KDE Linux, the in-progress operating system from the KDE community, removed several kernel modules and software packages after a security audit of the components shipped with the system. The work followed the discovery of multiple security issues in the upstream Linux kernel during the prior month.
Kernel and module changes
Three contributors examined insecure and unused software included in KDE Linux. The audit led to a return to the vanilla Linux kernel. The Zen kernel that had been in use offered little beyond configuration adjustments the team had already applied to its own build.
The contributors deleted the alf_alg kernel modules, which they described as insecure and unused. The contributors deleted the alf_alg kernel modules, which they described as insecure and unused.
The out-of-tree OpenRazer and APFS kernel modules were also removed. These modules would eventually have caused KDE Linux to fail secure boot review, so the project is working toward upstream solutions for the affected functionality. APFS support can run in userspace through a FUSE driver, which the developers say may be abandoned.
Package removals
The audit removed a group of packages the team identified as unused, including acpi_call, busybox, cryfs, encfs, hplip, v4l2loopback-utils, and vpl-gpu-rt.
KDE Linux also dropped fuse2, which is unmaintained and known to be insecure. The change will break some older AppImage applications. Users who encounter a broken app should report it to the application’s authors or packagers. Several other operating systems have already dropped fuse2, and affected applications need to move to fuse3.
The contributors removed fenrir after finding it was unused. This allowed KDE Linux to end its reliance on the Arch User Repository (AUR), a source of infrastructure instability in the past.
Credential storage and build checks
KDE Linux replaced KWalletManager and its System Settings configuration page with KeepSecret, a credential management application packaged with Flatpak. The project also added a service that installs new pre-installed Flatpak apps on existing systems and skips any apps a user already removed.
Build testing improved during the same period. Harald Sitter added a test that confirms a build does not ship with broken file capabilities. KDE Linux had shipped one earlier build that included a regression of this kind, and the new test guards against a repeat. Bhushan Shah and Thomas Duckworth worked on an OpenQA-based testing system, building on a prototype from Kangwei Zhu, that aims to catch faulty builds before release.
The module work supports a larger objective for the project. Passing secure boot review depends on dropping out-of-tree kernel code, and the May changes move KDE Linux toward that result.
