// THE BRIEF: Red Hat / Fedora

Fedora 45 is quietly assembling a more serious security posture – shadow stack by default, Stratis finally installable at root – while the Council shut down its own AI Desktop initiative mid-debate and paused the process that spawned it.

Two Fedora 45 change proposals landed in the tracker this week that deserve more attention than they got. The first: enabling x86_64 Shadow Stack by default on modern Intel and AMD hardware. Shadow Stack is Intel CET’s return-address protection – hardware enforcement against ROP chains, not a compile-time mitigation. Defaulting it on at the distro level is meaningful, assuming the breakage rate on older software stays manageable. The proposal is still under consideration, not approved.

The second: Stratis Storage getting install-time support for root filesystems. Stratis has shipped in Fedora since F28 – that’s roughly eight releases – but you couldn’t actually install to it. Red Hat’s storage stack story has been complicated since RHEL dropped Btrfs plans years ago, and Stratis (XFS under the hood, Rust daemon, LUKS integration) has been the quiet bet ever since. Getting it into Anaconda for root installs is the first time it becomes something an end user actually encounters, rather than a post-install experiment.

Both proposals are still proposals. Neither is in the release yet.

The AI Desktop implosion

The more immediately consequential news came from governance. The Fedora Council, via Aoife Moloney, announced it is pausing the Community Initiatives process entirely and closing discussion on the AI Developer Desktop initiative that had been circulating since May. The stated reason: the Objectives/Initiatives framework “was never intended as a mandatory prerequisite to do the work” and the current process is ineffective.

Phoronix covered the shutdown as the Council effectively killing the AI Desktop proposal. LWN’s framing is more precise – the Council is pausing the process, not banning the work. The distinction matters: someone can still ship an AI-focused Fedora spin or package set, they just can’t do it through the now-suspended formal initiative track.

What the two sources agree on: the proposal generated “widely varying views” (Phoronix) and the discussion had run into the limits of the current governance structure. A formal AI Developer Desktop with hardware-accelerated local ML and pre-configured environments was a legitimate engineering goal. The framework around it wasn’t working.

ARM64 desktop, honest verdict

Props to Red Hat senior engineer Marcin Juszkiewicz for writing honestly about ditching his Ampere Altra AArch64 desktop after nearly a year and going back to AMD Ryzen. He’s on Red Hat’s ARM team – if anyone has the motivation and support to make AArch64 Linux desktop work, it’s him. The issues he encountered were enough to make the switch anyway. No specific bug list in the summary, but the signal is clear: AArch64 Linux desktop is still a project, not a product.

Red Hat’s upstream week

On the engineering side, Red Hat’s Karol Herbst landed hardware utilization improvements to Rusticl in Mesa 26.2 – the Rust-based OpenCL driver sitting on top of Gallium3D. Separately, Red Hat contributed a /etc/tunables.conf infrastructure to glibc, giving admins a stable file to set system-wide glibc tunables rather than relying on environment variables. That one has real operational value: environment-variable tunables are fragile across process boundaries and hard to audit.

On the product side, OpenShift Service Mesh 3.4 is GA, shipping Istio 1.30 and Kiali 2.27 with ambient mode updates. BackendTLSPolicy is now available in OpenShift 4.22, closing the gap between Gateway API and what OpenShift routes already handled with re-encrypt TLS termination.

Red Hat also published a post on the goose AI agent landing in the RHEL extensions repo for RHEL 9.8 and 10.2. The title says “supercharge” (banned word, but that’s their copy). The actual claim is more measured: it’s an optional, open-source agentic tool from the Agentic AI Foundation available as an extension, not a built-in. Worth watching for how it handles privilege escalation – agentic troubleshooting on production RHEL systems is a threat model question as much as a feature.

The security update volume this week was routine but sustained: Fedora shipped patches across kernel, thunderbird, chromium, caddy, nmap, apptainer, and the container toolchain (buildah, podman, skopeo via Red Hat directly).

Fedora 42 is doing real work on the security baseline – Shadow Stack on by default raises the floor for the entire distro, and Stratis graduating to root-install status is a genuine quality-of-life win for anyone who wants modern storage without bolting it on after the fact. The open question is how the ecosystem of older software handles the Shadow Stack requirement; the default is the right call, but the friction is real and will land unevenly across package maintainers.

