Fedora is a Trademark of Red Hat, Inc, an operating system built by volunteers around the world. This page is provided so that independent volunteers can showcase our contributions to Fedora and Free Software in general. Official Fedora Download page.

RSS Atom

We Make Fedora

March 29, 2023

• Kiwi TCMS Kiwi TCMS 12.1

  We're happy to announce Kiwi TCMS version 12.1!

  IMPORTANT: this is a minor release which contains security related updates, general improvements, bug fixes and new translations!

  You can explore everything at https://public.tenant.kiwitcms.org!

  Supported upgrade paths:

  5.3   (or older) -> 5.3.1
  5.3.1 (or newer) -> 6.0.1
  6.0.1            -> 6.1
  6.1              -> 6.1.1
  6.1.1            -> 6.2 (or newer)
  

  ---

  Upstream container images (x86_64):

  kiwitcms/kiwi   latest  590c0cd6f25f    521MB
  

  IMPORTANT: version tagged and multi-arch container images are available only to subscribers!

  Changes since Kiwi TCMS 12.0

  Security

  • Add the Content-Security-Policy header to block inline JavaScript. Fixes CVE-2023-27489
  • Add the X-Frame-Options header to deny loading Kiwi TCMS into an iframe
  • Add the X-Content-Type-Options header

  Improvements

  • Update django-grappelli from 3.0.4 to 3.0.5
  • Update django-simple-history from 3.2.0 to 3.3.0
  • Update jira from 3.4.1 to 3.5.0
  • Update markdown from 3.4.1 to 3.4.3
  • Update pygithub from 1.57 to 1.58.1
  • Update tzdata from 2022.7 to 2023.3
  • Do not allow last super-user to be deleted (Ivajlo Karabojkov)
  • Improve loading time on test runs pages which have large number of executions with components, parameters and/or tags (@somenewacc)
  • Expose all RPC methods in the documentation
  • Update documentation to describe transitions for TestRun statuses. Closes Issue #3124

  Settings

  • Allow uWSGI configuration override via the file /Kiwi/etc/uwsgi.override

  API

  • New API method TestRun.add_attachment (David M. Johnson)
  • New API method Environment.filter() method. Refs Issue #3034 (@somenewacc)
  • New API method Environment.create(). Closes Issue #3034 (@somenewacc)

  Bug fixes

  • Fix /admin/testcases/template/ page not being able to render the text editor

  Refactoring

  • Refactor bugtracker integration
  • Remove unnecessary onChanged function for DurationWidget
  • Refactoring to avoid inline <script> tags

  Translations

  • Enable translation integration on Admin pages
  • Updated Bulgarian translation
  • Updated French translation
  • Updated Slovenian translation

  Kiwi TCMS Enterprise v12.1-mt

  • Based on Kiwi TCMS v12.1

  • Update dj-database-url from 1.2.0 to 1.3.0

  • Update kiwitcms-github-app from 1.4.1 to 1.5.1

  • Update kiwitcms-trackers-integration from 0.3.0 to 0.4.0

  • Add test for missing migrations

    Private images:

    quay.io/kiwitcms/version            12.1 (aarch64)          571870729367    29 Mar 2023     528MB
    quay.io/kiwitcms/version            12.1 (x86_64)           590c0cd6f25f    29 Mar 2023     520MB
    quay.io/kiwitcms/enterprise         12.1-mt (aarch64)       0a1e2f092351    29 Mar 2023     734MB
    quay.io/kiwitcms/enterprise         12.1-mt (x86_64)        9f44aaab7646    29 Mar 2023     725MB
    

  IMPORTANT: version tagged, multi-arch and Enterprise container images are available only to subscribers!

  How to upgrade

  Backup first! Then execute the commands:

  cd path/containing/docker-compose/
  docker-compose down
  docker-compose pull
  docker-compose up -d
  docker exec -it kiwi_web /Kiwi/manage.py upgrade
  

  Refer to our documentation for more details!

  Happy testing!

  ---

  If you like what we're doing and how Kiwi TCMS supports various communities please help us grow!

  • Give â­� on GitHub;
  • Give ğŸ‘� on GitLab;
  • Donate via Open Collective as low as 1 EUR;
  • Join our newsletter and follow all project news;
  • Become a contributor and an awesome open source hacker;
  • Become a subscriber and help us sustain development

• ! Avi Alkalay ¡ Melhorias para o Pix do BaCen

  O Banco Central do Brasil acertou em cheio com o Pix, inovação bancária digna de ser copiada por qualquer BC do mundo. Mas ainda acho o Pix bem burocrático de ser usado. Vejo que ele é um sucesso porque era algo muitíssimo desejado, não por ter boa usabilidade nem por promover boas práticas. Minha veia de designer de aplicações não pode deixar de sugerir algumas melhorias que poderiam ser feitas numa próxima revisão, especialmente em relação a usabilidade.

  1. Em primeiro lugar, ficar usando e divulgando CPF e celular como endereço bancário fere de mais a privacidade das pessoas. Há o endereço aleatório, que é um indigesto UDID, mas seu uso é pouco incentivado. Telefone como endereço Pix deveria ser usado só entre amigos que já têm o número um do outro. E CPF então, nem se fala… Eu nem tenho coragem de citar aqui e agora as coisas que poderia descobrir sobre você tendo só o seu CPF. Este parágrafo fica como dica para você, usuário do Pix — use chave aleatória sempre que puder.
  2. Outro aspecto pouco prático é que a pessoa que divulga um endereço Pix precisa informar se aquilo é um CPF ou celular, pois há CPFs que se parecem com número de telefone e vice-versa. E o pagador precisa dizer ao banco que tipo de chave é essa (CPF, telefone), não é detectado automaticamente.
  3. Mais um aspecto triste é o Pix-copia-e-cola ser sub-utilizado. Para quem não sabe — e muitos não sabem —, o Pix-copia-e-cola é um código comprido que tem tudo: endereço do credor, valor, mensagem. Se preciso cobrar alguém, eu gero um Pix-copia-e-cola e passo para a pessoa. Acontece que quase ninguém sabe o que fazer com esse código e como usá-lo para efetivamente executar o pagamento. O pagador primeiro precisa saber do que se trata, navegar pelos menus do aplicativo bancário e colá-lo no lugar certo. Este é um exemplo de Pix-copia-e-cola válido que você pode usar para me pagar R$10:

  00020126890014BR.GOV.BCB.PIX01364cf0670d-87f9-4056-b48b-cbe57aa29ba40227Exemplo de Pix-copia-e-cola520400005303986540510.005802BR5914AVIRAM ALKALAY6009SAO PAULO622605222X9lnULfWGEqFhJGgrYWXC63046086

  Eis uma sugestão de solução para todos esses problemas

  Bastaria o endereço Pix ser uma URL, visto que URLs já representam o endereço de praticamente tudo no universo digital. Segue uma sugestão de solução hipotética.

  • Endereço Pix que é um telefone:

    pix://11912344321.tel

  • Endereço Pix que é um CPF:

    pix://78912365422.cpf

  • Endereço Pix que é uma chave aleatória:

    pix://abc-xyz-kyw.alt

  • URL de um Pix-copia-e-cola que contém credor (endereço aleatório), valor (R$10) e mensagem (“olá mundo”):

    pix://abc-xyz-kyw.alt/?val=10.00&msg=olá%20mundo

  • O código QR da última URL:

    

  • Menos conhecido ainda, um Pix pode ser feito diretamente para uma conta bancária, sem CPF nem telefone nem endereço aleatório, igual um TED. Nesse caso a URL ficaria assim:

    pix://{{instituição, agência e conta bancária codificadas}}.cc/?val=10.00&msg=olá%20mundo

  Os parâmetros para valor ou mensagem, ou ambos, poderiam ser omitidos para deixar o pagador preenchê-los, opcionalmente.

  No mundo físico, essas URLs seriam divulgadas como códigos QR impressos. E sendo um QR/URL válido, a câmera que o captura, ou o simples ato de clicar no link, abriria o tratador correto, que provavelmente seria o aplicativo do seu banco, mas não precisaria pedir para o pagador escrever mais nada, só pediria confirmação para a transação cujos dados e parâmetros estariam todos já resolvidos e no lugar certo.

  

  Com exatos 2 toques de tela (passos 1️⃣ e 3️⃣) e mais a inevitável autenticação no aplicativo bancário (passo 2️⃣), o pagamento seria realizado.

  Do jeito que é hoje:

  • Não existe link de Pix para se clicar
  • Códigos QR só são legíveis com a câmera da app bancária; um leitor qualquer de códigos QR não consegue disparar o aplicativo bancário
  • Caso o pagador inicie o processo com um endereço textual, terá que manualmente copiar e colar o texto pois números de telefone e de CPF não viram links automaticamente. E entre os passos 2 e 3 terá que manualmente selecionar e preencher diversas outras informações

• Peter Hutterer New gitlab.freedesktop.org spamfighting abilities

  As of today, gitlab.freedesktop.org allows anyone with a GitLab Developer role or above to remove spam issues. If you are reading this article a while after it's published, it's best to refer to the damspam README for up-to-date details. I'm going to start with the TLDR first.

  For Maintainers

  Create a personal access token with API access and save the token value as $XDG_CONFIG_HOME/damspam/user.tokenThen run the following commands with your project's full path (e.g. mesa/mesa, pipewire/wireplumber, xorg/lib/libX11):

  
  $ pip install git+https://gitlab.freedesktop.org/freedesktop/damspam
  $ damspam request-webhook foo/bar
  # clean up, no longer needed.
  $ pip uninstall damspam
  $ rm $XDG_CONFIG_HOME/damspam/user.token
  

  The damspam command will file an issue in the freedesktop/fdo-bots repository. This issue will be automatically processed by a bot and should be done by the time you finish the above commands, see this issue for an example. Note: the issue processing requires a git push to an internal repo - if you script this for multiple repos please put a sleep(30) in to avoid conflicts.

  Once the request has been processed (and again, this should be instant), any issue in your project that gets assigned the label Spam will be processed automatically by damspam. See the next section for details.

  For Developers

  Once the maintainer for your project has requested the webhook, simply assign the Spam label to any issue that is spam. The issue creator will be blocked (i.e. cannot login), this issue and any other issue filed by the same user will be closed and made confidential (i.e. they are no longer visible to the public). In the future, one of the GitLab admins can remove that user completely but meanwhile, they and their spam are gone from the public eye and they're blocked from producing more. This should happen within seconds of assigning the Spam label.

  For GitLab Admins

  Create a personal access token with API access for the @spambot user and save the token value as $XDG_CONFIG_HOME/damspam/spambot.token. This is so you can operate as spambot instead of your own user. Then run the following command to remove all tagged spammers:

  
  $ pip install git+https://gitlab.freedesktop.org/freedesktop/damspam
  $ damspam purge-spammers
  

  The last command will list any users that are spammers (together with an issue that should make it simple to check whether it is indeed spam) and after interactive confirmation purge them as requested. At the time of writing, the output looks like this:

  
  $ damspam purge-spammers
  0: naughtyuser              : https://gitlab.freedesktop.org/somenamespace/project/-/issues/1234: [STREAMING@TV]!* LOOK AT ME
  1: abcuseless               : https://gitlab.freedesktop.org/somenamespace/project/-/issues/4567: ((@))THIS STREAM IS IMPORTANT
  2: anothergit               : https://gitlab.freedesktop.org/somenamespace/project/-/issues/8778: Buy something, really
  3: whatawasteofalife        : https://gitlab.freedesktop.org/somenamespace/project/-/issues/9889: What a waste of oxygen I am
  Purging a user means a full delete including all issues, MRs, etc. This is nonrecoverable!
  Please select the users to purge:
  [q]uit, purge [a]ll, or the index: 
       

  Purging the spammers will hard-delete them and remove anything they ever did on gitlab. This is irreversible.

  How it works

  There are two components at play here: hookiedookie, a generic webhook dispatcher, and damspam which handles the actual spam issues. Hookiedookie provides an HTTP server and "does things" with JSON data on request. What it does is relatively generic (see the Settings.yaml example file) but it's set up to be triggered by a GitLab webhook and thus receives this payload. For damspam the rules we have for hookiedookie come down to something like this: if the URL is "webhooks/namespace/project" and damspam is set up for this project and the payload is an issue event and it has the "Spam" label in the issue labels, call out to damspam and pass the payload on. Other rules we currently use are automatic reload on push events or the rule to trigger the webhook request processing bot as above.

  This is also the reason a maintainer has to request the webhook. When the request is processed, the spambot installs a webhook with a secret token (a uuid) in the project. That token will be sent as header (a standard GitLab feature). The project/token pair is also added to hookiedookie and any webhook data must contain the project name and matching token, otherwise it is discarded. Since the token is write-only, no-one (not even the maintainers of the project) can see it.

  damspam gets the payload forwarded but is otherwise unaware of how it is invoked. It checks the issue, fetches the data needed, does some safety check and if it determines that yes, this is spam, then it closes the issue, makes it confidential, blocks the user and then recurses into every issue this user ever filed. Not necessarily in that order. There are some safety checks, so you don't have to worry about it suddenly blocking every project member.

  Why?

  For a while now, we've suffered from a deluge of spam (and worse) that makes it through the spam filters. GitLab has a Report Abuse feature for this but it's... woefully incomplete. The UI guides users to do the right thing - as reporter you can tick "the user is sending spam" and it automatically adds a link to the reported issue. But: none of this useful data is visible to admins. Seriously, look at the official screenshots. There is no link to the issue, all you get is a username, the user that reported it and the content of a textbox that almost never has any useful information. The link to the issue? Not there. The selection that the user is a spammer? Not there.

  For an admin, this is frustrating at best. To verify that the user is indeed sending spam, you have to find the issue first. Which, at best, requires several clicks and digging through the profile activities. At worst you know that the user is a spammer because you trust the reporter but you just can't find the issue for whatever reason.

  But even worse: reporting spam does nothing immediately. The spam stays up until an admin wakes up, reviews the abuse reports and removes that user. Meanwhile, the spammer can happily keep filing issues against the project. Overall, it is not a particularly great situation.

  With hookiedookie and damspam, we're now better equipped to stand against the tide of spam. Anyone who can assign labels can help fight spam and the effect is immediate. And it's - for our use-cases - safe enough: if you trust someone to be a developer on your project, we can trust them to not willy-nilly remove issues pretending they're spam. In fact, they probably could've deleted issues beforehand already anyway if they wanted to make them disappear.

  Other instances

  While we're definitely aiming at gitlab.freedesktop.org, there's nothing in particular that requires this instance. If you're the admin for a public gitlab instance feel free to talk to Benjamin Tissoires or me to check whether this could be useful for you too, and what changes would be necessary.

March 28, 2023

• Peter Czanik Syslog-ng 101, part 13: Updating syslog-ng, syslog-ng 4

  This is the 13th part of my syslog-ng tutorial. Last time, we learned about sending log messages to Elasticsearch. Today, we learn about updating syslog-ng, and some of the new features of syslog-ng 4.

  You can watch the video or read the text below.

  https://youtu.be/205eMGS51XU

  Type support in syslog-ng 4

  Version 4 of syslog-ng is now available. The good news is that it is fully backwards compatible. If the version string in your configuration is set to a 3.X version, it will work as expected even after updating to version 4. Of course you might run into corner cases, but I had no problems even with complex configurations.

  The major new feature of syslog-ng 4 is type support. When using the JSON and PatternDB parsers, syslog-ng stores the type information alongside name-value pairs. You can also set type information using rewrite rules.

  Why type is important? You can use it in two ways. Within syslog-ng you can use it for comparisons. For example comparing numbers will work correctly. The other use is type aware output. Previously, even if syslog-ng parsed types properly, all name-value pairs were stored as if they were strings. You could hint the type information on the destination side, but it is a painful manual process. As syslog-ng now stores type information with name-value pairs, the JSON template function and various destinations can now send proper type information. For example if you extract temperature data from logs, you do not have to configure the type manually any more on the syslog-ng side, or configure type in the destination database, as syslog-ng sends temperature data as numbers without additional configuration.

  Handling of lists (array) also improved considerably in this major new release.

  Today we will use JSON formatted log messages from sudo 1.9.4 (or later) to demonstrate the differences between syslog-ng 3 and 4.

  Syslog-ng configuration for JSON sudo logs

  The first log path in following configuration collects local log messages and stores them without any further processing or filtering into /var/log/messages. There is also a second log path, which selects sudo logs, parses them using JSON parser, and then creates a JSON formatted message from the result.

  @version:3.37
  @include "scl.conf"
  source s_sys { system(); internal();};
  destination d_mesg { file("/var/log/messages"); };
  log { source(s_sys); destination(d_mesg); };
  filter f_sudo {program(sudo)};
  destination d_test {
    file("/var/log/sudo.json"
      template("$(format-json --scope nv_pairs --scope dot_nv_pairs --rekey .* --shift 1 --exclude *journal* --exclude MESSAGE --scope rfc5424)\n\n"));
  };
  log {
    source(s_sys);
    filter(f_sudo);
    destination(d_test);
  };

  The JSON template function has a few excludes to make the log messages shorter, so the MESSAGE macro, which contains the original JSON payload, and any journal macros are discarded. Two new lines at the end make the files more human readable.

  Unparsed JSON sudo log

  Using this configuration if you run sudo, you will find the JSON formatted log message in /var/log/messages:

  Mar 17 15:24:07 localhost sudo[35095]: @cee:{"sudo":{"accept":{"uuid":"9045212067-d7cb-4a8f-ab40-32dc5b7c6f","server_time":{"seconds":1679063047,"nanoseconds":415866617,"iso8601":"20230317142407Z","localtime":"Mar 17 15:24:07"},"submit_time":{"seconds":1679063047,"nanoseconds":399116920,"iso8601":"20230317142407Z","localtime":"Mar 17 15:24:07"},"submituser":"czanik","command":"/usr/bin/ls","runuser":"root","runcwd":"/home/czanik","ttyname":"/dev/pts/0","submithost":"localhost.localdomain","submitcwd":"/home/czanik","runuid":0,"columns":118,"lines":60,"runargv":["ls","/root/"],"runenv":["LANG=en_US.UTF-8","HOSTNAME=localhost.localdomain","TERM=xterm-256color","PATH=/home/czanik/.local/bin:/home/czanik/bin:/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin","MAIL=/var/mail/root","LOGNAME=root","USER=root","HOME=/root","SHELL=/bin/bash","SUDO_COMMAND=/usr/bin/ls /root/","SUDO_USER=czanik","SUDO_UID=1000","SUDO_GID=1000"]}}} 

  Log parsed and recreated by syslog-ng 3.X

  Now lets take a look at what syslog-ng can recreate from the original JSON log message. JSON sudo logs are automatically parsed by syslog-ng, this is why you do not see a parser declaration in the above configuration. The JSON template function then tries to recreate the log message from the name-value pairs. For the untrained eye the only difference is that syslog macros, like date or facility are now also part of the JSON:

  {"cee":{"sudo":{"accept":{"uuid":"9045212067-d7cb-4a8f-ab40-32dc5b7c6f","ttyname":"/dev/pts/0","submituser":"czanik","submithost":"localhost.localdomain","submitcwd":"/home/czanik","submit_time":{"seconds":"1679063047","nanoseconds":"399116920","localtime":"Mar 17 15:24:07","iso8601":"20230317142407Z"},"server_time":{"seconds":"1679063047","nanoseconds":"415866617","localtime":"Mar 17 15:24:07","iso8601":"20230317142407Z"},"runuser":"root","runuid":"0","runenv":"LANG=en_US.UTF-8,HOSTNAME=localhost.localdomain,TERM=xterm-256color,PATH=/home/czanik/.local/bin:/home/czanik/bin:/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin,MAIL=/var/mail/root,LOGNAME=root,USER=root,HOME=/root,SHELL=/bin/bash,\"SUDO_COMMAND=/usr/bin/ls /root/\",SUDO_USER=czanik,SUDO_UID=1000,SUDO_GID=1000","runcwd":"/home/czanik","runargv":"ls,/root/","lines":"60","command":"/usr/bin/ls","columns":"118"}}},"app":{"name":"cee"},"SOURCE":"s_sys","PROGRAM":"sudo","PRIORITY":"notice","PID":"35095","HOST_FROM":"localhost","HOST":"localhost","FACILITY":"authpriv","DATE":"Mar 17 15:24:07"}

  If you take a more careful look, or if you use an app like jq to display the JSON message, you will catch a few more differences. The list looks slightly differently, and numbers are enclosed in quotes, meaning that they are forwarded as string instead of as numbers.

