We’re back with another episode of SCS On The Road! This time, our journey took us across the Atlantic to Dublin, Virginia, where members of our team visited the Volvo Trucks Customer Center to get up close and personal with the all-new Volvo VNL. During our visit, we had the opportunity to gather valuable reference materials, learn more about the truck directly from the experts, and even take it for a test drive!

Join Nemiro, Oscar, Ondřej, and Matěj from the SCS Software team as they explore one of Volvo Trucks North America’s newest and most advanced trucks yet. From detailed photography and video references to capturing authentic sounds and interior details, our team worked hard to ensure that every aspect of the all-new Volvo VNL could be recreated as accurately as possible for our players. We’re also excited that players can already experience this truck for themselves, as the all-new Volvo VNL has officially been released for American Truck Simulator. Find out more in our dedicated blog here.

A major part of the trip was also learning more about the design philosophy, technology, and innovations behind the truck itself. We’d like to give a special thank you to Brian Balicki, Head of Design at Volvo Trucks North America, who took the time to share more details about the all-new Volvo VNL and provided fascinating insights into its development and features.

Of course, no SCS On The Road visit would be complete without getting behind the wheel! Our team had the chance to experience the all-new Volvo VNL firsthand during a test drive around the area surrounding the Volvo Trucks Customer Center. Experiencing the truck on the road gave us valuable insight into its handling, driver comfort, visibility, and overall driving feel, all of which helped us better understand how to bring these experiences into our game.

We’d like to extend a huge thank you to everyone at Volvo Trucks North America and the Volvo Trucks Customer Center for welcoming us and making this visit possible. Opportunities like these are invaluable for helping us deliver authentic and immersive trucking experiences to our community.

Make sure to stay connected with all the latest news and upcoming episodes by following us on X, Facebook, Instagram, Bluesky, TikTok, and YouTube, or by subscribing to our newsletter. We look forward to bringing you more SCS On The Road episodes in the future, and until next time, keep on truckin'!

nginx-1.30.2 stable and nginx-1.31.1 mainline versions have been released, with a fix for buffer overflow vulnerability in the ngx_http_rewrite_module (CVE-2026-9256).

1.7.1 (2026-05-22)

Features

• Admin: Expose PWA branding fields in the admin Branding tab
• Pro: Hide empty-state placeholder and collapse the viewer pane in Pro mode so the mail list fills the space

Fixes

• Mail: Preserve inline images when replying (#163)
• Filters: Use the canonical INBOX mailbox in Sieve filter paths (#313)
• Mail: Resolve destination account id to the local namespace on cross-account mailbox drop

• [p]The IEM Cologne 2026 Major Hub is now available. Visit the hub to purchase tournament items, play the Pick'Em Challenge and more.[/p][/*]
• [p]Purchase a Cologne 2026 Viewer Pass to receive an upgradable Cologne 2026 Coin. With an active pass, you can upgrade your coin and earn rewards by playing the Pick'Em Challenge. Additionally, you will show up on the Active Pass Leaderboard where you can compare your Pick'Em Challenge performance to your friends.[/p][/*]

• [p]Fixed a case of incorrect scoreboard timeline presentation in overtime.[/p][/*]
• [p]Fixed weapon entities disallowing pickup from showing pick up weapon hint text.[/p][/*]
• [p]Increased spectator in-eye flash amount.[/p][/*]

• [p]Souvenir quality items can now be selected in Trade Up Contract alongside normal quality items. All Souvenir attributes will be removed from any souvenir items selected, and the result of a Trade Up Contract will be a single normal item of a quality one higher, from a collection of all of the items selected for exchange.[/p][/*]
• [p]Fixed a case where tire fire particles were flickering in the advanced video preview.[/p][/*]
• [p]Adjusted finger animation on Bayonet model.[/p][/*]

Background

I'm a member of the EFI team in Debian, and I've done much of the work for Debian to support UEFI Secure Boot (SB) in recent years. We have included that support for a number of releases now, starting back with Debian 10 (aka Buster).

I'm also a long-time accredited member of the shim-review team, the group that checks and approves shim binaries before Microsoft will sign them.

See the Debian wiki for lots of background details about Secure Boot and how we do things in Debian.

Secure Boot depends on signatures, which are verified during boot using a chain of X.509 certificates. The root certificate(s) in the chain are embedded in computer firmware, then later software such as shim can add more certificates to extend the trust. Easy, right?

The problem - certificates expire...

Microsoft administer the most widespread Secure Boot root certificates, and have been doing so since the very beginning of UEFI Secure Boot as a concept. The Microsoft UEFI CA certificates are included in just about every x86 and x86-64 computer shipped, and also in quite a lot of arm64 machines too.

(The fact that Microsoft is therefore a gatekeeper for Linux running under Secure Boot on most machines is very unpopular in some quarters, but this is just a fact of life in the world we live in. None of the following will affect you if you're using Secure Boot with your own keys only.)

The current certificates have been around since 2011:

1. Windows Production PCA 2011 (used for signing Windows components)

  Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Production PCA 2011
  Validity
    Not Before: Oct 19 18:41:42 2011 GMT
    Not After : Oct 19 18:51:42 2026 GMT

This expires in October this year, ~5 months from now.

