Welcome to a new issue of This Week in Plasma!

This week we released Plasma 6.6! So far it’s getting great reviews, even on Phoronix. 😁

As usual, this week the major focus was on triaging bug reports from people upgrading to the new release, and then fixing them. There were a couple of minor regressions as a result of the extensive work done to modernize Plasma widgets’ UI and code for Plasma 6.6, and we’ve already got almost all of them fixed.

In addition to that, feature work and UI improvements roared into focus for Plasma 6.7! Lots of neat stuff this week. Check it all out:

Notable new features

Plasma 6.7.0

While in the Overview effect, you can now switch between virtual desktops by scrolling or pressing the Page Up/Page Down keys! (Kai Uwe Broulik, KDE Bugzilla #453109 and kwin MR #8829)

On Wayland, you can optionally synchronize the stylus pointer with the mouse/touchpad pointer if this fits your stylus usage better. (Joshua Goins, KDE Bugzilla #505663)

The old print queue dialog has been replaced with a full-featured print queue viewer app, allowing you to visualize multiple queues of multiple printers connected locally or over the network! It still offers a good and normal experience for the common case of having one printer, but now also includes loads of enterprisey features relevant to environments with many printers. (Mike Noe, print-manager MR #280)

You can now exclude windows from screen recording using permanent window rules! (Kai Uwe Broulik, kwin MR #8828)

Added a new --release-capture command-line option to Spectacle that allows invoking it with its “accept screenshot on click-and-release” setting using automation tools. (Arimil, spectacle MR #479)

Notable UI improvements

Plasma 6.6.1

The Custom Tiling feature accessed with Meta+T no longer inappropriately respects key repeat, and therefore no longer becomes practically impossible to open with a very high key repeat rate. (Ritchie Frodomar, KDE Bugzilla #515940)

Close buttons on the default “Thumbnails” Alt+Tab task switcher are now more legible on top of the window thumbnails. (Nate Graham, kwin MR #8830)

After

Before

The Networks widget now shows a more appropriate icon in the panel or System Tray when you disable Wi-Fi. (Nate Graham, plasma-nm MR #526)

After

Before

Plasma 6.7.0

The System Monitor app and widgets now respect your chosen “binary unit” choice. This means for example if you’ve asked for file sizes to be expressed as “GB” (gigabyte, or one billion bytes) rather than “GiB” (gibibyte, or 2^30 bytes), the system monitoring tools now respect that. (David Redondo, KDE Bugzilla #453854)

If the auto-generated scale factor for a screen is very close to 100%, 200%, or 300%, it now gets rounded to that value, prioritizing performance and visual fidelity. (Kai Uwe Broulik, kwin MR #8742)

The Color Picker widget now displays more sensible tooltip and placeholder text when it hasn’t been used yet. (Joshua Goins, kdeplasma-addons MR #1010)

After

Before

Various parts of Plasma now consistently use the term “UEFI Firmware Settings” to refer to UEFI-based setup tools. (Kai Uwe Broulik, plasma-workspace MR #6246 and plasma-desktop MR #3541)

The “Terminate this frozen window” dialog now shows a little spinner as it tries to terminate the window, so you don’t think it’s gotten stuck. (Kai Uwe Broulik, kwin MR #8818)

The Widget Explorer sidebar now appears on the screen with the pointer on it, rather than always appearing on the left-most screen. (Fushan Wen, plasma-workspace MR #6251)

Notable bug fixes

Plasma 6.6.1

Fixed a case where KWin could crash during intensive input method usage. (Vlad Zahorodnii, KDE Bugzilla #506916)

Fixed a case where KWin could crash when waking up the system while using the Input Leap or Deskflow input-sharing apps. (David Redondo, KDE Bugzilla #515179)

Fixed a case where Discover could crash while trying to install updates. (Harald Sitter, KDE Bugzilla #515150)

Fixed a regression that broke drag-and-drop onto pinned Task Manager widget icons. (Kai Uwe Broulik, KDE Bugzilla #516242)

