Fedora is a Trademark of Red Hat, Inc, an operating system built by volunteers around the world. This page is provided so that independent volunteers can showcase our contributions to Fedora and Free Software in general. Official Fedora Download page.

We Make Fedora

May 17, 2025

Kevin Fenzi Second week of May 2025 fedora infra bits
Hello everyone. Another saturday blog post on happenings in Fedora Infrastructure over the last week.
Data Center Move

We have pretty much gotten all the new servers setup firmware wise. We have applied all the updates that happened since they were shipped, configured things as best we could for now. A few notable configuration changes we made:
- Enabled lldp on the machines that support it. This allows networking folks to see information about which nics are on which ports, etc. Just a bunch more handy info for us and them.
- Disabled 'hot spare' on power supply configuration. Wouldn't we want a 'hot spare'? well, no as it turns out if you enable that it means that all the servers only use the first power supply, keeping the second one idle. This means that in a rack, ALL the servers pull power from one side, which makes things very imbalanced. Instead disabling this has the server use both supplies and balance, and in the event of a failure, it just switches to the one thats still working. So, you want to be able to run everything from one side, but you definitely don't want to do so all the time.
I installed a few servers manually (see last weeks benchmarking entry), and this week I got local network setup as it should be on one: 2 25G nics bonded with 802.3ad, and a bridge on top for guests. Should be super zippy for anything local, and has the great advantage that networking folks can upgrade/reboot switches without us noticing any outages.

I also did a bunch of work on dns configuration. In order to make things easier on both us and networking folks, I asked them to just setup the new datacenter nets with a translation of existing datacenter configuration. That means we have the same number of vlans for the same purposes. Machines will be at the same last octet in both places. So for example our iad bastion server is internally at 10.3.163.31 in IAD2, and will be at 10.16.163.31 in RDU3. This also means we have a great starting point for network acls and such.

We are now somewhat in a holding pattern, waiting on external network for the servers themselves. Since we have gotten behind where we were hoping to be at this point, we very likely will be moving the actual datacenter switcharoo week out. Should know more next week if we have networking setup by then or not.

As soon as network is available, I will be bootstrapping up things in the new datacenter. Thats starting with a bastion host (to allow our existing ansible control host in our current datacenter to provision things there in the new one), then a dhcp/tftp server, then dns, then an ipa replica, then the rest of the servers, etc. After that is far enough along, we will be installing openshift clusters, getting our new signing infra working, and openqa machines and start migrating things that aren't heavily tieed to our current datacenter.

Things are gonna be busy the next month or so.
Bot blocking

A while back, we added some apache rules to block some bots that were providing a user agent, but were ignoring robots.txt, or were trying to crawl things we didn't want them to crawl or made no sense to be indexed. Last week I was looking at some AI scrapers (which don't pass a user agent saying they are a bot at all) and noticed that our block for 'normal' bots wasn't working. It turns out we had the right expression, but it only does a string match if you put the expression in "s. :(

So, I fixed that and I think it's helped reduce load over a bunch of things that shouldn't have been getting crawled in the first place.

The AI bots are still around, but mostly mitigated via various blocking of networks or specific things they decide they really really want. They are like a dog with a bone on some projects/areas... I am pretty sure they are re-crawling things they already crawled, they also seem particularly interested in forks or mirrors of things they have already crawled (even when those forks/mirrors have 0 other changes from the upstream). Here's hoping the market for these goes bust and they all go out of business.

F40 EOL and upgrades

Fedora 40 went end of life on tuesday of this last week. It's served long and well. Fond farewell to it.

We had a very few Fedora 40 instances left. The wiki was using F40. We upgraded staging and got all the issues sorted out and should be moving production to f42 next week. Bodhi was using f40 for some things (and f41 for others). There was a new upstream release with some minor rolled up changes. I upgraded staging yesterday and today, and will be rolling production very soon.

comments? additions? reactions?

As always, comment on mastodon: https://scrye.com/blogs/nirik//posts/2025/05/17/second-week-of-may-2025-fedora-infra-bits/
Fedora Community Blog Call for volunteers regarding the Fedora username change project

Today, we are celebrating International Day Against Homophobia, Biphobia and Transphobia around the world , an event that has been observed every 17 May for over twenty years. While progress has been made in some parts of the world, others have experienced a visible regression of queer and especially trans rights, and transgender folks are still facing difficulties in their day-to-day lives.

In the Fedora project, we strive to be welcoming of people in all their diversity, even if we still have a long way to go. Some of us also feel that just saying “you’re welcome” is not enough, however, and that we need to be actively working to remove barriers and work on specific problems.

This is why the Fedora Pride group is launching a year-long project aiming to collaboratively solve an often reported issue: The difficulties around changing usernames in the distribution and within the project infrastructure.

While we are working on this from the perspective of someone transitioning and changing their given name, our work can not be limited to that case. There are several reasons to change one’s username. Some people—mostly women but not only women—change their name once they are married (or once they are separated). Some people change their name because they were adopted as adult, or because they want nothing to do with their biological family. Some people have a name that is causing problems, and people just regret being called darkwarlord69 because it looked cool when they were younger and had to create a Fedora account to report a bug. Or maybe they just want to exercise their right under the GDPR articles.

Right now, we do not yet have a firm plan. However, in the spirit of openness, we want to begin with a call for volunteers.

For the infrastructure part of the project, our idea is very basic and will require plenty of testers. Fedora Infrastructure has a set of staging services used for testing upgrades, new versions, etc. We can use these services to test what happens when Fedora users change their own usernames without breaking the regular production infrastructure. So the plan is to take one service, use it for a bit, rename a volunteer, and see what happens. If something breaks, we fix it with a patch or open a bug report. And then we do it again on a new service, and again, and again… until we can safely close this bug on Noggin.

As for the distribution part, the initial idea is more or less the same, except we plan to ask people to do that on their own systems. This could be in a test VM, on a test computer, or just a new user on their current system (or, for the more adventurous, with their own username). We have plenty of time to give feedback for Fedora 43, and plenty of software that needs to be tested.

We have no idea how long it will take, and we haven’t yet looked beyond the initial proposal. We haven’t even opened a bug or decided how we will coordinate. In the meantime, we want to invite all people interested in helping to join us on the #pride:fedoraproject.org Matrix channel. Depending on how things go, we will decide if we conduct regular meetings, use our ticketing system, or something else. We are open to any type of help, whether it be for coding, testing, coordinating, writing documentation or reports.

Thank you.

Caption picture: Flowers and rainbow flags outside Herr Nilsen.jpg , CC-BY-SA 4.0 by Premeditated

The post Call for volunteers regarding the Fedora username change project appeared first on Fedora Community Blog.
Bodhi 25.5.1
Released on 2025-05-17.
This adds a couple of features that were not included in the previous release by mistake.

Features
- The CLI updates download command will now download signed packages, if possible. (#5859).
Bug fixes
- UpdateType.unspecified that was introduced with PR#3047 has been added to the documentation and constants.UPDATE_TYPES list. (#5892).
Contributors

The following developers contributed to this release of Bodhi:
- Adam Williamson
- LuK1337

May 16, 2025

Bodhi 25.5.0
Released on 2025-05-16.
This is mostly a bugfix release, see the following notes for a detailed
description.

Features
- bodhi-server: Updates which fail gating tests are now marked by an icon in the update list view (#5852).
Bug fixes
- When creating a new Update, do not add relationships before the Update object is in session. Fixes some SQLAlchemy 2.x warnings. (#5840).
- The task responsible for unstuck updates ejected from the push has been fixed for correct handling side-tag updates (#5850).
- The Automated Tests tab now correctly indicates when a required test failure was waived if the test case has no 'scenario'. (#5863).
- Where available, libdnf5 Python bindings are now used in repository sanity checks, otherwise we're forcing dnf-4 usage with the old method (#5820).
- Builds for rawhide or branched updates are now moved from pending-testing to testing tag when the update is moved into testing. Despite being pointless, this ensure to not break update flow when a release enters Bodhi activation point (#5830).
Contributors

The following developers contributed to this release of Bodhi:
- Akashdeep Dhar
- Aurélien Bompard
- Adam Williamson
- Peter Oliver
- Mattia Verga
Fedora Community Blog Infra and RelEng Update – Week 20 2025
This is a weekly report from the I&R (Infrastructure & Release Engineering) Team. We provide you both infographic and text version of the weekly report. If you just want to quickly look at what we did, just look at the infographic. If you are interested in more in depth details look below the infographic.

Week: 12th – 16th May 2025

Infrastructure & Release Engineering

The purpose of this team is to take care of day to day business regarding CentOS and Fedora Infrastructure and Fedora release engineering work.
Itâ€™s responsible for services running in Fedora and CentOS infrastructure and preparing things for the new Fedora release (mirrors, mass branching, new namespaces etc.).
List of planned/in-progress issues

Fedora Infra
- In progress:
- Done:
CentOS Infra including CentOS CI
- In progress:
- Done:
Release Engineering
- In progress:
- Done:
If you have any questions or feedback, please respond to this report or contact us on #redhat-cpe channel on matrix.

The post Infra and RelEng Update – Week 20 2025 appeared first on Fedora Community Blog.

May 15, 2025

Peter Czanik The syslog-ng Insider 2025-05: develop branch; Active Roles; ARM container
Dear syslog-ng users,

This is the 131st issue of syslog-ng Insider, a monthly newsletter that brings you syslog-ng-related news.

NEWS

Introducing the develop branch of the syslog-ng git repo

For many years, the development of syslog-ng happened on the master branch in Git. However, if you follow that branch, you might have noticed that there has not been much activity on it lately. That is because we introduced a new branch in git called “develop”.

https://www.syslog-ng.com/community/b/blog/posts/introducing-the-develop-branch-of-the-syslog-ng-git-repo

Working with Active Roles debug logs in syslog-ng

From my previous Active Roles blogs, you could learn how to forward regular Active Roles logs from Windows Event Log to a central syslog-ng server, where it parses, filters, stores and forwards the logs. In this blog, I show you how to work with Active Roles debug logs, that is reading them using syslog-ng Agent for Windows and forwarding them to a central syslog-ng server for long(er) term storage.

https://www.syslog-ng.com/community/b/blog/posts/working-with-active-roles-debug-logs-in-syslog-ng

Nightly arm64 syslog-ng container builds are now available

Recently we enabled nightly syslog-ng builds and container builds for arm64. It means that from now on, you can run the latest syslog-ng on 64bit ARM platforms.

https://www.syslog-ng.com/community/b/blog/posts/nightly-arm64-syslog-ng-container-builds-are-now-available

WEBINARS
- You can learn about upcoming webinars and browse recordings of past webinars at https://www.syslog-ng.com/events/
Your feedback and news, or tips about the next issue are welcome. To read this newsletter online, visit: https://syslog-ng.com/blog/
Felipe Borges Using Libravatar/Gravatar for your profile in Planet GNOME

Now that the new planet.gnome.org website is live, we have added Libravatar and Gravatar support. Instead of having the Planet website host user images itself, we are giving members the choice to use profile images/avatars from these services.

If you are interested in updating your profile picture, check out the instructions at https://gitlab.gnome.org/Teams/Websites/planet.gnome.org#adding-an-avatar and file an issue. Extra points if you do a merge-request!

The old hackergotchis are an important part of our community’s history, so I set up a static website to host the old files. Feel free to file an issue if you want yours taken down from there.

May 13, 2025

Charles-Antoine Couret N'utilisez plus Fedora Linux 40 qui n'est plus maintenu

C'est en ce mardi 13 mai 2025 que la maintenance de Fedora Linux 40 prend fin.

Qu'est-ce que c'est ?

Un mois après la sortie d'une version de Fedora n, ici Fedora Linux 42, la version n-2 (donc Fedora Linux 40) n'est plus maintenue.

Ce mois sert à donner du temps aux utilisateurs pour faire la mise à niveau. Ce qui fait qu'en moyenne une version est officiellement maintenue pendant 13 mois.

En effet, la fin de vie d'une version signifie qu'elle n'aura plus de mises à jour et plus aucun bogue ne sera corrigé. Pour des questions de sécurité, avec des failles non corrigées, il est vivement conseillé aux utilisateurs de Fedora Linux 39 et antérieurs d'effectuer la mise à niveau vers Fedora Linux 42 ou 41.

Que faire ?

Si vous êtes concernés, il est nécessaire de faire la mise à niveau de vos systèmes. Vous pouvez télécharger des images CD ou USB plus récentes.

Il est également possible de faire la mise à niveau sans réinstaller via DNF ou GNOME Logiciels.

GNOME Logiciels a également dû vous prévenir par une pop-up de la disponibilité de Fedora Linux 42 ou 41. N'hésitez pas à lancer la mise à niveau par ce biais.
Fedora Community Blog End of OpenID authentication in Fedora Account System – May update
We announced the end of OpenID authentication in Fedora in March. The original date of this was set to 20th May 2025. The progress could be followed in this ticket.

What we did?

We reached to services that are using OpenID for authentication and asked them to move to OIDC. There were few that we already helped to move:
What is the plan now?
1. Deploying a new Ipsilon instance – this will be tested on staging environment first
2. Set the above instance for OpenID only – there will be a big red banner showing that this authentication method is unsupported and will be removed in the future
3. All the OpenID traffic will be redirected to the new instance
4. Removing the OpenID only instance – the date is not decided yet, but we will keep it running at least half a year
This plan will allow us to potentially migrate from current solution to something better maintained without breaking the OpenID authentication.

This means that the new date for end of OpenID support in Fedora is to be decided.

The post End of OpenID authentication in Fedora Account System – May update appeared first on Fedora Community Blog.
Peter Czanik Syslog-ng 4.8.3 is now available

Last week, we released syslog-ng 4.8.2, containing a CVE fix along with improvements to the Elasticsearch and S3 destinations. As such, an upgrade is highly recommended. Version 4.8.3 does not bring any code changes, just a fix to the release process.

So, why the new release? The “official” syslog-ng source release is generated by a script from syslog-ng sources on GitHub and includes Makefiles, a configure script and man pages. This source is used by most Linux distributions and BSD variants, and the 4.8.2 release includes everything it needs to include. Read my blog about DBLD for more details at https://www.syslog-ng.com/community/b/blog/posts/dbld-a-syslog-ng-developer-tool-not-just-for-developers

However, if you take a look at the release notes at https://github.com/syslog-ng/syslog-ng/releases/tag/syslog-ng-4.8.2 you see two more files under assets: “Source code (zip)” and “Source code (tar.gz)”. These archives are unmodified snapshots of the git repository, taken when the given release was tagged. We considered it to be just a byproduct of the release, but as we learned soon after the release, these files are actually used by the Debian project to build syslog-ng packages. Unfortunately, due to the master → develop change in the syslog-ng repository, the wrong commit was tagged, so these files did not include the CVE fix and the version upgrade.

Long story short: if you use the generated source release tgz, you do not need to upgrade from 4.8.2 to 4.8.3. However, if you use the snapshot archives, then use the 4.8.3 release. This also means that the openSUSE / SLES, Fedora/RHEL and FreeBSD packages will stay at 4.8.2. For them, the next upgrade will be 4.9.0.
Fedora Community Blog Infra and RelEng Update – Week 19
This is a weekly report from the I&R (Infrastructure & Release Engineering) Team. We provide you both infographic and text version of the weekly report. If you just want to quickly look at what we did, just look at the infographic. If you are interested in more in depth details look below the infographic.

Week: 5th – 9th May 2025

Infrastructure & Release Engineering

The purpose of this team is to take care of day to day business regarding CentOS and Fedora Infrastructure and Fedora release engineering work.
Itâ€™s responsible for services running in Fedora and CentOS infrastructure and preparing things for the new Fedora release (mirrors, mass branching, new namespaces etc.).
List of planned/in-progress issues

Fedora Infra
- In progress:
- Done:
CentOS Infra including CentOS CI
- In progress:
- Done:
Release Engineering
- In progress:
- Done:
If you have any questions or feedback, please respond to this report or contact us on #redhat-cpe channel on matrix.

The post Infra and RelEng Update – Week 19 appeared first on Fedora Community Blog.

May 12, 2025

Felipe Borges GNOME is Sponsoring an Outreachy Internship Project for GNOME Crosswords!

We are excited to announce that the GNOME Foundation is sponsoring an Outreachy internship project for the June 2025 to August 2025 internship round!

Outreachy provides internships to people subject to systemic bias and impacted by underrepresentation in the technical industry where they are living.

The intern will work with mentors Jonathan Blandford, Federico Mena Quintero, and Tanmay Patil on the project Add Wordlist Scoring to the GNOME Crosswords Editor.

The internâ€™s blog will soon be added to Planet GNOME, where you can follow their project updates and learn more about them. Stay tuned!

May 10, 2025

Kevin Fenzi First full week of May infra bits 2025
This week was a lot of heads down playing with firmware settings and doing some benchmarking on new hardware. Also, the usual fires and meetings and such.
Datacenter Move

Spent a fair bit of time this week configuring and looking at the new servers we have in our new datacenter. We only have management access to them, but I still (somewhat painfully) installed a few with RHEL9 to do some testing and benchmarking.

One question I was asked a while back was around our use of linux software raid over hardware raid. Historically, there were a few reasons we choose mdadm raid over hardware raid:
- It's possble/easy to move disks to a different machine in the event of a controller failure and recover data. Or replace a failed controller with a new one and have things transparently work. With hardware raid you need to have the same exact controller and same firmware version.
- Reporting/tools are all open source for mdadm. You can tell when a drive fails, you can easily re-add one, reshape, etc. With hardware raid you are using some binary only vendor tool, all of them different.
- In the distant past being able to offload to a seperate cpu was nice, but anymore servers have a vastly faster/better cpu, so software raid should actually perform better than hardware raid (barring different settings).
So, I installed one with mdadm raid another with a hardware raid and did some fio benchmarking. The software raid won overall. Hardware was actually somewhat faster on writes, but the software raid murdered it in reads. Turns out the cache settings defaults here were write-through for software and write-back for hardware, so the difference in writes seemed explainable to that.

We will hopfully finish configuring firmware on all the machines early next week, then the next milestone should be network on them so we can start bootstrapping up the services there.
Builders with >32bit inodes again

We had a few builders hit the 'larger than 32 bit inode' problem again. Basically btrfs starts allocating inode numbers when installed and builders go through a lot of them by making and deleting and making a bunch of files during builds. When that hits > 4GB, i686 builds start to fail because they cannot get a inode. I reinstalled those builders and hopefully we will be ok for a while more again. I really am looking forward to i686 builds completely going away.

comments? additions? reactions?

As always, comment on mastodon: https://fosstodon.org/@nirik/114484593787412504

May 09, 2025

Charles-Antoine Couret 20 ans de Fedora-fr : cinquième entretien avec Thomas traducteur de Fedora

Introduction

Dans le cadre des 20 ans de Fedora-fr (et du Projet Fedora en lui-même), Charles-Antoine Couret (Renault) et Nicolas Berrehouc (Nicosss) avons souhaité poser des questions à des contributeurs francophones du Projet Fedora et de Fedora-fr.

Grâce à la diversité des profils, cela permet de voir le fonctionnement du Projet Fedora sous différents angles pour voir le projet au delà de la distribution mais aussi comment il est organisé et conçu. Notons que sur certains points, certaines remarques restent d'application pour d'autres distributions.

N'oublions pas que le Projet Fedora reste un projet mondial et un travail d'équipe ce que ces entretiens ne permettent pas forcément de refléter. Mais la communauté francophone a de la chance d'avoir suffisamment de contributeurs de qualité pour permettre d'avoir un aperçu de beaucoup de sous projets de la distribution.

Chaque semaine un nouvel entretien sera publié sur le forum Fedora-fr.org, linuxfr.org et mon blog ici même.

L'entretien du jour concerne Thomas Canniot (pseudo MrTom), ancien traducteur de Fedora en français et fondateur de l'association Fedora-fr.

Entretien

Bonjour Thomas, peux-tu présenter brièvement ton parcours ?