          "runuser": "root",
          "runuid": "0",
          "runenv": "LANG=en_US.UTF-8,HOSTNAME=localhost.localdomain,TERM=xterm-256color,PATH=/home/czanik/.local/bin:/home/czanik/bin:/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin,MAIL=/var/mail/root,LOGNAME=root,USER=root,HOME=/root,SHELL=/bin/bash,\"SUDO_COMMAND=/usr/bin/ls /root/\",SUDO_USER=czanik,SUDO_UID=1000,SUDO_GID=1000",
          "runcwd": "/home/czanik",
          "runargv": "ls,/root/",
          "lines": "60",
          "command": "/usr/bin/ls",
          "columns": "118"

  Syntax check on update

  Now it is time to update syslog-ng from version 3 to version 4. It is different on each and every Linux distribution or BSD variant and thus not the scope of this tutorial. Once you updated syslog-ng, it is time for a syntax check. It shows you a couple warnings, what you should change in your configuration or what changed in the behavior of syslog-ng.

  [root@localhost syslog-ng]# syslog-ng -s -f sudo.conf
  [2023-03-17T15:50:53.583894] WARNING: Configuration file format is too old, syslog-ng is running in compatibility mode. Please update it to use the syslog-ng 4.1 format at your time of convenience. To upgrade the configuration, please review the warnings about incompatible changes printed by syslog-ng, and once completed change the @version header at the top of the configuration file; config-version='3.37'
  [2023-03-17T15:50:53.591649] WARNING: $(format-json) starts using type information associated with name-value pairs in syslog-ng 4.0. This can possibly cause fields in the formatted JSON document to change types if no explicit type hint is specified. This change will cause the type in the output document match the original type that was parsed using json-parser(), add --no-cast argument to $(format-json) to keep the old behavior;

  In this particular case it reminds you that the current version is 4.1 while the version is set to 3.37 in the configuration. The second warning is about the changed behavior of the JSON template function and it also shows you how to change the configuration if you want to keep the old behavior with the new configuration version.

  Log parsed and recreated by syslog-ng 4.X

  On first look you might not notice, but the JSON generated by syslog-ng 4 is very different from the JSON generated by syslog-ng 3:

  {"cee":{"sudo":{"accept":{"uuid":"3d3e1f8c9b-d62e-4081-8fff-bc71e80e29","ttyname":"/dev/pts/0","submituser":"czanik","submithost":"localhost.localdomain","submitcwd":"/home/czanik","submit_time":{"seconds":1679063411,"nanoseconds":336097049,"localtime":"Mar 17 15:30:11","iso8601":"20230317143011Z"},"server_time":{"seconds":1679063413,"nanoseconds":696181185,"localtime":"Mar 17 15:30:13","iso8601":"20230317143013Z"},"runuser":"root","runuid":0,"runenv":["LANG=en_US.UTF-8","HOSTNAME=localhost.localdomain","TERM=xterm-256color","PATH=/home/czanik/.local/bin:/home/czanik/bin:/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin","MAIL=/var/mail/root","LOGNAME=root","USER=root","HOME=/root","SHELL=/bin/bash","SUDO_COMMAND=/usr/bin/ls /root/","SUDO_USER=czanik","SUDO_UID=1000","SUDO_GID=1000"],"runcwd":"/home/czanik","runargv":["ls","/root/"],"lines":60,"command":"/usr/bin/ls","columns":118}}},"app":{"name":"cee"},"SOURCE":"s_sys","PROGRAM":"sudo","PRIORITY":"notice","PID":"35167","HOST_FROM":"localhost","HOST":"localhost","FACILITY":"authpriv","DATE":"Mar 17 15:30:13"}

  It is easier to spot the differences with some formatting:

          "runuser": "root",
          "runuid": 0,
          "runenv": [
            "LANG=en_US.UTF-8",
            "HOSTNAME=localhost.localdomain",
            "TERM=xterm-256color",
            "PATH=/home/czanik/.local/bin:/home/czanik/bin:/usr/local/bin:/usr/bin:/usr/local/sbin:/usr/sbin",
            "MAIL=/var/mail/root",
            "LOGNAME=root",
            "USER=root",
            "HOME=/root",
            "SHELL=/bin/bash",
            "SUDO_COMMAND=/usr/bin/ls /root/",
            "SUDO_USER=czanik",
            "SUDO_UID=1000",
            "SUDO_GID=1000"
          ],
          "runcwd": "/home/czanik",
          "runargv": [
            "ls",
            "/root/"
          ],
          "lines": 60,
          "command": "/usr/bin/ls",
          "columns": 118

  Both lists and numbers are handled properly.

  For more syslog-ng 4 info

  By the time of this tutorial the documentation for syslog-ng version 4 is not yet available. You can learn more about the changes from the release notes: https://github.com/syslog-ng/syslog-ng/releases/tag/syslog-ng-4.0.0

  If you use Python to extend syslog-ng, you can find information how Python support works in syslog-ng version 4 at: https://github.com/syslog-ng/syslog-ng/tree/master/modules/python-modules

  If you have any questions or comments, leave a comment on YouTube or reach out to me on Twitter / Mastodon.

  -

  If you have questions or comments related to syslog-ng, do not hesitate to contact us. You can reach us by email or even chat with us. For a list of possibilities, check our GitHub page under the “Community” section at https://github.com/syslog-ng/syslog-ng. On Twitter, I am available as @PCzanik, on Mastodon as @Pczanik@fosstodon.org.-

• Didier Fabert (tartare) Hello world!

  Welcome to WordPress. This is your first post. Edit or delete it, then start writing!

March 27, 2023

• ! Avi Alkalay ¡ What is Apache Spark

  Apache Spark is like Python’s Pandas and is like SQL databases. It can manipulate datasets, filter, integrate, transform.

  

  But Spark was designed from scratch with horizontal scalability and parallelism in mind, which makes it capable of handling datasets with billions or even unknown number of rows — even if a bit less flexible than Pandas.

  This is not new in the industry. Enterprise editions of commercial SQL databases are parallel and scalable since a very long time, being also very expensive in all levels of the stack: service/support, software and hardware.

  But Spark is free software. And can use Hadoop — also a free software — as scalable and highly available storage, on cheap commodity hardware. In addition, it has a vibrant community and a democratic ecosystem of services and support.

  As with all Open Source, Apache Spark changes the economic landscape of massive data processing systems market, taking money out of a few proprietary HW and SW vendors and pulverizing it locally on people and support.

  From my LinkedIn of 2021-03-18 07:02:56

• ! Avi Alkalay ¡ What means to be Driven By Data

  I’ve seen companies saying they have Big Data because they implemented Hadoop or a data lake and maybe Spark.

  That’s just wrong.

  Big Data, or more precisely, to be Data Driven, is a state where the data a company produces can be reused, as soon as possible, to optimize itself. And there are many ways to reuse data: all meetings and decisions happen with abundance of data, or recently generated data instantly feeds machine learning algorithms to optimize transactions, just to name a few situations.

  To be Driven by Data is part culture and part infrastructure. On the infrastructure side, IT teams still struggle with limited visions about how data should flow pervasively and how access should be granted. They fear about security and performance while they should fear of missing out the data opportunity.

  Data Streaming is a breakthrough recent technology that is here to help with more fluent data access. For an agile and effective data architecture, Data Streaming is much more strategic and important than just a bigger data warehouse because it is the component that can unleash your data and finally make it useful.

  On my LinkedIn of 2021-05-30 15:11:58

• ! Avi Alkalay ¡ Die, e-mail, die, die

  Nobody here reads e-mails. Avoid sending e-mails. If you need to send an e-mail to someone, notify him/her on Slack in order to actually have them reading it.

  First week on a startup.

  Die, e-mail, die, die. Finally!

  Also on my LinkedIn of 2021-06-11 12:29:05

• ! Avi Alkalay ¡ How programmers should record time

  We the data people immediately identify a poorly designed system when we see it handling date and time as plain local time, instead of the number of seconds since January 1st 1970 of time zone 0.

  • This post was published on 1,626,425,523 (UTC, always UTC).
  • Jesus was born -62,399,513,432.
  • Man visited the moon between -14,552,880 and 93,172,200.
  • And so on…

  Just your daily dose of nerdy facts…

  Also on my LinkedIn of 2021-07-16 09:10:06

• The NeuroFedora Blog Next Open NeuroFedora meeting: 27 March 1300 UTC

  

  Photo by William White on Unsplash.

  
  

  Please join us at the next regular Open NeuroFedora team meeting on Monday 27 March at 1300 UTC. The meeting is a public meeting, and open for everyone to attend. You can join us over:

  • Matrix (using your web-browser)
  • IRC

  You can use this link to convert the meeting time to your local time. Or, you can also use this command in the terminal:

  $ date --date='TZ="UTC" 1300 2023-03-27'
  

  The meeting will be chaired by @ankursinha. The agenda for the meeting is:

  • New introductions and roll call.
  • Tasks from last meeting.
  • Open Pagure tickets.
  • Package health check.
  • Open package reviews check.
  • CompNeuro lab compose status check for Fedora 38/rawhide.
  • Neuroscience query of the week
  • Next meeting day, and chair.
  • Open floor.

  We hope to see you there!

• Josh Bressers Episode 368 – The Sovereign Tech Fund with Fiona Krakenbürger

  Josh and Kurt talk to Fiona Krakenbürger about the Sovereign Tech Fund. This is a fund created by Germany to fund important open source projects. Fiona has amazing insight into how this fund was created, what it’s doing today to help fund open source. She discusses where we go from here and what the future will look like. The Sovereign Tech Fund is a forward thinking program to fund open source across the world. This episode is a window into the future.

  Show Notes

  • Fiona on Mastodon
  • Sovereign Tech Fund
  • Sovereign Tech Fund Feasibility Study
  • NJ Governor Requests Expertise of 6 People Who Still Know COBOL
  • OpenSSF Criticality Score
  • European critical open source software
  • OSTIF critical open source projects
  • Apply to the Sovereign Tech Fund

March 26, 2023

• Jon Chiappetta Hi-Tech Meets Lo-Tech

  Found this little device on Amazon called Switchbot and it is currently helping me to get into the garage without having to program anything extra or buy more openers or what not!

• Joe Brockmeier What If Everybody Did It (WIEDI)?

  Most people, I think, tend only to think about their actions and interactions as one-offs. That is, we think “what happens if I do this” and consider the impact from that perspective. But what if we considered the outcomes and impacts if everybody (or even a lot of people) do the same thing? We might act differently. And maybe we should think that way more often. Let’s talk about What If Everybody Did It (WIEDI)? (Don’t worry, there’s a tie-in to open source and community in here, too…)

  The big picture

  Most of the time, people don’t seem to consider actions in aggregate unless it’s pointed out. Consider littering. In the United States it used to be just normal for people to throw garbage out of the car, because there weren’t norms against it. That’s not surprising when you consider that car ownership didn’t really become mainstream until the 1930s and 1940s, and then things like fast food (and the packaging that supports it) became more mainstream in the 1950s and 1960s.

  So people just chucked their garbage out the window with great regularity. And, you know, how big a deal is it if one person just tosses a paper bag or drink cup out a window? Inconsiderate, sure. But it’s pretty big country. One jerk tossing trash out the window all over the place is not going to do much in the grand scheme of things. Where’s the harm, right? The harm is in aggregate.

  Litter used to be ridiculous. It’s still a problem, but it used to be so much worse. What happened? To greatly oversimplify, they ran a big PSA campaign in the 70s to stop littering, and it changed (many) people’s behavior. Litter is still an issue, but less of one. Why?

  Not just because they made littering look like the irresponsible practice that it is, but because they showed the negative impact when everybody litters. If one person throws garbage out of the car window, the impact is small. But when everybody does it, it’s a massive eyesore. They made people think about WIEDI. But, pretty much, just about litter.

  What if we considered all, or even many, of our actions through the lens of WIEDI?

  • If one person picks up some garbage, that’s nice but won’t have a great impact. If everybody makes a practice of picking up garbage, things will look much nicer.
  • If one person is rude to service workers, that’s awful but isolated and lower impact. If everybody is rude, it’s brutal and demoralizing for people in service jobs.
  • If one person contributes a bug report or patch to open source projects they use instead of just complaining about bugs, it helps a little bit. If everybody does that, open source projects will be healthier.
  • If one person DMs or emails event organizers a question they could’ve looked up (or waited on), it’s no big deal. If everybody does it, it puts an even bigger burden on the organizers who are trying to handle the event.
  • If one startup withdraws all its money from a bank that’s struggling a bit, they can handle it. If everybody does it… well, we know that one.

  Community impact

  If you work in a community facing role in open source or tech, the impact of individual behavior at scale becomes immediately obvious. You’ll find yourself fielding a lot of requests or behaviors that, individually, have little impact. At scale, they tend to be very noticeable. Sometimes for the good, sometimes not.

  Consider conferences. Lots of people want individualized attention for their conference submissions, feedback on why they weren’t accepted. Seems kinda reasonable on an individual level, right? Why can’t you take 15 minutes to look through the submissions and tell me why mine wasn’t accepted?

  If one person asks, that’s no big problem. If two people ask… that’s 30 minutes. And if 20 people ask… well, there goes a day or two. And that’s assuming there’s no further discussion or objections.

  On the positive side, think about well-curated wikis. They’re rare, but when a project has a strong culture of updating info on the wiki (or whatever) it’s great. If everybody does a little work to update a project’s info, it’s not heavy lifting for a single person and the net effect is fantastic.

  And some community norms spring out of WIEDI. Take the ASF’s guidelines around “if it didn’t happen on the mailing list, it didn’t happen,” and other guidelines around consensus that explicitly give a time limit for feedback (lazy consensus). Why? Because those norms came out of understanding what happens if “everybody” (or just a lot of people) make decisions offlist and/or turn up two weeks after something is decided and want to reopen a discussion. It’s unworkable. Is it a problem as a one-off? Not usually – but the cumulative effect is awful, so it’s better to have a community norm that codifies the behavior that helps projects run more smoothly.

  Individually our impact is (usually) small. If I’m the kindest, most considerate person I can be or the biggest jerk I could be, my impact is limited. But if we all move in one direction or the other, the potential is enormous. So think about WIEDI and try to aim for the kind, considerate, constructive ways you might make an impact and move the needle — however slightly — towards the good.

  Bring it to other people’s attention, too. “Hey, what if everybody did that?” Not just for negative things, but also positive. “Hey, thanks for updating the wiki about that thing. If everybody does that, we’ll be in great shape!” or “great bug report, if all bug reports were that detailed my job would be so much easier!”

  Try to think about WIEDI a few times a day, for little actions and for big actions. Returning shopping carts. Chipping in some money for a GoFundMe. Going to a local restaurant or coffee shop instead of a chain. Deciding not to poke somebody for an update you don’t actually need, but you’re just itching to find out a little sooner. Being understanding about mistakes instead of complaining.

  I’m sure that you can think of plenty of examples yourself. Would love to hear some examples or other people’s thoughts of WIEDI in action.

March 24, 2023

• Fedora Community Blog Friday’s Fedora Facts: 2013-12

  Here’s your weekly Fedora report. Read what happened this week and what’s coming up. Your contributions are welcome (see the end of the post)!

  I have weekly office hours most Wednesdays in the morning and afternoon (US/Eastern time). Drop by if you have any questions or comments about the schedule, Changes, elections, or anything else. See the upcoming meetings for more information.

  • Announcements
  • Calls for Participation
  • Help wanted
  • Meetings & Events
  • Releases

  Announcements

  • Inactive packagers will be removed after the F38 release.
  • Check your meetings for upcoming summer time changes.
  • Save 1–5 August for Flock to Fedora in Cork, IE.
  • GitHub changed their SSH host key.

  CfPs

  Conference	Location	Date	CfP
  Akademy	Thessaloniki, GR	15–16 July	closes 30 Mar
  Conference for Open Source Coders, Users and Promoters (COSCUP)	Taipei, TW	29–30 Jul	closes 30 Mar
  Container Days	Hamburg, DE	11–13 Sep	closes 31 Mar
  All Things Open	Raleigh, NC, US	15–17 Oct	closes 31 Mar
  The Perl and Raku Conference	Toronto, ON, CA	11–13 Jul	closes 31 Mar
  DevConf US	Boston, MA, US	16–18 Aug	closes 3 Apr
  Upstream	virtual	7 Jun	closes 7 Apr
  openSUSE Conference 2023	Nürnberg, DE	26–28 May	closes 9 Apr
  TechBash	Mount Pocono, PA, US	7–10 Nov	closes 11 Apr
  Pacific Northwest Software Quality Conference	Portland, OR, US and virtual	9–11 Oct	closes 16 Apr
  Web Weekend Kathmandu	Kathmandu, NP	23–24 Sep	closes 21 Apr
  DevRelCon London	London, UK	7–8 Sep	closes 21 Apr
  Cincy Deliver	Cincinnati, OH, US	28 Jul	closes 30 Apr
  ShipIt Con	Dublin, IE	1 Sep	closes 1 May
  FOSS Security Campus	Berlin, DE	26–29 Sep	closes 14 May
  React Norway	Larvik, NO	16 Jun	closes 15 May
  Front Conference	Zurich, CH	31 Aug–1 Sep	closes 31 May
  Inclusive Design 24	virtual	21 Sep	closes 4 Jun

  Help wanted

  • Package review requests:
    • 280 are awaiting a reviewer
    • 30 need a sponsor
  • Orphaned packages seeking maintainers

  Meetings & events

  • Blocker review meeting — 1600 UTC Monday in #fedora-blocker-review
  • Mindshare Committee meeting — 1200 UTC Tuesday in #fedora-mindshare
  • FESCo meeting — 1700 UTC Tuesday in #fedora-meeting
  • Council meeting — 1400 UTC Wednesday in #fedora-meeting
  • Fedora Social Hour — 2300 UTC Thursday in #social on Fedora.im

  Releases

  Release	open bugs
  F36	4509
  F37	3871
  F38 (pre-release)	1142
  Rawhide	6982

  Prioritized Bugs

  See the Prioritized Bugs documentation for information on the process, including how to nominate bugs.

  Bug ID	Component	Status
  2015490	initial-setup	ON_QA

  Fedora Linux 38

  • 735 packages fail to build from source
  • 51 packages fail to install

  Blockers

  Bug	Component	Status	Blocker status
  2170878	crypto-policies	ASSIGNED	Accepted (Final)
  2171350	kernel	NEW	Accepted (Final)
  2176782	kernel	POST	Accepted (Final)
  2172956	openssh	POST	Accepted (Final)
  2174563	sddm	NEW	Accepted (Final)
  2113005	shim	NEW	Accepted (Final)
  2177153	abrt	NEW	Proposed (Final)
  2180768	accountservice	MODIFIED	Proposed (Final)
  2180277	gnome-shell	NEW	Proposed (Final)
  2181367	gnome-software	MODIFIED	Proposed (Final)
  2179591	kwin	NEW	Proposed (Final)

  Schedule

  Below are some upcoming schedule dates. See the schedule website for the full schedule.

  • 2023-04-04 — Final freeze begins
  • 2023-04-18 — Final release early target date

  Changes

  The table below lists Changes status. See the ChangeSet page or Bugzilla for more information.

  Status	Count
  ASSIGNED	3
  MODIFIED	1
  ON_QA	45
  CLOSED	2

  Fedora Linux 39

  • 504 packages fail to build from source
  • 53 packages fail to install

  Changes

  The table below lists proposed Changes. See the ChangeSet page or Bugzilla for information on approved Changes.

  Proposal	Type	Status
  FontAwesome6	Self-Contained	Approved
  SPDX License Phase 2	System-Wide	FESCo #2972
  EC2 AMIs default to the gp3 EBS volume type	Self-Contained	Announced
  Register EC2 Cloud Images with IMDSv2-only AMI flag	Self-Contained	Announced
  Changes of defaults in createrepo_c-1.0.0	System-Wide	Announced
  Register EC2 Cloud Images with uefi-preferred AMI flag	Self-Contained	Announced

  Contributing

  Have something you want included? You can file an issue or submit a pull request in the fedora-pgm/pgm_communication repo.

  The post Friday’s Fedora Facts: 2013-12 appeared first on Fedora Community Blog.

• Matthew Garrett We need better support for SSH host certificates

  Github accidentally committed their SSH RSA private key to a repository, and now a bunch of people's infrastructure is broken because it needs to be updated to trust the new key. This is obviously bad, but what's frustrating is that there's no inherent need for it to be - almost all the technological components needed to both reduce the initial risk and to make the transition seamless already exist.
  
  But first, let's talk about what actually happened here. You're probably used to the idea of TLS certificates from using browsers. Every website that supports TLS has an asymmetric pair of keys divided into a public key and a private key. When you contact the website, it gives you a certificate that contains the public key, and your browser then performs a series of cryptographic operations against it to (a) verify that the remote site possesses the private key (which prevents someone just copying the certificate to another system and pretending to be the legitimate site), and (b) generate an ephemeral encryption key that's used to actually encrypt the traffic between your browser and the site. But what stops an attacker from simply giving you a fake certificate that contains their public key? The certificate is itself signed by a certificate authority (CA), and your browser is configured to trust a preconfigured set of CAs. CAs will not give someone a signed certificate unless they prove they have legitimate ownership of the site in question, so (in theory) an attacker will never be able to obtain a fake certificate for a legitimate site.
  
