We did it again, Fedora at Kirinyaga university in Kenya. This time, we didn’t just introduce what open source is – we showed students how to participate and actually contribute in real time.

Many students had heard of open source before, but were not sure how to get started or where they could fit. We did it hands-on and began with a simple explanation of what open source is: people around the world working together to create tools, share knowledge, and support each other. Fedora is one of these communities. It is open, friendly, and built by different people with different skills.

We talked about the many ways someone can contribute, even without deep technical experience. Documentation, writing guides, design work, translation, testing software, and helping new contributors are all important roles in Fedora. Students learned that open source is not only for “experts.” It is also for learners. It is a place to grow.

Hands-on Documentation Workshop

After the introduction, we moved into a hands-on workshop. We opened Fedora Docs and explored how documentation is structured. Students learned how to find issues, read contribution instructions, and make changes step-by-step. We walked together through:

• Opening or choosing an issue to work on
• Editing documentation files
• Making a pull request (PR)
• Writing a clear contribution message

By the end of the workshop, students had created actual contributions that went to the Fedora project. This moment was important. It showed them that contributing is not something you wait to do “someday.” You can do it today.

“This weekend’s Open Source Event with Fedora, hosted by the Computer Society Of Kirinyaga, was truly inspiring!

Through the guidance of Cornelius Emase, I was able to make my first pull request to the Fedora Project Docs – my first ever contribution to the open-source world. ”
– Student at Kirinyaga University

Thank you note

Huge appreciation to:

• Jona Azizaj — for steady guidance and mentorship.
• Mat H. — for backing the vision of regional community building.
• Fedora Mindshare Team — for supporting community growth here in Kenya.
• Computer Society of Kirinyaga — for hosting and bringing real energy into the room.

And to everyone who played a part – even if your name isn’t listed here, I see you. You made this possible.

Growing the next generation

The students showed interest, curiosity, and energy. Many asked how they can continue contributing and how to connect with the wider Fedora community. I guided them to Fedora Docs, Matrix community chat rooms, and how they can be part of the Fedora local meetups here in Kenya.

We are introducing open source step-by-step in Kenya. There is a new generation of students who want to be part of global technology work. They want to learn, collaborate, and build. Our role is to open the door and walk together(I have a discourse post on this, you’re welcome to add your views).

What Comes Next

This event is part of a growing movement to strengthen Fedora’s presence in Kenya. More events will follow so that learning and contributing can continue.

We believe that open source becomes strong when more people are included. Fedora is a place where students in Kenya can learn, grow, share, and contribute to something global.

We already had a Discourse thread running for this event – from the first announcement, planning, and budget proposal, all the way to the final workshop. Everything happened in the open. Students who attended have already shared reflections there, and anyone who wants to keep contributing or stay connected can join the conversation.

You can check the events photos submitted here on Google photos(sorry that’s not FOSS:))

Cornelius Emase,
Your Friend in Open Source(Open Source Freedom Fighter)

The Fedora community is coming together once again to celebrate the release of Fedora Linux 43, and you’re invited! Join us on Friday, November 21, 2025, from 13:00 to 16:00 UTC on Matrix for our virtual Fedora 43 Release Party.

This is our chance to celebrate the latest release, hear from contributors across the project, and see what’s new in Fedora Workstation, KDE, Atomic Desktops, and more. Whether you’re a long-time Fedora user or new to the community, it’s the perfect way to connect with the broader community, learn more about Fedora, and hang out in Matrix chat with your Fedora friends.

We have a lineup of talks and updates from across the Fedora ecosystem, including updates directly from teams who have been working on changes in this release. We’ll kick things off with Fedora Project Leader Jef Spaleta and Fedora Community Architect Justin Wheeler, followed by sessions with community members like Timothée Ravier on Atomic Desktops, Peter Boy and Petr Bokoč on the new Fedora Docs initiative, and Neal Gompa and Michel Lind discussing the Wayland-only GNOME experience. You’ll also hear from teams across Fedora sharing insights, demos, and what’s next for the project.

Registration is free but required to join the Matrix event room. Once registered, you’ll receive an invitation in your Matrix account before the event begins.

Sign up on the Fedora Linux 43 Release Party event page. We can’t wait to see you there to come celebrate Fedora 43 with us!

The official dates and location are set for Flock to Fedora 2026, the premier annual conference for Fedora Project contributors. The event will take place from 14-16 June 2026, in Prague, Czechia.

For Flock 2026, we are returning to the Vienna House by Wyndham Andel’s Prague, located at:

Stroupeznickeho 21
Prague, 150 00
Czech Republic

While all three days will be full conference days, the arrangement of the schedule will change slightly in 2026. Sunday, 14 June, will be designated as Day 0, featuring workshops, team meetups, and hands-on contributor sessions. The main conference activities, including streamed content, the opening keynote, and other sessions, are scheduled for Monday, 15 June, and Tuesday, 16 June.

Coordinated Scheduling with DevConf CZ

Following community feedback from last year, Flock 2026 has been scheduled to align more closely with DevConf.CZ. The conference will conclude just before DevConf.CZ begins in Brno (18-20 June 2026). This compressed travel schedule is intended to make it easier for community members who wish to attend both events.

Call for Proposals & Conference Themes

The Call for Proposals (CFP) for Flock 2026 will open in early December 2025 and close shortly after FOSDEM 2026 (31 January – 1 February). Speaker confirmations are scheduled to be sent in March 2026.

For Flock 2026, we are taking a more focused approach to session content. The Fedora Council, FESCo, and the Mindshare Committee are shaping key themes for the CFP. All presentation and workshop submissions should align with one of these themes. More details will be shared when the CFP opens.

Planning for Flock 2026

Here is what you need to know to plan your attendance:

• Registration: Conference registration is scheduled to open in January 2026.
• Sponsorship: Is your company or organization interested in sponsoring Flock 2026? Our sponsorship prospectus for Flock 2026 is now available on the Flock 2026 website. Organizations interested in supporting Flock and the Fedora community are encouraged to review the prospectus and contact the organizing team with any questions.
• Hotel Block: A discounted block of rooms is arranged at the conference hotel. More information about the discounted hotel block can be found on the Flock website.
• Travel Day & Connections: 17 June is designated as a free travel day between Flock to Fedora 2026 and DevConf.CZ. Frequent bus and train connections are available for travel between Prague and Brno.
• Sponsored Travel: We intend to offer sponsored travel again for Flock to Fedora 2026. More details will follow in December 2025.

Get Involved & Ask Questions

The official Flock to Fedora 2026 Matrix room, #flock:fedoraproject.org, is the best place to connect with organizers and other community members. We encourage you to join the channel for the latest updates and to ask any questions you may have.

Flock to Fedora 2026 web site

A Note on Our Flock to Fedora 2026 & 2027 Plans

We recognize that returning to the same city and venue for a second consecutive year is a departure from Flock’s tradition. This decision was made intentionally with two key goals in mind.

First, by working with a familiar venue, our organizing team can optimize its processes and plan further in advance. This stability for Flock to Fedora 2026 will give us more opportunity to improve our internal processes and explore new ways to incorporate community input into the design of Fedora’s flagship contributor conference.

Second, this allows us to plan for a significant change in 2027. The Flock organizing team is committed to exploring new locations for Flock 2027, with a particular focus on regions outside of North America and Europe. We acknowledge the travel difficulties many of our contributors in regions like LATAM and APAC face. We learned valuable lessons from past planning cycles and are eager to achieve this goal, while also recognizing that unforeseen circumstances can impact our plans. We will work with community members in these regions to explore possible options and conduct thorough research on pricing and availability for 2027.