Fixed a regression that made certain popups from third-party software appear in the wrong place on the screen. (Vlad Zahorodnii, KDE Bugzilla #516185)

Fixed a minor visual regression in the Zoom effect on rotated screens. (Vlad Zahorodnii, kwin MR #8817)

Fixed a layout regression that made the Task Manager widget’s tooltip close buttons get slightly cut off for multi-window apps while window thumbnails were manually disabled. (Christoph Wolk, KDE Bugzilla #516018)

Fixed a layout regression that slightly misaligned the search bar in the Kicker Application Menu widget. (Christoph Wolk, KDE Bugzilla #516196)

Fixed a layout regression that made some System Tray popups always show an unnecessary hamburger menu. (Arjen Hiemstra, KDE Bugzilla #516135)

Fixed a regression that made some GTK apps not notice system-wide changes to the color scheme and enter their dark mode. (Nicolas Fella, KDE Bugzilla #516303)

Fixed a button added to Plasma 6.6 not having translated text. (Albers Astals Cid, plasma-workspace MR #6305)

Fixed server-to-client clipboard syncing in Plasma’s remote desktop implementation. (realies, krdp MR #144)

The new Plasma Login Manager introduced in Plasma 6.6 no longer shows accounts on the system that a human can’t actually log into. (Matthew Snow, plasma-login-manager MR #109)

Fixed a layout issue that made a label in the panel configuration dialog disappear when using certain Plasma styles. (Filip Fila, KDE Bugzilla #515987)

Fixed a layout issue that made the notification dialog too tall for very short text-only notification messages. (Kai Uwe Broulik, plasma-workspace MR #6145)

Fixed an issue that set the screen brightness to too low a level on login in certain circumstances. (Xaver Hugl, KDE Bugzilla #504441)

Fixed a layout issue that made the song or artist names in the Media Player widget get cut off too early when the widget was placed in a panel in between two spacers. (Greeniac Green, KDE Bugzilla #501166)

Improved the Weather Report widget’s reliability with forecasts from the Environment Canada provider. (Eric Soltys, kdeplasma-addons MR #1008)

Made the progress indicator built into icons in the Task Manager widget move in the appropriate direction when using the system with a right-to-left language like Arabic or Hebrew. (Oliver Beard, KDE Bugzilla #516053)

Custom icons embedded in third-party widgets that appear in the Widget Explorer sidebar now also appear in those widgets’ “About this widget” pages. (Mark Capella, KDE Bugzilla #509896)

Plasma 6.7.0

Eliminated a source of visual glitchiness with certain fade transitions while using an ICC profile. (Xaver Hugl, KDE Bugzilla #515194)

Frameworks 6.24

Fixed a case where KDE’s desktop portal could crash when copying certain data over a remote desktop connection. (David Edmundson, KDE Bugzilla #515465)

Notable in performance & technical

Plasma 6.6.1

Improved animation performance throughout the system by leaning more heavily on the Wayland Presentation Time protocol. (Vlad Zahorodnii, KDE Bugzilla #516240)

How you can help

KDE has become important in the world, and your time and contributions have helped us get there. As we grow, we need your support to keep KDE sustainable.

Would you like to help put together this weekly report? Introduce yourself in the Matrix room and join the team!

Beyond that, you can help KDE by directly getting involved in any other projects. Donating time is actually more impactful than donating money. Each contributor makes a huge difference in KDE — you are not a number or a cog in a machine! You don’t have to be a programmer, either; many other opportunities exist.

You can also help out by making a donation! This helps cover operational costs, salaries, travel expenses for contributors, and in general just keeps KDE bringing Free Software to the world.

To get a new Plasma feature or a bugfix mentioned here

Push a commit to the relevant merge request on invent.kde.org.

Let’s go for my web review for the week 2026-08.

