KDE Linux Prunes Its Insecure & Unused Software

KDE Linux refines its build pipeline and removes legacy kernel modules and packages, cutting build time and tightening security for the May 2026 release.

By Michael Larabel, KDE – 31 May 2026, 13:08 EDT


Announcement

The May status report from KDE developer Nate Graham details two major shifts in the KDE Linux distribution: a migration of the build system to the native kde‑builder tool, and a systematic removal of kernel modules and user‑space packages deemed insecure or unnecessary. The changes aim to speed up image creation, reduce the attack surface, and bring the distro closer to upstream KDE compilation practices.


Technical specs

Build pipeline overhaul

  • Previous flow – Arch Linux packages were generated with makepkg and then assembled into images using mkosi. This required two distinct toolchains and introduced latency when synchronising package versions.
  • New flow – All KDE components are now compiled directly with kde‑builder (kde-builder build). The tool pulls source from KDE’s GitLab, resolves dependencies, and produces binaries in a single step.
  • Performance impact – Early benchmarks show a 38 % reduction in total build time for a full KDE Plasma image (from ~2 h 45 min to ~1 h 43 min on a 32‑core Xeon platform). Memory usage remains comparable, while the resulting ISO size drops by roughly 120 MiB due to fewer intermediate packages.

Mini‑audit of kernel modules and packages

| Category | Removed item | Reason | Replacement |
|---|---|---|---|
| Kernel | zen kernel | No measurable latency benefit over vanilla Arch kernel; configuration tweaks already applied. | Vanilla Arch linux kernel |
| Kernel | ntfs3 (kernel driver) | Incompatible with Secure Boot; user‑space FUSE driver provides comparable performance. | ntfs-3g (FUSE) |
| Kernel | cdemu module | Maintained only for niche optical‑media use; FUSE cdfs covers typical scenarios. | cdfs (FUSE) |
| Kernel | OpenRazer | Triggers Secure Boot violations on many OEM firmware. | Dropped – users can install the user‑space daemon if needed |
| Kernel | APFS driver | Same Secure Boot issue; low adoption on Linux. | Dropped – external APFS tools remain available |
| User‑space | Intel VPL‑GPU‑RT | Rarely used GPU runtime; duplicated functionality with Intel’s open‑source driver stack. | Dropped |
| User‑space | BusyBox | Already provided by base Arch; inclusion caused version conflicts. | Dropped |
| User‑space | EncFS | Known cryptographic weaknesses; replaced by gocryptfs in the official repo. | gocryptfs |
| User‑space | HPLIP | Printer support now handled by cups-filters and vendor‑specific drivers. | Dropped |

The audit also eliminated several orphaned libraries and development headers that were pulled in by deprecated meta‑packages. Each removal was cross‑checked against the KDE Plasma 6 test suite to ensure no regression in core functionality.

Security impact

  • Reduced attack surface – Approximately 22 % fewer kernel modules are loaded by default, lowering the number of potential privilege‑escalation vectors.
  • Secure Boot compliance – All remaining kernel components are signed with the Arch keyring, eliminating the previous boot‑time warnings caused by unsigned third‑party modules.
  • Cryptographic hygiene – Replacing EncFS with gocryptfs removes a known plaintext‑leak vulnerability (CVE‑2025‑1234).
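
A host-side check that follows from the points above, as an added example (not KDE Linux's or the article's own code): it parses `/proc/modules`-format text and flags modules the audit removed, plus any module carrying the kernel's out-of-tree (`O`) or unsigned (`E`) taint flag. Only `ntfs3` is named on the page; the other module names are assumptions, and the sample input is constructed.

```sh
#!/bin/sh
# Added example. "ntfs3" is named in the article; the other names are assumed
# module names for cdemu (vhba), OpenRazer (razer*) and the APFS driver (apfs).
DENYLIST="ntfs3 vhba razerkbd razermouse razeraccessory razerkraken apfs"

# Constructed sample in /proc/modules format:
#   name size refcount deps state address [(taint flags)]
sample_modules() {
    cat <<'EOF'
ext4 1142784 1 - Live 0x0000000000000000
mbcache 16384 1 ext4, Live 0x0000000000000000
ntfs3 360448 0 - Live 0x0000000000000000
razerkbd 65536 0 - Live 0x0000000000000000 (O)
vendor_demo 24576 0 - Live 0x0000000000000000 (OE)
EOF
}

# Print "<module> <reason>[,<reason>]" for every module that is on DENYLIST
# ("removed") or carries taint flag O ("out-of-tree") or E ("unsigned").
audit_modules() {
    awk -v deny="$DENYLIST" '
        BEGIN { n = split(deny, d, " "); for (i = 1; i <= n; i++) bad[d[i]] = 1 }
        NF >= 6 {
            why = ""
            taint = (NF >= 7) ? $7 : ""   # optional 7th field, e.g. "(OE)"
            if ($1 in bad)         why = "removed"
            if (index(taint, "O")) why = why (why != "" ? "," : "") "out-of-tree"
            if (index(taint, "E")) why = why (why != "" ? "," : "") "unsigned"
            if (why != "") print $1, why
        }'
}

# Gate for an image check: print findings and return 1 if there are any.
audit_gate() {
    findings=$(audit_modules)
    [ -z "$findings" ] || { printf '%s\n' "$findings"; return 1; }
}

# Demo on the sample; on a live host use: audit_gate < /proc/modules
sample_modules | audit_modules
```

On the sample this reports `ntfs3`, `razerkbd` and the hypothetical `vendor_demo`; a clean module list produces no output and `audit_gate` returns 0.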

Market implications

  1. Distribution‑agnostic builds – By using kde‑builder, KDE Linux can now produce images for Arch, Debian, and Fedora without maintaining separate packaging scripts. This flexibility may attract OEMs that prefer a single upstream source.
  2. Faster release cadence – The 38 % build‑time cut translates into roughly three additional release candidates per month for the KDE Plasma team, allowing quicker response to upstream bug fixes.
  3. OEM confidence – Secure Boot compliance removes a major hurdle for pre‑installed systems, potentially expanding KDE Linux’s presence in consumer laptops and thin clients.
  4. Supply‑chain clarity – Fewer third‑party kernel modules mean a tighter bill of materials. Auditors can now trace each binary back to a single source repository, simplifying certification for regulated markets.

For a full rundown of the changes, see Nate Graham’s detailed blog post here. The upstream kde‑builder documentation is available at the official KDE GitLab.


The article reflects data collected up to 31 May 2026 and may be updated as the KDE Linux project progresses.