  This infrastructure is used for pretty much every protocol that can use TLS, including things like SMTP and IMAP. But SSH doesn't use TLS, and doesn't participate in any of this infrastructure. Instead, SSH tends to take a "Trust on First Use" (TOFU) model - the first time you ssh into a server, you receive a prompt asking you whether you trust its public key, and then you probably hit the "Yes" button and get on with your life. This works fine up until the point where the key changes, and SSH suddenly starts complaining that there's a mismatch and something awful could be happening (like someone intercepting your traffic and directing it to their own server with their own keys). Users are then supposed to verify whether this change is legitimate, and if so remove the old keys and add the new ones. This is tedious and risks users just saying "Yes" again, and if it happens too often an attacker can simply redirect target users to their own server and through sheer fatigue at dealing with this crap the user will probably trust the malicious server.
  
  Why not certificates? OpenSSH actually does support certificates, but not in the way you might expect. There's a custom format that's significantly less complicated than the X509 certificate format used in TLS. Basically, an SSH certificate just contains a public key, a list of hostnames it's good for, and a signature from a CA. There's no pre-existing set of trusted CAs, so anyone could generate a certificate that claims it's valid for, say, github.com. This isn't really a problem, though, because right now nothing pays attention to SSH host certificates unless there's some manual configuration.
  
  (It's actually possible to glue the general PKI infrastructure into SSH certificates. Please do not do this)
  
  So let's look at what happened in the Github case. The first question is "How could the private key have been somewhere that could be committed to a repository in the first place?". I have no unique insight into what happened at Github, so this is conjecture, but I'm reasonably confident in it. Github deals with a large number of transactions per second. Github.com is not a single computer - it's a large number of machines. All of those need to have access to the same private key, because otherwise git would complain that the private key had changed whenever it connected to a machine with a different private key (the alternative would be to use a different IP address for every frontend server, but that would instead force users to repeatedly accept additional keys every time they connect to a new IP address). Something needs to be responsible for deploying that private key to new systems as they're brought up, which means there's ample opportunity for it to accidentally end up in the wrong place.
  
  Now, best practices suggest that this should be avoided by simply placing the private key in a hardware module that performs the cryptographic operations, ensuring that nobody can ever get at the private key. The problem faced here is that HSMs typically aren't going to be fast enough to handle the number of requests per second that Github deals with. This can be avoided by using something like a Nitro Enclave, but you're still going to need a bunch of these in different geographic locales because otherwise your front ends are still going to be limited by the need to talk to an enclave on the other side of the planet, and now you're still having to deal with distributing the private key to a bunch of systems.
  
  What if we could have the best of both worlds - the performance of private keys that just happily live on the servers, and the security of private keys that live in HSMs? Unsurprisingly, we can! The SSH private key could be deployed to every front end server, but every minute it could call out to an HSM-backed service and request a new SSH host certificate signed by a private key in the HSM. If clients are configured to trust the key that's signing the certificates, then it doesn't matter what the private key on the servers is - the client will see that there's a valid certificate and will trust the key, even if it changes. Restricting the validity of the certificate to a small window of time means that if a key is compromised an attacker can't do much with it - the moment you become aware of that you stop signing new certificates, and once all the existing ones expire the old private key becomes useless. You roll out a new private key with new certificates signed by the same CA and clients just carry on trusting it without any manual involvement.
  
  Why don't we have this already? The main problem is that client tooling just doesn't handle this well. OpenSSH has no way to do TOFU for CAs, just the keys themselves. This means there's no way to do a git clone ssh://git@github.com/whatever and get a prompt asking you to trust Github's CA. Instead, you need to add a @cert-authority github.com (key) line to your known_hosts file by hand, and since approximately nobody's going to do that there's only marginal benefit in going to the effort to implement this infrastructure. The most important thing we can do to improve the security of the SSH ecosystem is to make it easier to use certificates, and that means improving the behaviour of the clients.
  
  It should be noted that certificates aren't the only approach to handling key migration. OpenSSH supports a protocol for key rotation, basically by allowing the server to provide a set of multiple trusted keys that the client can cache, and then invalidating old ones. Unfortunately this still requires that the "new" private keys be deployed in the same way as the old ones, so any screwup that results in one private key being leaked may well also result in the additional keys being leaked. I prefer the certificate approach.
  
  Finally, I've seen a couple of people imply that the blame here should be attached to whoever or whatever caused the private key to be committed to a repository in the first place. This is a terrible take. Humans will make mistakes, and your systems should be resilient against that. There's no individual at fault here - there's a series of design decisions that made it possible for a bad outcome to occur, and in a better universe they wouldn't have been necessary. Let's work on building that better universe.
  
  comments

• Fedora fans آموزش نصب و پیکربندی Cilium در Kubernetes – بخش ۴

  

  
  در ادامه ی سلسه مطلب «آموزش نصب و پیکربندی Cilium در Kubernetes» ، اکنون در قسمت چهارم از این مجموعه قصد داریم تا اجرای سیاست های اجرایی Identity-Aware و HTTP-Aware یا همان

  Identity-Aware and HTTP-Aware Policy Enforcement را توضیح دهیم.

  در این مرحله قصد داریم سیاست Identity-Aware و HTTP-Aware را انجام دهیم. به همین خاطر از مثال جنگ ستارگان (Star Wars) استفاده خواهیم کرد که شامل سه application به صورت microservice با نام های deathstar, tiefighter و xwing می باشد.

  Deathstar یک HTTP webservice بر روی پورت 80 اجرا می کند که بوسیله Kubernetes Service ترافیک را به صورت load-balance بر روی دو pod ازdeathstar ارسال می کند. Deathstar به فضا پیماهای امپراتوری خدمات فرود ارائه می دهد که آنها می توانند درخواست های فرود (landing port) خود را ارسال کنند.

  پاد tiefighter نشان دهنده سرویس درخواست فرود در یک فضا پیمای امپراتوری معمولی است و xwing نشان دهنده خدمات مشابه در یک فضا پیمای متحد (alliance) است.

  با استفاده از این مثال می توانیم سیاست های امنیتی مختلف را برای کنترل دسترسی به خدمات فرود deathstar آزمایش کنیم.

  توپولوژی Application برای Cilium و Kubernetes به صورت زیر می باشد:

  

  فایل http-sw-app.yaml شامل Kubernetes Deployment برای deathstar و دو pod برای tiefighter و xwing می باشد که هر کدام از آنها دارای Kubernetes label های (org=empire, class=deathstar), (org=empire, class=tiefighter) و (org=alliance, class=xwing) می باشند. همچنین شامل Kubernetes Service برای deathstar می باشد که ترافیک را به صورت load-balance به pod هایی با lable های (org=empire, class=deathstar) ارسال می کند.

  اکنون برای deploy کردن application ها می توان دستور زیر را اجرا کرد:

  kubectl create -f https://raw.githubusercontent.com/cilium/cilium/v1.12/examples/minikube/http-sw-app.yaml

  یک نمونه خروجی از اجرای دستور گفته شده را در تصویر پایین مشاهده می کنید:

  
  Kubernetes اکنون pod ها و service ها را در پس زمینه deploy خواهد کرد. برای بررسی وضعیت آنها می توانید دستور زیر را اجرا کنید:

  kubectl get pods,svc
  

  
  یک نمونه خروجی از اجرای دستور گفته شده را در تصویر پایین مشاهده می کنید:

  

  هر pod در Cilium به عنوان Endpoint نمایش داده می شود. می‌توانیم ابزار cilium را در داخل پاد Cilium برای فهرست کردن آنها فراخوانی کنیم:

  kubectl -n kube-system get pods -l k8s-app=cilium
  kubectl -n kube-system exec cilium-rwmwr -- cilium endpoint list
  

  
  یک نمونه خروجی از اجرای دستورهای گفته شده را در تصویر پایین مشاهده می کنید:

  

  همانطور که در خروجی تصویر بالا مشاهده می کنید، سیاست اجرایی یا همان policy enforcement برای ingress و egress همچنان در همه این pod ها غیرفعال است زیرا هنوز هیچ policy شبکه ای (network policy) وارد نشده است که هر یک از پادها را انتخاب کند.

  بررسی دسترسی فعلی:

  از دیدگاه سرویس deathstar، فقط فضا پیماهایی با برچسب org=empire مجاز به اتصال و درخواست فرود هستند. از آنجایی که ما هیچ قانون اجرایی (rules enforced) نداریم، هم xwing و هم tiefighter می توانند درخواست فرود کنند. برای آزمایش این مورد، از دستورات زیر استفاده کنید:

  kubectl exec xwing -- curl -s -XPOST deathstar.default.svc.cluster.local/v1/request-landing
  kubectl exec tiefighter -- curl -s -XPOST deathstar.default.svc.cluster.local/v1/request-landing
  

  
  یک نمونه خروجی از اجرای دستورهای گفته شده را در تصویر پایین مشاهده می کنید:

  

  ادامه دارد …

  The post آموزش نصب و پیکربندی Cilium در Kubernetes – بخش ۴ first appeared on طرفداران فدورا.

• Fabio Alessandro Locati Fedora Sericea and Sway Spin beta

  The Fedora Project released Fedora 38 beta images. The Fedora Sway Spin and the Fedora Sericea ones are in the long list of released images! This is a critical point in the release of those Fedora artifacts based on Sway since it is the first time it has been possible to test them for the wider public. Although the Fedora Project has been creating Sway artifacts for a couple of months, those were based on Rawhide, which is “a not always stable” version of Fedora, since it tracks far in the future (4-10 months) versions of Fedora.

March 23, 2023

• Fedora Community Blog Fedora at SoCal Linux Expo 20x

  The Southern California Linux Expo (SCaLE) returned to Pasadena, CA and Fedora came back as an exhibitor. It was a very successful year for Fedora: attendees voted us “Most Memorable Booth”!

  Fedora at SCaLE

  I have now attended SCaLE every year since 2010, shortly after I moved to California.  Since the last SCaLE was in late July, there was less time between them.  As a result, I noticed a few things that contributed to this year’s SCaLE being an particularly special year: many larger corporate vendors who were at SCaLE last year didn’t come back this year, so it felt like there were more hobbyist and community groups to fill in the space.  At the same time, many who had not been travelling due to COVID returned for the first time in years.  It resulted in SCaLE feeling a bit more genuine this year with a crowd of people who largely knew what Linux and open source are about and were excited to be there.

  In the booth

  At the Fedora booth, we had a great crew and excellent swag, but the real highlight was getting to connect with users who shared with us what they are currently doing with Fedora. Instead of scanning people’s badges, we offered a simple form for users to connect with us so we can follow up with them about ways they might want to get more involved. Thanks to our excellent group of Fedora Ambassadors including Perry Rivera, Alex Acosta, Ivan Chavero, Brian Monroe (and always a treat to see Jeff Carlson, who again was on staff with SCaLE this year)!

  

  On stage

  Brian Monroe (aka, paradoxguitarist) presented the Fedora talk on Saturday. It was very well attended. He gave an overview of considerations for doing professional audio with Linux. Brian covered recommended hardware, necessary software, and how the Fedora Jam defaults save considerable effort in getting things set up. The talk included a live demonstration of Fedora Jam using a MIDI keyboard to synthesize various instruments and used sound patches to generate impressively realistic compositions. Afterwards, he brought this to the Fedora booth at the exhibition hall. Musically-inclined people could try it out(with headphones this time) for themselves, and several did! It was another great demonstration of how the Fedora community breeds creativity.

  

  What is Fedora Linux good for?

  Multiple people asked me why we were voted Most Memorable Booth. Did we have some kind of gimmick? To be fair, we did have excellent swag this year and a great crew of people at the booth, but in my opinion, it was our enthusiastic community of users who made it truly exceptional.

  Instead of asking overly generic questions like “Do you use Fedora Linux?” and “Have you tried Kinoite or Silverblue yet?”, I decided to ask “What’s something fun or interesting you’re doing with Fedora these days?” and the answers very much did not disappoint.

  Workstation Adventures

  When I asked the person above what they were using Fedora Linux for, they pulled out this Surface Go tablet running on Fedora 37! It honestly looked amazing!

  

  Gaming was another common use reported for Fedora Linux. The fact that Steam OS, Proton, and Lutris (who was at the event) have all contributed to the Linux gaming ecosystem has all meant very good things for Fedora as a gaming platform.

  At least one user reported that they are running Fedora on a Lenovo laptop that came with Fedora pre-installed!

  At Work

  Multiple people advised that they use Fedora to teach others Linux, with one of them saying that they used Fedora in the classroom for this purpose. Another user said that Fedora is running on their microcontrollers at work.

  At Home

  Fedora IoT and CoreOS really shined here, especially around Home Lab and Home Automation use cases.

  For Home Automatiom, one user reported that they are running a 5-node Spark cluster with Fedora IoT on Raspberry Pis. Another made their own digital photo frame powered by Fedora.

  For Home Lab users, someone reported using Fedora Linux as a router and DHCP server for their home networking. Another was using Fedora CoreOS for experimental network testing and for running their own Nextcloud instance. Another is running a k3s cluster on Fedora to run their own FreeIPA with Fedora Server.

  For Development

  If you thought I was adventurous for using Fedora Linux to write a BASIC shell for Linux, one user shared that he was using Fedora to write his own DNS server from scratch in Rust! Another is using Fedora Linux to write Android apps and test them in VMs. Another is writing BPF programs focused on securing IoT devices. Finally, one user said that he used Fedora Linux to package his own software for the Fedora repos. He told us he really enjoyed the overall experience of getting it packaged in RPM and the review process.

  Editor’s note: This post is adapted from two posts on Scott’s personal website: Fedora at SoCal Linux Expo 20x and What Is Fedora Linux Good For?

  The post Fedora at SoCal Linux Expo 20x appeared first on Fedora Community Blog.

March 22, 2023

• Jon Chiappetta The Best Looking iPhone 15 Pro Renders

  So I’ve been tracking the iPhone 15 rumors and I think the best looking renders so far are the ones that keep the antenna bands as a straightened-flattened ribbon wrapping around the phone with the back glass being curved itself at the edges. It will then look like the two different pieces have come together to make up the overall phone. This, along with the flush camera lenses, which dates back to the beautiful iPhone 4S design, would help make it look a lot more stylish as well. I will greatly miss the silencing physical dip switch if Apple decides to remove it but let’s see what they end up doing!

  

• Peter Czanik The syslog-ng Insider 2023-03: 4.1; Homebrew; Ventura;

  Dear syslog-ng users,

  
  

  This is the 108th issue of syslog-ng Insider, a monthly newsletter that brings you syslog-ng-related news.

  
  

  NEWS

  
  

  Version 4.1 of syslog-ng available

  Version 4.1.1 of syslog-ng is now available. It brings PROXY protocol v2 support, many metrics related improvements, including initial Prometheus support, improved Kubernetes support, and many bugfixes. For a complete list of syslog-ng changes, check the release notes:

  https://github.com/syslog-ng/syslog-ng/releases/tag/syslog-ng-4.1.1

  Syslog-ng is now available in Homebrew

  Installing syslog-ng on Mac is easy, if you use Homebrew for 3rd party packages. Previously, you had to install dependencies and then compile syslog-ng from source. Now, a single command takes care of everything:

  brew install syslog-ng

  For more details read https://www.syslog-ng.com/community/b/blog/posts/syslog-ng-is-now-available-in-homebrew

  Syslog-ng on MacOS Ventura

  Each new MacOS release brings some surprises when it comes to compiling syslog-ng. MacOS Ventura has been released recently, while Homebrew has also been updated. So here are some updated instructions for MacOS Ventura (and also for the last MacOS minor release before Ventura).

  https://www.syslog-ng.com/community/b/blog/posts/syslog-ng-on-macos-ventura

  WEBINARS

  • You can browse recordings of past webinars at https://www.syslog-ng.com/events/

  
  

  Your feedback and news, or tips about the next issue are welcome. To read this newsletter online, visit: https://syslog-ng.com/blog/

• Cockpit Project Cockpit 288

  Cockpit is the modern Linux admin interface. We release regularly.

  Here are the release notes from Cockpit 288, cockpit-machines 286, and cockpit-podman 65:

  Accounts: Show shell and home directory on detail page

  Account detail pages show the home directory and shell for an account.

  

  Accounts: Custom user ID during account creation

  A custom user ID can now be specified during account creation. It defaults to the next available user ID on the system.

  

  Overview: Support additional timeservers with chronyd

  Cockpit can now configure additional time servers when chronyd is used to synchronize the clock. Previously, this was only supported with systemd-timesyncd.

  

  Metrics: Show longer time span by default

  The PCP metrics graphs have been redesigned to only show a summary of events for each hour, so that more data fits on the page. The hours can be expanded to get more details.

  

  Storage: Mounting filesystems at boot time

  Filesystems created in Cockpit are usually not used for the main operating system, so they are often supplemental. As such, they now default to nofail, to allow a server to boot even if the additional filesystem is not mounted.

  The new “at boot” option provides several choices with explanations of when the filesystem would be mounted and what would happen if it was not mounted.

  

  Machines: Create VM based on cloud image and start it later

  A VM created from a “cloud base” image can now use the “Create and edit” mode. This is a way to edit all virtual machine properties (bootloader, boot order, disks, networking, etc.) before the VM is installed.

  API removal: Remove cockpit.dbus.publish() and .meta()

  The cockpit.js library dropped cockpit.dbus.publish() and cockpit.dbus.meta(), which were meant to create a D-Bus server object from inside a Cockpit page. No known Cockpit project has ever used these functions, and we are not aware of a good use case.

  If you are using this API, please let us know!

  Try it out

  Cockpit 288, cockpit-machines 286, and cockpit-podman 65 are available now:

  • For your Linux system

  • Cockpit Client

  • Cockpit Source Tarball
  • Cockpit Fedora 38
  • Cockpit Fedora 37
  • cockpit-machines Source Tarball
  • cockpit-machines Fedora 38
  • cockpit-machines Fedora 37
  • cockpit-podman Source Tarball
  • cockpit-podman Fedora 38
  • cockpit-podman Fedora 37

March 21, 2023

• Michael Catanzaro WebKitGTK API for GTK 4 Is Now Stable

  With the release of WebKitGTK 2.40.0, WebKitGTK now finally provides a stable API and ABI for GTK 4 applications. The following API versions are provided:

  • webkit2gtk-4.0: this API version uses GTK 3 and libsoup 2. It is obsolete and users should immediately port to webkit2gtk-4.1. To get this with WebKitGTK 2.40, build with -DPORT=GTK -DUSE_SOUP2=ON.
  • webkit2gtk-4.1: this API version uses GTK 3 and libsoup 3. It contains no other changes from webkit2gtk-4.0 besides the libsoup version. With WebKitGTK 2.40, this is the default API version that you get when you build with -DPORT=GTK. (In 2.42, this might require a different flag, e.g. -DUSE_GTK3=ON, which does not exist yet.)
  • webkitgtk-6.0: this API version uses GTK 4 and libsoup 3. To get this with WebKitGTK 2.40, build with -DPORT=GTK -DUSE_GTK4=ON. (In 2.42, this might become the default API version.)

  WebKitGTK 2.38 had a different GTK 4 API version, webkit2gtk-5.0. This was an unstable/development API version and it is gone in 2.40, so applications using it will break. Fortunately, that should be very few applications. If your operating system ships GNOME 42, or any older version, or the new GNOME 44, then no applications use webkit2gtk-5.0 and you have no extra work to do. But for operating systems that ship GNOME 43, webkit2gtk-5.0 is used by gnome-builder, gnome-initial-setup, and evolution-data-server:

  • For evolution-data-server 3.46, use this patch which applies on evolution-data-server 3.46.4.
  • For gnome-initial-setup 43, use this patch which applies on gnome-initial-setup 43.2. (Update: for your convenience, this patch will be included in gnome-initial-setup 43.3.)
  • For gnome-builder 43, all required changes are present in version 43.7.

  Remember, patching is only needed for GNOME 43. Other versions of GNOME will have no problems with WebKitGTK 2.40.

  There is no proper online documentation yet, but in the meantime you can view the markdown source for the migration guide to help you with porting your applications. Although the API is now stable and it is close to feature parity with the GTK 3 version, there are some problems to be aware of:

  • No support for accessibility. The GTK and WebKitGTK developers are collaborating on a plan to fix this, and I hope this will be ready for WebKitGTK 2.42.
  • Multiple NVIDIA proprietary graphics driver users report that it doesn’t work at all. Nobody currently plans to work on this. The WebKitGTK developers do not use NVIDIA graphics, and it will have to be debugged by somebody who does.
  • Various smaller regressions here and there. The GTK 4 version is almost as stable as GTK 3, and now is a good time to start using it. As with any interesting new software, there is still some work to do.

