Fedora is a Trademark of Red Hat, Inc, an operating system built by volunteers around the world. This page is provided so that independent volunteers can showcase our contributions to Fedora and Free Software in general. Official Fedora Download page.

RSS Atom

We Make Fedora

August 04, 2021

• Peter Czanik Using the udp-balancer() source of syslog-ng PE

  UDP-based log collection is so last century. We had TCP-based log collection for decades and TLS encryption to secure connections. Still, UDP is in wide use, especially at large companies and industrial automation, where every change is slow. In most cases, UDP logging is used by networking devices, but sometimes it is just left there from ancient times and people are reluctant to change it. In either case, at higher message rates it can lead to performance problems and thus to message loss.

  Originally, the udp() source of syslog-ng was single-threaded. That does not scale well with typical multi-core CPUs with slower cores. There are many tricks to enhance UDP performance in syslog-ng. Combining those with the udp-balancer() source of syslog-ng PE gives the most reliable solution.

  Before you begin

  While much of what I write here applies to syslog-ng OSE as well, the udp-balancer() is a feature specific to syslog-ng Premium Edition (PE). Syslog-ng PE is the commercial variant of syslog-ng, lacking some of the more experimental features of the open-source edition (OSE) and adding a few extra features mostly related to cloud and compliance. Or in this case: collecting UDP log messages at a high message rate. It has been available for quite some time now, but as usual, using the latest version is recommended. I did my tests using syslog-ng PE 7.0.25. Note that even though syslog-ng PE supports RHEL 7, udp-balancer() itself is not supported by that OS.

  If you do not have syslog-ng PE yet, contact One Identity sales for a trial version at https://www.syslog-ng.com/products/log-management-software/

  Why udp-balancer()?

  Configuring an udp() source can be a frustrating experience. You have to consider the amount of traffic, how is it distributed among source hosts in time and proportion, the network card and even single core CPU performance. With the udp-balancer() of syslog-ng PE, you only need to configure it once and you can use it in just about any situation without caring about the details. The udp-balancer() source uses eBPF to distribute incoming log messages among multiple listeners. This means that no matter the number of log sources and the distribution of incoming log messages over time and hosts, syslog-ng PE can utilize the hardware efficiently while also reducing the chance of message loss.

  UDP traffic: from minor to major

  In the next few paragraphs, I’ll show you the different UDP logging scenarios and the configuration settings to consider. Even if you have some doubts now, by the end you will appreciate the simplicity of using the udp-balancer() source.

  The basics

  If you have a low UDP message rate, there is no need to tune anything, syslog-ng will handle it just fine. But if the message rate has some bursts or constantly over a few thousands messages a second, it is time to tune the Linux kernel and syslog-ng for UDP. For these moderate message rates, tuning buffers is usually enough by:

  • Changing the net.core.rmem_max sysctl value.

  • Increasing the value of the log_fifo_size() option.

  • Increasing the value of so-rcvbuf() at the UDP source to match rmem_max.

  This way, incoming UDP packages can be buffered by the Linux kernel and can be kept there while syslog-ng works through incoming messages.

  For more details about these values, check the syslog-ng PE documentation at https://www.syslog-ng.com/technical-documents/doc/syslog-ng-premium-edition/7.0.25/collecting-log-messages-from-udp-sources

  Few logs from many hosts

  Once you have even higher message rates (higher here depends also on the hardware), things get complicated. You’ll start to lose log messages, as a single thread cannot keep up with the flood of incoming logs. If you collect logs from many hosts, and none of them send logs at a high message rate, there is still some hope in the form of so-reuseport(). Using this option, syslog-ng can open multiple listeners on the same UDP port, and the kernel distributes incoming packages among listeners based on source IP addresses. Of course, it only works with many sources that do not have too high message rates. As soon as there is a host with high message rate, messages cannot be distributed evenly among listeners. The balance is lost, and message loss goes up.

  When a single UDP port cannot handle the load anymore, you can open additional UDP sources in syslog-ng. But doing so requires extra configuration on the server side and also re-configuring part of your clients to direct them to the other ports.

  Lots of logs from a few hosts

  The most typical situation for UDP logging is that there are many logs from just one or a few hosts, for example a router or a firewall trying to document each and every connection going through the device. As so-reuseport() distributes packages based on the source IP address, that feature cannot help here.

  This is where the udp-balancer() source of syslog-ng PE can come handy. It is using eBPF to distribute incoming UDP packages evenly among listeners. You do not have to open multiple ports and reconfigure your clients to make use of them.

  Best of all: using the udp-balancer() source of syslog-ng PE is not specific to high-performance log collection. You can use it in any situation when you collect log messages over UDP.

  Testing

  Ideally, I would do testing on a 10GBit network, but that is not (yet) available in my home network. That is how I ended up testing from the localhost with a virtually unlimited network connection.

  I configured a 256MB buffer:

  sysctl -w net.core.rmem_max=268435456

  And used the following syslog-ng configuration with matching buffer sizes. It is based on the default syslog-ng PE configuration, but I added a new source (with the traditional and the new UDP source) and a new file destination as well.

  @version: 7.0
  #Default configuration file for syslog-ng.
  #
  # For a description of syslog-ng configuration file directives, please read
  # the syslog-ng Administration Guide at:
  #
  # https://support.oneidentity.com/syslog-ng-premium-edition/technical-documents
  #
  @include "scl.conf"
  
  options {
  stats_freq(0); log_fifo_size(4190);
  };
  
  ######
  # sources
  source s_local {
  # message generated by Syslog-NG
  internal();
  system();
  monitoring_welf();
  };
  
  
  ######
  # destinations
  destination d_messages { file("/var/log/messages"); };
  
  
  log {
  source(s_local);
  
  destination(d_messages);
  };
  
  source s_net {
    udp(port(514) so-rcvbuf(268435456) );
    udp-balancer(
        port(2222)
        so-rcvbuf(268435456)
    );
  };
  destination d_fromnet {
    file("/var/log/fromnet");
  };
  log {source(s_net); destination(d_fromnet);};

  Testing was done using the loggen utility of syslog-ng. In case of syslog-ng PE, it is installed to a non-standard location. Either add it to your PATH or call it using the full path name:

  /opt/syslog-ng/bin/loggen -r 140000 --active-connections=8 -i -D localhost 2222

  If you used loggen before, you will notice the number after the -r (maximum message rate) option. With TCP connections, we normally use insanely large values as it builds out connections and regulates itself. UDP does not use connections, so loggen generates log messages as fast as it can.

  The --active-connections option tells loggen how many threads to use to send log messages. Note that the -r option is multiplied by this number.

  The rest of the options tell loggen to send logs to localhost on port 514 over UDP.

  You are now ready to experiment. Start with small numbers and increase until you see considerable message loss. Or start with large numbers and keep decreasing until message loss disappears or gets to a tolerable level.

  Note: do not forget to remove the log file and restart syslog-ng between test runs. Otherwise, suddenly you will count a lot more logs than what is actually sent :)

  On my host, the above loggen command resulted in the optimal load. What does it mean? When I compared the number of messages loggen sent with the number of lines in the log file, the difference was less than a hundred. Depending on your hardware, the values might be slightly higher or much lower.

  As a next step, send the same number of logs to port 514, the regular UDP source. You will see that only a fraction of the log messages are processed and saved by syslog-ng. You can now play with “-r” again to find the value where message loss drops to an acceptable value.

  Summary

  A picture is worth a thousand words, so let me summarize this blog with two screenshots. One was taken when using the regular udp() source of syslog-ng, the other one when using the udp-balancer() source. In the first case, one CPU core is fully loaded, while the rest of the cores are idle. In the second case, the load is distributed near evenly.

  

  

  -

  If you have questions or comments related to syslog-ng, do not hesitate to contact us. You can reach us by email or even chat with us. For a list of possibilities, check our GitHub page under the “Community” section at https://github.com/syslog-ng/syslog-ng. On Twitter, I am available as @PCzanik.

August 02, 2021

• The NeuroFedora Blog Next Open NeuroFedora meeting: 02 August 1300 UTC
  

  Photo by William White on Unsplash.

  
  

  Please join us at the next regular Open NeuroFedora team meeting on Monday 02 August at 1300UTC in #fedora-neuro on IRC (Libera.chat). The meeting is a public meeting, and open for everyone to attend. You can join us over:

  • IRC
  • Matrix

  You can use this link to convert the meeting time to your local time. Or, you can also use this command in the terminal:

  $ date --date='TZ="UTC" 1300 today'
  

  The meeting will be chaired by @ankursinha. The agenda for the meeting is:

  • New introductions and roll call.
  • Tasks from last meeting.
  • Open Pagure tickets.
  • Package health check.
  • Open package reviews check.
  • CompNeuro lab compose status check for Fedora 35.
  • Neuroscience query of the week
  • Next meeting day, and chair.
  • Open floor.

  We hope to see you there!

• Josh Bressers Episode 282 – The security of Rust: who left all this awesome in here?

  Josh and Kurt talk about a story from Microsoft declaring Rust the future of safe programming, replacing C and C++. We discuss how tooling affects progress and why this isn’t always obvious when you’re in the middle of progress.

  Show Notes

  • Microsoft: Rust Is the Industry’s ‘Best Chance’ at Safe Systems Programming
  • Josh’s devopsdays talk
  • Microsoft moved font handling out of the kernel
  • Atari 2600 emulator in Minecraft
  • Rate of technology adoption

July 30, 2021

• Tomasz Torcz Makeshift Kubernetes external load balancer with haproxy

  Some time ago I've replaced Google Analytics with Plausible. It works great, except for one tiny thing. The map of visitors was empty. Due to various layers of Network Adress Translations in k3s networking setup, the original client IP address information was not reaching analytics engine.

  There are solutions – there is a PROXY Protocol exactly for that case. And Traefik, which handles ingress in k3s, supports PROXY. Only a bit of gymnastic was needed.

  Legacy IPv4 traffic entry point to my bare-metal cluster has a form of a small in-the-cloud virtual machine. It routes incoming TCP/443 traffic over the VPN into the cluster. The VM itself is not a part of kubernetes setup – I cannot run any pods on it. I've decided to use Ansible to configure it.

  The outcome lives in k8s-haproxy-external-lb and gives me following map:

  

  (greetings Australia, have you found information about the red LED on Sonoff?)

  There are few moving parts, but with Python, Kubernetes and Ansible, the result is suprisingly simple:

  • there's a persistent pod running on the k8s cluster, watching EndPoints exposed by Traefik. When a change occurs (traefik pod restart, replica count modification, etc.) – ansible playbook is triggered. This pod may be seen as a k8s controller.

  • ansible playbook collects Traefik pod's IP addresses and ports. JSON parsing in ansible is a bit suboptimal: … | first | first | first looks bad but works.

  • still using ansible, haproxy configuration file is created, put on the edge nodes, and the service is restarted. I've selected haproxy because:

    • it implements PROXY protocol

    • I did similar thing on OpenShift

  • haproxy passes received traffic directly to Traefik. This happens at the TCP level. TLS is terminated at Traefik, and certificates do not leave kubernetes cluster.

  Some minimal preparations were needed. Communication between edge node and kubernetes pod network had to be established. This was done in an instant, thanks to Wireguard. SSH keypair for ansible had to be put in a k8s Secret and distributed among edge nodes. Finally, small fix was needed in ansible itself: local connection plugin was not happy when run in a container, as random user without an entry in /etc/passwd.

  Traefik had to be configured to trust PROXY protocol information and generate X-Forwarded-For headers. Plausible utilized information in those headers without additional tinkering.

  Configuration details are described at https://github.com/zdzichu/k8s-haproxy-external-lb.

July 28, 2021

• Free Software Fellowship 100 years of Hitler & psychological experiments on volunteers

  On 29 July 1921, Adolf Hitler became Führer of the Nazi Party. He didn't like the title President.

  To mark this unpleasant anniversary, we will focus on psychological torture.

  Hitler's death camps had established orchestras of Jews. They were ordered to play upbeat music as their family members marched past them into the gas chambers.

  Those who play brass and wind instruments, trumpets and flutes, were inhaling air tainted with the burnt flesh of their family members but they were not allowed to stop playing or they would be next to die.

  The scene of the orchestra and the sound of the music were deliberately incongruous with the extraordinary pain suffered by the victims and witnesses to death. On the other hand, these humiliating scenes were entirely consistent with Hitler's program of psychological experiments on Jews and volunteers.

  This is the Auschwitz Men’s Orchestra:

  

  Psychological torture of free software volunteers

  A volunteer from a free software organization resigned at a time when he lost two family members.

  Immediately after this, the German Free Software Foundation of Europe published a vile document attacking and criticizing the volunteer at this time of grief. At the same time as they published the motion, their President published a wildly upbeat photo, waving their arms and smiling.

  

  The photo, the vile document created by this group and the grief suffered by any volunteer losing a family member are all incongruous with each other.

  There is significant congruity between each and every regime that chooses to conduct psychological experiments and torture on people.

  One general wish -- which I agreed with -- from Debian was to better share information about people... Matthias Kirschner, FSFE President

  
• Fabio Alessandro Locati CORS headers with gRPC-Gateway
  A few years ago, I wrote a blog post on managing CORS headers with Negroni. Lately, I’ve created a new API server that needed to be accessible from the browser, but this time I used a different technology, more precisely gRPC-Gateway. Few months after I wrote that blog post, I stopped writing new REST services by hand. I did not rewrite all the services that used the old paradigm just because they needed a fix or a new feature, but for all new services, I moved to gRPC with gRPC-Gateway.

July 27, 2021

• Peter Czanik Syslog-ng 3.33: the MQTT destination

  Version 3.33 of syslog-ng introduced an MQTT destination. It uses the paho-c client library to send log messages to an MQTT broker. The current implementation supports version 3.1 and 3.1.1 of the protocol over non-encrypted connections, but this is only a first step.

  From this blog, you can learn how to configure and test the mqtt() destination in syslog-ng.

  Before you begin

  To use the MQTT destination of syslog-ng, you need to use at least syslog-ng version 3.33. It is not yet included in most Linux distributions, but luckily it is available in some 3^rd-party syslog-ng repositories. You can find a list of them at https://www.syslog-ng.com/products/open-source-log-management/3rd-party-binaries.aspx MQTT support is usually included in a sub-package of syslog-ng, often called syslog-ng-mqtt. You also need an MQTT broker, where you can forward log messages using the mqtt() destination.,

  For my tests, I used Fedora 34 with the Mosquitto MQTT broker and syslog-ng installed from the unofficial Copr repository.

  Configuring syslog-ng

  If your distribution of choice supports it, create a new configuration file under the /etc/syslog-ng/conf.d/ directory with a .conf extension. Otherwise, append the configuration below to syslog-ng.conf.

  destination d_mqtt {
    mqtt (
      address("tcp://localhost:1883"),
      topic("test/$HOST"),
      fallback-topic("syslog/fallback")
      template("$MESSAGE")
      qos(1)
    );
  };
  
  log {
      source(s_sys);
      destination(d_mqtt);
  };

  The MQTT destination has three mandatory options:

  • address() defines where to send log messages: it includes the hostname (or IP address) and the port number of the MQTT broker. These values work if the broker is running on localhost at the default port.

  • topic() defines in which topic syslog-ng stores the log message. You can also use templates here, and use, for example, the $HOST macro in the topic name hierarchy.

  • fallback-topic() is used when syslog-ng cannot post a message to the originally defined topic (which can include invalid characters coming from templates).

  Optional parameters of the MQTT destination include:

  • template(), where you can configure the message template sent to the MQTT broker. By default, the template is: “$ISODATE $HOST $MSGHDR$MSG”

  • qos stands for quality of service and can take three values in the MQTT world. Its default value is 0, where there is no guarantee that the message is ever delivered. Setting it to 1 makes sure that the message is delivered at least once, while 2 ensures that a message is delivered exactly once. Obviously, 0 has the best performance, while 2 can be much slower.

  The log statement connects the local log sources with the MQTT destination. Note, that the name of the source might be different, depending on syslog-ng.conf. Configurations on Fedora and RHEL call the local log source s_sys, by default.

  Testing

  As mentioned in the introduction, I used the Mosquitto MQTT broker for testing. There are dozens of others listed at https://mqtt.org/software/, verifying incoming messages is different for each software.

  Once you reloaded syslog-ng to ensure that the configuration takes effect, you are ready for testing. We use two utilities for testing:

  • logger sends syslog messages to the local server

  • mosquitto_sub is part of the Mosquitto MQTT broker software and can subscribe to messages arriving on a broker

  First start mosquitto_sub in a terminal:

  mosquitto_sub -h localhost -p 1883 -t 'test/+'

  This will listen to incoming messages on the broker on all subtopics under the “test” topic. “+” is a wildcard here.

  Next, you can send some log messages using the logger command:

  logger this is a test

  And you should see the line appear in the output of mosquitto_sub:

  2021-07-26T16:39:55+02:00 fedora34.localdomain root[3077]: this is a test

  What is next?

  This is just the first step in adding MQTT support to syslog-ng. Your feedback is very welcome about this new feature. Detailed problem reports help to make the next version more robust while positive feedback lets us know that the feature is in use and it is worth developing it further.

  -

  If you have questions or comments related to syslog-ng, do not hesitate to contact us. You can reach us by email or even chat with us. For a list of possibilities, check our GitHub page under the “Community” section at https://github.com/syslog-ng/syslog-ng. On Twitter, I am available as @Pczanik.

July 26, 2021

• Fedora fans آموزش کنترل ماشین مجازی در OpenStack
  

  برای کنترل (start, stop, pause, unpause, suspend, resume, reboot) ماشین های مجازی یا همان instance ها در OpenStack  می توان از طریق پنل گرافیکی (Horizon) و یا خط فرمان اقدام کرد که در این مطلب قصد داریم تا از طریق خط فرمان ماشین های مجازی خود را کنترل کنیم.

  نکته: در تمامی دستورهای زیر بجای myInstance باید نام Instance و یا همان ماشین مجازی (VM) خود را بنویسید.

  • برای Pause کردن instance می توان از دستور زیر استفاده کرد (با اجرای این دستور وضعیت VM روی RAM ذخیره خواهد شد) :

  $ openstack server pause myInstance

  • برای unpause کردن instance می توان از دستور زیر استفاده کرد:

  $ openstack server unpause myInstance

  • برای Suspend کردن instance می توان از دستور زیر استفاده کرد:

  $ openstack server suspend myInstance

  • برای resume کردن instance می توان از دستور زیر استفاده کرد:

  $ openstack server resume myInstance

  • برای Stop یا همان Shut Off کردن instance می توان از دستور زیر استفاده کرد:

  $ openstack server stop myInstance

  • برای Start کردن instance می توان از دستور زیر استفاده کرد:

  $ openstack server start myInstance

  • برای Soft reboot کردن instance می توان از دستور زیر استفاده کرد (هنگام reboot کردن یک instance به صورت پیش فرض Soft reboot انجام خواهد شد) :

  $ openstack server reboot myInstance

  • برای Hard reboot کردن instance می توان از دستور زیر استفاده کرد:

   

  $ openstack server reboot --hard myInstance
  

  • برای مشاهده ی status یا همان وضعیت یک instance می توانید از دستور زیر استفاده کنید:

  $ openstack server show myInstance

   

  The post آموزش کنترل ماشین مجازی در OpenStack first appeared on طرفداران فدورا.

  
• Josh Bressers Episode 281 – If you spy on journalists, you’re the bad guys

  Josh and Kurt talk about the news that the NSO Group is widely distributing spyware onto a large number of devices. This news should be a wake up call for anyone creating devices and systems that could be attacked, it’s time to segment services. There’s not a lot individuals can do at this point, but we have some ideas at the end of the episode.