Mon parcours est assez banal j’estime. Quand j’étais petit, je bidouillais sur un Amstrad CPC 6128 en Basic. Quand nous avons reçu notre premier ordinateur Windows en 1997, j’étais vraiment curieux de comprendre comment cela fonctionnait. J’ai rapidement découvert les logiciels libres et adhéré à l’époque à ses grands principes. Du coup, j’ai cherché très vite à utiliser le plus possible de logiciels libres tout en sachant qu’un jours je finirais par passer à Linux. J’ai pu tester pas mal de distributions. A la fac de Lille, je participais à l’association Campux où j’ai pu rencontrer d’autres étudiants qui étaient sur Linux.

Question études, j’ai fais des études d’anglais puis d’ingénierie pédagogique à Lille. J’ai un master 2. Rien à voir avec l’informatique et pourtant.

Peux-tu présenter brièvement tes contributions au Projet Fedora ?

Les contributions ont été assez larges en fait. Je participais pas mal au forum et j’échangeais pas mal avec le créateur de Fedora-fr.org à l’époque pour lui demander des demandes d’améliorations, le développement du wiki etc. Au final, il a fini par me céder le site et c’est avec des volontaires sur channel IRC que nous avons pu constituer une équipe (LLaumgui, Trashy et d’autres) autour du site pour le renforcer techniquement et lui donner un second souffle.

Qu'est-ce qui fait que tu es venu sur Fedora ?

Je cherchais une distribution à la pointe des derniers développements qui soit stable et « sérieuse ». J’aimais le fait que Fedora soit une distribution Linux assez jeune (j’ai débuté sur Fedora Core 2). La communauté et le site était assez jeune, il y avait matière à faire quelque chose sans que je n’ai moi de compétences techniques poussées et encore moins en programmation.

Pourquoi contribuer à Fedora en particulier ?

J’aimais la distribution par sa communauté et le fait que le projet s’organisait en chemin. C’était hyper stimulant de participer à quelque chose qui se construit et de voir un projet de cette nature se construire, établir des processus de contribution. En installant Fedora Core 3 ou 4, je me suis rendu compte qu’il y avait plein de phrases en anglais partout dans le système alors que celui-ci était bien configuré en français. Je me suis du coup penché sur la traduction de la distribution et nous avons pu grâce au forum fedora-fr et au canal IRC monter une équipe de 3 ou 4 personnes qui contribuait nuits et jours à la traduction de Fedora. J’ai fait ça pendant 6 ou 7 ans je dirais, c’était vraiment un gros boulot, parfois même stressant car nous essayions de traduire le plus possible de lignes de texte avant la prochaine sortie de la distribution.

As tu contribué à d'autres Logiciels Libres ? Si oui, lesquels et comment ?

J’ai participé à d’autres projets de traduction. Aujourd’hui, je m’applique à traduire le logiciel de conversion vidéo Handbrake pour mac, linux et windows.

Est-ce que tes contributions à Fedora sont un atout direct ou indirect dans ta vie professionnelle ? Si oui, de quelle façon ?

Participer au projet Fedora m’a appris énormément sur l’informatique et le développement des projets logiciels. C’est une plus-value énorme sur mon profil professionnel. L’informatique est partout, et même si vous n’êtes pas concerné par le développement ou l’achat de logiciels au quotidien, savoir ce qu’est un logiciel propriétaire, un logiciel libre, les différents types de licences et le problématiques de développements et de traductions qui en découlent sont des cordes supplémentaires indéniables à mon arc. J’ai aussi appris sur le tas à ménager la chèvre et le choux entre les différents profils des contributeurs du projets, tenté tant bien que mal à motiver les troupes et établir des relations saines avec l’équipe de RedHat en charge de la communauté mondiale de Fedora.

Tu as fait parti des pionniers de la communauté francophone de Fedora et de l'association, quelles raisons t'ont poussé à t'y lancer ?

La raison la plus simple et primaire, c’est qu’il fallait une structure financière basique pour payer le serveur du site internet fedora-fr.org et le nom de domaine. Nous avons donc monter une association loi 1901 et commencé à recevoir quelques cotisations (les nôtres) pour le financement annuel du serveur.

Peux-tu nous faire un bref historique des débuts de la communauté et de l'association ?

L’association étant lancée, nous avons cherché à ce qu’elle grossisse un peu en permettant de faire la promotion de Fedora en France, en Suisse et en Belgique. Parfois même en Afrique du Nord. Nous sommes restés une petite association, avec une trentaine de membres pas toujours à jour de leur cotisation. C’était vraiment rock’n’roll parfois Tous les ans, nous faisions presser des live CD d’installation de la distribution que nous revendions parfois complètement à perte. C’était un peu le graal d’avoir un objet qui symbolisait la distribution et qui portait les couleurs de la communauté Fedora francophone. C’était si je me souviens bien notre plus gros budget annuel de dépense, mais cela nous permettait d’avoir des choses à proposer sur les salons.

Tu as été pendant quelques années président de l'association Fedora-fr à l'époque. Peux-tu revenir sur les chantiers en cours à ce moment là et des apports que tu as pu y faire ?

Les premières années ont été des années de développement et de structuration de l’activité de l’association. Nous faisions tous cela à côté de nos études ou de nos jobs, donc nous n’avons pas créé des choses incroyables. Beaucoup de monde ignore tout le bazar que peut générer la création d’une association en France, ne serait-ce que d’avoir une banque ou une assurance qui comprennent ce que vous faites et qui vous accompagnent. C’était un gros boulot de stabilisation administrative. Avec les cotisations des membres, nous avons pu développer les activités de l’association : pour en faire la promotion sur les salons informatiques locaux ou nationaux, permettre aux membres de prendre en charger tout ou partie de leurs frais de déplacements, leur fournir des goodies et des live CD, des flyers etc. Tout cela prend du temps à penser, créer, imprimer, organiser etc.

Tu as été traducteur pour le Projet Fedora, et même des FWN (Fedora Week News) en podcast. Peux-tu nous dire l'importance que ça a de traduire un projet de cette taille ? Le rythme des FWN n'était-il pas trop élevé ?

La traduction c’est du bénévolat ingrat, car vous êtes en bout de chaine et c’est chez les traducteurs qu’est la pression de terminer le travail le plus vite possible avant que la distribution ne soit packagées et disponible en version finale. Le Projet Fedora nous a fréquemment réduit les deadlines de contributions, donc nous sommes allés au plus urgent très souvent. J’avais oublié que j’avais réalisé un podcast avec Trashy. C’était vraiment fait sur un coin de table, mais c’était vraiment un plaisir d’essayer de faire ça. Oui le rythme était intense, mais j’aimais bien l’audio et le format.

Comment fonctionne le monde de la traduction logicielle ? Quels outils sont à disposition pour réaliser ce travail ?

Au tout début, c’était vraiment rock’n’roll et je ne comprenais pas réellement comment je devais le faire. Faire un commit de fichier quand vous êtes complètement novice en développement, ça relève de la sorcellerie. On récupérait donc les fichiers à traduire, on les traduisait et on les renvoyait. Il y a(vait) une liste de diffusion pour organiser l’équipe de traduction et les processus. Pour éviter que plusieurs personnes ne travaillent sur les mêmes fichiers en même temps, ou pour chercher un relecteur, avant de publier la traduction. Nous étions plutôt bien organisés avec les petits outils à disposition. Ensuite, pour traduire, rien de tel qu’une logiciel comme Lokalize et un bon dictionnaire parfois. Plus tard dans la vie du projet, le site Transifex a été lancé. Je l’utilise encore aujourd’hui pour traduire Handbrake avec beaucoup de nostalgie.

Le volume de traduction que cela représente est plutôt élevé, quelle était ta motivation à l'effectuer durant tout ce temps ?

En toute franchise, je l’ai fait par passion au début. Vers la fin, c’est devenu une contrainte mais j’essayais de participer car je ne voulais pas voir la distribution mal traduite. C’est terrible quand vous installez un logiciel et qu’ils n’est pas entièrement en français. Personnellement je déteste cela.

Si ce n'est pas indiscret, tu as quitté maintenant Borsalinux-fr et le Projet Fedora, quelles en sont les raison ?

Plusieurs raisons. Je me sentais un peu usé d’avoir participé pendant de nombreuses années et la motivation s’en est allée petit à petit. J’ai également fait mon entrée dans le monde du travail et le temps disponible s’est considérablement réduit. Enfin, Apple est passé par là. J’étais un peu frustré de devoir ré-installer mon ordinateur tous les 6 mois alors qu’un Mac ça ne bouge pas, vous l’allumez et ça fonctionne. Point. Mes proches avaient des Mac, des machines silencieuses qui fonctionnaient sans manipulations et sans problèmes… la tentation a été trop forte.

Que conseillerais-tu, comme lecture ou travaux, à un jeune contributeur de faire pour contribuer dans tes domaines ? Quelles compétences ou qualité sont utiles pour réaliser ce travail ?

Deux choses : Ne pas se fixer des objectifs inatteignables. Les projets de logiciels libres sont en grande partie structurés et il faut parfois y aller doucement et faire ses preuves avant de prendre des responsabilités. Être persévérant et ne pas se décourager. Parfois la marche peut sembler haute, mais n’hésitez pas à en parler à d’autres utilisateurs et contributeurs qui pourront vous donner un coup de main ou débloquer des situations. Ce sont des projets d’équipes, personne ne doit rester seul dans son coin.

Merci Thomas pour ta contribution !

Conclusion

Nous espérons que cet entretien vous a permis d'en découvrir un peu plus sur le site Fedora-fr.

Si vous avez des questions ou que vous souhaitez participer au Projet Fedora ou Fedora-fr, ou simplement l'utiliser et l'installer sur votre machine, n'hésitez pas à en discuter avec nous en commentaire ou sur le forum Fedora-fr.

À dans 10 jours pour un entretien avec Robert-André Mauchin, empaqueteur du Projet Fedora en particulier concernant l'écosystème Go et Rust.
Adam Young vim windows
I tend to want to work with three windows side by side. Two have the code I am working with, often production code on the left, test code on the right. The third window is the output from running commands to test the code.

I recently have decide to go all-in on vim, and it is progressing nicely. Thank you the Jake Worth for inspiring this. In Vim, the meta key for for doing windows operations is Ctrl-W. Here are a few commands I have gathered up from the internet. I will collect up the links where I get them at the bottom

To split and add new vertial window,
```
Ctrl-W vsplit <filename>
```
If you leave off the filename, it will open it with the existing file.

To Cycle between windows, use
```
Ctrl-W Ctrl-W
```
To move to the window to the left
```
Ctrl-W <left-arrow>
```
To move to the window to the right
```
 Ctrl-W <right-arrow>
```
To close the current window: :hide
```
 :hide
```
https://profkuperman.com/help/vim/windows.html

I want my windows 8 columns across. To do that, lead with the size.
```
80 Ctrl-W |
```
https://vi.stackexchange.com/questions/514/how-do-i-change-the-current-splits-width-and-height

An alternative is to use the :vertical command, which might be easier to remember
```
:vertical resize 80
```
https://vim.fandom.com/wiki/Resize_splits_more_quickly

To open a terminal in a window, use
```
:term
```
https://vi.stackexchange.com/questions/16903/show-external-command-output-in-preview-window

To navigate in the terminal window, first “disable it with”
```
Ctrl-w  Shift-n
```
Reenable it with
```
i
```
https://superuser.com/questions/1439330/scroll-up-to-in-vim-term
Felipe Borges GNOME Welcomes Its Google Summer of Code 2025 Contributors!

We are happy to announce that five contributors are joining the GNOME community as part of GSoC 2025!

This year’s contributors will work on backend isolation in GNOME Papers, adding eBPF profiling to Sysprof, adding printing support in GNOME Crosswords, and Vala’s XML/JSON/YAML integration improvements. Let’s give them a warm welcome!

In the coming days, our new contributors will begin onboarding in our community channels and services. Stay tuned to Planet GNOME to read their introduction blog posts and learn more about their projects.

If you want to learn more about Google Summer of Code internships with GNOME, visit gsoc.gnome.org.
Remi Collet ⚙️ PHP version 8.3.21 and 8.4.7
RPMs of PHP version 8.4.7 are available in the remi-modular repository for Fedora â‰¥ 40 and Enterprise Linux â‰¥ 8 (RHEL, Alma, CentOS, Rocky...).

RPMs of PHP version 8.3.21 are available in the remi-modular repository for Fedora â‰¥ 40 and Enterprise Linux â‰¥ 8 (RHEL, Alma, CentOS, Rocky...).

â„¹ï¸� The packages are available for x86_64 and aarch64.

â„¹ï¸� There is no security fix this month, so no update for version 8.1.32 and 8.2.28.

âš ï¸� PHP version 8.0 has reached its end of life and is no longer maintained by the PHP project.

These versions are also available as Software Collections in the remi-safe repository.

Version announcements:
- PHP 8.4.7 Release Annoucement
- PHP 8.3.21 Release Annoucement
â„¹ï¸� Installation: use the Configuration Wizard and choose your version and installation mode.

Replacement of default PHP by version 8.4 installation (simplest):
```
dnf module switch-to php:remi-8.4/common
```
Parallel installation of version 8.4 as Software Collection
```
yum install php84
```
Replacement of default PHP by version 8.3 installation (simplest):
```
dnf module switch-to php:remi-8.3/common
```
Parallel installation of version 8.3 as Software Collection
```
yum install php83
```
And soon in the official updates:
- Fedora Rawhide now has PHP version 8.4.7
- Fedora 42 - PHP 8.4.7
- Fedora 41 - PHP 8.3.21
âš ï¸� To be noticed :
- EL-10 RPMs are built using RHEL-10.0-beta
- EL-9 RPMs are built using RHEL-9.5
- EL-8 RPMs are built using RHEL-8.10
- intl extension now uses libicu74 (version 74.2)
- mbstring extension (EL builds) now uses oniguruma5php (version 6.9.10, instead of the outdated system library)
- oci8 extension now uses the RPM of Oracle Instant Client version 23.7 on x86_64 and aarch64
- a lot of extensions are also available; see the PHP extensions RPM status (from PECL and other sources) page
â„¹ï¸� Information:
- Migrating from PHP 8.2.x to PHP 8.3.x
- Migrating from PHP 8.3.x to PHP 8.4.x
Base packages (php)

Software Collections (php83 / php84)

May 08, 2025

Peter Czanik syslog-ng 4.8.2 is now available

Finally, a new syslog-ng release! As you can see from its version number, this is a bug fix release. It took a bit longer than expected, as we wanted to release it in sync with syslog-ng PE, the commercial variant of syslog-ng. 4.8.2 serves not just as the foundation of the new syslog-ng PE release, but also provides fixes to 4.8.1, which is included in major Linux distributions. This update ensures that all our recent bug fixes reach the majority of our users.

What’s new?

Version 4.8.1 introduced a backwards-incompatible fix in the format-json template function, which is used in the elasticsearch-http() destination and others. While we provided a workaround for this earlier, the drivers defined in the syslog-ng configuration library (SCL) are now updated in 4.8.2 to reflect the changes.

An S3 destination driver was also introduced earlier, but thorough testing revealed some reliability issues with it, which lead to its major refactor. As a result, the S3 destination driver code became a lot smaller and reliable, and its performance also improved considerably.

There is also a CVE fix for a low-severity issue that does not affect the default configuration. Previously, when using a wildcard syntax in the configuration file to specify the TLS certificate name, syslog-ng matched the wildcard too loosely, accepting more than the intended certificate name. If an attacker knew the original certificate name(s), they could exploit this by guessing the wildcard string used to match the correct certificate(s), and then creating fake certificates satisfying the guessed wildcard sting using g_pattern_match_simple(). However, as this exploit relied on insider information and did not lead to data loss or unintended privileged access, it was deemed low impact.

What’s next?

Although the development of syslog-ng slowed down a bit, it never stopped. Moreover, while working on 4.8.2, work also started on the next release. If you collect log messages from file, you will love the latest enhancements to the wildcard-file() source, which not only became faster, but also uses only a fraction of the resources now that it previously required. Linux support is clearly catching up to FreeBSD / MacOS… :-)

-

If you have questions or comments related to syslog-ng, do not hesitate to contact us. You can reach us by email or even chat with us. For a list of possibilities, check our GitHub page under the “Community” section at https://github.com/syslog-ng/syslog-ng. On Twitter, I am available as @PCzanik, on Mastodon as @Pczanik@fosstodon.org.

May 06, 2025

Felipe Borges It’s alive! Welcome to the new Planet GNOME!

A few months ago, I announced that I was working on a new implementation of Planet GNOME, powered by GitLab Pages. This work has reached a point where we’re ready to flip the switch and replace the old Planet website.

You can check it out at planet.gnome.org

This was only possible thanks to various other contributors, such as Jakub Steiner, who did a fantastic job with the design and style, and Alexandre Franke, who helped with various papercuts, ideas, and improvements.

As with any software, there might be regressions and issues. It would be a great help if you report any problems you find at https://gitlab.gnome.org/Teams/Websites/planet.gnome.org/-/issues

If you are subscribed to the old Planet’s RSS feed, you don’t need to do anything. But if you are subscribed to the Atom feed at https://planet.gnome.org/atom.xml, you will have to switch to the RSS address at https://planet.gnome.org/rss20.xml

Here’s to blogs, RSS feeds, and the open web!

May 05, 2025

Richard Hughes Prem’Day 2025 – Firmware Update Management with LVFS & fwupd

A few weeks ago I was invited to talk about firmware updates for servers using fwupd/LVFS at Prem’Day 2025. I gave the hardware vendors a really hard time, and got lots of instant feedback from customers in the the audience from the “little green thumbs” that people could raise. The main takeaway from the Premâ€™Day community seemed to be that proprietary tooling adds complexity without value, and using open ecosystems enable users to better operate their infrastructure.

Since getting back to the UK I’ve had some really interesting discussions with various companies; there might be some nice announcements soon.

May 04, 2025

Guillaume Kulakowski OpenWRT 24.10 derrière une Freebox: IPv6, DMZ et Bridge

Bien que je sois le très récent et heureux possesseur d’une Freebox Pop, j’ai fait le choix de continuer à déléguer la gestion de mon réseau ainsi que de mon partage Wi-Fi, non pas à la Pop, mais à OpenWRT. Les avantages pour moi sont les suivants : Je reviendrai sur pas mal de ces […]

Cet article OpenWRT 24.10 derrière une Freebox: IPv6, DMZ et Bridge est apparu en premier sur Guillaume Kulakowski's blog.

May 03, 2025

Kevin Fenzi review of the SLZB-06M

I've been playing with Homeassistant a fair bit of late and I've collected a bunch of interesting gadgets. Today I'd like to talk about / review the SLZB-06M.

So the first obvious question: what is a SLZB-06M?

It is a small, Ukrainian designed device that is a: "Zigbee 3.0 to Ethernet, USB, and WiFi Adapter" So, basically you connect it to your wired network, or via usb or via wifi and it gateways that to a Zigbee network. It's really just a esp32 with a shell and ethernet/wifi/bluetooth/zigbee, but all assembled for you and ready to go.

I'm not sure if my use case is typical for this device, but it worked out for me pretty nicely. I have a pumphouse that is down a hill and completely out of line-of-sight of the main house/my wifi. I used some network over power/powerline adapters to extend a segment of my wired network over the power lines that run from the house to it, and that worked great. But then I needed some way to gateway the zigbee devices I wanted to put there back to my homeassistant server.

The device came promptly and was nicely made. It has a pretty big antenna and everything is pretty well labeled. On powering it home assistant detected it no problem and added it. However, then I was a bit confused. I already have a usb zigbee adapter on my home assistant box and the integration was just showing things like the temp and firmware. I had to resort to actually reading the documentation! :)

Turns out the way the zigbee integration works is via zigbee2mqtt. You add the repo for that, install the add on and then configure a user. Then you configure the device via it's web interface on the network to match that. Then, the device shows up in a zigbee2mqtt pannel. Joining devices to it is a bit different from a normal wifi setup, you need to tell it to 'permit join', either anything, or specific devices. Then you press the pair button or whatever on the device and it joins right up. Note that devices can only be joined to one zigbee network, so you have to make sure you do not add them to other zigbee adapters you have. You can set a seperate queue for each one of these adapters, so you can have as many networks as you have coordinator devices for.