We look forward to seeing you in Prague for Flock 2026, 14-16 June.

— The Flock to Fedora Planning Team

Fedora Silverblue is an operating system for your desktop built on Fedora Linux. It’s excellent for daily use, development, and container-based workflows. It offers numerous advantages such as being able to roll back in case of any problems. If you want to rebase to Fedora Linux 43 on your Fedora Silverblue system, this article tells you how. It not only shows you what to do, but also how to revert things if something unforeseen happens.

Update your existing system

Prior to actually doing the rebase to Fedora Linux 43, you should apply any pending updates. Enter the following in the terminal:

$ rpm-ostree update

or install updates through GNOME Software and reboot.

Note

rpm-ostree is the underlying atomic technology that all the Fedora Atomic Desktops use. The techniques described here for Silverblue will apply to all of them with proper modifications for the appropriate desktop.

Rebasing using GNOME Software

GNOME Software shows you that there is new version of Fedora Linux available on the Updates screen.

First thing to do is download the new image, so select the Download button. This will take some time. When it is done you will see that the update is ready to install.

Select the Restart & Upgrade button. This step will take only a few moments and the computer will restart when the update has completed. After the restart you will end up in a new and shiny release of Fedora Linux 43. Easy, isn’t it?

Rebasing using terminal

If you prefer to do everything in a terminal, then this part of the guide is for you.

Rebasing to Fedora Linux 43 using the terminal is easy. First, check if the 43 branch is available:

$ ostree remote refs fedora

You should see the following in the output:

fedora:fedora/43/x86_64/silverblue

If you want to pin the current deployment (meaning that this deployment will stay as an option in GRUB until you remove it), you can do this by running this command:

# 0 is entry position in rpm-ostree status
$ sudo ostree admin pin 0

To remove the pinned deployment use the following command:

# 2 is entry position in rpm-ostree status 
$ sudo ostree admin pin --unpin 2

Next, rebase your system to the Fedora Linux 43 branch.

$ rpm-ostree rebase fedora:fedora/43/x86_64/silverblue

Finally, the last thing to do is restart your computer and boot to Fedora Linux 43.

How to roll back

If anything bad happens (for instance, if you can’t boot to Fedora Linux 43 at all) it’s easy to go back. At boot time, pick the entry in the GRUB menu for the version prior to Fedora Linux 43 and your system will start in that previous version rather than Fedora Linux 43. If you don’t see the GRUB menu, try to press ESC during boot. To make the change to the previous version permanent, use the following command:

$ rpm-ostree rollback

That’s it. Now you know how to rebase Fedora Silverblue to Fedora Linux 43 and roll back. So why not do it today?

Known Issues

• PAM Lastlog change crashing gdm

FAQ

Because there are similar questions in comments for each blog about rebasing to newer version of Silverblue I will try to answer them in this section.

Question: Can I skip versions during rebase of Fedora? For example from Fedora 40 Silverblue to Fedora 43 Silverblue?

Answer: Although it could sometimes be possible to skip versions during rebase, it is not recommended. You should always update to one version above (40->41->42->43 for example) to avoid unnecessary errors.

Question: I have rpm-fusion layered and I get errors during rebase. How should I do the rebase?

Answer: If you have rpm-fusion layered on your Silverblue installation, you should do the following before rebase:

$ rpm-ostree update --uninstall rpmfusion-free-release --uninstall rpmfusion-nonfree-release --install rpmfusion-free-release --install rpmfusion-nonfree-release

After doing this you can follow the guide in this blog post.

Question: Could this guide be used for other ostree editions (Fedora Atomic Desktops) as well like Kinoite, Sericea (Sway Atomic), Onyx (Budgie Atomic),…?

Yes, you can follow the Rebasing using the terminal part of this guide for every Fedora Atomic Desktop. Just use the corresponding branch. For example, for Kinoite use fedora:fedora/43/x86_64/kinoite

I’m excited to announce my very first Fedora Linux release as the new Fedora Project Leader. Fedora Linux 43 is here! 43 releases! Wow that’s a lot. I was thinking about proposing special tetracontakaitrigon stickers to celebrate this release, but I’m not sure anyone would notice they weren’t circles.

Thank you and congrats to everyone who has contributed to Fedora to this release, and in all the releases leading up to this one. I’m grateful to be back with a chance to take stewardship of the collaboration as the Fedora Project leader. I’ve been getting my feet under me as much as I can in these first few months. I’m looking forward to writing up some longer missives about where I want to steer this ship, but for right now I just want to highlight some of the changes you should expect to encounter in the latest release of Fedora Linux. Read the highlights below to find out more. Or if you are ready just jump right in!

Upgrade

If you have an existing system, Upgrading Fedora Linux to a New Release is easy. In most cases, it’s not very different from just rebooting for regular updates, except you’ll have a little more time to grab a coffee.

Fresh Install

If this is your first time running Fedora Linux, or if you just want to start fresh with Fedora, download the install media for our flagship Editions (Workstation, KDE Plasma Desktop, Cloud, Server, CoreOS, IoT),  for one of our Atomic Desktops (Silverblue, Kinoite, Cosmic, Budgie, Sway), or for alternate desktop options (like Cinnamon, Xfce, Sway, or others).

What’s new?

As usual, with Fedora, there are just too many individual changes and improvements to go over in detail. You’ll want to take a look at the release notes for that.

Notable User Visible Changes

There are, however, a few notable user visible changes in this release. For those of you installing fresh Fedora Linux 43 Spins, you may be greeted with the new Anaconda WebUI. This was the default installer interface for Fedora Workstation 42, and now it’s the default installer UI for the Spins as well.

If you are a GNOME desktop user, you’ll also notice that the GNOME is now Wayland-only in Fedora Linux 43. GNOME upstream has deprecated X11 support, and has disabled it as a compile time default in GNOME 49. Upstream GNOME plans to fully remove X11 support in GNOME 50.

Plumbing Upgrades

Beyond the user-visible changes, there are a couple of significant bits of plumbing that should go unnoticed for most users but are a big deal, nonetheless.

Fedora Linux 43 will be the first release with RPM 6.0. Like I said, this should go unnoticed to end-users, but it is a significant change. RPM 6.0 provides some interesting security enhancements, like multiple key signing of packages. This should help future-proof package signing as we transition to post-quantum-crypto OpenPGP keys in future releases.

We’re also moving forward with our bootc enablement story. Fedora CoreOS is now buildable from a Fedora base bootc image using a Containerfile, instead of needing to be composed with a custom tool. That means anyone with podman can build the Fedora CoreOS image, whether manually or via CI/CD automation.

Fedora CoreOS (FCOS) is also changing how it’s issuing updates to users in Fedora 43. Instead of using an OSTree repository, FCOS updates will be delivered exclusively as OCI images. FCOS 42 provided both OSTree repository and OCI registry as a transition for users. In FCOS 43, the OSTree updates are disabled entirely.

Save the Date: Fedora Linux 43 Release Party!

To celebrate all this incredible community work, we’ll be hosting a virtual Fedora Linux 43 Release Party! Please save the date for Friday, 21 November. We’re still finalizing the schedule and speakers, so registration isn’t open just yet, but more details will be shared soon. You can keep an eye on the Fedora Linux 43 Release Party Schedule wiki page for the latest updates!

If you hit a snag

If you run into a problem, visit our Ask Fedora user support forum. This forum includes a category where we collect common issues and solutions or work-arounds.

Just drop by and say “hello”

Drop by our “virtual watercooler” on Fedora Discussion and join a conversation, share something interesting, and introduce yourself. We’re always glad to see new people!

