Fedora is a Trademark of Red Hat, Inc, an operating system built by volunteers around the world. This page is provided so that independent volunteers can showcase our contributions to Fedora and Free Software in general. Official Fedora Download page.

RSS Atom

We Make Fedora

May 27, 2023

• Daniel Pocock JSON CEE structured logging for WebRTC, SIP and XMPP

  I've recently added JSON CEE structured logging to reSIProcate and submitted pull requests for identical functionality in some related projects.

  The use case for structured logging is quite compelling in the RTC world, which includes WebRTC, SIP and XMPP software. In the early days, we would do everything with a single process like Asterisk and we would only have to deal with a single log file. Today, especially with WebRTC, we often have multiple processes involved in a single phone call or video meeting. When something goes wrong, we need to be able to look at the logs from all of these processes. Structured logging provides a convenient way to combine and analyze the log files.

  For structured logging to be useful in a distributed system, every process needs to use the same structure. The syntax of the logs and the semantics of individual values from different processes need to be identical.

  JSON CEE is a specific standard for structured logging. It solves this problem. The JSON CEE standard was never fully completed. Nonetheless, it has been documented widely and it appears to be more than good enough for the ecosystem of free, open source RTC applications. Using JSON CEE is far better than every individual SIP and XMPP project reinventing the wheel with their own JSON schema.

  Free-form text-based logs can become particularly awkward in the RTC world. For example, we often log multi-line SIP or SDP message bodies as they undergo various transformations in the stack. Text-based log files have no standard way to cope with multi-line log messages. JSON solves this problem.

  With free-form log entries, tools have to be adapted to look for certain patterns. Structured logging may eliminate the need for any customization in log analysis tools.

  The latest JSON CEE standard 1.0-beta1 is documented here.

  Here is an example of a JSON CEE structured log message. Notice it includes a multi-line message body.

  {
      "hostname": "host1.example.org",
      "pri": "DEBUG",
      "syslog": {
          "level": 7
      },
      "time": "2023-05-26T23:59:42.616853697Z",
      "pname": "testSdp",
      "subsys": "RESIP",
      "proc": {
          "id": "4003132",
          "tid": 70366700277776
      },
      "file": {
          "name": "rutil/ParseBuffer.cxx",
          "line": 986
      },
      "native": {
          "function": "fail"
      },
      "msg": "resip/stack/SdpContents.cxx:1648, Parse failed Too many connection addresses in context: Contents\nv=0\no=Evil 3559 3228 IN IP4 192.168.2.122\ns=SIP Call\nt=0 0\nm=audio 17124 RTP/AVP 18\nc=IN IP4 192.168.2.122/127/2000000000[CRLF]\n                                     ^[CRLF]\na=rtpmap:18 G729/8000\n"
  }
  

  Adding custom fields to JSON log messages

  Applications can add extra fields to the JSON message if they really want to. For example, a SIP application could add the dialog ID to all log entries that relate to a specific dialog. A TURN server, rtpproxy or signalling server such as a SIP proxy could add UDP port numbers in a special field of their log messages. These values would allow reporting tools to quickly filter all log messages from different applications that relate to a specific session.

  Progress adding JSON CEE support to popular RTC applications

  reSIProcate	Done: when calling Log::initialize, add Log::JSON_CEE
  Kamailio	Done: see pull request 2826 and 2848
  OpenSIPS	Done: Syslog config and the stderr config
  Gstreamer	Pull request submitted #847, please follow-up with Gstreamer developers
  Kurento	Pull request submitted #1, please follow-up with Kurento developers
  Asterisk	Bug report submitted, see ASTERISK-29517

  Best practices for implementing JSON CEE support

  Applications can output JSON CEE log messages as strings.

  To maximize performance and minimize the risk of bugs, it is a good idea to avoid using a JSON library and simply write the JSON CEE log messages using basic string manipulation techniques. For example, in reSIProcate, we write JSON log entries as strings using the C++ stream operator (the code is here). In regular C, such as Gstreamer, the printf function can be used to write JSON log strings.

  When using the Syslog API functions, the JSON strings need to be prefixed with the string @cee: like this:

  #include 
  
  syslog(LOG_CRIT, "@cee: { \"msg\" : \"feed me\" }");
  

  That's all there is too it. Many application developers can simply copy-and-paste from the pull requests mentioned above.

  Adding JSON CEE support to dependency libraries and pre-compiled binaries

  In some cases, dependency libraries are calling the syslog API and sending log messages directly to syslog.

  If the library provides logging callbacks, they may be able to override the syslog calls.

  If not, the LD_PRELOAD mechanism can be used to intercept calls to the Syslog API. This is a bit of a hack and may not be able to fill all the fields in the JSON CEE schema.

  There is an example in my logredir code.

  Build it and they will come

  A standard like JSON CEE, even if it was never finished, helps to unify the developers who write the log messages and the developers who create tools to interpret them.

  At the most basic level, the log messages from all applications have the same syntax and field names.

  More significantly, the standard unifies the semantics of the values in log messages. For exmaple, severity values from one application should be comparable to severity values from another application. This should make life a lot easier for everybody in both development and support teams.

  Reporting on JSON CEE data

  ElasticSearch/Kibana and the equivalent OpenSearch Dashboard stacks provide a convenient way to store and analyze JSON data sets such as CEE.

  There are already many online examples for integrating rsyslog with ElasicSearch or OpenSearch. I was able to make this work by cutting-and-pasting from the examples.

  The fact that many people already wrote documents and blogs about doing this with JSON CEE is another good reason for RTC applications to use the CEE schema.

  Here are some screenshots:

  

May 26, 2023

• Adam Young Opening the perf file descriptor

  A couple months back I recorded this line on my blog as part of investigating perf:

  perf record --branch-filter any,save_type,u true 

  What is the interface between the perf binary and the linux Kernel when I run this? There is a system call to open a file handle. The man page says this:

  int syscall(SYS_perf_event_open, struct perf_event_attr *attr,
                      pid_t pid, int cpu, int group_fd, 
                      unsigned long flags);

  
  But how does that get called by the perf binary…the answer is trickier than I originally thought.

  When debugging system calls, the primary tool I use is strace. I ran it like this:

  sudo strace  perf record --branch-filter any,save_type,u true  2>&1  | less

  Inside of less, I can search for the string “event_open” and I am taken to a spot in the output where the system call is made…11 times. Each one opens a file handle, and all of them are kept open after the system call. Here is the first call:

  
  perf_event_open({
                     type=PERF_TYPE_SOFTWARE, 
                     size=0 /* PERF_ATTR_SIZE_??? */,
                     config=PERF_COUNT_SW_CPU_CLOCK,
                     sample_period=0,
                     sample_type=0,
                     read_format=0,
                     exclude_kernel=1,
                     precise_ip=0 /* arbitrary skid */, ...},
                   -1,
                    2,
                   -1,
                    PERF_FLAG_FD_CLOEXEC) = 4 

  And here is the last one

  
  perf_event_open({
                     type=PERF_TYPE_HARDWARE, 
                     size=PERF_ATTR_SIZE_VER7,
                     config=PERF_COUNT_HW_CPU_CYCLES,
                     sample_freq=4000,                  sample_type=PERF_SAMPLE_IP|PERF_SAMPLE_TID|PERF_SAMPLE_TIME|PERF_SAMPLE_ID|PERF_SAMPLE_PERIOD|PERF_SAMPLE_BRANCH_STACK,
                     read_format=PERF_FORMAT_ID, 
                     disabled=1, 
                     inherit=1, 
                     mmap=1, 
                     comm=1, 
                     freq=1, 
                     enable_on_exec=1, 
                     task=1,
                     precise_ip=3 /* must have 0 skid */,
                     sample_id_all=1,
                     exclude_guest=1,
                     mmap2=1,
                     comm_exec=1,
                     ksymbol=1,
                     bpf_event=1,
                  ...},
                  11127,
                  7,
                 -1,
                  PERF_FLAG_FD_CLOEXEC) = 12 

  I’ve formatted this to make the relationship of the parameters a little clearer. Most significant is that the first parameter is a large structure, which strace knows how to interpret.

  If we keep looking down the output of strace, we can see another block of perf_event_open. When all of these are executed we end up with file descriptors 4-12 and 13-20 open for the remainder of the program as products of the perf_event_open system call. These are never read from, so the information must come from the kernel via another means. Again, we can see a block of related system calls, this time ioctls:

  
  ioctl(13, PERF_EVENT_IOC_ENABLE, 0)     = 0
  ioctl(14, PERF_EVENT_IOC_ENABLE, 0)     = 0
  ioctl(15, PERF_EVENT_IOC_ENABLE, 0)     = 0
  ioctl(16, PERF_EVENT_IOC_ENABLE, 0)     = 0
  ioctl(17, PERF_EVENT_IOC_ENABLE, 0)     = 0
  ioctl(18, PERF_EVENT_IOC_ENABLE, 0)     = 0
  ioctl(19, PERF_EVENT_IOC_ENABLE, 0)     = 0
  ioctl(20, PERF_EVENT_IOC_ENABLE, 0)     = 0
  

  But we do a see a clone system call, which implied a child process or thread.

  clone3({flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_THREAD|CLONE_SYSVSEM|CLONE_SETTLS|CLONE_PARENT_SETTID|CLONE_CHILD_CLEARTID, child_tid=0x7faf329ef910, parent_tid=0x7faf329ef910, exit_signal=0, stack=0x7faf321ef000, stack_size=0x7ffec0, tls=0x7faf329ef640} => {parent_tid=[11539]}, 88) = 11539
  

  If we look for system calls based on this pid (11539) we later see:

  poll([{fd=13, events=POLLIN|POLLERR|POLLHUP}, {fd=14, events=POLLIN|POLLERR|POLLHUP}, {fd=15, events=POLLIN|POLLERR|POLLHUP}, {fd=16, events=POLLIN|POLLERR|POLLHUP}, {fd=17, events=POLLIN|POLLERR|POLLHUP}, {fd=18, events=POLLIN|POLLERR|POLLHUP}, {fd=19, events=POLLIN|POLLERR|POLLHUP}, {fd=20, events=POLLIN|POLLERR|POLLHUP}], 8, 1000 <unfinished ...>

  However, the only time this pid is referenced again is to clean up, in this block of syscalls:

  
  [pid 11539] <... poll resumed>)         = 0 (Timeout)
  [pid 11539] rt_sigprocmask(SIG_BLOCK, ~[RT_1], NULL, 8) = 0
  [pid 11539] madvise(0x7faf321ef000, 8368128, MADV_DONTNEED) = 0
  [pid 11539] exit(0)                     = ?
  [pid 11539] +++ exited with 0 +++
  

• Fedora Community Blog CPE Weekly update – Week 21 2023

  This is a weekly report from the CPE (Community Platform Engineering) Team. If you have any questions or feedback, please respond to this report or contact us on #redhat-cpe channel on libera.chat.

  We provide you both infographics and text version of the weekly report. If you just want to quickly look at what we did, just look at the infographic. If you are interested in more in depth details look below the infographic.

  Week: 22 May – 26 May 2023

  Read more: CPE Weekly update – Week 21 2023

  

  Highlights of the week

  Infrastructure & Release Engineering

  Goal of this Initiative

  Purpose of this team is to take care of day to day business regarding CentOS and Fedora Infrastructure and Fedora release engineering work.
  It’s responsible for services running in Fedora and CentOS infrastructure and preparing things for the new Fedora release (mirrors, mass branching, new namespaces etc.).
  The ARC (which is a subset of the team) investigates possible initiatives that CPE might take on.
  [Planning board](Link to planning board)
  Docs

  Update

  Fedora Infra

  • Move old FMN to F38
  • Server updates/reboots
  • New koji theme deployed on koji.stg.fedoraproject.org
  • Bunch of machines upgraded to f38: all builders, koji hubs, proxies, kojipkgs
  • Mass update/reboot cycle over all machines completed. Some stability issues with rhel8.8 kernel still being investigated. (db01 outage due to that)
  • Setup smtp auth for flock call for papers (and copr machines too)
  • Retired old old space in rdu2 to be replaced by an internal vm.

  CentOS Infra including CentOS CI

  • Decommission bugs.centos.org
  • modify sign+push process to take into account images/spins/media images
  • Fixing c9s deploy issue for CI/QA
  • Koji-gc tuning for Stream storage clean-up
  • Fixing cbs -testing tags signing issue with wrong repodata (koji issue)

  Release Engineering

  • Move f34 release to archive properly
  • Compose tracker updated to f38 images

  EPEL

  Goal of this initiative

  Extra Packages for Enterprise Linux (or EPEL) is a Fedora Special Interest Group that creates, maintains, and manages a high-quality set of additional packages for Enterprise Linux, including, but not limited to, Red Hat Enterprise Linux (RHEL), CentOS and Scientific Linux (SL), Oracle Linux (OL).

  EPEL packages are usually based on their Fedora counterparts and will never conflict with or replace packages in the base Enterprise Linux distributions. EPEL uses much of the same infrastructure as Fedora, including buildsystem, bugzilla instance, updates manager, mirror manager and more.

  Updates

  • Carl presenting “RPM Workshop” at Red Hat Summit.
  • Started coordination for “State of EPEL” presentation for the Release Party
  • Working on EPEL docs overhaul

  Community Design

  Goal of this initiative

  CPE has few members that are working as part of Community Design Team. This team is working on anything related to design in Fedora Community.

  Updates

  • Design Docs transfer from Wiki underway.
  • Creative Freedom Summit
    • Art Challenge organization in progress.
    • Preparing talk for release party.
  • TikTok:
    • Penpot showcase
    • Creation of Colúr

  DNF mirrors-countme improvement

  Goal of this initiative

  This initiative is working on enhancing current DNF mirrors-countme script, which is used to provide statistics about number of Fedora installations on machines. This script has few bottlenecks that will be addressed as part of this intiative.
  ARC investigation

  Updates

  • Start poking at individual IP statistics
  • More cleanup work (remove unused code, split up code along topical boundaries, make function signatures less opaque)
  • Resume work on test coverage

  The post CPE Weekly update – Week 21 2023 appeared first on Fedora Community Blog.

• Remi Collet PHP version 8.1.20RC1 and 8.2.7RC1

  Release Candidate versions are available in testing repository for Fedora and Enterprise Linux (RHEL / CentOS / Alma / Rocky and other clones) to allow more people to test them. They are available as Software Collections, for a parallel installation, perfect solution for such tests, and also as base packages.

  RPM of PHP version 8.2.7RC1 are available

  • as base packages
    • in the remi-php82-test repository for Enterprise Linux 7
    • in the remi-modular-test for Fedora 35-37 and Enterprise Linux ≥ 8
  • as SCL in remi-test repository

  RPM of PHP version 8.1.20RC1 are available

  • as base packages
    • in the remi-php81-test repository for Enterprise Linux 7
    • in the remi-modular-test for Fedora 35-37 and Enterprise Linux ≥ 8
  • as SCL in remi-test repository

  PHP version 8.0 is now in security mode only, so no more RC will be released.

  Installation : follow the wizard instructions.

  Parallel installation of version 8.2 as Software Collection:

  yum --enablerepo=remi-test install php82

  Parallel installation of version 8.1 as Software Collection:

  yum --enablerepo=remi-test install php81

  Update of system version 8.2 (EL-7) :

  yum --enablerepo=remi-php82,remi-php82-test update php\*

  or, the modular way (Fedora and EL ≥ 8):

  dnf module reset php
  dnf module enable php:remi-8.2
  dnf --enablerepo=remi-modular-test update php\*

  Update of system version 8.1 (EL-7) :

  yum --enablerepo=remi-php81,remi-php81-test update php\*

  or, the modular way (Fedora and EL ≥ 8):

  dnf module reset php
  dnf module enable php:remi-8.1
  dnf --enablerepo=remi-modular-test update php\*

  Notice: version 8.2.7RC1 is in Fedora rawhide for QA.

  EL-9 packages are built using RHEL-9.2

  EL-8 packages are built using RHEL-8.8

  EL-7 packages are built using RHEL-7.9

  oci8 extension now uses Oracle Client version 21.10, intl extension now uses libicu 72.1

  RC version is usually the same as the final version (no change accepted after RC, exception for security fix).

  versions 8.1.20 and 8.2.7 are planed for June 8th, in 2 weeks.

  Software Collections (php81, php82)

  

  

  Base packages (php)

  

  

• Zach Oglesby

  Finished reading: Sapiens by Yuval Noah Harari 📚

• William Brown Starting with Rage on OpenSUSE

  Starting with Rage on OpenSUSE

  Rage is a rust implementation of Age, a modern, simple and secure file encryption tool. It is easier to use than other tools like GPG, and being written in a memory safe language it avoids many of the exploits that may occur in C based tools.