You can also have the SLZB-06M act as a bluetooth gateway. I may need to do that if I ever add any bluetooth devices down there.

The web interface lets you set various network config. You can set it as a zigbee coordinator or just a router in another network. You can enable/disable bluetooth, do firmware updates (but homeassistant will do these directly via the normal integration), adjust the leds on the device (off, or night mode, etc). It even gives you a sample zigbee2mqtt config to start with.

After that it's been working great. I now have a temp sensor and a smart plug (on a heater we keep down there to keep things from freezing when it gets really cold). I'm pondering adding a sensor for our water holding tank and possibly some flow meters for the pipes from the well and to the house from the holding tank.

Overall this is a great device and I recommend it if you have a use case for it.

Slava Ukraini!
Kevin Fenzi Beginning of May infra bits 2025

Wow, it's already May now. Time races by sometimes. Here's a few things I found notable in the last week:

Datacenter Move

Actual progress to report this week! Managed to get access to the mgmt on all our new hardware in the new datacenter. Most everything is configured right in dhcp config now (aarch64 and power10's need still some tweaking there).

This next week will be updating firmware, tweaking firmware config, setting up access, etc on all those interfaces. I want to try and do some testing on various raid configs for storage and standardize the firmware configs. We are going to need to learn how to configure the lpars on the power10 machines next week as well.

Then, the following week hopefully we will have at least some normal network for those hosts and can start doing installs on them.

The week after that I hope to start moving some 'early' things: possibly openqa and coreos and some of our more isolated openshift applications. That will continue the week after that, then it's time for flock, some more moving and then finally the big 'switcharoo' week on the 16th.

Also some work on moving some of our soon to be older power9 hardware into a place where it can be added to copr for more/better/faster copr builders.

OpenShift cluster upgrades

Our openshift clusters (prod and stg) were upgraded from 4.17 to 4.18. OpenShift upgrades are really pretty nice. There was not much in the way of issues (although a staging compute node got stuck on boot and had to be power cycled).

One interesting thing with this upgrade was that support for cgroups v1 was listed as going away in 4.19. It's not been the default in a while, but our clusters were installed so long ago that they were still using it as a default.

I like that the upgrade is basically to edit one map and change a 1 to a 2 and then openshift reboots nodes and it's done. Very slick. I've still not done the prod cluster, but likely next week.

Proxy upgrades

There's been some instablity with our proxies in particular in EU and APAC. We are going to be over the coming weeks rolling out newer/bigger/faster instances which should hopefully reduce or eliminate problems folks have sometimes been seeing.

comments? additions? reactions?

As always, comment on mastodon: https://fosstodon.org/@nirik/114445144640282791

May 02, 2025

Fedora Community Blog Infra and RelEng Update – Week 18
This is a weekly report from the I&R (Infrastructure & Release Engineering) Team. We provide you both infographic and text version of the weekly report. If you just want to quickly look at what we did, just look at the infographic. If you are interested in more in depth details look below the infographic.

Week: 28th April – 2nd May 2025

Infrastructure & Release Engineering

The purpose of this team is to take care of day to day business regarding CentOS and Fedora Infrastructure and Fedora release engineering work.
Itâ€™s responsible for services running in Fedora and CentOS infrastructure and preparing things for the new Fedora release (mirrors, mass branching, new namespaces etc.).
List of planned/in-progress issues

Fedora Infra
- In progress:
- Done:
CentOS Infra including CentOS CI
- In progress:
- Done:
Release Engineering
- In progress:
- Done:
If you have any questions or feedback, please respond to this report or contact us on #redhat-cpe channel on matrix.

The post Infra and RelEng Update – Week 18 appeared first on Fedora Community Blog.

May 01, 2025

Charles-Antoine Couret Revue de presse de Fedora Linux 42
Cela fait depuis Fedora 19 que je publie sur la liste de diffusion de Fedora-fr une revue de presse de chaque sortie d'une nouvelle version. Récapituler quels sites en parle et comment. Je le fais toujours deux semaines après la publication (pour que tout le monde ait le temps d'en parler). Maintenant, place à Fedora Linux 42.

Bien entendu je passe sous silence mon blog et le forum de fedora-fr.

Sites web d'actualité
- Linuxfr ;
- Next ;
- Développez.com (version Beta) ;
- ZDNet ;
- GoodTech
Soit 5 sites.

Les vidéos
- Linuxtricks.
- Actualia.
Soit 2 vidéos.

Bilan

Le nombre de sites parlant de Fedora Linux 42 est stable.

La semaine de sa sortie, nous avons eu globalement une augmentation de visites par rapport à la semaine d'avant de cet ordre là :
- Forums : hausse de 35,7% (plus de 600 visites en plus)
- Documentation : hausse de 6,8% (plus de 150 visites en plus)
- Le site Fedora-fr : hausse de 52% (soit 90 visites en plus)
Si vous avez connaissance d'un autre lien, n'hésitez pas à partager ! Notons que la communication a commencé début avril la publication des entretiens dans le cadre des 20 ans de Fedora-fr.

Rendez-vous pour Fedora Linux 43.

April 30, 2025

Charles-Antoine Couret 20 ans de Fedora-fr : quatrième entretien avec Timothée contributeur des systèmes immuables et KDE
Introduction

Dans le cadre des 20 ans de Fedora-fr (et du Projet Fedora en lui-même), Charles-Antoine Couret (Renault) et Nicolas Berrehouc (Nicosss) avons souhaité poser des questions à des contributeurs francophones du Projet Fedora et de Fedora-fr.

Grâce à la diversité des profils, cela permet de voir le fonctionnement du Projet Fedora sous différents angles pour voir le projet au delà de la distribution mais aussi comment il est organisé et conçu. Notons que sur certains points, certaines remarques restent d'application pour d'autres distributions.

N'oublions pas que le Projet Fedora reste un projet mondial et un travail d'équipe ce que ces entretiens ne permettent pas forcément de refléter. Mais la communauté francophone a de la chance d'avoir suffisamment de contributeurs de qualité pour permettre d'avoir un aperçu de beaucoup de sous projets de la distribution.

Chaque semaine un nouvel entretien sera publié sur le forum Fedora-fr.org, linuxfr.org et mon blog ici même.

L'entretien du jour concerne Timothée Ravier, contributeur au Projet Fedora en particulier concernant les systèmes dits immuables et l'environnement KDE Plasma.

Entretien

Bonjour Timothée, peux-tu présenter brièvement ton parcours ?

J'ai commencé à m'intéresser aux logiciels open source autour de 2004 lorsque j'ai découvert Firefox (version 1.0 à l'époque) par l'intermédiaire d'un ami qui l'a téléchargé pour moi sur un CD ré-inscriptible car je n'avais pas encore l'ADSL à l'époque. J'ai ensuite découvert Linux avec Ubuntu 6.06. Après mes études d'ingénieur en sécurité informatique, j'ai travaillé à l'ANSSI pendant cinq ans sur le projet CLIP OS et je travaille désormais pour Red Hat où je co-dirige l'équipe CoreOS, qui est responsable de la maintenance de Fedora CoreOS et de Red Hat Enterprise Linux CoreOS pour OpenShift.

Peux-tu présenter brièvement tes contributions au Projet Fedora ?

Mes contributions à Fedora sont liées à mon intérêt pour les systèmes orientés conteneurs, parfois dénommés immuables (immutables). Je fais ainsi partie de l'équipe qui maintient Fedora CoreOS, je suis un mainteneur des Fedora Atomic Desktops (principalement Silverblue et Kinoite) et je suis membre du KDE Special Interest Group (SIG).

Qu'est-ce qui fait que tu es venu sur Fedora et que tu y es resté ?

Je suis passé par plusieurs distributions Linux (Ubuntu, Gentoo, Arch Linux) mais je suis désormais sur Fedora.

Je pense que les "Four Foundations" de Fedora représentent bien mon parcours :

- Freedom : Je suis là parce que je suis intéressé par les logiciels libres car ils permettent un partage, une mise en commun au bénéfice de tous. - Features, First : C'est la force de la communauté Fedora d'un point de vue technologique. Je développe ce point dans les questions suivantes. - Friends : Je me suis fais des amis dans la communauté Fedora et cela contribue à la bonne ambiance et la motivation pour continuer à contribuer.

Pourquoi contribuer à Fedora en particulier ?

Je préfère être proche des projets upstream et des dernières évolutions. C'est pour cela que j'étais pendant un long moment sous Arch Linux.

Mais le processus pour pousser des changements dans Arch Linux était plutôt flou. Il est important de noter que cela a peut-être changé désormais. Mon expérience date de plus de 6 ans et je crois qu'ils ont un processus de RFC maintenant. Le fonctionnement d'Arch Linux impose aussi des mises à jour régulières et une certaine discipline lors des mises à jour liée au modèle de développement sans version fixe.

Je commençais alors à m'intéresser de plus en plus aux systèmes à base d'images (CoreOS Container Linux et Fedora Atomic Host à l'époque) et je suis donc allé voir Fedora Atomic Workstation (ancien nom de Silverblue) pour créer une version à base de l'environnement KDE Plasma, qui est devenue Fedora Kinoite.

Le processus pour pousser des changements dans Fedora est ce qui fait la force de la distribution. Il permet d'obtenir des discussions et des décisions sur les évolutions à apportées à la distribution pour la prochaine version.

Contribues-tu à d'autres Logiciels Libres ? Si oui, lesquels et comment ?

En dehors de Fedora, je contribue principalement au développement des projets KDE. Je fais partie de l'équipe qui maintient les applications KDE empaquetées avec Flatpak et publiées sur Flathub.

Je contribue aussi occasionnellement à différents projets open source en fonction des besoins.

Utilises-tu Fedora dans un contexte professionnel ? Et pourquoi ?

Oui, mes ordinateurs professionnels et personnels tournent sous Fedora Kinoite et mes serveurs personnels utilisent Fedora CoreOS. Une partie des serveurs que nous utilisons pour développer et produire les releases de Fedora CoreOS sont aussi sous Fedora CoreOS. D'autres sont sous Red Hat Enterprise Linux CoreOS car ils font partie d'un cluster OpenShift.

En gros, nous sommes aussi des utilisateurs directs des logiciels que nous développons.

Est-ce que tes contributions dans Fedora se font entièrement dans le cadre de ton travail ? Si non, pourquoi ?

Une grosse partie de mes contributions se font dans le cadre de mon travail, mais toute la partie liée à KDE et aux Fedora Atomic Desktops est faite sur mon temps personnel.

Est-ce que être employé Red Hat te donne d'autres droits ou opportunités au sein du Projet Fedora ?

Je n'ai pas plus de droits dans Fedora parce que je travaille pour Red Hat. Je dois suivre tous les processus de Fedora comme n'importe quel contributeur. J'ai d'ailleurs commencé à contribuer à Fedora avant d'avoir été employé par Red Hat.

En revanche, il est indéniable que cela m'aide pour contribuer car j'ai régulièrement l'occasion de discuter avec d'autres contributeurs Fedora dans le cadre de mon travail.

Tu as débuté une carrière dans la sécurité pour finalement travailler pour Red Hat en tant que mainteneur de CoreOS, Silverblue, Kinoite et contributeur à KDE, pourquoi ne pas avoir continué dans la sécurité pour cet écosystème ?

Quelque part je continue à faire de la sécurité mais sous un autre angle. La sécurité que je faisais avant ne bénéficiait qu'à un petit nombre de personnes qui avait accès aux systèmes que l'on développait. La nouvelle version open source de CLIP OS devait rendre le système plus accessible mais le projet était complexe et je crois qu'il est désormais archivé.

Je travaille désormais à améliorer la sécurité de Fedora CoreOS et des Fedora Atomic Desktops sans compromettre leur utilisabilité. L'objectif est de fournir une distribution Linux avec des mises à jour robustes qui soit utilisable par des non développeurs.

Tu participes à CoreOS pour RHEL, CentOS Stream et Fedora. Peux-tu expliquer le but de CoreOS et ses principales caractéristiques ? Quelles sont les différences entre RHEL, CentOS Stream et Fedora à ce sujet ?

L'objectif pour les systèmes CoreOS est de faire tourner au mieux des applications dans des conteneurs. Pour Fedora CoreOS, c'est un système minimal, avec des mises à jour automatiques, proposant à la fois podman et moby-engine (Docker) installés par défaut, prêt à faire tourner des conteneurs sur un seul noeud ou dans le cadre d'un cluster Kubernetes.

Pour Red Hat Enterprise Linux CoreOS (et CentOS Stream CoreOS), ce sont des systèmes qui forment le socle d'OpenShift (et d'OKD), une plateforme qui intègre plein de projets open source dont Kubernetes.

Bien qu'il n'y ai pas une correspondance exacte un pour un dans la liste des logiciels inclus, Fedora CoreOS est l'upstream de CentOS Stream CoreOS et Red Hat Enterprise Linux CoreOS, de la même façon que Fedora est l'upstream de CentOS Stream, qui l'est de Red Hat Enterprise Linux.

L'architecture atomic a gagné du terrain sur les systèmes pour le bureau avec Silverblue et Kinoite et devient relativement populaire, peux-tu expliquer quel en est l'intérêt d'une telle conception pour ce genre de systèmes ?

Le principal intérêt pour un utilisateur est la robustesse et rapidité des mises à jour. Celles-ci sont préparées en arrière plan alors que le système fonctionne normalement. Il suffit alors de redémarrer pour mettre à jour son système. Il n'y a pas d'attente supplémentaire ni à l'extinction ni au démarrage.

Si une mise à jour échoue, le système reste dans l'état actuel, et il est possible de réessayer plus tard. Si une mise à jour introduit un problème important empêchant le démarrage du système par exemple, il est possible de redémarrer et de choisir la version précédente dans le menu de boot de GRUB.

Les utilisateurs sont aussi poussés à utiliser Flatpak pour installer leurs applications graphiques et toolbox (ou distrobox) pour utiliser les applications en ligne de commandes dans des conteneurs.

Quels sont les défis techniques de proposer cette conception dans ces systèmes par rapport à CoreOS par exemple ?

La principale différence est la présence d'une interface graphique. Les applications graphiques doivent être parfois adaptées pour fonctionner avec Flatpak. C'est désormais le cas de la plupart d'entre elles.

Tu y contribues en tant que membre de Fedora Atomic Desktops SIG, peux-tu expliquer son rôle dans Fedora et ton activité dedans ?

Le rôle du Fedora Atomic Desktops SIG et de regrouper l'ensemble des contributeurs Fedora des différentes variantes Atomic : Silverblue, Kinoite, Sway Atomic et Budgie Atomic. Bien que chacun de ces systèmes propose un environnement de bureau distinct, ils partagent énormément d'éléments, tant au niveau des composants de base du système que de l'infrastructure Fedora. Le SIG permet donc de regrouper les contributeurs pour pouvoir les inclure dans les prises de décisions qui impactent ces systèmes.

Je participe à la maintenance des Fedora Atomic Desktops et plus principalement de Silverblue et Kinoite. Cela peut impliquer des mises à jour de paquets, des corrections de bugs dans des projets upstream ou des rajouts de fonctionnalités pour améliorer l'expérience sur ces systèmes. Je surveille aussi que tous les Atomic Desktops continuent de recevoir des mises à jour régulièrement.

Penses-tu qu'un jour ces systèmes atomic deviendront la référence par défaut ? Si oui à quelle échéance ? Quelles sont les difficultés actuelles à résoudre ?

Je l'espère ! Il est impossible de donner une échéance et cela ne dépend pas vraiment de moi. La difficulté la plus importante est le support matériel et les pilotes qui ne sont pas intégrés dans Fedora. C'est un problème que l'on ne peut pas résoudre dans Fedora à cause des contraintes légales et qui sont adressées par le projet Universal Blue, dont la variante Bazzite, est très populaire.

Pour la problématique des pilotes, est-ce que l'initiative du noyau unifié (d'avoir une image universelle et signée comprenant le noyau, initrd, la ligne de commande) te semble être une solution à cette problématique ?

Ces deux sujets ne sont pas liés.

Le problème des pilotes externes au noyau Linux upstream est divisé en deux cas principaux :
- Les pilotes propriétaires : Ils ne seront jamais ajouté directement à Fedora pour des raisons légales et de licence.
- Les pilotes open source mais non inclus dans le noyau Linux upstream : Fedora met à jour le noyau Linux très régulièrement et suis les nouvelles versions stables peu de temps après leur sortie officielle. Il faut donc que ces pilotes soient mis à jour pour suivre les nouvelles versions du noyau et cela demande toujours du temps lorsque ceux-ci ne font pas partie du noyau upstream.
Les images noyau unifiées (Unified Kernel Images ou UKI) incluent le noyau, l'initrd et la ligne de commande du noyau dans un seul fichier. Cela présente des avantages pour mettre en place une chaîne de boot mesurée, notamment à l'aide du TPM, et donc pour offrir de meilleures garanties de sécurité. Leur intégration est encore en cours dans les variantes CoreOS et Atomic Desktops.

Les développeurs et administrateurs systèmes ont souvent besoin d'outils qui à ce jour nécessitent souvent de recourir à rpm-ostree plutôt que Flatpak ou Fedora toolbox dans le cadre d'un système immuable. Penses-tu que ces verrous sont un réel problème et qu'ils seront éventuellement résolus dans le temps ?

L'un des objectif de la nouvelle initiative "Bootable Containers" (conteneurs bootables) est justement de rendre plus ergonomique la modification du système de base. Le systèmes est distribué sous forme d'une image de conteneur standard (image OCI) et il est possible de la modifier à l'aide d'un Containerfile / Dockerfile et d'outils natifs aux conteneurs. Cela permet aux utilisateurs de ré-utiliser leurs habitudes et outils pour modifier aussi leur système de façon sûre et de partager le résultat à l'aide d'un registre d'image de conteneurs.

Nous allons aussi ajouter à nouveau dnf (version 5) dans ces images de conteneurs pour mettre à disposition des utilisateurs une interface familière et toutes les options de dnf lors de la construction de ces images.

Une autre piste est d'utiliser le concept des extensions systèmes de systemd (systemd system extensions ou sysexts), qui permettent d'ajouter du contenu dynamiquement à un système sans perdre les avantages de la gestion à base d'images. Les sysexts utilisent la même technologie que pour les conteneurs (overlayfs) pour ajouter des éléments (merge) au contenu des dossiers /usr et /opt de l'image de base. Je suis en train d'investiguer cette option pour rendre son usage ergonomique pour ces systèmes : https://github.com/travier/fedora-sysexts.

Il est aussi possible de modifier temporairement le système en utilisant un système de fichier temporaire monté au dessus des emplacements en lecture seule (overlayfs). Les fichiers de /usr peuvent alors être modifiés et de nouveaux paquets RPM installés à la demande. Les modifications disparaîtront au redémarrage.

Tu participes aussi à l'équipe de KDE SIG, peux-tu expliquer son rôle dans Fedora et ton activité dedans ?

L'objectif du KDE SIG est de proposer la meilleure expérience possible de KDE sur Fedora. Nous suivons et contribuons aussi au développement de KDE upstream.

Je participe au KDE SIG en tant que mainteneur de Kinoite et développeur KDE.

GNOME reste le bureau principal de Fedora à ce jour, cependant la qualité de l'intégration de KDE progresse depuis de nombreuses années maintenant, penses-tu que la qualité entre les deux est aujourd'hui équivalente ? Est-ce que les contributions pour KDE sont freinées de par le statut de GNOME au sein du projet ?

C'est une question très difficile car elle est très subjective. J'utilise principalement KDE sur mes systèmes mais j'apprécie énormément le travail de design fait sur GNOME. Pour moi c'est un choix personnel.

D'un point de vue technologique, il est possible de trouver des éléments "meilleurs" dans GNOME que dans KDE et l'inverse.

Il n'y a pas de bénéficiaire à opposer ces deux projets. C'est au contraire la collaboration qui améliore l'expérience utilisateur.