I love the work of the ArchWiki maintainers

Tags: tech, linux, documentation

This is indeed an excellent technical documentation wiki for the Linux ecosystem.

https://k7r.eu/i-love-the-work-of-the-archwiki-maintainers/

Four Lessons From Civic Tech

Tags: tech, politics, commons, business

Interesting lessons indeed. Especially the first one: “Technology is inherently political, and anyone telling you otherwise is trying to hide their politics.” As tech people we too often forget this is all “sociotechnical”, no tech is designed and used in a vacuum.

https://pagedout.institute/download/PagedOut_008.pdf#%5B%7B%22num%22%3A72%2C%22gen%22%3A0%7D%2C%7B%22name%22%3A%22XYZ%22%7D%2Cnull%2Cnull%2Cnull%5D

Hold on to Your Hardware

Tags: tech, hardware, ai, machine-learning, gpt, economics

Are we on the verge to a push toward a mainframe based future? I really hope not, but for sure the hardware prices surging won’t make things easy.

https://xn–gckvb8fzb.com/hold-on-to-your-hardware/

The case for gatekeeping, or: why medieval guilds had it figured out

Tags: tech, foss, community, craftsmanship, ai, copilot, slop

Kind of resonate oddly with the string of talks I gave talking about craftsmanship a decade ago. Looks like FOSS communities at large have no choice but get inspired by such old practice.

https://www.joanwestenberg.com/the-case-for-gatekeeping-or-why-medieval-guilds-had-it-figured-out/

Open-source game engine Godot is drowning in ‘AI slop’ code contributions

Tags: tech, ai, machine-learning, copilot, slop, github

Another example of how much of a problem this is for some projects. Of course it is compounded by having so many projects on GitHub, this pushes people to try to farm for activity to attempt to make their resume look good. This is sad.

https://www.pcgamer.com/software/platforms/open-source-game-engine-godot-is-drowning-in-ai-slop-code-contributions-i-dont-know-how-long-we-can-keep-it-up/

What Your Bluetooth Devices Reveal About You

Tags: tech, bluetooth, security, privacy

Bluetooth might be convenient, clearly it leads to metadata leakage though.

https://blog.dmcc.io/journal/2026-bluetooth-privacy-bluehood/

Obfuscate data by hiding it in images

Tags: tech, security, cryptography, colors, graphics

I’ve always been fascinated by steganography. It’s a good reminder that the basics are fairly simple.

https://pagedout.institute/download/PagedOut_008.pdf#%5B%7B%22num%22%3A172%2C%22gen%22%3A0%7D%2C%7B%22name%22%3A%22XYZ%22%7D%2Cnull%2Cnull%2Cnull%5D

Self-hosting my websites using bootable containers

Tags: tech, linux, bootc, system, systemd, self-hosting

Interesting setup for self hosting on immutable infrastructure using bootc.

https://yorickpeterse.com/articles/self-hosting-my-websites-using-bootable-containers/

TIL: Docker log rotation

Tags: tech, docker, logging

I find surprising it’s not by default… But here we are.

https://ntietz.com/blog/til-docker-log-rotation/

Compendium

Tags: tech, system, observability, strace, linux

Still very young but it looks like it might become a nice and friendly alternative to strace.

https://pker.xyz/posts/compendium

Linux terminal emulator architecture

Tags: tech, linux, terminal, system

A good one page primer on how terminal emulators are designed.

https://pagedout.institute/download/PagedOut_008.pdf#%5B%7B%22num%22%3A90%2C%22gen%22%3A0%7D%2C%7B%22name%22%3A%22XYZ%22%7D%2Cnull%2Cnull%2Cnull%5D

Runtime validation in type annotations

Tags: tech, python, type-systems

Interesting new tricks with the introspection of Python type annotations.

https://blog.natfu.be/validation-in-type-annotations/

How bad can Python stop-the-world pauses get?