  Installing Rage

  You can install rage on leap or tumbleweed from zypper

  zypper install rage-encryption
  

  Alternately you can install from cargo with

  cargo install rage
  

  Key management

  The recipient must generate a key. This can be either a rage key, or an ssh key which is of the form ssh-rsa or ssh-ed25519.

  # The public key is displayed.
  rage-keygen -o ~/rage.key
  # age1y2lc7x59jcqvrpf3ppmnj3f93ytaegfkdnl5vrdyv83l8ekcae4sexgwkg
  

  To use ssh keys, you can generate a key with:

  ssh-keygen -t ed25519
  # cat /root/.ssh/id_ed25519.pub
  ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE1kWXiYIn/VWzo0DlnIp3cRx/kZd6d9WbwehKJpPx1R
  

  Encrypting to a public key

  You encrypt a file to the owner of the public key with:

  rage -e -r <pub key> -o <encrypted output> <input>
  # With their rage public key.
  rage -e -r age1y2lc7x59jcqvrpf3ppmnj3f93ytaegfkdnl5vrdyv83l8ekcae4sexgwkg -o ~/encyrpted.age data
  

  Alternately, if you want to allow the content of the encrypted file to be base64 for emailing (note the -a):

  rage -e -a -r <pub key> -o <encrypted output> <input>
  # With their rage public key.
  rage -e -a -r age1y2lc7x59jcqvrpf3ppmnj3f93ytaegfkdnl5vrdyv83l8ekcae4sexgwkg \
      -o ~/encyrpted.age data
  
  # cat /tmp/encrypted
  -----BEGIN AGE ENCRYPTED FILE-----
  YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByaDNTNHR0dlI5RkRudmpH
  NEUrT1RrQ3pZdjM5alRVYThDeG5xdTBxd1EwCjYxVGkwV05ibXlWeUN3MWVuNTBC
  Qk1SdEwyd3J1RjgrNVkxem5pbHJscVEKLT4gTyI7WFQtZ3JlYXNlIEZDXyBiICFV
  NgpoTlJ5ME95azMycE5GbS9oS0h6a280RlRTRHNKbE9mMGZjTmFCUjB6aWEwZGxU
  Rjg1RkZmdkhBSkU4Y1dZdEM3CjV0VXl4dE5Qd3E0SU1GSXNIejQKLS0tIFhscDBn
  MlBiTmxPekthY1RabVcxN0JkQnJsd3RKUkpTKzRkelZ1eDFXSk0KHzCOyBZHPe/P
  cV3Fez6yusycXcm83Bt+N2yHTG2utOGxfmIxb5c=
  -----END AGE ENCRYPTED FILE-----
  

  The ssh public key can be encrypted to if the public key is in a file

  rage -e -a -R <path to public key> -o <encrypted output> <input>
  # Using the ssh public key in a file
  rage -e -a -R ~/id_ed25519.pub -o /tmp/ssh-encrypted data
  

  Decrypting a file

  The recipient can then decrypt with:

  rage -d -i <path to private key> -o <decrypted output> <encrypted input>
  
  rage -d -i ~/rage.key -o /tmp/decrypted /tmp/encrypted
  
  # cat /tmp/decrypted
  hello
  

  With an ssh private key

  rage -d -i <path to ssh private key> -o <decrypted output> <encrypted input>
  
  rage -d -i ~/.ssh/id_ed25519 -o /tmp/ssh-decrypted /tmp/ssh-encrypted
  

  Encrypt to multiple recipients

  Rage can encrypt to multiple identities at a time.

  rage -e -a -R <first ssh pub key> -R <second pub key> ... -o <encrypted output> <input>
  rage -e -a -r <first pub key> -r <second pub key> ... -o <encrypted output> <input>
  rage -e -a -R <first ssh pub key> -r <first rage pub key> ... -o <encrypted output> <input>
  
  rage -e -a -R /root/.ssh/id_ed25519.pub \
      -r age1h8equ4vs5pyp8ykw0z8m9n8m3psy6swme52ztth0v66frgu65ussm8gq0t \
      -r age1y2lc7x59jcqvrpf3ppmnj3f93ytaegfkdnl5vrdyv83l8ekcae4sexgwkg \
      -o /tmp/ssh-encrypted hello
  

  all of the associated keys can decrypt this file.

  rage -d -i /root/.ssh/id_ed25519 -o /tmp/ssh-decrypted /tmp/ssh-encrypted
  
  rage -d -i ~/rage.key -o /tmp/decrypted /tmp/ssh-encrypted
  

  Using a passphrase instead of a key

  Rage can encrypt with a passphrase:

  rage -e -p -o <encrypted output> <input>
  
  rage -e -p -o /tmp/passphrase-encrypted data
  

  Decrypted with (passphrase is detected and prompted for):

  rage -d -o <decrypted output> <encrypted input> 
  
  rage -d -o /tmp/decrypted /tmp/passphrase-encrypted
  

May 25, 2023

• Fedora Community Blog Wrapping up the Fedora Websites and Apps Community Initiative: Part IV

  This is the fourth post in a series covering details about the journey of the Fedora Websites and Apps community Initiative, those who were involved in making it a grand success, and what lies ahead down the road for the team. If you have not already, read the previous post before delving into this one.

  Promising community diversification

  By October 2022, the experiment of me stepping away to assess the team’s strength began to show promising results. Niko Dunk, Jefferson Oliviera, Deepesh Nair, and many others, joined the development efforts. Likewise, Madeline Peck, Jess Chitas, Dawn Desmarais, and numerous others contributed to the design aspects. Hari Rana also participated in testing, alongside others who were already involved. I am immensely grateful to Ashlyn Knox, Francois Andrieu, and Niko Dunk for their effective collaboration with members from Fedora Infrastructure, Fedora Design, Fedora Marketing, and other teams. Together, they gathered requirements and provided valuable feedback. This development initiative commenced on GitLab itself, making it the first project to be entirely developed there. The team utilized planning tools such as epics, stories, issues, and timelines. In addition to Fedora Websites 3.0, we began collecting testimonials to gauge community interest in maintaining Fedora Badges.

  Rise of Fedora Badges 2.0

  Given the growing interest in revitalizing Fedora Badges within the community, two community members, Sandro and Erol Keskin, willingly offered to delve into the project repositories. They dedicated their time to connect with experienced contributors of Fedora Badges, seeking guidance on maintaining the current system while planning its redevelopment. Around December 2022, I took the lead in conducting technological investigations and gathering requirements for the Fedora Badges platform. Collaborating with Michal Konecny and Lenka Segura from Red Hat’s Community Platform Engineering Team, we aimed to build upon the initial findings gathered by Ryan Lerch. Concurrently, work on Fedora Websites 3.0 was in full swing, encompassing usability testing events and onboarding sessions for the content management system’s WYSIWYG editor. We organized these activities within the team, but also the wider Fedora Project community. This allowed individuals who were not directly part of the team to contribute to content management.

  Closing the finishing gap

  By February 2023, we successfully concluded the technological investigations and requirements gathering for Fedora Badges. As the development of Fedora Websites 3.0 approached its final stages, it seemed like the logical next step to ensure the team’s continued service to the community. Inspired by Matthew Miller’s previous experiment, we initiated discussions regarding the using Discourse for the frontend of Fedora Badges. Simultaneously, we focused on organizing subteams for design and development, as well as determining the most suitable implementation approach.

  At this juncture, the team had gained complete autonomy over its tasks, leading to significant progress in both our applications and websites. We received the fourth and fifth design mockups for Fedora CoreOS and Fedora Cloud front pages, respectively, skillfully created by Emma Kidney and made available on Fedora Discussions for valuable community feedback. Additionally, during this period, I had the opportunity to visit Frankfurt, Germany, representing the team as the Council objective lead in the Fedora Council face-to-face meeting.

  Evaluating the Community Initiative’s success

  For the March 2023 Fedora Council video meeting, I presented the results of the community survey conducted the previous year. During the meeting, Ben Cotton and Matthew Miller suggested closing the community initiative as a successful endeavor. However, I held a different opinion at the time. I believed that certain aspects still required interaction with the infrastructure services, providing an opportunity for the team to gain exposure. However, following the advice of one of my community mentors, Pierre-Yves Chibon, I reconsidered the proposal.

  I realized that striving for perfection could impede the team’s progress beyond the scope of the community initiative. Considering the future inclusion of Fedora Badges and the revamp of Fedora Websites 3.0 for other spins, the team unanimously agreed to close the community initiative as a success by April 2023. This coincided with the release of Fedora Linux 38, accompanied by our brand-new websites. We spent countless hours spent designing and developing these exceptional creations and the community response is great.

  The post Wrapping up the Fedora Websites and Apps Community Initiative: Part IV appeared first on Fedora Community Blog.

May 24, 2023

• Hans de Goede Fedora IPU6 camera support now available in rpmfusion-nonfree

  Installation
  
  I am happy to announce that Intel's IPU6 camera stack has been packaged in rpmfusion and now can be installed under Fedora 37 and newer with a single `dnf install` command.
  
  First enable both the rpmfusion-free and rpmfusion-nonfree repositories, for instructions see https://rpmfusion.org/Configuration
  
  The IPU6 support requires kernel >= 6.3.1 which is in updates-testing for now and v4l2loopback also needs to be updated to the latest version (in case you already have it installed):
  
  sudo dnf update \
    --enablerepo=updates-testing \
    --enablerepo=rpmfusion-free-updates-testing \
    --enablerepo=rpmfusion-nonfree-updates-testing \
    'kernel*' '*v4l2loopback'
  
  And now things are ready to install the IPU6 driver stack:
  
  sudo dnf install \
    --enablerepo=updates-testing \
    --enablerepo=rpmfusion-free-updates-testing \
    --enablerepo=rpmfusion-nonfree-updates-testing \
    akmod-intel-ipu6
  
  After this command reboot and you should be able to test your camera with https://mozilla.github.io/webrtc-landing/gum_test.html under firefox now.
  
  This relies on Intel's partly closed-source hw-enablement for the IPU6, as such this known to not work on laptop models which are not covered by Intel's hw-enablement work. If your laptop has an option to come with Linux pre-installed and that SKU uses the IPU6 cameras then this should work. Currently known to work models are:
  

  
  
  • Dell Latitude 9420 (ov01a1s sensor)
  
  
  • Lenovo ThinkPad X1 Carbon Gen 10 (ov2740 sensor)
  
  
  • Lenovo ThinkPad X1 Nano Gen 2 (ov2740 sensor)
  
  
  • Lenovo ThinkPad X1 Yoga Gen 7 (ov2740 sensor)
  
  

  
  If the IPU6 driver works for you on an unlisted model please drop mean email at so that the above list can be updated.
  
  Description of the stack
  
  The IPU6 camera stack consists of the following layers:
  

  
  
  1. akmod-intel-ipu6 the IPU6 kernel drivers. These are currently out of tree. Work is ongoing on getting various IO-expander, sensor drivers and the CSI2 receiver patches upstream. This is a slow process though and currently there is no clear path to getting the actual ISP part of the IPU supported upstream.
  
  
  2. ipu6-camera-bins this is a set of closed-source userspace libraries which the rest of the userspace stack builds on top of. There is a separate set of libraries for each IPU6 variant. Currently there are 2 sets, "ipu6" for Tiger Lake and "ipu6ep" for Alder Lake.
  
  
  3. ipu6-camera-hal this is a library on top of the set of libraries in ipu6-camera-bins. This needs to be built separately for the "ipu6" and "ipu6ep" library sets from ipu6-camera-bins.
  
  
  4. gstreamer1-plugins-icamerasrc a gstreamer plugin built on top of ipu6-camera-hal. This allows using the camera through gstreamer.
  
  
  5. akmod-v4l2loopback + v4l2-relayd. Most apps don't use gstreamer for camera access and even those that do don't know they need to use the icamerasrc element. v4l2-relayd will monitor a v4l2loopback /dev/video0 node and automatically start a gstreamer pipeline to send camera images into the loopback when e.g. firefox opens the /dev/video0 node to capture video.
  
  

  
  Packaging challenges and technical details
  

  
  
  1. akmod-intel-ipu6: There were 2 challenges to overcome before the IPU6 kernel drivers could be packaged:
     
     
     1. The sensor drivers required patches to the main kernel package, specifically to the INT3472 driver which deals with providing GPIO, clk, regulator and LED resources to the sensor drivers. Patches have been written for both the main kernel, including some LED subsystem core additions, as well as patches to the IPU6 sensor drivers to bring them inline with mainline kernel conventions for GPIOs, clks and LEDs. All the necessary patches for this are upstream now, allowing the latest ipu6-drivers code to work with an unmodified mainline kernel.
     
     
     2. Until now the IPU6 drivers seem to have been used with a script which manually loads the modules in a specific order. Using automatic driver loading by udev exposed various probe-ordering issues. Requiring numerous patches (all upstreamed to Intel's github repo) to fix.
     
     
  
  
  2. ipu6-camera-bins: Since there were 2 sets of libraries for different IPU6 versions, these are now installed in separate /usr/lib64/ipu6[ep] directories and the headers and pkgconfig files are also installed in 2 different variants.
  
  
  3. ipu6-camera-hal: This needs to be built twice against the 2 different sets of ipu6-camera-bins libraries. Letting the user pick the right libcamhal.so build to install is not very user friendly, to avoid the user needing to manually chose:
     
     
     1. Both builds are installed in separate /usr/lib64/ipu6[ep] directories.
     
     
     2. The libcamhal.so under these directories is patched to include the directory it is installed in as RPATH, so that dynamic-linking against that libcamhal.so will automatically link against the right set of ipu6-camera-bins libraries.
     
     
     3. To make all this all work transparently the actual /usr/lib64/libcamhal.so is a symlink to /run/libcamhal.so and /run/libcamhal.so is set by udev rules to point to /usr/lib64/ipu6[ep]/libcamhal.so depending on the actual hw. The /run/libcamhal.so indirection is there so that things will also work with an immutable /usr .
     
     
     4. ipu6-camera-hal's udev rules also set a /run/v4l2-relayd config file symlink to configure the gstreamer pipeline use by v4l2-relayd to match the ipu6 vs ipu6ep capabilities.
     
     
  
  
  4. akmod-v4l2loopback + v4l2-relayd: Getting this to work with Firefox was somewhat tricky, there were 2 issues which had to be solved:
     
     
     1. Firefox does not accept the NV12 image format generated by ipu6ep pipelines. To work around this a conversion to YUV420 has been added to the v4l2-relayd pipeline feeding into v4l2loopback. This workaround can be dropped once Firefox 114, which will have NV12 support, is released.
     
     
     2. Gstreamer sends v4l2-buffers with a wrong bytesused field value into v4l2loopback causing Firefox to reject the video frames. A patch has been written and merged upstream to make v4l2loopback fix up the bytesused value, fixing this.
     
     
  
  

  
  Many thanks to my colleague Kate Hsuan for doing most of the packaging work for this.
  
  And also a big thank you to the rpmfusion team for maintaining the rpmfusion repo and infrastructure which allows packaging software which does not meet Fedora's strict guidelines outside of the Fedora infra.

• Fabio Alessandro Locati EU EDPB vs. Irish DPC vs. Meta Platforms

  The Irish Data Protection Commission (DPC) has evaluated the legality of Facebook’s (now Meta Platforms) data transfer for over 10 years. In those 10 years, we have seen the Irish DPC trying to avoid ruling on the matter multiple times and the European Data Protection Board (EDPB) forcing them to do it. We now have a final ruling on the matter, which is unfavorable to Meta. In fact, in addition to having to stop the data transfer within 5 months and having to move back all data within 6 months, Meta has to pay a € 1.

May 23, 2023

• Gary Benson Which uninstalled package provides a file?

  $ apt-file find guestmount
  guestmount: /usr/bin/guestmount
  guestmount: /usr/share/bash-completion/completions/guestmount
  guestmount: /usr/share/doc/guestmount/changelog.Debian.gz
  guestmount: /usr/share/doc/guestmount/copyright
  guestmount: /usr/share/man/ja/man1/guestmount.1.gz
  guestmount: /usr/share/man/man1/guestmount.1.gz
  guestmount: /usr/share/man/uk/man1/guestmount.1.gz

• Fedora Community Blog FMN Replacement – Final Post

  It’s been a busy month on the Fedora Messaging Notifications (FMN) Replacement team, but we’ve pushed through to the finish line and are very happy to announce the arrival of the shiny new FMN.

