

Installing on Hard Disks With Less Than 12 GB of Capacity

The installer will only propose a partitioning scheme if the available hard disk size is larger than 12 GB. If you want to set up, for example, very small virtual machines images, use the guided partitioner to tune partitioning parameters manually.

UEFI - Unified Extensible Firmware Interface

Prior to installing openSUSE on a system that boots using UEFI (Unified Extensible Firmware Interface), you are urgently advised to check for any firmware updates the hardware vendor recommends and, if available, to install such an update. A pre-installation of Windows 8 or later is a strong indication that your system boots using UEFI.

Background: Some UEFI firmware has bugs that cause it to break if too much data gets written to the UEFI storage area. However, there is no clear data of how much is "too much".

openSUSE minimizes the risk by not writing more than the bare minimum required to boot the OS. The minimum means telling the UEFI firmware about the location of the openSUSE boot loader. Upstream Linux kernel features that use the UEFI storage area for storing boot and crash information (pstore) have been disabled by default. Nevertheless, it is recommended to install any firmware updates the hardware vendor recommends.

UEFI, GPT and MS-DOS Partitions

Together with the EFI/UEFI specification, a new style of partitioning arrived: GPT (GUID Partition Table). This new schema uses globally unique identifiers (128-bit values displayed in 32 hexadecimal digits) to identify devices and partition types.

Additionally, the UEFI specification also allows legacy MBR (MS-DOS) partitions. The Linux boot loaders (ELILO or GRUB 2) try to automatically generate a GUID for those legacy partitions, and write them to the firmware. Such a GUID can change frequently, causing a rewrite in the firmware. A rewrite consists of two different operations: Removing the old entry and creating a new entry that replaces the first one.

Modern firmware has a garbage collector that collects deleted entries and frees the memory reserved for old entries. A problem arises when faulty firmware does not collect and free those entries. This can result in a non-bootable system.

To work around this problem, convert the legacy MBR partition to GPT.

System Upgrade

This section lists notes related to upgrading the system. For supported scenarios and detailed upgrade instructions, see the documentation at:

• https://en.opensuse.org/SDB:System_upgrade
• https://doc.opensuse.org/documentation/leap/startup/html/book.opensuse.startup/cha-update-osuse.html

Additionally, check Section 3, "Packaging Changes".

Package Changes

Deprecated Packages

Deprecated packages are still shipped as part of the distribution but are scheduled to be removed the next version of openSUSE Leap. These packages exist to aid migration, but their use is discouraged and they may not receive updates.

• libqt4: Will receive neither updates nor security fixes. The package will be removed in the next version of openSUSE Leap.
• kdelibs4: Will receive neither updates nor security fixes. The package will be removed in the next version of openSUSE Leap.

To check whether installed packages are no longer maintained: Make sure that lifecycle-data-openSUSE is installed, then use the command:

zypper lifecycle

Removed Packages

Removed packages are not shipped as part of the distribution anymore.