Tags: tech, python, memory, performance

Of course it’s a question of the amount of allocations you need.

https://lemire.me/blog/2026/02/15/how-bad-can-python-stop-the-world-pauses-get/

C++26: std::is_within_lifetime

Tags: tech, c++, type-systems

A small change in the standard, but it opens the door to interesting uses.

https://www.sandordargo.com/blog/2026/02/18/cpp26-std_is_within_lifetime

spix: UI test automation library for QtQuick/QML Apps

Tags: tech, qt, tests, gui

Still young but looks like a nice option to write GUI tests for Qt based applications.

https://github.com/faaxm/spix?tab=readme-ov-file

Fast sorting, branchless by design

Tags: tech, algorithm, security

Didn’t know about sorting networks. They have interesting properties and are definitely good options on modern hardware.

https://00f.net/2026/02/17/sorting-without-leaking-secrets/

How Michael Abrash doubled Quake framerate

Tags: tech, game, optimisation, assembly, graphics

Interesting insights from optimisations done on the Quake engine almost thirty years ago.

https://fabiensanglard.net/quake_asm_optimizations/index.html

Font Rendering from First Principles

Tags: tech, fonts, graphics

We take font rendering for granted but this is more complex than one might think.

https://mccloskeybr.com/articles/font_rendering.html

Modern CSS Code Snippets

Tags: tech, web, frontend, css

Another nice resource to discover newer CSS idioms.

https://modern-css.com/

Stop Guessing Worker Counts

Tags: tech, distributed, messaging, performance

We got some math for that! No need to guess.

https://pagedout.institute/download/PagedOut_008.pdf#%5B%7B%22num%22%3A118%2C%22gen%22%3A0%7D%2C%7B%22name%22%3A%22XYZ%22%7D%2Cnull%2Cnull%2Cnull%5D

The 12-Factor App - 15 Years later. Does it Still Hold Up in 2026?

Tags: tech, services, infrastructure, cloud, devops

A bit buzzword oriented, still I think it’s true that most of those principles make sense.

https://lukasniessen.medium.com/the-12-factor-app-15-years-later-does-it-still-hold-up-in-2026-c8af494e8465

The only developer productivity metrics that matter

Tags: tech, agile, productivity, metrics

I agree with this very much. The only productivity metric in the end is the end-user satisfaction.

https://genehack.blog/2026/02/the-only-developer-productivity-metrics-that-matter/

You can code only 4 hours per day. Here’s why.

Tags: tech, engineering, cognition, organisation, communication, productivity

Quite some good tips in there. If you want to do deep work you need to arrange your organisation for it. Using asynchronous communication more is also key in my opinion.

https://newsletter.techworld-with-milan.com/p/you-can-code-only-4-hours-per-day

Poor Deming never stood a chance

Tags: management, leadership

Interesting comparison of Drucker’s and Deming’s approaches to management. One is easier while the other is clearly demanding but brings lasting improvements.

https://surfingcomplexity.blog/2026/02/16/poor-deming-never-stood-a-chance/

In a blind test, audiophiles couldn’t tell the difference between audio signals sent through copper wire, a banana, or wet mud

Tags: audio, music, physics, funny

Can we stop with the audiophile snobbery now?

https://www.tomshardware.com/speakers/in-a-blind-test-audiophiles-couldnt-tell-the-difference-between-audio-signals-sent-through-copper-wire-a-banana-or-wet-mud-the-mud-should-sound-perfectly-awful-but-it-doesnt-notes-the-experiment-creator

Bye for now!

Today we're releasing the second beta of Krita 5.3.0 and Krita 6.0.0. Our thanks to all the people who have tested the first beta. We received 49 bug reports in total, of which we managed to resolve 14 for this release.

Note that 6.0.0-beta2 has more issues, especially on Linux and Wayland, than 5.3.0-beta2. If you want to combine beta testing with actual productive work, it's best to test 5.3.0-beta2, since 5.3.0 will remain the recommended version of Krita for now.

This release also has the new splash screen by Tyson Tan - "Kiki Paints Over the Waves"!

To learn about everything that has changed, check the release notes!

5.3.0-beta2 Download

Windows

If you're using the portable zip files, just open the zip file in Explorer and drag the folder somewhere convenient, then double-click on the Krita icon in the folder. This will not impact an installed version of Krita, though it will share your settings and custom resources with your regular installed version of Krita. For reporting crashes, also get the debug symbols folder.

[!NOTE] We are no longer making 32-bit Windows builds.