Je ne pense pas que les contributions à KDE soient freinées par le status de GNOME dans Fedora.

L'équipe KDE SIG a récemment proposé d'améliorer le statut de KDE au sein du projet, quitte à même remplacer GNOME pour Fedora Workstation, peux-tu expliquer cette demande ? Penses-tu qu'un jour KDE remplacera GNOME au sein de Fedora ou de RHEL par exemple ?

L'idée des membres soutenant cette proposition (qui ne vient pas uniquement de personnes faisant partie du KDE SIG) est de remettre en question la place de GNOME "par défaut" dans le projet Fedora (notamment Fedora Workstation). Poser cette question force le projet à clarifier les critères qui font qu'un environnement de bureau est considéré comme majeur et donc autorisé à être représenté par une "édition" comme Fedora Workstation. Tous les environnements de bureau non-GNOME ne sont actuellement pas bien présentés sur le site de Fedora notamment.

Il est important pour un projet communautaire de pouvoir justifier ses choix, que l'on soit d'accord ou non avec les arguments présentés. Si ces choix sont perçus comme arbitraires ("c'est comme ça que cela a toujours été", "c'est un employé de Red Hat qui l'a décidé"), alors le projet Fedora perd en crédibilité. Il faut, par exemple, pouvoir justifier que GNOME est un bon choix à présenter aux utilisateurs découvrant Fedora.

Je ne pense pas que KDE va "remplacer" GNOME dans Fedora et ce n'est pas vraiment l'idée derrière cette proposition qui a été formulée explicitement de la sorte pour forcer la discussion. L'objectif est de rendre KDE plus visible dans Fedora.

Pour ce qui est de remplacer GNOME dans RHEL, c'est peu probable et cela serait une décision de Red Hat.

Penses-tu que Fedora est une distribution de référence pour utiliser KDE aujourd'hui ? Par le passé OpenSUSE, Kubuntu ou Mageia étaient souvent recommandées pour utiliser cet environnement.

Oui ! Fedora propose depuis plusieurs années les dernières versions de KDE à des fréquences très proches des sorties upstream. Nous sommes actuellement l'une des premières distributions à proposer le bureau KDE Plasma dans sa version 6. Le KDE SIG suit et participe activement au développement de KDE upstream et certains développeurs KDE recommandent désormais Fedora.

Je travaille avec Fedora Kinoite à rendre le développement de KDE plus abordable, notamment pour le test des versions en cours de développement.

Si tu avais la possibilité de changer quelque chose dans la distribution Fedora ou dans sa manière de fonctionner, qu'est-ce que ce serait ?

Je regrouperai l'intégralité des dépôts Git, codes sources, projets, suivit des bugs, etc. sur une (ou plusieurs) instance GitLab hébergée par le projet Fedora. C'est un projet qui est désormais en cours pour migrer vers Forgejo. Fini les instances Pagure (forge de développement Git), plus de Bugzilla (suivi des bugs). Il faudrait aussi abandonner les mailing lists pour utiliser Discourse à la place (transition aussi en cours).

D'un point de vue personnel, la migration du projet KDE vers GitLab fut un facteur déterminant dans ma capacité à contribuer au projet KDE. Le mode de contributions à l'aide de Pull Requests / Merge Requests à travers une interface web est devenu un standard qui réduit significativement la difficulté pour un premier contributeur à participer à un projet.

Je pense que c'est la prochaine étape importante pour rendre le développement de Fedora plus accessible et donc pour attirer plus de contributeurs.

À l'inverse, est-ce qu'il y a quelque chose que tu souhaiterais conserver à tout prix dans la distribution ou le projet en lui même ?

Le processus pour proposer un changement (Change Process). C'est la clé de ce qui fait de Fedora une distribution à la pointe, qui évolue à chaque nouvelle version et qui pousse l'écosystème en avant.

Que penses-tu de la communauté Fedora-fr que ce soit son évolution et sa situation actuelle ? Qu'est-ce que tu améliorerais si tu en avais la possibilité ?

Malheureusement, je n'ai pas eu beaucoup d'interactions avec la communauté Fedora-fr donc je n'ai pas grand chose à dire.

Quelque chose à ajouter ?

Merci pour l'interview !

Si vous souhaitez en apprendre plus sur ces systèmes, je vous recommande les documentations officielles des projets ou les présentations que j'ai réalisées (une ou deux en français).

Merci Timothée pour ta contribution !

Conclusion

Nous espérons que cet entretien vous a permis d'en découvrir un peu plus sur le site Fedora-fr.

Si vous avez des questions ou que vous souhaitez participer au Projet Fedora ou Fedora-fr, ou simplement l'utiliser et l'installer sur votre machine, n'hésitez pas à en discuter avec nous en commentaire ou sur le forum Fedora-fr.

À dans 10 jours pour un entretien avec Thomas Canniot, ancien traducteur de Fedora en français et fondateur de l'association Fedora-fr.

April 29, 2025

Guillaume Kulakowski Restaurer la géolocalisation sous Linux après l’arrêt du service Mozilla

Cela faisait plusieurs fois que je remarquais que la géolocalisation sur mon PC personnel ne fonctionnait plus...
Aujourd'hui, avec cinq minutes à perdre, je me suis enfin décidé à creuser un peu. Et après quelques recherches rapides, j'ai découvert que depuis le 12 juin 2024, le service de géolocalisation de Mozilla n'était tout simplement plus disponible.
Nous allons voir comment le remplacer !

Cet article Restaurer la géolocalisation sous Linux après l’arrêt du service Mozilla est apparu en premier sur Guillaume Kulakowski's blog.

April 28, 2025

Michael Catanzaro WebKitGTK API Versions Demystified
WebKitGTK has a bunch of different confusing API versions. Here are the three API versions that are currently supported by upstream:
- webkitgtk-6.0: This is WebKitGTK for GTK 4 (and libsoup 3), introduced in WebKitGTK 2.40. This is what’s built by default if you build WebKit with -DPORT=GTK.
- webkit2gtk-4.1: This is WebKitGTK for GTK 3 and libsoup 3, introduced in WebKitGTK 2.32. Get this by building with -DPORT=GTK -DUSE_GTK3=ON.
- webkit2gtk-4.0: This is WebKitGTK for GTK 3 and libsoup 2, introduced in WebKitGTK 2.6. Get this by building with -DPORT=GTK -DUSE_GTK3=ON -DUSE_SOUP2=ON.
webkitgtk-6.0 contains a bunch of API changes, and all deprecated APIs were removed. If you’re upgrading to webkitgtk-6.0, then you’re also upgrading your application from GTK 3 to GTK 4, and have to adapt to much bigger GTK API changes anyway, so this seemed like a good opportunity to break compatibility and fix old mistakes for the first time in a very long time.

webkit2gtk-4.1 is exactly the same as webkit2gtk-4.0, except for the libsoup API version that it links against.

webkit2gtk-4.0 is — remarkably — mostly API stable since it was released in September 2014. Some particular C APIs have been deprecated and don’t work properly anymore, but no stable C APIs have been removed during this time, and library ABI is maintained. (Caveat: WebKitGTK used to have unstable DOM APIs, some of which were removed before the DOM API was eventually stabilized. Nowadays, the DOM APIs are all stable but deprecated in webkit2gtk-4.1 and webkit2gtk-4.0, and removed in webkitgtk-6.0.)

If you are interested in history, here are the older API versions that do not matter anymore:
- webkit2gtk-5.0: This was an unstable API version used during development of the GTK 4 API, intended for WebKit developers rather than application developers. It was obsoleted by webkitgtk-6.0.
- webkit2gtk-3.0: original API version of WebKitGTK for GTK 3 and libsoup 2, obsoleted by webkit2gtk-4.0. This was the original “WebKit 2” API version, which was only used by a few applications before it was removed one decade ago (history).
- webkitgtk-3.0: note the missing “2”, this is “WebKit 1” (predating the modern multiprocess architecture) for GTK 3. This API version was widely-used on Linux, and its removal one decade ago precipitated a security crisis which I called The Great API Break. (This crisis was worth it. Modern WebKit’s multiprocess architecture is far more secure than the old single-process architecture.)
- webkitgtk-1.0: the original WebKitGTK API version, this is “WebKit 1” for GTK 2. This API version was also widely-used on Linux before it was removed in The Great API Break.
Fedora and RHEL users, are you confused by all the different confusing downstream package names? Here is your map:
- webkitgtk6.0, webkit2gtk4.1, and webkit2gtk4.0: This is the current binary package naming in Fedora, corresponding precisely to the WebKitGTK API version to reduce confusion.
- webkit2gtk3: old name for webkit2gtk4.0, still used in RHEL 9 and RHEL 8
- webkitgtk4: even older name for webkit2gtk4.0, still used in RHEL 7
- webkitgtk3: this is the webkitgtk-3.0 API version, still used in RHEL 7
- webkitgtk: this is webkitgtk-1.0, used in RHEL 6
Notably, webkit2gtk4.0, webkit2gtk3, and webkitgtk4 are all the same thing.

April 27, 2025

Guillaume Kulakowski Nouvelle version du container Docker PHP-FPM pour Nextcloud avec s6-overlay

La nouvelle version de mon container Docker pour Nextcloud remplace s6-overlay par supervisor, offrant ainsi une personnalisation plus avancée. Vous pouvez désormais ajouter des configurations pour PHP et PHP-FPM ou exécuter des scripts à l’initialisation (comme l’ajout de drivers Intel). Le PUID et PGID restent également personnalisables. Cette mise à jour s’inscrit dans la lignée […]

Cet article Nouvelle version du container Docker PHP-FPM pour Nextcloud avec s6-overlay est apparu en premier sur Guillaume Kulakowski's blog.

April 26, 2025

Kevin Fenzi Late April infra bits 2025

Another week has gone by. It was a pretty quiet one for me, but it had a lot of 'calm before the storm' vibes. The storm being of course that may will be very busy setting up the new datacenter to try and migrate to it in june.

Datacenter Move

Still don't have access to our new hardware, but I'm hoping early next week I will. I did find out a good deal more about networking there and setup our dhcp server already with all the mac addresses and ip's for the management interfaces. As soon as that comes up they should just get the right addresses and be ready to work on.

Next week then would be spent setting firmware the way we want it, testing a few install paramaters to make sure how we want to install the hosts, then move on to installing all the machines.

Then on to bootstrapping things up (we need a dns server, a tftp server, etc) and then installing openshift clusters and virthosts.

So, we are still on track for the move in June as long as the management access comes in next week as planned.

nftables in production

We rolled out our switch from iptables to nftables in production on thursday. Big shout out to James Antill for all the scripting work and getting things so they could migrate without downtime.

The switch did take a bit longer than we would have liked, and there were a few small hiccups, but overall it went pretty well.

There are still some few openqa worker machines we are going to migrate next week, but otherwise we are all switched.

Staging koji synced

To allow for some testing, I did a sync of our production koji data over to the staging instance. This takes a long long time because it loads the prod db in, vacuums it, then modifies it for staging.

There was a bit of breakage at the end (I needed to change some sequences) but otherwise it went fine and now staging has all the same tags/etc as production does.

comments? additions? reactions?

As always, comment on mastodon: https://fosstodon.org/@nirik/114405223201008788

April 25, 2025

Daniel Pocock In defence of JD Vance, death of Pope Francis
When the sad news appeared about the death of Pope Francis on Easter Monday, people were quick to politicize the tragedy with references to his last official duty, a meeting with US Vice President JD Vance.

What about that dossier on abuse that changed hands on Good Friday? It fits an awkward pattern of dossiers and deaths.

Obituaries and commentaries have appeared far and wide. Many of them begin by praising the late Pope's work on climate and the poor and then they go on to politely but firmly express concern that he could have done more for victims of abuse. We need to look at the other Francis.

Walter Francis Pocock

Walter Francis Pocock was born on 28 February 1938. He went to the former St Patrick's college in East Melbourne and then became a Catholic school teacher. He rose through the ranks of schoolteachers to become a headmaster and then he went on to work in administration at the Catholic Education Office (CEO), part of the Archdiocese of Melbourne.

On 28 February 1998, Pope Francis had become Archbishop of Buenos Aires, on the birthday of Walter Francis Pocock. On 28 February 2013, Pope Benedict XVI resigned, creating the opportunity for Pope Francis to become Pope.

The brother of Walter Francis Pocock is my father, who attended Xavier College, one of Australia's most prominent Jesuit schools. Pope Francis was the first Jesuit pope. Dad and his brother both worked at the Catholic Eduction Office.

My uncle died in 2011. One of the most visible parts of his legacy is the work of his daughters. Bernice became a nurse back in the 1990s. She has worked her way up to the top of her profession, becoming the Health Complaints Commissioner for the State of Victoria.

In that role, she personally signs each of the prohibition orders.

Australia's Royal Commission into Institutional Abuse published a huge archive of internal documents from the Catholic Church. Looking through those documents, we can see that the church removed fewer abusers in fifty years than Bernice has removed in just two years.

The connections don't stop there of course. Pope Francis had a special relationship with the State of Victoria, having invited Cardinal George Pell, who started his career in Ballarat, to be the treasurer of the Vatican.

Let's have a fresh look at the history and how it intersects with deaths of both Cardinal Pell and Pope Francis.

17 April 2011, the day that Adrian von Bidder died, was both the day that Carla and I married and it was Palm Sunday, the beginning of Holy Week.

In December 2018, Cardinal Pell was convicted of abuse, although he was subsequently acquitted on appeal. On one of the most important Christian holidays, the night before Christmas, the Debianists went nuts spreading rumors about my family and abuse. Some of them are still nuts today. Sadly, more of these people have died.

In my last call with Dad, he was clearly disturbed about the Pell situation and the proximity of our family to these matters.

On 17 April 2019, which was Holy Wednesday, the current Archbishop of Melbourne put out a public statement about the grief many people felt throughout the Archdiocese (original video). This was particularly profound for those who worked for the church. People like my father and his brother would see Cardinal Pell in the office from time to time when he was Archbishop of Melbourne. It would have been even more inconvenient for my father as this statement came out on our wedding anniversary.

Dad died on 20 April 2019, which was Easter Saturday.

Pope Benedict died on 31 December 2022, once again, in the Christmas season. Cardinal Pell appeared in news reports and that prompted me to have a fresh look at the evidence and see if I had missed anything.

By pure coincidence, I found myself in the office of the Carabinieri on 10 January 2023, as a witness and survivor talking about the blackmail in Debianism and the similarities to what I observed in the wider context of institutional abuse. I handed over a dossier of approximately 90 pages. Cardinal Pell's name was mentioned somewhere on the first page. I didn't know that the Cardinal was having surgery in the same hour. He died later that evening.

I created a further dossier, a similar size, containing emails from debian-private suggesting that some of the Debian suicides and accidental deaths may have been avoidable. That dossier was sent to the Cambridgeshire coroner on 9 September 2023, the first day of DebConf23. In the middle of the conference, Abraham Raji died in an avoidable accident. I had mentioned Cardinal Pell's name in the email to the coroner and it appears again inside the dossier.

This year, in March 2025, I published a blog pointing out the connection between Adrian von Bidder's death and Palm Sunday. The anniversary of the death was Holy Thursday, the day that Judas betrayed Jesus at the last supper. I previously wrote a blog about that phenomena too.

At the same time as publishing the blog about Palm Sunday, I had been preparing a new dossier about the intersection of the abuse crisis with the health system. It dealt with the cases I'm familiar with, mental health patients, the military, a priest using my name and the remarkable similarities that have emerged in modern-day cults like Debianism.

Pope Francis is featured on the final page, along with the Swiss Guard. The name of Cardinal Pell was repeated forty seven times in this dossier. I included a couple of pictures of the late Cardinal Pell, in one of them he is holding a galero and in another he is wearing his zucchetto and staring at Shadow Man.

The draft was handed over to an expert in the French health system on Good Friday, the day that Jesus was crucified.

Three dossiers, three deaths.

Like my father, I also graduated from the Jesuit school Xavier College.

Some of the dossier is confidential so I'm only going to share the pages with the conclusion. Even that had to be redacted. Nonetheless, it is telling that I used a quote from Ian Lawther about his Fair dinkum letter to the Pope. The letter is published on the web site of the Parliament of Victoria. The letter was dated 24 April 2008 and it appears to have been sent two days later, 26 April 2008. 26 April 2025 is the funeral of Pope Francis.

Ian Lawther's letter is a chilling indictment on the culture of many institutions, this is not only about the crisis in the Catholic Church. Reading this paragraph:

You were not the one who had to take your son to hospital at 2.30 in the morning, because he had broken three bones in his hand, in a fit of anger and guilt, because his mind had been so poisoned, that the priest was able to convince him everything was his fault.

I couldn't help thinking about the way people are being brainwashed in groups like Debian and GNOME. For example, look at how Dr Norbert Preining was brainwashed to write a self-deprecating public confession. Look at the discussions around GNOME this week, for example, Tobias Bernard writes nobody involved is against Codes of Conduct, in other words, victims can't see that amateur-hour Codes of Conduct are nothing more than a tool for denouncing, dividing and silencing people. When people put these amateur hour Codes of Conduct on a pedestal, the victims end up tying themselves in nots. There have been a number of unexplained suicides in the open source software ecosystem and I can't help wondering if some of those people had been shamed with Code of Conduct gaslighting. Look at the horrible message they sent to my last Outreachy intern, it took three months before she told me what they were doing to her.

Read the final pages of the dossier that changed hands on Good Friday.

Can we say JD Vance is off the hook?

Please see the chronological history of how the Debian harassment and abuse culture evolved.

Fact check
- 2023-01-10 (Cardinal Pell's surgery): receipt from Carabinieri from first dossier about working conditions
- 2023-09-09 (DebConf23): email to Cambridgeshire coroner with dossier about avoidable deaths
- 2025-04-18 (Good Friday): final pages of dossier about the similarities in the cultures and some known incidents
Did the Debianists graffiti Dr Jacob Appelbaum's home when they were falsifying abuse accusations against him?

Compare the graffiti to the signature on real abuse cases: the prohibition orders.

When Debianists and social media addicts make stuff up, it makes it harder to believe real victims.

Please see the chronological history of how the Debian harassment and abuse culture evolved.

April 24, 2025

Fedora fans آموزش آپگرید لینوکس فدورا ۴۱ به فدورا ۴۲

با توجه به انتشار نسخه نهایی Linux Fedora 42 پیشنهاد می شود تا کاربرانی که از نسخه های پایین تر استفاده می کنند، سیستم خود را به آخرین نسخه ی پایدار ارتقاء دهند. به همین خاطر در این مطلب قصد داریم تا لینوکس فدورا ۴۱ را به فدورا ۴۲ آپگرید کنیم. قبل از انجام آپگرید […]
The post آموزش آپگرید لینوکس فدورا ۴۱ به فدورا ۴۲ first appeared on طرفداران فدورا.
Adam Young My math was wrong
In my last article, I posted a function for calculating one partition of a larger matrix. THe function looked like this
```
void partial(k, i, g, M, f){ 
        for (m=0; m < n; m++){ 
            j = m * k;
            g[i] = g[i] + M[i][j] * f[i];
        }
}
```
This is actually wrong. Lets look where I messed up. It was all the way back in the equation.

The equation I had looked something like this (not going to use inkscape to do the math this time)
```
g[i] = sum m=1..n of A[i,j]f[j]
     
```
When I divided it up, I fell victim to the 1-based array that I had and simply calculated j by multiplying m*k. This is wrong. If we think of it as a base 4 number, we want k to be the 4’s column (and larger) and m to be the ones column. In function form:
```
j=k*4+m
```
However, this implies that m goes from 0 to (n-1)/4.

Thus the partial function should look like this:
```
void partial(k, i, g, M, f){ 
        for (m=0; m < n; m++){ 
            j = k * n + m;
            g[i] = g[i] + M[i][j] * f[i];
        }
}
```
With that corrected, we can try to implement it in ARM64 assembly.

April 23, 2025

Kiwi TCMS Kiwi TCMS 14.2
We're happy to announce Kiwi TCMS version 14.2!

IMPORTANT:

This is a minor version release which includes security related updates, several improvements and new translations.