  Big thanks to everyone who helped make this possible.

• Peter Czanik Syslog-ng 101, part 12: Elasticsearch (and Opensearch, Zinc, Humio, etc.)

  This is the 12th part of my syslog-ng tutorial. Last time, we learned about enriching log messages using syslog-ng. Today, we learn about how to send log messages to Elasticsearch.

  You can watch the video or read the text below.

  https://youtu.be/44rFCmSdb6M

  History of Elasticsearch support

  Originally, the Elasticsearch destination of syslog-ng was implemented in Java. It was a bit resource hungry, but it worked well and was also fast. Unfortunately, however, this implementation could not be included in Linux distributions, as the build process used tools that were unavailable in distributions and downloaded JAR files instead of compiling everything from the source. Using Java was also problematic, because the included drivers had to be updated after each Elasticsearch release.

  As such, there is now another implementation of the Elasticsearch destination that does not need Java. Actually, it is a configuration snippet in the syslog-ng configuration library (SCL). It is a wrapper around the generic http() destination driver, which is implemented in C. It is not just the Elasticsearch destination that uses it, though: Slack, Sumologic, Telegram, and a number of other destinations all build on the http() destination.

  Note that while I keep referring to this driver as “Elasticsearch destination”, you can actually use it with several other software utilizing the Elasticsearch API, such as Opensearch, Zinc, Humio and probably more.

  Elasticsearch-http()

  In this part of the syslog-ng tutorial, we use a configuration similar to what we used when we talked about log enrichment. However, there are a few changes. The first one is that instead of a JSON file, syslog-ng sends log messages to Elasticsearch. Here you can see an Elasticsearch destination, based on the elasticsearch-http() driver:

  destination d_elasticsearch_http {
    elasticsearch-http(
      index("syslog-ng")
      type("")
      user("elastic")
      password("Gr3CmhxxxxxxuCWB")
      url("https://localhost:9200/_bulk")
      template("$(format-json --scope rfc5424 --scope dot-nv-pairs
        --rekey .* --shift 1 --scope nv-pairs
        --exclude DATE @timestamp=${ISODATE})")
      tls(peer-verify(no))
    );
  };

  There might be minor differences in the URL or template when sending logs to Opensearch, Zinc or Humio. You can find configuration examples in the syslog-ng blog.

  The index() is the database name where syslog-ng sends the log messages. Type() was used for Elasticsearch 6 and earlier. It is still a mandatory parameter for the driver in syslog-ng, but for 7 and later versions, you have to keep this parameter empty. User() and password() identify the user if security is enabled. URL() takes multiple parameters, and that way, syslog-ng can perform load balancing among multiple Elasticsearch nodes.

  The template is almost the same as we have seen in the previous part of my syslog-ng tutorial. We talked about templates and template functions earlier, so here I only want to emphasize one key difference: there are no new lines at the end of the template. While new lines make text files easier to read, they break Elasticsearch.

  GeoIP rewrite

  The GeoIP parser of syslog-ng stores longitude and latitude information into two separate name-value pairs. Kibana expects them in a single name-value pair and does not like empty values. As such, this rewrite rule makes sure that syslog-ng sends geographical location information in the expected format, and only if the related information exists.

  rewrite r_geoip2 {
    set(
      "${geoip2.location.latitude},${geoip2.location.longitude}",
      value( "geoip2.location2" ),
      condition(not "${geoip2.location.latitude}" == "")
    );
  };

  Mapping

  For certain data types, like geographical coordinates, Elasticsearch needs mapping. Mapping is telling Elasticsearch that a given name-value pair contains a certain data type. This mapping matches the example syslog-ng configuration in this tutorial, and sets the type to “geo_point”.

  Note that mapping has slight differences between the various Elasticsearch versions, so the following example might need small modifications for the version you use.

  {
    "mappings" : {
      "properties" : {
        "geoip2" : {
          "properties" : {
            "location2" : {
              "type" : "geo_point"
            }
          }
        }
      }
    }
  }

  Example configuration

  This example configuration collects both local log messages and iptables logs over the network. It parses the iptables logs, and adds geographical information to source IP addresses using the GeoIP parser. Finally, it stores both the local log messages and the parsed iptables logs into Elasticsearch.

  @version:3.37
  @include "scl.conf"
  source s_sys { system(); internal();};
  destination d_mesg { file("/var/log/messages"); };
  log { source(s_sys); destination(d_mesg); };
  source s_tcp {
    tcp(ip("0.0.0.0") port("514"));
  };
  
  parser p_kv {kv-parser(prefix("kv.")); };
  
  parser p_geoip2 { geoip2( "${kv.SRC}", prefix( "geoip2." ) database( "/usr/share/GeoIP/GeoLite2-City.mmdb" ) ); };
  
  rewrite r_geoip2 {
      set(
          "${geoip2.location.latitude},${geoip2.location.longitude}",
          value( "geoip2.location2" ),
          condition(not "${geoip2.location.latitude}" == "")
      );
  };
  
  destination d_elasticsearch_http {
      elasticsearch-http(
          index("syslog-ng")
          type("")
          user("elastic")
          password("Gr3CmhxxxxxxuCWB")
          url("https://localhost:9200/_bulk")
          template("$(format-json --scope rfc5424 --scope dot-nv-pairs
          --rekey .* --shift 1 --scope nv-pairs
          --exclude DATE @timestamp=${ISODATE})")
          tls(peer-verify(no))
      );
  };
  
  
  log {
      source(s_sys);
      source(s_tcp);
      if (match("s_tcp" value("SOURCE"))) {
          parser(p_kv);
          parser(p_geoip2);
          rewrite(r_geoip2);
      };
      destination(d_elasticsearch_http);
      flags(flow-control);
  };

  As usual, the configuration starts with a version number declaration and including the syslog-ng configuration library. It is followed by a source for local log messages, a file destination, and a log statement, which connects the two together.

  Iptables log messages are collected by a tcp() source. These logs are first parsed by a key=value parser, then by the GeoIP parser. You can learn more about these in the previous part of my tutorial.

  The rewrite rule creates a new name-value pair by combining the longitude and latitude information if they are not empty. The resulting format complies with the expectations of Elasticsearch and Kibana.

  The elasticsearch-http() destination stores log messages into an Elasticsearch database.

  The log statement starts with two sources: one for the local log messages, while the other one is the network source for collecting iptables logs. Parsing is only necessary for logs arriving to the network source, so there is an if statement, which is matching on logs coming from the TCP source. Matching logs are parsed and rewritten by the parsers and the rewrite rule defined earlier. Finally, all log messages are sent to Elasticsearch.

  Flags(flow-control) at the end means that if the destination is slow, syslog-ng slows down receiving the log messages. This works with a TCP source or when reading a file. However, it does not work with UDP, as syslog-ng has no way of letting the sending side know that the message rate is too high.

  Iptables sample logs

  Here are some iptables sample logs. These are good enough for testing, however using some real-life iptables log messages are a lot more fun. Refer to the previous part of the tutorial on how to send these logs to syslog-ng.

  Feb 27 14:31:01 bridge kernel: INBOUND UDP: IN=br0 PHYSIN=eth0 OUT=br0 PHYSOUT=eth1 SRC=212.123.153.188 DST=11.11.11.82 LEN=404 TOS=0x00 PREC=0x00 TTL=114 ID=19973 PROTO=UDP SPT=4429 DPT=1434 LEN=384  
  Feb 27 14:34:41 bridge kernel: INBOUND TCP: IN=br0 PHYSIN=eth0 OUT=br0 PHYSOUT=eth1 SRC=206.130.246.2 DST=11.11.11.100 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=9492 DF PROTO=TCP SPT=2577 DPT=80 WINDOW=17520 RES=0x00 ACK FIN URGP=0  
  Feb 27 14:34:55 bridge kernel: INBOUND TCP: IN=br0 PHYSIN=eth0 OUT=br0 PHYSOUT=eth1 SRC=4.60.2.210 DST=11.11.11.83 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=3024 DF PROTO=TCP SPT=3124 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0 

  IP addresses on map using GeoIP and Kibana

  This maps shows IP addresses on a map. It was created with syslog-ng using the GeoIP parser to turn IP addresses into geographical locations. Then, I used Kibana for display.

  Talking to security professionals, I was advised that these maps do not have much practical value. However, people in upper management love visualizations, and showing maps based on your firewall logs might help you to get additional funding for your information security budget… :-)

  
  

  If you have any questions or comments, leave a comment on YouTube or reach out to me on Twitter / Mastodon.

  -

  If you have questions or comments related to syslog-ng, do not hesitate to contact us. You can reach us by email or even chat with us. For a list of possibilities, check our GitHub page under the “Community” section at https://github.com/syslog-ng/syslog-ng. On Twitter, I am available as @PCzanik, on Mastodon as @Pczanik@fosstodon.org.-

• Fedora Community Blog Save the date: Flock to Fedora 2023

  Good news! I’m excited to announce the return of Flock to Fedora, our annual contributor conference. Save the date so you can plan to join us 1–5 August 2023 in Cork, Ireland. After three years, we’re ready to get together in person to make plans and share ideas.

  You may be wondering why it’s not in North America, since the last two Flocks were in Europe. We had planned to hold it in the United States this year, but the wait for visas made this impossible for some of our contributors. Although we know not everyone can join us in Cork, we want to make it as available as possible.

  You may also be wondering about the call for proposals, travel funding, and so on. Stay tuned for that information soon. In the meantime, clear your calendar. We’ll see you in Cork!

  The post Save the date: Flock to Fedora 2023 appeared first on Fedora Community Blog.

March 20, 2023

• Fedora fans نوروز ۱۴۰۲ مبارک باد

  

  

  نو شدن رسم تقویم است و رسالت مردمان. اگر به نو شدن تقویم بسنده کنیم تسلیم روزگاریم و اگر نو شدیم برگی جدید بر تاریخ زندگی خود خواهیم افزود. شادیهایمان بماند برای پس از نو شدنمان.

  The post نوروز ۱۴۰۲ مبارک باد first appeared on طرفداران فدورا.

• Adam Young Why is ABC Notation not ABC…?

  When we read we begin with

  A.B.C

  When we sing we begin with Do Re Mi

  –“Do, a Deer…” THe Sound of Music

  Western music has coalesced around the major scale. Which is really a pity, because western music notation was built around the natural minor scale.

  A. B. C. D. E. F. G. No sharps or flats added.

  And yes, when people write software tools, they are so indoctrinated into “Major scales” that we make tools like ABC notation (which I adore, by the way) that breaks in the middle of the ASCII sequence. The example on the landing page shows it right up front.

  GABc dedB

  See that jump between B and c? That is a half step. See that wrap around from G to A? That is a whole step.

  If, instead, the developer had been using A minor as the basis, it would have looked like this:

  Gabc dedb

  It would have been in ASCII order as well as semantically arranged from lowest to highest.

  Why do I care? I wrote a tool to generate music using ABC notation, and the amount of code I had to write to get around this particular eccentricity was annoying.

  When I learned the modes, it went with Ionian, Dorian, Phrygian, Lydian, Mixolydian, Aeloean, Locrian …and thus “no sharps” “Two flats” “Four flats” “one sharp” “one flat” “three flats” “five flats.” Which seems a little unbalances. If we start with A natural minor and no flats, then the sequence is 0, 2flats, 3sharps, 1sharp, 1flat, 4 sharps, 3 flats. Or, If organized by the number of accidentals:
  

  • 4 sharps lydian
  • 3 sharps Ionian
  • 2 sharps mixolydian
  • 1 sharp dorian
  • 0 sharps/flats Aeolean
  • 1 flat phrygian
  • 2 flats locrian

  This is the sequence from “brightest to darkest” or “most major to most minor.”

  It is still a bit unbalanced…if Dorian were in the middle it would be evenly distributed. If we were building around the harmonic series, Mixolydian would make the most sense, and then the only mode with 4 accidentals would be the Locrian, which is the most extreme mode anyway.

  Of course…it would have been even better if those ancient monks had been ignored and instead we wrote music where the major scale started on A.

  But considering what we have, using the natural minor as the basis makes for a much simpler notation.

• Josh Bressers Episode 367 – Open source will never be the same

  Josh and Kurt talk about GitHub enforcing sanctions against an open source developer and Docker changing how their registry works. There’s a lot to unpack in this one. There’s a lot of happenings going on in the world of open source. We are seeing governments paying attention to open source like never before, change is coming and everything is going to change.

  Show Notes

  • ipmitool Repository Archived, Developer Suspended By GitHub
  • Elixir: Docker now charges open source orgs $300

March 19, 2023

• Zach Oglesby

  I have an iPad that I use as my computer away from home, but it’s not really what I want. I have looked for a good device small that can run Emacs on the good a few times. I installed Linux on a Surface Go 2 but it was not great. I am really hoping that the MNT Pocket Reform fills my needs.

• Michel Alexandre Salim On recharge

  It’s been over 6 years since I started working at Meta (then known as Facebook). Not going to comment here about all the controversies surrounding our products, but as an employee, I have been lucky enough to work on interesting teams that, yes, don’t do anything that give me cause to be sleepless at night. One perk we have (that is no big deal to friends in Europe, but is a big deal in the US) is being able to take 30 calendar days of recharge leave (think of it as a short sabbatical) after each 5 years of employment (together with the 21 work days of PTO a year, this roughly brings us in line with what Europeans get courtesy of employment laws.

March 18, 2023

• Jon Chiappetta Turning an iPad into a Network Bandwidth Monitor Graph + Weather Station

  I wanted a quick and easy way to visualize and summarize the WAN traffic going through my home network so I wrote what started out as a basic Python script that acts as a simple server/javascript client to query my OpenWRT router for that information. It then uses chart.js to graph and plot the data being returned along with placing little display cards that show me the wind speed, wind direction, cloud graphic, time stamp, and weather summary for the next 5 hours

  I didn’t post the source code for this one as it was more of a highly specialized project that I thought applies for my particular use case and requirements.

  

• Jon Chiappetta Cloudflare Graphs – A Big Spike In Traffic – One Time

  So one evening recently I got an email alert for a big spike in traffic going to this blog. I don’t know why it happened and I don’t see my post view counts getting that high either so it was a strange event. Thankfully Cloudflare’s service was able to handle the total requests being made as I don’t have much visibility on the WordPress side of things. My blog setup here is a bit simplified unfortunately!

  

• Bodhi 7.1.1

  Released on 2023-03-18.
  This is a minor feature release.

  Features

  • The automated tests tab will now display information about queued and running tests (#5139).
  • Copy additional config files for pungi (#5154).

  Contributors

  The following developers contributed to this release of Bodhi:

  • Adam Williamson
  • Michal Konečný

March 17, 2023

• Fedora Community Blog Friday’s Fedora Facts: 2023-11

  Here’s your weekly Fedora report. Read what happened this week and what’s coming up. Your contributions are welcome (see the end of the post)!

  I have weekly office hours most Wednesdays in the morning and afternoon (US/Eastern time). Drop by if you have any questions or comments about the schedule, Changes, elections, or anything else. See the upcoming meetings for more information.

  • Announcements
  • Calls for Participation
  • Help wanted
  • Meetings & Events
  • Releases

  Announcements

  • Inactive packagers will be removed after the F38 release.
  • The Fedora Council is considering a policy to create a Code of Conduct Committee.
  • Check your meetings for upcoming summer time changes.

  CfPs

  Conference	Location	Date	CfP
  DevOpsDays Chicago	Chicago, IL, US	9–10 Aug	closes 17 Mar
  FOSSY call for tracks	Portland, OR, US	13–16 Jul	closes 19 Mar
  Akademy	Thessaloniki, GR	15–16 July	closes 30 Mar
  Container Days	Hamburg, DE	11–13 Sep	closes 31 Mar
  All Things Open	Raleigh, NC, US	15–17 Oct	closes 31 Mar
  The Perl and Raku Conference	Toronto, ON, CA	11–13 Jul	closes 31 Mar
  DevConf US	Boston, MA, US	16–18 Aug	closes 3 Apr
  Upstream	virtual	7 Jun	closes 7 Apr
  openSUSE Conference 2023	Nürnberg, DE	26–28 May	closes 9 Apr
  TechBash	Mount Pocono, PA, US	7–10 Nov	closes 11 Apr
  Web Weekend Kathmandu	Kathmandu, NP	23–24 Sep	closes 21 Apr
  DevRelCon London	London, UK	7–8 Sep	closes 21 Apr
  Cincy Deliver	Cincinnati, OH, US	28 Jul	closes 30 Apr
  ShipIt Con	Dublin, IE	1 Sep	closes 1 May
  React Norway	Larvik, NO	16 Jun	closes 15 May
  Front Conference	Zurich, CH	31 Aug–1 Sep	closes 31 May
  Inclusive Design 24	virtual	21 Sep	closes 4 Jun

  Help wanted

  • Package review requests:
    • 278 are awaiting a reviewer
    • 31 need a sponsor
  • Orphaned packages seeking maintainers

  Meetings & events

  • Blocker review meeting — 1600 UTC Monday in #fedora-blocker-review
  • FESCo meeting — 1700 UTC Tuesday in #fedora-meeting
  • Program Manager Office Hours — 1300 UTC Wednesday and 1800 UTC Wednesday in #fedora-meeting-1
  • Prioritized bugs meeting — 1400 UTC Wednesday in #fedora-meeting-1
  • Fedora Social Hour — 1400 UTC Thursday in #social on Fedora.im
  • Mindshare Committee meeting — 2000 UTC Thursday in #fedora-mindshare

  Releases

  Release	open bugs
  F36	4507
  F37	3744
  F38 (pre-release)	1100
  Rawhide	7018

  Prioritized Bugs

  See the Prioritized Bugs documentation for information on the process, including how to nominate bugs.

  Bug ID	Component	Status
  2015490	initial-setup	ON_QA

  Fedora Linux 38

  • 758 packages fail to build from source
  • 57 packages fail to install

  Blockers

  Bug	Component	Status	Blocker status
  2171350	fcoe-utils	NEW	Accepted (Final)
  2177992	gnome-calendar	VERIFIED	Accepted (Final)
  2177995	gnome-maps	VERIFIED	Accepted (Final)
  2177853	gnome-shell	POST	Accepted (Final)
  2173891	gtk4	VERIFIED	Accepted (Final)
  2176782	kernel	NEW	Accepted (Final)
  2175809	mutter	VERIFIED	Accepted (Final)
  2177982	mutter	VERIFIED	Accepted (Final)
  2176766	nautilus	VERIFIED	Accepted (Final)
  2172956	openssh	POST	Accepted (Final)
  2174563	sddm	NEW	Accepted (Final)
  2113005	shim	NEW	Accepted (Final)
  2178172	f38-backgrounds	VERIFIED	Proposed (Final)
  2177153	gnome-abrt	NEW	Proposed (Final)
  2177993	gnome-calendar	NEW	Proposed (Final)
  2156108	ibus	MODIFIED	Proposed (Final)
  2178167	mutter	POST	Proposed (Final)
  2178971	xdg-desktop-portal-kde	NEW	Proposed (Final)

  Schedule

  Below are some upcoming schedule dates. See the schedule website for the full schedule.

  • 2023-04-04 — Final freeze begins
  • 2023-04-18 — Final release early target date

  Changes

  The table below lists Changes status. See the ChangeSet page or Bugzilla for more information.

  Status	Count
  ASSIGNED	3
  MODIFIED	1
  ON_QA	45
  CLOSED	2

  Fedora Linux 39

  • 504 packages fail to build from source
  • 53 packages fail to install

  Changes

  The table below lists proposed Changes. See the ChangeSet page or Bugzilla for information on approved Changes.

  Proposal	Type	Status
  FontAwesome6	Self-Contained	FESCo #2968
  SPDX License Phase 2	System-Wide	Announced

  Contributing

  Have something you want included? You can file an issue or submit a pull request in the fedora-pgm/pgm_communication repo.

  The post Friday’s Fedora Facts: 2023-11 appeared first on Fedora Community Blog.

• Fedora fans فدورا لینوکس ۳۸ بتا منتشر شد

  

  پروژه ی فدورا خبر انتشار نسخه ی Fedora Linux 38 Beta را اعلام کرد و هم اکنون این نسخه در دسترس و قابل استفاده می باشد. انتشار نسخه ی نهایی فدورا لینوکس ۳۸ برای آخر ماه April یعنی نیمه اول اردیبهشت ۱۴۰۲ زمانبندی شده است.

  نسخه های فدورا مانند همیشه دارای تغییرات و ویژگی های جدیدی می باشند که برخی از مهمترین تغییرات در فدورا ۳۸ بتا به شرح زیر می باشند.

   

  Fedora Workstation

  نسخه Fedora 38 Workstation Beta شامل میزکار GNOME 44 می باشد که در حال حاضر به صورت بتا می باشد که انتظار می رود که نسخه نهایی آن در آخر ماه March منتشر شود.