• 64 bits Windows Installer: krita-x64-5.3.0-beta2-setup.exe

• Portable 64 bits Windows: krita-x64-5.3.0-beta2.zip

• Debug symbols. (Unpack in the Krita installation folder)

Linux

Note: starting with recent releases, the minimum supported distro versions may change.

[!WARNING] Starting with recent AppImage runtime updates, some AppImageLauncher versions may be incompatible. See AppImage runtime docs for troubleshooting.

• 64 bits Linux: krita-5.3.0-beta2-x86_64.AppImage

MacOS

Note: minimum supported MacOS may change between releases.

• MacOS disk image: krita-5.3.0-beta2-signed.dmg

Android

Krita on Android is still beta; tablets only.

• 64 bits Intel CPU APK

• 64 bits Arm CPU APK

• 32 bits Arm CPU APK

Source code

You can build Krita 5.3 using the Krita 6.0.0.source archives. The difference is which version of Qt you build against.

md5sum

For all downloads, visit https://download.kde.org/unstable/krita/5.3.0-beta2/ and click on "Details" to get the hashes.

6.0.0-beta2 Download

Windows

If you're using the portable zip files, just open the zip file in Explorer and drag the folder somewhere convenient, then double-click on the Krita icon in the folder. This will not impact an installed version of Krita, though it will share your settings and custom resources with your regular installed version of Krita. For reporting crashes, also get the debug symbols folder.

[!NOTE] We are no longer making 32-bit Windows builds.

• 64 bits Windows Installer: krita-x64-6.0.0-beta2-setup.exe

• Portable 64 bits Windows: krita-x64-6.0.0-beta2.zip

• Debug symbols. (Unpack in the Krita installation folder)

Linux

Note: starting with recent releases, the minimum supported distro versions may change.

[!WARNING] Starting with recent AppImage runtime updates, some AppImageLauncher versions may be incompatible. See AppImage runtime docs for troubleshooting.

• 64 bits Linux: krita-6.0.0-beta2-x86_64.AppImage

MacOS

Note: minimum supported MacOS may change between releases.

• MacOS disk image: krita-6.0.0-beta2-signed.dmg

Android

Due to issues with Qt6 and Android, we cannot make APK builds for Android of Krita 6.0.0-beta2.

Source code

• krita-6.0.0-beta2.tar.gz

• krita-6.0.0-beta2.tar.xz

md5sum

For all downloads, visit https://download.kde.org/unstable/krita/6.0.0-beta2/ and click on "Details" to get the hashes.

Key

The Linux AppImage and the source tarballs are signed. You can retrieve the public key here. The signatures are here (filenames ending in .sig).

Automating Repetitive GUI Interactions in Embedded Development with Spix

git subrepo add 3rdparty/spix git@github.com:faaxm/spix.git

LIST(APPEND CMAKE_MODULE_PATH /home/christoph/KDAB/spix/cmake/modules)
find_package(Spix REQUIRED)

target_link_libraries(myApp
  PRIVATE Qt6::Core
          Qt6::Quick 
          Qt6::SerialPort 
          Spix::Spix
)

#include <Spix/AnyRpcServer.h>
#include <Spix/QtQmlBot.h>
[...]

//Start the actual Runner/Server
spix::AnyRpcServer server;
auto bot = new spix::QtQmlBot();
bot->runTestServer(server);

import xmlrpc.client

session = xmlrpc.client.ServerProxy('http://localhost:9000')

session.inputText('mainWindow/userField', 'christoph')
session.inputText('mainWindow/passwordField', 'secret') 
session.mouseClick('mainWindow/"Login"')

import xmlrpc.client

session = xmlrpc.client.ServerProxy('http://localhost:9000')