Recommended upgrade path:
```
14.1 -> 14.2
```
You can explore everything at https://public.tenant.kiwitcms.org!

---
Public container image (x86_64):
```
pub.kiwitcms.eu/kiwitcms/kiwi   latest  141ce95a4323    677MB
```
IMPORTANT: version tagged and multi-arch container images are available only to subscribers!
Changes since Kiwi TCMS 14.1
Security
- Update Django from 5.1.7 to 5.1.8 addressing a moderate severity denial-of-service vulnerability, CVE-2025-27556, which may be affecting Kiwi TCMS instances running natively on Windows
Improvements
- Update django-attachments from 1.11 to 1.12
- Update django-colorfield from 0.12.0 to 0.13.0
- Update django-extensions from 3.2.3 to 4.1
- Update markdown from 3.7 to 3.8
- Update psycopg from 3.2.5 to 3.2.6
- Update tzdata from 2025.1 to 2025.2
- Update uwsgi from 2.0.28 to 2.0.29
- On Execution Dashboard page add Product & Components columns (Oskar Hurst, USACE)
- Remove duplicate IDs to minimize size of SQL WHERE clause for API calls on Execution Dashboard page
- Remove code which was generating /Kiwi/uploads/installation-id. This file was never used and is not needed
Refactoring and testing
- Update node_modules/webpack from 5.98.0 to 5.99.6
- Update fedora from 41 to 42 in tests/bugzilla/Dockerfile
- Pin the version of Locust to avoid accidental failures
- Replace custom function with django.utils
Translations
- Updated Korean translation
- Updates Ukrainian translation
Kiwi TCMS Enterprise v14.2-mt
- Based on Kiwi TCMS v14.2
- Update certbot-* from 3.2.0 to 4.0.0
- Update kiwitcms-github-app from 2.0.1 to 2.1.0
- Update kiwitcms-tenants from 4.0.0 to 4.1.0
- Update sentry-sdk from 2.22.0 to 2.26.1
- Add django-storages[s3] as a dependency
- Add psycopg-pool as a dependency
- Add a show_version command for manage.py
- Allow additional script-src for Content-Security-Policy header to be specified via the NGX_CSP_SCRIPT_SRC environment variable
- Workaround missing wheel packages for xmlsec v1.3.15, see https://github.com/xmlsec/python-xmlsec/issues/344
- Pin xmlsec to v1.3.14
Private container images
```
hub.kiwitcms.eu/kiwitcms/version            14.2 (aarch64)          77cd9ccde9f6    23 Apr 2025     692MB
hub.kiwitcms.eu/kiwitcms/version            14.2 (x86_64)           24c27dafcd26    23 Apr 2025     677MB
hub.kiwitcms.eu/kiwitcms/enterprise         14.2-mt (aarch64)       fd7113a910c1    23 Apr 2025     1.06GB
hub.kiwitcms.eu/kiwitcms/enterprise         14.2-mt (x86_64)        e3f1f25186de    23 Apr 2025     1.04GB
```
IMPORTANT: version tagged, multi-arch and Enterprise container images are available only to subscribers!
How to upgrade

Backup first! Then follow the Upgrading instructions from our documentation.

Happy testing!

---

If you like what we're doing and how Kiwi TCMS supports various communities please help us grow!
- Give â� on GitHub;
- Give ğŸ‘� on GitLab;
- Join our newsletter and follow all project news;
- Become a contributor and an awesome open source hacker;
- Become a subscriber and help us sustain development
Charles-Antoine Couret 20 ans de Fedora-fr : troisième entretien avec Emmanuel, ancien président de Borsalinux-fr

Introduction

Dans le cadre des 20 ans de Fedora-fr (et du Projet Fedora en lui-même), Charles-Antoine Couret (Renault) et Nicolas Berrehouc (Nicosss) avons souhaité poser des questions à des contributeurs francophones du Projet Fedora et de Fedora-fr.

Grâce à la diversité des profils, cela permet de voir le fonctionnement du Projet Fedora sous différents angles pour voir le projet au delà de la distribution mais aussi comment il est organisé et conçu. Notons que sur certains points, certaines remarques restent d'application pour d'autres distributions.

N'oublions pas que le Projet Fedora reste un projet mondial et un travail d'équipe ce que ces entretiens ne permettent pas forcément de refléter. Mais la communauté francophone a de la chance d'avoir suffisamment de contributeurs de qualité pour permettre d'avoir un aperçu de beaucoup de sous projets de la distribution.

Chaque semaine un nouvel entretien sera publié sur le forum Fedora-fr.org, linuxfr.org et mon blog ici même.

Entretien

Bonjour Emmanuel, peux-tu présenter brièvement ton parcours ?

J'ai découvert Linux pendant mes études à l'EFREI, l'École FRançaise d’Électronique et d’Informatique. Ma première distribution était une Red Hat Linux 4.2 que j'ai installé sur mon PC en 1997.

En finissant mes études, je savais que je voulais travailler avec du Logiciel Libre et j'ai commencé un travail d'administrateur système et réseaux chez un hébergeur web dont les serveurs étaient sous Red Hat Linux.

Quand Red Hat a annoncé la fin de Red Hat Linux et le lancement de Fedora, je suis passé d'une distribution à l'autre. Quelques années plus tard, j'ai eu l'occasion de devenir packager (on devait en être à la Fedora 8) et, encore aujourd'hui, je continue à maintenir des paquets.

Ces jours-ci, je fais partie d'une équipe de gestion d'identité dans une entreprise qui fait de l'assurance-crédit. Je gère la partie Unix (essentiellement des serveurs OpenLDAP sous Linux) alors que mes collègues gèrent la partie Active Directory.

Peux-tu présenter brièvement tes contributions au Projet Fedora ?

Maintenir mes paquets reste l'essentiel de mes contributions. Je gère plusieurs centaines de paquets, quasiment tous des modules Perl ou des applications écrites en Perl.

Depuis, je fais partie du SIG Server ou j'essaie de contribuer en y apportant mon expérience dans ce domaine.

Qu'est-ce qui fait que tu es venu sur Fedora et que tu y es resté ?

J'utilisais déjà Red Hat Linux à la fois au boulot et chez moi donc ça a été un enchainement logique de passer sur Fedora Core 1. Je voyais d'un très bon œil de passer sur un système plus communautaire.

Pourquoi contribuer à Fedora en particulier ?

En prenant exemple sur FreshRPMS, un dépôt logiciel pour Red Hat Linux géré par Matthias Saou, j'avais commencé à faire des paquets des logiciels que j'utilisais qui ne se trouvaient pas dans Fedora, des modules Perl pour la plupart. L'étape suivante la plus logique était de maintenir ces paquets au sein du projet Fedora et je suis donc devenu contributeur Fedora.

Contribues-tu à d'autres Logiciels Libres ? Si oui, lesquels et comment ?

À un moment donné, je me suis retrouvé à maintenir une instance de Bugzilla et j'ai commencé à remonter des bogues puis soumettre des correctifs. Au bout d'un moment, les développeurs ont jugé mes contributions suffisamment importantes pour me nommer contributeur.

De temps en temps, je reviens sur le gestionnaire de bogues du projet pour voir.

Utilises-tu Fedora dans un contexte professionnel ? Et pourquoi ?

Au niveau professionnel, j'utilise Red Hat Entreprise Linux et il m'arrive régulièrement d'ajouter certains de mes paquets à Fedora EPEL pour pouvoir les utiliser au boulot.

Est-ce que tes contributions à Fedora sont un atout direct ou indirect dans ta vie professionnelle ? Si oui, de quelle façon ?

Professionnellement, j'utilise Red Hat Entreprise Linux et mon utilisation de Fedora me permet de mieux comprendre le fonctionnement de RHEL. Il m'est déjà arrivé de mettre des paquets que je maintiens dans mon temps libre dans EPEL pour que je puisse m'en servir au boulot.

Tu es actif au sein du SIG Perl, peux-tu expliquer le rôle de cette SIG et de ton activité dans ce groupe de travail ?

Il y a pas mal d'interdépendances entre modules Perl et c'est utile d'avoir un canal Matrix dans lequel il y a tous les packageurs concernés pour qu'on discute ensemble lorsque quelqu'un tombe sur un problème.

Ceci dit, le SIG Perl est relativement informel et c'est compliqué de parler d'une activité de groupe avec des rôles bien définis.

Qu'est-ce qui t'a poussé à travailler sur les paquets de Perl ?

Je connais relativement bien le langage, ce qui facilite le débogage et la création de correctifs.

Tu es par ailleurs membre de l'association les Mongueurs de Perl, quel est ton rôle dans cette association ? Y a-t-il un lien ou une synergie entre le SIG Perl et cette association d'une quelconque façon ?

Je suis le président de l'association depuis plusieurs années.

Il m'arrive de parler de Fedora au sein des Mongueurs. En particulier, je vante le fait que Fedora contient toujours une version de Perl qui est très à jour et qu'on peut donc utiliser toutes les nouveautés du langage.

Quand je vois que l'une des associations fait quelque chose de bien, j'incite l'autre à en faire autant. C'est pour cette raison que les Mongueurs de Perl publient maintenant un article sur chaque nouvelle version de Perl sur LinuxFR.

Tu as été aussi président de Borsalinux-fr pendant quelques années, de 2011 à 2015, peux-tu expliquer en quoi consiste ce rôle ?

J'étais déjà en relation avec les gens de Fedora-fr parce que j'étais président de Parinux, le LUG de Paris, et qu'il nous était arrivés de planifier des évènements ensemble. Après avoir passé la main, j'ai pu trouver le temps pour participer aux activités de Borsalinux-fr et j'ai adhéré à l'association.

Je suis arrivé dans l'association à un moment ou les relations avec Red Hat n'étaient pas au beau fixe. Red Hat ne souhaitait pas que l'association utilise 'Fedora' dans son nom car c'est une marque déposée. En plus de ça, les personnes à la tête de l'association étaient là depuis plusieurs années et commençaient à fatiguer.

À un moment donné, l'association s'est retrouvé sans président et, lors de l'assemblée générale suivante, je me suis proposé pour le poste. Pendant mon premier mandat, j'ai surtout fait de l'administratif (changement de nom de l'association, changement de siège social, partenariat avec Red Hat, ...). Le suivant m'a permis d'inciter les adhérents à contribuer et d'aller présenter la distribution sur des évènements inédits pour nous.

En dehors de cela tu as également participé activement à la vie de l'association, peux-tu revenir sur quelques unes de tes activités ?

Après avoir été président de l'association pendant 4 ans, j'ai voulu passer la main (je ne trouve pas sain qu'une même personne reste à la tête d'une organisation). Renault a accepté de prendre le poste mais on se retrouvait alors sans secrétaire. Pour combler le manque, j'ai pris le poste et je suis resté secrétaire pendant 4 ans.

À côté de ça, je gère les goodies de l'association. De temps en temps, nous créons des goodies Fedora en plus des goodies que nous donne le Projet Fedora. Je centralise tout ça chez moi et j'envoie des goodies à chaque fois que quelqu'un représente l'association sur un évènement.

Tu as également été président de Parinux, quels liens il y avait entre cette activité et tes contributions au sein de Fedora et de Fedora-fr ?

En tant que président de Parinux, je gérais le village associatif de Solutions Linux. J'ai été contacté par quelqu'un (Thomas Canniot ?) qui voulait un stand pour l'association. De mémoire, les fondateurs de l'association comptaient utiliser le salon pour se rencontrer pour la première fois et signer les statuts de l'association. C'est comme ça que j'ai appris l'existence de l'association et du site web.

Un peu plus tard, Parinux a décidé de faire des install partys spécifique à une distribution. Pour celle de Fedora, j'ai donc contacté Fedora-Fr et une bonne partie de l'association a débarqué à la Cité des Sciences pour nous aider. De mémoire, nous avons pu faire ce genre d'évènement plusieurs fois.

Tu contribues également au dépôt externe RPMFusion, peux-tu expliquer la nature de tes contributions et ce qui t'intéresse dans ce projet ?

Contribuer à RPMFusion, c'est beaucoup dire... J'ai pu apporter mon aide de deux manières différentes. Je n'ai plus les dates en tête donc je vais donner ça dans le désordre.

RPMFusion avait besoin d'un paquet de Bugzilla pour CentOS. J'ai donc mis bugzilla dans EPEL et RPMFusion a pu mettre à jour sa version pour ne plus avoir a mettre à jour Bugzilla à la main.

À un autre moment (je me souviens que c'était lors d'un FOSDEM), les admins de RPMFusion cherchaient un bugmaster, quelqu'un pour gérer leur instance de Bugzilla. Étant donné que j'avais une certaine expérience, ils m'ont proposé le poste et j'ai accepté.

Qu'est-ce qui te motive à participer aux activités locales ? Tu nous as représenté sur de nombreux salons en France, qu'est-ce qui te plaît ou qui ne te plaît pas dans ces événements ? Lesquels apprécies-tu le plus et pourquoi ? Quels intérêts trouves-tu à y aller ?

Ça permet de rencontrer des gens et de discuter avec eux, ce qui me fait toujours plaisir. Comme on retrouve toujours un peu les mêmes gens sur les villages associatifs, ça permet aussi de passer plusieurs jours en compagnie de gens qui me sont chers. Et, honnêtement, je ne sais pas ce que je ferais de mes jours de RTT si je ne les utilisais pas pour mes activités associatives.

Pour ce qui est du choix des salons, j'ai un faible pour Capitole du Libre, le salon Toulousain, qui a un côté communautaire qui me plaît beaucoup.

Si tu avais la possibilité de changer quelque chose dans la distribution Fedora ou dans sa manière de fonctionner, qu'est-ce que ce serait ?

J'aimerais beaucoup qu'on soit plus nombreux à faire la distribution, que ça soit au niveau des SIGs, des tests, ... J'aimerais beaucoup qu'on facilite le fait de passer d'utilisateur de la distribution à contributeur.

À l'inverse, est-ce qu'il y a quelque chose que tu souhaiterais conserver à tout prix dans la distribution ou le projet en lui même ?

Je suis très attaché à la nature libre de la distribution.

Que penses-tu de la communauté Fedora-fr que ce soit son évolution et sa situation actuelle ? Qu'est-ce que tu améliorerais si tu en avais la possibilité ?

Je participe assez peu à la communauté francophone. Je dois avouer que j'aimerais un moyen de lire le forum qui puisse se faire depuis un terminal mais je doute que les efforts qu'il faudrait faire puissent se justifier.

Tu participes peu à la communauté francophone mais tu as conservé une certaine présence au sein de l'Association Borsalinux-fr comme les relations pour les goodies avec le Projet Fedora ainsi qu'avec EVL et bien sûr ta présence sur certains évènements francophones pour nous représenter. Considères-tu tout ceci comme une symbiose entre le travail du Projet Fedora et l'Association Borsalinux-fr ?

C'est surtout du Borsalinux-fr. En vérité, je gère les goodies essentiellement parce que je vais sur les salons (j'en ai donc besoin) et que les gens qui gèrent EVL sont des amis qui habitent eux aussi dans la région parisienne. Et soyons honnêtes, c'est loin d'être chronophage.

Arrives-tu à détecter ou motiver des personnes à devenir des contributeurs lors de ces évènements ?

J'essaie surtout de convaincre les gens de faire des petits pas et passer au niveau suivant. Si quelqu'un est utilisateur, je vais l'encourager à rapporter des bogues au projet. S'il le fait déjà, je vais lui proposer de tester les versions béta de la distribution... S'il participe à l'animation du stand Borsalinux-fr sur un salon, je vais lui demander s'il ne veut pas, en plus, animer un stand sur un autre salon.

Quelque chose à ajouter ?

Je trouve que ça fait déjà beaucoup...

Merci pour ta contribution !

Conclusion

Nous espérons que cet entretien vous a permis d'en découvrir un peu plus sur le site Fedora-fr.

Si vous avez des questions ou que vous souhaitez participer au Projet Fedora ou Fedora-fr, ou simplement l'utiliser et l'installer sur votre machine, n'hésitez pas à en discuter avec nous en commentaire ou sur le forum Fedora-fr.

À dans 10 jours pour un entretien avec Timothée Ravier, contributeur au Projet Fedora en particulier concernant les systèmes dits immuables et l'environnement KDE Plasma.
Peter Czanik A call for testing the upcoming syslog-ng releases
While no dates are set to stone yet, we expect a couple of syslog-ng releases in the near future. As version 4.8.1 is used in major Linux distributions and has a couple of known bugs, we will release 4.8.2 to address those. However, we are also working on 4.9.0, which will bring many changes.

Before you begin

For testing, you need an up-to-date build of syslog-ng. You have many options:
- If you have ARM64 or x86_64 systems, you can use the nightly syslog-ng container images: https://www.syslog-ng.com/community/b/blog/posts/nightly-arm64-syslog-ng-container-builds-are-now-available
- Nightly packages for Debian / Ubuntu are available for x86_64: https://www.syslog-ng.com/community/b/blog/posts/nightly-syslog-ng-builds-for-debian-and-ubuntu
- Weekly git snapshot builds are available for openSUSE / SLES & Fedora / RHEL & compatibles: https://www.syslog-ng.com/community/b/blog/posts/rpm-packages-from-syslog-ng-git-head/
- https://github.com/czanik/freebsd/tree/master/syslog-ng4-devel has up-to-date FreeBSD ports. However, you have to build the syslog-ng source tgz yourself and place it under /usr/ports/distfiles.
All these contain the very latest syslog-ng code, in preparation for 4.9.0. If you want to test what is coming to syslog-ng 4.8.2, you can do that on Fedora / RHEL & compatibles by installing syslog-ng-4.8.1.90.g63cdee6 from the abovementioned repository:
```
dnf install syslog-ng-http-4.8.1.90.g63cdee6
```
Just make sure that you always use this version, otherwise dnf will install the latest available syslog-ng version.

Another option is to compile syslog-ng from source. In this case, you can download the syslog-ng source code from https://github.com/syslog-ng/syslog-ng/. The default git branch now is “develop”, containing the latest syslog-ng code and what you can expect to see in 4.9.0 as of today. If you want the source code for 4.8.2, switch to the “master” branch. Note that in the future, this branch will only contain released code, as we are in a transition period right now.

What to test?

Version 4.8.2 will contain two major bug fixes (and several smaller changes):
- The 4.8.1 release brought in some incompatible changes to the format-json() template function to fix a crash. However, it broke several SCL-based drivers, which were not updated accordingly, including elasticsearch-http(). This is now fixed and debugging was also made easier. Elasticsearch, Opensearch, and others should work again.
- The S3 destination driver had some message loss problems, which were addressed in a refactor. But along the way, we also made some major performance improvements as well. You can read more about the changes at: https://github.com/syslog-ng/syslog-ng/pull/5257
Version 4.9.0 will contain many new features and under the hood changes. Some are not easy to test, unless you compile syslog-ng yourself, as they require using the slightly-modified bundled ivykis library (https://github.com/syslog-ng/syslog-ng/pull/5312). Most packaging in Linux distributions and in FreeBSD use the latest official ivykis release, as the use of bundled libraries is not allowed (and not recommended).
- Formatting the output of the syslog-ng-ctl stats and syslog-ng-ctl query commands is unified. You can learn more about how to use the new --format option at https://github.com/syslog-ng/syslog-ng/pull/5248
- Added inotify-based regular file change detection to the wildcard-file() source using the existing inotify-based directory monitor. This improves efficiency on OSes like Linux, where only polling was available before, significantly reducing CPU usage while also enhancing change detection accuracy. You can learn how to configure it at https://github.com/syslog-ng/syslog-ng/pull/5315
What is next?

Please provide your feedback! Obviously, we need testing and bug reports to make sure that all bugs are fixed, and no new bugs are introduced before the new release. Post these at https://github.com/syslog-ng/syslog-ng/issues However, besides bug reports, any kind of feedback is very welcome, such as knowing whether your old config works with the new release, or whether you experience any syslog-ng performance improvements. You can post these at https://github.com/syslog-ng/syslog-ng/discussions or on the mailing list.