  Show Notes

  • NSO Group spying
  • Technical details Twitter thread
  • Are we the Baddies?

July 24, 2021

• Michel Alexandre Salim 2021H1 recap: Fedora 34, CentOS Dojo, team switch, and back on leave
  Half of 2021 is gone already! I’m back on parental leave, but want to post a quick recap of the past few months. Parental leave I’m out from July 15 until the end of October. I am signed up to some virtual conferences this summer and fall, but do not anticipate really being there except for a few selected talks. Best way to reach me is async via Matrix or email (see links on the main page).

July 22, 2021

• Adam Jackson threads and libxcb: problems now we have two

  If you want to write an X application, you need to use some library that speaks the X11 protocol. For a long time this meant libX11, often called xlib, which - like most things about X - is a fantastic bit of engineering that is very much a product of its time with some confusing baroque bits. Overall it does a very nice job of hiding the icky details of the protocol from the application developer.

  One of the details it hides has to do with how resource IDs are allocated in X. A resource ID (an XID, in the jargon) is a 32 29-bit integer that names a resource - window, colormap, what have you. Those 29 bits are split up netmask/hostmask style, where the top 8 or so uniquely identify the client, and the rest identify the resource belonging to that client. When you create a window in X, what you really tell the server is "I want a window that's initially this size, this background color (etc.) and from now on when I say (my client id + 17) I mean that window." This is great for performance because it means resource allocation is assumed to succeed and you don't have to wait for a reply from the server.
  

  Key to all this is that in xlib the XID is the return value from the call that issues the resource creation request. Internally the request gets queued into the protocol's write buffer, but the client can march ahead and issue the next few commands as if creation had succeeded - because it probably did, and if it didn't you're probably going to crash anyway.
  

  So to allocate XIDs the client just marches forward through its XID range. What happens when you hit the end of the range? Before X11R4, you'd crash, because xlib doesn't keep track of which XIDs it's allocated, just the lowest one it hasn't allocated yet. Starting in R4 the server added an extension called XC-MISC that lets the client ask the server for a list of unused XIDs, so when xlib hits the end of the range it can request a new range from the server.

  But. UI programming tends to want threads, and xlib is perhaps not the most thread-friendly. So XCB was invented, which sacrifices some of xlib's ease of use for a more direct binding to the protocol and (in theory) an explicitly thread-safe design. We then modified xlib and XCB to coexist in the same process, using the same I/O buffers, reply and event management, etc.
  

  This literal reflection of the protocol into the API has consequences. In XCB, unlike xlib, XID generation is an explicit step. The client first calls into XCB to allocate the XID, and then passes that XID to the creation request in order to give the resource a name.

  Which... sorta ruins that whole thread-safety thing.
  

  Let's say you call xcb_generate_id in thread A and the XID it returns is the last one in your range. Then thread B schedules in and tries to allocate another XID. You'll ask the server for a new range, but since thread A hasn't called its resource creation request yet, from the server's perspective that "allocated" XID looks like it's still free! So now, whichever thread issues their resource creation request second will get BadIDChoice thrown at them if the other thread's resource hasn't been destroyed in the interim.

  A library that was supposed to be about thread safety baked a thread safety hazard into the API. Good work, team.

  How do you fix this without changing the API? Maybe you could keep a bitmap on the client side that tracks XID allocation, that's only like 256KB worst case, you can grow it dynamically and most clients don't create more than a few dozen resources anyway. Make xcb_generate_id consult that bitmap for the first unallocated ID, and mark it used when it returns. Then track every resource destruction request and zero it back out of the bitmap. You'd only need XC-MISC if some other client destroyed one of your resources and you were completely out of XIDs otherwise.

  And you can implement this, except. One, XCB has zero idea what a resource destruction request is, that's simply not in the protocol description. Not a big deal, you can fix that, there's only like forty destructors you'd need to annotate. But then two, that would only catch resource destruction calls that flow through XCB's protocol binding API, which xlib does not, xlib instead pushes raw data through xcb_writev. So now you need to modify every client library (libXext, libGL, ...) to inform XCB about resource destruction.
  

  Which is doable. Tedious. But doable.

  I think.
  

  I feel a little weird writing about this because: surely I can't be the first person to notice this.
  

July 21, 2021

• Peter Czanik Creating a new http()-based syslog-ng destination: Seq

  Recently, many services provide an HTTP-based API to send messages. With a bit of luck, the given service is already supported directly by syslog-ng, or by using the Apprise Python library from the syslog-ng Python destination. In other cases, you need to do the research yourself on how the given HTTP-based service works. It might be scary at first, but often, it just takes a bit of experimenting and reading the documentation.

  In this blog, I’m showing you how to send log messages to Seq, a container-based log management software for application logs. The focus of this blog is to understand what to look for in the documentation of software to create an http()-based destination in syslog-ng. You can install Seq in a container, it is easy, but not necessary.

  Before you begin

  As I mentioned, installing Seq is optional if you also want to test the new syslog-ng configuration. It is easy, as long as you have Docker available on your host: https://docs.datalust.co/docs/getting-started-with-docker

  On the syslog-ng side, any recent syslog-ng version should be OK. In this case, recent means syslog-ng version 3.21 or later. Check our 3^rd-party packages page for up-to-date packages for your distro.

  Reading the docs

  The first step is getting familiar with the syslog-ng http() destination. The documentation is available at https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.30/administration-guide/38#TOPIC-1594993 Yes, it includes many pages of information. You do not have to read all possible options in depth. It is enough to skim through them and try to understand the various example configurations included next to the descriptions. Some of these are http()-specific, while others should already look familiar, like the disk-buffer or the macros in various template-related options.

  By the end, you will notice that all examples are slightly different but most of them include at least the following lines:

  destination d_http {
      http(
          url("http://127.0.0.1:8000")
          method("PUT")
          user-agent("syslog-ng User Agent")
          body("${ISODATE} ${MESSAGE}")
      );
  };

  The next step is reading the Seq documentation. Information is often scattered in small parts across multiple pages in the documentation. Luckily, the Seq documentation has a single page collecting all the necessary information: https://docs.datalust.co/docs/posting-raw-events

  It is not an easy read at first, but it is not too long. Right at the top, you can already see two important parameters to be included in the http() destination:

  • method: POST

  • url: https://localhost:5341/api/events/raw?clef

  Reading a bit further, we can find another important piece of information:

  • a required header: "Content-Type: application/vnd.serilog.clef"

  Now comes the difficult part. The example shown on the page is not something you can easily produce in syslog-ng. By default, Seq expects a message template and then a list of name-value pairs to fill in the blanks in the template. You could create such log messages using the PatternDB parser of syslog-ng, but even then, it could be a painfully slow process.

  Luckily, reading the documentation further leads us to a list of mandatory and optional fields used in the JSON-formatted message. While all the examples show the use of message templates, there is another option, using @m for a fully rendered message describing the event. That is something we have in syslog-ng, alongside the values optionally parsed from log messages.

  There is one more field we must use: @t for the time (and date) of the message in ISO format. Anything else we send is optional from the Seq point of view.

  Configuring the http() destination

  Now that we have all information at hand, we can start configuring syslog-ng. Here is the configuration I came up with for my environment:

  destination d_http {
      http(
          url("http://172.16.167.139:5341/api/events/raw?clef")
          method("POST")
          user-agent("syslog-ng User Agent")
          headers("Content-Type: application/vnd.serilog.clef")
          body('$(format-json --scope rfc5424 --scope dot-nv-pairs
          --rekey .* --shift 1 --scope nv-pairs
          --exclude DATE @t=${ISODATE} @m=${MESSAGE})')
      );
  };

  The URL should look familiar, I only replaced the IP address with an actual server IP in my test environment. Next, we configure the method. Configuring the user-agent is not strictly necessary, but as it is in the examples and some services expect it to be filled, I use it all the time. Next, headers are configured.

  The message body comes last. As expected, we use the format-json template function to create JSON formatted log messages. We include all the regular syslog fields (rfc5414) and all name-value pairs parsed from the log message. We remove the leading dot from name-value pair names that start with a dot. The date macro is excluded, as instead of that, we include the date with the proper formatting as @t. The original message is included in @m.

  Testing

  The focus of this blog was to help you to better understand what to look for in documentation. But, of course, you might also want to try the configuration we put together.

  First of all, you need to include the freshly configured http() destination in a log statement and connect it with a source. For example, in case of openSUSE, the name of the local log source in the default syslog-ng configuration is called src:

  log {
      source(src);
      destination(d_http);
  };

  Recent versions of syslog-ng parse sudo log messages by default. So, without any further configuration you can also send some parsed log messages to Seq, just by issuing a few commands through sudo. You can see an example screenshot below:

  

  What is next?

  Now that you followed how to create an http()-based destination for Seq, it is time to work on your own http()-based destination. As you could see, creating a new destination takes some reading and experimenting. If you work on something new and you get stuck, you can reach out to the syslog-ng community for help. And if you succeed creating a new destination you are welcome to share it with the community to make other users’ lives easier!

  -

  If you have questions or comments related to syslog-ng, do not hesitate to contact us. You can reach us by email or even chat with us. For a list of possibilities, check our GitHub page under the “Community” section at https://github.com/syslog-ng/syslog-ng. On Twitter, I am available as @Pczanik.
• Javier Martinez Canillas A framebuffer hidden in plain sight

  Soon after I set up my Rockpro64 board, Peter Robinson told me about an annoying bug that happened on machines with a Rockchip SoC.

  The problem was that the framebuffer console just went away after GRUB booted the Linux kernel. We started looking at this and Peter mentioned the following data points:

  • Enabling early console output on the framebuffer registered by the efifb driver (earlycon=efifb efi=debug) would get some output but at some point everything would just go blank.
  • The display worked when passing fbcon=map:1 and people were using that as a workaround.
  • Preventing the efifb driver to be loaded (modprobe.blacklist=efifb) would also make things to work.

  So the issue seemed to be related to the efifb driver somehow but wasn’t clear what was happening.

  What this driver does is to register a framebuffer device that relies on the video output configured by the firmware/bootloader (using the EFI Graphics Output Protocol) until a real driver takes over an re-initializes the display controller and other IP blocks needed for video output.

  I read The Framebuffer device and The Framebuffer Console sections in the Linux documentation to get more familiar about how this is supposed to work.

  What happens is that the framebuffer console is bound by default to the first framebuffer registered, which is the one registered by the efifb driver.

  Later, the rockchipdrm driver is probed and a second framebuffer registered by the DRM fbdev emulation layer but the frame buffer console is still bound to the first frame buffer, that’s using the EFI GOP but this gets destroyed when the kernel re-initializes the display controller and related IP blocks (IOMMU, clocks, power domains, etc).

  So why are users left with a blank framebuffer? It’s because the framebuffer is registered but it’s not attached to the console.

  Once the problem was understood, it was easy to solve it. The DRM subsystem provides a drm_aperture_remove_framebuffers() helper function to remove any existing drivers that may own the framebuffer memory, but the rockchipdrm driver was not using this helper.

  The proposed fix (that landed in v5.14-rc1) then is for the rockchipdrm driver to call the helper to detach any existing early framebuffer before registering its own.

  After doing that, the early framebuffer is unbound from the framebuffer console and the one registered by the rockchipdrm driver takes over:

  [   40.752420] fb0: switching to rockchip-drm-fb from EFI VGA
  

• Kushal Das Trouble of zoom and participant name

  Last night I was in a panel along with Juan Andrés Guerrero-Saade organized by Aveek Sen, the topic was "Tips on how journalists can avoid getting snooped". You can watch the recording at Youtube.

  But this post is not about that. It is about Zoom. Just before logging into the call, I made sure that the name is changed while joining the call, generally my daughter uses the Zoom and her name was mentioned before. I personally have almost zero zoom usage (except 2-3 times in last 1 year). But, after logging into the call, zoom again went back to the older name, and did not allow me to change it during the session. I kept trying during the session without any luck. I don't know why did they do this or why I could not find a way to change my name, but I feel this is really stupid.

• Josef Strzibny Elixir Authorization Plugs

  Similar to Ruby’s Rack, Plug is a general specification for composing modules between web applications and application servers. Here’s how we can use them to build authorized pipelines in your router.

  Note that this post is not about whether you should do authorization at the router level. It’s likely you’ll do it as part of your business logic for the most part. But when it makes sense, you can use Plugs.

  Authorization plug is a genetic plug, but one that might need to stop the execution of the request. If we import Plug.Conn we can pipe to halt/1 to do exactly that. We should also render a custom error message.

  I’ll demonstrate by checking claims from a Guardian token and compare them to fix hardcoded access rights.

  defmodule DigiWeb.VerifyAdminPlug do
    import Plug.Conn
  
    def init(options), do: options
  
    # This is what's get called
    def call(%Plug.Conn{} = conn, opts) do
      verify_access!(conn, opts)
    end
  
    defp verify_access!(conn, opts) do
      # This is a path like "/admin/path1"
      authorized_path = conn.request_path
  
      # We fetch the authorization rights from claims
      rights =
        if Map.has_key?(conn.private, :guardian_default_claims) do
          conn.private.guardian_default_claims["rights"]
        else
          []
        end
  
      # A simple way of checking a path against a particular right,
      # could be a more sophisticated check
      required_rights = required_action_rights[authorized_path]
  
      if required_rights do
        case has_rights(rights, required_rights) do
          false ->
            conn
            |> auth_error()
            |> halt()
  
          true ->
            conn
        end
      else
        conn
        |> auth_error()
        |> halt()
      end
    end
  
    defp has_rights([], _required), do: false
  
    defp has_rights(rights, required) do
      MapSet.subset?(MapSet.new(rights), MapSet.new(required))
    end
  
    defp auth_error(conn) do
      body = Poison.encode!(%{message: "Unauthorized"})
      send_resp(conn, 401, body)
    end
  
    def required_action_rights do
      %{
        "/admin/path1" => ["right1"],
        "/admin/path2" => ["right2"]
      }
    end
  end
  

  There you have it, a simple way to authorize access. Great for pages that are protected entirely.

  To make a route use your plug, plug it in a pipeline:

  # router.ex
    ..
    pipeline :authorized_admin do
      plug Guardian.Plug.Pipeline,
        module: MyAppWeb.Public.Guardian,
        error_handler: MyAppWeb.Public.ErrorHandler
  
      # Check admin's access rights
      plug MyApp.VerifyAdminPlug
    end
    ..
  

  Because I wanted to use claims from a token issued by Guardian, I put it after the Guardian’s plug.

July 19, 2021

• Andreas Schneider Improved cmdline UX in upcoming Samba 4.15

  To the newcomer, Samba’s command line user interface appears to be a haphazard jumble of scripts and binaries with options and design principles that fade in and out of use according to some esoteric pattern.

  Douglas Bagnall

  The initial quote is from the SambaXP talk What should we do with our user interface? in 2019. Douglas wrote that nobody can fix it as experts are locked-in, newbies are baffled and old options can’t be dropped. Since then things have changed. I’ve succeeded to do the impossible, rewrite the command line user interface.

  This is part of an effort to support FIPS mode with Samba. For this the client needs to be able have certain defaults set when the machine is set to FIPS mode. But lets first look at what the issues where and how I addressed them.

  What were the problems?

  Kerberos

  $ smbclient --help | grep '\-k'                                
    -k, --kerberos                 Use kerberos 
  
  $ ldbsearch --help | grep '\-k'
    -k, --kerberos=STRING          Use Kerberos, -k [yes|no]

  We have -k and `-k yes`. Same option with and without an argument.

  LDB

  $ ldbedit --help | grep '\-e'
   -e, --editor=PROGRAM            external editor
   -e, --encrypt                   Encrypt connection for privacy

  Will I enable encryption or will it open an editor, or both?

  $ ldbsearch --help | grep '\-S'
   -S, --sorted                   sort attributes
   -S, --sign                     Sign connection to prevent
   -S, --signing=on|off|required  Set the client signing state

  $ ldbsearch --help | grep '\-s'
   -s, --scope=SCOPE              search scope
   -s, --configfile=CONFIGFILE    Use alternative configuration

  Will I set the scope or provide a config file with `-s`? I want to set the scope, lets use the long option.

  $ ldbsearch --help | grep '\-scope'
   -s, --scope=SCOPE              search scope
   -i, --scope=SCOPE              Use this Netbios scope

  Those are just a few examples but I think you see the problems. I could go on with logging to stderr or stdout. You never know where log messages are ending up.

  To address all the issues we run into something called the “Backwards compatibility dilemma”:

  Fixing consistency across tools will create new problems!

  • We need to introduce new options
  • The complexity might increase
  • We will certainly break scripts of our users

  How did we solve the issues?

  For tools written in C the command line parser has been rewritten. There were two different implementation and there is only one now! The parser uses the client credentials API for all tools now. This means that all tools behave the same now.

  New important common options

  --use-kerberos=desired|required|off  Use Kerberos authentication
  --use-krb5-ccache=CCACHE             Credentials cache location for Kerberos

  For Kerberos there are two options available and they have new names. The -k option is deprecated but still works for a grace period. It will be removed in on of the following Samba relases!

  A corresponding smb.conf option has been added: client use kerberos = desired|required|off
  This allows you to change the default and in FIPS mode it will be forced to be set to required.

  --client-protection=sign|encrypt|off
     Configure used protection for client connections

  There is a new option to select signing or encryption of the connection. It also doesn’t matter if it is an SMB or RPC connection. It will do the right thing for you

  Corresponding smb.conf option: client protection = sign|encrypt|off|default

  Logging

  All tools and daemons log to stderr by default now! This can be changed using the --debug-stdout option.

  Sanity check

  The new command line parser comes with a sanity checker. This makes sure that a developer will not introduce duplicate options, whether long or short!

  Documentation

  The manpage of all tools and daemons have been changed accordingly to reflect the new options. Feel free to open bugs if you find documentation issues or even better, send patches!

  The new implementation should make much more sense and developers have tools to avoid mistakes now. Samba 4.15rc1 has just been released. Samba 4.15 is expected to be released in September 2021.

• The NeuroFedora Blog Next Open NeuroFedora meeting: 19 July 1300 UTC
  

  Photo by William White on Unsplash.

  
  

  Please join us at the next regular Open NeuroFedora team meeting on Monday 19 July at 1300UTC in #fedora-neuro on IRC (Libera.chat). The meeting is a public meeting, and open for everyone to attend. You can join us over:

  • IRC
  • Matrix

  You can use this link to convert the meeting time to your local time. Or, you can also use this command in the terminal:

  $ date --date='TZ="UTC" 1300 today'
  

  The meeting will be chaired by @ankursinha. The agenda for the meeting is:

  • New introductions and roll call.
  • Tasks from last meeting.
  • Open Pagure tickets.
  • Package health check.
  • Open package reviews check.
  • CompNeuro lab compose status check for Fedora 35.
  • Neuroscience query of the week
  • Next meeting day, and chair.
  • Open floor.

  We hope to see you there!

• Fedora fans بازبینی فایل های TOML به صورت آنلاین
  

  نوعی از فرمت فایل ها TOML می باشد که برای فایل های پیکربندی استفاده می شود. یکی از اقدامات در فرایند توسعه نرم افزار انجام آزمایش ساختار کدها پیش از deploy کردن می باشد.