The Council killing its own AI Desktop initiative mid-debate is the more interesting governance story. Not every desktop workflow needs a model running in the background, and pausing the process that spawned the proposal is a principled move – chasing “AI everywhere” as a project goal would expand the attack surface at exactly the moment Fedora is tightening it elsewhere. AI cuts both ways on security: defensive tooling improves, but so does the exploit surface and the sophistication of attacks. That asymmetry makes Shadow Stack-style baseline hardening more valuable, not less, as AI-assisted exploitation gets cheaper.

The ARM64 situation is a reminder that even deep vendor support and expert engineers don’t make a platform mass-market-ready. Honest post-mortems on that gap are more useful to the ecosystem than optimism.

What to do this week

What to do this week:

If you’re tracking Fedora 45 planning: read the Shadow Stack change proposal in full before it hits FESCo vote. The compatibility surface is the question – older JIT-heavy applications and some LD_PRELOAD tooling may trip on CET enforcement. Test against your actual workloads before the default lands, not after.

If you’re evaluating Stratis for anything: F45 install support means you can start testing root-on-Stratis in a VM today against the current rawhide. Eight releases of being a post-install experiment means the tooling is reasonably mature, but installer-path edge cases (LVM coexistence, rescue mode, LUKS passphrase timing) are exactly what needs exercising now.

If you run RHEL 9.8 or 10.2 and are curious about goose: deploy it in a non-production environment first and audit what syscalls and credential paths it touches before handing it a production host. Agentic + root access is a policy conversation before it’s an ops convenience.

On the glibc tunables front: if you’re currently setting GLIBC_TUNABLES in unit files or wrapper scripts, /etc/tunables.conf is cleaner and auditable – worth migrating when you next touch those configs.

The Fedora Council’s Community Initiatives pause doesn’t block work, but if your team had a proposal queued for that track, it’s on hold until the Council redesigns the process. No timeline given.


Receipts

  1. Fedora 45 shadow stack · Phoronix — A change proposal under consideration for Fedora Linux 45 would enable x86_64 Shadow Stack usage by default on modern Intel and AMD systems
  2. Fedora 45 Stratis install · Phoronix — Stratis Storage has been available in Fedora Linux going all the way back to Fedora 28; until now there hasn’t been the option of using it for the root file-system on new Fedora installations
  3. Fedora Council pause · LWN.net — The Fedora Council is proposing to pause the Community Initiatives process as an official project process because it has decided the current process is ineffective; also closing discussion on the AI developer desktop initiative
  4. Fedora AI Desktop shutdown · Phoronix — The Fedora Council issued a statement to effectively shutdown discussions for now over a Fedora AI Developer Desktop and to pause the Fedora Community Initiatives process, stemming from widely varying views
  5. ARM64 desktop abandoned · Phoronix — Red Hat senior software engineer Marcin Juszkiewicz had been dogfeeding with an AArch64 Linux desktop as his primary personal system for nearly the past year but has gone back to using his AMD Ryzen desktop over AArch64 Linux issues with his Ampere Altra desktop
  6. Rusticl Mesa 26.2 · Phoronix — Red Hat engineer Karol Herbst has landed his latest optimization work to Rusticl in Mesa 26.2, around better hardware utilization
  7. glibc tunables.conf · Phoronix — Red Hat has contributed new system-wide tunables infrastructure to glibc that allows specifying system-wide tunables via the new /etc/tunables.conf configuration file
  8. OpenShift Service Mesh 3.4 · Red Hat Blog — Red Hat OpenShift Service Mesh 3.4 is generally available, updating Istio to 1.30 and Kiali to 2.27, with updates to sidecar-less ambient mode
  9. BackendTLSPolicy OpenShift 4.22 · Red Hat Blog — BackendTLSPolicy is now available in Red Hat OpenShift 4.22, giving Gateway API users the same level of secured traffic as OpenShift route re-encrypt termination
  10. goose RHEL agent · Red Hat Blog — The goose AI agent is now available in the RHEL extensions repository for RHEL 9.8 and RHEL 10.2; goose is a flexible, open source AI agent from the Agentic AI Foundation

Leave a comment