[...]
session.takeScreenshot('mainWindow', '/tmp/screenshot.png')k

from skimage import io
from skimage.metrics import structural_similarity as ssim

screenshot1 = io.imread('/tmp/reference.png', as_gray=True)
screenshot2 = io.imread('/tmp/screenshot.png', as_gray=True)

ssim_index = ssim(screenshot1, screenshot2, data_range=screenshot1.max() - screenshot1.min())

threshold = 0.95

if ssim_index == 1.0: 
    print("The screenshots are a perfect match")
elif ssim_index >= threshold:
    print("The screenshots are similar, similarity: " + str(ssim_index * 100) + "%")
else:
    print("The screenshots are not similar at all, similarity: " + str(ssim_index * 100) + "%")

import cv2

image1 = cv2.imread('/tmp/reference.png')
image2 = cv2.imread('/tmp/screenshot.png')

diff = cv2.absdiff(image1, image2)

# Convert the difference image to grayscale
gray = cv2.cvtColor(diff, cv2.COLOR_BGR2GRAY)

# Threshold the grayscale image to get a binary image
_, thresh = cv2.threshold(gray, 30, 255, cv2.THRESH_BINARY)

contours, _ = cv2.findContours(thresh, cv2.RETR_EXTERNAL, cv2.CHAIN_APPROX_SIMPLE)
cv2.drawContours(image1, contours, -1, (0, 0, 255), 2)

cv2.imshow('Difference Image', image1)
cv2.waitKey(0)

Defective Image

The script marked the defective parts of the image compared to the should-be image.

The post Automating Repetitive GUI Interactions in Embedded Development with Spix appeared first on KDAB.

The UN Open Source Principles are comprised of eight guidelines and provide a framework to guide the use, development and sharing of open source software across the United Nations. This is part of the UN's Open Source United (OSU) initiative, which aims to coordinate and increase open source efforts across the United Nations system.

According to OSU:

"Across the UN, teams are building powerful digital tools, but much of this work is isolated. Open Source United breaks these silos, encourages collaboration, and makes innovation easier to share and reuse. By working together, we deliver solutions that are more transparent, sustainable, and cost-effective."

Alongside another 119 FLOSS organisations, KDE will support the effort to connect UN teams and their partners, as well as the global community, encouraging them to share, discover and reuse open-source solutions in their work to carry out the UN’s mission worldwide.

Qt for MCUs 2.11.2 LTS has been released and is available for download. This patch release provides bug fixes and other improvements while maintaining source compatibility with Qt for MCUs 2.11 (see Qt for MCUs 2.11 LTS released). This release does not add any new functionality.

In my last post, I made a solemn vow to not touch Kapsule for a week. Focus on the day job. Be a responsible adult.

Success level: medium.

I did get significantly more day-job work done than the previous week, so partial credit there. But my wife's mother and sister are visiting from Japan, and they're really into horror movies. I am not. So while they were watching people get chased through dark corridors by things with too many teeth, I was in the other room hacking on container pipelines with zero guilt. Sometimes the stars just align.

Here's what came out of that guilt-free hack time.

Konsole integration: it's actually done

The two Konsole merge requests from the last post—!1178 (containers in the New Tab menu) and !1179 (container association with profiles)—are merged. They're in Konsole now. Shipped.

Building on that foundation, I've got two more MRs up:

!1182 adds the KapsuleDetector—the piece that actually wires Kapsule into Konsole's container framework. It uses libkapsule-qt to list containers over D-Bus and OSC 777 escape sequences for in-session detection, following the same pattern as the existing Toolbox and Distrobox detectors. It also handles default containers: even if you haven't created any containers yet, the distro-configured default shows up in the menu so you can get into a dev environment in one click.

!1183 is a small quality-of-life addition: when containers are present, a Host section appears at the top of the container menu showing your machine's hostname. Click it, and you get a plain host terminal. This matters because once you set a container as your default, you need a way to get back to the host without going through settings. Obvious in hindsight.

The OSC 777 side of this lives in Kapsule itself—kapsule enter now emits container;push / container;pop escape sequences so Konsole knows when you've entered or left a container. This is how the tab title and container indicator stay in sync.

Four merge requests across two repos (Konsole and Kapsule) to get from "Konsole doesn't know Kapsule exists" to "your containers are in the New Tab menu and your terminal knows when you're inside one." Not bad for horror movie time.