Below are a few noteworthy changes in the latest release of Fedora Workstation that we think you will love. Upgrade today from the official website, or upgrade your existing install using GNOME Software or through the terminal with dnf system-upgrade.

GNOME 49

Fedora Linux 43 Workstation also ships with the brand-new GNOME 49 release, bringing a host of refinements to your desktop. This update introduces significant enhancements for multiple display setups, an improved and streamlined workflow for taking screenshots and screen recordings, and a new “Focus Mode” to help you minimize distractions. Under the hood, resource-smart background throttling improves performance and battery life, while the Settings app has been polished with a refined UI. These are just the highlights. Check out the official GNOME 49 release notes to find more information about all the new features.

Wayland-only GNOME

One significant change we want to forewarn you about is that Fedora Linux 43 is removing the GNOME X11 packages from the Fedora repositories. All users of the GNOME X11 session will be migrated to the GNOME Wayland session with the upgrade to Fedora Workstation 43.

The transition to the GNOME Wayland session in Fedora Workstation 43 has been in the works for nearly a decade. There have been several prior steps toward this goal, such as the work in Fedora Linux 41 to remove legacy X11 dependencies from core media components.

Wayland has been the default GNOME session on Fedora Workstation for many years, but this release completes the change. The legacy gnome-session-xsession packages have been removed from the Fedora Linux 43 repositories.

This change will unlock a new level of performance and hardware compatibility. You’ll immediately notice smoother, cleaner visuals thanks to triple buffering, which dramatically reduces screen tearing. This change also improves support for a range of hardware, including enhanced drivers for Intel Xe graphics and improvements for systems using NVIDIA Optimus and Hybrid Mode.

A new default video player — Showtime

The default video player has been changed from Totem to Showtime. Showtime is built on the newer GTK 4 and Libadwaita libraries.

Use COLR for Noto Color Emoji

The Noto Color Emoji fonts have released some new files with the COLRv1 format. The COLRv1 format is a color scalable font compared with the previous color bitmap fonts. This new scalable font format should have better or similar rendering results compared to the old bitmap font format. See the change notes for more details.

Peas 2.0

If you are an app developer, you might be interested in the upgrade to Peas 2. Peas is a gobject-based plugins engine that is used by several GNOME applications.

Wrap-up

Be sure to check out the Fedora Linux 43 Change Set wiki for even more details about all the features and changes that went into Fedora Linux 43. Use the Fedora Discussion forum or Fedora’s Matrix chat server if you want to converse with the Fedora community about this new release!

Fedora Linux 43 has been released! So, let’s see what is included in this new release for the Fedora Atomic Desktops variants (Silverblue, Kinoite, Sway Atomic, Budgie Atomic and COSMIC Atomic).

Changes for all variants

zstd compressed initrds

Alongside the rest of Fedora, we are now compressing our initrds with the Zstandard (zstd) algorithm. This should make the initrd a bit smaller and the boot a bit faster.

See the Fedora Change request and the tracking issue atomic-desktops-sig#34.

2 GB boot partition

Along with the rest of Fedora, systems will install with a 2GB /boot partition. This should make things easier with the growing initrd sizes (mostly due to firmwares). Existing systems will require a backup and re-install to benefit from this change.

See the Fedora Change request.

wireguard-tools added

We are adding the wireguard-tools to all variants. Users will still need to use the graphic interface in their desktop environment to configure WireGuard connections. However, it should now be easier to debug issues using the wg tool. This change was decided too late to be included in the installation ISO but it will come via an update.

See silverblue#390 and kde-sig#381.

plocate removed

We removed plocate from all variants.

See atomic-desktops-sig#81.

What’s new in Silverblue

GNOME 49

Fedora Silverblue comes with the latest GNOME 49 release.

For more details about the changes that alongside GNOME 49, see What’s new in Fedora Workstation 43 on the Fedora Magazine.

Workaround for Third Party page hang

We temporarily removed the Third Party page shown during the first boot as it was causing issues. Users will be asked if they want to enable Third Party repositories when they open GNOME Software.

This will be re-enabled once we figure out where the bug is.

See silverblue#650 and atomic-desktops-sig#74.

openssl added for GSConnect

We added the openssl command line tool to Silverblue, to make the GSConnect extension work without having to resort to package layering or sysexts.

See silverblue#201.

What’s new in Kinoite

KDE Plasma 6.4

Fedora Kinoite ships with Plasma 6.4, Frameworks 6.18 and Gear 25.08.

See also What’s New in Fedora KDE Plasma Desktop 43? on the Fedora Magazine.

Weekly automatic updates by default

Updates will now be automatically applied on a weekly basis, for Flatpaks and the system. You can configure the frequency or disable auto-updates in the system settings.

See the Fedora Change request and the tracking issue kde-sig#342.

What’s new in Sway Atomic

Fedora Sway Atomic comes with the latest 1.11 Sway release.

What’s new in Budgie Atomic

Fedora Budgie Atomic comes with the latest 10.9.3 Budgie release. Budgie 10.9.3 is a bug-fix and GNOME 49 compatibility release.

What’s new in COSMIC Atomic

Fedora COSMIC Atomic comes with the latest beta release of the COSMIC desktop.

Changes in unofficial images

XFCE Atomic & LXQt Atomic dropped in Fedora 43

Starting with Fedora 43, we will no longer build XFCE Atomic & LXQt Atomic unofficial images.

Universal Blue, Bluefin, Bazzite and Aurora

Our friends in the Universal Blue project (Bazzite, Bluefin, Aurora) have prepared the update to Fedora 43. Look for upcoming announcements in their Discourse.

As always, I heavily recommend checking them out, especially if you feel like some things are missing from the Fedora Atomic Desktops and you depend on them (NVIDIA drivers, extra media codec, out of tree kernel drivers, etc.).

What’s next

Roadmap to Bootable Containers

The next major evolution for the Atomic Desktops will be to transition to Bootable Containers. See also the Fedora bootc documentation.

We have established a roadmap (atomic-desktops-sig#26) and we need your help to make this a smooth transition for all of our existing users.

New home for the Fedora sysexts

We have moved the systemd system extensions (sysexts) to a new GitHub organization. The sysexts are now split between those built exclusively from Fedora packages and those built from various community sources. Make sure to update your systemd-sysupdate configs to point to the new URLs.

Moving to Fedora’s new Forge based on Forgejo

Now that Fedora’s new forge is available, we will start moving our repos there. You can find the new organization at forge.fedoraproject.org/atomic-desktops. We will likely start by moving the documentation and then issue tracker and the sources.

Where to reach us

We are looking for contributors to help us make the Fedora Atomic Desktops the best experience for Fedora users.

• Atomic Desktops SIG: New Fedora Forge organization, Issue tracker (gitlab.com/fedora/ostree/sig), #atomic-desktops:fedoraproject.org
• Silverblue: Workstation Working Group, #silverblue:fedoraproject.org
• Kinoite: KDE SIG, #kinoite:fedoraproject.org
• Sway Atomic: Sway SIG, #sway:fedoraproject.org
• Budgie Atomic: Budgie SIG, #budgie:fedoraproject.org
• COSMIC Atomic: COSMIC SIG, #cosmic:fedoraproject.org

Fedora has released Fedora KDE Plasma Desktop Edition 43 to the public.

The Fedora KDE Plasma Desktop Edition is well suited for many needs.  It combines the reliable and trusted Fedora Linux base with the KDE Plasma Desktop environment.  It provides a selection of KDE applications that are simple by default, but powerful when needed.

KDE Plasma 6.4

KDE developers continue to release new features, fix bugs and fine-tune the desktop experience to improve on the now well-established foundation of Plasma 6. 