  Let’s take a moment and see how the project has unfolded over the last few months

  About 6 weeks ago, I put out a blog post highlighting where we were with the project. At that time we were very close to finishing, even making plans as to when the “old” service would be turning off. I’m very happy to let you all know that this has been planned. However, we decided to have a grace period where everyone could start creating their new rules in the “new” version.

  Aurélien Bompard sent out an email on devel-announce explaining this, but in case people didn’t see it, here is the gist of that info:

  • The “new” FMN is deployed at https://notifications.fedoraproject.org/
  • The “old” FMN is deployed at https://apps.fp.o/notifications-old
  • The “old” FMN will exist until the F39 release (targeted for October 2023)
  • Because of the new features, any user’s existing rules will need to be created fresh in the new FMN
  • Any issues with the new FMN, please file tickets at https://pagure.io/fedora-infrastructure/new_issue

  So long and thanks for all the fish

  From all of the team that worked on this project, we hope that you enjoy the new version. One of the largest features we tried to improve was getting the notifications to the users quickly. Hopefully you will see that. Also, please file tickets if something is broken or could be improved. Remember to create your new rules because everyone starts out with a blank slate.

  The post FMN Replacement – Final Post appeared first on Fedora Community Blog.

May 22, 2023

• The NeuroFedora Blog Next Open NeuroFedora meeting: 22 May 1300 UTC

  

  Photo by William White on Unsplash.

  
  

  Please join us at the next regular Open NeuroFedora team meeting on Monday 22 May at 1300 UTC. The meeting is a public meeting, and open for everyone to attend. You can join us over:

  • Matrix (using your web-browser)
  • IRC

  You can use this link to convert the meeting time to your local time. Or, you can also use this command in the terminal:

  $ date --date='TZ="UTC" 1300 2023-05-22'
  

  The meeting will be chaired by @ankursinha. The agenda for the meeting is:

  • New introductions and roll call.
  • Tasks from last meeting.
  • Open Pagure tickets.
  • Package health check.
  • Open package reviews check.
  • CompNeuro lab compose status check for Fedora 38/rawhide.
  • Neuroscience query of the week
  • Next meeting day, and chair.
  • Open floor.

  We hope to see you there!

• Dave Airlie lavapipe and sparse memory bindings: part two

   Thanks for all the suggestions, on here, and on twitter and on mastodon, anyway who noted I could use a single fd and avoid all the pain was correct!

  I hacked up an ever growing ftruncate/madvise memfd and it seemed to work fine. In order to use it for sparse I have to use it for all device memory allocations in lavapipe which means if I push forward I probably have to prove it works and scales a bit better to myself. I suspect layering some of the pb bufmgr code on top of an ever growing fd might work, or maybe just having multiple 2GB buffers might be enough.

  Not sure how best to do shaderResourceResidency, userfaultfd might be somewhat useful, mapping with PROT_NONE and then using write(2) to get a -EFAULT is also promising, but I'm not sure how best to avoid segfaults for read/writes to PROT_NONE regions.
  

  Once I got that going, though I ran headfirst into something that should have been obvious to me, but I hadn't thought through.

  llvmpipe allocates all it's textures linearly, there is no tiling (even for vulkan optimal). Sparse textures are incompatible with linear implementations. For sparseImage2D you have to be able to give the sparse tile sizes from just the image format. This typically means you have to work out how large the tile that fits into a hw page is in w/h. Of course for a linear image, this would be dependent on the image stride not just the format, and you just don't have that information.

  I guess it means texture tiling in llvmpipe might have to become a thing, we've thought about it over the years but I don't think there's ever been a solid positive for implementing it.

  Might have to put sparse support on the back burner for a little while longer.
  

• Josh Bressers Episode 376 – Open Source Summit, who built your open source, and AI

  Josh and Kurt talk about the Open Source Summit in Vancouver. Josh was there and we pick on two observations. Firstly that security keeps trying to use fear as a feature, except it doesn’t work. Secondly we discuss AI and how people are talking about it. It is changing things, how much is yet to be seen.

  Show Notes

  • SLSA
  • FRSCA
  • S2C2F
  • MSI leak
  • Intel microcode
  • Tom Scott AI Video

May 21, 2023

• Kiwi TCMS Kiwi TCMS 12.3

  We're happy to announce Kiwi TCMS version 12.3!

  IMPORTANT: this is a small release which contains security related updates, general improvements and new translations!

  You can explore everything at https://public.tenant.kiwitcms.org!

  Supported upgrade paths:

  5.3   (or older) -> 5.3.1
  5.3.1 (or newer) -> 6.0.1
  6.0.1            -> 6.1
  6.1              -> 6.1.1
  6.1.1            -> 6.2 (or newer)
  

  ---

  Upstream container images (x86_64):

  kiwitcms/kiwi   latest  1cbaba8640d9    594MB
  

  IMPORTANT: version tagged and multi-arch container images are available only to subscribers!

  Changes since Kiwi TCMS 12.2

  Security

  • Update Django from 4.1.8 to 4.2.1 which contains a fix for CVE-2023-31047. We believe this does not affect Kiwi TCMS
  • Implement better scanning for embedded <script> tags in uploaded files
  • Force Content-Type: text/plain when serving uploaded files. See GHSA-x7c2-7wvg-jpx7
  • Explicitly configure top-level permissions for CI jobs as read-all
  • Pass untrusted input via intermediate ENV variables in CI jobs

  Improvements

  • Update nginx from 1.20 to 1.22
  • Update django-grappelli from 3.0.5 to 3.0.6
  • Update pygithub from 1.58.1 to 1.58.2
  • Add Helm chart examples (Michael Abramovich)

  Refactoring and testing

  • Update node_modules/webpack-cli from 5.0.1 to 5.1.1
  • Update node_modules/webpack from 5.80.0 to 5.83.1
  • Update node_modules/eslint from 8.38.0 to 8.40.0
  • Update tests/bugzilla/fedora from 37 to 38
  • Enable the checkov static linter

  Translations

  • Updated Russian translation

  Kiwi TCMS Enterprise v12.3-mt

  • Based on Kiwi TCMS v12.3

  • Update dj-database-url from 1.3.0 to 2.0.0

  • Update django-ses from 3.3.0 to 3.5.0

  • Update kiwitcms-tenants from 2.5.0 to 2.5.1

  • Explicitly set permissions to read-all

  • Enable checkov linter

    Private images:

    quay.io/kiwitcms/version            12.3 (aarch64)          8bf8cd56c565    22 May 2023     601MB
    quay.io/kiwitcms/version            12.3 (x86_64)           1cbaba8640d9    22 May 2023     592MB
    quay.io/kiwitcms/enterprise         12.3-mt (aarch64)       36d6670c3fca    22 May 2023     845MB
    quay.io/kiwitcms/enterprise         12.3-mt (x86_64)        e769e6bdb5c1    22 May 2023     835MB
    

  IMPORTANT: version tagged, multi-arch and Enterprise container images are available only to subscribers!

  How to upgrade

  Backup first! Then execute the commands:

  cd path/containing/docker-compose/
  docker-compose down
  docker-compose pull
  docker-compose up -d
  docker exec -it kiwi_web /Kiwi/manage.py upgrade
  

  Refer to our documentation for more details!

  Happy testing!

  ---

  If you like what we're doing and how Kiwi TCMS supports various communities please help us grow!

  • Give â­� on GitHub;
  • Give ğŸ‘� on GitLab;
  • Donate via Open Collective as low as 1 EUR;
  • Join our newsletter and follow all project news;
  • Become a contributor and an awesome open source hacker;
  • Become a subscriber and help us sustain development

May 19, 2023

• Adam Young Testing an MCTP Driver via Echo request

  MCTP stands for Management Component Transport Protocol. While it is designed around a server, it is also designed as a network protocol. As such, the Linux implementation makes use of the Socket interface and the Kernel plumbing for dealing with network protocols. To support a new transport mechanism, you implement a new device driver specific to that transport mechanism that implements the struct net_device contract, which includes implementing the functions for struct net_device_ops.

  Before I write a full implementation, I want to write something that only echos a packet back to the receiver. This mimics the behavior of the mctp-echo server in the user tools, and can make use of the mctp-req echo client.

  A network driver moves traffic from the operating system to the network device or in the opposite direction. My proof-of-concept code is going to do half of each operation: it is going to take a packet from the operating system, munge it, and send it back to the operating system. In order to perform this operation, I hae to implement the function .ndo_start_xmit from the struct net_device_ops. Here’s my implementation:

  static netdev_tx_t mctp_pcc_tx(struct sk_buff *skb, struct net_device *ndev)
  {
          struct mctp_hdr * hdr;
          struct control_work_data * control_write_data;
  
          u8      orig_dest;
          u8      orig_src;
          
          printk(KERN_INFO "mctp_pcc_tx called\n");
  
          hdr = mctp_hdr(skb);
          
          printk("Version:     %x\n",hdr->ver);
          printk("Source:      %x\n",hdr->src);
          printk("Destination: %x\n",hdr->dest);
          printk("flags_seq_tag:      %x\n",hdr->flags_seq_tag);
          pkt_hex_dump(skb); 
  
  
          orig_dest = hdr->dest;
          orig_src = hdr->src;
  
          __mctp_cb(skb);
  
          hdr = mctp_hdr(skb);
          hdr->src=orig_dest;
          hdr->dest=orig_src;
          hdr->flags_seq_tag += 8;
          //This is a single static bloc instead of a kmalloc'ed block. The kmalloc
          //Was triggering a check during interrupt context and stack dumping
          control_write_data = &control_write_data_static;//kmalloc(sizeof(struct control_work_data), GFP_KERNEL);
          control_write_data->skb = skb;
          INIT_WORK(&control_write_data->work, temp_echo_handler);
          init_waitqueue_head(&control_write_data->wq);
  
          schedule_work(&control_write_data->work);
  
          return NETDEV_TX_OK;
  }
  

  A few observations.

  • I am assuming that this code is supposed to consume and free the sk_buff that is handed in. In stead of doing that, I reuse it for the outward journey. I’d like to confirm that this is correct, but I have not gotten a double free message, so I think I am right.
  • I swap the source and destination values., as that is where the response message needs to go. The original destination value lets me set a routing rule to ensure that the packet gets sent to the new device driver. The recvfrom call in the mctp_req program looks for a packet from this address
  • There is a flag on the header that indicates that this is a response packet. Without this, the packet does not get delivered back to the the mctp_req process. That is what this code does: hdr->flags_seq_tag += 8; Should be a bitwise or setting, but this proves the concept.
  • Since the start_tx call is done in interrupt context, we want to exit out as quickly as possible. The essential work that has to be done here is scheduling the work that cannot be done in interrupt context. This is done in the function linked in the control_write_data block with the skbuff data attached. I could have put more of this work into the callback function, but nothing I did here would block.

  The work_queue function that sends the packet back to the kernel looks like this:

  void temp_echo_handler(struct work_struct *work){
          struct control_work_data *my_data = container_of(work, \
                                   struct control_work_data, work);
          pr_info("%s\n", __func__);
          if (my_data->skb != NULL){
                  pr_info("%s calling netif_rx\n", __func__);
                  netif_rx(my_data->skb);
          }
   
          pr_info("%s after netif_rx \n", __func__);
  }
  

  Aside from the logging, the function calls netif_rx(my_data->skb) which sends the packet back into the kernels’ network processing code…it ends up on a queue to get delivered to the appropriate waiting socket.

  To set up a test for this code, I run the following shell script:

  #!/bin/sh
  insmod mctp_pcc.ko 
  mctp route add 9 via mctpipcc2d
  mctp address add 10 dev mctpipcc2d
  mctp link set mctpipcc2d  up
  

  With this run, I can see the mctp device using the mctp tool:

  # mctp link
  dev lo index 1 address 0x00:00:00:00:00:00 net 1 mtu 65536 up
  dev mctpipcc2d index 9 address 0x(no-addr) net 1 mtu 68 up
  

  To avoid fooling myself, I need to ensure that the mctp-echo server is not running, or it will respond for me.

  A test run looks like this:

  # ./obj/mctp-req eid 9
  req:  sending to (net 1, eid 9), type 1
  -> sent
  req:  message from (net 1, eid 9) type 1 len 1: 0x00..
  

  I added the ->sent message from debugging, but otherwise this is the vanilla code linked above.

• Adam Young System Tap on Fedora 38

  Getting System Tap up and running on F38 has involved chasing down a few modules.

  I am running on

  uname -a
  Linux hackery 6.2.15-300.fc38.aarch64+debug #1 SMP PREEMPT_DYNAMIC Thu May 11 16:10:31 UTC 2023 aarch64 GNU/Linux
  

  I had to get the kernel-debug-devel package in in order to get the files under /usr/src/kernels/6.2.15-300.fc38.aarch64+debug/. Running stap looks for a file in /lib/modules/6.2.15-300.fc38.aarch64+debug/build which is a symlink to this directory.

  sudo yum install kernel-debug-devel kernel-debug-modules kernel-debuginfo kernel-debug-core  kernel-devel kernel-devel

  With that installed I can run the command:

  stap --dump-probe-types

  I knew that things were OK once I could get the stap-prep command to to work. That involved getting the debug Kernel running and the appropriate other RPMS. As of now I am running This version of the Linux Kernel from the Fedora RPMs 6.2.15-300.fc38.aarch64+debug.

  The funny thing is that I ended up not using System Tap after all this, but I wanted to record the thing I learned.

• Zach Oglesby

  I finally found a use case for ChatGPT. Ask it a question that I am interested in. After it gives its answer ask it for book on the topic. It provides me a list of books and a synopsis of each.

  Way faster than trying to google for books on a topic where I have to read multiple people’s articles.

• Joe Brockmeier Everything you need to know about Vim and text on Linux (Slides)

  Last week I had the opportunity to present at Open Source Summit North America (2023) in the Open Source On-Ramp track. I promised to upload my slides by Monday of this week (oops) but didn’t factor in getting COVID. Apologies to anybody who came looking for the slides previously, I was pretty much under the weather all week.

  Better late than never, I hope. Here’s the deck in PDF form: Everything you need to know about Vim and text on Linux.

  Despite being on Friday, I felt like there was pretty decent attendance and clearly there’s still interest in Vim content. I’ll be adding to my Vim resources here on Dissociated Press as time allows. One person requested tips for working with YAML, which might be good for folks working with Kubernetes.

• Fedora Community Blog CPE Weekly update – Week 20 2023

  This is a weekly report from the CPE (Community Platform Engineering) Team. If you have any questions or feedback, please respond to this report or contact us on #redhat-cpe channel on libera.chat.

  We provide you both infographics and text versions of the weekly report. If you just want to quickly look at what we did, just look at the infographic. If you are interested in more in depth details look below the infographic.

  Week: 15 – 19 May 2023

  

  Highlights of the week

  Infrastructure & Release Engineering

  Goal of this Initiative

  The purpose of this team is to take care of day-to-day business regarding CentOS and Fedora Infrastructure and Fedora release engineering work.
  It’s responsible for services running in Fedora and CentOS infrastructure and preparing things for the new Fedora release (mirrors, mass branching, new namespaces, etc.).
  The ARC (which is a subset of the team) investigates possible initiatives that CPE might take on.
  Planning board
  Docs

  Update

  Fedora Infra

  • Update bodhi to 7.2.0
  • Wiki upgraded in staging, soon in prod
  • Fixed up Azure image builds
  • Mass update/reboot cycle this week including builders/koji to f38 later today

  CentOS Infra including CentOS CI

  • Refresh RHEL deployment mirrors with 9.2/8.8 trees
  • Fixed Driver Discs created for user space packages
  • Convert signing process/machine from el7 to el9
  • Enabling Sign testing repositories
  • Working on images/spin releng process for SIGs
  • Decommissioned https://bugs.centos.org

  Release Engineering

  • Fedora 36 is End Of Life
  • Documentation updates
  • Composing Fedora knowledge transfer in Brno
  • Openh264 multilib composes underway

  EPEL

  Goal of this initiative

  Extra Packages for Enterprise Linux (or EPEL) is a Fedora Special Interest Group that creates, maintains, and manages a high-quality set of additional packages for Enterprise Linux, including, but not limited to, Red Hat Enterprise Linux (RHEL), CentOS, and Scientific Linux (SL), Oracle Linux (OL).

  EPEL packages are usually based on their Fedora counterparts and will never conflict with or replace packages in the base Enterprise Linux distributions. EPEL uses much of the same infrastructure as Fedora, including buildsystem, bugzilla instance, updates manager, mirror manager, and more.