Configurable host mounts: the trust dial is real

In the last post, I talked about making filesystem mounts configurable—turning the trust model into a dial rather than a switch. That's shipped now.

--no-mount-home does what it says—your home directory stays on the host, the container gets its own. --custom-mounts lets you selectively share specific directories. And --no-host-rootfs goes further, removing the full host filesystem mount entirely and providing only the targeted socket mounts needed for Wayland, audio, and display to work.

The use case I had in mind was sandboxing AI coding agents and other tools you don't fully trust with your home directory. But it's also useful for just keeping things clean—some containers don't need to see your host files at all.

Snap works now

Here's a screenshot of Firefox running in a Kapsule container on KDE Linux, installed via Snap:

I expected this one to be a multi-day ordeal. It wasn't.

Snap apps—like Firefox on Ubuntu—run in their own mount namespace, and snap-update-ns can't follow symlinks that point into /.kapsule/host/. So our Wayland, PipeWire, PulseAudio, and X11 socket symlinks were invisible to anything running under Snap, resulting in helpful errors like "Failed to connect to Wayland display."

The fix was straightforward: replace all those symlinks with bind mounts via nsenter. Bind mounts make the sockets appear as real files in the container's filesystem, so Snap's mount namespace setup handles them correctly. That was basically it.

While I was in there, I batched all the mount operations into a single nsenter call instead of running separate incus exec invocations per socket. That brought the mount setup from "noticeably slow" to "instant"—roughly 10-20x faster on a cold cache. And the mount state is now cached per container, so subsequent kapsule enter calls skip the work entirely.

NVIDIA GPU support (experimental)

This one's interesting both technically and in terms of where it's going.

Kapsule containers are privileged by design—that's what lets us do nesting, host networking, and all the other things that make them feel like real development environments. The problem is that upstream Incus and LXC both reject their NVIDIA runtime integration on privileged containers. The upstream LXC hook expects user-namespace UID/GID remapping, and the default codepath wants to manage cgroups for device isolation. Neither applies to our containers.

So I wrote a custom LXC mount hook that runs nvidia-container-cli directly with --no-cgroups (privileged containers have unrestricted device access anyway) and --no-devbind (Incus's GPU device type already passes the device nodes through). This leaves nvidia-container-cli with exactly one job: bind-mount the host's NVIDIA userspace libraries into the container rootfs so CUDA, OpenGL, and Vulkan work without the container image shipping its own driver stack.

There's a catch, though. On Arch Linux, the injected NVIDIA libraries conflict with mesa packages. The container's package manager thinks mesa owns those files, and now there are mystery bind-mounts shadowing them. It works, but it's ugly and will cause problems during package updates. I hit this on Arch first, but I'd be surprised if other distros don't have the same issue—any distro where mesa owns those library paths is going to complain.

So NVIDIA support is disabled by default for now. The plan: build Kapsule-specific container images that ship stub packages for the conflicting files, and have images opt-in to NVIDIA driver injection via metadata. Two independent flags control the behavior: --no-gpu disables device passthrough entirely (still on by default), and --nvidia-drivers enables the driver injection.

Architecture: pipelines all the way down

The biggest behind-the-scenes change in v0.2.1 is the complete restructuring of container creation. The old container_service.py was a 1,265-line monolith that did everything sequentially in one massive function. It's gone now.

In its place is a decorator-based pipeline system. Container creation is a series of composable steps, each a standalone async function that handles one concern:

Pre-creation:     validate → parse image → build config → store options → build devices
Incus API call:   create instance
Post-creation:    host network fixups → file capabilities → session mode
User setup:       mount home → create account → configure sudo → custom mounts → host dirs → enable linger → mark mapped

Each step is registered with an explicit order number and gaps of 100 between steps, so inserting new functionality doesn't require renumbering everything. The decorator handles sorting by priority with stable tie-breaking, so import order doesn't matter.

This pattern worked well enough that I plan to extend it to other large operations—delete, start, stop—as they accumulate their own pre/post logic.