-

If you have questions or comments related to syslog-ng, do not hesitate to contact us. You can reach us by email or even chat with us. For a list of possibilities, check our GitHub page under the “Community” section at https://github.com/syslog-ng/syslog-ng. On Twitter, I am available as @PCzanik, on Mastodon as @Pczanik@fosstodon.org.

April 21, 2025

Michael Catanzaro Safety on Matrix
Hello Matrix users, please review the following:
- Update from Matrix Trust & Safety team regarding attacks on the Matrix network
- GNOME’s new Matrix safety guidelines
Be cautious with unexpected private message invites. Do not accept private message invites from users you do not recognize. If you want to talk to somebody who has rejected your invite, contact them in a public room first.

Fractal users: Fractal 11.rc will block media preview by default in public rooms, and can be configured to additionally block media preview in private rooms if desired.

Matrix server administrators: please review the Matrix.org Foundation announcement Introducing Policy Servers.

April 20, 2025

Nazi.Compare Deja vu: Hitler's Birthday, Andreas Tille elected Debian Project Leader again
Adolf Hitler was born on 20 April 1889 in Austria. Today would be the Fuhrer's 136th birthday.

In 2025, just as in 2024, the Debian Project Leader (DPL) election finished on Hitler's birthday.

In 2025, just as in 2024, the Debian Project Leader (DPL) election winner is the German, Andreas Tille.

History repeating itself? Iti is a common theme in the world today. Let's hope not.

We reprint the original comments about this anniversary from 2024.

In 1939, shortly after Hitler annexed Austria, the Nazi command in Berlin had a big celebration for the 50th birthday of Adolf Hitler. It was such a big occasion that it has its own Wikipedia entry.

One of the quotes in Wikipedia comes from British historian Ian Kershaw:

an astonishing extravaganza of the Führer cult. The lavish outpourings of adulation and sycophancy surpassed those of any previous Führer Birthdays

For the first time ever, the Debian Project Leader election has finished just after 2am (Germany, Central European Summer Time) on the birthday of Hitler and the winning candidate is Andreas Tille from Germany.

Hitler's time of birth was 18:30, much later in the day.

Tille appears to be the first German to win this position in Debian.

We don't want to jinx Tille's first day on the job so we went to look at how each of the candidates voted in the 2021 lynching of Dr Richard Stallman.

This blog previously explored the question of whether Dr Stallman, who is an atheist, would be subject to anti-semitism during the Holocaust years because of his Jewish ancestry. We concluded that RMS would have definitely been on Hitler's list of targets.

Here we trim the voting tally sheet to show how Andreas Tille and Sruthi Chandran voted on the question of lynching Dr Stallman:
```
       Tally Sheet for the votes cast. 
 
   The format is:
       "V: vote 	Login	Name"
 The vote block represents the ranking given to each of the 
 candidates by the voter. 
 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

     Option 1--------->: Call for the FSF board removal, as in rms-open-letter.github.io
   /  Option 2-------->: Call for Stallman's resignation from all FSF bodies
   |/  Option 3------->: Discourage collaboration with the FSF while Stallman is in a leading position
   ||/  Option 4------>: Call on the FSF to further its governance processes
   |||/  Option 5----->: Support Stallman's reinstatement, as in rms-support-letter.github.io
   ||||/  Option 6---->: Denounce the witch-hunt against RMS and the FSF
   |||||/  Option 7--->: Debian will not issue a public statement on this issue
   ||||||/  Option 8-->: Further Discussion
   |||||||/
V: 88888817	          tille	Andreas Tille
V: 21338885	           srud	Sruthi Chandran
```
We can see that Tille voted for option 7: he did not want Debian's name used in the attacks on Dr Stallman. However, he did not want Debian to denounce the witch hunt either. This is scary. A lot of Germans were willing to stand back and do nothing while Dr Stallman's Jewish ancestors were being dragged off to concentration camps.

The only thing necessary for the triumph of evil is that good men do nothing.

On the other hand, Sruthi Chandran appears to be far closer to the anti-semitic spirit. She put her first and second vote preferences next to the options that involved defaming and banishing Dr Stallman.

Will the new DPL be willing to stop the current vendettas against a volunteer and his family? Or will Tille continue using resources for stalking a volunteer in the same way that Nazis stalked the Jews?

Adolf Hitler famously died by suicide, a lot like the founder of Debian, Ian Murdock, who was born in Konstanz, Germany.

Will Tille address the questions of the Debian suicide cluster or will he waste more money on legal fees to try and cover it up?

April 17, 2025

Adam Young Decomposing Vector X Matrix
If we want to distribute the mathematical processing of a matrix multiplication we need an algorithm that can be split and performed in parallel. Looking at the algorithm I alluded to in the last article, I think I can see how to do that. Here’s my thinking.

To multiple a Matrix M with a Vector f use the top equation.

The second equation is for a single element in the solution vector g.

The third equation is a rewrite of the second equation broken into two stages. I have explicitly made these sub-functions of size 4, although the approach should be generalizable.

in code

int DIM = 4;
```
for (int i = 0; i < DIM; i++){
    g[i] = 0;
    for int (j = 0; j < DIM; j++){
        g[i] = g[i] + M[i][j] * f[i];
    }
}
What should be clear is that the body of the outer loop could be executed in parallel.  However, that still has us working on a complete vectors worth of math at a time, and we are going to want to chunk up that vector.
Lets use n as to mean the number of elements in the vector, which is also the number of elements in one dimension of the matrix.
```
```
int DIM = 4;

int n = 2;

for (int i = 0; i < DIM; i++){
    g[i] = 0;

    for int (k = 0; k < DIM/n; k++){
        for (m=0; m < n; m++){ 
            j = m * k;
            g[i] = g[i] + M[i][j] * f[i];
        }
    }
}
```
It should be fairly clear that these are performing the same operations. What is different is the mechanism by which the loop counters are incremented.

Lets step through it. I am going to use a 2X2 matrix to start

g[1] = bh + gh
```
M = [ [a,b][c,d]]    f= [g,h]

DIM = 2

n = 1

i = 0;

g[i] = 0

j =0

// g[i] = 0 + M[i,j] * f[i]   

//       = 0 + M [0,0] = f[0]

g[0] = ag

i=0, j=1

g[0] = ag + bg

i=1

g[1] = 0

i=1; j =0 

g[1] = 0 + bh

i=1; j =1
```
Thus our final vector = [[ag + bg, bh + gh]]

It should be fairly clear that the only difference between the algorithms should be the increment of the k and m variables and their summation into j.

what we then want to do is to be able to call a function that executes just the innermost loop:
```
void partial(k, i, g, M, f){ 
        for (m=0; m < n; m++){ 
            j = m * k;
            g[i] = g[i] + M[i][j] * f[i];
        }
}
```
Or a comparable function that calculates the same values. More on this in an future article.
Cockpit Project Cockpit 337
Cockpit is the modern Linux admin interface. We release regularly.

Here are the release notes from Cockpit 337, cockpit-podman 104, cockpit-files 19, cockpit-machines 330, and cockpit-ostree 208:

A fresh new style, upgraded to PatternFly 6

Cockpit features a refreshed style, thanks to the latest major version of PatternFly. This update replaces the previous “industrial” look with a more modern “airy” design, featuring even more rounded corners, fewer borders, and improved visual consistency. This release also includes numerous UI-related bug fixes.

The visual changes apply to the core Cockpit interface and all official plugins (including cockpit-files, cockpit-machines, cockpit-podman, and cockpit-ostree). We have tested the new look in both light and dark styles, verified accessibility, and confirmed compatibility with right-to-left (RTL) languages. We are happy with the state of the migration and are ready to share it with everyone.

If you do encounter any issue, please file a bug report to let us know!

For plugin developers: We wrote a guide for upgrading to PatternFly 6.

Software updates: Support dnf needs-restarting

On CentOS Stream and Red Hat Enterprise Linux 10, the Software Updates page uses dnf needs-restarting to check if updates only need service restarts or require a full reboot. This replaces the tracer tool previously used in version 9.

Podman: Link service containers to service pages

Containers managed by systemd link to the Services page, where these containers can be stopped or restarted.

Podman: Connect to other accounts with containers

Administrators sometimes run services as unprivileged containers on other system user accounts, for isolation purposes. These system users typically don’t have a password and thus one cannot log into Cockpit as a system user.

When starting, Cockpit Podman scans the system for other accounts with running containers and provides a means to connect to Podman services on other accounts.

Note that you can only connect to one account at a time, to avoid breaking isolation.

Files: Symbolic link creation

Create symbolic links (symlinks) for files and directories by right-clicking and selecting the Create link menu entry. Both relative and absolute path symlinks are supported.

Try it out

Cockpit 337, cockpit-podman 104, cockpit-files 19, cockpit-machines 330, and cockpit-ostree 208 are available now:

April 16, 2025

Rajeesh K Nambiar Results of RIT-KaChaTaThaPa-Sayahna open font competition 2025
In first of a kind movement to develop free and open source fonts for traditional Malayalam scripts, the Rachana Institute of Technology, KaChaTaThaPa Foundation and Sayahna Foundation had previously announced font design competition in May 2024.

Many participants registered from all over India and shared their initial design of a few selected characters. Ten submissions were shortlisted, and the selected participants were invited for a two-day in person workshop conducted at River Valley campus, Trivandrum. The workshop was lead by the jury members — Dr. KH Hussain who designed notably Rachana and Meera fonts (among many other); eminent calligrapher and designer of Sundar, Ezhuthu, Karuna & Chingam fonts, Narayana Bhattathiri; type designer and multi-scripts expert Vaishnavi Murthy; and yours truly. High quality sessions & feedback from the speakers and lively interactive sessions enlightened both experienced and non-technical designers about the intricacies of typeface design.

Participants of the font workshop held at River Valley Campus, Trivandrum, in August 2024.

Refinement

To manage the glyph submissions for collaborative font projects, a friend of mine and I built a web service. The designers just need to create each character in SVG format and upload into their font project. This helped to abstract away from the designers all the technical complexities, such as assigning correct Unicode codepoint, correct naming convention, OpenType layout & shaping etc.

There was mid-term evaluation of the completed glyph set in October 2024; and a couple of online sessions where the jury pointed out necessary corrections and improvements required for each font.

The final submissions were done near the end of December 2024; and further refinements ensued. All the participants were very receptive to the constructive feedback and enthusiastic to improve the fonts. The technical work for final font production was handled by your humble correspondent.

Results

In March 2024, the jury made a final evaluation and adjudged the winners of the competition. All the six fonts completed are published as open source, and they can be downloaded from Rachana website. See the report for the winning entries, font specimens & posters, prize money, and all other details.

RIT Thaara (താര), calligraphic style, named after Sabdatharavali.

RIT Lekha (ലേഖ), body text font.

RIT Lasya (ലാസ്യ). The Latin glyphs were drawn independently based on Akaya Kannada font, as suggested by a jury member.

RIT Ala (അല).

RIT Keram Bold (കേരം).

RIT Indira Bold (ഇന്ദിര).

I am very happy to have the chance to collaborate over the course of a year with designers from various backgrounds to develop beautiful traditional Malayalam orthography fonts and make them all available under free license. I would like to thank the jury members who did exemplary work in evaluating the designs and providing constructive feedback & guidance multiple times that helped to refine the fonts; CVR for the work to create web pages on Rachana website; and the three Foundations for the initiative and funding to make this all possible. Full disclosure: all the jury members worked in volunteer capacity.

Next competition

RIT-KaChaTaThaPa-Sayahna foundations have already announced plans for next open font design competition! This time the focus is on body text fonts.
- Competition details in English (or https://rachana.org.in/fcomp-2026-ann.html)
- Competition details in Malayalam
- Register here.

April 15, 2025

Michael Catanzaro Dangerous Arbitrary File Read Vulnerability in Yelp (CVE-2025-3155)
I don’t normally blog about particular CVEs, but Yelp CVE-2025-3155 is noteworthy because it is quite severe, public for several weeks now, and not yet fixed upstream. In short, help files can read your filesystem and execute arbitrary JavaScript code, allowing an attacker to exfiltrate any files your Unix user has access to. Thank you to parrot409 for responsibly disclosing this issue and going above and beyond to provide patches.
- By default, all major browsers allow websites to download files automatically, without user interaction, so installing a malicious help file into your Downloads directory is simple. (If you ever find an unexpected file in your Downloads directory, be careful and maybe don’t open it. Cautious users may wish to configure their browsers to prompt before saving a download.)
- The malicious website would next attempt to open the special URL ghelp:///proc/self/cwd/Downloads. This relies on the assumption that the web browser runs with your home directory as current working directory, which in practice will generally be true when launched from your desktop environment.
- Chrome and Firefox prompt the user for permission before launching Yelp. If you grant permission, then Yelp launches and you lose. Don’t grant permission. Beware: both browsers have an “always allow” checkbox, and you won’t be prompted for permission if you’ve ever checked it when opening a ghelp URL in the past.
- Epiphany does not prompt the user for permission before opening the URL. Minimal user interaction is required for the attacker to win. If you use Epiphany or any other browser that opens links in external programs without user confirmation, you should immediately uninstall Yelp, or at least change your Downloads directory to something nonstandard.
Timeline:
- December 25: Bug is reported to GNOME Security.
- February 24: The reporter proposes these patches to fix the issue.
- March 26: The 90 day disclosure deadline is reached, so I make the issue report public even though it is not yet fixed. At this point, due to insufficient creativity, I incorrectly assume the issue is likely to be used only in targeted attacks, because it seems to require the attacker to know the path to your downloads directory, which will normally include your Unix username.
- April 5: The bug reporter posts a detailed write-up including a nice GIF to demonstrate the attack exfiltrating ~/.ssh/id_rsa in Chrome. This attack uses /proc/self/cwd/Downloads, bypassing the requirement to know your Unix username.
- April 13: GNOME Security is notified of the write-up.
If you are a Linux operating system vendor, please consider applying the provided patches even though they have not yet been accepted upstream. They’re probably not worse than the status quo!
Fedora fans نسخه نهایی لینوکس فدورا ۴۲ منتشر شد

در تاریخ ۱۵ آوریل ۲۰۲۵، نسخه نهایی فدورا لینوکس ۴۲ منتشر شد. این نسخه، حاصل تلاش‌های گسترده جامعه متن‌باز است که هزاران توسعه‌دهنده از سراسر جهان در آن مشارکت داشته‌اند. ارتقاء یا نصب تازه ارتقاء از نسخه‌های قبلی: اگر از نسخه‌های قبلی فدورا استفاده می‌کنید، ارتقاء به فدورا ۴۲ آسان است. می‌توانید با مراجعه به […]
The post نسخه نهایی لینوکس فدورا ۴۲ منتشر شد first appeared on طرفداران فدورا.
Christian F.K. Schaller Fedora Workstation 42 is upon us!
We are excited about the Fedora Workstation 42 released today. Having worked on some great features for it.

Fedora Workstation 42 HDR edition
I would say that the main feature that landed was HDR or High Dynamic Range. It is a feature we spent years on with many team members involved and a lot of collaboration with various members of the wider community.

GNOME Settings menu showing HDR settings
The fact that we got this over the finish line was especially due to all the work Sebastian Wick put into it in collaboration with Pekka Paalanen around HDR Wayland specification and implementations.
Another important aspect was tools like libdisplay which was co-created with Simon Ser, with others providing more feedback and assistance in the final stretch of the effort.

HDR setup in Ori and Will of the Wisps

That said a lot of other people at Red Hat and in the community deserve shout outs for this too. Like Xaver Hugl whose work on HDR in Kwin was a very valuable effort that helped us move the GNOME support forward too. Matthias Clasen and Benjamin Otte for their work on HDR support in GTK+, Martin Stransky for his work on HDR support in Firefox, Jonas Aadahl and Olivier Fourdan for their protocol and patch reviews. Jose Exposito for packaging up the Mesa Vulkan support for Fedora 42.

One area that should benefit from HDR support are games. In the screenshot about you see the game Ori and the Will of the Wisps which is known for great HDR support. Valve will need to update to a Wine version for Proton that supports Wayland natively though before this just works, at the moment you can get it working using gamescope, but hopefully soon it will just work under both Mutter and Kwin.

Also a special shoutout to the MPV community for quickly jumping on this and releasing a HDR capable video player recently.

MPV video player playing HDR content

Of course getting Fedora Workstation 42 to out with these features is just the beginning, with the baseline support it now is really the time when application maintainers have a real chance of starting to make use of these features, so I would expect various content creative applications for instance to start having support over the next year.

For the desktop itself there are also open questions we need to decide on like:
- Format to use for HDR screenshots
- Better backlight and brightness handling
- Better offloading
- HDR screen recording video format
- How to handle HDR webcams (seems a lot of them are not really capable of producing HDR output).
- Version of the binary NVIDIA driver released supporting the VK_EXT_hdr_metadata and VK_COLOR_SPACE_HDR10_ST2084_EXT Vulkan extension on Linux
- A million smaller issues we will need to iron out
Accessibility
Our accessibility team has been hard at work trying to ensure we have a great accessibility story in Fedora Workstation 42. Our accessibility team with Lukas Tyrychtr and Bohdan Milar has been working hard together with others to ensure that Fedora Workstation 42 has the best accessibility support you can get on Linux. One major effort that landed was the new keyboard monitoring interface which is critical for making Orca work well under Wayland. This was a collaboration of between Lukas Tyrychtr, Matthias Clasen and Carlos Garnacho on our team. If you are interested in Accessibility, as a user or a developer or both then make sure to join in by reaching out to the Accessibility Working group

PipeWire
PipeWire also keeps going strong with continuous improvements and bugfixes. Thanks to the great work by Jan Grulich the support for PipeWire in Firefox and Chrome is now working great, including for camera handling. It is an area where we want to do an even better job though, so Wim Taymans is currently looking at improving video handling to ensure we are using the best possible video stream the camera can provide and handle conversion between formats transparently. He is currently testing it out using a ffmpeg software backend, but the end goal is to have it all hardware accelerated through directly using Vulkan.

Another feature Wim Taymans added recently is MIDI2 support. This is the next generation of MIDI with only a limited set of hardware currently supporting it, but on the other hand it feels good that we are now able to be ahead of the curve instead of years behind thanks to the solid foundation we built with Pipewire.

Wayland
For a long time the team has been focused on making sure Wayland has all the critical pieces and was functionality wise on the same level as X11. For instance we spent a lot of time and effort on ensuring proper remote desktop support. That work all landed in the previous Fedora release which means that over the last 6 Months the team has had more time to look at things like various proposed Wayland protocols and get them supported in GNOME. Thanks to that we helped ensure the Cursor Shape Protocol and Toplevel Drag protocols got landed in time for this release. We are already looking and what to help land for the next release, so expect a continued acceleration in Wayland protocol adoption going forward.

First steps into AI
So an effort we been plugging away at recently is starting to bring AI tooling to Open Source desktop applications. Our first effort in this regard is Granite.code. Granite.code is a extension for Visual Studio Code that sets up a local AI engine on your system to help with various tasks including code generation and chat inside Visual Studio Code. So what is special about this effort is that it relies on downloading and running a copy of the open source AI Granite LLM model to your system instead on relying on it being run in a cloud instance somewhere. That means you can use Granite.code without having to share your data and work with someone else. Granite.code is still very early stage and it requires a NVIDIA or AMD GPU with over 8GB of video ram to use under Linux. (It also runs under Windows and MacOS X). It is still in a pre-release stage, we are waiting for the Granite 3.3 model update to enable some major features for us before we make the first formal release, but for those willing to help us test you can search for Granite in the Visual Studio Code extension marketplace and install it.
We are hoping though that this will just the starting point where our work can get picked up and used by other IDEs out there too and also we are thinking about how we can offer AI features in other parts of the desktop too.

Granite.code running on Linux
Peter Czanik Working with Active Roles debug logs in syslog-ng
From my previous Active Roles blogs, you could learn how to forward regular Active Roles logs from Windows Event Log to a central syslog-ng server, where it parses, filters, stores and forwards the logs. In this blog, I show you how to work with Active Roles debug logs, that is reading them using syslog-ng Agent for Windows and forwarding them to a central syslog-ng server for long(er) term storage.

