It's FOSS

LVFS Has Turned Up the Heat on Vendors Who Won't Contribute

Sourav Rudra — Tue, 28 Apr 2026 23:13:08 +0530

The Linux Vendor Firmware Service, or LVFS, is what makes firmware updates on Linux not a nightmare. Hardware vendors upload their firmware directly to it, and users get those updates delivered through fwupd and tools like GNOME Software.

According to official estimates, the project has shipped over 140 million updates from 150 vendors and is a requirement for most consumer-facing Original Equipment Manufacturers (OEMs), Original Design Manufacturers (ODMs), and Independent BIOS Vendors (IBVs).

But the project is moving towards a dilemma that most open source projects of its scale eventually face. To be a sustainable undertaking in the long term. 🗓📈

They need support

Just a placeholder image of the LVFS dashboard.

Right now, the Linux Foundation covers all of LVFS' hosting costs, and Red Hat funds Richard Hughes, the project's only full-time developer. Richard, along with a bunch of part-time contributors, keep over 20,000 firmware files in circulation.

Their sustainability plan flags some key issues that come with being this understaffed.

The project has no dedicated security response team, its sole maintainer has no backup, and the volume of critical work keeps growing with no one new stepping in to help.

Security vulnerabilities get handled on a best-effort basis (yikes ☠️), and very few companies are supporting fwupd core or the LVFS web service. You could call it a tragedy of the commons where everyone depends on it, but almost no one is paying for it.

The plan was published in August 2025, and LVFS has been rolling out restrictions in phases since then. April 2025 already brought in fair-use download utilization graphs to vendor pages. Fair use upload tracking came in July, and sponsorship tiers opened up in August 2025.

The April 2026 phase kicked in at the start of this month and has been live for nearly four weeks now. Any firmware page where a vendor is crossing 50,000 monthly downloads now shows an overquota warning.

Courtesy of Richard Hughes.

Vendors below the "Startup" sponsorship level have also lost access to detailed per-firmware analytics. In August, custom LVFS API access will be cut for non-Startup vendors, with automated upload limits following in December.

How can you help?

LVFS is looking for vendors who use its infrastructure to pitch in. Presently, only two hold Startup sponsor status: Framework Computer and the Open Source Firmware Foundation.

What they actually need is either two full-time software engineers or $400,000 to fund the hires through the Linux Foundation, plus a separate $30,000 for hosting. The sponsorship tiers are as follows:

Premier: $100,000 per year
Startup: $10,000 per year (under 99 employees)
Associate: Free, but only available to registered non-profits, academic institutions, and government entities.

Both Premier and Startup tiers require an LF Silver Membership (page 28) on top of the listed fees. There is no free option for commercial hardware vendors. Alternatively, vendors can contribute a full-time engineer to work on LVFS or fwupd directly.

Suggested Read 📖: Will You Pay $119 For An Open Source KVM?

Hackers Hijacked a GitHub Actions Workflow to Push Malicious Code to PyPI

Sourav Rudra — Tue, 28 Apr 2026 22:12:38 +0530

We have been routinely seeing open source projects getting hit by malicious actors with varying degrees of sophistication. Developers are often left scrambling to push out fixes in such situations.

As to why they get targeted, their attack surface is wide, maintainer bandwidth is limited, and one bad package can quietly reach thousands of users before anyone even notices.

When something slips through, developers have to yank releases, rotate credentials, and piece together what got out.

We now have a similar situation where Elementary Data's OSS Python CLI was compromised. And if you had the affected version installed, then you have some cleanup to do.

How it happened

The attack came down to a flaw in one of Elementary's GitHub Actions workflows. It was set up in a way where text from a PR comment could be passed directly into a shell command, so whatever the comment said, the runner would execute it.

At 22:10 UTC on April 24, the attacker posted a malicious comment on a pull request. The workflow ran it as code, handing over access to the runner's secrets, including the PyPI publish token and the GITHUB_TOKEN.

With those in hand, they created the branches and pull requests needed to stage a release, then kicked off Elementary's release workflow. By 22:20 UTC, elementary-data 0.23.3 was live on PyPI. A malicious Docker image was pushed four minutes later.

Who got hit

Only users who installed elementary-data 0.23.3 (now removed) from PyPI are affected, as well as anyone who pulled the compromised Docker image during the attack window.

However, Elementary Cloud is unaffected, the Elementary dbt package is unaffected, and every other version of the CLI is unaffected. That said, if you were running 0.23.3, the exposure is serious. The malware had access to anything the environment could reach.

The remedy

First check your installed version first:

pip show elementary-data | grep Version

If it shows 0.23.3, get rid of it and install the clean version:

pip uninstall elementary-data

pip install elementary-data==0.23.4

Update your requirements files and lockfiles to reflect that too.

You should also check for a marker file the malware leaves behind. If it's there, the payload ran on that machine:

Linux/macOS: /tmp/.trinny-security-update
Windows: %TEMP%\.trinny-security-update

If you find it, rotate every credential that environment had access to, and get your security team looking for any suspicious activity on those credentials.

On their end, Elementary has already pulled 0.23.3 from PyPI, GitHub, and the Docker registry on April 25.

They also decommissioned the compromised workflow, audited the rest of their GitHub Actions for the same type of vulnerability, regenerated all affected secrets, and moved to OIDC authentication.

They are currently working with an Israeli cybersecurity firm to conduct an investigation and step up their protection against such attacks going forward.