  Updates

  • Updated python-waitress in EPEL 8 to resolve five CVEs
  • Submitted a backported fix for CVE-2015-7504 to qemu in EPEL 7
  • Backported fix for CVE-2021-36369 to dropbear in EPEL 7, EPEL 8, and EPEL 9
  • EPEL2RHEL automation reworded to avoid confusion

  Community Design

  Goal of this initiative

  CPE has a few members that are working as part of the Community Design Team. This team is working on anything related to design in Fedora Community.

  Updates

  • The Podman.io website launched, and lots of bug fixes were pushed last week, and a few more for this week.
  • Working with the Anaconda team to make usage more user-friendly.
  • Closed/completed DEI logo
    • Blog post documenting the process: Concept Generation.
  • Continuing the vectorization of Panda.
  • Researching and experimenting with open-source audio editor LMMS for Fedora branding sounds for system boot actions.
  • The F39 Wallpaper is going to be inspired by Florence Nightingale! Yippee

  DNF mirrors-countme improvement

  Goal of this initiative

  This initiative is working on enhancing the current DNF mirrors-countme script, which is used to provide statistics about the number of Fedora installations on machines. This script has a few bottlenecks that will be addressed as part of this initiative.
  ARC investigation

  Updates

  • Work on code refactoring and simplification (exposing opaque arguments, sorting imports and constants, etc.)
  • Finished the code, and opened a PR, for the issue “Delete data from intermediate db fileâ€�

  The post CPE Weekly update – Week 20 2023 appeared first on Fedora Community Blog.

May 18, 2023

• Adam Young Smirking Sigma

  Design prototypes for a band logo

  

  

  All images Copyright Adam Young.

  Designed in Inkscape. Working title is “Smirking Sigma”

  The font used is Beachman Script. by David Rakowski. It really seems to capture the classic feel of a fifties music venue.

• Zach Oglesby

  I am not sure what people are upset about in San Diego. This is on brand for the Padres. Even with a loaded team they are unable to find a way to win. We are a cursed fan base.

  Yes, the season is still new and there is lots of time to turn it around. My point is that we should be use to this by now.

• Fedora Community Blog Wrapping up the Fedora Websites and Apps Community Initiative: Part III

  This is the third post in a series covering details about the journey of the Fedora Websites and Apps community Initiative, those who were involved in making it a grand success, and what lies ahead down the road for the team. If you have not already, read the previous post before delving into this one.

  Processes and Visibility

  Around April 2022, I shifted my focus to rewriting our team documentation. I aimed to maintain high codebase standards for our websites and applications while ensuring a clear understanding of our team processes. This would ensure that the team’s work could continue even after completing the community initiative. We actively participated in community events such as Fedora Linux Release Parties and Nest With Fedora, where we shared updates on our projects and discussed special team initiatives. Ashlyn Knox and Onuralp Sezer went the extra mile by organizing interactive workshops during these events, both personally and on behalf of the team. Their efforts aimed to onboard new members and educate the community about the latest developments in web technologies. Meanwhile, Ojong Enow and Subhangi Choudhary diligently pushed forward with their assignments as we neared the completion of our cohort.

  Getting our Mindshare Representative

  We made significant progress in an organic manner, ticking off numerous outcomes and outputs from the planned checkpoints in our Fedora Websites and Apps council objective charter. By June 2022, we were fully engaged in designing mockups for our revamped websites. The first mockup, created by Mairin Duffy, showcased the revamped Fedora Workstation website. During this time, we also embarked on several exciting experiments, such as Matthew Miller‘s use of Discourse as the frontend for Fedora Badges, and discussions about the potential transition to GitLab due to the sunset of the Taiga service in our community infrastructure. Additionally, Onuralp Sezer was chosen as the Mindshare representative for the team. We received numerous ideas that reinforced our commitment to meeting the community’s requirements. These ideas included enhancing the visibility of Kinoite and Silverblue spins within our maintained websites.

  Dawn of the Fedora Websites 3.0

  By August 2022, we witnessed the rise of one of the first in-person local community events after a prolonged period of online-only events due to the risks associated with COVID-19. Fedora Hatch, a series of smaller local events organized worldwide, presented a valuable platform for advocating for our team and attracting more contributors. During this time, I created the Fedora Websites 3.0 manifesto and shared it with Red Hat teams and the Fedora Project community.

  This initiative kick-started our efforts to create renewed websites for Fedora Linux. We initiated conversations on the tooling and frameworks through Fedora Discussion. Emma Kidney joined our efforts and provided the second design mockup for the Fedora IoT website. Additionally, we successfully completed the Meetbot Logs 2.0 project, which marked our first successful web application rewrite from the Council Objective charter.

  Reboot In Progress

  Fedora Websites 3.0 emerged as a catalyst to reignite the team’s enthusiasm and determine our ability to handle such a significant expansion of our responsibilities. Through extensive study and collaboration with Red Hat’s Community Platform Engineering team, I worked to identify the most suitable front-end technologies that would allow the community to contribute efficiently while lowering the entry barrier for newcomers. We selected NuxtJS for websites and VueJS for applications, a decision that not only influenced the community but also represented a significant victory for the community initiative within Red Hat. By September 2022, we had already initiated discussions on the long-term maintenance of Fedora Badges. Furthermore, we shared the third mockup for the Flock To Fedora website, designed by Ashlyn Knox, with the community for feedback on Fedora Discussion.

  The post Wrapping up the Fedora Websites and Apps Community Initiative: Part III appeared first on Fedora Community Blog.

May 17, 2023

• Richard W.M. Jones NBD-backed qemu guest RAM

  This seems too crazy to work, but it does:

  $ nbdkit memory 1G
$ nbdfuse mem nbd://localhost &
[1] 1053075
$ ll mem
-rw-rw-rw-. 1 rjones rjones 1073741824 May 17 18:31 mem

  Now boot qemu with that memory as the backing RAM:

  $ qemu-system-x86_64 -m 1024 \
-object memory-backend-file,id=pc.ram,size=1024M,mem-path=/var/tmp/mem,share=on \
-machine memory-backend=pc.ram \
-drive file=fedora-36.img,if=virtio,format=raw

  It works! You can even dump the RAM over a second NBD connection and grep for strings which appear on the screen (or passwords etc):

  $ nbdcopy nbd://localhost - | strings | grep 'There was 1 failed'
There was 1 failed login attempt since the last successful login.

  Of course this isn’t very useful on its own, it’s just an awkward way to use a sparse RAM disk as guest RAM, but nbdkit has plenty of other plugins that might be useful here. How about remote RAM? You’ll need a very fast network.

• Adam Young Remote git with ssh

  Working on a different architecture from my Laptop means that I am invariably working on a remote machine. My current development can be done on an Ampere AltraMax machine, which means I have 80 processors available; quite a nice benefit when doing a Linux Kernel compile that can use all of the processors available.
  
  Because the machine is a shared resource out of out lab, I want to make sure I can recreate my work there on another machine; this one could be reclaimed or powered down due to lab priorities. Thus, all my remote work is done in git, and I use the ssh protocol to pull changes from my work server to my laptop fairly regularly…whenever I feel I have valuable work that could be potentially lost.

  I will assume that you can figure out how to create a git repo on work machine (write a comment if you really feel that would be necessary to expand) and will just show how to pull it onto my laptop.

  Here are the steps:

  • create a local git repo.
  • add your remote server ssh login as a git remote
  • git fetch from the remote server.

  Here’s what it looks like:

  mkdir myproj
  cd myproj
  git remote add eng16sys root@eng16sys:devel/myproj
  git fetch eng16sys

  That last command will generate output like this:

  
  remote: Enumerating objects: 13, done.
  remote: Counting objects: 100% (13/13), done.
  remote: Compressing objects: 100% (13/13), done.
  remote: Total 13 (delta 3), reused 0 (delta 0), pack-reused 0
  Unpacking objects: 100% (13/13), 3.07 KiB | 785.00 KiB/s, done.
  From 10.76.105.76:devel/mctp_pcc
   * [new branch]      main       -> eng16sys-r105/main

  This is a two-way setup in that I can push code from my laptop to the server as well. However, since I don’t have ssh from the server back to my laptop, I cannot pull code to the server from my laptop from a command prompt on the server. This is security constraint; I don’t want to allow people that have access to my server (a shared resource) to also have access to my personal laptop.

• Steven Pritchard libvirt surprise

  I just noticed that some of my libvirt VMs had on_crash set to destroy instead of restart. It looks like there is an easy fix:

  for vm in $( virsh list --name ) ; do virt-xml "$vm" --edit --events on_crash=restart ; done

  I don't know if something changed in virt-manager/virt-install over the years, or if I ran into this a long time ago and forgot about it.

  Now I just need to remember to add that --events option to virt-install in the future... 🙂

• Richard W.M. Jones nbdkit’s evil filter

  If you want to simulate how your filesystem behaves with a bad drive underneath you have a few options like the kernel dm-flakey device, writing a bash nbdkit plugin, kernel fault injection or a few others. We didn’t have that facility in nbdkit however so last week I started the “evil filter”.

  The evil filter can add data corruption to an existing nbdkit plugin. Types of corruption include “cosmic rays” (ie. random bit flips), but more realisticly it can simulate stuck bits. Stuck bits are the only failure mode I can remember seeing in real disks and RAM.

  One challenge with writing a filter like this is to make the stuck bits persistent across accesses, without requiring us to maintain a large bitmap in the filter keeping track of their location. The solution is fairly elegant: split the underlying disk into blocks. When we read from a block, reconstruct the stuck bits within that block from a fixed seed (calculated from a global PRNG seed + the block’s offset), and iterate across the block incrementing by random intervals. The intervals are derived from the block’s seed so they are the same each time they are calculated. We size the blocks so that each one will have about 100 corrupted bits so this reconstruction doesn’t take very long. Nothing is stored except one global PRNG seed.

  The filter isn’t upstream yet but hopefully it can be another way to test filesystems and distributed storage in future.

• ! Avi Alkalay ¡ Web scraping and site mirroring

  Need to mirror an entire website? Use the httrack command, available in all Linux distributions. If site requires authentication, provide to httrack a cookies.txt file exported from your browser.

  

  A typical httrack use:

  httrack https://some.site.com -W -O ~/websites/somesite --robots=0 --stay-on-same-address

  On ~/websites/somesite will be created a folder structure with HTML and other files similar to the URLs on https://some.site.com. You can even open the index.html file locally in your browser and browse the mirrored content.

  The httrack technique performs better and faster than the wget command, which is also very powerful but for simpler tasks. The curl command is popular in macOS but is far simpler and can’t crawl an entire site.

  If the content you need to download is media, video, audio from sites like YouTube, Vimeo, Facebook, Instagram, TikTok, Twitter or other video sites, yt-dlp does the job perfectly. Also available in all Linux systems (or with a plain pip install yt-dlp in any Python environment), this tool is a maintained fork of the old youtube-dl, which is now unmaintained and obsolete.

  Content downloading from the Web is the most basic operation of the Internet. It is what web browsers do all the time. Using these tools is exactly like switching to another browser, one that saves the content in a deterministic way instead of just rendering on the screen.

  In the same way, there are even more specialized tools capable of extracting music from Spotify, Deezer, Tidal, sometimes in lossless and studio-grade quality, complete with embedded lyrics, album cover art and high quality tagging. But these are subjects for another writing.

  These tools are not recommended if you need more advanced interactions with services on the Internet. For a more reliable and precise content exchange try first the service’s APIs, if they provide one. Keep web scraping and site crawling as your very last resource.

  Also on my LinkedIn.

• Dave Airlie lavapipe and sparse memory bindings

  Mike nerdsniped me into wondering how hard sparse memory support would be in lavapipe.

  The answer is unfortunately extremely.
  

  Sparse binding essentially allows creating a vulkan buffer/image of a certain size, then plugging in chunks of memory to back it in page-size multiple chunks.

  This works great with GPU APIs where we've designed this, but it's actually hard to pull off on the CPU.

  Currently lavapipe allocates memory with an aligned malloc. It allocates objects with no backing and non-sparse bindings connect objects to the malloced memory.

  However with sparse objects, the object creation should allocate a chunk of virtual memory space, then sparse binding should bind allocated device memory into the virtual memory space. Except Linux has no interfaces for doing this without using a file descriptor.

  You can't mmap a chunk of anonymous memory that you allocated with malloc to another location. So if I malloc backing memory A at 0x1234000, but the virtual memory I've used for the object is at 0x4321000, there's no nice way to get the memory from the malloc to be available at the new location (unless I missed an API).

  However you can do it with file descriptors. You can mmap a PROT_NONE area for the sparse object, then allocate the backing memory into file descriptors, then mmap areas from those file descriptors into the correct places.

  But there are limits on file descriptors, you get 1024 soft, or 4096 hard limits by default, which is woefully low for this. Also *all* device memory allocations would need to be fd backed, not just ones going to be used in sparse allocations.

  Vulkan has a limit maxMemoryAllocationCount that could be used for this, but setting it to the fd limit is a problem because some fd's are being used by the application and just in general by normal operations, so reporting 4096 for it, is probably going to explode if you only have 3900 of them left.

  Also the sparse CTS tests don't respect the maxMemoryAllocationCount anyways :-)

  I shall think on this a bit more, please let me know if anyone has any good ideas!
  

• Fabio Alessandro Locati Manage Podman containers with Systemd and Quadlet

  Until a few months ago, the only option to start containers from Systemd was to create a Systemd unit which called podman (or docker) with the run sub-command. Podman was also providing podman generate systemd to easily create such Systemd file. This has now changed. From version 4.4 of Podman, in addition to the mentioned method, it is possible to use Quadlet to simplify the execution of containers from Systemd.

May 16, 2023

• Charles-Antoine Couret Fedora Linux 36 tire sa révérence

  C'est en ce mardi 16 mai 2023 que la maintenance de Fedora Linux 36 prend fin.

  Qu'est-ce que c'est ?

  Un mois après la sortie d'une version de Fedora n, ici Fedora Linux 38, la version n-2 (donc Fedora Linux 36) n'est plus maintenue.

  Ce mois sert à donner du temps aux utilisateurs pour faire la mise à niveau. Ce qui fait qu'en moyenne une version est officiellement maintenue pendant 13 mois.

  En effet, la fin de vie d'une version signifie qu'elle n'aura plus de mises à jour et plus aucun bogue ne sera corrigé. Pour des questions de sécurité, avec des failles non corrigées, il est vivement conseillé aux utilisateurs de Fedora Linux 36 et antérieurs d'effectuer la mise à niveau vers Fedora Linux 38 ou 37.

  Que faire ?

  Si vous êtes concernés, il est nécessaire de faire la mise à niveau de vos systèmes. Vous pouvez télécharger des images CD ou USB plus récentes.

  Il est également possible de faire la mise à niveau sans réinstaller via DNF ou GNOME Logiciels.

  GNOME Logiciels a également dû vous prévenir par une pop-up de la disponibilité de Fedora Linux 37 ou 38. N'hésitez pas à lancer la mise à niveau par ce biais.

• Mark J. Wielaard Sourceware joins Software Freedom Conservancy

  

  

  After various discussions and lots of positive feedback Software Freedom Conservancy and Sourceware proudly announce that Sourceware today joins SFC as a member project!

  For almost 25 years Sourceware has been the long-time home of various core toolchain project communities. Projects like Cygwin, a UNIX API for Win32 systems, the GNU Toolchain, including GCC, the GNU Compiler Colection, two C libraries, glibc and newlib, binary tools, binutils and elfutils, debuggers and profilers, GDB, systemtap and valgrind. Sourceware also hosts standard groups like gnu-gabi and the DWARF Debugging Standard. See the full list project hosted and services provided on the Sourceware projects page.

  As the fiscal host of Sourceware, Software Freedom Conservancy will provide a home for fundraising, legal protection and governance that will benefit all projects under Sourceware’s care.  We share one mission: developing, distributing and advocating for Software Freedom.  Together we will offer a worry-free, friendly home for core toolchain and developer tool projects.

• Peter Czanik Syslog-ng Python packaging

  In version 4 of syslog-ng, the role of Python became even more important. Previously, all parts of syslog-ng could be extended using Python code, but no actual Python code was provided with syslog-ng. Version 4.0 added a Kubernetes module implemented in Python, while version 4.2 added support for Hypr. But how can we ensure that all Python dependencies are met?

  Current situation

  Of course, Python modules add their own long list of dependencies. There are three ways how these dependencies can be installed:

  • On the system using the package management of the OS. This is the preferred way of many organizations, but unfortunately not all dependencies are available for all operating systems as ready-to-install packages.

  • On the system using Python tools. This is not recommended, unless you really know what you are doing, as mixing OS-maintained packages with manually installed components can easily lead to chaos.

