Week 20, 2026

EbonJaeger

Heya folks! It's sync day, and that means it's time for the weekly Solus roundup!

Our kernel packages have been updated this week. The mainline package is now at version 7.0.7, and the LTS package is at 6.18.30. These versions contain patches for the recent ssh-keysign-pwn vulnerability, and improved patches for DirtyFrag. These patches should make the new kernel packages equivalent to he most recent point-releases: 7.0.7 patched to match 7.0.8, and 6.18.30 patched to match 6.18.31. The latest point releases were tagged too close to sync time to warrant a full rebuild.

eopkg has been updated to version 4.5.0. @joebonrichie has spent a lot of time recently on making eopkg faster. Here are the highlights:

eopkg now uses lzma_mt instead of the lzma module found in the standard library.

This can provide a significant speedup for packagers during the compression of packages, especially at higher compression levels. It allows packages to be compressed with multiple xz blocks, allowing for parallelized decompression.

Note: We'll be rebuilding our larger packages with the new eopkg, which will allow for faster decompression; however, do note the majority of the packages in the repository are too small to be compressed with multiple blocks, so they will not necessarily benefit.
eopkg now shows live extraction progress of package installation.
A smattering of optimizations have been applied after collecting and observing profiles of common eopkg operations.
1. Repository information is now cached in-memory after it is read once, instead of continually re-reading from the xml file.
2. A nasty Python 2 workaround has has been removed, as it is no longer necessary in Python 3.7 onward, providing a general speedup for many common operations.
3. The pickle format used in our "LazyDB" cache files is now using the default Python pickle protocol (currently version 4), instead of version 2. Previously, we were explicitly using version 2 for compatibility with the Python 2 build of eopkg to avoid continually rebuilding the pickle caches. Version 4 of the pickle cache format has a number of performance improvements which generally speed up eopkg.
4. A number of smaller optimizations that generally speed up dependency resolution time.

Check out the full release notes here.

Our PackageKit backend has been updated alongside eopkg, providing support for showing the live extraction progress of packages. Additionally, it contains a number of edge case fixes for package filtering and resolution issues, resolving an issue where Plasma Discover would display package sizes as "Unknown" in the updates view.

Security updates

As usual, there are a bunch of security updates. Make sure to install updates to get the latest vulnerability fixes!

glances was updated to 4.5.4-61 (@clintre). Includes security fixes for CVE-2026-34839, CVE-2026-35587, CVE-2026-35588.
nginx was updated to 1.30.1-55 (@Jaredy899). Includes security fixes for CVE-2026-42946, CVE-2026-42934, CVE-2026-28755, CVE-2026-27654, CVE-2026-27651, CVE-2026-42945, CVE-2026-40460, CVE-2026-28753, CVE-2026-27784, CVE-2026-32647, CVE-2026-42926, CVE-2026-40701.
php was updated to 8.5.6-114 (@Jaredy899). Includes security fixes for CVE-2026-7263, CVE-2025-14179, CVE-2026-6104, CVE-2026-7261, CVE-2026-6722, CVE-2026-6735, CVE-2026-7568, CVE-2026-7259, CVE-2026-7262, CVE-2026-7258.
python-jupyter-server was updated to 2.18.2-8 (@Jaredy899). Includes security fixes for CVE-2026-35397, CVE-2026-40110, CVE-2025-61669, CVE-2026-40934.
python-urllib3 was updated to 2.7.0-23 (@Jaredy899). Includes security fixes for CVE-2026-44432, CVE-2026-44431.
uv was updated to 0.11.14-14 (@palto42). Includes security fixes for GHSA-pjjw-68hj-v9mw.
vim was updated to 9.2.0481-164 (@Jaredy899). Includes security fixes for CVE-2026-44656, CVE-2026-45130.

General updates

The full list of updated packages can be found here.

For the list of currently known issues, see the dedicated thread for it. If you begin experiencing a bug, please look for an issue on our issue tracker, and open a new one if one does not exist.

That’s all for this week, folks! We'll be here same time, same place next week for another roundup of the news!

Harvey

For the record you won't notice the benefits of lzma_mt for the sync transaction. Because you would be using the old eopkg for that update and as stated packages need to be re-built to take advantage of it so not everything will see a noticeable benefit.

Xoph

All good on my systems. Thanks for the explanation on the kernel patch. I just got done patching some servers to 7.0.8 so would have been curious. That makes complete sense.

JayC

LOL figures I ask in the old update thread and then it gets updated and I look like a whiner 🤣

All good on my systems. Also just installed it on my brother's laptop last week. He not exactly computer literate as he struggles using his AppleTV. His laptop was not suitable for Windows 11 according to Microsoft. Installed it with KDE and set it up similar to how he had it and he is happy and using it just fine. So spreading the wonders of Linux and Solus, one Windows convert at a time.

evolve-8

All good on my pc with plasma. The fwupd 2.1.3 release fixed my issue.