Fedora KDE 43 ships with Plasma 6.4.5 featuring:

• More flexible tiling. You are able to choose a different tile layout for each of your virtual desktops.
• New Spectacle. Spectacle, Plasma’s screenshot tool, got a complete overhaul.
• Color Management. The Display and Monitor page in System settings comes with a brand new HDR calibration wizard.
• Accessibility. You can now move the pointer using your keyboard’s number pad keys, or use a three-finger touchpad pinch gesture to zoom in or out.
• Notifications. When any applications are in full screen mode, Plasma will enter Do Not Disturb mode and only show urgent notifications. When you exit full screen mode, you’ll see a summary of any notifications you missed, and they’ll be right there in the System Tray for your perusal.
• Apps. The Application Launcher will place a green New! tag next to newly installed apps, so you can easily find where something you just installed lives in the menu.
• Many other bugfixes, improvements and features that can be found in the Plasma 6.4 release announcement.

Fedora KDE 43 specific updates

Beyond the updates to KDE Plasma 6.4, there are some Fedora KDE updates that have happened with Fedora Linux 43.

• The new Anaconda Installer UI is being used in the Fedora KDE Desktop image. This brings a fresh, modern look to the installation process.
• Fedora Kinoite now does automatic updates by default.  Users have the option of disabling or tuning the frequency that auto-updates happen. 

Fedora Linux 43 general updates

Some of the key updates occurred in the core components of Fedora Linux 43, which directly impact the KDE Plasma Desktop Edition, include:

• New installs now have a 2 GiB /boot partition
• Faster startup with zstd compressed initrds
• Noto Color Emoji now have scalable colorful emoji

Wrap-up

The Fedora KDE SIG hopes that you’ll find the Fedora KDE Plasma Desktop 43 to be a wonderful experience.  When you’re ready to try it, click here for download links and verification instructions.  If you’d like to learn more, check out the Fedora KDE Plasma Desktop website.

Image mode for Fedora Linux leverages bootable containers. This technology enables OCI containers to serve as a transport and delivery mechanism for operating system content. This article will guide you through how to use that technology to quickly create a Web Server using Caddy

Introduction

Bootable containers leverage existing OCI container tools (like Podman and Docker) and transport protocols for operating system management. This streamlines the configuration and distribution of operating systems through Containerfiles and container registries. The Universal Blue (ublue) community has embraced this technology, offering diverse operating systems. They also provide a project template to simplify the creation of custom operating systems.

Using the image-template repository

We will begin by using the image-template GitHub repository to create our own repository. For this guide I have named it fedora-web-server.

If you don’t have a GitHub account, you can simply clone the repository to your local machine and rename it to reflect your project’s name.

$ git clone git@github.com:<username>/fedora-web-server.git
$ cd fedora-web-server

Using Fedora Bootc 42 as base image

Image-template simplifies custom OS creation by providing a pre-built structure and essential files. To begin building our web server, we need to choose a base image. While image-template defaults to the ublue Bazzite image, we’ll switch to quay.io/fedora/fedora-bootc:42. Make this change by editing the Containerfile (see immediately below) and replacing the default Base Image.

# Allow build scripts to be referenced without being copied into the final image
FROM scratch AS ctx
COPY build_files /

# Base Image
FROM quay.io/fedora/fedora-bootc:42

RUN --mount=type=bind,from=ctx,source=/,target=/ctx \
   --mount=type=cache,dst=/var/cache \
   --mount=type=cache,dst=/var/log \
   --mount=type=tmpfs,dst=/tmp \
   /ctx/build.sh
  
### LINTING
## Verify final image and contents are correct.
RUN bootc container lint

fedora-bootc is a minimal image designed for customized installations. For this project, I’ll install cloud-init to facilitate deployment and testing both in the cloud and locally. I’ll modify the build_files/build.sh script, which is executed from within the Containerfile, to incorporate cloud-init into our customized OS.

The build.sh file will appear as follow:

#!/bin/bash

set -ouex pipefail

### Install packages
dnf5 install -y --setopt=install_weak_deps=0 cloud-init

Since I want to keep my OS minimal I am not installing weak dependencies.

Installing Caddy

Caddy is an open-source, modern web server known for its simplicity, security, and automatic configuration—it “just works.” For our Fedora Bootc server, we’ll run Caddy using its container image, docker.io/caddy. We’ll leverage quadlet for seamless integration with systemd, allowing our Caddy container to operate like any other systemd service. Create the following file:

$ cd build_files
$ touch caddy.container

and enter the following text into caddy.contatiner :

[Unit]
Description=Caddy Web Server
After=network-online.target

[Container]
Image=docker.io/caddy:2-alpine
PublishPort=80:80
PublishPort=443:443
Memory=512m
Volume=/var/caddy-data/:/data:Z
Volume=/var/caddy-config/:/config:Z
Volume=/var/log/caddy/:/var/log/caddy:Z
Volume=/etc/caddy:/etc/caddy:Z
Volume=/var/www/:/var/www:Z

[Service]
Restart=always

[Install]
# Start by default on boot
WantedBy=multi-user.target

For those familiar with systemd services, the syntax and directives will be recognizable. The [Container] section declares the image to be used, the ports to be published, and the volumes to be shared between the host and the container.

We can now modify the build.sh to copy that file in our custom OS, as shown here:

#!/bin/bash

set -ouex pipefail

### Install packages
dnf5 install -y --setopt=install_weak_deps=0 cloud-init

# Copy caddy.container to /etc/containers/systemd/caddy.container
cp /ctx/caddy.container /etc/containers/systemd/caddy.container

Configuring Caddy

The final step to create a working Caddy server is to add the configuration file. Let’s create a Caddyfile:

$ touch Caddyfile

and enter the text shown below:

# Caddy configuration with automatic Let's Encrypt certificates
# Replace 'your-domain.com' with your actual domain name

# For automatic HTTPS with Let's Encrypt, use your domain name instead of :80
# your-domain.com {
#    root * /var/www
#    file_server
#    log {
#        output file /var/log/caddy/access.log
#    }
# }

# For local development (HTTP only)
:80 {
     root * /var/www
     file_server
     log {
         output file /var/log/caddy/access.log
     }
}

We can now copy that file in our OS, by editing build.sh

#!/bin/bash

set -ouex pipefail

### Install packages
dnf5 install -y --setopt=install_weak_deps=0 cloud-init

# Copy caddy.container to /etc/containers/systemd/caddy.container
cp /ctx/caddy.container /etc/containers/systemd/caddy.container


# Create /etc/caddy directory and copy Caddyfile
mkdir -p /etc/caddy
cp /ctx/Caddyfile /etc/caddy/Caddyfile

To complete the setup, we’ll use systemd.tmpfiles to create Caddy’s necessary internal directories. This approach is essential because /var in bootable containers is mutable through overlayfs, meaning it’s only created at runtime and isn’t part of the container build process. Systemd.tmpfiles provides a straightforward solution to this limitation. Modify your build.sh file as follow:

#!/bin/bash
set -ouex pipefail

### Install packages
dnf5 install -y --setopt=install_weak_deps=0 cloud-init

# Copy caddy.container to /etc/containers/systemd/caddy.container
cp /ctx/caddy.container /etc/containers/systemd/caddy.container

# Create /etc/caddy directory and copy Caddyfile
mkdir -p /etc/caddy
cp /ctx/Caddyfile /etc/caddy/Caddyfile

# Create tmpfiles.d configuration to set up /var directories at runtime
cat > /usr/lib/tmpfiles.d/caddy.conf << 'EOF'
# Create Caddy directories at runtime
d /var/log/caddy 0755 root root -
d /var/caddy-data 0755 root root -
d /var/caddy-config 0755 root root -
EOF

That’s it. We now have a Containerfile using fedora-bootc:42 as base image, a build script installing cloud-init and installing Caddy via quadlet and copying the Caddy configuration as well as setting up Caddy’s internal directories.