  • Using a syslog-ng provided script (syslog-ng-update-virtualenv) to create a syslog-ng specific venv (virtual environment).

  From a packaging point of view, right now there are three different approaches, all with their own advantages and disadvantages.

  • Packages made by the syslog-ng developers run the syslog-ng-update-virtualenv script automatically during package installation for the syslog-ng-mod-python package. The main advantages of this approach are that there are no manual steps, the installation ensures that all dependencies are available immediately and the versions are tested by syslog-ng developers. However, some sites do not have any Internet access, or the connection they have is very slow. Also, downloading non-OS packages is often not welcome or prohibited completely in the environment.

  • This is why I use OS-provided Python dependencies in my RPM packages, where all necessary dependencies are available. This means no extra downloads, only OS-provided packages. This includes all my official and unofficial openSUSE and SLES packages, along with Fedora and unofficial RHEL 9 packages.

  • Where the OS packages for dependencies are unavailable, my packages do not run syslog-ng-update-virtualenv automatically. This is more compliant to stricter regulations, but also means that syslog-ng does not start, unless someone runs the script manually. Upgrading to a new syslog-ng version can also lead to syslog-ng not starting up. This includes FreeBSD ports and unofficial RHEL 7 and 8 packages.

  My packaging plans

  Right now, if you install syslog-ng Python support (which means installing the syslog-ng-python RPM package, or compiling FreeBSD ports with Python support) then Python-based syslog-ng modules are also installed. While the actual Python code in syslog-ng is small, they pull in well over 50 MB of dependencies, many times the size of a syslog-ng installation. Most syslog-ng users do not run Kubernetes, especially FreeBSD users and people running older Linux distro versions. For them, the extra installation time and disk space could be especially painful. Also, those who forget to run the script may get some really ugly error messages:

  root@fb132:/var/db # syslog-ng -s
  [2023-05-12T15:24:20.294277] python: private virtualenv is not initialized, use the `syslog-ng-update-virtualenv' script to initialize it or make sure all required Python dependencies are available in the system Python installation; path='/var/db/python-venv'
  [2023-05-12T15:24:20.342641] Error evaluating global Python block; exception='ModuleNotFoundError: No module named \'requests\''
  Traceback (most recent call last):
    File "/usr/local/etc/syslog-ng.conf{python-global-code:25}", line 3, in <module>
      import syslogng.modules.hypr
    File "/usr/local/lib/syslog-ng/python/syslogng/modules/hypr/__init__.py", line 48, in <module>
      import requests
  ModuleNotFoundError: No module named 'requests'
  Error parsing python, Error processing global python block in /usr/local/lib/syslog-ng/python/syslogng/modules/hypr/scl/hypr.conf:25:1-25:7:
  20      # OpenSSL libraries as published by the OpenSSL project. See the file
  21      # COPYING for details.
  22      #
  23      #############################################################################
  24      
  25----> python {
  25----> ^^^^^^
  26      
  27      import syslogng.modules.hypr
  28      
  29      syslogng.modules.hypr.register_hypr_config_generator()
  30      
  
  Included from /usr/local/share/syslog-ng/include/scl/python/python-modules.conf:25:1-25:1:
  
  Included from /usr/local/etc/scl.conf:31:1-31:1:
  26      #
  27      
  28      @module appmodel
  29      
  30      @include 'scl/*/*.conf'
  31---->
  31----> ^
  32      @define java-module-dir "`module-install-dir`/java-modules"
  
  Included from /usr/local/etc/syslog-ng.conf:3:1-3:1:
  1       @version:4.2
  2       @include "scl.conf"
  3----->
  3-----> ^
  4       #
  5       # This sample configuration file is essentially equilivent to the stock
  6       # FreeBSD /etc/syslog.conf file.
  7       #
  8       

  Because of these, I plan to split the syslog-ng Python module from the actual Python-based drivers in my packages. Or, in case of FreeBSD, make the installation of Python-based drivers a separate option.

  This has two advantages:

  • A considerably smaller disk space requirement.

  • A much smaller chance to see error messages like the one above.

  Those who need Kubernetes or Hypr support can easily install the separate package, which will also automatically install OS-provided Python dependencies where available.

  Feedback

  I do syslog-ng packaging based on my own experiences and the feedback reaching me. As such, I opened a discussion on GitHub: https://github.com/syslog-ng/syslog-ng/discussions/4481  You can share your own ideas about how to package syslog-ng Python support for openSUSE / SLES, Fedora / RHEL and FreeBSD.

  -

  If you have questions or comments related to syslog-ng, do not hesitate to contact us. You can reach us by email or even chat with us. For a list of possibilities, check our GitHub page under the “Community” section at https://github.com/syslog-ng/syslog-ng. On Twitter, I am available as @PCzanik, on Mastodon as @Pczanik@fosstodon.org.

• Cockpit Project Cockpit 292

  Cockpit is the modern Linux admin interface. We release regularly.

  Here are the release notes from Cockpit 292 and cockpit-machines 290:

  Metrics: Add disk I/O per service

  The “Disks” usage metrics card now shows the active read and write bandwidth for the top 5 consumers by systemd unit. This is similar to the already existing per-service CPU and RAM usage.

  

  Machines: Add watchdogs which require reboot

  In some cases, adding a watchdog to a running VM fails. When that happens, the changes can only be applied through rebooting the VM. The “Add watchdog” dialog now supports this case.

  

  Several right-to-left language fixes

  In Cockpit 282, the first round of RTL support arrived. This release of Cockpit further dramatically improves RTL support.

  A big thanks to Ahmed Abdelatty for kickstarting this most recent round of improvements!

  Try it out

  Cockpit 292, cockpit-machines 290, cockpit-podman 69, and cockpit-ostree 193 are available now:

  • For your Linux system

  • Cockpit Client

  • Cockpit Source Tarball
  • Cockpit Fedora 38
  • Cockpit Fedora 37
  • cockpit-machines Source Tarball
  • cockpit-machines Fedora 38
  • cockpit-machines Fedora 37
  • cockpit-podman Source Tarball
  • cockpit-podman Fedora 38
  • cockpit-podman Fedora 37
  • cockpit-ostree Source Tarball
  • cockpit-ostree Fedora 38
  • cockpit-ostree Fedora 37

May 15, 2023

• Josh Bressers Episode 375 – The market forces of left-pad, Episode 77 remaster part 2

  Josh and Kurt finish up the leftpad discussion. We spent a lot of time talking about how the market will respond to these sort of events, and the market did indeed speak; very little has changed. There is an aspect of all these security events where we need to understand the cost vs benefit just isn’t there. it may never be there. Rather than whine and complain, we need to work with our constraints.

  Show Notes

  • Episode 77 – npm and the supply chain

May 13, 2023

• Remi Collet PHP version 8.1.19 and 8.2.6

  RPMs of PHP version 8.2.6 are available in remi-modular repository for Fedora ≥ 36 and Enterprise Linux ≥ 8 (RHEL, Alma, CentOS, Rocky...) and in remi-php82 repository for EL 7.

  RPMs of PHP version 8.1.19 are available in remi-modular repository for Fedora ≥ 36 and Enterprise Linux ≥ 8 (RHEL, Alma, CentOS, Rocky...) and in remi-php81 repository for EL 7.

  The modules for EL-9 are available for x86_64 and aarch64.

  No security fix this month, so no update for version 8.0.28.

  PHP version 7.4 have reached its end of life and is no longer maintained by the PHP project.

  These versions are also available as Software Collections in the remi-safe repository.

  Version announcements:

  • PHP 8.2.6 Release Annoucement
  • PHP 8.1.19 Release Annoucement

  Installation: use the Configuration Wizard and choose your version and installation mode.

  Replacement of default PHP by version 8.2 installation (simplest):

  dnf module reset php
  dnf module enable php:remi-8.2
  dnf update php\*

  or, the old EL-7 way:

  yum-config-manager --enable remi-php82
  yum update

  Parallel installation of version 8.2 as Software Collection

  yum install php82

  Replacement of default PHP by version 8.1 installation (simplest):

  dnf module reset php
  dnf module enable php:remi-8.1
  dnf update php\*

  or, the old EL-7 way:

  yum-config-manager --enable remi-php81
  yum update php\*

  Parallel installation of version 8.1 as Software Collection

  yum install php81

  And soon in the official updates:

  • Fedora Rawhide now have PHP version 8.2.6
  • Fedora 38 - PHP 8.2.6
  • Fedora 37 - PHP 8.1.19

  To be noticed :

  • EL-9 RPMs are build using RHEL-9.1
  • EL-8 RPMs are build using RHEL-8.7
  • EL-7 RPMs are build using RHEL-7.9
  • intl extension now uses libicu72 (version 72.1)
  • mbstring extension (EL builds) now uses oniguruma5php (version 6.9.8, instead of the outdated system library)
  • oci8 extension now uses Oracle Client version 21.10
  • a lot of extensions are also available, see the PHP extensions RPM status (from PECL and other sources) page

  Information:

  • Migrating from PHP 7.4.x to PHP 8.0.x
  • Migrating from PHP 8.0.x to PHP 8.1.x
  • Migrating from PHP 8.1.x to PHP 8.2.x

  Base packages (php)

  

  

  Software Collections (php80 / php81 / php82)

  

  

• Zach Oglesby

  Finished reading: The Lost Metal: A Mistborn Novel by Brandon Sanderson 📚

  Great ending to this part of the story, looking forward to what comes next.

May 12, 2023

• ! Avi Alkalay ¡ Framework ↔︎ Arcabouço

  Colegas programadores, arquitetos e companheiros da TI, podemos retornar à Língua Mãe porque uma palavra que usamos muito no nosso dia a dia — FRAMEWORK — já tem popularizada a sua tradução para Português:

  ARCABOUÇO

  Obrigado, Ministério da Fazenda

• ! Avi Alkalay ¡ MariaDB backups in one line

  First allow the Unix user that will make backups (root, in my case) to access MariaDB without a password (works only if accessing from same host that the server is running):

  GRANT ALL PRIVILEGES ON *.* TO `root`@`localhost` IDENTIFIED VIA unix_socket WITH GRANT OPTION;

  Now the backup script, shown here in multiple lines for education purposes:

  TARGET=/some/folder/Backup/databases/`hostname`/`date --rfc-3339=date`;
  mkdir -p "$TARGET";
  chmod -R go-rwx "$TARGET";
  mariadb --batch --skip-column-names -e 'show databases;' | grep -E -v 'information_schema|performance_schema|mysql' | while read db; do mariadb-dump --comments --dump-date --extended-insert --routines --system=user "$db" | gzip -c --best > "$TARGET/$db.sql.gz"; done

  Explained line by line:

  • Define a TARGET folder name which includes hostname and current date as YYYY-MM-DD. It is tempting to use other date formats via the command’s advanced options as date +%Y-%m-%d, but be aware that “%” has a special meaning to cron and will be interpreted as a new line (\n), so you can’t use it. That is why we use a more semantic date --rfc-3339=date.
  • Create the TARGET folder
  • Change permissions on TARGET folder so same group and other users won’t be able to read and access it
  • Now the backup:
    • List all databases
    • Ignore databases named information_schema, performance_schema and mysql
    • For each databse found, use mariadb-dump to export it to its SQL text
    • Compress and save as file name {TARGET}/{DB_NAME}.sql.gz

  Put it in root user’s cron as a one line script using command crontab -e:

  @daily TARGET=/some/fo...; mkdir -p...; chmod -R go...; ...

  The above one-liner is identical to the shown in the beginning, but with no line breaks.

  After a few days of execution, this is how database dump files will look like in my file system:

  /some/folder/Backup/databases/
      db1.alkalay.net/
          2023-05-11/
              drupal.sql.gz
              nextcloud.sql.gz
              powerdns.sql.gz
              wordpress_multisite.sql.gz
          2023-05-12/
              drupal.sql.gz
              nextcloud.sql.gz
              powerdns.sql.gz
              wordpress_multisite.sql.gz

  Of course, before everything, I need MariaDB commands installed in the system I run the MariaDB server. You probably already have them installed, but just in case, in my Fedora system these are the packages:

  dnf install cronie mariadb-backup mariadb

  I used to use Holland Backup Manager to automate MariaDB backups, but I had to come up with this script because Holland package was orphaned and removed from Fedora.

  

• Ben Cotton #inaction bcotton

  On 25 June 2018, I published a post called “It’s hattening”. After years of rejected applications, I was finally starting a job at Red Hat. On 24 April 2023, Red Hat announced a 4% reduction in global staff. As a member of that 4%, today is my last day at Red Hat.

  What does this mean for Ben?

  This is the first time I’ve been laid off from a job. I hope it will be the last, but who can say? I’d be lying if I said I haven’t felt a big range of emotions in the past three weeks: confusion, anger, sadness, amusement.

  But I’ve also felt loved. I’ve received so much support from people since the news started spreading. It’s like that end scene of “It’s a Wonderful Life” and I’m George Bailey. I’m proud of the contributions I’ve made to the Fedora community over the last five years, and it feels good to have others recognize that.

  While I won’t be contributing as the Fedora Program Manager anymore, I was a Fedora contributor long before I joined Red Hat, and I’m not letting them take that away from me. I’ll still be around Fedora in ways that spark joy, although perhaps not much at first as I let my wounds heal.

  I’ve had the great fortune to build an incredible professional and personal network over the years. I’m already pursuing a few opportunities and if those don’t pan out, I’ll be asking for your help finding more. In the meantime, I have (at least) a few weeks to relax for a bit. There’s a ton of work to do around the house, many trails to hike, Program Management for Open Source Projects to promote, and an embarrassingly-large backlog for Duck Alignment Academy articles.

  What does this mean for Fedora?

  I’ve told folks that if Fedora falls off the rails, then I have failed. I’m working with Matthew, Justin, and others to ensure coverage of the core job duties one way or another. I’ve worked hard over the years to automate tasks that can be automated. The documentation is far more comprehensive than what I inherited.

  No doubt there are gaps in what I’ve left for my successors. However, my goal is that in a few months, nobody will notice that I’m gone. That’s my measure of success. The only reason I’ve been successful in my role is because of the work done by my predecessors: John, Robyn, Jaroslav, and Jan.

  As to what the broader implication behind the loss of my position might be, I don’t know. There’s no indication that my role was targeted specifically. There are definitely people in Red Hat who continue to view Fedora as strategically important. I wish I had a clearer understanding of how they chose people/roles to cut, but I’ll probably never know the process. What I do know is that I fully intend to still be participating in the Fedora community when my account hits the 20-year mark in May 2029.

  The post #inaction bcotton appeared first on Blog Fiasco.

May 11, 2023

• Peter Czanik The syslog-ng insider 2023-05: learning; UDP; upgrading;

  Dear syslog-ng users,

  
  

  This is the 110th issue of syslog-ng Insider, a monthly newsletter that brings you syslog-ng-related news.

  
  

  NEWS

  Learning syslog-ng, the easier way

  Last year, one of the returning questions I received was how to learn syslog-ng. My answer was that read the first few chapters of the documentation, read my blogs related to your use case, and then read a few relevant parts from the rest of the documentation. Our documentation is praised by users, but it is still a reference documentation. I was asked if a less detailed, more to the point, preferably video tutorial is available.

  Your request was heard. In the past couple of months, I published a tutorial series in blog and video format, which brings you from basic logging concepts to using syslog-ng to collect, parse, enrich log messages and store them to Elasticsearch. Of course, these 5-10 minute videos are not enough to learn anything in depth, but they introduce you to all major syslog-ng functionalities.

  https://www.syslog-ng.com/community/b/blog/posts/learning-syslog-ng-the-easier-way

  Why syslog over UDP loses messages and how to avoid that

  Message loss related resiliency with regards to syslog over UDP has always been a problem. Users who start looking at these metrics generally report a 30-40% loss of messages for syslog over UDP, but drops of up to 90% are not unheard of. Let me get to the bottom of the reasons why messages are dropped and how these problems can be solved, or at least mitigated.

  https://axoflow.com/syslog-over-udp-message-loss-1/

  Upgrade problems from syslog-ng 3 to 4

  Version 4 of syslog-ng works perfectly well in version 3 compatibility mode. However, if you want to use the syslog-ng 4 features, you need to be aware of some significant changes. If you have a simple configuration, like those in Linux distributions, then simply rewriting the version string is most likely enough. However, if you use PatternDB or JSON parsing, any Python code, or an Elasticsearch, or MongoDB destination, you have to be aware of the changes.