  روش ها و ابزارهای گوناگونی برای آزمایش ساختار (Syntax) و بازبینی (verify) کدها می باشد که یکی از آنها TOML Lint می باشد که می توانید به صورت آنلاین از آن استفاده کنید. برای اینکار کافیست تا به آدرس زیر مراجعه کنید و فایل های TOML خود را بازبینی (verify) کنید.

  https://www.toml-lint.com

   

  The post بازبینی فایل های TOML به صورت آنلاین first appeared on طرفداران فدورا.

  
• Josh Bressers Episode 280 – The perils of Single Sign On

  Josh and Kurt talk about what happens when you lose access to your Single Sign On provider. These providers have become critical to many of us, if we lose access to our SSO account we will lose access to many services.

  Show Notes

  • Postbank

July 18, 2021

• Kushal Das A few bytes of curl

  curl is most probably the highest used software in the world. I generally use it daily (directly) in the various scripts at the SecureDrop, starting from inside of Dockerfiles, to Ansible roles or in CI. I never read much about various options available other than a few very basic ones. So I decided to look more into the available options. Here are a few interesting points from that reading:

  Protocols supported

  This is a very long list, I had no clue!!!!

  • dict
  • file
  • ftp
  • ftps
  • gopher
  • gophers
  • http
  • https
  • imap
  • imaps
  • ldap
  • ldaps
  • mqtt
  • pop3
  • pop3s
  • rtsp
  • scp
  • sftp
  • smb
  • smbs
  • smtp
  • smtps
  • telnet
  • tftp

  The --version flag will tell you this details and many things more.

  $ curl --version
  curl 7.76.1 (x86_64-redhat-linux-gnu) libcurl/7.76.1 OpenSSL/1.1.1k-fips zlib/1.2.11 brotli/1.0.9 libidn2/2.3.1 libpsl/0.21.1 (+libidn2/2.3.0) libssh/0.9.5/openssl/zlib nghttp2/1.43.0
  Release-Date: 2021-04-14
  Protocols: dict file ftp ftps gopher gophers http https imap imaps ldap ldaps mqtt pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp 
  Features: alt-svc AsynchDNS brotli GSS-API HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz Metalink NTLM NTLM_WB PSL SPNEGO SSL TLS-SRP UnixSockets
  

  User agent string

  We can use -A to provide any given string as User Agent.

  $ curl -A "browser/kd 1.0.0" http://httpbin.org/get
  {
    "args": {}, 
    "headers": {
      "Accept": "*/*", 
      "Host": "httpbin.org", 
      "User-Agent": "browser/kd 1.0.0", 
      "X-Amzn-Trace-Id": "Root=1-60ec8985-05acbf60769f18855db925f1"
    }, 
    "origin": "xxx.xxx.xxx.xxx", 
    "url": "http://httpbin.org/get"
  }
  

  Download via sequence

  We can specify the range in our command. The first example downloads different index files from my blog.

  curl -O "https://kushaldas.in/index-[1-10].html"
  

  A few more examples:

  curl -O "http://example.com/[1-100].png"

  curl -O "http://example.com/[001-100].png"

  curl -O "http://example.com/[0-100:2].png"

  curl -O "http://example.com/section[a-z].html"

  curl -O "http://example.com/{one,two,three,alpha,beta}.html"

  Parallel downloads

  You can pass -Z to the above command to download in parallel. Try it out yourself.

  Configuration file

  We can create a configuration file to hold all the command line parameters and pass it to the curl command via -K flag.

  curl -K configs.txt https://kushaldas.in

  One flag each line, comments via #.

  # Change user agent
  --user-agent "ACAB/1.0"
  

  Curl checks for a default configuration file at ~/.curlrc unless called with -q.

  To view only the headers

  -I to check the headers returned by the server.

  $ curl -I https://kushaldas.in
  HTTP/2 200 
  server: nginx/1.14.2
  date: Sun, 18 Jul 2021 06:40:37 GMT
  content-type: text/html; charset=utf-8
  content-length: 25977
  last-modified: Mon, 05 Jul 2021 15:24:32 GMT
  etag: "60e32430-6579"
  strict-transport-security: max-age=31536000
  onion-location: https://kushal76uaid62oup5774umh654scnu5dwzh4u2534qxhcbi4wbab3ad.onion
  permissions-policy: interest-cohort=()
  x-frame-options: DENY
  x-content-type-options: nosniff
  referrer-policy: strict-origin
  accept-ranges: bytes
  

  DNS over HTTPS

  We can force curl to use a DoH server for the DNS query, pass --doh-url flag to the command along with the server address.

  curl -I --doh-url https://adblock.doh.mullvad.net/dns-query https://securedrop.org

July 15, 2021

• Josh Bressers The future of DWF

  TL;DR – The future of community identifier is going to be the Cloud Security Alliance. See this blog post for more details.

  A few months ago the Distributed Weakness Filing project (DWF), announced it was coming back to work with some new ideas around how we work with vulnerability identifiers. The initial blog post defines some of the reasons, we won’t rehash them here.

  It should surprise nobody that the DWF project did not grow to an enormous size in a few short months. Vulnerability identification is a complex and hard problem. We were looking to try out some new ideas and see which were effective and which were not effective. It was to start to build the structure to deal with a future community. Most importantly it was to help figure out what we don’t know we don’t know.

  One group that has become interested in what we were doing was the CloudSecurityAlliance (CSA). The CSA is focused on, well, security and the cloud, as well as other new and emerging technologies and problems. Traditional vulnerability identifiers have been heavily focused on software as it existed in the past rather than current software and services. The CSA has an interest in helping to define the next generation of vulnerability classification. There are a huge number of potential vulnerabilities and weaknesses that are going untracked, which means they are largely unseen. If we expect the future to be more secure than the past, having a community driven vulnerability classification and freely available databases will be critical.

  To make a long story short, the DWF is dissolving and is directing people and organizations interested in participating in this towards the CSA community where a new working group and other efforts are being started. The group is tentatively called the “Universal Vulnerability Identifier (UVI) working group”. This is a working group with open membership and an initial goal of helping define the future of vulnerability identification. The target audience is anyone looking to understand, use, and define vulnerability identifiers. Closed source, open source, services, security researchers, IoT developers, individuals, companies, projects; we want to work with everyone. For more information please see https://universalvulnerabilityidentifier.org/. 

  The DWF was founded on the idea of bringing community, openness, and transparency to vulnerability identifiers. These are also principals that the CSA values and has consistently exhibited for over a decade. There will be a few changes to the DWF and DWF data happening in the short term to support these long term goals:

  1. The UVI IDs will all start with the prefix “UVI”. All DWF IDs will have the prefix upgraded to UVI
  2. The iwantacve.org domain is being transferred to the MITRE Corporation. We do hope that the MITRE Corporation continues to run a service that makes acquiring a CVE Identifier quick and painless
  3. The DWF project is dissolved effective immediately

  We are extremely excited for what the future holds. The CSA is a very forward thinking organization that understands and appreciates the past work of the DWF. We all expect this working group will have a great impact on the future of vulnerability identification and management.

• Roland Wolters [Short Tip] Output/redirect content to a file in Nushell

  

  And another short tip about Nushell – I promise that those will be less frequent the more I get used to it.

  My current problem was: how do I redirect content to a file like echo hello > foo.txt and echo world >> foo.txt? The typical approach didn’t work:

  ❯ echo "hello" > foo.txt
  ───┬─────────
   0 │ hello   
   1 │ >       
   2 │ foo.txt 
  ───┴─────────

  Yeah, certainly not what I had in mind. Instead, I had to rethink the approach here. What is what we want to do here? First we output content and need to save it to a file. The connection is a pipe, as usual in Nushell:

  ❯ echo hello | save foo.txt
  ❯ open foo.txt
  hello

  That worked! Second, we want to append something. So we need to open the file, append something, and save it again. In between all steps we need pipes – Nushell, after all:

  ❯ open foo.txt | append "world"| save --raw foo.txt
  ❯ open foo.txt
  hello
  world

  Note that save needs the --raw flag here: it tries to be smart to guess in what format we want to save it, and for some reason in my case it didn’t save the new lines without the flag.

  And that’s it. It is not as short as I would like it to be compared to Bash and others. On the other hand it is way more flexible (it can also handle structured data this way like json) and it is not like I use redirection all the time.

July 13, 2021

• Joe Brockmeier Three sentences in a trench coat pretending to be a coherent thought
  At least once a week when I'm reading, or editing, copy related to work I'll skim over something and realize that what I just read makes no sense. Sure, the words are used properly. The paragraph is composed of sentences that seem grammatically correct. But if you stop to think about what the copy is … Continue reading Three sentences in a trench coat pretending to be a coherent thought →

July 12, 2021

• Roland Wolters [Short Tip] Executing a subshell in Nushell

  

  I just run through a howto where I was asked to execute a command which used the command output from a subshell as an argument for another command. Copy&paste of such typical command examples don’t work with nushell:

  ❯ sudo usermod --append --groups libvirt $(whoami)
  error: Variable not in scope
    ┌─ shell:9:40
    │
  9 │ sudo usermod --append --groups libvirt $(whoami)
    │                                        ^^^^^^^^^ unknown variable: $(whoami)

  The right way to do that in nushell is only slightly different – using subexpressions:

  ❯ sudo usermod --append --groups libvirt (whoami)

• Roland Wolters [Short Tip] Get data type in Nushell

  

  Nushell supports multiple data types. If you get lost what exact data type you are working with just right now, the describe command can help:

  ❯ echo 1 | describe
  integer
  
  ❯ echo "1" | describe
  string

  Unfortunately right now it does not support structured data types like “list” or “table”. Hopefully that will be added in the future:

  ❯ echo [a b c] | describe
  ───┬─────────────────────
   0 │ string 
   1 │ string 
   2 │ string 
  ───┴─────────────────────

  Image by BRRT from Pixabay

• Fedora fans دوره ویدیوئی کامل و رایگان GitHub Actions
  

  در دوره ی آموزشی GitHub Actions شما قادر خواهید بود تا درک عمیقی از مفاهیم، کلیات و نحوه عملکرد GitHub Actions و استفاده از آن در کل فرایند توسعه نرم افزار داشته باشد.

  این دوره ترکیبی از مباحث تئوری و عملی می باشد که برای استفاده از GitHub Actions در پروژه های خود دید بهتری را به شما می دهد.

  این دوره شامل مباحث زیر می باشد:

  1. GitHub Actions Overview

  • What is GitHub Actions
  • Advantages of GitHub Actions over other CI platforms
  • Key functionalities of GitHub Actions
  • Actions components: Events, Triggers, Workflows, Actions
  • Types of Actions: JavaScript vs Container
  • Actions Creation: Monolithic vs Chainable
  • Starter workflows
  • GitHub Actions Syntax
  • Governance of GitHub Actions
  • Debug and Troubleshooting

  2. Actions CI, CD & Release

  • CI Workflows structure
  • Matrix build
  • CI Workflows examples: Docker, Web Apps, etc.
  • CD Workflows structure
  • CD Workflows examples: Docker, Azure, AWS, Serverless, ECS, Kubernetes, etc.
  • GitHub Actions Environments overview
  • Protection Rules and Approvals
  • Deployment Logs overview
  • GitHub Actions Environments: creation, management, and usage

  3. Self-Hosted Runners

  • Difference between Hosted runners and Self-hosted runners
  • Configure Self-hosted runners
  • Runner Groups and why to use them
  • Best practices for Self-hosted runners
  • Dynamically scale Self-hosted runners

  4. Secret Management

  • GitHub Actions Secrets Overview
  • Type of Secrets: Organization vs Repository vs Environment
  • Limitation of GitHub Secrets
  • Secrets: creation, management, and usage
  • Third party actions for secrets (Azure KeyVault, and more)

  5. Advanced GitHub Actions

  • API availability
  • Passing Parameters to Actions
  • Repository Dispatch with custom events

  • Control the flow of the workflow with Conditionals

   

  هم اکنون می توانید دوره ی آموزش ویدیوئی GitHub Actions را مشاهده کنید:

   

   

  The post دوره ویدیوئی کامل و رایگان GitHub Actions first appeared on طرفداران فدورا.

  
• Josh Bressers Episode 279 – The audacity of Audacity: When open source goes rogue

  Josh and Kurt talk about the events happening to the Audacity audio editor. What happens if a popular open source application is acquired by an unknown entity? Can this happen to other open source projects? What can we do about it?

  Show Notes

  • SGDQ Paper Mario
  • Paper Mario Arbitrary Code Execution explained
  • Freenode
  • Audacity acquired by Muse Group
  • Audacity fork

July 09, 2021

• Maxim Burgerhout Building a load balanced Ansible Tower cluster

  Load balancing Ansible Tower cluster

  As you might know, I do a bit of YouTubing. One video request I got a couple of times, was to do a video about clustering Ansible Tower behind a load balancer.

  As I had never done that before myself, it sounded interesting, so I did it.

  Video is here:

  In the video, I use a playbook that I promised to put up somewhere, so here it is:

  ---
  - name: configure Tower cluster
    hosts: tower
    become: yes
    vars:
      custom_config: |
        BROADCAST_WEBSOCKET_PROTOCOL = 'http'
        BROADCAST_WEBSOCKET_PORT = 80
        USE_X_FORWARDED_PORT = True
        USE_X_FORWARDED_HOST = True
      tower_base_url: http://main.nontoonyt.lan
      proxy_ip_allowed_list:
        - 192.168.122.8
      remote_host_headers:
        - HTTP_X_FORWARDED_FOR
        - REMOTE_ADDR
        - REMOTE_HOST
      tower_username: admin
      tower_password: redhat123
  
    tasks:
      # https://access.redhat.com/solutions/5228651 and
      # https://docs.ansible.com/ansible-tower/3.8.3/html/installandreference/proxy-support.html
      - name: drop in configuration file for web sockets over port 80
        ansible.builtin.copy:
          content: ""
          dest: /etc/tower/conf.d/custom.py
          mode: 0640
          owner: root
          group: awx
        notify: restart ansible-tower
  
      - name: configure tower remote host headers
        ansible.tower.tower_settings:
          name: REMOTE_HOST_HEADERS
          value: ""
          tower_host: http://127.0.0.1
          tower_username: ""
          tower_password: ""
        run_once: yes
  
      - name: configure proxy ip allowed list
        ansible.tower.tower_settings:
          name: PROXY_IP_ALLOWED_LIST
          value: ""
          tower_host: http://127.0.0.1
          tower_username: ""
          tower_password: ""
        run_once: yes
  
      - name: configure tower base url
        ansible.tower.tower_settings:
          name: TOWER_URL_BASE
          value: ""
          tower_host: http://127.0.0.1
          tower_username: ""
          tower_password: ""
        run_once: yes
  
    handlers:
      - name: restart ansible-tower
        ansible.builtin.service:
          name: ansible-tower
          state: restarted
  

  Same goes for the haproxy configuration file I use to set this up:

  global
      chroot      /var/lib/haproxy
      pidfile     /var/run/haproxy.pid
      user        haproxy
      group       haproxy
      daemon
      tune.ssl.default-dh-param 2048
  
      # turn on stats unix socket
      stats socket /var/lib/haproxy/stats
  
  #---------------------------------------------------------------------
  # common defaults that all the 'listen' and 'backend' sections will
  # use if not designated in their block
  #---------------------------------------------------------------------
  defaults
      mode                    http
      option                  redispatch
      option                  contstats
      retries                 3
      timeout connect         10s
      timeout client          1m
      timeout server          1m
      option                  forwardfor
  
  #---------------------------------------------------------------------
  
  listen stats
      bind :9000
      mode http
      option forwardfor       except 127.0.0.0/8
      stats enable
      stats uri /
      stats refresh 3s
  
  frontend tower_fe
      bind *:443 ssl crt /etc/haproxy/haproxy.pem
      default_backend tower_be
  
  backend tower_be
      balance roundrobin
      server tower1_http 192.168.122.161:80 maxconn 100 check weight 6
      server tower2_http 192.168.122.201:80 maxconn 100 check weight 1
      server tower3_http 192.168.122.144:80 maxconn 100 check weight 1
      server tower4_http 192.168.122.80:80  maxconn 100 check weight 1
      server tower5_http 192.168.122.89:80  maxconn 100 check weight 1
  

  If you do this installation, make sure you initiate the Tower installation with:

  ./setup.sh -e nginx_disable_https=true -- -b
  

  Check out the video if you want to learn more!

  Cheers!

July 08, 2021

• Maxim Burgerhout Fish, bash, zsh

  Fish, bash, zsh

  Over the last year, I’ve been using fish as my shell on Linux. Before that, I have tried both zsh (with and without oh-my-zsh) and bash. For bash, I wrote my own configuration framework, which - let’s be real - everyone needs to do and probably has done at some point.

  Last week, I decided to switch back from fish to bash. This blog is the story why I did that and what I’m using now. I might look into zsh again at some point, but not now.

  Fish

  Fish. I like fish. Fish shell is a great shell. It really is. I love the frameworks that exist for it, like omf, and I love some of the features is offers. I’ll talk about those first, because that’s what switching shells is generally all about, right? ;)

  Fish features

  The good

  I’ll talk about abbreviations, named function arguments, variable scoping, and the help mechanism.

  Let’s start with abbreviations. In bash, you have functions and aliases. Functions are functions, and aliases are a shortened version of a (series of) command(s). The fish concept of abbreviations is like an alias, but instead of you entering an alias and the shell invisibly executing the aliased command(s), an abbreviation shows you the command it expands to when you hit space or enter.

  This means you can abbreviate long bits of code you need to use regularly, and always see the command you are executing on screen, which is great for understanding and from a security perspective.

  Another great feature of fish is named function arguments. When you define a function in bash or sh, you use something like (I know the function keyword is optional / non-canonical, but I like using it for clarity):

  function myfunction() {
    echo "the result: $1"
  }
  

  The above function might take or might not take any arguments. From the signature of the function, we cannot tell. Enter fish. In fish you would use:

  function myfunction -a result
    echo "the result: $result"
  

  As you can see, the way fish handles defining that function is much clearer to a reader of the code, as the argument to the function is now named $result, not $1.

  You can also have fish add a description to a function with the -d flag, or trigger it when a variable changes with -v. Awesome features.

  Anyway, on to variable scoping. Bash has variables that are local (which are local to their block), as indicated by the local keyword, and the rest. Any variable that is not local in Bash is therefore scoped to the current shell context (either your current interactive shell or a script). This is all ok, and we’ve been doing this for year, except that the local keyword is a bashism, I think, but whatever.

  Fish has more scopes. In fish, a variable can be local, like in bash, it can be global, or they can be universal. A universal variable is shared between fish instances of the same user, which can be quite convenient.

  While setting variables in fish, you can also tell the variable to be exported, treated as a path variable and much more. The downside of this all is the required usage of the set keyword for any variable operations. I’ll come back to why that is a nuisance later.

  Finally, let’s talk about the fish help mechasim. In bash, when you want to learn about a built-in command, you call help for and bash will give you

  $ help for
  for: for NAME [in WORDS ... ] ; do COMMANDS; done
      Execute commands for each member in a list.
  
      The `for' loop executes a sequence of commands for each member in a
      list of items.  If `in WORDS ...;' is not present, then `in "$@"' is
      assumed.  For each element in WORDS, NAME is set to that element, and
      the COMMANDS are executed.
  
      Exit Status:
      Returns the status of the last command executed.
  

  In fish, running help for will open a local copy of the fish docs on your browser, allowing for a much better reading experience, links to other commands and much more. Really nice.

  But now for the bad.