Debug logs are typically huge and the Active Roles debug logs are no exceptions, so you must make sure that you collect them only when really necessary. However, there can be situations when you need to collect these logs centrally for easier access or even long-term storage. Active Roles might generate gigabytes of debug logs even in just a few hours, so make sure that you collect these logs separately from the rest of your logs. This way, you can easily discard these logs when they are no longer needed.

Before you begin

If you want to test what you read in this blog, you need 2-4 hosts. Installing Active Roles needs 1-3 Windows Server machines, while installing the syslog-ng PE server needs a supported Linux host. Describing the system requirements or the installation processes are outside the scope of this blog. Contact One Identity at https://www.syslog-ng.com/register/115582/ to receive a trial version of syslog-ng Premium Edition and help to get started. A free trial of Active Roles can be found at https://www.oneidentity.com/register/62175/.

Collecting Active Roles debug logs

You can enable debug logging from the Active Roles Configuration Center. There are five different debug logs, all disabled by default, as they can quickly produce an insane amount of logs. You can see a list of log sources together with paths and file names. For the purpose of this blog, I chose the first one from the list, which stores logs to the C:\Program Files\One Identity\Active Roles\<active-roles-version>\Service directory, with the ds.log file name.

Note that on the syslog-ng Agent for Windows side, we extend the configuration we did in the first blog of the series: https://www.syslog-ng.com/community/b/blog/posts/collecting-active-roles-logs-centrally-using-the-syslog-ng-windows-agent As such, we do not discuss here how to add a destination.

In the syslog-ng Agent for Windows MMC, go to “File Sources”, and make sure that it is set to “Enable”. You can now add a new file source. First, enter the directory name from above (might be slightly different on your host) and the file name. As Active Roles sometimes produces multi-line log messages, we also add a Prefix for the date format. Set “Application” to “Custom”, then enter the following expression:
```
\[[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}\.[0-9]{3}\]
```
Yes, it is ugly and all Active Roles debug logs have a slightly different format. Having this properly configured makes sure that multi-line log messages are forwarded as a single message. If you are not comfortable enough with writing regular expressions, you should use websites like https://regexr.com/ or similar services to create one.

Once you have restarted syslog-ng Agent for Windows, your central syslog-ng server is flooded with debug logs from Active Roles.

Configuring the syslog-ng PE server

In my previous blog, we built a syslog-ng configuration, which collected log messages from Windows using the RFC5424 syslog protocol, parsed and filtered the logs, and finally stored them to various destinations. We do not explain the various destinations here again, only the changes. You can find the second Active Roles + syslog-ng PE blog at https://www.syslog-ng.com/community/b/blog/posts/working-with-parsed-active-roles-logs-in-syslog-ng for more details.

You should append this configuration to your syslog-ng.conf:
```
# source for Windows clients, RFC5424
source s_win {
  syslog(port(601));
};

# xml parser for Windows XML logs
parser p_xml {
  xml(prefix('winxml.'));
};

# destination for Windows logs
destination d_fromwin {
  file("/var/log/fromwin");
  file("/var/log/fromwin.json" template("$(format-flat-json --scope rfc5424 --scope dot-nv-pairs
        --rekey .* --shift 1 --scope nv-pairs --exclude MESSAGE)\n") );
};

# destination for debug logs
destination d_fromdebug {
  file("/var/log/fromdebug");
  file("/var/log/fromdebug.json" template("$(format-flat-json --scope rfc5424 --scope dot-nv-pairs
        --rekey .* --shift 1 --scope nv-pairs)\n") );
};

# destination for syslog-ng Agent for windows internal logs
destination d_frominternal {
  file("/var/log/frominternal");
  file("/var/log/frominternal.json" template("$(format-flat-json --scope rfc5424 --scope dot-nv-pairs
        --rekey .* --shift 1 --scope nv-pairs)\n") );
};


# Elasticsearch destination for easy searching and reporting
destination d_elasticsearch_http {
    elasticsearch-http(
        index("syslog-ng")
        type("")
        user("elastic")
        password("-w35jWfY_syp577m-UfS")
        url("https://localhost:9200/_bulk")
        template("$(format-json --omit-empty-values --scope rfc5424 --scope dot-nv-pairs
        --rekey .* --shift 1 --scope nv-pairs
        --exclude DATE --exclude MESSAGE
        --exclude winxml.Event.EventData.*
        @timestamp=${ISODATE})")
        tls(peer-verify(no))
    );
};

# long term storage for regular Active Roles logs
destination d_logstore {
  logstore("/var/log/ars.lgs" compress(9) );
};

# long term storage Active Roles debug logs
destination d_debugstore {
  logstore("/var/log/arsdebug.lgs" compress(9) );
};

# alerts to file and Slack
destination d_alerts {
  file("/var/log/alerts.txt");
  slack(
    hook-url("https://hooks.slack.com/services/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")
    template("User ${.SDATA.win@18372.4.EVENT_USERNAME} deleted a ${.SDATA.win@18372.4.EVENT_SID_TYPE} on ${HOST} using ARS")
  );
};

# log path for logs from syslog-ng Agent for Windows
log {
  source(s_win);
# syslog-ng Agent for Windows and logs read from files come with
# "syslog-ng-agent" as program name
  if ("${PROGRAM}" eq "syslog-ng-agent") {
# if there is a file name
    if ("${.SDATA.file@18372.4.name}" ne "") {
      destination(d_fromdebug);
      destination(d_debugstore);
      flags(final);
# the rest are internal logs
    } else {
      destination(d_frominternal);
    };
  };
# all other logs come in XML format from the Agent
  parser(p_xml);
  destination(d_fromwin);
  destination(d_elasticsearch_http);
# regular Active Roles logs are saved to LogStore
  if ("${PROGRAM}" eq "ARAdminSvc") {
    destination(d_logstore);
  };
# send an alert if someone deletes an object using Active Roles
  if ("${.SDATA.win@18372.4.EVENT_TASK}" eq "ObjectDelete") {
    destination(d_alerts);
  };
};
```
Let’s check this configuration in more detail, focusing on the new elements and changes in the log path.

There are two new file destinations added. The first one is called “d_fromdebug” and this is where debug logs from Active Roles are stored in plain text and in JSON format. Unlike in “d_fromwin”, the content of the MESSAGE macro is not parsed, so we keep it in the logs as-is. The second one is for internal syslog-ng Agent for Windows log messages, which would be otherwise hard to find if logged together with Active Roles debug logs.

There is also a new LogStore destination for debug logs, which enables compression.

The heart of the configuration is the log path. This was rewritten almost from scratch. I tried to include plenty of comments in this part for clarity, but I will also explain it below in more detail.

The log path starts with a block dedicated to logs where the program name is “syslog-ng-agent”. Why? Because all Active Roles debug logs also belong to this category. The Agent reads the log files and forwards them to the syslog-ng PE server. As there is no application name associated with text files, the Agent uses its own name as PROGRAM. Processing the busiest log source first and storing it with the “final” flag helps to lower the load on the rest of the processing pipeline.

The rest of the logs from the Agent are parsed with an XML parser and saved to various destinations, as it was done previously.

What is next?

Even if this configuration looks complex, it is simplified in many ways. For example, while you should use encryption in a production environment, for the sake of this test, we simply send messages in clear text. Using date macros in file names could also help you delete old debug logs, either by hand or using a script.

Also, did I mention that debug logs are huge? In my environment, collecting logs just for half an hour resulted in about 10 megabytes of Windows and regular Active Roles logs, and close to half a gigabyte of debug logs. However, the good news is that using the LogStore destination with compression can store the same amount of logs in approximately 20 megabytes.

-

If you have questions or comments related to syslog-ng, do not hesitate to contact us. You can reach us by email or even chat with us. For a list of possibilities, check our GitHub page under the “Community” section at https://github.com/syslog-ng/syslog-ng. On Twitter, I am available as @PCzanik, on Mastodon as @Pczanik@fosstodon.org.

April 14, 2025

Adam Young Javac for Building the PrismLauncher on Ubuntu

I peridocially fall off the wagon and get drawn back into playing Minecraft. I’ve decided that, in order to make this time not wasted, I need to do something constructive with this urge. Last time I played Minecraft, I found the MultiMC launcher would no longer work. Being a fan of C++ and open source projects, I was not happy with this state. A friend suggested I try the PrismLauncher fork of the code base.

Prism does not seem to have a native Debian based build available, although I admit I did not look very hard. I don’t want to install flatpacks or other binary management software just for one app. So, I figured I would build from sources.

I have cloned the repo and checked out the latest release version. Following the instructions failed fairly quickly with the error:

error: Target option 7 is no longer supported. Use 8 or later.

This was after a long line of Java based commands, I assumed it had to do with the fact that my machine is running Open JDK V 21 and we needed something older: the build instructions say Java -17, which I also have installed.

For this, I had to switch the javac compiler set by default, using the alternatives framework:

For the Java Exe this is

sudo update-alternatives –config java
There are 3 choices for the alternative java (providing /usr/bin/java).

Selection Path Priority Status
————————————————————
* 0 /usr/lib/jvm/java-21-openjdk-amd64/bin/java 2111 auto mode
1 /usr/lib/jvm/java-17-openjdk-amd64/bin/java 1711 manual mode
2 /usr/lib/jvm/java-21-openjdk-amd64/bin/java 2111 manual mode
3 /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java 1081 manual mode

And for the Javc compiler

sudo update-alternatives –config javac
There are 2 choices for the alternative javac (providing /usr/bin/javac).

Selection Path Priority Status
————————————————————
* 0 /usr/lib/jvm/java-21-openjdk-amd64/bin/javac 2111 auto mode
1 /usr/lib/jvm/java-17-openjdk-amd64/bin/javac 1711 manual mode
2 /usr/lib/jvm/java-21-openjdk-amd64/bin/javac 2111 manual mode

I then needed to switch them back in order to run, as Minecraft needs a version later than 17 (suggested 21).

April 13, 2025

Ismael Olea A Wikibase call for action at the Wikimedia Hackathon 2025
Wikimedia Hackathon 2025.

This year I have again received a grant from the WMF to attend to the annual Wikimedia Hackathon, this year is in Istanbul. I’m very grateful to them.

Since 2024 I’m very interested in the Wikibase platform since we are using it at LaOficina and is a main topic for the DHwiki WG. I’m not going into details but, from the very beginning, my first thoughs of involvement in the hackathon are related with Wikibase. Specially the need of «productization» and reduce entry barriers for Wikibase adoption, at least in my personal experience. Lately I’ve been thinking in very specific goals I think could be done in the hackathon:
- T391815 Wikibase Request for Comment: essential minimalist ontology
- T391821 Wikibase Request for Comment: an inventory of Wikibase related artifacts
- T391826 Wikibase Request for Comment: Wikibase Suite full multimedia proof of concept configuration
- T391828 Wikibase Request for Comment: a method for portable wikibase gadgets
The point is, I can’t do this alone. I have beend working on most of these things for months, but still are finished. Many different skills needed, lack of experience on some of them, etc.

So, the goal of this post is to call for action other attendants at the hackathon to join to work on them. The most relevant required skills (from my lack of skills point of view) are about MediaWiki integration, configuration and programming. For T391828, the most important is to be familiar with MediaWiki gadgets and for T391815, some practical experience in setting up ontologies in Wikibase.

All the practical results will be offered to the Wikibase developers for their consideration.

If you are interested please reach me in Telegram or at your preference. I also would love to set up a Wikibase zone in the hacking space for people working with Wikibase, with these or other tasks.

So, I’ll see you soon in Istanbul o/
Daniel Pocock Influencers: Red Hat, Incâ€™s IPO, 1999, post-mortem on the directed share offer to open source developer community
Red Hat, Inc decided to list shares on the stock market for the first time in 1999.

The plan was announced in June 1999. Around 21 July 1999, Red Hat sent a private email to external developers and volunteers offering them the opportunity to buy the shares at the opening price.
```
Subject: A personal invitation from Red Hat

Dear open source community member: In appreciation of your contribution
to the open source community, Red Hat is pleased to offer you this personal,
non-transferable, opportunity.

Red Hat couldn't have grown this far without the ongoing help and
support of the open source community,

...

Therefore, we have reserved a portion of the stock in our offering for
distribution online to certain members of the open source community.
We invite you to participate.

...
```
It is important to emphasize that Red Hat was not giving the shares away for free. People had to pay for them. They were not stock options either, they were full shares, which meant people had to submit payment for the full price of every share they wanted.

There were limits on the offer. According to the prospectus filed with the SEC, a total of 800,000 shares were reserved out of the 6 million shares in the IPO.

At the request of Red Hat, the underwriters have reserved up to 800,000 shares of common stock for sale at the initial public offering price through a directed share program, to directors, officers and employees of Red Hat and to open source software developers and other persons that Red Hat believes have contributed to the success of the open source software community and the growth of Red Hat.

The IPO took place on 11 August 1999.

On 17 August 1999, ZDNet published a report, "Linux hackers miss IPO boat". In their report, they tell us that the offer was sent to 3,500 open source developers and approximately 2,000 developers responded. Out of that, approximately 200 developers were rejected and didn't get any stock due to SEC regulations that protect inexperience investors from this type of offer. The report notes that each developer was entitled to buy a minimum of 100 shares and a maximum of 400 shares.

If all 3,500 recipients had asked for 400 shares each that would have been a demand for 1.4 million shares, well in excess of the 800,000 shares reserved for the program. It appears that the reserved shares were not fully subscribed by volunteers and E*Trade started offering some of them to the rest of their customers.

In practice, it appears that 1,800 people successfully asked for the shares but we don't know how many each person received. It is in the range from 180,000 to 720,000 shares. The developers were given shares at a price of $14 per share. The share price went up to $50 per share and a few days later it was $85.25 per share at the time of the ZDNet article. 720,000 shares at $85.25 per share means that volunteers had acquired $61.4 million of equity in Red Hat.

Under SEC rules, management can not publicly promote their company in the three months before an IPO and in the month after the IPO.

By sending this offer to 3,500 developers Red Hat was able to create an army of influencers who discussed the IPO far and wide.

Looking at the Slashdot archives, we find approximately a dozen different Slashdot reports about the IPO. Each of those reports has hundreds of comments.

Some related news reports:

Wired emphasizes many of the offers were sent to Debian Developers.

CNet published a report about the negative responses in the community.

C. Scott Ananian writes about jumping through hoops to get some shares and the pain of being excluded from the offer.
Sonar published an article looking back at the scheme and they include some fresh quotes from Bob Young.

Linux World published an article back in the day and then decided to hide it. The article is quoted in this 2018 blog post from Harish Pillay.

On the debian-private gossip network, of which thousands of messages have already been leaked for the period before the IPO, there was intense discussion about the proposition.
```
Subject: Re: RedHat Surprise
Date: Wed, 21 Jul 1999 09:34:29 -0500 (EST)
From: chris mckillop <cdmckill@warg.uwaterloo.ca>
Reply-To: chris mckillop <cdm@debian.org>
To: Ivan E. Moore II <rkrusty@tdyc.com>
CC: debian-private@lists.debian.org

On Wed, 21 Jul 1999, Ivan E. Moore II wrote:

> > > Would it be possible for uninterested Debian developers to pool their
> > > offers towards a common "Debian" buyout?  Perhaps we could end up with
> > > some kind of shareholder voting power?  (of course, then we'd need
> > > a new mailing list, debian-redhat-takeover)
> > > 
> > 
> > 	This would be amazing!  Is it legal??
> 
> <side note> Now, if Debian wanted to as a whole do this for the sole purpose
> of an investment and not for some monopolistic control standpoint than that
> would be a different story. (not saying that's what the intent was, but that's
> just what I fear).  </sn>
> 

	I am looking for a way to put say, $300 up into the IPO as
a Canadian.  With the offer RedHat is making, is it legal for
someone to do this?

	chris


^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
chris mckillop - cdm@debian.org    "The faster I go, the behinder I get."
Debian GNU/Linux                     -- Lewis Carroll http://www.debian.org/
Waterloo Aerial Robotics Group - http://ece.uwaterloo.ca/~warg/
```
Buying out a company is not so easy. A few months later, in November 1999, Red Hat simply created more shares, diluting the value of existing shares. The new shares were used to acquire a competitor, Cygnus. The cash raised from the IPO gave Red Hat the balance sheet to justify the takeover on terms that were good for Red Hat management.

The proposition sent to open source volunteers helped Red Hat identify potential recruits without having to go through recruitment agencies.

In modern times, we see a lot more news reports around the ethical issues facing influencers on social media. In 1999, there were no regulations for influencers. In fact, the term influencer didn't even exist in the sense that we know it today.

Another way to view this directed share offer: people owning the shares would be more favourable to Red Hat's interests and less likely to be one hundred percent objective in discussions about controversial topics like systemd. We could think of it is a form of social engineering attack.

We can see the impact in this email where people are asked to be polite to Red Hat:
```
Subject: RedHat Surprise
Date: Wed, 21 Jul 1999 00:09:50 -0500 (EST)
From: Matthew R. Pavlovich <mpav@purdue.edu>
To: debian-devel@lists.debian.org, debian-private@lists.debian.org

In light of RedHat's recent offer to many debian developers, I want to
make a suggestion to those who do not accept RedHat's method of making the
offer.  
Do not send back a nasty e-mail message cursing them for spamming.  If you
feel obligated to tell them your opinion, please consider using your
non-debian e-mail address.  It is very easy for people to mistaken the
opinion of one for the opinion of the whole.  EVERY e-mail message you
send with a debian.org e-mail address reflects Debian as an organization.  
Redhat did not have to include anyone in their offer.  This is a very
considerate and thoughtful gesture on their part.  Redhat is good for
Linux as a whole.  We may have some differences, but IMO they should not
be viewed as our enemy.  They are going to be investing a lot of money
into Linux development, which means good paying jobs for open source
developers.  
IF YOU READ ONE SECTION, READ THIS:
-------
I am not saying anyone is wrong for having an opinion or that they should not express it, the focus of my point is to stress taking into account
the fact that individual opinions are taken as opinions of the entire
organization.

 Matthew R. Pavlovich
```
In other words, the organization doesn't have a consistent definition of spam that we are willing to defend.

FOSDEM recently fell into the same trap, inviting Jack Dorsey for "bring your boss day". FOSDEM used to be an event for developers.

From time to time, discussions appear on Debian mailing lists about whether everybody should declare their conflicts of interest, that is, their employer, their shareholdings and their romantic partners who participate in the same community.

By creating these hidden financial relationships that span multiple free software projects, Red Hat was creating the foundation for cult-like behavior. As more and more serious transgressions have occurred over the years, people have routinely covered them up. People focus on protecting reputations over protecting the truth.

Please see the chronological history of how the Debian harassment and abuse culture evolved.
Guillaume Kulakowski Mon caisson d’imprimante 3D

Depuis que j’ai mon imprimante 3D, celle-ci reposait sur une table à roulettes un peu bancale. Pas vraiment l’idéal : ça manquait de stabilité, d’esthétique, et surtout d’organisation. J’ai donc décidé de lui construire un caisson sur mesure en partant d’une base connue : les tables IKEA Lack. Choix du caisson Après pas mal de […]

Cet article Mon caisson d’imprimante 3D est apparu en premier sur Guillaume Kulakowski's blog.

April 11, 2025

Dan Horák EC P-384 curve causing SIGILL in OpenSSL 3.5.0 on Power8 systems
We have just discovered in Fedora Rawhide that EC P-384 curve is causing SIGILL in OpenSSL 3.5.0 on Power8 based systems as the implementation uses ISA 3.0 (aka Power9) instructions. The symptoms are for example a SIGILL when dnf downloads new repo data. I believe systems with this broken openssl build could be recovered when using rpm directly. See OpenSSL issue 27350 for details.