• artha: Removed because it is unmaintained and has unpatched security issues. See https://bugzilla.opensuse.org/show_bug.cgi?id=1143860.
• fate: Removed because it uses insecure KDE4 and Qt4 libraries and features.opensuse.org is no longer used for feature requests.
• gcompris (old GTK version): Removed because it is unmaintained and has been replaced by now gcompris-qt. See https://www.gcompris.net.
• gstreamer-plugins-qt, gstreamer-plugins-qt5 and ktp-call-ui: Removed because these packages are unmaintained and no longer build. The package ktp-call-ui depended on gstreamer-plugins-qt.
• H2rename: Removed because the package is unmaintained.
• ixpdimm_sw, invm-cim, invm-cli and invm-i18n: Replaced by ipmctl.
• jag-level-editor: Replaced by jag-editor.
• jovie: Removed because the package is no longer maintained upstream. See also https://kde.org/applications/unmaintained/org.kde.jovie.
• kaccessible, kepas, konsole4, klinkstatus, kppp, kremotecontrol, kvpnc and kvkbd: Removed because these packages are no longer maintained upstream.
• kdesdk4-scripts: Replaced by kdesdk-scripts.
• kdeuser: Replaced by kde-user-manager.
• keepassx and kpassgen: Replaced by keepassxc.
• kile5: Replaced by kile.
• libkdegames4: Replaced by libkdegames5.
• libkquoath, libjreen and libqross: Removed because the packages are no longer maintained upstream and use the insecure libqt4.
• lilo: Has been obsolete for a decade, replaced by grub2.
• lua51-luajit: Replaced by moonjit.
• mp3gain and wxmp3gain: The package mp3gain was removed because it has a security issue and is no longer maintained upstream. The package wxmp3gain depended on mp3gain.
• nodejs8: Replaced by nodejs10 and nodejs12.
• python-django_compressor: Replaced by python-django-compressor.
• python-pep8: Replaced by python-pycodestyle.
• python-pyside and python-pyside-tools: Removed because it depends on the insecure libqt4.
• qgo: Replaced by q5go.
• slapi-nis: Removed because this module is not maintained outside of FreeIPA environments, and we do not ship FreeIPA.
• tomahawk: Removed because the package is no longer maintained upstream.
• vokoscreen: Replaced by vokoscreenNG.
• bareftp, docky, fsharp, gnome-desktop-sharp2, gnome-sharp2, mono-debugger, mono-upnp, pdfmod and taglib-sharp: Removed because the packages do not work with Mono 6.x.

Drivers and Hardware

Secure Boot: Third-Party Drivers Need to Be Properly Signed

openSUSE Leap 15.2 now enables a kernel module signature check for third-party drivers (CONFIG_MODULE_SIG=y). This is an important security measure to avoid untrusted code running in the kernel.

This may prevent third-party kernel modules from being loaded if UEFI Secure Boot is enabled. Kernel Module Packages (KMPs) from the official openSUSE repositories are not affected, because the modules they contain are signed with the openSUSE key. The signature check has the following behaviour:

• Kernel modules that are unsigned or signed with a key that is either known as untrusted or cannot be verified against the system's trusted key data base will be blocked.

It is possible to generate a custom certificate, enroll it into the system's Machine Owner Key (MOK) data base, and sign locally compiled kernel modules with this certificate's key. Modules signed in this manner will neither be blocked nor cause warnings. See https://en.opensuse.org/openSUSE:UEFI.

Since this also affects NVIDIA graphics drivers, we addressed this in our official packages for openSUSE. However, you need to manually enroll a new MOK key after installation to make the new packages work. For instructions how to install the drivers and enroll the MOK key, see https://en.opensuse.org/SDB:NVIDIA_drivers#Secureboot.

Desktop

This section lists desktop issues and changes in openSUSE Leap 15.2.

KDE 4 and Qt 4 are unmaintained

Updating from KDE 4 and Qt 4 to Plasma 5 and Qt 5 is recommended. KDE 4 and Qt 4 are no longer supported. openSUSE Leap 15.2 still contains KDE 4 and Qt 4 packages for compatibility reasons. However these packages will no longer receive updates and security fixes. Therefore it is strongly recommended to replace all installed KDE 4 and Qt 4 packages with packages from Plasma 5 and Qt 5 providing the same or at least similar functionalities.

More Information and Feedback

• Read the README documents on the medium.
• View a detailed changelog information about a particular package from its RPM:

rpm --changelog -qp FILENAME.rpm

Replace FILENAME with the name of the RPM.

• Check the ChangeLog file in the top level of the medium for a chronological log of all changes made to the updated packages.
• Find more information in the docu directory on the medium.
• For additional or updated documentation, see https://doc.opensuse.org/.
• For the latest product news, from openSUSE, visit https://www.opensuse.org.

Copyright © 2021 SUSE LLC