  The bad

  Ok, so what’s bad. Bash / sh incompatibility is bad. When running demos or tutorials, what is generally provided is bash commands. Some will work, but especially the ones where variables are set, will not. Truly frustrating sometimes. Dropping into a bash shell works, but then the commands will be part of my bash history, not my fish history, so I’ll need to remember what history a certain command will be in. Annoying.

  There are some plugins for omf (a fish config framework) that aim to mimic the bash experience around setting the $PATH variable, mainly, but you’ll end up with a weird config and having to work around fish when running a tutorial.

  This is the (big) downside of the variable scoping bit I talked about above.

  The $PATH variable on fish is both an awesome and an aweful thing. It’s awesome because fish allows you to prepend another variable to it, $fish_users_paths, in order to prevent having to override $PATH itself. You can add directories to $fish_users_paths with the fish_add_path command. Per directory, you’ll only ever run that once, since it manipulates a universal variable, and universal variables are saved between session.

  I don’t think there is a fish_remove_path function though, so removing a directory from your path requires you to dig into ~/.config/fish_variables manually.

  Another thing I do not like in the above examples, is that fish does not allow you to do ${result}. That is considered a syntax error. Over the years, I made a habit of wrapping all my variables in curly braces to be consistent through my code and prevent ambiguity with variable names. Fish would require me to do {$result} instead of ${result}, which looks weird. This is trivial though :)

  As a final example of things I do not like: completions. Not really fish’s fauly. Fish has awesome ones, like bash and zsh do. Problem is, neither of the three can read the completion format of the others. Or at least fish cannot read bash or zsh completions, and there simply are less completions for fish. This means that completions for pretty important binaries, like, for example, oh, I don’t know, kubectl might not be supported for fish. This situation is improving, but it’s far from perfect.

  My biggest problem is with following tutorials and howtos though. This was the ultimate reason I switched back

  Config framework

  Any decent Linux person has written some kind of bash / shell configuration framework at some point, amirite?

  So did I, years ago. I just revived it from my personal gitea server and improved it a bit. I might open that repo up soon, just for fun.

  I know that there are a ton of bash config frameworks, like oh-my-bash, out there, but I think my philosophy here is a bit different.

  bashrc.d

  I called my framework bashrc.d a long time ago, and it’ll probably still be called that when I open it up.

  My idea is as follows. It’s simple. I do not need a million plugins that provide ‘handy’ aliases that I do not know exist, that I do not understand, that are not applicable to me and might, in fact, be harmful.

  No plugins with aliases.

  If I add a plugin to bashrc.d, it is because the plugin provides me with some functionality that is otherwise missing. As an example, I have a plugin with a bunch of functions to set, view and unset a number of (free) 1GiB huge pages on Linux. (I use them for virtualization performance.) That’s functionality that’s hard to do in an alias and quite useful, potentially also for others.

  Bashrc.d has a help system for plugins as well, so you can not only enable and disable them through a cli, but also view some help on what they do and what they provide.

  No plugins without built-in help.

  As another example, I have a plugin that helps with the generation of SSL certificates and keys and viewing their properties, complete with docs. I think that is useful.

  I will however not add any huge lists of aliases for all kinds of things. Aliases are mainly a personal preference if you ask me, unless we are talking about really commonly used ones, like kc for kubectl. Maybe. Huge lists of aliases in different plugins are also bound to start conflicting at some point.

  This is why I stopped using all the other frameworks to begin with. I don’t need someone else’s aliases. They’ll never become real muscle memory anyway.

  Aliases go into local_settings.sh in bashrc.d. Aliases are yours. Not mine.

  I like shell configuration frameworks that offer functions to do useful things. Cosmetic plugins, easy to install completions for tools.

  And I suffer from NIH really, really bad :D

July 07, 2021

• Roland Wolters [Short Tip] Doing for-loops in Nushell

  

  Nushell 0.32 added support for typical for loops:

  With the new for..in command, you can write more natural iterating loops:

  Nushell 0.32 release notes

  > for $x in 1..3 { echo ($x + 10) }
  ───┬────
   0 │ 11 
   1 │ 12 
   2 │ 13 
  ───┴────

  Compared to what we have in Bash and others (and given my limited understanding) the most notable difference is that there is no “do”, but instead a curly bracket defining what should be done.

  Also, remember that Nushell has an understanding of various data types, so the iterator in the example above is indeed of type “int”. Just stitching it together with another string doesn’t work:

  ❯ for $i in 1..3 {echo ("/home/" + $i) }
  error: Coercion error
     ┌─ shell:31:23
     │
  31 │ for $i in 1..3 {echo ("/home/" + $i) }
     │                       ^^^^^^^^   -- integer
     │                       │           
     │                       string

  Instead, make sure to echo the iterator:

  ❯ for $i in 1..3 {echo $"/home/(echo $i)" }
  ───┬─────────
   0 │ /home/1 
   1 │ /home/2 
   2 │ /home/3 
  ───┴─────────

  For comparison, if you have a set of strings you can provide them in a table and stitch them together easily:

  ❯ for $i in [a b c d] {echo ("/home/" + $i) }
  ───┬─────────
   0 │ /home/a 
   1 │ /home/b 
   2 │ /home/c 
   3 │ /home/d 
  ───┴─────────

July 05, 2021

• Roland Wolters [Short Tip] Access system variables in Nushell

  

  Working with variables in Nushell works mostly like you would expect it. If you want to define a variable, you need the keyword let:

  ❯ let my_variable = "hello blog readers"
  
  ❯ echo $my_variable
  hello blog readers

  Note that you need the spaces around the equal sign character!

  ❯ let my_variable="hello blog readers"
  error: let requires the equals sign parameter
     ┌─ shell:21:1
     │
  21 │ let my_variable="hello blog readers"
     │ ^^^ requires the equals sign parameter

  But apart from defining your own variables, there is a surprised when you try to access typical system variables:

  ❯ echo $HOME
  error: Variable not in scope
     ┌─ shell:25:6
     │
  25 │ echo $HOME
     │      ^^^^^ unknown variable: $HOME

  The reason for that error is that Nushell places system environment variables underneath the main variable $nu:

  ❯ echo $nu|pivot
  ───┬─────────────────┬────────────────────────────────────────────
   # │     Column0     │                  Column1                   
  ───┼─────────────────┼────────────────────────────────────────────
   0 │ env             │ [row 34 columns]                           
   1 │ history-path    │ /home/liquidat/.local/share/nu/history.txt 
   2 │ config          │ [row path prompt startup]                  
   3 │ config-path     │ /home/liquidat/.config/nu/config.toml      
   4 │ path            │ [table 5 rows]                             
   5 │ cwd             │ /home/liquidat
   6 │ home-dir        │ /home/liquidat
   7 │ temp-dir        │ /tmp                                       
   8 │ keybinding-path │ /home/liquidat/.config/nu/keybindings.yml  
  ───┴─────────────────┴────────────────────────────────────────────
  
  ❯ echo $nu.env|pivot
  ────┬──────────────────────────┬────────────────────────────────────────────────────
   #  │         Column0          │                      Column1                       
  ────┼──────────────────────────┼────────────────────────────────────────────────────
    0 │ CMD_DURATION_MS          │ 2                                                  
    1 │ HOME                     │ /home/liquidat                                            
    2 │ SYSTEMD_EXEC_PID         │ 2958                                               
    3 │ SSH_AUTH_SOCK            │ /run/user/1000/keyring/ssh                         
    4 │ SESSION_MANAGER          │ local/unix:@/tmp/.ICE-unix/2557,unix/unix:/tmp/.IC 
      │                          │ E-unix/2557                                        
    5 │ GNOME_TERMINAL_SCREEN    │ /org/gnome/Terminal/screen/71e37281_4af2_4c9b_be19 
  [...]
  
  ❯ echo $nu.env.HOME
  /home/liquidat

  The environment variables are generated from the environment Nushell was started in. If you need to update those for the current environment, use the command let-env:

  ❯ echo $nu.env.LANG
  en_US.UTF-8
  
  ❯ let-env LANG = C
  
  ❯ echo $nu.env.LANG
  C

  Image by Susanne Westphal from Pixabay

• Kushal Das Reproducible wheel buidling failure on CircleCI container

  At SecureDrop project we have Python wheels built for Python 3.7 on Buster in a reproducible way. We use the same wheels inside of the Debian packages. The whole process has checks to verify the sha256sums based on gpg signatures, and at the end we point pip to a local directory to find all the dependencies.

  Now, I am working to update the scripts so that we can build wheels for Ubuntu Focal, and in future we can use those wheels in the SecureDrop server side packages. While working on this, in the CI I suddenly noticed that all wheels started failing on the reproducibility test on Buster. I did not make any change other than the final directory path, so was wondering what is going on. Diffoscope helped to find out the difference:

  │ -6 files, 34110 bytes uncompressed, 9395 bytes compressed:  72.5%
  │ +6 files, 34132 bytes uncompressed, 9404 bytes compressed:  72.4%
  ├── six-1.11.0.dist-info/METADATA
  │ @@ -9,14 +9,15 @@
  │  Platform: UNKNOWN
  │  Classifier: Programming Language :: Python :: 2
  │  Classifier: Programming Language :: Python :: 3
  │  Classifier: Intended Audience :: Developers
  │  Classifier: License :: OSI Approved :: MIT License
  │  Classifier: Topic :: Software Development :: Libraries
  │  Classifier: Topic :: Utilities
  │ +License-File: LICENSE
  │  
  │  .. image:: http://img.shields.io/pypi/v/six.svg
  │     :target: https://pypi.python.org/pypi/six
  │  
  │  .. image:: https://travis-ci.org/benjaminp/six.svg?branch=master
  │      :target: https://travis-ci.org/benjaminp/six
  ├── six-1.11.0.dist-info/RECORD
  │ @@ -1,6 +1,6 @@
  │  six.py,sha256=A08MPb-Gi9FfInI3IW7HimXFmEH2T2IPzHgDvdhZPRA,30888
  │  six-1.11.0.dist-info/LICENSE,sha256=Y0eGguhOjJj0xGMImV8fUhpohpduJUIYJ9KivgNYEyg,1066
  │ -six-1.11.0.dist-info/METADATA,sha256=vfvF0GW2vCjz99oMyLbw15XSkmo1IxC-G_339_ED4h8,1607
  │ +six-1.11.0.dist-info/METADATA,sha256=Beq9GTDD6nYVwLYrN3oOcts0HSPHotfRWQ_Zn8_9a7g,1629
  │  six-1.11.0.dist-info/WHEEL,sha256=Z-nyYpwrcSqxfdux5Mbn_DQ525iP7J2DG3JgGvOYyTQ,110
  │  six-1.11.0.dist-info/top_level.txt,sha256=_iVH_iYEtEXnD8nYGQYpYFUvkUW9sEO1GYbkeKSAais,4
  │  six-1.11.0.dist-info/RECORD,,
  

  It seems somehow the packages were picking up metadata about the LICENSE file. After looking into the environment, I found virtualenv is pulling latest setuptools into the virtualenv. Thus breaking the reproducibility. It was a quick fix. Yes, we do pin setuptools and pip in our wheels repository.

  Next, the extension based wheels started failing, and I was going totally crazy to find out why there is some ABI change. I still don't know the correct reason, but noticed that the circleci/python:3.7-buster container image (and the upstream Python container) is using different flags to build the extensions than Debian Buster on vm/bare metal. For example, below on the top we have the command line from the container and then inside of the normal Debian Buster.

  creating build/temp.linux-x86_64-3.7/lib/sqlalchemy/cextension
  gcc -pthread -Wno-unused-result -Wsign-compare -DNDEBUG -g -fwrapv -O3 -Wall -fPIC -I/home/circleci/project/.venv/include -I/usr/local/include/python3.7m -c lib/sqlalchemy/cextension/processors.c -o build/temp.linux-x86_64-3.7/lib/sqlalchemy/cextension/processors.o
  gcc -pthread -shared build/temp.linux-x86_64-3.7/lib/sqlalchemy/cextension/processors.o -L/usr/local/lib -lpython3.7m -o build/lib.linux-x86_64-3.7/sqlalchemy/cprocessors.cpython-37m-x86_64-linux-gnu.so
  building 'sqlalchemy.cresultproxy' extension
  gcc -pthread -Wno-unused-result -Wsign-compare -DNDEBUG -g -fwrapv -O3 -Wall -fPIC -I/home/circleci/project/.venv/include -I/usr/local/include/python3.7m -c lib/sqlalchemy/cextension/resultproxy.c -o build/temp.linux-x86_64-3.7/lib/sqlalchemy/cextension/resultproxy.o
  gcc -pthread -shared build/temp.linux-x86_64-3.7/lib/sqlalchemy/cextension/resultproxy.o -L/usr/local/lib -lpython3.7m -o build/lib.linux-x86_64-3.7/sqlalchemy/cresultproxy.cpython-37m-x86_64-linux-gnu.so
  building 'sqlalchemy.cutils' extension
  gcc -pthread -Wno-unused-result -Wsign-compare -DNDEBUG -g -fwrapv -O3 -Wall -fPIC -I/home/circleci/project/.venv/include -I/usr/local/include/python3.7m -c lib/sqlalchemy/cextension/utils.c -o build/temp.linux-x86_64-3.7/lib/sqlalchemy/cextension/utils.o
  gcc -pthread -shared build/temp.linux-x86_64-3.7/lib/sqlalchemy/cextension/utils.o -L/usr/local/lib -lpython3.7m -o build/lib.linux-x86_64-3.7/sqlalchemy/cutils.cpython-37m-x86_64-linux-gnu.so
  
  
  
  creating build/temp.linux-x86_64-3.7/lib/sqlalchemy/cextension
  x86_64-linux-gnu-gcc -pthread -DNDEBUG -g -fwrapv -O2 -Wall -g -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -fPIC -I/home/kdas/code/securedrop-debian-packaging/.venv/include -I/usr/include/python3.7m -c lib/sqlalchemy/cextension/processors.c -o build/temp.linux-x86_64-3.7/lib/sqlalchemy/cextension/processors.o
  x86_64-linux-gnu-gcc -pthread -shared -Wl,-O1 -Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,relro -g -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 build/temp.linux-x86_64-3.7/lib/sqlalchemy/cextension/processors.o -o build/lib.linux-x86_64-3.7/sqlalchemy/cprocessors.cpython-37m-x86_64-linux-gnu.so
  building 'sqlalchemy.cresultproxy' extension
  x86_64-linux-gnu-gcc -pthread -DNDEBUG -g -fwrapv -O2 -Wall -g -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -fPIC -I/home/kdas/code/securedrop-debian-packaging/.venv/include -I/usr/include/python3.7m -c lib/sqlalchemy/cextension/resultproxy.c -o build/temp.linux-x86_64-3.7/lib/sqlalchemy/cextension/resultproxy.o
  x86_64-linux-gnu-gcc -pthread -shared -Wl,-O1 -Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,relro -g -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 build/temp.linux-x86_64-3.7/lib/sqlalchemy/cextension/resultproxy.o -o build/lib.linux-x86_64-3.7/sqlalchemy/cresultproxy.cpython-37m-x86_64-linux-gnu.so
  building 'sqlalchemy.cutils' extension
  x86_64-linux-gnu-gcc -pthread -DNDEBUG -g -fwrapv -O2 -Wall -g -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -fPIC -I/home/kdas/code/securedrop-debian-packaging/.venv/include -I/usr/include/python3.7m -c lib/sqlalchemy/cextension/utils.c -o build/temp.linux-x86_64-3.7/lib/sqlalchemy/cextension/utils.o
  x86_64-linux-gnu-gcc -pthread -shared -Wl,-O1 -Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,relro -g -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 build/temp.linux-x86_64-3.7/lib/sqlalchemy/cextension/utils.o -o build/lib.linux-x86_64-3.7/sqlalchemy/cutils.cpython-37m-x86_64-linux-gnu.so
  installing to build/bdist.linux-x86_64/wheel
  

  If you want to see the difference in the flags, you can try out the following command:

  python3 -m sysconfig
  

  Look for PY_CFLAGS and related flags in the command output. Reproducibility depends on the environment, and we should not expect the latest container image (with the latest Python 3.7.x release) creating the same thing like in Debian Buster, but the failure started recently, we did not notice this a few months. Also, this means in future we should enable reproducibility tests on nightlies in CI.

• Fedora fans دانلود مقاله مقدمات ایمکس برای زبانشناسان
  

  ایمکس (Emacs) نام یکسری از نرم افزارهای ویرایشگر متن قدرتمند است که مشهورترین آنها گنو ایمکس است. در اکثر مواقع وقتی ایمکس به تنهایی گفته میشود منظور گنو ایمکس است.

  ویرایشگر متن ایمکس نرم افزاری آزاد است که بر روی اکثر سیستم عاملها اجرا میشود. این نرم افزار هم در محیط گرافیکی و هم در محیط متنی اجرا میشود. ایمکس قابلیت شخصی سازی بالایی دارد.

  «مقدمات ایمکس برای زبانشناسان» نام مقاله ای است که توسط آقای هومن جاویدپور تهیه و تنظیم شده است. این مقاله به زبان فارسی می باشد که علاقمندان به ویرایشگر Emacs می توانند آن را به رایگان دانلود و استفاده کنند.

   

  نام مقاله: مقدمات ایمکس برای زبانشناسان

  تهیه و تنظیم: هومن جاویدپور

  نوع فایل: pdf

  حجم فایل: ۸۴۸ کیلوبایت

  تعداد صفحات: ۲۱

  لینک: دانلود

  The post دانلود مقاله مقدمات ایمکس برای زبانشناسان first appeared on طرفداران فدورا.

  
• Josh Bressers Episode 278 – Could SELinux have stopped SolarWinds?

  Josh and Kurt talk about a listener provided question. Could SELinux have stopped the SolarWinds attack? Given what we know, the answer is technically yes, but practically no. SELinux is awesome, but it’s very difficult to sandbox something like a build system.

  Show Notes

  • Gone in 60 milliseconds
• Josef Strzibny How I earn over $750 a month from my unfinished book

  I started to sell the pre-release version of my book in April. Here are the numbers 3 months later.

  I am writing a book on web application deployment for quite some time now. It’s called Deployment from Scratch and I decided to sell its unfinished version to early customers. I wanted to finally validate this product with money rather than just the email list I built. I also knew some people wanted to start reading sooner. So why not? My last programming book was also just an ebook in beta afterall.

  This post is about some of my thinking behind making the pre-release and how went it went when comes to sales.

  Background

  While I knew that selling sooner is a good tactic, I wasn’t comfortable to put just about anything out there. I sit down and thought hard what would be the the first public version. In the end, it was actually a small book on its own because it went all the way from networking to deploying static websites. So, if this is a book on just deploying static websites, it would have a good ending. After this release, I was adding a chapter or two from time to time, and notifying my waiting list about the changes.

  All of that went on for three months starting in April and it was probably the best decision I made so far for this product. I got new feedback, more validation, and even earn some first dollars. Wondering why I didn’t start sooner? Why I couldn’t go chapter by chapter from the beginning? I was only comfortable selling something once I saw the light at the end. I didn’t want for people to wait too long for the final version.

  Sales

  Most of you came here because of the numbers. So let’s get into it. Here are the sales of the first three months:

  Month	Views	Copies	Sales
  April	474	80	$2,009
  May	266	26	$754
  June	315	29	$831

  Note that views are visits to the Gumroad product page, and sales are before any fees or taxes. The price of the early version was $25, then $29. You can still buy it for this price.

  If you are thinking, nice passive income, then you couldn’t be more wrong. I had to spend significant time making updates to the book and announcing them on my mailing list to sell anything. I started to write the book 2 years before that.