On the same theme of "define it once, use it everywhere": container creation options are now defined in a single Python schema that serves as the source of truth for the daemon's validation, the D-Bus interface (which now uses a{sv} variant dicts, so adding an option never changes the method signature), and the C++ CLI's flag generation. Add a new option in Python, recompile the CLI, and you've got a --flag with help text and type validation. Zero manual C++ work.

The long-term plan is to use this same schema to dynamically generate the graphical UI in a future KCM. Define the option once, get the CLI flag, the D-Bus parameter, the daemon validation, and the Settings page widget—all from the same schema.

First external contributor

Marie Ramlow (@meowrie) submitted a fix for PATH handling on NixOS—the first external contribution to Kapsule. I don't have a NixOS setup to test it on, so this one's on trust. That's open source for you: someone shows up, fixes a problem you can't even reproduce, and you merge it with gratitude and a prayer.

Testing

The integration test suite grew substantially. New tests cover host mount modes, custom mount options, OSC 777 escape sequence emission, and socket passthrough. The test runner now does two full passes—once with the default full-rootfs mount and once with --no-host-rootfs—to verify both configurations work.

Bugs caught during testing that would have been embarrassing in production: a race condition in the Incus client where sequential device additions could clobber each other (the client wasn't waiting for PUT operations to complete), and Alpine containers failing because they don't ship /etc/sudoers.d by default.

CI/CD: of all the things to break

I finally built out the CI/CD pipelines. They use the same kde-linux-builder image that builds KDE Linux itself—mainly because it's one of the few CI images with sudo access enabled, which we need for Incus operations.

The good news: the pipeline successfully builds the entire project, packages it into a sysext, deploys it to a VM, and runs the integration tests. That whole chain works. I was pretty pleased with myself for about ten minutes.

The bad news: when the first test tries to actually create a container, the entire CI job dies. Not "the test fails." Not "the runner reports an error." The whole thing just... stops. No exit code, no error message, no logs after that point. Nothing.

I'm fairly sure it's causing a kernel panic in the CI runner's VM. Which is, you know, not great.

Debugging this has been miserable. I can't get any logs after the panic because there are no logs—the kernel is gone. I tried adding debug prints before each step in the container creation pipeline to isolate exactly where it dies. The prints don't come through either, probably because of output buffering, or maybe the runner agent doesn't get a chance to stream the output to GitLab before the entire VM goes down.

The weird part: it's not a nested virtualization issue. Regular Incus works fine on the same runner—you can create containers interactively, no problem. And it doesn't reproduce on KDE Linux at all. Something about the specific combination of the CI environment and Kapsule's container creation path is triggering it, and I have no way to see what.

I've shelved this for now. The pipeline is there, the build and deploy stages work, and the tests would work if the runner didn't kernel panic when Kapsule tries to create a container. If anyone reading this has ideas, I'm all ears.

What's next: custom container images

The biggest item on my plate is custom container images. Right now, Kapsule uses stock distribution images from the Incus image server. They work, but they're not optimized for our use case—things like the NVIDIA stub packages I mentioned above need to live somewhere, and "just install them at container creation time" adds latency and fragility.

Incus uses distrobuilder for image creation, so the plan is straightforward: image definitions live in a directory in the Kapsule repo, a CI pipeline invokes distrobuilder to build them, and the images get published to a server.

The "published to a server" part is where it gets political. I talked to Ben Cooksley about hosting Kapsule images on KDE infrastructure, and he's—understandably—not yet convinced that Kapsule needs its own image server. It's a fair pushback. This is all still experimental, and spinning up image hosting infrastructure for a project that might change direction is a reasonable thing to be cautious about.

So for now, I'll host the images on my own server. They probably won't be the default, since the server is in the US and download speeds won't be great for everyone. But they'll be available for testing and for anyone who wants the NVIDIA integration or other Kapsule-specific tweaks. I'll bug Ben again when the image story is more fleshed out and there's a clearer case for why KDE infrastructure should host them.

Beyond that: get the Konsole MRs (!1182 and !1183) reviewed and merged, and figure out why CI kills the kernel. The usual.