We can now build our custom operating system. The process involved a Containerfile based on fedora-bootc:42, a build script that installed cloud-init and Caddy (configured via quadlet), and the necessary Caddy configuration and directory setup.
If you want your Caddy web server to serve a custom html page, you can copy the following files https://github.com/cverna/fedora-web-server/tree/main/build_files/web and edit the build.sh script as follows:

#!/bin/bash

set -ouex pipefail

### Install packages
dnf5 install -y --setopt=install_weak_deps=0 cloud-init 

# Copy caddy.container to /etc/containers/systemd/caddy.container
cp /ctx/caddy.container /etc/containers/systemd/caddy.container

# Create /etc/caddy directory and copy Caddyfile
mkdir -p /etc/caddy
cp /ctx/Caddyfile /etc/caddy/Caddyfile

# Copy web content to /usr/share for the base image
mkdir -p /usr/share/caddy/web
cp -r /ctx/web/* /usr/share/caddy/web/

# Create tmpfiles.d configuration to set up /var directories at runtime
cat > /usr/lib/tmpfiles.d/caddy.conf << 'EOF'
# Create Caddy directories at runtime
d /var/log/caddy 0755 root root -
d /var/caddy-data 0755 root root -
d /var/caddy-config 0755 root root -

# Copy web content from /usr/share to /var at runtime
d /var/www 0755 root root -
C /var/www/index.html 0644 root root - /usr/share/caddy/web/index.html
C /var/www/fedora-logo.png 0644 root root - /usr/share/caddy/web/fedora-logo.png
C /var/www/caddy-logo.svg 0644 root root - /usr/share/caddy/web/caddy-logo.svg
EOF

Building the bootable container

The image-template repositories equip you with the necessary tools for local image construction. Let’s begin by verifying that all dependencies are in place.

$ sudo dnf install just git jq podman

Then we can run just to build the container. The following shows the just command and subsequent output:

$ just build fedora-web-server latest
[1/2] STEP 1/2: FROM scratch AS ctx
[1/2] STEP 2/2: COPY build_files /
--> Using cache 94ec17d1689b09a362814ab08530966be4aced972050fedcd582b65f174af3a3
--> 94ec17d1689b
[2/2] STEP 1/3: FROM quay.io/fedora/fedora-bootc:42
[2/2] STEP 2/3: RUN --mount=type=bind,from=ctx,source=/,target=/ctx     --mount=type=cache,dst=/var/cache     --mount=type=cache,dst=/var/log     --mount=type=tmpfs,dst=/tmp     /ctx/build.sh &&     ostree container commit
--> Using cache 8cac20d690bda884b91ae2a555c4239a71f162fbd4ff36a1e2ed5f35f5dfb05a
--> 8cac20d690bd
[2/2] STEP 3/3: RUN bootc container lint
--> Using cache 5cb978e3db5a2bcd437018a6e97e1029d694180002f5fa098aaf540952941dd4
[2/2] COMMIT fedora-web-server:latest
--> 5cb978e3db5a
Successfully tagged localhost/fedora-web-server:latest

Just is a useful tool for running project-specific commands, similar to Makefiles, and uses a ‘justfile’. As the image functions like any other container image, we can inspect it using Podman.

$ podman images
REPOSITORY                   TAG         IMAGE ID      CREATED      SIZE
localhost/fedora-web-server  latest      5cb978e3db5a  4 hours ago  1.95 GB
quay.io/fedora/fedora-bootc  42          586b146c456e  2 days ago   1.88 GB

Building a Disk Image

The disk image for our server is built using just as follows:

$ just build-vm localhost/fedora-web-server latest

This will use the bootc-image-builder project to build a disk image of our bootable container. Once the command has finished, we have a qcow2 image in the output directory

$ ls output/qcow2                                                                                                                                                              
disk.qcow2

We can now use that qcow2 image to start a Virtual Machine and run our webserver.

Running the Web Server

To run the server we can use any virtualization software. In this case I am using virt-install:

$ sudo dnf install virt-install libvirt
$ virt-install --cloud-init root-ssh-key=/path/to/ssh/public.key --connect qemu:///system --import --name fedora-web-server --memory 2048 --disk output/qcow2/disk.qcow2 --os-variant fedora41
Starting install...
Creating domain...
...
Fedora Linux 42 (Adams)
Kernel 6.16.5-200.fc42.x86_64 on x86_64 (ttyS0)

enp1s0: 192.168.100.199
fedora login:

Once the virtual machine is up and running, you can use ssh to login as root, using the local IP address of the virtual machine.

$ ssh root@192.168.100.199
$ bootc status                                                                                                                                                    
● Booted image: localhost/fedora-web-server:latest                                                                                                                               
       Digest: sha256:a813a8da85f48d8e6609289dde87e1d45ff70a713d1a9ec3e4e667d01cb470f2 (amd64)                                                                                  
      Version: 42.20250911.0 (2025-09-12T07:36:05Z) 

Currently, the server’s update capability is limited because the images point to the localhost/fedora-web-server:latest container image. This can be resolved by building and pushing these container images to a container registry such as quay.io or ghcr.io. Detailed instructions for these steps are available in the README file of the ublue-os/image-template repository.

To verify that the web server is running successfully, access that same ip address from your web browser and you should get the following web page.

Summary

This guide demonstrates the power of image mode for Fedora Linux using bootc and Caddy to build a lightweight, custom web server. By leveraging container technologies for OS delivery and Caddy for simplified web serving, users can efficiently deploy and manage web applications, setting a strong foundation for future customization. Make sure to check the library of examples to get ideas on how to use bootc.

Silverblue is an operating system for your desktop built on Fedora Linux. It’s excellent for daily use, development, and container-based workflows. It offers numerous advantages such as being able to roll back in case of any problems. This article provides the steps to rebase to the newly released Fedora Linux 43 Beta, and how to revert if anything unforeseen happens.

NOTE: Before attempting an upgrade to the Fedora Linux 43 Beta, apply any pending upgrades.

Updating using the terminal

Because Fedora LInux 43 Beta is not available in GNOME Software, the whole process must be done through a terminal.

First, check if the 43 branch is available, which should be true now:

$ ostree remote refs fedora

You should see the following line in the output:

fedora:fedora/43/x86_64/silverblue

If you want to pin the current deployment (this deployment will stay as an option in GRUB until you remove it), you can do it by running:

# 0 is entry position in rpm-ostree status
$ sudo ostree admin pin 0

To remove the pinned deployment use following command ( “2” corresponds to the entry position in the output from rpm-ostree status ):

$ sudo ostree admin pin --unpin 2

Next, rebase your system to the Fedora 43 branch.

$ rpm-ostree rebase fedora:fedora/43/x86_64/silverblue

Finally, the last thing to do is restart your computer and boot to Fedora Silverblue 43 Beta.

How to revert

If anything bad happens — for instance, if you can’t boot to Fedora Silverblue 43 Beta at all — it’s easy to go back. Pick the previous entry in the GRUB boot menu (you need to press ESC during boot sequence to see the GRUB menu in newer versions of Fedora Silverblue), and your system will start in its previous state. To make this change permanent, use the following command:

$ rpm-ostree rollback

That’s it. Now you know how to rebase to Fedora Silverblue 43 Beta and fall back. So why not do it today?