2. Third Party Marketplace Root (used for signing option ROMs and other software)

  Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation UEFI CA 2011
  Validity
    Not Before: Jun 27 21:22:45 2011 GMT
    Not After : Jun 27 21:32:45 2026 GMT

For Linux folks, this second certificate is more interesting - it is the root of the certificate chain that Microsoft use when signing shim for Linux distributions

This CA expires 5 weeks from today.

OMG!!! Will all my existing Secure Boot machines stop booting?

Almost definitely not, no.

The specification for UEFI Secure Boot expects that valid dates on certificates should not be enforced for signatures here. All that matters here is the signatures themselves. Modulo buggy firmware, existing signed binaries should continue just fine.

New CAs to be aware of

Microsoft have published three new CAs:

1. A new CA used for signing device option ROMs

  Subject: C=US, O=Microsoft Corporation, CN=Microsoft Option ROM UEFI CA 2023
  Validity
    Not Before: Oct 26 19:02:20 2023 GMT
    Not After : Oct 26 19:12:20 2038 GMT

2. A new CA used for signing Windows components

  Subject: C=US, O=Microsoft Corporation, CN=Windows UEFI CA 2023
  Validity
    Not Before: Jun 13 18:58:29 2023 GMT
    Not After : Jun 13 19:08:29 2035 GMT

3. A new CA used for signing other software (e.g. shim)

  Subject: C=US, O=Microsoft Corporation, CN=Microsoft UEFI CA 2023
  Validity
    Not Before: Jun 13 19:21:47 2023 GMT
    Not After : Jun 13 19:31:47 2038 GMT

New machines and updated older machines will most likely have all of these new CAs installed. New machines are already shipping that only include the new CAs; they will not trust older software and this has already started causing problems for some users.

Isn't this is all a bit short notice?

Yes it is. :-(

A common rule of thumb when deploying CA certificates is to start the process of replacement ("rollover") when a certificate reaches half of its lifetime. Unfortunately, Microsoft have done this very late. They generated new keys in 2023, but didn't start signing shim and other third-party software with the UEFI CA until October 2025.

If I'm a distro developer, what should I do?

If you already have an old shim signed by Microsoft for your distribution from before October 2025, then it will only be signed using the older CA that expires soon. On newer machines, your users will already not be able to boot your distro with Secure Boot enabled.

If you want your users to be able to use Secure Boot in future, you will need to get a new shim build submitted, reviewed and signed using the new CA. However, that signed build will not work on older machines unless they have had the new CAs installed. This is also likely to cause problems for some users. You should encourage your users to update their systems NOW before things break for them.

There is an interim solution which will work, but only if you're quick! Microsoft are currently returning shim binaries signed using both the old CA and the new CA. More specifically, for every binary that is submitted they will return two: one signed with each CA. If you use these directly, you'll need to plan to publish:

• 2 signed shim binaries
• 2 installers
• 2 sets of live/installer images
• etc.

and explain to your users how they'll need to pick one. Good luck with that!

However, it is possible to extract signatures from those signed shim binaries and attach them all onto one shim, giving you the Holy Grail here - a single shim that will boot on the vast majority of machines. Indeed, this is what I'm planning on doing in Debian. So-called "dual-signed" shims may provoke issues with buggy firmware, so be aware that you may have to deal with this too. But take heart: early testing by various distro folks with a dual-signed Fedora shim did not show any problems.

You have 5 weeks and counting...

Microsoft have promised to continue signing with the old CA as long as possible, right up to the last day. They understand how awkward things are going to be otherwise, and are trying to help here as much as possible.

In the shim-review team, we have been expecting to see a surge of shim submissions before the old CA expires, to make the most of the "Holy Grail" dual-signed shims described above. But we've been really surprised that this has not been happening.

So, this blog is a wake-up call for people doing Secure Boot with shim. Even if you're not going to be ready to ship a new shim binary to your users, you should really try to get a new build prepared and signed NOW so that you have it available to tide you over through the coming CA transition. Don't leave it too late.

If you're not sure what to do, ask me and the other shim-review folks. We're happy to give advice. But don't delay.

You have 5 weeks and counting.

How to make a dual-signed shim binary

Microsoft only ship binaries with a single signature included. To make things work, extract those signatures using sbattach --detach (from the sbsigntools source package, available in most distributions. Then apply those signatures one at a time to your shim binary, using sbattach --attach. Simple, really. There's one strong recommendation here: order the signatures on your shim oldest first - that way, old buggy firmware implementations that potentially don't look for more than one signature will find the old signature first.

pesign can also handle moving signatures around, but I chose sbsigntools when doing this work myself.

If you're looking to see how others handle multiple signed shim binaries, feel free to look at the Debian shim-signed package for examples. The repo is https://salsa.debian.org/efi-team/shim-signed.git.

References

• Microsoft ship all their CA certificates and binaries you can use to update computers at https://github.com/microsoft/secureboot_objects
• The Debian wiki has a lot more information about UEFI and Secure Boot already, and I'm going to be adding more user-focused documentation about the CA rollover at SecureBoot/CAChanges shortly.

I'll add more links here in the coming weeks.