  میزکار GNOME 44 شامل تغییرات بسیار بزرگی از جمله lock screen جدید، بخش «background apps» در quick menu و بهبود تنظیمات دسترسی (accessibility settings) می باشد.

   

  دیگر بروزرسانی ها

  تیم پروژه ی فدورا همیشه در تلاش است تا ویژگی های امنیتی جدید را به سرعت به کاربران ارائه دهد. اکنون بسته ها (Packages) با flag های سختگیرانه تر کامپایلر ساخته می شوند که از سرریز بافر (buffer overflows) محافظت می کنند. مدیر بسته rpm از یک OpenPGP parser مبتنی بر Sequoia به جای پیاده سازی خود استفاده می کند.

  مانند همیشه بروزرسانی ها شامل زبان های برنامه نویسی و کتابخانه هایی چون Ruby 3.2, gcc 13, LLVM 16, Golang 1.20, PHP 8.2 می باشد.

   

  دانلود فدورا لینوکس ۳۸ بتا

  دانلود Fedora 38 Workstation Beta 

  دانلود Fedora 38 Server Beta

  دانلود Fedora 38 IoT Beta

  دانلود Fedora 38 Cloud Beta

  دانلود Fedora 38 CoreOS Beta

  دانلود Fedora Spins 38 Beta

  دانلود Fedora Labs 38 Beta

  دانلود Fedora Linux 38 Beta for ARM

   

  فدورایی و عصبانی باشید!

   

  The post فدورا لینوکس ۳۸ بتا منتشر شد first appeared on طرفداران فدورا.

• Fedora Community Blog CPE Weekly update – Week 11

  This is a weekly report from the CPE (Community Platform Engineering) Team. If you have any questions or feedback, please respond to this report or contact us on #redhat-cpe channel on libera.chat.

  We provide you both infographics and text version of the weekly report. If you just want to quickly look at what we did, just look at the infographic. If you are interested in more in depth details look below the infographic.

  Week: 13 March – 17 March 2023

  

  Highlights of the week

  Infrastructure & Release Engineering

  Goal of this Initiative

  Purpose of this team is to take care of day to day business regarding CentOS and Fedora Infrastructure and Fedora release engineering work.
  It’s responsible for services running in Fedora and CentOS infrastructure and preparing things for the new Fedora release (mirrors, mass branching, new namespaces etc.).
  The ARC (which is a subset of the team) investigates possible initiatives that CPE might take on.
  Planning board
  Docs

  Update

  Fedora Infra

  • got silverblue/kinote setup to sync to quay.io
  • 38 Beta torrents/bitflip/release day work
  • Installed 2 new staging virthosts

  CentOS Infra including CentOS CI

  • Migrating servers to RHEL 9
  • [spike] : investigating export moin wiki pages to static content
  • RFE : modify sign+push process to take into account images/spins/media images
  • recycling/moving koji.mbox legacy stream build infra

  Release Engineering

  • Enhancements of release engineering documentation
  • Work on enabling collaborators to merge PRs

  CentOS Stream

  Goal of this Initiative

  This initiative is working on CentOS Stream/Emerging RHEL to make this new distribution a reality. The goal of this initiative is to prepare the ecosystem for the new CentOS Stream.

  Updates

  • We have resumed releasing CentOS Stream 8 updates! This means Stream 8 is now following the same workflow as Stream 9. https://lists.centos.org/pipermail/centos-devel/2023-March/142831.html
  • Released a new version of centpkg with better messaging

  EPEL

  Goal of this initiative

  Extra Packages for Enterprise Linux (or EPEL) is a Fedora Special Interest Group that creates, maintains, and manages a high quality set of additional packages for Enterprise Linux, including, but not limited to, Red Hat Enterprise Linux (RHEL), CentOS and Scientific Linux (SL), Oracle Linux (OL).

  EPEL packages are usually based on their Fedora counterparts and will never conflict with or replace packages in the base Enterprise Linux distributions. EPEL uses much of the same infrastructure as Fedora, including buildsystem, bugzilla instance, updates manager, mirror manager and more.

  Updates

  • Presented at SCALE 20x conference, “The Road to EPEL 9”

  FMN replacement

  Goal of this initiative

  FMN (Fedora-Messaging-Notification) is a web application allowing users to create filters on messages sent to (currently) fedmsg and forward these as notifications on to email or IRC.
  The goal of the initiative is mainly to add fedora-messaging schemas, create a new UI for a better user experience and create a new service to triage incoming messages to reduce the current message delivery lag problem. Community will profit from speedier notifications based on own preferences (IRC, Matrix, Email), unified fedora project to one message service and human-readable results in Datagrepper.
  Also, CPE tech debt will be significantly reduced by dropping the maintenance of fedmsg altogether.

  Updates

  • Bug fixes and UI polish, tying up loose ends
  • Started on docs

  Community Design

  Goal of this initiative

  CPE has few members that are working as part of Community Design Team. This team is working on anything related to design in Fedora Community.

  Updates

  • CPE members can file issues / requests to the CDT here.
  • Podman: Completed onboarding system (step by step guide).
  • Fedora Website Revamp almost complete – should be deploying soon.
    • Fedora IoT design changes 
  • Fedora Design TikTok in the works – planning meeting this week
  • F38 wallpaper touch ups for release
  • New time for Fedora Design meeting TBA
  • F37 Release Party videos edits ongoing

  The post CPE Weekly update – Week 11 appeared first on Fedora Community Blog.

March 16, 2023

• Ismael Olea Wikiturismo

  ¡Oh! Casi me olvido: hemos empezado una nueva línea de trabajo para promover el turismo cultural y desestacionalizado trabajando en la mejora de los contenidos descriptivos en Wikipedia de los diferentes lugares. Con todo el rigor wikipédico, por supuesto.

  Le hemos hecho una web propia y todo: https://wikitourism.eu/.

  Y, relacionado, en LaOficina hemos colaborado con Pukara para crear una aplicación web ligera para «turismo inteligente» que reutiliza contenidos Wikimedia relacionados con tu localización. Es la primera prueba de concepto, pero nos emociona todo el potencial que propone: Cicerone.Guide. La aplicación es operativa y puede usarse en cualquier parte del mundo. La cantidad de información que ofrecerá dependerá de los contenidos disponibles en los proyectos Wikimedia, especialmente Wikidata, Wikimedia Commons y Wikipedia en español. Esperamos que de de sí mucho en el futuro.

  

• Ismael Olea Escuela de Wikicronistas

  He tenido abandonada esta web un montón de tiempo. Han habido muchas razones pero no pienso entrar en ello. En cualquier caso he seguido haciendo cositas, sobre todo en el entorno Wikimedia. Precisamente un par de ellas son las que hemos denominado «Escuela de Wikicronistas»:

  Escuela de Wikicronistas es un proyecto del Área de Cultura y Cine de la Diputación Provincial de Almería realizado por la asociación La Oficina Producciones Culturales en el que trabajamos visitando municipios para mejorar la calidad y contenidos de sus artículos en eswiki y promoviendo la implicación ciudadana en el proyecto, para convertirse en parte activa del mantenimiento y ampliación de los artículos y custodios de la información, y de paso demostrando en la práctica la capacidad directa de intervención en los procomunes digitales más importantes del mundo, con impacto local y global tanto en el área cultural como económica.

  

  Se han realizado dos ediciones (2021 y 2022) y estamos a la expectativa de la tercera, aún sin confirmar. Por lo pronto acabo de habilitar en el Wikimedia Outreach Dashboard una «campaña» donde quedan publicadas las estadísticas de actividad de ambas ediciones: Programa de «Escuela de Wikicronistas».

  Los resultados finales son en parte discutibles, pero tanto Diputación como nosotros hemos quedado bastante satisfechos.

  Veremos si me animo a escribir más por aquí.

  Créditos de la imagen: (Ismael Olea )

• Remi Collet PHP version 8.1.17 and 8.2.4

  RPMs of PHP version 8.2.4 are available in remi-modular repository for Fedora ≥ 36 and Enterprise Linux ≥ 8 (RHEL, Alma, CentOS, Rocky...) and in remi-php82 repository for EL 7.

  RPMs of PHP version 8.1.17 are available in remi-modular repository for Fedora ≥ 36 and Enterprise Linux ≥ 8 (RHEL, Alma, CentOS, Rocky...) and in remi-php81 repository for EL 7.

  The modules for EL-9 are available for x86_64 and aarch64.

  No security fix this month, so no update for version 8.0.28.

  PHP version 7.4 have reached its end of life and is no longer maintained by the PHP project.

  These versions are also available as Software Collections in the remi-safe repository.

  Version announcements:

  • PHP 8.2.4 Release Annoucement
  • PHP 8.1.17 Release Annoucement

  Installation: use the Configuration Wizard and choose your version and installation mode.

  Replacement of default PHP by version 8.2 installation (simplest):

  dnf module reset php
  dnf module enable php:remi-8.2
  dnf update php\*

  or, the old EL-7 way:

  yum-config-manager --enable remi-php82
  yum update

  Parallel installation of version 8.2 as Software Collection

  yum install php82

  Replacement of default PHP by version 8.1 installation (simplest):

  dnf module reset php
  dnf module enable php:remi-8.1
  dnf update php\*

  or, the old EL-7 way:

  yum-config-manager --enable remi-php81
  yum update php\*

  Parallel installation of version 8.1 as Software Collection

  yum install php81

  Replacement of default PHP by version 8.0 installation (simplest):

  dnf module reset php
  dnf module enable php:remi-8.0
  dnf update php\*

  or, the old EL-7 way:

  yum-config-manager --enable remi-php80
  yum update

  Parallel installation of version 8.0 as Software Collection

  yum install php80

  And soon in the official updates:

  • Fedora Rawhide now have PHP version 8.2.4
  • Fedora 38 - PHP 8.2.4
  • Fedora 37 - PHP 8.1.17
  • Fedora 36 - PHP 8.1.17

  To be noticed :

  • EL-9 RPMs are build using RHEL-9.1
  • EL-8 RPMs are build using RHEL-8.7
  • EL-7 RPMs are build using RHEL-7.9
  • intl extension now uses libicu71 (version 71.1)
  • mbstring extension (EL builds) now uses oniguruma5php (version 6.9.8, instead of the outdated system library)
  • oci8 extension now uses Oracle Client version 21.8
  • a lot of extensions are also available, see the PHP extensions RPM status (from PECL and other sources) page

  Information:

  • Migrating from PHP 7.4.x to PHP 8.0.x
  • Migrating from PHP 8.0.x to PHP 8.1.x
  • Migrating from PHP 8.1.x to PHP 8.2.x

  Base packages (php)

  

  

  Software Collections (php80 / php81 / php82)

  

  

• Gary Benson Which APT repository did a package come from?

  $ apt policy wget
  wget:
    Installed: 1.21.2-2ubuntu1
    Candidate: 1.21.2-2ubuntu1
    Version table:
   *** 1.21.2-2ubuntu1 500
          500 http://gb.archive.ubuntu.com/ubuntu jammy/main amd64 Packages
          100 /var/lib/dpkg/status

• Felipe Borges Register for Linux App Summit 2023!

  LAS 2023 is happening next month and registrations are open!

  

  You can  check the schedule in https://conf.linuxappsummit.org/event/5/timetable/#20230422

  We are excited to have you visiting us in Brno, Czech Republic. The conference starts on Friday, April 21st, with a pre-registration social event. Saturday and Sunday are full of interesting talks, panels, workshops, and more!

• Gary Benson Python debugger

  By the way, if you’ve never used Python’s debugger, it really is as simple as adding a call to the built-in function breakpoint() at the point you want it to stop.

• Dusty Mabe NetworkManager: Limiting Bond Subordinate devices by MAC Address

  Someone recently asked me about locking down a bond to specific NIC devices within the machine. Specifically they were concerned with the sometimes unpredictable nature of NIC naming in Linux. While there has been a lot of effort to make NIC naming more predictable, it turns out with the networking configuration stack we are using in Fedora/RHEL (NetworkManager) you don’t even really need to care about the NIC device names if you know the MAC Addresses of the interfaces you want to use.

March 15, 2023

• Scott Williams (vwbusguy) What Is Fedora Linux Good For?

  What Is Fedora Linux Good For?

  Fedora won "Most Memorable Booth" at the So Cal Linux Expo 20x.  I've had multiple people ask me why and if we had some kind of gimmick.  To be fair, we did have excellent swag this year and a great crew of people at the booth, but in my opinion, it was our enthusiastic community of users who made it truly exceptional.

  

  This year, instead of asking overly generic questions like "Do you use Fedora?" and "Have you tried Kinoite or Silverblue yet?", I decided to ask "What's something fun or interesting you're doing with Fedora these days?" and the answers very much did not disappoint.

  

  Workstation Adventures

  When I asked the person above what they were using Fedora for, they pulled out this Surface Go tablet running on Fedora 37!  It honestly looked amazing!

  Gaming was another common use reported for Fedora.  The fact that Steam OS, Proton, and Lutris (who was at the event) have all contributed to the Linux gaming ecosystem has all meant very good things for Fedora as a gaming platform. 

  At least one user reported that they are running Fedora on a Lenovo laptop that came with Fedora pre-installed!

  At Work

  Multiple people advised that they use Fedora to teach others Linux, with one of them saying that they used Fedora in the classroom for this purpose.  Another user said that Fedora is running on their microcontrollers at work.

  At Home

  Fedora IoT and CoreOS really shined here, especially around Home Lab and Home Automation use cases. 
  
  For Home Automatiom, one user reported that they are running a 5-node Spark cluster with Fedora IoT on Raspberry Pis.  Another made their own digital photo frame powered by Fedora.

  For Home Lab users, someone reported using Fedora as a router and DHCP server for their home networking.  Another was using Fedora CoreOS for experimental network testing and for running their own Nextcloud instance.  Another is running a k3s cluster on Fedora to run their own FreeIPA with Fedora Server. 

  For Development

  If you thought I was adventurous for using Fedora to write a BASIC shell for Linux, one user shared that he was using Fedora to write his own DNS server from scratch in Rust!  Another is using Fedora to write Android apps and test them in VMs.  Another is writing BPF programs focused on securing IoT devices.  And, finally, a user said that they used Fedora to package their own software for the Fedora repos and said he really enjoyed the overal experience of getting it packaged in RPM and the review process.

  Conclusion

  So what is Fedora good for?  It's hard to find something Fedora isn't good for these days!

• Scott Williams (vwbusguy) Fedora at SoCal Linux Expo 20x

  Fedora at SoCal Linux Expo 20x

  The So Cal Linux Expo again returned to Pasadena, CA and Fedora came back as an exhibitor!  I have now attended SCaLE every year since 2010, shortly after I moved to Calfornia.  Since the last SCaLE was in late July, there was less time between them.  As a result, I noticed a few things that contributed to this year's SCaLE being an especially special year: Many larger corporate vendors who were at SCaLE last year didn't come back this year, so it felt like there were more hobbyist and community groups to fill in the space.  At the same time, many who had not been travelling due to COVID returned for the first time in years.  It resulted in SCaLE feeling a bit more geniune this year with a crowd of people who largely knew what Linux and open source are about and were excited to be there.

  

  On Thursday, I attended a workshop on Kubebuilder.  The DevOps and Kubernetes events during SCaLE offered some great high quality talks, both in terms of content and presentation style.  In between those events, we snuck back to the Exhibit Hall and got everything setup and ready to go ahead of the opening on Friday.
  

  At the Fedora booth, we had a great crew and excellent swag, but the real highlight was getting to connect with users who shared with us what they are currently doing with Fedora.  Instead of scanning people's badges, we offered a simple form for users to connect with us so we can follow up with them about ways they might want to get more involved.

  

  We got to visit with enthusiatic new users, who are doing some exciting things with Fedora on their devices...
  

  As well as reconnect with old, familiar friends.
  

  And in some cases, meet new old friends (Ken Thompson and John Maddog Hall):
  

  The Fedora talk on Saturday by Brian Monroe was very well attended and gave a live demonstration of the Fedora Jam SIG using a MIDI keyboard.  This was then setup in the back of the Fedora booth (with headphones) so musically inclined people could try it out for themselves!
  

  After a very fun game night, we all arrived fresh on Sunday morning to the news that the Fedora booth had been voted "Most Memorable Booth" by conference participants this year!
  

  It was a very successful year for Fedora at the So Cal Linux Expo, and we couldn't have done it without such an enthusiastic community user base and an excellent group of Fedora Ambassadors including Perry Rivera, Alex Acosta, Ivan Chavero, Brian Monroe (and always a treat to see Jeff Carlson, who again was on staff with SCaLE this year)!
  

March 14, 2023

• Charles-Antoine Couret Sortie de Fedora Linux 38 Beta

  En ce mardi 14 mars, la communauté du Projet Fedora sera ravie d'apprendre la disponibilité de la version Beta de Fedora Linux 38.

  Malgré les risques concernant la stabilité d’une version Beta, il est important de la tester ! En rapportant les bogues maintenant, vous découvrirez les nouveautés avant tout le monde, tout en améliorant la qualité de Fedora Linux 38 et réduisant du même coup le risque de retard. Les versions en développement manquent de testeurs et de retours pour mener à bien leurs buts.

  La version finale est pour le moment fixée pour le 18 ou 25 avril.

  Expérience utilisateur

  • Passage à GNOME 44 ;
  • La petite souris Xfce est mise à jour après 4.18 tours de roue ;
  • Le gestionnaire de connexions SDDM (utilisé par KDE par exemple) utilise Wayland par défaut ;
  • L'image Fedora Linux avec le bureau Budgie devient une image Spin officielle ;
  • De même pour l'image Fedora Linux avec le gestionnaire de fenêtre Sway ;
  • L'utilitaire initial-setup n'est plus fourni dans l'image KDE et l'image Kinoite ;
  • Flathub n'est plus filtré par défaut lors de l'installation de Fedora Linux, tous les paquets proposés sont donc accessibles ;
  • Le timer systemd pour l'extinction de la machine passe de 2 minutes à 45 secondes, envoyant un signal SIGABRT si jamais des services n'ont pas réussi à s'arrêter dans ce délai ;
  • Les images Live sont modernisées, abandonnant l'usage important de Kickstarts pour les générer afin d'être plus flexible, notamment en créant automatiquement une partition de sauvegarde si de l'espace libre est détecté sur la clé USB par exemple ;
  • cups-filters passe à la version 2.0b ;
  • Dans le domaine de l'impression le paquet ipp-usb devient une dépendance faible de cups ou de sane-airscan pour proposer la prise en charge des imprimantes USB par défaut sans installations supplémentaires de la part de l'utilisateur ;
  • La distribution LaTeX TeXLive version 2022 est proposée, qui est la dernière version avec une prise en charge longue durée ;
  • L'utilitaire ImageMagick tire profit de sa 7e version.

  Gestion du matériel

  • L'installateur Anaconda utilise mdadm au lieu de dmraid pour la prise en charge des stockages RAID reposant sur un firmware ou un BIOS ;
  • L'image LXQt est proposée pour l'architecture aarch64 ;
  • Fourniture d'une image avec Phosh, GNOME Shell pour mobile, à destination des téléphones ou des tablettes pour l'architecture x86_64 et aarch64 ;
  • L'architecture s390x utilise les processeurs de la génération z13 comme base, les plus anciens ne seront plus forcément compatibles ;
  • Les implémentations du serveur X (Xorg et Xwayland) refusent à des clients ayant un boutisme différent du serveur de s'y connecter ;
  • Première partie de la migration vers une image noyau unifiée (donc unifiant noyau, initrd, ligne de commande du noyau et signature) pour les plateformes avec UEFI mais rien ne change par défaut à ce sujet pour les utilisateurs ;
  • L'installateur de l'image IoT récupère celui de CoreOS pour simplifier son installation.

  Internationalisation

  • La police par défaut pour la langue thaï et le cambodgien passe à Noto ;
  • Tandis que les polices Noto CJK pour les langues chinoises, japonaises et coréennes utilisent la variante variable au lieu de static comme auparavant ;
  • Mise à jour de libpinyin 2.8.

  Administration système

  • Les clés du serveur SSH suppriment la lecture par les utilisateurs du groupe ssh_keys (qui est supprimé) pour rétablir le SUID bit de l'utilitaire ssh-keysign ;
  • RPM utilise Sequoia pour traiter le format OpenPGP au lieu de sa propre implémentation interne ;
  • Le paquet systemd-udev fourni par défaut la règle Link.MACAddressPolicy=none au lieu de Link.MACAddressPolicy=persistent ;
  • Le gestionnaire de paquet Microdnf est mis à jour à sa 5e version.

