Powered by Linux kernel 6.12, Rocky Linux 10.2 has been officially released as the latest update in the project’s Enterprise Linux 10 series, following yesterday’s Rocky Linux 9.8 release and the recent RHEL 10.2 update.
Rocky Linux 10.2 expands post-quantum cryptography support in components such as OpenSSH, libssh, Directory Server, p11-kit, and Podman tools. In light of this, OpenSSH now supports ML-KEM hybrid key exchange in FIPS mode, and libssh introduces hybrid post-quantum and traditional key exchange methods combining ML-KEM with ECDH.
This release also updates the FUTURE system-wide cryptographic policy to allow only hybrid ML-KEM key exchange algorithms, removing traditional non-post-quantum methods. The Rocky team cautions that this may disrupt connections to endpoints lacking post-quantum cryptography support, including most public internet services. The default cryptographic policy remains unchanged.
For desktop environments, Rocky Linux 10.2 now delivers Firefox and Thunderbird as Flatpaks by default. When a graphical environment is chosen, the Anaconda installer installs the Flatpak versions automatically. RPM packages remain available in AppStream throughout the Rocky Linux 10 lifecycle, and administrators can override this behavior using Kickstart.
The installer and image creation stack have been updated as well. The default /boot partition size is now 2 GiB, accommodating larger initramfs images. Additionally, a new rdp Kickstart command enables headless graphical installations over RDP.
On top of that, the Image Builder Cockpit application can now create bootable container and disk images. Support for stateless PXE images for HPC and diskless systems is available through the pxe-tar-xz output format.
The software stack has been updated across languages, databases, compilers, and infrastructure services. Rocky Linux 10.2 now includes Node.js 24, PHP 8.4, Ruby 4.0, Python 3.14, OpenJDK 25, Apache HTTP Server 2.4.63, MariaDB 11.8, and PostgreSQL 18.
The system toolchain now features GCC 14.3, glibc 2.39, Annobin 13.02, and Binutils 2.41. Additional toolsets include GCC Toolset 15 with GCC 15.2 and Binutils 2.44, LLVM Toolset 21.1.8, Rust Toolset 1.92, and Go Toolset 1.26.2. Performance and debugging tools have been updated, including GDB 16.3, Valgrind 3.26, SystemTap 5.4, elfutils 0.194, and PCP 7.0.3.
Security updates feature Keylime Agent 0.2.9 with an agent-driven push attestation model, expanded hardware cryptography support, the new clevis-pin-trustee package for automated LUKS volume decryption via remote attestation, and fapolicyd 1.4.3 with rule filtering. Rocky Linux 10.2 also introduces a smaller libreswan-minimal subpackage for container images and SELinux confinement for the redfish-finder service.
Networking updates include full support for PRP and HSR industrial redundancy protocols, with VLAN segmentation on HSR and PRP interfaces. Nftables is now at version 1.1.5, offering reduced memory usage for sets and maps. Rocky Linux 10.2 also adds Wi-Fi 7 hardware support, new firewalld policy sets, and a configurable lower TCP retransmission timeout.
Virtualization enhancements include native Forced Unit Access I/O support in QEMU, new virtio-win components for direct host-to-Windows-VM socket communication, encrypted libvirt secrets via the new virt-secrets-init-encryption service, and improved backup job handling when a guest shuts down during backup. Intel TDX now supports local PCCS attestation in air-gapped environments.
For containers, Podman now uses Sequoia-PGP for OpenPGP image signature verification, supporting post-quantum algorithms. Podman 5.8.2 introduces automatic BoltDB-to-SQLite migration on reboot, a new podman quadlet install command, quadlet REST APIs, and an unless-stopped restart policy that persists across reboots.
Rocky Linux 10.2 includes Cockpit 356, which adds a health dashboard warning for unclean shutdowns, custom branding via /etc/cockpit/branding.css, detachable VNC console windows, quadlet lifecycle management in cockpit-podman, and a file manager that can create empty files.
Last but not least, the Rocky team highlights several workflow changes for administrators to review before upgrading. Both PHP 8.4 and PHP 8.3 are now available, so dependency resolution may select different PHP package streams depending on the installed package.
Moreover, the vi command no longer launches full Vim when both vim-minimal and vim-enhanced are present; users must run vim explicitly for the full editor. Plus, Windows Server 2012 R2 Active Directory trust configuration is no longer supported, and SCTP transport for knet is deprecated in Corosync.
For additional details, see the announcement.
Existing Rocky Linux 10 users can upgrade to Rocky Linux 10.2 from the command line by running sudo dnf -y upgrade. Desktop users can upgrade using GNOME Software or KDE Discover. As before, Rocky Linux does not support upgrades between major versions, so moving from Rocky Linux 9 to 10 requires a fresh installation.
Users of other Enterprise Linux 10 compatible distributions can use the migrate2rocky utilities to convert existing systems to Rocky Linux 10.