1.7.0 (2026-05-21)

New: Pro mode (experimental)

Opt-in tabbed multi-pane interface for power users. Open multiple mail, calendar, contacts, and file views side-by-side, drag tabs to reorder or split panes at the edges, and work across all logged-in accounts in one shell, cross-account email moves, a unified inbox with search, account-split calendar/contacts/files sidebars, and a per-account "From" dropdown in the composer. Enable from Settings → Appearance; the proInterface preference is per-device and not synced.

Pro mode is experimental and we need your feedback to shape it. If something feels off, breaks, or is missing, please don't hesitate to open an issue or start a discussion on GitHub!

Breaking Changes

• Plugins: Plugins now run inside a null-origin iframe sandbox and talk to the host over a postMessage RPC bridge. The in-process plugin runtime is gone; the bundled in-tree plugins have been migrated. Third-party plugins built against the old in-process API need to be ported to the sandboxed runtime.
• Plugins: Server-managed bundles must be Ed25519-signed by the host and approved by an admin before they load. The host public key is served from /api/plugin-signing-pubkey and each bundle response carries the signature in the X-Bundle-Signature header. User-uploaded bundles still load unsigned, but managed marketplace and dev-folder bundles do not.
• Plugins: bundleHash is now a full SHA-256 over the bundle. Legacy short hashes are migrated on first load; any out-of-band tooling that pinned the old hash format needs to be updated.

Features

• Pro: Tabbed shell with drag-to-reorder, drag-to-edge to split, side-by-side panes, and pane-aware responsive layout with a scoped sidebar overlay
• Pro: Auto-redirect to the Pro shell when Pro mode is on; proInterface is kept per-device instead of syncing
• Pro: Multi-account mail sidebar with client routing and a per-account mailbox cache
• Pro: Unified mailbox always visible, with full-text search
• Pro: Cross-account email moves
• Pro: Multi-account calendar sidebar split into owned vs shared per account
• Pro: Multi-account contacts and a cross-account file picker
• Pro: Composer From dropdown grouped by account
• Plugins: Per-plugin admin approval workflow with Ed25519 bundle signing verified on load
• Plugins: Marketplace update flow for installed plugins and themes
• Setup: Allow the setup wizard over plain HTTP with a dismissable warning gate
• Setup: Warn when the JMAP URL points at a local-only host
• Account: List and reorder logged-in accounts from settings (#282)
• Mail: Mobile handoff page with JMAP authentication verification for cross-device OAuth
• Mail: Pluggable reply/forward quote header (#295)
• Calendar: Support multiple flexible event reminders (#170)
• Admin: Expose PWA, app identity, and extension directory keys in the JSON config (#312)
• Admin: Surface OAuth scope settings and wire up orphaned admin policy gates

Security

• Plugins: Pin parent origin in the iframe bridge to block cross-frame postMessage
• Plugins: Ignore plugin-supplied target in ui.openExternalUrl to block host-frame hijack
• Plugins: Validate plugin/theme id in marketplace install to block path traversal
• Plugins: Prevent plugin config from leaking to non-admin users
• Admin: Gate admin routes against cross-origin CSRF
• Auth: Bind Stalwart auth context to the credential, not the cookie-claimed username
• Auth: Validate OAuth discovery endpoints against SSRF
• Mail: Tighten HTML sanitization at plain-text email, signature, and i18n render sites
• Mail: Block script-bearing MIME types from inline attachment preview
• Mail: Escape print-window fields and re-sanitize body to block XSS
• S/MIME: Stop persisting passphrases in sessionStorage
• API: Correct regex for valid API POST path validation

Fixes

• Mail: Serialize draft autosave with send to stop replies stalling in Drafts (#303)
• Mail: Omit empty cc/bcc from Email/set so the server does not emit a bare Cc: header (#301)
• Mobile: Allow adding contacts from the mail recipient popover (#306)
• Mobile: Prevent dual-scroll and use full width for mail content
• Mobile: OAuth handoff flow
• Calendar: Scope iCal subscriptions per JMAP account; fix refresh and clear
• Calendar: iCal subscription refresh, rollback, and URL normalization
• Calendar: Show avatars in the calendar/address book sharing menu
• Contacts: Normalize malformed contact photo data URIs (#307)
• Identity: Clear identity signature fields when emptied
• Identity: Show size cap on identity signature fields
• Identity: Allow table-based layouts in the HTML signature sanitizer
• Plugins: Load globals.css and Geist font in the plugin sandbox iframe
• Plugins: Sync plugin slot iframe height with reported content height
• Plugins: Use plugin slot offer snapshots for useSyncExternalStore
• Plugins: Trust the directory version on marketplace install and update
• Filters: Prevent duplication of Bulwark rules with literal braces in values
• Setup: Defer setup wizard HTTP detection to avoid hydration mismatch
• Routing: Anchor unmatched URLs into main so 404 renders
• Routing: Respect server-resolved locale on first visit (#309)
• Routing: Split app into (main)/(sandbox) route groups so the plugin iframe hydrates properly
• Files: Stop parent directory navigation from jumping to root
• Build: Stop pulling node:dns into the client bundle via OAuth discovery
• UI: Toggle recipient popover when clicking the name again
• UI: Remove white halo around photo avatars

i18n

• Add missing translation keys across 16 locales

We had an amazing day on May 15, as we organized SCS Fay Day Experience #4! We welcomed fans of our games from all around the world to our office in Prague, where they had the opportunity to meet our team, tour the studio, and get a behind-the-scenes look at how our games are made.