To recover you will need
After downloading the necessary rpms you can downgrade with sudo rpm -Uvh --oldpackage *.rpm
Gary Benson Python antipattern: Close in finally
Don’t do this:
```
thing = Thing()
try:
    thing.do_stuff()
finally:
    thing.close()
```
Do do this:
```
from contextlib import closing

with closing(Thing()) as thing:
    thing.do_stuff()
```
Why is the second better? Using contextlib.closing() ties closing the item to its creation. These baby examples are about equally easy to reason about, with only a single line in the try block, but consider what happens ifwhen more lines get added in future? In the first example, the close moves away, potentially offscreen, but that doesn’t happen in the second.

April 10, 2025

Felipe Borges Fedora 42 GNOME 48 Test Week from April 8 to 15

We are running a Fedora 42 GNOME 48 Desktop and Core Apps Test Week! This helps us find last-minute bugs and integration issues before Fedora 42 is ready for a stable release.

You can find how to participate in https://fedoraproject.org/wiki/Test_Day:2025-04-08_Fedora_42_GNOME_48_Desktop_and_Core_Apps

April 08, 2025

Adam Young How big a matrix can we fit?

Many of the big scientific computing problems can be solved using matrix mathematics. One of my favorite problems to tackle is implementation of vector times matrix = vector. This has utility in many places, one of which is inference in neural networks.

Since an ARM processor has some support for vector and matrix mathematics, I started wondering what were the size limitations we would hit when trying to solve big problems. Here are some notes:

The Basic ARM v8 architecture has 32 Vector-capable registers. Each of these registeres can be broken up to different sizes, from single byte up to 128 values. A common word ize for neural network applications is 32 bit words, and so we are going to work with those. Thus, a single vector can hold 4 words of 32 bits each. If we use one vector for input, one for out, we would expect to have a square 4X4 matrix. This Would use up 6 Vectors. That means we can set up 5 matrixes in memory and take up 30 out of the 32 vector registers.

We could be slightly more effecient if we do double duty with the input/output vectors. If we only ever had a single input vector and a single output vector, we could have 7 matrices of size 4X4, 2 i/o vectors, and 3 vectors left over for other operations.

However, we know that the ARM processors can have 2 parallel execution pipelines. Thus we want to be able to have each of these going at the same time: This means we have an overhead of 4 Vectors. This could still work with 7 matrices, assuming we stored after each iteration.

However, storing the output vectors requires pipeline time as well. If we make the bold assumption that storing a vector and performing the operation take about the same amount of time, we would want to have at least 2 extra output vectors to be able to perform a second operation with the input vectors. So we have an i/o overhead of 6 vectors, meaning we could still have 7 matrices, but we have no vector registers left over for management or calculation.

It also means that we have to block once we are done with a given input register. Again, we would like to pipeline, so we can load one set of input registers while we calculate with a second, and then swap. This gives and overhead of 8 i/o registers (2 active input, 2 active output, 2 loading input, 2 storing output) at a given time. This cuts us down to 6 Matrices of size 4X4 that we can store in registers.

This is our building block. If we can decompose a large matrix multiplication problem into a series of smaller ones, our problem them will likely be limited by how many operations we can perform on a single CPU without having to swap out the subset of matrices on that CPU.

Currently, Ampere machines are at 192 cores, hovering just under the 200 core mark. So we can simplify the math for now and use 200 cores as the basis. If each core can hold 6 matrices, and we can build a single large matrix out of these building blocks, what size matrix do we get? We want a square number less than 192 X 6, or 1152. 32 X 32 = 1024.

Each of the little squares is a 32 bit value. Each 4X4 square with alternating green and red is a matrix. There are 34 of those squares per row and column. Thus each row represents 5 CPUs plus 2/5ths 6th one; 5 Rows of this matrix represent 27 CPUs.

Check my math. I don’t trust myself on this, but I think it is right.

A follow on question is how to most efficiently move the data around. But that is a tale for another day.

April 07, 2025

The NeuroFedora Blog Next Open NeuroFedora meeting: 07 April 2025 1300 UTC
Photo by William White on Unsplash.

Please join us at the next regular Open NeuroFedora team meeting on Monday 07 April 2025 at 1300 UTC. The meeting is a public meeting, and open for everyone to attend. You can join us in the Fedora meeting channel on chat.fedoraproject.org (our Matrix instance). Note that you can also access this channel from other Matrix home severs, so you do not have to create a Fedora account just to attend the meeting.

You can use this link to convert the meeting time to your local time. Or, you can also use this command in the terminal:
```
$ date -d 'Monday, April 07, 2025 13:00 UTC'
```
The meeting will be chaired by @ankursinha. The agenda for the meeting is:
- New introductions and roll call.
- Tasks from last meeting.
- Open Pagure tickets.
- Package health check.
- Open package reviews check.
- CompNeuro lab compose status check for Fedora 41/rawhide.
- Neuroscience query of the week
- Next meeting day, and chair.
- Open floor.
We hope to see you there!

April 05, 2025

Guillaume Kulakowski Clavier Zuoya GMK87 sous Linux

Récemment, à cause d’un collège de boulot, je me suis lancé dans la construction d’un clavier custom basé sur le Zuoya GMK87. Alors oui, c’est un clavier chinois, mais trouver un clavier custom avec écran, molette, compatible VIA, et avec cette qualité de fabrication pour environ 50€, c’est plutôt rare. Du coup, j’ai accepté quelques […]

Cet article Clavier Zuoya GMK87 sous Linux est apparu en premier sur Guillaume Kulakowski's blog.

April 03, 2025

! Avi Alkalay ¡ Apple Ambient Music
The new iOS 18.4 has an unbelievably wonderful, unprecedented â€” and somewhat hidden â€” feature.

Ambient Music!

There are four buttons you can activate in the Control Center that provide endless ambient music in four styles and for four purposes:
- Relaxation
- Focus & Productivity
- Well-being
- Sleep
The compositions and arrangements are of high quality and very satisfying. They are purely instrumental, with little melodic variation but rich in textures, sound effects, rhythm, and sound design. If voices appear â€” rarely â€” they are only used to add texture, without words.

I am an avid listener of ambient music and use it to block out external noise, enter my inner world, focus, relax, find inspiration, and fall asleep. Collections like Buddha-Bar, CafÃ© del Mar, Le CafÃ© Abstrait, and their curators have been in my ears for many years, introducing me to many artists I now love and follow. Unlike Appleâ€™s new Ambient Music, these collections also include more ethnic styles.

But thereâ€™s something obscure and noteworthy about Apple Ambient Music. There are no song titles, no artist credits, no album covers. Music identifiers like Shazam donâ€™t recognize these tracksâ€”Iâ€™ve tried multiple times. I havenâ€™t noticed any repeated songs, and they all last around three minutes. Itâ€™s as if they were commissioned for this purpose, following specific rules. I also havenâ€™t found any Apple page describing the technology, the source of the collection, or how the curation of the four playlists works.

This leads me to believe the music is dynamically generated (both composed and performed) by artificial intelligence or some kind of algorithm. The fact that the tracks have little melodic richness â€” melody being the most valuable, human, and difficult-to-create musical feature â€” supports this hypothesis. A well-built library of textures and sound effects, combined with fine-tuned algorithms, could make this possible.

But this raises a very serious ethical question, especially when the feature is made so accessible and mainstream. Could AI replace composers, musicians, and sound engineers in some musical styles? Could this explain why Apple isnâ€™t making a big deal out of this feature, despite it deserving the spotlight?

Apple Ambient Music is now part of my listening repertoire.

Here is another article with good sources of music (in Portuguese).

Also in LinkedIn.
Dan Horák Firefox 128.9.0 ESR built for ppc64le

The JIT-enabled Firefox 128.9.0 ESR has been built for Fedora/ppc64le in my Talos
COPR repository. The corresponding sources are in my fork
of the official Fedora Firefox package and the JIT is coming from Cameron's work.
Jon Chiappetta I don’t know why but 80s movies are my favourite still to this day – I’m old! :)

March 30, 2025

Swiss JuristGate Link between institutional abuse, Swiss jurists, Debianism and FSFE

Friday, an expert in the subject of persecution asked me a question: is there a link between the paedophiles and the Swiss jurists?

I reflected on the subject and I found several links between the cultural problems.

At the same time, the BBC published a report on Justin Welby, former head of the Anglican church. He resigned because of the John Smyth QC scandal. John Smyth was a powerful lawyer who had also been a judge for six years. Smyth simultaneously had the role of Reader in the church.

I wrote several blogs about the links between the Code of Conduct gaslighting and the document Crimen Sollicitationis.

The pope sent the Crimen Sollicitationis to each diocese in 1962. It was a secret document. Article 70 insists on total secrecy about abuse:

70. All these official communications shall always be made under the secret of the Holy Office; and, since they are of the utmost importance for the common good of the Church, the precept to make them is binding under pain of grave [sin].

Moreover, we are not even supposed to discuss the existance of the document:

TO BE KEPT CAREFULLY IN THE SECRET ARCHIVE OF THE CURIA FOR INTERNAL USE.

Gerhard Ulrich was a human rights activist. He published a list of judges, their mistakes and their conflicts of interest. In Switzerland, the conflicts of interest are a private subject under article 173(3) of the Swiss criminal code:

The accused is not permitted to lead evidence in support of and is criminally liable for statements that are made or disseminated with the primary intention of accusing someone of disreputable conduct without there being any public interest or any other justified cause, and particularly where such statements refer to a person’s private or family life.

In 2001, the secret document became widely known.

When FINMA published a jugement against the Swiss jurists in 2023, they redacted the names, they redacted the dates and even worse, they redacted most of the paragraphs.

A little bit like Crimen Sollicitationis, certainly.

We find the same problems in the case of John Smyth, Anglican church and Justin Welby:

From 2013, the Church of England knew “at the highest level” about the abuse, the report says, but failed to refer it either to the police or to the relevant authorities in South Africa, where Smyth died while under investigation by the police.

The Swiss authorities, the bar association of Geneva and FINMA had knowledge of Parreaux, Thiébaud & Partners since 2021 or earlier. Why did they redact the majority of paragraphs from the judgment? They wanted to hide their pre-existing knowledge of the scandal.

Why did the church authorities or Swiss authorities protect people like John Smyth and Mathieu Parreaux? Men like that have knowledge of all the scandals and institutional failings throughout their career. We discussed the same question in the (leaked) debian-private mailing list. Each time somebody is bullied and punished by the overlords, there is a risk that they will publish a full copy of debian-private.

We have filled in the secrets in the JuristGate web site.

When I acquired Swiss citizenship, I had to take an oath. ( la promesse solennelle vaudois, Loi sur le droit de cité vaudois 2018).

You promise to be true to the federal constitution and the constitution of the Canton of Vaud. You promise to maintain and defend on every occasion and with all your powers the rights, freedoms and independence of your new country, to develop and advance her reputation and wealth and equally to avoid all that could cause her loss or damage.

There is a problem: after the death of my father, racist Swiss women started writing gossip. The rudeness of selfish and arrogant people who impose upon my family at a time of grief outweighs the seriousness of the oath.

Swiss authorities closed the legal protection insurance. The director of FINMA resigned with a payout of 581,000 Swiss francs, but he did not provide replacement lawyers for the clients.

At the same time, the racist Swiss women demanded a publication.

FSFE uses the trademark of the FSF without authorisation. They received a bequest of EUR 150,000. They declared the bequest a secret subject.

The Swiss citizenship oath implies that we have to find a private solution to the Debian crisis, but the racist Swiss women wanted a publication of lies after the death of my father.

The truth is clear, my father died.

In 2018, the intern Renata D'Avila published a blog about the risks of location tracking services. She chose a quote from the French philosopher Pierre-Joseph Proudhon:

To be GOVERNED is to be watched, inspected, spied upon, directed, ... then, at the slightest resistance, the first word of complaint, to be repressed, fined, vilified, harassed, hunted down, abused, clubbed, disarmed, bound, choked, imprisoned, judged, condemned, shot, deported, sacrificed, sold, betrayed; and to crown all, mocked, ridiculed, derided, outraged, dishonored.

In Australia, Lilie James rejected her boyfriend's demand for location services on her phone and she was clubbed to death. My intern had predicted the crime with her use of the quote alongside her description of problems with Google.

According to the Debian Social Contract, point 3:

We won't hide problems.

but the Debianists threatened my intern by sending her secret emails:

Debian "Community Team" (political police) to Renata, private email of 13 June 2018: Reinforcing positive attitudes and steps that you see in Debian towards women inclusion can also motivate yourself, the other Debian contributors, and possible newcomers, to go on working in that strategy and foster diversity in Debian. This does not mean to avoid criticism or hiding problems, but providing a more accurate vision of how the Brazilian Debian community works towards our common goals.

The threat:

Finally, we would like to say a word about the participation in Debian events that is financed (at least in part) by Debian. We believe that a matching fund, (Mini)DebConf bursary or any other financial help to attend a Debian event is a big endorsement from Debian to the person who receives it, and we believe that your behaviour in MiniDebConf Curitiba 2018 did not match the excellence that we expect for a bursary applicant. Thus, we are considering requesting a rejection of your application to the bursaries team.

Renata did not come back to any Debian events.

In Australia's Royal Commission into Institutional Abuse, we find the same thing:

Culture of secrecy

We are satisfied that there was a prevailing culture within the Archdiocese, led by Archbishop Little, of dealing with complaints internally and confidentially to avoid scandal to the Church.

and again between the priests and their victims:

He said that, on both occasions, Father Daniel encouraged BTH to remain silent by reference to the seal of confession.

The seal of confession is like the Code of Conduct gaslighting in the free software projects. If the victim doesn't maintain the silence, they will be blocked from becoming a priest or a developer.

Frans Pop published his suicide note the night before the Debian Day anniversary. When colleagues discussed his death outside the secret debian-private mailing list, they suffered immediate reprisals.

Unfortunately we also had the misfortune to read information on twitter that, to our current knowledge, must have been gathered from this -private list. We think this a very unfortunate event that is missing every kind of common sense and decency, and therefore saw forced to suspend the accounts of the people leaked from membership on this list.

Pascal/Lia Daobing: You both are no longer subscribed to debian-private, for the next 4 weeks. The one and only reason this list exists is to have a place where we can share information that is not immediately leaked into the public. Twitter is not -private. Please, in the future, respect the rules of the environment you are in, especially in such a special case like this.

The next death was Adrian von Bidder. It was Palm Sunday, the same day as the marriage between Carla and I. Adrian von Bidder died in Switzerland the official report has not been published. Yet.

Switzerland and the Catholic Church both openly promote their culture of secrecy. Debianists have claimed to be committed to transparency so the imposition of secrecy in Debian demonstrates an even greater lack of integrity.

Joerg Jaspert wrote about Frans Pop:

He has done a lot of work for the project, invested a lot of his time and appearently (read the statement of his parents) the Debian project was a very important part of his life.

The last words in the last email of Frans Pop, sent the night before Debian Day:

All mails I ever sent to d-private (and mails quoting them) shall remain private.

March 28, 2025

Jeremy Cline How artifacts are signed in Fedora

For the last few months, one of the things I’ve been working on in Fedora is adding support for SecureBoot on Arm64. The details of that work will be the subject of a later post, but as part of this work I’ve become somewhat familiar with the signing infrastructure in Fedora and how it works. This post introduces the various pieces of the current infrastructure, and how they fit together.

Signed?

Pretty much anything Fedora produces and distributes is digitally signed so users can verify it did, in fact, come from the Fedora project. Perhaps the most obvious example of this is the RPM packages Fedora produces. However, plenty of other artifacts are also signed, like OSTree commits.

Signing works using public-key cryptography. We have the private key that we need to keep secret, and we distribute the public keys to users so they can verify the artifact.

Robosignatory

Signing is (mostly) an automated process. A service, called robosignatory, connects to an AMQP message broker and subscribes to several message topics. When an artifact is created that needs signing, the creator of the artifact sends a message to the AMQP broker using one of these topics.

Robosignatory does not sign artifacts itself. It collects requests from various other services and submits them to the signing server on behalf of those systems. The signing server is the system that contains and protects the private keys.

Sigul

Sigul is the signing server that holds the private keys and performs signing operations. It is composed of three parts: the client, the bridge, and the server.

The Server

The Sigul server is designed to control access to signing keys and to provide a minimal attack surface. It does not behave like a traditional server in that it does not accept incoming network connections. Instead, it connects to the Sigul bridge, and the bridge forwards requests to it via that connection.

This allows the firewall to be configured to allow outgoing traffic to a single host, and to block all incoming connections. This does mean that the host cannot be managed via normal SSH operations. Instead this is done in Fedora via the host’s out-of-band management console.

Private keys are encrypted on disk. When users are granted access to keys, the key is encrypted for that particular user.

The Bridge

The Sigul bridge acts as a specialized proxy. Both the client and server connect to the bridge, and it forwards requests and responses between them.

Unlike the typical proxy, the Sigul bridge does a few interesting things. Firstly, it requires the client to authenticate via TLS certificates. The client then sends the bridge the request it wishes to make. The bridge forwards that request to the server. The bridge then expects the client and server to send an arbitrary amount of data to each other. This arbitrary data is framed as chunks and it forwards that data back and forth until an end of stream signal is sent by the server and client.

Finally, it forwards the server’s response to the client.

The Client

The client is a command-line interface that sends requests to the server via the bridge. This client can be used to create users and keys, grant and revoke access to keys, and request signatures in various formats. Robosignatory invokes the CLI to sign artifacts.

The client connects to the bridge as described above. After authenticating with the bridge and sending the request, it begins a second TLS connection configured with the Sigul server’s hostname, and sends and receives data on this connection over the TLS connection it has with the Sigul bridge. It relies on this inner TLS connection to send a set of session keys to the server without the bridge being able to intercept them. These session keys are used to sign the Sigul server’s responses so the client can be sure the bridge did not tamper with them.

After it has established a set of secrets with the server, the remainder of the interaction occurs over the TLS connection with the bridge, but since the responses are signed both the client and server can be confident the bridge has not tampered with the conversation.

Conclusion

It’s an interesting setup, and has served Fedora for many years. There is plenty of code in Sigul which dates back to 2009, not long after Python 2.6 was released with exciting new features like the standard library json module. It was likely developed for RHEL 5 which means Python 2.4.

Unfortunately, at least one of the libraries (python-nss) it depends on to work are not maintained and not in Fedora 42, so something will have to be done in the near future. Still, it’s not ready to sign off just yet.

This is an independent, censorship-resistant site run by volunteers. This site and the blogs of individual volunteers are not officially affiliated with or endorsed by the Fedora Project.

We Make Fedora

May 17, 2025

Data Center Move

Bot blocking

F40 EOL and upgrades

comments? additions? reactions?

Features

Bug fixes

Contributors

May 16, 2025

Features

Bug fixes

Contributors

Infrastructure & Release Engineering

Fedora Infra

CentOS Infra including CentOS CI

Release Engineering

May 15, 2025

NEWS

Introducing the develop branch of the syslog-ng git repo

Working with Active Roles debug logs in syslog-ng

Nightly arm64 syslog-ng container builds are now available

WEBINARS

May 13, 2025

Qu'est-ce que c'est ?

Que faire ?

What we did?

What is the plan now?

Infrastructure & Release Engineering

Fedora Infra

CentOS Infra including CentOS CI

Release Engineering

May 12, 2025

May 10, 2025

Datacenter Move

Builders with >32bit inodes again

comments? additions? reactions?

May 09, 2025

Introduction

Entretien

Conclusion

May 08, 2025

What’s new?

What’s next?

May 06, 2025

May 05, 2025

May 04, 2025

May 03, 2025

Datacenter Move

OpenShift cluster upgrades

Proxy upgrades

comments? additions? reactions?

May 02, 2025

Infrastructure & Release Engineering

Fedora Infra

CentOS Infra including CentOS CI

Release Engineering

May 01, 2025

Sites web d'actualité

Les vidéos

Bilan

April 30, 2025

Introduction

Entretien

Conclusion

April 29, 2025

April 28, 2025

April 27, 2025

April 26, 2025

Datacenter Move

nftables in production

Staging koji synced

comments? additions? reactions?

April 25, 2025

Walter Francis Pocock

Fact check

April 24, 2025

April 23, 2025

Changes since Kiwi TCMS 14.1

Security

Software updates: Support `dnf needs-restarting`