  But I had progressed in terms of writing, and the sales brought me some sanity and peacefulness. Writing this book is the hardest thing I have ever done. If you bought your copy, a big thank you!

  Conversions

  I’ll mention referrer conversions tracked by Gumroad, but I don’t know what to think about them. I link to the landing page from my emails and blog, for example. So those high rates are from people that were already interested one step before arriving at Gumroad page for checkout:

  Referrer	Conversion
  deploymentfromscratch.com	25.3%
  email	9.9%
  Gumroad	21.1%
  Recommended by Gumroad	10%
  nts.strzibny.name	6.1%
  news.ycombinator.com	2%

  Gumroad can sell your product in their store and it sold 6 copies for $174 with a 10% conversion for me. That’s more than I expected.

  Mailing list

  Since the most sales come from the mailing list, you might be interested in email campaign statistics. But I’ll have to disappoint you, I value every single person that signs up for the book updates, so I am not tracking them at all. If you value people you are emailing to, stop tracking their private inboxes. Besides, those opens and clicks are never accurate anyway.

  But I can tell you that I waited until I had 600 people on the list. Then, since any email sent meant bounces and unsubscribes (usually < 5), I sent other updates only after I got new signups to cover for that.

  Ratings

  So that’s it, I am ramen profitable, and most importantly, people like it so far. If you are one of the people giving it a 5-star rating, thank you so so much. That’s why I do it.

  

  Now excuse me, I have a book to finish…

July 02, 2021

• Joe Brockmeier 3 ways to reduce technical debt in content: Avoid bare URLs, events and analyst content
  Infrastructure and code aren't the only things in your organization that incur technical debt. Content marketing on blogs is a major offender. Here's just three things to cut down on technical debt in your content marketing on blogs. Content marketing practice to avoid: Bare URLs/URIs in content Be kind to your readers and to yourself: … Continue reading 3 ways to reduce technical debt in content: Avoid bare URLs, events and analyst content →

June 29, 2021

• Joe Brockmeier reMarkable 2 and its unremarkable software: Substandard tools hobble excellent hardware
  The reMarkable 2 is a nifty piece of engineering. It's about the size of a thin college (U.S.) notebook, responsive and feels as close to writing on paper as a tablet is likely to get. The tools, on the other hand, leave a lot to be desired. reMarkable 2 and cloud services The reMarkable 2 … Continue reading reMarkable 2 and its unremarkable software: Substandard tools hobble excellent hardware →

June 28, 2021

• Jeremy Cline HDR in Linux: Part 2

  In the previous post, we learned what HDR is: a larger luminance range that requires more bits per component, new transfer functions to encode that luminance, and potentially some metadata. We can examine the work required to use it in a “standard” Linux desktop. By “standard”, I of course meant my desktop environment, which is GNOME on Fedora.

  To do this, we’ll consider a single use-case and examine each portion of the stack, starting at the top and working our way down. The use-case is watching an HDR movie in GNOME’s video application, Totem. In this scenario, the application isn’t likely to tone-map its content as it has been created with HDR metadata the display itself can use to tone-map when necessary, but I will note where this could happen.

  Let’s review the high-level requirements:

  • The Wayland display server (compositor) must determine the display capabilities (color primaries and white point, luminance, transfer function, bits per component, etc) in order to know what outputs are possible and/or optimal.

  • Client applications may want to know what content encoding the Wayland display server supports and maybe even what the optimal content encoding is for the display it is on (the native primaries, transfer function, bit depth, luminance capabilities, and so on)

  • Client applications need to express the transfer function, bit depth, color space, and any HDR metadata for its content (the “content encoding”) to the compositor. The compositor, in turn, needs to ensure the content from all the client applications are blended properly and output in a format the display can handle.

  You might be familiar with text encoding. Adding HDR support is very similar to adding support for various text encoding formats when previously everything assumed content was encoded with ASCII. Instead of ASCII, the graphics stack largely assumes everything is sRGB.

  Totem

  At the top of the stack we have Totem, which provides the user interface and playback management features. It relies on GStreamer to deal with the video itself. It appears to use the playbin plugin, which GStreamer describes as an “everything-in-one” abstraction for a audio and video player.

  Since Totem is all about wiring up a user interface to the GStreamer playbin plugin, GStreamer needs to be HDR-aware. Totem uses GTK and Clutter-GTK to create the user interface, so those libraries are also something we should examine.

  GStreamer

  Based on the GStreamer documentation and this talk by Edward Hervey all the necessary features appear to already be implemented for HDR video playback.

  The GStreamer video library contains an HDR section. The APIs, available since 1.20, include interfaces for working with SMPTE ST 2086 (static metadata) and SMPTE 2094-40 (dynamic metadata). This metadata can be attached to a GstBuffer.

  The GstVideoInfo structure includes colorimetry including the color primaries and transfer function. GstVideoInfo also includes the GstVideoFormatInfo structure which describes the pixel format, including bit depth. These contain all the information required to decode and convert the content. The GstVideoFrame ties the GstBuffer and GstVideoInfo together.

  So GStreamer has all the content metadata we need. Next, we need to make sure it gets from the application, Totem, to the Wayland display server. The client-to-server interaction occurs in the EGL or Vulkan Window System Integration (WSI) APIs. These APIs are where OpenGL and Vulkan APIs are integrated into the particular operating system. This is where buffers are allocated for use within the graphics libraries and they include ways to provide the content encoding. As long as the metadata GStreamer extracts is passed to the relevant EGL or Vulkan API, we are all set. Mesa includes implementations of EGL and Vulkan WSI, so we will examine those after GTK.

  Clutter-GTK

  In the section on Totem, we noted that it uses Clutter-GTK. The documentation is sparse and appears to assume the reader has an understanding of Clutter and why one would want to use it. Clutter appears to be a library for arranging a collection of 2-dimensional surfaces (“actors” in Clutter’s terms) in 3-dimensional space.

  If we look at Clutter’s repository the README notes it is in “deep maintenance mode” and is intended to be replaced with GTK 4. Based on the commit log this is true, so we will look no further and focus on GTK 4.0.

  GTK

  GTK is a “widget toolkit”. It provides, either through a dependency or on its own, an application abstraction, event loop, rendering interfaces, methods to declare various user interface elements (buttons, text fields, etc), and other useful utilities for building a graphical user interface.

  As of GTK 4, rendering is usually performed by OpenGL. As we’ll examine later, OpenGL APIs offer the necessary interfaces to handle HDR content, but GTK’s rendering model introduces a few issues. To understand the difficulties we need to understand how GTK builds the application window.

  A Window into GTK

  GTK documents its drawing model in some detail and it would best to read through it before proceeding.

  One of the most relevant parts of the documentation is that

  Each GTK toplevel window or dialog is associated with a windowing system surface. Child widgets such as buttons or entries don’t have their own surface; they use the surface of their toplevel”

  GTK has each widget render itself, and then combines them all into a single surface which it shares with the Wayland display server to be combined with all the other client surfaces. We’ll look at the Wayland protocol in detail later, but what’s important to know right now is that the surface is where the content encoding should be stored.

  This single surface that GTK produces, therefore, needs to be composed of widgets that all use the same content encoding. Unfortunately, GTK does not offer a way specify what content encoding to use for widgets it renders, nor does it provide a way for users to convey the content encoding they are using for their custom widgets. All content GTK produces on the application’s behalf, like buttons, menus, the window decorations, and so on, are rendered in an undefined color space with an undefined transfer function. In practice, this seems to be sRGB. All textures GTK creates are hard-coded to use 8 bits per component, including when it combines all the widgets into a single image.

  This means, unfortunately, that at the moment there is no way to use GTK for an application interested in producing HDR content (video players, image viewers, content creation tools, etc).

  Ways Forward

  There are a few ways for GTK to work in a world where sRGB isn’t the only content. I can’t really say which approach is best, or even if this is an exhaustive list of options since my knowledge of GTK is only a few days old. Regardless, a good bit of work is necessary to make GTK HDR-ready.

  Widgets with Content Encoding

  One solution, if GTK wishes to remain in the business of blending images together, is to ensure each widget includes a way to express how the content it produces is encoded. GTK can then use this to ensure they are combined correctly. If, for example, sRGB content and PQ-encoded content were combined into a destination image without converting the sRGB content, the end result would be that the sRGB portions of the image would be extremely dark. This, of course, introduces a reasonable amount of complexity to GTK as it needs to convert between a potentially long list of formats in addition to introducing interfaces for specifying the content encoding everywhere it matters.

  Sub-surfaces

  Wayland offers a way to create surfaces with a parent-child relationship called subsurfaces. Since the surface is where the content encoding is stored, GTK could use sub-surfaces to defer the blending of different content encoding to the Wayland display server. This would allow GTK to remain in its undefined, sRGB-ish world while allowing applications to handle modern content with other content encoding. However, I am told these are problematic as they cannot be clipped or transformed by GTK.

  Require a single HDR Format

  Rather than handling converting all the widgets to the same content encoding, GTK could specify one HDR-capable format it supports and require all widgets to use that if HDR has been requested for the application. A format like scRGB with half-precision 16-bit floating point numbers for each color component. This, however, has the downside that all HDR content needs to be converted from its native format to scRGB, blended with the other GTK widgets, and then converted back to some on-the-wire HDR format in the Wayland display server.

  Even with this approach, GTK cannot blend the SDR content into HDR content without considering what luminance range to map SDR content to, which needs to correspond to the display brightness level the user has set.

  Use Sub-surfaces Outside GTK

  Applications can work around GTK not dealing with content encoding by not using GTK for anything other than the menus, buttons, and so on. In fact, this is how Firefox handles things; GTK is used for the “chrome” and the content is rendered to a Wayland sub-surface which Firefox manages itself and overlays on the GTK surface. This sub-surface can be properly configured for HDR and the compositor can handle blending it with GTK’s surface.

  This, of course, isn’t ideal as the applications have to work around the toolkit rather than having the toolkit help them. However, it is a path forward worth mentioning.

  Mesa

  Mesa provides the OpenGL implementation that clients like GTK use to render their content. To allocate storage for the output of that rendering, clients use the EGL or Vulkan WSI interfaces for which Mesa also provides implementations.

  EGL

  The full EGL standard is available online. Of particular interest to us are the interfaces for creating surfaces. eglCreatePlatformWindowSurface includes a list of attributes, including the EGL_GL_COLORSPACE attribute. As of EGL 1.5, only EGL_GL_COLORSPACE_SRGB (which defines both color primaries and a transfer function) and EGL_GL_COLORSPACE_LINEAR (presumably the sRGB primaries, linear light) are defined. However there are a number of extensions to EGL for additional color space attributes including:

  • BT2020 with linear or PQ-encoded luminance

  • Display-P3 with linear and “sRGB-like” encoded luminance

  Additionally, there is an extension to allow the EGL_GL_COLORSPACE attribute to be applied to eglCreateImage

  These extensions make it possible to convey the color primaries and transfer function to the Wayland display server.

  However, this is not currently done because the Wayland protocol has not yet accepted a way to send the content encoding. The proposed protocol has been under discussion (200+ comments) for a year. The details will be covered in the Wayland section below, but for now what’s important to know is that the protocol needs to define a message for the color space and transfer function that is sent from the client via Mesa when a surface is created in EGL.

  Finally, there is an EGL extension for specifying the HDR metadata for a surface. By calling eglSurfaceAttrib and providing the attributes defined in EXT_surface_SMPTE2086_metadata a client can set the HDR metadata for the content. This is actually already partially wired up in Mesa. All that remains is for the Wayland-specific EGL code to send the HDR metadata to the Wayland display server. Again, there is no protocol for this at the moment.

  While it is a dizzying array of extensions, EGL already includes all the metadata and APIs to send the content encoding from the client (Totem, by way of GStreamer) to the Wayland compositor.

  Vulkan WSI

  The Vulkan Window System Interface requires much less bouncing between extensions to determine how it all works.

  For WSI, the content encoding is set when creating a swapchain by providing a VkSwapchainCreateInfoKHR structure. This includes the pixel format as well as the color space. Like EGL, the color space enumeration defines both the color primaries and the transfer function together. There is support for sRGB, Display-P3, BT2020, and more, all with linear and one or more transfer function options.

  The HDR metadata can be provided by the client using vkSetHdrMetadataEXT, which applies to the swapchain. With those two calls, a client can describe the content encoding.

  Like EGL, the WSI implementation in Mesa does not forward this content encoding to the Wayland compositor because there’s no protocol.

  Ville Syrjälä created a proof-of-concept branch of Mesa back in 2017 to have Mesa use the Wayland protocol proposal (of the time), and I rebased it recently to “work” with the latest Wayland protocol proposal. It doesn’t actually work yet, but it is a good approximation of the work required, which is implementing the standard’s functions to call libwayland functions with the content encoding details.

  The Wayland Protocol

  As we touched on in the Mesa section, the Wayland protocol is still being discussed. The discussion is extensive, and I cannot do it justice in this post, but in this section I’ll outline the basics of what the protocol must include and approximately what that would look like.

  Wayland is a client-server architecture. The clients are applications like the video player Totem. A Wayland display server handles client requests and notifies them of relevant events.

  You can, at this point, probably guess what information the protocol needs to include. The client needs to inform the server of:

  • The color primaries (red, green, blue, and white point coordinates)

  • The transfer function used to encode the luminance.

  • HDR metadata when it is available - in the case of Totem playing an HDR movie, HDR metadata will be available. This metadata may remain the same for many frames (perhaps the whole movie), or it may change frame-by-frame.

  Without this information, the Wayland display server cannot properly tone-map or blend the content, nor could it offload those tasks to dedicated GPU hardware or the display since they both need the same information.

  The protocol includes an object that represents a rectangular area that can be displayed, the wl_surface. The surface is backed by a wl_buffer. The wl_buffer holds the content and the wl_surface describes the role of the content and how the server should interpret the contents of the wl_buffer, such as how it should be scaled or rotated. Since the wl_surface includes metadata about the content, it is probably the right place to include other details about how the server should interpret the buffer, namely the color primaries, transfer function, and HDR metadata. While the color primaries and transfer function aren’t likely to change over the lifetime of a surface, the HDR metadata can change - HDR10+ and Dolby Vision allow for frame-by-frame HDR metadata - so the protocol should account for that.

  Additionally, the Wayland display server should be able to inform the clients of:

  • The native color primaries of the display. This will not be a standard color space such as sRGB.

  • Standard color spaces the display will accept (and internally convert to its native color space).

  • Transfer functions the display can decode.

  • Minimum luminance, maximum sustainable luminance, and peak (burst) luminance.

  • HDR metadata formats the display will accept.

  In the case of Totem playing an HDR movie, it would not need to concern itself with tone-mapping and would not need to know about what displays it might be targeting. However, something like a video that generates content would benefit from targeting the display’s capabilities.

  Mutter

  Mutter is, among other things, a Wayland display server. Once a protocol is in place, Mutter needs to implement it. To support HDR, Mutter needs to be able to:

  • Inform clients of display capabilities.

  • Act upon the content encoding provided by the clients to correctly convert all content to the same encoding and blend them all together into the desktop we know and love.

  To inform clients of the display capabilities, Mutter can use the Extended Display Identification Data (EDID) from the kernel, which contains the display color primaries, supported HDR formats, and so on. It will be covered in detail in the kernel section below. The EDID is, in fact, already being used in Mutter so this will be a small addition to that. There is some trickiness around multi-monitor setups as clients don’t generally know which monitor they are being displayed on, but displays with differing pixel density have a similar challenge and Wayland handles that by providing events to the application when it enters a new display and the display content encoding could work the same way.

  To act upon the client-provided content encoding, however, requires a bit more work.

  Consolidating Existing Color Management

  GNOME already has some color management capabilities. At the moment, they are split up in gnome-settings-daemon, colord, and Mutter.

  colord is a system service that maintains a database of devices, color profiles, and the association between the two (including things like the default profile). At the moment, however, gnome-settings-daemon is responsible for querying colord and sets up the profile by calling Mutter D-Bus APIs.

  Mutter needs to be aware of each display’s color profile in order transform the client content if necessary. The existing API for setting color profiles is also difficult to use because it acts on CRTC objects rather than displays. Some displays are composed of multiple panels tiled together and are therefore backed by several CRTCs. It makes more sense for Mutter to query colord itself rather than having gnome-settings-daemon do it. gnome-settings-daemon also handles the Night Light feature, which adjusts the color profile to shift the white point towards red to remove the blue light. Mutter needs to either handle the Night Light feature or, preferably, provide a “temperature” API and allow Mutter users to control when and how much to adjust the color temperature.

  Support Converting Buffer Formats

  There are a number of ways to store an image, but they generally fall into two categories. The first is to represent the red, green, and blue components, and that’s the way we’ve been discussing images in this blog post series.

  Another way is to represent the luminance of a pixel, and then two color components for that same pixel. The third color component can be calculated using the lumanince and two known color components. This approach is commonly referred to as YUV although there are several flavors. This is a valuable approach because humans are more spatially sensitive to luminance than they are color which means it’s possible to produce a reasonably good-looking image even if you keep track of, say, every other pixel’s color. This is called chroma subsampling.

  A lot of content, like films, are encoded using this approach, but at the moment Mutter does not support YUV formats. It would be convenient, since we’re adding a way for clients to communicate content encoding, to handle such formats. There has been some work in this area by Niels De Graef.

  Compositing the Content

  Once Mutter has knowledge of the content encoding of every surface, it can blend them together and convert them to the target encoding of the display. This involves:

  1. Convert YUV to RGB if necessary.

  2. Perform a color space transformation so that all surfaces are using the same color primaries and whitepoint.

  3. Removing the transfer function on surfaces so that Mutter is dealing with the optical (linear) values rather than the non-linear on-the-wire encoding. Adding two non-linear values together without accounting for the non-linearity results in incorrect luminance levels. You can try this with the following Python snippet:

     def gamma(u):
         """Apply the sRGB gamma definition to linear light levels"""
         return 1.055 * u**(1/24) - 0.055
     

     Consider adding linear light level 50 to linear light level 50 and then applying the transfer function versus adding the non-linear encoding of 50 to itself:

      >>> gamma(100)
      1.2231616798531606
      >>> gamma(50) + gamma(50)
      2.3735497958717904
     

  4. Blend the surfaces together. This becomes tricky with HDR since SDR does not have a clearly defined luminance range, it’s just how bright your display is set, but PQ-encoded content does have a well-defined luminance range. Mutter will need define the SDR luminance range and map that content into that well-defined range to ensure SDR content isn’t too dim or too bright.

  Tone-mapping

  With HDR, clients may provide surfaces that encode luminances beyond the capabilities of the target display. Displays account for this by tone-mapping out-of-range content into the display range. This is described in Section 5.4.1 of BT.2390. The important thing to know is that providing the display with out-of-range luminance levels will result in something that looks fine to most end users, but there may be a desire to carefully control what happens when this occurs.

  Mutter would be responsible for implementing alternate tone-mapping if the display’s default behavior is unacceptable for the user. This would most likely be a concern for content creators.

  The Kernel

  We have arrived at the kernel, the final stop in this journey down the stack. The good news is that the basic requirements for HDR have already been met. We’ll touch on those and then look at additional features necessary for us to use certain hardware features.

  The Bare Minimum

  These are the bare minimum features for HDR and are already present in the kernel.

  Display Capabilities

  As we noted in the Mutter section, the EDID structure provided by a display is already available to userspace via the EDID connector property. Userspace can parse it for the chromaticity coordinates of the display primaries, the luminance, supported color spaces, and supported transfer functions. At the moment, many different projects implement parsing the EDID structure, but there have been some requests for a library to do so.