  Développement

  • La mise à niveau de la chaine de compilation GNU est à l’œuvre avec GCC 13.0, binutils 2.39, glibc 2.37 et GDB 12.1 ;
  • Retrait de la prise en charge du langage Guile pour étendre GDB pour laisser la place à Python pour cela ;
  • Pendant que LLVM version 16 débarque ;
  • GNU Make prépare sa version 4.4 ;
  • Le langage Go quant à lui passe à la version 1.20 ;
  • Le langage Ruby expose sa version 3.2 en vitrine ;
  • Le langage PHP évolue vers la version 8.2 ;
  • Le gestionnaire de base de données PostgreSQL met à jour à la version 15 ;
  • Pendant que Haskell GHC (le compilateur Haskell) 9.2 avec sa suite Stackage 20 sont disponibles ;
  • L'écosystème Node.js est repackagé pour autoriser des installations multiples et parallèles, abandonnant l'usage des modules qui était la voie privilégiée ;
  • La bibliothèque pcre est marquée comme obsolète au bénéfice de pcre2, sa suppression totale des dépôts (et de ses dépendances) est à prévoir prochainement ;
  • OpenJDK est compilé pour ressembler plus aux implémentations standards de JDK avec les bibliothèques internes au lieu de celles du système et la compilation avec la bibliothèque libstdc++ liée statiquement ;
  • La boîte à outils pour le développement Web en Python nommé Pyramid bénéficie de la version 2.0 ;
  • Mise à jour de python-packaging version la version 22.0 ;
  • Le paquet python3-toml est considéré comme obsolète avant suppression définitive à venir depuis la prise en charge de cette fonctionnalité dans la bibliothèque standard depuis Python 3.11 ;
  • Le paquet du compilateur FreePascal fpc est subdivisé en trois paquets : fpc pour le compilateur lui même, fpc-ide pour l'environnement de développement en ligne de commande et fpc-units-NOMARCHITECTURE-linux pour la bibliothèque standard précompilée ;
  • Le générateur d'interface SWIG se balance vers la version 4.10.

  Projet Fedora

  • La génération des images Fedora IoT reposera sur osbuild ;
  • Les paquets sont compilés avec l'option _FORTIFY_SOURCE=3 au lieu de _FORTIFY_SOURCE=2 pour mieux se protéger contre les buffers overflow dans les logiciels fournis ;
  • Les paquets sont également compilés avec les options -fno-omit-frame-pointer et -mno-omit-leaf-frame-pointer par défaut ;
  • Les paquets qui veulent changer leur option de compilation doivent passer par les macros %_pkg_extra_cflags, %_pkg_extra_cxxflags, %_pkg_extra_fflags et %_pkg_extra_ldflags pour plus de lisibilité et de traçabilité ;
  • rpmautospec (qui emploie les macros %autorelease et %autochangelog) est recommandé pour l'ensemble des paquets par défaut ;
  • Activation de la macro %clamp_mtime_to_source_date_epoch à 1 qui configure mtimes en $SOURCE_DATE_EPOCH pour la compilation reproductible des paquets ;
  • La macro pour gérer les dépendances des modules Perl perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version)) est supprimée au profit de perl-generators ;
  • Les paquets Python fournissant la métadonnée python3dist(...) = 0 échoueront dans leur construction ;
  • Début de l'usage généralisé des noms de licence provenant du projet SPDX pour la licence des paquets plutôt que des noms du projet Fedora, de manière facultative pour l'instant.

  Tester

  Durant le développement d'une nouvelle version de Fedora Linux, comme cette version Beta, quasiment chaque semaine le projet propose des journées de tests. Le but est de tester pendant une journée une fonctionnalité précise comme le noyau, Fedora Silverblue, la mise à niveau, GNOME, l’internationalisation, etc. L'équipe d'assurance qualité élabore et propose une série de tests en général simples à exécuter. Suffit de les suivre et indiquer si le résultat est celui attendu. Dans le cas contraire, un rapport de bogue devra être ouvert pour permettre l'élaboration d'un correctif.

  C'est très simple à suivre et requiert souvent peu de temps (15 minutes à une heure maximum) si vous avez une Beta exploitable sous la main.

  Les tests à effectuer et les rapports sont à faire via la page suivante. J'annonce régulièrement sur mon blog quand une journée de tests est planifiée.

  Si l'aventure vous intéresse, les images sont disponibles par Torrent ou via le site officiel.

  Si vous avez déjà Fedora Linux 37 ou 36 sur votre machine, vous pouvez faire une mise à niveau vers la Beta. Cela consiste en une grosse mise à jour, vos applications et données sont préservées.

  Nous vous recommandons dans les deux cas de procéder à une sauvegarde de vos données au préalable.

  En cas de bogue, n'oubliez pas de relire la documentation pour signaler les anomalies sur le BugZilla ou de contribuer à la traduction sur Weblate. N'oubliez pas de consulter les bogues déjà connus pour Fedora 38.

  Bons tests à tous !

• Peter Czanik Syslog-ng 101, part 11: Enriching log messages

  This is the eleventh part of my syslog-ng tutorial. Last time, we learned about message parsing using syslog-ng. Today, we learn about enriching log messages.

  You can watch the video or read the text below.

  https://youtu.be/tFHyvLgiSyI

  Enriching log messages

  You can also enrich log messages using syslog-ng. Enriching in this case means, that you can create additional name-value pairs based on message content. There are several ways how you can enrich log messages using syslog-ng.

  The PatternDB parser can not just parse out interesting information from log messages but can also create additional name-value based on message content. You can add fields in the XML database that describe the content of the message. For example you can mark any login related events with “action=login” and if the message is about an unsuccessful login then “status=failure”.

  The GeoIP parser can find geolocation of an IP address. The software itself is freely available, but the database it uses requires registration. It is no more distributed as part of Linux distributions. The original implementation just returned the country and longitude / latitude information. The current implementation returns many more information and in multiple languages.

  Geographical information can help to find anomalies, like a user logging in from two distant locations at once. A probably less useful but lot more popular usage of GeoIP is displaying the location of IP addresses on a map. It is mostly eye-candy for C-levels, but a spectacular map can help you to get extra funding for security :-)

  The add-contextual-data() parser can add metadata to log messages from CSV files. For example you can add a host role or a contact person to a log message. This way you can see the extra information already while browsing your log messages, without needing an additional lookup. The additional information can also enable more accurate alerts and dashboards.

  Using loggen to read a file

  We have already seen earlier how to use loggen to send synthetic log messages to a network source. Here we extend the command line we used previously by adding file reading to the mix:

  loggen -i -S -d -R /root/iptables_nohead_short localhost 514

  The options used here are:

  • -i: Internet

  • -S: TCP (and unix-stream)

  • -d: do not parse

  • -R /path/to/file: read log messages from a file

  • Host & port

  Why do we use the do not parse option here? For the sample configuration we want to send logs without the original date, so just the message part. The original date is not a real problem here, but will be a problem when we send the logs to Elasticsearch.

  Iptables sample logs

  Working with iptables logs are nice way to get started with message parsing. They follow the key=value formatting and can easily parsed by syslog-ng. Then we can use the results of the parsing and find the geographical location of the source IP address:

  Feb 27 14:31:01 bridge kernel: INBOUND UDP: IN=br0 PHYSIN=eth0 OUT=br0 PHYSOUT=eth1 SRC=212.123.153.188 DST=11.11.11.82 LEN=404 TOS=0x00 PREC=0x00 TTL=114 ID=19973 PROTO=UDP SPT=4429 DPT=1434 LEN=384  
  Feb 27 14:34:41 bridge kernel: INBOUND TCP: IN=br0 PHYSIN=eth0 OUT=br0 PHYSOUT=eth1 SRC=206.130.246.2 DST=11.11.11.100 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=9492 DF PROTO=TCP SPT=2577 DPT=80 WINDOW=17520 RES=0x00 ACK FIN URGP=0  
  Feb 27 14:34:55 bridge kernel: INBOUND TCP: IN=br0 PHYSIN=eth0 OUT=br0 PHYSOUT=eth1 SRC=4.60.2.210 DST=11.11.11.83 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=3024 DF PROTO=TCP SPT=3124 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0 

  To avoid duplicating the date part in the logs, we remove that before sending the logs to syslog-ng using loggen. Loggen generates proper message headers based on the current date:

  kernel: INBOUND UDP: IN=br0 PHYSIN=eth0 OUT=br0 PHYSOUT=eth1 SRC=212.123.153.188 DST=11.11.11.82 LEN=404 TOS=0x00 PREC=0x00 TTL=114 ID=19973 PROTO=UDP SPT=4429 DPT=1434 LEN=384  
  kernel: INBOUND TCP: IN=br0 PHYSIN=eth0 OUT=br0 PHYSOUT=eth1 SRC=206.130.246.2 DST=11.11.11.100 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=9492 DF PROTO=TCP SPT=2577 DPT=80 WINDOW=17520 RES=0x00 ACK FIN URGP=0  
  kernel: INBOUND TCP: IN=br0 PHYSIN=eth0 OUT=br0 PHYSOUT=eth1 SRC=4.60.2.210 DST=11.11.11.83 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=3024 DF PROTO=TCP SPT=3124 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0 

  Example

  This example configuration collects iptables logs over the network, parses them, and adds geographical information to source IP addresses using the GeoIP parser. Finally it writes the resulting name-value pairs into a JSON formatted file.

  @version:3.19
  source s_sys { system(); internal();};
  destination d_mesg { file("/var/log/messages"); };
  log { source(s_sys); destination(d_mesg); };
  
  parser p_kv {kv-parser(prefix("kv.")); };
  parser p_geoip2 { geoip2( "${kv.SRC}", prefix( "geoip2." ) database( "/usr/share/GeoIP/GeoLite2-City.mmdb" ) ); };
  
  source s_tcp { tcp(port(514)); };
  destination d_file {
    file("/var/log/fromnet" template("$(format-json --scope rfc5424
          --scope dot-nv-pairs --rekey .* --shift 1 --scope nv-pairs 
          --exclude DATE @timestamp=${ISODATE})\n\n")  ); 
  };
  log {
    source(s_tcp); 
    parser(p_kv);
    parser(p_geoip2);
    destination(d_file);
  };

  Support for GeoIP is usually a separate sub/package on Linux systems. On FreeBSD it is not part of the default package configuration, which means that you cannot use the package but have to compile syslog-ng from ports yourself.

  Note, that downloading the database for the GeoIP parser is not the scope of this tutorial.

  As usual, the first few lines of the configuration deal with local log messages. The interesting part comes afterwards. Let’s follow the log statement at the end, as this is what connects all the building blocks together.

  The first line opens a TCP source on port 514. The next line is where things start to get interesting. It calls a key=value parser on incoming log messages. prefix(“kv.”) here means, that the name of all resulting name-value pairs will start with “kv.”.

  Next the GeoIP parser is called. It looks for the IP address in the kv.SRC name-value pair and stores the various information in name-value pairs under the geoip2 prefix.

  Finally log messages are written to a file using JSON formatting. You can find more information about template functions in the documentation. Here I want to point you to the --rekey operator, which removes the leading dot from the name of name value pairs. The leading dot is normally replaced by an underscore by syslog-ng, but it has a special meaning in Elasticsearch. We also remove the DATE macro and include ISODATE with the name expected by Elasticsearch. Finally we add two line breaks for better readability. Of course we will remove those when we use the same template to send logs to Elasticsearch.

  If you have any questions or comments, leave a comment on YouTube or reach out to me on Twitter / Mastodon.

  -

  If you have questions or comments related to syslog-ng, do not hesitate to contact us. You can reach us by email or even chat with us. For a list of possibilities, check our GitHub page under the “Community” section at https://github.com/syslog-ng/syslog-ng. On Twitter, I am available as @PCzanik, on Mastodon as @Pczanik@fosstodon.org.-

March 13, 2023

• Fedora fans و آتشی که نمیرد همیشه در دل ماست

  

  
  رمز آتش پاکی و روشنگری

  سرخی و گرما و شادی پروری

  یادگاری از کهن آئین ما

  روزگاران خوش و شیرین ما

  آری امشب جشن سور و آتش است

  جشن رقص شعله‌ های سرکش است

  چهارشنبه سوری مبارک

  The post و آتشی که نمیرد همیشه در دل ماست first appeared on طرفداران فدورا.

• The NeuroFedora Blog Next Open NeuroFedora meeting: 13 March 1300 UTC

  

  Photo by William White on Unsplash.

  
  

  Please join us at the next regular Open NeuroFedora team meeting on Monday 13 March at 1300 UTC. The meeting is a public meeting, and open for everyone to attend. You can join us over:

  • Matrix (using your web-browser)
  • IRC

  You can use this link to convert the meeting time to your local time. Or, you can also use this command in the terminal:

  $ date --date='TZ="UTC" 1300 2023-03-13'
  

  The meeting will be chaired by @ankursinha. The agenda for the meeting is:

  • New introductions and roll call.
  • Tasks from last meeting.
  • Open Pagure tickets.
  • Package health check.
  • Open package reviews check.
  • CompNeuro lab compose status check for Fedora 38/rawhide.
  • Neuroscience query of the week
  • Next meeting day, and chair.
  • Open floor.

  We hope to see you there!

• Dave Airlie vulkan video vp9 decode - radv update

  While going over the AV1 a few people commented on the lack of VP9 and a few people said it would be an easier place to start etc.

  Daniel Almeida at Collabora took a first pass at writing the spec up, and I decided to go ahead and take it to a working demo level.

  Lynne was busy, and they'd already said it should take an afternoon, so I decided to have a go at writing the ffmpeg side for it as well as finish off Daniel's radv code.

  About 2 mins before I finished for the weekend on Friday, I got a single frame to decode, and this morning I finished off the rest to get at least 2 test videos I downloaded to work.

  Branches are at [1] and [2]. There is only 8-bit support so far and I suspect some cleaning up is required.
  

  [1] https://github.com/airlied/FFmpeg/tree/vulkan-vp9-decode

  [2] https://gitlab.freedesktop.org/airlied/mesa/-/commits/radv-vulkan-video-decode-mesa-vp9

  
  

• Josh Bressers Episode 366 – Software liability is coming

  Josh and Kurt talk about the number of dependencies that is now normal. Keeping track of thousands of dependencies used to be impressive, now it’s normal. In what instances should we know everything about our open source? The days of being able to ignore your software liability is looking like it’s coming to an end.

  Show Notes

  • LTT millenial pause
  • The perverse incentive of vulnerability counting
  • National Cybersecurity Strategy

March 12, 2023

• Adam Young Use * to Seach for the word under the cursor in vim

  This might be my new favorite vimism.
  The idea that there is a single character shortcut for searching for the character under the cursor is brilliant, and something I will use, quite a bit, in my day to day work. It might be more powerful than tags.

• Jonathan Dieter Duct tape in the datacenter

  
  

  When I was growing up, on Thursday nights we would watch the Red Green Show, a comedy show set in very rural Canada. One of the regular segments on the show was the Handyman Corner, where Red Green would build something impressive out of the spare parts and garbage he had sitting around the shop, along with copious amounts of “the Handyman’s secret weapon,” duct tape, to hold everything together. To this day, whenever I see duct tape I think about the Red Green Show.

  Lately I’ve had cause to think about duct tape when looking into IT infrastructure issues, some that I’ve had to handle at work, and some that we’ve all gotten to see from the outside. I don’t think I’ve ever actually used physical duct tape on the job, but there’s more than one kind of duct tape.

  The thing about duct tape is that it is an incredibly useful tool for holding things together that perhaps were never intended to be connected (the Apollo 13 duct tape and cardboard scene comes to mind here). The problem is when duct tape is used as a core part of the design (as per most of Red Green’s builds).

  When working with infrastructure, we may not normally be using physical duct tape, but there are plenty of things we do that correspond with duct tape. At my day job, our infrastructure is built using a GitOps model where server deployments are managed using Ansible playbooks and, more recently, Terraform configuration, all stored in git repositories. We also have development environments where we can test infrastructure and code changes before pushing to production.

  The primary advantages of using the GitOps model are documentation and repeatability. Documentation in git comes pretty easily because when changes are made, it’s easy to see what was changed, and (assuming we’ve been disciplined when writing commit messages) why it was changed. Repeatability is there because, If we deploy one server with a specific configuration and need to re-deploy it at a later point, the second deployment will be identical to the first. We don’t need to worry about missing steps because it’s all automatically done when deploying the playbooks.

  So what happens when we bypass our processes? When we manually deploy a server? When we manually make a change? Well, that’s our duct tape. It’s sometimes very necessary. If an important service has crashed, the first priority is to get it back up and running, not have a committee discussion. The problem is when duct tape becomes permanent.

  We’ve seen far too much of this in the news recently, the main case in point being Twitter. It’s unclear whether the latest outage is due to bypassed processes or whether the infrastructure was brittle to begin with (or, most likely, some combination of both), but, either way, the systems there are breaking down, and it just seems to be getting worse.

  So how do you deal with duct tape in the datacenter? Here are some thoughts:

  1. Design your infrastructure to be extensible and your services to be highly available. One of the biggest causes of duct tape maintenance is brittle infrastructure. When there’s an outage, repairs are of the highest urgency, and fixing it now is more important than fixing it correctly. Unfortunately, emergency fixes are like layers of duct tape applied on top of each other, weakening the overall structure.

     Far better to have an infrastructure design where failures have no negative effect beyond letting your team know that something needs to be fixed. Without the urgency, fixes can be planned and implemented correctly. Upper management is happy because customers aren’t affected. You’re happy because the problem is being fixed properly and permanently.

  2. Be disciplined about your processes. When there are urgent tasks or problems, there’s the temptation to skip steps in the process and just apply a bit of duct tape to fix the problem. Sometimes you won’t have a choice, but, if you can avoid it, don’t take the shortcut.

  3. When you have to come up with quick and dirty hacks, ensure that they are done with an eye towards the long-term solution. While the ideal is to always design things properly from the beginning, in the real world, we sometimes have to get something done right now, without worrying about how correct it is.

     The common mistake is to build a quick solution without thinking about how you’ll replace it later. Once the urgency is over, you quickly realize that a proper fix will involve completely changing how your solution works.

     Far better to take a few minutes (or more if possible) to think through what you would want the long term solution to look like, and then assess how best to build the quick solution in a way that the duct tape can be easily replaced later.

  4. Document your duct tape. If you absolutely must make manual changes or break processes, document it. You may not think it’s necessary, but documentation ensures that the duct tape doesn’t get forgotten. There’s nothing worse than trying to fix a massive disaster and realizing that there’s some duct tape hanging around and you don’t know what it’s supposed to be attached to.

     I have been in a couple of situations recently where processes were bypassed (or never created in the first place) when creating a service, and the person responsible for the service has no idea how to manage it. We’ve ended up needing to spend tens of hours reverse engineering the service configuration, compared to a couple of minutes of documentation.

  Like duct tape, the ability to make manual infrastructure changes is a useful, even vital, tool. Don’t throw it away just because it can be abused. The key is to ensure that it’s only used when absolutely necessary and that you know where your duct tape is.

  Photo Polyken Duct Tape by Markbritton used under the CC BY-SA 3.0 license

• Kushal Das Everything Curl from Daniel

  

  Everything Curl is a book about everything related to Curl. I read the book before online. But, now I am proud to have a physical copy signed by the author :)

  

  It was a good evening, along with some amazing fish in dinner and wine and lots of chat about life in general.

March 11, 2023

• Bodhi 7.1.0

  Released on 2023-03-11.
  This is a feature release.

  Dependency changes

  • Bodhi now uses pymediawiki instead of the unmaintained simplemediawiki to fetch test cases (#4852).

  Features

  • bodhi-messages is updated to include additional properties in the message schemas. The additional properties are: app_name, agent_name, and __str__ (#4950).

  Bug fixes

  • Retrieving sidetags list for a user not known to Koji caused an exception in bodhi-server (#4994).
  • Added support for bleach >= 6.0.0 (#5003).
  • bodhi-client: do not run koji wait-repo when expiring a buildroot override (#4830).
  • bodhi-client: fix --version option (#4981).
  • Update notes are now capped to a default of 10k characters, the value can be customized in config (#4982).
  • Fixed webUI template where karma and comment icons where misaligned at highly commented discussions (#4986).
  • Fixed the template of the update details page, where the testcases tab was always empty (#5000).
  • The link to the test gating tab in the update page was fixed (#5032).
  • The composer is now safer about not triggering stable composes for frozen releases (#5080).
  • Rawhide updates which are obsoleted before being pushed will now not be pushed to stable to avoid confusion (#5113).
  • Frozen releases didn't show up in filters (#5115).