After receiving a huge number of applications for this fourth edition of our SCS Fan Day, we had to narrow the list down to a smaller group of some of our most dedicated fans, including visitors who traveled all the way to Prague from countries such as Brazil.

As always, it turned into an unforgettable experience meeting and chatting with members of our #BestCommunityEver. Once everyone arrived, they took on the challenge of driving on our 4D motion simulator before heading out on a tour of the office. Along the way, we stopped by several departments where our colleagues gave them a behind-the-scenes look at what they are currently working on and how the development process looks at SCS Software.

Later in the afternoon, we hosted a special Q&A session with our developers and CEO Pavel Šebor, where we discussed the community's thoughts on our games and answered plenty of questions from our guests. The session was accompanied by delicious snacks and coffee before we gathered for a group photo, handed out bags filled with SCS merchandise, and unfortunately had to say goodbye - at least until we hopefully meet again someday!

We would like to thank everyone who took part in this year's Fan Day. We hope it was a memorable experience for you, because it was certainly unforgettable for us as well. Your passion, support, and willingness to travel such long distances just to meet us truly means the world to everyone here at SCS Software, and it continues to motivate us every day. We also hope to meet again with everyone who applied but was not selected or was unable to attend this time around.

We hope we will be able to host another Fan Day in the future and meet even more of our amazing fans. Don't forget to give our X/Twitter, Instagram, Facebook, Bluesky, and TikTok a follow, as you'll receive news from any upcoming events straight to your feed, or subscribe to our newsletter to stay informed.

Another very minor update, now at 0.3.15, for our nanotime package is now on CRAN, and has been built for r2u and Debian. nanotime relies on the RcppCCTZ package (as well as the RcppDate package for additional C++ operations) and offers efficient high(er) resolution time parsing and formatting up to nanosecond resolution, using the bit64 package for the actual integer64 arithmetic. Initially implemented using the S3 system, it has benefitted greatly from a rigorous refactoring by Leonardo who not only rejigged nanotime internals in S4 but also added new S4 types for periods, intervals and durations.

This release adjusts the package for the maybe overly hasty switch R 4.6.0 has undertaken with respect to using C++20 as a default C++ compilation standard. I am of course largely in favour of such a switch to more modern C++. But I am also cognizant of the fact that not all compilers and machines are ready. And just as I have already seen one other package fail to compile on a particular CRAN system (!!) under C++20, this package all of a sudden, and only on that same system, started to throw two (harmless) compiler warnings. We could call these erroneous as newer versions of the same compiler do not throw them but it does not matter. The decision to default to C++20 has been made, and now we live with it. But maybe some hardware platforms should be moved behind the barn. Either way, this release both adds an explicit cast to two lines that may not really need it (but this will not hurt) and also dials the compilation standard down to C++17 on one particular platform. So once again there are no user-facing changes, or behavioural changes or enhancements, in this release.

The NEWS snippet below has the fuller details.

Changes in version 0.3.15 (2026-05-21)

• Add extra const_cast as one CRAN machine with more ancient setup whines otherwise and is obviously less C++20 ready than it thinks

• tools/configure also checks where this is being built and ’as needed' downgrades the compilation to C++17

Thanks to my CRANberries, there is a diffstat report for this release. More details and examples are at the nanotime page; code, issue tickets etc at the GitHub repository – and all documentation is provided at the nanotime documentation site.

This post by Dirk Eddelbuettel originated on his Thinking inside the box blog. If you like this or other open-source work I do, you can now sponsor me at GitHub. You can also sponsor my Tour de Shore 2026 ride in support of the Maywood Fine Arts Center.

Security Release

• Update Instructions
• Update details on blog

This is a security release to address a brute-force based vulnerability related to multi-factor authentication, and to update project libraries to help avoid potential vulnerabilities that have been reported in those.

Upgrade is generally advised, but strongly so where multi-factor authentication is used & considered as a critical layer of defense.

Thanks to Stephen O. / Sakusen (Codeberg, Website) for responsibly reporting these issues.

Full List of Changes

• Updated PHP package versions.
• Updated MFA verification routes with rate limiting.

VIENNA, Austria – May 21, 2026 – Proxmox Server Solutions GmbH today announced the immediate availability of Proxmox Virtual Environment 9.2, the latest version of its integrated open-source platform for enterprise virtualization. This major update introduces a dynamic load balancer, expanded software-defined networking (SDN) capabilities, and granular management of custom CPU models. By improving resource utilization through dynamic workload balancing and simplifying complex cluster maintenance workflows, Proxmox VE 9.2 enables organizations to scale their infrastructure with higher efficiency and significantly reduced operational complexity.

Highlights in Proxmox Virtual Environment 9.2

Dynamic Load Balancer

A highlight of version 9.2 is the introduction of the Dynamic Load Balancer, which utilizes an intelligent decision-making framework to optimize guest placement for maximum cluster balance and reliability. Operating in a new dynamic mode, the cluster resource scheduler (CRS) incorporates real-time node and guest resource utilization into every placement decision. The integrated load balancer can automatically migrate guests managed by the High Availability (HA) stack to reduce the imbalance across the cluster nodes while strictly respecting all user-defined HA rules. Administrators maintain granular control through configurable options that define the behavior and sensitivity of the load Balancer through various parameters, providing organizations with superior oversight of resource utilization in highly available environments.