  From this blog you can learn about type support, how this can affect you, changes in Python support, and some tips how to prepare for the upgrade.

  https://www.syslog-ng.com/community/b/blog/posts/upgrade-problems-from-syslog-ng-3-to-4

  WEBINARS

  • You can browse recordings of past webinars at https://www.syslog-ng.com/events/

  
  

  Your feedback and news, or tips about the next issue are welcome. To read this newsletter online, visit: https://syslog-ng.com/blog/

May 10, 2023

• Michael Catanzaro GNOME Core Apps Update

  It’s been a while since my big core app reorganization for GNOME 3.22. Here is a history of core app changes since then:

  • GNOME 3.26 (September 2017) added Music, To Do (which has since been renamed to Endeavor), and Document Scanner (simple-scan). (I blogged about this at the time, then became lazy and stopped blogging about core app updates, until now.)
  • To Do was removed in GNOME 3.28 (March 2018) due to lack of consensus over whether it should really be a core app.  As a result of this, we improved communication between GNOME release team and design team to ensure both teams agree on future core app changes. Mea culpa.
  • Documents was removed in GNOME 3.32 (March 2019).
  • A new Developer Tools subcategory of core was created in GNOME 3.38 (September 2020), adding Builder, dconf Editor, Devhelp, and Sysprof. These apps are only interesting for software developers and are not intended to be installed by default in general-purpose operating systems like the rest of GNOME core.
  • GNOME 41 (September 2021) featured the first larger set of changes to GNOME core since GNOME 3.22. This release removed Archive Manager (file-roller), since Files (nautilus) is now able to handle archives, and also removed gedit (formerly Text Editor). It added Connections and a replacement Text Editor app (gnome-text-editor). It also added a new Mobile subcategory of core, for apps intended for mobile-focused operating systems, featuring the dialer app Calls. (To date, the Mobile subcategory has not been very successful: so far Calls is the only app included there.)
  • GNOME 42 (March 2022) featured a second larger set of changes. Screenshot was removed because GNOME Shell gained a built-in screenshot tool. Terminal was removed in favor of Console (kgx). We also moved Boxes to the Developer Tools subcategory, to recommend that it no longer be installed by default in general purpose operating systems.
  • GNOME 43 (September 2022) added D-Spy to Developer Tools.

  OK, now we’re caught up on historical changes. So, what to expect next?

  New Process for Core Apps Changes

  Although most of the core app changes have gone smoothly, we ran into some trouble replacing Terminal with Console. Console provides a fresher and simpler user interface on top of vte, the same terminal backend used by Terminal, so Console and Terminal share much of the same underlying functionality. This means work of the Terminal maintainers is actually key to the success of Console. Using a new terminal app rather than evolving Terminal allowed for bigger changes to the default user experience without upsetting users who prefer the experience provided by Terminal. I think Console is generally nicer than Terminal, but it is missing a few features that Fedora Workstation developers thought were important to have before replacing Terminal with Console. Long story short: this core app change was effectively rejected by one of our most important downstreams. Since then, Console has not seen very much development, and accordingly it is unlikely to be accepted into Fedora Workstation anytime soon. We messed up by adding the app to core before downstreams were comfortable with it, and at this point it has become unclear whether Console should remain in core or whether we should give up and bring back Terminal. Console remains for now, but I’m not sure where we go from here. Help welcome.

  To prevent this situation from happening again, Sophie developed a detailed and organized process for adding or removing core apps, including a new Incubator category designed to provide notice to downstreams that we are considering adding new apps to GNOME core. The new Incubator is much more structured than my previous short-lived Incubator attempt in GNOME 3.22. When apps are added to Incubator, I’ve been proactively asking other Fedora Workstation developers to provide feedback to make sure the app is considered ready there, to avoid a repeat of the situation with Console. Other downstreams are also welcome to watch the  Incubator/Submission project and provide feedback on newly-submitted apps, which should allow plenty of heads-up so downstreams can let us know sooner rather than later if there are problems with Incubator apps. Hopefully this should ensure apps are actually adopted by downstreams when they enter GNOME core.

  Imminent Core App Changes

  Currently there are two apps in Incubator. Loupe is a new image viewer app developed by Chris and Sophie to replace Image Viewer (eog). Snapshot is a new camera app developed by Maximiliano and Jamie to replace Cheese. These apps are maturing rapidly and have received primarily positive feedback thus far, so they are likely to graduate from Incubator and enter GNOME core sooner rather than later. The time to provide feedback is now. Don’t be surprised if Loupe is included in core for GNOME 45.

  In addition to Image Viewer and Cheese, we are also considering removing Photos. Photos is one of our “content apps” designed to allow browsing an entire collection of files independently of their filesystem locations. Historically, the other two content apps were Documents and Music. The content app strategy did not work very well for Documents, since a document browser doesn’t really offer many advantages over a file browser, but Photos and Music are both pretty decent at displaying your collection of pictures or songs, assuming you have such a collection. We have been discussing what to do with Photos and the other content apps for a very long time, at least since 2015. It took a very long time to reach some rough consensus, but we have finally agreed that the design of Photos still makes sense for GNOME: having a local app for viewing both local and cloud photos is still useful. However, Photos is no longer actively maintained. Several basic functionality bugs imperiled timely release of Fedora 37 last fall, and the app is less useful than previously because it no longer integrates with cloud services like Google Photos. (The Google integration depends on libgdata, which was removed from GNOME 44 because it did not survive the transition to libsoup 3.) Photos has failed the new core app review process due to lack of active maintenance, and will be soon be removed from GNOME core unless a new maintainer steps up to take care of it. Volunteers welcome.

  Future Core App Changes

  Lastly, I want to talk about some changes that are not yet planned, but might occur in the future. Think of this entire section as brainstorming rather than any concrete plans.

  Like Photos, we have also been discussing the status of Music. The popularity of DRM-encumbered cloud music services has increased, and local music storage does not seem to be as common as it used to be. If you do have local music, Music is pretty decent at handling it, but there are prominent bugs and missing features (like the ability to select which folders to index) detracting from the user experience. We do not have consensus on whether having a core app to play local music files still makes sense, since most users probably do not have a local music collection anymore. But perhaps all that is a moot point, because Videos (totem) 3.38 removed support for opening audio files, leaving us with no core apps capable of playing audio for the past 2.5 years. Previously, our default music player was Videos, which was really weird, and now we have none; Music can only play audio files that you’ve navigated to using Music itself, so it’s impossible for Music to be our default music player. My suggestion to rename Videos to Media Player and handle audio files again has not been well-received, so the most likely solution to this conundrum is to teach Music how to open audio files, likely securing its future in core. A merge request exists, but it does not look close to landing. Fedora Workstation is still shipping Rhythmbox rather than Music specifically due to this problem. My opinion is this needs to be resolved for Music to remain in core.

  It would be nice to have an email client in GNOME core, since everybody uses email and local clients are much nicer than webmail. The only plausible candidate here is Geary. (If you like Evolution, consider that you might not like the major UI changes and many, many feature removals that would be necessary for Evolution to enter GNOME core.) Geary has only one active maintainer, and adding a big application that depends on just one person seems too risky. If more developers were interested in maintaining Geary, it would feel like a safer addition to GNOME core.

  Contacts feels a little out of place currently. It’s mostly useful for storing email addresses, but you cannot actually do anything with them because we have no email application in core. Like Photos, Contacts has had several recent basic functionality bugs that imperiled timely Fedora releases, but these seem to have been largely resolved, so it’s not causing urgent problems. Still, for Contacts to remain in the long term, we’re probably going to need another maintainer here too. And perhaps it only makes sense to keep if we add Geary.

  Finally, should Maps move to the Mobile category? It seems clearly useful to have a maps app installed by default on a phone, but I wonder how many desktop users really prefer to use Maps rather than a maps website.

  GNOME 44 Core Apps

  I’ll end this blog post with an updated list of core apps as of GNOME 44. Here they are:

  • Main category (26 apps):
    • Calculator
    • Calendar
    • Characters
    • Cheese
    • Clocks
    • Connections
    • Console (kgx)
    • Contacts
    • Disks (gnome-disk-utility)
    • Disk Usage Analyzer (baobab)
    • Document Scanner (simple-scan)
    • Document Viewer (evince)
    • Files (nautilus)
    • Fonts (gnome-font-viewer)
    • Help (yelp)
    • Image Viewer (eog)
    • Logs
    • Maps
    • Music
    • Photos
    • Software
    • System Monitor
    • Text Editor
    • Videos (totem)
    • Weather
    • Web (epiphany)
  • Developer Tools (6 apps):
    • Boxes
    • Builder
    • dconf Editor
    • Devhelp
    • D-Spy
    • sysprof
  • Mobile (1 app):
    • Calls

May 09, 2023

• Steven Pritchard Harvester HCI

  I have been using libvirt on CentOS + ZFS for my home lab for somewhere around a decade now.  For the last several years, I have been trying off and on to switch to some kind of hyperconverged infrastructure, usually oVirt + a clustered storage solution (Ceph, Gluster).  For various reasons, I've never quite managed to get all the pieces to work together correctly.

  So, imagine how happy I was to hear about Harvester a while back.

  Harvester is a modern Hyperconverged infrastructure (HCI) solution built for bare metal servers using enterprise-grade open source technologies including Kubernetes, Kubevirt and Longhorn.

  I love everything about this!  It's a more modern take on hyperconverged infrastructure than what I was trying to assemble.  Plus, all my problems magically disappear when all the pieces work together out of the box, right?

  Well...  Not quite.  I installed version 0.3.0.  It made for a cool demo, but, thanks to stability problems and a whole lot of missing features, it wasn't quite ready for anything resembling production use.  (Granted, this is my home lab, but I still run virtualized firewalls and stuff like that on it, so I need it to work, and work reliably.)

  I'll note here that I wrote all of the above over a year ago.  I then closed with a list of reasons why Harvester wasn't good enough for me to actually use it at the time.  It (unintentionally!) sounded negative enough that I decided not to publish the post.

  So here we are a year or so later, and after a few more failed attempts I recently tried Harvester again, this time with version 1.1.1.  Everything I need to work seems to, and I'm ready to start migrating some real workloads!

  That's not to say that everything is perfect.  There are a few useful features on the roadmap that I could benefit from (like anti-affinity rules, zero-downtime upgrades, ...), and I still have some challenges.  Some examples:

  • Automating node installation is ... let's say difficult?
  • Networking is almost as functional as I want it, but I still haven't been able to figure out how to move storage replication to a network with jumbo frames.
  • I want real certs.  I see how to manually manage the certs, but it's not immediately obvious how I could manage them automatically (for Let's Encrypt).

  Thankfully none of those things are keeping me from using Harvester.  They're just things to look forward to in future upgrades. 😀

• Ismael Olea Wikipaseo fotográfico por Granada

  Aprovechando la reciente visita a Granada aproveché para dar un repasillo al centro de la ciudad con Wikishootme para poner en verde algunos elementos. Me quedan por subir a Wikimedia Commons muchas fotos todavía, sobre todo de la galería de esculturas instaladas en la Avenida de la Constitución.

  Para muestra, un botón:

  

• Richard Hughes MSI and Insecure KMs

  As some as you may know, MSI suffered a data breach which leaked a huge amount of source code, documentation and low-level firmware PRIVATE KEYS. This is super bad as it now allows anyone to sign a random firmware image and install it as an official MSI firmware. It’s even more super bad than that, as the certificates leaked seem to be the KeyManifest keys, which actually control the layer below SecureBoot, this little-documented and even less well understood thing called BootGuard. I’ll not overplay the impact here, but there is basically no firmware security on most modern MSI hardware now. We already detect the leaked test keys from Lenovo and notify the user via the HSI test failure and I think we should do the same thing for MSI devices too. I’ve not downloaded the leak for obvious reasons, and I don’t think the KM hashes would be easy to find either.

  So what can you do to help? Do you have an MSI laptop or motherboard affected by the leak? The full list is here (source: Binarly) and if you have one of those machines I’d ask if you could follow the instructions below, run MEInfo and attach it to the discussion please.

  As for how to get MEInfo, Intel doesn’t want to make it easy for us. The Intel CSME System Tools are all different binaries, and are seemingly all compiled one-by-one for each specific MEI generation — and available only from a semi-legitimate place unless you’re an OEM or ODM. Once you have the archive of tools you either have to work out what CSME revision you have (e.g. Ice Point is 13.0) or do what I do and extract all the versions and just keep running them until one works. e.g. choosing the wrong one will get you:

  sudo ./CSME\ System\ Tools\ v13.50\ r3/MEInfo/LINUX64/MEInfo 
  Intel (R) MEInfo Version: 13.50.15.1475
  Copyright (C) 2005 - 2021, Intel Corporation. All rights reserved.
  Error 621: Unsupported hardware platform. HW: Cometlake Platform. Supported HW: Jasplerlake Platform.
  

  And choosing the right one will get you:

  Intel (R) MEInfo Version: 14.1.60.1790
  Copyright (C) 2005 - 2021, Intel Corporation. All rights reserved.
  
  General FW Information
  …
  OEM Public Key Hash FPF                          2B4D5D79BD7EE3C192412A4501D88FB2066C853FF7B1060765395D671B15D30C
  

  Now, how to access these hashes is what Intel keeps a secret, for no reason at all. I literally need to know what integer index to use when querying the HECI device. I’ve asked Intel, but I’ve been waiting since October 2022. For instance:

  sudo strace -xx -s 4096  -e openat,read,write,close ./CSME\ System\ Tools\ v14.0.20+\ r20/MEInfo/LINUX64/MEInfo
  …
  write(3, "\x0a\x0a\x00\x00\x00\x23\x00\x40\x00\x00\x00\x00\x20\x00\x00\x00\x00", 17) = 17
  read(3, "\x0a\x8a\x00\x00\x20\x00\x00\x00\x2b\x4d\x5d\x79\xbd\x7e\xe3\xc1\x92\x41\x2a\x45\x01\xd8\x8f\xb2\x06\x6c\x85\x3f\xf7\xb1\x06\x07\x65\x39\x5d\x67\x1b\x15\xd3\x0c", 4096) = 40
  …
  

  That contains all the information I need – the Comet Lake READ_FILE_EX ID is 0x40002300 and there’s a SHA256 hash that matches what the OEM Public Key Hash FPF console output said above. There are actually three accesses to get the same hash in three different places, so until I know why I’d like the entire output from MEInfo.

  The information I need uploading to the bug is then just these two files:

  sudo ./THE_CORRECT_PATH/MEInfo/LINUX64/MEInfo &> YOUR_GITHUB_USERNAME-meinfo.txt
  sudo strace -xx -s 4096  -e openat,read,write,close ./THE_CORRECT_PATH/MEInfo/LINUX64/MEInfo &> YOUR_GITHUB_USERNAME-meinfo-strace.txt
  

  If I need more info I’ll ask on the ticket. Thanks!

• Justin W. Flory “I am the wilderness”: On trust & community

  The post “I am the wilderness”: On trust & community appeared first on /home/jwf/.

  /home/jwf/ - Free & Open Source, technology, travel, and life reflections

  

  Trust is a word and a concept that is on my mind lately. Trust is an idea that permeates all levels of our waking consciousness, and impacts how we build connections and relationships with other human beings. It is something impossible to ignore, yet it is ironically hard to define and pin down. Beyond what is written in a dictionary, what is trust? What does trust look like? What does trust feel like? Anyone who works in “community work” knows that trust is often the fundamental tie between community leadership and community members. A leader wants to be trusted by the people whom they represent, and a person wants to trust their leaders to represent them fairly and accurately.

  Read more: “I am the wilderness”: On trust & community

  While I was pondering this reflection, my employer announced layoffs a couple weeks ago. While there is a lot that could be said about that, what I will say is that a certain root was pulled; the foundation of trust built between leadership and employee was shaken. Only further action and time will show the full impact on the company and my remaining colleagues. Nonetheless, a very recent negative experience with regard to trust also expanded my perspective of how trust is defined and what its role is in a community.

  Brené Brown on trust

  Later, I came across a sound bite of an interview with Brené Brown about trust (and more). Toward the end of the interview, she talks about her book, Braving the Wilderness (which I haven’t read, but seems interesting). She explained what the wilderness is and a tool that we can keep with us (“BRAVING”) to stay grounded in ourselves and also what trust means.

  She also had a powerful definition of belonging, which put forward the idea that belonging is internal to ourselves and even is a spiritual practice; belonging is not defined externally or given to and taken from us by others.

  Below is my summary of “BRAVING” and the wilderness, together with notes and thoughts about how community leaders can act honestly and authentically, both when times are good and when times are hard.

  ---

  Trust: Remember “BRAVING”

  There are seven elements to building, developing, and measuring trust. Each of these seven elements are a resource for being honest, authentic, and genuine in both easy and hard times. You can remember these seven elements as an acronym: “BRAVING”.