Known issues

• PAM Lastlog change crashing gdm

FAQ

Because there are similar questions in comments for each blog about rebasing to newer version of Silverblue I will try to answer them in this section.

Question: Can I skip versions during rebase of Fedora Linux? For example from Fedora Silverblue 41 to Fedora Silverblue 43?

Answer: Although it could be sometimes possible to skip versions during rebase, it is not recommended. You should always update to one version above (41->42 for example) to avoid unnecessary errors.

Question: I have rpm-fusion layered and I got errors during rebase. How should I do the rebase?

Answer: If you have rpm-fusion layered on your Silverblue installation, you should do the following before rebase:

rpm-ostree update --uninstall rpmfusion-free-release --uninstall rpmfusion-nonfree-release --install rpmfusion-free-release --install rpmfusion-nonfree-release

After doing this you can follow the guide in this article.

Question: Could this guide be used for other ostree editions (Fedora Atomic Desktops) as well like Kinoite, Sericea (Sway Atomic), Onyx (Budgie Atomic),…?

Yes, you can follow the Updating using the terminal part of this guide for every ostree edition of Fedora. Just use the corresponding branch. For example for Kinoite use fedora:fedora/43/x86_64/kinoite

This guide provides a step-by-step walk-through for integrating a uTrust FIDO2 security key (Identiv uTrust) with Fedora 42 to secure:

• LUKS2 full disk encryption (FDE)
• Graphical login (LightDM + Cinnamon)
• Sudo elevation

Audience for this article

The guide is intended for instructional cybersecurity labs and intermediate Fedora users. It prioritizes PIN + Touch verification for strong security.

NOTE: Since misconfiguration can result in system lockout, readers should work only on non-production systems, maintain a fallback password, and back up all critical data before making changes.

Background

The following technology is used in this walk-through:

FIDO2 (Fast Identity Online 2) is a standard for passwordless or multi-factor authentication using hardware tokens. It relies on public key cryptography and supports PIN or biometric verification. In this setup, FIDO2 provides secure, hardware-backed authentication using a PIN and a required physical touch on the key.

LUKS2 (Linux Unified Key Setup 2) is the full-disk encryption format used in modern Linux systems.

PAM (Pluggable Authentication Modules) and Polkit (PolicyKit) control authentication for logins and privilege escalation across both GUI and CLI actions.

This guide combines these technologies to deliver end-to-end security — from full-disk decryption at boot, to graphical login, to administrative elevation with sudo.

System Overview

The following hardware/software is used in this implementation:

Hardware and Software:

• Architecture: x86_64
• CPU: Intel Core i7
• Kernel: 6.14.9-300.fc42.x86_64
• Fedora Version: Fedora 42 (Adams)
• Desktop Environment: Cinnamon with LightDM

FIDO2 Key: Identiv uTrust FIDO2

• Vendor/Product:
  0x04e6:0x5a11
• Protocol: CTAP2 / FIDO_2_0
• PIN: Required
• User Presence: Touch required
• User Verification: PIN only (no biometrics)
• Device Path:
  /dev/hidraw0

Disk Setup

• Btrfs on LUKS2 FDE (
  /dev/sda3
  )
• LUKS UUID:
  8b2f0322-f508-4bed-8b1e-8f05cc784d60
  (this will differ on each machine)
• Keyslots:
• 0: Passphrase (argon2id)
• 1: FIDO2 credential (note: in testing, only one FIDO2 key could be used at a time)

Process Flow Overview

The following phases occur during implementation:

1. System preparation — Install Fedora 42 with LUKS2 full-disk encryption and update packages.
2. Package installation — Add the development, PAM, and FIDO2 tools required for integration.
3. FIDO2 key enrollment — Register the key with LUKS2 for disk unlock.
4. PAM configuration — Enable FIDO2 authentication for login and sudo.
5. Polkit configuration (optional) — Extend FIDO2 support to graphical privilege prompts.
6. Testing and verification — Confirm PIN + Touch authentication at boot, login, and sudo elevation.

Implementation Guide

Phase 1: System Preparation

1. Create a clean install of Fedora 42 with Cinnamon + LightDM
2. During installation/partitioning configure the following:
   • LUKS2 Full Disk Encryption (Btrfs or ext4)
   • No separate /home
   • No auto-login
   • Create an admin user
3. Update the system:
   sudo dnf upgrade --refresh -y

Phase 2: Required Package Installation

Install required development and security packages:

sudo dnf install -y
gcc make cmake git autoconf automake libtool
pam-devel systemd-devel glibc-devel openssl-devel
libfido2 libfido2-devel fido2-tools u2f-host pam-u2f
pcsc-lite pcsc-lite-ccid pcsc-tools ccid opensc
authselect cryptsetup pam_passwdqc fprintd-pam gnome-keyring-pam

Enable and start the PC/SC daemon for smartcard support:

sudo systemctl enable --now pcscd

Phase 3: FIDO2 Key Setup

1. Insert the FIDO2 key and verify it is detected:
   lsusb
   fido2-token -L
   fido2-token -I /dev/hidraw0
   Expected output is:
   Identiv uTrust FIDO2 (0x04e6:0x5a11) with options rk, clientPin.
   
2. Troubleshooting considerations if the key isn’t recognized:
   • Ensure /dev/hidraw0 exists
   • Run the following to load kernel modules:
     sudo modprobe hid
     sudo modprobe hid_generic
   • Replug the key
     
3. If FIDO_ERR_INTERNAL (-9) occurs:
   • Create the plugdev group:
     sudo groupadd plugdev
     sudo usermod -aG plugdev $USER
   • Apply a udev rule:
     echo 'KERNEL=="hidraw*", ATTRS{idVendor}=="04e6", ATTRS{idProduct}=="5a11", TAG+="uaccess", GROUP="plugdev"' | sudo tee /etc/udev/rules.d/70-u2f.rules sudo udevadm control --reload-rules && sudo udevadm trigger
   • Reboot:
     sudo reboot
     
4. Enroll the FIDO key for LUKS2:
   sudo systemd-cryptenroll --fido2-device=/dev/hidraw0 --fido2-with-client-pin=yes /dev/sda3
   
5. Validate enrollment:
   sudo cryptsetup luksDump /dev/sda3
   
6. Update /etc/crypttab:
   sudo nano /etc/crypttab
   Add or modify:
   luks-... UUID UUID=... none fido2-device=auto fido2-with-client-pin=yes discard

Phase 4: PAM Configuration

1. Fedora’s pam-u2f package lacks pamu2fcfg. Build pamu2fcfg from source:
   • git clone https://github.com/Yubico/pam-u2f
   • cd pam-u2f
   • mkdir build && cd build
   • cmake -DBUILD_MANPAGES=OFF ..
   • make
   • sudo cp ./pamu2fcfg/pamu2fcfg /usr/local/bin/
   • sudo chmod +x /usr/local/bin/pamu2fcfg
     
     
2. Generate U2F mapping:
   pamu2fcfg -n -u $(whoami) -o pam://fedora | sudo tee /etc/u2f_mappings
   Verify output includes +presence+pin (e.g., yourusername:3aaOH5…Base64…,M9hAf2…==,es256,+presence+pin)
   
3. Set permissions:
   sudo chmod 600 /etc/u2f_mappings
   sudo chown root:root /etc/u2f_mappings
   
4. Backup PAM files:
   mkdir -p ~/fido2-audit/pam
   sudo cp /etc/pam.d/{sudo,lightdm,cinnamon-screensaver,system-auth,password-auth,polkit-1} ~/fido2-audit/pam/
   