Expanded software-defined networking (SDN)

This release significantly improves its SDN stack to support modern network architectures.

• New Fabric Protocols: Native support for WireGuard and BGP has been integrated into the SDN stack.
• BGP/EVPN filtering: Support for route maps and prefix lists allows for fine-grained control over route redistribution.

Further additions include route redistribution for OSPF fabrics, additional options for configuring EVPN controllers, and IPv6 underlay support for EVPN.

Custom CPU model management

To provide greater flexibility for specialized workloads, Proxmox VE 9.2 introduces a dedicated management interface for custom CPU models. Administrators can now create, edit, and remove custom CPU profiles directly in the web interface under the “Datacenter” section. This makes it easier to tailor the virtual CPU features exposed to VMs, ensuring optimal workload performance. Additionally, the integrated CPU flags selector provides instant visibility into supported flags across all cluster nodes, helping administrators identify potential cluster-wide compatibility issues during the configuration phase.

Confident maintenance with HA Arm/Disarm

Addressing common administrative challenges during maintenance windows, Proxmox VE 9.2 introduces the ability to "disarm" and "arm" the HA Manager cluster-wide. Administrators can temporarily suspend the HA stack during planned cluster maintenance to prevent unwanted actions, such as fencing nodes. HA resource states are preserved during these disarm and arm cycles, ensuring HA resources return to their previous state and node placement automatically once maintenance is completed.

Updated technology stack

Proxmox Virtual Environment 9.2 is based on Debian 13.5 "Trixie" and features Linux kernel 7.0 as the new stable default. Along with the latest versions of QEMU 11.0, LXC 7.0, and ZFS 2.4, this release offers a high-performance open-source architecture for modern infrastructure.

As a complete data center ecosystem engineered for high-density virtualization and disaster recovery, version 9.2 provides businesses with a seamless management environment for compute, storage, and backup. This includes updated support for the storage layer, with Ceph Tentacle 20.2. now available as a stable option alongside Ceph Squid 19.2.

Availability

Proxmox Virtual Environment 9.2 is open-source software and immediately available for download at the official website. Users can obtain a complete installation image via ISO download, which contains the full feature set of the solution and can be installed quickly on bare-metal systems using an intuitive installation wizard.

Seamless distribution upgrades from older versions of Proxmox Virtual Environment are possible using the standard APT package management system. Furthermore, it is also possible to install Proxmox Virtual Environment on top of an existing Debian installation.

For enterprise environments, Proxmox offers comprehensive support plans that provide direct access to expert support services and stable and secure updates. These support contracts offer a cost-effective way to secure enterprise-grade stability, with pricing starting at EUR 120 per year and CPU. 

Resources:

• ISO Image Download: https://www.proxmox.com/en/downloads
• Forum Announcement: https://forum.proxmox.com/
• Video tutorial: What’s new in Proxmox VE 9.2
• Roadmap: For published and upcoming features, see the Release Notes & Roadmap

###

About Proxmox Virtual Environment
Powering over 2 million hosts globally, Proxmox Virtual Environment is a complete open-source platform for enterprise virtualization and hyper-converged infrastructure. It natively unifies KVM virtualization, LXC containers, software-defined storage, and networking on a single platform. Alongside its dedicated Backup Server and Datacenter Manager, the Proxmox ecosystem eliminates multi-site complexity as well as dependency on proprietary stacks. Backed by a global community of over 225,000 members, the platform serves as a scalable, cost-effective foundation for modern data centers.

About Proxmox Server Solutions
Proxmox Server Solutions provides powerful, intuitive open-source server software that guarantees vendor independence and minimizes total cost of ownership. Enterprises of all sizes rely on the company’s reliable vendor support, certified training services, and a global network of 3,000 integration partners to ensure business continuity. Established in 2005 and headquartered in Vienna, Austria, tens of thousands of corporate customers worldwide trust Proxmox solutions to secure their mission-critical IT environments. To learn more visit https://www.proxmox.com or follow us on LinkedIn and YouTube.

Contact: Daniela Häsler, Proxmox Server Solutions GmbH, marketing@proxmox.com

I've heard "containers are not a security boundary" enough times that it's started to feel like received wisdom, and my honest read (after 13+ years) is that it's technically defensible but practically sloppy – and the sloppiness matters.

The part that's true: containers share a kernel, and a kernel exploit crosses the container boundary where a VM would not. That difference is real and non-trivial, and the CVE history backs it up – CVE-2019-5736, CVE-2022-0492, and CVE-2024-21626 all happened in "correctly configured" production containers.

The part I'd push back on is that the comparison point is almost never stated. "Containers aren't a security boundary" is being used as shorthand for "containers aren't a VM boundary" – but the conclusion people seem to draw from that is "therefore don't bother", which doesn't actually follow. The more honest version is that default Docker doesn't provide strong isolation between mutually untrusting parties, but a hardened configuration does.