  One thing worth noting is that EDID is quite old and has a replacement standard, DisplayID. Both standards are available from VESA for free, although you do need to provide your name and email address to access them. DisplayID has a Display Parameters block that includes luminance and chromaticity values, and the Display Interface Features block contains supported color space and transfer function combinations as well as bit depths. EDID included much of this information, but only as an extension documented in CTA-861 (currently at revision G). Recently CTA made this available for free, although you must provide an email and billing address to download it.

  Displays can provide an EDID, DisplayID, or both. For the curious, the VESA E-DCC standard documents how these structures are accessed over I²C. How I²C is sent over, for example, DisplayPort is documented within the DisplayPort specification, which is only available to VESA members so the very curious will have to resort to reading the Linux kernel’s implementation if they aren’t members.

  DisplayID can be embedded in the EDID structure as an extension so it may be available to userspace via the existing EDID connector property, but at this time there is not a dedicated kernel interface to retrieve a standalone DisplayID structure that I am aware of. The work to add one would be minimal, however, since it’s extremely similar to the EDID.

  HDR Metadata

  The kernel exposes a HDR_OUTPUT_METADATA connector property that userspace can use to send HDR metadata to the kernel and thus to the display.

  At this time there is only one supported metadata type, which corresponds to the HDR metadata defined in CTA-861 in section 6.9 “Dynamic Range and Mastering InfoFrame”. This should be all that is required for HDR10 and HDR10+ content.

  Bits Per Component

  The max bpc standard connector property is a range property that allows the hardware driver to indicate valid bits per color component. Userspace can set this property so long as it is within the driver-provided range to control the output bit depth.

  Nice-to-have Features

  The bare minimum feature set is present for HDR content and allows us to query display capabilities, pass HDR metadata on to the display, and configure the bits-per-component sent to the display.

  This leaves userspace to handle color space transformations, applying the transfer function’s inverse to get linear light values, blending, and re-encoding the results with a (perhaps different) transfer function. All that is possible, of course, but there are a number of hardware features for all those operations and it would be great to use them when they are there rather than performing the operations using expensive CPU or general purpose graphics shaders cycles.

  Planes

  Before we cover the encoding, decoding, color space transformations, and so on, it’s important to become familiar with planes. Planes hold images and descriptions of how those images should be blended into the final output image. These are analogous to a Wayland surface, which contains a buffer with the image data and metadata for the image.

  Planes describe how they should be cropped, scaled, rotated, and blended with other planes to compose the final image sent to the display. These planes are backed by dedicated hardware that can efficiently do those operations. For the curious, the display engine section of Intel’s documentation describes some of the hardware plane’s capabilities. Of particular interest is the diagram around page 258 which illustrates the plane pipeline.

  One or more planes are used to compose the image the CRTC scans out to the display.

  Decoding, Color Space Transformations, Blending, and Encoding

  Graphics hardware typically provides hardware dedicated to efficiently decode, transform, and re-encode images. Encoding are decoding are done with look-up tables that approximate the smooth curve of the desired transfer function by mapping encoded values to optical values and optical values to encoded values. For historical reasons, these are referred to as the de-gamma and gamma LUTs respectively.

  The hardware-backed look-up tables for encoding and decoding content with an arbitrary transfer function are exposed to userspace as properties attached to CRTC objects and are also documented in the color management section of the KMS interface. The GAMMA_LUT and DEGAMMA_LUT properties and their respective lengths allow us to set arbitrary transfer function approximations. The number of look-up table entries is hardware-dependent so it may not be appropriate to use them in all cases.

  Color space transformations are applied by using the CTM (colorspace transformation matrix) property defined in the color management interface. The CTM property lets userspace define a color transformation matrix to describe how to map from the source color space to the destination color space. When combined with a de-gamma LUT and gamma LUT, it can be used to efficiently decode, transform, and re-encode content for a particular color space.

  Finally, the aforementioned planes include composition properties that allow userspace to control how planes are blended together.

  However, these APIs have a few problems. The color management properties are attached to the CRTC, which is intended to abstract the display pipeline and is made up of planes. If the planes that make up the CRTC do not all have the same transfer function applied to them or use different color spaces, there is no way to express that each plane needs its own look-up table or color transformation matrix.

  While it used to be reasonably safe to assume all the planes were the same (e.g. sRGB), with HDR this is no longer the case. There are likely going to be HDR planes and SDR planes that need to be blended together, so there needs to be a way to express the color management properties - the content encoding - on a plane-by-plane basis. In addition to the content encoding of each plane, we need to be able to express how HDR and SDR content should be blended. In the case of PQ-encoded HDR content, it is expressed in absolute luminance up to 10,000 nits. Userspace needs to express how the SDR luminance range maps into the HDR luminance range so the SDR encoding can be converted into HDR encoding.

  Harry Wentland from AMD recently started a discussion on API changes for planes which looks to address these shortcomings.

  Summary

  All told, a good portion of the work necessary for basic HDR support is done or in progress. Some of the larger challenges are in the compositors as they need to line up client capabilities with hardware capabilities and make up any differences between the two.

  Applications that use OpenGL or Vulkan directly don’t need to concern themselves with GTK’s lack of HDR support. However, there are a non-trivial handful of applications that would benefit from GTK supporting HDR content, like Totem, Eye of GNOME (the image viewer), and content creation tools.

  Finally, there’s plenty of work on the kernel side to ensure userspace can make use of all the hardware available to it.

• Debian Community News Jaminy Prabaharan & Debian: the GSoC admin who failed GSoC
  

  In 2016, Jaminy Prabaharan appeared on Debian's list of GSoC students. She does not appear on the list of students who passed.

  Here is a quote from Jaminy on 7 September 2016:

  Failing and learning is the best experience ever

  She couldn't be more right.

  Since failing GSoC, virtually nothing has appeared in her Github account. Her Debian Salsa account is equally sparse. Yet Jaminy has been given extensive speaking opportunities funded by free software organizations:

  • DebConf 2016 (Heidelberg)
  • Linux Plumbers Conferance 2017 (USA)
  • Open Source Summit North America 2017
  • Linux Foundation, Open Source Summit Japan 2017
  • PyCon AU 2018
  • DebConf 2018 (Taiwan)
  • DebConf 2019 (Brazil)

  Moreover, in 2019, Chris Lamb appointed Jaminy as an administrator in Debian's GSoC program, alongside his ex-girlfriend Molly de Blanc and Pranav Jain. We looked at Pranav's lack of contributions to Debian in a previous blog. Jaminy has contributed even less, in fact, the contributors report doesn't even include her name.

  Below we copied the comments from the Google documentation about the role of an Administrator in GSoC. Is it possible for an intern who failed and made no other technical contributions to the organization to provide this level of leadership?

  Jaminy first met Chris Lamb and other Debian Developers at FOSSASIA in early 2016. Jaminy didn't subsequently meet her mentors at any other events. Why did Lamb appoint Jaminy as an administrator? Why did Debian continue to fund her travel for so long?

  For most interns, being selected for a travel grant is like winning a lottery. This young woman has won the lottery two or three times each year and she didn't even pass GSoC. The majority of developers and volunteers receive nothing.

  Senior developers have been backstabbed and subject to false accusations while the real culprits are people like Lamb running around with young interns.

  We feel this is another example of favoritism. People speculate about what is really happening here. Several inappropriate relationships have been documented. It is often undignifying for the woman who received these benefits.

  ---

  Chris Lamb bastardized the Debian keyring in September 2018. All disclosures of private and personal information are a consequence of Lamb's rudeness to volunteers.

  ---

  From the Google GSoC manual, the Role of an Organization Administrator:

  ...to Google

  • Frame org participation, org selection criteria, and org-specific operating procedures
  • Submit the org application and be the org’s representative
  • Serve as communication liaison with Google
    • Respond to any inquiries from Google within 36 hours
    • Report Participant Agreement violations (e.g., harassment, plagiarism, fraud)
    • Report student withdrawal
  • Ensure all deadlines are met (e.g., slot requests, mentor evaluations, org payment account creation)
  • Select and invite trusted, capable, and qualified mentors
  • Provide and maintain an adequate list of project and task ideas
  • Oversee activity of all mentors and students ensuring responsibilities are being met
  • Respond to Google's survey post GSoC (with questions around student retention, etc.)

  ...to your Mentors

  • Frame org participation, mentor requirements, failure process, and procedure
  • Communicate mentor expectations before the program starts
  • Communicate student selection, continued participation, and dismissal policy
    • Provide selection criteria for slot allocations
    • Describe how Participant Agreement violations and failure will be handled
  • Continuously evaluate mentor interaction with students
    • Recognize conflicts of interest, interpersonal issues, and replace as necessary
  • Let mentors know when more project ideas are needed
  • Maintain regular communication with mentors before and during the program
  • Ensure adequate and appropriate mentoring coverage, particularly near holidays

  ...to your Students

  • Let students know how, when, and why to contact the org admin
  • Ensure students are introduced and become appropriately integrated
  • Communicate org-specific requirements (e.g., time, coding, communication, licensing)
  • Communicate org-specific expectations (e.g., behavior, best practices, visibility)
  • Communicate deadlines, acceptance criteria, and failure/dismissal policy
  • Monitor communications and ensure inappropriate behavior is addressed
  • Ensure students at risk of failure or dismissal are notified in advance

• Josh Bressers Episode 277 – Privacy and activism with Chris Weiland

  Josh and Kurt talk to Chris Weiland from Restore the Fourth Minnesota. Restore The Fourth Minnesota is nonprofit dedicated to restoring the Fourth Amendment to the U.S. Constitution and ending unconstitutional mass government surveillance. Chris drops a ton of knowledge about how to be an effective tech activist, what his group is doing, and most importantly we get actionable advice!

  Show Notes

  • Restore the Fourth Minnesota
  • Restore the Fourth Minnesota on Twitter
  • Writ of assistance
  • Carpenter vs United States
  • How many US federal laws are there?
  • Restore the Fourth
  • Episode 114 – Review of “Click Here to Kill Everybody”
  • EFF EFA
  • ACLU affiliates
  • Glenn Greenwald TED talk
• Fabio Alessandro Locati Sensible datetime scale for Gonum Plot
  Few months ago I posted a library for sensible int scale for Gonum Plot. There is a similar package I’ve developed to handle timescales. The integer one, being based on a recursive function, works with any number scale. Differently, this one will only work well with a timescale between 2 days and a couple of years. Extending it is not hard since it’s enough to add additional case statements in the switch, but I’ve not found use-cases for different timeframes so far.

June 25, 2021

• Debian Community News Pranav Jain & Debian, DebConf, unfair rent boy rumors

  In our last blog, we looked at the Ubuntu/Canonical employee Lucas Kanashiro coming into Debian as a mentor and having a relationship with an intern. Out of fairness, we need to look at other relationships too.

  Back in 2016, Nicolas Dandrimont asked another mentor to mentor Dandrimont's girlfriend. This is the email he sent:

  Subject: Recusing myself from Outreachy applicant selection decisions, internships funding
  Date: Fri, 14 Oct 2016 12:37:46 +0200
  From: Nicolas Dandrimont <olasd@debian.org>
  To: leader@debian.org, outreach@debian.org
  CC: [mentors, redacted]

  Hey all,

  As of today, the person I'm involved with, Pauline Pommeret, is applying to an Outreachy internship in Debian (on the GPG cleanroom environment project - I don't see her mail on the list archive yet, so something must have gone wrong, but it should arrive soon enough).

  To avoid an obvious conflict of interest, I am recusing myself for any decisions regarding applicant selections for this round.

  ...

  I'll stay on the outreach@d.o alias for now, but let me know if you need help ranking applicants, and I'll ask DSA to remove me so you can discuss at ease.

  Cheers,
  --
  Nicolas Dandrimont

  Dandrimont appears to be saying that it is OK for a girlfriend to participate as long as the mentors and Debian Project Leader are informed.

  The Debian Project Leader never challenged this email. Or if he did challenge it, they did so in the back room and didn't tell the mentors that Dandrimont was wrong. Therefore, mentors assumed that the process used by Dandrimont could be followed next time too.

  It wasn't long before next time:

  Subject: Re: Interested in being admin for GSoC
  Date: Mon, 26 Mar 2018 22:09:09 +0200
  From: [redacted / volunteer]
  To: Molly de Blanc <deblanc@riseup.net>, Alexander Wirt <formorer@formorer.de>

  On 26/03/18 11:44, Pranav Jain wrote:
  > Hi Team,
  > I am Pranav Jain from India (irc : pjain). I have been in past GSoC
  > 2016 student with Debian. This year I have been helping a little bit
  > by answering questions of students on IRC/Mailing list, coordinating
  > with mentors/students etc.
  >
  > I am interested to be part of GSoC Admin Team with Debian. I am not
  > mentoring any project as of now but might co-mentor one project at
  > max.
  >
  > Could present admin team please let me know about its feasibility?
  >

  Here are my comments:

  ... snip ...

  - Pranav has also shown the highest level of integrity in everything, for instance, he is one of the students who told me about his other job offers (not everybody tells their mentor) and he also made me aware of a conflict of interest with his brother applying this round.

  There it is, all the admins knew that Pranav's brother Minkush Jain was applying to GSoC.

  Pranav's offer to become an administrator wasn't accepted immediately due to this issue. Nonetheless, it is not very different from the case with Nicolas Dandrimont and his girlfriend applying. The Dandrimont case had set a precedent. In fact, most of the women in Debian are somebody's girlfriend anyway.

  The same volunteer who alerted Molly de Blanc and Alexander Wirt went on to send more reminders like this:

  Subject: Re: [GSoC] topic
  Date: Tue, 27 Mar 2018 23:11:30 +0200
  From: [volunteer]
  To: Pranav Jain , [redacted / other mentors and admin]

  ...

  One applicant, Minkush Jain, is Pranav's brother. So we have to be cautious about Pranav's involvement in the selection process.

  ...

  Pranav replied:

  Ack. I am okay to be out of the final decision process (last 2-3 days). I can help with screening the students and reviewing proposals till then.

  Note that Pranav was already registered as a mentor but not as an administrator. As a mentor, he could log in to the Google portal and see the applications competing with his brother. He was firmly told not to do that:

  Even that is not a good idea. Even if you do it objectively and I'm sure you would try not to have any bias, some other students could be upset if they knew a candidate's brother was looking at them.

  The other mentors evaluated the 11 candidates without further input from Pranav. Three slots were available for different components of this project, three students were selected and one of them was Pranav's brother. This was entirely consistent with the precedent set by Nicolas Dandrimont.

  At this stage, Pranav's request to become an administrator should have been rejected. It would not be valid to accept his brother as an intern and then appoint Pranav as an administrator. It was discussed in an IRC meeting of the admins and mentors:

  <scapegoat> yes, but Pranav is not involved in the
    selection process because one candidate is his brother
  <scapegoat> that could be one reason we are waiting
     until the last minute to confirm the selections
  * Pranav nods.
  <mollydb> nice responsibile decision making :)
  <mollydb> thanks for being so consciencious
  

  Pranav was appointed as an administrator shortly after this meeting but the Debian Project Leader did not revise the delegation email naming the administrators until one year later, effectively making it harder for other candidates and observers to know about Pranav's role. These hidden conflicts of interest are very common in Debian, people see it as a game pretending to be open and transparent.

  Nonetheless, Google found out and got really mad. They wanted to expel both Pranav and Minkush but it looks like Chris Lamb and Molly de Blanc did a lot of backstabbing to make it look like somebody else was responsible. This is scapegoating. Molly de Blanc was no less guilty than anybody else in this affair. At the time, other mentors and Google were not informed that Chris Lamb and Molly de Blanc were in that relationship. Lamb used his position as DPL to defend his girlfriend in the eyes of Google.

  Nonetheless, there is another big question to answer: what does Pranav Jain actually do in Debian?

  He completed a Google Summer of Code internship in 2016. The contributors report doesn't show him doing anything else. He is not a Debian Developer and he did not make any packages. He has only used the mailing list and the wiki:

  

  Despite minimal contributions, Pranav has been invited back to almost every DebConf since 2016. He has been seen at other events in Europe and the US, including Open Source Bridge 2017.

  Just weeks after Minkush collected his payment from Google Summer of Code, Pranav stood up at Open Source Summit Europe to give a speech about GSoC. Google employees including Stephanie Taylor were apparently in the audience, humiliated by Debian.

  His trip to DebConf19 (Brazil) was fully funded despite the scandals involving his brother in 2018. How could Debian shower the money on this young man while excluding so many others?

  Many more experienced developers never receive a travel grant for DebConf. Why has this young man from a developing country become so popular, receiving his tickets just as easily as the young women from developing countries?

  It is unfair to all the other developers but it is unfair to Pranav as well. People are speculating that he is the DebConf rent boy. We do not want to speculate that these rumors are true. That is simply the type of rumor that arises when there is no logical explanation for the intense favoritism.

  In any other organization this rent boy rumor may sound far-fetched and it would not be worth repeating. Yet the Debian organization has seen a disproportionate emphasis on the demands of certain men. These men have argued that anybody who disagrees with their personal quest for power is guilty of violating the Code of Conduct. We saw exactly the same phenomena around DebConf going to Israel: anybody who expressed empathy for Palestinian children was wrongly accused of anti-semitism. In an environment with this scorched-earth policy on dissent and up to thirty percent LGBT presence at sleepover events, it would hardly be surprising to find the leaders using money to bring a rent-boy.

  On one of their many trips, Pranav and Minkush visited Switzerland looking for his former mentor. They have never actually met, the mentor wasn't there at the time.

  
• Josef Strzibny InvoicePrinter 2.2 with breakdowns of items

  A while ago, I released a new version of InvoicePrinter, my little library for generating PDF invoices. Here’s what’s new.

  InvoicePrinter 2.2.0 brings a new free-form breakdown field, which can break down individual items in the table. Look at how that looks like:

  

  Handy for any notes as well!

  Another new thing is the revamp of the totals table. It now aligns amounts to the right – so anybody can easily spot differences in the numbers:

  

  The final number is now in bold if a bold font-variant is present. The new support of bold fonts will allow us to make some other parts bold in the future, too (or let people choose).

  Finally, a new variable_symbol field was also added. This one was a long time overdue.

  The 2.2.0 release also fixes two small bugs. You can see the complete changelog by opening the release or browsing the closed milestone.

June 24, 2021

• Fedora fans نسخه نهایی توزیع Rocky Linux 8.4 منتشر شد
  

  

  اولین نسخه ی پایدار راکی لینوکس یعنی Rocky Linux 8.4 منتشر شد. Rocky Linux توزیعی از سیستم عامل گنو/لینوکس می باشد که بر پایه ی سورس کدهای Red Hat Enterprise Linux می باشد.

  Rocky Linux یکی از جایگزین های مناسب برای توزیع CentOS می باشد. از مهمترین تغییرات توزیع  Rocky Linux می توان به موارد زیر اشاره کرد:

  • Python 3.9
  • SWIG 4.0
  • Subversion 1.14
  • Redis 6
  • PostgreSQL 13
  • MariaDB 10.5

  توزیع Rocky Linux برای دو معماری x86_64 و ARM64 (aarch64)  در دسترس می باشد که جهت دانلود می توانید به وب سایت رسمی آن مراجعه کنید:

  https://rockylinux.org/download/

  جهت اطلاعات بیشتر در مورد توزیع  Rocky Linux 8.4  می توانید نکات انتشار آن را مطالعه کنید:

  https://docs.rockylinux.org/release_notes/8.4

   

   

  The post نسخه نهایی توزیع Rocky Linux 8.4 منتشر شد first appeared on طرفداران فدورا.