5. Update PAM files to include FIDO2 authentication. On this system, the working configuration is:
   • /etc/pam.d/sudo
     • auth sufficient pam_u2f.so authfile=/etc/u2f_mappings cue pinverification=always origin=pam://fedora appid=pam://fedora
     • auth required pam_unix.so
     • account include system-auth
     • password include system-auth
     • session optional pam_keyinit.so revoke
     • session required pam_limits.so
     • session include system-auth
   • /etc/pam.d/lightdm
     • auth sufficient pam_u2f.so authfile=/etc/u2f_mappings cue pinverification=always origin=pam://fedora appid=pam://fedora
     • auth [success=done ignore=ignore default=bad] pam_selinux_permit.so
     • auth required pam_env.so
     • auth substack system-auth
     • auth include postlogin
     • account required pam_nologin.so
     • account include system-auth
     • password include system-auth
     • session required pam_selinux.so close
     • session required pam_loginuid.so
     • session required pam_selinux.so open
     • session optional pam_keyinit.so force revoke
     • session required pam_namespace.so
     • session include system-auth
     • session optional pam_lastlog.so silent
     • session include postlogin
   • /etc/pam.d/cinnamon-screensaver
     • auth sufficient pam_u2f.so authfile=/etc/u2f_mappings cue pinverification=always origin=pam://fedora appid=pam://fedora
     • auth include system-auth
     • account include system-auth
     • password include system-auth
     • session include system-auth

Phase 5: Polkit Configuration (Optional)

Polkit GUI prompts were not enabled on my test system (no /etc/pam.d/polkit-1 and no running user agent). If you want FIDO2 for Polkit dialogs, ensure a compatible agent is running (for Cinnamon: polkit-gnome-authentication-agent-1). In testing, GUI prompts were not enabled by default and required additional configuration.”

Screensaver unlock: When the screen is locked, Fedora may default to the password prompt. Click the small two-person icon to switch to the FIDO2 method. Keep a fall-back password available. In various tests some desktop prompts did not always default to FIDO2.

Phase 6: Testing

Reboot the system

Confirm functionality

The following sequence of images shows the following:

• FDE (LUKS Unlock): PIN + Touch prompt appears at boot
• GUI Login (LightDM): PIN + Touch required
• Sudo: sudo echo test should prompt for PIN + Touch
• Cinnamon lock screen: PIN + Touch (switch input method)
• Polkit: GUI software install or pkexec prompts for PIN + Touch

Confirm the fallback password login remains functional

Recovery and Backup

Backup:

mkdir -p ~/fido2-audit/pam_restore
for file in sudo lightdm cinnamon-screensaver system-auth password-auth polkit-1; 
do
  sudo cp ~/fido2-audit/pam/$file ~/fido2-audit/pam_restore/$file
done

Restore if needed using TTY or Live USB.

Emergency Login:

• Use a high-entropy admin password
• Store the password securely off-line or in encrypted container

Troubleshooting

Multiple FIDO2 Keys:

lsusb
sudo usbreset /dev/bus/usb/001/003

Warnings

• Never test on production systems
• Back up /etc/crypttab and /etc/pam.d/*
• Avoid running dracut --force unless ready

Security Notes

Strengths:

• Hardware-backed auth
• PIN + Touch = Strong 2FA

Risks:

• Loss of key
• System updates may break compatibility

Recommendations:

• Always keep a fall-back passphrase
• Register a backup FIDO2 key
• Back up /etc/u2f_mappings and test after upgrades

Performance Considerations

Conclusion

This guide demonstrates the successful integration of a uTrust FIDO2 security key with Fedora 42 for secure authentication across LUKS2 full-disk encryption, LightDM login, and sudo elevation. The setup is stable, reproducible, and well-suited for labs or intermediate Fedora users.

Polkit integration is optional and may vary by desktop environment. In testing, GUI prompts were not enabled by default and required additional configuration.

complyctl is a powerful command-line utility implementing the principles of “ComplianceAsCode” (CaC) with high scalability and adaptability for security compliance.

In today’s rapidly evolving digital landscape, maintaining a robust security posture isn’t just a best practice – it is a necessity. For Fedora users, system administrators, and developers, ensuring that your systems meet various security and regulatory requirements can often feel like a daunting, manual task. But what if you could standardize and automate much of this process, making compliance checks faster, easier to audit, and seamlessly integrated into your workflows?

This is now a reality enabled with multiple ComplyTime projects. These focus on specific tasks designed to be easily integrated. They allow a robust, flexible, and scalable combination of microservices communicating with standardized formats that ultimately allow a powerful capability to much more easily adapt to the compliance demands. This also allow faster adoption of new technologies. There are multiple exciting projects actively and quickly evolving under the umbrella of ComplyTime organization. In this article I would like to highlight complyctl, the ComplyTime CLI for Fedora, and its main features that make it an excellent option to easily maintain a robust security posture in your Fedora systems.

complyctl is a powerful command-line utility available since Fedora 42. It’s design uses the principles of “ComplianceAsCode” (CaC) with high scalability and adaptability. It contains a technology agnostic core and is easily extended with plugins. This allows users to use the best of every available underlying technology with a simple and standardized user interface.

The Power of ComplianceAsCode with complyctl

At its heart, complyctl is a tool for performing compliance assessment activities, scaled by a flexible plugin system that allows users to perform compliance check activities with a flexible combination of the best available assessment technologies.

The complyclt plugin architecture allows quick adoption and combination of different scanner technologies. The core design is technology agnostic with standardizing inputs and outputs using machine readable formats that allow high reusability and shareability of compliance artifacts. Currently it leverages the Open Security Controls Assessment Language (OSCAL) and its anti-fragile architecture also allows a smooth adoption of future standards, making it a reliable and continuous modern solution for the long-term.

 This might sound technical, but the benefits are simple:

1. Automation and Speed: Traditional compliance audits can be slow, manual, complex and prone to human error. complyctl relies on standardized machine readable formats, allowing automation without technology or vendor lock-in.
2. Accuracy and Consistency: Machines are inherently more consistent than human reviewers. complyctl’s reliance on OSCAL provides a standardized format for expressing security controls, assessment plans, and results. This standardization is crucial for interoperability. It allows consistent processing and understanding of compliance data across different tools and systems.
3. Scalability and Integration: complyctl simplifies compliance checks integration in your development and deployment pipelines. An OSCAL Assessment Plan can be created and customized once and reused across multiple systems. Ultimately compliance checks can be implemented faster and compliance gaps are caught earlier. This prevents non-compliant configurations from reaching production environments.
4. Extensibility with Plugins (including OpenSCAP): The plugin-based architecture of complyctl makes it incredibly versatile. An example is the complyctl-openscap-plugin, which extends complyctl’s capabilities to use OpenSCAP Scanner and the rich content provided by scap-security-guide package. This allows an immediate and smooth adoption of complyctl using a well-established assessment engine while providing a modern, OSCAL-driven workflow for managing and executing security compliance checks. It also allows a smooth and gradual transition to other scanner technologies.

By embracing complyctl, Fedora users can more easily maintain a strong security posture.

Getting Started with complyctl: A Practical Tutorial

Ready to put complyctl to work? It is likely simpler than you expect. The following is a step-by-step guide to start using complyctl on your Fedora system.

1. Installation

First, install complyctl, if necessary. It is available as an RPM package in official repositories:

sudo dnf install complyctl

2. Understanding the Workflow

complyctl follows a logical, sequential workflow:

• list: Discover available compliance frameworks.
• plan: Create an OSCAL Assessment Plan based on a chosen framework. This plan acts as your assessment configuration.
• generate: Generate executable policy artifacts for each installed plugin based on the OSCAL Assessment Plan.
• scan: Call the installed plugins to scan the system using their respective policies and finally aggregate the results in a single OSCAL Assessment Results file.