What ships by default in Moby is actually a pretty reasonable foundation: seccomp is enabled (with a builtin profile blocking ~50 syscalls – credit where it's due: this is mostly @jessfraz's work; she even ran contained.af as a public CTF for years daring people to escape a container under her seccomp profile, and to my knowledge it was never claimed), AppArmor is enabled (the docker-default profile), and several sensitive /proc paths are masked. What's not on by default: no-new-privileges (setuid binaries inside can escalate), CAP_NET_RAW is still granted to every container (even though the kernel has supported unprivileged ICMP sockets for over a decade, meaning most modern distributions no longer need CAP_NET_RAW for ping), and user namespace remapping – though user namespaces aren't quite the silver bullet they might sound like; Debian left them disabled by default for years because the kernel attack surface they exposed hadn't been hardened against unprivileged callers.

The boundary isn't absent – it doesn't come completely pre-assembled. With VMs, the hypervisor is there whether you asked for it or not; with containers, assembling the boundary is left as an exercise for the operator. That's a much more solvable problem than "the technology is incapable", but it does mean the work falls to whoever's running the containers.

So, some things you can do today without waiting for defaults to change:

--user (or USER in your Dockerfile) is worth calling out specifically, because I think it's arguably stronger than user namespace remapping in one important way – and partly for the same reason Debian was hesitant about user namespaces in the first place. User namespace remapping protects the host from a root-in-container escape: if you do escape, you land as an unprivileged user on the host. But you were still root inside the container the whole time. Running as a non-root user means you were never root anywhere. The blast radius of a compromised process is limited whether or not it escapes, including for things like reading secrets, modifying container contents, or lateral movement within the container itself. Most application containers have no legitimate reason to be root.

Beyond that, a short list of things that are easy to enable and hard to justify leaving off:

• --security-opt no-new-privileges – prevents setuid binaries from escalating; can also be set daemon-wide in daemon.json with "no-new-privileges": true
• --read-only – a read-only root filesystem means a compromised process can't easily persist tooling or modify the container (pair with a writable tmpfs mount for /tmp etc as needed)
• --cap-drop NET_RAW – or --cap-drop ALL and add back only what you actually need; CAP_NET_RAW is almost never legitimately needed by application containers
• never --privileged – if something seems to require it, the right answer is almost always a more targeted capability grant or bind mount, not the nuclear option

docker run \
  --user 1234:5678 \
  --security-opt no-new-privileges \
  --read-only \
  --tmpfs /tmp \
  --cap-drop ALL \
  acme/untrusted-workload:latest

None of these require a daemon restart or infrastructure changes, and stacked together they go a long way toward actually building the boundary that the defaults leave unbuilt.

(this post was written with the assistance of "claude my eyes right out" but all thoughts and understanding are Tianon's)

🚀 Jellyfin Web 10.11.9

We are pleased to announce the latest stable release of Jellyfin, version 10.11.9! This minor release brings several bugfixes to improve your Jellyfin experience. As always, please ensure you take a full backup before upgrading!

You can find more details about and discuss this release on our forums.

Changelog (1)

🔒 Security

• Fix xss in checkbox element [PR #7941], by @thornbill

🚀 Jellyfin Server 10.11.9

We are pleased to announce the latest stable release of Jellyfin, version 10.11.9! This minor release brings several bugfixes to improve your Jellyfin experience. As always, please ensure you take a full backup before upgrading!

You can find more details about and discuss this release on our forums.

Changelog (5)

📈 General Changes

• Fix rate control in av1_amf encoder [PR #16819], by @nyanmisaka
• Fix UserManager after EFcore refactor [PR #15368], by @JPVenson
• Update log for user session related concurrency update fails [PR #16845], by @JPVenson
• Allow HDR10 for VPP tonemapping [PR #16718], by @gnattu
• Use strict QSV CPB size for less powerful H.264 decoder [PR #16743], by @nyanmisaka

• [p]Adjusted player and grenade collision.[/p][/*]
• [p]Adjusted material blending to improve accuracy of footstep sounds.[/p][/*]
• [p]Fixed several gaps reported by players.[/p][/*]

• [p]Fixed a gap in the wall.[/p][/*]

The Stable channel has been updated to 149.0.7827.22/.23 for Windows and Mac (149.0.7827.29/.30) ,as part of our early stable release to a small percentage of users. A full list of changes in this build is available in the log.

📦 Downloads available at

• https://user.bitfocus.io/download

💵 Donate to the project at

• open collective https://opencollective.com/companion

Companion v4.3.3 - Release Notes

🐞 BUG FIXES

• disable --use-system-ca if encountering openssl launch errors
• improve DropdownInputField performance

Full Changelog: v4.3.2...v4.3.3

• Milestone

This is bug-fix release for 1.29.0.