  

June 23, 2021

• Debian Community News Lucas Kanashiro & Debian/Canonical/Ubuntu female GSoC intern relationship

  Chris Lamb bastardized the Debian keyring in September 2018. All disclosures of private and personal information are a consequence of Lamb's rudeness to volunteers.

  At least once every week we are reminded about the false accusations against one of Debian's former administrators in the Google Summer of Code (GSoC). It is time to look at the facts.

  The allegations relate to the Debian GSoC 2018 program. The list of selected interns is here. There are three women on the list. All three women are from Kosova. All three women were invited to DebConf18 in Taiwan. They were all invited back again for DebConf19 in Brazil. They received cash from Google, training, significant travel and accommodation benefits, references and improvements to their career prospects.

  The administrator/mentor who was wrongly accused received an email on 13 June 2018 denying his request for travel funding to attend DebConf 18. He did not attend DebConf18. He did not attend DebConf19. As he was not there, it is impossible for him to be implicated in some of the allegations. The refusal to fund his travel appears unreasonable given the effort mentors put into GSoC every year.

  Let's look at the stories of the three women.

  Elena Gjevukaj was married during GSoC 2018. The wedding was shortly before her travel to Taiwan. It seems unlikely that she had a romantic interest in any of the mentors. Here is a wedding photo. It is incredibly cruel to this woman and her husband to suggest that she might have been party to any other relationship. We congratulate them on their marriage and wish them a happy future together.

  

  Diellza Shabani was selected for GSoC 2018 and immediately after her selection she was offered employment on even better terms from a German company with an office in Kosovo. They also gave her a Thinkpad. The Thinkpad is worth as much as the whole GSoC stipend. Google sends every intern a pre-paid credit card at the beginning of the internship. Google did not deliver the card to Diellza at the same time as other interns. She did not receive the initial $500 payment until 6 weeks after other Google interns. She tried to do GSoC and the other job at the same time. Who wouldn't? The DebConf bursary team awarded her a ticket to DebConf without any communication with the mentors about her progress. Therefore, the mentors hoped she would catch up at DebConf. In practice, the opposite happened: when three young female students arrived at a conference with 300 men, nobody cared about helping them with their projects. After the trip to Taiwan, this woman decided to resign from GSoC and focus on the long term job opportunity. We congratulate her on her success. While we don't like snooping on the love lives of interns, we want to be sure that no woman and no mentor is unfairly accused. Multiple people can confirm that this woman was in a relationship with a man in Kosovo throughout this period in 2018.

  Enkelena Haxhija is the woman who had a relationship with a mentor. There is no wrongdoing on the part of the woman. Enkelena is a formidable woman who did more work than most participants in these programs while also enjoying a relationship with a mentor. Enkelena does not need to influence any mentor to earn a pass in the GSoC program, she is that good. Enkelena has strong political interests too. Imagine if the roles were reversed, a male student having a relationship with a female mentor. In fact, French President Emmanuel Macron married one of his teachers from high school. She is 24 years older than him. We will not be surprised to see Enkelena Haxhija running for public office in Kosovo.

  This is Enkelena on stage promoting her country.

  

  To make it absolutely clear, in many ways we do not see this as the typical relationship between a woman and a mentor. The man would not be a mentor in her eyes: in many ways, this woman is simply superior to a lot of the men in Debian.

  The mentor concerned is Lucas Kanashiro, an employee of Canonical Ltd, the company making the Ubuntu operating system. Kanashiro was not a mentor for Enkelena's project, he was mentoring another project. Nonetheless, it was unacceptable for any mentor to have a romantic relationship with any student in any organization during the course of the program. Somebody leaked this in the diversity girls email but it has been confirmed by multiple independent sources.

  

  We did not choose to name the parties to this relationship to bring attention to this blog. Rather, we felt we had to publish these names for a combination of reasons:

  • To clear the names of all the other women and mentors who have been wrongly suspected over a period of three years now. Debian owes every one of these people an apology.
  • One of the mentors has been wrongly accused in posts on social media, the Debian Bug Tracking System, mailing lists and LWN.
  • The woman was the leader of the bid for Kosovo to host DebConf and the mentor's employer, Ubuntu is both one of the main DebConf sponsors and also one of the biggest derivatives of Debian. Therefore, there are concerns about the integrity of the bid process.
  • One of the administrators leading the mentor team was Molly de Blanc, girlfriend of the former Debian Project Leader, Chris Lamb (the Mollamby couple). It appears that people wanted a scapegoat so that Molly would not be linked to the scandals in Debian's GSoC and Outreachy programs.
  • The mentor who has been falsely accused had resigned at a time when he lost two family members. The childish vendettas coming out of the Debian cabal have been a gross violation of his family's privacy.

  Many interns are only offered one free trip after their internship. We notice that each of these women received two very expensive trips: DebConf18, Taiwan, in 2018, the year they did GSoC. DebConf19, Brazil, one year later. One of the women had not even completed GSoC, she had resigned to take a better job. Why would they invite an intern back again in that case? Google would not fund that. We suspect we know the reason for this: Debian wanted to create a smokescreen around the women having relationships. DebConf19 had six women from Albania and Kosovo. We have just confirmed one of the relationships. We have evidence of at least one more. Inviting all six women was a form of obfuscation and it is unfair to the women and mentors who did nothing wrong.

  
• Joe Brockmeier Link-o-Rama: The ugly underneath Amazon Prime, time to ditch Chrome, analyzing music and more…
  Using Chrome to buy on Amazon Prime? Maybe think twice. Want to automate your playlists? Try Bliss. Post examining what happens behind the scenes when buying from Amazon, and the anti-trust suit against Amazon accusing it of raising prices for consumers. Bliss music analyzer, an open source library to make audio playlists by evaluating distance … Continue reading Link-o-Rama: The ugly underneath Amazon Prime, time to ditch Chrome, analyzing music and more… →
• Fedora fans تولد ۱۰ سالگی وب سایت طرفداران فدورا
  

  بنويس بر ياس كبود
  بنويس بر باورِ رود
  بنويس، از من بنويس
  بنويس عاشق، يكی بود
  بنويس، بنويس، بنويس

  ده سال پش در چنین روزهایی وب سایت طرفداران فدورا متولد شد . این ده سال همواره شامل فراز و نشیب هایی بود که در این مسیر همیشه دوستانی در کنار ما بودند که از همینجا شخصا از همه ی آنها سپاسگزاری می کنم.

  The post تولد ۱۰ سالگی وب سایت طرفداران فدورا first appeared on طرفداران فدورا.

  
• Josef Strzibny CentOS 8 free alternatives

  CentOS 8 EOL is around the corner, so it’s time to evaluate and try the alternatives. I prepared a small table for everybody with the basic overview.

  List of free CentOS 8 alternatives:

  OS	Authors	Support	Commercial Support	Backing	Migration	Differences	ISOs	Container Images
  CentOS Stream	Red Hat	almost 5y for 8.x, then 5-6y	No	Red Hat	centos-stream-repos package	No	Download	Yes
  Rocky Linux	Gregory M. Kurtzer & community	10y (?)	No	AWS, Fastly, GitLab, Google (& more)	Script	No	Download	Yes
  AlmaLinux	CloudLinux OS	10y (2029)	by Tux Care	AWS, Chef, ARM, cPanel (& more)	Script	No	Download	No
  Oracle Linux	Oracle	10y (2029)	by Oracle	Oracle	Script	Option to choose RHEL or Oracle Linux kernel	Download	Yes
  RHEL	Red Hat	10y (2029)	by Red Hat	Red Hat	Convert2RHEL	More commercial software available	Download	Yes (UBI)

  Notes:

  • RHEL is free for commercial use for up to 15 virtual machines, but registration is required.
  • RHEL is the original, so it receives the security fixes the fastest (even before Stream).
  • CentOS Stream is the only one on the list that’s not RHEL clone, it’s actually upstream to RHEL and receives all features the first.
  • Red Hat and Oracle will most likely let you buy extended support beyond the standard 10 years lifecycle.
  • Differences in the table only reflects changes beyond trademarks and cosmetics

June 22, 2021

• Debian Community News Neil McGovern & Debian: GNOME and Mollygate

  Many people will hope Molly de Blanc's departure from GNOME Foundation is the end of the story. It is only the beginning.

  Here are the facts:

  de Blanc's old boss was the Executive Director of the FSF, John Sullivan. Sullivan is a Debian Developer, in other words, part of the Debian cabal.

  de Blanc's boyfriend was Chris Lamb, the Debian Project Leader (2017-2019). The relationship finished early 2019, de Blanc writing a blog about it. Coincidentally, this is when Lamb started meeting women in eastern Europe.

  Chris Lamb showed significant favoritism towards de Blanc. In his role of Debian Project Leader, he made her a non-developing Debian Developer and gave her a Debian Developer certificate to help her look for jobs. He gave her Debian's official support to become president of the Open Source Initiative (OSI).

  de Blanc's new boss was Neil McGovern at the GNOME Foundation. McGovern, like Lamb and Sullivan, is also a Debian cabal member.

  More significantly, McGovern and Lamb are both personal friends. They live in the Cambridge region of the UK. McGovern gave a job to his mate's girlfriend.

  In a situation like this everybody knows there is favoritism, especially the woman. This isn't about de Blanc, it is simply human nature. Any woman in this position may feel less obligation to work than a woman who got the job on merit. This is why competent managers go out of their way to avoid hiring girlfriends. McGovern does not appear to be a competent manager.

  The question was asked on the GNOME foundation-list in July 2019. It received meaningless replies and then it was purged from the archives. (another backup, archive.org)

  When we look at de Blanc's vendetta against her old boss, Dr Richard Stallman, it is easy to see that any employer would sack her for this. GNOME Foundation is not any employer. As the Github records show, her boss, Neil McGovern, was a partner in crime. Therefore, de Blanc has been treated unfairly. She may have a case for unfair dismissal. The Github records are presented below, McGovern and de Blanc did this together.

  It appears that these three men, John Sullivan (previous boss), Chris Lamb (boyfriend) and Neil McGovern all engaged in the attacks on Dr Stallman. It is plausible that they all communicated about moving her from the job at FSF to the GNOME Foundation. It is plausible that two of these men and maybe all three of them envisaged using her as a weapon against Dr Stallman.

  There is a pattern of doing exactly the same thing with other women. Laura Arjona was used as a weapon against Dr Norbert Preining. Erinn Clark was used against Jacob Appelbaum. German lawyer Miriam Ballhausen has been paid to send threats and insults to volunteers. Margarita Manterola threatened DebConf volunteers who wanted to bring their partners to DebConf. There are more examples that will be shared soon.

  As de Blanc has very poor employment prospects right now, the Debian Community News Team calls on Sullivan, Lamb and especially McGovern to explain the way they passed this woman around and used her as a tool for their vendettas.

  
• Debian Community News Molly de Blanc has been terminated, Magdalen Berns' knockout punch and the Wizard of Oz

  In the early hours of Monday morning, a Debian blogger released the video of former GNOME employee Magdalen Berns singing Zombie.

  Less than twenty-four hours later and we have the news that GNOME Foundation has sacked Molly de Blanc. Now there really is a Zombie. Berns once won a championship title in women's boxing. She packs a punch, even when she sings.

  

  Why should I care?

  In January 2019, while Debian Contributor Lucy Wayland was lying in the morgue, Molly de Blanc stood up at FOSDEM in Brussels to give a talk about shaming volunteers to make them obey her.

  Farewell video

  We found this video to help us remember de Blanc's mean behavior towards volunteers.

  Magdalen Berns shows Molly how to pack

  We recommend watching Magdalen sing.

  

  Molly's most memorable quotes

  From the film review Its a Free World:

June 21, 2021

• The NeuroFedora Blog Next Open NeuroFedora meeting: 21 June 1300 UTC
  

  Photo by William White on Unsplash.

  
  

  Please join us at the next regular Open NeuroFedora team meeting on Monday 21 June at 1300UTC in #fedora-neuro on IRC (Libera.chat). The meeting is a public meeting, and open for everyone to attend. You can join us over:

  • IRC
  • Matrix

  You can use this link to convert the meeting time to your local time. Or, you can also use this command in the terminal:

  $ date --date='TZ="UTC" 1300 today'
  

  The meeting will be chaired by @ankursinha. The agenda for the meeting is:

  • New introductions and roll call.
  • Tasks from last week's meeting.
  • Open Pagure tickets.
  • Package health check.
  • Open package reviews check.
  • CompNeuro lab compose status check for Fedora 35.
  • Neuroscience query of the week
  • Next meeting day, and chair.
  • Open floor.

  We hope to see you there!

• Josh Bressers Episode 276 – Security, behavior, and the environment

  Josh and Kurt talk about how our environment affects our behavior, and in turn our level of security. We often ignore what’s happening around us when everything is related.

  Show Notes

  • Judges more lenient after a break
  • Dungeons and Data
  • Poverty changes your DNA

June 20, 2021

• Daniel Pocock Fete de la Musique and why I don’t use Google

  Today is Fete de la Musique in the French-speaking world.

  It feels like the perfect time to release the video of former GNOME employee Magdalen Berns singing Zombie. I recorded this at the Google Mentor Summit in 2014. Magdalen is no longer with us, she died of cancer in 2019.

  If Magdalen was alive today, would she recognize the GNOME organization? People are gradually coming to realize that the recent attacks on Dr Richard Stallman crossed far too many red lines. Working for a non-profit organization is a privilege and when certain GNOME employees attacked a volunteer, Dr Stallman, they undermined the principle of volunteering everywhere.

  We already see people who signed the petition in the heat of the moment are asking to remove their names. The choice of the song's title is subject to debate. Are zombies the people trying to stamp out independent thought from leaders like Dr Stallman? Or are they the volunteers silenced by mindless groupthink?

  Playback issues? Download IPFS Companion

  In fact, Magdalen wasn't the only candidate to sing at the summit. Carla had contemplated it but it was Magdalen's moment and in hindsight, I'm really glad she did it and that we can see it again today. This is Carla performing Zombie:

  Playback issues? Download IPFS Companion

  Why I don't use services from Google

  Despite over twenty years contributing to Debian and GNU/Linux, one of the Google women told me that Carla is not welcome to eat with the rest of us at DebConf. Here are her words:

  Subject: Regarding your DebConf15 attendance
  Date: Thu, 23 Jul 2015 23:10:55 +0200
  From: Margarita Manterola (Google, Inc)
  CC: DebConf15 Registration team, chairs@debconf.org, bursaries@debconf.org

  Hi Daniel,

  We discussed today a certain arrangement regarding your registration (changing food+accom to food for you and Carla), that I was not actually entitled to make. This arrangement is not valid, I was forced by your insistence into agreeing to something that I wouldn't otherwise have agreed.

  This is the mock outrage of somebody who is not really a victim. The Google woman provides no evidence of insistence, the only pushy behaviour we see is in her own communications to volunteers. We can see her demanding behavior through the rest of her email.

  What Google is really trying to do is make volunteers feel bad about bringing our partners. She took a perfectly normal question about food and she turns it around to attack the person asking the question. The Google woman banned Carla from eating and she's trying to make me feel like it is my fault.

  Many women suffer from eating disorders or had life-changing experiences with these disorders in their adolescence. I didn't write this voluntarily. Google employees have made Carla and I incredibly uncomfortable by spreading suggestions of abuse. Yet the only abuse here is coming from the Google woman. Eating disorders are the most deadly of all forms of mental illness. Making somebody who may have suffered with a disease like that feel uncomfortable or unwelcome at meals is the worst thing you can possibly do. The rude Google woman is doing exactly that.

  This insulting email from a Google employee was really the last straw. I don't use Google services and I will go out of my way to help other people stop using them too.

  The DebConf food and accommodation sponsorship is meant to help Debian contributors participate in the conference. It was granted to you, on the basis of your Debian contributions and it's not transferable, nor is it a sponsorship in cash that you can collect, it's meant to be used for your stay at DebConf and nothing else.

  The Google woman met her husband through Debian and then she became a Debian Developer. They always have a room together at DebConf. They make these rules for the rest of us.

  Every year some volunteers ask if they can use the money awarded for shared accommodation as a subsidy for a respectable hotel room off-site. Google always gets mad about these requests.

  Last year, you signed up for the conference but didn't attend, cancelling on the last minute, when you had already been assigned a roommate.

  If a member of the family is in hospital, volunteers are under no obligation to travel and attend a conference doing free work for Google. We are not their slaves.

  Volunteers do the same work or more than Google employees. Why do they insist that we have roommates? This is another gimmick to prevent people bringing their partner or spouse. Google wants people to be working all the time we are at DebConf.

  This year, you have failed on several occasions to update your dates, even though we asked you explicitely to do so. We understand that you have a busy schedule, but so do we. You were supposed to have entered your actual dates by June 30th, it's July 23rd and you still have the whole period from 9th to 23rd.

  Given that the conference is so imminent, it was equally urgent for me to find out if Carla would feel welcome or not. The Google rudeness made it clear that my hesitation in booking the trip was well justified.

  This is a total lack of respect to your fellow Debian/DebConf volunteers that are working hard towards making the conference possible, plus a waste of Debian's money as if we don't set the correct dates for your stay by tomorrow, we will have to pay for it even if you are not attending.

  At the last DebConf before the pandemic, Debian/Google found $10,000 to bring women from eastern Europe to an event in Brazil, it is the diversity expense line in the budget.

  If Debian/Google really wanted to be efficient with funds then they would use the same $10,000 to organize an educational event for 100 women and students in their country of origin.

  I'm not entitled to make any decisions here, but I'm raising the issue to both the DebConf chairs and the DebConf Bursaries team, so that everyone is aware of what's going on.

  Nasty. This is the extremism that Google is imposing in free software events today. They pretend we are all volunteers but then they barge in and start making all these rules and orders.

  This is the photo that everybody is talking about from DebConf19 in Brazil, where four of the women from eastern Europe are sitting at the table with the former Debian leader, Chris Lamb. It is the conference dinner. Accounting records show $10,000 was spent on these diversity grants.

  

  In Albania, Lamb dined in the restaurant owned by the woman's parents on at least two occasions. Shortly after DebConf, she was given an Outreachy internship. Another $6,000.

  The women were expecting to meet students from other countries too. They were surprised that these free tickets had been invented just for them when it was so hard for everybody else to qualify. That is the creepy feeling you get when you wonder if you are in the hands of people trafficking.

  Women are particularly conscious of the impact of favoritism on their careers. Outreachy internships were meant to give women hope but the pictures published by Debian suggest nothing is going to change any time soon. These are the words of Sage Sharp in written instructions telling Debian the woman sitting next to the former leader was not eligible:

  From: Sage Sharp

  [... snip ...] While you may not have intended it this way, this sounds like favoritism, ...

  [... snip ...] Again, this sounds a bit like favoritism of a person who is already active in open source.

  [... snip ...] Again, this may be how your experience with GSoC works, but the goal of Outreachy is to try and get people who aren't currently open source contributors (or who are not as active contributors) to be accepted as Outreachy interns. That's why we have the rule that past GSoC or Outreachy applicants are ineligible to apply.

  There are more women like Magdalen out there who are passed over every day.

  Why was Debian using so much Google money to impress these women but they couldn't even pay for a meal for Carla?