Let’s walk through these commands.

3. Step-by-Step Tutorial

Step 1: List Available Frameworks

To begin, you need to know which compliance frameworks complyctl can assess your system against. Currently the complyctl package includes the CUSP Profile out-of-the-box.

Use the list command to show the available frameworks:

complyctl list

This command will output a table, showing the available frameworks. Look for the Framework ID column, as you’ll need this for the next step.

Example:

Optionally, you can also include the --plain option for simplified output.

Step 2: Create an Assessment Plan

Once you’ve identified a Framework ID, you can create an OSCAL Assessment Plan. This plan defines what will be assessed. The plan command will generate an assessment-plan.json file in the complytime directory.

complyctl plan cusp_fedora

This command creates the user workspace in the “complytime” directory:

tree complytime
complytime/
└── assessment-plan.json

The JSON file is a machine-readable representation of your chosen compliance policy.

Step 3: Install a plugin

In this tutorial we will use OpenSCAP Scanner as the underlying technology for compliance checks. So, we also want to install the OpenSCAP plugin for complyctl as well the OpenSCAP content delivered by scap-security-guide package:

sudo dnf install complyctl-openscap-plugin scap-security-guide

Step 4: Generate Policy Artifacts

With your assessment-plan.json in place, and the desired plugins installed, the generate command translates this declarative plan into policy artifacts for the installed plugins. These are the actual plugin specific instructions complyctl plugins will use to perform the checks.

complyctl generate

This command prepares the assessment for execution.

tree complytime/

complytime/
├── assessment-plan.json
└── openscap
    ├── policy
    │   └── tailoring_policy.xml
    ├── remediations
    │   ├── remediation-blueprint.toml
    │   ├── remediation-playbook.yml
    │   └── remediation-script.sh
    └── results

Step 5: Execute the Compliance Scan

Finally, the scan command runs the assessment using the installed plugins. The results will appear in the assessment-results.json, file by default.

complyctl scan

For human-readable output, which is useful for review and reporting, you can add the --with-md option. This will generate both assessment-results.json and assessment-results.md files.

complyctl scan --with-md

This Markdown file provides a clear, digestible summary of your system’s compliance status, making it easy to share with auditors or other stakeholders.

tree complytime/
complytime/
├── assessment-plan.json
├── assessment-results.json
├── assessment-results.md
└── openscap
    ├── policy
    │   └── tailoring_policy.xml
    ├── remediations
    │   ├── remediation-blueprint.toml
    │   ├── remediation-playbook.yml
    │   └── remediation-script.sh
    └── results
        ├── arf.xml
        └── results.xml

Final thoughts

complyctl is an open-source tool built for and by the community. We encourage you to give it a try.

• Find us on GitHub at complyctl repository.
• If you find an issue or have a feature request, please open an issue, propose a PR, or contact the maintainers. Your feedback will help shape the future of this tool.
• Collaboration on ComplianceAsCode/content community is also welcome to help us shaping Compliance profiles for Fedora.

On Tuesday, 16 September 2025, it is our pleasure to announce the availability of Fedora Linux 43 Beta! This release comes packed with the latest version upgrades of existing features, plus a few new ones too. As with every beta release, this is your opportunity to test out the upcoming Fedora Linux release and give some feedback to help us fine tune F43 final. We hope you enjoy this latest version of Fedora!

How to get the beta release

You can download F43 Beta, or our pre-release edition versions, from any of the following places:

• Fedora Workstation 43 Beta
• Fedora KDE Plasma Desktop 43 Beta
• Fedora Server 43 Beta
• Fedora IoT 43 Beta
• Fedora Cloud 43 Beta

The Fedora CoreOS “next” stream moves to the beta release one week later, but content for F43 is still available from their current branched stream to enjoy now.

You can also update an existing system to the beta using DNF system-upgrade.

The F43 Beta release content is also available for Fedora Spins and Labs, with the exception of the following:

• Mate – not currently available on any architectures with F43 content
• i3 – not currently available on aarch64 only with F43 content

F43 Beta highlights

Installer and desktop Improvements

Anaconda WebUI for Fedora Spins by default: This creates a consistent and modern installation experience across all Fedora desktop variants. It brings us closer to eventually replacing the older GTK installer. This ensures all Fedora users can benefit from the same polished and user-friendly interface.

Switch Anaconda installer to DNF5: This change provides better support and debugging for package-based applications within Anaconda. It is a bigger step towards the eventual deprecation or removal of DNF4, which is now in maintenance mode.

Enable auto-updates by default in Fedora Kinoite: This change ensures that users are consistently running a system with the latest bug fixes and features after a simple reboot. Updates are applied automatically in the background.

Set Default Monospace Fallback Font: This change ensures that when a specified monospace font is missing, a consistent fallback font is used. Font selection also remains stable and predictable, even when the user installs new font packages. No jarring font changes should occur as appeared in previous versions.

System enhancements

GNU Toolchain Update: The updates to the GNU Toolchain ensures Fedora stays current with the latest features, improvements, and bug and security fixes from the upstream gcc, glibc, binutils, and gdb projects. They guarantees a working system compiler, assembler, static and dynamic linker, core language runtimes, and debugger.

Package-specific RPM Macros For Build Flags: This change provides a consistent and standard way for packages to add to the default list of compiler flags. It also offers a cleaner and simpler method for package maintainers to make per-package adjustments to build flags. This avoids the need to manually edit and re-export environmental variables, and prevents potential issues that could arise from the old manual method. It ensures the consistent applications of flag adjustments.

Build Fedora CoreOS using Containerfile: This change brings the FCOS build process under a standard container image build, moving away from the custom tool, CoreOS Assembler. It also means that anyone with Podman installed can build FCOS. This simplifies the process for both individual users and automated pipelines.

Upgrades and removals

Deprecate The Gold Linker: Deprecate the binutils-gold subpackage. This change simplifies the developer experience by reducing the number of available linkers from four to three. It streamlines choices for projects, and moves towards safeguarding the project against potential issues from “bitrot” where a package’s quality can decline and become unbuildable or insecure over time.

Retire python-nose: The python-nose package will be removed in F43. This prevents the creation of new packages with a dependency on an unmaintained test runner. Developers are encouraged to migrate to actively maintained testing frameworks such as python3-pytest or python3-nose2.

Retire gtk3-rs, gtk-rs-core v0.18, and gtk4-rs v0.7:  This change prevents Fedora from continuing to depend on old, unmaintained versions of these bindings. It also prevents shipping obsolete software and fewer unmaintained versions of packages.

Python 3.14: Updating the Python stack in F43. This means that by building Fedora packages against an in-development version, critical bugs can be identified and reported before the final 3.14.0 release. This helps the entire Python ecosystem. Developers also gain access to the latest features in this release. More information is available at https://docs.python.org/3.14/whatsnew/3.14.html.

Golang 1.25: This change provides Fedora Linux 43 Beta with the latest new features in Go. These include that go build -asan now defaults to leak detection at program exit, the go doc -http option starts a documentation server, and subdirectories of a repository can now be used as a module root. Since Fedora will keep as close to upstream as possible, this means we will continue to provide a reliable development platform for the Go language and projects written in it. 

Idris 2: Users gain access to new features in Idris 2. These include Quantitative Type Theory (QTT), which enables type-safe concurrent programming and fine-grained control over resource usage. It also has a new core language, a more minimal prelude library, and a new target to compile to, Chez Scheme.

More information

Details and more information on the many great changes landing in Fedora Linux 43 are available on the Change Set page.