  B: Boundaries

  You set boundaries. When you don’t know what they are, you ask. You are clear about what is okay and what is not.

  R: Reliability

  You do what you say and you say what you do. The hard thing is that you are not hustling for worthiness, so you are not completely over committing and not delivering.

  A: Accountability

  You don’t back channel and blame. You hold people accountable in a straightforward way.

  V: “Vault”

  You do not use stories that are not yours as social currency. You keep them in “the vault.” Using others’ stories as a bid for connection causes others to trust you less. This is the other side of confidentiality.

  I: Integrity

  You choose courage over comfort and practice your values. You choose what is right over what is fun, fast, and easy. Your accomplishments stand out when you operate from a place of discomfort, or outside of your comfort zone.

  N: Non-judgment

  You can ask for help without feeling judged. I can ask for help without judging myself.

  G: Generosity

  When something happens, you assume positive intent. Give someone a chance, or the benefit of the doubt, before launching into anger.

  Braving the wilderness

  What is the wilderness? It is those times when we stand alone, the times when we go out on a limb, the times we walk away from what we know in our ideological bunkers and beliefs.

  “BRAVING” is a tool to help us manage the wilderness. There will be times when standing alone feels too hard, too scary, and we’ll doubt our ability to make our way through the uncertainty. Someone, somewhere, will say, “Don’t do it. You don’t have what it takes to survive the wilderness.” This is when you reach deep into your wild heart and remind yourself, “I am the wilderness.”

  ---

  Photo by Artem Sapegin on Unsplash. Modified by Justin W. Flory.

• Peter Hutterer libei and a fancy protocol

  libei is the library for Emulated Input - see this post for an introduction. Like many projects, libei was started when it was still unclear if it could be the right solution to the problem. In the years (!) since, we've upgraded the answer to that question from "hopefully" to "yeah, I reckon" - doubly so since we added support for receiver contexts and got InputLeap working through the various portal changes.

  Emulating or capturing input needs two processes to communicate for obvious reasons so the communication protocol is a core part of it. But initially, libei was a quickly written prototype and the protocol was hacked up on an as-needed let's-get-this-working basis. The rest of the C API got stable enough but the protocol was the missing bit. Long-term the protocol must be stable - without a stable protocol updating your compositor may break all flatpaks still shipping an older libei. Or updating a flatpak may not work with an older compositor. So in the last weeks/months, a lot of work as gone into making the protocol stable. This consisted of two parts: drop protobuf and make the variuos features interface-dependent, unashamedly quite like the Wayland protocol which is also split into a number of interfaces that can be independently versioned. Initially, I attempted to make the protocol binary compatible with Wayland but dropped that goal eventually - the benefits were minimal and the effort and limitations (due to different requirements) were quite significant.

  The protocol is defined in a single XML file and can be used directly from language bindings (if any). The protocol documentation is quite extensive but it's relatively trivial in principal: the first 8 bytes of each message are the object ID, then we have 4 bytes for the message length in bytes, then 4 for the object-specific opcode. That opcode is one of the requests or events in the object's interface - which is defined at object creation time. Unlike Wayland, the majority of objects in libei are created in server-side (the EIS implementation decides which seats are available and which devices in those seats). The remainder of the message are the arguments. Note that unlike other protocols the message does not carry a signature - prior knowledge of the message is required to parse the arguments. This is a direct effect of initially making it wayland-compatible and I didn't really find it worth the effort to add this.

  Anyway, long story short: swapping the protocol out didn't initially have any effect on the C library but with the changes came some minor updates to remove some of the warts in the API. Perhaps the biggest change is that the previous capabilities of a device are now split across several interfaces. Your average mouse-like emulated device will have the "pointer", "button" and "scroll" interfaces, or maybe the "pointer_absolute", "button" and "scroll" interface. The touch and keyboard interfaces were left as-is. Future interfaces will likely include gestures and tablet tools, I have done some rough prototyping locally and it will fit in nicely enough with the current protocol.

  At the time of writing, the protocol is not officialy stable but I have no intention of changing it short of some bug we may discover. Expect libei 1.0 very soon.

May 08, 2023

• Ismael Olea Participación en la XVI Jornada Laicista de Europa Laica

  La organización de la XVI Jornada Laicista de Europa Laica ha publicado los vídeos de la jornada en Youtube. Entre ellos está el de mi participación, compartiendo mesa con el admirado Daniel Raventós, titulada «Derecho al conocimiento: Wikipedia y otros proyectos Wikimedia».

  Muchas gracias a la organización y en particular a su coordinador local, Pablo Laguna, a quien deseo mucha suerte en su candidatura a la alcaldía de La Zubia en las próximas elecciones municipales.

  Ha sido estupendo pasar unos días en Granada.

• ! Avi Alkalay ¡ Chatbots de auto-atendimento 🥱

  O dilema dos chatbots que empresas disponibilizam em seus canais de atendimento é que eles são só mais uma UI (user interface). Como é o app. Como é o site da empresa.

  Se o usuário não encontrou a função que precisa no site ou no app, também não vai encontrar no chatbot 100% das vezes que procurar.

  O desafio dos chatbots continua sendo integração dos sistemas por trás, que é o maior desafio de qualquer empresa que quer se informatizar, desde quando o computador entrou no mundo corporativo.

  Então se sua última tentativa para resolver um problema é entrar no chat ou ligar no call center da empresa, pode já ir direto pedindo prá falar com ser humano. Pois estes nunca falham.

  LinkedIn e Facebook.

• Josh Bressers Episode 374 – The event we called left-pad, Episode 77 remaster part 1

  Josh and Kurt revisit Episode 77, which was named “npm and the supply chain” but was a discussion about the incident we all know now as “leftpad”. We didn’t understand what was happening at the time, but this would become an event we talk about for years to come. It’s shocking how many of the things we discuss are still completely valid five years later.

  Show Notes

  • Episode 77 – npm and the supply chain

May 07, 2023

• Kushal Das Fixing missing yubikey trouble on fedora 38

  From the time I updated to Fedora 38, I am having trouble with my Yubikey. If I remove the key, just plugging it back does not help. gpg can not detect it.

  $ gpg --card-status 
  gpg: selecting card failed: No such device
  gpg: OpenPGP card not available: No such device
  

  The only way to get it working is restarting the pcscd service, again & again.

  As Heiko pointed out, this is the trouble between pcscd and scdaemon, the second one comes via gnupg package in Fedora.

  To solve the issue, first I tried the following

  $ echo disable-ccid >> ~/.gnupg/scdaemon.conf
  $ gpgconf --reload gpg-agent
  

  Then I figured that I have opensc package installed, just removing that one and then a reboot solved the trouble for me.

  $ sudo dnf remove opensc -y
  

May 05, 2023

• Felipe Borges GNOME will be mentoring 9 new contributors in Google Summer of Code 2023

  We are happy to announce that GNOME was assigned nine slots for Google Summer of Code projects this year!

  GSoC is a program focused on bringing new contributors into open source software development. A number of long term GNOME developers are former GSoC interns, making the program a very valuable entry point for new members in our project.

  In 2023 we will mentoring the following projects:

  Project Title	Contributor	Assigned Mentor(s)
  Make GNOME platform demos for Workbench	Akshay Warrier	Sonny Piers Andy Holmes
  Rust and GTK 4 Bustle Rewrite	Dave Patrick Caberto	Bilal Elmoussaoui Maximilian
  Create a New “System” panel in GNOME Settings	Gotam Gorabh	Felipe Borges
  Implement backlog search in Polari IRC client	Gurmannat Sohal	Carlos Garnacho Florian Müllner
  Integrate GNOME Network Displays features into GNOME Settings	Pedro Sader Azevedo	Felipe Borges Claudio Wunder Jonas Ådahl Anupam Kumar
  GNOME Crosswords Anagram Support	Pratham Gupta	jrb
  Make GNOME Platform Demos for Workbench	Sriyansh Shivam	Sonny Piers Andy Holmes
  Add Acrostic Puzzles to GNOME Crosswords	Tanmay Patil	jrb
  Flatpak synching between machines	Tim FB	Rasmus Thomsen

  As part of the contributor’s acceptance into GSoC they are expected to actively participate in the Community Bonding period (May 4 – 28). The Community Bonding period is intended to help prepare contributors to start contributing at full speed starting May 29.

  The new contributors will soon get their blogs added to Planet GNOME making it easy for the GNOME community to get to know them and the projects that they will be working on.

  We would like to also thank our mentors for supporting GSoC and helping new contributors enter our project.

  If you have any doubts, feel free to reply to this Discourse topic or message us privately at soc-admins@gnome.org

  ** This is a repost from https://discourse.gnome.org/t/announcement-gnome-will-be-mentoring-9-new-contributors-in-google-summer-of-code-2023/15232

May 04, 2023

• Matthew Garrett Twitter's e2ee DMs are better than nothing

  (Edit 2023-05-10: This has now launched for a subset of Twitter users. The code that existed to notify users that device identities had changed does not appear to have been enabled - as a result, in its current form, Twitter can absolutely MITM conversations and read your messages)
  
  Elon Musk appeared on an interview with Tucker Carlson last month, with one of the topics being the fact that Twitter could be legally compelled to hand over users' direct messages to government agencies since they're held on Twitter's servers and aren't encrypted. Elon talked about how they were in the process of implementing proper encryption for DMs that would prevent this - "You could put a gun to my head and I couldn't tell you. That's how it should be."
  
  tl;dr - in the current implementation, while Twitter could subvert the end-to-end nature of the encryption, it could not do so without users being notified. If any user involved in a conversation were to ignore that notification, all messages in that conversation (including ones sent in the past) could then be decrypted. This isn't ideal, but it still seems like an improvement over having no encryption at all. More technical discussion follows.
  
  For context: all information about Twitter's implementation here has been derived from reverse engineering version 9.86.0 of the Android client and 9.56.1 of the iOS client (the current versions at time of writing), and the feature hasn't yet launched. While it's certainly possible that there could be major changes in the protocol between now launch, Elon has asserted that they plan to launch the feature this week so it's plausible that this reflects what'll ship.
  
  For it to be impossible for Twitter to read DMs, they need to not only be encrypted, they need to be encrypted with a key that's not available to Twitter. This is what's referred to as "end-to-end encryption", or e2ee - it means that the only components in the communication chain that have access to the unencrypted data are the endpoints. Even if the message passes through other systems (and even if it's stored on other systems), those systems do not have access to the keys that would be needed to decrypt the data.
  
  End-to-end encrypted messengers were initially popularised by Signal, but the Signal protocol has since been incorporated into WhatsApp and is probably much more widely used there. Millions of people per day are sending messages to each other that pass through servers controlled by third parties, but those third parties are completely unable to read the contents of those messages. This is the scenario that Elon described, where there's no degree of compulsion that could cause the people relaying messages to and from people to decrypt those messages afterwards.
  
  But for this to be possible, both ends of the communication need to be able to encrypt messages in a way the other end can decrypt. This is usually performed using AES, a well-studied encryption algorithm with no known significant weaknesses. AES is a form of what's referred to as a symmetric encryption, one where encryption and decryption are performed with the same key. This means that both ends need access to that key, which presents us with a bootstrapping problem. Until a shared secret is obtained, there's no way to communicate securely, so how do we generate that shared secret? A common mechanism for this is something called Diffie Hellman key exchange, which makes use of asymmetric encryption. In asymmetric encryption, an encryption key can be split into two components - a public key and a private key. Both devices involved in the communication combine their private key and the other party's public key to generate a secret that can only be decoded with access to the private key. As long as you know the other party's public key, you can now securely generate a shared secret with them. Even a third party with access to all the public keys won't be able to identify this secret. Signal makes use of a variation of Diffie-Hellman called Extended Triple Diffie-Hellman that has some desirable properties, but it's not strictly necessary for the implementation of something that's end-to-end encrypted.
  
  Although it was rumoured that Twitter would make use of the Signal protocol, and in fact there are vestiges of code in the Twitter client that still reference Signal, recent versions of the app have shipped with an entirely different approach that appears to have been written from scratch. It seems simple enough. Each device generates an asymmetric keypair using the NIST P-256 elliptic curve, along with a device identifier. The device identifier and the public half of the key are uploaded to Twitter using a new API endpoint called /1.1/keyregistry/register. When you want to send an encrypted DM to someone, the app calls /1.1/keyregistry/extract_public_keys with the IDs of the users you want to communicate with, and gets back a list of their public keys. It then looks up the conversation ID (a numeric identifier that corresponds to a given DM exchange - for a 1:1 conversation between two people it doesn't appear that this ever changes, so if you DMed an account 5 years ago and then DM them again now from the same account, the conversation ID will be the same) in a local database to retrieve a conversation key. If that key doesn't exist yet, the sender generates a random one. The message is then encrypted with the conversation key using AES in GCM mode, and the conversation key is then put through Diffie-Hellman with each of the recipients' public device keys. The encrypted message is then sent to Twitter along with the list of encrypted conversation keys. When each of the recipients' devices receives the message it checks whether it already has a copy of the conversation key, and if not performs its half of the Diffie-Hellman negotiation to decrypt the encrypted conversation key. One it has the conversation key it decrypts it and shows it to the user.
  
  What would happen if Twitter changed the registered public key associated with a device to one where they held the private key, or added an entirely new device to a user's account? If the app were to just happily send a message with the conversation key encrypted with that new key, Twitter would be able to decrypt that and obtain the conversation key. Since the conversation key is tied to the conversation, not any given pair of devices, obtaining the conversation key means you can then decrypt every message in that conversation, including ones sent before the key was obtained.
  
  (An aside: Signal and WhatsApp make use of a protocol called Sesame which involves additional secret material that's shared between every device a user owns, hence why you have to do that QR code dance whenever you add a new device to your account. I'm grossly over-simplifying how clever the Signal approach is here, largely because I don't understand the details of it myself. The Signal protocol uses something called the Double Ratchet Algorithm to implement the actual message encryption keys in such a way that even if someone were able to successfully impersonate a device they'd only be able to decrypt messages sent after that point even if they had encrypted copies of every previous message in the conversation)
  
  How's this avoided? Based on the UI that exists in the iOS version of the app, in a fairly straightforward way - each user can only have a single device that supports encrypted messages. If the user (or, in our hypothetical, a malicious Twitter) replaces the device key, the client will generate a notification. If the user pays attention to that notification and verifies with the recipient through some out of band mechanism that the device has actually been replaced, then everything is fine. But, if any participant in the conversation ignores this warning, the holder of the subverted key can obtain the conversation key and decrypt the entire history of the conversation. That's strictly worse than anything based on Signal, where such impersonation would simply not work, but even in the Twitter case it's not possible for someone to silently subvert the security.
  
  So when Elon says Twitter wouldn't be able to decrypt these messages even if someone held a gun to his head, there's a condition applied to that - it's true as long as nobody fucks up. This is clearly better than the messages just not being encrypted at all in the first place, but overall it's a weaker solution than Signal. If you're currently using Twitter DMs, should you turn on encryption? As long as the limitations aren't too limiting, definitely! Should you use this in preference to Signal or WhatsApp? Almost certainly not. This seems like a genuine incremental improvement, but it'd be easy to interpret what Elon says as providing stronger guarantees than actually exist.
  
  comments

• Maxim Burgerhout Sharing a set of Headphones between MacOS and Fedora

  Why share a set of headphones between MacOS and Fedora (or another Linux)?

  Well, the answer to the ‘why?’ question is quite simple: because I dual boot between MacOS and Fedora on my Mac Mini. This means in order to use the same pair of headphones on MacOS and Fedora, I need them to use the same key, so the headphones think they are always connected to the same machine.

  There are a couple of loose posts on the internet, especially on Ask Ubuntu about this topic already. I’m just combining those posts into a single blog for my own reference and potentially preventing people from having to dig up information from multiple places.

  Background

  Simply said, Bluetooth pairing works by exchanging a secret key between two devices. Your operating systems (well, Linux anyway, but I assume MacOS does the same thing) associated a key with both the Bluetooth address on the local machine as well as the Bluetooth address of the remote device. Devices do the same thing.

  This means that there can only be a single key for each point to point connection in the local Bluetooth “database”. And if you pair a set of headphones with MacOS and then with Linux, the key from the pairing with Linux will overwrite the key from the pairing with MacOS.

  In other words, we have to make sure the pairing with both MacOS and Linux use the same key.