  

June 19, 2021

• Joe Brockmeier “Authenticity” is a trap
  The idea of "authenticity" and "selling out" when applied to artists, musicians, and other folks is largely bullshit. Worse, it's a trap. Let me back up a sec. The other day I was on the Twitters and noticed an exchange about how some artist wasn't "authentic" anymore because they licensed their music for a commercial … Continue reading “Authenticity” is a trap →
• William Brown Getting started with Yew

  Getting started with Yew

  Yew is a really nice framework for writing single-page-applications in Rust, that is then compiled to wasm for running in the browser. For me it has helped make web development much more accessible to me, but getting started with it isn’t always straight forward.

  This is the bare-minimum to get a “hello world� in your browser - from there you can build on that foundation to make many more interesting applications.

  Dependencies

  MacOS

  • Ensure that you have rust, which you can setup with RustUp.
  • Ensure that you have brew, which you can install from the Homebrew Project. This is used to install other tools.
  • Install wasm-pack. wasm-pack is what drives the rust to wasm build process.

  cargo install wasm-pack
  

  • Install npm and rollup. npm is needed to install rollup, and rollup is what takes our wasm and javacript and bundles them together for our browser.

  brew install npm
  npm install --global rollup
  

  • Install miniserve for hosting our website locally during development.

  brew install miniserve
  

  A new project

  We can now create a new rust project. Note we use –lib to indicate that it’s a library, not an executable.

  cargo new --lib yewdemo
  

  To start with we’ll need some boilerplate and helpers to get ourselves started.

  index.html - our default page that will load our wasm to run. This is our “entrypoint� into the site that starts everything else off. In this case it loads our bundled javascript.

  <!DOCTYPE html>
  <html>
    <head>
      <meta charset="utf-8">
      <title>PROJECTNAME</title>
      <script src="/pkg/bundle.js" defer></script>
    </head>
    <body>
    </body>
  </html>
  

  main.js - this is our javascript entrypoint that we’ll be using. Remember to change PROJECTNAME to your crate name (ie yewdemo). This will be combined with our wasm to create the bundle.js file.

  import init, { run_app } from './pkg/PROJECTNAME.js';
  async function main() {
     await init('/pkg/PROJECTNAME_bg.wasm');
     run_app();
    }
  main()
  

  Cargo.toml - we need to extend Cargo.toml with some dependencies and settings that allows wasm to build and our framework dependencies.

  [lib]
  crate-type = ["cdylib"]
  
  [dependencies]
  wasm-bindgen = "^0.2"
  yew = "0.18"
  

  build_wasm.sh - create this file to help us build our project. Remember to call chmod +x build_wasm.sh so that you can execute it later.

  #!/bin/sh
  wasm-pack build --target web && \
      rollup ./main.js --format iife --file ./pkg/bundle.js
  

  src/lib.rs - this is a template of a minimal start point for yew. This has all the stubs in place for a minimal “hello world� website.

  use wasm_bindgen::prelude::*;
  use yew::prelude::*;
  use yew::services::ConsoleService;
  
  pub struct App {
      link: ComponentLink<Self>,
  }
  
  impl Component for App {
      type Message = App;
      type Properties = ();
  
      // This is called when our App is initially created.
      fn create(_: Self::Properties, link: ComponentLink<Self>) -> Self {
          App {
              link,
          }
      }
  
      fn change(&mut self, _: Self::Properties) -> ShouldRender {
          false
      }
  
      // Called during event callbacks initiated by events (user or browser)
      fn update(&mut self, msg: Self::Message) -> ShouldRender {
          false
      }
  
      // Render our content to the page, emitting Html that will be loaded into our
      // index.html's <body>
      fn view(&self) -> Html {
          ConsoleService::log("Hello World!");
          html! {
              <div>
                  <h2>{ "Hello World" }</h2>
              </div>
          }
      }
  }
  
  // This is the entry point that main.js calls into.
  #[wasm_bindgen]
  pub fn run_app() -> Result<(), JsValue> {
      yew::start_app::<App>();
      Ok(())
  }
  

  Building your Hello World

  Now you can build your project with:

  ./build_wasm.sh
  

  And if you want to see it on your machine in your browser:

  miniserve -v --index index.html .
  

  Navigate to http://127.0.0.1:8080 to see your Hello World!

  Further Resources

  • yew guide
  • yew api documentation
  • yew example projects
  • wasm-bindgen book

  Troubleshooting

  I made all the following mistakes while writing this blog 😅

  build_wasm.sh - permission denied

  ./build_wasm.sh
  zsh: permission denied: ./build_wasm.sh
  

  You need to run “chmod +x build_wasm.sh� so that you can execute this. Permission denied means that the executable bits are missing from the file.

  building - ‘Could not resolve’

  ./main.js → ./pkg/bundle.js...
  [!] Error: Could not resolve './pkg/PROJECTNAME.js' from main.js
  Error: Could not resolve './pkg/PROJECTNAME.js' from main.js
  

  This error means you need to edit main.js so that PROJECTNAME matches your crate name.

  Blank Page in Browser

  When you first load your page it may be blank. You can check if a file is missing or incorrectly named by right clicking the page, select ‘inspect’, and in the inspector go to the ‘network’ tab.

  From there refresh your page, and see if any files 404. If they do you may need to rename them or there is an error in yoru main.js. A common one is:

  PROJECTNAME.wasm: 404
  

  This is because in main.js you may have changed the await init line, and removed the suffix _bg.

  # Incorrect
  await init('/pkg/PROJECTNAME.wasm');
  # Correct
  await init('/pkg/PROJECTNAME_bg.wasm');
  

June 17, 2021

• Peter Czanik Opensearch and syslog-ng

  Opensearch is a fork of the Elastic stack code base, made right before the license change. The first release candidate (RC1) has been released recently. Next to plain text files, Elasticsearch is one of the most popular destinations in syslog-ng, but after the license change people started to look for alternatives. I did some quick tests and using the elasticsearch-http() destination, syslog-ng seems to work fine with Opensearch as well.

  Opensearch is not yet production ready. It is still in testing phase. However, if the licensing changes of Elastic makes you search for alternatives, switching to Opensearch might be the easiest. RC1 is already in a good enough shape to start testing it, so you can switch easier once it is ready for production.

  You can learn from this blog how to get started with Opensearch, dashboards and syslog-ng. Another alternative that syslog-ng users explored is Grafana Loki.

  Disclaimer: covering a given technology or brand on the syslog-ng blog is not an endorsement. The syslog-ng blog covers new syslog-ng features, new trends in log management or questions, problems coming up in the syslog-ng community.

  Before you begin

  There are no RPM or DEB packages of Opensearch available yet. You can either download binaries as compressed TAR archives, or use Docker. The use of Docker compose can greatly simplify testing, as it sets up a ready-to-use, local, two-node cluster together with Dashboards (the name of the Kibana fork) in just a few minutes.

  I did my tests on openSUSE and Docker, but any operating system with a recent enough Docker version and docker-compose should work. Not tested, but a recent-enough podman and podman-compose should work as well.

  On the syslog-ng side, anything after syslog-ng 3.21 should work, but a more recent version is recommended. If your OS features an earlier version of syslog-ng, check https://www.syslog-ng.com/products/open-source-log-management/3rd-party-binaries.aspx if up-to-date syslog-ng is available from 3^rd-party repositories. You need http() support enabled. On FreeBSD, it is enabled by default. On Fedora/RHEL you also need the syslog-ng-http sub-package, on openSUSE syslog-ng-curl.

  Installing the Opensearch stack

  Getting started with Opensearch is really easy when using the docker-compose method. Download docker-compose.yml from the Opensearch website to an empty directory. From this point, it is a single command:

  docker-compose up

  In a few minutes, you can already point your browser at port 5601 of the host where you installed the Opensearch stack. Your first surprise comes when you try to reach the page: it is password protected. The default user/password pair is admin/admin, which you should change unless everything is running on your laptop behind a firewall.

  Look around. The interface will look familiar, still a bit strange. It is a lot cleaner than the regular Kibana web interface and thus easier to find anything that you need.

  Configuring syslog-ng

  The next surprise comes when you try to send logs to Opensearch using syslog-ng. When you try the following destination, sending logs to Opensearch will fail:

  destination d_opensearch {
      elasticsearch-http(
          index("syslog-ng")
          url("https://localhost:9200/_bulk")
          type("")
  };

  Why? It works with out-of-the-box Elasticsearch, which has no security enabled. Opensearch comes with security enabled, outof-the-box. The port is TLS-encrypted and requires a valid user and password. For a test, you can use the default admin/admin, but of course it is not recommended for production use.

  The TLS part is a bit tricky. You have to extract root-ca.pem from the Opensearch container and make it available under the /etc/syslog-ng/ directory structure. I created a new sub-directory called “tls”, changed to it, and then used the “docker cp” command to extract the file from the running container. The container ID will be different on your system, use “docker ps” to figure it out. Then:

  docker cp 72b9b293941f:/usr/share/opensearch/config/root-ca.pem .

  This command extracts root-ca.pem from the Opensearch container and copies it into the current directory. You do not need this step when you use your own PKI in a production environment. But here we use the demo keys provided in the container image.

  You can now enable password and TLS support in syslog-ng. The following config snippet sends all local log messages to Opensearch on an openSUSE host:

  destination d_opensearch {
      elasticsearch-http(
          index("syslog-ng")
          url("https://localhost:9200/_bulk")
          type("")
          user("admin")
          password("admin")
          ca-file("/etc/syslog-ng/tls/root-ca.pem")
      );
  };
  log {
    source(src);
    destination(d_opensearch);
  };

  You might need to use a different source name on your system.

  Testing

  Once you reloaded syslog-ng and the configuration took effect, you should be able to see incoming log messages in Opensearch. First you need to go to “Stack Management” and configure an index pattern. “syslog-ng” should already be available there. Then you can go to “Discover” and view the incoming log messages.

  What is next?

  From this blog, you could learn how to quickly set up a set environment for Opensearch and syslog-ng. Now comes the hard part: reading the documentation, learning how to configure individual components, rolling out your own PKI, and more. Those topics are well beyond the scope of a syslog-ng blog.

  -

  If you have questions or comments related to syslog-ng, do not hesitate to contact us. You can reach us by email or even chat with us. For a list of possibilities, check our GitHub page under the “Community” section at https://github.com/syslog-ng/syslog-ng. On Twitter, I am available as @Pczanik.

June 16, 2021

• Tomasz Torcz PSA: kernel 5.12.11 is safe for bcache, again

  With the release of Linux kernel 5.12.11, bcache is safe to use, again. The patch bcache: avoid oversized read request in cache missing code path has been merged.

  Due to changes in 5.12 kernels, bcache was prone to cause a BUG_ON() when submitting large I/O requests. The result was a kernel panic or a system freeze. Problem was reported in couple of places: Fedora bug#1965809, bcache mailing list #1, bcache mailing list #2.

• Josef Strzibny Removing assets dependencies from Rails applications for runtime

  Rails provides a smooth assets:precompile task to prepare application assets but keeps all required gems for assets generation as a standard part of the generated Gemfile. Let’s see if we can avoid these dependencies for runtime.

  A new Rails application comes with various gems concerning assets compilation and minification:

  $ cat Gemfile
  ...
  # Use SCSS for stylesheets
  gem 'sass-rails', '>= 6'
  # Transpile app-like JavaScript. Read more: https://github.com/rails/webpacker
  gem 'webpacker', '~> 5.0'
  

  We might see other gems in older versions of Rails, like uglifier or coffee-rails.

  It makes sense since the Rails’s assets:precompile tasks is usually run within the PRODUCTION environment, where the CSS concerns are defined:

  $ cat config/environment/production.rb
  ...
    # Compress CSS using a preprocessor.
    # config.assets.css_compressor = :sass
  
    # Do not fallback to assets pipeline if a precompiled asset is missed.
    config.assets.compile = false
  

  Applications without Webpacker might configure a JavaScript processor for the Asset Pipeline:

    # example of older applications
    config.assets.css_compressor = :sass
    config.assets.js_compressor = :uglifier
  

  All of this works but includes extra gems and might have implications about system dependencies. For example, both webpacker and uglifier would need a JavaScript runtime like Node.js for running assets:precompile and possibly for starting the Rails server (Webpacker shouldn’t complain, but uglifier/execjs would).

  But what if we want to handle assets outside the Rails application’s deployment, thus removing these dependencies? What if we’re going to build an optimized Docker container using the multi-stage build and not provide Node.js in the final image?

  Well, we can do something we already do with development and test dependencies – omit these gems for production. We can move them into a new assets group in the Gemfile:

  gem 'webpacker', '~> 5.0'
  
  group :assets do
    gem 'sass-rails', '>= 6'
    ...
  end
  
  # or
  group :assets do
    gem 'sass-rails', '>= 6'
    gem 'uglifier'
    ...
  end
  

  We could be ommiting Webpacker for production only if we don’t depend on javascript_pack_tag and other related helpers. But Webpacker doesn’t break if Node.js is not found, so it’s not an issue.

  Then we can rely on Bundler configuration to set the right groups for the task at hand:

  $ export RAILS_ENV=production
  $ bundle config set --local without development:test
  $ rails assets:precompile
  $ bundle config set --local without development:test:assets
  $ rails s
  

  Setting the without option won’t load these assets gems but will fail whenever you try to use them in the configuration directly. This shouldn’t be an issue for a brand new Rails 6.1 application with Webpacker, but if your js_compressor is set to :uglifier, then omitting the gem ends up not starting the Rails server:

  /home/rails-user/.rubies/ruby-2.6.5/lib/ruby/gems/2.6.0/gems/execjs-2.8.1/lib/execjs/runtimes.rb:58:in `autodetect': Could not find a JavaScript runtime. See https://github.com/rails/execjs for a list of available runtimes. (ExecJS::RuntimeUnavailable)
  

  That happens because uglifier relies on execjs which tries to autodetect a JavaScript processor. With a RubyGems’ Gem.loaded_specs, we can check if we are loading a specific gem and not set these configuration options:

  ...
    if Gem.loaded_specs.has_key?('uglifier')
      config.assets.js_compressor = :uglifier
    end
  ...
  

  Now the uglifier is used only if we are loading it – and we only load it while running assets:precompile.

  With the assets group and possibly updating the production.rb configuration, we could omit certain gems while running the Rails application server and leave out Node.js from the production server or a final container image.

June 15, 2021

• Javier Martinez Canillas The curious case of the ghostly modalias

  I was finishing my morning coffee at the Fedora ARM mystery department when a user report came into my attention: the tpm_tis_spi driver was not working on a board that had a TPM device connected through SPI.

  There was no /dev/tpm0 character device present in the system, even when the driver was built as a module and the Device Tree (DT) passed to the kernel had a node with a "infineon,slb9670" compatible string.

  Peter Robinson chimed in and mentioned that he had briefly looked at this case before. The problem, he explained, is that the module isn’t auto-loaded but that manually loading it make things to work.

  At the beginning he thought that this was just a common issue of a driver not having module alias information. This would lead to kmod not knowing that the module has to be loaded, when the kernel reported a MODALIAS uevent as a consequence of the SPI device being registered.

  But when checking the module to confirm that theory, he found that there were alias entries:

  $ modinfo drivers/char/tpm/tpm_tis_spi.ko | grep alias
  alias:          of:N*T*Cgoogle,cr50C*
  alias:          of:N*T*Cgoogle,cr50
  alias:          of:N*T*Ctcg,tpm_tis-spiC*
  alias:          of:N*T*Ctcg,tpm_tis-spi
  alias:          of:N*T*Cinfineon,slb9670C*
  alias:          of:N*T*Cinfineon,slb9670
  alias:          of:N*T*Cst,st33htpm-spiC*
  alias:          of:N*T*Cst,st33htpm-spi
  alias:          spi:cr50
  alias:          spi:tpm_tis_spi
  alias:          acpi*:SMO0768:*
  

  Since the board uses DT to describe the hardware topology, the TPM device should had been registered by the Open Firmware (OF) subsystem. And should cause the kernel to report a "MODALIAS=of:NspiTCinfineon,slb9670", which should had matched the "of:N*T*Cinfineon,slb9670" module alias entry.

  But when digging more on this issue, things started to get more strange. Looking at the uevent sysfs entry for this SPI device, he found that the kernel was not reporting an OF modalias but instead a legacy SPI modalias: "MODALIAS=spi:slb9670".

  But how come? a user asked, the device is registered using DT, not platform code! Where is this modalias coming from? Is this legacy SPI device a ghost?

  Peter said that he didn’t believe in paranormal events and that there should be a reasonable explanation. So armed with grep, he wanted to get to the bottom of this but got preempted by more urgent things to do.

  Coincidentally, I had chased down that same ghost before many moons ago. And it’s indeed not a spirit from the board files dimension but only an incorrect behavior in the uevent logic of the SPI subsystem.

  The reason is that the SPI uevent handler always reports a MODALIAS of the form "spi:foobar" even for devices that are registered through DT. This leads to the situation described above and it’s better explained by looking at the SPI subsystem code:

  static int spi_uevent(struct device *dev, struct kobj_uevent_env *env)
  {
  	const struct spi_device		*spi = to_spi_device(dev);
  	int rc;
  
  	rc = acpi_device_uevent_modalias(dev, env);
  	if (rc != -ENODEV)
  		return rc;
  
  	return add_uevent_var(env, "MODALIAS=%s%s", SPI_MODULE_PREFIX, spi->modalias);
  }
  

  Conversely, this is what the platform subsystem uevent handler does (which properly reports OF module aliases):

  static int platform_uevent(struct device *dev, struct kobj_uevent_env *env)
  {
  	struct platform_device	*pdev = to_platform_device(dev);
  	int rc;
  
  	/* Some devices have extra OF data and an OF-style MODALIAS */
  	rc = of_device_uevent_modalias(dev, env);
  	if (rc != -ENODEV)
  		return rc;
  
  	rc = acpi_device_uevent_modalias(dev, env);
  	if (rc != -ENODEV)
  		return rc;
  
  	add_uevent_var(env, "MODALIAS=%s%s", PLATFORM_MODULE_PREFIX,
  			pdev->name);
  	return 0;
  }
  

  Fixing the SPI core would be trivial, but the problem is that there are just too many drivers and Device Trees descriptions that are relying on the current behavior.

  It should be possible to change the core, but first all these drivers and DTs have to be fixed. For example, the I2C subsystem had the same issue but has already been resolved.

  A workaround then in the meantime could be to add to the legacy SPI device ID table all the entries that are found in the OF device ID table. That way, a platform using for example a DT node with compatible "infineon,slb9670" will match against an alias "spi:slb9670", that will be present in the module.

  And that’s exactly what the proposed fix for the tpm_tis_spi driver does.

  $ modinfo drivers/char/tpm/tpm_tis_spi.ko | grep alias
  alias:          of:N*T*Cgoogle,cr50C*
  alias:          of:N*T*Cgoogle,cr50
  alias:          of:N*T*Ctcg,tpm_tis-spiC*
  alias:          of:N*T*Ctcg,tpm_tis-spi
  alias:          of:N*T*Cinfineon,slb9670C*
  alias:          of:N*T*Cinfineon,slb9670
  alias:          of:N*T*Cst,st33htpm-spiC*
  alias:          of:N*T*Cst,st33htpm-spi
  alias:          spi:cr50
  alias:          spi:tpm_tis_spi
  alias:          spi:slb9670
  alias:          spi:st33htpm-spi
  alias:          acpi*:SMO0768:*
  

  Until the next mystery!

• Robbi Nespu openSUSE Virtual Conf. 21 t-shirt (FREE!)

  I just checked my email and I got email from ddemaio <ddemaio@suse.de> that said welcome to this year’s openSUSE Conference. S/he give me token access and said that I can claim free t-shirt. Nice!