Feature highlights✨:

• Accept .txt import of feed URLs in additional to e.g. OPML
• New CLI for automatic periodic SQLite export with retention
• More feed info: last received date, publication date

Bug fixes highlights 🐛:

• Fix cookies with some browsers
• Fix search in shared user queries with empty results

UI highlights 🖼:

• Improve Web browsers compatibility

This release has been made by @Alkarex, @Frenzie, @IEEE-754, @Inverle, @McFev, @ciro-mota, @cweiske, @polybjorn and newcomer @mzl2233

Full changelog:

• Features
  • Accept .txt import of feed URLs in additional to e.g. OPML #8818, #8837
  • New CLI for automatic periodic SQLite export with retention #8819
  • More feed info: last received date, publication date #8799
• Bug fixing
  • Fix cookies with some browsers #8867
  • Fix search in shared user queries with empty results #8863
  • Fix XML errors with loading invalid OPML in lib_opml library #8652, #8853,
    lib_opml#48, lib_opml#51
  • Fix ensure maximum number of feeds also with Dynamic OPML #8832
  • Fix click mark as read #8817
• UI
  • Improve browser compatibility to keep mobile navigation at the bottom #8833
  • Improve support of older/simpler Web browsers/engines such as SeaMonkey #8810,
    #8811, #8813,
  • Improve Swage theme #8842
  • Rename Nord theme to Nord #8805
  • Replace GIF spinner by CSS spinner #8804, #8812
  • Various UI and style improvements: #8800, #8816,
• I18n
  • Improve Brazilian Portuguese #8846
  • Improve Dutch #8868
  • Improve German #8840
  • Improve Polish #8854
  • Improve Russian #8861
  • Improve Traditional Chinese #8849
• Misc.
  • Update dev dependencies #8858, #8864

I was getting “<XF86AudioPlay> is undefined” in the status bar of Emacs displayed every 2-3 seconds. Nowhere else I noticed any misbehavior or problems, and also couldn’t find any related log entries. It didn’t stop, though didn’t want to reboot my system to see whether that would fix the problem, but it was driving me nuts.

Now, as a starting point I adjusted my sway configuration, to react to the XF86AudioPlay key press event:

bindsym XF86AudioPlay exec playerctl play-pause

After reloading sway, my music player started to play for 2-3 seconds, stopped playing, started again, etc. It wasn’t a Emacs bug, but something indeed seemed to send the XF86AudioPlay key event every 2-3 seconds. It wasn’t my USB keyboard or any stuck key on it, as verified also by unplugging it. So which device was causing this?

libinput from libinput-tools to the rescue:

% sudo libinput debug-events
[...]
-event12  KEYBOARD_KEY                 +0.000s  KEY_PLAYPAUSE (164) pressed
 event12  KEYBOARD_KEY                 +0.000s  KEY_PLAYPAUSE (164) released
 event12  KEYBOARD_KEY                 +2.887s  KEY_PLAYPAUSE (164) pressed
 event12  KEYBOARD_KEY                 +2.887s  KEY_PLAYPAUSE (164) released
 event12  KEYBOARD_KEY                 +5.773s  KEY_PLAYPAUSE (164) pressed
 event12  KEYBOARD_KEY                 +5.774s  KEY_PLAYPAUSE (164) released
[...]

The `event12` device was sending this event, what’s behind this?

% sudo udevadm info /dev/input/event12
P: /devices/pci0000:00/0000:00:1f.3/skl_hda_dsp_generic/sound/card0/input17/event12
M: event12
R: 12
J: c13:76
U: input
D: c 13:76
N: input/event12
L: 0
S: input/by-path/pci-0000:00:1f.3-platform-skl_hda_dsp_generic-event
E: DEVPATH=/devices/pci0000:00/0000:00:1f.3/skl_hda_dsp_generic/sound/card0/input17/event12
E: DEVNAME=/dev/input/event12
E: MAJOR=13
E: MINOR=76
E: SUBSYSTEM=input
E: USEC_INITIALIZED=12468722
E: ID_INPUT=1
E: ID_INPUT_KEY=1
E: ID_INPUT_SWITCH=1
E: ID_PATH=pci-0000:00:1f.3-platform-skl_hda_dsp_generic
E: ID_PATH_TAG=pci-0000_00_1f_3-platform-skl_hda_dsp_generic
E: XKBMODEL=pc105
E: XKBLAYOUT=us
E: XKBOPTIONS=lv3:ralt_switch,compose:rctrl
E: BACKSPACE=guess
E: LIBINPUT_DEVICE_GROUP=0/0/0:ALSA
E: DEVLINKS=/dev/input/by-path/pci-0000:00:1f.3-platform-skl_hda_dsp_generic-event
E: TAGS=:power-switch:
E: CURRENT_TAGS=:power-switch:

% sudo udevadm info -a /dev/input/event12 | grep -iE 'kernels|drivers|name'
    KERNELS=="input17"
    DRIVERS==""
    ATTRS{name}=="sof-hda-dsp Headphone"
    KERNELS=="card0"
    DRIVERS==""
    KERNELS=="skl_hda_dsp_generic"
    DRIVERS=="skl_hda_dsp_generic"
    KERNELS=="0000:00:1f.3"
    DRIVERS=="sof-audio-pci-intel-tgl"
    KERNELS=="pci0000:00"
    DRIVERS==""

Behind this event12 is sof-hda-dsp Headphone, and evtest confirms that:

% sudo evtest
No device specified, trying to scan all of /dev/input/event*
Available devices:
/dev/input/event0:      AT Translated Set 2 keyboard
/dev/input/event1:      Sleep Button
/dev/input/event10:     ThinkPad Extra Buttons
/dev/input/event11:     sof-hda-dsp Mic
/dev/input/event12:     sof-hda-dsp Headphone
/dev/input/event13:     sof-hda-dsp HDMI/DP,pcm=3
/dev/input/event14:     sof-hda-dsp HDMI/DP,pcm=4
/dev/input/event15:     sof-hda-dsp HDMI/DP,pcm=5
/dev/input/event16:     Yubico YubiKey OTP+FIDO+CCID
/dev/input/event17:     Apple Inc. Magic Keyboard with Numeric Keypad
/dev/input/event18:     Apple Inc. Magic Keyboard with Numeric Keypad
[...]
Select the device event number [0-24]: ^C

We can even get further information:

% sudo evtest /dev/input/event12
Input driver version is 1.0.1
Input device ID: bus 0x0 vendor 0x0 product 0x0 version 0x0
Input device name: "sof-hda-dsp Headphone"
Supported events:
  Event type 0 (EV_SYN)
  Event type 1 (EV_KEY)
    Event code 114 (KEY_VOLUMEDOWN)
    Event code 115 (KEY_VOLUMEUP)
    Event code 164 (KEY_PLAYPAUSE)
    Event code 582 (KEY_VOICECOMMAND)
  Event type 5 (EV_SW)
    Event code 2 (SW_HEADPHONE_INSERT) state 0
Properties:
Testing ... (interrupt to exit)
Event: time 1779295060.175766, type 5 (EV_SW), code 2 (SW_HEADPHONE_INSERT), value 1
Event: time 1779295060.175766, -------------- SYN_REPORT ------------
Event: time 1779295061.951168, type 1 (EV_KEY), code 164 (KEY_PLAYPAUSE), value 1
Event: time 1779295061.951168, -------------- SYN_REPORT ------------
Event: time 1779295061.951194, type 1 (EV_KEY), code 164 (KEY_PLAYPAUSE), value 0
Event: time 1779295061.951194, -------------- SYN_REPORT ------------
Event: time 1779295064.548671, type 1 (EV_KEY), code 164 (KEY_PLAYPAUSE), value 1
Event: time 1779295064.548671, -------------- SYN_REPORT ------------
Event: time 1779295064.548689, type 1 (EV_KEY), code 164 (KEY_PLAYPAUSE), value 0
Event: time 1779295064.548689, -------------- SYN_REPORT ------------
Event: time 1779295067.437172, type 1 (EV_KEY), code 164 (KEY_PLAYPAUSE), value 1
Event: time 1779295067.437172, -------------- SYN_REPORT ------------
Event: time 1779295067.437187, type 1 (EV_KEY), code 164 (KEY_PLAYPAUSE), value 0
Event: time 1779295067.437187, -------------- SYN_REPORT ------------
Event: time 1779295070.323775, type 1 (EV_KEY), code 164 (KEY_PLAYPAUSE), value 1
Event: time 1779295070.323775, -------------- SYN_REPORT ------------
Event: time 1779295070.323790, type 1 (EV_KEY), code 164 (KEY_PLAYPAUSE), value 0
Event: time 1779295070.323790, -------------- SYN_REPORT ------------
Event: time 1779295073.200350, type 1 (EV_KEY), code 164 (KEY_PLAYPAUSE), value 1
Event: time 1779295073.200350, -------------- SYN_REPORT ------------
Event: time 1779295073.200373, type 1 (EV_KEY), code 164 (KEY_PLAYPAUSE), value 0
Event: time 1779295073.200373, -------------- SYN_REPORT ------------
Event: time 1779295076.076228, type 1 (EV_KEY), code 164 (KEY_PLAYPAUSE), value 1
Event: time 1779295076.076228, -------------- SYN_REPORT ------------
Event: time 1779295076.076250, type 1 (EV_KEY), code 164 (KEY_PLAYPAUSE), value 0
Event: time 1779295076.076250, -------------- SYN_REPORT ------------
Event: time 1779295078.961740, type 1 (EV_KEY), code 164 (KEY_PLAYPAUSE), value 1
Event: time 1779295078.961740, -------------- SYN_REPORT ------------
Event: time 1779295078.961754, type 1 (EV_KEY), code 164 (KEY_PLAYPAUSE), value 0
Event: time 1779295078.961754, -------------- SYN_REPORT ------------
Event: time 1779295081.850156, type 1 (EV_KEY), code 164 (KEY_PLAYPAUSE), value 1
Event: time 1779295081.850156, -------------- SYN_REPORT ------------
Event: time 1779295081.850175, type 1 (EV_KEY), code 164 (KEY_PLAYPAUSE), value 0
Event: time 1779295081.850175, -------------- SYN_REPORT ------------
Event: time 1779295083.306612, type 5 (EV_SW), code 2 (SW_HEADPHONE_INSERT), value 0
Event: time 1779295083.306612, -------------- SYN_REPORT ------------

So when I plug in my headphone (see the `SW_HEADPHONE_INSERT` event), the unexpected behavior starts, unplugging stops the problem.
Good! But what was totally unexpected for me: my headphone, being a Beyerdynamic DT-990 Pro, does not have any keys. 8-)

As it turned out, the headphone jack seemed to have been not entirely clean. The analog side of the jack triggers a behavior within the audio codec, where it seems to interpret the fluctuating impedance as a play button of the headset, being pressed, again and again.

I cleaned the jack of my headphone and my XF86AudioPlay problem is gone, case closed.