  Process

  In order to share the Bluetooth key betwen MacOS and Fedora (or another Linux distro), we follow these steps:

  1. Pair on Linux
  2. Reboot into MacOS
  3. Pair on MacOS
  4. Extract the Bluetooth key from MacOS
  5. Reboot into Linux
  6. Swap out the old - now obsolete - key for the one from MacOS

  Steps 1, 2 and 3

  I’m not going to describe these in detail, as I’m assuming you know how this works :)

  Step 4: extracting the Bluetooth key from MacOS

  This is the crucial bit. On MacOS, open the Keychain app, and search for “bluetooth”. As you just paired the headphones, you are looking for the most recent entry called “MobileBluetooth”.

  Double click it. It will show you the Bluetooth address in the Account field. Make a note of both what is in the Account field and what is in the Show password field. You might have to provide your password once or twice along the way.

  What is the the Show password field will look something like this:

  <?xml version="1.0" encoding="UTF-8"?>
  <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
  <plist version="1.0">
  <dict>
  <key>LinkKey</key>
  <string>00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00</string>
  <key>LinkKeyType</key>
  <string>UnAuthenticated</string>
  <key>LocalAddress</key>
  <string>11:11:11:11:11:11</string>
  </dict>
  </plist>
  

  The bit aboce that reads 00-00-00-00-[...] is your Bluetooth key. The bit that reads 11:11:11:[...] is the Bluetooth address of your Bluetooth controller (i.e. the Bluetooth address of your computer.

  Step 5 and 6: reboot into Linux and swap out the key

  Ok, now switch off your headphones for now, and make your sure you keep the note somewhere you can access from Linux and reboot.

  Once rebooted into Linux, as root, go into /var/lib/bluetooth/11:11:11:11:11:11. Obviously swap out the 11:11:11:[...] string for the Bluetooth address of your computer.

  In that directory, you’ll find another directory that is named after the Bluetooth address of your headphones. This is what was in the Account field on MacOS. I’ll use 22:22:22:[...] in this example. Enter that directory. You are now in /var/lib/bluetooth/11:11:11:11:11:11/22:22:22:22:22:22. In that directory, there is a file called info.

  Edit the info file. It’ll look something like this:

  [General]
  Name=Your Awesome HEadphone
  Class=0x240404
  AddressType=public
  SupportedTechnologies=BR/EDR;LE;
  Trusted=true
  Blocked=false
  Services=[very long string here, shortened for readability]
  
  [DeviceID]
  Source=2
  Vendor=1999
  Product=3000
  Version=1999
  
  [LinkKey]
  Key=this_is_the_old_key
  Type=4
  PINLength=0
  

  Remove the dashes from the 00-00-00-[...] string and paste it in the Key field above, where it says this_is_the_old_key.

  Save the file and run systemctl restart bluetooth. Power on your headphones. Listen to music.

  Hope this works as well for you as it did for me!!

May 03, 2023

• Daniel Pocock List of Debian Domains to give away

  On Friday, I announced my intention to give away some Debian domains to help increase diversity of voices in the Debian Community.

  Some people have already made expressions of interest. To ensure the best results for the community, I plan to take a few days to review all the candidates.

  One of the top questions: which domains are actually available?

  Domain	Notes	Status
  debian.family	Looking at the 2021 mob against Dr Richard Stallman, it smells a lot like the plans of the Manson Family to start race riots
  DebianGNULinux.org	As we approach the 30th anniversary of Debian, let's not forget it was originally sponsored by Dr Richard Stallman at the FSF. Therefore, using the full name of Debian GNU/Linux together in a domain is a mark of respect. Some pages have deleted the link to Dr Stallman.
  debian.chat	Here I started publishing some of my work with Debian real-time communications, with an emphasis on chat/IM
  debian.news	One of many uncensored Debian Planet alternatives that have sprung up after the Debian Christmas lynchings
  debian.video	Here I am publishing some of my talks about Debian work from DebConf and related events
  debian.finance	Here I am publishing some of my packages for financial software
  debian.day	Here we can see the final emails of Frans Pop, the Debian Day Volunteer Suicide victim
  debian.team	Teamwork would be a great improvement to Debian
  debian.guide	Let's improve the range of guides available for Debian users and developers. Here I show people how to use some of my Debian packages.
  debianproject.org	A page to promote the Debian software project that we created together
  debian.giving	Let's raise money for unpaid volunteers with a .giving domain
  debianproject.community
  debiancommunity.org	It is rumoured that Jonathan Carter paid over $20,000 to steal and censor the domain debian.community. I will give him this one for free if he publishes the legal bills. As it says in the Debian Social Contract, point 3, we won't hide problems.

  If you would like to take over one of these domains, please see my previous blog about the subject and get in touch with me.

  

• Cockpit Project Patternfly V5 Alpha

  Cockpit upgraded to PatternFly 5 alpha

  PatternFly team has been working with “all hands on deck” on the version 5. That new major release is still scheduled for June. They have conducted two rounds of alpha testing so far and they’ve gone pretty well. Meanwhile PatternFly 4 has been in development freeze for a while as the team is focusing on the new version.

  Cockpit has decided to go ahead with an early adoption of PatternFly 5. The motivation for adopting PatternFly 5 can be summarized in several key points. Firstly, the early adoption of PatternFly 5 is advantageous for the PatternFly team. Secondly, as PatternFly 5 is still in its alpha phase, it is more receptive to significant changes. Thirdly, the high code coverage of Cockpit, with its integration and image comparison testing, provides confidence in being one of the early adopters without compromising product quality. Finally, PatternFly 4 is in development freeze, which hinders the ability to utilize the latest features and fixes found in PatternFly 5.

  It’s important to note that PatternFly 5 is not introducing drastic UI changes that the user would be able to notice, like the PatternFly 3 to PatternFly 4 upgrade did. It’s quite accurate to perceive this major release as an evolution of PatternFly 4, with enhancements and bug fixes.

  Some of the Cockpit team’s most awaited changes that have user impact from PatternFly 5 include improved dark theme support and using gap instead of margins for spacing, something that brings us one step closer to better RTL (Right to left) language support.

  Upgrade strategy for Cockpit projects

  PatternFly 5 is already being used in the main cockpit repository. Cockpit projects which live in separate repositories can still co-exist with Cockpit packages which have already been ported to PatternFly 5. However there is a limitation with the usage of the shared Cockpit components library. Since the library has already been updated to PatternFly 5, consumer plugins cannot use the latest shared library without upgrading their codebase to PatternFly 5 as well.

  If you want to join Cockpit as an early adopter of PatternFly 5, use the following steps to upgrade.

  Upgrading to PatternFly 5

  Installing PatternFly 5

  Run the following commands to install PatternFly 5 alpha:

  npm install --save \
      @patternfly/patternfly@alpha \
      @patternfly/react-core@alpha \
      @patternfly/react-icons@alpha \
      @patternfly/react-table@alpha \
      @patternfly/react-styles@alpha
  

  The PatternFly team has developed a script to help with the upgrade process from @patternfly/react-core@4.x.x to 5.x.x. Run the following command to install the pf-codemods script:

  npm install @patternfly/pf-codemods
  

  Follow the usage guidelines and run the script for automatically doing part of the changes needed for the upgrade to PatternFly 5. However, running this script will not cover all required changes e and will leave your codebase in an incomplete upgrade state.

  Read the error messages that the script will generate one by one and make sure everything is addressed either by auto-fixes from the script or by manual intervention.

  If you want to make multiple commits with isolated logical changes rather than one all-included commits you can use the –only argument to run a specific rule at a time.

  Cockpit overrides for PatternFly 5

  Cockpit has been maintaining a file for CSS overrides for PatternFly 4 containing fixes not yet included upstream in PatternFly and also some special customizations for Cockpit. This file has been renamed to patternfly-5-overrides.scss and should be imported by all Cockpit plugins similarly to the PatternFly 4 overrides. The suggested way to import this file is indirectly by importing page.scss. See an example of importing this file in Cockpit Machines repository.

  Examples of external Cockpit plugins upgraded

  PR for cockpit-machines: https://github.com/cockpit-project/cockpit-machines/pull/1052

  PR for cockpit-podman: https://github.com/cockpit-project/cockpit-podman/pull/1266

• Cockpit Project Cockpit 291

  Cockpit is the modern Linux admin interface. We release regularly.

  Here are the release notes from cockpit 291, cockpit-machines 289.1, and cockpit-podman 68:

  Update to PatternFly 5 alpha

  Cockpit is now an “early adopter” of PatternFly 5. Everything should look the same. We ensured all functional and visual tests pass.

  While this should not affect anyone using Cockpit, it definitely will affect everyone developing for Cockpit. Read more on our PatternFly 5 blog post.

  Machines: VM creation supports raw disk format

  During virtual machine creation, there is now a raw disk option in the storage format selection.

  

  Machines: Redesign virtual machine CPU configuration

  The CPU model dialog and vCPU topology have been merged into a single overview entry and dialog. Additionally, a few minor improvements have been added, including vCPU maximum and vCPU count now being number inputs.

  

  

  Try it out

  Cockpit 291, cockpit-machines 289.1, and cockpit-podman 68 are available now:

  • For your Linux system

  • Cockpit Client

  • Cockpit Source Tarball
  • Cockpit Fedora 38
  • Cockpit Fedora 37
  • cockpit-machines Source Tarball
  • cockpit-machines Fedora 38
  • cockpit-machines Fedora 37
  • cockpit-podman Source Tarball
  • cockpit-podman Fedora 38
  • cockpit-podman Fedora 37

May 02, 2023

• ! Avi Alkalay ¡ Importância de regular as Redes Sociais

  Tem gente achando que a PL das Fake News (péssimo apelido para projeto que debate liberdade, responsabilidade e transparência na Internet) vai restringir liberdades, como se hoje posts e opiniões circulassem livremente.

  Deixa eu só explicar uma coisinha: não tem livre circulação nenhuma aqui, quem decide qual conteúdo você vai ver são algoritmos controlados por umas 3 empresas privadas. E tais algoritmos não selecionam conteúdo que é bom/saudável para você ou com base em qualidade, importância, relevância histórica, como faz o curador de um museu. Para os donos desses algoritmos, “conteúdo relevante” é o que atiça os neurônios dos usuários, faz você ficar ligadão e voltar e interagir, porque assim você consome mais publicidade dos clientes deles. Dessa forma, para os algoritmos, conteúdos sobre terra plana ou fascismo ou outro sensacionalismo qualquer ganham mais relevância e alcance justamente porque são mais polêmicos e geram interação.

  Todo o resto da internet — sites de notícias, de museus, ou qualquer conteúdo excelente — são concorrentes dessas 3 empresas. Não é à toa que o Instagram não permite postar links externos, o que obriga as pessoas a terem que ficar falando o famigerado “link na bio”. Não é à toa que o Facebook bloqueia acesso ao conteúdo de seus usuários, mesmo ao totalmente público, se você não está logado na plataforma, pois acesso anônimo não tem dados a oferecer aos seus algoritmos de otimização.

  Regular a Indústria da Atenção (o nome oficial dessa indústria das redes sociais) é tão importante e legítimo quanto termos regras de trânsito, normas comerciais, política de uso de terra, ética médica etc. O mundo inteiro está discutindo isso porque percebeu quão nocivo é não termos regras.

  Também no meu Facebook.

  Também no meu LinkedIn.

• Ben Williams F38-20230501 updated Live isos released

  The Fedora Respins SIG is pleased to announce the latest release of Updated F38-20230501-Live ISOs, carrying the 6.2.13-300 kernel.

  This set of updated isos will save considerable amounts  of updates after install.  ((for new installs.)(New installs of Workstation have about 860MB of updates savings )).

  A huge thank you goes out to irc nicks:geraldosimiao, Southern_Gentlem for testing these iso.

  And as always our isos can be found at http://tinyurl.com/Live-respins2

• Peter Czanik Getting syslog-ng 4

  Version 4 of syslog-ng was released last December. Quite a few people use it already in production. How can you install it for a test drive? It might be already available in your Linux distribution. There are also several unofficial repositories with the latest syslog-ng.

  From this blog, you can learn how to check your syslog-ng version, where to check if it is not yet installed, and a few additional resources, if you want to install the latest version from unofficial repositories.

  Before you begin

  If you have not yet done so, check the syslog-ng 4.0 release notes. Even if you have not used some of the advanced syslog-ng features earlier, like message parsing, you will want to give them a try: https://github.com/syslog-ng/syslog-ng/releases/tag/syslog-ng-4.0.1. If you are a Python developer, you should also check the developer documentation for Python support as there are many new possibilities in syslog-ng version 4: https://github.com/syslog-ng/syslog-ng/tree/master/modules/python-modules.

  Checking the installed version

  If you have syslog-ng installed on your system, you can check the version number without running any package management applications. You can query the syslog-ng version number using the -V option. It even works as a regular user, but in this case, you most likely have to use a full path, as the sbin directory is usually not included in the PATH for regular users.

  czanik@czplaptop:~> /usr/sbin/syslog-ng -V
  syslog-ng 4 (4.1.1.393.gd292ca0)
  Config version: 4.0
  Installer-Version: 4.1.1.393.gd292ca0
  Revision:
  Module-Directory: /usr/lib64/syslog-ng
  Module-Path: /usr/lib64/syslog-ng
  Include-Path: /usr/share/syslog-ng/include
  Available-Modules: add-contextual-data,affile,afprog,afsocket,afstomp,afuser,appmodel,azure-auth-header,basicfuncs,cef,confgen,cryptofuncs,csvparser,disk-buffer,examples,graphite,hook-commands,json-plugin,kvformat,linux-kmsg-format,map-value-pairs,pacctformat,pseudofile,rate-limit-filter,regexp-parser,sdjournal,secure-logging,stardate,syslogformat,system-source,tags-parser,tfgetent,timestamp,xml,http,correlation,metrics-probe,ebpf,mod-java
  Enable-Debug: off
  Enable-GProf: off
  Enable-Memtrace: off
  Enable-IPv6: on
  Enable-Spoof-Source: on
  Enable-TCP-Wrapper: on
  Enable-Linux-Caps: on
  Enable-Systemd: on

  As you can see, I use a git snapshot build. This command prints a lot of additional information, but all you need is the very first line from the command output.

  Which version is available for your OS?

  If you do not have syslog-ng installed on your OS yet, you can still check which version is available for your OS. Yet again, you do not even have to start the package manager application on your OS, just open a web page:

  https://repology.org/project/syslog-ng/versions

  I have never heard the name for many of the operating systems listed on the page. However, from those that I know there is a clear tendency. Rolling Linux distributions, like Fedora Rawhide or openSUSE Tumbleweed and FreeBSD (even if not a Linux) were the first to receive the new version. Fedora 38, released just a few weeks ago, was the first major Linux distribution to include syslog-ng 4. The upcoming openSUSE Leap 15.5 will be the next to include it. Enterprise Linux distributions are lagging far behind, as they prefer version stability instead of the latest features.

  Unofficial repositories

  Do you use one of the older RPM or DEB distributions and still would like to use the latest syslog-ng version? I have some good news for you. There are unofficial repositories, maintained by members of the syslog-ng team, which contain up-to-date syslog-ng packages for some of the major Linux distributions.

  You can learn more about the unofficial, but up-to-date Debian and Ubuntu packages at https://www.syslog-ng.com/community/b/blog/posts/installing-the-latest-syslog-ng-on-ubuntu-and-other-deb-distributions.

  You can learn more about the unofficial, but up-to-date openSUSE / SLES and Fedora / RHEL (and compatible) packages at https://www.syslog-ng.com/community/b/blog/posts/overview-of-syslog-ng-rpm-repositories.

  Note that it also mentions my git snapshot repositories. You do not want to run that in production, unless it fixes a bug you reported earlier…

  Container images

  Even if you do not use one of the distributions which has syslog-ng 4 out of the box, and cannot use an unofficial syslog-ng repository, there is some hope. If your Linux distribution of choice supports containerization, you can use the syslog-ng container image:

  https://hub.docker.com/r/balabit/syslog-ng/

  Right now, only x86_64 images are available. If you want an Aarch64 (64 bit ARM) container, Axoflow now provides one. You can read more about their syslog-ng containers at: https://axoflow.com/cloud-ready-syslog-ng-images/

  What is next?

  Version 4 of syslog-ng comes with some major changes. Implementing syslog-ng 4 in your environment might need some planning and testing. Read https://www.syslog-ng.com/community/b/blog/posts/upgrade-problems-from-syslog-ng-3-to-4 to learn about the major changes, and how they might affect you.

  -

  If you have questions or comments related to syslog-ng, do not hesitate to contact us. You can reach us by email or even chat with us. For a list of possibilities, check our GitHub page under the “Community” section at https://github.com/syslog-ng/syslog-ng. On Twitter, I am available as @PCzanik, on Mastodon as @Pczanik@fosstodon.org.