  Contributors

  The following developers contributed to this release of Bodhi:

  • Kevin Fenzi
  • Mattia Verga
  • Ryan Lerch

March 09, 2023

• Daniel Berrange make-tiny-image.py: creating tiny initrds for testing QEMU or Linux kernel/userspace behaviour

  As a virtualization developer a significant amount of time is spent in understanding and debugging the behaviour and interaction of QEMU and the guest kernel/userspace code. As such my development machines have a variety of guest OS installations that get booted for various tasks. Some tasks, however, require a repeated cycle of QEMU code changes, or QEMU config changes, followed by guest testing. Waiting for an OS to boot can quickly become a significant time sink affecting productivity and lead to frustration. What is needed is a very low overhead way to accomplish simple testing tasks without an OS getting in the way.

  Enter ‘make-tiny-image.py‘ tool for creating minimal initrd images.

  If invoked with no arguments, this tool will create an initrd containing nothing more than busybox. The “init” program will be a script that creates a few device nodes, mounts proc/sysfs and then runs the busybox ‘sh’ binary to provide an interactive shell. This is intended to be used as follows

  $ ./make-tiny-image.py
  tiny-initrd.img
  6.0.8-300.fc37.x86_64
  
  $ qemu-system-x86_64 \
      -kernel /boot/vmlinuz-$(uname -r) \
      -initrd tiny-initrd.img \
      -append 'console=ttyS0 quiet' \
      -accel kvm -m 1000 -display none -serial stdio
  ~ # uname  -a
  Linux (none) 6.0.8-300.fc37.x86_64 #1 SMP PREEMPT_DYNAMIC Fri Nov 11 15:09:04 UTC 2022 x86_64 x86_64 x86_64 Linux
  ~ # uptime
   15:05:42 up 0 min,  load average: 0.00, 0.00, 0.00
  ~ # free
                total        used        free      shared  buff/cache   available
  Mem:         961832       38056      911264        1388       12512      845600
  Swap:             0           0           0
  ~ # df
  Filesystem           1K-blocks      Used Available Use% Mounted on
  none                    480916         0    480916   0% /dev
  ~ # ls
  bin   dev   init  proc  root  sys   usr
  ~ # <Ctrl+D>
  [   23.841282] reboot: Power down
  

  When I say “low overhead”, just how low are we talking about ? With KVM, it takes less than a second to bring up the shell. Testing with emulation is where this really shines. Booting a full Fedora OS with QEMU emulation is slow enough that you don’t want to do it at all frequently. With this tiny initrd, it’ll take a little under 4 seconds to boot to the interactive shell. Much slower than KVM, but fast enough you’ll be fine repeating this all day long, largely unaffected by the (lack of) speed relative to KVM.

  The make-tiny-image.py tool will create the initrd such that it drops you into a shell, but it can be told to run another command instead. This is how I tested the overheads mentioned above

  $ ./make-tiny-image.py --run poweroff
  tiny-initrd.img
  6.0.8-300.fc37.x86_64
  
  $ time qemu-system-x86_64 \
       -kernel /boot/vmlinuz-$(uname -r) \
       -initrd tiny-initrd.img \
       -append 'console=ttyS0 quiet' \
       -m 1000 -display none -serial stdio -accel kvm
  [    0.561174] reboot: Power down
  
  real	0m0.828s
  user	0m0.613s
  sys	0m0.093s
  $ time qemu-system-x86_64 \
       -kernel /boot/vmlinuz-$(uname -r) \
       -initrd tiny-initrd.img \
       -append 'console=ttyS0 quiet' \
       -m 1000 -display none -serial stdio -accel tcg
  [    2.741983] reboot: Power down
  
  real	0m3.774s
  user	0m3.626s
  sys	0m0.174s
  

  As a more useful real world example, I wanted to test the effect of changing the QEMU CPU configuration against KVM and QEMU, by comparing at the guest /proc/cpuinfo.

  $ ./make-tiny-image.py --run 'cat /proc/cpuinfo'
  tiny-initrd.img
  6.0.8-300.fc37.x86_64
  
  $ qemu-system-x86_64 \
      -kernel /boot/vmlinuz-$(uname -r) \
      -initrd tiny-initrd.img \
      -append 'console=ttyS0 quiet' \
      -m 1000 -display none -serial stdio -accel tcg -cpu max | grep '^flags'
  flags		: fpu de pse tsc msr pae mce cx8 apic sep mtrr pge mca 
                    cmov pat pse36 clflush acpi mmx fxsr sse sse2 ss syscall 
                    nx mmxext pdpe1gb rdtscp lm 3dnowext 3dnow rep_good nopl 
                    cpuid extd_apicid pni pclmulqdq monitor ssse3 cx16 sse4_1 
                    sse4_2 movbe popcnt aes xsave rdrand hypervisor lahf_lm 
                    svm cr8_legacy abm sse4a 3dnowprefetch vmmcall fsgsbase 
                    bmi1 smep bmi2 erms mpx adx smap clflushopt clwb xsaveopt 
                    xgetbv1 arat npt vgif umip pku ospke la57
  
  $ qemu-system-x86_64 \
      -kernel /boot/vmlinuz-$(uname -r) \
      -initrd tiny-initrd.img \
      -append 'console=ttyS0 quiet' \
      -m 1000 -display none -serial stdio -accel kvm -cpu max | grep '^flags'
  flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca 
                    cmov pat pse36 clflush mmx fxsr sse sse2 ss syscall nx 
                    pdpe1gb rdtscp lm constant_tsc arch_perfmon rep_good 
                    nopl xtopology cpuid tsc_known_freq pni pclmulqdq vmx 
                    ssse3 fma cx16 pdcm pcid sse4_1 sse4_2 x2apic movbe 
                    popcnt tsc_deadline_timer aes xsave avx f16c rdrand 
                    hypervisor lahf_lm abm 3dnowprefetch cpuid_fault 
                    invpcid_single ssbd ibrs ibpb stibp ibrs_enhanced 
                    tpr_shadow vnmi flexpriority ept vpid ept_ad fsgsbase 
                    tsc_adjust sgx bmi1 avx2 smep bmi2 erms invpcid mpx 
                    rdseed adx smap clflushopt xsaveopt xsavec xgetbv1 
                    xsaves arat umip sgx_lc md_clear arch_capabilities
  

  NB, with the list of flags above, I’ve manually line wrapped the output for saner presentation in this blog rather than have one giant long line.

  These examples have relied on tools provided by busybox, but we’re not limited by that. It is possible to tell it to copy in arbitrary extra binaries from the host OS by just listing their name. If it is a dynamically linked ELF binary, it’ll follow the ELF header dependencies, pulling in any shared libraries needed.

  $ ./make-tiny-image.py hwloc-info lstopo-no-graphics
  tiny-initrd.img
  6.0.8-300.fc37.x86_64
  Copy bin /usr/bin/hwloc-info -> /tmp/make-tiny-imagexu_mqd99/bin/hwloc-info
  Copy bin /usr/bin/lstopo-no-graphics -> /tmp/make-tiny-imagexu_mqd99/bin/lstopo-no-graphics
  Copy lib /lib64/libhwloc.so.15 -> /tmp/make-tiny-imagexu_mqd99/lib64/libhwloc.so.15
  Copy lib /lib64/libc.so.6 -> /tmp/make-tiny-imagexu_mqd99/lib64/libc.so.6
  Copy lib /lib64/libm.so.6 -> /tmp/make-tiny-imagexu_mqd99/lib64/libm.so.6
  Copy lib /lib64/ld-linux-x86-64.so.2 -> /tmp/make-tiny-imagexu_mqd99/lib64/ld-linux-x86-64.so.2
  Copy lib /lib64/libtinfo.so.6 -> /tmp/make-tiny-imagexu_mqd99/lib64/libtinfo.so.6
  
  $ qemu-system-x86_64 -kernel /boot/vmlinuz-$(uname -r) -initrd tiny-initrd.img -append 'console=ttyS0 quiet' -m 1000 -display none -serial stdio -accel kvm 
  ~ # hwloc-info 
  depth 0:           1 Machine (type #0)
   depth 1:          1 Package (type #1)
    depth 2:         1 L3Cache (type #6)
     depth 3:        1 L2Cache (type #5)
      depth 4:       1 L1dCache (type #4)
       depth 5:      1 L1iCache (type #9)
        depth 6:     1 Core (type #2)
         depth 7:    1 PU (type #3)
  Special depth -3:  1 NUMANode (type #13)
  Special depth -4:  1 Bridge (type #14)
  Special depth -5:  3 PCIDev (type #15)
  Special depth -6:  1 OSDev (type #16)
  Special depth -7:  1 Misc (type #17)
  
  ~ # lstopo-no-graphics 
  Machine (939MB total)
    Package L#0
      NUMANode L#0 (P#0 939MB)
      L3 L#0 (16MB) + L2 L#0 (4096KB) + L1d L#0 (32KB) + L1i L#0 (32KB) + Core L#0 + PU L#0 (P#0)
    HostBridge
      PCI 00:01.1 (IDE)
        Block "sr0"
      PCI 00:02.0 (VGA)
      PCI 00:03.0 (Ethernet)
    Misc(MemoryModule)
  

  An obvious limitation is that if the binary/library requires certain data files, those will not be present in the initrd. It isn’t attempting to do anything clever like query the corresponding RPM file list and copy those. This tool is meant to be simple and fast and keep out of your way. If certain data files are critical for testing though, the --copy argument can be used. The copied files will be put at the same path inside the initrd as found on the host

  $ ./make-tiny-image.py --copy /etc/redhat-release 
  tiny-initrd.img
  6.0.8-300.fc37.x86_64
  Copy extra /etc/redhat-release -> /tmp/make-tiny-imageicj1tvq4/etc/redhat-release
  
  $ qemu-system-x86_64 \
      -kernel /boot/vmlinuz-$(uname -r) \
      -initrd tiny-initrd.img \
      -append 'console=ttyS0 quiet' \
      -m 1000 -display none -serial stdio -accel kvm 
  ~ # cat /etc/redhat-release 
  Fedora release 37 (Thirty Seven)
  

  What if the problem being tested requires using some kernel modules ? That’s covered too with the --kmod argument, which will copy in the modules listed, along with their dependencies and the insmod command itself. As an example of its utility, I used this recently to debug a regression in support for the iTCO watchdog in Linux kernels

  $ ./make-tiny-image.py --kmod lpc_ich --kmod iTCO_wdt  --kmod i2c_i801 
  tiny-initrd.img
  6.0.8-300.fc37.x86_64
  Copy kmod /lib/modules/6.0.8-300.fc37.x86_64/kernel/drivers/mfd/lpc_ich.ko.xz -> /tmp/make-tiny-image63td8wbl/lib/modules/lpc_ich.ko.xz
  Copy kmod /lib/modules/6.0.8-300.fc37.x86_64/kernel/drivers/watchdog/iTCO_wdt.ko.xz -> /tmp/make-tiny-image63td8wbl/lib/modules/iTCO_wdt.ko.xz
  Copy kmod /lib/modules/6.0.8-300.fc37.x86_64/kernel/drivers/watchdog/iTCO_vendor_support.ko.xz -> /tmp/make-tiny-image63td8wbl/lib/modules/iTCO_vendor_support.ko.xz
  Copy kmod /lib/modules/6.0.8-300.fc37.x86_64/kernel/drivers/mfd/intel_pmc_bxt.ko.xz -> /tmp/make-tiny-image63td8wbl/lib/modules/intel_pmc_bxt.ko.xz
  Copy kmod /lib/modules/6.0.8-300.fc37.x86_64/kernel/drivers/i2c/busses/i2c-i801.ko.xz -> /tmp/make-tiny-image63td8wbl/lib/modules/i2c-i801.ko.xz
  Copy kmod /lib/modules/6.0.8-300.fc37.x86_64/kernel/drivers/i2c/i2c-smbus.ko.xz -> /tmp/make-tiny-image63td8wbl/lib/modules/i2c-smbus.ko.xz
  Copy bin /usr/sbin/insmod -> /tmp/make-tiny-image63td8wbl/bin/insmod
  Copy lib /lib64/libzstd.so.1 -> /tmp/make-tiny-image63td8wbl/lib64/libzstd.so.1
  Copy lib /lib64/liblzma.so.5 -> /tmp/make-tiny-image63td8wbl/lib64/liblzma.so.5
  Copy lib /lib64/libz.so.1 -> /tmp/make-tiny-image63td8wbl/lib64/libz.so.1
  Copy lib /lib64/libcrypto.so.3 -> /tmp/make-tiny-image63td8wbl/lib64/libcrypto.so.3
  Copy lib /lib64/libgcc_s.so.1 -> /tmp/make-tiny-image63td8wbl/lib64/libgcc_s.so.1
  Copy lib /lib64/libc.so.6 -> /tmp/make-tiny-image63td8wbl/lib64/libc.so.6
  Copy lib /lib64/ld-linux-x86-64.so.2 -> /tmp/make-tiny-image63td8wbl/lib64/ld-linux-x86-64.so.2
  
  $ ~/src/virt/qemu/build/qemu-system-x86_64 -kernel /boot/vmlinuz-$(uname -r) -initrd tiny-initrd.img -append 'console=ttyS0 quiet' -m 1000 -display none -serial stdio -accel kvm  -M q35 -global ICH9-LPC.noreboot=false -watchdog-action poweroff -trace ich9* -trace tco*
  ich9_cc_read addr=0x3410 val=0x20 len=4
  ich9_cc_write addr=0x3410 val=0x0 len=4
  ich9_cc_read addr=0x3410 val=0x0 len=4
  ich9_cc_read addr=0x3410 val=0x0 len=4
  ich9_cc_write addr=0x3410 val=0x20 len=4
  ich9_cc_read addr=0x3410 val=0x20 len=4
  tco_io_write addr=0x4 val=0x8
  tco_io_write addr=0x6 val=0x2
  tco_io_write addr=0x6 val=0x4
  tco_io_read addr=0x8 val=0x0
  tco_io_read addr=0x12 val=0x4
  tco_io_write addr=0x12 val=0x32
  tco_io_read addr=0x12 val=0x32
  tco_io_write addr=0x0 val=0x1
  tco_timer_reload ticks=50 (30000 ms)
  ~ # mknod /dev/watchdog0 c 10 130
  ~ # cat /dev/watchdog0
  tco_io_write addr=0x0 val=0x1
  tco_timer_reload ticks=50 (30000 ms)
  cat: read error: Invalid argument
  [   11.052062] watchdog: watchdog0: watchdog did not stop!
  tco_io_write addr=0x0 val=0x1
  tco_timer_reload ticks=50 (30000 ms)
  ~ # tco_timer_expired timeouts_no=0 no_reboot=0/1
  tco_timer_reload ticks=50 (30000 ms)
  tco_timer_expired timeouts_no=1 no_reboot=0/1
  tco_timer_reload ticks=50 (30000 ms)
  tco_timer_expired timeouts_no=0 no_reboot=0/1
  tco_timer_reload ticks=50 (30000 ms)
  
  

  The Linux regression had accidentally left the watchdog with the ‘no reboot’ bit set, so it would never trigger the action, which we diagnosed from seeing repeated QEMU trace events for tco_timer_expired after triggering the watchdog in the guest. This was quicky fixed by the Linux maintainers.

  In spite of being such a simple and crude script, with many, many, many unhandled edge cases, it has proved remarkably useful at enabling low overhead debugging of QEMU/Linux guest behaviour.

• Cockpit Project Cockpit 287

  Cockpit is the modern Linux admin interface. We release regularly.

  Here are the release notes from Cockpit 287 and cockpit-podman 64:

  Services: Pinned units need to be re-done

  The data storage for “pinned” systemd units has changed. After upgrading to this Cockpit version, you need to re-pin units.

  Development: Cockpit now supports the esbuild bundler

  esbuild is a much faster bundler alternative for webpack. It also natively understands JSX, so that it is not necessary any more to use babel. Cockpit’s shared components and bundler plugins in pkg/lib/ now support both eslint and webpack, so that projects can pick either. cockpit-podman moved to esbuild in this commit. You may choose to do the same for your project.

  Try it out

  Cockpit 287 and cockpit-podman 64 are available now:

  • For your Linux system

  • Cockpit Client

  • Cockpit Source Tarball
  • Cockpit Fedora 38
  • Cockpit Fedora 37
  • cockpit-machines Source Tarball
  • cockpit-machines Fedora 38
  • [cockpit-machines Fedora 37]https://bodhi.fedoraproject.org/updates/FEDORA-2023-9893be2f68()
  • cockpit-podman Source Tarball
  • cockpit-podman Fedora 38
  • cockpit-podman Fedora 37

March 08, 2023

• Outreachy Dating Recognizing relationships and false accusations in GSoC and Outreachy

  For about five years now Debian fanatics and their rent-a-mob have been spreading rumors about a mentor.

  Many of us trust Debian as an operating system for our computers and servers. But can we really trust the people who make Debian?

  Here is Ariadne Conill spreading rumours about a mentor girlfriending one of the GSoC interns:

  

  The last woman this mentor was responsible for is Elena Gjevukaj. In the middle of her internship, she sent the mentor a picture of her wedding.

  Oops. Debian lies. Ariadne lies. If the woman got married in the middle of the internship then it is both very rude and very absurd for Debian people to suggest she was the mentor's girlfriend.

  Subject: 	Surprise
  Date: 	Wed, 15 Aug 2018 01:14:54 +0200
  From: 	Elena Gjevukaj <gjevukaje@gmail.com>
  To: 	Daniel Pocock <daniel@pocock.pro>
  
  We got married! 😂
  

  

  Yet Ariadne persists. She is even stalking the mentor on Twitter, despite the fact the mentor doesn't have any social media accounts.

  

  There is a lot more evidence too. In fact, the mentor was denied funding to attend DebConf18 in 2018. Here is the email:

  ---

  Subject: Your bursary request for DebConf18: status updated
  Date: Wed, 13 Jun 2018 18:35:52 -0000
  From: <bursaries@debconf.org>
  To: <daniel@pocock.pro>
  
  Dear Daniel Pocock,
  
  The bursaries team has updated the status of your bursary request for DebConf18.
  
  Travel bursary
  --------------
  
  Your request for a travel bursary has been evaluated and ranked. However, we are
  unable to grant it at this time: our travel budget is very limited, and we had
  to defer a lot of strong applications. We will let you know as soon as possible,
  hopefully before the end of June, if we can grant you the amount you have
  requested, as our budget evolves and higher ranked applicants finalize their
  plans.
  
  
  Food bursary
  ------------
  
  You have told us that you would be completely unable to come to DebConf if you
  weren't granted a travel bursary. Your food bursary is therefore pending an
  update on the travel bursaries front. If you're able to join us nonetheless,
  let the bursaries team know so we can update your "level of need". Note that
  this will be reflected in your travel bursary ranking.
  
  
  Accommodation bursary
  ---------------------
  
  You have told us that you would be completely unable to come to DebConf if you
  weren't granted a travel bursary. Your accommodation bursary is therefore
  pending an update on the travel bursaries front. If you're able to join us
  nonetheless, let the bursaries team know so we can update your "level of need".
  Note that this will be reflected in your travel bursary ranking.
  
  
  You can review the full status of your bursary request in your profile[1] on the
  DebConf website.
  
  [1] https://debconf18.debconf.org/users/pocock/
  -- 
  The DebConf18 bursaries team
  

  ---

  Mentors do a lot of unpaid work for Google and Outreachy. Why did Debian and Google block this mentor going to DebConf18? Were they hiding something from the mentor?

  It looks like other developers, inner members of the Debian cabal, wanted to have some personal time with the female interns. Jiin-Mei Lin published a photo gallery.

  The gallery includes one inconvenient photo. It is the developer Lior Kaplan with his arm around an Outreachy. In fact, the woman concerned was subsequently employed by GNOME Foundation. She joined GNOME at the same time as Molly de Blanc.

  Congratulations to this woman. She survived DebConf and she outlasted both Molly de Blanc and Neil McGovern at GNOME. The Albanian woman in Lior's arms is the last man standing.

  

  At DebConf19 in Brazil, there was an even bigger controversy. We saw pictures of the Debian Project Leader, Chris Lamb (top left), with a table full of Albanian women at the conference dinner:

  

  If travel budgets are so tight, how did they find money to buy all these tickets from Albania to Brazil?

  Eight weeks later and the woman sitting closest to Lamby won the Outreachy internship, $6,000 and more free trips:

  

  How do other women feel when they waste two or three evenings doing the Outreachy application test and then they see photos suggesting the Debian leader had a romantic history with the winner?

  FSFE is at it too

  Here is that picture from OSCAL in Tirana, Albania where we see the FSFE president Matthias Kirschner (on the right) with a table full of young Albanian girls.

  

  Now we found another picture, it is Kirschner's predecessor at the FSFE, Karsten Gerloff taking a patriarchal pose with his arm around a smiling young woman from Eastern Europe:

  

  RMS signatories were not victims

  Here one of the women tells us she was not a victim.

  

  Nicolas Dandrimont was at it too

  Dandrimont is one of the Debian Account Managers. He tried to bring his girlfriend into Outreachy.

