January 18, 2022

January 17th: London, UK – Canonical, the company behind Ubuntu, the world’s most popular operating system across private and public clouds, now offers Ubuntu Security Guide tooling for compliance with the DISA Security Technical Implementation Guide (STIG) in Ubuntu 20.04 LTS. The new automated tooling builds on Canonical’s track record of designing Ubuntu for high-security and regulated workloads, powering U.S. government agencies, prime contractors and service providers. The Ubuntu Security Guide enables agencies and organisations to comply with the most stringent security requirements through automation and at scale.

“With the Ubuntu Security Guide, we extend the Ubuntu experience to ease compliance with DISA security requirements. It is now very easy for DevOps teams and administrators to follow these requirements,” says Nikos Mavrogiannopoulos, Product Manager for security. 

DISA-STIG is a U.S. Department of Defense security configuration standard consisting of configuration guidelines for hardening systems to improve a system’s security posture. It can be seen as a checklist for securing protocols, services, or servers to improve the overall security by reducing the attack surface. The Ubuntu Security Guide (USG) brings simplicity by integrating the experience of several teams working on compliance. It enables the audit, fixing, and customisation of a system while enabling a system-wide configuration for compliance, making management by diverse people in a DevOps team significantly easier.

The DISA-STIG automated configuration tooling for Ubuntu 20.04 LTS is available with Ubuntu Advantage subscriptions and Ubuntu Pro, alongside additional open source security and support services. 

For more information, visit https://ubuntu.com/security/disa-stig.

Contact our team to get started with Ubuntu for high security and regulated workloads. 

About Canonical

Canonical is behind Ubuntu, the leading OS for container, cloud, and hyperscale computing. Most public cloud workloads use Ubuntu, as do most new smart gateways, switches, self-driving cars, and advanced robots. Canonical provides enterprise security, support, and services to commercial users of Ubuntu. Established in 2004, Canonical is a privately held company.

on January 18, 2022 02:14 PM

The CIS benchmark has hundreds of configuration recommendations, so hardening and auditing a Linux system by hand is tedious. Every administrator whose systems must comply with the benchmark wants the process to be usable and automatable. Why? Manually configuring such a large number of rules leads to mistakes, and those mistakes cause not only functional problems but can also open the door to security breaches. In fact, misconfiguration has been one of the top causes of breaches in recent years, according to the Verizon Data Breach Investigations Report.

Let us introduce the Ubuntu Security Guide (USG). The Ubuntu Security Guide is a new tool available on Ubuntu 20.04 LTS that makes automation easy and greatly improves the usability of hardening and auditing with CIS, while allowing for environment-specific customizations. In the rest of this blog, we go through the major use cases such as CIS compliance, audit, and customization.

Key benefits or, why should I care?

While observing how our existing CIS compliance tools were being used by auditors and administrators of Ubuntu systems, we identified several points that would improve their workflow. The following list summarizes the main pain points for audit and compliance workflows that are addressed by Ubuntu Security Guide.

With Ubuntu Security Guide

  • you can customize (tailor) the CIS profile; select the CIS rules to comply with.
  • you can select a specific version of the CIS benchmark, i.e., a tooling upgrade doesn’t need to break scheduled scans that target a specific benchmark version.
  • teams can standardize on a profile by storing it in a fixed, well-known location, so different people cannot accidentally scan against or comply with different profiles or versions.
  • the same experience applies whether scanning for the CIS benchmark, DISA-STIG and any other profiles made available in the future.
  • last but not least, you use a consistent interface across Ubuntu releases.

Let us now take a deep dive into using the Ubuntu Security Guide.

How to install the Ubuntu Security Guide

The Ubuntu Security Guide is available with an Ubuntu Advantage or Ubuntu Pro subscription. Once the subscription is attached to your Ubuntu system, install USG with the following commands:

$ sudo apt update
$ sudo apt install ubuntu-advantage-tools

$ sudo ua enable usg
$ sudo apt install usg

How to audit the system

At the time of this writing, the corresponding CIS benchmark for Ubuntu 20.04 LTS is the “CIS Ubuntu Linux 20.04 LTS Benchmark v1.0.0”. We will audit our system using USG and that benchmark with the following command.

$ sudo usg audit cis_level1_server

This will generate a report placed in /var/lib/usg with the results of the audit. The HTML report contains the list of rules that succeeded and failed, and looks like the following screenshot.

The compliance report output by Ubuntu Security Guide.
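Besides the HTML report, an OpenSCAP-based audit also writes its results as XCCDF XML, which is the form a scheduled scan or CI job should consume. The shell functions below are an added example and not part of the original post or of the usg tool: they pull the failing rule IDs out of an XCCDF results file, summarise the result counts, and return a non-zero status when anything failed. The results file they parse is a constructed sample in the shape OpenSCAP writes; its rule IDs and the file name under /var/lib/usg are illustrative assumptions, so check what your usg version actually produces there.

```shell
#!/bin/sh
# Added example: extract failing rules from an OpenSCAP/USG XCCDF results file.
# Not part of the original post or of the usg tool. The rule IDs in the sample
# and the idea of a results XML next to the HTML report are assumptions.

# Print the idref of every rule whose <result> is "fail", one per line.
# A <rule-result> element can span several lines, so remember the current
# idref and print it when the matching <result> line arrives.
usg_failed_rules() {
    awk '
        /<rule-result / {
            if (match($0, /idref="[^"]*"/))
                id = substr($0, RSTART + 7, RLENGTH - 8)
        }
        /<result>fail<\/result>/ { print id }
    ' "$1"
}

# Count results by state: prints "pass=N fail=N other=N".
usg_result_summary() {
    awk '
        /<result>pass<\/result>/ { p++; next }
        /<result>fail<\/result>/ { f++; next }
        /<result>[a-z]*<\/result>/ { o++ }
        END { printf "pass=%d fail=%d other=%d\n", p + 0, f + 0, o + 0 }
    ' "$1"
}

# Exit status 0 when no rule failed, 1 otherwise; lists the failures on stderr.
# Suitable as the last step of a scheduled scan so the job itself goes red.
usg_assert_compliant() {
    failed=$(usg_failed_rules "$1")
    if [ -n "$failed" ]; then
        printf 'non-compliant rules:\n%s\n' "$failed" >&2
        return 1
    fi
    return 0
}

# Write a constructed sample results file (not real usg output) to "$1".
write_sample_results() {
    cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<TestResult id="xccdf_org.open-scap_testresult_cis_level1_server">
  <rule-result idref="xccdf_org.ssgproject.content_rule_kernel_module_jffs2_disabled" time="2022-01-18T10:00:00">
    <result>fail</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout" time="2022-01-18T10:00:00">
    <result>pass</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_package_telnet_removed" time="2022-01-18T10:00:00"><result>fail</result></rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_grub2_password" time="2022-01-18T10:00:00">
    <result>notapplicable</result>
  </rule-result>
</TestResult>
EOF
}

# Stand-alone demonstration on the constructed sample.
sample=$(mktemp)
write_sample_results "$sample"
usg_result_summary "$sample"
usg_assert_compliant "$sample" || echo "scan reported failures (expected for the sample)"
rm -f "$sample"
```

In a real scheduled scan, point the functions at the newest results file under /var/lib/usg instead of the constructed sample; the non-zero exit from usg_assert_compliant is what turns a cron job or pipeline step red.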

What was the “cis_level1_server” argument that we used? It is the name of the USG profile to audit against. These profiles correspond to the CIS profiles, which are tailored towards workstations versus server systems; a higher level adds more rules that further reduce the attack surface of a system, at the cost of reduced usability.

USG profile name        Corresponding CIS profile
cis_level1_workstation  Level 1 Workstation profile
cis_level1_server       Level 1 Server profile
cis_level2_workstation  Level 2 Workstation profile
cis_level2_server       Level 2 Server profile

How to modify the system for compliance

Modifying a system to comply with the CIS benchmark with USG is as simple as the following command.

$ sudo usg fix cis_level1_server

And that’s all. Performing an audit after a reboot will show that the compliance level has increased significantly. Because `usg fix` changes system configuration directly (the jffs2 and auditd rules discussed below are typical), test it on a non-production system first and review the tailoring options that follow before applying it to production.

How to create a custom profile based on CIS

Compliance with a benchmark is not an all-or-nothing task. Each environment is different, and options that are considered as niche in one place can be essential in another. As such, USG allows tailoring the profile and removing unnecessary rules, as well as customising the rules that have multiple options available. 

You can customise a profile using a tailoring file, as demonstrated below. 

1. Generate a tailoring file:

$ sudo usg generate-tailoring stig ./tailor.xml

2. Edit the tailoring file and go through the rules, which are shown as comments. For example, to set the remote auditd server (rule UBTU-20-010216), find the text:

<!-- UBTU-20-010216
<xccdf:set-value idref="var_audispd_remote_server">logcollector</xccdf:set-value>

and replace logcollector with the name of your server. To disable a rule, change its `selected="true"` to `selected="false"`.

3. Audit using the new tailoring file:

$ sudo usg audit --tailoring-file tailor.xml

4. Fix using the new tailoring file:

$ sudo usg fix --tailoring-file tailor.xml

In the example above we set the name of the server that acts as a log aggregator. Let us now examine how to stop certain rules from applying. Suppose we are in an environment that requires the `jffs2` filesystem, but we also need to comply with CIS Level 1 Server, which prohibits it.

Note that this time we will create and use the “default” tailoring file in /etc/usg/default-tailoring.xml. If that file is present, it acts as the default profile for the system and will be used by the `usg` fix and audit commands without a need to specify a profile.

1. Generate a tailoring file:

$ sudo mkdir -p /etc/usg
$ sudo usg generate-tailoring cis_level1_server /etc/usg/default-tailoring.xml

2. Edit the tailoring file and go through the rules shown as comments. Let’s try to find jffs2 in that file:

<!-- 1.1.1.3 Ensure mounting of jffs2 filesystems is disabled (Automated) -->
<xccdf:select idref="kernel_module_jffs2_disabled" selected="true"/>

By replacing `selected="true"` with `selected="false"`, we no longer enforce disabling the jffs2 module.

3. Audit using the new tailoring file:

$ sudo usg audit

4. Fix the system using the new tailoring file:

$ sudo usg fix
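Both procedures above come down to the same two edits of the tailoring file: flipping a rule's `selected` attribute and changing the text of a `set-value` element. When the same tailoring has to be reproduced across many hosts it is better scripted than edited by hand, and the functions below do exactly that. They are an added example, not part of the original post or of the usg tool; the rule and variable IDs are the ones shown in the post, the sample tailoring file is constructed in the shape of the snippets above (a real generated file contains hundreds of rules), and the hostname logs.example.internal is a placeholder.

```shell
#!/bin/sh
# Added example: scriptable edits to a USG tailoring file.
# Not part of the original post or of the usg tool. The rule and variable IDs
# are the ones shown in the post; the sample file and hostname are constructed.

# Rewrite "$1" in place via a temporary file (portable across sed versions).
_rewrite_inplace() {
    file=$1; shift
    tmp="$file.tmp.$$"
    sed "$@" "$file" > "$tmp" && mv "$tmp" "$file"
}

# Deselect one rule: selected="true" -> selected="false" on the <xccdf:select>
# line whose idref is exactly $2. Returns 1 if no such rule exists in the file,
# so a typo in a rule name does not silently leave the rule enforced.
usg_tailor_disable() {
    grep -q "<xccdf:select idref=\"$2\"" "$1" || return 1
    _rewrite_inplace "$1" "/<xccdf:select idref=\"$2\"/s/selected=\"true\"/selected=\"false\"/"
}

# Re-enable one rule (the inverse of usg_tailor_disable).
usg_tailor_enable() {
    grep -q "<xccdf:select idref=\"$2\"" "$1" || return 1
    _rewrite_inplace "$1" "/<xccdf:select idref=\"$2\"/s/selected=\"false\"/selected=\"true\"/"
}

# Set a tailoring variable: the text between <xccdf:set-value idref="$2">
# and </xccdf:set-value> becomes $3. Values are restricted to characters that
# are safe as XML text and inside the sed replacement (no <, >, &, |, quotes).
usg_tailor_set_value() {
    case $3 in
        *[!A-Za-z0-9._:/-]*) echo "refusing unsafe value: $3" >&2; return 2 ;;
    esac
    grep -q "<xccdf:set-value idref=\"$2\">" "$1" || return 1
    _rewrite_inplace "$1" \
        "s|\(<xccdf:set-value idref=\"$2\">\)[^<]*\(</xccdf:set-value>\)|\1$3\2|"
}

# Read back the state of a rule ("true"/"false") or a variable's current value.
usg_tailor_get_rule() {
    sed -n "s/.*<xccdf:select idref=\"$2\" selected=\"\([a-z]*\)\".*/\1/p" "$1"
}
usg_tailor_get_value() {
    sed -n "s|.*<xccdf:set-value idref=\"$2\">\([^<]*\)</xccdf:set-value>.*|\1|p" "$1"
}

# Constructed sample in the shape of the snippets in the post (not a real
# generated tailoring file, which contains hundreds of rules).
write_sample_tailoring() {
    cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<xccdf:Tailoring xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_tailoring">
  <xccdf:Profile id="example_profile" extends="cis_level1_server">
    <!-- 1.1.1.3 Ensure mounting of jffs2 filesystems is disabled (Automated) -->
    <xccdf:select idref="kernel_module_jffs2_disabled" selected="true"/>
    <!-- 1.1.1.1 Ensure mounting of cramfs filesystems is disabled (Automated) -->
    <xccdf:select idref="kernel_module_cramfs_disabled" selected="true"/>
    <!-- UBTU-20-010216 -->
    <xccdf:set-value idref="var_audispd_remote_server">logcollector</xccdf:set-value>
  </xccdf:Profile>
</xccdf:Tailoring>
EOF
}

# Stand-alone demonstration on the constructed sample.
demo=$(mktemp)
write_sample_tailoring "$demo"
usg_tailor_disable "$demo" kernel_module_jffs2_disabled
usg_tailor_set_value "$demo" var_audispd_remote_server logs.example.internal
echo "jffs2 rule selected: $(usg_tailor_get_rule "$demo" kernel_module_jffs2_disabled)"
echo "audispd remote server: $(usg_tailor_get_value "$demo" var_audispd_remote_server)"
rm -f "$demo"
```

Run the same functions against /etc/usg/default-tailoring.xml after `usg generate-tailoring`, commit the resulting file, and every host that receives it will audit and fix against the identical profile; the grep guards make the script fail loudly when a rule ID does not exist in the generated file, which is what you want when a benchmark version changes.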

Conclusions

Manually complying with security profiles is a tedious and complex task that is easy to get wrong. The Ubuntu Security Guide (USG) brings simplicity and integrates the experience of several teams working on compliance. It enables the audit, fixing and customisation of a system with minimal command line options, while enabling a system-wide configuration for compliance that is easy to manage by the diverse people in a DevOps team. The usg tool is available on Ubuntu 20.04 with Ubuntu Advantage or Ubuntu Pro. There are many ways to achieve compliance with the CIS benchmark, some easier than others. The Ubuntu Security Guide is Ubuntu’s way of achieving compliance through a familiar, Linux-native interface, and is based on OpenSCAP. We welcome you to give it a try! More detailed documentation is available on our documentation pages.


on January 18, 2022 08:08 AM

Small EInk Phone

Bryan Quigley

Would you be interested in crowdfunding a small E Ink Open Phone? If yes, check out the specs and fill out the form below.

If I get 1000 interested people, I'll approach manufacturers. I plan to share the results publicly in either case. I will never share your information with manufacturers but contact you by email if this goes forward.

Basics:

  • Small sized for 2021 (somewhere between 4.5 - 5.2 inches)
  • E Ink screen (Maybe Color)
  • To be shipped with one of the main Linux phone OSes (Manjaro with KDE Plasma, etc).
  • Low to moderate hardware specs
  • Likely >6 months from purchase to getting device

Minimum goal specs (we might be able to do much better than these, but again might not):

  • 4 Core
  • 32 GB Storage
  • USB Type-C (Not necessarily display out capable)
  • ~8 MP Front camera
  • GPS
  • GSM Modem (US)

Software Goals:

  • Only open source apps pre-installed
  • MMS/SMS
  • Phone calls
  • View websites / webapps including at least 1 rideshare/taxi service working (may not be official)
  • 2 day battery life (during "normal" usage)

If no form loads click here.

Please share and post it on your favorite site!

Discussions: Phoronix (https://www.phoronix.com/forums/forum/software/mobile-linux/1300018-small-e-ink-open-phone)


on January 18, 2022 04:40 AM

January 17, 2022

Welcome to the Ubuntu Weekly Newsletter, Issue 718 for the week of January 9 – 15, 2022. The full version of this issue is available here.

In this issue we cover:

The Ubuntu Weekly Newsletter is brought to you by:

  • Krytarik Raido
  • Bashing-om
  • Chris Guiver
  • Wild Man
  • And many others

If you have a story idea for the Weekly Newsletter, join the Ubuntu News Team mailing list and submit it. Ideas can also be added to the wiki!

Except where otherwise noted, this issue of the Ubuntu Weekly Newsletter is licensed under a Creative Commons Attribution ShareAlike 3.0 License

on January 17, 2022 09:30 PM
Lubuntu 21.04 End of Life and Current Support Statuses Lubuntu 21.04 (Hirsute Hippo) was released April 22, 2021 and will reach End of Life on Thursday, January 20, 2022. This means that after that date there will be no further security updates or bugfixes released. We highly recommend that you update to 21.10 as soon […]
on January 17, 2022 01:37 AM

January 13, 2022

Ep 177 – tail

Podcast Ubuntu Portugal

It is that time of year… The moment when we put on our Zandinga outfit and talk about our convictions and predictions for 2022. Hear the predictions of our listeners too…

You know the drill: listen, subscribe and share!

  • https://shop.nitrokey.com/shop/product/nk-pro-2-nitrokey-pro-2-3?aff_ref=3
  • https://shop.nitrokey.com/shop?aff_ref=3
  • https://youtube.com/PodcastUbuntuPortugal

Support

You can support the podcast by using the Humble Bundle affiliate links: when you use those links to make a purchase, part of what you pay goes to Podcast Ubuntu Portugal.
You can get all of that for 15 dollars, or different parts depending on whether you pay 1 or 8.
We think it is worth well over 15 dollars, so if you can, pay a little more, since you have the option of paying whatever you like.

If you are interested in other bundles not listed in the notes, use the link https://www.humblebundle.com/?partner=PUP and you will also be supporting us.

Attribution and licences

This episode was produced by Diogo Constantino, Miguel and Tiago Carrondo and edited by Alexandre Carrapiço, o Senhor Podcast.

The theme music is “Won’t see it comin’ (Feat Aequality & N’sorte d’autruche)” by Alpha Hydrae, licensed under the [CC0 1.0 Universal License](https://creativecommons.org/publicdomain/zero/1.0/).

This episode and the image used are licensed under the Attribution-NonCommercial-NoDerivatives 4.0 International (CC BY-NC-ND 4.0) licence, whose full text can be read here. We are open to licensing for other kinds of use; contact us for validation and authorisation.

on January 13, 2022 10:15 PM

January 10, 2022

Welcome to the Ubuntu Weekly Newsletter, Issue 717 for the week of January 2 – 8, 2022. The full version of this issue is available here.

In this issue we cover:

The Ubuntu Weekly Newsletter is brought to you by:

  • Krytarik Raido
  • Bashing-om
  • Chris Guiver
  • Wild Man
  • 何糕
  • And many others

If you have a story idea for the Weekly Newsletter, join the Ubuntu News Team mailing list and submit it. Ideas can also be added to the wiki!

Except where otherwise noted, this issue of the Ubuntu Weekly Newsletter is licensed under a Creative Commons Attribution ShareAlike 3.0 License

on January 10, 2022 09:48 PM

January 06, 2022

Ep 176 – Olimpíadas da Matemática

Podcast Ubuntu Portugal

Everyone ready! The athletes are on the starting line, ready for the predictions race. Let’s take stock of 2021, under the watchful eye of Miguel, who will make sure everything goes smoothly!

You know the drill: listen, subscribe and share!

  • https://analytics.wikimedia.org/dashboards/browsers/#all-sites-by-browser
  • https://gs.statcounter.com/browser-market-share/all/worldwide/2021
  • https://gs.statcounter.com/browser-market-share/desktop/worldwide/#monthly-202101-202112
  • https://www.netmarketshare.com/browser-market-share.aspx?options=%7B%22filter%22%3A%7B%22%24and%22%3A%5B%7B%22deviceType%22%3A%7B%22%24in%22%3A%5B%22Desktop%2Flaptop%22%5D%7D%7D%5D%7D%2C%22dateLabel%22%3A%22Custom%22%2C%22attributes%22%3A%22share%22%2C%22group%22%3A%22browser%22%2C%22sort%22%3A%7B%22share%22%3A-1%7D%2C%22id%22%3A%22browsersDesktop%22%2C%22dateInterval%22%3A%22Monthly%22%2C%22dateStart%22%3A%222021-01%22%2C%22dateEnd%22%3A%222021-12%22%2C%22plotKeys%22%3A%5B%7B%22browser%22%3A%22Firefox%22%7D%5D%2C%22segments%22%3A%22-1000%22%7D
  • https://www.w3counter.com/globalstats.php
  • https://www.w3counter.com/globalstats.php?year=2021&month=6
  • https://keychronwireless.referralcandy.com/3P2MKM7
  • https://shop.nitrokey.com/shop/product/nk-pro-2-nitrokey-pro-2-3?aff_ref=3
  • https://shop.nitrokey.com/shop?aff_ref=3
  • https://youtube.com/PodcastUbuntuPortugal

Support

You can support the podcast by using the Humble Bundle affiliate links: when you use those links to make a purchase, part of what you pay goes to Podcast Ubuntu Portugal.
You can get all of that for 15 dollars, or different parts depending on whether you pay 1 or 8.
We think it is worth well over 15 dollars, so if you can, pay a little more, since you have the option of paying whatever you like.

If you are interested in other bundles not listed in the notes, use the link https://www.humblebundle.com/?partner=PUP and you will also be supporting us.

Attribution and licences

This episode was produced by Diogo Constantino, Miguel and Tiago Carrondo and edited by Alexandre Carrapiço, o Senhor Podcast.

The theme music is “Won’t see it comin’ (Feat Aequality & N’sorte d’autruche)” by Alpha Hydrae, licensed under the [CC0 1.0 Universal License](https://creativecommons.org/publicdomain/zero/1.0/).

This episode and the image used are licensed under the Attribution-NonCommercial-NoDerivatives 4.0 International (CC BY-NC-ND 4.0) licence, whose full text can be read here. We are open to licensing for other kinds of use; contact us for validation and authorisation.

on January 06, 2022 10:45 PM

January 01, 2022

Here’s my (twenty-seventh) monthly but brief update about the activities I’ve done in the F/L/OSS world.

Debian

This was my 36th month of actively contributing to Debian. I became a DM in late March 2019 and a DD on Christmas ‘19! \o/

Just churning through the backlog again this month. Ugh.

Anyway, I did the following stuff in Debian:

Uploads and bug fixes:

  • ruby2.7 (2.7.5-1) - New upstream version fixing 3 new CVEs.

Other $things:

  • Mentoring for newcomers.
  • Moderation of -project mailing list.

Ubuntu

This was my 11th month of actively contributing to Ubuntu. Now that I’ve joined Canonical to work on Ubuntu full-time, there’s a bunch of things I do! \o/

I mostly worked on different things, I guess.

I was too lazy to maintain a list of things I worked on so there’s no concrete list atm. Maybe I’ll get back to this section later or will start to list stuff from next year onward, as I was doing before. :D


Debian (E)LTS

Debian Long Term Support (LTS) is a project to extend the lifetime of all Debian stable releases to (at least) 5 years. Debian LTS is not handled by the Debian security team, but by a separate group of volunteers and companies interested in making it a success.

And Debian Extended LTS (ELTS) is its sister project, extending support to the Jessie release (+2 years after LTS support).

This was my twenty-seventh month as a Debian LTS and eighteenth month as a Debian ELTS paid contributor.
I was assigned 40.00 hours for LTS and 60.00 hours for ELTS and worked on the following things:
(since I had a 3-week vacation, I wanted to wrap things up that were pending and so I worked for 20h more for LTS, which I’ll compensate the next month!)

LTS CVE Fixes and Announcements:

ELTS CVE Fixes and Announcements:

  • Issued ELA 525-2, fixing CVE-2021-43527, for nss.
    For Debian 8 jessie, these problems have been fixed in version 2:3.26-1+debu8u15.
  • Issued ELA 530-1, for systemd.
    For Debian 8 jessie, these problems have been fixed in version 215-17+deb8u14.
  • Issued ELA 531-1, fixing CVE-2021-41817 and CVE-2021-41819, for ruby2.1.
    For Debian 8 jessie, these problems have been fixed in version 2.1.5-2+deb8u13.
  • Issued ELA 533-1, fixing CVE-2018-12020, for python-gnupg.
    For Debian 8 jessie, these problems have been fixed in version 0.3.6-1+deb8u2.
  • Issued ELA 536-1, fixing CVE-2021-43818, for lxml.
    For Debian 8 jessie, these problems have been fixed in version Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain.
  • Started working on src:samba for CVE-2020-25717 to CVE-2020-25722 and CVE-2021-23192 for jessie and stretch, both.
    The version difference b/w the suites are a bit too much for the patch(es) to be easily backported. I’ve talked to Anton to work something out. \o/
  • Found the problem w/ libjdom1-java. Will have to roll the regression upload.
    I’ve prepared the patch but needs some testing to be finally rolled out. Same for stretch.

Other (E)LTS Work:

  • Front-desk duty from 29-11 to 05-12 and 20-12 to 26-12 for both LTS and ELTS.
  • Triaged ffmpeg, git, gpac, inetutils, mc, modsecurity-crs, node-object-path, php-pear, systemd-cron, node-tar, ruby2.3, gst-plugins-bad0.10, npm, nltk, request-tracker4, ros-ros-comm, mediawiki, ruby2.1, ckeditor, ntfs-3g, tiff, wordpress, and jsoup, udisks2, libgit2, python3.5, python3.4, and openssh.
  • Mark CVE-2021-38171/ffmpeg as postponed for stretch.
  • Mark CVE-2021-40330/git as no-dsa for stretch and jessie.
  • Mark CVE-2020-19481/gpac as ignored for stretch.
  • Mark CVE-2021-40491/inetutils as no-dsa for stretch.
  • Mark CVE-2021-36370/mc as no-dsa for stretch and jessie.
  • Mark CVE-2021-35368/modsecurity-crs as no-dsa for stretch.
  • Mark CVE-2021-23434/node-object-path as end-of-life for stretch.
  • Mark CVE-2021-32610/php-pear as no-dsa for stretch.
  • Mark CVE-2017-9525/systemd-cron as no-dsa for stretch.
  • Mark CVE-2021-37701/node-tar as end-of-life for stretch.
  • Mark CVE-2021-37712/node-tar as end-of-life in stretch.
  • Mark CVE-2021-39201/wordpress as not-affected for jessie.
  • Mark CVE-2020-19143/tiff as not-affected for stretch and jessie.
  • Mark CVE-2021-38562/request-tracker4 as no-dsa for stretch.
  • Mark CVE-2021-37146/ros-ros-comm as no-dsa for stretch.
  • Mark CVE-2021-28965/ruby2.1 as ignored for jessie.
  • Mark CVE-2021-37714/jsoup as ignored for jessie.
  • Mark CVE-2021-41617/openssh as no-dsa for jessie.
  • Auto EOL’ed ardour, nltk, request-tracker4, python-scrapy, webkit2gtk, and linux for jessie.
  • Attended monthly Debian LTS meeting.
  • Answered questions (& discussions) on IRC (#debian-lts and #debian-elts).
  • General and other discussions on LTS private and public mailing list.

Debian LTS Survey

I’ve spent 5 hours on the LTS survey on the following bits:

  • Went through the old content on the previous survey.
  • Reviewed the new content - still more work to do.
  • Discussed the survey bits in the team meeting.
  • Partly reviewing the questions of the survey.
  • Walking through the instance to find the doability of the tasks discussed in the meeting.
  • Segregating and staging questions. More work to do here.

Until next time.
:wq for today.

on January 01, 2022 05:41 AM

December 31, 2021

Full Circle Magazine #176

Full Circle Magazine

This month:
* Command & Conquer : Terminal
* How-To : Python, Blender [NEW!] and LibreOffice Writer Tips
* Graphics : Inkscape
Everyday Ubuntu
* Micro This Micro That
* Review : Lubuntu 21.10
* Review : Xencelabs Pen Tablet Medium Bundle
* Book Review : Object Orientated Python
Ubports Touch
* Ubuntu Games : Slipstream
plus: News, The Daily Waddle, Q&A, and more.

Get it while it’s hot! https://fullcirclemagazine.org/issue-176/

on December 31, 2021 10:52 AM

December 28, 2021

Full Circle Weekly News #242

Full Circle Magazine


Debian offers fnt font manager:
https://bits.debian.org/2021/12/2000-fonts-debian.html

Ubuntu 22.04 theme switched to orange:
https://github.com/ubuntu/yaru/pull/3264

Debian 11.2 Update:
https://www.debian.org/News/2021/20211218

Mongoose OS 2.20, an IoT device platform released:
https://github.com/cesanta/mongoose-os/releases/tag/2.20.0

Release of the GNU library libmicrohttpd 0.9.74:
https://www.mail-archive.com/info-gnu@gnu.org/msg02977.html

Release of helloSystem 0.7 using FreeBSD and similar to macOS:
https://twitter.com/probonopd/status/1472595276942643200

Release of the distribution kit Elementary OS 6.1:
https://blog.elementary.io/elementary-os-6-1-available-now/

Release of the graphics editor GIMP 2.10.30:
https://www.gimp.org/

80% of the 100 most popular games on Steam are running on Linux:
https://www.protondb.com/

Search Engine DuckDuckGo Desktop Web Browser:
https://spreadprivacy.com/duckduckgo-2021-review/

Release of service manager s6-rc 0.5.3.0 and init system s6-linux-init 1.0.7:
https://github.com/skarnet/s6-rc/releases/tag/v0.5.3.0

Manjaro Linux 21.2 Release:
https://forum.manjaro.org/t/manjaro-21-2-0-qonos-released/95856

SuperTux 0.6.3 Free Game Release:
https://www.supertux.org/news/2021/12/23/0.6.3

Release of Krita 5.0:
https://krita.org/en/item/krita-5-0-released/

Jami "Taranis" released:
https://jami.net/taranis-a-major-release-of-jami/



Credits:
Full Circle Magazine
@fullcirclemag
Host: bardmoss@pm.me, @bardictriad
Bumper: Canonical
Theme Music: From The Dust - Stardust
https://soundcloud.com/ftdmusic
https://creativecommons.org/licenses/by/4.0/
on December 28, 2021 11:29 AM

December 19, 2021

The Wio Terminal is a microcontroller board with WiFi support. It is comparable to an Arduino with a WiFi shield added, and to the ESP8266/ESP32, which are also microcontrollers with built-in WiFi. For the end user, all of these can be programmed with the Arduino IDE and MicroPython, so you can choose any of them and the development experience will be almost the same.

A microcontroller is used in embedded systems. That is, electronic devices that need a small computer to work, but do not require this computer to run a full operating system like Linux. The Raspberry Pi is an example of a device that runs a full operating system and can be added to electronic devices that really need a full operating system to work. In practical terms, you can think of the microcontroller as a very small computer that does not run Linux but can run single programs that you develop, using a special tool like the Arduino IDE.

Disclaimer: I was approached by SeeedStudio to blog about a project that I will create using the Wio Terminal, in exchange for a free Wio Terminal (which I have already received). This introductory post is out of scope, but I feel like writing it because the project will take me some time to complete.

Unboxing the Wio Terminal

Here is the Wio Terminal package.

The Wio Terminal package.

Here are some photos of the Wio Terminal packaging.

Here are the contents of the package. It includes the printed User Manual, stickers, a USB Type-C cable, a spare button and the Wio Terminal.

Contents of the Wio Terminal package.

What’s different with the Wio Terminal?

The big difference between the Wio Terminal and other microcontrollers, is that the Wio Terminal is opinionated. It comes with a case, an LCD screen, buttons, microSD slot and even sensors. Your first impression is that it is actually a retro games console.

Photos of the Wio Terminal

This is the front photo. It shows the 2.4″ LCD screen (320×240). On the right, there is a button that does up/down/left/right. On the left, is the microphone and buzzer. No, I did not remove the LCD protector film.

Wio Terminal, front photo.

These are the four sides of the Wio Terminal.

The first photo shows the two multi-function Grove connectors. That is, you can buy sensors and other devices that support the Grove connector type and just plug them in. In the middle is the USB Type-C connector. The two holes are likely related to the two LEDs. The second photo shows the three user-programmable buttons. The third photo shows a very thin opening; I could not find out what it does, but I know that the WiFi and Bluetooth chip is behind it. The fourth and final photo shows the microSD memory card slot and the on-off switch.

Finally, this is the back of the Wio Terminal. There is a 40-pin GPIO header, compatible with the Raspberry Pi. There is some transparent plastic that reveals the microcontroller board. There are two holes that let you screw the Wio Terminal onto something. The four rubber pads around the corners? These are also magnets. You can either place the Wio Terminal securely on a flat surface or you can place it on a metal surface and it sticks really well.

Switching on the Wio Terminal for the first time

When you plug the Wio Terminal into a power source, it boots up with a default application. It’s a jumping game. You can jump to avoid the obstacles and shoot to kill the birds. The game is very fast and unless you have some experience with such games, you do not stand a chance to get a good high score (mine is 16).

And this brings up the first problem. When I upload my first app to the Wio Terminal, it is going to replace the jumping game! How do we save the game? Well, it’s not a problem, and there are two solutions. First, the source code of the game is available at jumping game for the Wio Terminal. Second, if you are into gaming, you can get better at a game if you can make it go slower. Once you get better at the slower version, you switch back to the faster version and you perform better, with less frustration. The source code is there for you to make it go slower.

Conclusion

The Wio Terminal has a lot of features to make it do useful things with less hassle. In effect, you should focus on the programming of your application, rather than connecting bits and pieces together. The next steps are to set up Arduino Studio to work with the Wio Terminal and, optionally, try out MicroPython. There are lots of resources and the documentation is great.

on December 19, 2021 04:38 PM

December 15, 2021

AWS EKS is a remarkable product: it manages Kubernetes for you, letting you focus on creating and deploying applications. However, if you want to manage permissions according to the shared responsibility model, you are in for some wild rides.

Cover image courtesy of unDraw.

The shared responsibility model

First, what’s the shared responsibility model? Well, to design a well-architected application, AWS suggests following six pillars. Among these six pillars, one is security. Security includes sharing responsibility between AWS and the customer. In particular, and I quote,

Customers are responsible for managing their data (including encryption options), classifying their assets, and using IAM tools to apply the appropriate permissions.

Beautiful, isn’t it? AWS gives us a powerful tool, IAM, to manage permissions; we have to configure things in the best way, and AWS gives us the way to do so. Or does it? Let’s take a look together.

Our goal

I would say the goal is simple, but since we are talking about Kubernetes, things cannot be just simple.

Our goal is quite straightforward: setting up a Kubernetes cluster for our developers. Given that AWS offers AWS EKS, a managed Kubernetes service, we only need to configure it properly, and we are done. Of course, we will follow best practices to do so.

A proper setup

Infrastructure as code is out of scope for this post, but if you have never heard about it before, I strongly suggest taking a look into it.

Of course, we don’t use the AWS console to manually configure stuff, but Infrastructure as Code: basically, we will write some code that will call the AWS APIs on our behalf to set up AWS EKS and everything correlated. In this way, we can have a reproducible setup that we could deploy in multiple environments, and countless other advantages.

Moreover, we want to avoid launching scripts that interact with our infrastructure from our PC: we prefer not to have permissions to destroy important stuff! Separation of concerns is fundamental, and we want to write code without worrying about having consequences in the real world. All our code should be vetted by somebody else through a merge request, and after being approved and merged to our main branch, a runner will pick it up and apply the changes.

A runner is any CI/CD that will execute the code on your behalf. In my case, it is a GitLab runner, but it could be any continuous integration system.

We are at the core of the problem: our runner should follow the principle of least privilege: it should be able to do only what it needs to do, and nothing more. This is why we will create an IAM role only for it, with only the permissions to manage our EKS cluster and everything in it, but nothing more.

I would have a massive rant about how bad the AWS documentation for IAM is in general, not only for EKS, but I will leave it to some other day.

The first part of creating a role with minimum privileges is, well, understanding what minimum means in our case. A starting point is the AWS documentation: unfortunately, it is always a bad starting point concerning IAM permissions, ‘cause it is always too generous in allowing permissions.

The “minimum” permission according to AWS

According to the guide, the minimum permissions necessary for managing a cluster are being able to do any action on any EKS resource. A bit far-fetched, isn’t it?

Okay, hardening this will be fun, but hey, do not let bad documentation get in the way of a proper security posture.

You know what will get in the way? Bugs! A ton of bugs, with absolutely useless error messages.

I started by limiting access to only the namespace of the EKS cluster I wanted to create. I naively thought that we could simply limit access to the resources belonging to the cluster. But, oh boy, I was mistaken!

Looking at the documentation for IAM resources and actions, I created this policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "eks:ListClusters",
                "eks:DescribeAddonVersions",
                "eks:CreateCluster"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "eks:*",
            "Resource": [
                "arn:aws:eks:eu-central-1:123412341234:addon/my-cluster/*/*",
                "arn:aws:eks:eu-central-1:123412341234:fargateprofile/my-cluster/*/*",
                "arn:aws:eks:eu-central-1:123412341234:identityproviderconfig/my-cluster/*/*/*",
                "arn:aws:eks:eu-central-1:123412341234:nodegroup/my-cluster/*/*",
                "arn:aws:eks:eu-central-1:123412341234:cluster/my-cluster"
            ]
        }
    ]
}

Unfortunately, if a role with these permissions tries to create a cluster, this error message appears:

Error: error creating EKS Add-On (my-cluster:kube-proxy): AccessDeniedException: User: arn:aws:sts::123412341234:assumed-role/<role>/<iam-user> is not authorized to perform: eks:TagResource on resource: arn:aws:eks:eu-central-1:123412341234:/createaddon

I have to say that at least the error message gives you a hint: the /createaddon resource is not scoped to the cluster.

After fighting with different policies for a while, I asked DuckDuckGo for help, and indeed somebody reported this problem to AWS before, in this GitHub issue.

What the issue basically says is that if we want to give an IAM role permission to manage an add-on inside a cluster, we must give it permissions over all the EKS add-ons in our AWS account.

This of course breaks the AWS shared responsibility principle, ‘cause they don’t give us the tools to uphold our part of the deal. This is why it is a real and urgent issue, as they also mention in the ticket:

Can’t share a timeline in this forum, but it’s a high priority item.

And indeed it is so high priority that it was reported on 3 December 2020, and today, more than one year later, the issue is still there.

To add insult to injury, you have to write the right policy manually, because if you use the IAM interface to select “Any resource” for the add-ons, as in the screenshot below, it will generate the wrong policy! If you check carefully, the generated resource name is arn:aws:eks:eu-central-1:123412341234:addon/*/*/*, which of course doesn’t match the ARN expected by AWS EKS. Basically, even if you are far too permissive and use the tools that AWS provides, you still end up with a broken policy.

Screenshot: the IAM policy generator with “Any resource” selected for EKS add-ons.
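To see the AccessDeniedException before a runner hits it, the policy above can be evaluated offline against the calls an apply is going to make. The evaluator below is an added example for this post, not AWS code and not the author's: it reproduces only IAM's wildcard matching and Allow/Deny logic (no Condition blocks, no NotAction/NotResource, and case-sensitive resource ARNs are simplifications of this toy), uses the post's account, region and cluster name, and the add-on UUID in the expected-call list is a constructed placeholder.

```python
import json
import re
from typing import Iterable, List, Tuple

# The runner policy from the post, embedded here as sample input.
POLICY_JSON = """
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["eks:ListClusters", "eks:DescribeAddonVersions", "eks:CreateCluster"],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "eks:*",
            "Resource": [
                "arn:aws:eks:eu-central-1:123412341234:addon/my-cluster/*/*",
                "arn:aws:eks:eu-central-1:123412341234:fargateprofile/my-cluster/*/*",
                "arn:aws:eks:eu-central-1:123412341234:identityproviderconfig/my-cluster/*/*/*",
                "arn:aws:eks:eu-central-1:123412341234:nodegroup/my-cluster/*/*",
                "arn:aws:eks:eu-central-1:123412341234:cluster/my-cluster"
            ]
        }
    ]
}
"""

ACCOUNT = "arn:aws:eks:eu-central-1:123412341234"  # region and account from the post


def load_policy(text: str = POLICY_JSON) -> dict:
    return json.loads(text)


def _as_list(value) -> list:
    # IAM accepts either a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def _glob_match(pattern: str, value: str, ignore_case: bool) -> bool:
    """IAM wildcard semantics: '*' matches any run of characters (including '/'),
    '?' matches exactly one character, everything else is literal."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def resource_matches(pattern: str, arn: str) -> bool:
    # Resource ARNs are compared case-sensitively here (simplification of this toy).
    return _glob_match(pattern, arn, ignore_case=False)


def is_allowed(policy: dict, action: str, arn: str) -> bool:
    """Simplified identity-policy evaluation: an explicit Deny wins, any matching
    Allow grants, and the default is deny.  Condition, NotAction and NotResource
    are not modelled (assumption of this toy evaluator)."""
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(_glob_match(p, action, True) for p in _as_list(stmt.get("Action", [])))
        resource_hit = any(resource_matches(p, arn) for p in _as_list(stmt.get("Resource", [])))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def missing_grants(policy: dict, needed: Iterable[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return the (action, resource) pairs a runner will need that the policy does
    not allow, i.e. the AccessDeniedExceptions to expect before applying anything."""
    return [(a, r) for a, r in needed if not is_allowed(policy, a, r)]


# Calls the post's runner attempts when creating the cluster and the kube-proxy
# add-on, reconstructed from the error message; the add-on UUID is a constructed
# placeholder, not a real identifier.
NEEDED = [
    ("eks:CreateCluster", f"{ACCOUNT}:cluster/my-cluster"),
    ("eks:DescribeCluster", f"{ACCOUNT}:cluster/my-cluster"),
    ("eks:CreateAddon", f"{ACCOUNT}:addon/my-cluster/kube-proxy/00000000-0000-0000-0000-000000000000"),
    ("eks:TagResource", f"{ACCOUNT}:/createaddon"),  # the resource named in the post's error
]

if __name__ == "__main__":
    for action, arn in missing_grants(load_policy(), NEEDED):
        print(f"not authorized to perform: {action} on resource: {arn}")
```

Running it reports the same denial the post shows, eks:TagResource on the :/createaddon resource, and resource_matches also confirms that the console-generated addon/*/*/* pattern does not cover that resource either. For an authoritative answer, feed the candidate policy to the IAM policy simulator (aws iam simulate-custom-policy), which applies the real evaluation rules including Conditions.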

Do you have some horror story about IAM yourself? I have a lot of them, and I am thinking about a more general post. What do you think? Share your thoughts in the comments below, reach me on Twitter (@rpadovani93) or drop me an email at riccardo@rpadovani.com.

Ciao,
R.

on December 15, 2021 10:00 AM

December 14, 2021

How to disable internal keyboard/touchpad when a cat arrives

I’m using an external keyboard (1) and mouse (2), but the laptop lid is usually still open for better cooling. That means the internal keyboard (3) and touchpad (4) – made of comfortable materials – are open to be used by a cat searching for warmth (7), in the obvious “every time” case that a normal non-heated nest (6) is not enough.

The problem is, everything goes chaotic at that point in the default configuration. The solution is to have quick shortcuts in my Dash to Dock (8) to both disable (10) and enable (9) keyboard and touchpad at a very rapid pace.

It is to be noted that I’m not disabling the touch screen (5) by default, because most of the time the cat is not leaning on it. There is also the added benefit that if one forgets about the internal keyboard and touchpad being disabled and detaches the laptop from the USB-C monitor (11), there’s the possibility of using the touch screen and on-screen keyboard to type in the password and tap on the keyboard/touchpad enabling shortcut button again. If the touch screen were also disabled, the only way would be to go back to an external keyboard or reboot.

So here are the scripts. First, the disabling script (pardon my copy-paste use of certain string manipulation tools):

dconf write /org/gnome/desktop/peripherals/touchpad/send-events "'disabled'"
sudo killall evtest
sudo evtest --grab $(sudo libinput list-devices | grep -A 1 "AT Translated Set 2 keyboard" | tail -n 1 | sed 's/.*\/dev/\/dev/') &
sudo evtest --grab $(sudo libinput list-devices | grep -A 1 "Dell WMI" | tail -n 1 | sed 's/.*\/dev/\/dev/') &
sudo evtest --grab $(sudo libinput list-devices | grep -A 1 "Power" | grep Kernel | tail -n 1 | sed 's/.*\/dev/\/dev/') &
sudo evtest --grab $(sudo libinput list-devices | grep -A 1 "Power" | grep Kernel | head -n 1 | sed 's/.*\/dev/\/dev/') &
sudo evtest --grab $(sudo libinput list-devices | grep -A 1 "Sleep" | grep Kernel | tail -n 1 | sed 's/.*\/dev/\/dev/') &
sudo evtest --grab $(sudo libinput list-devices | grep -A 1 "HID" | grep Kernel | head -n 1 | sed 's/.*\/dev/\/dev/') &
sudo evtest --grab $(sudo libinput list-devices | grep -A 1 "HID" | tail -n 1 | sed 's/.*\/dev/\/dev/') &
#sudo evtest --grab $(sudo libinput list-devices | grep -A 1 "ELAN" | tail -n 1 | sed 's/.*\/dev/\/dev/') # Touch screen

And the associated ~/.local/share/applications/disable-internal-input.desktop:

[Desktop Entry]
Version=1.0
Name=Disable internal input
GenericName=Disable internal input
Exec=/bin/bash -c /home/timo/Asiakirjat/helpers/disable-internal-input.sh
Icon=yast-keyboard
Type=Application
Terminal=false
Categories=Utility;Development;

Here’s the enabling script:

dconf write /org/gnome/desktop/peripherals/touchpad/send-events "'enabled'"
sudo killall evtest

and the desktop file:

[Desktop Entry]
Version=1.0
Name=Enable internal input
GenericName=Enable internal input
Exec=/bin/bash -c /home/timo/Asiakirjat/helpers/enable-internal-input.sh
Icon=/home/timo/.local/share/icons/hicolor/scalable/apps/yast-keyboard-enable.png
Type=Application
Terminal=false
Categories=Utility;Development;

With these, if I sense a cat or am just proactive enough, I press Super+9. If I’m about to detach my laptop from the monitor, I press Super+8. If I forget the latter (usually this is the case) and haven’t yet locked the screen, I just tap the enabling icon on the touch screen.
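A more robust way to resolve the event nodes than the grep -A 1 | head/tail pipelines above, as an added example (not the author's script): parse the Device:/Kernel: pairs of libinput list-devices once, select devices by name, and refuse to include the external keyboard so the grab can never lock you out of the machine. The sample listing is constructed: the device names come from the post, while the event numbers, the Logitech receiver, and the INTERNAL_INPUT_NAMES/EXTERNAL_INPUT_NAMES lists are assumptions for this example.

```python
import re
import subprocess
from typing import Iterable, List, Tuple

# Constructed sample of `libinput list-devices` output.  Device names follow the
# post; event numbers and the external Logitech receiver are made up.
SAMPLE_OUTPUT = """\
Device:           Power Button
Kernel:           /dev/input/event0
Group:            1
Seat:             seat0, default
Capabilities:     keyboard

Device:           Sleep Button
Kernel:           /dev/input/event2
Group:            2
Seat:             seat0, default
Capabilities:     keyboard

Device:           Power Button
Kernel:           /dev/input/event1
Group:            3
Seat:             seat0, default
Capabilities:     keyboard

Device:           AT Translated Set 2 keyboard
Kernel:           /dev/input/event3
Group:            4
Seat:             seat0, default
Capabilities:     keyboard

Device:           Dell WMI hotkeys
Kernel:           /dev/input/event8
Group:            5
Seat:             seat0, default
Capabilities:     keyboard

Device:           ELAN Touchscreen
Kernel:           /dev/input/event9
Group:            6
Seat:             seat0, default
Capabilities:     touch

Device:           Logitech USB Receiver
Kernel:           /dev/input/event12
Group:            7
Seat:             seat0, default
Capabilities:     keyboard pointer
"""

_FIELD = re.compile(r"^(Device|Kernel):\s*(.*?)\s*$")


def parse_libinput_devices(text: str) -> List[Tuple[str, str]]:
    """Return (device name, /dev/input/eventN) pairs in listing order.  The Kernel:
    line is paired with the most recent Device: line, so the parser does not rely
    on the two lines being adjacent the way `grep -A 1` does."""
    devices, name = [], None
    for line in text.splitlines():
        m = _FIELD.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "Device":
            name = value
        elif key == "Kernel" and name is not None:
            devices.append((name, value))
            name = None
    return devices


def find_event_devices(text: str, pattern: str, exact: bool = False) -> List[str]:
    """All event nodes whose device name equals (exact) or contains the pattern."""
    return [path for name, path in parse_libinput_devices(text)
            if (name == pattern if exact else pattern in name)]


def plan_grab(text: str, include: Iterable[str], exclude: Iterable[str]) -> List[str]:
    """Event nodes to hand to `evtest --grab`: every device whose name contains an
    include pattern unless it also contains an exclude pattern.  The exclude list
    is the safety net: grabbing the external keyboard would lock you out."""
    include, exclude = list(include), list(exclude)
    return [path for name, path in parse_libinput_devices(text)
            if any(p in name for p in include) and not any(p in name for p in exclude)]


INTERNAL_INPUT_NAMES = ["AT Translated Set 2 keyboard", "Dell WMI", "Power", "Sleep"]
EXTERNAL_INPUT_NAMES = ["Logitech"]  # assumed name of the external keyboard/mouse receiver


def grab_commands(paths: Iterable[str]) -> List[List[str]]:
    # Same tool the post uses; one argv per device so nothing is shell-interpolated.
    return [["sudo", "evtest", "--grab", p] for p in paths]


if __name__ == "__main__":
    # On a real machine read the live listing (needs the same privileges as the post's script).
    live = subprocess.run(["sudo", "libinput", "list-devices"],
                          capture_output=True, text=True, check=True).stdout
    for cmd in grab_commands(plan_grab(live, INTERNAL_INPUT_NAMES, EXTERNAL_INPUT_NAMES)):
        print(" ".join(cmd))
```

The touch screen is left out of INTERNAL_INPUT_NAMES on purpose, matching the commented-out ELAN line in the post, so the recovery path through the on-screen keyboard stays available.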

on December 14, 2021 07:29 AM

December 06, 2021

On the road to AppStream 1.0, a lot of items from the long todo list have been done so far – only one major feature is remaining, external release descriptions, which is a tricky one to implement and specify. For AppStream 1.0 it needs to be present or be rejected though, as it would be a major change in how release data is handled in AppStream.

Besides 1.0 preparation work, the recent 0.15 release and the releases before it come with their very own large set of changes, that are worth a look and may be interesting for your application to support. But first, for a change that affects the implementation and not the XML format:

1. Completely rewritten caching code

Keeping all AppStream data in memory is expensive, especially if the data is huge (as on Debian and Ubuntu with their large repositories generated from desktop-entry files as well) and if processes using AppStream are long-running. The latter is more and more the case: not only does GNOME Software run in the background, but KDE uses AppStream in KRunner and Phosh will use it too for reading form factor information. Therefore, AppStream via libappstream provides an on-disk cache that is memory-mapped, so data only consumes RAM if we are actually doing anything with it.

Previously, AppStream used an LMDB-based cache in the background, with indices for fulltext search and other common search operations. This was a very fast solution, but also came with limitations: LMDB’s maximum key size of 511 bytes became a problem quite often, adjusting the maximum database size (since it has to be set at opening time) was annoyingly tricky, and building dedicated indices for each search operation was very inflexible. In addition to that, the caching code was changed multiple times in the past to allow system-wide metadata to be cached per-user, as some distributions didn’t (want to) build a system-wide cache and therefore ran into performance issues when XML was parsed repeatedly for generation of a temporary cache. In addition to all that, the cache was designed around the concept of “one cache for data from all sources”, which meant that we had to rebuild it entirely if just a small aspect changed, like a MetaInfo file being added to /usr/share/metainfo, which was very inefficient.

To shorten a long story, the old caching code was rewritten with the new concepts of caches not necessarily being system-wide and caches existing for more fine-grained groups of files in mind. The new caching code uses Richard Hughes’ excellent libxmlb internally for memory-mapped data storage. Unlike LMDB, libxmlb knows about the XML document model, so queries can be much more powerful and we do not need to build indices manually. The library is also already used by GNOME Software and fwupd for parsing of (refined) AppStream metadata, so it works quite well for that use case. As a result, search queries via libappstream are now a bit slower (very much depends on the query, roughly 20% on average), but can be much more powerful. The caching code is a lot more robust, which should speed up startup time of applications. And in addition to all of that, the AsPool class has gained a flag to allow it to monitor AppStream source data for changes and refresh the cache fully automatically and transparently in the background.

All software written against the previous version of the libappstream library should continue to work with the new caching code, but to make use of some of the new features, software using it may need adjustments. A lot of methods have been deprecated too now.

2. Experimental compose support

Compiling MetaInfo and other metadata into AppStream collection metadata, extracting icons, language information, refining data and caching media is an involved process. The appstream-generator tool does this very well for data from Linux distribution sources, but the tool is also pretty “heavyweight” with lots of knobs to adjust, an underlying database and a complex algorithm for icon extraction. Embedding it into other tools via anything else but its command-line API is also not easy (due to D’s GC initialization, and because it was never written with that feature in mind). Sometimes a simpler tool is all you need, so the libappstream-compose library as well as appstreamcli compose are being developed at the moment. The library contains building blocks for developing a tool like appstream-generator, while the cli tool allows you to simply extract metadata from any directory tree, which can be used by e.g. Flatpak. For this to work well, a lot of appstream-generator‘s D code is translated into plain C, so the implementation stays identical but the language changes.

Ultimately, the generator tool will use libappstream-compose for any general data refinement, and only implement things necessary to extract data from the archive of distributions. New applications (e.g. for new bundling systems and other purposes) can then use the same building blocks to implement new data generators similar to appstream-generator with ease, sharing much of the code that would be identical between implementations anyway.

2. Supporting user input controls

Want to advertise that your application supports touch input? Keyboard input? Has support for graphics tablets? Gamepads? Sure, nothing is easier than that with the new control relation item and supports relation kind (since 0.12.11 / 0.15.0, details):

<supports>
  <control>pointing</control>
  <control>keyboard</control>
  <control>touch</control>
  <control>tablet</control>
</supports>

3. Defining minimum display size requirements

Some applications are unusable below a certain window size, so you do not want to display them in a software center that is running on a device with a small screen, like a phone. In order to encode this information in a flexible way, AppStream now contains a display_length relation item to require or recommend a minimum (or maximum) display size that the described GUI application can work with. For example:

<requires>
  <display_length compare="ge">360</display_length>
</requires>

This will make the application require a display length greater than or equal to 300 logical pixels. A logical pixel (also device independent pixel) is the amount of pixels that the application can draw in one direction. Since screens, especially phone screens but also screens on a desktop, can be rotated, the display_length value will be checked against the longest edge of a display by default (by explicitly specifying the shorter edge, this can be changed).

This feature is available since 0.13.0, details. See also Tobias Bernard’s blog entry on this topic.

4. Tags

This is a feature that was originally requested for the LVFS/fwupd, but one of the great things about AppStream is that we can take very project-specific ideas and generalize them so something comes out of them that is useful for many. The new tags tag allows people to tag components with an arbitrary namespaced string. This can be useful for project-internal organization of applications, as well as to convey certain additional properties to a software center, e.g. an application could mark itself as “featured” in a specific software center only. Metadata generators may also add their own tags to components to improve organization. AppStream gives no recommendations as to how these tags are to be interpreted except for them being a strictly optional feature. So any meaning is something clients and metadata authors need to negotiate. It therefore is a more specialized usecase of the already existing custom tag, and I expect it to be primarily useful within larger organizations that produce a lot of software components that need sorting. For example:

<tags>
  <tag namespace="lvfs">vendor-2021q1</tag>
  <tag namespace="plasma">featured</tag>
</tags>

This feature is available since 0.15.0, details.
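To show how a software center consumes the control, display_length and tags items from sections 2, 3 and 4 above, here is an added example; it is not libappstream code and not the AppStream project's. It parses a constructed MetaInfo fragment with Python's standard xml.etree, checks display_length against the longest edge (the default behaviour described above; the shorter-edge variant is not implemented), lists supported controls and looks up namespaced tags. The metainfo snippet, the fallback of eq when compare is absent, and the hide/warn/list policy are this example's assumptions.

```python
import operator
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Constructed MetaInfo fragment using the relation items discussed above.
SAMPLE_METAINFO = """<?xml version="1.0" encoding="UTF-8"?>
<component type="desktop-application">
  <id>org.example.Viewer</id>
  <name>Example Viewer</name>
  <supports>
    <control>pointing</control>
    <control>keyboard</control>
    <control>touch</control>
  </supports>
  <requires>
    <display_length compare="ge">360</display_length>
  </requires>
  <recommends>
    <display_length compare="le">1920</display_length>
  </recommends>
  <tags>
    <tag namespace="lvfs">vendor-2021q1</tag>
    <tag namespace="plasma">featured</tag>
  </tags>
</component>
"""

_COMPARE = {"eq": operator.eq, "ne": operator.ne, "lt": operator.lt,
            "gt": operator.gt, "le": operator.le, "ge": operator.ge}


def parse_component(xml_text: str) -> ET.Element:
    # xml.etree does not resolve external entities, so untrusted metainfo is safe to parse here.
    return ET.fromstring(xml_text)


def longest_edge(width: int, height: int) -> int:
    # Checked against the longest edge so a rotated phone screen gives the same answer.
    return max(width, height)


def display_length_ok(component: ET.Element, relation: str, width: int, height: int) -> bool:
    """True when every display_length item under the given relation (requires,
    recommends, ...) holds for a screen of the given logical size.  A relation
    that is absent has nothing to check and passes."""
    edge = longest_edge(width, height)
    for item in component.iterfind(f"{relation}/display_length"):
        compare = item.get("compare", "eq")  # assumption: eq when the attribute is absent
        if compare not in _COMPARE:
            raise ValueError(f"unknown compare value: {compare}")
        if not _COMPARE[compare](edge, int(item.text.strip())):
            return False
    return True


def supported_controls(component: ET.Element) -> List[str]:
    return [c.text.strip() for c in component.iterfind("supports/control")]


def component_tags(component: ET.Element) -> List[Tuple[str, str]]:
    return [(t.get("namespace", ""), t.text.strip()) for t in component.iterfind("tags/tag")]


def has_tag(component: ET.Element, namespace: str, value: str) -> bool:
    # Tags carry no fixed meaning; a client only acts on namespaces it has agreed on.
    return (namespace, value) in component_tags(component)


def listing_decision(component: ET.Element, width: int, height: int) -> str:
    """Example client policy: a failed <requires> hides the app, a failed
    <recommends> lists it with a warning, otherwise it is listed normally."""
    if not display_length_ok(component, "requires", width, height):
        return "hide"
    if not display_length_ok(component, "recommends", width, height):
        return "warn"
    return "list"


if __name__ == "__main__":
    comp = parse_component(SAMPLE_METAINFO)
    for size in ((320, 240), (360, 720), (2560, 1440)):
        print(size, listing_decision(comp, *size), supported_controls(comp), component_tags(comp))
```

The supports/control list is deliberately not used to hide anything: it advertises what the application can make use of, so a phone software center would at most sort touch-capable applications first rather than filter the rest out.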

5. MetaInfo Creator changes

The MetaInfo Creator (source) tool is a very simple web application that provides you with a form to fill out and will then generate MetaInfo XML to add to your project after you have answered all of its questions. It is an easy way for developers to add the required metadata without having to read the specification or any guides at all.

Recently, I added support for the new control and display_length tags, resolved a few minor issues and also added a button to instantly copy the generated output to clipboard so people can paste it into their project. If you want to create a new MetaInfo file, this tool is the best way to do it!

The creator tool will also not transfer any data out of your web browser; it is strictly a client-side application.

And that is about it for the most notable changes in AppStream land! Of course there is a lot more, additional tags for the LVFS and content rating have been added, lots of bugs have been squashed, the documentation has been refined a lot and the library has gained a lot of new API to make building software centers easier. Still, there is a lot to do and quite a few open feature requests too. Onwards to 1.0!

on December 06, 2021 05:40 PM

December 05, 2021

All-remote workspace at home

Sujeevan Vijayakumaran

It’s been a little over 1.5 years since I joined GitLab as my first all-remote company. About half a year ago, I wrote about what I learned in one year at GitLab. In this blog post I will describe my setup and how I work, because I got several questions about it recently. I can also blame dnsmichi, who published a similar post about his setup ;-).

I can certainly recommend the page about “Considerations for a Productive Home Office or Remote Workspace” in the GitLab Handbook about All-Remote.

The Desk

Even long before I worked from home full time, I bought a standing desk. I own an IKEA Bekant, which only has an “up” and a “down” button, which is a bit annoying since I always have to hold the button when I want to move the desk up or down. Back in 2017 I’ve written a blog post about my experiences with it in German.

It’s also always good to have some sort of cable management hidden underneath the desktop. Otherwise, your legs will always touch the cables, and it will look ugly.

As part of the desk, I do have three (or should I say four?) arms mounted. One for my 32” 4K Samsung screen, one for my notebook stand, one for my microphone and an additional cheap “magic arm” for my Canon EOS 700D, which I use as a webcam.

The Screen

As mentioned above, I’m using a 32" Samsung 4K display. A lot of folks I know are using ultra-widescreen monitors, which I personally do not like that much because they most likely have a smaller resolution. I rather prefer to use a 4K screen without scaling so that I have more space available for my windows.

I used to have a 28" 4K screen, which was a bit small when you want to use it without (much) scaling. Moving forward I hope I will not need to scale it though. For now, my glasses are a good “bugfix” for my eyes, so I can work without scaling on the system side.

The Laptop and The Dockingstation

I used to have Thinkpads in the past, but I recently switched to Dell XPS. I have two Dell XPS 13. One for work (in white) and one private (in black).

While I personally prefer to run ArchLinux (btw I use Arch!) I’m running the latest Ubuntu LTS on my work laptop.

The laptop is connected to a CalDigit TS3-Plus, which is my docking station. This was one of the few docking stations which supported 4K@60Hz back when I bought it. I would prefer a docking station with more USB ports. Right now I have another USB hub (hidden under the desktop) because the ports provided by most of the docking stations out there are not really enough for me.

Audio and Video

As already mentioned above, I use my Canon EOS 700D as my webcam. I’ll mostly use an 18-55mm lens. The camera is connected to an elgato Cam Link 4k. The biggest downside of this setup currently is that the format is not perfect, as the HDMI-output has two black bars on the left and right side of the video.

I try to keep my background as boring as possible, that’s why all of you will mostly only see my yellow wall behind me.

As a microphone, I use an M-Audio Uber-Mic. It’s being used in meetings and also for my (German) podcast TILpod which I record remotely with Dirk Deimeke. For listening in meetings and also for videos/music, I’m using my Sony WH-1000X3.

Lighting

I do not have a perfect lighting solution yet. I do have a small desk light which is okay for the desk itself but not for video calls. The main light in my office is an IKEA Floalt which can be dimmed.

What else is on the desk?

  • Stream Deck, mostly for changing audio settings
  • a mechanical keyboard (HyperX with brown Cherry MX switches)
  • a boring Logitech mouse
  • a big mouse pad
  • a wrist rest pad
  • some old Logitech speaker
  • a Brother printer/scanner
  • a YubiKey 5 NFC
  • a few (water) bottles

What do I use for on the go?

I didn’t really travel that much for obvious reasons. However, I do have these items as well:

  • a no-name 8-in-1 Hub with multiple USB-Ports, HDMI, microSD and SD and USB-C Power Delivery.
  • a cheap no-name clip-on microphone, because laptop-internal microphones are mostly crappy anyway
  • a LAN cable just in case
  • a USB-C cable
  • my Sony WH-1000X3

on December 05, 2021 03:10 PM

December 01, 2021

Here’s my (twenty-sixth) monthly but brief update about the activities I’ve done in the F/L/OSS world.

Debian

This was my 35th month of actively contributing to Debian. I became a DM in late March 2019 and a DD on Christmas ‘19! \o/

Just churning through the backlog again this month. Ugh.

Anyway, I did the following stuff in Debian:

Uploads and bug fixes:

  • rails (2:6.1.4.1+dfsg-3) - No-change rebuild for unstable.

Other $things:

  • Mentoring for newcomers.
  • Moderation of -project mailing list.

Ubuntu

This was my 10th month of actively contributing to Ubuntu. Now that I’ve joined Canonical to work on Ubuntu full-time, there’s a bunch of things I do! \o/

I mostly worked on different things, I guess.

I was too lazy to maintain a list of things I worked on so there’s no concrete list atm. Maybe I’ll get back to this section later or will start to list stuff from next year onward, as I was doing before. :D


Debian (E)LTS

Debian Long Term Support (LTS) is a project to extend the lifetime of all Debian stable releases to (at least) 5 years. Debian LTS is not handled by the Debian security team, but by a separate group of volunteers and companies interested in making it a success.

And Debian Extended LTS (ELTS) is its sister project, extending support to the Jessie release (+2 years after LTS support).

This was my twenty-sixth month as a Debian LTS and seventeenth month as a Debian ELTS paid contributor.
I was assigned 30.00 hours for LTS and 45.00 hours for ELTS and worked on the following things:

LTS CVE Fixes and Announcements:

  • Issued DLA 2813-1, fixing CVE-2021-33829 and CVE-2021-37695, for ckeditor.
    For Debian 9 stretch, these problems have been fixed in version 4.5.7+dfsg-2+deb9u1.
  • Issued DLA 2817-1, fixing CVE-2021-23214 and CVE-2021-23222, for postgresql-9.6.
    For Debian 9 stretch, these problems have been fixed in version 9.6.24-0+deb9u1.
  • Issued DLA 2836-1, fixing CVE-2021-43527, for nss.
    For Debian 9 stretch, these problems have been fixed in version 2:3.26.2-1.1+deb9u3.
  • Started working on src:samba for CVE-2020-25717 to CVE-2020-25722 and CVE-2021-23192 for jessie and stretch, both.
    The version difference b/w the suites is a bit too much for the patch(es) to be easily backported. I’ve talked to Anton to work something out. \o/
  • Found the problem w/ libjdom1-java. Will have to roll the regression upload.
    I’ve prepared the patch, but it needs some testing to be finally rolled out. Same for jessie.
  • Started working on libgit2.

ELTS CVE Fixes and Announcements:

Other (E)LTS Work:

  • Front-desk duty from 29-11 to 05-12 for both LTS and ELTS.
  • Triaged udisk2, wordpress, samba, gmp, nss, ntfs-3g, and openssh.
  • Auto EOL’ed dwarfutils, radare2, mongodb, linux for jessie.
  • As FD, did a deep dive into the no-pu-update issue. Will write to list shortly.
  • Attended monthly Debian LTS meeting.
  • Answered questions (& discussions) on IRC (#debian-lts and #debian-elts).
  • General and other discussions on LTS private and public mailing list.

Debian LTS Survey

I’ve spent 3 hours on the LTS survey on the following bits:

  • Talking to Laura to revive the old a/c on survey.d.net.
  • Setting up stuff there.
  • Discussing the survey questions and other bits w/ Jeremiah.
  • Partly reviewing the questions of the survey.
  • Doing a walkthrough of the LimeSurvey instance we have to make sure there are no “changes”.

Until next time.
:wq for today.

on December 01, 2021 05:41 AM

November 24, 2021

Designing Secure Software (Amazon, No Starch Press) by Loren Kohnfelder is one of the latest entries in No Starch Press’s line of security books. This book stands out to me for two big reasons. First, this is one of the most mindset-centric books I’ve seen (which means it is likely to age better than a lot of more technically-specific books). Second, this book caters to developers more than security professionals (but don’t take this to mean it’s only for developers), which is definitely a distinguishing feature from so many other security books.

Note: I was provided an early access copy of Designing Secure Software by the publisher for review, but they had no editorial input. All of the opinions in this review are my own.

The writing in this book is very clear and easy reading, and the examples used are both captivating and easy to understand. Kohnfelder does a great job of making a point that is easy to understand, and most of the chapters could stand alone for developers just working in that one particular area.

Security is something that has to be baked into the software development life cycle, so informing and educating developers is a key element of this. This book is a great resource for this and shows how vulnerabilities can creep in during both the design and implementation phases of the SDLC. There are examples written in C and Python to help developers understand.

One of the best points made in this book is that security is a spectrum and that we have to trust something, whether that’s a compiler, an operating system vendor, a cloud provider, or dependencies in your software’s build process. Sometimes people who find out a little bit about security become security absolutists, looking for 100% guarantees, and while I recognize and understand the instinct, the real world doesn’t work that way, and this book helps software developers to understand and evaluate that.

Overall, this book is a worthwhile read for both software developers and security engineers working in the application security space. It distinguishes itself by focusing on concepts rather than being a checklist of individual items to focus on.

on November 24, 2021 08:00 AM

November 22, 2021

Be careful when using vxlan!

Paul Tagliamonte

I’ve spent a bit of time playing with vxlan - which is very neat, but also incredibly insecure by default.

When using vxlan, be very careful to understand how the host is connected to the internet. The kernel will listen on all interfaces for packets, which means hosts accessible to VMs it’s hosting (e.g., by bridged interface or a private LAN) will accept packets from VMs and inject them into arbitrary VLANs, even ones it’s not on.

I reported this, with more technical details, to the kernel mailing list, but got no reply.

The tl;dr is:

  $ ip link add vevx0a type veth peer name vevx0z
  $ ip addr add 169.254.0.2/31 dev vevx0a
  $ ip addr add 169.254.0.3/31 dev vevx0z
  $ ip link add vxlan0 type vxlan id 42 \
    local 169.254.0.2 dev vevx0a dstport 4789
  $ # Note the above 'dev' and 'local' ip are set here
  $ ip addr add 10.10.10.1/24 dev vxlan0

results in vxlan0 listening on all interfaces, not just vevx0z or vevx0a. To prove it to myself, I spun up a docker container (using a completely different network bridge – with no connection to any of the interfaces above), and ran a Go program to send VXLAN UDP packets to my bridge host:

$ docker run -it --rm -v $(pwd):/mnt debian:unstable /mnt/spam 172.17.0.1:4789
$

which results in packets getting injected into my vxlan interface

$ sudo tcpdump -e -i vxlan0
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on vxlan0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
21:30:15.746754 de:ad:be:ef:00:01 (oui Unknown) > Broadcast, ethertype IPv4 (0x0800), length 64: truncated-ip - 27706 bytes missing! 33.0.0.0 > localhost: ip-proto-114
21:30:15.746773 de:ad:be:ef:00:01 (oui Unknown) > Broadcast, ethertype IPv4 (0x0800), length 64: truncated-ip - 27706 bytes missing! 33.0.0.0 > localhost: ip-proto-114
21:30:15.746787 de:ad:be:ef:00:01 (oui Unknown) > Broadcast, ethertype IPv4 (0x0800), length 64: truncated-ip - 27706 bytes missing! 33.0.0.0 > localhost: ip-proto-114
21:30:15.746801 de:ad:be:ef:00:01 (oui Unknown) > Broadcast, ethertype IPv4 (0x0800), length 64: truncated-ip - 27706 bytes missing! 33.0.0.0 > localhost: ip-proto-114
21:30:15.746815 de:ad:be:ef:00:01 (oui Unknown) > Broadcast, ethertype IPv4 (0x0800), length 64: truncated-ip - 27706 bytes missing! 33.0.0.0 > localhost: ip-proto-114
21:30:15.746827 de:ad:be:ef:00:01 (oui Unknown) > Broadcast, ethertype IPv4 (0x0800), length 64: truncated-ip - 27706 bytes missing! 33.0.0.0 > localhost: ip-proto-114
21:30:15.746870 de:ad:be:ef:00:01 (oui Unknown) > Broadcast, ethertype IPv4 (0x0800), length 64: truncated-ip - 27706 bytes missing! 33.0.0.0 > localhost: ip-proto-114
21:30:15.746885 de:ad:be:ef:00:01 (oui Unknown) > Broadcast, ethertype IPv4 (0x0800), length 64: truncated-ip - 27706 bytes missing! 33.0.0.0 > localhost: ip-proto-114
21:30:15.746899 de:ad:be:ef:00:01 (oui Unknown) > Broadcast, ethertype IPv4 (0x0800), length 64: truncated-ip - 27706 bytes missing! 33.0.0.0 > localhost: ip-proto-114
21:30:15.746913 de:ad:be:ef:00:01 (oui Unknown) > Broadcast, ethertype IPv4 (0x0800), length 64: truncated-ip - 27706 bytes missing! 33.0.0.0 > localhost: ip-proto-114
10 packets captured
10 packets received by filter
0 packets dropped by kernel

(the program in question is the following:)

  package main

  import (
      "net"
      "os"

      "github.com/mdlayher/ethernet"
      "github.com/mdlayher/vxlan"
  )

  func main() {
      // Plain UDP socket to the target host's VXLAN port, e.g. 172.17.0.1:4789.
      conn, err := net.Dial("udp", os.Args[1])
      if err != nil {
          panic(err)
      }
      for i := 0; i < 10; i++ {
          // VNI 42 matches the vxlan0 device created above; the inner frame is a
          // broadcast Ethernet frame with an IPv4 ethertype and a junk payload.
          vxf := &vxlan.Frame{
              VNI: vxlan.VNI(42),
              Ethernet: &ethernet.Frame{
                  Source:      net.HardwareAddr{0xDE, 0xAD, 0xBE, 0xEF, 0x00, 0x01},
                  Destination: net.HardwareAddr{0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF},
                  EtherType:   ethernet.EtherTypeIPv4,
                  Payload:     []byte("Hello, World!"),
              },
          }
          frb, err := vxf.MarshalBinary()
          if err != nil {
              panic(err)
          }
          if _, err := conn.Write(frb); err != nil {
              panic(err)
          }
      }
  }

When using vxlan, be absolutely sure all hosts that can address any interface on the host are authorized to send arbitrary packets into any VLAN that box can send to, or that there are very careful and specific controls and firewalling. Note this includes public interfaces (e.g., dual-homed private network / internet boxes), or any type of dual-homing (VPNs, etc).
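As an added example, not part of the post or of the mdlayher libraries it uses: a minimal VXLAN (RFC 7348) encoder and decoder in Python that reconstructs the datagram the Go program above sends and shows what an endpoint actually has available to make an accept decision. The header is eight bytes of flags, a 24-bit VNI and reserved fields, with no authentication of any kind, so the only filter possible at the endpoint is on the outer source address and the VNI, and the kernel applies neither. The peer allow-list addresses passed to should_accept are assumptions for the illustration.

```python
"""Added example (not from the post): build and parse raw VXLAN datagrams to show
what the kernel's wide-open UDP/4789 listener is accepting. RFC 7348 defines an
8-byte header with no authentication, so a receiver can only filter on the VNI
and the outer source address; everything else is trusted on arrival."""
import struct

VXLAN_PORT = 4789          # IANA-assigned port, the dstport used in the post
FLAG_VNI_VALID = 0x08      # the "I" bit: the VNI field is meaningful
BROADCAST = bytes.fromhex("ffffffffffff")
ETHERTYPE_IPV4 = 0x0800


def ethernet_frame(dst, src, ethertype, payload):
    """Inner Ethernet frame: dst(6) src(6) type(2) payload."""
    return dst + src + struct.pack("!H", ethertype) + payload


def build_vxlan(vni, inner_frame):
    """Return the VXLAN header (flags, reserved, VNI, reserved) plus the inner frame."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    # word 0: flags(8) | reserved(24); word 1: vni(24) | reserved(8)
    header = struct.pack("!II", FLAG_VNI_VALID << 24, vni << 8)
    return header + inner_frame


def parse_vxlan(datagram):
    """Return (vni, inner_frame) or raise ValueError if the header is malformed."""
    if len(datagram) < 8:
        raise ValueError("short VXLAN header")
    word0, word1 = struct.unpack("!II", datagram[:8])
    if not (word0 >> 24) & FLAG_VNI_VALID:
        raise ValueError("VNI-valid flag not set")
    return word1 >> 8, datagram[8:]


def should_accept(outer_src_ip, vni, allowed_peers, allowed_vnis):
    """The only checks a VXLAN endpoint can make without an authenticated underlay
    (IPsec, WireGuard, or a firewall restricting UDP/4789 to the intended peers).
    The kernel's vxlan device applies neither of these for you."""
    return outer_src_ip in allowed_peers and vni in allowed_vnis


def injected_frame():
    """Reproduce the frame the post's Go program sends: VNI 42, broadcast
    destination, IPv4 ethertype, junk payload. Constructed here for illustration."""
    inner = ethernet_frame(BROADCAST, bytes.fromhex("deadbeef0001"),
                           ETHERTYPE_IPV4, b"Hello, World!")
    return build_vxlan(42, inner)


if __name__ == "__main__":
    datagram = injected_frame()
    vni, inner = parse_vxlan(datagram)
    print(f"{len(datagram)} bytes on UDP/{VXLAN_PORT}, VNI {vni}, inner {inner.hex()}")
    # A docker bridge address (assumed) sending VNI 42 passes the kernel's checks
    # (there are none) but fails a peer allow-list; the veth peer from the post passes.
    print(should_accept("172.17.0.2", vni, {"169.254.0.3"}, {42}))   # False
    print(should_accept("169.254.0.3", vni, {"169.254.0.3"}, {42}))  # True
```

Decoding the inner payload also explains the tcpdump output above: tcpdump reads "Hello, World!" as an IPv4 header, and the byte for "r" (0x72, decimal 114) lands in the protocol field, hence ip-proto-114. In practice the filter has to live in the firewall rather than in a program: drop UDP/4789 on every interface other than the underlay (for the setup above, an nftables or iptables rule that only allows udp dport 4789 on vevx0a, interface name taken from the post), or carry the VXLAN traffic inside IPsec or WireGuard so the outer source address is actually authenticated.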

on November 22, 2021 02:39 AM

November 21, 2021

APT Z3 Solver Basics

Julian Andres Klode

Z3 is a theorem prover developed at Microsoft Research and available as a dynamically linked C++ library in Debian-based distributions. While the library is a whopping 16 MB, and the solver is a tad slow, its permissive licensing and the number of tactics offered give it huge potential for use in solving dependencies in a wide variety of applications.

Z3 does not need normalized formulas, but offers higher level abstractions like atmost and atleast and implies, that we will make use of together with boolean variables to translate the dependency problem to a form Z3 understands.

In this post, we’ll see how we can apply Z3 to the dependency resolution in APT. We’ll only discuss the basics here, a future post will explore optimization criteria and recommends.

Translating the universe

APT’s package universe consists of 3 relevant things: packages (the tuple of name and architecture), versions (basically a .deb), and dependencies between versions.

While we could translate our entire universe to Z3 problems, we instead will construct a root set from packages that were manually installed and versions marked for installation, and then build the transitive root set from it by translating all versions reachable from the root set.

For each package P in the transitive root set, we create a boolean literal P. We then translate each version P1, P2, and so on. Translating a version means building a boolean literal for it, e.g. P1, and then translating the dependencies as shown below.

We now need to create two more clauses to satisfy the basic requirements for debs:

  1. If a version is installed, the package is installed; and vice versa. We can encode this requirement for P above as P == atleast({P1,P2}, 1).
  2. There can only be one version installed. We add an additional constraint of the form atmost({P1,P2}, 1).

We also encode the requirements of the operation.

  1. For each package P that is manually installed, add a constraint P.
  2. For each version V that is marked for install, add a constraint V.
  3. For each package P that is marked for removal, add a constraint !P.

Dependencies

Packages in APT have dependencies of two basic forms: Depends and Conflicts, as well as variations like Breaks (identical to Conflicts in solving terms), and Recommends (soft Depends) - we’ll ignore those for now. We’ll discuss Conflicts in the next section.

Let’s take a basic dependency list: A Depends: X|Y, Z. To represent that dependency, we expand each name to a list of versions that can satisfy the dependency, for example X1|X2|Y1, Z1.

Translating this dependency list to our Z3 solver, we create boolean variables X1,X2,Y1,Z1 and define two rules:

  1. A implies atleast({X1,X2,Y1}, 1)
  2. A implies atleast({Z1}, 1)

If there actually was nothing that satisfied the Z requirement, we’d have added a rule not A. It would be possible to simply not tell Z3 about the version at all as an optimization, but that adds more complexity, and the not A constraint should not cause too many problems.

Conflicts

Conflicts cannot have or in them. A dependency B Conflicts: X, Y means that B cannot be installed together with X, nor together with Y. We can encode this in Z3 with a single constraint atmost({B,X,Y}, 1) rather than the pairwise clauses !B or !X and !B or !Y; the pairwise encoding usually leads to worse performance as it introduces additional clauses. Be aware that atmost({B,X,Y}, 1) is stricter than the pairwise form: it also forbids installing X and Y together, which the Conflicts field by itself does not rule out.

Complete example

Let’s assume we start with an empty install and want to install the package a below.

Package: a
Version: 1
Depends: c | b

Package: b
Version: 1

Package: b
Version: 2
Conflicts: x

Package: d
Version: 1

Package: x
Version: 1

The translation in Z3 rules looks like this:

  1. Package rules for a:
    1. a == atleast({a1}, 1) - package is installed iff one version is
    2. atmost({a1}, 1) - only one version may be installed
    3. a – a must be installed
  2. Dependency rules for a
    1. implies(a1, atleast({b2, b1}, 1)) – the translated dependency above. note that c is gone, it’s not reachable.
  3. Package rules for b:
    1. b == atleast({b1,b2}, 1) - package is installed iff one version is
    2. atmost({b1, b2}, 1) - only one version may be installed
  4. Dependencies for b (= 2):
    1. atmost({b2, x1}, 1) - the conflicts between x and b = 2 above
  5. Package rules for x:
    1. x == atleast({x1}, 1) - package is installed iff one version is
    2. atmost({x1}, 1) - only one version may be installed

The package d is not translated, as it is not reachable from the root set {a1}, the transitive root set is {a1,b1,b2,x1}.
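As an added example, not code from the post or from APT: the translation of the complete example above, and the Depends expansion described in the Dependencies section, written out in Python with atleast, atmost and implies as plain functions over an assignment, and every model enumerated by brute force in place of the solver. With the z3 Python bindings the same clause list maps one-to-one onto Bool, AtLeast, AtMost and Implies; z3 is deliberately not imported so the block runs offline.

```python
"""Added example: the translation from the 'Complete example' section written out
as plain boolean constraints, with every model enumerated by brute force.
With the z3 Python bindings the same clauses map one-to-one onto Bool,
AtLeast, AtMost and Implies; z3 is not imported here so the block runs offline."""
from itertools import product

# One literal per package (a, b, x) and per version (a1, b1, b2, x1).
# Package d is not reachable from the root set {a1} and is never translated;
# c is named in a's Depends but does not exist, so it drops out of the or-group.
LITERALS = ("a", "a1", "b", "b1", "b2", "x", "x1")


def atleast(model, lits, k):
    """Z3 AtLeast: at least k of the given literals are true."""
    return sum(model[l] for l in lits) >= k


def atmost(model, lits, k):
    """Z3 AtMost: at most k of the given literals are true."""
    return sum(model[l] for l in lits) <= k


def implies(p, q):
    """Z3 Implies: p -> q."""
    return (not p) or q


def satisfied(m):
    """Evaluate every clause from the post on assignment m."""
    return all([
        # 1. package rules for a, plus the operation 'install a'
        m["a"] == atleast(m, ["a1"], 1),
        atmost(m, ["a1"], 1),
        m["a"],
        # 2. a (= 1) Depends: c | b, expanded to the versions b1 | b2
        implies(m["a1"], atleast(m, ["b1", "b2"], 1)),
        # 3. package rules for b
        m["b"] == atleast(m, ["b1", "b2"], 1),
        atmost(m, ["b1", "b2"], 1),
        # 4. b (= 2) Conflicts: x
        atmost(m, ["b2", "x1"], 1),
        # 5. package rules for x
        m["x"] == atleast(m, ["x1"], 1),
        atmost(m, ["x1"], 1),
    ])


def models():
    """Return every satisfying assignment as a frozenset of the true literals.
    Z3 hands back a single model; enumerating all of them shows what the
    optimization pass in the next post has to choose between."""
    found = []
    for bits in product((False, True), repeat=len(LITERALS)):
        m = dict(zip(LITERALS, bits))
        if satisfied(m):
            found.append(frozenset(l for l in LITERALS if m[l]))
    return found


if __name__ == "__main__":
    for sol in sorted(models(), key=sorted):
        print(sorted(sol))
```

Three models satisfy the rules: a1 with b1, a1 with b1 and x1, and a1 with b2 (x1 excluded by the conflict). All of them are valid installs of a; which one APT should prefer, for instance the one touching the fewest packages, is exactly the optimization question the next iteration takes up.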

Next iteration: Optimization

We have now constructed the basic set of rules that allows us to solve our dependency problems (this is equivalent to SAT), however it might lead to suboptimal solutions where it removes automatically installed packages, or installs more packages than necessary, to name a few examples.

In our next iteration, we have to look at introducing optimization; for example, have the minimum number of removals, the minimal number of changed packages, or satisfy as many recommends as possible. We will also look at the upgrade problem (upgrade as many packages as possible) and the autoremove problem (remove as many automatically installed packages as possible).

on November 21, 2021 07:49 PM

November 09, 2021

Should online communities require people to create accounts before participating?

This question has been a source of disagreement among people who start or manage online communities for decades. Requiring accounts makes some sense since users contributing without accounts are a common source of vandalism, harassment, and low quality content. In theory, creating an account can deter these kinds of attacks while still making it pretty quick and easy for newcomers to join. Also, an account requirement seems unlikely to affect contributors who already have accounts and are typically the source of most valuable contributions. Creating accounts might even help community members build deeper relationships and commitments to the group in ways that lead them to stick around longer and contribute more.

In a new paper published in Communication Research, I worked with Aaron Shaw to provide an answer. We analyze data from “natural experiments” that occurred when 136 wikis on Fandom.com started requiring user accounts. Although we find strong evidence that the account requirements deterred low quality contributions, this came at a substantial (and usually hidden) cost: a much larger decrease in high quality contributions. Surprisingly, the cost includes “lost” contributions from community members who had accounts already, but whose activity appears to have been catalyzed by the (often low quality) contributions from those without accounts.


A version of this post was first posted on the Community Data Science blog.

The full citation for the paper is: Hill, Benjamin Mako, and Aaron Shaw. 2020. “The Hidden Costs of Requiring Accounts: Quasi-Experimental Evidence from Peer Production.” Communication Research, 48 (6): 771–95. https://doi.org/10.1177/0093650220910345.

If you do not have access to the paywalled journal, please check out this pre-print or get in touch with us. We have also released replication materials for the paper, including all the data and code used to conduct the analysis and compile the paper itself.

on November 09, 2021 07:55 PM

The OpenUK awards recognise and celebrate the best in open tech in the UK over the last year. We have a bunch of awards this year and the shortlists are up. I’ve clerked the judges into tracking down the gossip on all the shortlisted nominees and we do have final winners which will be announced at the ceremony on Thursday evening.

The ceremony is at COP26 in Glasgow, Scotland. This is the UN conference to try to get international agreement on mitigating the worst effects of the climate crisis. We’ll be one of the last events there.

I’ll be making announcement about KDE’s sustainability effort in front of the politicians and tech audience which I’m very excited about.

You can sign up to watch the day event on sustainability in tech. The evening award ceremony will have its video published shortly after the event.

Who is nominated, I hear you ask?

OpenUK Awards Shortlist 2021

Belonging – sponsored by Osmii

Pride at SUSE – Rob Knight – executive lead and ambassador for “Pride at SUSE”

Red Hat B.U.I.L.D UK&I – Ally Kouao – who set up the UK and Ireland chapter of Red Hat’s Blacks United in Leadership and Diversity (B.U.I.L.D.)

Endless Compute – Endless’ commitment to open source and an inclusive community goes beyond their own work sharing their OS to promote digital inclusion, to sponsoring the creation of the GNOME Community Engagement Awards, promoting bringing people into open source.

Data: 

Open Knowledge Foundation – a global, non-profit network that promotes and shares information at no charge, including both content and data

Viæ Regiæ project – Viæ Regiæ project aims to extract data on early modern transport networks from historic maps and documents in Britain

Code the City – is dedicated to the use of tech and data for civic good

Hardware – sponsored by The Stack

Lime Micro – Lime Micro specialises in field programmable RF (FPRF) transceivers, SDR platforms and ecosystem technology for the next generation of wireless broadband systems.

Gatecat – developer of nextpnr, the open source FPGA place and route tool

DevTank, HILTOP – Tim Telford – Devtank are an open source test and measurement business dedicated to supplying high quality solutions to businesses across many sectors including space, aerospace, telecoms, defence and green energy

Finance – sponsored by FINOS

Starling Bank – Starling Bank has built its business on open source software

Wise – open source technologies: MariaDB, Envoy and Orchestrator

Software – sponsored by GitLab

Royal College of Paediatrics and Child Health – Their Child Health Digital Growth API wraps all the complexity of child growth in a simple REST API

The Herald Proximity Project – creates an open source and privacy focused Proximity Measurement and Digital Contact Tracing solution

Open Health Hub – runs an open forum, which provides the only completely independent, open internet-facing, and free place to discuss health technology in the UK’s four NHSes

Sustainability – sponsored by Centre for Net Zero

Turing Institute – The Turing Way – The Turing Way is an open-source project that involves and supports its diverse community to make data science reproducible, ethical, collaborative and inclusive for everyone.

Icebreaker One – an independent, non-partisan non-profit with global reach, which aims to influence investment decisions of $3.6T/year to deliver net-zero by 2030

DevTank, Open Smart Monitor – Tim Telford – an open source test and measurement business

Individual – sponsored by Open Source Connections 

Catherine Stihler – Chief Executive Officer of the Open Knowledge Foundation

Kevin Mayfield – an integral part of the Open Health Hub

Cheryl Hung – VP ecosystem at the Cloud Native Foundation

Young Person (under 25) – sponsored by JetStack

Lowena Hull – Lowena has been volunteering and speaking at events to promote girls in technology

Samuel Van Stroud – Turing Data Stories has the goal of developing an open-source platform that enhances the understanding of the world around us through

Paul Ogbonoko Owoicho – PhD candidate who researches Mixed-Initiative interaction for Conversational Search System

See you there!

on November 09, 2021 06:40 PM

November 05, 2021

Bug Bounty Bootcamp (Amazon, No Starch Press) by Vickie Li is one of No Starch Press’s newest offerings in the security space. The alliterative title is also the best three-word summary I could possibly offer of the book – it is clearly focused on getting the reader into a position to participate in Bug Bounties from the first page to the last. This differentiates this book well against other web security books, despite covering many of the same vulnerabilities.

Note: I was provided an early access copy of Bug Bounty Bootcamp by the publisher for review, but they had no editorial input. All of the opinions in this review are my own.

The first couple of chapters provide an introduction to the Bug Bounty space, helping the reader to understand the role of bounties in the overall security program of a company, selecting a bounty to participate in, and how the programs are managed in different situations. It also does a fairly good job of setting expectations for new bounty participants, but I think it might be a little bit on the optimistic side for some that are newer to the space.

The second part of the book covers some foundational knowledge and tooling setup, as well as performing reconnaissance on the target environment. The recon section feels a little light because there are so many situational approaches out there, but for a beginner, it will be a good start. As one gets more experienced, you will need to recognize that there are a lot of other sources of information and incorporating them into your methodology will improve your coverage. (And hopefully also your findings.)

In the third part, Vickie describes a wide range of vulnerability types that may be found in common web applications. Obviously, it is not possible to cover every vulnerability and edge case, but the vulnerabilities described cover the vast majority of findings that I have found or seen reported in web applications. Sixteen chapters cover a wide variety of vulnerability classes – so many that it may feel overwhelming to newcomers, so I’d suggest picking a subset of classes to start testing for at first. This will give you time to get comfortable with the process and tooling for testing.

Chapter 17, which covers logic errors and broken access control, in particular, is one that I think all web developers should read. (In addition, of course, to bug bounty hunters.) These bugs are pervasive and essentially impossible for better frameworks, web application firewalls, or automated tooling to mitigate because they require an understanding of the underlying business logic in addition to the technical understanding of vulnerability classes.

The fourth, and final, part of this book collects what Vickie refers to as “Expert Techniques”. While they are an extension of other techniques to cover more surface, I think these can be applied even by those with less experience in the field. In particular, covering APIs and Android apps is a rather natural extension of web security, as most of these are just HTTP APIs with a nice facade on them. Fuzzing is a bit more advanced and further afield, but she provides a nice introduction to it in the final chapter of the book. These chapters do have a bit of a “supplemental” feel to them, and those brand new to security may wish to return to them after gaining some experience with the other vulnerabilities covered and the tooling involved.

I do recommend that more individuals looking to have success in bug bounty programs consider understanding APIs and mobile applications, as these attack surfaces seem to be far less covered, leading to more opportunities to be the first discoverer of a bug. It’s very nice to see that these are covered here, as bug bounty coverage is often “web only”.

This book does bear some similarities to No Starch’s own Real-World Bug Hunting, but it also stands its own ground. Real-World Bug Hunting focuses almost entirely just on the vulnerability classes, while Bug Bounty Bootcamp has a lot more content about automating reconnaissance, integrating a lifecycle for ongoing testing of the same properties, and supplementing your tooling with your own scripting and development. If you have the time, I can handily recommend reading both of these resources. If you’re only going to read one, and your predominant interest is success in Bug Bounties, I think Bug Bounty Bootcamp will do a better job of preparing you for that.

Readers who are interested in full-time roles doing security assessment as opposed to just bug bounties – such as penetration testers or application security engineers – may still find this book useful, but will want to supplement their approach with more traditional resources. A good complement might be The Web Application Hacker’s Handbook. This is not a negative of the book (as it never claimed to be anything beyond the bug bounty space) but is still something for readers to be aware of depending on their personal goals and roles.

Bug Bounty Bootcamp is a great resource for those who want to participate in Bug Bounties because it not only teaches you about the technical aspects, but helps you develop a methodology and sustain your testing. Some technology knowledge is assumed, but it does a solid job of describing the relevant vulnerability types from first principles, so it can be a strong resource for those new to the security space. The writing style is clear and to the point.

on November 05, 2021 07:00 AM

November 03, 2021

Ever considered doing research about online communities, free culture/software, and peer production full time? It’s PhD admission season and my research group—the Community Data Science Collective—is doing an open-to-anyone Q&A about PhD admissions this Friday November 5th. We’ve got room in the session and it’s not too late to sign up to join us!

The session will be a good opportunity to hear from and talk to faculty recruiting students to our various programs at the University of Washington, Purdue, and Northwestern and to talk with current and previous students in the group.

I am hoping to admit at least one new PhD advisee to the Department of Communication at UW this year (maybe more) and am currently co-advising (and/or have previously co-advised) students in UW’s Allen School of Computer Science & Engineering, Department of Human-Centered Design & Engineering, and Information School.

One thing to keep in mind is that my primary/home department—Communication—has a deadline for PhD applications of November 15th this year.

The registration deadline for the Q&A session is listed as today but we’ll do what we can to sneak you in even if you register late. That said, please do register ASAP so we can get you the link to the session!

on November 03, 2021 07:11 AM

October 28, 2021

This week sees COP26, the UN conference which is probably the last chance for humanity to mitigate the worst effects of the climate emergency.

At Akademy earlier this year KDE had a talk about Towards Sustainable Computing. Open tech can make a difference.

OpenUK will be hosting a venue on 11 November with a day of events about sustainability with technology emphasising why open tech is the most effective way to do that.

Sessions include an opening from former government minister Francis Maude, Launch of the OpenUK Consortium Data Centre Blueprint, Open Collaboration Opening Sustainability led by Red Hat, Opening Up the Energy Sector, building the Sustainable Open Future for the UK.

In the evening I’ll be hosting the OpenUK awards 2021, showcasing and recognising the best people and organisations for open tech in the UK.

Do join us online for the streaming of the event Join us Digitally on 11 November

on October 28, 2021 01:15 PM

October 21, 2021

https://www.mixcloud.com/dholbach/dj-support-gitops-one-stop-shop-event-oct-2021/

In my day job (in the IT world) we staged an online event in Oct 2021. As with past events like these, it makes the event a lot more fun if you have music in between quite technical talks, so folks can get up from their desk and dance while grabbing a new cup of tea.

On Mixcloud it’s my first mix using a DJ controller - it’s a very recent development for me. A lot of fun though. I enjoyed the whole event, but it was also sensory overload as I was watching 3 laptops to e.g. catch cues when new speakers would come on or if there was audience feedback, so excuse these moments of distraction - along with the breaks! I’ll get a distraction-free mix out soon again - promise! So without further ado, here’s the music from the event, as people asked for it. Enjoy!

  1. jiony - Sincretismo
  2. Notorious B.I.G. - Hypnotize (Benedikt Frey Edit)
  3. okuma - Garnatxa
  4. Daniel Hokum - Burn (Paul Traeumer’s Shuffled Remix)
  5. Johannes Klingebiel - Latewood
  6. Canu, Nu, Alejandro Castelli - Mariposa (Viken Arman Remix)
  7. The Tribe Of Good - Heroes (edit)
  8. Noir & Haze - Around (Solomon remix)

  1. Nachtbraker - Hamdi
  2. Sam Shure - Mirage
  3. Vijay & Sofia Zlatko - Rap A Verse (Cassimm Remix)
  4. Sanoi & Rattler - Walking

  1. Malaa - Paris 96'
  2. Afgo - Someone
  3. Kurd Maverick - Dancing To (Extended Mix)
  4. Efdemin - Just a Track

  1. Andi Otto - Gianna Anna (Paradise Hippies Remix)
  2. Thornato - Chapinero

  1. Tony Adams - Estou Livre
  2. Fibre - I’ll Go Back
  3. Psychemagik - Mink & Shoes feat Navid Izadi
  4. Sam Shure - Mirage
  5. Super Flu - Watching The Stars (Super Flu´s Watching A Piano RMX)
  6. The Sunburst Band - He Is (Jimpster Remix)

on October 21, 2021 08:52 AM

October 20, 2021

Ocelot did it again! The French speaking Ubuntu community is happy to present you its splendid Impish Indri t-shirt. :) You can buy it before the end of October for €15 (+ shipping costs) and receive it at the end of November 2021. You can try to buy it later but it will be more expensive and you will not have any guarantee of stock.

on October 20, 2021 10:10 PM

We are pleased to announce that Plasma 5.23.1 is now available in our backports PPA for Kubuntu 21.10 (Impish Indri).

The release announcement detailing the new features and improvements in Plasma 5.23 can be found here.

To upgrade:

Add the following repository to your software sources list:

ppa:kubuntu-ppa/backports

or if it is already added, the updates should become available via your preferred update method.

The PPA can be added manually in the Konsole terminal with the command:

sudo add-apt-repository ppa:kubuntu-ppa/backports

and packages then updated with

sudo apt full-upgrade

IMPORTANT

Please note that more bugfix releases are scheduled by KDE for Plasma 5.23, so while we feel these backports will be beneficial to enthusiastic adopters, users wanting to use a Plasma release with more rounds of stabilisation/bugfixes ‘baked in’ may find it advisable to stay with Plasma 5.22 as included in the original 21.10 (Impish Indri) release.

The Kubuntu Backports PPA for 21.10 also currently contains newer versions of KDE Gear (formerly Applications) and other KDE software. The PPA will also continue to receive updated versions of KDE packages other than Plasma, for example KDE Frameworks.

Issues with Plasma itself can be reported on the KDE bugtracker [1]. In the case of packaging or other issues, please provide feedback on our mailing list [2], IRC [3], and/or file a bug against our PPA packages [4].

1. KDE bugtracker: https://bugs.kde.org
2. Kubuntu-devel mailing list: https://lists.ubuntu.com/mailman/listinfo/kubuntu-devel
3. Kubuntu IRC channels: #kubuntu & #kubuntu-devel on irc.libera.chat
4. Kubuntu ppa bugs: https://bugs.launchpad.net/kubuntu-ppa

on October 20, 2021 07:18 PM

October 17, 2021

Xubuntu 21.10 Released

Xubuntu 21.10 "Impish Indri" was released on October 14, 2021. Check out the release announcement and release notes. I’ve expanded on both below.

New Features

GNOME Disk Usage Analyzer

GNOME Disk Usage Analyzer (baobab) scans folders, devices, and remote locations to provide an in-depth report on disk usage. It can quickly identify large files and folders wasting disk space and enable users to act on them. A tree-like and graphical representation are used to display disk usage.

Disk Usage Analyzer makes it much easier to recover lost disk space.

GNOME Disks

GNOME Disks provides an easy way to inspect, format, partition, and configure disks. You can view SMART data, manage devices, benchmark physical disks, and image flash drives using GNOME Disks. Another benefit is that it can mount partitions on-demand or automatically.

GNOME Disks is an all-in-one solution for managing physical disks and partitions.

Rhythmbox

Rhythmbox is a music-playing application. It features a media library, podcast feeds, and live internet radio stations. It integrates with the Xfce PulseAudio Plugin in Xubuntu, controlling playback and granting easy access to recent playlists. Xubuntu ships with the Alternative Toolbar plugin enabled, making the application layout fit in with the rest of the desktop. Additionally, the Music key on multimedia keyboards will now launch Rhythmbox instead of Parole.

Super Key Support

The Super (or Windows) key will now reveal the application menu, similar to Windows and other desktop environments. This is possible thanks to the inclusion of xcape. xcape is used to configure modifier keys to act as other keys when pressed. For Xubuntu, the left Super key is now mapped to trigger the Ctrl+Escape key combination used for the Whisker Menu. For a peek into the technical reason for this workaround, please see the upstream Xfce bug.

The Super key now works exactly as you’d expect.

PipeWire

PipeWire is now included in Xubuntu and the other flavors. PipeWire is a project that improves audio and video handling in Linux. It is used alongside PulseAudio to significantly improve hardware support, particularly for Bluetooth audio devices. For regular usage, PipeWire quietly works in the background. Audio devices are still controlled through the Xfce PulseAudio Plugin and PulseAudio Volume Control (pavucontrol).

Pidgin Removal

Pidgin, “the universal chat client,” is no longer included in Xubuntu. Due to an increasing number of chat services moving to proprietary and restricted protocols, the overall usefulness of Pidgin has diminished significantly over the years. However, if you still use Pidgin, it can be installed from the repository.

Late Night Linux Extra episode 32 featured Gary Kramlich, the lead Pidgin maintainer. In this episode, Gary explained that while many of these services are no longer available within Pidgin by default, existing plugins enable support for those services. Unfortunately, many plugins change rapidly, making it impossible to keep them packaged and up-to-date in Ubuntu.

UX Updates

In continuing our keyboard shortcut clean-up, the long-obsoleted Super+{1,2,3,4} shortcuts were removed. These shortcuts go way back to when Xubuntu had a two-panel layout and launched the first four pinned applications. For a complete list of keyboard shortcuts, click here.

We also made a minor change to our Thunar defaults, updating the title bar to always display the full path of the current directory. This should make navigating and managing the filesystem easier with multiple open windows.

Go layers deep in your filesystem and never forget where you are with the full path displayed in Thunar at all times.

About the Xubuntu Versions

Xubuntu has three installable versions. Using the main ISO (2.0G), you can pick from the Normal or Minimal installation option, whereas Xubuntu Core (1.0G) will result in a much smaller installation size. Normal includes everything you need to be productive and have fun with Xubuntu. Meanwhile, Minimal and Core are designed to provide the bare essentials, enabling you to tailor Xubuntu to your needs.

When installing from the main ISO, you have an option to perform a "Normal" or "Minimal" installation.

Core and Minimal seem to have the same purpose, but Core has a few advantages. For one, the download size is much smaller and more accessible for those with limited connectivity options. Second, the install size is quite a bit smaller due to how the different versions work. Core installs only the minimal set of packages. Minimal first installs the Normal Xubuntu version and then removes the excess packages. Unfortunately, it’s impossible to reliably identify and remove all of the extra packages, so you end up with another 1.0G of bloat.

Save nearly 2.0G of disk space by opting for the Xubuntu Core version.

You can learn more about Xubuntu Core here or view the spreadsheet I put together with the package and memory differences here.

Wrapping Up

Xubuntu 21.10 features the work of numerous contributors from the Xfce, GNOME, MATE, Ubuntu, and Debian communities. If you'd like to contribute, check out the following links:

Next up, we have the 22.04 "Jammy Jellyfish" LTS cycle. The next six months will be focused primarily on bug fixes and other improvements, building a solid LTS foundation for the next three years. As it is an LTS, we'll be running a Wallpaper Contest again, so keep an eye on the Xubuntu website and Twitter for updates.

on October 17, 2021 02:30 PM

October 15, 2021


The Kubuntu Team is happy to announce that Kubuntu 21.10 has been released, featuring the ‘beautiful’ KDE Plasma 5.22: simple by default, powerful when needed.

Codenamed “Impish Indri”, Kubuntu 21.10 continues our tradition of giving you Friendly Computing by integrating the latest and greatest open source technologies into a high-quality, easy-to-use Linux distribution.

The team has been hard at work through this cycle, introducing new features and fixing bugs.

Under the hood, there have been updates to many core packages, including a new 5.13-based kernel, KDE Frameworks 5.86, KDE Plasma 5.22 and KDE Gear 21.08.

Kubuntu 21.10 Desktop Image

Kubuntu has seen many updates for other applications, both in our default install, and installable from the Ubuntu archive.

Krita, KDevelop, Yakuake, and many, many more applications are updated.

Applications for core day-to-day usage are included and updated, such as Firefox, VLC and LibreOffice.

For a list of other application updates, and known bugs be sure to read our release notes.

Download Kubuntu 21.10, or learn how to upgrade from 21.04.

Note: For upgrades from 21.04, there may be a delay of a few hours to a few days between the official release announcements and the Ubuntu Release Team enabling upgrades.

on October 15, 2021 04:57 PM

The Ubuntu OpenStack team at Canonical is pleased to announce the general
availability of OpenStack Xena on Ubuntu 21.10 (Impish Indri) and Ubuntu
20.04 LTS (Focal Fossa) via the Ubuntu Cloud Archive. Details of the Xena
release can be found at: https://www.openstack.org/software/xena

To get access to the Ubuntu Xena packages:

Ubuntu 21.10

OpenStack Xena is available by default for installation on Ubuntu 21.10.

Ubuntu 20.04 LTS

The Ubuntu Cloud Archive for OpenStack Xena can be enabled on Ubuntu
20.04 by running the following command:

sudo add-apt-repository cloud-archive:xena

What’s included?

aodh, barbican, ceilometer, ceph (16.2.6), cinder, designate,
designate-dashboard, dpdk (20.11.3), glance, gnocchi, heat,
heat-dashboard, horizon, ironic, ironic-ui, keystone, magnum,
magnum-ui, manila, manila-ui, masakari, mistral, murano,
murano-dashboard, networking-arista, networking-bagpipe,
networking-baremetal, networking-bgpvpn, networking-hyperv,
networking-l2gw, networking-mlnx, networking-odl, networking-sfc,
neutron, neutron-dynamic-routing, neutron-vpnaas, nova, octavia,
octavia-dashboard, openstack-trove, openvswitch (2.16.0),
ovn (21.09.0), ovn-octavia-provider, placement, sahara,
sahara-dashboard, senlin, swift, trove-dashboard, vmware-nsx, vitrage, watcher, watcher-dashboard, zaqar, and zaqar-ui.

For a full list of packages and versions, please refer to:
https://openstack-ci-reports.ubuntu.com/reports/cloud-archive/xena_versions.html

Known issues

OVN 21.09.0 coming soon:
https://bugs.launchpad.net/ubuntu/+source/ovn/+bug/1947003

Reporting bugs

If you have any issues please report bugs using the ‘ubuntu-bug’ tool to
ensure that bugs get logged in the right place in Launchpad:

sudo ubuntu-bug nova-conductor

Thank you to everyone who contributed to OpenStack Xena!

Corey
(on behalf of the Ubuntu OpenStack Engineering team)

on October 15, 2021 03:06 PM

The Xubuntu team is happy to announce the immediate release of Xubuntu 21.10.

Xubuntu 21.10, codenamed Impish Indri, is a regular release and will be supported for 9 months, until June 2022. If you need a stable environment with longer support time we recommend that you use Xubuntu 20.04 LTS instead.

The final release images are available as torrents and direct downloads from xubuntu.org/download/.

As the main server might be busy in the first few days after the release, we recommend using the torrents if possible.

Xubuntu Core, our minimal ISO edition, is available to download from unit193.net/xubuntu/core/ [torrent]. Find out more about Xubuntu Core here.

We’d like to thank everybody who contributed to this release of Xubuntu!

Highlights and Known Issues

Highlights

  • New Software: Xubuntu now comes pre-installed with GNOME Disk Analyzer, GNOME Disk Utility, and Rhythmbox. Disk Analyzer and Disk Utility make it easier to monitor and manage your partitions. Rhythmbox enables music playback with a dedicated media library.
  • Pipewire: Pipewire is now included in Xubuntu, and is used in conjunction with PulseAudio to improve audio playback and hardware support in Linux.
  • Keyboard Shortcuts: The Super (Windows) key will now reveal the applications menu. Existing Super+ keyboard shortcuts are unaffected.

Known Issues

  • The shutdown prompt may not be displayed at the end of the installation. Instead you might just see a Xubuntu logo, a black screen with an underscore in the upper left hand corner, or just a black screen. Press Enter and the system will reboot into the installed environment. (LP: #1944519)

For more obscure known issues, information on affecting bugs, bug fixes, and a list of new package versions, please refer to the Xubuntu Release Notes.

The main Ubuntu Release Notes cover many of the other packages we carry and more generic issues.

Support

For support with the release, navigate to Help & Support for a complete list of methods to get help.

on October 15, 2021 11:49 AM
Ubuntu 21.10 is released: https://releases.ubuntu.com/21.10/ Video: https://youtu.be/pQBL0dDYWxI (estimated length: 10 min; play speed: x4)
on October 15, 2021 04:48 AM
Ubuntu 21.10 will be released complete with the recently released GNOME 40, GCC 11 and the Flutter toolkit. Release dates: Beta release: 23rd September; Release Candidate: 7th October; Final Release: 14th October. Ubuntu 21.10 has been given the codename ‘Impish Indri’. What new features will be included? Although an official feature list has not been published in detail yet, the features likely to be included are: 1. GNOME 40 […]
on October 15, 2021 04:42 AM

October 14, 2021

Thanks to all the hard work from our contributors, Lubuntu 21.10 has been released. With the codename Impish Indri, Lubuntu 21.10 is the 21st release of Lubuntu, the seventh release of Lubuntu with LXQt as the default desktop environment. Support lifespan Lubuntu 21.10 will be supported for 9 months until July 2022. Our main focus […]
on October 14, 2021 05:57 PM

The Ubuntu Studio team is pleased to announce the release of Ubuntu Studio 21.10, code-named “Impish Indri”. This marks Ubuntu Studio’s 30th release. This release is a regular release, and as such it is supported for nine months until July 2022.

Since it’s just out, you may experience some issues, so you might want to wait a bit before upgrading. Please see the release notes for a complete list of changes and known issues.

You can download Ubuntu Studio 21.10 from our download page.

If you find Ubuntu Studio useful, please consider making a contribution.

Upgrading

Due to the change in desktop environment that started after the release of 20.04 LTS, direct upgrades from supported releases prior to 21.04 are not supported.

We have had anecdotal reports of successful upgrades from 20.04 LTS (Xfce desktop) to later releases (Plasma desktop), but this will remain at your own risk.

Instructions for upgrading are included in the release notes.

New This Release

This release includes Plasma 5.22.5, the full-featured desktop environment made by KDE. The theming uses the Materia theme and icons are Papirus icons.

Audio

Studio Controls has seen further development as its own independent project and has been updated to version 2.2.7. This version has an all-new layout and features, including JACK over network and MIDI over network.

Ardour 6.9

Ardour has been updated to version 6.9 and includes a ton of bugfixes and enhancements. For more information, check out the official release announcement.

Other Notable Updates

Carla has been upgraded to version 2.4.0 Full release announcement at kx.studio.

Video

OBS Studio

Included this cycle is OBS Studio 27.0.1, which includes support for the upcoming (currently experimental) Wayland compositor via PipeWire. More information at the official release announcement.

For those that would like to use the advanced audio processing power of JACK with OBS Studio, OBS Studio is JACK-aware!

More Updates

There are many more updates not covered here but are mentioned in the Release Notes. We highly recommend reading those release notes so you know what has been updated and know any known issues that you may encounter.

Get Involved!

A great way to contribute is to get involved with the project directly! We’re always looking for new volunteers to help with packaging, documentation, tutorials, user support, and MORE! Check out all the ways you can contribute!

Special Thanks

Huge special thanks for this release go to:

  • Len Ovens: Studio Controls, Ubuntu Studio Installer, Coding
  • Thomas Ward: Packaging, Ubuntu Core Developer for Ubuntu Studio
  • Eylul Dogruel: Artwork, Graphics Design, Website Lead
  • Ross Gammon: Upstream Debian Developer, Guidance, Testing
  • Sebastien Ramacher: Upstream Debian Developer
  • Dennis Braun: Debian Package Maintainer
  • Rik Mills: Kubuntu Council Member, help with Plasma desktop
  • Mauro Gaspari: Tutorials, Promotion, and Documentation, Testing
  • Brian Hechinger: Testing and bug reporting
  • Chris Erswell: Testing and bug reporting
  • Robert Van Den Berg: Testing and bug reporting, IRC Support
  • Krytarik Raido: IRC Moderator, Mailing List Moderator
  • Erich Eickmeyer: Project Leader, Packaging, Direction, Treasurer
on October 14, 2021 05:05 PM

The significant change in Ubuntu MATE 21.10 is the introduction of MATE Desktop 1.26.0 ✨ which was 18 months in the making. Thanks to the optimisations in MATE Desktop 1.26, Ubuntu MATE 21.10 is faster and leaner 💪

Ubuntu MATE 21.10 (Impish Indri).

What changed since Ubuntu MATE 21.04?

Here are the highlights of what’s changed since the release of Hirsute Hippo 🦛

MATE Desktop 🧉

A significant effort 😅 has been invested in fixing bugs 🐛 in MATE Desktop 1.26.0, optimising performance ⚡ and plugging memory leaks. MATE Desktop is faster and leaner as a result, and its underpinnings have been modernised and updated. This last point mostly benefits developers working on MATE, but is important to highlight to users as it demonstrates MATE Desktop is being maintained to ensure its longevity.

Here are some of the other quality of life 💌 improvements in MATE Desktop 1.26:

  • The Control Center features:
    • Improved Window Preferences dialog with a more comprehensive window behaviour and placement options presented.
    • Display preferences now has an option for discrete display scaling.
    • Power Manager has a new option to enable keyboard dimming.
    • Notifications now support hyperlinks.
  • Caja can format drives and has a new Bookmarks sidebar.
  • Caja Actions, which allows you to add arbitrary programs to be launched through the context menu, is now part of the Desktop.
  • Calculator now uses GNU MPFR/MPC for high precision, faster computation and additional functions.
  • Pluma has a new mini map instant overview, a grid background to turn Pluma into a writing pad and the preferences have been redesigned.
  • Atril is much faster scrolling through large documents and the memory footprint has been reduced.
  • Engrampa, the archive manager, now supports EPUB, ARC and encrypted RAR files.
  • Marco, the window manager:
    • Correctly restores minimised windows to their original position.
    • Thumbnail window previews support HiDPI.
  • Netspeed applet shows more information about your network interfaces.

While MATE Desktop is not completely ready for Wayland just yet, 1.26.0 represents a significant stepping stone towards that objective with most of the MATE Desktop being able to run on a Wayland compositor. 👍

Ubuntu MATE Enhancements

Ubuntu MATE has tweaked 🔧 the default desktop configuration slightly:

  • Image extrapolation and interpolation are disabled by default in Eye of MATE to make image viewing faster and image quality sharper.
  • The Alt-Tab pop-up is now expanded to fit long window titles.
  • If you use the Mutiny layout, session loading is now faster.

Guest Session

Once in a while a friend, family member, or colleague may want to borrow your computer 😱 The Guest Session provides a convenient way, with a high level of security, to lend your computer to someone else. A guest session can be launched either from the login screen or from within a regular session. If you are currently logged in, click the icon at the far right of the menu bar and select Guest Session. This will lock the screen for your own session and start the guest session.

A guest cannot view the home folders of other users, and by default any saved data or changed settings will be removed/reset at logout. It means that each session starts with a fresh environment, unaffected by what previous guests did.

RedShift

RedShift makes a return, after being temporarily removed in Ubuntu MATE 21.04.

Raspberry Pi images

We will be refreshing our Ubuntu MATE images for Raspberry Pi in the coming weeks.

Major Applications

Accompanying MATE Desktop 1.26.0 and Linux 5.13 are Firefox 93.0, Celluloid 0.20 and LibreOffice 7.2.1.2.

See the Ubuntu 21.10 Release Notes for details of all the changes and improvements that Ubuntu MATE benefits from.

Download Ubuntu MATE 21.10

This new release will be first available for PC/Mac users.

Download

Upgrading from Ubuntu MATE 21.04

You can upgrade to Ubuntu MATE 21.10 from Ubuntu MATE 21.04. Ensure that you have all updates installed for your current version of Ubuntu MATE before you upgrade.

  • Open the “Software & Updates” from the Control Center.
  • Select the 3rd Tab called “Updates”.
  • Set the “Notify me of a new Ubuntu version” drop down menu to “For any new version”.
  • Press Alt+F2 and type in update-manager -c -d into the command box.
  • Update Manager should open up and tell you: New distribution release ‘XX.XX’ is available.
    • If not, you can use /usr/lib/ubuntu-release-upgrader/check-new-release-gtk
  • Click “Upgrade” and follow the on-screen instructions.

There are no offline upgrade options for Ubuntu MATE. Please ensure you have network connectivity to one of the official mirrors or to a locally accessible mirror and follow the instructions above.

Known Issues

Here are the known issues.

  • Plank: when snaps update, they disappear from Plank.
  • Ubuntu (Ubiquity): slideshows are missing for OEM installs of Ubuntu MATE.
  • VTE: gdebi cannot install .deb packages.

No workarounds or upstream links were listed for these issues at release time.

Feedback

Is there anything you can help with or want to be involved in? Maybe you just want to discuss your experiences or ask the maintainers some questions. Please come and talk to us.

on October 14, 2021 02:41 PM

October 07, 2021

Grandma

Stuart Langridge

A couple of weeks ago, my grandma died.

This was not wholly unexpected, and at the same time it was completely unexpected. I should probably explain that.

She was ninety, which is a fair age for anyone, but her mother (my great-grandmother) lived to be even older. What’s different is that nobody knew she was ninety, other than us. Most of her friends were in their mid-seventies. Now, you might be thinking, LOL, old, but this is like you in your mid-forties hanging out with someone who’s 30, or you in your late twenties hanging out with someone who’s 13, or you at eighteen hanging out with someone who’s still learning what letters are. Gaps get narrower as we get older, but the thing that most surprised me was that all her friends were themselves surprised at the age she was. She can’t have been that age, they said when we told them, and buried in there is a subtle compliment: she was like us, and we’re so much younger, and when we’re that much older we won’t be like her.

No. No, you won’t be like my grandma.

I don’t want to talk much about the last few weeks. We, my mum and me, we flew to Ireland in the middle of the night, we sorted out her house and her garden and her affairs and her funeral and her friends and her family, and we came home. All I want to say about it is that, and all I want to say about her is probably best said in the eulogy I wrote and spoke for her death, and I don’t want to say it again.

But (and this is where people in my family should tune out) I thought I’d talk about the website I made for her. Because of course I made a website. You know how some people throw themselves into work to dull the pain when something terrible happens to the people they love? I’m assuming that if you were a metalworker in 1950 and you wanted to handle your grief that a bunch of people got a bunch of metal stuff that you wouldn’t ordinarily have made. Well, I am no metalworker; I build the open web, and I perform, on conference stages or for public perception. So I made a website for my grandma; something that will maybe live on beyond her and maybe say what we thought about her.

Firstly I should say: it’s at kryogenix.org/nell because her name was Nell and I made it. But neither of those things are really true. Her name was Ellen, and what I did was write down what we all said and what we all did to say goodbye. I wanted to capture the words we said while they were still fresh in my memory, but more while how I felt was fresh in my memory. Because in time the cuts will become barely noticeable scars and I’ll be able to think of her not being here without stopping myself crying, and I don’t want to forget. I don’t want to lose it amongst memories of laughter and houses and lights. So I wrote down what we all said right now while I can still feel the hurt of it like fingernails, so maybe I won’t let it fade away.

I want to write some things about the web, but that’s not for this post. This post is to say: goodbye, Grandma.

Goodbye, Grandma. I tried to make a thing that would make people think of you when they looked at it. I wanted people to think of memories of you when they read it. So I made a thing of memories of you, and I spoke about memories of you, and maybe people who knew you will remember you and people who didn’t know you will learn about you from what we all said.

Goodbye, Grandma.

kryogenix.org/nell

on October 07, 2021 09:54 PM

I have a re-purposed AMD64 laptop motherboard, ready to become an experimental Ubuntu Core server.

It's in fine condition. You can see that it boots an Ubuntu LiveUSB's "Try Ubuntu" environment just fine. Attached to the motherboard is a new 60GB SSD for testing. The real server will use a 1TB HDD.

But Ubuntu Core doesn't install on bare metal from a Live USB. It's still easy, though.

1. Boot a "Try Ubuntu" Environment on the target system.

  • Test your network connection. The picture shows a wireless connection. This particular laptop has a wireless chip that is recognized out-of-the box, so I didn't need to get out the long network cable.
  • Test that your storage device works. You can see in the picture that Gnome Disks can see the storage device.

2. Terminal: sudo fdisk -l. Locate the storage device that you want to install Ubuntu Core onto.

  • The entire storage device will be erased.
  • My storage device is at /dev/sda today. It might be different next boot. Yours might be different.

3. Open the web browser and download Ubuntu Core.

4. Write Ubuntu Core to the storage device.

  • Warning: This command will erase your entire storage device. If there is anything valuable on your storage device, then you have skipped too many steps!
    xzcat Downloads/<.img.xz file> | sudo dd of=/dev/<target_storage_device> bs=32M status=progress; sync
  • So mine was
    xzcat Downloads/ubuntu-core-20-amd64.img.xz | sudo dd of=/dev/sda bs=32M status=progress; sync
  • Source: https://ubuntu.com/download/intel-nuc

5. Reboot into Ubuntu Core.

  • When prompted by the "Try Ubuntu" environment, remove the LiveUSB so you are booting from your newly-written storage device.
  • Be patient. My first boot into Ubuntu Core led to a black screen for nearly a minute before the system acknowledged that it actually had been working the entire time.
  • After 3-4 minutes of non-interactive setup alternating between blank screens and scrolling setup output, Ubuntu Core finally asked me two questions: which network to connect to, and my Ubuntu SSO e-mail address.
  • Finally, the system rebooted again. This time it didn't ask any question - just displayed the new Ubuntu Core system's IP address.

6. Log into Ubuntu Core.

    On my Desktop:
    me@Desktop:~$ ssh me@192.168.1.x
    Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-77-generic x86_64)
Success: A working Ubuntu Core on bare metal.
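Before step 4 pipes the image into dd, a practitioner would want two checks the post does not show: that the downloaded .img.xz really matches the SHA-256 the publisher lists for it (an altered or truncated download would otherwise be written straight to disk), and that the target block device has nothing mounted from it. The script below is an added example and is not part of the original post. It assumes you also fetched a SHA256SUMS file from the same place as the image, in the coreutils `sha256sum` format (one `<hash>  <name>` or `<hash> *<name>` line per file); the image and device names are the ones used in the post.

```shell
#!/bin/sh
# Added example, not from the original post: gate the "write Ubuntu Core to
# the storage device" step on an integrity check of the image and a mount
# check of the target device. Assumes a SHA256SUMS file in sha256sum format
# was downloaded alongside the image.
set -eu

# expected_sha256 FILE SUMSFILE
# Print the hash recorded for FILE's basename in SUMSFILE (handles both the
# "<hash>  <name>" and binary-mode "<hash> *<name>" forms). Prints nothing if
# there is no entry.
expected_sha256() {
    awk -v name="$(basename "$1")" '
        { f = $2; sub(/^\*/, "", f); if (f == name) print $1 }
    ' "$2"
}

# verify_image IMAGE SUMSFILE -> returns 0 if the SHA-256 matches, 1 otherwise.
verify_image() {
    exp=$(expected_sha256 "$1" "$2")
    if [ -z "$exp" ]; then
        echo "no entry for $(basename "$1") in $2" >&2
        return 1
    fi
    act=$(sha256sum "$1" | awk '{ print $1 }')
    if [ "$act" != "$exp" ]; then
        echo "checksum mismatch for $1" >&2
        echo "  expected $exp" >&2
        echo "  actual   $act" >&2
        return 1
    fi
    return 0
}

# device_has_mounts DEV [MOUNTS]
# Returns 0 if any line of MOUNTS (default /proc/mounts) has DEV, or a
# partition of DEV such as /dev/sda1, as its mount source.
device_has_mounts() {
    dev=$1
    mounts=${2:-/proc/mounts}
    awk -v dev="$dev" '
        index($1, dev) == 1 { found = 1 }
        END { exit !found }
    ' "$mounts"
}

# flash_image IMAGE.xz SUMSFILE DEV
# The write command from the post, run only after both checks pass. It is
# never called automatically; invoke it by hand after identifying DEV with
# `sudo fdisk -l` as in step 2, e.g.:
#   flash_image Downloads/ubuntu-core-20-amd64.img.xz Downloads/SHA256SUMS /dev/sda
flash_image() {
    image=$1
    sums=$2
    dev=$3
    verify_image "$image" "$sums"
    if [ ! -b "$dev" ]; then
        echo "$dev is not a block device" >&2
        return 1
    fi
    if device_has_mounts "$dev"; then
        echo "$dev has mounted partitions; refusing to overwrite it" >&2
        return 1
    fi
    xzcat "$image" | sudo dd of="$dev" bs=32M status=progress
    sync
}
```

The mount check matters in a "Try Ubuntu" session because the live USB itself and any automounted disks appear in /proc/mounts; passing the wrong /dev/sdX would otherwise erase them without complaint, exactly the failure the post's warning describes. The checksum only proves the file you have is the file the publisher hashed; it does not tell you the SHA256SUMS file itself is authentic unless you also check its signature.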
on October 07, 2021 09:29 PM

October 04, 2021

Back in March, we asked the HackerNews community, “What do you want to see in Ubuntu 17.10?”

A passionate discussion ensued, the results of which are distilled into this post.

In fact, you can see our progress so far this cycle. We already have beta code in 17.10 available for you to test for several of those:

And several others have excellent work in progress, and will be complete by 17.10:

In summary -- your feedback matters!  There are hundreds of engineers and designers working for *you* to continue making Ubuntu amazing!

Along with the switch from Unity to GNOME, we’re also reviewing some of the desktop applications we package and ship in Ubuntu.  We’re looking to crowdsource input on your favorite Linux applications across a broad set of classic desktop functionality.

We invite you to contribute by listing the applications you find most useful in Linux in order of preference. To help us parse your input, please copy and paste the following bullets with your preferred apps in Linux desktop environments. You’re welcome to suggest multiple apps; please just order them by priority (e.g. Web Browser: Firefox, Chrome, Chromium). If some of your functionality has moved entirely to the web, please note that too (e.g. Email Client: Gmail web, Office Suite: Office 365 web). If the software isn’t free/open source, please note that (e.g. Music Player: Spotify client non-free). If I’ve missed a category, please add it in the same format. If your favorites aren’t packaged for Ubuntu yet, please let us know, as we’re creating hundreds of new snap packages for Ubuntu desktop applications, and we’re keen to learn what key snaps we’re missing.

  • Web Browser: ???
  • Email Client: ???
  • Terminal: ???
  • IDE: ???
  • File manager: ???
  • Basic Text Editor: ???
  • IRC/Messaging Client: ???
  • PDF Reader: ???
  • Office Suite: ???
  • Calendar: ???
  • Video Player: ???
  • Music Player: ???
  • Photo Viewer: ???
  • Screen recording: ???

In the interest of opening this survey as widely as possible, we’ve cross-posted this thread to HackerNews, Reddit, and Slashdot.  We very much look forward to another friendly, energetic, collaborative discussion.

Or, you can fill out the survey here: https://ubu.one/apps1804

Thank you!
On behalf of @Canonical and @Ubuntu
on October 04, 2021 11:02 PM