After 2 Weeks of Delay, Fedora 44 is Finally Here!

Sourav Rudra — Tue, 28 Apr 2026 20:51:57 +0530

The Fedora Project has had an interesting journey since its inception in November 2003. It started as a community-backed effort spun off from Red Hat Linux, which Red Hat had decided to retire in favor of its commercial Enterprise Linux product.

Rather than leave the community without a home, Red Hat partnered with contributors to launch Fedora as an open, community-driven distribution that would push new technologies forward.

That upstream-first philosophy has held ever since. Fedora consistently ships things before most other distributions dare to, from Wayland adoption to newer compiler toolchains, often serving as the real-world test bed for what eventually becomes Red Hat Enterprise Linux.

Of course it is not limited to that; its various flavors serve all kinds of users, starting from desktop users to server administrators, hobbyist tinkerers, and anyone running containerized workloads at scale.

Now, to the topic at hand, a new Fedora release has landed, and as always, we must check out what it offers.

Subscribe to It's FOSS YouTube Channel

⭐ Fedora 44: What's New?

The release ships with Linux kernel 6.19, which introduces expanded hardware support, and some noteworthy improvements for gaming that we will talk about later. Both desktop variants, Workstation and KDE Plasma Desktop, arrive with fresh wallpapers, as is tradition with every Fedora release.

Workstation gets GNOME 50, which finalizes the removal of X11 from GDM and promotes variable refresh rate and fractional scaling to stable status. KDE Plasma Desktop bumps up to Plasma 6.6, which introduces a post-install setup wizard and swaps out SDDM for the new Plasma Login Manager as the default across all KDE variants.

Beyond the desktops, this release brings meaningful improvements to gaming through the NTSYNC kernel module, a reworked Games Lab spin, a freshly updated GNU toolchain, and a range of language runtime upgrades.

There's quite a bit packed in here! 😃

GNOME 50

GNOME 50 is the flagship desktop for Fedora Workstation 44, and it comes with a major change that has been a long time coming. X11 has been fully removed from GDM. The plan was originally to do this in GNOME 49, but a last-minute bug had caused it to be pulled back.

Then there are the two features, variable refresh rate and fractional scaling, that have been sitting behind experimental flags for an awkwardly long time are now stable. If you have a high refresh rate display and have been holding off, then this Fedora release is the right time to try them out.

Additionally, the Files app (Nautilus) picks up case-insensitive path completion in the location bar and switches to GNOME's sandboxed Glycin library for more efficient loading of image thumbnails.

KDE Plasma 6.6

KDE Plasma 6.6 powers Fedora KDE Plasma Desktop 44 in this release, with improvements like OCR support in Spectacle, the screenshot tool. You can now pull text directly out of a screenshot, which can be a genuinely useful thing to have when you are copying error messages or text from images.

Accessibility sees a solid round of additions too. There is a new on-screen keyboard called Plasma Keyboard, a grayscale filter in the Color Blindness Correction settings, and the Zoom and Magnifier tool gains a new tracking mode that keeps the pointer centered.

The release also adds the ability to save your current desktop layout as a custom global theme, ambient light sensor support for automatic brightness adjustment, and Wi-Fi QR code scanning from the system tray's Networks widget.

But wait, there are more KDE-related changes!

From left to right, we have the login screen and Plasma Setup on Fedora KDE Plasma Desktop 44.

All Fedora KDE variants now include Plasma Setup, a post-install wizard that handles account creation and initial configuration separately from the OS installer, and Anaconda (the installer) has been updated to skip the setup stages that would otherwise overlap with it.

The other notable change for KDE users is the switch from SDDM to Plasma Login Manager (PLM) as the login manager, making Fedora 44 the first distribution to ship it by default.

Gaming is Better Now

Installing Wine, Steam, or open source game launchers (e.g., Lutris and Heroic Games Launcher) on Fedora 44 now quietly pulls in the NTSYNC kernel module as a recommended dependency. NTSYNC handles thread synchronization at the kernel level, which takes a chunk of work off Wine and Proton's plate.

The result is better Windows game (and software) compatibility and a performance bump in many titles, with no configuration work required from your side.

The Games Lab spin also gets a proper refresh. Xfce is out, KDE Plasma is in, specifically for the better Wayland support it brings to gaming workloads.

If you didn't know, this is one of Fedora's curated offerings that brings together a decent spread of open source games across genres like turn-based strategy, puzzles, and first-person shooters.

Toolchain Upgrades

Fedora 44 also brings a pack of toolchain and language runtime updates, keeping it well-positioned as a development platform:

PHP 8.5
LLVM 22
CMake 4.0
Golang 1.26
Ansible 13 (Core 2.20)
Ruby 4.0 (up from Ruby 3.4 in Fedora 43).
MariaDB 11.8 as the new distribution default (up from 10.11).
GNU Toolchain: GCC 16.1, glibc 2.43, binutils 2.46, gdb 16.3.

📥 Download or upgrade to Fedora 44

This release of Fedora is offered for Workstation, KDE Plasma Desktop, Server, IoT, and the various spins. You can either pick a relevant ISO from one of those or visit the official website for an overview of this release.

Fedora 44

Existing Fedora users can upgrade through their software center. Open Software (Workstation) or Discover (KDE Plasma) and look for the upgrade notification banner to begin the process.

Users of other Fedora spins need to upgrade using DNF. We have a dedicated Fedora upgrade guide to help you.