  Subject: Recusing myself from Outreachy applicant selection decisions, internships funding
  Date: Fri, 14 Oct 2016 12:37:46 +0200
  From: Nicolas Dandrimont <olasd@debian.org>
  To: <leader@debian.org>, <outreach@debian.org>
  CC: <mapreri@debian.org>, <pocock@debian.org>
  
  Hey all,
  
  As of today, the person I'm involved with, Pauline Pommeret, is applying to an
  Outreachy internship in Debian (on the GPG cleanroom environment project - I
  don't see her mail on the list archive yet, so something must have gone wrong,
  but it should arrive soon enough).
  
  To avoid an obvious conflict of interest, I am recusing myself for any
  decisions regarding applicant selections for this round.
  
  I am of course still happy to serve as a liaison with the Outreachy program
  administrators, and to forward our applicants to them for general funding when
  selected, if the money allocated by Debian runs out.
  
  This would especially be relevant, in my opinion, to RTC projects, as I'm not
  sure at all that we should fund them from Debian money directly. Karen Sandler
  also told me that one of the Outreachy sponsors was interested in funding
  interns on Reproducible Builds. All in all, we should be able to have two or
  three internship slots with Debian only disbursing one.
  
  I'll stay on the outreach@d.o alias for now, but let me know if you need help
  ranking applicants, and I'll ask DSA to remove me so you can discuss at ease.
  
  Cheers,
  -- 
  Nicolas Dandrimont
  

  Debian women: marriages and children

  The story of Alexander Reichle-Schmehl and Meike Reichle is not uncommon in Debian

  Subject: Ditto: Retiring
  Date: Tue, 31 Dec 2013 12:40:37 +0100
  From: Meike Reichle 
  To: debian-private@lists.debian.org
  
  Hi all
  
  > I'm very sorry but as I'm unable to dedicate any time to anything
  > related to Debian, I think it's best to retire. Sad truth is, that I'm
  > quite busy with my family and my job.
  > 
  > Last year I hoped, that it would only be a temporary thing, but well I
  > still don't have much time, and the time I have left I prefer to spend
  > with my family.
  > 
  > However, I really hope, I'll be able to rejoin when time permits it.
  
  As expected, the same goes for me :-/
  
  With job(s), kid, house, life etc. computers been playing a continuously
  smaller role in our family life. Most of these days I am glad if I manage
  to check my email once a day. I'd really hoped to find a way to combine
  family and Free Software, but I don't seem to be able to really pull it off.
  
  So, as Alex, I am herewith declaring my resignation. *sniff*
  
  Being a part of the Debian project was one of the greatest experiences in
  my life and I owe a lot to you (including my lovely husband). I hope we'll
  still be able to maintain a close connection to the project and find other
  ways to support it until we can return to full DD'dom.
  
  In the meantime there'll at least always be a free guest room waiting,
  should anyone of you ever need a place to stay in the Southern
  Germany/Switzerland area.
  
  Best Regards,
  Meike
  
  PS This message shall never be disclosed.
  
  
  -- 
  Please respect the privacy of this mailing list. Some posts may be declassified
  3 years after posting as per http://www.debian.org/vote/2005/vote_002
  
  Archive: file://master.debian.org/~debian/archive/debian-private/
  
  To UNSUBSCRIBE, use the web form at .
  

• Jan Grulich Explained: QGnomePlatform and Adwaita-qt

  

  I decided to write this post to explain everything I can about these two projects. There have been discussions and people demanding these projects should not be used by default in Fedora. As part of this, some issues were raised and it might not be clear which component might be responsible for what. I ended up constantly defending these projects in many discussions and ended up being exhausted by doing so over and over, so take this as an explainer to shed some light.

  Brief introduction to QGnomePlatform and Adwaita-qt

  To give you some context before I go into details, you can think about Adwaita-qt as the UI representation and QGnomePlatform as the integration between GNOME and Qt. QGnomePlatform applies your GNOME configuration and behavior to Qt apps, together with some integration bits, like dialogs or client-side decorations. Adwaita-qt is responsible for the style of the app itself, including the style of all visible parts (widgets/buttons).

  QGnomePlatform

  What is QGnomePlatform?

  QGnomePlatform is a Qt Platform Theme (part of Qt Platform Abstraction API), where such a plugin is responsible for the app integration into the desktop environment. It is designed to provide integration between Qt apps and the GNOME platform. To explain in an example. Without any platform integration, Qt apps running on GNOME would use default styling and configuration so your fonts, icon theme, dialogs would not fit into the desktop. Also in the case of QGnomePlatform you would not have GNOME-like client-side decorations.

  What QGnomePlatform provides?

  QGnomePlatform provides the following integration for Qt apps running in GNOME:

  • Font configuration *
  • Icon theme *
  • Cursor size and cursor theme *
  • Static hints (like double-click time, long-press time etc.) *
  • Dialogs:
    • File dialog (both using GTK3 * and native dialog using xdg-desktop-portal)
    • Font dialog using GTK3 *
    • Color dialog using GTK3 *
  • Client-side decorations
  • Support for Settings portal from xdg-desktop-portal settings
    • Unlike the built-in GTK3 theme that can get everything only from GSettings
    • Brings support for light/dark theme switching introduced in GNOME 42
  • Use Adwaita-qt theme by default (elephant in the room) and Adwaita color palette
    • Also provides support for additional themes, like Kvantum
  • Support for Cinnamon desktop

  * these can also be provided by built-in GTK3 platform theme in Qt itself (just for comparison what QGnomePlatform does extra)

  Issues QGnomePlatform gets wrongly blamed for

  Client-side decorations

  As stated above, QGnomePlatform provides an implementation of CSD. It’s actually the only Qt CSD implementation I’m aware of, excluding the reference implementation provided by QtWayland, named Bradient. Below is a screenshot comparing QGnomePlatform (left) and Bradient (right).

  

  I saw many times people complaining about missing shadows support and resizing issues. The truth is that officially there was no proper shadows support in the Qt API until I introduced it with Qt 6.2. That’s the reason we don’t have it for Qt5, unless you are a Fedora user, where this support has been backported and enabled in QGnomePlatform build. I also fixed all kinds of CSD related issues in QtWayland.ven though Qt has proper support for shadows in Qt6 now, the reference implementation doesn’t use them.

  Misplaced popups/menus

  This has nothing to do with Qt platform theme or CSD implementation, because it was actually a bug in QtWayland. Unfortunately this fix is only in Qt 6 and cannot be backported officially to Qt 5 as it would break KDE Plasma. I managed to at least patch QtWayland in Fedora and Flatpak KDE runtime, where I modified this patch to not affect KDE Plasma at all.

  What can QGnomePlatform be blamed for?

  Forcing Adwaita-qt color palette

  QGnomePlatform sets Adwaita-qt color palette to each Qt app so applications can use QPalette API to get access to colors used in the style itself. This can be for example useful when an app creates custom widgets that would not get styled by the QStyle itself. This creates a problem for KDE applications using the KColorScheme API. 

  Examples of this issue:

  

  

  

  The reason is that KColorScheme and QPalette are out of sync and there might be color roles that are in KColorScheme, but not in QPalette. If an app requests a color from KColorScheme that’s not in QPalette, KColorScheme will default to Breeze style and a color that’s not going to fit the Adwaita-qt style will be provided, causing the app to mix light and dark colors.

  Luckily, we have identified a workaround that can be done in QGnomePlatform to avoid this issue. Here is the QGnomePlatform bug with more details.

  I think this is the most visible and user-facing issue we currently have and get blamed for so I would like to fix this as soon as possible.

  Adwaita-qt

  Adwaita-qt is a Qt style for widgets. Qt style is again part of Qt Platform Abstraction. You can think of it as a theme for your application. It’s what changes the visualization of your widgets like buttons, checkboxes etc. and it’s the only thing that changes the appearance of the application itself. For comparison, the screenshot below is Adwaita-qt (light) and the second one is the Qt’s default Fusion style used on Linux used without any QGnomePlatform influence so basically what you would get by default.

  

  

  I can also add that Adwaita-qt supports HighContrast variants, which are useful for visually impaired people.

  

  What issues can Adwaita-qt be blamed for?

  I already mentioned the color mismatch issue which is not really Adwaita-qt’s fault. There are of course issues in Adwaita-qt itself and it’s far from being perfect. The whole style needs a complete overhaul, because the last one was done in 2019 and the Adwaita theme changed a lot recently with GTK4. Another issue is that while the majority of common widgets are styled just fine, there are still some widgets that are rarely used and might have issues with this style.

  Another issue is that  apps that customize standard widgets (e.g. through CSS), might get into trouble. Below is a screenshot of Wireshark (pure Qt app) compared to Breeze in KDE.

  

  Another example can be seen in the Black Chocobo app, which uses some customization:

  

  

  Should QGnomePlatform get removed/replaced?

  Definitely not. It has many benefits and extras compared to Qt’s default platform and most importantly gives you CSD support. Once I fix the color mismatch issue, there shouldn’t be anything users should complain about. Obviously, this would not be an issue when Breeze is used instead of Adwaita-qt, but still an issue when Fusion is used so it would still need to be addressed. You can see a screenshot below showing Fusion style used in combination with GNOME set to dark theme:

  

  Should Adwaita-qt get removed/replaced?

  Maybe. It depends on the alternatives. Obviously using Breeze would get rid of all the widget issues one might experience with Adwaita-qt, however, it is problematic to ship it by default due to bringing dependencies on KDE Frameworks and Plasma breeze style. With the default Fusion style you will also get many widget issues fixed, but you still need to set the color palette through QGnomePlatform in case you want Fusion to be “dark” and fit into the desktop, otherwise you will always end up using the default “light” variant no matter what configuration you set in GNOME.

  Conclusion

  I hope that this post is useful for those observing issues with Qt apps under GNOME, and will help them to understand which component is responsible for what, as well as the issues involved. In case you are interested and would like to either contribute a patch or report an issue, here are links to QGnomePlatform and Adwaita-qt repositories.

March 07, 2023

• Joe Brockmeier Why your talk was rejected (or maybe accepted)

  I had a few snarky opening lines for this post, but decided that was a bit unfair. Let’s just say that people get very impassioned about tech events and getting talks accepted. If you’re on the conference committee, it can be… intense, sometimes, managing the needs of an event versus people’s deep interest in being one of the speakers. I thought it’d be helpful to give some insights into why talks are and aren’t accepted.

  In no particular order:

  • Slots available: Depending on the event, there’s probably something like two to 10 talks submitted for every available slot. By definition, some of these talks won’t make the cut simply because there’s not room.
  • Uninspired: I’ve seen a lot of one-liners and blah submissions. If the submission is boring, I’m guessing the talk will be too. Conversely, a really inspired / inspiring talk is going to get a slot very often.
  • Conference carbon copy: Some speakers submit the same talk or a cookie-cutter approach where they just slot name-of-technology into the same title and abstract. I’m disinclined to accept those when I spot that.
  • Topic fit: The topic either isn’t a good fit, or we got 10 submissions on the same topic and only needed one. Or it’s a great fit and immediately selected.
  • Speaker fit: The talk looks good, but it’s unclear whether the speaker is the best fit. If I have a talk submitted by a person with no distinctive credentials and a similar talk submitted by the inventor of the technology, it’s a no-brainer that the inventor gets the slot.
  • Something new: On the other hand, there comes a time to break with tradition and give other people a shot. If the same speaker has given the same talk every year there’s a point when it is time to give another speaker a shot. Sometimes it’s time to retire a talk or at least take a year off.
  • Audience level isn’t right: A 101-level talk might be great for some events and wildly out of place for others. A technology deep dive might be way too much for some events.
  • We have enough Acme Corp, thank you. If the conference is vendor-neutral, having too many speakers from one company is a bad look. A talk might be rejected simply because the event is over-saturated with talks from specific companies.
  • Customer talks for the win! If the conf is vendor-specific, talks from customers about technologies and use cases are usually better than talks from the vendor. It’s better for the attendees to get a customer-centric view, and it’s better for the vendor even if the presentation isn’t as glowing about the product, technology, or whatever.
  • Your talk was submitted by a PR firm. Generally speaking, this is almost always a hard no from me on principle. If, for whatever reason, the speaker can’t be bothered to submit the talk themselves, then I don’t want it. See also…
  • The talk is a thinly (or not at all) disguised product pitch. Most tech conferences are organized around money, in some fashion or another. Vendors sponsor the events because they see a connection between the event and sales, even if it’s just awareness that they hope someday will lead to sales. Vendors pay for speakers to travel because they see “value” at the other end of the rainbow in the form of sales, or are hoping for a halo effect that … leads to sales.I could go on, but the point is it all comes back to money at some point.That said, few attendees want to sit through a commercial. It’s OK to name-check a product. It’s OK if a useful talk just happens to guide people in the general direction of a product or service. If you want to do a product pitch, pony up for one of the paid slots. If the conference doesn’t have those, then too bad.
  • The talk is too negative. Rare, but I’ve seen a few that were shots at competitors or generally outside of healthy critique to outright attack.
  • You didn’t hit submit. This really happens. Some systems will show you talks that were started but not submitted, and I’ve seen some interesting titles that the speaker never finished the submission. If it’s not final, it’s probably not going in!

  Those are just off the top of my head. Talk selection involves a lot of moving parts and is more art than science. Actually, I’m not sure it’s art, but it’s definitely not science.

  All of that said, the point is this… it’s really not so much about you or your talks specifically. If you don’t get a talk accepted, don’t take it personally. It probably doesn’t have a lot to do with you or your submission. Unless you totally phoned it in and submitted a one-liner filled with typos. Then, you know, do better next time.

  There’s a ton of writing out there with advice about how to write talks that get accepted. Some good, some mediocre. I might add some to the pile eventually, but the short version is: Have a good title and abstract. Demonstrate you know the topic well and are authoritative on it. Show you’ll do your homework and come prepped to give a good talk. And if you have compromising photos of the selection committee you’re almost sure to get accepted.

• Peter Czanik Syslog-ng 101, part 10: Parsing

  This is the tenth part of my syslog-ng tutorial. Last time, we learned about syslog-ng filters. Today, we learn about message parsing using syslog-ng.

  You can watch the video or read the text below.

  https://youtu.be/xZwYqUrvdqw

  Parsing

  Parsing createsname-value pairs from log messages using parsers. It is probably the most interesting but also the most complex part of syslog-ng.

  By default, syslog-ng tries to parse all incoming log messages as if they were formatted according to the RFC 3164 or old/BSD syslog specification. This creates a number of macros, including MESSAGE, which contains the actual log message. You can then use other parsers to further parse the content of the MESSAGE macro. It does not stop here: you can parse the content of the resulting macros as well. This way, you can create complex parser chains that extract useful information from log messages.

  When we learned about sources, I mentioned the no-parse flag. This way, RFC 3164 parsing is disabled, and you can parse the whole message. This is useful for a JSON or CSV formatted log message.

  Why is message parsing important? There are two main use cases. Having log messages available as name-value pairs allows a lot more precise filtering. For example, you can create alerts within syslog-ng for a specific username in login messages. It is also possible to save/forward only relevant data from a longer log message, saving significant amount of storage and/or network traffic.

  PatternDB parser

  The PatternDB message parser can extract information from unstructured messages into name-value pairs. Not just that, as it can also add status fields to log messages based on message text and do message classification, like LogCheck.

  Of course, syslog-ng does not know what is inside the log messages by itself. It needs an XML database describing log messages. There are some sample XML databases available online, but mostly you are on your own creating these databases for your logs. For example, in case of an SSH login failure can be described as:

  • Parsed: app=sshd, user=root, source_ip=192.168.123.45

  • Added: action=login, status=failure

  • Classified as “violation”

  JSON parser

  The JSON parser turns JSON-based log messages into name-value pairs. Yes, JSON is a structured log format. However, all incoming log messages are treated by syslog-ng as plain text. You have to instruct syslog-ng to use a parser and turn the message into name-value pairs.

  CSV parser

  The CSV parser can parse columnar data into name-value pairs. A typical example is the Apache access log file, even if the fields are not separated by commas. In this example, you can see that each column has a name. Later, one of the resulting name-value pairs, the name of the authenticated user, is used in a file name.

  parser p_apache {
      csv-parser(columns("APACHE.CLIENT_IP", "APACHE.IDENT_NAME", "APACHE.USER_NAME",
          "APACHE.TIMESTAMP", "APACHE.REQUEST_URL", "APACHE.REQUEST_STATUS",
          "APACHE.CONTENT_LENGTH", "APACHE.REFERER", "APACHE.USER_AGENT",
          "APACHE.PROCESS_TIME", "APACHE.SERVER_NAME")
           flags(escape-double-char,strip-whitespace) delimiters(" ") quote-pairs('""[]')
           );
  };
  destination d_file { file("/var/log/messages-${APACHE.USER_NAME:-nouser}"); };
  log { source(s_local); parser(p_apache); destination(d_file);};

  Key=value parser

  The key=value parser can find key=value pairs in log messages. It was introduced in syslog-ng 3.7. This format is typical for firewall logs, but also used by many other applications. Here are some example log messages:

  Aug 4 13:22:40 centos kernel: IPTables-Dropped: IN= OUT=em1 SRC=192.168.1.23 DST=192.168.1.20 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=59228 SEQ=2

  Aug 4 13:23:00 centos kernel: IPTables-Dropped: IN=em1 OUT= MAC=a2:be:d2:ab:11:af:e2:f2:00:00 SRC=192.168.2.115 DST=192.168.1.23 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=9434 DF PROTO=TCP SPT=58428 DPT=443 WINDOW=8192 RES=0x00 SYN URGP=0

  Further parsers

  There are several other parsers in syslog-ng. The XML parser can parse XML formatted log messages, typically used by Windows applications. There is a dedicated parser for Linux Audit logs. There are many non-standard date formats. The date parser can help in this case, which can be configured using templates. It saves the date to the sender date.

  SCL: syslog-ng configuration library

  As mentioned earlier, the syslog-ng configuration library has many parsers. These are implemented in configuration, combining several of the existing parsers.

  The Apache parser can parse Apache access logs. It builds on the CSV parser, but also combines it with the date parser and rewrites part of the results to be more human readable.

  The sudo parser can extract information from sudo log messages, so it is easy to alert on log messages if something nasty happens.

  Log messages from Cisco devices are similar to syslog messages, however, quite often they cannot be parsed by syslog parsers, as they do not comply with specifications. The Cisco parser of syslog-ng can parse many kinds of Cisco log messages. Of course, not all Cisco log messages, only those for which we received log samples.

  Python parser

  The Python parser was first released in syslog-ng 3.10. It can parse complex data formats, where simply combining various built-in parsers is not enough. It can also be used to enrich log messages from external data sources, like SQL, DNS or whois.

  The main drawback of the Python parser is speed and resource usage. C is a lot more efficient. However, for the vast majority of users, this is not a bottleneck. Python also has the advantage that it does not need compilation or a dedicated development environment. For these reasons, the Python scripts are also easier to spread among users than native C.

  Application adapters, Enterprise wide message model

  As mentioned earlier, the syslog-ng configuration library contains a number of parsers. These are also called Application Adapters. There is a growing list of parsers. Using these you can easily parse log messages automatically, without any additional configuration. This is possible, because Application Adapters are enabled for the system() source since syslog-ng version 3.13.

  The Enterprise wide message model (EWMM) allows forwarding name-value pairs between syslog-ng instances. It is made possible by using JSON formatting. It can also forward the original raw message. It is important, as by default, syslog-ng does not send the original message, but what it can reconstruct form it using templates. The original, often broken, formatting is lost. However, some log analytics software expects to receive the broken message format instead of the standards compliant one.

  Example

  You might have seen this example configuration a few times before if you followed my tutorial series. This is a good example for Application Adapters. You do not see any parser declarations in the configuration, but you can see working with the results of message parsing. In this case, name-value pairs are parsed from sudo log messages:

  @version:3.21
  @include "scl.conf"
  source s_sys { system(); internal();};
  destination d_mesg { file("/var/log/messages"); };
  log { source(s_sys); destination(d_mesg); };
  filter f_sudo {program(sudo)};
  destination d_test {
    file("/var/log/sudo.json"
    template("$(format-json --scope nv_pairs --scope dot_nv_pairs --scope rfc5424)\n\n"));
  };
  log {
      source(s_sys);
      filter(f_sudo);
      if (match("czanik" value(".sudo.SUBJECT"))) {
          destination { file("/var/log/sudo_filtered"); };
      };
      destination(d_test);
  };

  If you have any questions or comments, leave a comment on YouTube or reach out to me on Twitter / Mastodon.

  -

  If you have questions or comments related to syslog-ng, do not hesitate to contact us. You can reach us by email or even chat with us. For a list of possibilities, check our GitHub page under the “Community” section at https://github.com/syslog-ng/syslog-ng. On Twitter, I am available as @PCzanik, on Mastodon as @Pczanik@fosstodon.org.